< draft-ietf-dots-telemetry-use-cases-09.txt   draft-ietf-dots-telemetry-use-cases-10.txt >
DOTS                                                        Y. Hayashi
Internet-Draft                                                     NTT
Intended status: Informational                                 M. Chen
Expires: 4 October 2022                                         Li. Su
                                                                  CMCC
                                                          2 April 2022

Use Cases for DDoS Open Threat Signaling (DOTS) Telemetry
draft-ietf-dots-telemetry-use-cases-10

Abstract

DDoS Open Threat Signaling (DOTS) Telemetry enriches the base DOTS protocols to assist the mitigator in using efficient DDoS attack mitigation techniques in a network. This document presents sample use cases for DOTS Telemetry. It discusses in particular what components are deployed in the network, how they cooperate, and what information is exchanged to effectively use these techniques.

Status of This Memo

This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79.

Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet-Drafts is at https://datatracker.ietf.org/drafts/current/.

Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress."

This Internet-Draft will expire on 4 October 2022.

Copyright Notice

Copyright (c) 2022 IETF Trust and the persons identified as the document authors. All rights reserved.

This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (https://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights
skipping to change at page 3, line 44

3. Telemetry Use Cases

This section describes DOTS telemetry use cases that use attributes included in the DOTS telemetry specification [I-D.ietf-dots-telemetry].

3.1. Mitigation Resources Assignment

3.1.1. Mitigating Attack Flow of Top-talker Preferentially

Some transit providers have to mitigate such large-scale DDoS attacks by using DDoS Mitigation Systems (DMSes) with limited resources, which are already deployed in their network. For example, recently reported large DDoS attacks exceeded 1 Tps.

The aim of this use case is to enable transit providers to use their DMS efficiently under volume-based DDoS attacks whose volume is more than the available capacity of the DMS. To enable this, the attack traffic of top-talkers is redirected to the DMS preferentially by cooperation among forwarding nodes, flow collectors, and orchestrators.

Figure 1 gives an overview of this use case. Figure 2 provides an example of a DOTS telemetry message body that is used to signal top-talkers (2001:db8::2/128 and 2001:db8::3/128).
(Internet Transit Provider)
+-----------+ +--------------+ e.g., SNMP
skipping to change at page 4, line 30
--->| Flow ||C<-->S| Orchestrator | e.g., BGP Flowspec
| collector |+ | |---> (Redirect)
+-----------+ +--------------+
+-------------+
e.g., IPFIX +-------------+| e.g., BGP Flowspec
<---| Forwarding ||<--- (Redirect)
| nodes ||
| || DDoS Attack
[ Target ]<============|===============================
[ or ] | ++=========================[top-talker]
[ Targets ] | || ++======================[top-talker]
+----|| ||---+
|| ||
|| ||
|/ |/
+----x--x----+
| DDoS | e.g., SNMP
| mitigation |<---
| system |
+------------+

* C is for DOTS client functionality
* S is for DOTS server functionality

Figure 1: Mitigating DDoS Attack Flow of Top-talkers Preferentially
{
  "ietf-dots-telemetry:telemetry": {
    "pre-or-ongoing-mitigation": [
      {
        "target": {
          "target-prefix": [
            "2001:db8::1/128"
          ]
skipping to change at page 6, line 11
        ]
      }
    ]
  }
}

Figure 2: An Example of Message Body to Signal Top-Talkers
The forwarding nodes send traffic statistics to the flow collectors using, e.g., IP Flow Information Export (IPFIX) [RFC7011]. When DDoS attacks occur, the flow collectors identify the attack traffic and send information about the top-talkers to the orchestrator using the "target-prefix" and "top-talkers" DOTS telemetry attributes. The orchestrator then checks the available capacity of the DMSes by using a network management protocol, such as Simple Network Management Protocol (SNMP) [RFC3413]. After that, the orchestrator orders the forwarding nodes to redirect as much of the top-talkers' traffic to the DMS as possible by dissemination of Flow Specifications relying upon tools, such as Border Gateway Protocol Dissemination of Flow Specification Rules (BGP Flowspec) [RFC8955].

The flow collector implements a DOTS client while the orchestrator implements a DOTS server.
3.1.2. Optimal DMS Selection for Mitigation

Transit providers can deploy their DMSes in clusters. Then, they can select the DMS to be used to mitigate a DDoS attack at attack time.
skipping to change at page 7, line 33
|| || +-----------+
|| |/ | DMS3 |
|| +-----x------+ |<--- e.g., SNMP
|/ | DMS2 |--------+
+--x---------+ |<--- e.g., SNMP
| DMS1 |------+
| |<--- e.g., SNMP
+------------+

* C is for DOTS client functionality
* S is for DOTS server functionality

Figure 3: Optimal DMS Selection for Mitigation
{
  "ietf-dots-telemetry:telemetry": {
    "pre-or-ongoing-mitigation": [
      {
        "target": {
          "target-prefix": [
            "2001:db8::1/128"
          ]
skipping to change at page 8, line 33
      }
    ]
  }
}

Figure 4: Example of Message Body with Total Attack Traffic
The forwarding nodes send traffic statistics to the flow collectors using, e.g., IPFIX. When DDoS attacks occur, the flow collectors identify the attack traffic and send information about the attack traffic volume to the orchestrator by using the "target-prefix" and "total-attack-traffic" DOTS telemetry attributes. The orchestrator then checks the available capacity of the DMSes by using a network management protocol, such as SNMP. After that, the orchestrator selects an optimal DMS to which each attack traffic flow should be redirected. For example, a simple DMS selection algorithm is to choose a DMS whose available capacity is greater than the "peak-g" attribute indicated in the DOTS telemetry message. The orchestrator orders the appropriate forwarding nodes to redirect the attack traffic to the optimal DMS relying upon routing policies, such as BGP [RFC4271].
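As an added example (not code from the draft), the following Python sketches the orchestrator-side logic of Sections 3.1.1 and 3.1.2: it parses a constructed telemetry body in the style of Figure 2, packs top-talkers into a DMS's free capacity biggest-first, and picks a DMS whose available capacity exceeds "peak-g" (the same check the draft applies to path selection in 3.1.3). The "top-talker"/"talker" nesting, the "megabit-ps" unit names and the string-encoded gauges are assumed from the DOTS telemetry data model; all traffic values and DMS capacities are made up.

```python
import json

# Bit-rate units from the DOTS telemetry "unit" enumeration (names assumed
# from the data model), scaled to megabits per second. Packet-rate units
# are rejected because they cannot be compared with a bandwidth capacity.
_UNIT_TO_MBPS = {
    "bit-ps": 1e-6,
    "kilobit-ps": 1e-3,
    "megabit-ps": 1.0,
    "gigabit-ps": 1e3,
}

# Constructed telemetry body in the style of Figure 2: attack traffic toward
# 2001:db8::1/128 with two top-talkers. Values are sample data only.
TOP_TALKER_MSG = json.dumps({
    "ietf-dots-telemetry:telemetry": {
        "pre-or-ongoing-mitigation": [{
            "target": {"target-prefix": ["2001:db8::1/128"]},
            "total-attack-traffic": [{"unit": "megabit-ps", "peak-g": "900"}],
            "top-talker": {"talker": [
                {"source-prefix": "2001:db8::2/128",
                 "total-attack-traffic": [{"unit": "megabit-ps", "peak-g": "600"}]},
                {"source-prefix": "2001:db8::3/128",
                 "total-attack-traffic": [{"unit": "megabit-ps", "peak-g": "300"}]},
            ]},
        }]
    }
})


def peak_mbps(traffic):
    """Largest "peak-g" in a list of traffic entries, in Mbit/s.

    The data model encodes 64-bit gauges as JSON strings, so both str and
    int are accepted.
    """
    peaks = []
    for entry in traffic:
        unit = entry.get("unit")
        if unit not in _UNIT_TO_MBPS:
            raise ValueError(f"unsupported or missing unit: {unit!r}")
        if "peak-g" in entry:
            peaks.append(int(entry["peak-g"]) * _UNIT_TO_MBPS[unit])
    if not peaks:
        raise ValueError("no peak-g reported")
    return max(peaks)


def parse_telemetry(body):
    """Flatten the pre-or-ongoing-mitigation list into plain dicts."""
    doc = json.loads(body) if isinstance(body, str) else body
    parsed = []
    for e in doc["ietf-dots-telemetry:telemetry"]["pre-or-ongoing-mitigation"]:
        talkers = [(t["source-prefix"], peak_mbps(t["total-attack-traffic"]))
                   for t in e.get("top-talker", {}).get("talker", [])]
        parsed.append({
            "targets": list(e["target"]["target-prefix"]),
            "peak_mbps": peak_mbps(e["total-attack-traffic"]),
            "talkers": talkers,
        })
    return parsed


def plan_top_talker_redirect(entry, dms_available_mbps):
    """Section 3.1.1: choose which top-talkers to redirect to a single DMS.

    Talkers are taken biggest-first and skipped once they no longer fit, so
    the DMS is never asked to absorb more than its free capacity.
    """
    plan, remaining = [], dms_available_mbps
    for prefix, peak in sorted(entry["talkers"], key=lambda t: t[1], reverse=True):
        if peak <= remaining:
            plan.append(prefix)
            remaining -= peak
    return plan


def select_by_capacity(needed_mbps, available):
    """Section 3.1.2: pick the DMS (or, in 3.1.3, the path) whose available
    capacity exceeds the attack's peak-g. Best fit is used so that larger
    resources stay free for larger attacks; None means nothing fits."""
    candidates = [(cap, name) for name, cap in available.items() if cap > needed_mbps]
    return min(candidates)[1] if candidates else None
```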
The detailed DMS selection algorithm is out of the scope of this
skipping to change at page 9, line 24
bandwidth of the attack traffic and total traffic. Figure 5 gives an overview of this use case. Figure 6 provides an example of a DOTS telemetry message body that is used to signal various attack traffic percentiles and total traffic percentiles.
(Internet Transit Provider)
+-----------+ +--------------+ DOTS
e.g., +-----------+| | |S<---
IPFIX | Flow || DOTS | Orchestrator |
-->| collector ||C<-->S| | e.g., BGP Flowspec
| |+ | |---> (Redirect)
+-----------+ +--------------+
DOTS +------------+ DOTS +------------+ e.g., IPFIX
--->C| Forwarding | --->C| Forwarding |--->
e.g., BGP Flowspec | node | | node |
(Redirect) --->| | | | DDoS Attack
[Target] | ++====================================
+-------||---+ +------------+
|| /
|| / (congested link)
|| /
DOTS +-||----------------+ e.g., BGP Flowspec
--->C| || Forwarding |<--- (Redirect)
| ++=== node |
+----||-------------+
|/
+--x-----------+
| DMS |
+--------------+

* C is for DOTS client functionality
* S is for DOTS server functionality

Figure 5: Best-path Selection for Redirection
{
  "ietf-dots-telemetry:telemetry": {
    "pre-or-ongoing-mitigation": [
      {
        "target": {
          "target-prefix": [
            "2001:db8::1/128"
          ]
skipping to change at page 11, line 6
        ]
      }
    ]
  }
}

Figure 6: An Example of Message Body with Total Attack Traffic and Total Traffic
The forwarding nodes send traffic statistics to the flow collectors by using, e.g., IPFIX. When DDoS attacks occur, the flow collectors identify attack traffic and send information about the attack traffic volume to the orchestrator by using the "target-prefix" and "total-attack-traffic" DOTS telemetry attributes. On the other hand, the underlying forwarding nodes send the volume of the total traffic passing the node to the orchestrator by using "total-traffic" telemetry attributes. The orchestrator then selects an optimal path to which each attack-traffic flow should be redirected. For example, a simple selection algorithm is to choose a path whose available capacity is greater than the "peak-g" attribute that was indicated in a DOTS telemetry message. After that, the orchestrator orders the appropriate forwarding nodes to redirect the attack traffic to the optimal DMS by dissemination of Flow Specifications relying upon tools, such as BGP Flowspec.
The detailed path selection algorithm is out of the scope of this
skipping to change at page 12, line 9
attack traffic. Figure 7 gives an overview of this use case. Figure 8 provides an example of a DOTS telemetry message body that is used to signal total pipe capacity. Figure 9 provides an example of a DOTS telemetry message body that is used to signal various attack traffic percentiles and total traffic percentiles.
(Internet Transit Provider)
+------------+ +----------------+
e.g., | Network | DOTS | Administrative |
Alert ----->| Management |C<--->S| System | e.g., BGP Flowspec
| System | | |---> (Rate-Limit)
+------------+ +----------------+
+------------+ +------------+ e.g., BGP Flowspec
| Forwarding | | Forwarding |<--- (Rate-Limit X bps)
| node | | node |
Link1 | | | | DDoS & Normal traffic
[Target]<------------------------------------================
Pipe +------------+ +------------+ Attack Traffic
Capability Bandwidth
e.g., X bps e.g., Y bps
Network access success rate
e.g., X / (X + Y)

* C is for DOTS client functionality
* S is for DOTS server functionality

Figure 7: Short but Extreme Volumetric Attack Mitigation
{
  "ietf-dots-telemetry:telemetry-setup": {
    "telemetry": [
      {
        "total-pipe-capacity": [
          {
            "link-id": "link1",
skipping to change at page 13, line 40
      }
    ]
  }
}

Figure 9: Example of Message Body with Total Attack Traffic, and Total Traffic
When DDoS attacks occur, the network management system receives alerts. Then, it sends the target IP address(es) and the volume of the DDoS attack traffic to the administrative system by using the "target-prefix" and "total-attack-traffic" DOTS telemetry attributes. After that, the administrative system orders relevant forwarding nodes to rate-limit all traffic destined to the target based on the pipe capability by the dissemination of Flow Specifications relying upon tools, such as BGP Flowspec. In addition, the administrative system estimates the network-access success rate of the target, which is calculated by (total-pipe-capability / (total-pipe-capability + total-attack-traffic)).

Note that total pipe capability information can be gathered by telemetry setup in advance (Section 7.2 of [I-D.ietf-dots-telemetry]).

The network management system implements a DOTS client while the administrative system implements a DOTS server.
3.1.5. Selecting Mitigation Technique Based on Attack Type

Some volumetric attacks, such as amplification attacks, can be detected with high accuracy by checking the Layer 3 or Layer 4 information of attack packets. These attacks can be detected and mitigated through cooperation among forwarding nodes and flow collectors by using IPFIX. It may also be necessary to inspect the Layer 7 information of suspicious packets to detect attacks such as DNS Water Torture Attacks. Such attack traffic should be detected and mitigated at a DMS.

The aim of this use case is to enable transit providers to select a mitigation technique based on the type of attack traffic: amplification attack or not. To use such a technique, the attack traffic is blocked by forwarding nodes or redirected to a DMS based on the attack type through cooperation among forwarding nodes, flow collectors, and an orchestrator.

Figure 10 gives an overview of this use case. Figure 11 provides an example of the attack mappings that are shared by using the DOTS data channel in advance. Figure 12 provides an example of a DOTS telemetry message body that is used to signal various attack traffic percentiles, total traffic percentiles, total attack connection and attack type.

The example in Figure 11 uses the folding defined in [RFC8792] for long lines.
(Internet Transit Provider)
skipping to change at page 18, line 12
        ]
      }
    ]
  }
}

Figure 12: Example of Message Body with Total Attack Traffic, Total Attack Traffic Protocol, Total Attack Connection and Attack Type
Attack mappings are shared by using the DOTS data channel in advance (Section 8.1.6 of [I-D.ietf-dots-telemetry]). The forwarding nodes send traffic statistics to the flow collectors by using, e.g., IPFIX. When DDoS attacks occur, the flow collectors identify attack traffic and send attack type information to the orchestrator by using the "vendor-id" and "attack-id" telemetry attributes. The orchestrator then resolves the abused port numbers and orders relevant forwarding nodes to block the amplification attack traffic flow by dissemination of Flow Specifications, e.g., [RFC8955]. Also, the orchestrator orders relevant forwarding nodes to redirect traffic other than the amplification attack traffic by using a routing protocol, such as BGP.

The flow collector implements a DOTS client while the orchestrator implements a DOTS server.
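As an added example (not the draft's code), the following Python shows how an orchestrator could turn "vendor-id"/"attack-id" attack-detail entries into an ordered set of forwarding-node actions: discard rules keyed on the abused UDP source port for amplification attacks, then a destination-only redirect to the DMS for everything else. The attack-mapping table stands in for Figure 11 (not reproduced above), uses the enterprise number 32473 reserved for documentation, and is constructed; the attack-detail field layout is assumed from the DOTS telemetry data model.

```python
import json

UDP = 17  # IP protocol number matched in the Flow Specification rule

# Constructed attack mappings standing in for the draft's Figure 11 (not
# reproduced on this page). Keys are (vendor-id, attack-id) as carried in
# "attack-detail"; 32473 is the enterprise number reserved for documentation.
# An entry with "udp-port" is an amplification attack whose abused service
# port the orchestrator resolves when writing the discard rule.
ATTACK_MAPPINGS = {
    (32473, 1): {"description": "DNS amplification", "udp-port": 53},
    (32473, 2): {"description": "NTP amplification", "udp-port": 123},
    (32473, 3): {"description": "DNS water torture"},  # needs Layer 7 inspection at a DMS
}

# Constructed telemetry body in the style of Figure 12: an amplification
# attack and a Layer 7 attack observed toward the same target.
ATTACK_TYPE_MSG = json.dumps({
    "ietf-dots-telemetry:telemetry": {
        "pre-or-ongoing-mitigation": [{
            "target": {"target-prefix": ["2001:db8::1/128"]},
            "attack-detail": [
                {"vendor-id": 32473, "attack-id": 1},
                {"vendor-id": 32473, "attack-id": 3},
            ],
        }]
    }
})


def plan_mitigation(body, mappings=ATTACK_MAPPINGS):
    """Turn attack-detail telemetry into an ordered list of forwarding-node actions.

    Amplification attacks become discard Flow Specification rules matching
    destination prefix, UDP and the abused source port. Any other attack
    type toward the target, including ids missing from the mapping table,
    yields one redirect of the remaining traffic to the DMS. Discards come
    first so the more specific match takes precedence over the
    destination-only redirect.
    """
    doc = json.loads(body) if isinstance(body, str) else body
    actions = []
    for entry in doc["ietf-dots-telemetry:telemetry"]["pre-or-ongoing-mitigation"]:
        for target in entry["target"]["target-prefix"]:
            discards, needs_dms, unknown = [], False, []
            for detail in entry.get("attack-detail", []):
                key = (detail["vendor-id"], detail["attack-id"])
                mapping = mappings.get(key)
                if mapping is None:
                    # Unknown type: do not guess a port; let the DMS inspect it.
                    unknown.append(key)
                    needs_dms = True
                elif "udp-port" in mapping:
                    rule = {"action": "discard", "dst-prefix": target,
                            "protocol": UDP, "src-port": mapping["udp-port"],
                            "reason": mapping["description"]}
                    if rule not in discards:  # duplicate reports, one rule
                        discards.append(rule)
                else:
                    needs_dms = True
            actions.extend(discards)
            if needs_dms:
                actions.append({"action": "redirect-to-dms", "dst-prefix": target,
                                "unknown-attack-ids": unknown})
    return actions
```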
3.2. Detailed DDoS Mitigation Report

It is possible for the transit provider to add value to the DDoS mitigation service by reporting on-going and detailed DDoS countermeasure status to the enterprise network. In addition, it is possible for the transit provider to know whether the DDoS counter
skipping to change at page 18, line 45
network.

The aim of this use case is to share information about the on-going DDoS countermeasure between the transit provider and the enterprise network mutually. Figure 13 gives an overview of this use case. Figure 14 provides an example of a DOTS telemetry message body that is used to signal total pipe capacity from the enterprise network administrator to the orchestrator in the ISP. Figure 15 provides an example of a DOTS telemetry message body that is used to signal various total traffic percentiles, total attack traffic percentiles and attack detail from the orchestrator to the network.
+------------------+ +------------------------+
| Enterprise | | Upstream |
| Network | | Internet Transit |
| +------------+ | | Provider |
| | Network |C | | S+--------------+ |
| | admini- |<-----DOTS---->| Orchestrator | |
| | strator | | | +--------------+ |
| +------------+ | | C ^ |
| | | | DOTS |
skipping to change at page 21, line 8
The network management system in the enterprise network reports limits of incoming traffic volume from the transit provider to the orchestrator in the transit provider in advance. It is reported by using the "total-pipe-capacity" telemetry attribute in DOTS telemetry setup.

When DDoS attacks occur, DDoS mitigation orchestration [RFC8903] is carried out in the transit provider. Then, the DDoS mitigation systems report the status of DDoS countermeasures to the orchestrator by sending "attack-detail" telemetry attributes. After that, the orchestrator integrates the reports from the DDoS mitigation systems, while removing duplicate contents, and sends them to a network administrator by using DOTS telemetry periodically.

During the DDoS mitigation, the orchestrator in the transit provider retrieves link congestion status from the network manager in the enterprise network by using "total-traffic" telemetry attributes. Then, the orchestrator checks whether the DDoS countermeasures are effective or not by comparing the "total-traffic" and the "total-pipe-capacity" attributes.

The DMS implements a DOTS server while the orchestrator behaves as a DOTS client and a server in the transit provider. In addition, the network administrator implements a DOTS client.
3.3. Tuning Mitigation Resources

3.3.1. Supervised Machine Learning of Flow Collector

DDoS detection based on tools, such as IPFIX, is a lighter-weight method of detecting DDoS attacks than DMSes in internet transit provider networks. On the other hand, DDoS detection based on the DMSes is a more accurate method for detecting attack traffic than flow monitoring.

The aim of this use case is to increase the flow collector's detection accuracy by carrying out supervised machine-learning techniques according to attack detail reported by the DMSes. To use such a technique, forwarding nodes, a flow collector, and a DMS should cooperate. Figure 16 gives an overview of this use case. Figure 17 provides an example of a DOTS telemetry message body that is used to signal various total attack traffic percentiles and attack detail.
+-----------+ +-----------+
+-----------+| DOTS +-----------+| DOTS
e.g., IPFIX | Flow ||S<--- e.g., IPFIX | Flow ||S<---
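Review bot: the text in this block names two different parties on the enterprise side, a "network manager" from which the orchestrator retrieves link congestion status via "total-traffic", and a "network administrator" that receives the integrated reports and, per the roles paragraph, implements a DOTS client; if these are the same component, use one term throughout, and if they are distinct, the roles paragraph (which covers only the DMS, the orchestrator and the network administrator) should state which DOTS role the network manager plays. The effectiveness check would also read better with its criterion stated, e.g. that the countermeasures are judged effective when the reported "total-traffic" remains below "total-pipe-capacity". Minor: "increase flow collector's detection accuracy" in 3.3.1 is missing an article ("the flow collector's").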
skipping to change at page 22, line 28 skipping to change at page 22, line 28
+---||-|| ||-+ +---||-|| ||-+
|| || || || || ||
|/ |/ |/ |/ |/ |/
DOTS +---X--X--X--+ DOTS +---X--X--X--+
--->C| DDoS | --->C| DDoS |
| mitigation | | mitigation |
| system | | system |
+------------+ +------------+
* C is for DOTS client functionality * C is for DOTS client functionality
* S is for DOTS client functionality * S is for DOTS server functionality
Figure 16: Training Supervised Machine Learning of Flow Collectors Figure 16: Training Supervised Machine Learning of Flow Collectors
{ {
"ietf-dots-telemetry:telemetry": { "ietf-dots-telemetry:telemetry": {
"pre-or-ongoing-mitigation": [ "pre-or-ongoing-mitigation": [
{ {
"target": { "target": {
"target-prefix": [ "target-prefix": [
"2001:db8::1/128" "2001:db8::1/128"
] ]
skipping to change at page 23, line 37 skipping to change at page 23, line 37
] ]
} }
} }
] ]
} }
] ]
} }
} }
Figure 17: An Example of Message Body with Attack Type Figure 17: An Example of Message Body with Attack Type
and Top Talkers and top-talkers
The forwarding nodes send traffic statisticsto the flow collectors The forwarding nodes send traffic statistics to the flow collectors
using, e.g., IPFIX. When DDoS attacks occur, DDoS mitigation by using, e.g., IPFIX. When DDoS attacks occur, DDoS mitigation
orchestration is carried out (as per Section 3.3 of [RFC8903]) and orchestration is carried out (as per Section 3.3 of [RFC8903]) and
the DMS mitigates all attack traffic destined for a target. The DDoS the DMS mitigates all attack traffic destined for a target. The DDoS
mitigation system reports the "vendor-id", "attack-id", and "top- mitigation system reports the "vendor-id", "attack-id", and "top-
talker" telemetry attributes to a flow collector. talker" telemetry attributes to a flow collector.
After mitigating a DDoS attack, the flow collector attaches outputs After mitigating a DDoS attack, the flow collector attaches outputs
of the DMS as labels to the statistics of traffic flow of top- of the DMS as labels to the statistics of traffic flow of top-
talkers. The outputs, for example, are the "attack-id" telemetry talkers. The outputs, for example, are the "attack-id" telemetry
attributes. The flow collector, then, carries out supervised machine attributes. The flow collector, then, carries out supervised machine
learning to increase its detection accuracy, setting the statistics learning to increase its detection accuracy, setting the statistics
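Review bot: the revised Figure 17 caption now spells "top-talkers" in hyphenated, attribute-like form, while the attribute the DMS reports is written "top-talker" a few lines below and the prose ("traffic flow of top-talkers") uses it as an ordinary noun; either keep the caption in plain words ("and Top Talkers", as before) or match the attribute spelling exactly so that readers searching for the attribute name find one consistent form. The same lines also state that the DMS reports these attributes "to a flow collector" without saying which DOTS role each side implements; the closing sentence of 3.3.2 does this for the unsupervised case, and 3.3.1 would benefit from the same one-line roles statement.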
skipping to change at page 24, line 49 skipping to change at page 24, line 49
+---||-------+ +---||-------+
|| ||
|/ |/
DOTS +---X--------+ DOTS +---X--------+
--->C| DDoS | --->C| DDoS |
| mitigation | | mitigation |
| system | | system |
+------------+ +------------+
* C is for DOTS client functionality * C is for DOTS client functionality
* S is for DOTS client functionality * S is for DOTS server functionality
Figure 18: Training Unsupervised Machine Learning of Flow Collectors Figure 18: Training Unsupervised Machine Learning of Flow Collectors
{ {
"ietf-dots-telemetry:telemetry-setup": { "ietf-dots-telemetry:telemetry-setup": {
"telemetry": [ "telemetry": [
{ {
"baseline": [ "baseline": [
{ {
"id": 1, "id": 1,
"target-prefix": [ "target-prefix": [
skipping to change at page 25, line 42 skipping to change at page 25, line 42
] ]
} }
] ]
} }
} }
Figure 19: An Example of Message Body with Traffic Baseline Figure 19: An Example of Message Body with Traffic Baseline
The forwarding nodes carry out mirroring traffic destined IP address. The forwarding nodes carry out mirroring traffic destined IP address.
The DMS then identifies "clean" traffic and reports the baseline The DMS then identifies "clean" traffic and reports the baseline
attributes to the flow collector using DOTS telemetry. attributes to the flow collector by using DOTS telemetry.
The flow collector, then, carries out unsupervised machine learning The flow collector, then, carries out unsupervised machine learning
to be able to carry out anomaly detection. to be able to carry out anomaly detection.
The DMS implements a DOTS client while the flow collector implements The DMS implements a DOTS client while the flow collector implements
a DOTS server. a DOTS server.
4. Security Considerations 4. Security Considerations
DOTS telemetry security considerations are discussed in Section 14 of DOTS telemetry security considerations are discussed in Section 14 of
[I-D.ietf-dots-telemetry]. These considerations apply for the [I-D.ietf-dots-telemetry]. These considerations apply for the
communication interfaces where DOTS is used. communication interfaces where DOTS is used.
Some use cases involve controllers, orchestrators, and programmable Some use cases involve controllers, orchestrators, and programmable
interfaces. These interfaces can be misused by misbehaving nodes to interfaces. These interfaces can be misused by misbehaving nodes to
further exacerbate a DDoS attacks. Section 5 of [RFC7149] discusses further exacerbate DDoS attacks. Section 5 of [RFC7149] discusses
some generic security considerations to take into account in such some generic security considerations to take into account in such
contexts (e.g., reliable access control). Specific security measures contexts (e.g., reliable access control). Specific security measures
depend on the actual mechanism used to control underlying forwarding depend on the actual mechanism used to control underlying forwarding
nodes and other controlled elements. For example, Section 13 of nodes and other controlled elements. For example, Section 13 of
[RFC8955] discusses security considerations that are relevant to BGP [RFC8955] discusses security considerations that are relevant to BGP
Flow Specifications. IPFIX-specific considerations are discussed in Flowspec. IPFIX-specific considerations are discussed in Section 11
Section 11 of [RFC7011]. of [RFC7011].
5. IANA Considerations 5. IANA Considerations
This document does not require any action from IANA. This document does not require any action from IANA.
6. Acknowledgement 6. Acknowledgement
The authors would like to thank among others Mohamed Boucadair for The authors would like to thank Mohamed Boucadair and Valery Smyslov
their valuable feedback. for their valuable feedback.
7. References 7. References
7.1. Normative References 7.1. Normative References
[I-D.ietf-dots-telemetry] [I-D.ietf-dots-telemetry]
Boucadair, M., Reddy.K, T., Doron, E., Chen, M., and J. Boucadair, M., Reddy.K, T., Doron, E., Chen, M., and J.
Shallow, "Distributed Denial-of-Service Open Threat Shallow, "Distributed Denial-of-Service Open Threat
Signaling (DOTS) Telemetry", Work in Progress, Internet- Signaling (DOTS) Telemetry", Work in Progress, Internet-
Draft, draft-ietf-dots-telemetry-23, 4 February 2022, Draft, draft-ietf-dots-telemetry-25, 21 March 2022,
<https://www.ietf.org/archive/id/draft-ietf-dots- <https://www.ietf.org/archive/id/draft-ietf-dots-
telemetry-23.txt>. telemetry-25.txt>.
7.2. Informative References 7.2. Informative References
[RFC3413] Levi, D., Meyer, P., and B. Stewart, "Simple Network [RFC3413] Levi, D., Meyer, P., and B. Stewart, "Simple Network
Management Protocol (SNMP) Applications", STD 62, Management Protocol (SNMP) Applications", STD 62,
RFC 3413, DOI 10.17487/RFC3413, December 2002, RFC 3413, DOI 10.17487/RFC3413, December 2002,
<https://www.rfc-editor.org/info/rfc3413>. <https://www.rfc-editor.org/info/rfc3413>.
[RFC4271] Rekhter, Y., Ed., Li, T., Ed., and S. Hares, Ed., "A [RFC4271] Rekhter, Y., Ed., Li, T., Ed., and S. Hares, Ed., "A
Border Gateway Protocol 4 (BGP-4)", RFC 4271, Border Gateway Protocol 4 (BGP-4)", RFC 4271,
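Review bot: "The forwarding nodes carry out mirroring traffic destined IP address." is ungrammatical in both revisions and leaves unstated both whose address is meant and where the mirrored traffic goes; suggest "The forwarding nodes mirror traffic destined to the target IP address to the DMS", which is what the next sentence ("The DMS then identifies 'clean' traffic") presumes. Minor: the Security Considerations now say "BGP Flowspec" where the cited RFC 8955 title uses "Flow Specification"; either form is understood, but it is worth checking the term is used consistently with the rest of the draft.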
 End of changes. 47 change blocks. 
77 lines changed or deleted 80 lines changed or added

This html diff was produced by rfcdiff 1.48. The latest version is available from http://tools.ietf.org/tools/rfcdiff/