< draft-ietf-dots-telemetry-14.txt   draft-ietf-dots-telemetry-15.txt >
DOTS M. Boucadair, Ed. DOTS M. Boucadair, Ed.
Internet-Draft Orange Internet-Draft Orange
Intended status: Standards Track T. Reddy, Ed. Intended status: Standards Track T. Reddy, Ed.
Expires: May 19, 2021 McAfee Expires: June 11, 2021 McAfee
E. Doron E. Doron
Radware Ltd. Radware Ltd.
M. Chen M. Chen
CMCC CMCC
J. Shallow J. Shallow
November 15, 2020 December 8, 2020
Distributed Denial-of-Service Open Threat Signaling (DOTS) Telemetry Distributed Denial-of-Service Open Threat Signaling (DOTS) Telemetry
draft-ietf-dots-telemetry-14 draft-ietf-dots-telemetry-15
Abstract Abstract
This document aims to enrich DOTS signal channel protocol with This document aims to enrich DOTS signal channel protocol with
various telemetry attributes allowing optimal Distributed Denial-of- various telemetry attributes allowing optimal Distributed Denial-of-
Service attack mitigation. It specifies the normal traffic baseline Service attack mitigation. It specifies the normal traffic baseline
and attack traffic telemetry attributes a DOTS client can convey to and attack traffic telemetry attributes a DOTS client can convey to
its DOTS server in the mitigation request, the mitigation status its DOTS server in the mitigation request, the mitigation status
telemetry attributes a DOTS server can communicate to a DOTS client, telemetry attributes a DOTS server can communicate to a DOTS client,
and the mitigation efficacy telemetry attributes a DOTS client can and the mitigation efficacy telemetry attributes a DOTS client can
skipping to change at page 1, line 45 skipping to change at page 1, line 45
Internet-Drafts are working documents of the Internet Engineering Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet- working documents as Internet-Drafts. The list of current Internet-
Drafts is at https://datatracker.ietf.org/drafts/current/. Drafts is at https://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress." material or to cite them other than as "work in progress."
This Internet-Draft will expire on May 19, 2021. This Internet-Draft will expire on June 11, 2021.
Copyright Notice Copyright Notice
Copyright (c) 2020 IETF Trust and the persons identified as the Copyright (c) 2020 IETF Trust and the persons identified as the
document authors. All rights reserved. document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents Provisions Relating to IETF Documents
(https://trustee.ietf.org/license-info) in effect on the date of (https://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents publication of this document. Please review these documents
skipping to change at page 2, line 29 skipping to change at page 2, line 29
Table of Contents Table of Contents
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 3 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 3
2. Terminology . . . . . . . . . . . . . . . . . . . . . . . . . 5 2. Terminology . . . . . . . . . . . . . . . . . . . . . . . . . 5
3. DOTS Telemetry: Overview and Purpose . . . . . . . . . . . . 6 3. DOTS Telemetry: Overview and Purpose . . . . . . . . . . . . 6
3.1. Need More Visibility . . . . . . . . . . . . . . . . . . 6 3.1. Need More Visibility . . . . . . . . . . . . . . . . . . 6
3.2. Enhanced Detection . . . . . . . . . . . . . . . . . . . 7 3.2. Enhanced Detection . . . . . . . . . . . . . . . . . . . 7
3.3. Efficient Mitigation . . . . . . . . . . . . . . . . . . 9 3.3. Efficient Mitigation . . . . . . . . . . . . . . . . . . 9
4. Design Overview . . . . . . . . . . . . . . . . . . . . . . . 9 4. Design Overview . . . . . . . . . . . . . . . . . . . . . . . 9
4.1. Overview of Telemetry Operations . . . . . . . . . . . . 9 4.1. Overview of Telemetry Operations . . . . . . . . . . . . 10
4.2. Generic Considerations . . . . . . . . . . . . . . . . . 10 4.2. Generic Considerations . . . . . . . . . . . . . . . . . 10
4.2.1. DOTS Client Identification . . . . . . . . . . . . . 10 4.2.1. DOTS Client Identification . . . . . . . . . . . . . 10
4.2.2. DOTS Gateways . . . . . . . . . . . . . . . . . . . . 10 4.2.2. DOTS Gateways . . . . . . . . . . . . . . . . . . . . 10
4.2.3. Empty URI Paths . . . . . . . . . . . . . . . . . . . 10 4.2.3. Empty URI Paths . . . . . . . . . . . . . . . . . . . 11
4.2.4. Controlling Configuration Data . . . . . . . . . . . 10 4.2.4. Controlling Configuration Data . . . . . . . . . . . 11
4.3. Block-wise Transfer . . . . . . . . . . . . . . . . . . . 11 4.3. Block-wise Transfer . . . . . . . . . . . . . . . . . . . 11
4.4. DOTS Multi-homing Considerations . . . . . . . . . . . . 11 4.4. DOTS Multi-homing Considerations . . . . . . . . . . . . 11
4.5. YANG Considerations . . . . . . . . . . . . . . . . . . . 11 4.5. YANG Considerations . . . . . . . . . . . . . . . . . . . 12
4.6. A Note About Examples . . . . . . . . . . . . . . . . . . 12 4.6. A Note About Examples . . . . . . . . . . . . . . . . . . 13
5. Telemetry Operation Paths . . . . . . . . . . . . . . . . . . 12 5. Telemetry Operation Paths . . . . . . . . . . . . . . . . . . 13
6. DOTS Telemetry Setup Configuration . . . . . . . . . . . . . 13 6. DOTS Telemetry Setup Configuration . . . . . . . . . . . . . 14
6.1. Telemetry Configuration . . . . . . . . . . . . . . . . . 14 6.1. Telemetry Configuration . . . . . . . . . . . . . . . . . 15
6.1.1. Retrieve Current DOTS Telemetry Configuration . . . . 14 6.1.1. Retrieve Current DOTS Telemetry Configuration . . . . 15
6.1.2. Convey DOTS Telemetry Configuration . . . . . . . . . 16 6.1.2. Convey DOTS Telemetry Configuration . . . . . . . . . 17
6.1.3. Retrieve Installed DOTS Telemetry Configuration . . . 19 6.1.3. Retrieve Installed DOTS Telemetry Configuration . . . 20
6.1.4. Delete DOTS Telemetry Configuration . . . . . . . . . 20 6.1.4. Delete DOTS Telemetry Configuration . . . . . . . . . 21
6.2. Total Pipe Capacity . . . . . . . . . . . . . . . . . . . 20 6.2. Total Pipe Capacity . . . . . . . . . . . . . . . . . . . 21
6.2.1. Convey DOTS Client Domain Pipe Capacity . . . . . . . 21 6.2.1. Convey DOTS Client Domain Pipe Capacity . . . . . . . 22
6.2.2. Retrieve Installed DOTS Client Domain Pipe Capacity . 27 6.2.2. Retrieve Installed DOTS Client Domain Pipe Capacity . 28
6.2.3. Delete Installed DOTS Client Domain Pipe Capacity . . 27 6.2.3. Delete Installed DOTS Client Domain Pipe Capacity . . 28
6.3. Telemetry Baseline . . . . . . . . . . . . . . . . . . . 27 6.3. Telemetry Baseline . . . . . . . . . . . . . . . . . . . 28
6.3.1. Convey DOTS Client Domain Baseline Information . . . 30 6.3.1. Convey DOTS Client Domain Baseline Information . . . 31
6.3.2. Retrieve Installed Normal Traffic Baseline . . . . . 33 6.3.2. Retrieve Installed Normal Traffic Baseline . . . . . 34
6.3.3. Delete Installed Normal Traffic Baseline . . . . . . 33 6.3.3. Delete Installed Normal Traffic Baseline . . . . . . 34
6.4. Reset Installed Telemetry Setup . . . . . . . . . . . . . 33 6.4. Reset Installed Telemetry Setup . . . . . . . . . . . . . 34
6.5. Conflict with Other DOTS Clients of the Same Domain . . . 33 6.5. Conflict with Other DOTS Clients of the Same Domain . . . 34
7. DOTS Pre-or-Ongoing Mitigation Telemetry . . . . . . . . . . 34 7. DOTS Pre-or-Ongoing Mitigation Telemetry . . . . . . . . . . 35
7.1. Pre-or-Ongoing-Mitigation DOTS Telemetry Attributes . . . 36 7.1. Pre-or-Ongoing-Mitigation DOTS Telemetry Attributes . . . 37
7.1.1. Target . . . . . . . . . . . . . . . . . . . . . . . 37 7.1.1. Target . . . . . . . . . . . . . . . . . . . . . . . 38
7.1.2. Total Traffic . . . . . . . . . . . . . . . . . . . . 38 7.1.2. Total Traffic . . . . . . . . . . . . . . . . . . . . 39
7.1.3. Total Attack Traffic . . . . . . . . . . . . . . . . 39 7.1.3. Total Attack Traffic . . . . . . . . . . . . . . . . 41
7.1.4. Total Attack Connections . . . . . . . . . . . . . . 41 7.1.4. Total Attack Connections . . . . . . . . . . . . . . 43
7.1.5. Attack Details . . . . . . . . . . . . . . . . . . . 44 7.1.5. Attack Details . . . . . . . . . . . . . . . . . . . 45
7.2. From DOTS Clients to DOTS Servers . . . . . . . . . . . . 50 7.2. From DOTS Clients to DOTS Servers . . . . . . . . . . . . 52
7.3. From DOTS Servers to DOTS Clients . . . . . . . . . . . . 53 7.3. From DOTS Servers to DOTS Clients . . . . . . . . . . . . 55
8. DOTS Telemetry Mitigation Status Update . . . . . . . . . . . 58 8. DOTS Telemetry Mitigation Status Update . . . . . . . . . . . 60
8.1. DOTS Clients to Servers Mitigation Efficacy DOTS 8.1. DOTS Clients to Servers Mitigation Efficacy DOTS
Telemetry Attributes . . . . . . . . . . . . . . . . . . 58 Telemetry Attributes . . . . . . . . . . . . . . . . . . 60
8.2. DOTS Servers to Clients Mitigation Status DOTS Telemetry 8.2. DOTS Servers to Clients Mitigation Status DOTS Telemetry
Attributes . . . . . . . . . . . . . . . . . . . . . . . 60 Attributes . . . . . . . . . . . . . . . . . . . . . . . 62
9. Error Handling . . . . . . . . . . . . . . . . . . . . . . . 64 9. Error Handling . . . . . . . . . . . . . . . . . . . . . . . 66
10. YANG Modules . . . . . . . . . . . . . . . . . . . . . . . . 64 10. YANG Modules . . . . . . . . . . . . . . . . . . . . . . . . 67
10.1. DOTS Signal Channel Telemetry YANG Module . . . . . . . 64 10.1. DOTS Signal Channel Telemetry YANG Module . . . . . . . 67
10.2. Vendor Attack Mapping Details YANG Module . . . . . . . 92 10.2. Vendor Attack Mapping Details YANG Module . . . . . . . 98
11. YANG/JSON Mapping Parameters to CBOR . . . . . . . . . . . . 95 11. YANG/JSON Mapping Parameters to CBOR . . . . . . . . . . . . 101
12. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 97 12. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 104
12.1. DOTS Signal Channel CBOR Key Values . . . . . . . . . . 97 12.1. DOTS Signal Channel CBOR Key Values . . . . . . . . . . 104
12.2. DOTS Signal Channel Conflict Cause Codes . . . . . . . . 100 12.2. DOTS Signal Channel Conflict Cause Codes . . . . . . . . 106
12.3. DOTS Signal Telemetry YANG Module . . . . . . . . . . . 100 12.3. DOTS Signal Telemetry YANG Module . . . . . . . . . . . 107
13. Security Considerations . . . . . . . . . . . . . . . . . . . 101 13. Security Considerations . . . . . . . . . . . . . . . . . . . 107
13.1. DOTS Signal Channel Telemetry . . . . . . . . . . . . . 101 13.1. DOTS Signal Channel Telemetry . . . . . . . . . . . . . 107
13.2. Vendor Attack Mapping . . . . . . . . . . . . . . . . . 102 13.2. Vendor Attack Mapping . . . . . . . . . . . . . . . . . 108
14. Contributors . . . . . . . . . . . . . . . . . . . . . . . . 103 14. Contributors . . . . . . . . . . . . . . . . . . . . . . . . 109
15. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 103 15. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 109
16. References . . . . . . . . . . . . . . . . . . . . . . . . . 103 16. References . . . . . . . . . . . . . . . . . . . . . . . . . 109
16.1. Normative References . . . . . . . . . . . . . . . . . . 103 16.1. Normative References . . . . . . . . . . . . . . . . . . 110
16.2. Informative References . . . . . . . . . . . . . . . . . 105 16.2. Informative References . . . . . . . . . . . . . . . . . 111
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 106 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 113
1. Introduction 1. Introduction
Distributed Denial of Service (DDoS) attacks have become more Distributed Denial of Service (DDoS) attacks have become more
sophisticated. IT organizations and service providers are facing sophisticated. IT organizations and service providers are facing
DDoS attacks that fall into two broad categories: DDoS attacks that fall into two broad categories:
1. Network/Transport layer attacks target the victim's 1. Network/Transport layer attacks target the victim's
infrastructure. These attacks are not necessarily aimed at infrastructure. These attacks are not necessarily aimed at
taking down the actual delivered services, but rather to taking down the actual delivered services, but rather to
skipping to change at page 4, line 38 skipping to change at page 4, line 38
detect and defend. Multiple and simultaneous mitigation techniques detect and defend. Multiple and simultaneous mitigation techniques
are needed to defeat such attack campaigns. It is also common for are needed to defeat such attack campaigns. It is also common for
attackers to change attack vectors right after a successful attackers to change attack vectors right after a successful
mitigation, burdening their opponents with changing their defense mitigation, burdening their opponents with changing their defense
methods. methods.
The conclusion derived from these real scenarios is that modern The conclusion derived from these real scenarios is that modern
attacks detection and mitigation are most certainly complicated and attacks detection and mitigation are most certainly complicated and
highly convoluted tasks. They demand a comprehensive knowledge of highly convoluted tasks. They demand a comprehensive knowledge of
the attack attributes, the targeted normal behavior (including, the attack attributes, the targeted normal behavior (including,
normal traffic patterns), as well as the attacker's on-going and past normal traffic patterns), as well as the attacker's ongoing and past
actions. Even more challenging, retrieving all the analytics needed actions. Even more challenging, retrieving all the analytics needed
for detecting these attacks is not simple to obtain with the for detecting these attacks is not simple to obtain with the
industry's current capabilities. industry's current capabilities.
The DOTS signal channel protocol [I-D.ietf-dots-rfc8782-bis] is used The DOTS signal channel protocol [I-D.ietf-dots-rfc8782-bis] is used
to carry information about a network resource or a network (or a part to carry information about a network resource or a network (or a part
thereof) that is under a DDoS attack. Such information is sent by a thereof) that is under a DDoS attack. Such information is sent by a
DOTS client to one or multiple DOTS servers so that appropriate DOTS client to one or multiple DOTS servers so that appropriate
mitigation actions are undertaken on traffic deemed suspicious. mitigation actions are undertaken on traffic deemed suspicious.
Various use cases are discussed in [I-D.ietf-dots-use-cases]. Various use cases are discussed in [I-D.ietf-dots-use-cases].
Typically, DOTS clients can be integrated within a DDoS attack DOTS clients can be integrated within a DDoS attack detector, or
detector, or network and security elements that have been actively network and security elements that have been actively engaged with
engaged with ongoing attacks. The DOTS client mitigation environment ongoing attacks. The DOTS client mitigation environment determines
determines that it is no longer possible or practical for it to that it is no longer possible or practical for it to handle these
handle these attacks. This can be due to a lack of resources or attacks. This can be due to a lack of resources or security
security capabilities, as derived from the complexities and the capabilities, as derived from the complexities and the intensity of
intensity of these attacks. In this circumstance, the DOTS client these attacks. In this circumstance, the DOTS client has invaluable
has invaluable knowledge about the actual attacks that need to be knowledge about the actual attacks that need to be handled by its
handled by its DOTS server(s). By enabling the DOTS client to share DOTS server(s). By enabling the DOTS client to share this
this comprehensive knowledge of an ongoing attack under specific comprehensive knowledge of an ongoing attack under specific
circumstances, the DOTS server can drastically increase its ability circumstances, the DOTS server can drastically increase its ability
to accomplish successful mitigation. While the attack is being to accomplish successful mitigation. While the attack is being
handled by the DOTS server associated mitigation resources, the DOTS handled by the DOTS server associated mitigation resources, the DOTS
server has the knowledge about the ongoing attack mitigation. The server has the knowledge about the ongoing attack mitigation. The
DOTS server can share this information with the DOTS client so that DOTS server can share this information with the DOTS client so that
the client can better assess and evaluate the actual mitigation the client can better assess and evaluate the actual mitigation
realized. realized.
DOTS clients can send mitigation hints derived from attack details to DOTS clients can send mitigation hints derived from attack details to
DOTS servers, with the full understanding that the DOTS server may DOTS servers, with the full understanding that the DOTS server may
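Review bot: two grammar nits in the context lines of this region, worth fixing while the paragraph is being touched for "on-going" → "ongoing": "modern attacks detection and mitigation are most certainly complicated" should read "modern attack detection and mitigation are ...", and "retrieving all the analytics needed for detecting these attacks is not simple to obtain" mixes two constructions; suggest "the analytics needed for detecting these attacks are not simple to obtain with the industry's current capabilities". Dropping "Typically," from the sentence on where DOTS clients are integrated reads fine and matches the same edit made in the Design Overview.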
skipping to change at page 6, line 15 skipping to change at page 6, line 15
attributes that can be signaled in the DOTS signal channel protocol. attributes that can be signaled in the DOTS signal channel protocol.
Telemetry Setup Identifier (tsid) is an identifier that is generated Telemetry Setup Identifier (tsid) is an identifier that is generated
by DOTS clients to uniquely identify DOTS telemetry setup by DOTS clients to uniquely identify DOTS telemetry setup
configuration data. configuration data.
Telemetry Identifier (tmid) is an identifier that is generated by Telemetry Identifier (tmid) is an identifier that is generated by
DOTS clients to uniquely identify DOTS telemetry data that is DOTS clients to uniquely identify DOTS telemetry data that is
communicated prior or during a mitigation. communicated prior or during a mitigation.
When two telemetry requests overlap, "overlapped" lower numeric
'tsid' (or 'tmid')" refers to the lower 'tsid' (or 'tmid') value of
these overlapping requests.
The meaning of the symbols in YANG tree diagrams are defined in The meaning of the symbols in YANG tree diagrams are defined in
[RFC8340] and [RFC8791]. [RFC8340] and [RFC8791].
3. DOTS Telemetry: Overview and Purpose 3. DOTS Telemetry: Overview and Purpose
Timely and effective signaling of up-to-date DDoS telemetry to all Timely and effective signaling of up-to-date DDoS telemetry to all
elements involved in the mitigation process is essential and improves elements involved in the mitigation process is essential and improves
the overall DDoS mitigation service effectiveness. Bi-directional the overall DDoS mitigation service effectiveness. Bi-directional
feedback between DOTS agents is required for an increased awareness feedback between DOTS agents is required for an increased awareness
of each party, supporting superior and highly efficient attack of each party, supporting superior and highly efficient attack
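Review bot: the quotation marks in the newly added terminology paragraph are unbalanced. As written, `"overlapped" lower numeric 'tsid' (or 'tmid')"` opens a double quote before "overlapped", closes it after that single word, and leaves a stray closing quote after `'tmid')`. The term being defined is the whole phrase, so suggest: `"overlapped lower numeric 'tsid' (or 'tmid')" refers to the lower 'tsid' (or 'tmid') value of these overlapping requests.` Two further nits in the same block: in the 'tmid' definition, "communicated prior or during a mitigation" should be "communicated prior to or during a mitigation", and "The meaning of the symbols in YANG tree diagrams are defined" should be "is defined".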
skipping to change at page 9, line 42 skipping to change at page 10, line 4
other mechanisms to ensure it does not allow the DOTS client domain's other mechanisms to ensure it does not allow the DOTS client domain's
pipes to be saturated unintentionally. The rate-limit action defined pipes to be saturated unintentionally. The rate-limit action defined
in [RFC8783] is a reasonable candidate to achieve this objective; the in [RFC8783] is a reasonable candidate to achieve this objective; the
DOTS client can ask for the type(s) of traffic (such as ICMP, UDP, DOTS client can ask for the type(s) of traffic (such as ICMP, UDP,
TCP port number 80) it prefers to limit. The rate-limit action can TCP port number 80) it prefers to limit. The rate-limit action can
be controlled via the signal channel be controlled via the signal channel
[I-D.ietf-dots-signal-filter-control] even when the pipe is [I-D.ietf-dots-signal-filter-control] even when the pipe is
overwhelmed. overwhelmed.
4. Design Overview 4. Design Overview
4.1. Overview of Telemetry Operations 4.1. Overview of Telemetry Operations
This document specifies an extension to the DOTS signal channel This document specifies an extension to the DOTS signal channel
protocol. Considerations about how to establish, maintain, and make protocol. Considerations about how to establish, maintain, and make
use of the DOTS signal channel are specified in use of the DOTS signal channel are specified in
[I-D.ietf-dots-rfc8782-bis]. [I-D.ietf-dots-rfc8782-bis].
Once the DOTS signal channel is established, DOTS clients that Once the DOTS signal channel is established, DOTS clients that
support the DOTS telemetry extension proceed with the telemetry setup support the DOTS telemetry extension proceed with the telemetry setup
configuration (e.g., measurement interval, telemetry notification configuration (e.g., measurement interval, telemetry notification
interface, pipe capacity, normal traffic baseline) as detailed in interface, pipe capacity, normal traffic baseline) as detailed in
Section 6. DOTS agents can then include DOTS telemetry attributes Section 6. DOTS agents can then include DOTS telemetry attributes
using the DOTS signal channel (Section 7.1). Typically, a DOTS using the DOTS signal channel (Section 7.1). A DOTS client can use
client can use separate messages to share with its DOTS server(s) a separate messages to share with its DOTS server(s) a set of telemetry
set of telemetry data bound to an ongoing mitigation (Section 7.2). data bound to an ongoing mitigation (Section 7.2). Also, a DOTS
Also, a DOTS client that is interested to receive telemetry client that is interested to receive telemetry notifications related
notifications related to some of its resources follows the procedure to some of its resources follows the procedure defined in
defined in Section 7.3. The DOTS client can then decide to send a Section 7.3. The DOTS client can then decide to send a mitigation
mitigation request if the notified attack cannot be mitigated locally request if the notified attack cannot be mitigated locally within the
within the DOTS client domain. DOTS client domain.
Aggregate DOTS telemetry data can also be included in efficacy update Aggregate DOTS telemetry data can also be included in efficacy update
(Section 8.1) or mitigation update (Section 8.2) messages. (Section 8.1) or mitigation update (Section 8.2) messages.
4.2. Generic Considerations 4.2. Generic Considerations
4.2.1. DOTS Client Identification 4.2.1. DOTS Client Identification
Following the rules in Section 4.4.1 of [I-D.ietf-dots-rfc8782-bis], Following the rules in Section 4.4.1 of [I-D.ietf-dots-rfc8782-bis],
a unique identifier is generated by a DOTS client to prevent request a unique identifier is generated by a DOTS client to prevent request
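Review bot: "a DOTS client that is interested to receive telemetry notifications" should be "interested in receiving telemetry notifications"; the same construction appears again in the telemetry configuration text ("interested to receive pre or ongoing mitigation telemetry") and should be corrected there as well. The removal of "Typically," here is consistent with the matching edit in the Introduction; no other concern with this hunk.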
skipping to change at page 11, line 48 skipping to change at page 12, line 13
network. network.
Considerations related to whether (and how) a DOTS client gleans some Considerations related to whether (and how) a DOTS client gleans some
telemetry information (e.g., attack details) it receives from a first telemetry information (e.g., attack details) it receives from a first
DOTS server and share it with a second DOTS server are implementation DOTS server and share it with a second DOTS server are implementation
and deployment specific. and deployment specific.
4.5. YANG Considerations 4.5. YANG Considerations
Telemetry messages exchanged between DOTS agents are serialized using Telemetry messages exchanged between DOTS agents are serialized using
Concise Binary Object Representation (CBOR) [RFC7049]. CBOR-encoded Concise Binary Object Representation (CBOR) [RFC8949]. CBOR-encoded
payloads are used to carry signal channel specific payload messages payloads are used to carry signal channel specific payload messages
which convey request parameters and response information such as which convey request parameters and response information such as
errors. errors.
This document specifies a YANG module [RFC7950] for representing DOTS This document specifies a YANG module [RFC7950] for representing DOTS
telemetry message types (Section 10.1). All parameters in the telemetry message types (Section 10.1). All parameters in the
payload of the DOTS signal channel are mapped to CBOR types as payload of the DOTS signal channel are mapped to CBOR types as
specified in Section 11. specified in Section 11. As a reminder, Section 3 of
[I-D.ietf-dots-rfc8782-bis] defines the rules for mapping YANG-
modeled data to CBOR.
The DOTS telemetry module (Section 10.1) is not intended to be used The DOTS telemetry module (Section 10.1) is not intended to be used
via NETCONF/RESTCONF for DOTS server management purposes. It serves via NETCONF/RESTCONF for DOTS server management purposes. It serves
only to provide a data model and encoding following [RFC8791]. only to provide a data model and encoding following [RFC8791].
Server deviations are strongly discouraged as the peer DOTS agent
does not have means to retrieve the list of deviations and that
interoperability issues are likely to be encountered.
The DOTS telemetry module (Section 10.1) uses "enumerations" rather The DOTS telemetry module (Section 10.1) uses "enumerations" rather
than "identities" to define units, samples, and intervals because than "identities" to define units, samples, and intervals because
otherwise the namespace identifier "ietf-dots-telemetry" must be otherwise the namespace identifier "ietf-dots-telemetry" must be
included when a telemetry attribute is included (e.g., in a included when a telemetry attribute is included (e.g., in a
mitigation efficacy update). The use of "identities" is thus mitigation efficacy update). The use of "identities" is thus
suboptimal from a message compactness standpoint. suboptimal from a message compactness standpoint; one of the key
requirements for DOTS messages.
The DOTS telemetry module (Section 10.1) includes some lists for
which no key statement is included. This behavior is compliant with
[RFC8791]. The reason for not including these keys is because they
are not included in the request message body but as mandatory Uri-
Paths in requests (Sections 6 and 7). Otherwise, whenever a key
statement is used in the module, the same definition as in
Section 7.8.2 of [RFC7950] is assumed.
In order to optimize the data exchanged over the DOTS signal channel,
the document specifies a second YANG module ("ietf-dots-mapping",
Section 10.2) that augments the DOTS data channel [RFC8783]. This
augmentation can be used during idle time to share the attack mapping
details (Section 7.1.5). DOTS clients can use tools, e.g., YANG
Library [RFC8525], to retrieve the list of features and deviations
supported by the DOTS server.
4.6. A Note About Examples 4.6. A Note About Examples
Examples are provided for illustration purposes. The document does Examples are provided for illustration purposes. The document does
not aim to provide a comprehensive list of message examples. not aim to provide a comprehensive list of message examples.
The authoritative reference for validating telemetry messages is the The authoritative reference for validating telemetry messages
YANG module (Section 10.1) and the mapping table established in exchanged over the DOTS signal channel are sections 6, 7, and 8
Section 11. together with the mapping table established in Section 11. The
structure of telemetry message bodies is represented as a YANG data
structure (Section 10.1).
5. Telemetry Operation Paths 5. Telemetry Operation Paths
As discussed in Section 4.2 of [I-D.ietf-dots-rfc8782-bis], each DOTS As discussed in Section 4.2 of [I-D.ietf-dots-rfc8782-bis], each DOTS
operation is indicated by a path suffix that indicates the intended operation is indicated by a path suffix that indicates the intended
operation. The operation path is appended to the path prefix to form operation. The operation path is appended to the path prefix to form
the URI used with a CoAP request to perform the desired DOTS the URI used with a CoAP request to perform the desired DOTS
operation. The following telemetry path suffixes are defined operation. The following telemetry path suffixes are defined
(Table 1): (Table 1):
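Review bot: the new sentence on deviations is ungrammatical and slightly ambiguous: "Server deviations are strongly discouraged as the peer DOTS agent does not have means to retrieve the list of deviations and that interoperability issues are likely to be encountered." Suggest "... does not have a means to retrieve the list of deviations, so interoperability issues are likely to be encountered." Since the new paragraph at the end of this section says DOTS clients can use YANG Library [RFC8525] to retrieve the features and deviations supported by the DOTS server (for the "ietf-dots-mapping" augmentation of the data channel), it would help to state explicitly that the deviation restriction applies to the signal channel telemetry module, which the preceding sentence already says is not exposed via NETCONF/RESTCONF; otherwise the two statements read as contradictory. Smaller nits in the touched text: "suboptimal from a message compactness standpoint; one of the key requirements for DOTS messages" needs a comma rather than a semicolon; "The reason for not including these keys is because" → "is that"; "a DOTS client gleans some telemetry information ... and share it with a second DOTS server" → "shares it"; and "The authoritative reference for validating telemetry messages ... are sections 6, 7, and 8" needs agreement and RFC-style capitalization: "The authoritative references ... are Sections 6, 7, and 8". The change of the CBOR citation from [RFC7049] to [RFC8949] is correct (RFC 8949 obsoletes RFC 7049); check that the normative references section was updated in step.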
skipping to change at page 15, line 30 skipping to change at page 16, line 27
| | | +-- high-percentile? percentile | | | +-- high-percentile? percentile
| | | +-- server-originated-telemetry? boolean | | | +-- server-originated-telemetry? boolean
| | | +-- telemetry-notify-interval? uint32 | | | +-- telemetry-notify-interval? uint32
| | +-- min-config-values | | +-- min-config-values
| | | +-- measurement-interval? interval | | | +-- measurement-interval? interval
| | | +-- measurement-sample? sample | | | +-- measurement-sample? sample
| | | +-- low-percentile? percentile | | | +-- low-percentile? percentile
| | | +-- mid-percentile? percentile | | | +-- mid-percentile? percentile
| | | +-- high-percentile? percentile | | | +-- high-percentile? percentile
| | | +-- telemetry-notify-interval? uint32 | | | +-- telemetry-notify-interval? uint32
| | +-- supported-units | | +-- supported-unit-classes
| | | +-- unit-config* [unit] | | | +-- unit-config* [unit]
| | | +-- unit unit-type | | | +-- unit unit-class
| | | +-- unit-status boolean | | | +-- unit-status boolean
| | +-- query-type* query-type | | +-- query-type* query-type
| +-- telemetry* [] | +-- telemetry* []
| +-- (direction)? | +-- (direction)?
| | +--:(server-to-client-only) | | +--:(server-to-client-only)
| | +-- tsid? uint32 | | +-- tsid? uint32
| +-- (setup-type)? | +-- (setup-type)?
| +--:(telemetry-config) | +--:(telemetry-config)
| | +-- current-config | | +-- current-config
| | +-- measurement-interval? interval | | +-- measurement-interval? interval
| | +-- measurement-sample? sample | | +-- measurement-sample? sample
| | +-- low-percentile? percentile | | +-- low-percentile? percentile
| | +-- mid-percentile? percentile | | +-- mid-percentile? percentile
| | +-- high-percentile? percentile | | +-- high-percentile? percentile
| | +-- unit-config* [unit] | | +-- unit-config* [unit]
| | | +-- unit unit-type | | | +-- unit unit-class
| | | +-- unit-status boolean | | | +-- unit-status boolean
| | +-- server-originated-telemetry? boolean | | +-- server-originated-telemetry? boolean
| | +-- telemetry-notify-interval? uint32 | | +-- telemetry-notify-interval? uint32
| +--:(pipe) | +--:(pipe)
| | ... | | ...
| +--:(baseline) | +--:(baseline)
| ... | ...
+--:(telemetry) +--:(telemetry)
... ...
skipping to change at page 19, line 5 skipping to change at page 19, line 47
"mid-percentile": "0.00", "mid-percentile": "0.00",
"high-percentile": "95.00" "high-percentile": "95.00"
} }
} }
] ]
} }
} }
Figure 5: PUT to Disable Low- and Mid-Percentiles Figure 5: PUT to Disable Low- and Mid-Percentiles
DOTS clients can also configure the unit type(s) to be used for DOTS clients can also configure the unit class(es) to be used for
traffic-related telemetry data. Typically, the supported unit types traffic-related telemetry data among the following supported unit
are: packets per second, bits per second, and bytes per second. classes: packets per second, bits per second, and bytes per second.
DOTS clients that are interested to receive pre or ongoing mitigation DOTS clients that are interested to receive pre or ongoing mitigation
telemetry (pre-or-ongoing-mitigation) information from a DOTS server telemetry (pre-or-ongoing-mitigation) information from a DOTS server
(Section 8.2) MUST set 'server-originated-telemetry' to 'true'. If (Section 8.2) MUST set 'server-originated-telemetry' to 'true'. If
'server-originated-telemetry' is not present in a PUT request, this 'server-originated-telemetry' is not present in a PUT request, this
is equivalent to receiving a request with 'server-originated- is equivalent to receiving a request with 'server-originated-
telemetry' set to 'false'. An example of a request to enable pre-or- telemetry' set to 'false'. An example of a request to enable pre-or-
ongoing-mitigation telemetry from DOTS servers is shown in Figure 6. ongoing-mitigation telemetry from DOTS servers is shown in Figure 6.
Header: PUT (Code=0.03) Header: PUT (Code=0.03)
skipping to change at page 21, line 34 skipping to change at page 22, line 34
... ...
Figure 9: Pipe Tree Structure Figure 9: Pipe Tree Structure
A DOTS client domain pipe is defined as a list of limits of A DOTS client domain pipe is defined as a list of limits of
(incoming) traffic volume ('total-pipe-capacity') that can be (incoming) traffic volume ('total-pipe-capacity') that can be
forwarded over ingress interconnection links of a DOTS client domain. forwarded over ingress interconnection links of a DOTS client domain.
Each of these links is identified with a 'link-id' [RFC8345]. Each of these links is identified with a 'link-id' [RFC8345].
The unit used by a DOTS client when conveying pipe information is The unit used by a DOTS client when conveying pipe information is
captured in 'unit' attribute. captured in 'unit' attribute. The DOTS client MUST auto-scale so
that the appropriate unit is used.
6.2.1. Convey DOTS Client Domain Pipe Capacity 6.2.1. Convey DOTS Client Domain Pipe Capacity
Similar considerations to those specified in Section 6.1.2 are Similar considerations to those specified in Section 6.1.2 are
followed with one exception: followed with one exception:
The relative order of two PUT requests carrying DOTS client domain The relative order of two PUT requests carrying DOTS client domain
pipe attributes from a DOTS client is determined by comparing pipe attributes from a DOTS client is determined by comparing
their respective 'tsid' values. If two such requests have their respective 'tsid' values. If two such requests have
overlapping 'link-id' and 'unit', the PUT request with higher overlapping 'link-id' and 'unit', the PUT request with higher
numeric 'tsid' value will override the request with a lower numeric 'tsid' value will override the request with a lower
numeric 'tsid' value. The overlapped lower numeric 'tsid' MUST be numeric 'tsid' value. The overlapped lower numeric 'tsid' MUST be
automatically deleted and no longer be available. automatically deleted and no longer be available.
DOTS clients SHOULD minimize the number of active 'tsids' used for DOTS clients SHOULD minimize the number of active 'tsids' used for
pipe information. Typically, in order to avoid maintaining a long pipe information. In order to avoid maintaining a long list of
list of 'tsids' for pipe information, it is RECOMMENDED that DOTS 'tsids' for pipe information, it is RECOMMENDED that DOTS clients
clients include in any request to update information related to a include in any request to update information related to a given link
given link the information of other links (already communicated using the information of other links (already communicated using a lower
a lower 'tsid' value). Doing so, this update request will override 'tsid' value). Doing so, this update request will override these
these existing requests and hence optimize the number of 'tsid' existing requests and hence optimize the number of 'tsid' request per
request per DOTS client. DOTS client.
o Note: This assumes that all link information can fit in one single o Note: This assumes that all link information can fit in one single
message. message.
For example, a DOTS client managing a single-homed domain (Figure 10) For example, a DOTS client managing a single-homed domain (Figure 10)
can send a PUT request (shown in Figure 11) to communicate the can send a PUT request (shown in Figure 11) to communicate the
capacity of "link1" used to connect to its ISP. capacity of "link1" used to connect to its ISP.
,--,--,--. ,--,--,--. ,--,--,--. ,--,--,--.
,-' `-. ,-' `-. ,-' `-. ,-' `-.
skipping to change at page 27, line 38 skipping to change at page 28, line 38
The traffic normal per protocol ('total-traffic-normal-per- The traffic normal per protocol ('total-traffic-normal-per-
protocol') baseline is represented for a target and is transport- protocol') baseline is represented for a target and is transport-
protocol specific. protocol specific.
The traffic normal per port number ('total-traffic-normal-per- The traffic normal per port number ('total-traffic-normal-per-
port') baseline is represented for each port number bound to a port') baseline is represented for each port number bound to a
target. target.
If the DOTS client negotiated percentile values and units If the DOTS client negotiated percentile values and units
(Section 6.1), these negotiated values will be used instead of the (Section 6.1), these negotiated parameters will be used instead of
default ones. the default ones. For each used unit class, the DOTS client MUST
auto-scale so that the appropriate unit is used.
Total connections capacity: If the target is subjected to resource Total connections capacity: If the target is subjected to resource
consuming DDoS attacks, the following optional attributes for the consuming DDoS attacks, the following optional attributes for the
target per transport protocol are useful to detect resource target per transport protocol are useful to detect resource
consuming DDoS attacks: consuming DDoS attacks:
* The maximum number of simultaneous connections that are allowed * The maximum number of simultaneous connections that are allowed
to the target. to the target.
* The maximum number of simultaneous connections that are allowed * The maximum number of simultaneous connections that are allowed
skipping to change at page 30, line 46 skipping to change at page 31, line 46
The overlapped lower numeric 'tsid' MUST be automatically deleted The overlapped lower numeric 'tsid' MUST be automatically deleted
and no longer be available. and no longer be available.
Two PUT requests from a DOTS client have overlapping targets if there Two PUT requests from a DOTS client have overlapping targets if there
is a common IP address, IP prefix, FQDN, URI, or alias-name. Also, is a common IP address, IP prefix, FQDN, URI, or alias-name. Also,
two PUT requests from a DOTS client have overlapping targets if the two PUT requests from a DOTS client have overlapping targets if the
addresses associated with the FQDN, URI, or alias are overlapping addresses associated with the FQDN, URI, or alias are overlapping
with each other or with 'target-prefix'. with each other or with 'target-prefix'.
DOTS clients SHOULD minimize the number of active 'tsids' used for DOTS clients SHOULD minimize the number of active 'tsids' used for
baseline information. Typically, in order to avoid maintaining a baseline information. In order to avoid maintaining a long list of
long list of 'tsids' for baseline information, it is RECOMMENDED that 'tsids' for baseline information, it is RECOMMENDED that DOTS clients
DOTS clients include in a request to update information related to a include in a request to update information related to a given target,
given target, the information of other targets (already communicated the information of other targets (already communicated using a lower
using a lower 'tsid' value) (assuming this fits within one single 'tsid' value) (assuming this fits within one single datagram). This
datagram). This update request will override these existing requests update request will override these existing requests and hence
and hence optimize the number of 'tsid' request per DOTS client. optimize the number of 'tsid' request per DOTS client.
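Added example (Python, not code from the draft): a server-side model of the 'tsid' ordering rule for both pipe information (overlap on 'link-id' and 'unit', Section 6.2.1 above) and baseline information (overlap on a common or overlapping 'target-prefix' or a common 'alias-name', the paragraphs just above), including the recommended "resend the other links/targets with the update" pattern that leaves a single active 'tsid'. Unit strings such as "megabit-ps", the class and helper names, and the symmetric treatment of a lower 'tsid' arriving after a higher overlapping one are assumptions; FQDN/URI overlap, which needs address resolution, is left out.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class PipeLink:
    """One entry of the DOTS client domain pipe list: 'link-id', 'unit' and
    'total-pipe-capacity'. Unit strings are assumed labels in this example."""
    link_id: str
    unit: str
    capacity: int


@dataclass(frozen=True)
class BaselineTarget:
    """A baseline target reduced to its 'target-prefix' and 'alias-name'
    values; FQDN/URI targets would need resolution and are left out."""
    prefixes: tuple = ()
    aliases: tuple = ()


def pipes_overlap(a: PipeLink, b: PipeLink) -> bool:
    """Pipe requests overlap when both 'link-id' and 'unit' coincide."""
    return a.link_id == b.link_id and a.unit == b.unit


def baselines_overlap(a: BaselineTarget, b: BaselineTarget) -> bool:
    """Baseline requests overlap on a common 'alias-name' or on any pair of
    'target-prefix' values sharing addresses. ipaddress.overlaps() is False
    for an IPv4/IPv6 pair, so mixed-version prefixes never count."""
    if set(a.aliases) & set(b.aliases):
        return True
    nets_a = [ipaddress.ip_network(p, strict=False) for p in a.prefixes]
    nets_b = [ipaddress.ip_network(p, strict=False) for p in b.prefixes]
    return any(x.overlaps(y) for x in nets_a for y in nets_b)


class TelemetrySetupStore:
    """Telemetry setup state a DOTS server keeps for one DOTS client ('cuid')."""

    def __init__(self):
        self.pipe_requests = {}      # tsid -> list[PipeLink]
        self.baseline_requests = {}  # tsid -> list[BaselineTarget]

    @staticmethod
    def _apply(table, tsid, items, overlap):
        """Store the PUT under its 'tsid', then enforce the ordering rule: of
        two overlapping requests the higher 'tsid' wins and the lower one is
        deleted. Applied whichever of the two arrived first (assumption; the
        text spells out only the case where the higher 'tsid' arrives later).
        Returns True when the new request is still present afterwards."""
        table[tsid] = list(items)  # a PUT to an existing tsid replaces it
        for other in sorted(t for t in table if t != tsid):
            if any(overlap(x, y) for x in items for y in table[other]):
                loser = min(tsid, other)
                del table[loser]
                if loser == tsid:
                    break  # the new request itself was overridden
        return tsid in table

    def put_pipe(self, tsid: int, links) -> bool:
        return self._apply(self.pipe_requests, tsid, links, pipes_overlap)

    def put_baseline(self, tsid: int, targets) -> bool:
        return self._apply(self.baseline_requests, tsid, targets,
                           baselines_overlap)

    def pipe_capacity(self):
        """Effective 'total-pipe-capacity' per (link-id, unit) after overrides."""
        return {(link.link_id, link.unit): link.capacity
                for tsid in sorted(self.pipe_requests)
                for link in self.pipe_requests[tsid]}


if __name__ == "__main__":
    store = TelemetrySetupStore()
    store.put_pipe(1, [PipeLink("link1", "megabit-ps", 500)])
    store.put_pipe(2, [PipeLink("link2", "megabit-ps", 300)])
    # The recommended update: resend link2 alongside the changed link1 so
    # one tsid replaces both earlier ones and only tsid 3 stays active.
    store.put_pipe(3, [PipeLink("link1", "megabit-ps", 1000),
                       PipeLink("link2", "megabit-ps", 300)])
    print(sorted(store.pipe_requests), store.pipe_capacity())
```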
If no target clause is included in the request, this is an indication If no target attribute is included in the request, this is an
that the baseline information applies for the DOTS client domain as a indication that the baseline information applies for the DOTS client
whole. domain as a whole.
An example of a PUT request to convey the baseline information is An example of a PUT request to convey the baseline information is
shown in Figure 19. shown in Figure 19.
Header: PUT (Code=0.03) Header: PUT (Code=0.03)
Uri-Path: ".well-known" Uri-Path: ".well-known"
Uri-Path: "dots" Uri-Path: "dots"
Uri-Path: "tm-setup" Uri-Path: "tm-setup"
Uri-Path: "cuid=dz6pHjaADkaFTbjr0JGBpw" Uri-Path: "cuid=dz6pHjaADkaFTbjr0JGBpw"
Uri-Path: "tsid=126" Uri-Path: "tsid=126"
skipping to change at page 34, line 28 skipping to change at page 35, line 28
The pre-or-ongoing-mitigation telemetry attributes are indicated by The pre-or-ongoing-mitigation telemetry attributes are indicated by
the path suffix '/tm'. The '/tm' is appended to the path prefix to the path suffix '/tm'. The '/tm' is appended to the path prefix to
form the URI used with a CoAP request to signal the DOTS telemetry. form the URI used with a CoAP request to signal the DOTS telemetry.
Pre-or-ongoing-mitigation telemetry attributes specified in Pre-or-ongoing-mitigation telemetry attributes specified in
Section 7.1 can be signaled between DOTS agents. Section 7.1 can be signaled between DOTS agents.
Pre-or-ongoing-mitigation telemetry attributes may be sent by a DOTS Pre-or-ongoing-mitigation telemetry attributes may be sent by a DOTS
client or a DOTS server. client or a DOTS server.
DOTS agents SHOULD bind pre-or-ongoing-mitigation telemetry data with DOTS agents SHOULD bind pre-or-ongoing-mitigation telemetry data with
mitigation requests relying upon the target clause. In particular, a mitigation requests relying upon the target attribute. In
telemetry PUT request sent after a mitigation request may include a particular, a telemetry PUT request sent after a mitigation request
reference to that mitigation request ('mid-list') as shown in may include a reference to that mitigation request ('mid-list') as
Figure 22. An example illustrating requests correlation by means of shown in Figure 22. An example illustrating requests correlation by
'target-prefix' is shown in Figure 23. means of 'target-prefix' is shown in Figure 23.
When generating telemetry data to send to a peer, the DOTS agent MUST When generating telemetry data to send to a peer, the DOTS agent MUST
auto-scale so that appropriate unit(s) are used. auto-scale so that appropriate unit(s) are used.
+-----------+ +-----------+ +-----------+ +-----------+
|DOTS client| |DOTS server| |DOTS client| |DOTS server|
+-----------+ +-----------+ +-----------+ +-----------+
| | | |
|=========Mitigation Request (mid)=====================>| |=========Mitigation Request (mid)=====================>|
| | | |
skipping to change at page 38, line 17 skipping to change at page 39, line 17
target definition. target definition.
If the target is subjected to bandwidth consuming attack, the If the target is subjected to bandwidth consuming attack, the
attributes representing the percentile values of the 'attack-id' attributes representing the percentile values of the 'attack-id'
attack traffic are included. attack traffic are included.
If the target is subjected to resource consuming DDoS attacks, the If the target is subjected to resource consuming DDoS attacks, the
same attributes defined for Section 7.1.4 are applicable for same attributes defined for Section 7.1.4 are applicable for
representing the attack. representing the attack.
This is an optional subattribute. This is an optional attribute.
7.1.2. Total Traffic 7.1.2. Total Traffic
The 'total-traffic' attribute (Figure 26) conveys the percentile The 'total-traffic' attribute (Figure 26) conveys the percentile
values of total traffic observed during a DDoS attack. More granular values (including peak and current observed values) of total traffic
total traffic can be conveyed in 'total-traffic-protocol' and 'total- observed during a DDoS attack. More granular total traffic can be
traffic-port'. conveyed in 'total-traffic-protocol' and 'total-traffic-port'.
The 'total-traffic-protocol' represents the total traffic for a The 'total-traffic-protocol' represents the total traffic for a
target and is transport-protocol specific. target and is transport-protocol specific.
The 'total-traffic-port' represents the total traffic for a target The 'total-traffic-port' represents the total traffic for a target
per port number. per port number.
+--:(telemetry) +--:(telemetry)
+-- pre-or-ongoing-mitigation* [] +-- pre-or-ongoing-mitigation* []
+-- (direction)? +-- (direction)?
| +--:(server-to-client-only) | +--:(server-to-client-only)
| +-- tmid? uint32 | +-- tmid? uint32
+-- target +-- target
| ... | ...
+-- total-traffic* [unit] +-- total-traffic* [unit]
| +-- unit unit | +-- unit unit
| +-- low-percentile-g? yang:gauge64 | +-- low-percentile-g? yang:gauge64
| +-- mid-percentile-g? yang:gauge64 | +-- mid-percentile-g? yang:gauge64
| +-- high-percentile-g? yang:gauge64 | +-- high-percentile-g? yang:gauge64
| +-- peak-g? yang:gauge64 | +-- peak-g? yang:gauge64
| +-- current-g? yang:gauge64
+-- total-traffic-protocol* [unit protocol] +-- total-traffic-protocol* [unit protocol]
| +-- protocol uint8 | +-- protocol uint8
| +-- unit unit | +-- unit unit
| +-- low-percentile-g? yang:gauge64 | +-- low-percentile-g? yang:gauge64
| +-- mid-percentile-g? yang:gauge64 | +-- mid-percentile-g? yang:gauge64
| +-- high-percentile-g? yang:gauge64 | +-- high-percentile-g? yang:gauge64
| +-- peak-g? yang:gauge64 | +-- peak-g? yang:gauge64
| +-- current-g? yang:gauge64
+-- total-traffic-port* [unit port] +-- total-traffic-port* [unit port]
| +-- port inet:port-number | +-- port inet:port-number
| +-- unit unit | +-- unit unit
| +-- low-percentile-g? yang:gauge64 | +-- low-percentile-g? yang:gauge64
| +-- mid-percentile-g? yang:gauge64 | +-- mid-percentile-g? yang:gauge64
| +-- high-percentile-g? yang:gauge64 | +-- high-percentile-g? yang:gauge64
| +-- peak-g? yang:gauge64 | +-- peak-g? yang:gauge64
| +-- current-g? yang:gauge64
+-- total-attack-traffic* [unit] +-- total-attack-traffic* [unit]
| ... | ...
+-- total-attack-traffic-protocol* [unit protocol] +-- total-attack-traffic-protocol* [unit protocol]
| ... | ...
+-- total-attack-traffic-port* [unit port] +-- total-attack-traffic-port* [unit port]
| ... | ...
+-- total-attack-connection +-- total-attack-connection
| ... | ...
+-- total-attack-connection-port +-- total-attack-connection-port
| ... | ...
skipping to change at page 41, line 25 skipping to change at page 42, line 25
| ... | ...
+-- total-traffic-port* [unit port] +-- total-traffic-port* [unit port]
| ... | ...
+-- total-attack-traffic* [unit] +-- total-attack-traffic* [unit]
| +-- protocol? uint8 | +-- protocol? uint8
| +-- unit unit | +-- unit unit
| +-- low-percentile-g? yang:gauge64 | +-- low-percentile-g? yang:gauge64
| +-- mid-percentile-g? yang:gauge64 | +-- mid-percentile-g? yang:gauge64
| +-- high-percentile-g? yang:gauge64 | +-- high-percentile-g? yang:gauge64
| +-- peak-g? yang:gauge64 | +-- peak-g? yang:gauge64
| +-- current-g? yang:gauge64
+-- total-attack-traffic-protocol* [unit protocol] +-- total-attack-traffic-protocol* [unit protocol]
| +-- protocol uint8 | +-- protocol uint8
| +-- unit unit | +-- unit unit
| +-- low-percentile-g? yang:gauge64 | +-- low-percentile-g? yang:gauge64
| +-- mid-percentile-g? yang:gauge64 | +-- mid-percentile-g? yang:gauge64
| +-- high-percentile-g? yang:gauge64 | +-- high-percentile-g? yang:gauge64
| +-- peak-g? yang:gauge64 | +-- peak-g? yang:gauge64
| +-- current-g? yang:gauge64
+-- total-attack-traffic-port* [unit port] +-- total-attack-traffic-port* [unit port]
| +-- port inet:port-number | +-- port inet:port-number
| +-- unit unit | +-- unit unit
| +-- low-percentile-g? yang:gauge64 | +-- low-percentile-g? yang:gauge64
| +-- mid-percentile-g? yang:gauge64 | +-- mid-percentile-g? yang:gauge64
| +-- high-percentile-g? yang:gauge64 | +-- high-percentile-g? yang:gauge64
| +-- peak-g? yang:gauge64 | +-- peak-g? yang:gauge64
| +-- current-g? yang:gauge64
+-- total-attack-connection +-- total-attack-connection
| ... | ...
+-- total-attack-connection-port +-- total-attack-connection-port
| ... | ...
+-- attack-detail* [vendor-id attack-id] +-- attack-detail* [vendor-id attack-id]
... ...
Figure 27: Total Attack Traffic Tree Structure Figure 27: Total Attack Traffic Tree Structure
7.1.4. Total Attack Connections 7.1.4. Total Attack Connections
If the target is subjected to resource consuming DDoS attack, the If the target is subjected to resource consuming DDoS attack, the
'total-attack-connection' attribute is used to convey the percentile 'total-attack-connection' attribute is used to convey the percentile
values of total attack connections. The following optional values (including peak and current observed values) of total attack
subattributes for the target per transport protocol are included to connections. The following optional subattributes for the target per
represent the attack characteristics: transport protocol are included to represent the attack
characteristics:
o The number of simultaneous attack connections to the target. o The number of simultaneous attack connections to the target.
o The number of simultaneous embryonic connections to the target. o The number of simultaneous embryonic connections to the target.
o The number of attack connections per second to the target. o The number of attack connections per second to the target.
o The number of attack requests to the target. o The number of attack requests to the target.
The total attack connections per port number is represented using The total attack connections per port number is represented using
'total-attack-connection-port' attribute. 'total-attack-connection-port' attribute.
+--:(telemetry) +--:(telemetry)
skipping to change at page 43, line 9 skipping to change at page 44, line 15
| | +-- request-ps? yang:gauge64 | | +-- request-ps? yang:gauge64
| | +-- partial-request-ps? yang:gauge64 | | +-- partial-request-ps? yang:gauge64
| +-- high-percentile-l* [protocol] | +-- high-percentile-l* [protocol]
| | +-- protocol uint8 | | +-- protocol uint8
| | +-- connection? yang:gauge64 | | +-- connection? yang:gauge64
| | +-- embryonic? yang:gauge64 | | +-- embryonic? yang:gauge64
| | +-- connection-ps? yang:gauge64 | | +-- connection-ps? yang:gauge64
| | +-- request-ps? yang:gauge64 | | +-- request-ps? yang:gauge64
| | +-- partial-request-ps? yang:gauge64 | | +-- partial-request-ps? yang:gauge64
| +-- peak-l* [protocol] | +-- peak-l* [protocol]
| | +-- protocol uint8
| | +-- connection? yang:gauge64
| | +-- embryonic? yang:gauge64
| | +-- connection-ps? yang:gauge64
| | +-- request-ps? yang:gauge64
| | +-- partial-request-ps? yang:gauge64
| +-- current-l* [protocol]
| +-- protocol uint8 | +-- protocol uint8
| +-- connection? yang:gauge64 | +-- connection? yang:gauge64
| +-- embryonic? yang:gauge64 | +-- embryonic? yang:gauge64
| +-- connection-ps? yang:gauge64 | +-- connection-ps? yang:gauge64
| +-- request-ps? yang:gauge64 | +-- request-ps? yang:gauge64
| +-- partial-request-ps? yang:gauge64 | +-- partial-request-ps? yang:gauge64
+-- total-attack-connection-port +-- total-attack-connection-port
| +-- low-percentile-l* [protocol port] | +-- low-percentile-l* [protocol port]
| | +-- port inet:port-number | | +-- port inet:port-number
| | +-- protocol uint8 | | +-- protocol uint8
skipping to change at page 43, line 41 skipping to change at page 45, line 6
| | +-- partial-request-ps? yang:gauge64 | | +-- partial-request-ps? yang:gauge64
| +-- high-percentile-l* [protocol port] | +-- high-percentile-l* [protocol port]
| | +-- port inet:port-number | | +-- port inet:port-number
| | +-- protocol uint8 | | +-- protocol uint8
| | +-- connection? yang:gauge64 | | +-- connection? yang:gauge64
| | +-- embryonic? yang:gauge64 | | +-- embryonic? yang:gauge64
| | +-- connection-ps? yang:gauge64 | | +-- connection-ps? yang:gauge64
| | +-- request-ps? yang:gauge64 | | +-- request-ps? yang:gauge64
| | +-- partial-request-ps? yang:gauge64 | | +-- partial-request-ps? yang:gauge64
| +-- peak-l* [protocol port] | +-- peak-l* [protocol port]
| | +-- port inet:port-number
| | +-- protocol uint8
| | +-- connection? yang:gauge64
| | +-- embryonic? yang:gauge64
| | +-- connection-ps? yang:gauge64
| | +-- request-ps? yang:gauge64
| | +-- partial-request-ps? yang:gauge64
| +-- current-l* [protocol port]
| +-- port inet:port-number | +-- port inet:port-number
| +-- protocol uint8 | +-- protocol uint8
| +-- connection? yang:gauge64 | +-- connection? yang:gauge64
| +-- embryonic? yang:gauge64 | +-- embryonic? yang:gauge64
| +-- connection-ps? yang:gauge64 | +-- connection-ps? yang:gauge64
| +-- request-ps? yang:gauge64 | +-- request-ps? yang:gauge64
| +-- partial-request-ps? yang:gauge64 | +-- partial-request-ps? yang:gauge64
+-- attack-detail* [vendor-id attack-id] +-- attack-detail* [vendor-id attack-id]
... ...
skipping to change at page 44, line 30 skipping to change at page 46, line 4
an attack type. Textual representation of attacks solves two an attack type. Textual representation of attacks solves two
problems: (a) avoids the need to create mapping tables manually problems: (a) avoids the need to create mapping tables manually
between vendors and (b) avoids the need to standardize attack between vendors and (b) avoids the need to standardize attack
types which keep evolving. types which keep evolving.
attack-severity: Attack severity level. This attribute takes one of attack-severity: Attack severity level. This attribute takes one of
the values defined in Section 3.12.2 of [RFC7970]. the values defined in Section 3.12.2 of [RFC7970].
start-time: The time the attack started. The attack's start time is start-time: The time the attack started. The attack's start time is
expressed in seconds relative to 1970-01-01T00:00Z in UTC time expressed in seconds relative to 1970-01-01T00:00Z in UTC time
(Section 2.4.1 of [RFC7049]). The CBOR encoding is modified so (Section 3.4.2 of [RFC8949]). The CBOR encoding is modified so
that the leading tag 1 (epoch-based date/time) MUST be omitted. that the leading tag 1 (epoch-based date/time) MUST be omitted.
end-time: The time the attack ended. The attack end time is end-time: The time the attack ended. The attack end time is
expressed in seconds relative to 1970-01-01T00:00Z in UTC time expressed in seconds relative to 1970-01-01T00:00Z in UTC time
(Section 2.4.1 of [RFC7049]). The CBOR encoding is modified so (Section 3.4.2 of [RFC8949]). The CBOR encoding is modified so
that the leading tag 1 (epoch-based date/time) MUST be omitted. that the leading tag 1 (epoch-based date/time) MUST be omitted.
source-count: A count of sources involved in the attack targeting source-count: A count of sources involved in the attack targeting
the victim. the victim.
top-talkers: A list of top talkers among attack sources. The top top-talker: A list of top talkers among attack sources. The top
talkers are represented using the 'source-prefix'. talkers are represented using the 'source-prefix'.
'spoofed-status' indicates whether a top talker is a spoofed IP 'spoofed-status' indicates whether a top talker is a spoofed IP
address (e.g., reflection attacks) or not. address (e.g., reflection attacks) or not.
If the target is subjected to a bandwidth consuming attack, the If the target is subjected to a bandwidth consuming attack, the
attack traffic from each of the top talkers is included ('total- attack traffic from each of the top talkers is included ('total-
attack-traffic', Section 7.1.3). attack-traffic', Section 7.1.3).
If the target is subjected to a resource consuming DDoS attack, If the target is subjected to a resource consuming DDoS attack,
skipping to change at page 45, line 32 skipping to change at page 47, line 4
+-- total-attack-traffic* [unit] +-- total-attack-traffic* [unit]
| ... | ...
+-- total-attack-traffic-protocol* [unit protocol] +-- total-attack-traffic-protocol* [unit protocol]
| ... | ...
+-- total-attack-traffic-port* [unit port] +-- total-attack-traffic-port* [unit port]
| ... | ...
+-- total-attack-connection +-- total-attack-connection
| ... | ...
+-- total-attack-connection-port +-- total-attack-connection-port
| ... | ...
+-- attack-detail* [vendor-id attack-id] +-- attack-detail* [vendor-id attack-id]
+-- vendor-id uint32 +-- vendor-id uint32
+-- attack-id uint32 +-- attack-id uint32
+-- attack-description? string +-- attack-description? string
+-- attack-severity? attack-severity +-- attack-severity? attack-severity
+-- start-time? uint64 +-- start-time? uint64
+-- end-time? uint64 +-- end-time? uint64
+-- source-count +-- source-count
| +-- low-percentile-g? yang:gauge64 | +-- low-percentile-g? yang:gauge64
| +-- mid-percentile-g? yang:gauge64 | +-- mid-percentile-g? yang:gauge64
| +-- high-percentile-g? yang:gauge64 | +-- high-percentile-g? yang:gauge64
| +-- peak-g? yang:gauge64 | +-- peak-g? yang:gauge64
| +-- current-g? yang:gauge64
+-- top-talker +-- top-talker
+-- talker* [source-prefix] +-- talker* [source-prefix]
+-- spoofed-status? boolean +-- spoofed-status? boolean
+-- source-prefix inet:ip-prefix +-- source-prefix inet:ip-prefix
+-- source-port-range* [lower-port] +-- source-port-range* [lower-port]
| +-- lower-port inet:port-number | +-- lower-port inet:port-number
| +-- upper-port? inet:port-number | +-- upper-port? inet:port-number
+-- source-icmp-type-range* [lower-type] +-- source-icmp-type-range* [lower-type]
| +-- lower-type uint8 | +-- lower-type uint8
| +-- upper-type? uint8 | +-- upper-type? uint8
+-- total-attack-traffic* [unit] +-- total-attack-traffic* [unit]
| +-- unit unit | +-- unit unit
| +-- low-percentile-g? yang:gauge64 | +-- low-percentile-g? yang:gauge64
| +-- mid-percentile-g? yang:gauge64 | +-- mid-percentile-g? yang:gauge64
| +-- high-percentile-g? yang:gauge64 | +-- high-percentile-g? yang:gauge64
| +-- peak-g? yang:gauge64 | +-- peak-g? yang:gauge64
| +-- current-g? yang:gauge64
+-- total-attack-connection +-- total-attack-connection
+-- low-percentile-l* [protocol] +-- low-percentile-l* [protocol]
| +-- protocol uint8 | +-- protocol uint8
| +-- connection? yang:gauge64 | +-- connection? yang:gauge64
| +-- embryonic? yang:gauge64 | +-- embryonic? yang:gauge64
| +-- connection-ps? yang:gauge64 | +-- connection-ps? yang:gauge64
| +-- request-ps? yang:gauge64 | +-- request-ps? yang:gauge64
| +-- partial-request-ps? yang:gauge64 | +-- partial-request-ps? yang:gauge64
+-- mid-percentile-l* [protocol] +-- mid-percentile-l* [protocol]
| +-- protocol uint8 | +-- protocol uint8
skipping to change at page 46, line 34 skipping to change at page 48, line 9
| +-- request-ps? yang:gauge64 | +-- request-ps? yang:gauge64
| +-- partial-request-ps? yang:gauge64 | +-- partial-request-ps? yang:gauge64
+-- high-percentile-l* [protocol] +-- high-percentile-l* [protocol]
| +-- protocol uint8 | +-- protocol uint8
| +-- connection? yang:gauge64 | +-- connection? yang:gauge64
| +-- embryonic? yang:gauge64 | +-- embryonic? yang:gauge64
| +-- connection-ps? yang:gauge64 | +-- connection-ps? yang:gauge64
| +-- request-ps? yang:gauge64 | +-- request-ps? yang:gauge64
| +-- partial-request-ps? yang:gauge64 | +-- partial-request-ps? yang:gauge64
+-- peak-l* [protocol] +-- peak-l* [protocol]
| +-- protocol uint8
| +-- connection? yang:gauge64
| +-- embryonic? yang:gauge64
| +-- connection-ps? yang:gauge64
| +-- request-ps? yang:gauge64
| +-- partial-request-ps? yang:gauge64
+-- current-l* [protocol]
+-- protocol uint8 +-- protocol uint8
+-- connection? yang:gauge64 +-- connection? yang:gauge64
+-- embryonic? yang:gauge64 +-- embryonic? yang:gauge64
+-- connection-ps? yang:gauge64 +-- connection-ps? yang:gauge64
+-- request-ps? yang:gauge64 +-- request-ps? yang:gauge64
+-- partial-request-ps? yang:gauge64 +-- partial-request-ps? yang:gauge64
Figure 29: Attack Detail Tree Structure Figure 29: Attack Detail Tree Structure
In order to optimize the size of telemetry data conveyed over the In order to optimize the size of telemetry data conveyed over the
skipping to change at page 48, line 7 skipping to change at page 49, line 35
+--ro vendor-name? string +--ro vendor-name? string
+--ro last-updated uint64 +--ro last-updated uint64
+--ro attack-mapping* [attack-id] +--ro attack-mapping* [attack-id]
+--ro attack-id uint32 +--ro attack-id uint32
+--ro attack-description string +--ro attack-description string
Figure 30: Vendor Attack Mapping Tree Structure Figure 30: Vendor Attack Mapping Tree Structure
A DOTS client sends a GET request to retrieve the capabilities A DOTS client sends a GET request to retrieve the capabilities
supported by a DOTS server as per Section 7.1 of [RFC8783]. This supported by a DOTS server as per Section 7.1 of [RFC8783]. This
request is meant to assess whether vendor attack mapping details request is meant to assess whether the capability of sharing vendor
feature is supported by the server (i.e., check the value of 'vendor- attack mapping details is supported by the server (i.e., check the
mapping-enabled'). value of 'vendor-mapping-enabled').
If 'vendor-mapping-enabled' is set to 'true', a DOTS client MAY send If 'vendor-mapping-enabled' is set to 'true', a DOTS client MAY send
a GET request to retrieve the DOTS server's vendor attack mapping a GET request to retrieve the DOTS server's vendor attack mapping
details. An example of such GET request is shown in Figure 31. details. An example of such GET request is shown in Figure 31.
GET /restconf/data/ietf-dots-data-channel:dots-data\ GET /restconf/data/ietf-dots-data-channel:dots-data\
/ietf-dots-mapping:vendor-mapping HTTP/1.1 /ietf-dots-mapping:vendor-mapping HTTP/1.1
Host: example.com Host: example.com
Accept: application/yang-data+json Accept: application/yang-data+json
skipping to change at page 55, line 24 skipping to change at page 57, line 24
The DOTS client can filter out the asynchronous notifications from The DOTS client can filter out the asynchronous notifications from
the DOTS server by indicating one or more Uri-Query options in its the DOTS server by indicating one or more Uri-Query options in its
GET request. A Uri-Query option can include the following GET request. A Uri-Query option can include the following
parameters: 'target-prefix', 'target-port', 'target-protocol', parameters: 'target-prefix', 'target-port', 'target-protocol',
'target-fqdn', 'target-uri', 'alias-name', 'mid', and 'c' (content) 'target-fqdn', 'target-uri', 'alias-name', 'mid', and 'c' (content)
(Section 4.2.4). Furthermore: (Section 4.2.4). Furthermore:
   If more than one Uri-Query option is included in a request, these
   options are interpreted in the same way as when multiple target
   attributes are included in a message body.

   If multiple values of a query parameter are to be included in a
   request, these values MUST be included in the same Uri-Query
   option and separated by a "," character without any spaces.

   Range values (i.e., contiguous inclusive block) can be included
   for 'target-port', 'target-protocol', and 'mid' parameters by
   indicating two bound values separated by a "-" character.

   Wildcard names (i.e., a name with the leftmost label is the "*"
   [...]
   parameters.  DOTS clients MUST NOT include a name in which the "*"
   character is included in a label other than the leftmost label.
   "*.example.com" is an example of a valid wildcard name that can be
   included as a value of the 'target-fqdn' parameter in an Uri-Query
   option.
DOTS clients may also filter out the asynchronous notifications from
the DOTS server by indicating specific source information.  To that
aim, a DOTS client may include 'source-prefix', 'source-port', or
'source-icmp-type' in a Uri-Query option.  The same considerations
(ranges, multiple values) specified for target attributes apply for
source attributes.  Special care SHOULD be taken when using these
filters, as some attacks may be hidden from the requesting DOTS client
(e.g., the attack changes its source information).
Requests with query types that the DOTS server considers invalid
(e.g., not supported, malformed) MUST be rejected by the DOTS server
with a 4.00 (Bad Request).
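The filter rules above (comma-separated values with no spaces, "low-high" ranges for the numeric parameters, "*" allowed only as the whole leftmost label of an FQDN, and a 4.00 response for anything else) as a server-side validator. This is an added example, not code from the draft; the parameter names are the draft's, while the upper bounds used for ports, protocol numbers, ICMP types and 'mid' are assumptions.

```python
"""Validate the Uri-Query filters a DOTS client may attach to a telemetry
GET request.  Added example; not code from the draft."""
import ipaddress
from dataclasses import dataclass, field

TARGET_PARAMS = {"target-prefix", "target-port", "target-protocol",
                 "target-fqdn", "target-uri", "alias-name", "mid", "c"}
SOURCE_PARAMS = {"source-prefix", "source-port", "source-icmp-type"}
# Parameters for which a "low-high" (contiguous, inclusive) range is allowed.
RANGE_PARAMS = {"target-port", "target-protocol", "mid",
                "source-port", "source-icmp-type"}
# Largest value accepted per numeric parameter (assumption: the natural
# width of a port number, a protocol number, an ICMP type and a 'mid').
MAX_VALUE = {"target-port": 65535, "source-port": 65535,
             "target-protocol": 255, "source-icmp-type": 255,
             "mid": 2 ** 32 - 1}


class BadRequest(ValueError):
    """The draft requires a 4.00 (Bad Request) for such a query."""


@dataclass
class QueryFilter:
    numeric: dict = field(default_factory=dict)  # param -> [(low, high), ...]
    names: dict = field(default_factory=dict)    # param -> [str, ...]


def _parse_numeric(param, token):
    """One value or one 'low-high' range; returns an inclusive (low, high)."""
    if "-" in token:
        if param not in RANGE_PARAMS:
            raise BadRequest(f"ranges are not allowed for {param}")
        low_s, _, high_s = token.partition("-")
    else:
        low_s = high_s = token
    if not (low_s.isdigit() and high_s.isdigit()):
        raise BadRequest(f"malformed value for {param}: {token!r}")
    low, high = int(low_s), int(high_s)
    if low > high or high > MAX_VALUE[param]:
        raise BadRequest(f"out-of-range value for {param}: {token!r}")
    return low, high


def _check_fqdn(name):
    """A wildcard name may only carry '*' as its whole leftmost label."""
    labels = name.split(".")
    if any(label == "" for label in labels):
        raise BadRequest(f"malformed FQDN {name!r}")
    for index, label in enumerate(labels):
        if "*" in label and (index != 0 or label != "*"):
            raise BadRequest(f"'*' outside the leftmost label in {name!r}")
    return name


def _check_prefix(prefix):
    """Prefixes must parse as IPv4/IPv6 networks (host bits tolerated)."""
    try:
        return str(ipaddress.ip_network(prefix, strict=False))
    except ValueError as exc:
        raise BadRequest(f"malformed prefix {prefix!r}") from exc


def parse_uri_queries(options):
    """options: the Uri-Query option values of one GET request, e.g.
    ["target-port=80,443,8000-8100", "target-protocol=6,17"]."""
    result = QueryFilter()
    for option in options:
        param, sep, value = option.partition("=")
        if not sep or param not in TARGET_PARAMS | SOURCE_PARAMS:
            raise BadRequest(f"unsupported query parameter {param!r}")
        tokens = value.split(",")
        # Several values share one option, separated by "," with no spaces.
        if any(token == "" or " " in token for token in tokens):
            raise BadRequest(f"malformed value list in {option!r}")
        if param in MAX_VALUE:
            ranges = result.numeric.setdefault(param, [])
            ranges.extend(_parse_numeric(param, t) for t in tokens)
        else:
            check = {"target-fqdn": _check_fqdn, "target-prefix": _check_prefix,
                     "source-prefix": _check_prefix}.get(param, str)
            result.names.setdefault(param, []).extend(check(t) for t in tokens)
    return result


def numeric_matches(query, param, value):
    """True when 'value' falls in any listed range for 'param'; a parameter
    absent from the query imposes no restriction (plain OR across values)."""
    ranges = query.numeric.get(param)
    return ranges is None or any(low <= value <= high for low, high in ranges)
```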
An example of a request to subscribe to asynchronous UDP telemetry
notifications is shown in Figure 42.  This filter will be applied for
all 'tmids'.

[...]
A DOTS server sends the aggregate data for a target using the 'total-
attack-traffic' attribute.  The aggregate assumes that Uri-Query
filters are applied on the target.  The DOTS server MAY include more
granular data when needed (that is, 'total-attack-traffic-protocol'
and 'total-attack-traffic-port').  If a port filter (or protocol
filter) is included in a request, 'total-attack-traffic-protocol' (or
'total-attack-traffic-port') conveys the data with the port (or
protocol) filter applied.
A DOTS server may aggregate pre-or-ongoing-mitigation data (e.g.,
'top-talker') for all targets of a domain, or when justified, send
specific information (e.g., 'top-talker') per individual targets.
The DOTS client may log pre-or-ongoing-mitigation telemetry data with
an alert sent to an administrator or a network controller.  The DOTS
client may send a mitigation request if the attack cannot be handled
locally.
A DOTS client that is not interested in receiving pre-or-ongoing-
mitigation telemetry data for a target MUST send a delete request
similar to the one depicted in Figure 37.

[...]
by a DOTS client in a mitigation efficacy update (Figure 44).

augment-structure /dots-signal:dots-signal/dots-signal:message-type
                    /dots-signal:mitigation-scope/dots-signal:scope:
  +-- total-attack-traffic* [unit]
  |  +-- unit                  unit
  |  +-- low-percentile-g?     yang:gauge64
  |  +-- mid-percentile-g?     yang:gauge64
  |  +-- high-percentile-g?    yang:gauge64
  |  +-- peak-g?               yang:gauge64
  |  +-- current-g?            yang:gauge64
  +-- attack-detail* [vendor-id attack-id]
     +-- vendor-id             uint32
     +-- attack-id             uint32
     +-- attack-description?   string
     +-- attack-severity?      attack-severity
     +-- start-time?           uint64
     +-- end-time?             uint64
     +-- source-count
     |  +-- low-percentile-g?  yang:gauge64
     |  +-- mid-percentile-g?  yang:gauge64
     |  +-- high-percentile-g? yang:gauge64
     |  +-- peak-g?            yang:gauge64
     |  +-- current-g?         yang:gauge64
     +-- top-talker
        +-- talker* [source-prefix]
           +-- spoofed-status?   boolean
           +-- source-prefix     inet:ip-prefix
           +-- source-port-range* [lower-port]
           |  +-- lower-port     inet:port-number
           |  +-- upper-port?    inet:port-number
           +-- source-icmp-type-range* [lower-type]
           |  +-- lower-type     uint8
           |  +-- upper-type?    uint8
           +-- total-attack-traffic* [unit]
           |  +-- unit                  unit
           |  +-- low-percentile-g?     yang:gauge64
           |  +-- mid-percentile-g?     yang:gauge64
           |  +-- high-percentile-g?    yang:gauge64
           |  +-- peak-g?               yang:gauge64
           |  +-- current-g?            yang:gauge64
           +-- total-attack-connection
              +-- low-percentile-c
              |  +-- connection?          yang:gauge64
              |  +-- embryonic?           yang:gauge64
              |  +-- connection-ps?       yang:gauge64
              |  +-- request-ps?          yang:gauge64
              |  +-- partial-request-ps?  yang:gauge64
              +-- mid-percentile-c
              |  ...
              +-- high-percentile-c
              |  ...
              +-- peak-c
              |  ...
              +-- current-c
                 ...

           Figure 44: Telemetry Efficacy Update Tree Structure
In order to signal telemetry data in a mitigation efficacy update, it
is RECOMMENDED that the DOTS client has already established a DOTS
telemetry setup session with the server in 'idle' time.

An example of an efficacy update with telemetry attributes is
depicted in Figure 45.

[...]
augment-structure /dots-signal:dots-signal/dots-signal:message-type
                    /dots-signal:mitigation-scope/dots-signal:scope:
  +-- (direction)?
  |  +--:(server-to-client-only)
  |     +-- total-traffic* [unit]
  |     |  +-- unit                  unit
  |     |  +-- low-percentile-g?     yang:gauge64
  |     |  +-- mid-percentile-g?     yang:gauge64
  |     |  +-- high-percentile-g?    yang:gauge64
  |     |  +-- peak-g?               yang:gauge64
  |     |  +-- current-g?            yang:gauge64
  |     +-- total-attack-connection
  |        +-- low-percentile-c
  |        |  +-- connection?          yang:gauge64
  |        |  +-- embryonic?           yang:gauge64
  |        |  +-- connection-ps?       yang:gauge64
  |        |  +-- request-ps?          yang:gauge64
  |        |  +-- partial-request-ps?  yang:gauge64
  |        +-- mid-percentile-c
  |        |  ...
  |        +-- high-percentile-c
  |        |  ...
  |        +-- peak-c
  |        |  ...
  |        +-- current-c
  |           ...
  +-- total-attack-traffic* [unit]
  |  +-- unit                  unit
  |  +-- low-percentile-g?     yang:gauge64
  |  +-- mid-percentile-g?     yang:gauge64
  |  +-- high-percentile-g?    yang:gauge64
  |  +-- peak-g?               yang:gauge64
  |  +-- current-g?            yang:gauge64
  +-- attack-detail* [vendor-id attack-id]
     +-- vendor-id             uint32
     +-- attack-id             uint32
     +-- attack-description?   string
     +-- attack-severity?      attack-severity
     +-- start-time?           uint64
     +-- end-time?             uint64
     +-- source-count
     |  +-- low-percentile-g?  yang:gauge64
     |  +-- mid-percentile-g?  yang:gauge64
     |  +-- high-percentile-g? yang:gauge64
     |  +-- peak-g?            yang:gauge64
     |  +-- current-g?         yang:gauge64
     +-- top-talker
        +-- talker* [source-prefix]
           +-- spoofed-status?   boolean
           +-- source-prefix     inet:ip-prefix
           +-- source-port-range* [lower-port]
           |  +-- lower-port     inet:port-number
           |  +-- upper-port?    inet:port-number
           +-- source-icmp-type-range* [lower-type]
           |  +-- lower-type     uint8
           |  +-- upper-type?    uint8
           +-- total-attack-traffic* [unit]
           |  +-- unit                  unit
           |  +-- low-percentile-g?     yang:gauge64
           |  +-- mid-percentile-g?     yang:gauge64
           |  +-- high-percentile-g?    yang:gauge64
           |  +-- peak-g?               yang:gauge64
           |  +-- current-g?            yang:gauge64
           +-- total-attack-connection
              +-- low-percentile-c
              |  +-- connection?          yang:gauge64
              |  +-- embryonic?           yang:gauge64
              |  +-- connection-ps?       yang:gauge64
              |  +-- request-ps?          yang:gauge64
              |  +-- partial-request-ps?  yang:gauge64
              +-- mid-percentile-c
              |  ...
              +-- high-percentile-c
              |  ...
              +-- peak-c
              |  ...
              +-- current-c
                 ...
Figure 46 shows an example of an asynchronous notification of attack
mitigation status from the DOTS server.  This notification signals
both the mid-percentile value of processed attack traffic and the
peak percentile value of unique sources involved in the attack.

{
  "ietf-dots-signal-channel:mitigation-scope": {
    "scope": [

[...]
o  4.04 (Not Found) is returned by the DOTS server when the DOTS
   client has sent a request with a target query that does not match
   the target of the enclosed 'mid' as maintained by the DOTS server.

10.  YANG Modules

10.1.  DOTS Signal Channel Telemetry YANG Module

This module uses types defined in [RFC6991] and [RFC8345].
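Before the module itself, an added example (not code from the draft) of the checks a DOTS agent derives from its definitions: the 'must' constraints and the sample-shorter-than-interval rule of the telemetry-parameters grouping, the unit-config enable/disable list, and the auto-scaling that leaves only one unit per unit class in use. The module does not fix the length of a month nor the auto-scaling rule; the values and rule used here are assumptions.

```python
"""Constraint checks and unit auto-scaling for the ietf-dots-telemetry
module.  Added example; not code from the draft."""
from decimal import Decimal

# 'interval' and 'sample' enumerations of the module, in seconds.
INTERVAL_SECONDS = {"5-minutes": 300, "10-minutes": 600, "30-minutes": 1800,
                    "hour": 3600, "day": 86400, "week": 604800,
                    "month": 30 * 86400}          # 30-day month: assumption
SAMPLE_SECONDS = {"second": 1, "5-seconds": 5, "30-seconds": 30, "minute": 60,
                  "5-minutes": 300, "10-minutes": 600, "30-minutes": 1800,
                  "hour": 3600}
UNIT_CLASSES = ("packet-ps", "bit-ps", "byte-ps")        # typedef unit-class
PREFIXES = ("", "kilo", "mega", "giga", "tera", "peta", "exa", "zetta")
# typedef unit: packet-ps = 1, bit-ps = 2, byte-ps = 3, kilopacket-ps = 4, ...
UNIT_VALUES = {prefix + cls: 3 * i + j + 1
               for i, prefix in enumerate(PREFIXES)
               for j, cls in enumerate(UNIT_CLASSES)}


def validate_telemetry_parameters(params):
    """Return the list of violations of the telemetry-parameters grouping
    for one configured instance (missing leaves take the module defaults)."""
    errors = []
    interval = INTERVAL_SECONDS.get(params.get("measurement-interval"))
    sample = SAMPLE_SECONDS.get(params.get("measurement-sample"))
    if interval is None or sample is None:
        errors.append("unknown measurement-interval or measurement-sample")
    elif sample >= interval:
        errors.append("The measurement sample value must be less than the "
                      "measurement interval value.")
    low = Decimal(params.get("low-percentile", "10.00"))
    mid = Decimal(params.get("mid-percentile", "50.00"))
    high = Decimal(params.get("high-percentile", "90.00"))
    for name, value in (("low", low), ("mid", mid), ("high", high)):
        if value.as_tuple().exponent < -2:       # decimal64, fraction-digits 2
            errors.append(f"{name}-percentile has more than 2 fraction digits")
    if mid < low:                                # 'must' on mid-percentile
        errors.append("The mid-percentile must be greater than "
                      "or equal to the low-percentile.")
    if high < mid:                               # 'must' on high-percentile
        errors.append("The high-percentile must be greater than "
                      "or equal to the mid-percentile.")
    return errors


def auto_scale(value, unit_class, unit_config=()):
    """Pick the one unit of 'unit_class' in which a gauge64 'value' measured
    in the base unit (packets, bits or bytes per second) is reported.
    Rule used here (assumption): the largest prefix that keeps the reported
    integer exact.  'unit_config' is the module's unit-config list; an entry
    with unit-status false (it defaults to true) disables the whole class."""
    if unit_class not in UNIT_CLASSES:
        raise ValueError(f"unknown unit class {unit_class!r}")
    for entry in unit_config:
        if entry["unit"] == unit_class and not entry.get("unit-status", True):
            raise ValueError(f"unit class {unit_class!r} disabled by unit-config")
    scaled, index = int(value), 0
    while index < len(PREFIXES) - 1 and scaled >= 1000 and scaled % 1000 == 0:
        scaled //= 1000
        index += 1
    unit = PREFIXES[index] + unit_class
    return unit, UNIT_VALUES[unit], scaled
```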
Note to the RFC Editor: Please replace "RFC UUUU" with the RFC
number to be assigned to [I-D.ietf-dots-rfc8782-bis].

<CODE BEGINS> file "ietf-dots-telemetry@2020-12-07.yang"
module ietf-dots-telemetry {
  yang-version 1.1;
  namespace "urn:ietf:params:xml:ns:yang:ietf-dots-telemetry";
  prefix dots-telemetry;

  import ietf-dots-signal-channel {
    prefix dots-signal;
    reference
      "RFC UUUU: Distributed Denial-of-Service Open Threat Signaling
                 (DOTS) Signal Channel Specification";
  }
  import ietf-dots-data-channel {
    prefix data-channel;
    reference
      "RFC 8783: Distributed Denial-of-Service Open Threat
                 Signaling (DOTS) Data Channel Specification";
  }
  import ietf-yang-types {
    prefix yang;
    reference
      "Section 3 of RFC 6991";
  }
  import ietf-inet-types {
    prefix inet;
    reference
      "Section 4 of RFC 6991";
  }
  import ietf-network-topology {
    prefix nt;
    reference
      "Section 6.2 of RFC 8345: A YANG Data Model for Network
                                Topologies";
  }
  import ietf-yang-structure-ext {
    prefix sx;
    reference
      "RFC 8791: YANG Data Structure Extensions";
  }

  organization
    "IETF DDoS Open Threat Signaling (DOTS) Working Group";
  contact
    "WG Web:   <https://datatracker.ietf.org/wg/dots/>
     WG List:  <mailto:dots@ietf.org>

     Author:  Mohamed Boucadair
              <mailto:mohamed.boucadair@orange.com>

     Author:  Konda, Tirumaleswar Reddy
              <mailto:TirumaleswarReddy_Konda@McAfee.com>";
  description
    "This module contains YANG definitions for the signaling
     of DOTS telemetry exchanged between a DOTS client and
     a DOTS server by means of the DOTS signal channel.

     Copyright (c) 2020 IETF Trust and the persons identified as
     authors of the code.  All rights reserved.

     Redistribution and use in source and binary forms, with or
     without modification, is permitted pursuant to, and subject
     to the license terms contained in, the Simplified BSD License
     set forth in Section 4.c of the IETF Trust's Legal Provisions
     Relating to IETF Documents
     (http://trustee.ietf.org/license-info).

     This version of this YANG module is part of RFC XXXX; see
     the RFC itself for full legal notices.";

  revision 2020-12-07 {
    description
      "Initial revision.";
    reference
      "RFC XXXX: Distributed Denial-of-Service Open Threat
                 Signaling (DOTS) Telemetry";
  }
  typedef attack-severity {
    type enumeration {
      enum none {
        value 1;
        description
          "No effect on the DOTS client domain.";
      }
      enum low {
        value 2;
        description
          "Minimal effect on the DOTS client domain.";
      }
      enum medium {
        value 3;
        description
          "A subset of DOTS client domain resources are
           out of service.";
      }
      enum high {
        value 4;
        description
          "The DOTS client domain is under extremely severe
           conditions.";
      }
      enum unknown {
        value 5;
        description
          "The impact of the attack is not known.";
      }
    }
    description
      "Enumeration for attack severity.";
    reference
      "RFC 7970: The Incident Object Description Exchange
                 Format Version 2";
  }
  typedef unit-class {
    type enumeration {
      enum packet-ps {
        value 1;
        description
          "Packets per second (pps).";
      }
      enum bit-ps {
        value 2;
        description
          "Bits per Second (bit/s).";
      }
      enum byte-ps {
        value 3;
        description
          "Bytes per second (Byte/s).";
      }
    }
    description
      "Enumeration to indicate which unit class is used.
       These classes are supported: pps, bit/s, and Byte/s.";
  }

  typedef unit {
    type enumeration {
      enum packet-ps {
        value 1;
        description
          "Packets per second (pps).";
      }
      enum bit-ps {
        value 2;
        description
          "Bits per Second (bps).";
      }
      enum byte-ps {
        value 3;
        description
          "Bytes per second (Bps).";
      }
      enum kilopacket-ps {
        value 4;
        description
          "Kilo packets per second (kpps).";
      }
      enum kilobit-ps {
        value 5;
        description
          "Kilobits per second (kbps).";
      }
      enum kilobyte-ps {
        value 6;
        description
          "Kilobytes per second (kBps).";
      }
      enum megapacket-ps {
        value 7;
        description
          "Mega packets per second (Mpps).";
      }
      enum megabit-ps {
        value 8;
        description
          "Megabits per second (Mbps).";
      }
      enum megabyte-ps {
        value 9;
        description
          "Megabytes per second (MBps).";
      }
      enum gigapacket-ps {
        value 10;
        description
          "Giga packets per second (Gpps).";
      }
      enum gigabit-ps {
        value 11;
        description
          "Gigabits per second (Gbps).";
      }
      enum gigabyte-ps {
        value 12;
        description
          "Gigabytes per second (GBps).";
      }
      enum terapacket-ps {
        value 13;
        description
          "Tera packets per second (Tpps).";
      }
      enum terabit-ps {
        value 14;
        description
          "Terabits per second (Tbps).";
      }
      enum terabyte-ps {
        value 15;
        description
          "Terabytes per second (TBps).";
      }
      enum petapacket-ps {
        value 16;
        description
          "Peta packets per second (Ppps).";
      }
      enum petabit-ps {
        value 17;
        description
          "Petabits per second (Pbps).";
      }
      enum petabyte-ps {
        value 18;
        description
          "Petabytes per second (PBps).";
      }
      enum exapacket-ps {
        value 19;
        description
          "Exa packets per second (Epps).";
      }
      enum exabit-ps {
        value 20;
        description
          "Exabits per second (Ebps).";
      }
      enum exabyte-ps {
        value 21;
        description
          "Exabytes per second (EBps).";
      }
      enum zettapacket-ps {
        value 22;
        description
          "Zetta packets per second (Zpps).";
      }
      enum zettabit-ps {
        value 23;
        description
          "Zettabits per second (Zbps).";
      }
      enum zettabyte-ps {
        value 24;
        description
          "Zettabytes per second (ZBps).";
      }
    }
    description
      "Enumeration to indicate which unit is used.
       Only one unit per unit class is used owing to
       unit auto-scaling.";
  }
  typedef interval {
    type enumeration {
      enum 5-minutes {
        value 1;
        description
          "5 minutes.";
      }
      enum 10-minutes {
        value 2;
        description
          "10 minutes.";
      }
      enum 30-minutes {
        value 3;
        description
          "30 minutes.";
      }
      enum hour {
        value 4;
        description
          "Hour.";
      }
      enum day {
        value 5;
        description
          "Day.";
      }
      enum week {
        value 6;
        description
          "Week.";
      }
      enum month {
        value 7;
        description
          "Month.";
      }
    }
    description
      "Enumeration to indicate the overall measurement period.";
  }

  typedef sample {
    type enumeration {
      enum second {
        value 1;
        description
          "A one second measurement period.";
      }
      enum 5-seconds {
        value 2;
        description
          "5 seconds measurement period.";
      }
      enum 30-seconds {
        value 3;
        description
          "30 seconds measurement period.";
      }
      enum minute {
        value 4;
        description
          "One minute measurement period.";
      }
      enum 5-minutes {
        value 5;
        description
          "5 minutes measurement period.";
      }
      enum 10-minutes {
        value 6;
        description
          "10 minutes measurement period.";
      }
      enum 30-minutes {
        value 7;
        description
          "30 minutes measurement period.";
      }
      enum hour {
        value 8;
        description
          "One hour measurement period.";
      }
    }
    description
      "Enumeration to indicate the sampling period.";
  }

  typedef percentile {
    type decimal64 {
      fraction-digits 2;
    }
    description
      "The nth percentile of a set of data is the
       value at which n percent of the data is below it.";
  }
  typedef query-type {
    type enumeration {
      enum target-prefix {
        value 1;
        description
          "Query based on target prefix.";
      }
      enum target-port {
        value 2;
        description
          "Query based on target port number.";
      }
      enum target-protocol {
        value 3;
        description
          "Query based on target protocol.";
      }
      enum target-fqdn {
        value 4;
        description
          "Query based on target FQDN.";
      }
      enum target-uri {
        value 5;
        description
          "Query based on target URI.";
      }
      enum target-alias {
        value 6;
        description
          "Query based on target alias.";
      }
      enum mid {
        value 7;
        description
          "Query based on mitigation identifier (mid).";
      }
      enum source-prefix {
        value 8;
        description
          "Query based on source prefix.";
      }
      enum source-port {
        value 9;
        description
          "Query based on source port number.";
      }
      enum source-icmp-type {
        value 10;
        description
          "Query based on ICMP type.";
      }
      enum content {
        value 11;
        description
          "Query based on 'c' Uri-Query option that is used
           to control the selection of configuration
           and non-configuration data nodes.";
        reference
          "Section 4.4.2 of RFC UUUU.";
      }
    }
    description
      "Enumeration support for query types that can be used
       in a GET request to filter out data.  Requests with
       invalid query types (e.g., not supported, malformed)
       by the DOTS server are rejected by DOTS servers with
       a 4.00 (Bad Request).";
  }
  grouping telemetry-parameters {
    description
      "A grouping that includes a set of parameters that
       are used to compute telemetry data.

       The grouping indicates a measurement interval,
       a measurement sample period, and low/mid/high
       percentile values.";
    leaf measurement-interval {
      type interval;
      description
        "Defines the period on which percentiles are computed.";
    }
    leaf measurement-sample {
      type sample;
      description
        "Defines the time distribution for measuring
         values that are used to compute percentiles.
         The measurement sample value must be less than the
         measurement interval value.";
    }
    leaf low-percentile {
      type percentile;
      default "10.00";
      description
        "Low percentile. If set to '0', this means low-percentiles
         are disabled.";
    }
    leaf mid-percentile {
      type percentile;
      must '. >= ../low-percentile' {
        error-message
          "The mid-percentile must be greater than
           or equal to the low-percentile.";
      }
      default "50.00";
      description
        "Mid percentile. If set to the same value as low-percentiles,
         this means mid-percentiles are disabled.";
    }
    leaf high-percentile {
      type percentile;
      must '. >= ../mid-percentile' {
        error-message
          "The high-percentile must be greater than
           or equal to the mid-percentile.";
      }
      default "90.00";
      description
        "High percentile. If set to the same value as mid-percentiles,
         this means high-percentiles are disabled.";
    }
  }
  grouping percentile-and-peak {
    description
      "Generic grouping for percentile and peak values.";
    leaf low-percentile-g {
      type yang:gauge64;
      description
        "Low percentile value.";
    }
    leaf mid-percentile-g {
      type yang:gauge64;
      description
        "Mid percentile value.";
    }
    leaf high-percentile-g {
      type yang:gauge64;
      description
        "High percentile value.";
    }
    leaf peak-g {
      type yang:gauge64;
      description
        "Peak value.";
    }
  }

  grouping unit-config {
    description
      "Generic grouping for unit configuration.";
    list unit-config {
      key "unit";
      description
        "Controls which unit classes are allowed when sharing
         telemetry data.";
      leaf unit {
        type unit-class;
        description
          "Can be packet-ps, bit-ps, or byte-ps.";
      }
      leaf unit-status {
        type boolean;
        default true;
        description
          "Enable/disable the use of the measurement unit class.";
      }
    }
  }

  grouping traffic-unit {
    description
      "Grouping of traffic as a function of the measurement unit.";
    leaf unit {
      type unit;
      description
        "The traffic can be measured using unit classes: packet-ps,
         bit-ps, or byte-ps. DOTS agents auto-scale to the appropriate
         units (e.g., megabit-ps, kilobit-ps).";
    }
    uses percentile-and-peak;
  }
connection-oriented transport protocols like TCP or SCTP.";
}
leaf embryonic-client {
type uint64;
description
"The maximum number of simultaneous embryonic connections
that are allowed to the target server per client.";
}
leaf connection-ps {
type uint64;
description
"The maximum number of connections allowed per second
to the target server.";
}
leaf connection-client-ps {
type uint64;
description
"The maximum number of connections allowed per second
to the target server per client.";
}
leaf request-ps {
type uint64;
description
"The maximum number of requests allowed per second
to the target server.";
}
leaf request-client-ps {
type uint64;
description
"The maximum number of requests allowed per second
to the target server per client.";
}
leaf partial-request-ps {
type uint64;
description
"The maximum number of partial requests allowed per
second to the target server.";
}
leaf partial-request-client-ps {
type uint64;
description
"The maximum number of partial requests allowed per
second to the target server per client.";
}
}
grouping total-connection-capacity-protocol { grouping traffic-unit-all {
description description
"Total Connections Capacity per protocol. These data nodes are "Grouping of traffic as a function of the measurement unit,
useful to detect resource consuming DDoS attacks."; including current values.";
uses traffic-unit;
leaf current-g {
type yang:gauge64;
description
"Current observed value.";
}
}
leaf protocol { grouping traffic-unit-protocol {
type uint8; description
description "Grouping of traffic of a given transport protocol as
"The transport protocol. a function of the measurement unit.";
Values are taken from the IANA Protocol Numbers registry: leaf protocol {
<https://www.iana.org/assignments/protocol-numbers/>."; type uint8;
} description
uses total-connection-capacity; "The transport protocol.
}
grouping connection { Values are taken from the IANA Protocol Numbers registry:
description <https://www.iana.org/assignments/protocol-numbers/>.
"A set of data nodes which represent the attack
characteristics";
leaf connection {
type yang:gauge64;
description
"The number of simultaneous attack connections to
the target server.";
}
leaf embryonic {
type yang:gauge64;
description
"The number of simultaneous embryonic connections to
the target server.";
}
leaf connection-ps {
type yang:gauge64;
description
"The number of attack connections per second to
the target server.";
}
leaf request-ps {
type yang:gauge64;
description
"The number of attack requests per second to
the target server.";
}
leaf partial-request-ps {
type yang:gauge64;
description
"The number of attack partial requests to
the target server.";
}
}
grouping connection-percentile { For example, this parameter contains 6 for TCP,
description 17 for UDP, 33 for DCCP, or 132 for SCTP.";
"Total attack connections."; }
container low-percentile-c { uses traffic-unit;
description }
"Low percentile of attack connections.";
uses connection;
}
container mid-percentile-c {
description
"Mid percentile of attack connections.";
uses connection;
}
container high-percentile-c {
description
"High percentile of attack connections.";
uses connection;
}
container peak-c {
description
"Peak attack connections.";
uses connection;
}
}
grouping connection-protocol { grouping traffic-unit-protocol-all {
description description
"Total attack connections."; "Grouping of traffic of a given transport protocol as,
leaf protocol { including current values.";
type uint8; uses traffic-unit-protocol;
description leaf current-g {
"The transport protocol. type yang:gauge64;
Values are taken from the IANA Protocol Numbers registry: description
<https://www.iana.org/assignments/protocol-numbers/>."; "Current observed value.";
} }
uses connection; }
}
grouping connection-port { grouping traffic-unit-port {
description description
"Total attack connections per port number."; "Grouping of traffic bound to a port number as
leaf port { a function of the measurement unit.";
type inet:port-number; leaf port {
description type inet:port-number;
"Port number."; description
} "Port number used by a transport protocol.";
uses connection-protocol; }
} uses traffic-unit;
}
grouping connection-protocol-percentile { grouping traffic-unit-port-all {
description description
"Total attack connections per protocol."; "Grouping of traffic bound to a port number as
list low-percentile-l { a function of the measurement unit, including
key "protocol"; current values.";
description uses traffic-unit-port;
"Low percentile of attack connections per protocol."; leaf current-g {
uses connection-protocol; type yang:gauge64;
} description
list mid-percentile-l { "Current observed value.";
key "protocol"; }
description }
"Mid percentile of attack connections per protocol.";
uses connection-protocol;
}
list high-percentile-l {
key "protocol";
description
"High percentile of attack connections per protocol.";
uses connection-protocol;
}
list peak-l {
key "protocol";
description
"Peak attack connections per protocol.";
uses connection-protocol;
}
}
grouping connection-protocol-port-percentile { grouping total-connection-capacity {
description description
"Total attack connections per port number."; "Total connections capacity. These data nodes are
list low-percentile-l { useful to detect resource consuming DDoS attacks.";
key "protocol port"; leaf connection {
description type uint64;
"Low percentile of attack connections per port number."; description
uses connection-port; "The maximum number of simultaneous connections that
} are allowed to the target server.";
list mid-percentile-l { }
key "protocol port"; leaf connection-client {
description type uint64;
"Mid percentile of attack connections per port number."; description
uses connection-port; "The maximum number of simultaneous connections that
} are allowed to the target server per client.";
list high-percentile-l { }
key "protocol port"; leaf embryonic {
description type uint64;
"High percentile of attack connections per port number."; description
uses connection-port; "The maximum number of simultaneous embryonic connections
that are allowed to the target server. The term 'embryonic
connection' refers to a connection whose connection handshake
is not finished. Embryonic connection is only possible in
connection-oriented transport protocols like TCP or SCTP.";
}
leaf embryonic-client {
type uint64;
description
"The maximum number of simultaneous embryonic connections
that are allowed to the target server per client.";
}
leaf connection-ps {
type uint64;
description
"The maximum number of connections allowed per second
to the target server.";
}
leaf connection-client-ps {
type uint64;
description
"The maximum number of connections allowed per second
to the target server per client.";
}
leaf request-ps {
type uint64;
description
"The maximum number of requests allowed per second
to the target server.";
}
leaf request-client-ps {
type uint64;
description
"The maximum number of requests allowed per second
to the target server per client.";
}
leaf partial-request-ps {
type uint64;
description
"The maximum number of partial requests allowed per
second to the target server.";
}
leaf partial-request-client-ps {
type uint64;
description
"The maximum number of partial requests allowed per
second to the target server per client.";
}
}
} grouping total-connection-capacity-protocol {
list peak-l { description
key "protocol port"; "Total connections capacity per protocol. These data nodes are
description useful to detect resource consuming DDoS attacks.";
"Peak attack connections per port number."; leaf protocol {
uses connection-port; type uint8;
} description
} "The transport protocol.
Values are taken from the IANA Protocol Numbers registry:
<https://www.iana.org/assignments/protocol-numbers/>.";
}
uses total-connection-capacity;
}
grouping attack-detail { grouping connection {
description description
"Various details that describe the on-going "A set of data nodes which represent the attack
attacks that need to be mitigated by the DOTS server. characteristics.";
The attack details need to cover well-known and common attacks leaf connection {
(such as a SYN Flood) along with new emerging or vendor-specific type yang:gauge64;
attacks."; description
leaf vendor-id { "The number of simultaneous attack connections to
type uint32; the target server.";
description }
"Vendor ID is a security vendor's Enterprise Number."; leaf embryonic {
} type yang:gauge64;
leaf attack-id { description
type uint32; "The number of simultaneous embryonic connections to
description the target server.";
"Unique identifier assigned by the vendor for the attack.";
}
leaf attack-description {
type string;
description
"Textual representation of attack description. Natural Language
Processing techniques (e.g., word embedding) can possibly be
used to map the attack description to an attack type.";
}
leaf attack-severity {
type attack-severity;
description
"Severity level of an attack. How this level is determined
is implementation-specific.";
}
leaf start-time {
type uint64;
description
"The time the attack started. Start time is represented in
seconds relative to 1970-01-01T00:00:00Z in UTC time.";
}
leaf end-time {
type uint64;
description
"The time the attack ended. End time is represented in seconds
relative to 1970-01-01T00:00:00Z in UTC time.";
}
container source-count {
description
"Indicates the count of unique sources involved
in the attack.";
uses percentile;
}
}
grouping top-talker-aggregate { }
description leaf connection-ps {
"Top attack sources."; type yang:gauge64;
list talker { description
key "source-prefix"; "The number of attack connections per second to
description the target server.";
"IPv4 or IPv6 prefix identifying the attacker(s)."; }
leaf spoofed-status { leaf request-ps {
type boolean; type yang:gauge64;
description description
"Indicates whether this address is spoofed."; "The number of attack requests per second to
} the target server.";
leaf source-prefix { }
type inet:ip-prefix; leaf partial-request-ps {
description type yang:gauge64;
"IPv4 or IPv6 prefix identifying the attacker(s)."; description
} "The number of attack partial requests to
list source-port-range { the target server.";
key "lower-port"; }
description }
"Port range. When only lower-port is
present, it represents a single port number.";
leaf lower-port {
type inet:port-number;
mandatory true;
description
"Lower port number of the port range.";
}
leaf upper-port {
type inet:port-number;
must '. >= ../lower-port' {
error-message
"The upper port number must be greater than
or equal to lower port number.";
}
description
"Upper port number of the port range.";
} grouping connection-percentile-and-peak {
} description
list source-icmp-type-range { "Total attack connections. Low/mid/high percentile
key "lower-type"; and peak values are included.";
description container low-percentile-c {
"ICMP type range. When only lower-type is description
present, it represents a single ICMP type."; "Low percentile of attack connections.";
leaf lower-type { uses connection;
type uint8; }
mandatory true; container mid-percentile-c {
description description
"Lower ICMP type of the ICMP type range."; "Mid percentile of attack connections.";
} uses connection;
leaf upper-type { }
type uint8; container high-percentile-c {
must '. >= ../lower-type' { description
error-message "High percentile of attack connections.";
"The upper ICMP type must be greater than uses connection;
or equal to lower ICMP type."; }
} container peak-c {
description description
"Upper type of the ICMP type range."; "Peak attack connections.";
} uses connection;
} }
list total-attack-traffic { }
key "unit";
description
"Total attack traffic issued from this source.";
uses traffic-unit;
}
container total-attack-connection {
description
"Total attack connections issued from this source.";
uses connection-percentile;
}
}
}
grouping top-talker { grouping connection-all {
description description
"Top attack sources."; "Total attack connections including current values.";
list talker { uses connection-percentile-and-peak;
key "source-prefix"; container current-c {
description description
"IPv4 or IPv6 prefix identifying the attacker(s)."; "Current attack connections.";
leaf spoofed-status { uses connection;
type boolean; }
description }
"Indicates whether this address is spoofed.";
}
leaf source-prefix {
type inet:ip-prefix;
description
"IPv4 or IPv6 prefix identifying the attacker(s).";
}
list source-port-range {
key "lower-port";
description
"Port range. When only lower-port is
present, it represents a single port number.";
leaf lower-port {
type inet:port-number;
mandatory true;
description
"Lower port number of the port range.";
}
leaf upper-port {
type inet:port-number;
must '. >= ../lower-port' {
error-message
"The upper port number must be greater than
or equal to lower port number.";
}
description
"Upper port number of the port range.";
}
}
list source-icmp-type-range {
key "lower-type";
description
"ICMP type range. When only lower-type is
present, it represents a single ICMP type.";
leaf lower-type {
type uint8;
mandatory true;
description
"Lower ICMP type of the ICMP type range.";
}
leaf upper-type {
type uint8;
must '. >= ../lower-type' {
error-message
"The upper ICMP type must be greater than
or equal to lower ICMP type.";
}
description
"Upper type of the ICMP type range.";
}
}
list total-attack-traffic {
key "unit";
description
"Total attack traffic issued from this source.";
uses traffic-unit;
}
container total-attack-connection {
description
"Total attack connections issued from this source.";
uses connection-protocol-percentile;
}
}
}
grouping baseline { grouping connection-protocol {
description description
"Grouping for the telemetry baseline."; "Total attack connections.";
uses data-channel:target; leaf protocol {
leaf-list alias-name { type uint8;
type string; description
description "The transport protocol.
"An alias name that points to a resource."; Values are taken from the IANA Protocol Numbers registry:
} <https://www.iana.org/assignments/protocol-numbers/>.";
list total-traffic-normal { }
key "unit"; uses connection;
description }
"Total traffic normal baselines.";
uses traffic-unit;
}
list total-traffic-normal-per-protocol {
key "unit protocol";
description
"Total traffic normal baselines per protocol.";
uses traffic-unit-protocol;
}
list total-traffic-normal-per-port {
key "unit port";
description
"Total traffic normal baselines per port number.";
uses traffic-unit-port;
}
list total-connection-capacity {
key "protocol";
description
"Total connection capacity.";
uses total-connection-capacity-protocol; grouping connection-port {
} description
list total-connection-capacity-per-port { "Total attack connections per port number.";
key "protocol port"; leaf port {
description type inet:port-number;
"Total connection capacity per port number."; description
leaf port { "Port number.";
type inet:port-number; }
description uses connection-protocol;
"The target port number."; }
}
uses total-connection-capacity-protocol;
}
}
grouping pre-or-ongoing-mitigation { grouping connection-protocol-percentile {
description description
"Grouping for the telemetry data."; "Total attack connections per protocol.";
list total-traffic { list low-percentile-l {
key "unit"; key "protocol";
description description
"Total traffic."; "Low percentile of attack connections per protocol.";
uses traffic-unit; uses connection-protocol;
} }
list total-traffic-protocol { list mid-percentile-l {
key "unit protocol"; key "protocol";
description description
"Total traffic per protocol."; "Mid percentile of attack connections per protocol.";
uses traffic-unit-protocol; uses connection-protocol;
}
list total-traffic-port {
key "unit port";
description
"Total traffic per port.";
uses traffic-unit-port;
}
list total-attack-traffic {
key "unit";
description
"Total attack traffic.";
uses traffic-unit-protocol;
}
list total-attack-traffic-protocol {
key "unit protocol";
description
"Total attack traffic per protocol.";
uses traffic-unit-protocol;
}
list total-attack-traffic-port {
key "unit port";
description
"Total attack traffic per port.";
uses traffic-unit-port;
}
container total-attack-connection {
description
"Total attack connections.";
uses connection-protocol-percentile;
}
container total-attack-connection-port {
description
"Total attack connections.";
uses connection-protocol-port-percentile;
}
list attack-detail {
key "vendor-id attack-id";
description
"Provides a set of attack details.";
uses attack-detail;
container top-talker {
description
"Lists the top attack sources.";
uses top-talker;
}
}
}
sx:augment-structure "/dots-signal:dots-signal" }
+ "/dots-signal:message-type" list high-percentile-l {
+ "/dots-signal:mitigation-scope" key "protocol";
+ "/dots-signal:scope" { description
description "High percentile of attack connections per protocol.";
"Extends mitigation scope with telemetry update data."; uses connection-protocol;
choice direction { }
description list peak-l {
"Indicates the communication direction in which the key "protocol";
data nodes can be included."; description
case server-to-client-only { "Peak attack connections per protocol.";
description uses connection-protocol;
"These data nodes appear only in a mitigation message }
sent from the server to the client."; }
list total-traffic {
key "unit";
description
"Total traffic.";
uses traffic-unit;
} grouping connection-protocol-all {
container total-attack-connection { description
description "Total attack connections per protocol, including current
"Total attack connections."; values.";
uses connection-percentile; uses connection-protocol-percentile;
} list current-l {
} key "protocol";
} description
list total-attack-traffic { "Current attack connections per protocol.";
key "unit"; uses connection-protocol;
description }
"Total attack traffic."; }
uses traffic-unit;
}
list attack-detail {
key "vendor-id attack-id";
description
"Attack details";
uses attack-detail;
container top-talker {
description
"Top attack sources.";
uses top-talker-aggregate;
}
}
}
sx:structure dots-telemetry {
description
"Main structure for DOTS telemetry messages.";
choice telemetry-message-type {
description
"Can be a telemetry-setup or telemetry data.";
case telemetry-setup {
description
"Indicates the message is about telemetry.";
choice direction {
description
"Indicates the communication direction in which the
data nodes can be included.";
case server-to-client-only {
description
"These data nodes appear only in a mitigation message
sent from the server to the client.";
container max-config-values {
description
"Maximum acceptable configuration values.";
uses percentile-config;
leaf server-originated-telemetry {
type boolean;
description
"Indicates whether the DOTS server can be instructed
to send pre-or-ongoing-mitigation telemetry. If set
to FALSE or the data node is not present, this is
an indication that the server does not support this
capability.";
}
leaf telemetry-notify-interval {
type uint32 {
range "1 .. 3600";
}
units "seconds";
must ". >= ../../min-config-values"
+ "/telemetry-notify-interval" {
error-message
"The value must be greater than or equal
to the telemetry-notify-interval in the
min-config-values";
}
description
"Minimum number of seconds between successive
telemetry notifications.";
}
}
container min-config-values {
description
"Minimum acceptable configuration values.";
uses percentile-config;
leaf telemetry-notify-interval {
type uint32 {
range "1 .. 3600";
}
units "seconds";
description
"Minimum number of seconds between successive
telemetry notifications.";
}
}
container supported-units {
description
"Supported units and default activation status.";
uses unit-config;
}
leaf-list query-type {
type query-type;
description
"Indicates which query types are supported by
the server.";
}
}
}
list telemetry {
description
"The telemetry data per DOTS client.";
choice direction {
description
"Indicates the communication direction in which the
data nodes can be included.";
case server-to-client-only {
description
"These data nodes appear only in a mitigation message
sent from the server to the client.";
leaf tsid {
type uint32;
description
"An identifier for the DOTS telemetry setup
data.";
}
}
}
choice setup-type {
description
"Can be a mitigation configuration, a pipe capacity,
or baseline message.";
case telemetry-config {
description
"Uses to set low, mid, and high percentile values.";
container current-config {
description
"Current configuration values.";
uses percentile-config;
uses unit-config;
leaf server-originated-telemetry {
type boolean;
description
"Used by a DOTS client to enable/disable whether it
accepts pre-or-ongoing-mitigation telemetry from
the DOTS server.";
}
leaf telemetry-notify-interval {
type uint32 {
range "1 .. 3600";
}
units "seconds";
description
"Minimum number of seconds between successive
telemetry notifications.";
}
}
}
case pipe {
description
"Total pipe capacity of a DOTS client domain";
list total-pipe-capacity {
key "link-id unit";
description
"Total pipe capacity of a DOTS client domain.";
leaf link-id {
type nt:link-id;
description
"Identifier of an interconnection link.";
}
leaf capacity {
type uint64;
mandatory true;
description
"Pipe capacity.";
}
leaf unit {
type unit;
description
"The traffic can be measured using unit types:
packets per second (PPS), Bits per Second (BPS),
and/or bytes per second. DOTS agents auto-scale
to the appropriate units (e.g., megabit-ps,
kilobit-ps).";
}
}
}
case baseline {
description
"Traffic baseline information";
list baseline {
key "id";
description
"Traffic baseline information";
leaf id {
type uint32;
must '. >= 1';
description
"A baseline entry identifier.";
}
uses baseline;
} grouping connection-protocol-port-percentile {
} description
} "Total attack connections per port number experessed in
} low/mid/high percentile and peak values.";
} list low-percentile-l {
case telemetry { key "protocol port";
description description
"Indicates the message is about telemetry."; "Low percentile of attack connections per port number.";
list pre-or-ongoing-mitigation { uses connection-port;
description }
"Pre-or-ongoing-mitigation telemetry per DOTS client."; list mid-percentile-l {
choice direction { key "protocol port";
description description
"Indicates the communication direction in which the "Mid percentile of attack connections per port number.";
data nodes can be included."; uses connection-port;
case server-to-client-only { }
description list high-percentile-l {
"These data nodes appear only in a mitigation message key "protocol port";
sent from the server to the client."; description
leaf tmid { "High percentile of attack connections per port number.";
type uint32;
description uses connection-port;
"An identifier to uniquely demux telemetry data sent }
using the same message."; list peak-l {
} key "protocol port";
} description
} "Peak attack connections per port number.";
container target { uses connection-port;
description }
"Indicates the target."; }
uses data-channel:target;
leaf-list alias-name { grouping connection-protocol-port-all {
type string; description
description "Total attack connections per port number, including current
"An alias name that points to a resource."; values.";
} uses connection-protocol-port-percentile;
leaf-list mid-list { list current-l {
type uint32; key "protocol port";
description description
"Reference a list of associated mitigation requests."; "Current attack connections per port number.";
} uses connection-port;
} }
uses pre-or-ongoing-mitigation; }
}
} grouping attack-detail {
} description
} "Various details that describe the on-going
} attacks that need to be mitigated by the DOTS server.
<CODE ENDS> The attack details need to cover well-known and common attacks
(such as a SYN Flood) along with new emerging or vendor-specific
attacks.";
leaf vendor-id {
type uint32;
description
"Vendor ID is a security vendor's Enterprise Number.";
}
leaf attack-id {
type uint32;
description
"Unique identifier assigned by the vendor for the attack.";
}
leaf attack-description {
type string;
description
"Textual representation of attack description. Natural Language
Processing techniques (e.g., word embedding) can possibly be
used to map the attack description to an attack type.";
}
leaf attack-severity {
type attack-severity;
description
"Severity level of an attack. How this level is determined
is implementation-specific.";
}
leaf start-time {
type uint64;
description
"The time the attack started. Start time is represented in
seconds relative to 1970-01-01T00:00:00Z in UTC time.";
}
leaf end-time {
type uint64;
description
"The time the attack ended. End time is represented in seconds
relative to 1970-01-01T00:00:00Z in UTC time.";
}
container source-count {
description
"Indicates the count of unique sources involved
in the attack.";
uses percentile-and-peak;
leaf current-g {
type yang:gauge64;
description
"Current observed value.";
}
}
}
grouping top-talker-aggregate {
description
"An aggregate of top attack sources. This aggregate is
typically used when included in a mitigation request.";
list talker {
key "source-prefix";
description
"IPv4 or IPv6 prefix identifying the attacker(s).";
leaf spoofed-status {
type boolean;
description
"Indicates whether this address is spoofed.";
}
leaf source-prefix {
type inet:ip-prefix;
description
"IPv4 or IPv6 prefix identifying the attacker(s).";
}
list source-port-range {
key "lower-port";
description
"Port range. When only lower-port is
present, it represents a single port number.";
leaf lower-port {
type inet:port-number;
description
"Lower port number of the port range.";
}
leaf upper-port {
type inet:port-number;
must '. >= ../lower-port' {
error-message
"The upper port number must be greater than
or equal to lower port number.";
}
description
"Upper port number of the port range.";
}
}
list source-icmp-type-range {
key "lower-type";
description
"ICMP type range. When only lower-type is
present, it represents a single ICMP type.";
leaf lower-type {
type uint8;
description
"Lower ICMP type of the ICMP type range.";
}
leaf upper-type {
type uint8;
must '. >= ../lower-type' {
error-message
"The upper ICMP type must be greater than
or equal to lower ICMP type.";
}
description
"Upper type of the ICMP type range.";
}
}
list total-attack-traffic {
key "unit";
description
"Total attack traffic issued from this source.";
uses traffic-unit-all;
}
container total-attack-connection {
description
"Total attack connections issued from this source.";
uses connection-all;
}
}
}
grouping top-talker {
description
"Top attack sources.";
list talker {
key "source-prefix";
description
"IPv4 or IPv6 prefix identifying the attacker(s).";
leaf spoofed-status {
type boolean;
description
"Indicates whether this address is spoofed.";
}
leaf source-prefix {
type inet:ip-prefix;
description
"IPv4 or IPv6 prefix identifying the attacker(s).";
}
list source-port-range {
key "lower-port";
description
"Port range. When only lower-port is
present, it represents a single port number.";
leaf lower-port {
type inet:port-number;
description
"Lower port number of the port range.";
}
leaf upper-port {
type inet:port-number;
must '. >= ../lower-port' {
error-message
"The upper port number must be greater than
or equal to lower port number.";
}
description
"Upper port number of the port range.";
}
}
list source-icmp-type-range {
key "lower-type";
description
"ICMP type range. When only lower-type is
present, it represents a single ICMP type.";
leaf lower-type {
type uint8;
description
"Lower ICMP type of the ICMP type range.";
}
leaf upper-type {
type uint8;
must '. >= ../lower-type' {
error-message
"The upper ICMP type must be greater than
or equal to lower ICMP type.";
}
description
"Upper type of the ICMP type range.";
}
}
list total-attack-traffic {
key "unit";
description
"Total attack traffic issued from this source.";
uses traffic-unit-all;
}
container total-attack-connection {
description
"Total attack connections issued from this source.";
uses connection-protocol-all;
}
}
}
grouping baseline {
description
"Grouping for the telemetry baseline.";
uses data-channel:target;
leaf-list alias-name {
type string;
description
"An alias name that points to an IP resource.
An IP resource can be be a router, a host,
an IoT object, a server, etc.";
}
list total-traffic-normal {
key "unit";
description
"Total traffic normal baselines.";
uses traffic-unit;
}
list total-traffic-normal-per-protocol {
key "unit protocol";
description
"Total traffic normal baselines per protocol.";
uses traffic-unit-protocol;
}
list total-traffic-normal-per-port {
key "unit port";
description
"Total traffic normal baselines per port number.";
uses traffic-unit-port;
}
list total-connection-capacity {
key "protocol";
description
"Total connection capacity.";
uses total-connection-capacity-protocol;
}
list total-connection-capacity-per-port {
key "protocol port";
description
"Total connection capacity per port number.";
leaf port {
type inet:port-number;
description
"The target port number.";
}
uses total-connection-capacity-protocol;
}
}
grouping pre-or-ongoing-mitigation {
description
"Grouping for the telemetry data.";
list total-traffic {
key "unit";
description
"Total traffic.";
uses traffic-unit-all;
}
list total-traffic-protocol {
key "unit protocol";
description
"Total traffic per protocol.";
uses traffic-unit-protocol-all;
}
list total-traffic-port {
key "unit port";
description
"Total traffic per port number.";
uses traffic-unit-port-all;
}
list total-attack-traffic {
key "unit";
description
"Total attack traffic.";
uses traffic-unit-protocol-all;
}
list total-attack-traffic-protocol {
key "unit protocol";
description
"Total attack traffic per protocol.";
uses traffic-unit-protocol-all;
}
list total-attack-traffic-port {
key "unit port";
description
"Total attack traffic per port number.";
uses traffic-unit-port-all;
}
container total-attack-connection {
description
"Total attack connections.";
uses connection-protocol-all;
}
container total-attack-connection-port {
description
"Total attack connections.";
uses connection-protocol-port-all;
}
list attack-detail {
key "vendor-id attack-id";
description
"Provides a set of attack details.";
uses attack-detail;
container top-talker {
description
"Lists the top attack sources.";
uses top-talker;
}
}
}
sx:augment-structure "/dots-signal:dots-signal"
+ "/dots-signal:message-type"
+ "/dots-signal:mitigation-scope"
+ "/dots-signal:scope" {
description
"Extends mitigation scope with telemetry update data.";
choice direction {
description
"Indicates the communication direction in which the
data nodes can be included.";
case server-to-client-only {
description
"These data nodes appear only in a mitigation message
sent from the server to the client.";
list total-traffic {
key "unit";
description
"Total traffic.";
uses traffic-unit-all;
}
container total-attack-connection {
description
"Total attack connections.";
uses connection-all;
}
}
}
list total-attack-traffic {
key "unit";
description
"Total attack traffic.";
uses traffic-unit-all;
}
list attack-detail {
key "vendor-id attack-id";
description
"Attack details";
uses attack-detail;
container top-talker {
description
"Top attack sources.";
uses top-talker-aggregate;
}
}
}
sx:structure dots-telemetry {
description
"Main structure for DOTS telemetry messages.";
choice telemetry-message-type {
description
"Can be a telemetry-setup or telemetry data.";
case telemetry-setup {
description
"Indicates the message is about telemetry.";
choice direction {
description
"Indicates the communication direction in which the
data nodes can be included.";
case server-to-client-only {
description
"These data nodes appear only in a mitigation message
sent from the server to the client.";
container max-config-values {
description
"Maximum acceptable configuration values.";
uses telemetry-parameters;
leaf server-originated-telemetry {
type boolean;
default false;
description
"Indicates whether the DOTS server can be instructed
to send pre-or-ongoing-mitigation telemetry. If set
to FALSE or the data node is not present, this is
an indication that the server does not support this
capability.";
}
leaf telemetry-notify-interval {
type uint32 {
range "1 .. 3600";
}
units "seconds";
must ". >= ../../min-config-values"
+ "/telemetry-notify-interval" {
error-message
"The value must be greater than or equal
to the telemetry-notify-interval in the
min-config-values";
}
description
"Minimum number of seconds between successive
telemetry notifications.";
}
}
container min-config-values {
description
"Minimum acceptable configuration values.";
uses telemetry-parameters;
leaf telemetry-notify-interval {
type uint32 {
range "1 .. 3600";
}
units "seconds";
description
"Minimum number of seconds between successive
telemetry notifications.";
}
}
container supported-unit-classes {
description
"Supported unit classes and default activation
status.";
uses unit-config;
}
leaf-list query-type {
type query-type;
description
"Indicates which query types are supported by
the server. If the server does not announce
the query types it supports, the client will
be unable to use any of the potential
query-type to reduce the returned data
content from the server.";
}
}
}
list telemetry {
description
"The telemetry data per DOTS client. The keys
of the list are 'cuid' and 'tsid', but these keys are not
represented here because these keys are conveyed as
mandatory Uri-Paths in requests. Omitting keys
is compliant with RFC8791.";
choice direction {
description
"Indicates the communication direction in which the
data nodes can be included.";
case server-to-client-only {
description
"These data nodes appear only in a mitigation message
sent from the server to the client.";
leaf tsid {
type uint32;
description
"An identifier for the DOTS telemetry setup
data.";
}
}
}
choice setup-type {
description
"Can be a mitigation configuration, a pipe capacity,
or baseline message.";
case telemetry-config {
description
"Used to set telemetry parameters such as setting
low, mid, and high percentile values.";
container current-config {
description
"Current telemetry configuration values.";
uses telemetry-parameters;
uses unit-config;
leaf server-originated-telemetry {
type boolean;
description
"Used by a DOTS client to enable/disable whether it
accepts pre-or-ongoing-mitigation telemetry from
the DOTS server.";
}
leaf telemetry-notify-interval {
type uint32 {
range "1 .. 3600";
}
units "seconds";
description
"Minimum number of seconds between successive
telemetry notifications.";
}
}
}
case pipe {
description
"Total pipe capacity of a DOTS client domain.";
list total-pipe-capacity {
key "link-id unit";
description
"Total pipe capacity of a DOTS client domain.";
leaf link-id {
type nt:link-id;
description
"Identifier of an interconnection link of
the DOTS client domain.";
}
leaf capacity {
type uint64;
mandatory true;
description
"Pipe capacity. This attribute is mandatory when
total-pipe-capacity is included in a message.";
}
leaf unit {
type unit;
description
"The traffic can be measured using unit classes:
packets per second (pps), Bits per Second (bit/s),
and/or bytes per second (Byte/s).
For a given type, the DOTS agents auto-scale
to the appropriate units (e.g., megabit-ps,
kilobit-ps).";
}
}
}
case baseline {
description
"Traffic baseline information of a DOTS client domain.";
list baseline {
key "id";
description
"Traffic baseline information of a DOTS client
domain.";
leaf id {
type uint32;
must '. >= 1';
description
"An identifier that uniquely identifies a baseline
entry communicated by a DOTS client.";
}
uses baseline;
}
}
}
}
}
case telemetry {
description
"Indicates the message is about telemetry.";
list pre-or-ongoing-mitigation {
description
"Pre-or-ongoing-mitigation telemetry per DOTS client.
The keys of the list are 'cuid' and 'tmid', but these
keys are not represented here because these keys are
conveyed as mandatory Uri-Paths in requests.
Omitting keys is compliant with RFC8791.";
choice direction {
description
"Indicates the communication direction in which the
data nodes can be included.";
case server-to-client-only {
description
"These data nodes appear only in a mitigation message
sent from the server to the client.";
leaf tmid {
type uint32;
description
"An identifier to uniquely demux telemetry data sent
using the same message.";
}
}
}
container target {
description
"Indicates the target. At least one of the attributes
'target-prefix', 'target-fqdn', 'target-uri',
'alias-name', or 'mid-list' must be present in the
target definition.";
uses data-channel:target;
leaf-list alias-name {
type string;
description
"An alias name that points to a resource.";
}
leaf-list mid-list {
type uint32;
description
"Reference a list of associated mitigation requests.";
}
}
uses pre-or-ongoing-mitigation;
}
}
}
}
}
<CODE ENDS>
10.2. Vendor Attack Mapping Details YANG Module 10.2. Vendor Attack Mapping Details YANG Module
<CODE BEGINS> file "ietf-dots-mapping@2020-06-26.yang" <CODE BEGINS> file "ietf-dots-mapping@2020-06-26.yang"
module ietf-dots-mapping { module ietf-dots-mapping {
yang-version 1.1; yang-version 1.1;
namespace "urn:ietf:params:xml:ns:yang:ietf-dots-mapping"; namespace "urn:ietf:params:xml:ns:yang:ietf-dots-mapping";
prefix dots-mapping; prefix dots-mapping;
import ietf-dots-data-channel { import ietf-dots-data-channel {
prefix data-channel; prefix data-channel;
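Review bot: in grouping pre-or-ongoing-mitigation, `list total-attack-traffic` is keyed on `unit` alone but does `uses traffic-unit-protocol-all;`, which pulls in the per-protocol leaves; the sibling `list total-traffic { key "unit"; uses traffic-unit-all; }` and the `total-attack-traffic` list in the mitigation-scope augment (also keyed `unit`, `uses traffic-unit-all;`) show the intended grouping is `traffic-unit-all`, so this looks like a copy-paste slip that would put a stray `protocol` leaf in the per-unit totals. Three description strings in the same block also need attention: `container total-attack-connection-port` repeats "Total attack connections." where the per-port variant should read "Total attack connections per port number."; `case telemetry-setup` and `case telemetry` both say "Indicates the message is about telemetry.", so the first should say "telemetry setup"; and the `alias-name` description in grouping baseline has "can be be a router". Finally, the `server-to-client-only` cases under `telemetry-setup` and `telemetry` say the nodes appear "only in a mitigation message sent from the server to the client", but these structures carry telemetry setup and telemetry messages, not mitigation messages; consider "telemetry setup message" and "telemetry message" respectively.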
skipping to change at page 95, line 6 skipping to change at page 101, line 4
if-feature "dots-telemetry"; if-feature "dots-telemetry";
description description
"Augments the data channel with a vendor attack "Augments the data channel with a vendor attack
mapping table of the DOTS server."; mapping table of the DOTS server.";
container vendor-mapping { container vendor-mapping {
config false; config false;
description description
"Includes the list of vendor attack mapping details "Includes the list of vendor attack mapping details
that will be shared upon request with DOTS clients."; that will be shared upon request with DOTS clients.";
uses attack-mapping; uses attack-mapping;
} }
} }
} }
<CODE ENDS> <CODE ENDS>
11. YANG/JSON Mapping Parameters to CBOR 11. YANG/JSON Mapping Parameters to CBOR
All DOTS telemetry parameters in the payload of the DOTS signal All DOTS telemetry parameters in the payload of the DOTS signal
channel MUST be mapped to CBOR types as shown in the following table: channel MUST be mapped to CBOR types as shown in Table 2:
o Implementers may use the values in: https://github.com/boucadair/ o Note: Implementers must check that the mapping output provided by
draft-dots-telemetry/blob/master/mapping-table.txt their YANG-to-CBOR encoding schemes is aligned with the content of
Table 2.
+----------------------+-------------+------+---------------+--------+ +----------------------+-------------+------+---------------+--------+
| Parameter Name | YANG | CBOR | CBOR Major | JSON | | Parameter Name | YANG | CBOR | CBOR Major | JSON |
| | Type | Key | Type & | Type | | | Type | Key | Type & | Type |
| | | | Information | | | | | | Information | |
+======================+=============+======+===============+========+ +======================+=============+======+===============+========+
| tsid | uint32 |TBA1 | 0 unsigned | Number | | tsid | uint32 |TBA1 | 0 unsigned | Number |
| telemetry | container |TBA2 | 5 map | Object | | telemetry | container |TBA2 | 5 map | Object |
| low-percentile | decimal64 |TBA3 | 6 tag 4 | | | low-percentile | decimal64 |TBA3 | 6 tag 4 | |
| | | | [-2, integer]| String | | | | | [-2, integer]| String |
| mid-percentile | decimal64 |TBA4 | 6 tag 4 | | | mid-percentile | decimal64 |TBA4 | 6 tag 4 | |
| | | | [-2, integer]| String | | | | | [-2, integer]| String |
| high-percentile | decimal64 |TBA5 | 6 tag 4 | | | high-percentile | decimal64 |TBA5 | 6 tag 4 | |
| | | | [-2, integer]| String | | | | | [-2, integer]| String |
| unit-config | list |TBA6 | 4 array | Array | | unit-config | list |TBA6 | 4 array | Array |
| unit | enumeration |TBA7 | 0 unsigned | String | | unit | enumeration |TBA7 | 0 unsigned | String |
| unit-status | boolean |TBA8 | 7 bits 20 | False | | unit-status | boolean |TBA8 | 7 bits 20 | False |
| | | | 7 bits 21 | True | | | | | 7 bits 21 | True |
| total-pipe-capability| list |TBA9 | 4 array | Array | | total-pipe-capacity | list |TBA9 | 4 array | Array |
| link-id | string |TBA10 | 3 text string | String | | link-id | string |TBA10 | 3 text string | String |
| pre-or-ongoing- | list |TBA11 | 4 array | Array | | pre-or-ongoing- | list |TBA11 | 4 array | Array |
| mitigation | | | | | | mitigation | | | | |
| total-traffic-normal | list |TBA12 | 4 array | Array | | total-traffic-normal | list |TBA12 | 4 array | Array |
| low-percentile-g | yang:gauge64|TBA13 | 0 unsigned | String | | low-percentile-g | yang:gauge64|TBA13 | 0 unsigned | String |
| mid-percentile-g | yang:gauge64|TBA14 | 0 unsigned | String | | mid-percentile-g | yang:gauge64|TBA14 | 0 unsigned | String |
| high-percentile-g | yang:gauge64|TBA15 | 0 unsigned | String | | high-percentile-g | yang:gauge64|TBA15 | 0 unsigned | String |
| peak-g | yang:gauge64|TBA16 | 0 unsigned | String | | peak-g | yang:gauge64|TBA16 | 0 unsigned | String |
| total-attack-traffic | list |TBA17 | 4 array | Array | | total-attack-traffic | list |TBA17 | 4 array | Array |
| total-traffic | list |TBA18 | 4 array | Array | | total-traffic | list |TBA18 | 4 array | Array |
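Review bot: the replacement bullet "Note: Implementers must check that the mapping output provided by their YANG-to-CBOR encoding schemes is aligned with the content of Table 2." uses lowercase "must" in a document that relies on BCP 14 keywords, and it sits right after a sentence that already says the parameters "MUST be mapped to CBOR types as shown in Table 2"; either fold it into that normative sentence or reword it as non-normative guidance ("Implementers are expected to verify that ..."), so readers are not left guessing whether the note adds a requirement. The row rename to `total-pipe-capacity` is correct: it now matches `list total-pipe-capacity` in the YANG module above.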
skipping to change at page 96, line 37 skipping to change at page 102, line 36
| spoofed-status | boolean |TBA44 | 7 bits 20 | False | | spoofed-status | boolean |TBA44 | 7 bits 20 | False |
| | | | 7 bits 21 | True | | | | | 7 bits 21 | True |
| low-percentile-c | container |TBA45 | 5 map | Object | | low-percentile-c | container |TBA45 | 5 map | Object |
| mid-percentile-c | container |TBA46 | 5 map | Object | | mid-percentile-c | container |TBA46 | 5 map | Object |
| high-percentile-c | container |TBA47 | 5 map | Object | | high-percentile-c | container |TBA47 | 5 map | Object |
| peak-c | container |TBA48 | 5 map | Object | | peak-c | container |TBA48 | 5 map | Object |
| baseline | container |TBA49 | 5 map | Object | | baseline | container |TBA49 | 5 map | Object |
| current-config | container |TBA50 | 5 map | Object | | current-config | container |TBA50 | 5 map | Object |
| max-config-values | container |TBA51 | 5 map | Object | | max-config-values | container |TBA51 | 5 map | Object |
| min-config-values | container |TBA52 | 5 map | Object | | min-config-values | container |TBA52 | 5 map | Object |
| supported-units | container |TBA53 | 5 map | Object | |supported-unit-classes| container |TBA53 | 5 map | Object |
| server-originated- | boolean |TBA54 | 7 bits 20 | False | | server-originated- | boolean |TBA54 | 7 bits 20 | False |
| telemetry | | | 7 bits 21 | True | | telemetry | | | 7 bits 21 | True |
| telemetry-notify- | uint32 |TBA55 | 0 unsigned | Number | | telemetry-notify- | uint32 |TBA55 | 0 unsigned | Number |
| interval | | | | | | interval | | | | |
| tmid | uint32 |TBA56 | 0 unsigned | Number | | tmid | uint32 |TBA56 | 0 unsigned | Number |
| measurement-interval | enumeration |TBA57 | 0 unsigned | String | | measurement-interval | enumeration |TBA57 | 0 unsigned | String |
| measurement-sample | enumeration |TBA58 | 0 unsigned | String | | measurement-sample | enumeration |TBA58 | 0 unsigned | String |
| talker | list |TBA59 | 4 array | Array | | talker | list |TBA59 | 4 array | Array |
| source-prefix | inet: |TBA60 | 3 text string | String | | source-prefix | inet: |TBA60 | 3 text string | String |
| | ip-prefix | | | | | | ip-prefix | | | |
skipping to change at page 97, line 43 skipping to change at page 103, line 42
| total-traffic | list |TBA81 | 4 array | Array | | total-traffic | list |TBA81 | 4 array | Array |
| ietf-dots-telemetry: | | | | | | ietf-dots-telemetry: | | | | |
| total-attack-traffic | list |TBA82 | 4 array | Array | | total-attack-traffic | list |TBA82 | 4 array | Array |
| ietf-dots-telemetry: | | | | | | ietf-dots-telemetry: | | | | |
| total-attack- | | | | | | total-attack- | | | | |
| connection | container |TBA83 | 5 map | Object | | connection | container |TBA83 | 5 map | Object |
| ietf-dots-telemetry: | | | | | | ietf-dots-telemetry: | | | | |
| attack-detail | list |TBA84 | 4 array | Array | | attack-detail | list |TBA84 | 4 array | Array |
| ietf-dots-telemetry: | | | | | | ietf-dots-telemetry: | | | | |
| telemetry | container |TBA85 | 5 map | Object | | telemetry | container |TBA85 | 5 map | Object |
| current-g | yang:gauge64|TBA86 | 0 unsigned | String |
| current-l | list |TBA87 | 4 array | Array |
| current-c | container |TBA88 | 5 map | Object |
+----------------------+-------------+------+---------------+--------+ +----------------------+-------------+------+---------------+--------+
Table 2: YANG/JSON Mapping Parameters to CBOR
12. IANA Considerations 12. IANA Considerations
12.1. DOTS Signal Channel CBOR Key Values 12.1. DOTS Signal Channel CBOR Key Values
This specification registers the DOTS telemetry attributes in the This specification registers the DOTS telemetry attributes in the
IANA "DOTS Signal Channel CBOR Key Values" registry [Key-Map]. IANA "DOTS Signal Channel CBOR Key Values" registry [Key-Map].
The DOTS telemetry attributes defined in this specification are The DOTS telemetry attributes defined in this specification are
comprehension-optional parameters. comprehension-optional parameters.
skipping to change at page 98, line 24 skipping to change at page 104, line 31
| | Value | Type | | | | | Value | Type | | |
+======================+=======+=======+============+===============+ +======================+=======+=======+============+===============+
| tsid | TBA1 | 0 | IESG | [RFCXXXX] | | tsid | TBA1 | 0 | IESG | [RFCXXXX] |
| telemetry | TBA2 | 5 | IESG | [RFCXXXX] | | telemetry | TBA2 | 5 | IESG | [RFCXXXX] |
| low-percentile | TBA3 | 6tag4 | IESG | [RFCXXXX] | | low-percentile | TBA3 | 6tag4 | IESG | [RFCXXXX] |
| mid-percentile | TBA4 | 6tag4 | IESG | [RFCXXXX] | | mid-percentile | TBA4 | 6tag4 | IESG | [RFCXXXX] |
| high-percentile | TBA5 | 6tag4 | IESG | [RFCXXXX] | | high-percentile | TBA5 | 6tag4 | IESG | [RFCXXXX] |
| unit-config | TBA6 | 4 | IESG | [RFCXXXX] | | unit-config | TBA6 | 4 | IESG | [RFCXXXX] |
| unit | TBA7 | 0 | IESG | [RFCXXXX] | | unit | TBA7 | 0 | IESG | [RFCXXXX] |
| unit-status | TBA8 | 7 | IESG | [RFCXXXX] | | unit-status | TBA8 | 7 | IESG | [RFCXXXX] |
| total-pipe-capability| TBA9 | 4 | IESG | [RFCXXXX] | | total-pipe-capacity | TBA9 | 4 | IESG | [RFCXXXX] |
| link-id | TBA10 | 3 | IESG | [RFCXXXX] | | link-id | TBA10 | 3 | IESG | [RFCXXXX] |
| pre-or-ongoing- | TBA11 | 4 | IESG | [RFCXXXX] | | pre-or-ongoing- | TBA11 | 4 | IESG | [RFCXXXX] |
| mitigation | | | | | | mitigation | | | | |
| total-traffic-normal | TBA12 | 4 | IESG | [RFCXXXX] | | total-traffic-normal | TBA12 | 4 | IESG | [RFCXXXX] |
| low-percentile-g | TBA13 | 0 | IESG | [RFCXXXX] | | low-percentile-g | TBA13 | 0 | IESG | [RFCXXXX] |
| mid-percentile-g | TBA14 | 0 | IESG | [RFCXXXX] | | mid-percentile-g | TBA14 | 0 | IESG | [RFCXXXX] |
| high-percentile-g | TBA15 | 0 | IESG | [RFCXXXX] | | high-percentile-g | TBA15 | 0 | IESG | [RFCXXXX] |
| peak-g | TBA16 | 0 | IESG | [RFCXXXX] | | peak-g | TBA16 | 0 | IESG | [RFCXXXX] |
| total-attack-traffic | TBA17 | 4 | IESG | [RFCXXXX] | | total-attack-traffic | TBA17 | 4 | IESG | [RFCXXXX] |
| total-traffic | TBA18 | 4 | IESG | [RFCXXXX] | | total-traffic | TBA18 | 4 | IESG | [RFCXXXX] |
skipping to change at page 99, line 23 skipping to change at page 105, line 30
| top-talker | TBA43 | 5 | IESG | [RFCXXXX] | | top-talker | TBA43 | 5 | IESG | [RFCXXXX] |
| spoofed-status | TBA44 | 7 | IESG | [RFCXXXX] | | spoofed-status | TBA44 | 7 | IESG | [RFCXXXX] |
| low-percentile-c | TBA45 | 5 | IESG | [RFCXXXX] | | low-percentile-c | TBA45 | 5 | IESG | [RFCXXXX] |
| mid-percentile-c | TBA46 | 5 | IESG | [RFCXXXX] | | mid-percentile-c | TBA46 | 5 | IESG | [RFCXXXX] |
| high-percentile-c | TBA47 | 5 | IESG | [RFCXXXX] | | high-percentile-c | TBA47 | 5 | IESG | [RFCXXXX] |
| peak-c | TBA48 | 5 | IESG | [RFCXXXX] | | peak-c | TBA48 | 5 | IESG | [RFCXXXX] |
| ietf-dots-signal-cha | TBA49 | 5 | IESG | [RFCXXXX] | | ietf-dots-signal-cha | TBA49 | 5 | IESG | [RFCXXXX] |
| current-config | TBA50 | 5 | IESG | [RFCXXXX] | | current-config | TBA50 | 5 | IESG | [RFCXXXX] |
| max-config-value | TBA51 | 5 | IESG | [RFCXXXX] | | max-config-value | TBA51 | 5 | IESG | [RFCXXXX] |
| min-config-values | TBA52 | 5 | IESG | [RFCXXXX] | | min-config-values | TBA52 | 5 | IESG | [RFCXXXX] |
| supported-units | TBA55 | 5 | IESG | [RFCXXXX] | |supported-unit-classes| TBA55 | 5 | IESG | [RFCXXXX] |
| server-originated- | TBA54 | 7 | IESG | [RFCXXXX] | | server-originated- | TBA54 | 7 | IESG | [RFCXXXX] |
| telemetry | | | | | | telemetry | | | | |
| telemetry-notify- | TBA55 | 0 | IESG | [RFCXXXX] | | telemetry-notify- | TBA55 | 0 | IESG | [RFCXXXX] |
| interval | | | | | | interval | | | | |
| tmid | TBA56 | 0 | IESG | [RFCXXXX] | | tmid | TBA56 | 0 | IESG | [RFCXXXX] |
| measurement-interval | TBA57 | 0 | IESG | [RFCXXXX] | | measurement-interval | TBA57 | 0 | IESG | [RFCXXXX] |
| measurement-sample | TBA58 | 0 | IESG | [RFCXXXX] | | measurement-sample | TBA58 | 0 | IESG | [RFCXXXX] |
| talker | TBA59 | 0 | IESG | [RFCXXXX] | | talker | TBA59 | 0 | IESG | [RFCXXXX] |
| source-prefix | TBA60 | 0 | IESG | [RFCXXXX] | | source-prefix | TBA60 | 0 | IESG | [RFCXXXX] |
| mid-list | TBA61 | 4 | IESG | [RFCXXXX] | | mid-list | TBA61 | 4 | IESG | [RFCXXXX] |
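Review bot: the renamed `supported-unit-classes` row in Table 3 keeps key TBA55, which is the same key assigned to `telemetry-notify-interval` two rows below, while Table 2 lists `supported-unit-classes` as TBA53; the rename fixed the name but not the key, and a duplicate CBOR key in the IANA registry would make the two parameters indistinguishable on the wire, so this row should read TBA53. The same block has further drift from Table 2 that should be reconciled before the registry is populated: `max-config-value` (Table 2: `max-config-values`), the TBA49 row reads `ietf-dots-signal-cha` where Table 2 has `baseline`, `talker` is given CBOR type 0 where Table 2 has `4 array` (it is a YANG list), and `source-prefix` is given 0 where Table 2 has `3 text string` (an `inet:ip-prefix`).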
skipping to change at page 100, line 25 skipping to change at page 106, line 32
| total-traffic | | | | | | total-traffic | | | | |
| ietf-dots-telemetry: | TBA82 | 0 | IESG | [RFCXXXX] | | ietf-dots-telemetry: | TBA82 | 0 | IESG | [RFCXXXX] |
| total-attack-traffic | | | | | | total-attack-traffic | | | | |
| ietf-dots-telemetry: | TBA83 | 0 | IESG | [RFCXXXX] | | ietf-dots-telemetry: | TBA83 | 0 | IESG | [RFCXXXX] |
| total-attack- | | | | | | total-attack- | | | | |
| connection | | | | | | connection | | | | |
| ietf-dots-telemetry: | TBA84 | 4 | IESG | [RFCXXXX] | | ietf-dots-telemetry: | TBA84 | 4 | IESG | [RFCXXXX] |
| attack-detail | | | | | | attack-detail | | | | |
| ietf-dots-telemetry: | TBA85 | 5 | IESG | [RFCXXXX] | | ietf-dots-telemetry: | TBA85 | 5 | IESG | [RFCXXXX] |
| telemetry | | | | | | telemetry | | | | |
| current-g | TBA86 | 0 | IESG | [RFCXXXX] |
| current-l | TBA87 | 4 | IESG | [RFCXXXX] |
| current-c | TBA88 | 5 | IESG | [RFCXXXX] |
+----------------------+-------+-------+------------+---------------+ +----------------------+-------+-------+------------+---------------+
Table 3: Registered DOTS Signal Channel CBOR Key Values
12.2. DOTS Signal Channel Conflict Cause Codes 12.2. DOTS Signal Channel Conflict Cause Codes
This specification requests IANA to assign a new code from the "DOTS This specification requests IANA to assign a new code from the "DOTS
Signal Channel Conflict Cause Codes" registry [Cause]. Signal Channel Conflict Cause Codes" registry [Cause].
+------+-------------------+------------------------+-------------+ +------+-------------------+------------------------+-------------+
| Code | Label | Description | Reference | | Code | Label | Description | Reference |
+======+===================+========================+=============+ +======+===================+========================+=============+
| TBA | overlapping-pipes | Overlapping pipe scope | [RFCXXXX] | | TBA | overlapping-pipes | Overlapping pipe scope | [RFCXXXX] |
+------+-------------------+------------------------+-------------+ +------+-------------------+------------------------+-------------+
Table 4: Registered DOTS Signal Channel Conflict Cause Code
12.3. DOTS Signal Telemetry YANG Module 12.3. DOTS Signal Telemetry YANG Module
This document requests IANA to register the following URIs in the This document requests IANA to register the following URIs in the
"ns" subregistry within the "IETF XML Registry" [RFC3688]: "ns" subregistry within the "IETF XML Registry" [RFC3688]:
URI: urn:ietf:params:xml:ns:yang:ietf-dots-telemetry URI: urn:ietf:params:xml:ns:yang:ietf-dots-telemetry
Registrant Contact: The IESG. Registrant Contact: The IESG.
XML: N/A; the requested URI is an XML namespace. XML: N/A; the requested URI is an XML namespace.
URI: urn:ietf:params:xml:ns:yang:ietf-dots-mapping URI: urn:ietf:params:xml:ns:yang:ietf-dots-mapping
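Review bot: the `ietf-dots-telemetry:total-traffic` (TBA81), `ietf-dots-telemetry:total-attack-traffic` (TBA82) and `ietf-dots-telemetry:total-attack-connection` (TBA83) rows give CBOR type 0, but Table 2 lists the first two as `4 array` and the third as `5 map`, and the mitigation-scope augment in the YANG module defines them as `list total-traffic { key "unit"; ...}`, `list total-attack-traffic { key "unit"; ...}` and `container total-attack-connection`; since Section 12.1 is the text IANA will publish, the CBOR Type column for these three rows should be 4, 4 and 5. The three new rows for `current-g`, `current-l` and `current-c` (0, 4, 5) do agree with the rows added to Table 2 in the same revision.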
skipping to change at page 103, line 38 skipping to change at page 110, line 4
The authors would like to thank Kaname Nishizuka, Wei Pan, and Yuuhei The authors would like to thank Kaname Nishizuka, Wei Pan, and Yuuhei
Hayashi for comments and review. Hayashi for comments and review.
Special thanks to Jon Shallow and Kaname Nishizuka for their Special thanks to Jon Shallow and Kaname Nishizuka for their
implementation and interoperability work. implementation and interoperability work.
Many thanks to Jan Lindblad for the yangdoctors review and Nagendra Many thanks to Jan Lindblad for the yangdoctors review and Nagendra
Nainar for the opsdir review. Nainar for the opsdir review.
16. References 16. References
16.1. Normative References 16.1. Normative References
[Enterprise-Numbers] [Enterprise-Numbers]
"Private Enterprise Numbers", May 2020, "Private Enterprise Numbers", May 2020,
<http://www.iana.org/assignments/enterprise-numbers.html>. <http://www.iana.org/assignments/enterprise-numbers.html>.
[I-D.ietf-dots-rfc8782-bis] [I-D.ietf-dots-rfc8782-bis]
Boucadair, M., Shallow, J., and T. Reddy.K, "Distributed Boucadair, M., Shallow, J., and T. Reddy.K, "Distributed
Denial-of-Service Open Threat Signaling (DOTS) Signal Denial-of-Service Open Threat Signaling (DOTS) Signal
Channel Specification", draft-ietf-dots-rfc8782-bis-01 Channel Specification", draft-ietf-dots-rfc8782-bis-04
(work in progress), September 2020. (work in progress), December 2020.
[I-D.ietf-dots-signal-filter-control] [I-D.ietf-dots-signal-filter-control]
Nishizuka, K., Boucadair, M., Reddy.K, T., and T. Nagata, Nishizuka, K., Boucadair, M., Reddy.K, T., and T. Nagata,
"Controlling Filtering Rules Using Distributed Denial-of- "Controlling Filtering Rules Using Distributed Denial-of-
Service Open Threat Signaling (DOTS) Signal Channel", Service Open Threat Signaling (DOTS) Signal Channel",
draft-ietf-dots-signal-filter-control-07 (work in draft-ietf-dots-signal-filter-control-07 (work in
progress), June 2020. progress), June 2020.
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
Requirement Levels", BCP 14, RFC 2119, Requirement Levels", BCP 14, RFC 2119,
skipping to change at page 104, line 30 skipping to change at page 110, line 41
[RFC6020] Bjorklund, M., Ed., "YANG - A Data Modeling Language for [RFC6020] Bjorklund, M., Ed., "YANG - A Data Modeling Language for
the Network Configuration Protocol (NETCONF)", RFC 6020, the Network Configuration Protocol (NETCONF)", RFC 6020,
DOI 10.17487/RFC6020, October 2010, DOI 10.17487/RFC6020, October 2010,
<https://www.rfc-editor.org/info/rfc6020>. <https://www.rfc-editor.org/info/rfc6020>.
[RFC6991] Schoenwaelder, J., Ed., "Common YANG Data Types", [RFC6991] Schoenwaelder, J., Ed., "Common YANG Data Types",
RFC 6991, DOI 10.17487/RFC6991, July 2013, RFC 6991, DOI 10.17487/RFC6991, July 2013,
<https://www.rfc-editor.org/info/rfc6991>. <https://www.rfc-editor.org/info/rfc6991>.
[RFC7049] Bormann, C. and P. Hoffman, "Concise Binary Object
Representation (CBOR)", RFC 7049, DOI 10.17487/RFC7049,
October 2013, <https://www.rfc-editor.org/info/rfc7049>.
[RFC7252] Shelby, Z., Hartke, K., and C. Bormann, "The Constrained [RFC7252] Shelby, Z., Hartke, K., and C. Bormann, "The Constrained
Application Protocol (CoAP)", RFC 7252, Application Protocol (CoAP)", RFC 7252,
DOI 10.17487/RFC7252, June 2014, DOI 10.17487/RFC7252, June 2014,
<https://www.rfc-editor.org/info/rfc7252>. <https://www.rfc-editor.org/info/rfc7252>.
[RFC7641] Hartke, K., "Observing Resources in the Constrained [RFC7641] Hartke, K., "Observing Resources in the Constrained
Application Protocol (CoAP)", RFC 7641, Application Protocol (CoAP)", RFC 7641,
DOI 10.17487/RFC7641, September 2015, DOI 10.17487/RFC7641, September 2015,
<https://www.rfc-editor.org/info/rfc7641>. <https://www.rfc-editor.org/info/rfc7641>.
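Review bot: dropping [RFC7049] from the normative references is the right call given that [RFC8949] (which obsoletes it) is added in the next block, but every in-text [RFC7049] citation has to be switched to [RFC8949] in the same revision or the draft will carry a dangling citation that idnits will flag; the citing paragraphs are outside the change blocks shown here, so that cannot be confirmed from this diff and is worth a grep before submission.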
skipping to change at page 105, line 31 skipping to change at page 111, line 40
[RFC8783] Boucadair, M., Ed. and T. Reddy.K, Ed., "Distributed [RFC8783] Boucadair, M., Ed. and T. Reddy.K, Ed., "Distributed
Denial-of-Service Open Threat Signaling (DOTS) Data Denial-of-Service Open Threat Signaling (DOTS) Data
Channel Specification", RFC 8783, DOI 10.17487/RFC8783, Channel Specification", RFC 8783, DOI 10.17487/RFC8783,
May 2020, <https://www.rfc-editor.org/info/rfc8783>. May 2020, <https://www.rfc-editor.org/info/rfc8783>.
[RFC8791] Bierman, A., Bjoerklund, M., and K. Watsen, "YANG Data [RFC8791] Bierman, A., Bjoerklund, M., and K. Watsen, "YANG Data
Structure Extensions", RFC 8791, DOI 10.17487/RFC8791, Structure Extensions", RFC 8791, DOI 10.17487/RFC8791,
June 2020, <https://www.rfc-editor.org/info/rfc8791>. June 2020, <https://www.rfc-editor.org/info/rfc8791>.
[RFC8949] Bormann, C. and P. Hoffman, "Concise Binary Object
Representation (CBOR)", STD 94, RFC 8949,
DOI 10.17487/RFC8949, December 2020,
<https://www.rfc-editor.org/info/rfc8949>.
16.2. Informative References 16.2. Informative References
[Cause] IANA, "DOTS Signal Channel Conflict Cause Codes", [Cause] IANA, "DOTS Signal Channel Conflict Cause Codes",
<https://www.iana.org/assignments/dots/dots.xhtml#dots- <https://www.iana.org/assignments/dots/dots.xhtml#dots-
signal-channel-conflict-cause-codes>. signal-channel-conflict-cause-codes>.
[I-D.doron-dots-telemetry] [I-D.doron-dots-telemetry]
Doron, E., Reddy, T., Andreasen, F., Xia, L., and K. Doron, E., Reddy, T., Andreasen, F., Xia, L., and K.
Nishizuka, "Distributed Denial-of-Service Open Threat Nishizuka, "Distributed Denial-of-Service Open Threat
Signaling (DOTS) Telemetry Specifications", draft-doron- Signaling (DOTS) Telemetry Specifications", draft-doron-
skipping to change at page 106, line 9 skipping to change at page 112, line 21
[I-D.ietf-core-new-block] [I-D.ietf-core-new-block]
Boucadair, M. and J. Shallow, "Constrained Application Boucadair, M. and J. Shallow, "Constrained Application
Protocol (CoAP) Block-Wise Transfer Options for Faster Protocol (CoAP) Block-Wise Transfer Options for Faster
Transmission", draft-ietf-core-new-block-02 (work in Transmission", draft-ietf-core-new-block-02 (work in
progress), October 2020. progress), October 2020.
[I-D.ietf-dots-multihoming] [I-D.ietf-dots-multihoming]
Boucadair, M., Reddy.K, T., and W. Pan, "Multi-homing Boucadair, M., Reddy.K, T., and W. Pan, "Multi-homing
Deployment Considerations for Distributed-Denial-of- Deployment Considerations for Distributed-Denial-of-
Service Open Threat Signaling (DOTS)", draft-ietf-dots- Service Open Threat Signaling (DOTS)", draft-ietf-dots-
multihoming-04 (work in progress), May 2020. multihoming-05 (work in progress), November 2020.
[I-D.ietf-dots-use-cases] [I-D.ietf-dots-use-cases]
Dobbins, R., Migault, D., Moskowitz, R., Teague, N., Xia, Dobbins, R., Migault, D., Moskowitz, R., Teague, N., Xia,
L., and K. Nishizuka, "Use cases for DDoS Open Threat L., and K. Nishizuka, "Use cases for DDoS Open Threat
Signaling", draft-ietf-dots-use-cases-25 (work in Signaling", draft-ietf-dots-use-cases-25 (work in
progress), July 2020. progress), July 2020.
[Key-Map] IANA, "DOTS Signal Channel CBOR Key Values", [Key-Map] IANA, "DOTS Signal Channel CBOR Key Values",
<https://www.iana.org/assignments/dots/dots.xhtml#dots- <https://www.iana.org/assignments/dots/dots.xhtml#dots-
signal-channel-cbor-key-values>. signal-channel-cbor-key-values>.
[RFC2330] Paxson, V., Almes, G., Mahdavi, J., and M. Mathis, [RFC2330] Paxson, V., Almes, G., Mahdavi, J., and M. Mathis,
"Framework for IP Performance Metrics", RFC 2330, "Framework for IP Performance Metrics", RFC 2330,
DOI 10.17487/RFC2330, May 1998, DOI 10.17487/RFC2330, May 1998,
<https://www.rfc-editor.org/info/rfc2330>. <https://www.rfc-editor.org/info/rfc2330>.
[RFC8340] Bjorklund, M. and L. Berger, Ed., "YANG Tree Diagrams", [RFC8340] Bjorklund, M. and L. Berger, Ed., "YANG Tree Diagrams",
BCP 215, RFC 8340, DOI 10.17487/RFC8340, March 2018, BCP 215, RFC 8340, DOI 10.17487/RFC8340, March 2018,
<https://www.rfc-editor.org/info/rfc8340>. <https://www.rfc-editor.org/info/rfc8340>.
[RFC8525] Bierman, A., Bjorklund, M., Schoenwaelder, J., Watsen, K.,
and R. Wilton, "YANG Library", RFC 8525,
DOI 10.17487/RFC8525, March 2019,
<https://www.rfc-editor.org/info/rfc8525>.
[RFC8612] Mortensen, A., Reddy, T., and R. Moskowitz, "DDoS Open [RFC8612] Mortensen, A., Reddy, T., and R. Moskowitz, "DDoS Open
Threat Signaling (DOTS) Requirements", RFC 8612, Threat Signaling (DOTS) Requirements", RFC 8612,
DOI 10.17487/RFC8612, May 2019, DOI 10.17487/RFC8612, May 2019,
<https://www.rfc-editor.org/info/rfc8612>. <https://www.rfc-editor.org/info/rfc8612>.
Authors' Addresses Authors' Addresses
Mohamed Boucadair (editor) Mohamed Boucadair (editor)
Orange Orange
Rennes 35000 Rennes 35000
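Review bot: [RFC8525] (YANG Library) is added to the informative references, but none of the change blocks in this diff shows the body text that cites it; if the citation was not added elsewhere in this revision, the entry is an unused reference and should either be cited where the module's YANG library advertisement is discussed or be removed. The bump of [I-D.ietf-dots-multihoming] to -05 is consistent with the November 2020 date shown.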
 End of changes. 124 change blocks. 
1408 lines changed or deleted 1682 lines changed or added

This html diff was produced by rfcdiff 1.48. The latest version is available from http://tools.ietf.org/tools/rfcdiff/