| < draft-ietf-dots-multihoming-09.txt | draft-ietf-dots-multihoming-10.txt > | |||
|---|---|---|---|---|
| Network Working Group M. Boucadair | Network Working Group M. Boucadair | |||
| Internet-Draft Orange | Internet-Draft Orange | |||
| Intended status: Informational T. Reddy | Intended status: Informational T. Reddy | |||
| Expires: 5 June 2022 McAfee | Expires: 8 July 2022 McAfee | |||
| W. Pan | W. Pan | |||
| Huawei Technologies | Huawei Technologies | |||
| 2 December 2021 | 4 January 2022 | |||
| Multi-homing Deployment Considerations for Distributed-Denial-of-Service | Multi-homing Deployment Considerations for Distributed-Denial-of-Service | |||
| Open Threat Signaling (DOTS) | Open Threat Signaling (DOTS) | |||
| draft-ietf-dots-multihoming-09 | draft-ietf-dots-multihoming-10 | |||
| Abstract | Abstract | |||
| This document discusses multi-homing considerations for Distributed- | This document discusses multi-homing considerations for Distributed- | |||
| Denial-of-Service Open Threat Signaling (DOTS). The goal is to | Denial-of-Service Open Threat Signaling (DOTS). The goal is to | |||
| provide some guidance for DOTS clients/gateways when multihomed. | provide some guidance for DOTS clients and client-domain DOTS | |||
| gateways when multihomed. | ||||
| Status of This Memo | Status of This Memo | |||
| This Internet-Draft is submitted in full conformance with the | This Internet-Draft is submitted in full conformance with the | |||
| provisions of BCP 78 and BCP 79. | provisions of BCP 78 and BCP 79. | |||
| Internet-Drafts are working documents of the Internet Engineering | Internet-Drafts are working documents of the Internet Engineering | |||
| Task Force (IETF). Note that other groups may also distribute | Task Force (IETF). Note that other groups may also distribute | |||
| working documents as Internet-Drafts. The list of current Internet- | working documents as Internet-Drafts. The list of current Internet- | |||
| Drafts is at https://datatracker.ietf.org/drafts/current/. | Drafts is at https://datatracker.ietf.org/drafts/current/. | |||
| Internet-Drafts are draft documents valid for a maximum of six months | Internet-Drafts are draft documents valid for a maximum of six months | |||
| and may be updated, replaced, or obsoleted by other documents at any | and may be updated, replaced, or obsoleted by other documents at any | |||
| time. It is inappropriate to use Internet-Drafts as reference | time. It is inappropriate to use Internet-Drafts as reference | |||
| material or to cite them other than as "work in progress." | material or to cite them other than as "work in progress." | |||
| This Internet-Draft will expire on 5 June 2022. | This Internet-Draft will expire on 8 July 2022. | |||
| Copyright Notice | Copyright Notice | |||
| Copyright (c) 2021 IETF Trust and the persons identified as the | Copyright (c) 2022 IETF Trust and the persons identified as the | |||
| document authors. All rights reserved. | document authors. All rights reserved. | |||
| This document is subject to BCP 78 and the IETF Trust's Legal | This document is subject to BCP 78 and the IETF Trust's Legal | |||
| Provisions Relating to IETF Documents (https://trustee.ietf.org/ | Provisions Relating to IETF Documents (https://trustee.ietf.org/ | |||
| license-info) in effect on the date of publication of this document. | license-info) in effect on the date of publication of this document. | |||
| Please review these documents carefully, as they describe your rights | Please review these documents carefully, as they describe your rights | |||
| and restrictions with respect to this document. Code Components | and restrictions with respect to this document. Code Components | |||
| extracted from this document must include Revised BSD License text as | extracted from this document must include Revised BSD License text as | |||
