►
From YouTube: IETF93-DOTS-20150721-1740
Description
DOTS meeting session at IETF93
2015/07/21 1740
A
A
Excellent,
so
the
first
big
piece
of
news
to
announce
is
that
we
are
the
dots
working
group
because
of
all
your
hard
work
since
dallas
and
putting
things
on
the
mailing
list
working
through
the
Charter
and
putting
some
ideas
about
what
that
scope
is.
We
are
now
approved
to
really
make
some
progress
and
get
something
standardized
so
again,
ITF
note
well
kinds
of
things,
there's
IPR
issues,
so
please
kind
of
read
through
that.
A
If
you
have
any
concerns,
feel
free
to
kind
of
ask
us
and
of
course
all
of
this
is
being
recorded
for
later
consideration
and
for
our
remote
participants.
Next
slide:
administrative
Lee.
The
first
thing
we
need
is
a
jabber
scribe.
Who
can
help
us
with
that
perfect?
Thank
you
and
the
other
thing
we
need
to
do
is
start
off
with
the
with
the
blue
sheets.
We
unfortunately
have
one
clipboard,
so
we're
going
to
have
to
make
the
whole
thing
go
around
the
room
when
it
gets
to
the
back.
A
So
as
we
do
the
use
cases
in
the
requirements,
we'd
ask
that
you
only
ask
clarifying
questions
and
save
bigger
conversations
about
direction
to
the
discussion
portion
and
then,
after
that,
we're
going
to
turn
to
talk
about
a
couple
of
drafts.
Some
updated
some
new
that
hint
and
talks
about
a
little
bit
about
requirements,
but
also
start
talking
about
implementation.
So
we
wanted
to
really
front-load
the
use
cases,
the
requirements,
but
with
that
I'll
take
a
pause.
Anyone
like
to
bash
this
existing
agenda.
A
The
thing
I'd
really
like
to
show
you
is
that
we
have
a
very
aggressive
timeline.
We
have
three
primary
milestones.
What
we're
hoping
to
accomplish
is
by
early
2016
get
requirements
in
use
case
documents
written
to
scope
out
what
exactly
we're
doing
and
then
in
relatively
short
order,
follow
that
with
the
protocol
transport
document
and
a
data
model
document,
so
primarily
we're
talking
about
three
different
classes.
A
Here
before
we
get
into
the
technical
discussion,
I
wanted
to
to
show
you
what
the
questions
were.
There
were
going
to
be
asking
you
when
that
discussion
is
done.
So,
as
you're
hearing
talk
about
the
use
cases
than
the
requirements
and
all
the
different
perspectives,
one
thing
I
would
ask
is
first
thing
about:
where
do
you
think
we
should
head
with
those
use
cases?
So
we
have
a
number
of
intimate
individual
drafts.
There's
also
some
conversation
on
the
mailing
list
that
isn't
captured
anywhere.
So
how
would
you
like
to
see
all
of
that
formulated?
A
Would
you
like
to
see
multiple
working
drafts
for
the
use
cases?
Would
you
like
to
see
a
single
single
working
group
document
capturing
all
the
use
cases,
and
we
need
to
do
similar
thinking
for
that
with
the
requirements
and
then
certainly
we'd
like
to
talk
a
little
bit
about
who's
thinking
about
implementing
this.
A
So
with
that
I
turn
it
over
to
the
beginning
of
the
technical
agenda.
So
daniel
is
going
to
be
the
first
presenting
on
our
on
our
use
cases
and
again
just
to
just
to
clarify
again
but
thinking
it
is
clarifying
questions
only
when
the
individual
speakers
for
the
use
cases
and
the
requirements
are
up
and
then
we'll
have
time
a
little
bit
of
time
for
discussion.
After
all
of
that
is
random.
D
So
I'm
gonna
well
I'm
going
to
try
to
address
some
of
the
youth
as
I
envisioned.
Can
you
hear
me
ok
right
much
better,
so
I
will
try
to
describe
briefly
someday
use
case.
Basically,
the
idea
of
this
use
case
is
to
see
agree
on
the
scope
of
doats
and
see
whether
there
are
any
additional
use
cases
so
next
slide
so
well.
The
idea
I
had
initially
was
that
in
order
to
mitigate
details,
we
need
collaboration
and
coordination
between
the
different
different
d-does
devices
appliance
and
some
kind
of
programmability.
So
next
slide
so
well.
D
D
Well,
the
programming
interface
also
involves
some
other
service
and
also
some
interaction
between
the
d
Dorcas
burger.
So,
basically,
the
idea
is
to
to
define
worry,
to
scope
of
dots
in
that
and
what
we
really
want
to
address.
So
probably
the
figure
would
be
a
little
bit
more
differently
far.
It
has
been
presented
before
the
I
to
NFS.
So
currently,
my
opinion
would
be
that
the
D
does.
Programming
interface
should
be
part
of
the
I
to
NFS,
and
maybe
the
scope
of
Dutch
should
be
reduced
to
the
other
service.
B
B
D
It's
the
same
way
where
well,
the
scope
is
to
to
mitigate
well
I.
Guess
it's
my
use
case.
So
next
slide.
So
I
came
with.
The
first
scenario
is
a
symmetry.
Well,
what
I
call
the
unpermitted
symmetric?
Well,
you
have
a
deed
of
the
client,
so
it's
an
appliance
that
is
supposed
to
mitigate
d
dos
attacks.
Usually
it
has
a
monitoring
and
mitigation
facilities,
as
well
as
the
alert
service
inside
so
well.
D
What
we
expected,
what
we
expect
is
some
relation
with
the
details,
configuration
or
we
call
next
on
the
next
slide
orchestrator
in
order
to
coordinate
these
details.
Appliance
next
slide.
