Re: [Dots] New Version Notification for draft-reddy-dots-home-network-02.txt
Dan Wing <danwing@gmail.com> Thu, 13 December 2018 17:28 UTC
Return-Path: <danwing@gmail.com>
X-Original-To: dots@ietfa.amsl.com
Delivered-To: dots@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 3228F130E06 for <dots@ietfa.amsl.com>; Thu, 13 Dec 2018 09:28:03 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.999
X-Spam-Level:
X-Spam-Status: No, score=-1.999 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id TOFoJMfs_i5R for <dots@ietfa.amsl.com>; Thu, 13 Dec 2018 09:27:59 -0800 (PST)
Received: from mail-pl1-x633.google.com (mail-pl1-x633.google.com [IPv6:2607:f8b0:4864:20::633]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 78243130DFA for <dots@ietf.org>; Thu, 13 Dec 2018 09:27:59 -0800 (PST)
Received: by mail-pl1-x633.google.com with SMTP id g9so1375417plo.3 for <dots@ietf.org>; Thu, 13 Dec 2018 09:27:59 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=from:message-id:mime-version:subject:date:in-reply-to:cc:to :references; bh=9idxqslh8Tdg7j7olbvkKyGOCo+zUES0iiZB203LZ1s=; b=ZU6Gpb7cZi4x0MBXr9/3bAL7+IgFwk/o4yRyDnUPagQ443bYbFb8D6OLkBBCJi4GYr i/6Y3BFT/fgR0yYaIbTEM0Wpf46YB/FlS042sGcLN0k6+IgVCi1zTTtalf3mAfWZedBy P89eMX4aZE3VBXNVEP1deyOq2SVSQeDsYVzh/dHIq30fBHzs9e+RsaWhf1qkmkjjk38Y r7NwlqW+t6ST0bq3DCMy+DBk4QzwyHnmWJNMoCdYsY9amRCI/flD0V4wTigypH48OE4R BiUXIW/98MLe8DxvXZqI2yhiAcb7ynAeqTCcoi6QE+y+ukJZNgIQaicq9RJO/g+Nm5GM 9Rlw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:message-id:mime-version:subject:date :in-reply-to:cc:to:references; bh=9idxqslh8Tdg7j7olbvkKyGOCo+zUES0iiZB203LZ1s=; b=kQXKTkBsuiQpNLcbgXmF1GqJZo1lFgBzddjba2t1untOXrZjZ7wmBR98YdqI+8LyVM 9JQqEbyjdtLYUzMtx9Cor1eHK01wnYC/JY4kHLL7uKAMab/5XGtHoOj2GpDHgm6mv06A zgXLw2a+zFJEieOdpw+4w4Pmy2c1sE4SCVith5aEDB1IMKqyz8je99b4Wu2d3e6OV8cG CINb/xTheP3OohXy5Lf5i2DbeSwHQ+tLA8ZnkAjdoJKK+i7gntEdNH0OxeITJPhb0Kix QMc95LGGCUzZXpLAJv/BCsKhfIW3pf8b9Jqlb/ec0q0o4RZFrnCtexJwM/JCx6mFyUH5 Vygw==
X-Gm-Message-State: AA+aEWY/Dn4dtlBJfNoCMFsueVjVB9KQwvinj4l96EK40wzbLLFQ++hk tSLMCg5gvfEH+w/hIqMjrrY=
X-Google-Smtp-Source: AFSGD/XMoHmE9Wno6LYvBaPJ/0xIDREnvGNkfAMBNXZ9Vwz2Ng7sDG2Cln4gKbxFJJ4IfsTS7W/cqQ==
X-Received: by 2002:a17:902:820d:: with SMTP id x13mr25181031pln.229.1544722078876; Thu, 13 Dec 2018 09:27:58 -0800 (PST)
Received: from [192.168.86.180] ([75.111.77.103]) by smtp.gmail.com with ESMTPSA id d202sm4422955pfd.58.2018.12.13.09.27.57 (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Thu, 13 Dec 2018 09:27:58 -0800 (PST)
From: Dan Wing <danwing@gmail.com>
Message-Id: <378B4F3F-87CC-4482-8CF2-A554997FF1E3@gmail.com>
Content-Type: multipart/alternative; boundary="Apple-Mail=_8351A9DB-991E-45D9-AD26-568E053B1220"
Mime-Version: 1.0 (Mac OS X Mail 12.2 \(3445.102.3\))
Date: Thu, 13 Dec 2018 09:27:56 -0800
In-Reply-To: <787AE7BB302AE849A7480A190F8B93302E04BEC7@OPEXCLILMA3.corporate.adroot.infra.ftgroup>
Cc: Roman Danyliw <rdd@cert.org>, "Xialiang (Frank, Network Integration Technology Research Dept)" <frank.xialiang@huawei.com>, "Panwei (William) (william.panwei@huawei.com)" <william.panwei@huawei.com>, "dots@ietf.org" <dots@ietf.org>
To: Mohamed Boucadair <mohamed.boucadair@orange.com>
References: <154211930418.26992.12586161888366921.idtracker@ietfa.amsl.com> <787AE7BB302AE849A7480A190F8B93302E045230@OPEXCLILMA3.corporate.adroot.infra.ftgroup> <9C23835F-E460-43C2-9F6D-9F7ED007DAAB@gmail.com> <787AE7BB302AE849A7480A190F8B93302E04BEC7@OPEXCLILMA3.corporate.adroot.infra.ftgroup>
X-Mailer: Apple Mail (2.3445.102.3)
