IETF Logo Mail Archive

Re: [Dots] AD evaluation of draft-ietf-dots-signal-call-home-09: Section 1

tirumal reddy <kondtir@gmail.com> Thu, 15 October 2020 07:37 UTC

Return-Path: <kondtir@gmail.com>
X-Original-To: dots@ietfa.amsl.com
Delivered-To: dots@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 727583A1340; Thu, 15 Oct 2020 00:37:28 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.097
X-Spam-Level:
X-Spam-Status: No, score=-2.097 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id m566lBuWAJDY; Thu, 15 Oct 2020 00:37:26 -0700 (PDT)
Received: from mail-il1-x12b.google.com (mail-il1-x12b.google.com [IPv6:2607:f8b0:4864:20::12b]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id E14F13A1338; Thu, 15 Oct 2020 00:37:20 -0700 (PDT)
Received: by mail-il1-x12b.google.com with SMTP id w17so3003401ilg.8; Thu, 15 Oct 2020 00:37:20 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=Qaq60cppeF+uxHTsdAk28fVL/yKZ0EvLp2w9D+yTNw8=; b=IlMeL5XSV1EzWSQR2hkM19BdXf8/wPRIXEIWp1iJa3jIyCzPPWlXHDarVgqS5N7+h1 wYQfGmxbZi+zzZAqlo956d0n8X7ruV3lwgGlYHZCYua6JxIyaKEVY3SgvmkGcazSsnic fTH6ZzhvEA9ti1b4a3G3FzIuXkI8sZ2nYZZq9/bVoC4zqE93cYB9Im3eYhwybMMauobI jMR0CJHQ6PrtLyBl4ZIafc0iz++pVZsPsCIsJgnDdLFNLZ6wqjOSZZyPE4skBF/Kt8it g9b5rD6/oKsp/yW66rOSb9CVtRwRFvtnrBiUupk3FQxfsYRkpCITOjlD8P8QTrujSTvy 61TQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=Qaq60cppeF+uxHTsdAk28fVL/yKZ0EvLp2w9D+yTNw8=; b=hisn5s6XjU6yLUaAE6y4ZVp8c2d6ymIQ+VFAa9LqkPd+blpqf7uaLNXjoI63okuW/J VtcndaZeuVzAwSAXjawKuq3hUXXYNZd82mAJqxvbkkXs+zzxh6gqfjGHvgXhNlRHRj4X TEhvkG7ZkqBMUA/GRbtjDPGEi0YVF3jLHceexG4WpEsxp3QjodRclBCWfqs3GXYpJZ0k Jk+qm91vjIlESmPIRiGMWOFbc9a93iQbajPi/FsBNsBMYceavxle9o9w+fvSdKkv6ArQ AcJzBf5lEzCdn5MYgsbkDYtmOWIEq3XEyRW9w77pFlkFgDM4k5z6B/vOUHn2B24S6i0m iXpg==
X-Gm-Message-State: AOAM533K/R99WgG9q9FETf1YUHM4qTAm/7Hp2P72NMNtq1T4ln+STpej fNK21C9NGmeNoexoRM9G4CJscYqRd86/cubNTOM=
X-Google-Smtp-Source: ABdhPJxgV8re/xf1tCfN7nd14zy9ESIqvk7h0tWMv16ruOMa0e/hwbzgefNn06GxdSxogkuHNTD0JCveKJjeoqWVvN8=
X-Received: by 2002:a05:6e02:dea:: with SMTP id m10mr2255844ilj.208.1602747440014; Thu, 15 Oct 2020 00:37:20 -0700 (PDT)
MIME-Version: 1.0
References: <7048_1602675845_5F86E485_7048_112_3_787AE7BB302AE849A7480A190F8B93303155FF8F@OPEXCAUBMA2.corporate.adroot.infra.ftgroup> <20201015022547.GY50845@kduck.mit.edu>
In-Reply-To: <20201015022547.GY50845@kduck.mit.edu>
From: tirumal reddy <kondtir@gmail.com>
Date: Thu, 15 Oct 2020 13:07:08 +0530
Message-ID: <CAFpG3geoie+yArj9LZboo0-kcPno=ccmYHB4o2TXMJgWRcW7ig@mail.gmail.com>
To: Benjamin Kaduk <kaduk@mit.edu>
Cc: Mohamed Boucadair <mohamed.boucadair@orange.com>, "draft-ietf-dots-signal-call-home.all@ietf.org" <draft-ietf-dots-signal-call-home.all@ietf.org>, "dots@ietf.org" <dots@ietf.org>
Content-Type: multipart/alternative; boundary="000000000000d3a9ef05b1b0b70e"
Archived-At: <https://mailarchive.ietf.org/arch/msg/dots/zw26koynczWMY7ELPyQGxdPbjPU>
Subject: Re: [Dots] AD evaluation of draft-ietf-dots-signal-call-home-09: Section 1
X-BeenThere: dots@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "List for discussion of DDoS Open Threat Signaling \(DOTS\) technology and directions." <dots.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dots>, <mailto:dots-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dots/>
List-Post: <mailto:dots@ietf.org>
List-Help: <mailto:dots-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dots>, <mailto:dots-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 15 Oct 2020 07:37:28 -0000

