draft-ietf-dots-signal-call-home-06.txt vs. draft-ietf-dots-signal-call-home-07.txt
DOTS                                                            T. Reddy
Internet-Draft                                                    McAfee
Intended status: Standards Track                            M. Boucadair
Expires: May 21, 2020 [-06: March 13, 2020]                       Orange
                                                              J. Shallow
November 18, 2019 [-06: September 10, 2019]

     Distributed Denial-of-Service Open Threat Signaling (DOTS) Signal
                            Channel Call Home
                    draft-ietf-dots-signal-call-home-07
                 [-06: draft-ietf-dots-signal-call-home-06]
Abstract

   This document specifies the DOTS signal channel Call Home, which
   enables a DOTS server to initiate a secure connection to a DOTS
   client, and to receive the attack traffic information from the DOTS
   client.  The DOTS server in turn uses the attack traffic information
   to identify the compromised devices launching the outgoing DDoS
   attack and takes appropriate mitigation action(s).
   [skipping to change at page 2, line 22]

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF).  Note that other groups may also distribute
   working documents as Internet-Drafts.  The list of current Internet-
   Drafts is at https://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   This Internet-Draft will expire on May 21, 2020.  [-06: March 13, 2020]

Copyright Notice

   Copyright (c) 2019 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (https://trustee.ietf.org/license-info) in effect on the date of
   publication of this document.  Please review these documents

   [skipping to change at page 3, line 7]
   2.  Terminology . . . . . . . . . . . . . . . . . . . . . . . . .  11
   3.  DOTS Signal Channel Call Home . . . . . . . . . . . . . . . .  12
     3.1.  Procedure . . . . . . . . . . . . . . . . . . . . . . . .  12
     3.2.  DOTS Signal Channel Variations  . . . . . . . . . . . . .  13
       3.2.1.  Heartbeat Mechanism . . . . . . . . . . . . . . . . .  13
       3.2.2.  Redirected Signaling  . . . . . . . . . . . . . . . .  14
     3.3.  DOTS Signal Channel Extension . . . . . . . . . . . . . .  15
       3.3.1.  Mitigation Request  . . . . . . . . . . . . . . . . .  15
       3.3.2.  Address Sharing Considerations  . . . . . . . . . . .  18
       3.3.3.  DOTS Signal Call Home YANG Module . . . . . . . . . .  21
   4.  IANA Considerations . . . . . . . . . . . . . . . . . . . . .  26 [-06: 25]
     4.1.  DOTS Signal Channel Call Home UDP and TCP Port Number . .  26 [-06: 25]
     4.2.  DOTS Signal Channel CBOR Mappings Registry  . . . . . . .  26
     4.3.  New DOTS Conflict Cause . . . . . . . . . . . . . . . . .  27
     4.4.  DOTS Signal Call Home YANG Module . . . . . . . . . . . .  28
   5.  Security Considerations . . . . . . . . . . . . . . . . . . .  28
   6.  Privacy Considerations  . . . . . . . . . . . . . . . . . . .  29
   7.  Contributors  . . . . . . . . . . . . . . . . . . . . . . . .  30
   8.  Acknowledgements  . . . . . . . . . . . . . . . . . . . . . .  30
   9.  References  . . . . . . . . . . . . . . . . . . . . . . . . .  30
     9.1.  Normative References  . . . . . . . . . . . . . . . . . .  30
     9.2.  Informative References  . . . . . . . . . . . . . . . . .  31
   [skipping to change at page 13, line 11]

               |                ...                |

        Figure 7: DOTS Signal Channel Call Home Sequence Diagram

   The DOTS signal channel Call Home procedure is as follows:

   1.  If UDP transport is used, the Call Home DOTS server begins by
       initiating a DTLS connection to the Call Home DOTS client.

       If TCP is used, the Call Home DOTS server begins by initiating a
       TCP connection to the Call Home DOTS client.  Once connected, the
       Call Home DOTS server continues to initiate a TLS connection to
       the Call Home DOTS client.  [-06: Using this TCP connection, the
       Call Home DOTS server initiates a TLS connection to the Call Home
       DOTS client.]

       In some cases, peer DOTS agents may have mutual agreement to use
       a specific port number, such as by explicit configuration or
       dynamic discovery [I-D.ietf-dots-server-discovery].  Absent such
       mutual agreement, the DOTS signal channel Call Home MUST run over
       port number TBD (that is, Call Home DOTS clients must support
       accepting DTLS (or TCP) connections on TBD) as defined in
       Section 4.1, for both UDP and TCP.  The interaction between the
       base DOTS signal channel and the Call Home is discussed in
       Appendix A.
   [skipping to change at page 22, line 22]

                 +--rw source-icmp-type-range*
                 |       [lower-type] {source-signaling}?
                    +--rw lower-type    uint8
                    +--rw upper-type?   uint8
     augment /ietf-signal:dots-signal/ietf-signal:message-type
               /ietf-signal:redirected-signal:
       +--rw alt-ch-client           string            {call-home}?
       +--rw alt-ch-client-record*   inet:ip-address   {call-home}?
       +--rw ttl                     uint32            {call-home}?
3.3.3.2.  YANG/JSON Mapping Parameters to CBOR

   [-06: this heading read "3.3.3.2.  YANG Module"; the table below
   appeared in -06 only as Figure 13 in Section 4.2.]

   The YANG/JSON mapping parameters to CBOR are listed in Table 1.

   +-------------------+------------+--------+---------------+--------+
   | Parameter Name    | YANG       | CBOR   | CBOR Major    | JSON   |
   |                   | Type       | Key    | Type &        | Type   |
   |                   |            |        | Information   |        |
   +-------------------+------------+--------+---------------+--------+
   | source-prefix     | leaf-list  | 0x8000 | 4 array       | Array  |
   |                   | inet:      | (TBD1) |               |        |
   |                   | ip-prefix  |        | 3 text string | String |
   | source-port-range | list       | 0x8001 | 4 array       | Array  |
   |                   |            | (TBD2) |               |        |
   | source-icmp-type- | list       | 0x8002 | 4 array       | Array  |
   | range             |            | (TBD3) |               |        |
   | lower-type        | uint8      | 0x8003 | 0 unsigned    | Number |
   |                   |            | (TBD4) |               |        |
   | upper-type        | uint8      | 0x8004 | 0 unsigned    | Number |
   |                   |            | (TBD5) |               |        |
   | alt-ch-client     | string     | 0x8005 | 3 text string | String |
   |                   |            | (TBD6) |               |        |
   | alt-ch-client-    | leaf-list  | 0x8006 | 4 array       | Array  |
   | record            | inet:      | (TBD7) |               |        |
   |                   | ip-address |        | 3 text string | String |
   | ttl               | uint32     | 0x8007 | 0 unsigned    | Number |
   |                   |            | (TBD8) |               |        |
   +-------------------+------------+--------+---------------+--------+

            Table 1: YANG/JSON Mapping Parameters to CBOR
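A worked encoding of the Table 1 mapping, added here as an example rather than code from the draft: a minimal CBOR encoder covering only the unsigned/text-string/array/map subset the table uses, which swaps the parameter names for their CBOR keys and rejects a value whose CBOR major type or YANG range contradicts the table. The CALL_HOME_KEYS table, the function names and the sample body are assumptions of this example; source-port-range is left out because Table 1 assigns no keys to its child leaves.

```python
# Added example, not code from the draft: a minimal CBOR encoder covering only
# the subset Table 1 needs, applying the draft's key / major-type mapping.
import struct

# Table 1: name -> (CBOR key, expected CBOR major type, max value if unsigned)
CALL_HOME_KEYS = {
    "source-prefix":          (0x8000, 4, None),        # leaf-list -> array
    "source-icmp-type-range": (0x8002, 4, None),        # list -> array of maps
    "lower-type":             (0x8003, 0, 0xFF),        # uint8 -> unsigned
    "upper-type":             (0x8004, 0, 0xFF),        # uint8 -> unsigned
    "alt-ch-client":          (0x8005, 3, None),        # string -> text string
    "alt-ch-client-record":   (0x8006, 4, None),        # leaf-list -> array
    "ttl":                    (0x8007, 0, 0xFFFFFFFF),  # uint32 -> unsigned
}

def _head(major, arg):
    # Initial byte = major type << 5 | additional info, then the argument bytes.
    if arg < 24:
        return bytes([(major << 5) | arg])
    for ai, fmt in ((24, ">B"), (25, ">H"), (26, ">I"), (27, ">Q")):
        if arg < 1 << (8 * struct.calcsize(fmt)):
            return bytes([(major << 5) | ai]) + struct.pack(fmt, arg)
    raise ValueError("argument too large for CBOR")

def encode(value):
    """Encode a non-negative int, str, list or dict (integer keys) as CBOR."""
    if isinstance(value, int) and value >= 0:
        return _head(0, value)
    if isinstance(value, str):
        data = value.encode("utf-8")
        return _head(3, len(data)) + data
    if isinstance(value, list):
        return _head(4, len(value)) + b"".join(map(encode, value))
    if isinstance(value, dict):
        return _head(5, len(value)) + b"".join(encode(k) + encode(v) for k, v in value.items())
    raise TypeError(f"unsupported value: {value!r}")

def to_cbor_keys(obj):
    """Swap Table 1 names for CBOR keys (recursing into lists of maps) and
    reject values whose major type or range contradicts the YANG type."""
    out = {}
    for name, value in obj.items():
        key, major, limit = CALL_HOME_KEYS[name]
        if isinstance(value, list):
            value = [to_cbor_keys(v) if isinstance(v, dict) else v for v in value]
        if encode(value)[0] >> 5 != major or (limit is not None and value > limit):
            raise ValueError(f"{name}: value does not match its Table 1 type")
        out[key] = value
    return out

def encode_call_home(obj):
    """Encode a dict keyed by Table 1 parameter names into CBOR bytes."""
    return encode(to_cbor_keys(obj))

# Constructed sample body; source-port-range omitted (Table 1 gives its children no keys).
SAMPLE = {"source-prefix": ["2001:db8::1/128"],
          "source-icmp-type-range": [{"lower-type": 8, "upper-type": 8}],
          "ttl": 300}
```

Keys in the 0x8000 range always take the 2-byte form (0x19 followed by the key), which is why every Call Home parameter costs three bytes of key before its value.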
3.3.3.3.  YANG Module [-06: numbered 3.3.3.2]

   This module uses the common YANG types defined in [RFC6991].

   <CODE BEGINS> file "ietf-dots-call-home@2019-09-06.yang"
   module ietf-dots-call-home {
     yang-version 1.1;
     namespace "urn:ietf:params:xml:ns:yang:ietf-dots-call-home";
     prefix call-home;
   [skipping to change at page 26, line 43 (-06: line 18)]

   Description:  DOTS Signal Channel Call Home
   Assignee:  IESG <iesg@ietf.org>
   Contact:  IETF Chair <chair@ietf.org>
   Reference:  RFC XXXX

   The assignment of port number 4647 is strongly suggested (DOTS signal
   channel uses port number 4646).

4.2.  DOTS Signal Channel CBOR Mappings Registry

   This specification registers the following comprehension-optional
   parameters in the IANA "DOTS Signal Channel CBOR Key Values" registry
   established by [I-D.ietf-dots-signal-channel] (Table 2).

   [-06: This specification registers the 'source-prefix', 'source-port-
   range', and 'source-icmp-type-range' parameters in the IANA "DOTS
   Signal Channel CBOR Key Values" registry established by
   [I-D.ietf-dots-signal-channel] (Figure 13).  The 'source-prefix',
   'source-port-range', and 'source-icmp-type-range' are
   comprehension-optional parameters.]

   o  Note to the RFC Editor: Please delete (TBD1)-(TBD8) once CBOR keys
      are assigned from the 0x8000 - 0xBFFF range.
   +-------------------+--------+-------+------------+---------------+
   | Parameter Name    | CBOR   | CBOR  | Change     | Specification |
   |                   | Key    | Major | Controller | Document(s)   |
   |                   | Value  | Type  |            |               |
   +-------------------+--------+-------+------------+---------------+
   | source-prefix     | 0x8000 | 4     | IESG       | [RFCXXXX]     |
   |                   | (TBD1) |       |            |               |
   | source-port-range | 0x8001 | 4     | IESG       | [RFCXXXX]     |
   |                   | (TBD2) |       |            |               |
   | source-icmp-type- | 0x8002 | 4     | IESG       | [RFCXXXX]     |
   | range             | (TBD3) |       |            |               |
   | lower-type        | 0x8003 | 0     | IESG       | [RFCXXXX]     |
   |                   | (TBD4) |       |            |               |
   | upper-type        | 0x8004 | 0     | IESG       | [RFCXXXX]     |
   |                   | (TBD5) |       |            |               |
   | alt-ch-client     | 0x8005 | 3     | IESG       | [RFCXXXX]     |
   |                   | (TBD6) |       |            |               |
   | alt-ch-client-    | 0x8006 | 4     | IESG       | [RFCXXXX]     |
   | record            | (TBD7) |       |            |               |
   | ttl               | 0x8007 | 0     | IESG       | [RFCXXXX]     |
   |                   | (TBD8) |       |            |               |
   +-------------------+--------+-------+------------+---------------+

          Table 2: Assigned DOTS Signal Channel CBOR Key Values

   [-06: this table was Figure 13 "Assigned DOTS Signal Channel CBOR Key
   Values" and carried the same rows with the columns of Table 1 (YANG
   Type, CBOR Key, CBOR Major Type & Information, JSON Type) instead of
   the Change Controller and Specification Document(s) columns.]
4.3.  New DOTS Conflict Cause

   This document requests IANA to assign a new code from the "DOTS
   Signal Channel Conflict Cause Codes" registry:

   +-----+-----------------------------------+-------------+-----------+
   | Cod | Label                             | Description | Reference |
   | e   |                                   |             |           |
   +-----+-----------------------------------+-------------+-----------+
   [skipping to change at page 30, line 49]

   Gavrichenkov, Daniel Migault, and Valery Smyslov for the comments.

9.  References

9.1.  Normative References

   [I-D.ietf-dots-signal-channel]
              K, R., Boucadair, M., Patil, P., Mortensen, A., and N.
              Teague, "Distributed Denial-of-Service Open Threat
              Signaling (DOTS) Signal Channel Specification", draft-
              ietf-dots-signal-channel-38 (work in progress), October
              2019.  [-06: draft-ietf-dots-signal-channel-37, July 2019]

   [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
              Requirement Levels", BCP 14, RFC 2119,
              DOI 10.17487/RFC2119, March 1997,
              <https://www.rfc-editor.org/info/rfc2119>.

   [RFC3688]  Mealling, M., "The IETF XML Registry", BCP 81, RFC 3688,
              DOI 10.17487/RFC3688, January 2004,
              <https://www.rfc-editor.org/info/rfc3688>.
   [skipping to change at page 34, line 13]

              <https://www.rfc-editor.org/info/rfc8576>.

   [RFC8612]  Mortensen, A., Reddy, T., and R. Moskowitz, "DDoS Open
              Threat Signaling (DOTS) Requirements", RFC 8612,
              DOI 10.17487/RFC8612, May 2019,
              <https://www.rfc-editor.org/info/rfc8612>.

   [Sec]      UK Department for Digital Culture, Media & Sport, "Secure
              by Design: Improving the cyber security of consumer
              Internet of Things Report", March 2018,
              <https://www.gov.uk/government/publications/secure-by-
              design-report>.

Appendix A.  Disambiguate Base DOTS Signal vs. DOTS Call Home

   With the DOTS signal channel Call Home, there is a chance that two
   DOTS agents can simultaneously establish two DOTS signal channels
   with different directions (base DOTS signal channel and DOTS signal
   channel Call Home).  Here is one example drawn from the home network.
   Nevertheless, the outcome of the discussion is not specific to these
   networks, but applies to any DOTS Call Home scenario.
End of changes.  12 change blocks.  45 lines changed or deleted, 71 lines changed or added.

This html diff was produced by rfcdiff 1.47.  The latest version is available from http://tools.ietf.org/tools/rfcdiff/