/
draft-ietf-dots-signal-call-home.xml
1854 lines (1616 loc) · 87.1 KB
/
draft-ietf-dots-signal-call-home.xml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
567
568
569
570
571
572
573
574
575
576
577
578
579
580
581
582
583
584
585
586
587
588
589
590
591
592
593
594
595
596
597
598
599
600
601
602
603
604
605
606
607
608
609
610
611
612
613
614
615
616
617
618
619
620
621
622
623
624
625
626
627
628
629
630
631
632
633
634
635
636
637
638
639
640
641
642
643
644
645
646
647
648
649
650
651
652
653
654
655
656
657
658
659
660
661
662
663
664
665
666
667
668
669
670
671
672
673
674
675
676
677
678
679
680
681
682
683
684
685
686
687
688
689
690
691
692
693
694
695
696
697
698
699
700
701
702
703
704
705
706
707
708
709
710
711
712
713
714
715
716
717
718
719
720
721
722
723
724
725
726
727
728
729
730
731
732
733
734
735
736
737
738
739
740
741
742
743
744
745
746
747
748
749
750
751
752
753
754
755
756
757
758
759
760
761
762
763
764
765
766
767
768
769
770
771
772
773
774
775
776
777
778
779
780
781
782
783
784
785
786
787
788
789
790
791
792
793
794
795
796
797
798
799
800
801
802
803
804
805
806
807
808
809
810
811
812
813
814
815
816
817
818
819
820
821
822
823
824
825
826
827
828
829
830
831
832
833
834
835
836
837
838
839
840
841
842
843
844
845
846
847
848
849
850
851
852
853
854
855
856
857
858
859
860
861
862
863
864
865
866
867
868
869
870
871
872
873
874
875
876
877
878
879
880
881
882
883
884
885
886
887
888
889
890
891
892
893
894
895
896
897
898
899
900
901
902
903
904
905
906
907
908
909
910
911
912
913
914
915
916
917
918
919
920
921
922
923
924
925
926
927
928
929
930
931
932
933
934
935
936
937
938
939
940
941
942
943
944
945
946
947
948
949
950
951
952
953
954
955
956
957
958
959
960
961
962
963
964
965
966
967
968
969
970
971
972
973
974
975
976
977
978
979
980
981
982
983
984
985
986
987
988
989
990
991
992
993
994
995
996
997
998
999
1000
<?xml version="1.0" encoding="US-ASCII"?>
<!DOCTYPE rfc SYSTEM "rfc2629.dtd">
<?rfc toc="yes"?>
<?rfc tocompact="yes"?>
<?rfc tocdepth="3"?>
<?rfc tocindent="yes"?>
<?rfc symrefs="yes"?>
<?rfc sortrefs="yes"?>
<?rfc comments="yes"?>
<?rfc inline="yes"?>
<?rfc compact="yes"?>
<?rfc subcompact="no"?>
<rfc category="std" docName="draft-ietf-dots-signal-call-home-latest"
ipr="trust200902">
<front>
<title abbrev="DOTS Signal Call Home">Distributed Denial-of-Service Open
Threat Signaling (DOTS) Signal Channel Call Home</title>
<author fullname="Tirumaleswar Reddy" initials="T." surname="Reddy">
<organization abbrev="McAfee">McAfee, Inc.</organization>
<address>
<postal>
<street>Embassy Golf Link Business Park</street>
<city>Bangalore</city>
<region>Karnataka</region>
<code>560071</code>
<country>India</country>
</postal>
<email>kondtir@gmail.com</email>
</address>
</author>
<author fullname="Mohamed Boucadair" initials="M." role="editor"
surname="Boucadair">
<organization>Orange</organization>
<address>
<postal>
<street></street>
<city>Rennes</city>
<code>35000</code>
<country>France</country>
</postal>
<email>mohamed.boucadair@orange.com</email>
</address>
</author>
<author fullname="Jon Shallow" initials="J." surname="Shallow">
<organization></organization>
<address>
<postal>
<street></street>
<city></city>
<code></code>
<country>UK</country>
</postal>
<email>supjps-ietf@jpshallow.com</email>
</address>
</author>
<date />
<workgroup>DOTS</workgroup>
<keyword>Automation</keyword>
<keyword>Anti-DDoS Automation</keyword>
<keyword>DDoS Mitigation</keyword>
<keyword>Collaborative Networking</keyword>
<keyword>Protective Networking</keyword>
<keyword>Security</keyword>
<keyword>Scrubbing</keyword>
<abstract>
<t>This document specifies the DOTS signal channel Call Home, which
enables a Call Home DOTS server to initiate a secure connection to a
Call Home DOTS client, and to receive attack traffic information from
the Call Home DOTS client. The Call Home DOTS server in turn uses the
attack traffic information to identify compromised devices launching
outgoing DDoS attacks and take appropriate mitigation action(s).</t>
<t>The DOTS signal channel Call Home is not specific to home networks;
the solution targets any deployment in which it is required to block
DDoS attack traffic closer to the source(s) of a DDoS attack.</t>
</abstract>
<note title="Editorial Note (To be removed by RFC Editor)">
<t>Please update these statements within the document with the RFC
number to be assigned to this document:<list style="symbols">
<t>"This version of this YANG module is part of RFC XXXX;"</t>
<t>"RFC XXXX: Distributed Denial-of-Service Open Threat Signaling
(DOTS) Signal Channel Call Home";</t>
<t>"| [RFCXXXX] |"</t>
<t>reference: RFC XXXX</t>
</list></t>
<t>Please update this statement with the RFC number to be assigned to
the following documents:<list style="symbols">
<t>"RFC YYYY: Distributed Denial-of-Service Open Threat Signaling
(DOTS) Signal Channel Specification" (used to be
I-D.ietf-dots-rfc8782-bis)</t>
</list></t>
<t>Please update TBD/TBA statements with the assignments made by IANA to
DOTS Signal Channel Call Home.</t>
<t>Also, please update the "revision" date of the YANG module.</t>
</note>
</front>
<middle>
<section anchor="introduction" title="Introduction">
<t>The Distributed Denial-of-Service Open Threat Signaling (DOTS) signal
channel protocol <xref target="I-D.ietf-dots-rfc8782-bis"></xref> is
used to carry information about a network resource or a network (or a
part thereof) that is under a Distributed Denial of Service (DDoS)
attack <xref target="RFC4732"></xref>. Such information is sent by a
DOTS client to one or multiple DOTS servers so that appropriate
mitigation actions are undertaken on traffic deemed suspicious. Various
