IETF Logo Mail Archive

Re: [Dots] AD Review of draft-ietf-dots-architecture-14

"Konda, Tirumaleswar Reddy" <TirumaleswarReddy_Konda@McAfee.com> Fri, 10 January 2020 09:05 UTC

Return-Path: <tirumaleswarreddy_konda@mcafee.com>
X-Original-To: dots@ietfa.amsl.com
Delivered-To: dots@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 9A73012002E for <dots@ietfa.amsl.com>; Fri, 10 Jan 2020 01:05:06 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2
X-Spam-Level:
X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=mcafee.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 2HYH6iAI8QuX for <dots@ietfa.amsl.com>; Fri, 10 Jan 2020 01:05:02 -0800 (PST)
Received: from us-smtp-delivery-140.mimecast.com (us-smtp-delivery-140.mimecast.com [63.128.21.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id E0A1B1200CE for <dots@ietf.org>; Fri, 10 Jan 2020 01:05:01 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=mcafee.com; s=mimecast20190606; t=1578647100; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=Md0hb31TDeHYxbglwezNlMTzSYBpkCqvirrqgXC8r1I=; b=S0jg0et7sZ8lcUw/gFkXHg0yABW9GfHOtTxoATjkcy0Xc1wSB5hKQW7mbWuKh9EqGoTQAj vdBthDlJE5EY92jBM7FmB7sLdwRmYdLb1TtGGYGnlsveYiuVDpqG5mIrlF5F0Ql3JqbUcz eAJPV42VFkglnmnZsfczuV8FHpck5yM=
Received: from NAM12-DM6-obe.outbound.protection.outlook.com (mail-dm6nam12lp2174.outbound.protection.outlook.com [104.47.59.174]) (Using TLS) by relay.mimecast.com with ESMTP id us-mta-118-RzYWmhi4NSyc_fyZADaBqg-1; Fri, 10 Jan 2020 04:04:56 -0500
Received: from DM5PR1601MB1259.namprd16.prod.outlook.com (10.172.87.13) by DM5PR1601MB1308.namprd16.prod.outlook.com (10.172.85.139) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.2623.9; Fri, 10 Jan 2020 09:04:54 +0000
Received: from DM5PR1601MB1259.namprd16.prod.outlook.com ([fe80::949b:6afa:b9ba:f4e4]) by DM5PR1601MB1259.namprd16.prod.outlook.com ([fe80::949b:6afa:b9ba:f4e4%3]) with mapi id 15.20.2623.013; Fri, 10 Jan 2020 09:04:54 +0000
From: "Konda, Tirumaleswar Reddy" <TirumaleswarReddy_Konda@McAfee.com>
To: Roman Danyliw <rdd@cert.org>, "dots@ietf.org" <dots@ietf.org>
Thread-Topic: AD Review of draft-ietf-dots-architecture-14
Thread-Index: AdXHMmoiRx3D3KUrRUiecOSiRVyATgAQ2HbA
Date: Fri, 10 Jan 2020 09:04:54 +0000
Message-ID: <DM5PR1601MB1259400B085262756BF3C125EA380@DM5PR1601MB1259.namprd16.prod.outlook.com>
References: <359EC4B99E040048A7131E0F4E113AFC01E7100170@marchand>
In-Reply-To: <359EC4B99E040048A7131E0F4E113AFC01E7100170@marchand>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
dlp-product: dlpe-windows
dlp-version: 11.4.0.45
dlp-reaction: no-action
x-originating-ip: [49.37.206.28]
x-ms-publictraffictype: Email
x-ms-office365-filtering-correlation-id: 3d29914d-4904-4bc9-7881-08d795ac2886
x-ms-traffictypediagnostic: DM5PR1601MB1308:
x-microsoft-antispam-prvs: <DM5PR1601MB1308C58706E06C35E3937663EA380@DM5PR1601MB1308.namprd16.prod.outlook.com>
