--- 1/draft-ietf-dots-signal-call-home-06.txt 2019-11-18 02:13:36.460417427 -0800 +++ 2/draft-ietf-dots-signal-call-home-07.txt 2019-11-18 02:13:36.532419269 -0800 @@ -1,21 +1,21 @@ DOTS T. Reddy Internet-Draft McAfee Intended status: Standards Track M. Boucadair -Expires: March 13, 2020 Orange +Expires: May 21, 2020 Orange J. Shallow - September 10, 2019 + November 18, 2019 Distributed Denial-of-Service Open Threat Signaling (DOTS) Signal Channel Call Home - draft-ietf-dots-signal-call-home-06 + draft-ietf-dots-signal-call-home-07 Abstract This document specifies the DOTS signal channel Call Home, which enables a DOTS server to initiate a secure connection to a DOTS client, and to receive the attack traffic information from the DOTS client. The DOTS server in turn uses the attack traffic information to identify the compromised devices launching the outgoing DDoS attack and takes appropriate mitigation action(s). @@ -57,21 +57,21 @@ Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet- Drafts is at https://datatracker.ietf.org/drafts/current/. Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress." - This Internet-Draft will expire on March 13, 2020. + This Internet-Draft will expire on May 21, 2020. Copyright Notice Copyright (c) 2019 IETF Trust and the persons identified as the document authors. All rights reserved. This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (https://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents 
@@ -91,22 +91,22 @@ 2. Terminology . . . . . . . . . . . . . . . . . . . . . . . . . 11 3. DOTS Signal Channel Call Home . . . . . . . . . . . . . . . . 12 3.1. Procedure . . . . . . . . . . . . . . . . . . . . . . . . 12 3.2. DOTS Signal Channel Variations . . . . . . . . . . . . . 13 3.2.1. Heartbeat Mechanism . . . . . . . . . . . . . . . . . 13 3.2.2. Redirected Signaling . . . . . . . . . . . . . . . . 14 3.3. DOTS Signal Channel Extension . . . . . . . . . . . . . . 15 3.3.1. Mitigation Request . . . . . . . . . . . . . . . . . 15 3.3.2. Address Sharing Considerations . . . . . . . . . . . 18 3.3.3. DOTS Signal Call Home YANG Module . . . . . . . . . . 21 - 4. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 25 - 4.1. DOTS Signal Channel Call Home UDP and TCP Port Number . . 25 + 4. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 26 + 4.1. DOTS Signal Channel Call Home UDP and TCP Port Number . . 26 4.2. DOTS Signal Channel CBOR Mappings Registry . . . . . . . 26 4.3. New DOTS Conflict Cause . . . . . . . . . . . . . . . . . 27 4.4. DOTS Signal Call Home YANG Module . . . . . . . . . . . . 28 5. Security Considerations . . . . . . . . . . . . . . . . . . . 28 6. Privacy Considerations . . . . . . . . . . . . . . . . . . . 29 7. Contributors . . . . . . . . . . . . . . . . . . . . . . . . 30 8. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 30 9. References . . . . . . . . . . . . . . . . . . . . . . . . . 30 9.1. Normative References . . . . . . . . . . . . . . . . . . 30 9.2. Informative References . . . . . . . . . . . . . . . . . 31 
@@ -525,23 +525,23 @@ | ... | Figure 7: DOTS Signal Channel Call Home Sequence Diagram The DOTS signal channel Call Home procedure is as follows: 1. If UDP transport is used, the Call Home DOTS server begins by initiating a DTLS connection to the Call Home DOTS client. If TCP is used, the Call Home DOTS server begins by initiating a - TCP connection to the Call Home DOTS client. Using this TCP - connection, the Call Home DOTS server initiates a TLS connection - to the Call Home DOTS client. + TCP connection to the Call Home DOTS client. Once connected, the + Call Home DOTS server continues to initiate a TLS connection to + the Call Home DOTS client. In some cases, peer DOTS agents may have mutual agreement to use a specific port number, such as by explicit configuration or dynamic discovery [I-D.ietf-dots-server-discovery]. Absent such mutual agreement, the DOTS signal channel Call Home MUST run over port number TBD (that is, Call Home DOTS clients must support accepting DTLS (or TCP) connections on TBD) as defined in Section 4.1, for both UDP and TCP. The interaction between the base DOTS signal channel and the Call Home is discussed in Appendix A. 
@@ -940,21 +940,52 @@ +--rw source-icmp-type-range* | [lower-type] {source-signaling}? +--rw lower-type uint8 +--rw upper-type? uint8 augment /ietf-signal:dots-signal/ietf-signal:message-type /ietf-signal:redirected-signal: +--rw alt-ch-client string {call-home}? +--rw alt-ch-client-record* inet:ip-address {call-home}? +--rw ttl uint32 {call-home}? -3.3.3.2. YANG Module +3.3.3.2. YANG/JSON Mapping Parameters to CBOR + + The YANG/JSON mapping parameters to CBOR are listed in Table 1. + + +-------------------+------------+--------+---------------+--------+ + | Parameter Name | YANG | CBOR | CBOR Major | JSON | + | | Type | Key | Type & | Type | + | | | | Information | | + +-------------------+------------+--------+---------------+--------+ + | source-prefix | leaf-list | 0x8000 | 4 array | Array | + | | inet: | (TBD1) | | | + | | ip-prefix | | 3 text string | String | + | source-port-range | list | 0x8001 | 4 array | Array | + | | | (TBD2) | | | + | source-icmp-type- | list | 0x8002 | 4 array | Array | + | range | | (TBD3) | | | + | lower-type | uint8 | 0x8003 | 0 unsigned | Number | + | | | (TBD4) | | | + | upper-type | uint8 | 0x8004 | 0 unsigned | Number | + | | | (TBD5) | | | + | alt-ch-client | string | 0x8005 | 3 text string | String | + | | | (TBD6) | | | + | alt-ch-client- | leaf-list | 0x8006 | 4 array | Array | + | record | inet: | (TBD7) | | | + | | ip-address| | 3 text string | String | + | ttl | uint32 | 0x8007 | 0 unsigned | Number | + | | | (TBD8) | | | + +-------------------+------------+--------+---------------+--------+ + + Table 1: YANG/JSON Mapping Parameters to CBOR + +3.3.3.3. YANG Module This module uses the common YANG types defined in [RFC6991]. file "ietf-dots-call-home@2019-09-06.yang" module ietf-dots-call-home { yang-version 1.1; namespace "urn:ietf:params:xml:ns:yang:ietf-dots-call-home"; prefix call-home; 
@@ -1124,57 +1155,51 @@ Description: DOTS Signal Channel Call Home Assignee: IESG Contact: IETF Chair Reference: RFC XXXX The assignment of port number 4647 is strongly suggested (DOTS signal channel uses port number 4646). 4.2. DOTS Signal Channel CBOR Mappings Registry - This specification registers the 'source-prefix', 'source-port- - range', and 'source-icmp-type-range' parameters in the IANA "DOTS - Signal Channel CBOR Key Values" registry established by - [I-D.ietf-dots-signal-channel] (Figure 13). - - The 'source-prefix', 'source-port-range', and 'source-icmp-type- - range' are comprehension-optional parameters. + This specification registers the following comprehension-optional + parameters in the IANA "DOTS Signal Channel CBOR Key Values" registry + established by [I-D.ietf-dots-signal-channel] (Table 2). o Note to the RFC Editor: Please delete (TBD1)-(TBD8) once CBOR keys are assigned from the 0x8000 - 0xBFFF range. - +-------------------+------------+--------+---------------+--------+ - | Parameter Name | YANG | CBOR | CBOR Major | JSON | - | | Type | Key | Type & | Type | - | | | | Information | | - +-------------------+------------+--------+---------------+--------+ - | source-prefix | leaf-list | 0x8000 | 4 array | Array | - | | inet: | (TBD1) | | | - | | ip-prefix | | 3 text string | String | - | source-port-range | list | 0x8001 | 4 array | Array | - | | | (TBD2) | | | - | source-icmp-type- | list | 0x8002 | 4 array | Array | - | range | | (TBD3) | | | - | lower-type | uint8 | 0x8003 | 0 unsigned | Number | - | | | (TBD4) | | | - | upper-type | uint8 | 0x8004 | 0 unsigned | Number | - | | | (TBD5) | | | - | alt-ch-client | string | 0x8005 | 3 text string | String | - | | | (TBD6) | | | - | alt-ch-client- | leaf-list | 0x8006 | 4 array | Array | - | record | inet: | (TBD7) | | | - | | ip-address| | 3 text string | String | - | ttl | uint32 | 0x8007 | 0 unsigned | Number | - | | | (TBD8) | | | - 
+-------------------+------------+--------+---------------+--------+ + +-------------------+--------+-------+------------+---------------+ + | Parameter Name | CBOR | CBOR | Change | Specification | + | | Key | Major | Controller | Document(s) | + | | Value | Type | | | + +-------------------+--------+-------+------------+---------------+ + | source-prefix | 0x8000 | 4 | IESG | [RFCXXXX] | + | | (TBD1) | | | | + | source-port-range | 0x8001 | 4 | IESG | [RFCXXXX] | + | | (TBD2) | | | | + | source-icmp-type- | 0x8002 | 4 | IESG | [RFCXXXX] | + | range | (TBD3) | | | | + | lower-type | 0x8003 | 0 | IESG | [RFCXXXX] | + | | (TBD4) | | | | + | upper-type | 0x8004 | 0 | IESG | [RFCXXXX] | + | | (TBD5) | | | | + | alt-ch-client | 0x8005 | 3 | IESG | [RFCXXXX] | + | | (TBD6) | | | | + | alt-ch-client- | 0x8006 | 4 | IESG | [RFCXXXX] | + | record | (TBD7) | | | | + | ttl | 0x8007 | 0 | IESG | [RFCXXXX] | + | | (TBD8) | | | | + +-------------------+--------+-------+------------+---------------+ - Figure 13: Assigned DOTS Signal Channel CBOR Key Values + Table 2: Assigned DOTS Signal Channel CBOR Key Values 4.3. New DOTS Conflict Cause This document requests IANA to assign a new code from the "DOTS Signal Channel Conflict Cause Codes" registry: +-----+-----------------------------------+-------------+-----------+ | Cod | Label | Description | Reference | | e | | | | +-----+-----------------------------------+-------------+-----------+ 
@@ -1307,21 +1332,22 @@ Gavrichenkov, Daniel Migault, and Valery Smyslov for the comments. 9. References 9.1. Normative References [I-D.ietf-dots-signal-channel] K, R., Boucadair, M., Patil, P., Mortensen, A., and N. Teague, "Distributed Denial-of-Service Open Threat Signaling (DOTS) Signal Channel Specification", draft- - ietf-dots-signal-channel-37 (work in progress), July 2019. + ietf-dots-signal-channel-38 (work in progress), October + 2019. [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, DOI 10.17487/RFC2119, March 1997, . [RFC3688] Mealling, M., "The IETF XML Registry", BCP 81, RFC 3688, DOI 10.17487/RFC3688, January 2004, . @@ -1461,22 +1487,22 @@ . [RFC8612] Mortensen, A., Reddy, T., and R. Moskowitz, "DDoS Open Threat Signaling (DOTS) Requirements", RFC 8612, DOI 10.17487/RFC8612, May 2019, . [Sec] UK Department for Digital Culture, Media & Sport, "Secure by Design: Improving the cyber security of consumer Internet of Things Report", March 2018, - . + . Appendix A. Disambiguate Base DOTS Signal vs. DOTS Call Home With the DOTS signal channel Call Home, there is a chance that two DOTS agents can simultaneously establish two DOTS signal channels with different directions (base DOTS signal channel and DOTS signal channel Call Home). Here is one example drawn from the home network. Nevertheless, the outcome of the discussion is not specific to these networks, but applies to any DOTS Call Home scenario.
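Review bot: in the Section 3.1 procedure hunk (@@ -525,23 +525,23 @@), the replacement sentence "Once connected, the Call Home DOTS server continues to initiate a TLS connection to the Call Home DOTS client" reads as if the TLS handshake were already under way, and it drops the layering that the removed text made explicit ("Using this TCP connection"). Suggest "Once the TCP connection is established, the Call Home DOTS server initiates a TLS connection over it to the Call Home DOTS client." so the TCP/TLS step stays parallel to the DTLS-over-UDP sentence immediately above it.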
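Review bot: in the new Section 3.3.3.2 hunk (@@ -940,21 +940,52 @@), Table 1 carries the (TBD1)-(TBD8) placeholders in its CBOR Key column, but the only instruction to remove them ("Note to the RFC Editor: Please delete (TBD1)-(TBD8) once CBOR keys are assigned from the 0x8000 - 0xBFFF range") remains in Section 4.2 next to Table 2. Either repeat that RFC Editor note under Table 1 or reword the Section 4.2 note to cover both tables, otherwise the placeholders in Section 3.3.3.2 are likely to survive into the published text. Also, because the YANG module subsection is renumbered from 3.3.3.2 to 3.3.3.3, any existing cross-reference to "Section 3.3.3.2" elsewhere in the draft now points at the mapping table instead of the module and should be checked.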
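Review bot: in the Section 4.2 hunk (@@ -1124,57 +1155,51 @@), the rewording widens a normative statement: the removed text named only 'source-prefix', 'source-port-range', and 'source-icmp-type-range' as comprehension-optional, whereas "registers the following comprehension-optional parameters ... (Table 2)" now applies that label to all eight entries of Table 2, including 'lower-type', 'upper-type', 'alt-ch-client', 'alt-ch-client-record' and 'ttl'. If extending comprehension-optional status to the redirected-signal parameters is intended, say so explicitly; otherwise restore the explicit list. Minor: Table 2's Specification Document(s) column uses "[RFCXXXX]" while the port registration above it uses "Reference: RFC XXXX"; pick one form for both.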