So
this
is
what
I
represented
by
the
programming
interface,
but
currently,
at
this
time,
I
understanding
is
that
this
programming
interface
should
be
restricted
to
a
kind
of
alert
service.
So
it's
like
you,
define
some
threshold
and
say
well
when
this
threshold
just
being
rich,
send
me
an
alert.
It's
not
truly
having
an
eye
to
NFS
interface
next
slide
so
well
and
another
one.
D
Is
that
it's
what
I
call
the
on-premises
symmetric
key,
which
means
that
in
some
cases
you
have
the
mitigation
well
d,
dos
appliance
that
are
specialized
for
mitigation
and
adults,
/
Bryant
for
monitoring
so
well.
The
idea
is
that
you
can
share
between
a
multiple
links,
the
mitigations
so
well
you.
The
way
is
that
when
you
notice
that
some
traffic
is
being
a
suspicious,
you
redirect
those
with
a
with
a
network
element
to
this
mitigations
link
the
link
where
the
dealers
in
mitigation
appliance
is,
and
so
only
for
the
suspicion
traffic.
B
Class
Scott
Barbic
there
in
all
these
use
cases,
and
even
in
the
draft
I
think
the
big
question
I
keep
looking
at
it
in
light
of,
is
how
it
as
use
cases,
how
prescriptive
are
some
of
these
components
in
your
mind,
as
existing
or
being
defined
in
the
standard
versus
the
notion
of
being
an
inner
system
interface,
and
that
can
be
anything
these
just
examples
of
what
could
be
on
either
side
of
the
interface
or
in
your
mind,
this
is
the
use
cases.
This
is
how
it
should
be.
Oh.
D
No
I'm
not
trying
to
get
the
question,
it
could
be
any
element
and
well.
The
only
thing
we
are
looking
at
is
way
too
to
receive
feedback
from
this
element,
so
it
can
be
an
already
existing
hardware.
Where
you
just
add
one
service,
it
can
be
a
virtual
one.
It
can
be
a
combination
of
these
two
functions
or.
B
So
yeah,
so
is
a
use
case.
There
could
be
many
things
you
could
implement
this
in
many
ways,
but
what
word,
what
maybe
you
would
say
is
or
what
I'm
hoping
you
would
say,
is
what
we
stop
at
the
interface
level
between
the
two,
the
receiver
and
the
and
the
sender.
But
all
these
things
could
exist
in
a
particular
implementation
particular
use
case.
D
Well,
I
mean
yeah,
I,
don't
see.
Well,
we
don't
have
to
well.
We
are
not
going
to
define
what
is
the
deed
of
monitoring
appliance,
for
example,
we're
why
my
understanding
is
that
we
should
only
be
focused
on
the
interface
okay,
which
in
DC
yeah
thanks,
but
it's
not
an
architecture
document
when
I
recommend
some
architecture
either.
So
that's
the
symmetry
one,
and
so
basically
you
can
see
that
the
details,
monitoring
appliance,
is
sending
a
lot
of
information
to
the
deed
orchestrator.
D
So
on
the
next
slide,
what
we
can
expect
from
dots-
it's
that
are
you.
Instead
of
sending
all
the
traffic-free
got
owned.
Well,
all
the
information
related
to
the
traffic.
You
can
only
reduce
that
to
one
alert
so
which
is
represented
by
the
details,
programming
interface.
So
it's
only
one
alert
that
say
well,
the
threshold
has
been
rich
and
you
can
provide
even
to
do
some
additional
information,
but
that's
up
to
then
the
D
does
orchestrator
to
take
the
decision
next
slide.
So
well,
we
cloud
the
cloud
use
case.
D
I
just
wanted
to
mention
that
on
the
alert
can
be
sent
on
to
on
premise.
So
some
to
a
device
that
is
on
a
given
domain,
but
you
can
also
be
sent
outside
to
a
third
party,
for
example.
In
this
case,
the
third
party
is
going
to
be
cloud,
doesn't
mean
any
think,
so
so
next
slide
so
well.
Basically,
when
you
it
can
be
what
the
alert
can
be
sent
by
anyone
any
device.
D
D
B
D
I
mean
this
slide:
yeah
no
I
mean
dislike
well,
the
fights
were
done
before
I
to
NFS.
So
the
presentation
we
add
was
quite
helpful
to
define
on
what's
going
to
be
the
scope
of
thoughts
regarding
to
I-20
FS
and
I
really
wanted
to
have
a
separation
between
those
two.
So
what
I
wanted
is
to
have
to
clearly
identify.
Well,
you
have
a
dealer's
clients
and
speaking
to
someone
else-
and
I
thought
I
mentioned
this-
the
dots
agent
I'm
not
specifying
specifically
what
he's
doing
and
some
of
the
it's
possible
interactions.
B
So
I
think
that
one
of
the
things
that
may
help
looking
at
this
is
to
clearly
define
what
are
things
that
the
management
plane
of
a
mitigation
service
provider
might
be
expected
to
handle
that
our
subscription
time
events
right,
setting
up
the
ability
to
announce
customers
prefixes
to
redirect
traffic,
to
set
baselining
or
configurations
of
the
mitigation
on
a
poor
customer
bases
and
clearly
separate
those
from
what
you
might
want
to
do
in
real
time
or
have
a
protocol.
That's
outside
the
routing
system,
we're
outside
the
management
plane
to
to
to.
D
B
Just
one
part
of
the
system,
one
part
of
one
minor
part
of
the
system
is
getting
traffic
to
the
mitigation
Center.
The
the
other
person
isn't
seem
interesting
is
letting
it
letting
a
customer
or
some
end
in
sight,
declare
that
there
they
have
an
issue
and
then
doing
some
and
then
doing
something
about
that
second
step
and
then
filtering
and
and
and
re-inject
what
traffic
being
the
third.
So.
