From YouTube: IETF103-DOTS-20181108-0900
Description
DOTS meeting session at IETF103
2018/11/08 0900
https://datatracker.ietf.org/meeting/103/proceedings/
B
Okay, wow, alright. So, just putting up, it's very late in the week, but the Note Well of course applies. I'd ask you to just quickly look at that, and if you have any questions, you know, don't hesitate to ask the chairs or the ADs as to what's going on there. Administratively, the blue sheets have been passed around. We have an agenda. This is largely what was on the mailing list. We're gonna talk primarily about the interops that happened at the hackathon, and then some new work to bring into the working group.
B
Both of the two protocol drafts, the signal draft and the data channel draft: one is with an AD evaluation, and we're bouncing back comments based on what Ben had asked, and after that I believe Ben is going to review the data channel. The use case is ready. It's actually with me, as the shepherd; I need help from some of the authors to make their IPR claims on the list.
B
So I've asked on the list, I've reached out kind of privately, and that's what's blocking moving forward with that use case document. And then with the architecture document, I'd love to hear from the authors, because I've gotten a bit of a mixed story as to whether we're ready to go to working group last call, or whether we still need another revision based on some issues that were there.
B
So that's where we stand with those drafts. Honestly, kinda with that, we were gonna get into the new work. Three weeks ago on the mailing list, Frank and I asked the question, given that a lot of our charter documents were nearing a conclusion, whether there were new thoughts on what the working group wanted to take on. And what you're seeing here in this agenda is primarily kind of that, and we do have some time at the end of the session to talk about any other additional ideas.
C
I'm [inaudible] from NTT Communications, and this report is from [inaudible]. Yes, then we did a hackathon last weekend at the IETF, and we did some interop. Also, we did some attack scenarios, and I'd like to report about the result of these things.
C
Then this is the fourth interop testing in the IETF. So actually, at the last IETF 102 we did interop testing with each other for the first time, but actually this time we proceeded to the hackathon to show that the protocol functions for [inaudible] DDoS protection. So we tried to handle the DDoS attack in our controlled testing environment. And also, actually, as Roman said, that draft is now proceeding to publication, so these testings are conducted with the latest version of the signal channel and data channel drafts.
C
Then here is the setting of the interop testing. We set up the [inaudible] web servers on the bottom of this figure. Then a narrow link is the transit, so it can be easily congested or saturated by the DDoS attack. Then the DOTS client is in one of the web servers, and also the DOTS server resides in the upstream network. Then we used our open source implementation, called [inaudible], and also we used [inaudible]'s proprietary implementation.
C
Then also we tried the DOTS gateway functionalities, and we did not try out [inaudible] service functions. But then, after the web servers get attacked, the narrow link is saturated. So all of these web servers can be easily affected by the DDoS attack, because the narrow link is so [congested that] no one can go through this link. So all of ours are damaged, and the DOTS client requests for help with mitigation requests over the DOTS protocol, and actually the DOTS protocol communicates over this narrow link.
C
Then, as I said, we had two independent implementations. One is ours; the source code is open on GitHub this week, and it has the functionality of DOTS client and server. Then also it has a protection functionality of insertion of ACL rules on some router platforms, and also it has a BGP route injection function, so it can work as traffic redirection or remotely triggered black hole. Then [inaudible]'s implementation is implemented on their DDoS mitigation system, so it has a more complicated or sophisticated way to protect services.
C
Then we tested both this time: communication in peacetime and attack-time communication. So we tried to use these functionalities and each other's functionalities at the hackathon. Then here is the result summary. The above table is a high-level summary of communication in attack time and actually in peacetime.
C
Those functionalities are okay in peacetime, of course, so we checked if it works under the attack. Then during the attack time, the link is overwhelmed by the flood, so over 90 percent packet loss was detected for downstream traffic. However, as for the upstream traffic, there is no packet loss, so the communication is kind of one-directional. In that case, then, the mitigation request only requires the upstream traffic. So actually it worked even in attack time, by design. That is the most significant part of the superiority of the DOTS protocol.
C
But, however, there are failing functions in attack time. So, for example, the heartbeat mechanism couldn't work, because it was the [signal] from server to client. Also, resumption or renegotiation of DTLS cannot be done, and also all of the data channel communications failed, because they use TCP, so they cannot even do the handshake over this congested narrow link. From here I'd like to explain some issues about the one-directional communication situation, so a deep dive.
