Re: [Dots] Mirja Kühlewind's Discuss on draft-ietf-dots-signal-channel-31: (with DISCUSS and COMMENT)

[<mohamed.boucadair@orange.com>]

Hi Mirja, all,

(removing resolved items).

Please see inline. 

Cheers,
Tiru & Med

> -----Message d'origine-----
> De : Mirja Kuehlewind [mailto:ietf@kuehlewind.net]
> Envoyé : lundi 1 juillet 2019 18:21
> À : Konda, Tirumaleswar Reddy; Benjamin Kaduk
> Cc : draft-ietf-dots-signal-channel@ietf.org; frank.xialiang@huawei.com;
> dots@ietf.org; The IESG; dots-chairs@ietf.org
> Objet : Re: [Dots] Mirja Kühlewind's Discuss on draft-ietf-dots-signal-
> channel-31: (with DISCUSS and COMMENT)
> 
> Hi Ben, hi Tiru,
> 
> Please see below.
> 
> > On 29. Jun 2019, at 14:10, Konda, Tirumaleswar Reddy
> <TirumaleswarReddy_Konda@McAfee.com> wrote:
> >
> > Please see inline
> >
> >> -----Original Message-----
> >> From: Dots <dots-bounces@ietf.org> On Behalf Of Benjamin Kaduk
> >> Sent: Saturday, June 29, 2019 3:51 AM
> >> To: Mirja Kühlewind <ietf@kuehlewind.net>
> >> Cc: draft-ietf-dots-signal-channel@ietf.org; frank.xialiang@huawei.com;
> >> dots-chairs@ietf.org; The IESG <iesg@ietf.org>; dots@ietf.org
> >> Subject: Re: [Dots] Mirja Kühlewind's Discuss on draft-ietf-dots-
> signal-
> >> channel-31: (with DISCUSS and COMMENT)
> >>
> >>
> >>
> >> Hi Mirja,
> >>
> >> I wanted to check in with the status of the remaining Discuss points
> for this
> >> document.  I tried to go through the previous discussions and have made
> my
> >> own analysis of where things stand, so hopefully we can compare notes.
> >>
> >> On Wed, May 01, 2019 at 07:42:31AM -0700, Mirja Kühlewind via
> Datatracker
> >> wrote:
> >>>
> >>>
> >>> ----------------------------------------------------------------------
> >>> DISCUSS:
> >>> ----------------------------------------------------------------------
> >>>
> >>> 1) Port usage (see section 3):
> >>> The port request for DOTS was reviewed by the port expert team. Some
> >>> members of the team were concerned about the assignment of a separate
> >>> port number for DOTS as Coap is used and already has a designated port
> >>> number. I believe that Coap is used as a transport in the case and
> >>> DOTS provides a separate service compared to what Coap is usually used
> >>> for, however, it is not clear why DOTS needs a designated port.
> >>> Section 3 says that the port can either be preconfigured or
> >>> dynamically detected, therefore it is not clear why a fixed port is
> >>> needed (see also section 7.1. of RFC7605). In the port review process
> >>> the authored argued that a port is needed to differentiate the DOTS
> >>> service in the network. However, this is not an endorsed usage for
> >>> port numbers (see section 6.2. of RFC7605). Further, I believe
> >>> assigning a fixed port might actually add an attack vector for DOTS,
> >>> either by DDoSing the respective port at the DOTS server, or any
> attempt
> >> to block DOTS traffic on the network from the DOTS client to the DOTS
> server.
> >>
> >> If I understand correctly you were supporting a port allocation, but
> wanted
> >> the document to be more clear about its usage and necessity.
> >>
> >> There were some text changes, so that we now have:
> >>
> >>   In some cases, a DOTS client and server may have mutual agreement to
> >>   use a specific port number, such as by explicit configuration or
> >>   dynamic discovery [I-D.ietf-dots-server-discovery].  Absent such
> >>   mutual agreement, the DOTS signal channel MUST run over port number
> >>   TBD as defined in Section 9.1, for both UDP and TCP.  In order to use
> >>   a distinct port number (as opposed to TBD), DOTS clients and servers
> >>   SHOULD support a configurable parameter to supply the port number to
> >>   use.  The rationale for not using the default port number 5684
> >>   ((D)TLS CoAP) is to allow for differentiated behaviors in
> >>   environments where both a DOTS gateway and an IoT gateway (e.g.,
> >>   Figure 3 of [RFC7452]) are present.
> >>
> >> Does that address your concerns?
> 
> I think this still leaves my original question open. I agree that using
> port 5684 is no alternative. However, I still don’t see why a fixed port
> is needed at all. In all scenarios described either the server IP address
> needs to be configured or a detection mechanism is used. In both cases
> this could be used to also configure or detect the port.
> 

[Med] This comment would apply to other protocols as well such as SIP (for which more than one port was assigned), TURN (2 ports assigned), etc. The same reasons for allocating ports for those protocols would apply for DOTS.