use cases are discussed in <xref
target="I-D.ietf-dots-use-cases"></xref>.</t>
<t>However, <xref target="I-D.ietf-dots-rfc8782-bis"></xref> only covers
how to mitigate when being attacked (i.e., protect a network from
inbound DDoS attacks). It does not cover how to control the attacks
close to their source(s) that are misusing network resources (i.e.,
outbound DDoS attacks). In particular, the DOTS signal protocol does not
discuss cooperative DDoS mitigation between the network hosting an
attack source and the Internet Service Provider (ISP) to suppress the
outbound DDoS attack traffic originating from that network. As a
reminder, the base basic DOTS architecture is depicted in <xref
target="basea"></xref> (Section 2 of <xref
target="RFC8811"></xref>).</t>
<t><figure align="center" anchor="basea" title="Basic DOTS Architecture">
<artwork align="center"><![CDATA[+-----------+ +-------------+
| Mitigator | ~~~~~~~~~~ | DOTS Server |
+-----------+ +-------------+
|
|
|
+---------------+ +-------------+
| Attack Target | ~~~~~~ | DOTS Client |
+---------------+ +-------------+
]]></artwork>
</figure></t>
<t><xref target="home"></xref> details why the rise of Internet of
Things (IoT) compounds the possibility of these being used as malicious
actors which need to be controlled. Similar issues can be encountered in
enterprise networks, data centers, etc. The ISP offering a DDoS
mitigation service can detect outgoing DDoS attack traffic originating
from its subscribers or the ISP may receive filtering rules (e.g., using
BGP Flowspec <xref target="RFC8955"></xref><xref
target="RFC8956"></xref>) from a transit provider to filter, block, or
rate-limit DDoS attack traffic originating from the ISP's subscribers to
a downstream target. Nevertheless, the DOTS signal channel does not
provide means for the ISP to request blocking such attacks close to the
sources without altering legitimate traffic. This document fills that
void by specifying an extension to the DOTS signal channel: DOTS signal
channel Call Home.<list style="empty">
<t>Note: Another design approach would be to extend the DOTS signal
channel with a new attribute to explicitly indicate whether a
mitigation request is about an outbound DDoS attack. In such an
approach, it is assumed that a DOTS server is deployed within the
domain that is hosting the attack source(s), while a DOTS client is
enabled within an upstream network (e.g., access network). However,
initiating a DOTS signal channel from an upstream network to a
source network is complicated because of the presence of translators
and firewalls. Moreover, the use of the same signal channel to
handle both inbound and outbound attacks complicates both the
heartbeat and redirection mechanisms that are executed as a function
of the attack direction (see Sections <xref format="counter"
target="hb"></xref> and <xref format="counter"
target="redirect"></xref>). Also, the DOTS server will be subject to
fingerprinting (e.g., using scanning tools) and DoS attacks (e.g.,
by having the DOTS server to perform computationally expensive
operations). Various management and deployment considerations that
motivate the Call Home functionality are listed in Section 1.1 of
<xref target="RFC8071"></xref>.</t>
</list></t>
<t>'DOTS signal channel Call Home' (or DOTS Call Home, for short) refers
to a DOTS signal channel established at the initiative of a DOTS server
thanks to a role reversal at the (D)TLS layer (<xref
target="proc"></xref>). That is, the DOTS server initiates a secure
connection to a DOTS client, and uses that connection to receive the
attack traffic information (e.g., attack sources) from the DOTS
client.</t>
<t>A high-level DOTS Call Home functional architecture is shown in <xref
target="fa"></xref>. Attack source(s) are within the DOTS server
domain.</t>
<t><figure align="center" anchor="fa"
title="Basic DOTS Signal Channel Call Home Functional Architecture">
<artwork align="center"><![CDATA[ Scope
+.-.-.-.-.-.-.-.-.-.-.-.+
+---------------+ : +-------------+ :
| Alert | ~~~:~~~ | Call Home | :
| | : | DOTS client | :
+---------------+ : +------+------+ :
: | :
: | :
: | :
+---------------+ : +------+------+ :
| Attack | ~~~:~~~ | Call Home | :
| Source(s) | : | DOTS server | :
+---------------+ : +-------------+ :
+.-.-.-.-.-.-.-.-.-.-.-.+]]></artwork>
</figure></t>
<t>DOTS agents involved in the DOTS Call Home otherwise adhere to the
DOTS roles as defined in <xref target="RFC8612"></xref>. For clarity,
this document uses "Call Home DOTS client" (or "Call Home DOTS server")
to refer to a DOTS client (or DOTS server) deployed in a Call Home
scenario (<xref target="fa"></xref>). DOTS Call Home agents may (or not)
be co-located with DOTS agents that are compliant with <xref
target="I-D.ietf-dots-rfc8782-bis"></xref> (see <xref
target="coex"></xref> for more details).</t>
<t>A Call Home DOTS client relies upon a variety of triggers to make use
of the Call Home function (e.g., scrubbing the traffic from the attack
source, receiving an alert from an attack target, a peer DDoS Mitigation
System (DMS), or a transit provider). The definition of these triggers
is deployment-specific. It is therefore out of the scope of this
document to elaborate on how these triggers are made available to a Call
Home DOTS client.</t>
<t>In a typical deployment scenario, the Call Home DOTS server is
enabled on a Customer Premises Equipment (CPE), which is aligned with
recent trends to enrich the CPE with advanced security features. For
example, the DOTS Call Home service can be part of services supported by
an ISP-managed CPE or a managed security service subscribed by the user.