C
Responses from the DOTS server to the client cannot be seen from the DOTS client, so the DOTS client tries to resend the heartbeat several times, and before reaching the count of missing heartbeats allowed, the draft says it should do the DTLS resumption. However, the problem was, okay, DTLS resumption really fails in attack time, so this can happen easily. So, as an implementation recommendation, we recommend trying to keep sending the mitigation request over the currently established session in this type of situation.
C
Then this is the found issue about the trigger of these connections. So this draft says that if the DOTS server does not receive any traffic from the peer DOTS client, then the DOTS server sends the heartbeat request to the DOTS client, and also they check if the heartbeat works. Then, if again the missing heartbeats allowed threshold was reached, then the DOTS server
C
concludes that it is disconnected, okay. But, however, the DOTS client can send the heartbeat packet to the DOTS server, because the upstream is not congested, so the server sees that the traffic is coming. So [inaudible] is the real trigger of the sending of the heartbeat from the DOTS server to the DOTS client. So if they have no chance to do that, it leads to the conclusion of this connection, but I think there could be a better trigger of server-side heartbeat, because in the congestion situation still the DOTS server observes [the client's traffic].
C
Then about the implementation implication. This is not related to the draft itself, but it is important to make sure that the protocol or DOTS software is robust to an incomplete communication situation. So the software, especially the DOTS client, must not be [blocked] waiting for returning packets in attack time. So, for example, our software got stuck with no reply from the DOTS server in this attack time. So it is just a recommendation, implication. Yep.
F
Okay, but I mean, I'm just trying to remember the sequence of events that's going to result from this, right. Because if the server was not receiving the client ping, then the server might conclude that the client is under attack and initiate mitigation and all that; that wouldn't be so good. But in this particular case, when the client does not receive a response from the server, is it just busy with the DTLS resumption that's not taking place correctly, or the client...
F
[inaudible]. Is it only, as you're showing here, the DTLS resumption? The client essentially is not getting the heartbeat, so it concludes that there is no session and it tries to do DTLS resumption, but that's the only thing that the client is doing in this particular case, right? Or would it also potentially try to contact another server and set up a different session?
G
If he wants to set up, send a PUT mitigation request or something similar, he can still send it to the server, but he will not get a response back. But he is blindly sending out the PUT to the server. In parallel, because there may be a restart or something somewhere, he should be trying to restart or set up a new session, to either resume a session or set up a new session to try and talk to the DOTS server. So the communication that he is... he is just talking blind at that point.
G
So from the server's perspective, he realizes that the client is in a quasi state, that there are data communication problems, at which point the server still thinks the client's alive, because he is seeing his ping requests coming in. And then at that point, if there's any trigger-mitigation flag set on any mitigation requests, he will then invoke those mitigation requests at that point. Does that help in clarification there?
F
It does. I'm just trying to think through, you know, what are the incorrect ramifications of what's being described here, and it sounds like that one is incorrect: is the client concluding that he should try to initiate a new DTLS session, whether that's to the same DOTS server or a different one, because most likely that's not going to succeed, right? Everything else still has the intended results, if I understand correctly. Okay.
G
So the specification specifically says that the client should continue using the existing channel whenever he's doing any requests. In addition, he should be requesting, or trying to set up, a new session. The spec doesn't talk at all about going to an alternative server. At this point, the client needs to start a new session,
G
just in case the server has restarted, let's say been rebooted or whatever, and therefore the existing session keys no longer work. So he needs to start trying to establish a new DOTS session with a new set of keys, or trying to resume, or whatever, back to the server, just in case it's just a case of the server having been rebooted at that point. The client is doing two things. The client, according to spec, is not going to go and try an alternative server.
C
Then, for flexible [inaudible], or this could be a suggestion, so we'd like to talk about these things. If it is applicable, then it is assumed that the filtering rules cannot be installed or removed in attack time. But I just thought, what if a DOTS client needs to change the active mitigation filters in attack time? Because in the attack time, the DOTS client could feel that [inaudible] inconvenience about the filtering [inaudible]. So what can be done from the DOTS client in the attack time about this?
C
[inaudible], so I thought that, as point one, should we add a control of the filtering rules, yes, just to tell about the kind of name of the ACL or something. And the second point is, we have some interface to get the status of the filtering rules, yes, you know, each other. But as for the second, it could be lost, because there is only one-directional communication. But I thought this means DOTS could have the situation of a more [inaudible] control.
