DDoS Open Threat Signaling (DOTS) WG Minutes

TUESDAY, July 21, 2015
1740-1840 Afternoon Session III
Congress Hall II
SEC DOTS (DDoS Open Threat Signaling WG)

Co-Chairs: Roman Danyliw and Tobias Gondrom

Meeting recording:
http://ietf93.conf.meetecho.com/index.php/Recorded_Sessions#DOTS

1. Note well, logistics, charter introduction (chairs, 5 min)

2. Use Case Discussion (20 min)
   - draft-mglt-dots-use-cases-00 (Daniel Migault, 10 min)
   - draft-xia-dots-extended-use-cases-00 (Frank Xialiang, 10 min)
     draft-fu-ipfix-network-security-01

3. Requirements Discussion (20 min)
   - draft-mortensen-threat-signaling-requirements-00
     (Andrew Mortensen, 10 min)
   - Chris Morrow and Roland Dobbins (10 min)

4. Way Ahead for Use Cases and Requirements Discussion (10 min)

5. Summaries of Other Drafts (5 min)
   - draft-teague-open-threat-signaling-01 (Nik Teague)
   - draft-reddy-dots-transport-00 (Tiru Reddy)
     draft-reddy-dots-info-model-00

------------------------------------------------
1. Note well, logistics, charter introduction
------------------------------------------------
Presenters: Roman Danyliw and Tobias Gondrom
Slides: https://www.ietf.org/proceedings/93/slides/slides-93-dots-0.pdf

The agenda was approved without any changes. The newly approved
charter and the options for advancing the use case and requirements
conversations were introduced.

------------------------------------------------
2a. Use Cases: draft-mglt-dots-use-cases-00
------------------------------------------------
Presenters: Daniel Migault
Draft: draft-mglt-dots-use-cases-00
Slides: https://www.ietf.org/proceedings/93/slides/slides-93-dots-2.pdf

The presenter provided an overview of an individual draft submission
on DOTS use cases.

Clarifying questions during presentation.

Q: (?) Is the "DDOS Orchestrator" in the architecture diagram the
   attacker or the defender?
A: Defender.

Q: (Scott Arvik) How prescriptive are the depicted use cases for the
   work in DOTS?
A: The use cases are not suggesting a definitive architecture.

Q: (?) Can multiple "orchestrators" interact with each other in the
   depicted use cases?
A: Yes.

------------------------------------------------
2b. Use Cases: draft-xia-dots-extended-use-cases-00
               draft-fu-ipfix-network-security-01
------------------------------------------------
Presenters: Frank Xialiang
Draft: draft-xia-dots-extended-use-cases-00
       draft-fu-ipfix-network-security-01
Slides: https://www.ietf.org/proceedings/93/slides/slides-93-dots-1.pdf

The presenter provided an overview of another individual draft
submission on DOTS use cases.

Q: (Aliba) How much implementation exists for the presented use cases?
A: Some. We're already capable of finding Top-N traffic.

Comment: (Bob Moskowitz) Have you looked at flow sampling for your
         use cases?

------------------------------------------------
3a. Requirements: draft-mortensen-threat-signaling-requirements-00
------------------------------------------------
Presenters: Andrew Mortensen
Draft: draft-mortensen-threat-signaling-requirements-00
Slides: https://www.ietf.org/proceedings/93/slides/slides-93-dots-4.pdf

The presenter provided an overview of an individual draft submission
on requirements for DOTS.

Q: (?) Is the terminology the draft introduces intertwined with the
   requirements it enumerates?
A: No, the terminology and requirements are separable.

Q: (Tobias Gondrom, as individual) Did you use the existing other
   drafts to inform your document?
A: Yes.

------------------------------------------------
3b. Requirements: Operational Requirements
------------------------------------------------
Presenters: Chris Morrow and Roland Dobbins
Draft: none
Slides: https://www.ietf.org/proceedings/93/slides/slides-93-dots-3.pdf

The presenters presented operational requirements for DOTS.

Q: (?) Is there a concise definition of DOS used in your presentation
   or for DOTS?
A: Maintaining availability.

Comment: No provider has the motivation to stop inter-domain DOS
         attacks.
A: That doesn't matter. DOTS should support this use case.

Q: (?) Does the DOS attack have to be large scale to be in scope?
A: Not necessarily. The specifics of the attack don't matter much to
   DOTS.

Comment: (?) DOTS needs to describe what is being attacked and how.

------------------------------------------------
4. Way Ahead for Use Cases and Requirements Discussion
------------------------------------------------
After the presentations, the chairs opened the floor to discussion
about where to take the requirements and use case discussion.

--[ Open Discussion ]--

Comment: (Roland Dobbins) From the presented materials, we largely
         don't have use cases, only model architecture of what's
         currently done.

Comment: (Doug McDomery?) There may be a need to consider
         differentiating an attack from bad provisioning.

Comment: (Rick Sullivan) The current use cases are block diagrams of
         implementations. They can't be used by operators.

Comment: (Bob Moskowitz) Only go through the trouble of combining use
         cases or requirements drafts if the WG will be submitting to
         RFC.

Comment Response: (Tobias Gondrom) A use case/requirement document is
                  a charter item.

--[ Consensus Call #1 ]--

Should we combine all input on use cases into a single WG document?

yes: very strong
no : almost none

Result: consensus to create a single WG use case document

- How many volunteers to be editors? ~10
- How many volunteers to be reviewers? ~15

--[ Consensus Call #2 ]--

Should we combine all input on requirements into a single WG document?

yes: strong
no : some

Result: consensus to create a single WG requirements document

- How many volunteers to be editors? ~10
- How many volunteers to be reviewers? ~12

--[ Question to WG ]--

How many of you will implement DOTS?
~12

------------------------------------------------
Closing
------------------------------------------------
The chairs thanked the participants and closed the meeting.

The following items were on the agenda but due to an overrun in
earlier topics were not presented:

5. Summaries of Other Drafts (5 min)
   - draft-teague-open-threat-signaling-01 (Nik Teague)
   - draft-reddy-dots-transport-00 (Tiru Reddy)
     draft-reddy-dots-info-model-00