x-ms-oob-tlc-oobclassifiers: OLM:5516;
x-forefront-prvs: 02788FF38E
x-forefront-antispam-report: SFV:NSPM; SFS:(10009020)(4636009)(136003)(376002)(366004)(346002)(39860400002)(396003)(32952001)(51914003)(13464003)(199004)(189003)(110136005)(26005)(316002)(55016002)(33656002)(9686003)(53546011)(6506007)(7696005)(66556008)(186003)(66446008)(86362001)(5660300002)(81156014)(66946007)(71200400001)(66476007)(81166006)(478600001)(64756008)(2906002)(8936002)(52536014)(76116006)(966005)(8676002)(85282002); DIR:OUT; SFP:1101; SCL:1; SRVR:DM5PR1601MB1308; H:DM5PR1601MB1259.namprd16.prod.outlook.com; FPR:; SPF:None; LANG:en; PTR:InfoNoRecords; A:1; MX:1;
x-ms-exchange-senderadcheck: 1
x-microsoft-antispam: BCL:0;
x-microsoft-antispam-message-info: OX4kCwq0ZqHd3VB1l5RtBxT+icYo1ZoswdYRZ/aeuwzBYP2sEuAeVxwcFt5brmPmqHJpv8vBPheKhqlVYh162MqrMzoqKA21yisB0Ax/QuUEVh5iTFZUxXD/PXzkrlIOdh317X6bbqJwn+z3gYlBPAI8ACGmGwqB4+CtPjSAFUVAklVbst/276IGG0Y3syKYQocnU8DN9WtD+yn52DlbTV8+Wc2wx1x8FVJ1+qVXyu/o75imltUSIOgwU16nzRNDqj1zZamI5FcTn2FqAiqBLBrnyz9X+ZUc3NH/hSVy21VSZxwOqj7nuLYyjMikSjVmGc8Yt1wtkm30qHg5vIyewhyJwKypjZdrQxs8ZMTAStiiIvMLfeOw8ZGsup4iS5V1wWUov8OSGZ2+H1wIrGlTCDM9hXoqdvG0jjBc1lDDHsV9KX5/TC032fstLoNRlI6z1eE+eV+rFnprecaxePPXfPFFXsCVw3A2qwJR6oQlNdTEHO/wovZ/fxs1Fd50goy651a1xy5aYPmXy5TZwbtWCHCO9kNaRGivcvbJxrQO0X3Bh8CT2ECeSYZLBoUk8+k4YjychDd0DyKOTmaLpTaNuT4SWSafaBwYPyoXvzwpG0c=
x-ms-exchange-transport-forked: True
MIME-Version: 1.0
X-OriginatorOrg: mcafee.com
X-MS-Exchange-CrossTenant-Network-Message-Id: 3d29914d-4904-4bc9-7881-08d795ac2886
X-MS-Exchange-CrossTenant-originalarrivaltime: 10 Jan 2020 09:04:54.2349 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 4943e38c-6dd4-428c-886d-24932bc2d5de
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-CrossTenant-userprincipalname: QtgmqWxehPTPSetrXz2AExVe8WuwuFMIWWt7IRpkGZn21+HdeVOVcWtk7rkShNEEnojsomaPBRBj2ffU29NuLxkDKczrV4w0oVm2fM79QwxPPUDhy/04LLIJZTUQ9XTr
X-MS-Exchange-Transport-CrossTenantHeadersStamped: DM5PR1601MB1308
X-MC-Unique: RzYWmhi4NSyc_fyZADaBqg-1
X-Mimecast-Spam-Score: 0
Content-Type: text/plain; charset="WINDOWS-1252"
Content-Transfer-Encoding: quoted-printable
Archived-At: <https://mailarchive.ietf.org/arch/msg/dots/yd1FEyXQdbvM_p4-LjFKSDO3iNA>
Subject: Re: [Dots] AD Review of draft-ietf-dots-architecture-14
X-BeenThere: dots@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "List for discussion of DDoS Open Threat Signaling \(DOTS\) technology and directions." <dots.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dots>, <mailto:dots-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dots/>
List-Post: <mailto:dots@ietf.org>
List-Help: <mailto:dots-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dots>, <mailto:dots-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 10 Jan 2020 09:05:07 -0000