| described in Section 4.e of the Trust Legal Provisions and are | described in Section 4.e of the Trust Legal Provisions and are | |||
| provided without warranty as described in the Revised BSD License. | provided without warranty as described in the Revised BSD License. | |||
| skipping to change at page 4, line 25 ¶ | skipping to change at page 4, line 25 ¶ | |||
| * Augment the description with multi-homing technicalities, e.g., | * Augment the description with multi-homing technicalities, e.g., | |||
| - One vs. multiple upstream network providers | - One vs. multiple upstream network providers | |||
| - One vs. multiple interconnect routers | - One vs. multiple interconnect routers | |||
| - Provider-Independent (PI) vs. Provider-Aggregatable (PA) IP | - Provider-Independent (PI) vs. Provider-Aggregatable (PA) IP | |||
| addresses | addresses | |||
| * Describe the recommended behavior of DOTS clients and gateways for | * Describe the recommended behavior of DOTS clients and client- | |||
| each case. | domain DOTS gateways for each case. | |||
| Multi-homed DOTS agents are assumed to make use of the protocols | Multi-homed DOTS agents are assumed to make use of the protocols | |||
| defined in [RFC9132] and [RFC8783]; no specific extension is required | defined in [RFC9132] and [RFC8783]; no specific extension is required | |||
| to the base DOTS protocols for deploying DOTS in a multi-homed | to the base DOTS protocols for deploying DOTS in a multi-homed | |||
| context. | context. | |||
| 2. Requirements Language | 2. Requirements Language | |||
| The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", | The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", | |||
| "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and | "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and | |||
| skipping to change at page 8, line 11 ¶ | skipping to change at page 8, line 11 ¶ | |||
| This scenario is a variant of Section 4.2 and Section 4.3 in which | This scenario is a variant of Section 4.2 and Section 4.3 in which | |||
| multi-homing is supported by the same ISP (i.e., same provisioning | multi-homing is supported by the same ISP (i.e., same provisioning | |||
| domain). | domain). | |||
| 5. DOTS Multi-homing Deployment Considerations | 5. DOTS Multi-homing Deployment Considerations | |||
| Table 1 provides some sample, non-exhaustive, deployment schemes to | Table 1 provides some sample, non-exhaustive, deployment schemes to | |||
| illustrate how DOTS agents may be deployed for each of the scenarios | illustrate how DOTS agents may be deployed for each of the scenarios | |||
| introduced in Section 4. | introduced in Section 4. | |||
| +============================+=======================+==============+ | +=========================+=======================+===============+ | |||
| | Scenario | DOTS client | DOTS | | | Scenario | DOTS client | Client-domain | | |||
| | | | gateway | | | | | DOTS gateway | | |||
| +============================+=======================+==============+ | +=========================+=======================+===============+ | |||
| | Residential CPE | CPE | N/A | | | Residential CPE | CPE | N/A | | |||
| +----------------------------+-----------------------+--------------+ | +-------------------------+-----------------------+---------------+ | |||
| | Single CPE, Multiple | Internal hosts or CPE | CPE | | | Single CPE, Multiple | Internal hosts or CPE | CPE | | |||
| | provisioning domains | | | | | provisioning domains | | | | |||
| +----------------------------+-----------------------+--------------+ | +-------------------------+-----------------------+---------------+ | |||
| | Multiple CPEs, Multiple | Internal hosts or all | CPEs (rtr1 | | | Multiple CPEs, Multiple | Internal hosts or all | CPEs (rtr1 | | |||
| | provisioning domains | CPEs (rtr1 and rtr2) | and rtr2) | | | provisioning domains | CPEs (rtr1 and rtr2) | and rtr2) | | |||
