| < draft-ietf-dots-multihoming-00.txt | draft-ietf-dots-multihoming-01.txt > | |||
|---|---|---|---|---|
| Network Working Group M. Boucadair | Network Working Group M. Boucadair | |||
| Internet-Draft Orange | Internet-Draft Orange | |||
| Intended status: Standards Track T. Reddy | Intended status: Standards Track T. Reddy | |||
| Expires: July 18, 2019 McAfee | Expires: July 25, 2019 McAfee | |||
| January 14, 2019 | January 21, 2019 | |||
| Multi-homing Deployment Considerations for Distributed-Denial-of-Service | Multi-homing Deployment Considerations for Distributed-Denial-of-Service | |||
| Open Threat Signaling (DOTS) | Open Threat Signaling (DOTS) | |||
| draft-ietf-dots-multihoming-00 | draft-ietf-dots-multihoming-01 | |||
| Abstract | Abstract | |||
| This document discusses multi-homing considerations for Distributed- | This document discusses multi-homing considerations for Distributed- | |||
| Denial-of-Service Open Threat Signaling (DOTS). The goal is to | Denial-of-Service Open Threat Signaling (DOTS). The goal is to | |||
| provide a set of guidance for DOTS clients/gateways when multihomed. | provide some guidance for DOTS clients/gateways when multihomed. | |||
| Status of This Memo | Status of This Memo | |||
| This Internet-Draft is submitted in full conformance with the | This Internet-Draft is submitted in full conformance with the | |||
| provisions of BCP 78 and BCP 79. | provisions of BCP 78 and BCP 79. | |||
| Internet-Drafts are working documents of the Internet Engineering | Internet-Drafts are working documents of the Internet Engineering | |||
| Task Force (IETF). Note that other groups may also distribute | Task Force (IETF). Note that other groups may also distribute | |||
| working documents as Internet-Drafts. The list of current Internet- | working documents as Internet-Drafts. The list of current Internet- | |||
| Drafts is at https://datatracker.ietf.org/drafts/current/. | Drafts is at https://datatracker.ietf.org/drafts/current/. | |||
| Internet-Drafts are draft documents valid for a maximum of six months | Internet-Drafts are draft documents valid for a maximum of six months | |||
| and may be updated, replaced, or obsoleted by other documents at any | and may be updated, replaced, or obsoleted by other documents at any | |||
| time. It is inappropriate to use Internet-Drafts as reference | time. It is inappropriate to use Internet-Drafts as reference | |||
| material or to cite them other than as "work in progress." | material or to cite them other than as "work in progress." | |||
| This Internet-Draft will expire on July 18, 2019. | This Internet-Draft will expire on July 25, 2019. | |||
| Copyright Notice | Copyright Notice | |||
| Copyright (c) 2019 IETF Trust and the persons identified as the | Copyright (c) 2019 IETF Trust and the persons identified as the | |||
| document authors. All rights reserved. | document authors. All rights reserved. | |||
| This document is subject to BCP 78 and the IETF Trust's Legal | This document is subject to BCP 78 and the IETF Trust's Legal | |||
| Provisions Relating to IETF Documents | Provisions Relating to IETF Documents | |||
| (https://trustee.ietf.org/license-info) in effect on the date of | (https://trustee.ietf.org/license-info) in effect on the date of | |||
| publication of this document. Please review these documents | publication of this document. Please review these documents | |||
| skipping to change at page 2, line 12 ¶ | skipping to change at page 2, line 12 ¶ | |||
| the Trust Legal Provisions and are provided without warranty as | the Trust Legal Provisions and are provided without warranty as | |||
| described in the Simplified BSD License. | described in the Simplified BSD License. | |||
| Table of Contents | Table of Contents | |||
| 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2 | 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2 | |||
| 2. Requirements Language . . . . . . . . . . . . . . . . . . . . 4 | 2. Requirements Language . . . . . . . . . . . . . . . . . . . . 4 | |||
| 3. Terminology . . . . . . . . . . . . . . . . . . . . . . . . . 4 | 3. Terminology . . . . . . . . . . . . . . . . . . . . . . . . . 4 | |||
| 4. Multi-Homing Scenarios . . . . . . . . . . . . . . . . . . . 4 | 4. Multi-Homing Scenarios . . . . . . . . . . . . . . . . . . . 4 | |||
| 4.1. Residential Single CPE . . . . . . . . . . . . . . . . . 5 | 4.1. Residential Single CPE . . . . . . . . . . . . . . . . . 5 | |||
| 4.2. Multi-homed Enterprise: Single CPE, Multiple Upstream | 4.2. Multi-Homed Enterprise: Single CPE, Multiple Upstream | |||
| ISPs . . . . . . . . . . . . . . . . . . . . . . . . . . 5 | ISPs . . . . . . . . . . . . . . . . . . . . . . . . . . 5 | |||
| 4.3. Multi-homed Enterprise: Multiple CPEs, Multiple Upstream | 4.3. Multi-homed Enterprise: Multiple CPEs, Multiple Upstream | |||
| ISPs . . . . . . . . . . . . . . . . . . . . . . . . . . 6 | ISPs . . . . . . . . . . . . . . . . . . . . . . . . . . 6 | |||
| 4.4. Multi-homed Enterprise with the Same ISP . . . . . . . . 7 | 4.4. Multi-homed Enterprise with the Same ISP . . . . . . . . 7 | |||
| 5. DOTS Deployment Considerations . . . . . . . . . . . . . . . 7 | 5. DOTS Deployment Considerations . . . . . . . . . . . . . . . 7 | |||
| 5.1. Residential CPE . . . . . . . . . . . . . . . . . . . . . 7 | 5.1. Residential CPE . . . . . . . . . . . . . . . . . . . . . 7 | |||