Hi Roman,

Thanks for the review. Please see inline

> -----Original Message-----
> From: Dots <dots-bounces@ietf.org> On Behalf Of Roman Danyliw
> Sent: Friday, January 10, 2020 3:00 AM
> To: dots@ietf.org
> Subject: [Dots] AD Review of draft-ietf-dots-architecture-14
> 
> CAUTION: External email. Do not click links or open attachments unless you
> recognize the sender and know the content is safe.
> 
> Hello!
> 
> The following is my AD review of draft-ietf-dots-architecture-14:
> 
> ** Section 1.2.  Per "In this architecture, DOTS clients and servers
> communicate using DOTS signaling ...", is this definition too narrow?  Per the
> guidance in Section 1.1.2 to use RFC8612 definitions, which says that "DOTS
> signal:  [is a] A status/control message transmitted over the authenticated
> signal channel ..." the text seems to ignoring the data channel.

Updated line as follows:
In this architecture, DOTS clients and servers communicate using DOTS signal channel and data channel protocols.

> 
> ** Section 1.2.  Along the same line, the next sentence, "As a result of signals
> from the DOTS client ...", seems to also present a very narrow example of
> what the signal channel might do (let alone the data channel).  I'm not sure
> how much this sentence adds to clarifying the scope as suggested by the
> section title.

Agreed, I don't see a need for this sentence in the "Scope" section. Removed it. 

> 
> ** Section.  1.3 Per "The signal and data channels are loosely coupled, and
> may not terminate on the same DOTS server", it seems help to clarify the
> obvious that how these signals would be synchronized is out of scope.

Okay, added the following line:
How the DOTS servers synchronize the DOTS configuration is out of scope of this specification.

> 
> ** Section 2.  Figure 3.  Is this figure (i.e., the JSON example) normative?

No.

 This
> seems like a detail best left to the data channel spec (and omitted from this
> document).

Yes, we have an example in the data channel spec. Removed Figure 3. 

> 
> ** Section 2.  Per:
> Note that while it is possible to exchange the above information
>    before, during or after a DDoS attack, DOTS requires reliable
>    delivery of this information and does not provide any special means
>    for ensuring timely delivery of it during an attack.  In practice,
>    this means that DOTS deployments should not rely on such information
>    being exchanged during a DDoS attack.
> 
> It seems to me that there is guidance missing here.  If the first sentence says
> that this information can be exchanged before, during or after an attack, but
> don't count on it during the attack.  The second sentence reiterates the point
> that during an attack it will be unreliable, is a statement to the effect that
> necessary configuration must be made prior to the attack also needed?

Yes, updated last line as follows:
In practice, this means that DOTS deployments should rely on such information 
being exchanged only under normal traffic conditions.

> 
> ** Section 2.1  Per "It is not until this point that the mitigation service is
> available for use.", this closing point about a mitigation service follows from
> the previous description.  However, I wanted to point out, the notion of a
> "mitigation service" being available after a fully configured DOTS client is not
> a construct previously used in the document or the terminology.  It's likely
> worth relating it to the previously defined terms like mitigator.

"mitigation service" is already used in Sections 2 and 1.2

> 
> ** Section 2.1.  To avoid confusion on terms (i.e., from HTTP), perhaps
> replace s/basic authorization/authorization/.

Okay, replaced.

> 
> ** Section 2.2.2.  Per "For a given DOTS client (administrative) domain, the
> DOTS server needs to be able to determine whether a given target  resource
> is in that domain.", what is a "target resource" isn't clear.  I think it is meant to
> be the resource that is the target of the attack (that the DOTS client is
> signaling about). 

Yes.

> Also, the idea that DOTS clients have "domains" is a new
> concept here that needs clarification.

I have simplified the text as follows:
For a given DOTS client (administrative) domain, the DOTS server needs to be
able to determine whether a given resource is in that domain. For
example, this could take the form of associating a set of IP addresses and/or
prefixes per DOTS client domain.