On Thu, 15 Oct 2020 at 07:55, Benjamin Kaduk <kaduk@mit.edu> wrote:

> Hi Med,
>
> Also inline.
>
> On Wed, Oct 14, 2020 at 11:44:05AM +0000, mohamed.boucadair@orange.com
> wrote:
> > Hi Ben,
> >
> > Thank you for the detailed review.
> >
> > Please see inline.
> >
> > Cheers,
> > Med
> >
> > > -----Message d'origine-----
> > > De : Benjamin Kaduk [mailto:kaduk@mit.edu]
> > > Envoyé : mercredi 14 octobre 2020 01:08
> > > À : draft-ietf-dots-signal-call-home.all@ietf.org
> > > Cc : dots@ietf.org
> > > Objet : AD evaluation of draft-ietf-dots-signal-call-home-09
> > >
> > > Hi all,
> > >
> > > Nothing super-earth-shattering in here, but there's enough that
> > > we'll need a revised I-D and some more WG input before I'm ready to
> > > start the IETF LC.
> > >
> > > -Ben
> > >
> > >
> > > YANG lint says:
> > >
> > > ietf-dots-call-home@2020-07-07.yang:11: warning: imported module
> > > "ietf-dots-signal-channel" not used
> > >
> > > AFAICT that's a yanglint bug, since we do augment nodes from the
> > > signal channel.
> >
> > [Med] Yes, it is a pyang issue. We have a similar warning for RFC8791
> (where sx is defined):
>
> Thanks for confirming.
>
> > ==
> > $ pyang -f tree --tree-print-structures
> example-module-aug\@2020-07-07.yang
> > example-module-aug@2020-07-07.yang:9: warning: imported module
> "example-module" not used
> > module: example-module-aug
> >
> >   augment-structure /exm:address-book/exm:address:
> >     +-- county?    string
> >     +-- zipcode?   string
> > ==
> >
> > >
> > > I see that this document has a few IPR notices against it; in
> > > particular, the one at https://datatracker.ietf.org/ipr/3318/ does
> > > not list any licensing terms ("Unwilling to Commit to the Provisions
> > > of a), b), or c) Above", where a/b/c are "no license needed for
> > > implementation"/"RAND with no fee"/"RAND with possible fee").
> > > I believe we are working to see if the situation can be clarified
> > > and the IPR disclosure updated, but I don't know that we need to
> > > delay any progress until that has occurred.  That said, personally,
> > > I'm not very comfortable about a protocol that potentially is
> > > encumbered by IPR with unknown license terms.  However, I am willing
> > > to at least advance the document to IETF LC if there is clear WG
> > > support for doing so, even knowing that use of the protocol would
> > > potentially be subject to arbitrary terms from the IPR holder.  I
> > > would really like to hear from the WG members on this point.
> >
> > [Med] Actually, there is only one IPR disclosure (3328) that is directly
> made for the document. Some more information below:
> > * The two IPR disclosures (3318/3337) were made in early stages of the
> development of the individual submission, especially before WG adoption.
> > * 3328 is not a new disclosure but an update of 3337 to point to the
> wg-adopted version. A note was sent to the chairs to inform them about the
> update.
> > * I'm not sure that IPR disclosures are transitive. 3318 is not filled
> directly against draft-ietf-dots-signal-call-home.
>
> I believe that the tooling assumes they are transitive (and is right to do
> so).  In essence, "we" don't know which parts of the individual draft the
> IPR is supposed to apply to without getting legal advice, so if any part of
> the individual draft's machinery appears in the WG draft we are forced to
> assume that it is "tainted" by the IPR claim.
>