A
E
D
If
we
want
things
to
be
complex,
we
could
say
well
I'm
orchestrating
my
own
network
and
when
I
see
that
the
attacks
is
beyond
my
capacity
I'm
asking
to
a
third
party,
can
you
handle
with
that?
So
I
can
well,
one
way
is
to
say
you're
going
to
handle
with
the
wall
suspicious
traffic
and
in
some
way
you
can
say:
well,
we
can
cooperate
on
some
things,
so
that's
part
of
there
might
be
some
interaction
between
details.
Orchestrators,
that's
a.
B
D
D
Ya
know
because
I
LCD
the
agent,
the
audience
voted
yes
by
the
way.
Yes,
no
well,
it
depends
well
that
that's
part
of
the
questions
I
mean
I'm,
but
I'm
I
would
try
to
to
limit
the
interaction
between
the
agent
and
the
internal
system.
But
if
you
asking
the
system
to
send
an
alert
when
something
is
happening
well,
it
needs
to
have
some
access
at
least
read
access
to
some
monitoring
events,
or
some
kind
of
things
like
that.
B
Right
but
whether
that's
considered
dots
or
just
something
else,
I
guess
I
was
trying
to
figure
that
out
did
the
other
thing
I
was
trying
to
figure
out
is,
is
if
you
would
click
back
to
the
previous
more
complex
picture,
so
just
everything
that
wasn't
in
the
orchestrator
has
been
subsumed
into
the
now
go
forward,
whatever
the
lower
box
forward,
one
side
now
forward,
so
everything
that
wasn't
the
orchestrator
is
now
in
this
bottom
box
and
we're
calling
that
the
dots
interface
is
it.
What
happened
there?
E
Hello,
everyone
I'm
friend
from
Hawaii-
and
this
is
another
thoughts,
good
cases
draft.
We
call
it
a
dose
exchanging
the
use
case
and
in
the
foster
okay
to
the
time.
Okay,
University
page
I
try
to
try
to
kill
my
my
my
personal
understanding
of
the
potential
nor
work
of
the
whole
outline
of
the
thoughts
architecture.
Maybe
I
think
that
the
the
dose
sister
can
is
a
close
race
that
collaborative
and
distributed
sister.
It
should.
E
It
may
be
included
several
elements
which
included
the
first
of
I,
think
we
should
have
a
century
centralized
the
controller
entity
does
to
control.
Then
we
have
the
maybe
wait,
wait.
We
need
our
energy
loss
detection
Center
this.
This
Edmond
is
mainly
for
the
collector,
the
the
thread
or
the
event
information
or
some
flow
summary
information
and
the
Tucson
standardize,
the
analyst
or
big
mining
technology
to
detect
her
to
monitoring
the
network
and
also
we
have
several
network
elements
which
can
be
a
traditional
or
the
network,
devices
deuter
or
switch,
but
also
it
is.
E
It
also
also
can
be
the
specified
and
it
across
applies
it
most
sophisticated
and
intelligent
to
directory
monitoring
the
attack.
Events,
and
also
for
for
some
more
for
some
more
idea,
I
think
maybe
a
country
or
the
cloud-based,
the
entity
door
service
is
very,
very
popular.
So
this
is
also
the
original
reason
that
we
propose
that
to
do
some
working
ideas,
because
we
need
some
singular,
a
negotiation
between
the
on-premise
and
it
does
need
a
las
devices
and
the
cloud
basis,
and
it
also
is
so.
This
is
also
very
important.
E
The
last
party
is
about
if
we
considered
how
to
support
the
interdomain
entity
does
a
function.
So
this
is
a
no
no
more
pika
scenario.
So
maybe
we
need
a
coordinator
to
to
to
help
different
operators
to
to
coordinate
the
idea,
does
requester
and
to
the
have
work.
That
is
so,
and
we
have
all
these
elements
and
we
have
a
fight
five
possible
interfaces
between
all
these
elements.
They
are
the
controls,
including
interface
or
detector,
signaling,
or
shares
inventory,
a
report
or
coordinator.
E
So
that's
all
I
will
come
our
current
understanding
of
the
post,
potentional
thoughts,
architecture,
okay,
okay,
so
why
we?
Why?
The
the
the
the
background
that
way
varieties
extending
the
use
case
drafter,
is
that
wasting
that
a
specific
entity
does
system
is
influenced
by
many
arrival
arrivals,
which
include
that
a
the
first
whined
about
architecture.
If
we
choose
the
wither,
we
choose
the
centralized
architecture
on
that
distributed
totally
distributed.
Architecture.
Oh
the
secondary
data,
whether
we
use
with
just
the
collector
the
floor
sample
information
from
the
folding
devices.
E
Oh,
oh,
we
can
use
some
specified
that
indeed
Ottawa
appliance
to
get
the
attack
events.
They
are
different,
detective,
Messer
and
and
also
we
can
statically
deployed
at
the
anti
device,
and
he
does
applies
to
the
network.
All
we
can
use
some
new
technology
energy
technology
to
deport
the
dynamically
deployed.
Our
adidas
advice
and
other
variables
can
include
the
what
is
a
trash
bag,
mechanical
issues
and
and
the
different
or
maybe
have
different
solutions.
E
What
we
try
to
do
is
we
try
to
identify
the
variable
and
the
promising
use
cases
to
derive
the
requirement
for
multi
technology,
integrated
and
collaborative
individual
solutions,
and
it
can
help
us
to
identify
the
ta's
work
or
what
we
can
do.
Maybe
it's
a
step-by-step.
If
ya
wait,
we
can
foster
so
the
most
own,
a
most
urgent,
the
most
a
single
scenario
game
we
so
the
next
of
that
work.
Okay,
next,
the
page,
okay,
so
I
wasted
some
time.
E
So
sorry,
okay,
this
is
our
use
case-
is
a
the
content
of
a
lot
of
a
draft
away.