| +----------------------------+-----------------------+--------------+ | +-------------------------+-----------------------+---------------+ | |||
| | Multi-homed enterprise, | Internal hosts or all | CPEs (rtr1 | | | Multi-homed enterprise, | Internal hosts or all | CPEs (rtr1 | | |||
| | Single provisioning domain | CPEs (rtr1 and rtr2) | and rtr2) | | | Single provisioning | CPEs (rtr1 and rtr2) | and rtr2) | | |||
| +----------------------------+-----------------------+--------------+ | | domain | | | | |||
| +-------------------------+-----------------------+---------------+ | ||||
| Table 1: Sample Deployment Cases | Table 1: Sample Deployment Cases | |||
| These deployment schemes are further discussed in the following | These deployment schemes are further discussed in the following | |||
| subsections. | subsections. | |||
| 5.1. Residential CPE | 5.1. Residential CPE | |||
| Figure 5 depicts DOTS sessions that need to be established between a | Figure 5 depicts DOTS sessions that need to be established between a | |||
| DOTS client (C) and two DOTS servers (S1, S2) within the context of | DOTS client (C) and two DOTS servers (S1, S2) within the context of | |||
| skipping to change at page 10, line 7 ¶ | skipping to change at page 10, line 7 ¶ | |||
| \ | \ | |||
| \ +--+ | \ +--+ | |||
| ----------|S2| | ----------|S2| | |||
| +--+ | +--+ | |||
| DOTS Server Domain #2 | DOTS Server Domain #2 | |||
| Figure 5: DOTS Associations for a Multihomed Residential CPE | Figure 5: DOTS Associations for a Multihomed Residential CPE | |||
| 5.2. Multi-Homed Enterprise: Single CPE, Multiple Upstream ISPs | 5.2. Multi-Homed Enterprise: Single CPE, Multiple Upstream ISPs | |||
| Figure 6 illustrates a first set of DOTS associations that can be | Figure 6 illustrates a first set of DOTS sessions that can be | |||
| established with a DOTS gateway, which is enabled within the context | established with a client-domain DOTS gateway, which is enabled | |||
| of the scenario described in Section 4.2. This deployment is | within the context of the scenario described in Section 4.2. This | |||
| characterized as follows: | deployment is characterized as follows: | |||
| * One of more DOTS clients are enabled in hosts located in the | * One of more DOTS clients are enabled in hosts located in the | |||
| internal network. | internal network. | |||
| * A DOTS gateway is enabled to aggregate and then relay the requests | * A client-domain DOTS gateway is enabled to aggregate and then | |||
| towards upstream DOTS servers. | relay the requests towards upstream DOTS servers. | |||
| +--+ | +--+ | |||
| ----------|S1| | ----------|S1| | |||
| +---+ / +--+ | +---+ / +--+ | |||
| | C1|----+ / DOTS Server Domain #1 | | C1|----+ / DOTS Server Domain #1 | |||
| +---+ | / | +---+ | / | |||
| +---+ +-+-+/ | +---+ +-+-+/ | |||
| | C3|------| G | | | C3|------| G | | |||
| +---+ +-+-+\ | +---+ +-+-+\ | |||
| +---+ | \ | +---+ | \ | |||
| | C2|----+ \ | | C2|----+ \ | |||
| +---+ \ +--+ | +---+ \ +--+ | |||
| ----------|S2| | ----------|S2| | |||
| +--+ | +--+ | |||
| DOTS Server Domain #2 | DOTS Server Domain #2 | |||
| Figure 6: Multiple DOTS Clients, Single DOTS Gateway, Multiple | Figure 6: Multiple DOTS Clients, Single DOTS Gateway, Multiple | |||
| DOTS Servers | DOTS Servers | |||
| When PA addresses/prefixes are in use, the same considerations | When PA addresses/prefixes are in use, the same considerations | |||
| discussed in Section 5.1 need to be followed by the DOTS gateway to | discussed in Section 5.1 need to be followed by the client-domain | |||
| contact its DOTS server(s). The DOTS gateways can be reachable from | DOTS gateway to contact its DOTS server(s). The client-domain DOTS | |||
| DOTS clients by using an unicast address or an anycast address. | gateways can be reachable from DOTS clients by using an unicast | |||
| address or an anycast address (Section 3.2.4 of [RFC8811]). | ||||