Unlike classic DOTS deployments <xref
target="I-D.ietf-dots-use-cases"></xref>, a Call Home DOTS server
maintains a single DOTS signal channel session for each DOTS-capable
upstream provisioning domain <xref target="I-D.ietf-dots-multihoming">
</xref>.</t>
<t>For instance, the Call Home DOTS server in the home network initiates
the signal channel Call Home in 'idle' time and then subsequently the
Call Home DOTS client in the ISP environment can initiate a mitigation
request whenever the ISP detects there is an attack from a compromised
device in the DOTS server domain (i.e., from within the home
network).</t>
<t>The Call Home DOTS server uses the DDoS attack traffic information to
identify the compromised device in its domain that is responsible for
launching the DDoS attack, optionally notifies a network administrator,
and takes appropriate mitigation action(s). For example, a mitigation
action can be to quarantine the compromised device or block its traffic
to the attack target(s) until the mitigation request is withdrawn.</t>
<t>This document assumes that Call Home DOTS servers are provisioned
with a way to know how to reach the upstream Call Home DOTS client(s),
which could occur by a variety of means (e.g., <xref
target="RFC8973"></xref>). The specification of such means are out of
scope of this document.</t>
<t>More information about the applicability scope of the DOTS signal
channel Call Home is provided in <xref target="as"></xref>.</t>
</section>
<section anchor="notation" title="Terminology">
<t>The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and
"OPTIONAL" in this document are to be interpreted as described in BCP 14
<xref target="RFC2119"></xref><xref target="RFC8174"></xref> when, and
only when, they appear in all capitals, as shown here.</t>
<t>The reader should be familiar with the terms defined in Section 1.2
of <xref target="RFC8612"></xref>.</t>
<t>DDoS Mitigation System (DMS) refers to a system that performs DDoS
mitigation.</t>
<t>'Base DOTS signal channel' refers to <xref
target="I-D.ietf-dots-rfc8782-bis"></xref>.</t>
<t>The meaning of the symbols in YANG tree diagrams are defined in <xref
target="RFC8340"></xref> and <xref target="RFC8791"></xref>.</t>
<t>(D)TLS is used for statements that apply to both Transport Layer
Security (TLS) <xref target="RFC8446"></xref> and Datagram Transport
Layer Security (DTLS) <xref target="RFC6347"></xref>. Specific terms are
used for any statement that applies to either protocol alone.</t>
</section>
<section anchor="as" title="Applicability Scope">
<t>The problems discussed in <xref target="introduction"></xref> may be
encountered in many deployments (e.g., home networks, enterprise
networks, transit networks, data centers). The solution specified in
this document can be used for those deployments to block DDoS attack
traffic closer to the source(s) of the attack. That is, attacks that are
issued, e.g., from within an enterprise network or a data center, will
thus be blocked before exiting these networks.</t>
<t>An instantiation of the Call Home functional architecture is depicted
in <xref target="pb"></xref>.</t>
<t><figure align="center" anchor="pb"
title="DOTS Signal Channel Call Home Reference Architecture">
<artwork align="center"><![CDATA[ +-------------+
|Attack Target|
+-----+-------+
| /\ Target Network
......................|.||....................
.--------+-||-------.
( || )-.
.' || '
( Internet || )
( || -'
'-( || )
'------+-||---------'
......................|.||.....................
.--------+-||-------. Network
( || )-. Provider
.' Call Home || ' (DMS)
( DOTS client || )
( || -'
'-( || )
'------+-||---------'
......................|.||.......................
.--------+-||-------. Source Network
( || )-.
