IETF Logo Mail Archive

Re: [Dots] Adoption call for draft-reddy-dots-home-network-04

Daniel Migault <daniel.migault@ericsson.com> Fri, 26 April 2019 01:01 UTC

Return-Path: <mglt.ietf@gmail.com>
X-Original-To: dots@ietfa.amsl.com
Delivered-To: dots@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id BF3CA120379; Thu, 25 Apr 2019 18:01:00 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.647
X-Spam-Level:
X-Spam-Status: No, score=-1.647 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, FREEMAIL_FORGED_FROMDOMAIN=0.25, FREEMAIL_FROM=0.001, HEADER_FROM_DIFFERENT_DOMAINS=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=no autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id y6AHJGMR_LE4; Thu, 25 Apr 2019 18:00:57 -0700 (PDT)
Received: from mail-lf1-f42.google.com (mail-lf1-f42.google.com [209.85.167.42]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 4FCF8120006; Thu, 25 Apr 2019 18:00:56 -0700 (PDT)
Received: by mail-lf1-f42.google.com with SMTP id o16so1155491lfl.7; Thu, 25 Apr 2019 18:00:56 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=3MHBzDVqIdzivdpB8t1jdREiwVDs9w4cNlzQZ9WRFuM=; b=aNqHGm7e6/a9P11pd82wrIP6RPWwR4/GodlpzMuMCyza6/ctBYHzUkiXRKKGjC/Up5 /oIPZzm1oJSThCAnkMjffIjp2D30Drvs4fS+Vqfv5ClgXZESzzH/fOtuBfOwgJpZkKid S96CJ74LXFZP9ERfJV8S2CzBztQx65tnpVGXZIckZGTIwV34+/81du9J6W65uukMlJP/ Ebl4hxhvtyEeDA+GDNHOQNa3+rpg+bIblhfPY1Y+a2ZKsgPeCFMHN5yh/Xt2DLfYC/3W tgEywvYVf1ieGDfnl/fE1p5uCJ8pyO1mUDC/HWlt+NrS8lDAQXBbUhvmMvMFe5x6AMd7 sRxA==
X-Gm-Message-State: APjAAAUjytMHXSN+JsULUKeAM0hfKOe19suJuMKahpWUEapw7oMhaLI2 inYUs2VjIPWuEqwGo1JxeVfjFN5l6z4rAqmixps=
X-Google-Smtp-Source: APXvYqz/dhExLNUvuBVxu6R6Aj2oZhCQoXcR+p6mWrgpNVQp4liD0g/21Le7gVZWU7Nj5gu5HGzN5UgFiM0KosCAeN0=
X-Received: by 2002:ac2:52a8:: with SMTP id r8mr22735005lfm.160.1556240454036; Thu, 25 Apr 2019 18:00:54 -0700 (PDT)
MIME-Version: 1.0
References: <023d01d4ee1f$c2bcb190$483614b0$@smyslov.net> <30E95A901DB42F44BA42D69DB20DFA6A69F3A581@nkgeml513-mbx.china.huawei.com> <CADZyTkmtyO25-JiHMicZDUL2F+5RXpnFPsYHmyn67yfHTns5fA@mail.gmail.com> <BYAPR16MB2790ECCDECA7EA5E62F76F0DEA260@BYAPR16MB2790.namprd16.prod.outlook.com> <787AE7BB302AE849A7480A190F8B93302EA62879@OPEXCAUBMA2.corporate.adroot.infra.ftgroup>
In-Reply-To: <787AE7BB302AE849A7480A190F8B93302EA62879@OPEXCAUBMA2.corporate.adroot.infra.ftgroup>
From: Daniel Migault <daniel.migault@ericsson.com>
Date: Thu, 25 Apr 2019 21:00:42 -0400
Message-ID: <CADZyTkkCWV5Y8i=R6SEKpAwGCpZDMzFP_GaSa3LtvtPa2mYKaQ@mail.gmail.com>
To: mohamed.boucadair@orange.com
Cc: "Konda, Tirumaleswar Reddy" <TirumaleswarReddy_Konda@mcafee.com>, "dots-chairs@ietf.org" <dots-chairs@ietf.org>, Valery Smyslov <valery@smyslov.net>, "dots@ietf.org" <dots@ietf.org>, "kaduk@mit.edu" <kaduk@mit.edu>
Content-Type: multipart/alternative; boundary="00000000000072b21e0587647767"
Archived-At: <https://mailarchive.ietf.org/arch/msg/dots/y0Sg5ovUaYYZXHL-Jf68WG2Chiw>
Subject: Re: [Dots] Adoption call for draft-reddy-dots-home-network-04
X-BeenThere: dots@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "List for discussion of DDoS Open Threat Signaling \(DOTS\) technology and directions." <dots.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dots>, <mailto:dots-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dots/>
List-Post: <mailto:dots@ietf.org>
List-Help: <mailto:dots-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dots>, <mailto:dots-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 26 Apr 2019 01:01:01 -0000

Hi,

Please find my comments inline. I believe my initial comment is addressed.
Igot confused between the DOTS and DTLS Client.

