< draft-ietf-dots-signal-channel-11.txt   draft-ietf-dots-signal-channel-12.txt >
DOTS T. Reddy DOTS T. Reddy
Internet-Draft McAfee Internet-Draft McAfee
Intended status: Standards Track M. Boucadair Intended status: Standards Track M. Boucadair
Expires: June 8, 2018 Orange Expires: June 9, 2018 Orange
P. Patil P. Patil
Cisco Cisco
A. Mortensen A. Mortensen
Arbor Networks, Inc. Arbor Networks, Inc.
N. Teague N. Teague
Verisign, Inc. Verisign, Inc.
December 5, 2017 December 6, 2017
Distributed Denial-of-Service Open Threat Signaling (DOTS) Signal Distributed Denial-of-Service Open Threat Signaling (DOTS) Signal
Channel Channel
draft-ietf-dots-signal-channel-11 draft-ietf-dots-signal-channel-12
Abstract Abstract
This document specifies the DOTS signal channel, a protocol for This document specifies the DOTS signal channel, a protocol for
signaling the need for protection against Distributed Denial-of- signaling the need for protection against Distributed Denial-of-
Service (DDoS) attacks to a server capable of enabling network Service (DDoS) attacks to a server capable of enabling network
traffic mitigation on behalf of the requesting client. traffic mitigation on behalf of the requesting client.
A companion document defines the DOTS data channel, a separate A companion document defines the DOTS data channel, a separate
reliable communication layer for DOTS management and configuration. reliable communication layer for DOTS management and configuration.
skipping to change at page 2, line 20 skipping to change at page 2, line 20
Internet-Drafts are working documents of the Internet Engineering Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet- working documents as Internet-Drafts. The list of current Internet-
Drafts is at https://datatracker.ietf.org/drafts/current/. Drafts is at https://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress." material or to cite them other than as "work in progress."
This Internet-Draft will expire on June 8, 2018. This Internet-Draft will expire on June 9, 2018.
Copyright Notice Copyright Notice
Copyright (c) 2017 IETF Trust and the persons identified as the Copyright (c) 2017 IETF Trust and the persons identified as the
document authors. All rights reserved. document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents Provisions Relating to IETF Documents
(https://trustee.ietf.org/license-info) in effect on the date of (https://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents publication of this document. Please review these documents
skipping to change at page 3, line 27 skipping to change at page 3, line 27
Clients . . . . . . . . . . . . . . . . . . . . . . . . . . . 58 Clients . . . . . . . . . . . . . . . . . . . . . . . . . . . 58
9. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 59 9. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 59
9.1. DOTS Signal Channel UDP and TCP Port Number . . . . . . . 59 9.1. DOTS Signal Channel UDP and TCP Port Number . . . . . . . 59
9.2. Well-Known 'dots' URI . . . . . . . . . . . . . . . . . . 59 9.2. Well-Known 'dots' URI . . . . . . . . . . . . . . . . . . 59
9.3. CoAP Response Code . . . . . . . . . . . . . . . . . . . 59 9.3. CoAP Response Code . . . . . . . . . . . . . . . . . . . 59
9.4. DOTS Signal Channel CBOR Mappings Registry . . . . . . . 60 9.4. DOTS Signal Channel CBOR Mappings Registry . . . . . . . 60
9.4.1. Registration Template . . . . . . . . . . . . . . . . 60 9.4.1. Registration Template . . . . . . . . . . . . . . . . 60
9.4.2. Initial Registry Contents . . . . . . . . . . . . . . 60 9.4.2. Initial Registry Contents . . . . . . . . . . . . . . 60
9.5. DOTS Signal Channel YANG Module . . . . . . . . . . . . . 66 9.5. DOTS Signal Channel YANG Module . . . . . . . . . . . . . 66
10. Implementation Status . . . . . . . . . . . . . . . . . . . . 66 10. Implementation Status . . . . . . . . . . . . . . . . . . . . 66
10.1. nttdots . . . . . . . . . . . . . . . . . . . . . . . . 66 10.1. nttdots . . . . . . . . . . . . . . . . . . . . . . . . 67
11. Security Considerations . . . . . . . . . . . . . . . . . . . 67 11. Security Considerations . . . . . . . . . . . . . . . . . . . 67
12. Contributors . . . . . . . . . . . . . . . . . . . . . . . . 68 12. Contributors . . . . . . . . . . . . . . . . . . . . . . . . 68
13. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 68 13. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 68
14. References . . . . . . . . . . . . . . . . . . . . . . . . . 68 14. References . . . . . . . . . . . . . . . . . . . . . . . . . 68
14.1. Normative References . . . . . . . . . . . . . . . . . . 68 14.1. Normative References . . . . . . . . . . . . . . . . . . 68
14.2. Informative References . . . . . . . . . . . . . . . . . 70 14.2. Informative References . . . . . . . . . . . . . . . . . 70
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 74 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 74
1. Introduction 1. Introduction
skipping to change at page 17, line 22 skipping to change at page 17, line 22
client identity allows the DOTS server to accept mitigation requests client identity allows the DOTS server to accept mitigation requests
with scopes which the DOTS client is authorized to manage. The DOTS with scopes which the DOTS client is authorized to manage. The DOTS
server couples the DOTS signal and data channel sessions using the server couples the DOTS signal and data channel sessions using the
DOTS client identity and the 'client-identifier' parameter value, so DOTS client identity and the 'client-identifier' parameter value, so
the DOTS server can validate whether the aliases conveyed in the the DOTS server can validate whether the aliases conveyed in the
mitigation request were indeed created by the same DOTS client using mitigation request were indeed created by the same DOTS client using
the DOTS data channel session. If the aliases were not created by the DOTS data channel session. If the aliases were not created by
the DOTS client, the DOTS server returns 4.00 (Bad Request) in the the DOTS client, the DOTS server returns 4.00 (Bad Request) in the
response. response.
The DOTS server uses 'mitigation-id' parameter value to detect The DOTS server couples the DOTS signal channel sessions using the
DOTS client identity and the 'client-identifier' parameter value, and
the DOTS server uses 'mitigation-id' parameter value to detect
duplicate mitigation requests. If the mitigation request contains duplicate mitigation requests. If the mitigation request contains
both alias-name and other parameters identifying the target resources both alias-name and other parameters identifying the target resources
(such as, 'target-ip', 'target-prefix', 'target-port-range', 'target- (such as, 'target-ip', 'target-prefix', 'target-port-range', 'target-
fqdn', or 'target-uri'), then the DOTS server appends the parameter fqdn', or 'target-uri'), then the DOTS server appends the parameter
values in 'alias-name' with the corresponding parameter values in values in 'alias-name' with the corresponding parameter values in
'target-ip', 'target-prefix', 'target-port-range', 'target-fqdn', or 'target-ip', 'target-prefix', 'target-port-range', 'target-fqdn', or
'target-uri'. 'target-uri'.
The DOTS server indicates the result of processing the PUT request The DOTS server indicates the result of processing the PUT request
using CoAP response codes. CoAP 2.xx codes are success. CoAP 4.xx using CoAP response codes. CoAP 2.xx codes are success. CoAP 4.xx
skipping to change at page 22, line 38 skipping to change at page 22, line 38
1: Overlapping targets. 'conflict-scope' provides more details 1: Overlapping targets. 'conflict-scope' provides more details
about the conflicting target clauses. about the conflicting target clauses.
2: Conflicts with an existing white list. This code is 2: Conflicts with an existing white list. This code is
returned when the DDoS mitigation detects source addresses/ returned when the DDoS mitigation detects source addresses/
prefixes in the white-listed ACLs are attacking the target. prefixes in the white-listed ACLs are attacking the target.
conflict-scope Indicates the conflict scope. It may include a conflict-scope Indicates the conflict scope. It may include a
list of IP addresses, a list of prefixes, a list of port list of IP addresses, a list of prefixes, a list of port
numbers, a list of target protocols, a list of FQDNs, a list of numbers, a list of target protocols, a list of FQDNs, a list of
URIs, or a list of alias-names. URIs, a list of alias-names, or references to conflicting ACLs.
retry-timer Indicates, in seconds, the time upon which the DOTS retry-timer Indicates, in seconds, the time upon which the DOTS
client may re-issue the same request. The DOTS server returns client may re-issue the same request. The DOTS server returns
'retry-timer' only to DOTS client(s) for which a mitigation 'retry-timer' only to DOTS client(s) for which a mitigation
request is deactivated. Any retransmission of the same request is deactivated. Any retransmission of the same
mitigation request before the expiry of this timer is likely to mitigation request before the expiry of this timer is likely to
be rejected by the DOTS server for the same reasons. be rejected by the DOTS server for the same reasons.
The retry-timer SHOULD be equal to the lifetime of the active The retry-timer SHOULD be equal to the lifetime of the active
mitigation request resulting in the deactivation of the mitigation request resulting in the deactivation of the
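Review bot: the new wording for conflict-scope ("or references to conflicting ACLs") does not say which conflict-cause it goes with. Since conflict-cause 2 is the white-list conflict, and the YANG module later in this diff gates acl-list on conflict-cause = '2' and the target lists on conflict-cause = '1', suggest stating that here: for conflict-cause 1 the conflict-scope carries the overlapping target clauses, for conflict-cause 2 it carries the name and type of the conflicting ACLs. That also tells an implementer which members of conflict-scope to expect in each case.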
skipping to change at page 33, line 8 skipping to change at page 33, line 8
Uri-Path: "config" Uri-Path: "config"
Figure 15: GET to retrieve configuration Figure 15: GET to retrieve configuration
The DOTS server in the 2.05 (Content) response conveys the current, The DOTS server in the 2.05 (Content) response conveys the current,
minimum and maximum attribute values acceptable by the DOTS server. minimum and maximum attribute values acceptable by the DOTS server.
Content-Format: "application/cbor" Content-Format: "application/cbor"
{ {
"heartbeat-interval": { "heartbeat-interval": {
"CurrentValue": integer, "current-value": integer,
"MinValue": integer, "min-value": integer,
"MaxValue" : integer, "max-value" : integer,
}, },
"missing-hb-allowed": { "missing-hb-allowed": {
"CurrentValue": integer, "current-value": integer,
"MinValue": integer, "min-value": integer,
"MaxValue" : integer, "max-value" : integer,
}, },
"max-retransmit": { "max-retransmit": {
"CurrentValue": integer, "current-value": integer,
"MinValue": integer, "min-value": integer,
"MaxValue" : integer, "max-value" : integer,
}, },
"ack-timeout": { "ack-timeout": {
"CurrentValue": integer, "current-value": integer,
"MinValue": integer, "min-value": integer,
"MaxValue" : integer, "max-value" : integer,
}, },
"ack-random-factor": { "ack-random-factor": {
"CurrentValue": number, "current-value": number,
"MinValue": number, "min-value": number,
"MaxValue" : number, "max-value" : number,
}, },
"trigger-mitigation": { "trigger-mitigation": {
"CurrentValue": boolean, "current-value": boolean,
} }
} }
Figure 16: GET response body Figure 16: GET response body
Figure 17 shows an example of acceptable and current configuration Figure 17 shows an example of acceptable and current configuration
parameters on the DOTS server for DOTS signal channel session parameters on the DOTS server for DOTS signal channel session
configuration. configuration.
Content-Format: "application/cbor" Content-Format: "application/cbor"
{ {
"heartbeat-interval": { "heartbeat-interval": {
"CurrentValue": 30, "current-value": 30,
"MinValue": 15, "min-value": 15,
"MaxValue" : 240, "max-value" : 240,
}, },
"missing-hb-allowed": { "missing-hb-allowed": {
"CurrentValue": 5, "current-value": 5,
"MinValue": 3, "min-value": 3,
"MaxValue" : 9, "max-value" : 9,
}, },
"max-retransmit": { "max-retransmit": {
"CurrentValue": 3, "current-value": 3,
"MinValue": 2, "min-value": 2,
"MaxValue" : 15, "max-value" : 15,
}, },
"ack-timeout": { "ack-timeout": {
"CurrentValue": 2, "current-value": 2,
"MinValue": 1, "min-value": 1,
"MaxValue" : 30, "max-value" : 30,
}, },
"ack-random-factor": { "ack-random-factor": {
"CurrentValue": 1.5, "current-value": 1.5,
"MinValue": 1.1, "min-value": 1.1,
"MaxValue" : 4.0, "max-value" : 4.0,
}, },
"trigger-mitigation": { "trigger-mitigation": {
"CurrentValue": true, "current-value": true,
} }
} }
Figure 17: Configuration response body Figure 17: Configuration response body
4.5.2. Convey DOTS Signal Channel Session Configuration 4.5.2. Convey DOTS Signal Channel Session Configuration
A PUT request is used to convey the configuration parameters for the A PUT request is used to convey the configuration parameters for the
signal channel (e.g., heartbeat interval, maximum retransmissions). signal channel (e.g., heartbeat interval, maximum retransmissions).
Message transmission parameters for CoAP are defined in Section 4.8 Message transmission parameters for CoAP are defined in Section 4.8
of [RFC7252]. The RECOMMENDED values of transmission parameter of [RFC7252]. The RECOMMENDED values of transmission parameter
values are ack_timeout (2 seconds), max-retransmit (3), ack-random- values are ack-timeout (2 seconds), max-retransmit (3), ack-random-
factor (1.5). In addition to those parameters, the RECOMMENDED factor (1.5). In addition to those parameters, the RECOMMENDED
specific DOTS transmission parameter values are heartbeat-interval specific DOTS transmission parameter values are heartbeat-interval
(30 seconds) and missing-hb-allowed (5). (30 seconds) and missing-hb-allowed (5).
Note: heartbeat-interval should be tweaked to also assist DOTS Note: heartbeat-interval should be tweaked to also assist DOTS
messages for NAT traversal (SIG-010 of messages for NAT traversal (SIG-010 of
[I-D.ietf-dots-requirements]). According to [RFC8085], keepalive [I-D.ietf-dots-requirements]). According to [RFC8085], keepalive
messages must not be sent more frequently than once every 15 messages must not be sent more frequently than once every 15
seconds and should use longer intervals when possible. seconds and should use longer intervals when possible.
Furthermore, [RFC4787] recommends NATs to use a state timeout of 2 Furthermore, [RFC4787] recommends NATs to use a state timeout of 2
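Review bot: the renamed members in Figures 16 and 17 keep a trailing comma before each closing brace (e.g. "max-value" : 240, followed by }, and "current-value": true, followed by }), which is not valid JSON and will be rejected by JSON-based tooling used to produce the CBOR bodies; suggest removing the comma after the last member of each map. The spacing before the colon is also inconsistent ("min-value": versus "max-value" :). Minor: 'trigger-mitigation' carries only 'current-value', which is presumably intentional for a boolean, but one sentence saying so would stop readers from expecting 'min-value' and 'max-value' for every attribute.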
skipping to change at page 35, line 23 skipping to change at page 35, line 23
anticipate the expiry of NAT state. anticipate the expiry of NAT state.
A heartbeat-interval of 30 second may be seen as too chatty in A heartbeat-interval of 30 second may be seen as too chatty in
some deployments. For such deployments, DOTS agents may negotiate some deployments. For such deployments, DOTS agents may negotiate
longer heartbeat-interval values to avoid overloading the network longer heartbeat-interval values to avoid overloading the network
with too frequent keepalives. with too frequent keepalives.
When a confirmable "CoAP Ping" is sent, and if there is no response, When a confirmable "CoAP Ping" is sent, and if there is no response,
the "CoAP Ping" is retransmitted max-retransmit number of times by the "CoAP Ping" is retransmitted max-retransmit number of times by
the CoAP layer using an initial timeout set to a random duration the CoAP layer using an initial timeout set to a random duration
between ack_timeout and (ack-timeout*ack-random-factor) and between ack-timeout and (ack-timeout*ack-random-factor) and
exponential back-off between retransmissions. By choosing the exponential back-off between retransmissions. By choosing the
recommended transmission parameters, the "CoAP Ping" will timeout recommended transmission parameters, the "CoAP Ping" will timeout
after 45 seconds. If the DOTS agent does not receive any response after 45 seconds. If the DOTS agent does not receive any response
from the peer DOTS agent for missing-hb-allowed number of consecutive from the peer DOTS agent for missing-hb-allowed number of consecutive
"CoAP Ping" confirmable messages, it concludes that the DOTS signal "CoAP Ping" confirmable messages, it concludes that the DOTS signal
channel session is disconnected. A DOTS client MUST NOT transmit a channel session is disconnected. A DOTS client MUST NOT transmit a
"CoAP Ping" while waiting for the previous "CoAP Ping" response from "CoAP Ping" while waiting for the previous "CoAP Ping" response from
the same DOTS server. the same DOTS server.
If the DOTS agent wishes to change the default values of message If the DOTS agent wishes to change the default values of message
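Review bot: the 45-second figure for the "CoAP Ping" timeout is the MAX_TRANSMIT_WAIT of RFC 7252 Section 4.8.2, ack-timeout * (2^(max-retransmit+1) - 1) * ack-random-factor = 2 * 15 * 1.5 = 45 s, and it is the worst case because the initial timeout is drawn at random from [ack-timeout, ack-timeout * ack-random-factor]. Suggest "will time out after at most 45 seconds" and citing the formula, so the statement stays correct when the negotiated parameters differ from the recommended ones. Also "timeout" as a verb should be "time out", and "A heartbeat-interval of 30 second" in the paragraph above should be "30 seconds".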
skipping to change at page 38, line 44 skipping to change at page 38, line 44
o If the DOTS server does not find the 'session-id' parameter value o If the DOTS server does not find the 'session-id' parameter value
conveyed in the PUT request in its configuration data and if the conveyed in the PUT request in its configuration data and if the
DOTS server has accepted the configuration parameters, then a DOTS server has accepted the configuration parameters, then a
response code 2.01 (Created) is returned in the response. response code 2.01 (Created) is returned in the response.
o If the request is missing one or more mandatory attributes or it o If the request is missing one or more mandatory attributes or it
contains one or more invalid or unknown parameters, then 4.00 (Bad contains one or more invalid or unknown parameters, then 4.00 (Bad
Request) is returned in the response. Request) is returned in the response.
o Response code 4.22 (Unprocessable Entity) is returned in the o Response code 4.22 (Unprocessable Entity) is returned in the
response, if any of the heartbeat-interval, missing-hb-allowed, response, if any of the 'heartbeat-interval', 'missing-hb-
max-retransmit, target-protocol, ack-timeout, and ack-random- allowed', 'max-retransmit', 'target-protocol', 'ack-timeout', and
factor attribute values are not acceptable to the DOTS server. 'ack-random-factor' attribute values are not acceptable to the
Upon receipt of the 4.22 error response code, the DOTS client DOTS server. Upon receipt of the 4.22 error response code, the
should request the maximum and minimum attribute values acceptable DOTS client should request the maximum and minimum attribute
to the DOTS server (Section 4.5.1). The DOTS client may re-try values acceptable to the DOTS server (Section 4.5.1).
and send the PUT request with updated attribute values acceptable
to the DOTS server. The DOTS client may re-try and send the PUT request with updated
attribute values acceptable to the DOTS server.
4.5.3. Delete DOTS Signal Channel Session Configuration 4.5.3. Delete DOTS Signal Channel Session Configuration
A DELETE request is used to delete the installed DOTS signal channel A DELETE request is used to delete the installed DOTS signal channel
session configuration data (Figure 20). session configuration data (Figure 20).
Header: DELETE (Code=0.04) Header: DELETE (Code=0.04)
Uri-Host: "host" Uri-Host: "host"
Uri-Path: ".well-known" Uri-Path: ".well-known"
Uri-Path: "dots" Uri-Path: "dots"
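Review bot: 'target-protocol' in the 4.22 (Unprocessable Entity) bullet is a mitigation-scope attribute, not a session configuration attribute; the (configuration) branch of the tree in Section 5.1 carries only session-id, heartbeat-interval, missing-hb-allowed, max-retransmit, ack-timeout, ack-random-factor and trigger-mitigation. Suggest removing it from the list (or, if a rejected 'trigger-mitigation' value should also yield 4.22, listing that instead). Splitting "The DOTS client may re-try and send the PUT request ..." into its own paragraph also detaches it from the 4.22 item it belongs to; consider keeping it indented under that bullet.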
skipping to change at page 43, line 5 skipping to change at page 43, line 5
This document defines a YANG [RFC7950] module for mitigation scope This document defines a YANG [RFC7950] module for mitigation scope
and DOTS signal channel session configuration data. and DOTS signal channel session configuration data.
5.1. Tree Structure 5.1. Tree Structure
This document defines the YANG module "ietf-dots-signal" This document defines the YANG module "ietf-dots-signal"
(Section 5.2), which has the following tree structure. A DOTS signal (Section 5.2), which has the following tree structure. A DOTS signal
message can either be a mitigation or a configuration message. message can either be a mitigation or a configuration message.
module: ietf-dots-signal module: ietf-dots-signal
+--rw dots-signal +--rw dots-signal
+--rw (message-type)? +--rw (message-type)?
+--:(mitigation-scope) +--:(mitigation-scope)
| +--rw client-identifier* binary | +--rw client-identifier* binary
| +--rw scope* [mitigation-id] | +--rw scope* [mitigation-id]
| +--rw mitigation-id int32 | +--rw mitigation-id int32
| +--rw target-ip* inet:ip-address | +--rw target-ip* inet:ip-address
| +--rw target-prefix* inet:ip-prefix | +--rw target-prefix* inet:ip-prefix
| +--rw target-port-range* [lower-port upper-port] | +--rw target-port-range* [lower-port upper-port]
| | +--rw lower-port inet:port-number | | +--rw lower-port inet:port-number
| | +--rw upper-port inet:port-number | | +--rw upper-port inet:port-number
| +--rw target-protocol* uint8 | +--rw target-protocol* uint8
| +--rw target-fqdn* inet:domain-name | +--rw target-fqdn* inet:domain-name
| +--rw target-uri* inet:uri | +--rw target-uri* inet:uri
| +--rw alias-name* string | +--rw alias-name* string
| +--rw lifetime? int32 | +--rw lifetime? int32
| +--rw mitigation-start? int64 | +--rw mitigation-start? int64
| +--ro status? enumeration | +--ro status? enumeration
| +--ro conflict-information | +--ro conflict-information
| | +--ro conflict-status? enumeration | | +--ro conflict-status? enumeration
| | +--ro conflict-cause? enumeration | | +--ro conflict-cause? enumeration
| | +--ro retry-timer? int32 | | +--ro retry-timer? int32
| | +--ro conflict-scope | | +--ro conflict-scope
| | +--ro target-ip* inet:ip-address | | +--ro target-ip* inet:ip-address
| | +--ro target-prefix* inet:ip-prefix | | +--ro target-prefix* inet:ip-prefix
| | +--ro target-port-range* [lower-port upper-port] | | +--ro target-port-range* [lower-port upper-port]
| | | +--ro lower-port inet:port-number | | | +--ro lower-port inet:port-number
| | | +--ro upper-port inet:port-number | | | +--ro upper-port inet:port-number
| | +--ro target-protocol* uint8 | | +--ro target-protocol* uint8
| | +--ro target-fqdn* inet:domain-name | | +--ro target-fqdn* inet:domain-name
| | +--ro target-uri* inet:uri | | +--ro target-uri* inet:uri
| | +--ro alias-name* string | | +--ro alias-name* string
| +--ro pkts-dropped? yang:zero-based-counter64 | | +--ro acl-list* [name type]
| +--ro bps-dropped? yang:zero-based-counter64 | | +--ro name -> /ietf-acl:access-lists/acl/acl-name
| +--ro bytes-dropped? yang:zero-based-counter64 | | +--ro type -> /ietf-acl:access-lists/acl/acl-type
| +--ro pps-dropped? yang:zero-based-counter64 | +--ro pkts-dropped? yang:zero-based-counter64
+--:(configuration) | +--ro bps-dropped? yang:zero-based-counter64
+--rw session-id int32 | +--ro bytes-dropped? yang:zero-based-counter64
+--rw heartbeat-interval? int16 | +--ro pps-dropped? yang:zero-based-counter64
+--rw missing-hb-allowed? int16 +--:(configuration)
+--rw max-retransmit? int16 +--rw session-id int32
+--rw ack-timeout? int16 +--rw heartbeat-interval? int16
+--rw ack-random-factor? decimal64 +--rw missing-hb-allowed? int16
+--rw trigger-mitigation? boolean +--rw max-retransmit? int16
+--rw ack-timeout? int16
+--rw ack-random-factor? decimal64
+--rw trigger-mitigation? boolean
5.2. YANG Module 5.2. YANG Module
<CODE BEGINS> file "ietf-dots-signal@2017-12-05.yang" <CODE BEGINS> file "ietf-dots-signal@2017-12-07.yang"
module ietf-dots-signal { module ietf-dots-signal {
yang-version 1.1; yang-version 1.1;
namespace "urn:ietf:params:xml:ns:yang:ietf-dots-signal"; namespace "urn:ietf:params:xml:ns:yang:ietf-dots-signal";
prefix "signal"; prefix "signal";
import ietf-inet-types {prefix "inet";} import ietf-inet-types {prefix "inet";}
import ietf-yang-types {prefix yang; } import ietf-yang-types {prefix yang;}
import ietf-access-control-list {prefix "ietf-acl";}
organization "IETF DOTS Working Group"; organization "IETF DOTS Working Group";
contact contact
"Konda, Tirumaleswar Reddy <TirumaleswarReddy_Konda@McAfee.com> "Konda, Tirumaleswar Reddy <TirumaleswarReddy_Konda@McAfee.com>
Mohamed Boucadair <mohamed.boucadair@orange.com> Mohamed Boucadair <mohamed.boucadair@orange.com>
Prashanth Patil <praspati@cisco.com> Prashanth Patil <praspati@cisco.com>
Andrew Mortensen <amortensen@arbor.net> Andrew Mortensen <amortensen@arbor.net>
Nik Teague <nteague@verisign.com>"; Nik Teague <nteague@verisign.com>";
description description
"This module contains YANG definition for the signaling "This module contains YANG definition for the signaling
messages exchanegd between the DOTS client to the DOTS server. messages exchanged between the DOTS client to the DOTS server.
Copyright (c) 2017 IETF Trust and the persons identified as Copyright (c) 2017 IETF Trust and the persons identified as
authors of the code. All rights reserved. authors of the code. All rights reserved.
Redistribution and use in source and binary forms, with or Redistribution and use in source and binary forms, with or
without modification, is permitted pursuant to, and subject without modification, is permitted pursuant to, and subject
to the license terms contained in, the Simplified BSD License to the license terms contained in, the Simplified BSD License
set forth in Section 4.c of the IETF Trust's Legal Provisions set forth in Section 4.c of the IETF Trust's Legal Provisions
Relating to IETF Documents Relating to IETF Documents
(http://trustee.ietf.org/license-info). (http://trustee.ietf.org/license-info).
This version of this YANG module is part of RFC XXXX; see This version of this YANG module is part of RFC XXXX; see
the RFC itself for full legal notices."; the RFC itself for full legal notices.";
revision 2017-12-05 { revision 2017-12-07 {
description description
"Initial revision."; "Initial revision.";
reference reference
"RFC XXXX: Distributed Denial-of-Service Open Threat "RFC XXXX: Distributed Denial-of-Service Open Threat
Signaling (DOTS) Signal Channel"; Signaling (DOTS) Signal Channel";
} }
grouping target { grouping target {
description description
"Specifies the scope of the mitigation request."; "Specifies the scope of the mitigation request.";
skipping to change at page 50, line 11 skipping to change at page 50, line 12
units "seconds"; units "seconds";
description description
"The DOTS client must not re-send the "The DOTS client must not re-send the
same request before the expiry of this timer. same request before the expiry of this timer.
It must be included in responses, only."; It must be included in responses, only.";
} }
container conflict-scope { container conflict-scope {
description description
"Provides more information about the conflict scope."; "Provides more information about the conflict scope.";
uses target;
uses target {
when "../conflict-cause = '1'";
}
list acl-list {
when "../../conflict-cause = '2'";
key "name type";
description
"List of conflicting ACLs";
leaf name {
type leafref {
path "/ietf-acl:access-lists/ietf-acl:acl" +
"/ietf-acl:acl-name";
}
description
"Reference to the conflicting ACL name bound to
a DOTS client.";
}
leaf type {
type leafref {
path "/ietf-acl:access-lists/ietf-acl:acl" +
"/ietf-acl:acl-type";
}
description
"Reference to the conflicting ACL type bound to
a DOTS client.";
}
}
} }
} }
leaf pkts-dropped { leaf pkts-dropped {
type yang:zero-based-counter64; type yang:zero-based-counter64;
config false; config false;
description description
"Number of dropped packets"; "Number of dropped packets";
} }
leaf bps-dropped { leaf bps-dropped {
type yang:zero-based-counter64; type yang:zero-based-counter64;
config false; config false;
description description
"The average dropped bytes per second for "The average dropped bytes per second for
the mitigation request since the attack the mitigation request since the attack
mitigation is triggered."; mitigation is triggered.";
} }
leaf bytes-dropped { leaf bytes-dropped {
type yang:zero-based-counter64; type yang:zero-based-counter64;
units 'bytes'; units 'bytes';
config false; config false;
description description
"Counter for dropped pacckets; in bytes."; "Counter for dropped packets; in bytes.";
} }
leaf pps-dropped { leaf pps-dropped {
type yang:zero-based-counter64; type yang:zero-based-counter64;
config false; config false;
description description
"The average dropped packets per second "The average dropped packets per second
for the mitigation request since the attack for the mitigation request since the attack
mitigation is triggered."; mitigation is triggered.";
} }
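Review bot: the two when expressions compare the enumeration leaf conflict-cause with the string literals '1' and '2'. In YANG XPath the value of an enumeration leaf is its enum name, not its numeric value (RFC 7950 Section 6.4.1), so "../conflict-cause = '1'" and "../../conflict-cause = '2'" only hold if the enums in conflict-cause are literally named "1" and "2"; if they have descriptive names, compare against those names instead. Two smaller points: the name and type leafrefs default to require-instance true, so the server must only report ACLs that still exist in its datastore (or set require-instance false), and acl-list should carry a reference to the document defining /ietf-acl:access-lists.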
skipping to change at page 54, line 26 skipping to change at page 54, line 26
| target-fqdn | 9 | 4 | | target-fqdn | 9 | 4 |
| target-uri | 10 | 4 | | target-uri | 10 | 4 |
| alias-name | 11 | 4 | | alias-name | 11 | 4 |
| lifetime | 12 | 0 | | lifetime | 12 | 0 |
| attack-status | 13 | 0 | | attack-status | 13 | 0 |
| signal-config | 14 | 5 | | signal-config | 14 | 5 |
| heartbeat-interval | 15 | 0 | | heartbeat-interval | 15 | 0 |
| max-retransmit | 16 | 0 | | max-retransmit | 16 | 0 |
| ack-timeout | 17 | 0 | | ack-timeout | 17 | 0 |
| ack-random-factor | 18 | 7 | | ack-random-factor | 18 | 7 |
| MinValue | 19 | 0 | | min-value | 19 | 0 |
| MaxValue | 20 | 0 | | max-value | 20 | 0 |
| status | 21 | 0 | | status | 21 | 0 |
| conflict-information | 22 | 5 (map) | | conflict-information | 22 | 5 (map) |
| conflict-status | 23 | 0 | | conflict-status | 23 | 0 |
| conflict-cause | 24 | 0 | | conflict-cause | 24 | 0 |
| retry-timer | 25 | 0 | | retry-timer | 25 | 0 |
| bytes-dropped | 26 | 0 | | bytes-dropped | 26 | 0 |
| bps-dropped | 27 | 0 | | bps-dropped | 27 | 0 |
| pkts-dropped | 28 | 0 | | pkts-dropped | 28 | 0 |
| pps-dropped | 29 | 0 | | pps-dropped | 29 | 0 |
| session-id | 30 | 0 | | session-id | 30 | 0 |
| trigger-mitigation | 31 | 7 (simple types) | | trigger-mitigation | 31 | 7 (simple types) |
| missing-hb-allowed | 32 | 0 | | missing-hb-allowed | 32 | 0 |
| CurrentValue | 33 | 0 | | current-value | 33 | 0 |
| mitigation-start | 34 | 7 (floating-point) | | mitigation-start | 34 | 7 (floating-point) |
| target-prefix | 35 | 4 (array) | | target-prefix | 35 | 4 (array) |
| client-identifier | 36 | 2 (byte string) | | client-identifier | 36 | 2 (byte string) |
| alt-server | 37 | 2 | | alt-server | 37 | 2 |
| alt-server-record | 38 | 4 | | alt-server-record | 38 | 4 |
| addr | 39 | 2 | | addr | 39 | 2 |
| ttl | 40 | 0 | | ttl | 40 | 0 |
| conflict-scope | 41 | 5 (map) |
\----------------------+----------------+--------------------------/ \----------------------+----------------+--------------------------/
Table 4: CBOR mappings used in DOTS signal channel message Table 4: CBOR mappings used in DOTS signal channel message
7. (D)TLS Protocol Profile and Performance Considerations 7. (D)TLS Protocol Profile and Performance Considerations
7.1. (D)TLS Protocol Profile 7.1. (D)TLS Protocol Profile
This section defines the (D)TLS protocol profile of DOTS signal This section defines the (D)TLS protocol profile of DOTS signal
channel over (D)TLS and DOTS data channel over TLS. channel over (D)TLS and DOTS data channel over TLS.
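Review bot: conflict-scope (key 41) is added to Table 4, but acl-list and its name and type leaves, introduced under conflict-scope in the same revision, have no CBOR key mapping, so a server has no way to encode the ACL references that the conflict-scope text now promises; register keys for all three alongside conflict-scope. With min-value, max-value and current-value renamed, also check that the registry initial contents in Section 9.4.2 use the same spelling, since the registry and this table must agree.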
skipping to change at page 55, line 25 skipping to change at page 55, line 25
discussion of these security issues. DOTS agents MUST adhere to the discussion of these security issues. DOTS agents MUST adhere to the
(D)TLS implementation recommendations and security considerations of (D)TLS implementation recommendations and security considerations of
[RFC7525] except with respect to (D)TLS version. Since encryption of [RFC7525] except with respect to (D)TLS version. Since encryption of
DOTS using (D)TLS is virtually a green-field deployment DOTS agents DOTS using (D)TLS is virtually a green-field deployment DOTS agents
MUST implement only (D)TLS 1.2 or later. MUST implement only (D)TLS 1.2 or later.
When a DOTS client is configured with a domain name of the DOTS When a DOTS client is configured with a domain name of the DOTS
server, and connects to its configured DOTS server, the server may server, and connects to its configured DOTS server, the server may
present it with a PKIX certificate. In order to ensure proper present it with a PKIX certificate. In order to ensure proper
authentication, DOTS client MUST verify the entire certification path authentication, DOTS client MUST verify the entire certification path
per [RFC5280]. The DOTS client additionaly uses [RFC6125] validation per [RFC5280]. The DOTS client additionally uses [RFC6125]
techniques to compare the domain name to the certificate provided. validation techniques to compare the domain name to the certificate
provided.
A key challenge to deploying DOTS is provisioning DOTS clients, A key challenge to deploying DOTS is provisioning DOTS clients,
including the distribution of keying material to DOTS clients to make including the distribution of keying material to DOTS clients to make
possible the required mutual authentication of DOTS agents. EST possible the required mutual authentication of DOTS agents. EST
defines a method of certificate enrollment by which domains operating defines a method of certificate enrollment by which domains operating
DOTS servers may provision DOTS clients with all necessary DOTS servers may provision DOTS clients with all necessary
cryptographic keying material, including a private key and cryptographic keying material, including a private key and
certificate with which to authenticate itself. One deployment option certificate with which to authenticate itself. One deployment option
is DOTS clients to behave as EST clients for certificate enrollment is DOTS clients to behave as EST clients for certificate enrollment
from an EST server provisioned by the mitigation provider. This from an EST server provisioned by the mitigation provider. This
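Review bot: the EST paragraph has a grammatical slip at "One deployment option is DOTS clients to behave as EST clients for certificate enrollment"; suggest "is for DOTS clients to behave as EST clients", and because the subject is plural, "certificate with which to authenticate itself" should read "themselves". Two smaller points in the (D)TLS profile paragraph: "DOTS client MUST verify the entire certification path" needs the article ("the DOTS client MUST verify"), and "Since encryption of DOTS using (D)TLS is virtually a green-field deployment DOTS agents MUST implement only (D)TLS 1.2 or later" needs a comma after "deployment".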
skipping to change at page 56, line 37 skipping to change at page 56, line 39
o Absent packet loss, a full handshake in which the DOTS client is o Absent packet loss, a full handshake in which the DOTS client is
able to send the DOTS signal message after one round trip and the able to send the DOTS signal message after one round trip and the
DOTS server immediately after receiving the first DOTS signal DOTS server immediately after receiving the first DOTS signal
message from the client. message from the client.
o 0-RTT mode in which the DOTS client can authenticate itself and o 0-RTT mode in which the DOTS client can authenticate itself and
send DOTS signal message on its first flight, thus reducing send DOTS signal message on its first flight, thus reducing
handshake latency. 0-RTT only works if the DOTS client has handshake latency. 0-RTT only works if the DOTS client has
previously communicated with that DOTS server, which is very previously communicated with that DOTS server, which is very
likely with the DOTS signal channel. The DOTS client SHOULD likely with the DOTS signal channel.
establish a (D)TLS session with the DOTS server during peacetime
and share a PSK. During DDOS attack, the DOTS client can use the The DOTS client SHOULD establish a (D)TLS session with the DOTS
(D)TLS session to convey the DOTS signal message and if there is server during peacetime and share a PSK.
no response from the server after multiple re-tries then the DOTS
client can resume the (D)TLS session in 0-RTT mode using PSK. A During DDOS attack, the DOTS client can use the (D)TLS session to
simplified TLS 1.3 handshake with 0-RTT DOTS signal message convey the DOTS signal message and if there is no response from
the server after multiple re-tries, then the DOTS client can
resume the (D)TLS session in 0-RTT mode using PSK.
A simplified TLS 1.3 handshake with 0-RTT DOTS signal message
exchange is shown in Figure 23. exchange is shown in Figure 23.
DOTS Client DOTS Server DOTS Client DOTS Server
ClientHello ClientHello
(Finished) (Finished)
(0-RTT DOTS signal message) (0-RTT DOTS signal message)
(end_of_early_data) --------> (end_of_early_data) -------->
ServerHello ServerHello
{EncryptedExtensions} {EncryptedExtensions}
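Review bot: the 0-RTT bullet should say how the replay weakness of early data is handled. TLS 1.3 gives 0-RTT data no replay protection, so a "0-RTT DOTS signal message" carried on the first flight can be replayed by an on-path party, and the text recommending that the client "resume the (D)TLS session in 0-RTT mode using PSK" during an attack should either limit early data to requests whose replay is harmless or point to the anti-replay measures the DOTS server is expected to apply. Wording: "share a PSK" is imprecise for TLS 1.3, where the resumption PSK is delivered by the server in a NewSessionTicket after the peacetime handshake, so "obtain a resumption PSK" would be clearer; "DDOS" should be "DDoS" as in the title, and "re-tries" should be "retries".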
skipping to change at page 60, line 16 skipping to change at page 60, line 16
| Code | Description | Reference | | Code | Description | Reference |
+------+------------------+-----------+ +------+------------------+-----------+
| 3.00 | Alternate server | [RFCXXXX] | | 3.00 | Alternate server | [RFCXXXX] |
+------+------------------+-----------+ +------+------------------+-----------+
Table 4: CoAP Response Code Table 4: CoAP Response Code
9.4. DOTS Signal Channel CBOR Mappings Registry 9.4. DOTS Signal Channel CBOR Mappings Registry
The document requests IANA to create a new registry, entitled "DOTS The document requests IANA to create a new registry, entitled "DOTS
Signal Channel CBOR Mappings Registry". The structrue of this Signal Channel CBOR Mappings Registry". The structure of this
registry is provided in Section 9.4.1. registry is provided in Section 9.4.1.
The registry is initially populated with the values in Section 9.4.2. The registry is initially populated with the values in Section 9.4.2.
Values from that registry MUST be assigned via Expert Review Values from that registry MUST be assigned via Expert Review
[RFC8126]. [RFC8126].
9.4.1. Registration Template 9.4.1. Registration Template
Parameter name: Parameter name:
Parameter names (e.g., "target_ip") in the DOTS signal channel. Parameter name as used in the DOTS signal channel.
CBOR Key Value: CBOR Key Value:
Key value for the parameter. The key value MUST be an integer in Key value for the parameter. The key value MUST be an integer in
the range of 1 to 65536. The key values in the range of 32768 to the range of 1 to 65536. The key values in the range of 32768 to
65536 are assigned for Vendor-Specific parameters. 65536 are assigned for Vendor-Specific parameters.
CBOR Major Type: CBOR Major Type:
CBOR Major type and optional tag for the claim. CBOR Major type and optional tag for the claim.
Change Controller: Change Controller:
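Review bot: the key range in the CBOR Key Value template looks off by one: "an integer in the range of 1 to 65536" and "32768 to 65536" both end at exactly 2^16, so if the intent is keys that fit in 16 bits the upper bound should be 65535, and if larger values are allowed the text should say so rather than stop at 2^16. Two consistency points: "CBOR Major type and optional tag for the claim" should read "for the parameter", since "claim" is not a term this registry uses; and the CoAP response code table is captioned "Table 4: CoAP Response Code", the same number already used for "Table 4: CBOR mappings used in DOTS signal channel message" earlier in the document, so one of the two needs renumbering.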
skipping to change at page 60, line 50 skipping to change at page 60, line 50
address, email address, home page URI) may also be included. address, email address, home page URI) may also be included.
Specification Document(s): Specification Document(s):
Reference to the document or documents that specify the parameter, Reference to the document or documents that specify the parameter,
preferably including URIs that can be used to retrieve copies of preferably including URIs that can be used to retrieve copies of
the documents. An indication of the relevant sections may also be the documents. An indication of the relevant sections may also be
included but is not required. included but is not required.
9.4.2. Initial Registry Contents 9.4.2. Initial Registry Contents
o Parameter Name: "mitigation-scope" o Parameter Name: mitigation-scope
o CBOR Key Value: 1 o CBOR Key Value: 1
o CBOR Major Type: 5 o CBOR Major Type: 5
o Change Controller: IESG o Change Controller: IESG
o Specification Document(s): this document o Specification Document(s): this document
o Parameter Name: "scope" o Parameter Name: scope
o CBOR Key Value: 2 o CBOR Key Value: 2
o CBOR Major Type: 5 o CBOR Major Type: 5
o Change Controller: IESG o Change Controller: IESG
o Specification Document(s): this document o Specification Document(s): this document
o Parameter Name: "mitigation-id" o Parameter Name: mitigation-id
o CBOR Key Value: 3 o CBOR Key Value: 3
o CBOR Major Type: 0 o CBOR Major Type: 0
o Change Controller: IESG o Change Controller: IESG
o Specification Document(s): this document o Specification Document(s): this document
o Parameter Name:target-ip o Parameter Name: target-ip
o CBOR Key Value: 4 o CBOR Key Value: 4
o CBOR Major Type: 4 o CBOR Major Type: 4
o Change Controller: IESG o Change Controller: IESG
o Specification Document(s): this document o Specification Document(s): this document
o Parameter Name: target-port-range o Parameter Name: target-port-range
o CBOR Key Value: 5 o CBOR Key Value: 5
o CBOR Major Type: 4 o CBOR Major Type: 4
o Change Controller: IESG o Change Controller: IESG
o Specification Document(s): this document o Specification Document(s): this document
o Parameter Name: "lower-port" o Parameter Name: lower-port
o CBOR Key Value: 6 o CBOR Key Value: 6
o CBOR Major Type: 0 o CBOR Major Type: 0
o Change Controller: IESG o Change Controller: IESG
o Specification Document(s): this document o Specification Document(s): this document
o Parameter Name: "upper-port" o Parameter Name: upper-port
o CBOR Key Value: 7 o CBOR Key Value: 7
o CBOR Major Type: 0 o CBOR Major Type: 0
o Change Controller: IESG o Change Controller: IESG
o Specification Document(s): this document o Specification Document(s): this document
o Parameter Name: target-protocol o Parameter Name: target-protocol
o CBOR Key Value: 8 o CBOR Key Value: 8
o CBOR Major Type: 4 o CBOR Major Type: 4
o Change Controller: IESG o Change Controller: IESG
o Specification Document(s): this document o Specification Document(s): this document
o Parameter Name: "target-fqdn" o Parameter Name: target-fqdn
o CBOR Key Value: 9 o CBOR Key Value: 9
o CBOR Major Type: 4 o CBOR Major Type: 4
o Change Controller: IESG o Change Controller: IESG
o Specification Document(s): this document o Specification Document(s): this document
o Parameter Name: "target-uri" o Parameter Name: target-uri
o CBOR Key Value: 10 o CBOR Key Value: 10
o CBOR Major Type: 4 o CBOR Major Type: 4
o Change Controller: IESG o Change Controller: IESG
o Specification Document(s): this document o Specification Document(s): this document
o Parameter Name: alias-name o Parameter Name: alias-name
o CBOR Key Value: 11 o CBOR Key Value: 11
o CBOR Major Type: 4 o CBOR Major Type: 4
o Change Controller: IESG o Change Controller: IESG
o Specification Document(s): this document o Specification Document(s): this document
o Parameter Name: "lifetime" o Parameter Name: lifetime
o CBOR Key Value: 12 o CBOR Key Value: 12
o CBOR Major Type: 0 o CBOR Major Type: 0
o Change Controller: IESG o Change Controller: IESG
o Specification Document(s): this document o Specification Document(s): this document
o Parameter Name: attack-status o Parameter Name: attack-status
o CBOR Key Value: 13 o CBOR Key Value: 13
o CBOR Major Type: 0 o CBOR Major Type: 0
o Change Controller: IESG o Change Controller: IESG
o Specification Document(s): this document o Specification Document(s): this document
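Review bot: the "Specification Document(s): this document" lines throughout the initial registry contents (for example the entry for mitigation-scope, key value 1) should use the same RFC-to-be reference that the CoAP response code table uses, "[RFCXXXX]"; "this document" is not resolvable once IANA copies the entries into the registry. Dropping the quotation marks around parameter names in the right column (for example "mitigation-scope" becoming mitigation-scope) is a welcome consistency fix, as target-port-range and alias-name were already unquoted.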
skipping to change at page 63, line 13 skipping to change at page 63, line 13
o CBOR Major Type: 0 o CBOR Major Type: 0
o Change Controller: IESG o Change Controller: IESG
o Specification Document(s): this document o Specification Document(s): this document
o Parameter Name: ack-random-factor o Parameter Name: ack-random-factor
o CBOR Key Value: 18 o CBOR Key Value: 18
o CBOR Major Type: 7 o CBOR Major Type: 7
o Change Controller: IESG o Change Controller: IESG
o Specification Document(s): this document o Specification Document(s): this document
o Parameter Name: MinValue o Parameter Name: min-value
o CBOR Key Value: 19 o CBOR Key Value: 19
o CBOR Major Type: 0 o CBOR Major Type: 0
o Change Controller: IESG o Change Controller: IESG
o Specification Document(s): this document o Specification Document(s): this document
o Parameter Name: MaxValue o Parameter Name: max-value
o CBOR Key Value: 20 o CBOR Key Value: 20
o CBOR Major Type: 0 o CBOR Major Type: 0
o Change Controller: IESG o Change Controller: IESG
o Specification Document(s): this document o Specification Document(s): this document
o Parameter Name: status o Parameter Name: status
o CBOR Key Value: 21 o CBOR Key Value: 21
o CBOR Major Type: 0 o CBOR Major Type: 0
o Change Controller: IESG o Change Controller: IESG
o Specification Document(s): this document o Specification Document(s): this document
skipping to change at page 64, line 49 skipping to change at page 64, line 49
o CBOR Major Type: 7 o CBOR Major Type: 7
o Change Controller: IESG o Change Controller: IESG
o Specification Document(s): this document o Specification Document(s): this document
o Parameter Name: missing-hb-allowed o Parameter Name: missing-hb-allowed
o CBOR Key Value: 32 o CBOR Key Value: 32
o CBOR Major Type: 0 o CBOR Major Type: 0
o Change Controller: IESG o Change Controller: IESG
o Specification Document(s): this document o Specification Document(s): this document
o Parameter Name: CurrentValue o Parameter Name: current-value
o CBOR Key Value: 33 o CBOR Key Value: 33
o CBOR Major Type: 0 o CBOR Major Type: 0
o Change Controller: IESG o Change Controller: IESG
o Specification Document(s): this document o Specification Document(s): this document
o Parameter Name:mitigation-start o Parameter Name: mitigation-start
o CBOR Key Value: 34 o CBOR Key Value: 34
o CBOR Major Type: 7 o CBOR Major Type: 7
o Change Controller: IESG o Change Controller: IESG
o Specification Document(s): this document o Specification Document(s): this document
o Parameter Name:target-prefix o Parameter Name: target-prefix
o CBOR Key Value: 35 o CBOR Key Value: 35
o CBOR Major Type: 4 o CBOR Major Type: 4
o Change Controller: IESG o Change Controller: IESG
o Specification Document(s): this document o Specification Document(s): this document
o Parameter Name:client-identifier o Parameter Name: client-identifier
o CBOR Key Value: 36 o CBOR Key Value: 36
o CBOR Major Type: 2 o CBOR Major Type: 2
o Change Controller: IESG o Change Controller: IESG
o Specification Document(s): this document o Specification Document(s): this document
o Parameter Name:alt-server o Parameter Name: alt-server
o CBOR Key Value: 37 o CBOR Key Value: 37
o CBOR Major Type: 2 o CBOR Major Type: 2
o Change Controller: IESG o Change Controller: IESG
o Specification Document(s): this document o Specification Document(s): this document
o Parameter Name:alt-server-record o Parameter Name: alt-server-record
o CBOR Key Value: 38 o CBOR Key Value: 38
o CBOR Major Type: 4 o CBOR Major Type: 4
o Change Controller: IESG o Change Controller: IESG
o Specification Document(s): this document o Specification Document(s): this document
o Parameter Name:addr o Parameter Name: addr
o CBOR Key Value: 39 o CBOR Key Value: 39
o CBOR Major Type: 2 o CBOR Major Type: 2
o Change Controller: IESG o Change Controller: IESG
o Specification Document(s): this document o Specification Document(s): this document
o Parameter Name:ttl o Parameter Name: ttl
o CBOR Key Value: 40 o CBOR Key Value: 40
o CBOR Major Type: 0 o CBOR Major Type: 0
o Change Controller: IESG o Change Controller: IESG
o Specification Document(s): this document o Specification Document(s): this document
o Parameter Name: conflict-scope
o CBOR Key Value: 41
o CBOR Major Type: 5
o Change Controller: IESG
o Specification Document(s): this document
9.5. DOTS Signal Channel YANG Module 9.5. DOTS Signal Channel YANG Module
This document requests IANA to register the following URI in the This document requests IANA to register the following URI in the
"IETF XML Registry" [RFC3688]: "IETF XML Registry" [RFC3688]:
URI: urn:ietf:params:xml:ns:yang:ietf-dots-signal URI: urn:ietf:params:xml:ns:yang:ietf-dots-signal
Registrant Contact: The IESG. Registrant Contact: The IESG.
XML: N/A; the requested URI is an XML namespace. XML: N/A; the requested URI is an XML namespace.
This document requests IANA to register the following YANG module in This document requests IANA to register the following YANG module in
skipping to change at page 68, line 31 skipping to change at page 68, line 36
Robert Moskowitz HTT Consulting Oak Park, MI 42837 United States Robert Moskowitz HTT Consulting Oak Park, MI 42837 United States
Email: rgm@htt-consult.com Email: rgm@htt-consult.com
Dan Wing Email: dwing-ietf@fuggles.com Dan Wing Email: dwing-ietf@fuggles.com
13. Acknowledgements 13. Acknowledgements
Thanks to Christian Jacquenet, Roland Dobbins, Roman D. Danyliw, Thanks to Christian Jacquenet, Roland Dobbins, Roman D. Danyliw,
Michael Richardson, Ehud Doron, Kaname Nishizuka, Dave Dolson, Liang Michael Richardson, Ehud Doron, Kaname Nishizuka, Dave Dolson, Liang
Xia, Jon Shallow, Gilbert Clark, and Nesredien Suleiman for the Xia, Gilbert Clark, and Nesredien Suleiman for the discussion and
discussion and comments. comments.
Special thanks to Jon Shallow for the careful reviews and inputs that
enhanced this specification.
14. References 14. References
14.1. Normative References 14.1. Normative References
[I-D.ietf-core-coap-tcp-tls] [I-D.ietf-core-coap-tcp-tls]
Bormann, C., Lemay, S., Tschofenig, H., Hartke, K., Bormann, C., Lemay, S., Tschofenig, H., Hartke, K.,
Silverajan, B., and B. Raymor, "CoAP (Constrained Silverajan, B., and B. Raymor, "CoAP (Constrained
Application Protocol) over TCP, TLS, and WebSockets", Application Protocol) over TCP, TLS, and WebSockets",
draft-ietf-core-coap-tcp-tls-10 (work in progress), draft-ietf-core-coap-tcp-tls-10 (work in progress),
 End of changes. 58 change blocks. 
136 lines changed or deleted 187 lines changed or added