Having a fixed port allows for minimal setup for DOTS session establishment. Moreover, the fixed port allocation helps with default settings such as on-path firewalls.  

The specification does not mandate a discovery mechanism. Furthermore, the server IP address may not be required to be explicitly configured if (1) an anycast address is assigned for DOTS, (2) if the client assumes that its default router is its DOTS server (e.g., LAN scenarios with DOTS gateways on CPEs), or (3) redirect for which this specification returns only an alternate IP address (but not any alternate port number).

Even if a way (e.g., DHCP) is used to configure the IP address, DHCP options are not designed to provision a port number. You may check the list at: https://www.iana.org/assignments/bootp-dhcp-parameters/bootp-dhcp-parameters.xhtml   

If the DDoS attack is targeting the victim's infrastructure, the DNS server may not be reachable or available.

We need to accommodate a variety of target deployment scenarios, hence this request.  

> >>
> >>> 3) Why are these statements SHOULDs and not MUSTs (see section 4.4)?
> >>>  "DOTS agents SHOULD follow the data transmission guidelines discussed
> >>>   in Section 3.1.3 of [RFC8085] and control transmission behavior by
> >>>   not sending more than one UDP datagram per round-trip time (RTT) to
> >>>   the peer DOTS agent on average."
> >>> and
> >>>  "If the DOTS client cannot maintain an RTT estimate, it
> >>>   SHOULD NOT send more than one Non-confirmable request every 3
> >>>   seconds"
> >>> as well as in section 4.4.2.1:
> >>>  "If the DOTS server cannot maintain an RTT
> >>>   estimate, it SHOULD NOT send more than one asynchronous notification
> >>>   every 3 seconds"
> >>> and again in section 4.4.2.2:
> >>> "The frequency of polling the DOTS server to get the
> >>>   mitigation status SHOULD follow the transmission guidelines in
> >>>   Section 3.1.3 of [RFC8085].
> >>
> >> These changes made, except for the last one, IIUC.
> 
> This one is a weird MUST now because RFC8085 only gives guidelines:
>   "DOTS agents MUST follow the data transmission guidelines discussed in
>    Section 3.1.3 of [RFC8085] and control transmission behavior by not
>    sending more than one UDP datagram per round-trip time (RTT) to the
>    peer DOTS agent on average.”
> 
> I would rather recommend something like
>   "DOTS agents MUST not
>    sending more than one UDP datagram per round-trip time (RTT) to the
>    peer DOTS agent on average following the data transmission guidelines
> discussed in Section 3.1.3 of [RFC8085].”
> 

[Med] OK. 

> And I think the last one (4.4.2.2) also needs a more concrete statement.
> 

[Med] Can be updated as follows: 

OLD:
   Absent such policy, the frequency of polling the DOTS server to get
   the mitigation status SHOULD follow the transmission guidelines in
   Section 3.1.3 of [RFC8085].

NEW:
   Absent such policy, the frequency of polling the DOTS server to get
   the mitigation status SHOULD NOT be more than one UDP datagram per RTT
   as discussed in Section 3.1.3 of [RFC8085].

(Note: SHOULD is used here because of a comment from Alissa related to a similar wording).

