Use Cases for DDoS Open Threat Signaling (DOTS) Telemetry
draft-ietf-dots-telemetry-use-cases-16
Yes
Paul Wouters
No Objection
Erik Kline
John Scudder
(Andrew Alston)
Note: This ballot was opened for revision 14 and is now closed.
Paul Wouters
Yes
Erik Kline
No Objection
John Scudder
No Objection
Murray Kucherawy
No Objection
Comment
(2022-10-19 for -14)
Sent
Just a couple of minor points: The shepherd writeup template asks why the chosen status was appropriate, but the writeup itself doesn't answer this question. (It is fairly obvious, but it's still good to have the complete writeup.) Section 6 refers to "the IESG review" conducted by people who are not on the IESG.
Roman Danyliw
No Objection
Comment
(2022-10-19 for -14)
Sent
Thank you to Phillip Hallam-Baker for the SECDIR review. ** Section 4. Some use cases involve controllers, orchestrators, and programmable interfaces. These interfaces can be misused by misbehaving nodes to further exacerbate DDoS attacks. This is good advice. I recommend calling out that that these security considerations are for end-to-end systems for DoS mitigation. These mechanics are outside the scope of DOTS protocols and standardization activity. ** Section 6. Thanks to Donald Eastlake, Phillip Hallam-Baker, Sean Turner, and Peter Yee for the IESG review I’m sure these reviews appreciate the acknowledgement. To clarify, these were the directorate reviewers, not the IESG.
Zaheduzzaman Sarker
No Objection
Comment
(2022-10-20 for -14)
Not sent
No objection apart from similar observation regarding the shepherd write up as Murray.
Éric Vyncke
No Objection
Comment
(2022-10-20 for -14)
Sent
# Éric Vyncke, INT AD, comments for draft-ietf-shmoo-hackathon-07 CC @evyncke Thank you for the work put into this document. Please find below some non-blocking COMMENT points (but replies would be appreciated even if only for my own education). Special thanks to Valery Smyslov for the shepherd's detailed write-up including the WG consensus *but* the justification of the intended status is missing. I hope that this review helps to improve the document, Regards, -éric ## COMMENTS ### Timing of the WG docs Like Alvaro wrote, it would have been nicer for the reviewer to have this document published before RFC 9244 ;-) ### Section 3.1.1 report `recently reported large DDoS attacks exceeded several Tbps` please provide an informative reference to this report. ### Section 3.1.1 top-talkers I am a little puzzled how an attack coming out of *two* top-talkers (and thanks for using IPv6 examples :-) ) is a *distributed* DoS attack. Suggest to change the prefix to something broader (e.g., two /48) rather than a host /128 prefix. ### Section 3.1.1 figure 1 e.g. Is the use of "E.g.," in figures common ? or useful ? in figure 1 ? As a side note, I am hard time to understand the figure 1: they are overloaded and little explanations on the graphics are given. ### Section 3.1.5 The intro text is about DNS torture attack, but the DOTS example is about DNS amplification attack, which appears as different attacks to me. ### Section 3.3.1 To be honest, the value of this section about ML escapes me ;-) (notably why DOTS is helping here) but the example DOTS message would benefit of using 2001:db8::2/127 rather than the 2 /128 ;) ### Section 6 Like Murray, I also wonder why some reviews are labelled as IESG review ;-) ## Notes This review is in the ["IETF Comments" Markdown format][ICMF], You can use the [`ietf-comments` tool][ICT] to automatically convert this review into individual GitHub issues. [ICMF]: https://github.com/mnot/ietf-comments/blob/main/format.md [ICT]: https://github.com/mnot/ietf-comments
Alvaro Retana Former IESG member
No Objection
No Objection
(2022-10-17 for -14)
Not sent
It's too bad that this document wasn't progressed with rfc9244 and that it isn't even referenced there.
Andrew Alston Former IESG member
No Objection
No Objection
(for -14)
Not sent
Lars Eggert Former IESG member
No Objection
No Objection
(2022-10-20 for -14)
Sent
# GEN AD review of draft-ietf-dots-telemetry-use-cases-14 CC @larseggert Thanks to Peter E. Yee for the General Area Review Team (Gen-ART) review (https://mailarchive.ietf.org/arch/msg/gen-art/jpVrKg9QCjWlcKWgprDRW0Q09lY). ## Nits All comments below are about very minor potential issues that you may choose to address in some way - or ignore - as you see fit. Some were flagged by automated tools (via https://github.com/larseggert/ietf-reviewtool), so there will likely be some false positives. There is no need to let me know what you did with these suggestions. ### Grammar/style #### Section 1, paragraph 1 ``` highly automated. To that aim, multi-vendor components involved in DDoS atta ^^^^^^^^^^^^ ``` This word is normally spelled as one. (Also elsewhere.) #### Section 3.1.5, paragraph 2 ``` S mitigation service by reporting on-going and detailed DDoS countermeasure ^^^^^^^^ ``` Did you mean "ongoing"? (Also elsewhere.) #### Section 3.2, paragraph 6 ``` irroring to copy the traffic destined a IP address and to monitor the traffic ^ ``` Use "an" instead of "a" if the following word starts with a vowel sound, e.g. "an article", "an hour". ## Notes This review is in the ["IETF Comments" Markdown format][ICMF], You can use the [`ietf-comments` tool][ICT] to automatically convert this review into individual GitHub issues. Review generated by the [`ietf-reviewtool`][IRT]. [ICMF]: https://github.com/mnot/ietf-comments/blob/main/format.md [ICT]: https://github.com/mnot/ietf-comments [IRT]: https://github.com/larseggert/ietf-reviewtool
Robert Wilton Former IESG member
No Objection
No Objection
(2022-10-20 for -14)
Sent
Hi,
Thanks for this document. A couple of minor nits:
(1) p 2, sec 1. Introduction
This document presents sample use
cases for DOTS Telemetry, which makes concrete overview and purpose
described in [RFC9244]: what components are deployed in the network,
how they cooperate, and what information is exchanged to effectively
use attack-mitigation techniques.
I found this sentence hard to parse.
(2) p 5, sec 3.1.1. Mitigating Attack Flow of Top-talker Preferentially
The forwarding nodes send traffic statistics to the flow collectors,
e.g., using IP Flow Information Export (IPFIX) [RFC7011]. When DDoS
attacks occur, the flow collectors identify the attack traffic and
send information about the top-talkers to the orchestrator using the
"target-prefix" and "top-talkers" DOTS telemetry attributes. The
orchestrator then checks the available capacity of the DMSes by using
a network management protocol, such as Simple Network Management
Protocol (SNMP) [RFC3413] or YANG with Network Configuration Protocol
(YANG/NETCONF) [RFC6020].
Please use RFC 7950 as the reference for YANG. Please check other references.
Regards,
Rob