| Nevertheless, when PI addresses/prefixes are assigned, the DOTS | Nevertheless, when PI addresses/prefixes are assigned and absent any | |||
| gateway MUST send mitigation requests to all its DOTS servers. | policy, the client-domain DOTS gateway MUST send mitigation requests | |||
| Otherwise, the attack traffic may still be delivered via the ISP | to all its DOTS servers. Otherwise, the attack traffic may still be | |||
| which hasn't received the mitigation request. | delivered via the ISP which hasn't received the mitigation request. | |||
| An alternate deployment model is depicted in Figure 7. This | An alternate deployment model is depicted in Figure 7. This | |||
| deployment assumes that: | deployment assumes that: | |||
| * One or more DOTS clients are enabled in hosts located in the | * One or more DOTS clients are enabled in hosts located in the | |||
| internal network. These DOTS clients may use [RFC8973] to | internal network. These DOTS clients may use [RFC8973] to | |||
| discover their DOTS server(s). | discover their DOTS server(s). | |||
| * These DOTS clients communicate directly with upstream DOTS | * These DOTS clients communicate directly with upstream DOTS | |||
| servers. | servers. | |||
| skipping to change at page 11, line 28 ¶ | skipping to change at page 11, line 28 ¶ | |||
| +--------|C2|--------+ | +--------|C2|--------+ | |||
| . +--+ . | . +--+ . | |||
| .......... | .......... | |||
| DOTS Client | DOTS Client | |||
| Domain | Domain | |||
| Figure 7: Multiple DOTS Clients, Multiple DOTS Servers | Figure 7: Multiple DOTS Clients, Multiple DOTS Servers | |||
| If PI addresses/prefixes are in use, the DOTS client MUST send a | If PI addresses/prefixes are in use, the DOTS client MUST send a | |||
| mitigation request to all the DOTS servers. The use of anycast | mitigation request to all the DOTS servers. The use of anycast | |||
| addresses to reach the DOTS servers is NOT RECOMMENDED. If anycast | addresses to reach these DOTS servers is NOT RECOMMENDED. If a well- | |||
| addresses are used to reach multiple DOTS servers, the CPE may not be | known anycast address is used to reach multiple DOTS servers, the CPE | |||
| able to select the appropriate provisioning domain to which the | may not be able to select the appropriate provisioning domain to | |||
| mitigation request should be forwarded. As a consequence, the | which the mitigation request should be forwarded. As a consequence, | |||
| request may not be forwarded to the appropriate DOTS server. | the request may not be forwarded to the appropriate DOTS server. | |||
| If PA addresses/prefixes are used, the same considerations discussed | If PA addresses/prefixes are used, the same considerations discussed | |||
| in Section 5.1 need to be followed by the DOTS clients. Because DOTS | in Section 5.1 need to be followed by the DOTS clients. Because DOTS | |||
| clients are not embedded in the CPE and multiple addreses/prefixes | clients are not embedded in the CPE and multiple addreses/prefixes | |||
| may not be assigned to the DOTS client (typically in an IPv4 | may not be assigned to the DOTS client (typically in an IPv4 | |||
| context), some issues may arise in how to steer traffic towards the | context), some issues may arise in how to steer traffic towards the | |||
| appropriate DOTS server by using the appropriate source IP address. | appropriate DOTS server by using the appropriate source IP address. | |||
| These complications discussed in [RFC4116] are not specific to DOTS. | These complications discussed in [RFC4116] are not specific to DOTS. | |||
| Another deployment approach is to enable many DOTS clients; each of | Another deployment approach is to enable many DOTS clients; each of | |||
| skipping to change at page 12, line 38 ¶ | skipping to change at page 12, line 38 ¶ | |||
| The deployments depicted in Figures 7 and 8 also apply to the | The deployments depicted in Figures 7 and 8 also apply to the | |||
