Re: [Dots] WGLC for draft-dots-use-cases-19

"Konda, Tirumaleswar Reddy" <TirumaleswarReddy_Konda@McAfee.com> Tue, 06 August 2019 09:14 UTC

From: "Konda, Tirumaleswar Reddy" <TirumaleswarReddy_Konda@McAfee.com>
To: "mohamed.boucadair@orange.com" <mohamed.boucadair@orange.com>, "Valery Smyslov" <valery@smyslov.net>, "dots@ietf.org" <dots@ietf.org>
CC: "Xialiang (Frank, Network Standard & Patent Dept)" <frank.xialiang@huawei.com>
Date: Tue, 6 Aug 2019 09:14:32 +0000
Archived-At: <https://mailarchive.ietf.org/arch/msg/dots/yKsACvZF5dFdQ3t4THYMyHEsxQs>
Subject: Re: [Dots] WGLC for draft-dots-use-cases-19

> -----Original Message-----
> From: mohamed.boucadair@orange.com <mohamed.boucadair@orange.com>
> Sent: Tuesday, August 6, 2019 2:00 PM
> To: Konda, Tirumaleswar Reddy <TirumaleswarReddy_Konda@McAfee.com>; Valery Smyslov <valery@smyslov.net>; dots@ietf.org
> Cc: Xialiang (Frank, Network Standard & Patent Dept) <frank.xialiang@huawei.com>
> Subject: RE: [Dots] WGLC for draft-dots-use-cases-19
> 
> Re-,
> 
> Please see inline.
> 
> Cheers,
> Med
> 
> > -----Original Message-----
> > From: Konda, Tirumaleswar Reddy [mailto:TirumaleswarReddy_Konda@McAfee.com]
> > Sent: Tuesday, 6 August 2019 10:14
> > To: BOUCADAIR Mohamed TGI/OLN; Valery Smyslov; dots@ietf.org
> > Cc: Xialiang (Frank, Network Standard & Patent Dept)
> > Subject: RE: [Dots] WGLC for draft-dots-use-cases-19
> >
> > Hi Med,
> >
> > No, the orchestrator is not ignoring the mitigation hints.
> 
> [Med] Why? The text is clear the orchestrator acts as DOTS server. As such, it
> can ignore/accept hints.
> 
> > It is sending
> > filtering rules to block or rate-limit traffic to routers (last but
> > one line in the new paragraph).
> 
> [Med] Yes. That filtering rule is what would be applied by the DMS if it has
> sufficient resources.
> 
> > The adverse impact is legitimate users whose
> > IP addresses were spoofed
> > cannot access the services of the target server.
> 
> [Med] This is a check at the DMS side. This check applies independently of
> ** where ** the filters are applied. This is not specific to this NEW text.

If the orchestrator is sending filtering rules to block traffic, checks are required to ensure spoofed IP addresses are not conveyed by the DMS. If the orchestrator delegates the mitigation to a separate domain (recursive signaling), the attack information provided by the DMS can include spoofed IP addresses (so the new mitigator in the separate domain learns the attack traffic is coming from spoofed IP addresses).

-Tiru

> 
> >
> > Cheers,
> > -Tiru
> >
> > > -----Original Message-----
> > > From: mohamed.boucadair@orange.com <mohamed.boucadair@orange.com>
> > > Sent: Tuesday, August 6, 2019 12:50 PM
> > > To: Konda, Tirumaleswar Reddy <TirumaleswarReddy_Konda@McAfee.com>; Valery Smyslov <valery@smyslov.net>; dots@ietf.org
> > > Cc: Xialiang (Frank, Network Standard & Patent Dept) <frank.xialiang@huawei.com>
> > > Subject: RE: [Dots] WGLC for draft-dots-use-cases-19
> > >
> > > Hi Tiru,
> > >
> > > The NEW text indicates the following:
> > >
> > > ==
> > >    In addition to the above DDoS Orchestration, the selected DDoS
> > >    mitigation systems can return back a mitigation request to the
> > >    orchestrator as an offloading.
> > >                      ^^^^^^^^^^^
> > >    ....
> > >    the DDoS mitigation system can send mitigation requests
> > >    with additional hints such as its blocked traffic information to the
> > >                                  ^^^^^^^^^^^^^^^^^^^^^^^^^^
> > >    orchestrator.
> > > ==
> > >
> > > Which means that the DMS is blocking that traffic based on "some"
> > > information. That same information is passed to an orchestrator so
> > > that it can filter the traffic. What changes is ** how/where ** filters
> > > are installed.
> > >
> > > Like the interface with a mitigator, the interface between the
> > > controller and underlying routers is out of scope.
> > >
> > > From a DOTS perspective, the information supplied by the DMS to an
> > > Orchestrator is considered as "additional hints" which is adhering
> > > to RFC8612:
> > >
> > > ==
> > >    GEN-004  Mitigation Hinting: DOTS clients may have access to attack
> > >       details that can be used to inform mitigation techniques.  Example
> > >       attack details might include locally collected fingerprints for an
> > >       on-going attack, or anticipated or active attack focal points
> > >       based on other threat intelligence.  DOTS clients MAY send
> > >       mitigation hints derived from attack details to DOTS servers, with
> > >       the full understanding that the DOTS server MAY ignore mitigation
> > >       hints.
> > > ==
> > >
> > > I don't think there are new security considerations induced by the
> > > NEW text.
> > >
> > > Cheers,
> > > Med
> > >
> > > > -----Original Message-----
> > > > From: Dots [mailto:dots-bounces@ietf.org] On Behalf Of Konda, Tirumaleswar Reddy
> > > > Sent: Tuesday, 6 August 2019 08:52
> > > > To: Valery Smyslov; dots@ietf.org
> > > > Cc: Xialiang (Frank, Network Standard & Patent Dept)
> > > > Subject: Re: [Dots] WGLC for draft-dots-use-cases-19
> > > >
> > > > The security implications of the new use case need to be discussed
> > > > in the draft, please see
> > > > https://mailarchive.ietf.org/arch/msg/dots/tb-1ojJ6TmSmRUci6JoUeD-gB1Y
> > > >
> > > > Cheers,
> > > > -Tiru
> > > >
> > > > > -----Original Message-----
> > > > > From: Dots <dots-bounces@ietf.org> On Behalf Of Valery Smyslov
> > > > > Sent: Tuesday, August 6, 2019 11:56 AM
> > > > > To: dots@ietf.org
> > > > > Cc: Xialiang (Frank, Network Standard & Patent Dept) <frank.xialiang@huawei.com>
> > > > > Subject: [Dots] WGLC for draft-dots-use-cases-19
> > > > >
> > > > >
> > > > >
> > > > > Hi,
> > > > >
> > > > > this message starts a short WGLC for draft-ietf-dots-use-cases-19
> > > > > to confirm the WG consensus regarding the latest addition of a new
> > > > > use case to the draft.
> > > > > The WGLC will last one week and will end on Tuesday, 13 August.
> > > > >
> > > > > Regards,
> > > > > Frank & Valery.
> > > > >
> > > > > _______________________________________________
> > > > > Dots mailing list
> > > > > Dots@ietf.org
> > > > > https://www.ietf.org/mailman/listinfo/dots