| 5.2. Multi-homed Enterprise: Single CPE, Multiple Upstream | 5.2. Multi-Homed Enterprise: Single CPE, Multiple Upstream | |||
| ISPs . . . . . . . . . . . . . . . . . . . . . . . . . . 8 | ISPs . . . . . . . . . . . . . . . . . . . . . . . . . . 9 | |||
| 5.3. Multi-homed Enterprise: Multiple CPEs, Multiple Upstream | 5.3. Multi-Homed Enterprise: Multiple CPEs, Multiple Upstream | |||
| ISPs . . . . . . . . . . . . . . . . . . . . . . . . . . 10 | ISPs . . . . . . . . . . . . . . . . . . . . . . . . . . 11 | |||
| 5.4. Multi-homed Enterprise: Single ISP . . . . . . . . . . . 11 | 5.4. Multi-Homed Enterprise: Single ISP . . . . . . . . . . . 12 | |||
| 6. Security Considerations . . . . . . . . . . . . . . . . . . . 12 | 6. Security Considerations . . . . . . . . . . . . . . . . . . . 12 | |||
| 7. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 12 | 7. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 12 | |||
| 8. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 12 | 8. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 12 | |||
| 9. References . . . . . . . . . . . . . . . . . . . . . . . . . 12 | 9. References . . . . . . . . . . . . . . . . . . . . . . . . . 13 | |||
| 9.1. Normative References . . . . . . . . . . . . . . . . . . 12 | 9.1. Normative References . . . . . . . . . . . . . . . . . . 13 | |||
| 9.2. Informative References . . . . . . . . . . . . . . . . . 13 | 9.2. Informative References . . . . . . . . . . . . . . . . . 13 | |||
| Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 14 | Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 14 | |||
| 1. Introduction | 1. Introduction | |||
| In many deployments, it may not be possible for a network to | In many deployments, it may not be possible for a network to | |||
| determine the cause for a distributed Denial-of-Service (DoS) attack | determine the cause of a distributed Denial-of-Service (DoS) attack | |||
| [RFC4732], but instead just realize that some resources seem to be | [RFC4732]. Rather, the network may just realize that some resources | |||
| under attack. To fill that gap, the IETF is specifying an | seem to be under attack. To improve such situation, the IETF is | |||
| architecture, called DDoS Open Threat Signaling (DOTS) | specifying the DDoS Open Threat Signaling (DOTS) | |||
| [I-D.ietf-dots-architecture], in which a DOTS client can inform a | [I-D.ietf-dots-architecture]architecture, where a DOTS client can | |||
| DOTS server that the network is under a potential attack and that | inform a DOTS server that the network is under a potential attack and | |||
| appropriate mitigation actions are required. Indeed, because the | that appropriate mitigation actions are required. Indeed, because | |||
| lack of a common method to coordinate a real-time response among | the lack of a common method to coordinate a real-time response among | |||
| involved actors and network domains inhibits the effectiveness of | involved actors and network domains jeopardizes the efficiency of | |||
| DDoS attack mitigation, DOTS protocol is meant to carry requests for | DDoS attack mitigation actions, the DOTS protocol is meant to carry | |||
| DDoS attack mitigation, thereby reducing the impact of an attack and | requests for DDoS attack mitigation, thereby reducing the impact of | |||
| leading to more efficient defensive actions. | an attack and leading to more efficient responsive actions. | |||
| [I-D.ietf-dots-use-cases] identifies a set of scenarios for DOTS; | [I-D.ietf-dots-use-cases] identifies a set of scenarios for DOTS; | |||
| almost all these scenarios involve a CPE. | most of these scenarios involve a Customer Premises Equipment (CPE). | |||
| The basic high-level DOTS architecture is illustrated in Figure 1 | The high-level DOTS architecture is illustrated in Figure 1 | |||
| ([I-D.ietf-dots-architecture]): | ([I-D.ietf-dots-architecture]): | |||
| +-----------+ +-------------+ | +-----------+ +-------------+ | |||
| | Mitigator | ~~~~~~~~~~ | DOTS Server | | | Mitigator | ~~~~~~~~~~ | DOTS Server | | |||
| +-----------+ +-------------+ | +-----------+ +-------------+ | |||
| | | | | |||
| | | | | |||
| | | | | |||
| +---------------+ +-------------+ | +---------------+ +-------------+ | |||
| | Attack Target | ~~~~~~ | DOTS Client | | | Attack Target | ~~~~~~ | DOTS Client | | |||
| +---------------+ +-------------+ | +---------------+ +-------------+ | |||
| Figure 1: Basic DOTS Architecture | Figure 1: Basic DOTS Architecture | |||
| [I-D.ietf-dots-architecture] specifies that the DOTS client may be | [I-D.ietf-dots-architecture] specifies that the DOTS client may be | |||
| provided with a list of DOTS servers; each associated with one or | provided with a list of DOTS servers; each of these servers is | |||
| more IP addresses. These addresses may or may not be of the same | associated with one or more IP addresses. These addresses may or may | |||
| address family. The DOTS client establishes one or more DOTS | not be of the same address family. The DOTS client establishes one | |||
| sessions by connecting to the provided DOTS server(s) addresses. | or more DOTS sessions by connecting to the provided DOTS server(s) | |||
| addresses. | ||||
| DOTS may be deployed within networks that are connected to one single | DOTS may be deployed within networks that are connected to one single | |||
| upstream provider. It can also be enabled within networks that are | upstream provider. It can also be enabled within networks that are | |||
