Re: [Dyncast] edge capability feedback
Meiling Chen <chenmeiling@chinamobile.com> Fri, 12 March 2021 10:15 UTC
Date: Fri, 12 Mar 2021 18:15:22 +0800
From: "Meiling Chen" <chenmeiling@chinamobile.com>
To: "Carsten Bormann" <cabo@tzi.org>,
"Luigi IANNONE" <luigi.iannone@huawei.com>
Cc: dyncast <dyncast@ietf.org>, "Dirk Trossen" <dirk.trossen@huawei.com>,
"Joel M. Halpern" <jmh@joelhalpern.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dyncast/PCVlz2Kk_2hrOrksxkFRB-rbD28>

Hi,

It's really worth talking about whether DOTS can be applied to new fields.

As one of the DOTS contributors, I may think DOTS is not so suitable to solve the problem that exists in Dyncast. DOTS uses a client to send mitigation requests to the DOTS server; it's a C/S structure. The scope of the DOTS definition is mainly the signal channel and the data channel between the DOTS client and server. The signal channel uses CoAP based on TLS or DTLS to transmit mitigation requests, which are triggered by a DDoS alarm. The main function of the data channel is data exchange, which requires a reliable transport mode and uses RESTCONF based on TLS. The protocol that will be used in Dyncast should be reliable; however, the data channel is not lightweight enough.

Best Regards,
Meiling

From: Carsten Bormann
Date: 2021-03-12 17:03
To: Luigi IANNONE
CC: dyncast; Dirk Trossen; Joel M. Halpern
Subject: Re: [Dyncast] edge capability feedback

On 2021-03-12, at 09:48, Luigi IANNONE <luigi.iannone@huawei.com> wrote:
>
> However, I would like to come back to Barry's point: DDoS.
>
> AFAIR we did not touch that much this issue, yet, it is important to consider the case of a malicious attacker trying to abuse Dyncast.

I think we need to distinguish the client as an attacker and the server as an attacker.

Beyond what any network user can do, the most interesting angle a dyncast client can use is resource exhaustion by creating fake state. Not creating state per client (Option 5) is probably the only realistic mitigation.

I haven't really thought about server-side attacks. Servers will be able to create state, and there needs to be some active state management (not just against attacks, but also against malfunctions such as continuously rebooting or respawning servers).

> What kind of mechanism should Dyncast include? Can DOTS somehow help?
> (I do not know this technology so I do not have an answer)

DOTS is really about the victim (or their collaterals) talking to the network to mitigate an attack that cannot be otherwise managed. Let's try to make that unnecessary :-)

> Certainly in the next version of the architectural document we should start to provide a security analysis at least from an architectural perspective ;-)

Indeed!

Grüße, Carsten

--
Dyncast mailing list
Dyncast@ietf.org
https://www.ietf.org/mailman/listinfo/dyncast