Re: [IPsec] Textual changes to the DDoS draft

"Waltermire, David A." <david.waltermire@nist.gov> Fri, 26 February 2016 00:03 UTC

From: "Waltermire, David A." <david.waltermire@nist.gov>
To: "ipsec@ietf.org WG" <ipsec@ietf.org>
Date: Fri, 26 Feb 2016 00:03:22 +0000
Message-ID: <DM2PR09MB0365CABFFA5C55BB6A637720F0A70@DM2PR09MB0365.namprd09.prod.outlook.com>
References: <9DC60612-D5BC-4D55-8364-90DA5CAEB41F@gmail.com>
In-Reply-To: <9DC60612-D5BC-4D55-8364-90DA5CAEB41F@gmail.com>
Archived-At: <http://mailarchive.ietf.org/arch/msg/ipsec/VH7OYWPy2rxTvkdABHk_LjUAiq0>

I haven't seen any additional feedback on the DDoS draft this week based on Yoav's note about the PR [1]. It also looks like the discussion on chaining puzzles has wrapped up with no changes needed to the draft [2].

Unless there are any additional concerns with these issues, I believe we are ready for a WGLC on an updated revision of the draft.

Once Yoav posts the updated draft based on the PR, I'll issue the WGLC.

Thanks for working through these last issues.

Thanks,
Dave

[1] https://mailarchive.ietf.org/arch/msg/ipsec/XjuWvb9PvVjH1YMSzAMkAuC1zOQ
[2] https://mailarchive.ietf.org/arch/msg/ipsec/yeS8ooGWfvnxfs8zS24LYYpr9QM

From: IPsec [mailto:ipsec-bounces@ietf.org] On Behalf Of Yoav Nir
Sent: Monday, February 22, 2016 6:21 AM
To: ipsec@ietf.org WG <ipsec@ietf.org>
Subject: [IPsec] Textual changes to the DDoS draft

Hi all

Valery submitted a new PR with a couple of textual changes, mostly based on comments by Dave.

https://github.com/ietf-ipsecme/drafts/pull/12

The changes (listed below) seem fine to me. If nobody objects, I will merge them in on Friday.

Yoav

List of changes:

#1: Change snarky reference to Starbucks to something less snarky and less related to Starbucks:
OLD:
For example, if a certain purveyor of beverages resembling coffee provides Internet connectivity to its customers through an IPv4 NAT device, a single malicious customer can create enough half-open SAs to fill the quota for the NAT device external IP address. Legitimate Initiators on the same network will not be able to initiate IKE.

NEW:
For example, if a network service provider or some establishment offers Internet connectivity to its customers or employees through an IPv4 NAT device, a single malicious customer can create enough half-open SAs to fill the quota for the NAT device external IP address. Legitimate Initiators on the same network will not be able to initiate IKE.


#2: Purely textual change
OLD:
Regardless of the type of rate-limiting used, there is a huge advantage in blocking the DoS attack using rate-limiting in that legitimate clients who are away from the attacking nodes should not be adversely affected by either the attack or by the measures used to counteract it.

NEW:
Regardless of the type of rate-limiting used, there is a huge advantage in blocking the DoS attack using rate-limiting for legitimate clients that are away from the attacking nodes. In such cases, adverse impacts caused by the attack or by the measures used to counteract the attack can be avoided.
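The two draft passages quoted above describe one mechanism and its side effect: a Responder that caps half-open IKE SAs per source address, and the collateral damage when many Initiators sit behind one IPv4 NAT and therefore share a single external address. The toy model below is an added example written for this page; it is not code from the draft, the PR or any IKEv2 implementation. It simulates the per-address quota, an attacker behind a NAT who sends IKE_SA_INIT and never completes IKE_AUTH, a legitimate Initiator behind the same NAT, and a legitimate Initiator elsewhere. The quota value, addresses and class names are assumptions chosen for illustration.

```python
"""Toy model of a per-source-address half-open SA quota on an IKEv2 Responder.

Constructed example (not from the draft or any implementation). It shows the
effect described in the draft text: Initiators behind one IPv4 NAT share a
single external address, so one malicious Initiator can exhaust the quota for
everyone behind that NAT, while an Initiator "away from the attacking nodes"
keeps its own quota and is unaffected. Quota value and addresses are made up.
"""
from collections import defaultdict
from dataclasses import dataclass, field

HALF_OPEN_QUOTA_PER_IP = 16  # assumed policy value; the draft does not fix a number


@dataclass
class Responder:
    """Counts half-open IKE SAs (IKE_SA_INIT answered, no IKE_AUTH yet) per source IP."""
    quota: int = HALF_OPEN_QUOTA_PER_IP
    half_open: dict = field(default_factory=lambda: defaultdict(int))

    def ike_sa_init(self, src_ip: str) -> bool:
        """Accept the IKE_SA_INIT (creating a half-open SA) unless this address is at quota."""
        if self.half_open[src_ip] >= self.quota:
            return False  # quota for this source address exhausted: request dropped
        self.half_open[src_ip] += 1
        return True

    def ike_auth(self, src_ip: str) -> None:
        """A completed IKE_AUTH moves one SA for this address out of the half-open state."""
        if self.half_open[src_ip] > 0:
            self.half_open[src_ip] -= 1


@dataclass
class Nat:
    """IPv4 NAT: every internal host is seen by the Responder as one external address."""
    external_ip: str

    def translate(self, internal_ip: str) -> str:
        return self.external_ip


def simulate(quota: int = HALF_OPEN_QUOTA_PER_IP) -> dict:
    """Run the scenario from the draft text and report who got through."""
    responder = Responder(quota=quota)
    nat = Nat(external_ip="203.0.113.7")  # constructed address (RFC 5737 documentation range)

    # Malicious Initiator behind the NAT: floods IKE_SA_INIT, never sends IKE_AUTH.
    attacker_accepted = sum(
        responder.ike_sa_init(nat.translate("10.0.0.66")) for _ in range(quota * 4)
    )

    # Legitimate Initiator behind the same NAT: shares the external address, so shares the quota.
    legit_behind_nat = responder.ike_sa_init(nat.translate("10.0.0.23"))

    # Legitimate Initiator elsewhere: its own public address has its own, untouched quota.
    legit_elsewhere = responder.ike_sa_init("198.51.100.42")
    if legit_elsewhere:
        responder.ike_auth("198.51.100.42")  # completes the exchange, freeing its half-open slot

    return {
        "attacker_accepted": attacker_accepted,
        "legit_behind_nat_accepted": legit_behind_nat,
        "legit_elsewhere_accepted": legit_elsewhere,
        "half_open_for_nat_ip": responder.half_open[nat.external_ip],
    }


if __name__ == "__main__":
    print(simulate())
```

With the assumed quota of 16, the attacker's first 16 IKE_SA_INIT messages are accepted and the rest dropped; the legitimate Initiator behind the same NAT is then refused because the NAT's external address is at quota, while the Initiator on its own public address succeeds. That is exactly the asymmetry the second passage relies on: address-based rate limiting protects clients who do not share an address with the attacker, and the NAT text is the caveat about clients who do.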