| multi-homed. The reader may refer to [RFC3582] for an overview of | multi-homed. The reader may refer to [RFC3582] for an overview of | |||
| multi-homing goals and motivations. This document discusses DOTS | multi-homing goals and motivations. This document discusses DOTS | |||
| multi-homing considerations. Specifically, the document aims to: | multi-homing considerations. Specifically, the document aims to: | |||
| 1. Complete the base DOTS architecture with multi-homing specifics. | 1. Complete the base DOTS architecture with multi-homing specifics. | |||
| Those specifics need to be taking into account because: | Those specifics need to be taken into account because: | |||
| * Send a DOTS mitigation request to an arbitrary DOTS server | * Send a DOTS mitigation request to an arbitrary DOTS server | |||
| won't help mitigating a DDoS attack. | won't help mitigating a DDoS attack. | |||
| * Blindly forking all DOTS mitigation requests among all | * Blindly forking all DOTS mitigation requests among all | |||
| available DOTS servers is suboptimal. | available DOTS servers is suboptimal. | |||
| * Sequentially contacting DOTS servers may increase the delay | * Sequentially contacting DOTS servers may increase the delay | |||
| before a mitigation plan is enforced. | before a mitigation plan is enforced. | |||
| 2. Identify DOTS deployment schemes in a multi-homing context, where | 2. Identify DOTS deployment schemes in a multi-homing context, where | |||
| DOTS service can be offered by all or a subset of upstream | DOTS services can be offered by all or a subset of upstream | |||
| providers. | providers. | |||
| 3. Sketch guidelines and recommendations for placing DOTS requests | 3. Sketch guidelines and recommendations for placing DOTS requests | |||
| in multi-homed networks, e.g.,: | in multi-homed networks, e.g.,: | |||
| * Select the appropriate DOTS server(s). | * Select the appropriate DOTS server(s). | |||
| * Identify cases where anycast is not recommended. | * Identify cases where anycast is not recommended. | |||
| This document adopts the following methodology: | This document adopts the following methodology: | |||
| skipping to change at page 4, line 23 ¶ | skipping to change at page 4, line 25 ¶ | |||
| * Provider-Independent (PI) vs. Provider-Aggregatable (PA) IP | * Provider-Independent (PI) vs. Provider-Aggregatable (PA) IP | |||
| addresses | addresses | |||
| o Describe the recommended behavior of DOTS clients and gateways for | o Describe the recommended behavior of DOTS clients and gateways for | |||
| each case. | each case. | |||
| Multi-homed DOTS agents are assumed to make use of the protocols | Multi-homed DOTS agents are assumed to make use of the protocols | |||
| defined in [I-D.ietf-dots-signal-channel] and | defined in [I-D.ietf-dots-signal-channel] and | |||
| [I-D.ietf-dots-data-channel]; no specific extension is required to | [I-D.ietf-dots-data-channel]; no specific extension is required to | |||
| the base DOTS protocols for deploying DOTS in a multihomed context. | the base DOTS protocols for deploying DOTS in a multi-homed context. | |||
| 2. Requirements Language | 2. Requirements Language | |||
| The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", | The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", | |||
| "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and | "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and | |||
| "OPTIONAL" in this document are to be interpreted as described in BCP | "OPTIONAL" in this document are to be interpreted as described in BCP | |||
| 14 [RFC2119][RFC8174] when, and only when, they appear in all | 14 [RFC2119][RFC8174] when, and only when, they appear in all | |||
| capitals, as shown here. | capitals, as shown here. | |||
| 3. Terminology | 3. Terminology | |||
| This document makes use of the terms defined in | This document makes use of the terms defined in | |||
| [I-D.ietf-dots-architecture] and [RFC4116]. | [I-D.ietf-dots-architecture] and [RFC4116]. | |||
| IP refers to both IPv4 and IPv6. | IP indifferently refers to IPv4 or IPv6. | |||
| 4. Multi-Homing Scenarios | 4. Multi-Homing Scenarios | |||
| This section briefly describes some multi-homing scenarios that are | This section describes some multi-homing scenarios that are relevant | |||
| relevant to DOTS. In the following sub-sections, only the | to DOTS. In the following sub-sections, only the connections of | |||
| connections of border routers are shown; internal network topologies | border routers are shown; internal network topologies are not | |||
| are not elaborated hereafter. | elaborated. | |||
| This section distinguishes between residential CPEs vs. enterprise | This section distinguishes between residential CPEs vs. enterprise | |||
| CPEs because PI addresses may be used for enterprises while this is | CPEs because PI addresses may be used for enterprises while this is | |||
| not the current practice for residential CPEs. | not the current practice for residential CPEs. | |||
| 4.1. Residential Single CPE | 4.1. Residential Single CPE | |||
| The scenario shown in Figure 2 is characterized as follows: | The scenario shown in Figure 2 is characterized as follows: | |||
| o The home network is connected to the Internet using one single CPE | o The home network is connected to the Internet using one single CPE | |||
