Re: [secdir] Review of draft-ietf-dots-signal-filter-control-04
mohamed.boucadair@orange.com Mon, 08 June 2020 05:48 UTC
Return-Path: <mohamed.boucadair@orange.com>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D65D23A0845; Sun, 7 Jun 2020 22:48:01 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.096
X-Spam-Level:
X-Spam-Status: No, score=-2.096 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_MSPIKE_H4=0.001, RCVD_IN_MSPIKE_WL=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, UNPARSEABLE_RELAY=0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=orange.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Zy7B9lQficiy; Sun, 7 Jun 2020 22:48:00 -0700 (PDT)
Received: from relais-inet.orange.com (relais-inet.orange.com [80.12.66.40]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 68B4B3A0841; Sun, 7 Jun 2020 22:48:00 -0700 (PDT)
Received: from opfedar07.francetelecom.fr (unknown [xx.xx.xx.9]) by opfedar27.francetelecom.fr (ESMTP service) with ESMTP id 49gMjV4hZjz2xJP; Mon, 8 Jun 2020 07:47:58 +0200 (CEST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=orange.com; s=ORANGE001; t=1591595278; bh=olMewL3mF18VtVMg9zxVgRRCE2Uvf4RcjDkHI/6eKaI=; h=From:To:Subject:Date:Message-ID:Content-Type: Content-Transfer-Encoding:MIME-Version; b=xX5ABpPbnlCogFA+LUdplAO4Dj7ZfcGNcEfVzf/cXxbnPG4weDabU6I55ZC8xptty qwAZi+gVxv9QUuClZYgSKv655U/s+9Z+28kGAKPjEH8on1GP976feT4CWX/wTAmNlJ 3+L5bPJd9V9MTNHJtZzhlqRs1gHz/QHPM7JVuW/e3aZRc0KIA4aGTgwmWIsxaRYyn/ ceREuk6tNMmP7/8JHh3+3n/ZX5lNTQtAeWNJjv2AEAfxjJxN52PCIoeKH2/9MUfrCC I9ZxC3t/5skDL6bSgwxWtA26FdFjf4DS7/aXPRRfetnLkDhd4u6gBHY9MIFQ0tFk3O XqCkxz83cchzg==
Received: from Exchangemail-eme6.itn.ftgroup (unknown [xx.xx.13.92]) by opfedar07.francetelecom.fr (ESMTP service) with ESMTP id 49gMjV3Dwqz5vMv; Mon, 8 Jun 2020 07:47:58 +0200 (CEST)
From: mohamed.boucadair@orange.com
To: Benjamin Kaduk <kaduk@mit.edu>, Shawn Emery <shawn.emery@gmail.com>
CC: secdir <secdir@ietf.org>, "draft-ietf-dots-signal-filter-control.all@ietf.org" <draft-ietf-dots-signal-filter-control.all@ietf.org>, "last-call@ietf.org" <last-call@ietf.org>, Shawn Emery <semery@uccs.edu>
Thread-Topic: Review of draft-ietf-dots-signal-filter-control-04
Thread-Index: AQHWPF9gitgGThlzD0SLD0GELty+HajONQfA
Date: Mon, 08 Jun 2020 05:47:57 +0000
Message-ID: <787AE7BB302AE849A7480A190F8B9330314D972E@OPEXCAUBMA2.corporate.adroot.infra.ftgroup>
References: <CAChzXmZZEGy3J=UqiFvN51Q5dniNZ4aJcjwO2ARpR688ph1dmA@mail.gmail.com> <20200607000528.GR58497@mit.edu>
In-Reply-To: <20200607000528.GR58497@mit.edu>
Accept-Language: fr-FR, en-US
Content-Language: fr-FR
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [10.114.13.247]
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdir/U8Gl12RgtcbylSIU0rlTyTfvJA0>
Subject: Re: [secdir] Review of draft-ietf-dots-signal-filter-control-04
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/secdir/>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 08 Jun 2020 05:48:02 -0000
Hi Shawn, Thank you for the review. Please see inline. Cheers, Med > -----Message d'origine----- > De : Benjamin Kaduk [mailto:kaduk@mit.edu] > Envoyé : dimanche 7 juin 2020 02:05 > À : Shawn Emery > Cc : secdir; draft-ietf-dots-signal-filter-control.all@ietf.org; last- > call@ietf.org; Shawn Emery > Objet : Re: Review of draft-ietf-dots-signal-filter-control-04 > > Hi Shawn, > > Thanks for the review. > I believe you're correct that any filter that filters monitoring > agents > would have to have been confiugred previously over the data channel, > yes. > > -Ben > > On Fri, Jun 05, 2020 at 04:14:02PM -0600, Shawn Emery wrote: > > Reviewer: Shawn M. Emery > > Review result: Ready with nits > > > > I have reviewed this document as part of the security directorate's > > ongoing effort to review all IETF documents being processed by the > IESG. > > These comments were written primarily for the benefit of the > security > > area directors. Document editors and WG chairs should treat these > > comments just like any other last call comments. > > > > This draft specifies a filter control through the Distributed > > Denial-of-Service Open Threat > > Signaling (DOTS) signal channel rather than through the data > channel, given > > that an active > > DDoS attack would essentially disable the data channel. The > assumption is > > that the filter > > rules would have been constructed and distributed during idle time, > before > > the attack. > > > > The security considerations section does exist and the defers to the > base > > RFCs, 8782 and 8783, for confidentiality and integrity requirements. > The > > draft > > continues that the filtering rules should be constructed before any > attack > > through > > the data channel. The section finishes with an attack by using the > control > > filter to > > make a DDoS worse and recommends mitigation through operators > monitoring > > and countering malicious behavior. They describe this as only a > variation > > of the > > attacks outlined in 8782 and 8783, though I wonder if a new attack > vector is > > introduced through an attacker enabling a filter that filters > monitoring > > agents? > > However this would have had to have been configured through the data > channel > > priori, no? [Med] I confirm. > > > > General comments: > > > > Thank you for the examples, this makes the concepts behind the draft > more > > clear. > > > > Editorial comments: > > > > ietf-dots-signal-channel and ietf-dots-data-channel are now RFCs. > > [Med] Fixed in our local copy. Thanks. > > Shawn. > > --
- [secdir] Review of draft-ietf-dots-signal-filter-… Shawn Emery
- Re: [secdir] Review of draft-ietf-dots-signal-fil… Benjamin Kaduk
- Re: [secdir] Review of draft-ietf-dots-signal-fil… mohamed.boucadair