| scenario described in Section 4.3. One specific problem for this | scenario described in Section 4.3. One specific problem for this | |||
| scenario is to select the appropriate exit router when contacting a | scenario is to select the appropriate exit router when contacting a | |||
| given DOTS server. | given DOTS server. | |||
| An alternative deployment scheme is shown in Figure 9: | An alternative deployment scheme is shown in Figure 9: | |||
| * DOTS clients are enabled in hosts located in the internal network. | * DOTS clients are enabled in hosts located in the internal network. | |||
| * A DOTS gateway is enabled in each CPE (rtr1, rtr2). | * A client-domain DOTS gateway is enabled in each CPE (rtr1, rtr2). | |||
| * Each of these DOTS gateways communicates with the DOTS server of | * Each of these client-domain DOTS gateways communicates with the | |||
| the provisioning domain. | DOTS server of the provisioning domain. | |||
| +---+ | +---+ | |||
| +------------| C1|----+ | +------------| C1|----+ | |||
| | +---+ | | | +---+ | | |||
| +--+ +-+-+ +---+ +-+-+ +--+ | +--+ +-+-+ +---+ +-+-+ +--+ | |||
| |S2|------|G2 |------| C3|------|G1 |------|S1| | |S2|------|G2 |------| C3|------|G1 |------|S1| | |||
| +--+ +-+-+ +---+ +-+-+ +--+ | +--+ +-+-+ +---+ +-+-+ +--+ | |||
| | +---+ | | | +---+ | | |||
| +------------| C2|----+ | +------------| C2|----+ | |||
| +---+ | +---+ | |||
| Figure 9: Multiple DOTS Clients, Multiple DOTS Gateways, Multiple | Figure 9: Multiple DOTS Clients, Multiple DOTS Gateways, Multiple | |||
| DOTS Servers | DOTS Servers | |||
| When PI addresses/prefixes are used, DOTS clients MUST contact all | When PI addresses/prefixes are used, DOTS clients MUST contact all | |||
| the DOTS gateways to send a DOTS message. DOTS gateways will then | the client-domain DOTS gateways to send a DOTS message. Client- | |||
| relay the request to the DOTS servers. Note that anycast addresses | domain DOTS gateways will then relay the request to the DOTS servers | |||
| cannot be used to establish DOTS sessions between DOTS clients and | as a function of local policy. Note that anycast addresses cannot be | |||
| DOTS gateways because only one DOTS gateway will receive the | used to establish DOTS sessions between DOTS clients and client- | |||
| domain DOTS gateways because only one DOTS gateway will receive the | ||||
| mitigation request. | mitigation request. | |||
| When PA addresses/prefixes are used, but no filter rules are provided | When PA addresses/prefixes are used, but no filter rules are provided | |||
| to DOTS clients, the latter MUST contact all DOTS gateways | to DOTS clients, the latter MUST contact all client-domain DOTS | |||
| simultaneously to send a DOTS message. Upon receipt of a request by | gateways simultaneously to send a DOTS message. Upon receipt of a | |||
| a DOTS gateway, it MUST check whether the request is to be forwarded | request by a client-domain DOTS gateway, it MUST check whether the | |||
| upstream (if the target IP prefix is managed by the upstream server) | request is to be forwarded upstream (if the target IP prefix is | |||
| or rejected. | managed by the upstream server) or rejected. | |||
| When PA addresses/prefixes are used, but specific filter rules are | When PA addresses/prefixes are used, but specific filter rules are | |||
| provided to DOTS clients using some means that are out of scope of | provided to DOTS clients using some means that are out of scope of | |||
| this document, the clients MUST select the appropriate DOTS gateway | this document, the clients MUST select the appropriate client-domain | |||
| to reach. The use of anycast addresses is NOT RECOMMENDED to reach | DOTS gateway to reach. The use of anycast addresses is NOT | |||
| DOTS gateways. | RECOMMENDED to reach client-domain DOTS gateways. | |||
| 5.4. Multi-Homed Enterprise: Single ISP | 5.4. Multi-Homed Enterprise: Single ISP | |||