In
this
draft,
we
propose
the
two
use
cases.
These
two
use
cases
industry
the
most
in
areas
and
the
multiple
ways
to
implement
the
cut
two
for
the
implementation
within
the
way
we
think
it
can
be
under
the
calendar
are
tossed
work
scope.
E
The
first
one
is
that
we
collect
her
and
correlated
the
security
related,
a
flow
information
from
network
forwarding
devices,
for
example,
of
the
deuteron
switch
and
based
on
this
information
and
the
sender
eyes
the
data,
mining
or
analysis
process.
We
can
proactively
detective
ethos
attack
by
by
this
way.
I
think
this
is
our
future
trained,
yeah
and
secondary
use
cases.
We
use
the
dynamic
and
distributed
indeed
a
solution
to
create
the
B&H,
and
it
is
also
be
honest
and
deploy
them
to
the
edge
of
the
network.
E
Auntie
mom,
okay,
next
30,
okay,
this
is
the
fourth
the
use
cases.
I
I,
don't
want
to
talk
about
details
actually
this
visa.
This
is
a
closed
loop
feedback
system.
We
have
the
controller,
we
have
the
we
have
the
flow,
collector
and
and
the
based
on
these
floats
full
of
piss
down
this
loop.
We
can,
we
can
get
information,
we
can
mitigate
the
T
dos
attack.
E
Okay,
this
is
the
first
one
and
next
the
pager,
that's
the
pager
is
about
about
the
deployment
stages
of
the
on
digital
system,
and
here
the
key
point
is
about
that.
If
you
are
a
network
operator,
you
can
control
your
local
network
and
by
using
the
current,
are
only
three
technologies
you
can
deploy
your
we
are
your
entity.
Does
devices
utilize
the
added
our
devices
to
the
nearest
location
and,
and
it
can
help
you
to
very
efficiently
to
mitigate
the
entity
that
attack
so
about
the
key
problem
here?
E
Is
that
how
to
stop
tracking
how
to
do
the
soft
raking?
How
to
how
to
find
you
the
right
place
to
deploy
in
the
your
we
are
as
individuals,
alliance,
okay,
next
to
page
and
I,
want
to
take
the
chance
to
to
give
up
just
justification
that
the
flow
sampling
technology
can
be
used
to
detector
the
entity
dos
attack
because,
for
example,
in
this
use
case,
are
using
in
this
example
week.
We
can
see
that
so
HTTP
sync
flat
are:
we
can
detector
the
flow
character?
Is
it's
a
it's
wrong
inspired
by
direction
delay?
B
E
E
Actually,
the
the
technology
is
very
similar
with
the
injured
man
and
digital
solution.
The
the
the
I
think
the
key
difference
or
the
keep-keep
problem.
Okie
difficulty
is
that
that
how
to
construct
the
the
trustor
or
the
authentication
relation
between
the
different
vendors?
If
we,
if
we
can
have
the
tractor
motor
to
to
teaching
the
different
operators,
are,
we
can,
we
can
achieve
the
interdomain
and
it
it
does
go
okay,
next
page,
so,
okay,
the
necklace
table.
We
try
to
a
solicitor,
a
more
comments
from
from
York.
E
B
E
C
E
Can
specify
the
flow
summary
interfaces?
How
to
extend
the
IP
fix
protocol
to
to
convey
some
attack
information
and
to
the
sender
eyes
the
analyzer
center
and
to
detector
attack
and
I
also
think
that
the
interface
three
men
across
the
line
here
213.
I
also
think
they
they
can
be
specified
that
you
are
involved,
because
the
story
is
about
how
to
auto
control,
how
to
signal
into
the
network
device
or
the
specified,
and
it
does
device
to
do
some
security
policy
and
the
22
separation
of
all
cleaning
the
traffic.
Alright.
So.
B
B
B
B
E
B
B
B
In
the
answer
to
the
question
of
how
much
do
we
think
this
is
in
within
dot
scope
and
what
might
not
be
we'll
need
to
look
at
some
of
these
things
and,
for
example,
on
the
flow
sampling?
Is
that
something
where
some
other
methodology
communities
like
that
when
I
keep
an
eye
on
miles
as
an
example?
It
may
not
be
there,
but
keeping
our
eye
out
in
terms
of
other
technologies
which
are
which
are
part
of
this
landscape,
which
may
be
of
assistance
as
answering
as
we
look
at
them
yeah.
F
Good
evening,
Andrew
Mortensen
from
arbor
networks
can't
hear
me
how
about
now,
better
all
right
once
again,
Andrew
Mortensen
from
harbor
networks
I
have
no
colors
on
my
slides,
so
I
hope
that
would
be
an
adequate
I'm
going
to
keep
this
very
brief
because
my
my
draft
was
accepted
very
late
in
the
game
and
I
hope
everyone
has
everybody
who
had
a
chance
to
read
it
show
of
hands
who's.
Read
it
whew.
Okay,
so
I
had
made
some
assumptions
about
how
much
time
I
was
going
to
have
so
I
kept.
This
very
sparse
next
slide.
F
Please.
There
are
a
couple
goals
in
writing.
The
requirements
draft
and
one
of
them,
was
to
try
to
come
to
a
common
understanding
of
actors
in
terms
and
dots.
It
seemed
to
me,
through
the
discussions
on
the
mailing
list,
that
there
was
some
disagreement
here
and
so
the
requirements
draft
is
partially
intended
to
try
to
expose
those
things
and
enforces
to
come
to
that
common
understanding.
F
Additionally,
I'm
hoping
to
develop
a
consensus
on
the
protocol
needs
again.
I
think
there's
been
some
disagreement
in
some
confusion
about
what's
required
here.
Next
slide,
please,
alright!