F
So let me... yeah, I was just thinking the same thing. I mean, the first option that you're showing here, I could see that making sense, because that would only require essentially the upstream communication. But the second one, I mean, if that's gonna work, then why wouldn't it work over the data channel, would be my question. Yeah. That's...
D
The first option, I mean, I think it pretty much looks like it's going to be required, especially for the whitelisting. That's going to be created because the DDoS attack traffic could be emerging from the whitelisted IP addresses or prefixes, and the signal channel could be used to override that. So option one seems to be like a good option. Maybe you should propose a draft.
B
So I just want to make sure I understood what you were proposing. You were endorsing option one. I heard Flemming also talking about option one, but to do that we have two options. Of course, the signal channel draft itself is now kind of with Ben, so our ability to modify something as substantial as this, you know, although that'll take some working. And then there's discussion of, you were saying, Tiru, to create another draft that would patch effectively the signal channel.
H
Ben Kaduk. So I mean, we don't need to consider the signal channel finished. You know, we can put more stuff into it, and that's not a problem. It would only be a question of, you know, if we thought this new stuff was gonna take like six months to finalize or something, and we don't need to hold up the signal channel for that sort of thing. But if we have a good idea what we want to do, we can just do it.
G
Okay, just, I want to clarify, back with TLS 1.3 and so on. TLS 1.3 we were not using as part of this process. TLS 1.3 is out, but we actually were using TLS 1.2 over the data channel. We have not been using DTLS 1.3, as that spec is not yet out and I don't have support for testing that out as we speak, at this point in time. So everything was done with either TLS 1.2 or DTLS 1.2.
B
If the... you know, the team, and you have not been doing all of this at these last kind of four meetings, bringing that back to the working group, and I was changing that. So we profoundly appreciate it, and, you know, thanks so much for all your hard work. Yeah. Thank you very much. Okay. So next, that brings us to discussing the server discovery draft, and to set the stage for this...
J
I want to... I made a presentation about a DDoS mitigation use case using DOTS in a single-domain network, so we use DOTS as the interface between flow collector and orchestrator and DDoS mitigation system, and okay, so [inaudible]. The main point of the talk is that the router in the core network filters attack traffic based on the detection information of a DDoS mitigation system.
J
These are feedback from the DOTS working group. One feedback is that the signal channel should be frozen at a certain point. On the other hand, the DOTS working group can do some extensions after the processing is done. Our impression is that the signal channel's working group state is [inaudible]. So it's a good time to discuss some extension of the signal channel now in the working group, and some people said, please write a draft. So we wrote a new I-D about the extension. This is my first I-D.
J
This is a sequence diagram in our draft. The main point of our proposal is that, at this point, the DDoS mitigation system sends requests to the orchestrator using DOTS, and the orchestrator configures the router using something like BGP flowspec and so on, so that the router blocks attack traffic based on the detection and mitigation of the DMS.
J
This slide shows the contents of attacker information. It is difficult to send attacker information, so we expand it so that DOTS can send it. Some people gave me feedback on this draft, so I will revise the draft for IETF 104. I hope for more feedback. Oh, please give me a comment on the mailing list.
B
Hi, can you back up two slides, for the time series one? One more, yeah. Could you... Roman Danyliw, CMU. Could you kind of back up? You know, kind of start from the top and walk: telemetry monitoring system to orchestration, the network admin to orchestration, and kind of talk through that flow a little bit. It's some of the things I asked on the mailing list, yeah.
B
So can you describe the workflow then that gets the network administrator talking to the orchestrator? It's the second line, this one, right. So I get how a telemetry system, you know, sees something, and it says: hey, I need to do something about that, and talks to an orchestrator. I don't understand the... now the network administrator is triggering something with an orchestrator, because someone needed to tell the network, so...
B
It's: the telemetry system saw something and automatically, you'd said, you know, told the orchestrator, I saw something. The network administrator also was watching a console, saw something and said, wow, that looks odd, I'm gonna tip the orchestration system. So they independently observe the same phenomena? Because I asked, because in the draft it looked like there's this workflow thing.
D
I have a question on the DDoS mitigation system talking to the orchestrator using DOTS. I mean, I was just wondering, why can't the DDoS mitigation system just use any of the interfaces, like it could be an SDN controller, and you just program that to program the network devices using BGP flowspec, right? I mean, why do you really need DOTS here, and why can't it be done using any of the existing control message configuration that's already there?
