draft-ietf-dots-signal-call-home-06.txt | draft-ietf-dots-signal-call-home-07.txt | |||
---|---|---|---|---|
DOTS T. Reddy | DOTS T. Reddy | |||
Internet-Draft McAfee | Internet-Draft McAfee | |||
Intended status: Standards Track M. Boucadair | Intended status: Standards Track M. Boucadair | |||
Expires: March 13, 2020 Orange | Expires: May 21, 2020 Orange | |||
J. Shallow | J. Shallow | |||
September 10, 2019 | November 18, 2019 | |||
Distributed Denial-of-Service Open Threat Signaling (DOTS) Signal | Distributed Denial-of-Service Open Threat Signaling (DOTS) Signal | |||
Channel Call Home | Channel Call Home | |||
draft-ietf-dots-signal-call-home-06 | draft-ietf-dots-signal-call-home-07 | |||
Abstract | Abstract | |||
This document specifies the DOTS signal channel Call Home, which | This document specifies the DOTS signal channel Call Home, which | |||
enables a DOTS server to initiate a secure connection to a DOTS | enables a DOTS server to initiate a secure connection to a DOTS | |||
client, and to receive the attack traffic information from the DOTS | client, and to receive the attack traffic information from the DOTS | |||
client. The DOTS server in turn uses the attack traffic information | client. The DOTS server in turn uses the attack traffic information | |||
to identify the compromised devices launching the outgoing DDoS | to identify the compromised devices launching the outgoing DDoS | |||
attack and takes appropriate mitigation action(s). | attack and takes appropriate mitigation action(s). | |||
skipping to change at page 2, line 22 ¶ | skipping to change at page 2, line 22 ¶ | |||
Internet-Drafts are working documents of the Internet Engineering | Internet-Drafts are working documents of the Internet Engineering | |||
Task Force (IETF). Note that other groups may also distribute | Task Force (IETF). Note that other groups may also distribute | |||
working documents as Internet-Drafts. The list of current Internet- | working documents as Internet-Drafts. The list of current Internet- | |||
Drafts is at https://datatracker.ietf.org/drafts/current/. | Drafts is at https://datatracker.ietf.org/drafts/current/. | |||
Internet-Drafts are draft documents valid for a maximum of six months | Internet-Drafts are draft documents valid for a maximum of six months | |||
and may be updated, replaced, or obsoleted by other documents at any | and may be updated, replaced, or obsoleted by other documents at any | |||
time. It is inappropriate to use Internet-Drafts as reference | time. It is inappropriate to use Internet-Drafts as reference | |||
material or to cite them other than as "work in progress." | material or to cite them other than as "work in progress." | |||
This Internet-Draft will expire on March 13, 2020. | This Internet-Draft will expire on May 21, 2020. | |||
Copyright Notice | Copyright Notice | |||
Copyright (c) 2019 IETF Trust and the persons identified as the | Copyright (c) 2019 IETF Trust and the persons identified as the | |||
document authors. All rights reserved. | document authors. All rights reserved. | |||
This document is subject to BCP 78 and the IETF Trust's Legal | This document is subject to BCP 78 and the IETF Trust's Legal | |||
Provisions Relating to IETF Documents | Provisions Relating to IETF Documents | |||
(https://trustee.ietf.org/license-info) in effect on the date of | (https://trustee.ietf.org/license-info) in effect on the date of | |||
publication of this document. Please review these documents | publication of this document. Please review these documents | |||
skipping to change at page 3, line 7 ¶ | skipping to change at page 3, line 7 ¶ | |||
2. Terminology . . . . . . . . . . . . . . . . . . . . . . . . . 11 | 2. Terminology . . . . . . . . . . . . . . . . . . . . . . . . . 11 | |||
3. DOTS Signal Channel Call Home . . . . . . . . . . . . . . . . 12 | 3. DOTS Signal Channel Call Home . . . . . . . . . . . . . . . . 12 | |||
3.1. Procedure . . . . . . . . . . . . . . . . . . . . . . . . 12 | 3.1. Procedure . . . . . . . . . . . . . . . . . . . . . . . . 12 | |||
3.2. DOTS Signal Channel Variations . . . . . . . . . . . . . 13 | 3.2. DOTS Signal Channel Variations . . . . . . . . . . . . . 13 | |||
3.2.1. Heartbeat Mechanism . . . . . . . . . . . . . . . . . 13 | 3.2.1. Heartbeat Mechanism . . . . . . . . . . . . . . . . . 13 | |||
3.2.2. Redirected Signaling . . . . . . . . . . . . . . . . 14 | 3.2.2. Redirected Signaling . . . . . . . . . . . . . . . . 14 | |||
3.3. DOTS Signal Channel Extension . . . . . . . . . . . . . . 15 | 3.3. DOTS Signal Channel Extension . . . . . . . . . . . . . . 15 | |||
3.3.1. Mitigation Request . . . . . . . . . . . . . . . . . 15 | 3.3.1. Mitigation Request . . . . . . . . . . . . . . . . . 15 | |||
3.3.2. Address Sharing Considerations . . . . . . . . . . . 18 | 3.3.2. Address Sharing Considerations . . . . . . . . . . . 18 | |||
3.3.3. DOTS Signal Call Home YANG Module . . . . . . . . . . 21 | 3.3.3. DOTS Signal Call Home YANG Module . . . . . . . . . . 21 | |||
4. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 25 | 4. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 26 | |||
4.1. DOTS Signal Channel Call Home UDP and TCP Port Number . . 25 | 4.1. DOTS Signal Channel Call Home UDP and TCP Port Number . . 26 | |||
4.2. DOTS Signal Channel CBOR Mappings Registry . . . . . . . 26 | 4.2. DOTS Signal Channel CBOR Mappings Registry . . . . . . . 26 | |||
4.3. New DOTS Conflict Cause . . . . . . . . . . . . . . . . . 27 | 4.3. New DOTS Conflict Cause . . . . . . . . . . . . . . . . . 27 | |||
4.4. DOTS Signal Call Home YANG Module . . . . . . . . . . . . 28 | 4.4. DOTS Signal Call Home YANG Module . . . . . . . . . . . . 28 | |||
5. Security Considerations . . . . . . . . . . . . . . . . . . . 28 | 5. Security Considerations . . . . . . . . . . . . . . . . . . . 28 | |||
6. Privacy Considerations . . . . . . . . . . . . . . . . . . . 29 | 6. Privacy Considerations . . . . . . . . . . . . . . . . . . . 29 | |||
7. Contributors . . . . . . . . . . . . . . . . . . . . . . . . 30 | 7. Contributors . . . . . . . . . . . . . . . . . . . . . . . . 30 | |||
8. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 30 | 8. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 30 | |||
9. References . . . . . . . . . . . . . . . . . . . . . . . . . 30 | 9. References . . . . . . . . . . . . . . . . . . . . . . . . . 30 | |||
9.1. Normative References . . . . . . . . . . . . . . . . . . 30 | 9.1. Normative References . . . . . . . . . . . . . . . . . . 30 | |||
9.2. Informative References . . . . . . . . . . . . . . . . . 31 | 9.2. Informative References . . . . . . . . . . . . . . . . . 31 | |||
skipping to change at page 13, line 11 ¶ | skipping to change at page 13, line 11 ¶ | |||
| ... | | | ... | | |||
Figure 7: DOTS Signal Channel Call Home Sequence Diagram | Figure 7: DOTS Signal Channel Call Home Sequence Diagram | |||
The DOTS signal channel Call Home procedure is as follows: | The DOTS signal channel Call Home procedure is as follows: | |||
1. If UDP transport is used, the Call Home DOTS server begins by | 1. If UDP transport is used, the Call Home DOTS server begins by | |||
initiating a DTLS connection to the Call Home DOTS client. | initiating a DTLS connection to the Call Home DOTS client. | |||
If TCP is used, the Call Home DOTS server begins by initiating a | If TCP is used, the Call Home DOTS server begins by initiating a | |||
TCP connection to the Call Home DOTS client. Using this TCP | TCP connection to the Call Home DOTS client. Once connected, the | |||
connection, the Call Home DOTS server initiates a TLS connection | Call Home DOTS server continues to initiate a TLS connection to | |||
to the Call Home DOTS client. | the Call Home DOTS client. | |||
In some cases, peer DOTS agents may have mutual agreement to use | In some cases, peer DOTS agents may have mutual agreement to use | |||
a specific port number, such as by explicit configuration or | a specific port number, such as by explicit configuration or | |||
dynamic discovery [I-D.ietf-dots-server-discovery]. Absent such | dynamic discovery [I-D.ietf-dots-server-discovery]. Absent such | |||
mutual agreement, the DOTS signal channel Call Home MUST run over | mutual agreement, the DOTS signal channel Call Home MUST run over | |||
port number TBD (that is, Call Home DOTS clients must support | port number TBD (that is, Call Home DOTS clients must support | |||
accepting DTLS (or TCP) connections on TBD) as defined in | accepting DTLS (or TCP) connections on TBD) as defined in | |||
Section 4.1, for both UDP and TCP. The interaction between the | Section 4.1, for both UDP and TCP. The interaction between the | |||
base DOTS signal channel and the Call Home is discussed in | base DOTS signal channel and the Call Home is discussed in | |||
Appendix A. | Appendix A. | |||
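Review bot: the rewording of step 1, "Once connected, the Call Home DOTS server continues to initiate a TLS connection to the Call Home DOTS client", reads as if the TLS handshake were a continuation of the TCP connection attempt rather than a separate step run over it; "Once the TCP connection is established, the Call Home DOTS server initiates a TLS connection over it" keeps the meaning and states the ordering plainly. In the same paragraph the parenthetical "Call Home DOTS clients must support accepting DTLS (or TCP) connections on TBD" uses lower-case "must" right after a MUST; since it restates a normative requirement, either upper-case it or drop the parenthetical so the requirement is stated once.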
skipping to change at page 22, line 22 ¶ | skipping to change at page 22, line 22 ¶ | |||
+--rw source-icmp-type-range* | +--rw source-icmp-type-range* | |||
| [lower-type] {source-signaling}? | | [lower-type] {source-signaling}? | |||
+--rw lower-type uint8 | +--rw lower-type uint8 | |||
+--rw upper-type? uint8 | +--rw upper-type? uint8 | |||
augment /ietf-signal:dots-signal/ietf-signal:message-type | augment /ietf-signal:dots-signal/ietf-signal:message-type | |||
/ietf-signal:redirected-signal: | /ietf-signal:redirected-signal: | |||
+--rw alt-ch-client string {call-home}? | +--rw alt-ch-client string {call-home}? | |||
+--rw alt-ch-client-record* inet:ip-address {call-home}? | +--rw alt-ch-client-record* inet:ip-address {call-home}? | |||
+--rw ttl uint32 {call-home}? | +--rw ttl uint32 {call-home}? | |||
3.3.3.2. YANG Module | 3.3.3.2. YANG/JSON Mapping Parameters to CBOR | |||
The YANG/JSON mapping parameters to CBOR are listed in Table 1. | ||||
+-------------------+------------+--------+---------------+--------+ | ||||
| Parameter Name | YANG | CBOR | CBOR Major | JSON | | ||||
| | Type | Key | Type & | Type | | ||||
| | | | Information | | | ||||
+-------------------+------------+--------+---------------+--------+ | ||||
| source-prefix | leaf-list | 0x8000 | 4 array | Array | | ||||
| | inet: | (TBD1) | | | | ||||
| | ip-prefix | | 3 text string | String | | ||||
| source-port-range | list | 0x8001 | 4 array | Array | | ||||
| | | (TBD2) | | | | ||||
| source-icmp-type- | list | 0x8002 | 4 array | Array | | ||||
| range | | (TBD3) | | | | ||||
| lower-type | uint8 | 0x8003 | 0 unsigned | Number | | ||||
| | | (TBD4) | | | | ||||
| upper-type | uint8 | 0x8004 | 0 unsigned | Number | | ||||
| | | (TBD5) | | | | ||||
| alt-ch-client | string | 0x8005 | 3 text string | String | | ||||
| | | (TBD6) | | | | ||||
| alt-ch-client- | leaf-list | 0x8006 | 4 array | Array | | ||||
| record | inet: | (TBD7) | | | | ||||
| | ip-address| | 3 text string | String | | ||||
| ttl | uint32 | 0x8007 | 0 unsigned | Number | | ||||
| | | (TBD8) | | | | ||||
+-------------------+------------+--------+---------------+--------+ | ||||
Table 1: YANG/JSON Mapping Parameters to CBOR | ||||
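As an added example, not code from the draft or from any DOTS implementation, the following Python encodes a Call Home parameter set with the CBOR keys of Table 1 and decodes it back, using a small CBOR codec that covers only the major types the table uses (0 unsigned, 3 text string, 4 array, 5 map). The sample source prefix and ICMP type range are constructed; dropping unknown keys on decode is this example's treatment of comprehension-optional parameters, not a rule quoted from the draft.

```python
# Added example: Table 1 CBOR key mapping with a minimal CBOR codec.
# Keys 0x8000-0x8007 are the draft's suggested values (TBD1-TBD8 pending IANA).
CALL_HOME_KEYS = {
    "source-prefix": 0x8000,           # TBD1, array of text strings
    "source-port-range": 0x8001,       # TBD2, array
    "source-icmp-type-range": 0x8002,  # TBD3, array of maps
    "lower-type": 0x8003,              # TBD4, unsigned
    "upper-type": 0x8004,              # TBD5, unsigned
    "alt-ch-client": 0x8005,           # TBD6, text string
    "alt-ch-client-record": 0x8006,    # TBD7, array of text strings
    "ttl": 0x8007,                     # TBD8, unsigned
}
KEY_NAMES = {key: name for name, key in CALL_HOME_KEYS.items()}


def _head(major, arg):
    """CBOR initial byte (major type << 5 | additional info) plus argument."""
    if arg < 24:
        return bytes([major << 5 | arg])
    for info, size in ((24, 1), (25, 2), (26, 4), (27, 8)):
        if arg < 1 << (8 * size):
            return bytes([major << 5 | info]) + arg.to_bytes(size, "big")
    raise ValueError("argument too large for CBOR")


def encode(value):
    """Encode unsigned int, str, list or dict (int keys) as CBOR bytes."""
    if isinstance(value, bool) or value is None:
        raise TypeError("only unsigned int, text string, array and map are used")
    if isinstance(value, int):
        if value < 0:
            raise ValueError("Table 1 uses unsigned integers only")
        return _head(0, value)
    if isinstance(value, str):
        raw = value.encode("utf-8")
        return _head(3, len(raw)) + raw
    if isinstance(value, list):
        return _head(4, len(value)) + b"".join(encode(v) for v in value)
    if isinstance(value, dict):
        return _head(5, len(value)) + b"".join(
            encode(k) + encode(v) for k, v in value.items())
    raise TypeError(f"unsupported type {type(value).__name__}")


def _decode_item(data, pos):
    """Decode one CBOR item at data[pos]; returns (value, next position)."""
    major, info = data[pos] >> 5, data[pos] & 0x1F
    pos += 1
    if info < 24:
        arg = info
    elif info in (24, 25, 26, 27):
        size = 1 << (info - 24)          # 1, 2, 4 or 8 argument bytes
        arg = int.from_bytes(data[pos:pos + size], "big")
        pos += size
    else:
        raise ValueError("indefinite-length or reserved additional info")
    if major == 0:
        return arg, pos
    if major == 3:
        return data[pos:pos + arg].decode("utf-8"), pos + arg
    if major == 4:
        items = []
        for _ in range(arg):
            item, pos = _decode_item(data, pos)
            items.append(item)
        return items, pos
    if major == 5:
        pairs = {}
        for _ in range(arg):
            key, pos = _decode_item(data, pos)
            pairs[key], pos = _decode_item(data, pos)
        return pairs, pos
    raise ValueError(f"major type {major} not used by the Call Home mapping")


def _names_to_keys(obj):
    """Replace parameter names by their Table 1 CBOR keys, recursively."""
    if isinstance(obj, dict):
        return {CALL_HOME_KEYS[n]: _names_to_keys(v) for n, v in obj.items()}
    if isinstance(obj, list):
        return [_names_to_keys(v) for v in obj]
    return obj


def _keys_to_names(obj):
    """Inverse mapping; keys outside Table 1 are dropped, the way a receiver
    skips a comprehension-optional parameter it does not understand
    (this example's choice, not a rule quoted from the draft)."""
    if isinstance(obj, dict):
        return {KEY_NAMES[k]: _keys_to_names(v)
                for k, v in obj.items() if k in KEY_NAMES}
    if isinstance(obj, list):
        return [_keys_to_names(v) for v in obj]
    return obj


def encode_call_home(params):
    """JSON-style Call Home parameters (names as keys) -> CBOR bytes."""
    return encode(_names_to_keys(params))


def decode_call_home(data):
    """CBOR bytes -> JSON-style parameters; rejects trailing bytes."""
    value, end = _decode_item(data, 0)
    if end != len(data):
        raise ValueError("trailing bytes after CBOR item")
    return _keys_to_names(value)


# Constructed sample: one attacking source prefix (documentation range) and
# ICMPv4 type 8 (echo request), shaped like the YANG tree above.
SAMPLE_REQUEST = {
    "source-prefix": ["192.0.2.1/32"],
    "source-icmp-type-range": [{"lower-type": 8, "upper-type": 8}],
}

if __name__ == "__main__":
    wire = encode_call_home(SAMPLE_REQUEST)
    print(wire.hex())
    print(decode_call_home(wire) == SAMPLE_REQUEST)
```

Each Table 1 key is two bytes above the one-byte range, so every key is emitted as `0x19` followed by the big-endian key (for example `19 80 00` for source-prefix), which is what the "0x8000 - 0xBFFF" comprehension-optional range in Section 4.2 looks like on the wire.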
3.3.3.3. YANG Module | ||||
This module uses the common YANG types defined in [RFC6991]. | This module uses the common YANG types defined in [RFC6991]. | |||
<CODE BEGINS> file "ietf-dots-call-home@2019-09-06.yang" | <CODE BEGINS> file "ietf-dots-call-home@2019-09-06.yang" | |||
module ietf-dots-call-home { | module ietf-dots-call-home { | |||
yang-version 1.1; | yang-version 1.1; | |||
namespace "urn:ietf:params:xml:ns:yang:ietf-dots-call-home"; | namespace "urn:ietf:params:xml:ns:yang:ietf-dots-call-home"; | |||
prefix call-home; | prefix call-home; | |||
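Review bot: the new Section 3.3.3.2 (Table 1) carries the placeholders (TBD1)-(TBD8) in its CBOR Key column, but the note to the RFC Editor asking for those placeholders to be deleted appears only in Section 4.2 next to Table 2; extend that note to cover Table 1 as well, otherwise the placeholders survive in Table 1 after the keys are assigned. Table 1 and Table 2 also list the same eight keys 0x8000-0x8007, so a one-line cross-reference from Table 1 to the IANA registration in Section 4.2 would make clear that the two tables must be kept in sync.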
skipping to change at page 26, line 18 ¶ | skipping to change at page 26, line 43 ¶ | |||
Description: DOTS Signal Channel Call Home | Description: DOTS Signal Channel Call Home | |||
Assignee: IESG <iesg@ietf.org> | Assignee: IESG <iesg@ietf.org> | |||
Contact: IETF Chair <chair@ietf.org> | Contact: IETF Chair <chair@ietf.org> | |||
Reference: RFC XXXX | Reference: RFC XXXX | |||
The assignment of port number 4647 is strongly suggested (DOTS signal | The assignment of port number 4647 is strongly suggested (DOTS signal | |||
channel uses port number 4646). | channel uses port number 4646). | |||
4.2. DOTS Signal Channel CBOR Mappings Registry | 4.2. DOTS Signal Channel CBOR Mappings Registry | |||
This specification registers the 'source-prefix', 'source-port- | This specification registers the following comprehension-optional | |||
range', and 'source-icmp-type-range' parameters in the IANA "DOTS | parameters in the IANA "DOTS Signal Channel CBOR Key Values" registry | |||
Signal Channel CBOR Key Values" registry established by | established by [I-D.ietf-dots-signal-channel] (Table 2). | |||
[I-D.ietf-dots-signal-channel] (Figure 13). | ||||
The 'source-prefix', 'source-port-range', and 'source-icmp-type- | ||||
range' are comprehension-optional parameters. | ||||
o Note to the RFC Editor: Please delete (TBD1)-(TBD8) once CBOR keys | o Note to the RFC Editor: Please delete (TBD1)-(TBD8) once CBOR keys | |||
are assigned from the 0x8000 - 0xBFFF range. | are assigned from the 0x8000 - 0xBFFF range. | |||
+-------------------+------------+--------+---------------+--------+ | +-------------------+--------+-------+------------+---------------+ | |||
| Parameter Name | YANG | CBOR | CBOR Major | JSON | | | Parameter Name | CBOR | CBOR | Change | Specification | | |||
| | Type | Key | Type & | Type | | | | Key | Major | Controller | Document(s) | | |||
| | | | Information | | | | | Value | Type | | | | |||
+-------------------+------------+--------+---------------+--------+ | +-------------------+--------+-------+------------+---------------+ | |||
| source-prefix | leaf-list | 0x8000 | 4 array | Array | | | source-prefix | 0x8000 | 4 | IESG | [RFCXXXX] | | |||
| | inet: | (TBD1) | | | | | | (TBD1) | | | | | |||
| | ip-prefix | | 3 text string | String | | | source-port-range | 0x8001 | 4 | IESG | [RFCXXXX] | | |||
| source-port-range | list | 0x8001 | 4 array | Array | | | | (TBD2) | | | | | |||
| | | (TBD2) | | | | | source-icmp-type- | 0x8002 | 4 | IESG | [RFCXXXX] | | |||
| source-icmp-type- | list | 0x8002 | 4 array | Array | | | range | (TBD3) | | | | | |||
| range | | (TBD3) | | | | | lower-type | 0x8003 | 0 | IESG | [RFCXXXX] | | |||
| lower-type | uint8 | 0x8003 | 0 unsigned | Number | | | | (TBD4) | | | | | |||
| | | (TBD4) | | | | | upper-type | 0x8004 | 0 | IESG | [RFCXXXX] | | |||
| upper-type | uint8 | 0x8004 | 0 unsigned | Number | | | | (TBD5) | | | | | |||
| | | (TBD5) | | | | | alt-ch-client | 0x8005 | 3 | IESG | [RFCXXXX] | | |||
| alt-ch-client | string | 0x8005 | 3 text string | String | | | | (TBD6) | | | | | |||
| | | (TBD6) | | | | | alt-ch-client- | 0x8006 | 4 | IESG | [RFCXXXX] | | |||
| alt-ch-client- | leaf-list | 0x8006 | 4 array | Array | | | record | (TBD7) | | | | | |||
| record | inet: | (TBD7) | | | | | ttl | 0x8007 | 0 | IESG | [RFCXXXX] | | |||
| | ip-address| | 3 text string | String | | | | (TBD8) | | | | | |||
| ttl | uint32 | 0x8007 | 0 unsigned | Number | | +-------------------+--------+-------+------------+---------------+ | |||
| | | (TBD8) | | | | ||||
+-------------------+------------+--------+---------------+--------+ | ||||
Figure 13: Assigned DOTS Signal Channel CBOR Key Values | Table 2: Assigned DOTS Signal Channel CBOR Key Values | |||
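Review bot: the rewritten first sentence of Section 4.2 now classifies all eight parameters of Table 2 as comprehension-optional, whereas -06 named only 'source-prefix', 'source-port-range' and 'source-icmp-type-range'; the five parameters newly covered by that statement (lower-type, upper-type, alt-ch-client, alt-ch-client-record, ttl) were already in the -06 table under Figure 13 without that classification, so confirm the widening is intended, in particular for the redirected-signal parameters, and consider naming the parameters in the text again so the normative statement does not depend on the table alone. With Figure 13 renumbered to Table 2, any other mention of "Figure 13" in the draft should be checked.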
4.3. New DOTS Conflict Cause | 4.3. New DOTS Conflict Cause | |||
This document requests IANA to assign a new code from the "DOTS | This document requests IANA to assign a new code from the "DOTS | |||
Signal Channel Conflict Cause Codes" registry: | Signal Channel Conflict Cause Codes" registry: | |||
+-----+-----------------------------------+-------------+-----------+ | +-----+-----------------------------------+-------------+-----------+ | |||
| Cod | Label | Description | Reference | | | Cod | Label | Description | Reference | | |||
| e | | | | | | e | | | | | |||
+-----+-----------------------------------+-------------+-----------+ | +-----+-----------------------------------+-------------+-----------+ | |||
skipping to change at page 30, line 49 ¶ | skipping to change at page 30, line 49 ¶ | |||
Gavrichenkov, Daniel Migault, and Valery Smyslov for the comments. | Gavrichenkov, Daniel Migault, and Valery Smyslov for the comments. | |||
9. References | 9. References | |||
9.1. Normative References | 9.1. Normative References | |||
[I-D.ietf-dots-signal-channel] | [I-D.ietf-dots-signal-channel] | |||
K, R., Boucadair, M., Patil, P., Mortensen, A., and N. | K, R., Boucadair, M., Patil, P., Mortensen, A., and N. | |||
Teague, "Distributed Denial-of-Service Open Threat | Teague, "Distributed Denial-of-Service Open Threat | |||
Signaling (DOTS) Signal Channel Specification", draft- | Signaling (DOTS) Signal Channel Specification", draft- | |||
ietf-dots-signal-channel-37 (work in progress), July 2019. | ietf-dots-signal-channel-38 (work in progress), October | |||
2019. | ||||
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate | [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate | |||
Requirement Levels", BCP 14, RFC 2119, | Requirement Levels", BCP 14, RFC 2119, | |||
DOI 10.17487/RFC2119, March 1997, | DOI 10.17487/RFC2119, March 1997, | |||
<https://www.rfc-editor.org/info/rfc2119>. | <https://www.rfc-editor.org/info/rfc2119>. | |||
[RFC3688] Mealling, M., "The IETF XML Registry", BCP 81, RFC 3688, | [RFC3688] Mealling, M., "The IETF XML Registry", BCP 81, RFC 3688, | |||
DOI 10.17487/RFC3688, January 2004, | DOI 10.17487/RFC3688, January 2004, | |||
<https://www.rfc-editor.org/info/rfc3688>. | <https://www.rfc-editor.org/info/rfc3688>. | |||
skipping to change at page 34, line 13 ¶ | skipping to change at page 34, line 13 ¶ | |||
<https://www.rfc-editor.org/info/rfc8576>. | <https://www.rfc-editor.org/info/rfc8576>. | |||
[RFC8612] Mortensen, A., Reddy, T., and R. Moskowitz, "DDoS Open | [RFC8612] Mortensen, A., Reddy, T., and R. Moskowitz, "DDoS Open | |||
Threat Signaling (DOTS) Requirements", RFC 8612, | Threat Signaling (DOTS) Requirements", RFC 8612, | |||
DOI 10.17487/RFC8612, May 2019, | DOI 10.17487/RFC8612, May 2019, | |||
<https://www.rfc-editor.org/info/rfc8612>. | <https://www.rfc-editor.org/info/rfc8612>. | |||
[Sec] UK Department for Digital Culture, Media & Sport, "Secure | [Sec] UK Department for Digital Culture, Media & Sport, "Secure | |||
by Design: Improving the cyber security of consumer | by Design: Improving the cyber security of consumer | |||
Internet of Things Report", March 2018, | Internet of Things Report", March 2018, | |||
<https://www.gov.uk/government/publications/ | <https://www.gov.uk/government/publications/secure-by- | |||
secure-by-design-report>. | design-report>. | |||
Appendix A. Disambiguate Base DOTS Signal vs. DOTS Call Home | Appendix A. Disambiguate Base DOTS Signal vs. DOTS Call Home | |||
With the DOTS signal channel Call Home, there is a chance that two | With the DOTS signal channel Call Home, there is a chance that two | |||
DOTS agents can simultaneously establish two DOTS signal channels | DOTS agents can simultaneously establish two DOTS signal channels | |||
with different directions (base DOTS signal channel and DOTS signal | with different directions (base DOTS signal channel and DOTS signal | |||
channel Call Home). Here is one example drawn from the home network. | channel Call Home). Here is one example drawn from the home network. | |||
Nevertheless, the outcome of the discussion is not specific to these | Nevertheless, the outcome of the discussion is not specific to these | |||
networks, but applies to any DOTS Call Home scenario. | networks, but applies to any DOTS Call Home scenario. | |||
End of changes. 12 change blocks. | ||||
45 lines changed or deleted | 71 lines changed or added | |||
This html diff was produced by rfcdiff 1.47. The latest version is available from http://tools.ietf.org/tools/rfcdiff/ |