| The key difference of the scenario described in Section 4.4 compared | The key difference of the scenario described in Section 4.4 compared | |||
| to the other scenarios is that multi-homing is provided by the same | to the other scenarios is that multi-homing is provided by the same | |||
| ISP. Concretely, that ISP can decide to provision the enterprise | ISP. Concretely, that ISP can decide to provision the enterprise | |||
| network with: | network with: | |||
| * The same DOTS server for all network attachments. | * The same DOTS server for all network attachments. | |||
| skipping to change at page 14, line 7 ¶ | skipping to change at page 14, line 7 ¶ | |||
| decide to select one or all network attachments to send DOTS | decide to select one or all network attachments to send DOTS | |||
| mitigation requests. | mitigation requests. | |||
| 6. Security Considerations | 6. Security Considerations | |||
| DOTS-related security considerations are discussed in Section 4 of | DOTS-related security considerations are discussed in Section 4 of | |||
| [RFC8811]. | [RFC8811]. | |||
| DOTS clients should control the information that they share with peer | DOTS clients should control the information that they share with peer | |||
| DOTS servers. In particular, if a DOTS client maintains DOTS | DOTS servers. In particular, if a DOTS client maintains DOTS | |||
| associations with specific DOTS servers per interconnection link, the | sessions with specific DOTS servers per interconnection link, the | |||
| DOTS client SHOULD NOT leak information specific to a given link to | DOTS client SHOULD NOT leak information specific to a given link to | |||
| DOTS servers on different interconnection links that are not | DOTS servers on different interconnection links that are not | |||
| authorized to mitigate attacks for that given link. Whether this | authorized to mitigate attacks for that given link. Whether this | |||
| constraint is relaxed is deployment-specific and must be subject to | constraint is relaxed is deployment-specific and must be subject to | |||
| explicit consent from the DOTS client domain administrator. How to | explicit consent from the DOTS client domain administrator. How to | |||
| seek for such consent is implementation- and deployment-specific. | seek for such consent is implementation- and deployment-specific. | |||
| 7. IANA Considerations | 7. IANA Considerations | |||
| This document does not require any action from IANA. | This document does not require any action from IANA. | |||
| 8. Acknowledgements | 8. Acknowledgements | |||
| Thanks to Roland Dobbins, Nik Teague, Jon Shallow, Dan Wing, and | Thanks to Roland Dobbins, Nik Teague, Jon Shallow, Dan Wing, and | |||
| Christian Jacquenet for sharing their comments on the mailing list. | Christian Jacquenet for sharing their comments on the mailing list. | |||
| Thanks to Kirill Kasavchenko for the comments. | Thanks to Kirill Kasavchenko for the comments. | |||
| Thanks to Kathleen Moriarty for the secdir review and Joel Jaeggli | ||||
| for the opsdir review. | ||||
| 9. References | 9. References | |||
| 9.1. Normative References | 9.1. Normative References | |||
| [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate | [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate | |||
| Requirement Levels", BCP 14, RFC 2119, | Requirement Levels", BCP 14, RFC 2119, | |||
| DOI 10.17487/RFC2119, March 1997, | DOI 10.17487/RFC2119, March 1997, | |||
| <https://www.rfc-editor.org/info/rfc2119>. | <https://www.rfc-editor.org/info/rfc2119>. | |||
| [RFC6724] Thaler, D., Ed., Draves, R., Matsumoto, A., and T. Chown, | [RFC6724] Thaler, D., Ed., Draves, R., Matsumoto, A., and T. Chown, | |||
| End of changes. 20 change blocks. | ||||
| 57 lines changed or deleted | 64 lines changed or added | |||
This html diff was produced by rfcdiff 1.48. The latest version is available from http://tools.ietf.org/tools/rfcdiff/ | ||||