Yours,
Daniel

On Thu, Apr 18, 2019 at 9:13 AM <mohamed.boucadair@orange.com> wrote:

> Hi Tiru, Daniel,
>
>
>
> With regards to:
>
>
>
> “ I believe that
>
> the same mechanism could be deployed between a DDoS target, its Cloud
>
> provider major ISPs up to the origin.”
>
>
>
> This is not currently doable with DOTS. Some key functional components are
> needed:
>
> (1) To identify the appropriate ISP which is hosting a DDoS source once a
> DDoS target has detected/reported an attack to its DOTS server/provider.
> The target may not be on the same network as the source.
>
<mglt>I might be wrong, but it seems to me that when the IP address is not
spoof, you can relatively easily go back to the ISP of that IP address. (at
least). Am I missing something ?</mglt>

> (2) That ISP needs to expose a service to receive these notifications.
>
<mglt>Theoretically, you would need an mesh of ISP DOTS communications (for
DTLS). but I imagine we could start with ISP you peer with or have servers
at the RIR level....</mglt>

>
>
> Of course, if the ISP is capable of receiving these notifications, it can
> invoke the procedure in draft-reddy-dots-home-network.
>


>
>
> The scenario mentioned by Daniel is an interesting problem to address…but
> I’m afraid this is out of scope of the current DOTS charter.
>
<mglt>In fact what I really wanted to point out was that at the target
node. a DOT Client sends a message to the DMS. briefly re-reading the draft
I have the impression the DOTS client is on the ISP side. Only TCP/DTLS
client server are exchanged. This seems fine. I believe I misread this the
first time.</mglt>