D
The question was for the DDoS mitigation system, where it's sending the mitigation requests in the rectangle you had highlighted. I was wondering, any specific reason for using DOTS? Why can't you use any SDN northbound interfaces to program the orchestrator? Why can't the DDoS mitigation system use SDN APIs to basically program the orchestrator to basically install BGP flowspec rules on routers and switches?
C
[inaudible] from NTT Communications. So I read the draft, and also the point, the reason why those communications, is he is thinking about the kind of tiered mitigation services. Like, for a small amount of traffic they want to use the kind of DMS, the DDoS mitigation system, but which could be more expensive, so they try to use the more inexpensive way, kind of filtering on the routers and switches. Then so they want to grow up the mitigation protection countermeasure in kind of the orchestration way, so that's great, well.
F
Thank you. Flemming. Interesting. Can we go back to the previous slide again? Sorry, one more, the workflow, yeah, that one. That was one too many; the one that Roman was asking about previously as well. That one, yeah, okay. I'm trying to understand whether this really fits into what we're trying to do with the signal channel, and I guess...
F
Two questions. The first one is, I mean, the value of having a standardized protocol typically is when we assume that there is a multitude of, you know, in this particular case, different clients and servers that want to support the implementation, because there's a lot of them, right. So my first question would be: do we see that as being the case here between DDoS mitigation systems and orchestrators? Is it worthwhile actually standardizing this?
F
My second question, which is more technical in nature, is: the signal channel is designed to operate in an environment that is under attack, all right, specifically because the link that we're trying to take control over is very congested, and there's a lot of compromises, if you will, that the signal channel has as a result of that. It's UDP-based, right; there's not necessarily any acknowledgments. As a result of that, there's, you know, limits to how much information we can actually convey.
G
Okay, yeah. Thank you. I'm just looking at the summary of the draft. If it was network administrator, then telemetry monitoring systems, then the DMS, then orchestrator, then routers, I can get some more of an idea, understanding where this is coming from. In the sense, you could have on your local premises a DMS system that is smart and intelligent; the orchestrator is somewhere within the ISP cloud, and the routers and the switches are somewhere within the ISP cloud.
B
Well, right, I'm paraphrasing here, John, maybe; yeah, correct me when I got it wrong. There's a kind of a question of what administrative domain, which pieces are in the enterprise, which are in other administrative domains. I think John was saying perhaps some of those mitigation systems and routers and switches are in an ISP, but the orchestrator and those early telemetry systems are in an enterprise.
D
Yeah, so today what we have in DOTS is, we are assuming the DOTS client needs to learn the IP address, reachability information, of the DOTS servers, and we are assuming it's going to be done using some manual configuration, and similarly even for the DOTS gateway. But the whole problem is the DOTS architecture and DOTS signal channel do not specify any specific mechanism of how such information will be learned by the DOTS client. So this draft is trying to fill that void. Next slide.
D
So what we have done in this draft is, we have specified four different mechanisms for discovering the DOTS server. One is basically the explicit configuration, whether it could be local or manual configuration, where the DOTS client is programmed either by the network administrator or through some SDN mechanism to basically learn the DOTS server IP address and domain names. The other one that this draft discusses is automatic configuration. That would probably be done using DHCP.
D
The other mechanism that this draft covers is the service resolution using S-NAPTR. S-NAPTR has an advantage where the DOTS server domain administrator can basically give a precedence for the transports. It has preference; for example, it can say: hey, I want to pick TCP or UDP, or UDP or TCP, though the DOTS signal channel says UDP has higher precedence over TCP. It can also specify ports which the DOTS server is using for listening to connections from the DOTS client. DNS service discovery:
D
Basically, we are covering two mechanisms, either DNS service discovery or multicast DNS, to discover the DOTS gateway or DOTS server located in the site itself, and the last and least preferred one is anycast. So the draft currently recommends all the four mechanisms, and the guideline is the order in which it's specified is the order in which it should start discovering the DOTS server. I mean, this is pretty much a similar mechanism we had proposed, and it's being used, for TURN server discovery by WebRTC.
D
So we wanted more feedback on the current discovery mechanisms we have proposed, and if the working group has any feedback on adding more discovery mechanisms, or removing any of them which do not make sense for DOTS. So more feedback is appreciated for this draft, and we would like to take this forward. Any questions on this draft?