| skipping to change at page 5, line 21 ¶ | skipping to change at page 5, line 21 ¶ | |||
| o The CPE is connected to multiple provisioning domains (i.e., both | o The CPE is connected to multiple provisioning domains (i.e., both | |||
| fixed and mobile networks). Provisioning domain (PvD) is | fixed and mobile networks). Provisioning domain (PvD) is | |||
| explained in [RFC7556]. | explained in [RFC7556]. | |||
| o Each of these provisioning domains assigns IP addresses/prefixes | o Each of these provisioning domains assigns IP addresses/prefixes | |||
| to the CPE and provides additional configuration information such | to the CPE and provides additional configuration information such | |||
| as a list of DNS servers, DNS suffixes associated with the | as a list of DNS servers, DNS suffixes associated with the | |||
| network, default gateway address, and DOTS server's name | network, default gateway address, and DOTS server's name | |||
| [I-D.boucadair-dots-server-discovery]. These addresses/prefixes | [I-D.boucadair-dots-server-discovery]. These addresses/prefixes | |||
| are said to be Provider-Aggregatable (PA). | are assumed to be Provider-Aggregatable (PA). | |||
| o Because of ingress filtering, packets forwarded by the CPE to a | o Because of ingress filtering, packets forwarded by the CPE towards | |||
| given provisioning domain must be send with a source IP address | a given provisioning domain must be sent with a source IP address | |||
| that was assigned by that network [RFC8043]. | that was assigned by that domain [RFC8043]. | |||
| +-------+ +-------+ | +-------+ +-------+ | |||
| |Fixed | |Mobile | | |Fixed | |Mobile | | |||
| |Network| |Network| | |Network| |Network| | |||
| +---+---+ +---+---+ | +---+---+ +---+---+ | |||
| | | Service Providers | | | Service Providers | |||
| ............|....................|....................... | ............|....................|....................... | |||
| +---------++---------+ Home Network | +---------++---------+ Home Network | |||
| || | || | |||
| +--++-+ | +--++-+ | |||
| | CPE | | | CPE | | |||
| +-----+ | +-----+ | |||
| ... (Internal Network) | ... (Internal Network) | |||
| Figure 2: Typical Multi-homed Residential CPE | Figure 2: Typical Multi-homed Residential CPE | |||
| 4.2. Multi-homed Enterprise: Single CPE, Multiple Upstream ISPs | 4.2. Multi-Homed Enterprise: Single CPE, Multiple Upstream ISPs | |||
| The scenario shown in Figure 3 is characterized as follows: | The scenario shown in Figure 3 is characterized as follows: | |||
| o The enterprise network is connected to the Internet using one | o The enterprise network is connected to the Internet using one | |||
| single router. | single router. | |||
| o That router is connected to multiple provisioning domains (i.e., | o That router is connected to multiple provisioning domains (i.e., | |||
| managed by distinct administrative entities). | managed by distinct administrative entities). | |||
| Unlike the previous scenario, two sub-cases can be considered for an | Unlike the previous scenario, two sub-cases can be considered for an | |||
| enterprise network with regards to assigned addresses: | enterprise network with regards to assigned addresses: | |||
| 1. PI addresses/prefixes: The enterprise is the owner of the IP | 1. PI addresses/prefixes: The enterprise is the owner of the IP | |||
| addresses/prefixes; the same address/prefix is then used for | addresses/prefixes; the same address/prefix is then used when | |||
| communication placed using any of the provisioning domains. | establishing communications over any of the provisioning domains. | |||
| 2. PA addresses/prefixes: each of provisioning domains assigns IP | 2. PA addresses/prefixes: each of the provisioning domains assigns | |||
| addresses/prefixes to the enterprise network. | IP addresses/prefixes to the enterprise network. | |||
| +------+ +------+ | +------+ +------+ | |||
| | ISP1 | | ISP2 | | | ISP1 | | ISP2 | | |||
| +---+--+ +--+---+ | +---+--+ +--+---+ | |||
| | | Service Providers | | | Service Providers | |||
| ............|....................|....................... | ............|....................|....................... | |||
| +---------++---------+ Enterprise Network | +---------++---------+ Enterprise Network | |||
| || | || | |||
| +--++-+ | +--++-+ | |||
| | rtr | | | rtr | | |||
| +-----+ | +-----+ | |||
| ... (Internal Network) | ... (Internal Network) | |||
| Figure 3: Multi-homed Enterprise Network (Single CPE connected to | Figure 3: Multi-homed Enterprise Network (Single CPE connected to | |||
| Multiple Networks) | Multiple Networks) | |||
| 4.3. Multi-homed Enterprise: Multiple CPEs, Multiple Upstream ISPs | 4.3. Multi-homed Enterprise: Multiple CPEs, Multiple Upstream ISPs | |||
| This scenario is similar to the one in Section 4.2; the main | This scenario is similar to the one described in Section 4.2; the | |||
| difference is that dedicated routers are used to connect to each | main difference is that dedicated routers are used to connect to each | |||
| provisioning domain. | provisioning domain. | |||
| +------+ +------+ | +------+ +------+ | |||
| | ISP1 | | ISP2 | | | ISP1 | | ISP2 | | |||
| +---+--+ +--+---+ | +---+--+ +--+---+ | |||
| | | Service Providers | | | Service Providers | |||
| ......................|..........|....................... | ......................|..........|....................... | |||
| | | Enterprise Network | | | Enterprise Network | |||
