IETF Logo Mail Archive

Re: [Sdn] new draft on SDN for DDoS mitigation

Linda Dunbar <linda.dunbar@huawei.com> Wed, 26 August 2015 22:35 UTC

Return-Path: <linda.dunbar@huawei.com>
X-Original-To: sdn@ietfa.amsl.com
Delivered-To: sdn@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D0E2F1B3500 for <sdn@ietfa.amsl.com>; Wed, 26 Aug 2015 15:35:29 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.21
X-Spam-Level:
X-Spam-Status: No, score=-4.21 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_MED=-2.3, SPF_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id tcd5Ox-YdOvy for <sdn@ietfa.amsl.com>; Wed, 26 Aug 2015 15:35:27 -0700 (PDT)
Received: from dfwrgout.huawei.com (dfwrgout.huawei.com [206.16.17.72]) (using TLSv1 with cipher RC4-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id E24701B348D for <sdn@irtf.org>; Wed, 26 Aug 2015 15:35:26 -0700 (PDT)
Received: from 172.18.9.243 (EHLO dfweml702-chm.china.huawei.com) ([172.18.9.243]) by dfwrg02-dlp.huawei.com (MOS 4.3.7-GA FastPath queued) with ESMTP id BHN46244; Wed, 26 Aug 2015 17:35:22 -0500 (CDT)
Received: from DFWEML701-CHM.china.huawei.com ([10.193.5.50]) by dfweml702-chm ([10.193.5.72]) with mapi id 14.03.0235.001; Wed, 26 Aug 2015 15:35:13 -0700
From: Linda Dunbar <linda.dunbar@huawei.com>
To: Wesley Eddy <wes@mti-systems.com>, "sdn@irtf.org" <sdn@irtf.org>
Thread-Topic: [Sdn] new draft on SDN for DDoS mitigation
Thread-Index: AQHQ1QFBU6fvAcAI90e9HO/6Zj+3Vp4e7HoQ
Date: Wed, 26 Aug 2015 22:35:12 +0000
Message-ID: <4A95BA014132FF49AE685FAB4B9F17F657D19ACA@dfweml701-chm>
References: <55CB473A.3010505@mti-systems.com>
In-Reply-To: <55CB473A.3010505@mti-systems.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [10.192.11.236]
Content-Type: multipart/alternative; boundary="_000_4A95BA014132FF49AE685FAB4B9F17F657D19ACAdfweml701chm_"
MIME-Version: 1.0
X-CFilter-Loop: Reflected
Archived-At: <http://mailarchive.ietf.org/arch/msg/sdn/rN0EwpdLjApADyVXh5bZpip_t_M>
Cc: "gclark mti-systems.com" <gclark@mti-systems.com>, Justin Dailey <Justin@mti-systems.com>
Subject: Re: [Sdn] new draft on SDN for DDoS mitigation
X-BeenThere: sdn@mail.ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: List to Discuss SDN Research Group in the IRTF <sdn.mail.ietf.org>
List-Unsubscribe: <https://mail.ietf.org/mailman/options/sdn>, <mailto:sdn-request@mail.ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/sdn/>
List-Post: <mailto:sdn@mail.ietf.org>
List-Help: <mailto:sdn-request@mail.ietf.org?subject=help>
List-Subscribe: <https://mail.ietf.org/mailman/listinfo/sdn>, <mailto:sdn-request@mail.ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 26 Aug 2015 22:35:30 -0000

Eddy, et al,

I think the content provided by this draft will be very useful in preventing junk and malicious traffic taking over precious network resources and providing a more effective way to protect applications from DoS/DDoS attacks.

A few comments to the draft:

-       When applications or end points (Customer sites) detect any kind of attack and need to inform ISPs to block those traffic,  the packets content might be using private addresses, local Tenant Identifiers, etc, while the filters for the ISP ingress may  be using "public addresses".

-       Figure 1: The Filter Management Apps is from customer side. The "filter rules" or the commands to "ISF Sub-Controller" may need more than what OpenFlow (e.g. OF1.5) can provide because those rules/commands might need to specify the environmental conditions that are not in the packets, e.g. Time of the Day, a specific event, customer ID, etc. Maybe some other methods should be explored, such as Open-Config, or OF-config, or others


-       The requests from applications and end points may be from different administrative domains than the ISP, therefore it is necessary to have pre-agreed format to pass "Filter rules". The recent IETF initiative (Interface to Network Security Functions - I2NSF is intended to specify the standardized format for specifying rules to security functions. See the latest charter: https://sites.google.com/site/interface2nsf/home ). I see your draft provide a really good input to I2NSF.


Linda


-----Original Message-----
From: sdn [mailto:sdn-bounces@mail.ietf.org] On Behalf Of Wesley Eddy
Sent: Wednesday, August 12, 2015 8:17 AM
To: sdn@irtf.org
Cc: gclark mti-systems.com; Justin Dailey
Subject: [Sdn] new draft on SDN for DDoS mitigation

Hello, we wanted to make people aware of a new I-D that uses SDN (or more specifically OpenFlow) as a tool to improve DDoS mitigation:

https://datatracker.ietf.org/doc/draft-eddy-sdnrg-customer-filters/

The interesting part of this for SDNRG is probably the sub-controller concept, which is how we allow OpenFlow to be used inter-domain (for customers to control aspects of their ISP's network), and the three- stage organization of flow tables.

The content is fairly specific to DDoS, but could be extended and generalized for other uses.

Much of the other interdomain SDN work has the ISPs setting up virtual networks for each customer, or slice-based constructions, which are not required by this sub-controller approach.  It may be of interest as an alternative construction with its own set of advantages and disadvantages in comparison to other interdomain SDN approaches.

We're eager to hear your comments, criticisms, and questions.

--
Wes Eddy
MTI Systems

_______________________________________________
sdn mailing list
sdn@mail.ietf.org<mailto:sdn@mail.ietf.org>
https://mail.ietf.org/mailman/listinfo/sdn

v2.23.0 | Report a Bug | By Email