An update to IPR disclosure (3318) will be published soon.

-Tiru


>
> > >
> > > I mention it in the section-by-section comments, but we introduce
> > > the possibility of "wait for administrator approval" in the
> > > mitigation-request processing pipeline, which could exceed a normal
> > > CoAP request timeout.  I think we need to have some substantive text
> > > discussion the expected behavior in this case.
> >
> > [Med] There is no request timeout because a request that requires an
> admin validation can be first replied with attack-mitigation-in-progress
> status. If the request is then rejected by the admin, the status will
> change to attack-mitigation-withdrawn with conflict-status set to the new
> code "mitigation-request-rejected" defined in the document.
> >
> > Will add more text.
>
> Okay.  I wasn't sure if (among other things)
> "attack-mitigation-in-progress" is appropriate for "I'm not actually
> mitigating anything yet, just waiting for approval".  Thanks for adding
> text.
>
> > >
> > > Section 1.1
> > >
> > >    Some of the DDoS attacks like spoofed RST or FIN packets,
> > > Slowloris,
> > >    and Transport Layer Security (TLS) re-negotiation are difficult
> > > to
> > >    detect on a home network device without adversely affecting its
> > >
> > > (side note) TLS renegotiation as an attack is just keeping a TLS
> > > connection open and repeatedly re-negotiating to cause the server to
> > > burn CPU on signing operations?
> >
> > [Med] Yes.
> >
> >   I don't think I've heard of that
> > > one before.
> >
> > [Med] Some DoS tools are supporting this, but I don't have data about
> recent attacks exploiting it. Unless there is an objection (Tiru?), I would
> remove the example as we don't need to be exhaustive anyway.
>
> I think it's okay to keep the example; it helps get people thinking outside
> the box.
>
> > >
> > > Section 1.2
> > >
> > >    'DOTS signal channel Call Home' (or DOTS Call Home, for short)
> > > refers
> > >    to a DOTS signal channel established at the initiative of a DOTS
> > >    server.  That is, the DOTS server initiates a secure connection
> > > to a
> > >    DOTS client, and uses that connection to receive the attack
> > > traffic
> > >    information (e.g., attack sources) from the DOTS client.  More
> > >    details are provided in Section 3.
> > >
> > > I think this introductory section needs to be crystal clear for the
> > > reader about the relationship between the "conventional" signal
> > > channel DOTS client and the corresponding call home DOTS client for
> > > a given mitigation process.  Some people will expect both things
> > > with "client"
> > > in the name to be on the same device, and some people will expect
> > > the (call home) client to be the device that makes mitigation
> > > requests, but both cannot be right.  The phrase "role reversal"
> > > might be useful in describing these interpretations, as might a
> > > forward reference to section 1.4.  (Yes, I understand that there is
> > > no need for either DOTS call home peer to be colocated with any base
> > > signal channel element, but I think that the default scenario in
> > > many readers' minds will be the simple role-reversal setup.)
> > >
> >
> > [Med] The NEW text is as follows:
> >
> > NEW:
> >    'DOTS signal channel Call Home' (or DOTS Call Home, for short) refers
> >    to a DOTS signal channel established at the initiative of a DOTS
> >    server thanks to a role reversal at the (D)TLS layer (Section 3.1).
> >           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
> >    That is, the DOTS server initiates a secure connection to a DOTS
> >    client, and uses that connection to receive the attack traffic
> >    information (e.g., attack sources) from the DOTS client.
> >
> >    DOTS agents involved in the DOTS Call Home adhere to the DOTS roles
>
> (Maybe "otherwise adhere"?)
>
> >    as defined in [RFC8612].  For clarity, this document uses "Call Home
