Re: [savnet] draft-cui-savnet-anti-ddos-00

惠林博 <huilb@zgclab.edu.cn> Fri, 30 September 2022 02:51 UTC

Date: Fri, 30 Sep 2022 10:49:24 +0800
From: 惠林博 <huilb@zgclab.edu.cn>
To: "bgreene@senki.org" <bgreene@senki.org>
Cc: "savnet@ietf.org" <savnet@ietf.org>
Message-ID: <1BFE69FB-5606-4824-87A6-EC05F012F3AD@zgclab.edu.cn>
In-Reply-To: <993AA924-560A-4732-BBCB-5ABE3DEF6747@senki.org>
References: <ACF4F69E-4639-4FA6-9368-26D039DCBB3E@zgclab.edu.cn> <2968_1664177831_633156A7_2968_250_1_3521434ebbd743f7800992a41283855c@orange.com> <993AA924-560A-4732-BBCB-5ABE3DEF6747@senki.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/savnet/QNwpeaKgL8vOdO08G1ZRrBz186A>
Subject: Re: [savnet] draft-cui-savnet-anti-ddos-00

Hi Barry,

Yes, it’s true that we have decades of tools, techniques, and approaches that have yet to be fully deployed. From my understanding, the reasons may lie in significant modifications to existing equipment, unsuitable business models, and even policies. Fortunately, SAVA has made great progress in China. We have more and more vendor devices with SAVA capabilities, and they are already deployed in CERNET2 and lots of campus networks.

In this context, the SADA can be based on the current deployment of SAVA and other techniques (e.g., the DOTS related techniques, IPFIX, and FlowSpec) to provide more powerful DDoS detection and mitigation. We hope to fully unleash the SAVA’s protection potential under its incremental deployment and, in turn, incentivize more techniques to be deployed. I would like to hear your opinions on this. In addition, what do you think of the reasons and dynamics behind the lack of deployment?


Best,
Linbo
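As an added example (not code from the draft or its authors), the following Python sketch models the SADA mechanism discussed in this thread: SAV routers validate sources against a binding table, record spoofing statistics rather than only dropping spoofed packets, and a controller aggregates the per-router reports so that a flood which no single router would flag is detected across routers. The router names, binding tables, threshold and traffic are all constructed for illustration.

```python
import ipaddress
from collections import Counter, defaultdict

# Constructed SAVA binding tables: legitimate source prefixes per ingress interface.
BINDINGS = {"r1": {"eth0": ["10.1.0.0/16"], "eth1": ["10.2.0.0/16"]},
            "r2": {"eth0": ["10.3.0.0/16"]}}

class SavRouter:
    """SAV router that drops spoofed packets AND records per-flow spoofing statistics."""
    def __init__(self, name):
        self.name, self.spoofed = name, Counter()  # (iface, claimed /24, dst) -> packets

    def process(self, iface, src, dst):
        addr = ipaddress.ip_address(src)
        if any(addr in ipaddress.ip_network(p) for p in BINDINGS[self.name][iface]):
            return "forward"
        claimed = str(ipaddress.ip_network(f"{src}/24", strict=False))
        self.spoofed[(iface, claimed, dst)] += 1  # record instead of silently dropping
        return "drop"

    def report(self):
        """Statistics exported to the controller (IPFIX or DOTS telemetry in a real deployment)."""
        return {self.name: dict(self.spoofed)}

class SavController:
    def __init__(self, threshold):
        self.threshold, self.by_dst = threshold, defaultdict(Counter)  # dst -> router -> count

    def ingest(self, report):
        for router, stats in report.items():
            for (_iface, _claimed, dst), n in stats.items():
                self.by_dst[dst][router] += n

    def detect(self):
        return {dst: dict(c) for dst, c in self.by_dst.items()
                if sum(c.values()) >= self.threshold}

def run_demo():
    """Constructed traffic: a spoofed flood toward 203.0.113.10 split across two routers."""
    routers = {"r1": SavRouter("r1"), "r2": SavRouter("r2")}
    packets = ([("r1", "eth0", "10.1.5.5", "203.0.113.10")]         # legitimate
               + [("r1", "eth0", "10.2.9.9", "203.0.113.10")] * 3   # 10.2/16 is not bound to eth0
               + [("r2", "eth0", "192.0.2.7", "203.0.113.10")] * 4  # foreign prefix
               + [("r2", "eth0", "10.3.1.1", "198.51.100.1")])      # legitimate
    for r, iface, src, dst in packets:
        routers[r].process(iface, src, dst)
    ctl = SavController(threshold=5)  # no single router crosses it; the aggregate does
    for r in routers.values():
        ctl.ingest(r.report())
    return ctl.detect()
```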


---- Replied Message ----
+1 to what Med is pointing out. 

I totally support new work on SAV and the techniques we use to push back against DDoS. But, I’m failing to see the new work that justifies a new IETF Working Group. 

We have decades of tools, techniques, and approaches that have yet to be fully deployed. Understanding the reasons and dynamics behind the lack of deployment is critical to any new “anti-DDoS” work. 


On Sep 26, 2022, at 3:37 PM, mohamed.boucadair@orange.com wrote:

Hi Linbo,

On the DOTS part, and for information, the protocol supports also a telemetry mechanism (RFC9244). Among things that can be reported as part of DOTS telemetry is the spoofing status of an address that is actively involved in an attack.

Cheers,
Med

From: savnet <savnet-bounces@ietf.org> On behalf of ???
Sent: Saturday, 24 September 2022 12:04
To: bgreene@senki.org
Cc: savnet@ietf.org
Subject: Re: [savnet] draft-cui-savnet-anti-ddos-00
 

Hi Barry,

Thanks for your suggestion.

In SADA, the SAV routers are designed not to simply discard the spoofed packets but to record the spoofing statistics and behaviors, which we regard as a honeynet. Compared with existing honeynets, the SAV routers lack some lure and sacrifice mechanisms. If the terminology "honeynet" in SADA is considered unsuitable, we will remove it in the revised draft.

Netflow/IPFIX is a network traffic measurement technology that uses packet sampling to generate flow-level statistics that can be used to detect attacks. In addition, the DOTS WG (https://datatracker.ietf.org/wg/dots/about/) has proposed a signaling architecture to detect, classify, traceback, and mitigate DDoS attacks. DOTS focuses on DDoS threat signals transmission under attack traffic congestion conditions. In comparison, the SADA collects statistics on every spoofed packet and is targeted for DDoS detection. Netflow/IPFIX and DOTS are both potential data collection methods for SADA.

Best,
Linbo Hui



-----Original Message-----
From: "Barry Greene" <bgreene@senki.org>
Sent: 2022-09-20 09:45:58 (Tuesday)
To: "惠林博" <huilb@zgclab.edu.cn>
Cc: "savnet@ietf.org" <savnet@ietf.org>
Subject: Re: [savnet] draft-cui-savnet-anti-ddos-00


Read through twice. I would suggest more research into today’s operational realities. For example:

"A distributed DDoS detection mechanism based on honeynets.  The SADA introduces a SAV controller for gathering spoofing statistics from SAV routers that act as honeynets.”

This is active today through multiple HoneyNet projects. For context on today’s operational deployments, talk to Q360 for an in-China example.

“The SADA can detect DDoS attacks with a comprehensive analysis using aggregated information from distributed SAV routers.”

Isn’t that Netflow/IPFIX with open source and commercial telemetry systems?

What is improving on what we have deployed today?



On Sep 20, 2022, at 8:36 AM, 惠林博 <huilb=40zgclab.edu.cn@dmarc.ietf.org> wrote:
Hi SAVNET Experts,

We have submitted a new draft: draft-cui-savnet-anti-ddos-00. The link is
https://datatracker.ietf.org/doc/draft-cui-savnet-anti-ddos/

The draft proposes the SAVA-based Anti-DDoS Architecture (SADA), which can efficiently detect, mitigate, and traceback Denial-of-Service (DDoS) attacks that spoof source addresses. The SADA consists of a distributed DDoS detection mechanism based on honeynets, a multi-stage DDoS mitigation mechanism, and a suspect-based DDoS traceback mechanism. By adopting the Source Address Validation Architecture (SAVA) of SAVNET and introducing the data plane and the control plane, the SADA makes minor changes to the SAVA while providing major benefits.

We'd be grateful if you could provide some feedback. Please let us know if you have any questions or comments about the draft.


Best regards

Linbo Hui