.' Call Home || '
( DOTS server || Outbound )
( || DDoS -'
'-( || Attack )
'------+-||---------'
| ||
+-----+-++----+
|Attack Source|
+-------------+
]]></artwork>
</figure></t>
<t>It is out of the scope of this document to identify an exhaustive
list of such deployments.</t>
<t>Call Home DOTS agent relationships are similar to those discussed in
Section 2.3 of <xref target="RFC8811"></xref>. For example, multiple
Call Home DOTS servers of the same domain can be associated with the
same Call Home DOTS client. A Call Home DOTS client may decide to
contact these Call Home DOTS servers sequentially, fork a mitigation
request to all of them, or select one Call Home DOTS server to place a
mitigation request. Such decision is implementation-specific.</t>
<t>For some mitigations, a feedback may be required from an
administrator to confirm a filtering action. Means to seek for an
administrator's consent are deployment-specific. Indeed, a variety of
implementation options can be considered as a function of the Call Home
DOTS deployment: push notifications using a dedicated application,
Syslog, etc. It is out of the scope of this document to make
recommendations about how such interactions are implemented (see <xref
target="fa"></xref>).</t>
<t>The Call Home DOTS server can be enabled on a border router or a
dedicated appliance. For the particular case of home networks, the Call
Home DOTS server functionality can be enabled on a managed CPE or be
bundled with a CPE management application that is provided by an ISP to
its subscribers. These managed services are likely to be designed to
hide the complexity of managing (including configuring) the CPE. For
example, managed CPEs support means to notify the user when a new device
is detected in order to seek a confirmation whether access should be
granted or not to the device. These means can be upgraded to interface
with the Call Home DOTS server. Customized settings can be configured by
users to control the notifications (e.g., triggers, type) and default
actions.</t>
</section>
<section anchor="coex"
title="Co-existence of Base DOTS Signal Channel and DOTS Call Home">
<t>The DOTS signal channel Call Home does not require nor preclude the
activation of the base DOTS signal channel <xref
target="I-D.ietf-dots-rfc8782-bis"></xref>. Some sample deployment
schemes are discussed in this section for illustration purposes.</t>
<t>The network that hosts an attack source may also be subject to
inbound DDoS attacks. In that case, both the base DOTS signal channel
and DOTS signal channel Call Home may be enabled as shown in <xref
target="merged"></xref> (Same DMS provider) or <xref
target="merged1"></xref> (Distinct DMS providers).</t>
<t><figure align="center" anchor="merged"
title="Activation of Base DOTS Signal Channel and Call Home (Same DMS Provider)">
<artwork align="center"><![CDATA[ DOTS Signal Channel Base DOTS
Call Home Signal Channel
+-.-.-.-.-.-.-.-.-.-++-.-.-.-.-.-.-.-.-.-+
: +------+ :: +------+ :
: | DOTS | :: | DOTS | :
: |client| :: |server| :
: +--+---+ :: +---+--+ :
: /\ | :: | : Network
: || | :: | :Provider
: || | :: | : (DMS)
...:.....||......|.....::.....|.............:........
Outbound || | :: | || Inbound
DDoS || | :: | || DDoS
Attack || | :: | \/ Attack
: +--+---+ :: +---+--+ :
: | DOTS | :: | DOTS | :
: |server| :: |client| :
: +------+ :: +------+ :
+-.-.-.-.-.-.-.-.-.-++-.-.-.-.-.-.-.-.-.-+
Network #A]]></artwork>
</figure></t>
<t>Note that a DMS provider may not be on the default forwarding path of
an inbound DDoS attack traffic targeting a network (e.g., Network #B in
<xref target="merged1"></xref>). Nevertheless, the DOTS signal channel
Call Home requires the DMS provider to be on the default forwarding path
of the outbound traffic from a given network.</t>
<t><figure align="center" anchor="merged1"
title="Activation of Base DOTS Signal Channel and Call Home (Distinct DMS Providers)">
<artwork align="center"><![CDATA[ DOTS Signal Channel Base DOTS
Call Home Signal Channel
+-.-.-.-.-.-.-.-.-.-++-.-.-.-.-.-.-.-.-.-+
: Network +------+ :: +------+ Third :
: Provider | DOTS | :: | DOTS | Party :
: (DMS) |client| :: |server| DMS :
: +--+---+ :: +---+--+ Provider :
: /\ | :: | :
: || | :: | :
: || | :: | :
...:.....||......|.....::.....|.............:........
Outbound || | :: | || Inbound
DDoS || | :: | || DDoS
Attack || | :: | \/ Attack
: +--+---+ :: +---+--+ :
: | DOTS | :: | DOTS | :
: |server| :: |client| :
: +------+ :: +------+ :
+-.-.-.-.-.-.-.-.-.-++-.-.-.-.-.-.-.-.-.-+
Network #B
]]></artwork>
</figure></t>
<t>Figures <xref format="counter" target="snode"></xref> and <xref
format="counter" target="snode2"></xref> depict examples where the same
node embeds both base DOTS and DOTS Call Home agents. For example, a
DOTS server and a Call Home DOTS client may be enabled on the same
device within the infrastructure of a DMS provider (e.g., Node #i in
<xref target="snode"></xref>) or a DOTS client and a Call Home DOTS
server may be enabled on the same device within a source network (e.g.,
Node #j with Network #D shown in <xref target="snode2"></xref>) .</t>
<t>Whether the same or distinct nodes are used to host base DOTS and
DOTS Call Home agents is specific to each domain.</t>
<t><figure align="center" anchor="snode"
title="An Example of the Same Node Embedding both a Call Home DOTS Client and a DOTS Server at the Network Provider's Side">
<artwork align="center"><![CDATA[ DOTS Signal Channel Base DOTS
Call Home Signal Channel
+-.-.-.-.-.-.-.-.-.-++-.-.-.-.-.-.-.-.-.-+
: +----------------------+ :
: | Node #i | :
: | +------+ +------+ | :
: | | DOTS | | DOTS | | :
: | |client| |server| | :
: | +--+---+ +---+--+ | :
: +----|-----::-----|----+ : Network
: /\ | :: | :Provider
: || | :: | : (DMS)
...:.....||......|.....::.....|.............:........