So,
as
I
said,
it's
brand
new
and
there
are
some
subsections.
What
I
did
try
to
do
was
define
some
of
the
terms.
The
various
end
points,
including
who
was
responsible
for
sending
the
signal
who
is
responsible
for
processing
it
and
what
the
signal
is
going
to
going
to
contain
and,
as
Daniel
alluded
to
I
feel
like
the
the
basic
dots
signal
needs
to
contain
that
alert.
F
That
request
for
help
I've
also
included
some
information
about
attack
telemetry,
whatever
might
be
available
to
the
signal,
ER
and
so
I'm.
Looking
for
a
lot
of
feedback,
there's
been
only
a
little
bit
on
the
list.
I've
had
some
offline
feedback
too,
and
the
feedback
to
date
has
largely
been
around
some
of
the
clarifications
of
terms.
F
There
has
been
a
little
bit
of
some
some
question
about
the
the
relevance
of
the
dtls
section
I
included
when
talking
about
the
the
need
to
encrypt
or
the
need
to
provide
confidentiality,
integrity
and
authenticity.
That
is
again
partially
meant
to
elicit
some
disagreements
or
some
friction
on
the
the
understanding
of
what
dots
is
supposed
to
be
providing.
F
This
is
positioned
for
rapid
development
revision,
I'm,
hoping
to
make
some
very
quick
progress
on
this.
So
again,
I'm
looking
for
a
feedback.
Next,
the
next
steps
are
again
to
incorporate
that
feedback
and
make
very
rapid
progress
on
this
I'm
hoping
to
have
the
the
next
revision
of
the
draft
out
shortly
after
this
ITF
concludes.
So
please
take
a
look.
Please
provide
your
feedback.
There
are
some
subsections,
and
one
of
them
is
the
configuration
channel.
F
I
have
made
some
allusions
in
there
about
what
that
might
constitute,
and
Nick's
draft
does
include
some
suggestions
about
using
what
he
describes
as
adjacent
RPC.
Api
I
have
suggested
rest
conf.
That
is
not
necessarily
a
requirement
at
this
point,
but
given
the
RPC
element
that
he
suggested
rest
comp
seemed
like
a
possible
candidate.
F
The
revision
of
the
terminology,
improving
improving
the
terminology,
expanding
it
based
on
feedback
is
going
to
be
critical.
I
have
included
here
the
mention
of
any
required
data
models
that
is
a
sort
of
longer-term
target,
but
figuring
out
the
requirements
for
the
data
mountain
data
models
at
this
stage,
I
feel
also
will
help
set
the
course,
and
finally,
it
will
be
very
important
for
the
requirements
to
have
to
be
mapped
to
NE,
uski
new
use
cases
and
revised
use
cases
fitting
the
requirements
draft
to
any
architecture
documents
that
we
develop
also
will
be
very
important.
F
B
But
I
wasn't
quite
sure
because,
because
most
of
its
terminology,
mm-hmm
and
so
I
wasn't
quite
sure
if
I
was
actually
calling
those
requirements
mm
or
set
up
for
the
requirements.
You
know
the
the
supplicant
will
ask
you
something
or
you
know
so
in
your
mind,
is:
are
those
requirements
yet
or
just
the
it's?
It's
the
base,
yeah
I
think
it's
at.
F
B
B
C
C
F
C
So
do
dos
attacks
or
attacks
against
capacity
and
state
the
idea
is
to
disrupt
availability.
Next
slide.
We
Nick
go
ahead
and
advance
the
next
slide
yeah.
We
want
to
be
able
to
maintain
availability
even
in
the
face
of
tap
next
slide.
Please
next
slide.
So
most
endpoint
networks
on
the
internet
have
a
relatively
Placid
view
most
the
time
with
their
security
posture.
The
sky
is
blue:
they
have
a
white
picket
fence
to
keep
things
out
next
slide
and
then
this
happens.
C
You
know
nothing
of
d
dust,
offense,
Jon
Snow,
and
he
has
it
know
much
about
malicious
insiders.
Artic
next
slide,
please.
So
when
that
happens,
who
do
they
call
next
slide?
Typically
ISPs
and
ms
SBS?
And
unfortunately,
despite
all
the
various
advances
that
we've
made
technologically,
we
still
tend
to
use
a
variation
on
a
three
hundred
fifty
year
old
technology
to
communicate
on
the
need
for
assistance
next
slide,
please.
So
it's
very,
very
difficult
for
most
endpoint
organizations
to
communicate
effectively
on
their
requirements
for
the
Oz
mitigation
in
real
time.
C
C
There
are
various
solutions
out
there
on
that:
our
user
as
technologies
they're
used,
but
basically
each
deployment
of
a
DDoS
mitigation
system
of
some
kind
to
be
a
very
bespoke
custom
kind
of
solution
and
because
there's
a
there's
currently
a
lot
of
manual
work
required
to
do
the
provisioning
as
well
as
the
operation
on
it
can
become
a
very
long
and
involved
process
to
even
notify
a
provider
that
there's
a
need
for
Jaws
mitigation
assistance,
much
less
to
effectively
communicate.
What's
required
next
slide,
please.
So
there
are
methods
today
to
automate.
C
So
in
this
communication,
the
problem
is
that
they
are
proprietary
and
so
there's
an
element
of
vendor
lock-in
here
and
what
we
want
to
be
able
to
accomplish
with
dots
is
we
want
organisations
who
need
DDoS
mitigation
protection
to
be
able
to
mix
and
match?
We
want
them
to
be
able
to
pick
different
vendors,
different
implementations,
different
providers
and
have
assurance
that
there
is
a
programmatic
way
that
they
can
very
quickly
communicate
when
they
are
under
attack
and
receive
situationally.
Appropriate
assistance,
there's
also
an
application
here
for
inter
provider
communications
as
well.