> >    DOTS client" (or "Call Home DOTS server") to refer to a DOTS client
> >    (or DOTS server) deployed in a Call Home scenario (Figure 1).  DOTS
> >    Call Home agents may (or not) be co-located with DOTS agents that are
> >    ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
> >    compliant with [I-D.ietf-dots-rfc8782-bis] (see Section 1.4 for more
> >    ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
> >    details).
>
> Thanks a bunch; this does seem to meet the "crystal clear" criterion.
> I am sure that you considered "DOTS Call Home server"/client in the one
> sentence that uses "DOTS server"/client before the call-home-specific terms
> are introduced, and don't want to try to nitpick further.
>
> >
> > > Section 1.3
> > >
> > > It's a little unfortunate that we are using the "DMS" acronym in the
> > > figure here, when we only mention the terminology of RFC 8612 in
> > > section 2.  (That said, I'm willing to leave it as-is for now and
> > > see if anyone
> > > complains.)
> >
> > [Med] Added this NEW text to the terminology section:
> >
> >    DDoS Mitigation System (DMS) refers to a system that performs DDoS
> >    mitigation.
>
> Sorry, I meant that the figure occurs before the terminology section in the
> flow of the document.  Even expanding "DMS" specifically in the terminology
> section doesn't change that.  (But I don't have a particular proposal to
> improve things, and am willing to leave it as you have it in the editor's
> copy.)
>
> Thanks,
>
> Ben
>
> > >
> > > Section 3.1
> > >
> > >    The DOTS signal channel Call Home preserves all but one of the
> > > DOTS
> > >    client/server roles in the DOTS protocol stack, as compared to
> > > DOTS
> > >    client-initiated DOTS signal channel protocol
> > >
> > > I suppose one could quibble about whether "party allowed to behave
> > > passively with respect to heartbeats" qualifies as a "client/server
> > > role" ... I think I'm okay leaving this as-is for now, though.
> > >
> > >    For example, a home network element (e.g., home router) co-
> > > located
> > >    with a Call Home DOTS server is the (D)TLS server.  However, when
> > >
> > > Figure 7 has a box labelled "Call Home DOTS server" and also "(D)TLS
> > > client" (not server).  At first I thought this was trying to make an
> > > analogy to a (normal) signal channel DOTS server as being the (D)TLS
> > > server, but that would not be in a home network element.  So maybe
> > > this is just a typo?
> >
> > [Med] This is a typo in the text. The figure is correct. Thanks for
> catching this.
> >
> > >
> > >    calling home, the DOTS server initially assumes the role of the
> > >    (D)TLS client, but the network element's role as a DOTS server
> > >
> > > We may want to continue using "DOTS Call Home server" in these two
> > > lines.
> >
> > [Med] OK.
> >
> >
> >
> _________________________________________________________________________________________________________________________
> >
> > Ce message et ses pieces jointes peuvent contenir des informations
> confidentielles ou privilegiees et ne doivent donc
> > pas etre diffuses, exploites ou copies sans autorisation. Si vous avez
> recu ce message par erreur, veuillez le signaler
> > a l'expediteur et le detruire ainsi que les pieces jointes. Les messages
> electroniques etant susceptibles d'alteration,
> > Orange decline toute responsabilite si ce message a ete altere, deforme
> ou falsifie. Merci.
> >
> > This message and its attachments may contain confidential or privileged
> information that may be protected by law;
> > they should not be distributed, used or copied without authorisation.
> > If you have received this email in error, please notify the sender and
> delete this message and its attachments.
> > As emails may be altered, Orange is not liable for messages that have
> been modified, changed or falsified.
> > Thank you.
> >
>

v2.23.0 | Report a Bug | By Email