Outbound || | :: | || Inbound
DDoS || | :: | || DDoS
Attack || | :: | \/ Attack
: +--+---+ :: +---+--+ :
: | DOTS | :: | DOTS | :
: |server| :: |client| :
: +------+ :: +------+ :
+-.-.-.-.-.-.-.-.-.-++-.-.-.-.-.-.-.-.-.-+
Network #C
]]></artwork>
</figure></t>
<t><figure align="center" anchor="snode2"
title="Another Example where the Same Node Embeds both a DOTS Client and a Call Home DOTS Server">
<artwork align="center"><![CDATA[ DOTS Signal Channel Base DOTS
Call Home Signal Channel
+-.-.-.-.-.-.-.-.-.-++-.-.-.-.-.-.-.-.-.-+
: +----------------------+ :
: | Node #k | :
: | +------+ +------+ | :
: | | DOTS | | DOTS | | :
: | |client| |server| | :
: | +--+---+ +---+--+ | :
: +----|-----::-----|----+ : Network
: /\ | :: | :Provider
: || | :: | : (DMS)
...:.....||......|.....::.....|.............:........
Outbound || | :: | || Inbound
DDoS || | :: | || DDoS
Attack || | :: | \/ Attack
: +----|-----::-----|----+ :
: | +--+---+ +---+--+ | :
: | | DOTS | | DOTS | | :
: | |server| |client| | :
: | +------+ +------+ | :
: | Node #j | :
: +----------------------+ :
+-.-.-.-.-.-.-.-.-.-++-.-.-.-.-.-.-.-.-.-+
Network #D]]></artwork>
</figure><xref target="app"></xref> elaborates on the considerations
to unambiguously distinguish DOTS messages which belong to each of these
channels.</t>
</section>
<section anchor="spec" title="DOTS Signal Channel Call Home">
<section anchor="proc" title="Procedure">
<t>The DOTS signal channel Call Home preserves all but one of the DOTS
client/server roles in the DOTS protocol stack, as compared to DOTS
client-initiated DOTS signal channel protocol <xref
target="I-D.ietf-dots-rfc8782-bis"></xref>. The role reversal that
occurs is at the (D)TLS layer; that is, (1) the Call Home DOTS server
acts as a DTLS client and the Call Home DOTS client acts as a DTLS
server or (2) the Call Home DOTS server acts as a TLS client
initiating the underlying TCP connection and the Call Home DOTS client
acts as a TLS server. The Call Home DOTS server initiates (D)TLS
handshake to the Call Home DOTS client.</t>
<t>For example, a home network element (e.g., home router) co-located
with a Call Home DOTS server is the (D)TLS client. That is, the Call
Home DOTS server assumes the role of the (D)TLS client, but the
network element's role as a DOTS server remains the same.</t>
<t>Existing certificate chains and mutual authentication mechanisms
between the DOTS agents are unaffected by the Call Home function. From
a deployment standpoint, and given the scale of Call Home DOTS servers
that may be involved, enabling means for automating the provisioning
of credentials on Call Home DOTS servers to authenticate to the Call
Home DOTS client is encouraged. It is out of the scope of this
document to elaborate on these means.</t>
<t><xref target="signalch"></xref> illustrates a sample DOTS Call Home
flow exchange:</t>
<t><figure align="center" anchor="signalch"
title="DOTS Signal Channel Call Home Sequence Diagram">
<artwork><![CDATA[ +-----------+ +-----------+
| Call Home | | Call Home |
| DOTS | | DOTS |
| server | | client |
+-----+-----+ +-----+-----+
(D)TLS client (D)TLS server
| |
| 1. (D)TLS connection |
|----------------------------------->|
| 2. Mitigation request |
|<-----------------------------------|
| ... |
]]></artwork>
</figure></t>
<t>The DOTS signal channel Call Home procedure is as follows:</t>
<t><list style="numbers">
<t>If UDP transport is used, the Call Home DOTS server begins by
initiating a DTLS connection to the Call Home DOTS client.<vspace
blankLines="1" />If TCP is used, the Call Home DOTS server begins
by initiating a TCP connection to the Call Home DOTS client. Once
connected, the Call Home DOTS server continues to initiate a TLS
connection to the Call Home DOTS client.<vspace
blankLines="1" />Peer DOTS agents may have mutual agreement to use
a specific port number, such as by explicit configuration or
dynamic discovery <xref target="RFC8973"></xref>. The interaction
between the base DOTS signal channel and the Call Home is
discussed in <xref target="app"></xref>.<vspace
blankLines="1" />The Happy Eyeballs mechanism explained in Section
4.3 of <xref target="I-D.ietf-dots-rfc8782-bis"></xref> is used
for initiating (D)TLS connections.</t>
<t>Using this (D)TLS connection, the Call Home DOTS client may
request, withdraw, or retrieve the status of mitigation requests.
The Call Home DOTS client supplies the source information by means
of new attributes defined in <xref target="mitigation"></xref>.
