
Use Cases for DDoS Open Threat Signaling (DOTS) Telemetry


Note: This ballot was opened for revision 14 and is now closed.

Paul Wouters
Erik Kline
No Objection
John Scudder
No Objection
Murray Kucherawy
No Objection
Comment (2022-10-19 for -14) Sent
Just a couple of minor points:

The shepherd writeup template asks why the chosen status was appropriate, but the writeup itself doesn't answer this question.  (It is fairly obvious, but it's still good to have the complete writeup.)

Section 6 refers to "the IESG review" conducted by people who are not on the IESG.
Roman Danyliw
No Objection
Comment (2022-10-19 for -14) Sent
Thank you to Phillip Hallam-Baker for the SECDIR review.

** Section 4.

Some use cases involve controllers, orchestrators, and programmable
   interfaces.  These interfaces can be misused by misbehaving nodes to
   further exacerbate DDoS attacks.  

This is good advice.  I recommend calling out that these security considerations are for end-to-end systems for DoS mitigation.  These mechanics are outside the scope of DOTS protocols and standardization activity.

** Section 6.

   Thanks to Donald Eastlake, Phillip Hallam-Baker, Sean Turner, and
   Peter Yee for the IESG review

I’m sure these reviewers appreciate the acknowledgement.  To clarify, these were the directorate reviewers, not the IESG.
Zaheduzzaman Sarker
No Objection
Comment (2022-10-20 for -14) Not sent
No objection apart from similar observation regarding the shepherd write up as Murray.
Éric Vyncke
No Objection
Comment (2022-10-20 for -14) Sent
# Éric Vyncke, INT AD, comments for draft-ietf-shmoo-hackathon-07
CC @evyncke

Thank you for the work put into this document. 

Please find below some non-blocking COMMENT points (but replies would be appreciated even if only for my own education).

Special thanks to Valery Smyslov for the shepherd's detailed write-up including the WG consensus *but* the justification of the intended status is missing. 

I hope that this review helps to improve the document,




### Timing of the WG docs

Like Alvaro wrote, it would have been nicer for the reviewer to have this document published before RFC 9244 ;-)

### Section 3.1.1 report

`recently reported large DDoS attacks exceeded several Tbps` please provide an informative reference to this report.

### Section 3.1.1 top-talkers

I am a little puzzled how an attack coming out of *two* top-talkers (and thanks for using IPv6 examples :-) ) is a *distributed* DoS attack. Suggest to change the prefix to something broader (e.g., two /48) rather than a host /128 prefix.

### Section 3.1.1 figure 1 e.g.

Is the use of "E.g.," in figures common? Or useful? In figure 1?

As a side note, I have a hard time understanding figure 1: it is overloaded and little explanation of the graphics is given.

### Section 3.1.5

The intro text is about DNS torture attack, but the DOTS example is about DNS amplification attack, which appears as different attacks to me.

### Section 3.3.1

To be honest, the value of this section about ML escapes me ;-) (notably why DOTS is helping here) but the example DOTS message would benefit from using 2001:db8::2/127 rather than the 2 /128 ;)

### Section 6

Like Murray, I also wonder why some reviews are labelled as IESG review ;-)

## Notes

This review is in the ["IETF Comments" Markdown format][ICMF]. You can use the
[`ietf-comments` tool][ICT] to automatically convert this review into
individual GitHub issues.

Alvaro Retana Former IESG member
No Objection
No Objection (2022-10-17 for -14) Not sent
It's too bad that this document wasn't progressed with rfc9244 and that it isn't even referenced there.
Andrew Alston Former IESG member
No Objection
No Objection (for -14) Not sent

Lars Eggert Former IESG member
No Objection
No Objection (2022-10-20 for -14) Sent
# GEN AD review of draft-ietf-dots-telemetry-use-cases-14

CC @larseggert

Thanks to Peter E. Yee for the General Area Review Team (Gen-ART) review

## Nits

All comments below are about very minor potential issues that you may choose to
address in some way - or ignore - as you see fit. Some were flagged by
automated tools (via, so there
will likely be some false positives. There is no need to let me know what you
did with these suggestions.

### Grammar/style

#### Section 1, paragraph 1
 highly automated. To that aim, multi-vendor components involved in DDoS atta
This word is normally spelled as one. (Also elsewhere.)

#### Section 3.1.5, paragraph 2
S mitigation service by reporting on-going and detailed DDoS countermeasure
Did you mean "ongoing"? (Also elsewhere.)

#### Section 3.2, paragraph 6
irroring to copy the traffic destined a IP address and to monitor the traffic
Use "an" instead of "a" if the following word starts with a vowel sound, e.g.
"an article", "an hour".

## Notes

This review is in the ["IETF Comments" Markdown format][ICMF]. You can use the
[`ietf-comments` tool][ICT] to automatically convert this review into
individual GitHub issues. Review generated by the [`ietf-reviewtool`][IRT].

Robert Wilton Former IESG member
No Objection
No Objection (2022-10-20 for -14) Sent

Thanks for this document.  A couple of minor nits:

(1) p 2, sec 1.  Introduction

   This document presents sample use
   cases for DOTS Telemetry, which makes concrete overview and purpose
   described in [RFC9244]: what components are deployed in the network,
   how they cooperate, and what information is exchanged to effectively
   use attack-mitigation techniques.

I found this sentence hard to parse.

(2) p 5, sec 3.1.1.  Mitigating Attack Flow of Top-talker Preferentially

   The forwarding nodes send traffic statistics to the flow collectors,
   e.g., using IP Flow Information Export (IPFIX) [RFC7011].  When DDoS
   attacks occur, the flow collectors identify the attack traffic and
   send information about the top-talkers to the orchestrator using the
   "target-prefix" and "top-talkers" DOTS telemetry attributes.  The
   orchestrator then checks the available capacity of the DMSes by using
   a network management protocol, such as Simple Network Management
   Protocol (SNMP) [RFC3413] or YANG with Network Configuration Protocol
   (YANG/NETCONF) [RFC6020].

Please use RFC 7950 as the reference for YANG.  Please check other references.