Archived-At: <https://mailarchive.ietf.org/arch/msg/dots/yss0PQgYEt5LdywfNV-hX9uxnFk>
Subject: Re: [Dots] New Version Notification for draft-reddy-dots-home-network-02.txt
X-BeenThere: dots@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "List for discussion of DDoS Open Threat Signaling \(DOTS\) technology and directions." <dots.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dots>, <mailto:dots-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dots/>
List-Post: <mailto:dots@ietf.org>
List-Help: <mailto:dots-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dots>, <mailto:dots-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 13 Dec 2018 17:28:04 -0000
Modified text in 1.2 now says: Unlike classic DOTS deployments [I-D.ietf-dots-use-cases], such DOTS server maintains a single DOTS signal channel session with an upstream DOTS client, if the CPE is single-homed. The phrase "if the CPE is single-homed" caught me off-guard, because you're not saying how multi-homed is handled or providing guidance to implementations for how to learn how to handle multi-homing. Perhaps change from "if CPE is single-homed" to "for each upstream provisioning domain"? Maybe you want to cite the multi-homing document informationally, but could be useful. The new text in 3.2.1 starts with " "When a Carrier Grade NAT (CGN) is located between the DOTS client and DOTS server," what is the mechanism for the DOTS client and server to determine there is a Carrier Grade NAT between them, such that the rest of the requirements in the paragraph have to be followed; that is, is there a DOTS mechanism like ICE messages to determine address rewriting occurred? Do the requirements in that paragraph apply only to CGN, as it reads -- it seems the requirements are the same as the paragraph slightly below which mentions "NAT on CPE", but the phrasing is different so I can't tell if implementation is supposed to be exactly same. How does a CGN get differentiated from a non-"Carrier Grade" NAT between the elements, from things as simple as an accidentally-installed NAT to things as complex as a laptop tethered to a NAT44 and 464xlat cellular phone and NAT64 in the carrier, where we might imagine DOTS in the laptop or the cellphone; I think the ISP-operated NAT64 qualifies as CGN (does it?), but I need half hour of sketching to understand the situation here. More succinctly: can the requirements for NAT be simplified and explained why the requirements are necessary for interoperation, rather than saying "if CGN, then do ___", and "if NAT integrated into CPE do ___"? In Privacy Considerations, new text says "Concretely, the protocol does not leak any new information that can be used to ease surveillance", but the new text in 3.2.1 says the internal IP address and port number (of the victim) are communicated to the DOTS server. This is new information disclosed by DOTS. -d > On Nov 21, 2018, at 11:54 PM, mohamed.boucadair@orange.com wrote: > > Hi Dan, > > Enjoy your stay in Morocco! > > Looking forward to receiving your review. > > Cheers, > Med > >> -----Message d'origine----- >> De : Dan Wing [mailto:danwing@gmail.com] >> Envoyé : jeudi 22 novembre 2018 08:20 >> À : BOUCADAIR Mohamed TGI/OLN >> Cc : Roman Danyliw; Xialiang (Frank, Network Integration Technology Research >> Dept); Panwei (William) (william.panwei@huawei.com); dots@ietf.org >> Objet : Re: [Dots] TR: New Version Notification for draft-reddy-dots-home- >> network-02.txt >> >> Currently I am in Morocco. Still useful to review next week? >> >> >> -d >> >>> On