draft-ietf-dots-signal-call-home-10.txt   draft-ietf-dots-signal-call-home-11.txt 
DOTS T. Reddy DOTS T. Reddy
Internet-Draft McAfee Internet-Draft McAfee
Intended status: Standards Track M. Boucadair Intended status: Standards Track M. Boucadair
Expires: April 25, 2021 Orange Expires: April 30, 2021 Orange
J. Shallow J. Shallow
October 22, 2020 October 27, 2020
Distributed Denial-of-Service Open Threat Signaling (DOTS) Signal Distributed Denial-of-Service Open Threat Signaling (DOTS) Signal
Channel Call Home Channel Call Home
draft-ietf-dots-signal-call-home-10 draft-ietf-dots-signal-call-home-11
Abstract Abstract
This document specifies the DOTS signal channel Call Home, which This document specifies the DOTS signal channel Call Home, which
enables a Call Home DOTS server to initiate a secure connection to a enables a Call Home DOTS server to initiate a secure connection to a
Call Home DOTS client, and to receive attack traffic information from Call Home DOTS client, and to receive attack traffic information from
the Call Home DOTS client. The Call Home DOTS server in turn uses the Call Home DOTS client. The Call Home DOTS server in turn uses
the attack traffic information to identify compromised devices the attack traffic information to identify compromised devices
launching outgoing DDoS attacks and take appropriate mitigation launching outgoing DDoS attacks and take appropriate mitigation
action(s). action(s).
skipping to change at page 2, line 25 skipping to change at page 2, line 25
Internet-Drafts are working documents of the Internet Engineering Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet- working documents as Internet-Drafts. The list of current Internet-
Drafts is at https://datatracker.ietf.org/drafts/current/. Drafts is at https://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress." material or to cite them other than as "work in progress."
This Internet-Draft will expire on April 25, 2021. This Internet-Draft will expire on April 30, 2021.
Copyright Notice Copyright Notice
Copyright (c) 2020 IETF Trust and the persons identified as the Copyright (c) 2020 IETF Trust and the persons identified as the
document authors. All rights reserved. document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents Provisions Relating to IETF Documents
(https://trustee.ietf.org/license-info) in effect on the date of (https://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents publication of this document. Please review these documents
skipping to change at page 3, line 16 skipping to change at page 3, line 16
5.3. DOTS Signal Channel Extension . . . . . . . . . . . . . . 16 5.3. DOTS Signal Channel Extension . . . . . . . . . . . . . . 16
5.3.1. Mitigation Request . . . . . . . . . . . . . . . . . 16 5.3.1. Mitigation Request . . . . . . . . . . . . . . . . . 16
5.3.2. Address Sharing Considerations . . . . . . . . . . . 20 5.3.2. Address Sharing Considerations . . . . . . . . . . . 20
6. DOTS Signal Call Home YANG Module . . . . . . . . . . . . . . 23 6. DOTS Signal Call Home YANG Module . . . . . . . . . . . . . . 23
6.1. Tree Structure . . . . . . . . . . . . . . . . . . . . . 23 6.1. Tree Structure . . . . . . . . . . . . . . . . . . . . . 23
6.2. YANG/JSON Mapping Parameters to CBOR . . . . . . . . . . 24 6.2. YANG/JSON Mapping Parameters to CBOR . . . . . . . . . . 24
6.3. YANG Module . . . . . . . . . . . . . . . . . . . . . . . 25 6.3. YANG Module . . . . . . . . . . . . . . . . . . . . . . . 25
7. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 29 7. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 29
7.1. DOTS Signal Channel Call Home UDP and TCP Port Number . . 29 7.1. DOTS Signal Channel Call Home UDP and TCP Port Number . . 29
7.2. DOTS Signal Channel CBOR Mappings Registry . . . . . . . 30 7.2. DOTS Signal Channel CBOR Mappings Registry . . . . . . . 30
7.3. New DOTS Conflict Cause . . . . . . . . . . . . . . . . . 30 7.3. New DOTS Conflict Cause . . . . . . . . . . . . . . . . . 31
7.4. DOTS Signal Call Home YANG Module . . . . . . . . . . . . 31 7.4. DOTS Signal Call Home YANG Module . . . . . . . . . . . . 32
8. Security Considerations . . . . . . . . . . . . . . . . . . . 31 8. Security Considerations . . . . . . . . . . . . . . . . . . . 32
9. Privacy Considerations . . . . . . . . . . . . . . . . . . . 33 9. Privacy Considerations . . . . . . . . . . . . . . . . . . . 34
10. Contributors . . . . . . . . . . . . . . . . . . . . . . . . 34 10. Contributors . . . . . . . . . . . . . . . . . . . . . . . . 35
11. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 34 11. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 35
12. References . . . . . . . . . . . . . . . . . . . . . . . . . 34 12. References . . . . . . . . . . . . . . . . . . . . . . . . . 35
12.1. Normative References . . . . . . . . . . . . . . . . . . 34 12.1. Normative References . . . . . . . . . . . . . . . . . . 35
12.2. Informative References . . . . . . . . . . . . . . . . . 36 12.2. Informative References . . . . . . . . . . . . . . . . . 37
Appendix A. Disambiguating Base DOTS Signal vs. DOTS Call Home . 39 Appendix A. Disambiguating Base DOTS Signal vs. DOTS Call Home . 40
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 40 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 41
1. Introduction 1. Introduction
1.1. The Problem 1.1. The Problem
The DOTS signal channel protocol [I-D.ietf-dots-rfc8782-bis] is used The DOTS signal channel protocol [I-D.ietf-dots-rfc8782-bis] is used
to carry information about a network resource or a network (or a part to carry information about a network resource or a network (or a part
thereof) that is under a Distributed Denial of Service (DDoS) attack thereof) that is under a Distributed Denial of Service (DDoS) attack
[RFC4732]. Such information is sent by a DOTS client to one or [RFC4732]. Such information is sent by a DOTS client to one or
multiple DOTS servers so that appropriate mitigation actions are multiple DOTS servers so that appropriate mitigation actions are
skipping to change at page 17, line 39 skipping to change at page 17, line 39
When only 'lower-type' is present, it represents a single ICMP When only 'lower-type' is present, it represents a single ICMP
type. Both ICMP [RFC0792] and ICMPv6 [RFC4443] types are type. Both ICMP [RFC0792] and ICMPv6 [RFC4443] types are
supported. Whether ICMP or ICMPv6 types are to be used is supported. Whether ICMP or ICMPv6 types are to be used is
determined by the address family of the 'target-prefix'. determined by the address family of the 'target-prefix'.
This is an optional attribute for the base DOTS signal channel This is an optional attribute for the base DOTS signal channel
operations. operations.
The 'source-prefix' parameter is a mandatory attribute when the The 'source-prefix' parameter is a mandatory attribute when the
attack traffic information is signaled by a Call Home DOTS client attack traffic information is signaled by a Call Home DOTS client
(i.e., the Call Home scenario depicted in Figure 7). 'target-prefix' (i.e., the Call Home scenario depicted in Figure 7). The 'target-
attribute MUST be included in the mitigation request signaling the prefix' attribute MUST be included in the mitigation request
attack information to a Call Home DOTS server. The 'target-uri' or signaling the attack information to a Call Home DOTS server. The
'target-fqdn' parameters can be included in a mitigation request for 'target-uri' or 'target-fqdn' parameters can be included in a
diagnostic purposes to notify the Call Home DOTS server domain mitigation request for diagnostic purposes to notify the Call Home
administrator, but SHOULD NOT be used to determine the target IP DOTS server domain administrator, but SHOULD NOT be used to determine
addresses. 'alias-name' is unlikely to be conveyed in a Call Home the target IP addresses. 'alias-name' is unlikely to be conveyed in
mitigation request given that a target may be any IP resource and a Call Home mitigation request given that a target may be any IP
that there is no incentive for a Call Home DOTS server (embedded, for resource and that there is no incentive for a Call Home DOTS server
example, in a CPE) to maintain aliases. (embedded, for example, in a CPE) to maintain aliases.
In order to help attack source identification by a Call Home DOTS In order to help attack source identification by a Call Home DOTS
server, the Call Home DOTS client SHOULD include in its mitigation server, the Call Home DOTS client SHOULD include in its mitigation
request additional information such as 'source-port-range' or request additional information such as 'source-port-range' or
'source-icmp-type-range' to disambiguate nodes sharing the same 'source-icmp-type-range' to disambiguate nodes sharing the same
'source-prefix'. IPv6 addresses/prefixes are sufficient to uniquely 'source-prefix'. IPv6 addresses/prefixes are sufficient to uniquely
identify a network endpoint, without need for port numbers or ICMP identify a network endpoint, without need for port numbers or ICMP
type information. While this is also possible for IPv4, it is much type information. While this is also possible for IPv4, it is much
less often the case than for IPv6. More address sharing implications less often the case than for IPv6. More address sharing implications
on the setting of source information ('source-prefix', 'source-port- on the setting of source information ('source-prefix', 'source-port-
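Review bot: the reflow that adds "The" before 'target-prefix' leaves the two mandatory parameters stated in different registers: 'source-prefix' "is a mandatory attribute" while 'target-prefix' "MUST be included in the mitigation request". Use the same BCP 14 keyword for both (e.g., "The 'source-prefix' parameter MUST be included when the attack traffic information is signaled by a Call Home DOTS client") so an implementer does not read one as weaker than the other. In the trailing context, "IPv6 addresses/prefixes are sufficient to uniquely identify a network endpoint" holds for a full address or a prefix assigned to a single host, but a shorter prefix covers several hosts; qualifying it ("IPv6 addresses, or prefixes assigned to a single host, are sufficient ...") keeps the point that 'source-port-range' and 'source-icmp-type-range' matter mostly for IPv4 without overstating it.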
skipping to change at page 19, line 28 skipping to change at page 19, line 28
If a consent from the Call Home DOTS server domain administrator is If a consent from the Call Home DOTS server domain administrator is
required, the Call Home DOTS server replies with 2.01 (Created) and required, the Call Home DOTS server replies with 2.01 (Created) and
'status' code set to 1 (attack-mitigation-in-progress). Then, the 'status' code set to 1 (attack-mitigation-in-progress). Then, the
mechanisms defined in Section 4.4.2 of [I-D.ietf-dots-rfc8782-bis] mechanisms defined in Section 4.4.2 of [I-D.ietf-dots-rfc8782-bis]
are followed by the DOTS agents to update the mitigation status. are followed by the DOTS agents to update the mitigation status.
Particularly, if the attack traffic is blocked, the Call Home DOTS Particularly, if the attack traffic is blocked, the Call Home DOTS
server informs the Call Home DOTS client that the attack is being server informs the Call Home DOTS client that the attack is being
mitigated (i.e., by setting the 'status' code to 2 (attack- mitigated (i.e., by setting the 'status' code to 2 (attack-
successfully-mitigated)). successfully-mitigated)).
If the Call Home DOTS server rejects the mitigation request without
waiting for a consent from the Call Home DOTS server domain
administrator, the 'conflict-cause' set to '4' is returned in 4.09
(Conflict) sent back to the Call Home DOTS client.
If the attack traffic information is identified by the Call Home DOTS If the attack traffic information is identified by the Call Home DOTS
server or the Call Home DOTS server domain administrator as server or the Call Home DOTS server domain administrator as
legitimate traffic, the mitigation request is rejected with a 4.09 legitimate traffic, the mitigation request is rejected with a 4.09
(Conflict) or a notification message with the 'conflict-clause' (Conflict) (e.g., when no consent is required from an administrator)
(Section 4.4.1 of [I-D.ietf-dots-rfc8782-bis]) set to the following or a notification message with the 'conflict-clause' (Section 4.4.1
new value: of [I-D.ietf-dots-rfc8782-bis]) set to the following new value:
4: Mitigation request rejected. This code is returned by the DOTS 4: Mitigation request rejected. This code is returned by the DOTS
server to indicate the attack traffic has been classified as server to indicate the attack traffic has been classified as
legitimate traffic. legitimate traffic.
Once the request is validated by the Call Home DOTS server, Once the request is validated by the Call Home DOTS server,
appropriate actions are enforced to block the attack traffic within appropriate actions are enforced to block the attack traffic within
the source network. For example, if the Call Home DOTS server is the source network. For example, if the Call Home DOTS server is
embedded in a CPE, it can program the packet processor to punt all embedded in a CPE, it can program the packet processor to punt all
the traffic from the compromised device to the target to slow path. the traffic from the compromised device to the target to slow path.
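Review bot: the revised sentence names the parameter 'conflict-clause' ("a notification message with the 'conflict-clause'"), but the paragraph added just above it ("the 'conflict-cause' set to '4' is returned in 4.09 (Conflict)") and Section 7.3 ("New DOTS Conflict Cause") use 'conflict-cause', which is the attribute the new value 4 is registered against; correct the name here so both paragraphs point at the same attribute. The added paragraph and the revised one now also describe the same no-consent case twice (immediate rejection with 4.09 (Conflict) and 'conflict-cause' 4, versus "rejected with a 4.09 (Conflict) (e.g., when no consent is required from an administrator) or a notification message"); fold the first into the second, keeping one statement that 4.09 (Conflict) carries the cause when the request is rejected outright and the 'status'/'conflict-cause' notification carries it when the rejection follows a 2.01 (Created) with 'status' 1 (attack-mitigation-in-progress).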
skipping to change at page 20, line 15 skipping to change at page 20, line 12
DOTS client is informed about the progress of the attack mitigation DOTS client is informed about the progress of the attack mitigation
following the rules in Section 4.4.2 of [I-D.ietf-dots-rfc8782-bis]. following the rules in Section 4.4.2 of [I-D.ietf-dots-rfc8782-bis].
The DOTS agents follow the same procedures specified in The DOTS agents follow the same procedures specified in
[I-D.ietf-dots-rfc8782-bis] for managing a mitigation request. [I-D.ietf-dots-rfc8782-bis] for managing a mitigation request.
5.3.2. Address Sharing Considerations 5.3.2. Address Sharing Considerations
Figure 10 depictes an example of a network provider that hosts a Call Figure 10 depictes an example of a network provider that hosts a Call
Home DOTS client and deploys a Carrier Grade NAT (CGN) between the Home DOTS client and deploys a Carrier Grade NAT (CGN) between the
DOTS client domain and DOTS server domain. In such case, DOTS client domain and DOTS server domain. In such cases,
communicating an external IP address in a mitigation request by a communicating an external IP address in a mitigation request by a
Call Home DOTS client is likely to be discarded by the Call Home DOTS Call Home DOTS client is likely to be discarded by the Call Home DOTS
server because the external IP address is not visible locally to the server because the external IP address is not visible locally to the
Call Home DOTS server (Figure 10). The Call Home DOTS server is only Call Home DOTS server (Figure 10). The Call Home DOTS server is only
aware of the internal IP addresses/prefixes bound to its domain aware of the internal IP addresses/prefixes bound to its domain
(i.e., those used in the Internal Realm shown in Figure 10). Thus, (i.e., those used in the Internal Realm shown in Figure 10). Thus,
Call Home DOTS clients that are aware of the presence of on-path CGNs Call Home DOTS clients that are aware of the presence of on-path CGNs
MUST NOT include the external IP address and/or port number MUST NOT include the external IP address and/or port number
identifying the suspect attack source (i.e., those used in the identifying the suspect attack source (i.e., those used in the
External Realm shown in Figure 10), but MUST include the internal IP External Realm shown in Figure 10), but MUST include the internal IP
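Review bot: the grammar fix ("In such case" to "In such cases") is fine, but the normative rule in the trailing context only binds "Call Home DOTS clients that are aware of the presence of on-path CGNs"; the visible text says nothing about a Call Home DOTS client that cannot tell whether a CGN sits between it and the Call Home DOTS server. If that case is covered in the elided remainder of the section, a pointer here would help; otherwise state the default (the client reports the source address and port as seen in its own realm, and the server discards what it cannot map to its Internal Realm, as the opening sentences already say it will). Also "Figure 10 depictes" at the top of the hunk should read "depicts".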
skipping to change at page 29, line 38 skipping to change at page 29, line 38
} }
} }
} }
<CODE ENDS> <CODE ENDS>
7. IANA Considerations 7. IANA Considerations
7.1. DOTS Signal Channel Call Home UDP and TCP Port Number 7.1. DOTS Signal Channel Call Home UDP and TCP Port Number
IANA is requested to assign the port number TBD to the DOTS signal IANA is requested to assign the port number TBD to the DOTS signal
channel Call Home protocol for both UDP and TCP from the "Service channel Call Home protocol for both UDP and TCP and update the
Name and Transport Protocol Port Number Registry" [ServicePorts]. following entry from the "Service Name and Transport Protocol Port
Number Registry" [ServicePorts].
Service Name: dots-call-home Service Name: dots-call-home
Port Number: TBD Port Number: TBD
Transport Protocol(s): TCP/UDP Transport Protocol(s): TCP/UDP
Description: DOTS Signal Channel Call Home Protocol. Description: DOTS Signal Channel Call Home Protocol.
The service name is used to construct the The service name is used to construct the
SRV service names "_dots-call-home._udp" SRV service names "_dots-call-home._udp"
and "_dots-call-home._tcp" for discovering and "_dots-call-home._tcp" for discovering
Call Home DOTS clients used to establish Call Home DOTS clients used to establish
DOTS signal channel call home. DOTS signal channel call home.
Assignee: IESG <iesg@ietf.org> Assignee: IESG <iesg@ietf.org>
Contact: IETF Chair <chair@ietf.org> Contact: IETF Chair <chair@ietf.org>
Reference: RFC XXXX Reference: [RFCXXXX][I-D.ietf-dots-server-discovery]
The assignment of port number 4647 is strongly suggested (DOTS signal The assignment of port number 4647 is strongly suggested (DOTS signal
channel uses port number 4646). channel uses port number 4646).
7.2. DOTS Signal Channel CBOR Mappings Registry 7.2. DOTS Signal Channel CBOR Mappings Registry
This specification registers the following comprehension-optional This specification registers the following comprehension-optional
parameters (Table 2) in the IANA "DOTS Signal Channel CBOR Key parameters (Table 2) in the IANA "DOTS Signal Channel CBOR Key
Values" registry [Key-Map]. Values" registry [Key-Map].
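Review bot: the revised IANA text in 7.1 is internally inconsistent: the first sentence still asks IANA to "assign the port number TBD to the DOTS signal channel Call Home protocol" while the new wording asks it to "update the following entry", and the template still lists "Port Number: TBD" with 4647 "strongly suggested" at the end. If the dots-call-home entry already exists (the Reference field now cites [I-D.ietf-dots-server-discovery] next to [RFCXXXX]), say which fields of the existing registration change and drop the TBD and suggested-port language; if it does not exist yet, keep "assign" and remove "update". Either way, a registration that cites [I-D.ietf-dots-server-discovery] makes that draft a normative dependency that must be published first, so its classification in Section 12 should match.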
 End of changes. 11 change blocks. 
37 lines changed or deleted 33 lines changed or added

This html diff was produced by rfcdiff 1.48. The latest version is available from http://tools.ietf.org/tools/rfcdiff/