<vspace blankLines="1" />The Heartbeat mechanism used for the DOTS
Call Home deviates from the one defined in Section 4.7 of <xref
target="I-D.ietf-dots-rfc8782-bis"></xref>. <xref
target="hb"></xref> specifies the behavior to be followed by Call
Home DOTS agents.</t>
</list></t>
<t></t>
</section>
<section title="DOTS Signal Channel Variations">
<t></t>
<section anchor="hb" title="Heartbeat Mechanism">
<t>Once the (D)TLS section is established between the DOTS agents,
the Call Home DOTS client contacts the Call Home DOTS server to
retrieve the session configuration parameters (Section 4.5 of <xref
target="I-D.ietf-dots-rfc8782-bis"></xref>). The Call Home DOTS
server adjusts the 'heartbeat-interval' to accommodate binding
timers used by on-path NATs and firewalls. Heartbeats will be then
exchanged by the DOTS agents following the instructions retrieved
using the signal channel session configuration exchange.</t>
<t>It is the responsibility of Call Home DOTS servers to ensure that
on-path translators/firewalls are maintaining a binding so that the
same external IP address and/or port number is retained for the DOTS
signal channel session. A Call Home DOTS client MAY trigger their
heartbeat requests immediately after receiving heartbeat probes from
its peer Call Home DOTS server.</t>
<t>When an outgoing attack that saturates the outgoing link from the
Call Home DOTS server is detected and reported by a Call Home DOTS
client, the latter MUST continue to use the DOTS signal channel even
if no traffic is received from the Call Home DOTS server.</t>
<t>If the Call Home DOTS server receives traffic from the Call Home
DOTS client, the Call Home DOTS server MUST continue to use the DOTS
signal channel even if the missing heartbeats allowed threshold
('missing-hb-allowed') is reached.</t>
<t>If the Call Home DOTS server does not receive any traffic from
the peer Call Home DOTS client during the time span required to
exhaust the maximum 'missing-hb-allowed' threshold, the Call Home
DOTS server concludes the session is disconnected. Then, the Call
Home DOTS server MUST try to establish a new DOTS signal channel
session, preferably by resuming the (D)TLS session.</t>
</section>
<section anchor="redirect" title="Redirected Signaling">
<t>A Call Home DOTS server MUST NOT support the Redirected Signaling
mechanism as specified in Section 4.6 of <xref
target="I-D.ietf-dots-rfc8782-bis"></xref> (i.e., a 5.03 response
that conveys an alternate DOTS server's FQDN or alternate DOTS
server's IP address(es)). A Call Home DOTS client MUST silently
discard such message as only a Call Home DOTS server can initiate a
new (D)TLS connection.</t>
<t>If a Call Home DOTS client wants to redirect a Call Home DOTS
server to another Call Home DOTS client, it MUST send a
Non-confirmable PUT request to the predefined resource
“.well-known/dots/redirect” with the following
attributes in the body of the PUT request:</t>
<t><list style="hanging">
<t hangText="alt-ch-client:">The FQDN of an alternate Call Home
DOTS client. It is also presented as reference identifier for
authentication purposes.<vspace blankLines="1" />This is a
mandatory attribute for DOTS signal Call Home. It MUST NOT be
used for base DOTS signal channel operations.</t>
<t hangText="alt-ch-client-record:">List of IP addresses for the
alternate Call Home DOTS client. If no 'alt-ch-client-record' is
provided, the Call Home DOTS server passes the 'alt-ch-client'
name to a name resolution library to retrieve one or more IP
addresses of the alternate Call Home DOTS client.<vspace
blankLines="1" />This is an optional attribute for DOTS signal
Call Home. It MUST NOT be used for base DOTS signal channel
operations.</t>
<t hangText="ttl:">The Time to live (TTL) of the alternate Call
Home DOTS client. That is, the time interval that the alternate
Call Home DOTS client may be cached for use by a Call Home DOTS
server.<vspace blankLines="1" />This is an optional attribute
for DOTS signal Call Home. It MUST NOT be used for base DOTS
signal channel operations.</t>
</list></t>
<t>On receipt of this PUT request, the Call Home DOTS server
responds with a 2.01 (Created), closes this connection and
establishes a connection with the new Call Home DOTS client. The
processing of the TTL is defined in Section 4.6 of <xref
target="I-D.ietf-dots-rfc8782-bis"></xref>. If the Call Home DOTS
server cannot service the PUT request, the response is rejected with
a 4.00 (Bad Request).</t>
<t><xref target="red-example"></xref> shows a PUT request example to
convey the alternate Call Home DOTS client
'alt-call-home-client.example' together with its IP addresses
2001:db8:6401::1 and 2001:db8:6401::2. The validity of this
alternate Call Home DOTS client is 10 minutes.</t>
<t><figure anchor="red-example"
title="Example of a PUT Request for Redirected Signaling">
<artwork><![CDATA[ Header: PUT (Code=0.03)
Uri-Path: ".well-known"
Uri-Path: "dots"
Uri-Path: "redirect"
Uri-Path: "cuid=dz6pHjaADkaFTbjr0JGBpw"
Uri-Path: "mid=123"
Content-Format: "application/dots+cbor"
{
"ietf-dots-signal-channel:redirected-signal": {
"ietf-dots-call-home:alt-ch-client":
"alt-call-home-client.example",
"ietf-dots-call-home:alt-ch-client-record": [
"2001:db8:6401::1",
"2001:db8:6401::2"
],
"ietf-dots-call-home:ttl": 600
}
]]></artwork>
</figure></t>
</section>
</section>
<section title="DOTS Signal Channel Extension">
<section anchor="mitigation" title="Mitigation Request">
<t>This specification extends the mitigation request defined in
Section 4.4.1 of <xref target="I-D.ietf-dots-rfc8782-bis"></xref> to
convey the attack source information (e.g., source prefixes, source
port numbers). The DOTS client conveys the following new parameters
in the CBOR body of the mitigation request:<list style="hanging">
<t hangText="source-prefix:">A list of attacker IP prefixes used
to attack the target. Prefixes are represented using Classless
Inter-Domain Routing (CIDR) notation <xref target="RFC4632">BCP
122 </xref>. <vspace blankLines="1" />As a reminder, the prefix
length MUST be less than or equal to 32 (or 128) for IPv4 (or
IPv6).<vspace blankLines="1" />The prefix list MUST NOT include
broadcast, loopback, or multicast addresses. These addresses are
considered as invalid values. Note that link-local addresses are
allowed. The Call Home DOTS client MUST validate that attacker
prefixes are within the scope of the Call Home DOTS server
domain (e.g., prefixes assigned to the Call Home DOTS server
domain or networks it services). This check is meant to avoid
contacting Call Home DOTS servers that are not entitled to
enforce actions on specific prefixes.<vspace
blankLines="1" />This is an optional attribute for the base DOTS
signal channel operations.</t>
<t hangText="source-port-range:">A list of port numbers used by
the attack traffic flows. <vspace blankLines="1" />A port range
is defined by two bounds, a lower port number (lower-port) and
an upper port number (upper-port). When only 'lower-port' is
present, it represents a single port number. <vspace
blankLines="1" />For TCP, UDP, Stream Control Transmission
Protocol (SCTP) <xref target="RFC4960"></xref>, or Datagram
Congestion Control Protocol (DCCP) <xref
target="RFC4340"></xref>, a range of ports can be any subrange
of 0-65535, for example, 0-1023, 1024-65535, or 1024-49151.