C
When
you're
in
point
network,
you
have
multiple
transit
links.
For
example,
you
have
multiple
operators,
ms
SPS,
who
are
providing
the
dots
mitigation
services.
They
may
have
radically
different
implementations
with
different
paradigms,
and
so
it
becomes.
It
really
becomes
incumbent
upon
the
end
customer
who's
under
attack
to
try
to
coordinate
all
this
many
times
they
don't
have
the
instrumentation.
They
don't
have
the
skill
set.
They
don't
have
the
people
and
so
effective,
quick
ddotty
negation
in
those
circumstances
can
be
well-nigh
impossible
in
many
circumstances.
Next
slide,
please.
So
what
happens?
C
Is
d
das
defense
devolves
into
a
typing
contest
between
the
attackers
next
slide
and
the
defenders
who
in
many
cases
are
blindfolded
because
they
don't
receive
adequate
information
from
the
organizations
they're
trying
to
protect
next
slide?
Please
and
as
history
shows
us
when
we
have
largely
static
load,
ility
defenses
that
may
not
be
deployed
optimally
next
lie.
This
is
what
happens
next
slide
please
so,
20
years
ago,
DDoS
mitigation
was
coordinated,
using
email
and
telephone
next
slide.
Please,
ten
years
ago,
DDoS
mitigation
was
coordinated,
using
email
and
telephone
next
slide.
C
Please,
today,
this
is
how
DDoS
mitigation
is
largely
coordinated.
Next
slide,
please
we
have
to
do
better
than
this,
rather
than
bubbling
around
the
phone
jotting
notes
and
flipping
through
our
various
playbooks
next
slide.
Please,
we
need
a
standardized
way
to
share
this
information
next
light
across
a
very
fast
unreliable
transport.
They
can
get
the
information
through
very
very
quickly
next
line.
We
also
need
to
have
an
option
for
a
good
old,
reliable
transport
that
can
weave
its
way
through
policies
which
may
not
allow
the
unreliable
transport
through
next
line
this
protocol.
C
This
needs
to
be
able
to
describe
itself
and
what
the
problem
is
and
what
its
desired
outcome
is.
That's
right.
We
also
need
to
be
able
to
relay
on
these
requests
for
assistance,
as
well
as
responses
in
status
across
administrative
boundaries.
Also
between
on
state
home
and
stateless
transports,
we
want
everyone
and
everything
to
have
the
opportunity
to
participate,
not
just
bespoke
systems
that
are
designed
very
specifically
to
do
DDoS
mitigation.
C
Thanks
lie
please,
and
we
want
to
be
able
to
bring
them
together
so
that
we
can
all
bring
our
shields
up
and
tune
them
to
the
frequencies
that
the
Klingons
are
using
on
their
face,
or
so
that
we
can
have
a
natural
defense
that
can
react
very
quickly
when
the
attackers
change
their
vectors
and
circumstances
change
next
light.
Please.
G
Hi
I'm
Chris,
no
Mike's
too
slow,
too
low
all
right
so
next
time,
please
so,
as
as
Ron
said,
we're
looking
for
some
standards
based
approach
so
that
my
six
vendors
can
talk
to
each
other
when
I
have
a
problem
and
I
don't
have
to
worry
about
having
six
signalers
on
my
side
and
controlling
and
managing
and
dealing
with.
All
of
that
I'd
like
to
make
sure
that
I
don't
send
request.
It
says:
please
do
this
specific
thing
to
the
far
side
I
want
to
tell
them.
I.
Have
this
problem
help
me
solve
it.
G
I
want
them
to
tell
me
back.
I
got
your
message:
I'm
going
to
do
something
or
I'm
not
going
to
do
something
based
on
their
capabilities
and
I,
also
like
the
ability
to
make
sure
that
I
send
it
to
the
right
person
that
they
hear
from
the
right
person.
So
not
just
getting
messages
from
any
random
person.
Saying
Chris
wants
help
and
killing
me.
So
I
need
to
be
able
to
say
what
it
is
I'm
trying
to
do
like
I
have
a
web
server.
It's
getting
sin
flooded,
like
that's.
G
G
You
may
want
to
include
some
information
about,
like
please
rate
limit
to
this
level
or
please
deal
with
requests
that
look
like
this
type.
This
we
can
get
into
that
in
the
protocol
further
down
the
road,
but
I
need
a
packaging
system
to
do
that
in
a
state
of
fashion
and
also
as
we
roll
and
said,
I
may
have
multiple
arms
inside
my
company
that
need
to
do
something
or
inside
of
my
deployment
you
something
you
may
have
multiple
inside
of
yours.
G
If
I
need
to
talk
to
you,
I
need
to
make
sure
that
the
right
part
of
your
company
gets
my
conversation
right
and
working
at
it
previously
working
at
a
large
telco.
There
are
lots
of
arms
of
any
telco
or
isp
making
sure
you
get
the
right
messages.
The
right
people,
if
not
always
easy.
Next,
like
this
oftentimes
the
as
warrants
that
morning
as
Roland
said
the
systems
on
the
far
side,
they're,
not
what
you
would
expect
right:
it's
not
always
a
harbor,
TMS
or
carreiro
whatever
they
call
it.
These
days,
don't
work.
G
Sorry
I
forgot
what
they
call
it.
You
can
correct
me
later,
whatever
those
things
aren't
right,
I
may
have
only
the
capability
in
this
particular
deployment
to
deal
with
the
router.
So
if
I
say,
please
rate
limit
this
stuff
or
please
block
this
URL
like
you,
but
you
have
to
be
able
to
tell
me
I
can't
block
the
aura.
Sorry
or
I
can
break
limit,
but
only
to
this
level
we're
only
of
this
type
of
stuff.
I
can
only
do
TCP.
I
can't
do
UDP,
for
whatever
reason
routers
are
crazy,
sometimes
either
way.