D
Basically, it's trying to address DOTS deployments in multihoming or multi-interface, in areas where there are multiple upstream service providers offering DDoS mitigation service. It does not recommend any deployment model, but it just talks about various scenarios where there could be multihoming, and how, in those multihoming scenarios, the DOTS client could efficiently reach the right DOTS server for mitigation. And it also gives guidelines on where anycast makes sense, where anycast does not make sense, and how does the DOTS client handle multihoming scenarios, and how does the DOTS gateway handle the multihoming scenario.
D
The goal of this draft is to basically make sure, for example, if the DOTS client is provisioned with provider-dependent addresses, then the whole idea is to make sure the DOTS mitigation request is not sent to any arbitrary DOTS server, because that won't help mitigating the DDoS attack, because IP addresses are provider-specific. And even for a DOTS gateway, blindly forwarding all the DOTS mitigation requests to all the available DOTS servers,
D
this is not going to work, because the DOTS server which cannot serve those IP addresses or prefixes will reject the DDoS mitigation request, and sequentially trying them will eventually delay the mitigation plan to kick in. So this draft is basically going into guidelines, just like IPv6 RFCs refer to algorithms to basically select the right source prefix and destination address, especially for provider-dependent addresses. So this draft goes into those details, giving guidelines for DOTS client and gateway implementations. Next slide.
D
So the DOTS use case draft is already referencing this draft for multihoming considerations. This draft is discussing various scenarios where there are single versus multiple upstream providers, and the same provider giving both fixed and cellular connectivity. It also discusses use cases with regard to what happens when the DOTS client domain is provisioned with provider-independent or provider-dependent addresses, and the behavior for DOTS clients and gateways in each of those cases.
D
Yeah, feedback on this draft. I think... I don't think this draft caught a lot of traction in the working group, and we are hoping, we would like to see more discussion on this, and this should basically help operational deployments for DOTS, especially in multihoming scenarios. And we would like more feedback, and if the group is interested, we would like to have this.
B
So, as a reminder to the working group on the history here: we had a lot of text in the use case document, we had a little bit in the requirements document. We decided, boy, there was a lot to say about multihoming. Let's keep those other informational documents kind of simple, and this will allow us to say even more about these kinds of environments. And that's the origin.
B
Okay, so we see a couple of hands on that. I think again, as in this case as well, we have to take it to the list and get additional feedback. But again, this is, as you noted, this is a reference in what some of the informational [documents] were trying to publish. So thank you for the update. Okay. So we have blue sheets getting passed around again, for those that came in. Please do sign up so we can appropriately provision next time.
D
The other interesting thing is, network devices nowadays in home networks are offering security functions, especially for IoT device security and for parental control. Some of the various vendors, I mean, they're offering this security service either on a standalone gateway or on home routers. Especially on the home routers that I have been working on, both from Intel and Broadcom, they have a fast path enabled to basically boost the throughput, and the problem that we see is not all the packets get punted to
D
the kernel. So if you're using netfilter or any other hooks to basically take the packets to user space for inspection, we only get a specific number of packets, and we basically have to program the packet processor to punt more packets. So by default we only get a specific number of packets, probably 15 to 30 packets, that you program the packet processor to punt. So this leaves us open to various attacks,
D
where the home routers, with even other firewall or security functionality or DDoS detection capability, cannot look into all the packets in a flow. And that causes a problem: if the attack traffic is sent to the target after the flow is switched to fast path, the security service on the home router cannot detect the bad packets and block them. And further, the home routers have limited CPU and memory, and they may not be able to detect new, emerging, multi-vector or sophisticated attacks. So these are some of the challenges that at least I am facing.
D
This problem is not just specific to IPv4. I mean, we have seen cases where IPv6 devices can pretty much easily change their IPv6 addresses, for example using stateless address autoconfiguration, or if they try to even use an IP address not assigned by the DHCP server, and the ISP may not be able to identify and isolate such IPv6 devices because they are located multiple hops away from the home router. Next slide, please.
D
So what we're trying to do here is basically fill in the gap, basically by making the cooperation between the security service on the home router and the ISP, which is having better detection and mitigation capabilities. So, unlike typical client-server communication, where the client establishes a DTLS session or a TCP session with the server, here the DTLS connection will be initiated by the DOTS server. This is
D
similar to RESTCONF or NETCONF call home functionality, where the server is typically located behind NAT or firewall, and so, in order to reach it, the server itself initiates the TCP connection or DTLS connection; it is initiated by the server itself. And whenever attack traffic from compromised devices from the home network is launched, and the DDoS detection in the ISP detects that there is an attack, the mitigation request conveys the attack traffic information.