| +---+--+ +--+---+ | +---+--+ +--+---+ | |||
| | rtr1 | | rtr2 | | | rtr1 | | rtr2 | | |||
| +------+ +------+ | +------+ +------+ | |||
| ... (Internal Network) | ... (Internal Network) | |||
| Figure 4: Multi-homed Enterprise Network (Multiple CPEs, Multiple | Figure 4: Multi-homed Enterprise Network (Multiple CPEs, Multiple | |||
| ISPs) | ISPs) | |||
| 4.4. Multi-homed Enterprise with the Same ISP | 4.4. Multi-homed Enterprise with the Same ISP | |||
| This scenario is a variant of Section 4.2 and Section 4.3 in which | This scenario is a variant of Section 4.2 and Section 4.3 in which | |||
| multi-homing is provided by the same ISP (i.e., same provisioning | multi-homing is supported by the same ISP (i.e., same provisioning | |||
| domain). | domain). | |||
| Editor's Note: The use of anycast addresses is to be consistently | ||||
| discussed. | ||||
| 5. DOTS Deployment Considerations | 5. DOTS Deployment Considerations | |||
| Table 1 provides some sample (non-exhaustive) deployment schemes to | Table 1 provides some sample, non-exhaustive, deployment schemes to | |||
| illustrate how DOTS agents may be deployed for each of the scenarios | illustrate how DOTS agents may be deployed for each of the scenarios | |||
| introduced in Section 4. | introduced in Section 4. | |||
| +---------------------------+-------------------------+-------------+ | +---------------------------+-------------------------+-------------+ | |||
| | Scenario | DOTS client | DOTS | | | Scenario | DOTS client | DOTS | | |||
| | | | gateway | | | | | gateway | | |||
| +---------------------------+-------------------------+-------------+ | +---------------------------+-------------------------+-------------+ | |||
| | Residential CPE | CPE | N/A | | | Residential CPE | CPE | N/A | | |||
| +---------------------------+-------------------------+-------------+ | +---------------------------+-------------------------+-------------+ | |||
| | Single CPE, Multiple | internal hosts or CPE | CPE | | | Single CPE, Multiple | internal hosts or CPE | CPE | | |||
| skipping to change at page 7, line 41 ¶ | skipping to change at page 7, line 44 ¶ | |||
| | domain | | | | | domain | | | | |||
| +---------------------------+-------------------------+-------------+ | +---------------------------+-------------------------+-------------+ | |||
| Table 1: Sample Deployment Cases | Table 1: Sample Deployment Cases | |||
| These deployment schemes are further discussed in the following sub- | These deployment schemes are further discussed in the following sub- | |||
| sections. | sections. | |||
| 5.1. Residential CPE | 5.1. Residential CPE | |||
| Figure 5 depicts DOTS sessions that are required to be established | Figure 5 depicts DOTS sessions that need to be established between a | |||
| between a DOTS client (C) and DOTS servers (S1, S2) in the context of | DOTS client (C) and two DOTS servers (S1, S2) within the context of | |||
| the scenario described in Section 4.1. | the scenario described in Section 4.1. | |||
| For each provisioning domain, the DOTS client MUST resolve the DOTS | For each provisioning domain, the DOTS client MUST resolve the DOTS | |||
| server's name provided by a provisioning domain | server's name provided by a provisioning domain | |||
| ([I-D.boucadair-dots-server-discovery]) using the DNS servers learned | ([I-D.boucadair-dots-server-discovery]) using the DNS servers learned | |||
| from the same provisioning domain. The DOTS client MUST use the | from the respective provisioning domain. The DOTS client MUST use | |||
| source address selection algorithm defined in [RFC6724] to select the | the source address selection algorithm defined in [RFC6724] to select | |||
| candidate source addresses to contact each of these DOTS servers. | the candidate source addresses to contact each of these DOTS servers. | |||
| DOTS sessions must be established and maintained with each of the | DOTS sessions must be established and maintained with each of the | |||
| DOTS servers because the mitigation scope of these servers is | DOTS servers because the mitigation scope of these servers is | |||
| restricted. The DOTS client SHOULD use the certificate provisioned | restricted. The DOTS client SHOULD use the certificate provisioned | |||
| by a provisioning domain to authenticate itself to the DOTS server | by a provisioning domain to authenticate itself to the DOTS server | |||
| provided by the same provisioning domain. When conveying a | provided by the same provisioning domain. | |||
| mitigation request to protect the attack target(s), the DOTS client | ||||
| among the DOTS servers available MUST select a DOTS server whose | When conveying a mitigation request to protect the attack target(s), | |||
| network has assigned the prefixes from which target prefixes and | the DOTS client among the DOTS servers available MUST select a DOTS | |||
| target IP addresses are derived. This implies that if no appropriate | server whose network has assigned the prefixes from which target | |||
| DOTS server is found, the DOTS client must not send the mitigation | prefixes and target IP addresses are derived. This implies that if | |||
| request to any DOTS server. For example, mitigation request to | no appropriate DOTS server is found, the DOTS client must not send | |||
| protect target resources bound to a PA IP address/prefix cannot be | the mitigation request to any DOTS server. | |||