G
I'd
also
really
would
like
to
be
able
to
know
that
my
das
service
provider
upstream,
is
still
there
right.
So
if
I
use
a
duster,
a
survivor,
that's
you
know.
2
a-s,
hops
away.
I
may
have
made
a
relationship
with
them.
You
know
a
year
ago
if
they
go
out
of
business
or
disappear
or
change
their
deployment.
I
need
to
be
able
to
know
that
before
I
get
attacked
right
as
again
working
at
a
large
toko,
and
when
someone
calls
you
up
and
says,
are
you
my
isp
I
think
I'm
under
attack?
Like
that's?
G
That's
really
not
the
best
start
of
the
conversation
so
be
good
to
know
this.
You
know
on
going
to
have
you
know
a
reliable
communication
to
them
on
regular
basis.
It'd
be
great
if
I
could
tell
more
than
one
person
from
my
deployment
right.
I
have
two
isps
as
uplinks
I'd
like
to
go
a
little,
both
of
them
the
same
story
if
possible,
yep,
that's
it
I
think
we
don't
really
have
much
also
than
that
to
say
so
then
make
as
questions
I.
Think.
G
Be
good
to
know
how
many
people
in
this
room
have
actually
built
and
deployed
das
mitigation
system.
1
2,
3,
4,
5,
6,
7,
8,
9,
10
12,
you
go,
you
don't
count.
Yes,
I
mean
I.
Think
it's
interesting
that
those
are
the
folks
you
all
should
really
be
talking
to.
You
know
how
to
make
this
work
right
because
they
have
those
guys
have
got
deployments
that
are
made
of
multiple
different
systems,
but
please
go.
G
Think
the
rowans
early
for
one
of
his
early
slides
said
we
need
to
be
concerned
with
maintaining
availability.
So
if
it's,
you
know
ping
out
death
right,
there's
a
solution
for
that.
If
it's
200
gigabit
reflected
DNS
attack,
there's
a
solution
to
that
right.
I
mean
I.
Think
that
scares
that
there's
a
that
somebody
says
I
have
a
problem.
Please
help
me
I,
don't
think
we
really
care
so
much.
But
if
it's
a.
C
To
be
clear,
we
want
this
to
be
agnostic
in
terms
of
you,
das
attack
methodologies.
We
want
be
agnostic
in
terms
of
the
specificity
of
DDoS
mitigation
technologies
that
are
being
used
and
also
we
want
to
keep
an
eye
on
other
use
cases
beyond
aghast,
but
we
don't
want
to
try
to
solve
security
and
this
working
group.
C
G
B
B
E
G
E
B
Handing
over
to
the
left-hand
side
at
this
moment,
thank
you,
I
just
mean
it's
kind
of
a
Segway,
perhaps
but
I
think
it
will
come
up
that
the
definition
of
DDoS
will
have
to
check
ourselves
along
the
way
to
make
sure
it's
actually
the
d.
Indeed,
us
you
know,
distributor,
org
or
large-scale,
or
something
that
might
have
this
change
protocols
or
or
use
specific
protocol,
because
it's
not
just
you
know,
somebody's
decision
to
send
one
slow,
loris
and
that's
not
necessarily
das,
but
something
that
could
blow
through
that's.
B
G
C
Understand
later
genesis
of
your
comment
rate-
and
I
think
that,
as
we
start
working
towards
actual
requirements
that
this
will
become
clear
on,
but
but
the
intent
here
is
to
be
universal
in
nature
and
one
way
of
being
universal
in
nature
is
to
describe
what
is
being
attached
and
with
some
basic.
You
know
kind
of
verb
as
to
what
you
would
like
to
have
happen
and
then
all
the
rest
of
it
is
provisioned
up
here
and
there's
no
automation
and
we'll
sets
and
things
of
that
nature
might.
E
B
Verizon,
just
I
wanted
to
have
a
quick
comment
on
the
gentleman
that
was
pointing
on
the
motivation
of
trying
to
prevent
adidas
attack.
So
as
a
carrier,
I
can
speak
that
you
know
the
the
discussion
here
is
actually
much
more
sensible
to
us
and
I
know
of
no
reason
for
when
you
could
not
prevent
d
das
attack
for
any
reason,
so
you
know
f1.
B
Thank
you
very
much.
That's
a
very
nice
closing
point
of
the
open
discussion.
I'm
sorry
that
we
have
to
cut
so
short,
but
I
wanted
to
also
have
a
few
last
minutes
to
ask
questions
to
get
a
feeling
how
we
can
move
forward.
I.
Think
you
see
some
of
the
questions
Roman
put
before
that
we
should
address.
If
you
have
other
questions
that
you
think
we
should
address,
I'm
also
happy
to
take
them
as
well,
I'm,
very
conscious
that
we
are
between
you
and
the
castle,
so
yeah
I'm,
careful
with
that.
C
Dobbins
arbor
networks,
I
actually
have
a
lot
of
very
detailed
notes
on
the
draft.
I
won't
get
into
that
right
now.
What
I
do
want
to
stay
is
that,
in
my
view,
on
what
we've
really
seen
that
that
then
describes
use
cases
or
not
use
cases,
these
are
model
architectures.
They
have
varying
degrees
of
correspondence
with
what
is
actually
being
done
and
I
think
that
what
we
really
need
to
do
is
to
take
some
of
the
useful
comments
out
of
those
and
combine
them
with
additional
thoughts
and
come
up
with
a
unified
use
cases
draft.
C
What
we
have
right
now
in
many
cases
is
overly
prescriptive
in
some
cases
under
bleep
under
prescriptive
and
there's
also,
I
think,
in
something
of
a
lack
of
awareness,
the
current
state
of
the
art,
and
so
we
need
to
reconcile
all
of
those
and
make
sure
that
our
use
cases
are
really
use
cases
and
are
not
architectural
reference
documents.