<vspace blankLines="1" />This is an optional attribute for the
base DOTS signal channel operations.</t>
<t hangText="source-icmp-type-range:">A list of ICMP types used
by the attack traffic flows. An ICMP type range is defined by
two bounds, a lower ICMP type (lower-type) and an upper ICMP
type (upper-type). When only 'lower-type' is present, it
represents a single ICMP type. Both ICMP <xref
target="RFC0792"></xref> and ICMPv6 <xref
target="RFC4443"></xref> types are supported. Whether ICMP or
ICMPv6 types are to be used is determined by the address family
of the 'target-prefix'. <vspace blankLines="1" />This is an
optional attribute for the base DOTS signal channel
operations.</t>
</list></t>
<t>The 'source-prefix' parameter is a mandatory attribute when the
attack traffic information is signaled by a Call Home DOTS client
(i.e., the Call Home scenario depicted in <xref
target="signalch"></xref>). The 'target-prefix' attribute MUST be
included in the mitigation request signaling the attack information
to a Call Home DOTS server. The 'target-uri' or 'target-fqdn'
parameters can be included in a mitigation request for diagnostic
purposes to notify the Call Home DOTS server domain administrator,
but SHOULD NOT be used to determine the target IP addresses.
'alias-name' is unlikely to be conveyed in a Call Home mitigation
request given that a target may be any IP resource and that there is
no incentive for a Call Home DOTS server (embedded, for example, in
a CPE) to maintain aliases.</t>
<t>In order to help attack source identification by a Call Home DOTS
server, the Call Home DOTS client SHOULD include in its mitigation
request additional information such as 'source-port-range' or
'source-icmp-type-range' to disambiguate nodes sharing the same
'source-prefix'. IPv6 addresses/prefixes are sufficient to uniquely
identify a network endpoint, without need for port numbers or ICMP
type information. While this is also possible for IPv4, it is much
less often the case than for IPv6. More address sharing implications
on the setting of source information ('source-prefix',
'source-port-range') are discussed in <xref
target="nat"></xref>.</t>
<t>Only immediate mitigation requests (i.e., 'trigger-mitigation'
set to 'true') are allowed; Call Home DOTS clients MUST NOT send
requests with 'trigger-mitigation' set to 'false'. Such requests
MUST be discarded by the Call Home DOTS server with a 4.00 (Bad
Request).</t>
<t>An example of a mitigation request sent by a Call Home DOTS
client is shown in <xref target="example"></xref>.<figure
anchor="example"
title="An Example of Mitigation Request Issued by a Call Home DOTS Client">
<artwork align="left"><![CDATA[ Header: PUT (Code=0.03)
Uri-Path: ".well-known"
Uri-Path: "dots"
Uri-Path: "mitigate"
Uri-Path: "cuid=dz6pHjaADkaFTbjr0JGBpw"
Uri-Path: "mid=56"
Content-Format: "application/dots+cbor"
{
"ietf-dots-signal-channel:mitigation-scope": {
"scope": [
{
"target-prefix": [
"2001:db8:c000::/128"
],
"ietf-dots-call-home:source-prefix": [
"2001:db8:123::1/128"
],
"lifetime": 3600
}
]
}
}]]></artwork>
</figure></t>
<t>The Call Home DOTS server MUST check that the 'source-prefix' is
within the scope of the Call Home DOTS server domain. Note that in a
DOTS Call Home scenario, the Call Home DOTS server considers, by
default, that any routeable IP prefix enclosed in 'target-prefix' is
within the scope of the Call Home DOTS client. Invalid mitigation
requests are handled as per Section 4.4.1 of <xref
target="I-D.ietf-dots-rfc8782-bis"></xref>.<list style="empty">
<t>Note: These validation checks do not apply when the source
information is included as a hint in the context of the base
DOTS signal channel.</t>
</list></t>
<t>The Call Home DOTS server domain administrator consent MAY be
required to block the traffic from the compromised device to the
attack target. An implementation MAY have a configuration knob to
block the traffic from the compromised device to the attack target
with or without DOTS server domain administrator consent.</t>
<t>If a consent from the Call Home DOTS server domain administrator
is required, the Call Home DOTS server replies with 2.01 (Created)
and 'status' code set to 1 (attack-mitigation-in-progress). Then,
the mechanisms defined in Section 4.4.2 of <xref
target="I-D.ietf-dots-rfc8782-bis"></xref> are followed by the DOTS
agents to update the mitigation status. Particularly, if the attack
traffic is blocked, the Call Home DOTS server informs the Call Home
DOTS client that the attack is being mitigated (i.e., by setting the
'status' code to 2 (attack-successfully-mitigated)).</t>
<t>If the attack traffic information is identified by the Call Home
DOTS server or the Call Home DOTS server domain administrator as
legitimate traffic, the mitigation request is rejected with a 4.09
(Conflict) (e.g., when no consent is required from an administrator)
or a notification message with the 'conflict-clause' (Section 4.4.1
of <xref target="I-D.ietf-dots-rfc8782-bis"></xref>) set to the
following new value:</t>
<t><list style="hanging">
<t hangText="4:">Mitigation request rejected. This code is
returned by the DOTS server to indicate the attack traffic has
been classified as legitimate traffic.</t>
</list></t>
<t>Once the request is validated by the Call Home DOTS server,
appropriate actions are enforced to block the attack traffic within
the source network. For example, if the Call Home DOTS server is
embedded in a CPE, it can program the packet processor to punt all
the traffic from the compromised device to the target to slow path.