> 
> ** Section 2.2.2. Per "The DOTS server enforces authorization of DOTS
> clients' signals for mitigation.", no objection.  Is there a complementary
> statement to make the data channel?

Good point, updated text as follows:
The DOTS server enforces authorization of signals for mitigation, filtering rules and aliases for resources from DOTS clients.  
The mechanism of enforcement is not in scope for this document, but is expected to restrict mitigation requests, filtering rules and aliases
scope to addresses, prefixes, and/or services owned by the DOTS client domain, such that a DOTS
client from one domain is not able to influence the network path to another
domain. A DOTS server MUST reject requests for mitigation of resources, filtering rules and aliases for
resources not owned by the requesting DOTS client's administrative domain.

> 
> ** Section 5.  Per "Any attacker with the ability to impersonate ...", this
> paragraph clearly describes in the impact of impersonation.  However, the
> suggested mitigations read like requirements.  Instead of trying to list them
> again, I would recommend explicitly citing the relevant requirements from
> Section 2.4 of the RFC8612 and noting that need for conformance to these
> security mechanisms.

Good point, updated paragraph as follows:

Any attacker with the ability to impersonate a legitimate DOTS client or server
or, indeed, inject false messages into the stream may potentially
trigger/withdraw traffic redirection, trigger/cancel mitigation activities or
subvert drop-/accept-lists.  From an architectural standpoint, operators MUST
ensure conformance to the security requirements defined in Section 2.4 of 
RFC8612 to secure data in transit. 

> 
> ** Section 5.  Per "Similarly, received data at rest SHOULD be stored with a
> satisfactory degree of security.", I would recommend explaining why the
> data should be secured. Perhaps:
> OLD:
> Similarly, received data at rest SHOULD be
>    stored with a satisfactory degree of security.
> 
> NEW (or something like it):
> Similarly, as the received data may contain network topology, telemetry,
> threat, or preconfigured mitigation information which could be considered
> sensitive in certain environment, it SHOULD be protected at rest per required
> local policy.

Works for me, minor update to proposed text:

Similarly, as the received data may contain network topology, telemetry,
threat and mitigation information which could be considered
sensitive in certain environment, it SHOULD be protected at rest per required
local policy.
 
> 
> ** Section 5.  Per "As many mitigation systems employ diversion to scrub
> attack traffic, operators of DOTS agents SHOULD ensure DOTS sessions are
> resistant to Man-in-the-Middle (MitM) attacks.", I'm not following the link
> between the mitigation systems re-routing traffic with DOTS agents resisting
> MitM attack.  What actions should be agents be taking?

Good point, modified paragraph as follows (and removed line discussing re-routing traffic):

An attacker with control of a DOTS client may negatively
influence network traffic by requesting and withdrawing requests for mitigation
for particular prefixes, leading to route or DNS flapping. DOTS operators should carefully
monitor and audit DOTS clients to detect misbehavior and deter misuse.


> 
> ** Section 5.  Per:
>    Any attack targeting the availability of DOTS servers may disrupt the
>    ability of the system to receive and process DOTS signals resulting
>    in failure to fulfill a mitigation request.  DOTS agents SHOULD be
>    given adequate protections, again in accordance with best current
>    practices for network and host security.
> -- The first sentence talks about "DOTS servers".  The second talk about
> protecting "DOTS agents".  What's the role in the DOTS clients in this
> guidance?
> -- Shouldn't the protections afforded to the DOTS agents be a mandatory
> (MUST)?

Good point, the guidance is only meant for DOTS servers and is mandatory. Modified text as follows:
DOTS servers MUST be given adequate protections,  in accordance with best current practices for network and host security.

> 
> ** Editorial Nits:
> -- Section 1.  Editorial. s/for help defending/for help to defend/
> -- Section 3.2.5.  Typo. s/deployements/deployments/

Thanks, Fixed.

Cheers,
-Tiru

> 
> _______________________________________________
> Dots mailing list
> Dots@ietf.org
> https://www.ietf.org/mailman/listinfo/dots

v2.23.0 | Report a Bug | By Email