>
>
> I don’t see how BGP Flowspec solves this.
>
>
>
> Cheers,
>
> Med
>
>
>
> *De :* Dots [mailto:dots-bounces@ietf.org] *De la part de* Konda,
> Tirumaleswar Reddy
> *Envoyé :* jeudi 18 avril 2019 14:52
> *À :* Daniel Migault; Panwei (William)
> *Cc :* dots-chairs@ietf.org; Valery Smyslov; dots@ietf.org; kaduk@mit.edu
> *Objet :* Re: [Dots] Adoption call for draft-reddy-dots-home-network-04
>
>
>
> Hi Daniel,
>
>
>
> Thanks for the review, Please see inline [TR]
>
>
>
> *From:* Dots <dots-bounces@ietf.org> *On Behalf Of *Daniel Migault
> *Sent:* Monday, April 15, 2019 9:34 PM
> *To:* Panwei (William) <william.panwei@huawei.com>
> *Cc:* dots-chairs@ietf.org; Valery Smyslov <valery@smyslov.net>;
> dots@ietf.org; kaduk@mit.edu
> *Subject:* Re: [Dots] Adoption call for draft-reddy-dots-home-network-04
>
>
>
> *CAUTION*: External email. Do not click links or open attachments unless
> you recognize the sender and know the content is safe.
> ------------------------------
>
> I support the adoption of the draft, please see my comments on the current
> version. None of them should be considered as preventing the adoption.
>
>
>
> Yours,
>
> Daniel
>
>
>
> Some random comments:
>
>
>
>
>
> Section 1:
>
>
>
> """
>
>    Some of the DDoS attacks like spoofed RST or FIN packets, Slowloris,
>
>    and TLS re-negotiation are difficult to detect on the home network
>
>    devices without adversely affecting its performance.  The reason is
>
>    typically home routers have fast path to boost the throughput.  For
>
>    every new TCP/UDP flow, only the first few packets are punted through
>
>    the slow path.  Hence, it is not possible to detect various DDoS
>
>    attacks in the slow path, since the attack payload is sent to the
>
>    target server after the flow is switched to fast path.  Deep packet
>
>    inspection (DPI) of all the packets of a flow would be able to detect
>
>    some of the attacks.  However, a full-fledged DPI to detect these
>
>    type of DDoS attacks is functionally or operationally not possible
>
>    for all the devices attached to the home network owing to the memory
>
>    and CPU limitations of the home routers.  Further, for certain DDoS
>
>    attacks the ability to distinguish legitimate traffic from attacker
>
>    traffic on a per packet basis is complex.  This complexity originates
>
>    from the fact that the packet itself may look "legitimate" and no
>
>    attack signature can be identified.  The anomaly can be identified
>
>    only after detailed statistical analysis.
>
> """
>
>
>
> I understand, the paragraph below as saying that detection at the ISP is
>
> easier than at the homenet level as the ISP aggregates the traffic. This
>
> is correct and I agree with the text. However, if we are going a bit
>
> further, the detection is even easier to the DDoS target. I believe that
>
> the same mechanism could be deployed between a DDoS target, its Cloud
>
> provider major ISPs up to the origin. The example of the Homenet and the
>
> ISP is only one bound but the mechanism can be generalized and actually
>
> help coordination between independent domains.  I believe the draft can
>
> be placed in a larger perspective.
>
>
>
> [TR] Agreed, it is relatively easy for the DDoS mitigation provider for
> the attack target to detect sophisticated DDoS attacks (especially if the
> attack uses encrypted traffic).
>
>
>
> I will add the following lines:
>
>
>
> BGP defines a mechanism as described in [RFC5575] that can be used to
>
> automate inter-domain coordination of traffic filtering, such as what
>
> is required in order to mitigate DDoS attacks. DDoS mitigation provider
>
> for the attack target can detect sophisticated DDoS attacks
>
> using encrypted attack traffic, and can possibly use BGP flowspec
> [RFC5575] to
>
>   convey the filtering rules to filter block, or rate-limit DDoS attack
> traffic originating
>
>   from the ISP's subscribers to the attack target.
>
>
>
>
>
> Section 3.1 Procedure:
>
>
>
> I am not convinced this is the right approach to switch the roles
>
> between clients and servers. I believe that while the previous dots
>
> signal-channel was foreseeing the relation as asymmetric, we are now
>
> considering DOTS Client and DOTS Server as mostly symmetric. Maybe one
>
> way to see this could be to have a DOTS communication between different
>
> entities, and exchanges can be in both directions. The one initiating
>
> the exchange could be designated as DOTS Initiator, while the receiving
>
> side is the DOTS Responder.
>
>
>
> Here is a more concrete example while Client / Server  might be
>
> confusing. When  a server sends an alert when under attach it is designated
>
> as the DOTS Client, while the same client specifying these IP addresses
>
> are detected as belonging to an attacker will be the Server.
>
>
>
> It seems also to me that establishment of the (D)TLS channel can be sent
>
> by any other peer, not necessarily the peer sending further
>
> notification/request. Typically the DOTS Client may have set the DOTS
>
> channel protected by (D)TLS, and the DOTS Server may re-use that exact
>
> same channel.
>
>
>
> I am also wondering if the support of the extension is agreed or
>
> announced. If so this would ease the negotiation of which peer is able
>
> to handle the requests and be a "Server".
>
>
>
> [TR] Both draft-reddy-dots-home-network and RFC8071 adopt the same
> approach for managing roles and connections. You may want to look into
> RFC8071.
>
>         CoAP allows asynchronous messages but the request is always sent
> by the CoAP client.
>
>
>
> I believe the clarification and comparison with the
>
> "traditional"/"initial" DOTS use cases is useful and needs to stay for
>
> clarification purpose. However, one should make sure also that such
>
> signalling can also be made with a signal dots signalling established in
>
> the initial use cases. Typically, the DOTS client may have set the DOTS
>
> channel and set a DTLS session which could carry the signalling of the
>
> draft.
>
>
>
> [TR] I don’t get the above comment.
>
>
>
> Cheers,
>
> -Tiru
>
>
>
>
>
> On Sun, Apr 14, 2019 at 11:06 PM Panwei (William) <
> william.panwei@huawei.com> wrote:
>
> Hi,
>
> I support adoption of this draft.
>
> Best Regards
> Wei Pan
>
> -----Original Message-----
> From: Dots [mailto:dots-bounces@ietf.org] On Behalf Of Valery Smyslov
> Sent: Monday, April 08, 2019 11:29 PM
> To: dots@ietf.org
> Cc: dots-chairs@ietf.org; kaduk@mit.edu
> Subject: [Dots] Adoption call for draft-reddy-dots-home-network-04
>
> Hi all,
>
> the chairs recently received an adoption request for
> draft-reddy-dots-home-network-04.
>
> This message starts a two-week adoption call for
> draft-reddy-dots-home-network-04.
> The call ends up on Tuesday, April the 23rd.
>
> Please send your opinion regarding adoption of this document to the list
> before this date.
> If you think the draft should be adopted, please indicate whether you're
> willing to review it/to work on it. If you think the draft should not be
> adopted, please explain why.
>
> Regards,
> Frank & Valery.
>
>
> _______________________________________________
> Dots mailing list
> Dots@ietf.org
> https://www.ietf.org/mailman/listinfo/dots
>
> _______________________________________________
> Dots mailing list
> Dots@ietf.org
> https://www.ietf.org/mailman/listinfo/dots
>
> _______________________________________________
> Dots mailing list
> Dots@ietf.org
> https://www.ietf.org/mailman/listinfo/dots
>

v2.23.0 | Report a Bug | By Email