D
We implemented on an OpenWrt router, so where we had basically embedded the DOTS server on an OpenWrt router, and then what happens is, initially the DOTS signal channel is initiated by the DOTS server, and it establishes a DTLS session with the DOTS client. If it's TCP transport, then the TCP connection will be initiated by the DOTS server in this case. And after that, whenever the DDoS attack is detected by the ISP, then it would send the DDoS attack details, and the home router, basically, for example, is located behind NAT.
D
Once the attack traffic information comes from the DOTS server, it uses that information to identify the device and take appropriate mitigation actions. For example, if the NAT is on path, then the home router uses the attack information to find the internal source IP address of the compromised device on at least one [inaudible].
D
Yeah, for the call home, even RESTCONF and NETCONF call home have asked for a new port, so similarly I guess we need to ask IANA for a new port to accept DTLS connections for call home. Some of the extensions that we added to the mitigation request are the list of attacker prefixes and the list of port numbers. This is going to help us do the pre-NAT lookup, and if it's not UDP or TCP, then the list of ICMP types too, which are used for attacking the victim. Next slide, please.
D
So, in this case, since the target URI, target FQDN and aliases do not make sense, the target prefix and source prefix became mandatory attributes. And in some deployments, especially, we see that the DOTS server domain administrator's consent may be required to block the traffic from the compromised device to the attack target, especially for false positives. So we also added a new "request rejected" conflict cause code to indicate back to the DOTS client that the traffic has been classified as legitimate traffic.
D
We have various questions on this draft. I mean, in case the home router is not capable of detecting new, emerging, sophisticated attacks, then would signaling attack name, type or any other ID for diagnostics, would that be helpful? It looks helpful for at least identifying why the home router could not detect specific attacks. RESTCONF already has a call home defined in RFC 8071, but we are not sure if there is any real use case for adding a DOTS data channel call home service. So we wanted to ask the working group if they have any specific use cases where they see the need for DOTS data channel call home, and we need more comments and suggestions for this draft to make progress. So.
D
So here, the one which is [inaudible] is gonna be assigning prefixes or IP addresses to the home networks. So the ISP should be pretty much aware of from which home network the attack traffic is coming, right, even if it's located behind NAT. So if you see a mobile network, they have PCRF and others, where they log the NAT logging, and they know pretty much which router is generating what amount of traffic and whether they are indeed generating any attack traffic.
B
Roman Danyliw, Carnegie Mellon, no hat on. I generally like this use case. One thing I wanted to say practically, though, since we're now talking about the ISP touching something in a home network environment and making things happen on that home network behind it: just include some language in the privacy section to talk about what's not getting leaked to the ISP.
C
Yeah, Kaname Nishizuka from NTT Communications. Basically I learned this draft, so I don't support it, then, yeah. There may be a discussion about NAT in the IPv4 case, but the Internet traffic is moving to IPv6, so this is also used for the IPv6 case. Then, about the open questions: you said, does the DOTS client also need to convey attack name, type or ID for diagnostics? Then I think, yeah.
C
The home router may not be capable of detecting new emerging sophisticated attacks, and also I think the home router may not be capable of blocking or distinguishing the emerging sophisticated attacks. So I don't think such kind of new information is required, because such kind of limited function of the home router cannot do anything on such kind of new.
D
Yeah, I mean it's just for diagnostic purposes. For example, the security vendor can go back and update the signatures, basically, and learn that, hey, that one does not have the capability. So it's not going to be immediately useful, but it's going to be used for basically identifying why the home router did not detect those attacks.
I
Frank Xialiang, comments as an individual, a person. I think yes, this is a valid use case, but from the implementation view, from my personal view, if we want to achieve this goal, it means that the home network gateway should support the DOTS server function based upon the DOTS protocol, but I'm not sure that, you know, it's very limited.
I
H
I
So far, for the web server side or the enterprise side, the server is usually some IP or some so-called service and children, something, but now, you know, your DOTS server is on the home network, home network gateway, so I have some confusion about it. Maybe so, this fight by app, and looking, you're looking at your use case, I also think about, actually, essentially the solution reflects the idea that we need to do some real source attack mitigation.
I
Actually I think that's a key point of the solution of this draft, so the similar case can be... We have some other similar cases, for example for the data center or for the branch network. They have the outbound attack to the network, so I think the solution you proposed here can also be used by those use cases. So I think maybe later you can add more use cases, because they can, you know, they can justify your solution.