Nov 13, 2018, at 3:37 PM, <mohamed.boucadair@orange.com> >> <mohamed.boucadair@orange.com> wrote: >>> >>> Hi Roman, Franck, Wei, >>> >>> FYI, we released an updated version of the draft which integrates the >> comments you raised. The main changes are as follows: >>> >>> * Add a new privacy considerations section as suggested by Roman. >>> * Add a discussion on issues/fixes when an address sharing function is >> present between the DOTS client and server (Wei) >>> * Add some text to clarify that the DOTS server on the CPE is simple >> compared to the one on the provider side. Only a single DOTS session will be >> maintained (Franck). >>> * Further highlight that the solution is suitable for blocking attacks near >> the sources (I failed to get the name of the gentleman who raised this issue >> in the meeting). >>> * Add some text to clarify that DOTS servers do not blindly accept requests >> and that the solution does not aim to track or censor users (the comment was >> made by same gentleman as above). >>> >>> Please let us know if the new text addresses your concern. >>> >>> As usual, comments, suggestions, and questions are more than welcome. >>> >>> Cheers, >>> Med >>> >>>> -----Message d'origine----- >>>> De : internet-drafts@ietf.org [mailto:internet-drafts@ietf.org] >>>> Envoyé : mardi 13 novembre 2018 15:28 >>>> À : Tirumaleswar Reddy; Joshi Harsha; Jon Shallow; Reddy K; BOUCADAIR >> Mohamed >>>> TGI/OLN >>>> Objet : New Version Notification for draft-reddy-dots-home-network-02.txt >>>> >>>> >>>> A new version of I-D, draft-reddy-dots-home-network-02.txt >>>> has been successfully submitted by Mohamed Boucadair and posted to the >>>> IETF repository. >>>> >>>> Name: draft-reddy-dots-home-network >>>> Revision: 02 >>>> Title: Denial-of-Service Open Threat Signaling (DOTS) Signal >>>> Channel Call Home >>>> Document date: 2018-11-12 >>>> Group: Individual Submission >>>> Pages: 17 >>>> URL: https://www.ietf.org/internet-drafts/draft-reddy-dots- >> home- >>>> network-02.txt >>>> Status: https://datatracker.ietf.org/doc/draft-reddy-dots-home- >>>> network/ >>>> Htmlized: https://tools.ietf.org/html/draft-reddy-dots-home-network- >> 02 >>>> Htmlized: https://datatracker.ietf.org/doc/html/draft-reddy-dots- >> home- >>>> network >>>> Diff: https://www.ietf.org/rfcdiff?url2=draft-reddy-dots-home- >>>> network-02 >>>> >>>> Abstract: >>>> This document presents DOTS signal channel Call Home service, which >>>> enables a DOTS server to initiate a secure connection to a DOTS >>>> client, and to receive the attack traffic information from the DOTS >>>> client. The DOTS server in turn uses the attack traffic information >>>> to identify the compromised devices launching the outgoing DDOS >>>> attack and takes appropriate mitigation action. >>>> >>>> >>>> >>>> >>>> Please note that it may take a couple of minutes from the time of >> submission >>>> until the htmlized version and diff are available at tools.ietf.org. >>>> >>>> The IETF Secretariat >>> >>> _______________________________________________ >>> Dots mailing list >>> Dots@ietf.org >>> https://www.ietf.org/mailman/listinfo/dots
- [Dots] TR: New Version Notification for draft-red… mohamed.boucadair
- Re: [Dots] New Version Notification for draft-red… Roman Danyliw
- Re: [Dots] TR: New Version Notification for draft… Dan Wing
- Re: [Dots] TR: New Version Notification for draft… mohamed.boucadair
- Re: [Dots] New Version Notification for draft-red… Dan Wing
- Re: [Dots] New Version Notification for draft-red… mohamed.boucadair