--- 1/draft-ietf-dots-signal-call-home-07.txt 2020-03-02 02:13:10.676031771 -0800 +++ 2/draft-ietf-dots-signal-call-home-08.txt 2020-03-02 02:13:10.748033761 -0800 @@ -1,21 +1,21 @@ DOTS T. Reddy Internet-Draft McAfee Intended status: Standards Track M. Boucadair -Expires: May 21, 2020 Orange +Expires: September 3, 2020 Orange J. Shallow - November 18, 2019 + March 2, 2020 Distributed Denial-of-Service Open Threat Signaling (DOTS) Signal Channel Call Home - draft-ietf-dots-signal-call-home-07 + draft-ietf-dots-signal-call-home-08 Abstract This document specifies the DOTS signal channel Call Home, which enables a DOTS server to initiate a secure connection to a DOTS client, and to receive the attack traffic information from the DOTS client. The DOTS server in turn uses the attack traffic information to identify the compromised devices launching the outgoing DDoS attack and takes appropriate mitigation action(s). 
@@ -57,25 +57,25 @@ Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet- Drafts is at https://datatracker.ietf.org/drafts/current/. Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress." - This Internet-Draft will expire on May 21, 2020. + This Internet-Draft will expire on September 3, 2020. Copyright Notice - Copyright (c) 2019 IETF Trust and the persons identified as the + Copyright (c) 2020 IETF Trust and the persons identified as the document authors. All rights reserved. This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (https://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Simplified BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as 
@@ -91,34 +91,34 @@ 2. Terminology . . . . . . . . . . . . . . . . . . . . . . . . . 11 3. DOTS Signal Channel Call Home . . . . . . . . . . . . . . . . 12 3.1. Procedure . . . . . . . . . . . . . . . . . . . . . . . . 12 3.2. DOTS Signal Channel Variations . . . . . . . . . . . . . 13 3.2.1. Heartbeat Mechanism . . . . . . . . . . . . . . . . . 13 3.2.2. Redirected Signaling . . . . . . . . . . . . . . . . 14 3.3. DOTS Signal Channel Extension . . . . . . . . . . . . . . 15 3.3.1. Mitigation Request . . . . . . . . . . . . . . . . . 15 3.3.2. Address Sharing Considerations . . . . . . . . . . . 18 3.3.3. DOTS Signal Call Home YANG Module . . . . . . . . . . 21 - 4. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 26 - 4.1. DOTS Signal Channel Call Home UDP and TCP Port Number . . 26 - 4.2. DOTS Signal Channel CBOR Mappings Registry . . . . . . . 26 - 4.3. New DOTS Conflict Cause . . . . . . . . . . . . . . . . . 27 - 4.4. DOTS Signal Call Home YANG Module . . . . . . . . . . . . 28 - 5. Security Considerations . . . . . . . . . . . . . . . . . . . 28 - 6. Privacy Considerations . . . . . . . . . . . . . . . . . . . 29 - 7. Contributors . . . . . . . . . . . . . . . . . . . . . . . . 30 - 8. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 30 - 9. References . . . . . . . . . . . . . . . . . . . . . . . . . 30 - 9.1. Normative References . . . . . . . . . . . . . . . . . . 30 - 9.2. Informative References . . . . . . . . . . . . . . . . . 31 - Appendix A. Disambiguate Base DOTS Signal vs. DOTS Call Home . . 34 - Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 35 + 4. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 27 + 4.1. DOTS Signal Channel Call Home UDP and TCP Port Number . . 27 + 4.2. DOTS Signal Channel CBOR Mappings Registry . . . . . . . 27 + 4.3. New DOTS Conflict Cause . . . . . . . . . . . . . . . . . 28 + 4.4. DOTS Signal Call Home YANG Module . . . . . . . . . . . . 29 + 5. 
Security Considerations . . . . . . . . . . . . . . . . . . . 29 + 6. Privacy Considerations . . . . . . . . . . . . . . . . . . . 30 + 7. Contributors . . . . . . . . . . . . . . . . . . . . . . . . 31 + 8. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 31 + 9. References . . . . . . . . . . . . . . . . . . . . . . . . . 31 + 9.1. Normative References . . . . . . . . . . . . . . . . . . 31 + 9.2. Informative References . . . . . . . . . . . . . . . . . 32 + Appendix A. Disambiguate Base DOTS Signal vs. DOTS Call Home . . 35 + Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 36 1. Introduction 1.1. The Problem The DOTS signal channel protocol [I-D.ietf-dots-signal-channel] is used to carry information about a network resource or a network (or a part thereof) that is under a Distributed Denial of Service (DDoS) attack [RFC4732]. Such information is sent by a DOTS client to one or multiple DOTS servers so that appropriate mitigation actions are 
@@ -944,44 +944,45 @@ augment /ietf-signal:dots-signal/ietf-signal:message-type /ietf-signal:redirected-signal: +--rw alt-ch-client string {call-home}? +--rw alt-ch-client-record* inet:ip-address {call-home}? +--rw ttl uint32 {call-home}? 3.3.3.2. YANG/JSON Mapping Parameters to CBOR The YANG/JSON mapping parameters to CBOR are listed in Table 1. - +-------------------+------------+--------+---------------+--------+ + +--------------------+------------+------+---------------+--------+ | Parameter Name | YANG | CBOR | CBOR Major | JSON | | | Type | Key | Type & | Type | | | | | Information | | - +-------------------+------------+--------+---------------+--------+ - | source-prefix | leaf-list | 0x8000 | 4 array | Array | - | | inet: | (TBD1) | | | + +--------------------+------------+------+---------------+--------+ + |ietf-dots-call-home:| leaf-list | | | | + | source-prefix | inet: | TBA1 | 4 array | Array | | | ip-prefix | | 3 text string | String | - | source-port-range | list | 0x8001 | 4 array | Array | - | | | (TBD2) | | | - | source-icmp-type- | list | 0x8002 | 4 array | Array | - | range | | (TBD3) | | | - | lower-type | uint8 | 0x8003 | 0 unsigned | Number | - | | | (TBD4) | | | - | upper-type | uint8 | 0x8004 | 0 unsigned | Number | - | | | (TBD5) | | | - | alt-ch-client | string | 0x8005 | 3 text string | String | - | | | (TBD6) | | | - | alt-ch-client- | leaf-list | 0x8006 | 4 array | Array | - | record | inet: | (TBD7) | | | - | | ip-address| | 3 text string | String | - | ttl | uint32 | 0x8007 | 0 unsigned | Number | - | | | (TBD8) | | | - +-------------------+------------+--------+---------------+--------+ + |ietf-dots-call-home:| | | | | + | source-port-range | list | TBA2 | 4 array | Array | + |ietf-dots-call-home:| | | | | + | source-icmp-type- | list | TBA3 | 4 array | Array | + | range | | | | | + |ietf-dots-call-home:| | | | | + | lower-type | uint8 | TBA4 | 0 unsigned | Number | + |ietf-dots-call-home:| | | | | + | upper-type | uint8 | TBA5 | 
0 unsigned | Number | + |ietf-dots-call-home:| | | | | + | alt-ch-client | string | TBA6 | 3 text string | String | + |ietf-dots-call-home:| leaf-list | TBA7 | 4 array | Array | + | alt-ch-client- | inet: | | | | + | record | ip-address| | 3 text string | String | + |ietf-dots-call-home:| | | | | + | ttl | uint32 | TBA8 | 0 unsigned | Number | + +--------------------+------------+------+---------------+--------+ Table 1: YANG/JSON Mapping Parameters to CBOR 3.3.3.3. YANG Module This module uses the common YANG types defined in [RFC6991]. file "ietf-dots-call-home@2019-09-06.yang" module ietf-dots-call-home { @@ -1014,21 +1015,21 @@ ; Author: Jon Shallow "; description "This module contains YANG definitions for the signaling messages exchanged between a DOTS client and a DOTS server for the Call Home deployment scenario. - Copyright (c) 2019 IETF Trust and the persons identified as + Copyright (c) 2020 IETF Trust and the persons identified as authors of the code. All rights reserved. Redistribution and use in source and binary forms, with or without modification, is permitted pursuant to, and subject to the license terms contained in, the Simplified BSD License set forth in Section 4.c of the IETF Trust's Legal Provisions Relating to IETF Documents (http://trustee.ietf.org/license-info). This version of this YANG module is part of RFC XXXX; see 
@@ -1156,76 +1156,84 @@ Assignee: IESG Contact: IETF Chair Reference: RFC XXXX The assignment of port number 4647 is strongly suggested (DOTS signal channel uses port number 4646). 4.2. DOTS Signal Channel CBOR Mappings Registry This specification registers the following comprehension-optional - parameters in the IANA "DOTS Signal Channel CBOR Key Values" registry - established by [I-D.ietf-dots-signal-channel] (Table 2). + parameters (Table 2) in the IANA "DOTS Signal Channel CBOR Key + Values" registry established by [I-D.ietf-dots-signal-channel] and + maintained at https://www.iana.org/assignments/dots/dots.xhtml#dots- + signal-channel-cbor-key-values. - o Note to the RFC Editor: Please delete (TBD1)-(TBD8) once CBOR keys - are assigned from the 0x8000 - 0xBFFF range. + o Note to the RFC Editor: Please delete TBA1-TBA8 once CBOR keys are + assigned from the 32768-49151 range. - +-------------------+--------+-------+------------+---------------+ + +--------------------+-------+-------+------------+---------------+ | Parameter Name | CBOR | CBOR | Change | Specification | | | Key | Major | Controller | Document(s) | | | Value | Type | | | - +-------------------+--------+-------+------------+---------------+ - | source-prefix | 0x8000 | 4 | IESG | [RFCXXXX] | - | | (TBD1) | | | | - | source-port-range | 0x8001 | 4 | IESG | [RFCXXXX] | - | | (TBD2) | | | | - | source-icmp-type- | 0x8002 | 4 | IESG | [RFCXXXX] | - | range | (TBD3) | | | | - | lower-type | 0x8003 | 0 | IESG | [RFCXXXX] | - | | (TBD4) | | | | - | upper-type | 0x8004 | 0 | IESG | [RFCXXXX] | - | | (TBD5) | | | | - | alt-ch-client | 0x8005 | 3 | IESG | [RFCXXXX] | - | | (TBD6) | | | | - | alt-ch-client- | 0x8006 | 4 | IESG | [RFCXXXX] | - | record | (TBD7) | | | | - | ttl | 0x8007 | 0 | IESG | [RFCXXXX] | - | | (TBD8) | | | | - +-------------------+--------+-------+------------+---------------+ + +--------------------+-------+-------+------------+---------------+ + |ietf-dots-call-home:| | | | | + | 
source-prefix | TBA1 | 4 | IESG | [RFCXXXX] | + |ietf-dots-call-home:| | | | | + | source-port-range | TBA2 | 4 | IESG | [RFCXXXX] | + |ietf-dots-call-home:| | | | | + | source-icmp-type- | TBA3 | 4 | IESG | [RFCXXXX] | + | range | | | | | + |ietf-dots-call-home:| | | | | + | lower-type | TBA4 | 0 | IESG | [RFCXXXX] | + |ietf-dots-call-home:| | | | | + | upper-type | TBA5 | 0 | IESG | [RFCXXXX] | + |ietf-dots-call-home:| | | | | + | alt-ch-client | TBA6 | 3 | IESG | [RFCXXXX] | + |ietf-dots-call-home:| | | | | + |alt-ch-client-record| TBA7 | 4 | IESG | [RFCXXXX] | + |ietf-dots-call-home:| | | | | + | ttl | TBA8 | 0 | IESG | [RFCXXXX] | + +--------------------+-------+-------+------------+---------------+ Table 2: Assigned DOTS Signal Channel CBOR Key Values 4.3. New DOTS Conflict Cause This document requests IANA to assign a new code from the "DOTS - Signal Channel Conflict Cause Codes" registry: + Signal Channel Conflict Cause Codes" registry established by + [I-D.ietf-dots-signal-channel] and maintained at + https://www.iana.org/assignments/dots/dots.xhtml#dots-signal-channel- + conflict-cause-codes. - +-----+-----------------------------------+-------------+-----------+ - | Cod | Label | Description | Reference | - | e | | | | - +-----+-----------------------------------+-------------+-----------+ - | 4 | request-rejected-legitimate- | Mitigation | [RFCXXXX] | - | | traffic | request | | + +-------+----------------------------------+------------+-----------+ + | Code | Label | Descriptio | Reference | + | | | n | | + +-------+----------------------------------+------------+-----------+ + | 4 (TB | request-rejected-legitimate- | Mitigation | [RFCXXXX] | + | A9) | traffic | request | | | | | rejected. 
| | | | | This code | | - | | | is returned | | - | | | by the DOTS | | + | | | is | | + | | | returned | | + | | | by the | | + | | | DOTS | | | | | server to | | | | | indicate | | | | | the attack | | - | | | traffic has | | - | | | been | | + | | | traffic | | + | | | has been | | | | | classified | | | | | as | | | | | legitimate | | | | | traffic. | | - +-----+-----------------------------------+-------------+-----------+ + +-------+----------------------------------+------------+-----------+ 4.4. DOTS Signal Call Home YANG Module This document requests IANA to register the following URI in the "ns" subregistry within the "IETF XML Registry" [RFC3688]: URI: urn:ietf:params:xml:ns:yang:ietf-dots-call-home Registrant Contact: The IESG. XML: N/A; the requested URI is an XML namespace. @@ -1329,25 +1337,25 @@ 8. Acknowledgements Thanks to Wei Pei, Xia Liang, Roman Danyliw, Dan Wing, Toema Gavrichenkov, Daniel Migault, and Valery Smyslov for the comments. 9. References 9.1. Normative References [I-D.ietf-dots-signal-channel] - K, R., Boucadair, M., Patil, P., Mortensen, A., and N. - Teague, "Distributed Denial-of-Service Open Threat + Reddy.K, T., Boucadair, M., Patil, P., Mortensen, A., and + N. Teague, "Distributed Denial-of-Service Open Threat Signaling (DOTS) Signal Channel Specification", draft- - ietf-dots-signal-channel-38 (work in progress), October - 2019. + ietf-dots-signal-channel-41 (work in progress), January + 2020. [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, DOI 10.17487/RFC2119, March 1997, . [RFC3688] Mealling, M., "The IETF XML Registry", BCP 81, RFC 3688, DOI 10.17487/RFC3688, January 2004, . 
@@ -1367,47 +1375,47 @@ 2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174, May 2017, . [RFC8446] Rescorla, E., "The Transport Layer Security (TLS) Protocol Version 1.3", RFC 8446, DOI 10.17487/RFC8446, August 2018, . 9.2. Informative References [I-D.ietf-dots-multihoming] - Boucadair, M., K, R., and W. Pan, "Multi-homing Deployment - Considerations for Distributed-Denial-of-Service Open - Threat Signaling (DOTS)", draft-ietf-dots-multihoming-02 - (work in progress), July 2019. + Boucadair, M., Reddy.K, T., and W. Pan, "Multi-homing + Deployment Considerations for Distributed-Denial-of- + Service Open Threat Signaling (DOTS)", draft-ietf-dots- + multihoming-03 (work in progress), January 2020. [I-D.ietf-dots-server-discovery] - Boucadair, M. and R. K, "Distributed-Denial-of-Service - Open Threat Signaling (DOTS) Agent Discovery", draft-ietf- - dots-server-discovery-05 (work in progress), August 2019. + Boucadair, M. and T. Reddy.K, "Distributed-Denial-of- + Service Open Threat Signaling (DOTS) Agent Discovery", + draft-ietf-dots-server-discovery-10 (work in progress), + February 2020. [I-D.ietf-dots-use-cases] Dobbins, R., Migault, D., Moskowitz, R., Teague, N., Xia, L., and K. Nishizuka, "Use cases for DDoS Open Threat Signaling", draft-ietf-dots-use-cases-20 (work in progress), September 2019. [I-D.ietf-i2nsf-terminology] Hares, S., Strassner, J., Lopez, D., Xia, L., and H. Birkholz, "Interface to Network Security Functions (I2NSF) Terminology", draft-ietf-i2nsf-terminology-08 (work in progress), July 2019. [I-D.ietf-idr-flow-spec-v6] - McPherson, D., Raszuk, R., Pithawala, B., - akarch@cisco.com, a., and S. Hares, "Dissemination of Flow - Specification Rules for IPv6", draft-ietf-idr-flow-spec- - v6-09 (work in progress), November 2017. + Loibl, C., Raszuk, R., and S. Hares, "Dissemination of + Flow Specification Rules for IPv6", draft-ietf-idr-flow- + spec-v6-10 (work in progress), November 2019. [RFC2663] Srisuresh, P. and M. 
Holdrege, "IP Network Address Translator (NAT) Terminology and Considerations", RFC 2663, DOI 10.17487/RFC2663, August 1999, . [RFC4340] Kohler, E., Handley, M., and S. Floyd, "Datagram Congestion Control Protocol (DCCP)", RFC 4340, DOI 10.17487/RFC4340, March 2006, .
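Review bot: in the @@ -944 hunk the rebuilt Table 1 is laid out inconsistently: every other row puts the YANG type and the TBA key on the line that carries the parameter name, but the alt-ch-client-record row puts `leaf-list` and `TBA7` on the `|ietf-dots-call-home:|` prefix line and leaves `inet:` / `ip-address` on the two lines below. Move `leaf-list` and `TBA7` down to the `| alt-ch-client- |` line so that row reads like the others. With the provisional `0x8000`..`0x8007` values dropped, Table 1 now carries placeholders only, which is fine as long as Section 4.2 remains the single place where values are requested; check that no other mention of the hex range survives elsewhere in the draft.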
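Review bot: the @@ -1014 hunk bumps the copyright year inside the ietf-dots-call-home module description to 2020, but the module file name shown as unchanged context in the @@ -944 hunk is still `ietf-dots-call-home@2019-09-06.yang`, so the module text changes without a new revision date. Either add a 2020 revision statement and update the file name to match, or leave the module text untouched in this revision; otherwise the RFC Editor has to reconcile the two.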
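Review bot: in the @@ -1156 hunk the note to the RFC Editor in Section 4.2 asks for TBA1-TBA8 to be deleted once keys are assigned, but the same hunk introduces a ninth placeholder, `4 (TBA9)`, in the Section 4.3 conflict-cause table with no corresponding note; extend the note to TBA9 or add a matching note in 4.3. That table's Code column is also too narrow for the placeholder, which is split across rows as `| 4 (TB |` / `| A9) |`, and the Description header wraps as `Descriptio` / `n`; widen those two columns (the Label column has room to give up) so the token and the header are readable. Minor: Table 2 renders the record entry as `|alt-ch-client-record|` on one line, dropping the two-line wrapping the same parameter gets in Table 1, and the registry URL is broken at `dots-` / `signal-channel-cbor-key-values` where the hyphen is part of the URL, which a reader reassembling it may drop.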
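Review bot: in the @@ -1329 hunk the normative reference now renders the first author as `Reddy.K, T.`, while the title page in the first hunk gives the same author as `T. Reddy`; pick one form for the name and use it on the title page, in the Authors' Addresses section and in every reference entry so the reference tooling resolves them consistently.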
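Review bot: in the @@ -1367 hunk the author rendering `Reddy.K, T.` and `T. Reddy.K` in the multihoming and server-discovery entries should follow whatever form is chosen for the title page. The same hunk refreshes three drafts but leaves `draft-ietf-dots-use-cases-20` (September 2019) and `draft-ietf-i2nsf-terminology-08` (July 2019) untouched as context; confirm those were checked for newer revisions in the same pass.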