| honored by an provisioning domain other than the one that owns those | ||||
| addresses/prefixes. Consequently, Typically, if a CPE detects a DDoS | For example, a mitigation request to protect target resources bound | |||
| attack on all its network attachments, it must contact both DOTS | to a PA IP address/prefix cannot be satisfied by a provisioning | |||
| servers for mitigation. Nevertheless, if the DDoS attack is received | domain another domain than the one that owns those addresses/ | |||
| from one single network, then only the DOTS server of that network | prefixes. Consequently, if a CPE detects a DDoS attack that spreads | |||
| must be contacted. | over all its network attachments, it must contact both DOTS servers | |||
| for mitigation purposes. Nevertheless, if the DDoS attack is | ||||
| received from one single network, then only the DOTS server of that | ||||
| network must be contacted. | ||||
| The DOTS client MUST be able to associate a DOTS server with each | The DOTS client MUST be able to associate a DOTS server with each | |||
| provisioning domain. For example, if the DOTS client is provisioned | provisioning domain. For example, if the DOTS client is provisioned | |||
| with S1 using DHCP when attaching to a first network and with S2 | with S1 using DHCP when attaching to a first network and with S2 | |||
| using Protocol Configuration Option (PCO) when attaching to a second | using Protocol Configuration Option (PCO) when attaching to a second | |||
| network, the DOTS client must record the interface from which a DOTS | network, the DOTS client must record the interface from which a DOTS | |||
| server was provisioned. DOTS signaling session to a given DOTS | server was provisioned. DOTS signaling session to a given DOTS | |||
| server must be established using the interface from which the DOTS | server must be established using the interface from which the DOTS | |||
| server was provisioned. | server was provisioned. | |||
| skipping to change at page 8, line 46 ¶ | skipping to change at page 9, line 5 ¶ | |||
| | C | | | C | | |||
| +---+\ | +---+\ | |||
| \ | \ | |||
| \ | \ | |||
| \ +--+ | \ +--+ | |||
| -----------|S2| | -----------|S2| | |||
| +--+ | +--+ | |||
| Figure 5: DOTS associations for a multihomed residential CPE | Figure 5: DOTS associations for a multihomed residential CPE | |||
| 5.2. Multi-homed Enterprise: Single CPE, Multiple Upstream ISPs | 5.2. Multi-Homed Enterprise: Single CPE, Multiple Upstream ISPs | |||
| Figure 6 illustrates a first set of DOTS associations that can be | Figure 6 illustrates a first set of DOTS associations that can be | |||
| established with a DOTS gateway is enabled in the context of the | established with a DOTS gateway, which is enabled within the context | |||
| scenario described in Section 4.2. This deployment is characterized | of the scenario described in Section 4.2. This deployment is | |||
| as follows: | characterized as follows: | |||
| o One of more DOTS clients are enabled in hosts located in the | o One of more DOTS clients are enabled in hosts located in the | |||
| internal network. | internal network. | |||
| o A DOTS gateway is enabled to aggregate/relay the requests to | o A DOTS gateway is enabled to aggregate and then relay the requests | |||
| upstream DOTS servers. | towards upstream DOTS servers. | |||
| When PA addresses/prefixes are in use, the same considerations | When PA addresses/prefixes are in use, the same considerations | |||
| discussed in Section 5.1 are to be followed by the DOTS gateway to | discussed in Section 5.1 need to be followed by the DOTS gateway to | |||
| contact its DOTS server(s). The DOTS gateways can be reachable from | contact its DOTS server(s). The DOTS gateways can be reachable from | |||
| DOTS client using a unicast or anycast address. | DOTS clients by using an unicast address or an anycast address. | |||
| Nevertheless, when PI addresses/prefixes are assigned, the DOTS | Nevertheless, when PI addresses/prefixes are assigned, the DOTS | |||
| gateway MUST sent the same request to all its DOTS servers. | gateway MUST send the same request to all its DOTS servers. | |||
| +--+ | +--+ | |||
| -----------|S1| | -----------|S1| | |||
| +---+ / +--+ | +---+ / +--+ | |||
| | C1|----+ / | | C1|----+ / | |||
| +---+ | / | +---+ | / | |||
| +---+ +-+-+/ | +---+ +-+-+/ | |||
| | C3|------| G | | | C3|------| G | | |||
| +---+ +-+-+\ | +---+ +-+-+\ | |||
| +---+ | \ | +---+ | \ | |||
| skipping to change at page 9, line 39 ¶ | skipping to change at page 9, line 46 ¶ | |||
| +---+ \ +--+ | +---+ \ +--+ | |||
| -----------|S2| | -----------|S2| | |||
| +--+ | +--+ | |||
| Figure 6: Multiple DOTS Clients, Single DOTS Gateway, Multiple DOTS | Figure 6: Multiple DOTS Clients, Single DOTS Gateway, Multiple DOTS | |||
| Servers | Servers | |||
| An alternate deployment model is depicted in Figure 7. This | An alternate deployment model is depicted in Figure 7. This | |||
| deployment assumes that: | deployment assumes that: | |||
| o One of more DOTS clients are enabled in hosts located in the | o One or more DOTS clients are enabled in hosts located in the | |||
| internal network. These DOTS client may use | internal network. These DOTS clients may use | |||
| [I-D.boucadair-dots-server-discovery] to discover its DOTS | [I-D.boucadair-dots-server-discovery] to discover their DOTS | |||
| server(s). | server(s). | |||