D
We started discussing this draft; I think it's going to be useful for various other use cases, and I think we can definitely update the draft to list the ones, and I agree with you. There's a big myth that home routers do not provide any security, and like, if you see some of the vendors I listed and the vendor that I work for, basically we are adding a lot of capability to the home router. We have a limited IPS on the home router. We have IoT firewall on the home router.
D
We have basically deep packet inspection enabled on the home router, and pretty much, I think, many of the other security vendors are doing it, and I think the DOTS server is not going to be a public DOTS server. It's going to be only for the intended DOTS client. So it's not going to be like it's going to receive hundreds of connections. It's just going to be one connection from the intended client. So this is not gonna overwhelm the home router to act as any public.
D
I
K
H
D
We didn't want to blindly take those holes and block the traffic. So what we did was we started punting all the traffic from the packet processor to the user space so that we could detect those, for example, layer 7 attacks. So it could be two models, right? I mean this is pretty much specific for DDoS and we don't want it to be used for other purposes, especially for naturally or vertically, right, and the other case is whether we want to blindly trust Fordyce pieces.
D
So it's basically doing a conditional DPI for the compromised devices, and that gives us basically performance benefits, in that we don't inspect all the traffic flows from all the devices but only for specific devices where the ISP sees there are bad flows happening from those devices. So that gave us good leeway for inspecting, enabling full DPI for certain devices only within the home, which could be probably four to five devices at a time launching this attack. So.
B
D
B
So what we've heard so far today is most of the drafts that we currently have milestones for are on a glide slope, either for publication or about to enter working group last call. We started talking about potential new work that we could get into, and so today you heard two new use cases being kind of broached and what their implications would be. And out of that conversation, it appeared that we need to talk a little bit more about what they are, kind of specifically, before we can move to adoption.
B
So we're gonna bring that to the mailing list. The other two things we talked about were two deferred items, one around kind of server discovery, which would be: how do we, you know, more seamlessly insert DOTS-like technology into kind of someone's network? And then the other one was around multihoming considerations, which was providing additional guidance on how to ultimately field that DOTS technology, and we need to bring that back to the list to figure out whether that's additional work on what we initially laid out.
B
C
Yeah, I have a question to the chairs. So you have the server discovery and multihoming considerations, but also you have the call home use case, in which the server is in the home network, okay. So are there any connections between the server discovery and multihoming considerations and the call home use cases? So what about server discovery in.
D
B
K
So I have a question for you on this mitigation offload use case. I'm wondering if the signalling of what the client perceives to be attack traffic and the offloading use case are actually bound tightly together, or whether they are good ideas on their own, and I haven't read the draft in detail, so this may be answered in that case. Sorry.
J
H
K
H
Not really discussion, but I just wanted to apologize to everybody that the AD review on the signal channel and the data channel are taking so long. I expected to get it out sooner and I'm sorry that... I'm about 3/4 of the way through the data channel, or no, signal channel, so I'm working on the signal channel and will get to the data channel after that. So I said a little.
L
Markovski, yes. See, I apologize, I haven't been in this working group before, but I thought it might be an opportunity to raise awareness of a new proposed research group that we're launching that I think will have some overlap with what this group has been doing. It is called SMART, which stands for Stopping Malware And Researching Threats. DDoS attacks are going to be one of the threats that we're considering in that group.
L
D
H
I
Middle East and we hope that we have four new work items. Yes, we definitely need more discussion, and if we have enough interest, I think, okay, we can do this kind of work, and also for today's several new individual drafts, I think they all make sense to some extent, I think so, but all we need is modification and more comments on them, so help us to improve the overall document. So yeah, thanks.
M
Hello, my name is Lawrence. I'm an IETF fellow, ISOC fellow to the IETF, first-time attendee. (Welcome.) Thank you. I just want to volunteer my time to anyone who might need help. I'm fairly decent with Linux and a few scripting languages, Python. So if you need help with an implementation, moving trail. Thank you. (Wonderful.)
B
That'd be great. Okay, wait, next we're gonna wrap up the meeting. Again, one or two thank-yous: to thank you for carrying the load for some of the other presenters during his vacation, for doing that, and to thank you, he and Kira, for bringing the two new use cases for our discussion, and we're gonna take it to the list, and hopefully folks can use the extra time we gave you back. Have a good.