| < draft-ietf-dots-telemetry-use-cases-09.txt | draft-ietf-dots-telemetry-use-cases-10.txt > | |||
|---|---|---|---|---|
| DOTS Y. Hayashi | DOTS Y. Hayashi | |||
| Internet-Draft NTT | Internet-Draft NTT | |||
| Intended status: Informational M. Chen | Intended status: Informational M. Chen | |||
| Expires: 27 August 2022 Li. Su | Expires: 4 October 2022 Li. Su | |||
| CMCC | CMCC | |||
| 23 February 2022 | 2 April 2022 | |||
| Use Cases for DDoS Open Threat Signaling (DOTS) Telemetry | Use Cases for DDoS Open Threat Signaling (DOTS) Telemetry | |||
| draft-ietf-dots-telemetry-use-cases-09 | draft-ietf-dots-telemetry-use-cases-10 | |||
| Abstract | Abstract | |||
| Denial-of-service Open Threat Signaling (DOTS) Telemetry enriches the | DDoS Open Threat Signaling (DOTS) Telemetry enriches the base DOTS | |||
| base DOTS protocols to assist the mitigator in using efficient DDoS | protocols to assist the mitigator in using efficient DDoS attack | |||
| attack mitigation techniques in a network. This document presents | mitigation techniques in a network. This document presents sample | |||
| sample use cases for DOTS Telemetry. It discusses in particular what | use cases for DOTS Telemetry. It discusses in particular what | |||
| components are deployed in the network, how they cooperate, and what | components are deployed in the network, how they cooperate, and what | |||
| information is exchanged to effectively use these techniques. | information is exchanged to effectively use these techniques. | |||
| Status of This Memo | Status of This Memo | |||
| This Internet-Draft is submitted in full conformance with the | This Internet-Draft is submitted in full conformance with the | |||
| provisions of BCP 78 and BCP 79. | provisions of BCP 78 and BCP 79. | |||
| Internet-Drafts are working documents of the Internet Engineering | Internet-Drafts are working documents of the Internet Engineering | |||
| Task Force (IETF). Note that other groups may also distribute | Task Force (IETF). Note that other groups may also distribute | |||
| working documents as Internet-Drafts. The list of current Internet- | working documents as Internet-Drafts. The list of current Internet- | |||
| Drafts is at https://datatracker.ietf.org/drafts/current/. | Drafts is at https://datatracker.ietf.org/drafts/current/. | |||
| Internet-Drafts are draft documents valid for a maximum of six months | Internet-Drafts are draft documents valid for a maximum of six months | |||
| and may be updated, replaced, or obsoleted by other documents at any | and may be updated, replaced, or obsoleted by other documents at any | |||
| time. It is inappropriate to use Internet-Drafts as reference | time. It is inappropriate to use Internet-Drafts as reference | |||
| material or to cite them other than as "work in progress." | material or to cite them other than as "work in progress." | |||
| This Internet-Draft will expire on 27 August 2022. | This Internet-Draft will expire on 4 October 2022. | |||
| Copyright Notice | Copyright Notice | |||
| Copyright (c) 2022 IETF Trust and the persons identified as the | Copyright (c) 2022 IETF Trust and the persons identified as the | |||
| document authors. All rights reserved. | document authors. All rights reserved. | |||
| This document is subject to BCP 78 and the IETF Trust's Legal | This document is subject to BCP 78 and the IETF Trust's Legal | |||
| Provisions Relating to IETF Documents (https://trustee.ietf.org/ | Provisions Relating to IETF Documents (https://trustee.ietf.org/ | |||
| license-info) in effect on the date of publication of this document. | license-info) in effect on the date of publication of this document. | |||
| Please review these documents carefully, as they describe your rights | Please review these documents carefully, as they describe your rights | |||
| skipping to change at page 3, line 44 ¶ | skipping to change at page 3, line 44 ¶ | |||
| 3. Telemetry Use Cases | 3. Telemetry Use Cases | |||
| This section describes DOTS telemetry use cases that use attributes | This section describes DOTS telemetry use cases that use attributes | |||
| included in DOTS telemetry specifications [I-D.ietf-dots-telemetry]. | included in DOTS telemetry specifications [I-D.ietf-dots-telemetry]. | |||
| 3.1. Mitigation Resources Assignment | 3.1. Mitigation Resources Assignment | |||
| 3.1.1. Mitigating Attack Flow of Top-talker Preferentially | 3.1.1. Mitigating Attack Flow of Top-talker Preferentially | |||
| Some transit providers have to mitigate such large-scale DDoS attacks | Some transit providers have to mitigate such large-scale DDoS attacks | |||
| using DDoS Mitigation Systems (DMSes) with limited resources, which | by using DDoS Mitigation Systems (DMSes) with limited resources, | |||
| is already deployed in their network. For example, recent reported | which is already deployed in their network. For example, recent | |||
| large DDoS attacks exceeded 1 Tps. | reported large DDoS attacks exceeded 1 Tps. | |||
| The aim of this use case is to enable transit providers to use their | The aim of this use case is to enable transit providers to use their | |||
| DMS efficiently under volume-based DDoS attacks whose volume is more | DMS efficiently under volume-based DDoS attacks whose volume is more | |||
| than the available capacity of the DMS. To enable this, the attack | than the available capacity of the DMS. To enable this, the attack | |||
| traffic of top talkers is redirected to the DMS preferentially by | traffic of top-talkers is redirected to the DMS preferentially by | |||
| cooperation among forwarding nodes, flow collectors, and | cooperation among forwarding nodes, flow collectors, and | |||
| orchestrators. | orchestrators. | |||
| Figure 1 gives an overview of this use case. Figure 2 provides an | Figure 1 gives an overview of this use case. Figure 2 provides an | |||
| example of a DOTS telemetry message body that is used to signal top- | example of a DOTS telemetry message body that is used to signal top- | |||
| talkers (2001:db8::2/128 and 2001:db8::3/128). | talkers (2001:db8::2/128 and 2001:db8::3/128). | |||
| (Internet Transit Provider) | (Internet Transit Provider) | |||
| +-----------+ +--------------+ e.g., SNMP | +-----------+ +--------------+ e.g., SNMP | |||
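Review bot: The unit in "recent reported large DDoS attacks exceeded 1 Tps" (unchanged in the new column) is not a recognised quantity; if the figure is bandwidth, write "1 Tbps", and "recent reported" should be "recently reported". In the same sentence, "DDoS Mitigation Systems (DMSes) with limited resources, which is already deployed" should read "which are already deployed" to agree with the plural; the "by using" edit leaves that mismatch in place.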
| skipping to change at page 4, line 30 ¶ | skipping to change at page 4, line 30 ¶ | |||
| --->| Flow ||C<-->S| Orchestrator | e.g., BGP Flowspec | --->| Flow ||C<-->S| Orchestrator | e.g., BGP Flowspec | |||
| | collector |+ | |---> (Redirect) | | collector |+ | |---> (Redirect) | |||
| +-----------+ +--------------+ | +-----------+ +--------------+ | |||
| +-------------+ | +-------------+ | |||
| e.g., IPFIX +-------------+| e.g., BGP Flowspec | e.g., IPFIX +-------------+| e.g., BGP Flowspec | |||
| <---| Forwarding ||<--- (Redirect) | <---| Forwarding ||<--- (Redirect) | |||
| | nodes || | | nodes || | |||
| | || DDoS Attack | | || DDoS Attack | |||
| [ Target ]<============|=============================== | [ Target ]<============|=============================== | |||
| [ or ] | ++=========================[top talker] | [ or ] | ++=========================[top-talker] | |||
| [ Targets ] | || ++======================[top talker] | [ Targets ] | || ++======================[top-talker] | |||
| +----|| ||---+ | +----|| ||---+ | |||
| || || | || || | |||
| || || | || || | |||
| |/ |/ | |/ |/ | |||
| +----x--x----+ | +----x--x----+ | |||
| | DDoS | e.g., SNMP | | DDoS | e.g., SNMP | |||
| | mitigation |<--- | | mitigation |<--- | |||
| | system | | | system | | |||
| +------------+ | +------------+ | |||
| * C is for DOTS client functionality | * C is for DOTS client functionality | |||
| * S is for DOTS client functionality | * S is for DOTS server functionality | |||
| Figure 1: Mitigating DDoS Attack Flow of Top-talkers Preferentially | Figure 1: Mitigating DDoS Attack Flow of Top-talkers Preferentially | |||
| { | { | |||
| "ietf-dots-telemetry:telemetry": { | "ietf-dots-telemetry:telemetry": { | |||
| "pre-or-ongoing-mitigation": [ | "pre-or-ongoing-mitigation": [ | |||
| { | { | |||
| "target": { | "target": { | |||
| "target-prefix": [ | "target-prefix": [ | |||
| "2001:db8::1/128" | "2001:db8::1/128" | |||
| ] | ] | |||
| skipping to change at page 6, line 11 ¶ | skipping to change at page 6, line 11 ¶ | |||
| ] | ] | |||
| } | } | |||
| ] | ] | |||
| } | } | |||
| } | } | |||
| Figure 2: An Example of Message Body to Signal Top-Talkers | Figure 2: An Example of Message Body to Signal Top-Talkers | |||
| The forwarding nodes send traffic statistics to the flow collectors | The forwarding nodes send traffic statistics to the flow collectors | |||
| using, e.g., IPFIX [RFC7011]. When DDoS attacks occur, the flow | using, e.g., IP Flow Information Export (IPFIX) [RFC7011]. When DDoS | |||
| collectors identifies the attack traffic and send information of the | attacks occur, the flow collectors identifies the attack traffic and | |||
| top-talkers to the orchestrator using the "target-prefix" and "top- | send information of the top-talkers to the orchestrator using the | |||
| talkers" DOTS telemetry attributes. The orchestrator, then, checks | "target-prefix" and "top-talkers" DOTS telemetry attributes. The | |||
| the available capacity of the DMSes by using a network management | orchestrator, then, checks the available capacity of the DMSes by | |||
| protocol, such as SNMP [RFC3413]. After that, the orchestrator | using a network management protocol, such as Simple Network | |||
| orders the forwarding nodes to redirect as much of the top talker's | Management Protocol (SNMP) [RFC3413]. After that, the orchestrator | |||
| orders the forwarding nodes to redirect as much of the top-talker's | ||||
| traffic to the DMS as possible by dissemination of Flow | traffic to the DMS as possible by dissemination of Flow | |||
| Specifications relying upon tools, such as BGP Flowspec [RFC8955]. | Specifications relying upon tools, such as Border Gateway Protocol | |||
| Dissemination of Flow Specification Rules (BGP Flowspec) [RFC8955]. | ||||
| The flow collector implements a DOTS client while the orchestrator | The flow collector implements a DOTS client while the orchestrator | |||
| implements a DOTS server. | implements a DOTS server. | |||
| 3.1.2. Optimal DMS Selection for Mitigation | 3.1.2. Optimal DMS Selection for Mitigation | |||
| Transit providers can deploy their DMSes in clusters. Then, they can | Transit providers can deploy their DMSes in clusters. Then, they can | |||
| select the DMS to be used to mitigate a DDoS attack under attack | select the DMS to be used to mitigate a DDoS attack under attack | |||
| time. | time. | |||
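Review bot: Subject-verb agreement in "the flow collectors identifies the attack traffic and send information" is still wrong in the new column; it should be "the flow collectors identify ... and send", matching how the same step is worded in 3.1.2 ("the flow collectors identify"). Minor: "information of the top-talkers" reads better as "information about the top-talkers", and in 3.1.2 "under attack time" should be "at attack time".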
| skipping to change at page 7, line 33 ¶ | skipping to change at page 7, line 33 ¶ | |||
| || || +-----------+ | || || +-----------+ | |||
| || |/ | DMS3 | | || |/ | DMS3 | | |||
| || +-----x------+ |<--- e.g., SNMP | || +-----x------+ |<--- e.g., SNMP | |||
| |/ | DMS2 |--------+ | |/ | DMS2 |--------+ | |||
| +--x---------+ |<--- e.g., SNMP | +--x---------+ |<--- e.g., SNMP | |||
| | DMS1 |------+ | | DMS1 |------+ | |||
| | |<--- e.g., SNMP | | |<--- e.g., SNMP | |||
| +------------+ | +------------+ | |||
| * C is for DOTS client functionality | * C is for DOTS client functionality | |||
| * S is for DOTS client functionality | * S is for DOTS server functionality | |||
| Figure 3: Optimal DMS Selection for Mitigation | Figure 3: Optimal DMS Selection for Mitigation | |||
| { | { | |||
| "ietf-dots-telemetry:telemetry": { | "ietf-dots-telemetry:telemetry": { | |||
| "pre-or-ongoing-mitigation": [ | "pre-or-ongoing-mitigation": [ | |||
| { | { | |||
| "target": { | "target": { | |||
| "target-prefix": [ | "target-prefix": [ | |||
| "2001:db8::1/128" | "2001:db8::1/128" | |||
| ] | ] | |||
| skipping to change at page 8, line 33 ¶ | skipping to change at page 8, line 33 ¶ | |||
| } | } | |||
| ] | ] | |||
| } | } | |||
| } | } | |||
| Figure 4: Example of Message Body with Total Attack Traffic | Figure 4: Example of Message Body with Total Attack Traffic | |||
| The forwarding nodes send traffic statistics to the flow collectors | The forwarding nodes send traffic statistics to the flow collectors | |||
| using, e.g., IPFIX. When DDoS attacks occur, the flow collectors | using, e.g., IPFIX. When DDoS attacks occur, the flow collectors | |||
| identify the attack traffic and send information of the attack | identify the attack traffic and send information of the attack | |||
| traffic volume to the orchestrator using the "target-prefix" and | traffic volume to the orchestrator by using the "target-prefix" and | |||
| "total-attack-traffic" DOTS telemetry attributes. The orchestrator, | "total-attack-traffic" DOTS telemetry attributes. The orchestrator, | |||
| then, checks the available capacity of the DMSes using a network | then, checks the available capacity of the DMSes by using a network | |||
| management protocol, such as SNMP. After that, the orchestrator | management protocol, such as SNMP. After that, the orchestrator | |||
| selects an optimal DMS to which each attack traffic should be | selects an optimal DMS to which each attack traffic should be | |||
| redirected. For example, a simple DMS selection algorithm is to | redirected. For example, a simple DMS selection algorithm is to | |||
| choose a DMS whose available capacity is greater than the "peak-g" | choose a DMS whose available capacity is greater than the "peak-g" | |||
| atribute indicated in the DOTS telemetry message. The orchestrator | atribute indicated in the DOTS telemetry message. The orchestrator | |||
| orders the appropriate forwarding nodes to redirect the attack | orders the appropriate forwarding nodes to redirect the attack | |||
| traffic to the optimal DMS relying upon routing policies, such as BGP | traffic to the optimal DMS relying upon routing policies, such as BGP | |||
| [RFC4271]. | [RFC4271]. | |||
| The detailed DMS selection algorithm is out of the scope of this | The detailed DMS selection algorithm is out of the scope of this | |||
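Review bot: "atribute" in "greater than the "peak-g" atribute" is misspelled in both columns; fix to "attribute". Also "an optimal DMS to which each attack traffic should be redirected" needs a countable noun, e.g., "each attack traffic flow", as 3.1.3 already phrases it ("each attack-traffic flow").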
| skipping to change at page 9, line 24 ¶ | skipping to change at page 9, line 24 ¶ | |||
| bandwidth of the attack traffic and total traffic. Figure 5 gives an | bandwidth of the attack traffic and total traffic. Figure 5 gives an | |||
| overview of this use case. Figure 6 provides an example of a DOTS | overview of this use case. Figure 6 provides an example of a DOTS | |||
| telemetry message body that is used to signal various attack traffic | telemetry message body that is used to signal various attack traffic | |||
| percentiles and total traffic percentiles. | percentiles and total traffic percentiles. | |||
| (Internet Transit Provider) | (Internet Transit Provider) | |||
| +-----------+ +--------------+ DOTS | +-----------+ +--------------+ DOTS | |||
| e.g., +-----------+| | |S<--- | e.g., +-----------+| | |S<--- | |||
| IPFIX | Flow || DOTS | Orchestrator | | IPFIX | Flow || DOTS | Orchestrator | | |||
| -->| collector ||C<-->S| | e.g., BGP Flow spec | -->| collector ||C<-->S| | e.g., BGP Flowspec | |||
| | |+ | |---> (Redirect) | | |+ | |---> (Redirect) | |||
| +-----------+ +--------------+ | +-----------+ +--------------+ | |||
| DOTS +------------+ DOTS +------------+ e.g., IPFIX | DOTS +------------+ DOTS +------------+ e.g., IPFIX | |||
| --->C| Forwarding | --->C| Forwarding |---> | --->C| Forwarding | --->C| Forwarding |---> | |||
| e.g., BGP Flow spec | node | | node | | e.g., BGP Flowspec | node | | node | | |||
| (Redirect) --->| | | | DDoS Attack | (Redirect) --->| | | | DDoS Attack | |||
| [Target] | ++==================================== | [Target] | ++==================================== | |||
| +-------||---+ +------------+ | +-------||---+ +------------+ | |||
| || / | || / | |||
| || / (congested link) | || / (congested link) | |||
| || / | || / | |||
| DOTS +-||----------------+ e.g., BGP Flow spec | DOTS +-||----------------+ e.g., BGP Flowspec | |||
| --->C| || Forwarding |<--- (Redirect) | --->C| || Forwarding |<--- (Redirect) | |||
| | ++=== node | | | ++=== node | | |||
| +----||-------------+ | +----||-------------+ | |||
| |/ | |/ | |||
| +--x-----------+ | +--x-----------+ | |||
| | DMS | | | DMS | | |||
| +--------------+ | +--------------+ | |||
| * C is for DOTS client functionality | * C is for DOTS client functionality | |||
| * S is for DOTS client functionality | * S is for DOTS server functionality | |||
| Figure 5: Best-path Selection for Redirection | Figure 5: Best-path Selection for Redirection | |||
| { | { | |||
| "ietf-dots-telemetry:telemetry": { | "ietf-dots-telemetry:telemetry": { | |||
| "pre-or-ongoing-mitigation": [ | "pre-or-ongoing-mitigation": [ | |||
| { | { | |||
| "target": { | "target": { | |||
| "target-prefix": [ | "target-prefix": [ | |||
| "2001:db8::1/128" | "2001:db8::1/128" | |||
| ] | ] | |||
| skipping to change at page 11, line 6 ¶ | skipping to change at page 11, line 6 ¶ | |||
| ] | ] | |||
| } | } | |||
| ] | ] | |||
| } | } | |||
| } | } | |||
| Figure 6: An Example of Message Body with Total Attack | Figure 6: An Example of Message Body with Total Attack | |||
| Traffic and Total Traffic | Traffic and Total Traffic | |||
| The forwarding nodes send traffic statistics to the flow collectors | The forwarding nodes send traffic statistics to the flow collectors | |||
| using, e.g., IPFIX. When DDoS attacks occur, the flow collectors | by using, e.g., IPFIX. When DDoS attacks occur, the flow collectors | |||
| identify attack traffic and send information of the attack traffic | identify attack traffic and send information of the attack traffic | |||
| volume to the orchestrator using a "target-prefix" and "total-attack- | volume to the orchestrator by using a "target-prefix" and "total- | |||
| traffic" DOTS telemetry attributes. On the other hands, the | attack-traffic" DOTS telemetry attributes. On the other hands, the | |||
| underlying forwarding nodes send volume of the total traffic passing | underlying forwarding nodes send volume of the total traffic passing | |||
| the node to the orchestrator using "total-traffic" telemetry | the node to the orchestrator by using "total-traffic" telemetry | |||
| attributes. The orchestrator then selects an optimal path to which | attributes. The orchestrator then selects an optimal path to which | |||
| each attack-traffic flow should be redirected. For example, the | each attack-traffic flow should be redirected. For example, the | |||
| simple algorithm of the selection is to choose a path whose available | simple algorithm of the selection is to choose a path whose available | |||
| capacity is greater than the "peak-g" attribute that was indicated in | capacity is greater than the "peak-g" attribute that was indicated in | |||
| a DOTS telemetry message. After that, the orchestrator orders the | a DOTS telemetry message. After that, the orchestrator orders the | |||
| appropriate forwarding nodes to redirect the attack traffic to the | appropriate forwarding nodes to redirect the attack traffic to the | |||
| optimal DMS by dissemination of Flow Specifications relying upon | optimal DMS by dissemination of Flow Specifications relying upon | |||
| tools, such as BGP Flowspec. | tools, such as BGP Flowspec. | |||
| The detailed path selection algorithm is out of the scope of this | The detailed path selection algorithm is out of the scope of this | |||
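Review bot: "On the other hands" should be "On the other hand" (unchanged in the new column). The article mismatch in "by using a "target-prefix" and "total-attack-traffic" DOTS telemetry attributes" should be "the "target-prefix" and "total-attack-traffic" DOTS telemetry attributes", consistent with the same sentence in 3.1.1 and 3.1.2, and "send volume of the total traffic" wants "send the volume of the total traffic".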
| skipping to change at page 12, line 9 ¶ | skipping to change at page 12, line 9 ¶ | |||
| attack traffic. Figure 7 gives an overview of this use case. | attack traffic. Figure 7 gives an overview of this use case. | |||
| Figure 8 provides an example of a DOTS telemetry message body that is | Figure 8 provides an example of a DOTS telemetry message body that is | |||
| used to signal total pipe capacity. Figure 9 provides an example of | used to signal total pipe capacity. Figure 9 provides an example of | |||
| a DOTS telemetry message body that is used to signal various attack | a DOTS telemetry message body that is used to signal various attack | |||
| traffic percentiles and total traffic percentiles. | traffic percentiles and total traffic percentiles. | |||
| (Internet Transit Provider) | (Internet Transit Provider) | |||
| +------------+ +----------------+ | +------------+ +----------------+ | |||
| e.g., | Network | DOTS | Administrative | | e.g., | Network | DOTS | Administrative | | |||
| Alert ----->| Management |C<--->S| System | e.g., BGP Flow spec | Alert ----->| Management |C<--->S| System | e.g., BGP Flowspec | |||
| | System | | |---> (Rate-Limit) | | System | | |---> (Rate-Limit) | |||
| +------------+ +----------------+ | +------------+ +----------------+ | |||
| +------------+ +------------+ e.g., BGP Flow spec | +------------+ +------------+ e.g., BGP Flowspec | |||
| | Forwarding | | Forwarding |<--- (Rate-Limit X bps) | | Forwarding | | Forwarding |<--- (Rate-Limit X bps) | |||
| | node | | node | | | node | | node | | |||
| Link1 | | | | DDoS & Normal traffic | Link1 | | | | DDoS & Normal traffic | |||
| [Target]<------------------------------------================ | [Target]<------------------------------------================ | |||
| Pipe +------------+ +------------+ Attack Traffic | Pipe +------------+ +------------+ Attack Traffic | |||
| Capability Bandwidth | Capability Bandwidth | |||
| e.g., X bps e.g., Y bps | e.g., X bps e.g., Y bps | |||
| Network access success rate | Network access success rate | |||
| e.g., X / (X + Y) | e.g., X / (X + Y) | |||
| * C is for DOTS client functionality | * C is for DOTS client functionality | |||
| * S is for DOTS client functionality | * S is for DOTS server functionality | |||
| Figure 7: Short but Extreme Volumetric Attack Mitigation | Figure 7: Short but Extreme Volumetric Attack Mitigation | |||
| { | { | |||
| "ietf-dots-telemetry:telemetry-setup": { | "ietf-dots-telemetry:telemetry-setup": { | |||
| "telemetry": [ | "telemetry": [ | |||
| { | { | |||
| "total-pipe-capacity": [ | "total-pipe-capacity": [ | |||
| { | { | |||
| "link-id": "link1", | "link-id": "link1", | |||
| skipping to change at page 13, line 40 ¶ | skipping to change at page 13, line 40 ¶ | |||
| } | } | |||
| ] | ] | |||
| } | } | |||
| } | } | |||
| Figure 9: Example of Message Body with Total Attack Traffic, | Figure 9: Example of Message Body with Total Attack Traffic, | |||
| and Total Traffic | and Total Traffic | |||
| When DDoS attacks occur, the network management system receives | When DDoS attacks occur, the network management system receives | |||
| alerts. Then, it sends the target IP address(es) and volume of the | alerts. Then, it sends the target IP address(es) and volume of the | |||
| DDoS attack traffic to the administrative system using the "target- | DDoS attack traffic to the administrative system by using the | |||
| prefix" and "total-attack-traffic" DOTS telemetry attributes. After | "target-prefix" and "total-attack-traffic" DOTS telemetry attributes. | |||
| that, the administrative system orders relevant forwarding nodes to | After that, the administrative system orders relevant forwarding | |||
| carry out rate-limit all traffic destined to the target based on the | nodes to carry out rate-limit all traffic destined to the target | |||
| pipe capability by the dissemination of the Flow Specifications | based on the pipe capability by the dissemination of the Flow | |||
| relying upon tools, such as BGP Flowspec. In addition, the | Specifications relying upon tools, such as BGP Flowspec. In | |||
| administrative system estimates the network-access success rate of | addition, the administrative system estimates the network-access | |||
| the target, which is calculated by (total-pipe-capability / (total- | success rate of the target, which is calculated by (total-pipe- | |||
| pipe-capability + total-attack-traffic)). | capability / (total-pipe-capability + total-attack-traffic)). | |||
| Note that total pipe capability information can be gatherd by | Note that total pipe capability information can be gatherd by | |||
| telemetry setup in advance (Section 7.2 of | telemetry setup in advance (Section 7.2 of | |||
| [I-D.ietf-dots-telemetry]). | [I-D.ietf-dots-telemetry]). | |||
| The network management system implements a DOTS client while the | The network management system implements a DOTS client while the | |||
| administrative system implements a DOTS server. | administrative system implements a DOTS server. | |||
| 3.1.5. Selecting Mitigation Technique Based on Attack Type | 3.1.5. Selecting Mitigation Technique Based on Attack Type | |||
| Some volumetric attacks, such as amplification attacks, can be | Some volumetric attacks, such as amplification attacks, can be | |||
| detected with high accuracy by checking the Layer 3 or Layer 4 | detected with high accuracy by checking the Layer 3 or Layer 4 | |||
| information of attack packets. These attacks can be detected and | information of attack packets. These attacks can be detected and | |||
| mitigated through cooperation among forwarding nodes and flow | mitigated through cooperation among forwarding nodes and flow | |||
| collectors using IPFIX. It may also necessary to inspect the Layer 7 | collectors by using IPFIX. It may also be necessary to inspect the | |||
| information of suspecious packets to detect attacks such as DNS Water | Layer 7 information of suspecious packets to detect attacks such as | |||
| Torture Attacks. Such an attack traffic should be detected and | DNS Water Torture Attacks. Such an attack traffic should be detected | |||
| mitigated at a DMS. | and mitigated at a DMS. | |||
| The aim of this use case is to enable transit providers to select a | The aim of this use case is to enable transit providers to select a | |||
| mitigation technique based on the type of attack traffic: | mitigation technique based on the type of attack traffic: | |||
| amplification attack or not. To use such a technique, the attack | amplification attack or not. To use such a technique, the attack | |||
| traffic is blocked by forwarding nodes or redirected to a DMS based | traffic is blocked by forwarding nodes or redirected to a DMS based | |||
| on the attack type through cooperation among forwarding nodes, flow | on the attack type through cooperation among forwarding nodes, flow | |||
| collectors, and an orchestrator. | collectors, and an orchestrator. | |||
| Figure 10 gives an overview of this use case. Figure 11 provides an | Figure 10 gives an overview of this use case. Figure 11 provides an | |||
| example of attack mappings as below are shared using the DOTS data | example of attack mappings as below are shared by using the DOTS data | |||
| channel in advance. Figure 12 provides an example of a DOTS | channel in advance. Figure 12 provides an example of a DOTS | |||
| telemetry message body that is used to signal various attack traffic | telemetry message body that is used to signal various attack traffic | |||
| percentiles, total traffic percentiles, total attack connection and | percentiles, total traffic percentiles, total attack connection and | |||
| attack type. | attack type. | |||
| The example in Figure 11 uses the folding defined in [RFC8792] for | The example in Figure 11 uses the folding defined in [RFC8792] for | |||
| long lines. | long lines. | |||
| (Internet Transit Provider) | (Internet Transit Provider) | |||
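Review bot: The success-rate formula in 3.1.4, "(total-pipe-capability / (total-pipe-capability + total-attack-traffic))", mixes an invented name with real attribute names: the attribute shown in Figure 8 and cited in the following paragraph is "total-pipe-capacity", so the formula (and "Pipe Capability" in Figure 7) should say "capacity". In the same paragraph "carry out rate-limit all traffic" should be "rate-limit all traffic" and "gatherd" is misspelled. In 3.1.5, "suspecious" should be "suspicious", "Such an attack traffic" should be "Such attack traffic", and "Figure 11 provides an example of attack mappings as below are shared by using the DOTS data channel in advance" needs rewording, e.g., "Figure 11 provides an example of the attack mappings that are shared via the DOTS data channel in advance".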
| skipping to change at page 18, line 12 ¶ | skipping to change at page 18, line 12 ¶ | |||
| ] | ] | |||
| } | } | |||
| ] | ] | |||
| } | } | |||
| } | } | |||
| Figure 12: Example of Message Body with Total Attack Traffic, | Figure 12: Example of Message Body with Total Attack Traffic, | |||
| Total Attack Traffic Protocol, Total Attack Connection and Attack Type | Total Attack Traffic Protocol, Total Attack Connection and Attack Type | |||
| Attack mappings are shared using the DOTS data channel in advance | Attack mappings are shared by using the DOTS data channel in advance | |||
| (Section 8.1.6 of [I-D.ietf-dots-telemetry]). The forwarding nodes | (Section 8.1.6 of [I-D.ietf-dots-telemetry]). The forwarding nodes | |||
| send traffic statistics to the flow collectors using, e.g., IPFIX. | send traffic statistics to the flow collectors by using, e.g., IPFIX. | |||
| When DDoS attacks occur, the flow collectors identify attack traffic | When DDoS attacks occur, the flow collectors identify attack traffic | |||
| and send attack type information to the orchestrator the using | and send attack type information to the orchestrator by using | |||
| "vendor-id" and "attack-id" telemetry attributes. The orchestrator, | "vendor-id" and "attack-id" telemetry attributes. The orchestrator, | |||
| then, resolves abused port numbers and orders relevant forwarding | then, resolves abused port numbers and orders relevant forwarding | |||
| nodes to block the amplification attack traffic flow by dissemination | nodes to block the amplification attack traffic flow by dissemination | |||
| of Flow Specifications, e.g. [RFC8955]. Also, the orchestrator | of Flow Specifications, e.g. [RFC8955]. Also, the orchestrator | |||
| orders relevant forwarding nodes to redirect other traffic than the | orders relevant forwarding nodes to redirect other traffic than the | |||
| amplification attack traffic using a routing protocol, such as BGP. | amplification attack traffic by using a routing protocol, such as | |||
| BGP. | ||||
| The flow collector implements a DOTS client while the orchestrator | The flow collector implements a DOTS client while the orchestrator | |||
| implements a DOTS server. | implements a DOTS server. | |||
| 3.2. Detailed DDoS Mitigation Report | 3.2. Detailed DDoS Mitigation Report | |||
| It is possible for the transit provider to add value to the DDoS | It is possible for the transit provider to add value to the DDoS | |||
| mitigation service by reporting on-going and detailed DDoS | mitigation service by reporting on-going and detailed DDoS | |||
| countermeasure status to the enterprise network. In addition, it is | countermeasure status to the enterprise network. In addition, it is | |||
| possible for the transit provider to know whether the DDoS counter | possible for the transit provider to know whether the DDoS counter | |||
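Review bot: "redirect other traffic than the amplification attack traffic" should be "redirect traffic other than the amplification attack traffic". The citation form "e.g. [RFC8955]" lacks the comma used everywhere else in the document ("e.g., IPFIX", "e.g., BGP Flowspec").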
| skipping to change at page 18, line 44 ¶ | skipping to change at page 18, line 45 ¶ | |||
| network. | network. | |||
| The aim of this use case is to share the information about on-going | The aim of this use case is to share the information about on-going | |||
| DDoS counter measure between the transit provider and the enterprise | DDoS counter measure between the transit provider and the enterprise | |||
| network mutually. Figure 13 gives an overview of this use case. | network mutually. Figure 13 gives an overview of this use case. | |||
| Figure 14 provides an example of a DOTS telemetry message body that | Figure 14 provides an example of a DOTS telemetry message body that | |||
| is used to signal total pipe capacity from the enterprise network | is used to signal total pipe capacity from the enterprise network | |||
| administrator to the orchestrator in the ISP. Figure 15 provides an | administrator to the orchestrator in the ISP. Figure 15 provides an | |||
| example of a DOTS telemetry message body that is used to signal | example of a DOTS telemetry message body that is used to signal | |||
| various total traffic percentiles, total attack traffic percentiles | various total traffic percentiles, total attack traffic percentiles | |||
| and attack detail from the orchestrator to the network . | and attack detail from the orchestrator to the network. | |||
| +------------------+ +------------------------+ | +------------------+ +------------------------+ | |||
| | Enterprise | | Upstream | | | Enterprise | | Upstream | | |||
| | Network | | Internet Transit | | | Network | | Internet Transit | | |||
| | +------------+ | | Provider | | | +------------+ | | Provider | | |||
| | | Network |C | | S+--------------+ | | | | Network |C | | S+--------------+ | | |||
| | | admini- |<-----DOTS---->| Orchestrator | | | | | admini- |<-----DOTS---->| Orchestrator | | | |||
| | | strator | | | +--------------+ | | | | strator | | | +--------------+ | | |||
| | +------------+ | | C ^ | | | +------------+ | | C ^ | | |||
| | | | | DOTS | | | | | | DOTS | | |||
| skipping to change at page 21, line 8 ¶ | skipping to change at page 21, line 8 ¶ | |||
| The network management system in the enterprise network reports | The network management system in the enterprise network reports | |||
| limits of incoming traffic volume from the transit provider to the | limits of incoming traffic volume from the transit provider to the | |||
| orchestrator in the transit provider in advance. It is reported by | orchestrator in the transit provider in advance. It is reported by | |||
| using the "total-pipe-capacity" telemetry attribute in the DOTS | using the "total-pipe-capacity" telemetry attribute in the DOTS | |||
| telemetry setup. | telemetry setup. | |||
| When DDoS attacks occur, DDoS mitigation orchestration [RFC8903] is | When DDoS attacks occur, DDoS mitigation orchestration [RFC8903] is | |||
| carried out in the transit provider. Then, the DDoS mitigation | carried out in the transit provider. Then, the DDoS mitigation | |||
| system reports the status of DDoS countermeasures to the | system reports the status of DDoS countermeasures to the | |||
| orchestrator sending "attack-detail" telemetry attributes. After | orchestrator by sending "attack-detail" telemetry attributes. After | |||
| that, the orchestrator integrates the reports from the DDoS | that, the orchestrator integrates the reports from the DDoS | |||
| mitigation system, while removing duplicate contents, and send it to | mitigation system, while removing duplicate contents, and sends them | |||
| a network administrator using DOTS telemetry periodically. | to a network administrator by using DOTS telemetry periodically. | |||
| During the DDoS mitigation, the orchestrator in the transit provider | During the DDoS mitigation, the orchestrator in the transit provider | |||
| retrieves link congestion status from the network manager in the | retrieves link congestion status from the network manager in the | |||
| enterprise network using "total-traffic" telemetry attributes. Then, | enterprise network by using "total-traffic" telemetry attributes. | |||
| the orchestrator checks whether the DDoS countermeasures are | Then, the orchestrator checks whether the DDoS countermeasures are | |||
| effective or not by comparing the "total-traffic" and the "total- | effective or not by comparing the "total-traffic" and the "total- | |||
| pipe-capacity" attributes. | pipe-capacity" attributes. | |||
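The orchestrator's effectiveness check described above, as an added example that is not part of this draft: it reads the enterprise's "total-pipe-capacity" from a telemetry-setup body and the "total-traffic" gauges from a telemetry body, normalises both to bit/s and compares them. The message nesting, the link-id/capacity/unit fields, the unit names and the 80% headroom threshold are assumptions; all values are constructed.

```python
import json

# Constructed messages using the attributes named in the text. Their nesting,
# the "link-id"/"capacity" fields and the unit names are assumed from the DOTS
# telemetry data model; uint64 gauges travel as JSON strings; values are made up.
SETUP_MSG = json.dumps({
    "ietf-dots-telemetry:telemetry-setup": {
        "telemetry": [{
            "total-pipe-capacity": [
                {"link-id": "transit-a", "capacity": "10", "unit": "gigabit-ps"},
                {"link-id": "transit-b", "capacity": "10", "unit": "gigabit-ps"}]}]}})

TRAFFIC_MSG = json.dumps({
    "ietf-dots-telemetry:telemetry": {
        "pre-or-ongoing-mitigation": [{
            "target": {"target-prefix": ["2001:db8::1/128"]},
            "total-traffic": [
                {"unit": "megabit-ps", "protocol": 17,
                 "peak-g": "25000", "current-g": "7000"},
                {"unit": "megabit-ps", "protocol": 6,
                 "peak-g": "3000", "current-g": "2000"}]}]}})

# Scale factors to bit/s for the unit names used in the messages above.
BPS = {"bit-ps": 1, "kilobit-ps": 10**3, "megabit-ps": 10**6, "gigabit-ps": 10**9}

def to_bps(value, unit):
    return int(value) * BPS[unit]

def pipe_capacity_bps(setup_json):
    """Aggregate capacity of all links the enterprise reported in telemetry setup."""
    setup = json.loads(setup_json)["ietf-dots-telemetry:telemetry-setup"]
    return sum(to_bps(link["capacity"], link["unit"])
               for entry in setup["telemetry"]
               for link in entry.get("total-pipe-capacity", []))

def total_traffic_bps(telemetry_json, gauge="current-g"):
    """Sum one gauge ("current-g" or "peak-g") over all per-protocol entries."""
    tel = json.loads(telemetry_json)["ietf-dots-telemetry:telemetry"]
    return sum(to_bps(t[gauge], t["unit"])
               for m in tel["pre-or-ongoing-mitigation"]
               for t in m.get("total-traffic", []) if gauge in t)

def countermeasure_effective(setup_json, telemetry_json, headroom=0.8):
    """The orchestrator's check: mitigation counts as effective when the traffic
    still reaching the enterprise stays under a fraction of the reported pipe
    capacity. Returns (verdict, utilisation)."""
    capacity = pipe_capacity_bps(setup_json)
    current = total_traffic_bps(telemetry_json, "current-g")
    return current <= headroom * capacity, current / capacity
```

The constructed peak (28 Gbit/s) exceeds the 20 Gbit/s pipe while the current gauges (9 Gbit/s) do not, which is the situation in which the orchestrator would report the countermeasure as effective.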
| The DMS implements a DOTS server while the orchestrator behaves as a | The DMS implements a DOTS server while the orchestrator behaves as a | |||
| DOTS client and a server in the transit provider. In addition, the | DOTS client and a server in the transit provider. In addition, the | |||
| network administrator implements a DOTS client. | network administrator implements a DOTS client. | |||
| 3.3. Tuning Mitigation Resources | 3.3. Tuning Mitigation Resources | |||
| 3.3.1. Supervised Machine Learning of Flow Collector | 3.3.1. Supervised Machine Learning of Flow Collector | |||
| DDoS detection based on tools, such as IPFIX, is a lighter weight | DDoS detection based on tools, such as IPFIX, is a lighter weight | |||
| method of detecting DDoS attacks than DMSes in internet transit | method of detecting DDoS attacks than DMSes in internet transit | |||
| provider networks. On the other hand, DDoS detection based on the | provider networks. On the other hand, DDoS detection based on the | |||
| DMSes is a more accurate method for detecting attack traffic better | DMSes is a more accurate method for detecting attack traffic than | |||
| than flow monitoring. | flow monitoring. | |||
| The aim of this use case is to increases flow collector's detection | The aim of this use case is to increase flow collector's detection | |||
| accuracy by carrying out supervised machine-learning techniques | accuracy by carrying out supervised machine-learning techniques | |||
| according to attack detail reported by the DMSes. To use such a | according to attack detail reported by the DMSes. To use such a | |||
| technique, forwarding nodes, a flow collector, and a DMS should | technique, forwarding nodes, a flow collector, and a DMS should | |||
| cooperate. Figure 16 gives an overview of this use case. Figure 17 | cooperate. Figure 16 gives an overview of this use case. Figure 17 | |||
| provides an example of a DOTS telemetry message body that is used to | provides an example of a DOTS telemetry message body that is used to | |||
| signal various total attack traffic percentiles and attack detail. | signal various total attack traffic percentiles and attack detail. | |||
| +-----------+ | +-----------+ | |||
| +-----------+| DOTS | +-----------+| DOTS | |||
| e.g., IPFIX | Flow ||S<--- | e.g., IPFIX | Flow ||S<--- | |||
| skipping to change at page 22, line 28 ¶ | skipping to change at page 22, line 28 ¶ | |||
| +---||-|| ||-+ | +---||-|| ||-+ | |||
| || || || | || || || | |||
| |/ |/ |/ | |/ |/ |/ | |||
| DOTS +---X--X--X--+ | DOTS +---X--X--X--+ | |||
| --->C| DDoS | | --->C| DDoS | | |||
| | mitigation | | | mitigation | | |||
| | system | | | system | | |||
| +------------+ | +------------+ | |||
| * C is for DOTS client functionality | * C is for DOTS client functionality | |||
| * S is for DOTS client functionality | * S is for DOTS server functionality | |||
| Figure 16: Training Supervised Machine Learning of Flow Collectors | Figure 16: Training Supervised Machine Learning of Flow Collectors | |||
| { | { | |||
| "ietf-dots-telemetry:telemetry": { | "ietf-dots-telemetry:telemetry": { | |||
| "pre-or-ongoing-mitigation": [ | "pre-or-ongoing-mitigation": [ | |||
| { | { | |||
| "target": { | "target": { | |||
| "target-prefix": [ | "target-prefix": [ | |||
| "2001:db8::1/128" | "2001:db8::1/128" | |||
| ] | ] | |||
| skipping to change at page 23, line 37 ¶ | skipping to change at page 23, line 37 ¶ | |||
| ] | ] | |||
| } | } | |||
| } | } | |||
| ] | ] | |||
| } | } | |||
| ] | ] | |||
| } | } | |||
| } | } | |||
| Figure 17: An Example of Message Body with Attack Type | Figure 17: An Example of Message Body with Attack Type | |||
| and Top Talkers | and top-talkers | |||
| The forwarding nodes send traffic statisticsto the flow collectors | The forwarding nodes send traffic statistics to the flow collectors | |||
| using, e.g., IPFIX. When DDoS attacks occur, DDoS mitigation | by using, e.g., IPFIX. When DDoS attacks occur, DDoS mitigation | |||
| orchestration is carried out (as per Section 3.3 of [RFC8903]) and | orchestration is carried out (as per Section 3.3 of [RFC8903]) and | |||
| the DMS mitigates all attack traffic destined for a target. The DDoS | the DMS mitigates all attack traffic destined for a target. The DDoS | |||
| mitigation system reports the "vendor-id", "attack-id", and "top- | mitigation system reports the "vendor-id", "attack-id", and "top- | |||
| talker" telemetry attributes to a flow collector. | talker" telemetry attributes to a flow collector. | |||
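How a flow collector can turn this report into training labels, as an added example that is neither the draft's nor any vendor's code: flows whose source falls in a reported top-talker prefix and whose destination is the mitigation target receive the DMS's (vendor-id, attack-id) as their label; every other flow receives 0. The nesting of these attributes under attack-detail, the talker/source-prefix fields and the flow record layout are assumptions; all values are constructed.

```python
import ipaddress
import json

# Constructed DMS report. "vendor-id", "attack-id" and "top-talker" are the
# attributes named in the text; their nesting under "attack-detail" and the
# "source-prefix" field are assumed from the DOTS telemetry data model.
DMS_REPORT = json.dumps({
    "ietf-dots-telemetry:telemetry": {
        "pre-or-ongoing-mitigation": [{
            "target": {"target-prefix": ["2001:db8::1/128"]},
            "attack-detail": [{
                "vendor-id": 32473, "attack-id": 77,
                "top-talker": {"talker": [
                    {"source-prefix": "2001:db8:1::/48"},
                    {"source-prefix": "2001:db8:2::/48"}]}}]}]}})

# Constructed flow statistics as a collector might hold them from IPFIX:
# (source, destination, protocol, packets, bytes)
FLOWS = [
    ("2001:db8:1::5", "2001:db8::1", 17, 900000, 54000000),
    ("2001:db8:2::9", "2001:db8::1", 17, 850000, 51000000),
    ("2001:db8:9::2", "2001:db8::1", 6, 1200, 960000),
    ("2001:db8:1::5", "2001:db8::7", 17, 300, 18000),
]

def label_flows(flows, report_json):
    """Label a flow (vendor-id, attack-id) when its source is in a reported
    top-talker prefix and its destination is the mitigation target; else 0."""
    tel = json.loads(report_json)["ietf-dots-telemetry:telemetry"]
    rules = []  # (target networks, talker networks, label) per attack-detail
    for m in tel["pre-or-ongoing-mitigation"]:
        targets = [ipaddress.ip_network(p) for p in m["target"]["target-prefix"]]
        for d in m.get("attack-detail", []):
            talkers = [ipaddress.ip_network(t["source-prefix"])
                       for t in d.get("top-talker", {}).get("talker", [])]
            rules.append((targets, talkers, (d["vendor-id"], d["attack-id"])))
    labelled = []
    for src, dst, proto, pkts, octets in flows:
        s, t = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        label = 0
        for targets, talkers, lab in rules:
            if any(t in n for n in targets) and any(s in n for n in talkers):
                label = lab
        # feature vector the collector's classifier is trained on, plus label
        labelled.append({"proto": proto, "pkts": pkts, "bytes": octets,
                         "bytes_per_pkt": octets / pkts, "label": label})
    return labelled
```

The fourth flow shares a top-talker source with the first but is bound for another destination, so it stays unlabelled; labelling by source alone would mark unrelated traffic from that prefix as attack traffic.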
| After mitigating a DDoS attack, the flow collector attaches outputs | After mitigating a DDoS attack, the flow collector attaches outputs | |||
| of the DMS as labels to the statistics of traffic flow of top- | of the DMS as labels to the statistics of traffic flow of top- | |||
| talkers. The outputs, for example, are the "attack-id" telemetry | talkers. The outputs, for example, are the "attack-id" telemetry | |||
| attributes. The flow collector, then, carries out supervised machine | attributes. The flow collector, then, carries out supervised machine | |||
| learning to increase its detection accuracy, setting the statistics | learning to increase its detection accuracy, setting the statistics | |||
| skipping to change at page 24, line 49 ¶ | skipping to change at page 24, line 49 ¶ | |||
| +---||-------+ | +---||-------+ | |||
| || | || | |||
| |/ | |/ | |||
| DOTS +---X--------+ | DOTS +---X--------+ | |||
| --->C| DDoS | | --->C| DDoS | | |||
| | mitigation | | | mitigation | | |||
| | system | | | system | | |||
| +------------+ | +------------+ | |||
| * C is for DOTS client functionality | * C is for DOTS client functionality | |||
| * S is for DOTS client functionality | * S is for DOTS server functionality | |||
| Figure 18: Training Unsupervised Machine Learning of Flow Collectors | Figure 18: Training Unsupervised Machine Learning of Flow Collectors | |||
| { | { | |||
| "ietf-dots-telemetry:telemetry-setup": { | "ietf-dots-telemetry:telemetry-setup": { | |||
| "telemetry": [ | "telemetry": [ | |||
| { | { | |||
| "baseline": [ | "baseline": [ | |||
| { | { | |||
| "id": 1, | "id": 1, | |||
| "target-prefix": [ | "target-prefix": [ | |||
| skipping to change at page 25, line 42 ¶ | skipping to change at page 25, line 42 ¶ | |||
| ] | ] | |||
| } | } | |||
| ] | ] | |||
| } | } | |||
| } | } | |||
| Figure 19: An Example of Message Body with Traffic Baseline | Figure 19: An Example of Message Body with Traffic Baseline | |||
| The forwarding nodes mirror traffic destined to the target IP address. | The forwarding nodes mirror traffic destined to the target IP address. | |||
| The DMS then identifies "clean" traffic and reports the baseline | The DMS then identifies "clean" traffic and reports the baseline | |||
| attributes to the flow collector using DOTS telemetry. | attributes to the flow collector by using DOTS telemetry. | |||
| The flow collector, then, carries out unsupervised machine learning | The flow collector, then, carries out unsupervised machine learning | |||
| to be able to carry out anomaly detection. | to be able to carry out anomaly detection. | |||
| The DMS implements a DOTS client while the flow collector implements | The DMS implements a DOTS client while the flow collector implements | |||
| a DOTS server. | a DOTS server. | |||
| 4. Security Considerations | 4. Security Considerations | |||
| DOTS telemetry security considerations are discussed in Section 14 of | DOTS telemetry security considerations are discussed in Section 14 of | |||
| [I-D.ietf-dots-telemetry]. These considerations apply for the | [I-D.ietf-dots-telemetry]. These considerations apply for the | |||
| communication interfaces where DOTS is used. | communication interfaces where DOTS is used. | |||
| Some use cases involve controllers, orchestrators, and programmable | Some use cases involve controllers, orchestrators, and programmable | |||
| interfaces. These interfaces can be misused by misbehaving nodes to | interfaces. These interfaces can be misused by misbehaving nodes to | |||
| further exacerbate a DDoS attacks. Section 5 of [RFC7149] discusses | further exacerbate DDoS attacks. Section 5 of [RFC7149] discusses | |||
| some generic security considerations to take into account in such | some generic security considerations to take into account in such | |||
| contexts (e.g., reliable access control). Specific security measures | contexts (e.g., reliable access control). Specific security measures | |||
| depend on the actual mechanism used to control underlying forwarding | depend on the actual mechanism used to control underlying forwarding | |||
| nodes and other controlled elements. For example, Section 13 of | nodes and other controlled elements. For example, Section 13 of | |||
| [RFC8955] discusses security considerations that are relevant to BGP | [RFC8955] discusses security considerations that are relevant to BGP | |||
| Flow Specifications. IPFIX-specific considerations are discussed in | Flowspec. IPFIX-specific considerations are discussed in Section 11 | |||
| Section 11 of [RFC7011]. | of [RFC7011]. | |||
| 5. IANA Considerations | 5. IANA Considerations | |||
| This document does not require any action from IANA. | This document does not require any action from IANA. | |||
| 6. Acknowledgement | 6. Acknowledgement | |||
| The authors would like to thank among others Mohamed Boucadair for | The authors would like to thank Mohamed Boucadair and Valery Smyslov | |||
| their valuable feedback. | for their valuable feedback. | |||
| 7. References | 7. References | |||
| 7.1. Normative References | 7.1. Normative References | |||
| [I-D.ietf-dots-telemetry] | [I-D.ietf-dots-telemetry] | |||
| Boucadair, M., Reddy.K, T., Doron, E., Chen, M., and J. | Boucadair, M., Reddy.K, T., Doron, E., Chen, M., and J. | |||
| Shallow, "Distributed Denial-of-Service Open Threat | Shallow, "Distributed Denial-of-Service Open Threat | |||
| Signaling (DOTS) Telemetry", Work in Progress, Internet- | Signaling (DOTS) Telemetry", Work in Progress, Internet- | |||
| Draft, draft-ietf-dots-telemetry-23, 4 February 2022, | Draft, draft-ietf-dots-telemetry-25, 21 March 2022, | |||
| <https://www.ietf.org/archive/id/draft-ietf-dots- | <https://www.ietf.org/archive/id/draft-ietf-dots- | |||
| telemetry-23.txt>. | telemetry-25.txt>. | |||
| 7.2. Informative References | 7.2. Informative References | |||
| [RFC3413] Levi, D., Meyer, P., and B. Stewart, "Simple Network | [RFC3413] Levi, D., Meyer, P., and B. Stewart, "Simple Network | |||
| Management Protocol (SNMP) Applications", STD 62, | Management Protocol (SNMP) Applications", STD 62, | |||
| RFC 3413, DOI 10.17487/RFC3413, December 2002, | RFC 3413, DOI 10.17487/RFC3413, December 2002, | |||
| <https://www.rfc-editor.org/info/rfc3413>. | <https://www.rfc-editor.org/info/rfc3413>. | |||
| [RFC4271] Rekhter, Y., Ed., Li, T., Ed., and S. Hares, Ed., "A | [RFC4271] Rekhter, Y., Ed., Li, T., Ed., and S. Hares, Ed., "A | |||
| Border Gateway Protocol 4 (BGP-4)", RFC 4271, | Border Gateway Protocol 4 (BGP-4)", RFC 4271, | |||
| End of changes. 47 change blocks. | ||||
| 77 lines changed or deleted | 80 lines changed or added | |||
This html diff was produced by rfcdiff 1.48. The latest version is available from http://tools.ietf.org/tools/rfcdiff/ | ||||