| o These DOTS clients communicate directly with upstream DOTS | o These DOTS clients communicate directly with upstream DOTS | |||
| servers. | servers. | |||
| If PI addresses/prefixes are in use, the DOTS client can send the | If PI addresses/prefixes are in use, the DOTS client MUST send the | |||
| mitigation request for all its PI addresses/prefixes to any one of | mitigation request for all its PI addresses/prefixes to all the DOTS | |||
| the DOTS servers. The use of anycast addresses is NOT RECOMMENDED. | servers. The use of anycast addresses is NOT RECOMMENDED. | |||
| If PA addresses/prefxies are used, the same considerations discussed | If PA addresses/prefixes are used, the same considerations discussed | |||
| in Section 5.1 are to be followed by the DOTS clients. Because DOTS | in Section 5.1 need to be followed by the DOTS clients. Because DOTS | |||
| clients are not located on the CPE and multiple addreses/prefixes may | clients are not embedded in the CPE and multiple addreses/prefixes | |||
| not be assigned to the DOTS client (IPv4 context, typically), some | may not be assigned to the DOTS client (typically in an IPv4 | |||
| complications arise to steer the traffic to the appropriate DOTS | context), some issues arise to steer traffic towards the appropriate | |||
| server using the appropriate source IP address. These complications | DOTS server by using the appropriate source IP address. These | |||
| discussed in [RFC4116] are not specific to DOTS . | complications discussed in [RFC4116] are not specific to DOTS. | |||
| +--+ | +--+ | |||
| +--------|C1|--------+ | +--------|C1|--------+ | |||
| | +--+ | | | +--+ | | |||
| +--+ +--+ +--+ | +--+ +--+ +--+ | |||
| |S2|------|C3|------|S1| | |S2|------|C3|------|S1| | |||
| +--+ +--+ +--+ | +--+ +--+ +--+ | |||
| | +--+ | | | +--+ | | |||
| +--------|C2|--------+ | +--------|C2|--------+ | |||
| +--+ | +--+ | |||
| Figure 7: Multiple DOTS Clients, Multiple DOTS Servers | Figure 7: Multiple DOTS Clients, Multiple DOTS Servers | |||
| Another deployment approach is to enable many DOTS clients; each of | Another deployment approach is to enable many DOTS clients; each of | |||
| them responsible to handle communication with a specific DOTS server | them is responsible for handling communications with a specific DOTS | |||
| (see Figure 8). Each DOTS client is provided with policies (e.g., | server (see Figure 8). | |||
| prefix filter) that will trigger DOTS communications with the DOTS | ||||
| servers. The CPE MUST select the appropriate source IP address when | ||||
| forwarding DOTS messages received from an internal DOTS client. If | ||||
| anycast addresses are used to reach DOTS servers, the CPE may not be | ||||
| able to select the appropriate provisioning domain to which the | ||||
| mitigation request should be forwarded. As a consequence, the | ||||
| request may not be forwarded to the appropriate DOTS server. | ||||
| +--+ | +--+ | |||
| +--------|C1| | +--------|C1| | |||
| | +--+ | | +--+ | |||
| +--+ +--+ +--+ | +--+ +--+ +--+ | |||
| |S2| |C2|------|S1| | |S2| |C2|------|S1| | |||
| +--+ +--+ +--+ | +--+ +--+ +--+ | |||
| Figure 8: Single Homed DOTS Clients | Figure 8: Single Homed DOTS Clients | |||
| 5.3. Multi-homed Enterprise: Multiple CPEs, Multiple Upstream ISPs | Each DOTS client is provided with policies (e.g., prefix filter) that | |||
| will trigger DOTS communications with the DOTS servers. Such | ||||
| policies will help the DOTS client to select the appropriate | ||||
| destination IP address. | ||||
| The deployments depicted in Figure 7 and Figure 8 apply also for the | The CPE MUST select the appropriate source IP address when forwarding | |||
| DOTS messages received from an internal DOTS client. If anycast | ||||
| addresses are used to reach DOTS servers, the CPE may not be able to | ||||
| select the appropriate provisioning domain to which the mitigation | ||||
| request should be forwarded. As a consequence, the request may not | ||||
| be forwarded to the appropriate DOTS server. | ||||
| 5.3. Multi-Homed Enterprise: Multiple CPEs, Multiple Upstream ISPs | ||||
| The deployments depicted in Figures 7 and 8 also apply to the | ||||
| scenario described in Section 4.3. One specific problem for this | scenario described in Section 4.3. One specific problem for this | |||
| scenario is to select the appropriate exit router when contacting a | scenario is to select the appropriate exit router when contacting a | |||
| given DOTS server. | given DOTS server. | |||
| An alternative deployment scheme is shown in Figure 9: | An alternative deployment scheme is shown in Figure 9: | |||
| o DOTS clients are enabled in hosts located in the internal network. | o DOTS clients are enabled in hosts located in the internal network. | |||
| o A DOTS gateway is enabled in each CPE (rtr1, rtr2). | o A DOTS gateway is enabled in each CPE (rtr1, rtr2). | |||
| o Each of these DOTS gateways communicate with the DOTS server of | o Each of these DOTS gateways communicates with the DOTS server of | |||
| the provisioning domain. | the provisioning domain. | |||
| When PI addresses/prefixes are used, DOTS clients can contact any of | When PI addresses/prefixes are used, DOTS clients MUST contact all | |||
| the DOTS gateways to send a DOTS message. DOTS gateway will then | the DOTS gateways to send a DOTS message. DOTS gateways will then | |||