The CPE inspects the punted slow path traffic to detect and block
the outgoing DDoS attack traffic or quarantine the device (e.g.,
using MAC level filtering) until it is remediated, and notifies the
CPE administrator about the compromised device. Note that the Call
Home DOTS client is informed about the progress of the attack
mitigation following the rules in Section 4.4.2 of <xref
target="I-D.ietf-dots-rfc8782-bis"></xref>.</t>
<t>The DOTS agents follow the same procedures specified in <xref
target="I-D.ietf-dots-rfc8782-bis"></xref> for managing a mitigation
request.</t>
</section>
<section anchor="nat" title="Address Sharing Considerations">
<t><xref target="ex1"></xref> depicts an example of a network
provider that hosts a Call Home DOTS client and deploys a Carrier
Grade NAT (CGN) between the DOTS client domain and DOTS server
domain. In such cases, communicating an external IP address in a
mitigation request by a Call Home DOTS client is likely to be
discarded by the Call Home DOTS server because the external IP
address is not visible locally to the Call Home DOTS server (<xref
target="ex1"></xref>). The Call Home DOTS server is only aware of
the internal IP addresses/prefixes bound to its domain (i.e., those
used in the Internal Realm shown in <xref target="ex1"></xref>).
Thus, Call Home DOTS clients that are aware of the presence of
on-path CGNs MUST NOT include the external IP address and/or port
number identifying the suspect attack source (i.e., those used in
the External Realm shown in <xref target="ex1"></xref>), but MUST
include the internal IP address and/or port number. To that aim, the
Call Home DOTS client SHOULD rely on mechanisms, such as <xref
target="RFC8512"></xref> or <xref target="RFC8513"></xref>, to
retrieve the internal IP address and port number which are mapped to
an external IP address and port number. For the particular case of
NAT64 <xref target="RFC6146"></xref>, if the target address is an
IPv4 address, the IPv4-converted IPv6 address of this target address
<xref target="RFC6052"></xref> SHOULD be used.</t>
<t><figure align="center" anchor="ex1"
title="Example of a CGN between DOTS Domains">
<artwork align="center"><![CDATA[ N | .-------------------.
E | ( )-.
T | .' '
W | ( Call Home )
O | ( DOTS client -'
R | '-( )
K | '-------+-----------'
| |
P | |
R | +---+---+
O | | CGN | External Realm
V |..............| |......................
I | | | Internal Realm
D | +---+---+
E | |
R | |
--- |
.---------+---------.
( )-.
.' Source Network '
( )
( Call Home -'
'-( DOTS server )
'------+------------'
|
+-----+-------+
|Attack Source|
+-------------+
]]></artwork>
</figure></t>
<t>If a MAP Border Relay <xref target="RFC7597"></xref> or lwAFTR
<xref target="RFC7596"></xref> is enabled in the provider's domain
to service its customers, the identification of an attack source
bound to an IPv4 address/prefix MUST also rely on source port
numbers because the same IPv4 address is assigned to multiple
customers. The port information is required to unambiguously
identify the source of an attack.</t>
<t>If a translator is enabled on the boundaries of the domain
hosting the Call Home DOTS server (e.g., a CPE with NAT enabled as
shown in Figures <xref format="counter" target="ex2"></xref> and
<xref format="counter" target="ex2b"></xref>), the Call Home DOTS
server uses the attack traffic information conveyed in a mitigation
request to find the internal source IP address of the compromised
device and blocks the traffic from the compromised device traffic to
the attack target until the mitigation request is withdrawn. The
Call Home DOTS server proceeds with a NAT mapping table lookup using
the attack information (or a subset thereof) as a key. The lookup
can be local (<xref target="ex2"></xref>) or via a dedicated
administration interface that is offered by the CPE (<xref
target="ex2b"></xref>). This identification allows the suspicious
device to be isolated while avoiding disturbances of other
services.</t>
<t><figure align="center" anchor="ex2"
title="Example of a DOTS Server Domain with a NAT Embedded in a CPE">
<artwork align="center"><![CDATA[ .-------------------.
( )-.
.' Network Provider (DMS)'
( )
( Call Home -'
'-( DOTS client )
'-------+-----------'
|
--- +---+---+
S | | CPE | External Realm
O |..............| |................
U | | NAT | Internal Realm
R | +---+---+
C | |
E | .---------+---------.
| ( )-.
N | .' '
E | ( Call Home )