We
may
need
architectural,
you
know
reference
models,
but
but
what
we
saw
today
being
described
as
use
cases
we're
not
use
cases
affecting
noted.
B
As
a
comment
in
favor
of
combining
drafts
and
consolidating
next
one,
please
thank
you
were
first
and
then
I'm
there
any
notion
of
Doug
Montgomery
again.
Is
there
any
notion
of
clearly
differentiating
attacks
from
what
could
be
a
provision
of
service
attack
that
your
poorly
engineered
and
you're
being
overrun
by
your
own
traffic?
F
B
One
could
envision,
you
know
you
envision
having
to
convey
some
notion
of
that
other
than
I
just
want
you
to
get
rid
of
this
traffic.
I'm
not
trying
to
prove
to
you
that
it's
an
attack,
I
just
want
you
to
give
us
so
so
at
this
point,
I
feel
that
we
need
to
get
to
the
next
steps
and
I'm
really
sorry
for
kind
of
cutting
this,
but
I
would
encourage
this
question
may
be
to
put
to
the
mailing
list
and
just
notice
that
everyone
use
the
word
attack
and
I'm
sure
that
yeah
ninety-nine.
B
Adult
it
knows
it
yes,
Rick
Rick
saw
a
lockma
I
just
want
to
rain,
reinforce
the
point
about
the
current
news
cases.
They
really
read
his
block
diagrams
from
implementers
and
not
something
that
the
usual
would
actually
use
some
more
concerned
about.
What
is
it
we're
trying
to
protect
and
what's
the
threat
model
that
will
protect
me
against
so
I'm,
good,
okay,
yeah,
I'm
really
going
to
cut
the
mic
now
yeah,
you.
B
B
So,
okay,
I
have
some
yes
could
be
bomb-ass
quits.
If
we're
going
to
RC,
you
want
a
single
unified
draft.
If
you
use
case
is
not
going
to
see
it's
significant
expenditure
of
time
of
everybody
to
get
the
various
offices
authors
to
get
to
a
unified
writing
style,
our
intention
is
to
go
to
RFC.
This
is
part
of
the
milestones
in
the
charger.
B
So
then,
okay,
then
let
me
give
her
hum
so
who's
in
favor
of
starting
one
unified
instead
of
I
coab
getting
up
okay.
So
let
me
go
to
a
hum
who
is
in
favor
of
starting
a
new
unified
use
case
graph
for
dots.
Please
come
now
if
you're
in
favor,
who
is
against.
Please
come
now.
Okay.
This
sounds
like
rough
consensus.
B
Let
me
actually
ask
you
who
would
be
interested
in
editing
who
would
be
volunteering
to
edit
such
a
draft
hands
up?
Okay,
that's
a
lot
of
hands!
That's
one!
Two,
three,
four:
five:
six
like
10-15,
not
12
to
our
profit,
yeah!
Well,
yeah!
Okay,
so
you
can
later
get
your
names
known
to
the
working
group
chairs.
Please,
who
would
be
willing
to
review
this
kind
of
rushed?
B
B
Can
you
later
give
us
the
name
of
the
person,
so
we
can
haunt
him
for
the
requirements.
Discussion
should
we
also
unify
the
requirements
documents
into
one.
Is
that
not
so
essential,
annie?
Is
that
a
question
I
can
ask
for?
Is
any
ok
I'll
go
ahead?
Who
is
in
favor
of
us
unifying
the
requirements
draft?
Please?
I
am
now
ok,
who
is
against
a
unifying
the
requirements?
Droughts?
Please
come
now.
B
There
I
hear
a
little
humming
yeah,
so
it's
like
still
rough
consent
might
be
in
favor
of
unifying
looking
at
the
ad
she's
nodding
so
and
the
last
question
would
be:
oh
yeah,
who's
in
who's
willing
to
edit
requirements
raft
end
up.
Okay,
that's
less!
That's
only
one,
two,
three
four:
five:
six,
seven,
eight
nine!
Well,
that's
still
10,
like
still
a
lot
of
them.
Okay,
that's
great!
That's
great
and
I
huge,
their
worst
group,
excellent
who's,
going
to
review
12,
yep
and
moving
to
the
last
question,
I'm
interested
in
actually
implementers.
B
So,
who
will
be
implementing
solutions
or
has
plans
on
implementing
solutions
based
on
what
thoughts
is
producing?
Based
on
the
use
cases
you
have
seen
so
far?
Thats
1
2,
3,
4,
12,
12,
12,
12
m,
collects
books,
looks
good,
yeah,
okay,
excellent
yeah,
I,
think
I'm
going
to
close
here
and
I'm,
sorry
that
we
had
to
cut
short
our
first
meeting
that
we
had
only
60
minutes
and
I
wish
you
a
great
evening
at
the
social
there's
one
more
thing.
Just.
A
Want
to
know
we
didn't
get
a
chance
to
talk
to
about
three
drafts.
You've
seen
Nick
strap,
which
is
draft
check.
You
open
thread,
signaling
one
there's
some
updates
there
and
then
Giroux
has
actually
posted
two
new
drafts
that
we
haven't
talked
about
at
all.
So
please
do
take
a
look
at
them
and
put
them
on
the
mailing
list
and
before
we
can
go
see
the
castle,
who
has
the
blue?
She
who.
B
Has
the
blue
sheet
and
exactly
who
has
not
signed
the
blue
sheet?
Go
there
and
overall,
so
many
people
have
not
signed
okay.
This
is
really
bad.
So
please
do
sign
the
blue
sheet,
because
this
is
really
important.
Otherwise,
next
time
you're
going
to
be
in
a
room
for
10
people
and
fifty
bit,
people
fighting
for
chairs.