| relay the request to the DOTS server. Note that the use of anycast | relay the request to the DOTS server. Note that the use of anycast | |||
| addresses is NOT RECOMMENDED to establish DOTS sessions between DOTS | addresses is NOT RECOMMENDED to establish DOTS sessions between DOTS | |||
| client and DOTS gateways. | clients and DOTS gateways. | |||
| When PA addresses/prefixes are used, but no filter rules are provided | When PA addresses/prefixes are used, but no filter rules are provided | |||
| to DOTS clients, these MUST contact all DOTS gateways simultaneously | to DOTS clients, the latter MUST contact all DOTS gateways | |||
| to send a DOTS message. Upon receipt of a request by a DOTS gateway, | simultaneously to send a DOTS message. Upon receipt of a request by | |||
| it MUST check whether the request is to be forwarded upstream or be | a DOTS gateway, it MUST check whether the request is to be forwarded | |||
| rejected. | upstream (if the target IP prefix is managed by the upstream server) | |||
| or rejected. | ||||
| When PA addresses/prefixes are used, but specific filter rules are | When PA addresses/prefixes are used, but specific filter rules are | |||
| provided to DOTS clients using some means that are out of scope, | provided to DOTS clients using some means that are out of scope of | |||
| these later MUST select the appropriate DOTS gateway to be contacted. | this document, the clients MUST select the appropriate DOTS gateway | |||
| The use of anycast is NOT RECOMMENDED to reach DOTS gateways. | to reach. The use of anycast addresses is NOT RECOMMENDED to reach | |||
| DOTS gateways. | ||||
| +---+ | +---+ | |||
| +------------| C1|----+ | +------------| C1|----+ | |||
| | +---+ | | | +---+ | | |||
| +--+ +-+-+ +---+ +-+-+ +--+ | +--+ +-+-+ +---+ +-+-+ +--+ | |||
| |S2|------|G2 |------| C3|------|G1 |------|S1| | |S2|------|G2 |------| C3|------|G1 |------|S1| | |||
| +--+ +-+-+ +---+ +-+-+ +--+ | +--+ +-+-+ +---+ +-+-+ +--+ | |||
| | +---+ | | | +---+ | | |||
| +------------| C2|----+ | +------------| C2|----+ | |||
| +---+ | +---+ | |||
| Figure 9: Multiple DOTS Clients, Multiple DOTS Gateways, Multiple | Figure 9: Multiple DOTS Clients, Multiple DOTS Gateways, Multiple | |||
| DOTS Servers | DOTS Servers | |||
| 5.4. Multi-homed Enterprise: Single ISP | 5.4. Multi-Homed Enterprise: Single ISP | |||
| The key difference of the scenario described in Section 4.4 compared | The key difference of the scenario described in Section 4.4 compared | |||
| to the other scenarios is that multi-homing is provided by the same | to the other scenarios is that multi-homing is provided by the same | |||
| ISP. Concretely, that ISP can decided to provision the enterprise | ISP. Concretely, that ISP can decide to provision the enterprise | |||
| network with: | network with: | |||
| 1. The same DOTS server for all network attachments. | 1. The same DOTS server for all network attachments. | |||
| 2. Distinct DOTS servers for each network attachment. These DOTS | 2. Distinct DOTS servers for each network attachment. These DOTS | |||
| servers needs to coordinate when a mitigation action is received | servers need to coordinate when a mitigation action is received | |||
| from the enterprise network. | from the enterprise network. | |||
| In both cases, DOTS agents enabled within the enterprise network may | In both cases, DOTS agents enabled within the enterprise network MAY | |||
| decide to select one or all network attachments to place DOTS | decide to select one or all network attachments to send DOTS | |||
| mitigation requests. | mitigation requests. | |||
| 6. Security Considerations | 6. Security Considerations | |||
| DOTS-related security considerations are discussed in Section 4 of | DOTS-related security considerations are discussed in Section 4 of | |||
| [I-D.ietf-dots-architecture]. | [I-D.ietf-dots-architecture]. | |||
| TBD: In Home networks, if EST is used then how will the DOTS gateway | TBD: In Home networks, if EST is used then how will the DOTS gateway | |||
| (EST client) be provisioned with credentials for initial enrolment | (EST client) be provisioned with credentials for initial enrolment | |||
| (see Section 2.2 in RFC 7030). | (see Section 2.2 in RFC 7030). | |||
| 7. IANA Considerations | 7. IANA Considerations | |||
| This document does not require any action from IANA. | This document does not require any action from IANA. | |||
| 8. Acknowledgements | 8. Acknowledgements | |||
| Thanks to Roland Dobbins, Nik Teague, Jon Shallow, Dan Wing, and Wei | Thanks to Roland Dobbins, Nik Teague, Jon Shallow, Dan Wing, Wei Pan, | |||
| Pan for sharing their comments on the mailing list. | and Christian Jacquenet for sharing their comments on the mailing | |||
| list. | ||||
| Thanks to Kirill Kasavchenko for the comments. | Thanks to Kirill Kasavchenko for the comments. | |||
| 9. References | 9. References | |||
| 9.1. Normative References | 9.1. Normative References | |||
| [I-D.ietf-dots-architecture] | [I-D.ietf-dots-architecture] | |||
| Mortensen, A., Andreasen, F., K, R., Teague, N., Compton, | Mortensen, A., Andreasen, F., K, R., Teague, N., Compton, | |||
| R., and c. christopher_gray3@cable.comcast.com, | R., and c. christopher_gray3@cable.comcast.com, | |||
| End of changes. 50 change blocks. | ||||
| 122 lines changed or deleted | 137 lines changed or added | |||
This html diff was produced by rfcdiff 1.48. The latest version is available from http://tools.ietf.org/tools/rfcdiff/ | ||||