> 
> >
> >>
> >>> 6) Section 4.7: "the DOTS
> >>>   agent sends a heartbeat over the signal channel to maintain its half
> >>>   of the channel.  The DOTS agent similarly expects a heartbeat from
> >>>   its peer DOTS agent"
> >>> and
> >>> "DOTS servers MAY trigger their heartbeat requests immediately after
> >>>   receiving heartbeat probes from peer DOTS clients."
> >>> Actually heartbeat should only be send in one direction (as the other
> >>> end will send an ack) and the protocol should clearly specify which
> >>> endpoint is responsible for triggering the ping.
> >>
> >> I'm not sure I see resolution on this; do the authors still need to
> answer why
> >> the "pong" reply cannot serve as a reverse-path heartbeat?
> >
> > If the DOTS client domain is subjected to volumetric DDoS attack and the
> incoming link is saturated, the pong response from the server will not
> reach the client. DOTS server gets traffic from the client but receives no
> responses to its ping requests indicating the client has not detected the
> attack or, if an attack mitigation is in progress, it implies the applied
> DDoS mitigation actions are not yet effective to handle the DDoS attack
> volume.
> 
> Yes, I understand what heartbeat are used for. However, what you described
> implies that the server should send the ping and client sends the pong.
> This is fine.

[Med] Choosing the other way around may be problematic because of NAT/FWs. This is why the heartbeats from the server will fly right after the one from the client so that we can use the warm mappings. Having both directions allows to accommodate the scenario described by Tiru.

As you know, RFC4787 mandates the NAT outbound refresh behavior (packets go from the internal side of the NAT to the external side of the NAT to refresh the timer value) but not the NAT inbound refresh behavior.

 The text however seems to imply that both server and client
> test their have connection separately and both send pings and pongs. That
> doesn’t seem to be need.

[Med] In addition to the clarification above, we have also added a pointer to this part of 8085: 

==
   A UDP application with a long-lived association between the sender
   and receiver, ought to be designed so that the sender periodically
   checks that the receiver still wants ("consents") to receive traffic
   and need to be designed to stop if there is no explicit confirmation
   of this [RFC7675].  Applications that require communications in two
   directions to implement protocol functions (such as reliability or
   congestion control) will need to independently check both directions
                       ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^              
   of communication, and may have to exchange keep-alive messages to
   ^^^^^^^^^^^^^^^^
   traverse middleboxes (see Section 3.5).
==

> 
> 
> >
> >>
> >>> 7) sec 7.3:"To avoid DOTS signal message fragmentation and the
> >> subsequent
> >>>   decreased probability of message delivery, DOTS agents MUST ensure
> >>>   that the DTLS record MUST fit within a single datagram."
> >>> This should be handled by the DTLS record layer and not by DOTS that
> >>> works on top of DTLS (actually Coap), therefor it seems straight to
> >>> have a normative requirement here in the DOTS spec. Also note that the
> >>> calculation provided is not valid for early data (0-RTT) as the hello
> >>> messages could be transmitted in the same datagram.
> >>
> >> There was some clarifying discussion here; do you still see an issue?
> 
> I was wrong that DTLS helps you, however rfc7252 (soap) does and specifies
> message sizes. While for Coap this is a SHOULD, you have a MUST here. I
> think that is correctly and therefore it’s fine to specify it normatively.
> Not need to change. Still I recommend to highlight this difference!

[Med] Will add some text to highlight this.  


> >>
> >>> 10) The document should more explicitly provide more guidance about
> >>> when a client should start a session and what should be done (from the
> >>> client side) if a session is detected as inactive (other than during
> >>> migration which is discussed a bit in 4.7). Is the assumption to have
> >>> basically permanently an active session or connect for migration and
> >>> configuration requests separately at a time?
> >>
> >> I think there was some clarifying text added, but please confirm if you
> think it
> >> is sufficient.
> 
> Sorry, don’t see where text was added. Can you provide a pointer?

[Med] We do have this text, for example:

   The DOTS signal channel can be established between two DOTS agents
   prior or during an attack.  The DOTS signal channel is initiated by
   the DOTS client.  The DOTS client can then negotiate, configure, and
   retrieve the DOTS signal channel session behavior with its DOTS peer
   (Section 4.5).  Once the signal channel is established, the DOTS
   agents periodically send heartbeats to keep the channel active
   (Section 4.7).  At any time, the DOTS client may send a mitigation
   request message (Section 4.4) to a DOTS server over the active signal
   channel.  While mitigation is active (because of the higher
   likelihood of packet loss during a DDoS attack), the DOTS server
   periodically sends status messages to the client, including basic
   mitigation feedback details.  Mitigation remains active until the
   DOTS client explicitly terminates mitigation, or the mitigation
   lifetime expires.  Also, the DOTS server may rely on the signal
   channel session loss to trigger mitigation for pre-configured
   mitigation requests (if any).