Re: [savnet] draft-cui-savnet-anti-ddos-00

Barry Greene <bgreene@senki.org> Tue, 27 September 2022 02:09 UTC

From: Barry Greene <bgreene@senki.org>
To: mohamed.boucadair@orange.com
Cc: 惠林博 <huilb=40zgclab.edu.cn@dmarc.ietf.org>, "savnet@ietf.org" <savnet@ietf.org>
Date: Tue, 27 Sep 2022 10:09:28 +0800
Subject: Re: [savnet] draft-cui-savnet-anti-ddos-00
Message-Id: <993AA924-560A-4732-BBCB-5ABE3DEF6747@senki.org>
In-Reply-To: <2968_1664177831_633156A7_2968_250_1_3521434ebbd743f7800992a41283855c@orange.com>
References: <ACF4F69E-4639-4FA6-9368-26D039DCBB3E@zgclab.edu.cn> <2968_1664177831_633156A7_2968_250_1_3521434ebbd743f7800992a41283855c@orange.com>
List-Id: Source Address Validation in Intra-domain and Inter-domain Networks <savnet.ietf.org>
List-Archive: <https://mailarchive.ietf.org/arch/browse/savnet/>
Archived-At: <https://mailarchive.ietf.org/arch/msg/savnet/6Fg63eQFltnRFN_jgF9ho3G8lug>

+1 to what Med is pointing out. 

I totally support new work on SAV and the techniques we use to push back against DDoS. But, I’m failing to see the new work that justifies a new IETF Working Group. 

We have decades of tools, techniques, and approaches that have yet to be fully deployed. Understanding the reasons and dynamics behind the lack of deployment is critical to any new “anti-DDoS” work. 


> On Sep 26, 2022, at 3:37 PM, mohamed.boucadair@orange.com wrote:
> 
> Hi Linbo,
>  
> On the DOTS part, and for information, the protocol also supports a telemetry mechanism (RFC 9244). Among the things that can be reported as part of DOTS telemetry is the spoofing status of an address that is actively involved in an attack.
>  
> Cheers,
> Med
>  
> From: savnet <savnet-bounces@ietf.org> On behalf of ???
> Sent: Saturday, 24 September 2022 12:04
> To: bgreene@senki.org
> Cc: savnet@ietf.org
> Subject: Re: [savnet] draft-cui-savnet-anti-ddos-00
>  
> Hi Barry,
>  
> Thanks for your suggestion.
>  
> In SADA, the SAV routers are designed not to simply discard the spoofed packets but to record the spoofing statistics and behaviors, which we regard as a honeynet. Compared with existing honeynets, the SAV routers lack some lure and sacrifice mechanisms. If the terminology "honeynet" in SADA is considered unsuitable, we will remove it in the revised draft.
> 
> NetFlow/IPFIX is a network traffic measurement technology that uses packet sampling to generate flow-level statistics that can be used to detect attacks. In addition, the DOTS WG (https://datatracker.ietf.org/wg/dots/about/) has proposed a signaling architecture to detect, classify, traceback, and mitigate DDoS attacks. DOTS focuses on DDoS threat signal transmission under attack traffic congestion conditions. In comparison, the SADA collects statistics on every spoofed packet and is targeted at DDoS detection. NetFlow/IPFIX and DOTS are both potential data collection methods for SADA.
>  
>  
> Best,
> Linbo Hui
>  
> 
> 
> 
> 
> -----Original Message-----
> From: "Barry Greene" <bgreene@senki.org>
> Sent: 2022-09-20 09:45:58 (Tuesday)
> To: "惠林博" <huilb@zgclab.edu.cn>
> Cc: "savnet@ietf.org" <savnet@ietf.org>
> Subject: Re: [savnet] draft-cui-savnet-anti-ddos-00
> 
>  
> Read through twice. I would suggest more research into today’s operational realities. For example:
>  
> "A distributed DDoS detection mechanism based on honeynets.  The SADA introduces a SAV controller for gathering spoofing statistics from SAV routers that act as honeynets.”
>  
> This is active today through multiple HoneyNet projects. For context on today’s operational deployments, talk with Q360 for an in-China example.
>  
> “The SADA can detect DDoS attacks with a comprehensive analysis using aggregated information from distributed SAV routers.”
>  
> Isn’t that NetFlow/IPFIX with open source and commercial telemetry systems?
>  
> What is improving on what we have deployed today?
>  
>  
> 
> 
> On Sep 20, 2022, at 8:36 AM, 惠林博 <huilb=40zgclab.edu.cn@dmarc.ietf.org> wrote:
>  
> Hi SAVNET Experts,
> 
> We have submitted a new draft: draft-cui-savnet-anti-ddos-00. The link is https://datatracker.ietf.org/doc/draft-cui-savnet-anti-ddos/
> 
> The draft proposes the SAVA-based Anti-DDoS Architecture (SADA), which can efficiently detect, mitigate, and traceback Denial-of-Service (DDoS) attacks that spoof source addresses. The SADA consists of a distributed DDoS detection mechanism based on honeynets, a multi-stage DDoS mitigation mechanism, and a suspect-based DDoS traceback mechanism. By adopting the Source Address Validation Architecture (SAVA) of SAVNET and introducing the data plane and the control plane, the SADA makes minor changes to the SAVA while providing major benefits.
> 
> We'd be grateful if you could provide some feedback. Please let us know if you have any questions or comments about the draft.
> 
> 
> Best regards
> 
> Linbo Hui
> -- 
> savnet mailing list
> savnet@ietf.org
> https://www.ietf.org/mailman/listinfo/savnet
>  
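The thread above argues over what a SAV router that counts spoofed packets (rather than silently dropping them) adds beyond NetFlow/IPFIX telemetry. The following is an added illustration, not code from the draft, from the thread's participants, or from any SAVNET implementation: a toy SAV router that validates each packet's source against the prefixes bound to its ingress interface (a strict, uRPF-style rule), keeps per-(ingress, destination) spoofed counters, and a controller that aggregates those counters across routers and flags destinations whose aggregate spoofed count crosses a threshold. Router names, interface names, prefixes, packets and the threshold are all constructed sample data.

```python
"""Toy model of SAV routers that count spoofed packets, plus a controller
that aggregates the counters. Added example; not code from
draft-cui-savnet-anti-ddos or from any real SAV implementation."""

from collections import Counter, defaultdict
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Packet:
    ingress: str  # interface the packet arrived on
    src: str      # claimed source address
    dst: str      # destination address


@dataclass
class SAVRouter:
    name: str
    # constructed per-interface rule: source prefixes legitimately reachable via
    # that interface (strict, uRPF-like; real SAV rules can be looser).
    allowed: dict
    spoofed: Counter = field(default_factory=Counter)  # (ingress, dst) -> count
    passed: int = 0

    def validate(self, pkt: Packet) -> bool:
        """Return True if the source is valid for the ingress interface; otherwise
        record the packet as spoofed instead of only discarding it."""
        src = ip_address(pkt.src)
        if any(src in ip_network(p) for p in self.allowed.get(pkt.ingress, [])):
            self.passed += 1
            return True
        self.spoofed[(pkt.ingress, pkt.dst)] += 1
        return False

    def report(self) -> dict:
        """Counters the router would export to the controller."""
        return {self.name: dict(self.spoofed)}


class SAVController:
    """Aggregates spoofed-packet counters from many routers per destination."""

    def __init__(self, threshold: int):
        self.threshold = threshold
        self.by_dst = defaultdict(Counter)  # dst -> Counter[(router, ingress)]

    def ingest(self, report: dict) -> None:
        for router, counts in report.items():
            for (ingress, dst), n in counts.items():
                self.by_dst[dst][(router, ingress)] += n

    def suspects(self) -> dict:
        """Destinations whose aggregate spoofed count meets the threshold, with the
        router/interface pairs that saw the traffic (a traceback starting point)."""
        out = {}
        for dst, c in self.by_dst.items():
            total = sum(c.values())
            if total >= self.threshold:
                out[dst] = {
                    "total": total,
                    "ingress_points": sorted(c.items(), key=lambda kv: -kv[1]),
                }
        return out


def run_demo() -> dict:
    # Constructed topology: two routers, three customer-facing interfaces.
    router_a = SAVRouter("rtr-a", {"cust1": ["192.0.2.0/24"],
                                   "cust2": ["198.51.100.0/24"]})
    router_b = SAVRouter("rtr-b", {"cust3": ["203.0.113.0/24"]})
    victim = "198.51.100.5"

    traffic = []
    # legitimate: source matches the prefix bound to the ingress interface
    traffic += [Packet("cust1", f"192.0.2.{i}", victim) for i in range(1, 11)]
    traffic += [Packet("cust3", f"203.0.113.{i}", "198.51.100.9") for i in range(1, 6)]
    # spoofed flood toward the victim, arriving at two different routers
    traffic += [Packet("cust1", f"203.0.113.{i}", victim) for i in range(1, 41)]
    traffic += [Packet("cust3", f"192.0.2.{i}", victim) for i in range(1, 31)]
    # a few stray spoofed packets to another host: below threshold, not flagged
    traffic += [Packet("cust2", f"10.0.0.{i}", "198.51.100.9") for i in range(1, 4)]

    for pkt in traffic:
        router = router_a if pkt.ingress in router_a.allowed else router_b
        router.validate(pkt)

    ctrl = SAVController(threshold=50)
    ctrl.ingest(router_a.report())
    ctrl.ingest(router_b.report())
    return ctrl.suspects()


if __name__ == "__main__":
    for dst, info in run_demo().items():
        print(dst, info["total"], info["ingress_points"])
```

What the counters give you that sampled flow records do not is a per-packet, per-ingress count of traffic that already failed validation, so the aggregate is a direct measure of spoofed volume rather than an inference from flow shapes. The caveat the thread raises still applies: a strict per-interface rule like the one here misclassifies legitimate sources under asymmetric routing or multihoming, and every such misclassification is counted as "spoofed"; the threshold and the rule quality decide whether the controller's output is signal or noise.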