RFC 9244: Distributed Denial-of-Service Open Threat Signaling (DOTS) Telemetry
- M. Boucadair, Ed.,
- T. Reddy.K, Ed.,
- E. Doron,
- M. Chen,
- J. Shallow
Abstract
This document aims to enrich the Distributed Denial
This document specifies two YANG modules: one for representing DOTS telemetry message types and one for sharing the attack mapping details over the DOTS data channel.¶
Status of This Memo
This is an Internet Standards Track document.¶
This document is a product of the Internet Engineering Task Force (IETF). It represents the consensus of the IETF community. It has received public review and has been approved for publication by the Internet Engineering Steering Group (IESG). Further information on Internet Standards is available in Section 2 of RFC 7841.¶
Information about the current status of this document, any
errata, and how to provide feedback on it may be obtained at
https://
Copyright Notice
Copyright (c) 2022 IETF Trust and the persons identified as the document authors. All rights reserved.¶
This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents
(https://
1. Introduction
IT organizations and service providers are facing Distributed Denial
To compound the problem, attackers also leverage multi-vectored
attacks. These attacks are assembled from dynamic network-layer and
application
The conclusion derived from the aforementioned attack scenarios is that modern attack detection and mitigation are most certainly complicated and highly convoluted tasks. They demand a comprehensive knowledge of the attack attributes and the normal behavior of the targeted systems (including normal traffic patterns), as well as the attacker's ongoing and past actions. Even more challenging, retrieving all the analytics needed for detecting these attacks is not simple with the industry's current reporting capabilities.¶
The Distributed Denial
DOTS clients can be integrated within a DDoS attack detector or within network and security elements that have been actively engaged with ongoing attacks. The DOTS client mitigation environment determines that it is no longer possible or practical for it to handle these attacks itself. This can be due to a lack of resources or security capabilities, as derived from the complexities and intensity of these attacks. In this circumstance, the DOTS client has invaluable knowledge about the actual attacks that need to be handled by its DOTS server(s). By enabling the DOTS client to share this comprehensive knowledge of an ongoing attack under specific circumstances, the DOTS server can drastically increase its ability to accomplish successful mitigation. While the attack is being handled by the mitigation resources associated with the DOTS server, the DOTS server has knowledge about the ongoing attack mitigation. The DOTS server can share this information with the DOTS client so that the client can better assess and evaluate the actual mitigation realized.¶
DOTS clients can send mitigation hints derived from attack details to DOTS servers, with the full understanding that a DOTS server may ignore mitigation hints, as described in [RFC8612] (Gen-004). Mitigation hints will be transmitted across the DOTS signal channel, as the data channel may not be functional during an attack. How a DOTS server handles normal and attack traffic attributes, and mitigation hints, is implementation specific.¶
Both DOTS clients and servers can benefit from this information by presenting various information details in relevant management, reporting, and portal systems.¶
This document defines DOTS telemetry attributes that can be conveyed by DOTS clients to DOTS servers, and vice versa. The DOTS telemetry attributes are not mandatory attributes of the DOTS signal channel protocol [RFC9132]. When no limitation policy is provided to a DOTS agent, it can signal available telemetry attributes to its peers in order to optimize the overall mitigation service provisioned using DOTS. The aforementioned policy can be, for example, agreed upon during a service subscription (which is out of scope for this document) to identify a subset of DOTS clients among those deployed in a DOTS client domain that are allowed to send or receive telemetry data.¶
Section 11.2 of this document specifies a YANG module that augments the DOTS data channel [RFC8783] with information related to attack details. Sharing such details during 'idle' time is meant to optimize the data exchanged over the DOTS signal channel.¶
2. Terminology
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in BCP 14 [RFC2119] [RFC8174] when, and only when, they appear in all capitals, as shown here.¶
The reader should be familiar with the terms defined in [RFC8612].¶
"DOTS telemetry" is defined as the collection of attributes that are
used to characterize the normal traffic baseline, attacks and their
mitigation measures, and any related information that may help in
enforcing countermeasures
The Telemetry Setup Identifier (tsid) is an identifier that is generated by DOTS clients to uniquely identify DOTS telemetry setup configuration data. See Section 7.1.2 for more details.¶
The Telemetry Identifier (tmid) is an identifier that is generated by DOTS clients to uniquely identify DOTS telemetry data that is communicated prior to or during a mitigation. See Section 8.2 for more details.¶
"Overlapped" lower numeric 'tsid' (or 'tmid') refers to the lower 'tsid' (or 'tmid') value of two overlapping telemetry requests.¶
The term "pipe" represents the maximum level of traffic that the DOTS client domain can receive. Whether a "pipe" is mapped to one or a group of network interfaces is deployment specific. For example, each interconnection link may be considered as a specific pipe if the DOTS server is hosted by each upstream provider, while the aggregate of all links to connect to upstream network providers can be considered by a DOTS client domain as a single pipe when communicating with a DOTS server not hosted by these upstream providers.¶
This document uses IANA-assigned Enterprise Numbers. These numbers are
also known as "Private Enterprise Numbers" and "SMI (Structure of
Management Information) Network Management Private Enterprise Codes"
[Private
The meanings of the symbols in YANG tree diagrams are defined in [RFC8340] and [RFC8791].¶
Consistent with the convention set in Section 2 of [RFC8783], the examples in Section 8.1.6 use "/restconf" as the discovered RESTCONF API root path. Within these examples, some protocol header lines are split into multiple lines for display purposes only. When a line ends with a backslash ("\") as the last character, the line is wrapped for display purposes. It is considered to be joined to the next line by deleting the backslash, the following line break, and the leading whitespace of the next line.¶
3. DOTS Telemetry: Overview and Purpose
Timely and effective signaling of up-to-date DDoS telemetry to all elements involved in the mitigation process is essential and improves the overall DDoS mitigation service's effectiveness. Bidirectional feedback between DOTS agents is required for increased awareness by each party of the attack and mitigation efforts, supporting a superior and highly efficient attack mitigation service.¶
3.1. Need for More Visibility
When signaling a mitigation request, it is most certainly beneficial for DOTS clients to signal to DOTS servers any knowledge regarding ongoing attacks. This can happen in cases where DOTS clients are asking DOTS servers for support in defending against attacks that they have already detected and/or (partially) mitigated.¶
If attacks are already detected and categorized within a DOTS
client domain, the DOTS server, and its associated mitigation
services, can proactively benefit from this information and optimize
the overall service delivery. It is important to note that DOTS client
domains' and DOTS server domains' detection and mitigation approaches
can be different and can potentially result in different results and
attack classifications
In addition to the DOTS server directly using telemetry data as operational hints, the DOTS server's security operation team also benefits from telemetry data. A basic requirement of security operation teams is to be aware of and get visibility into the attacks they need to handle. This holds especially for the case of ongoing attacks, where DOTS telemetry provides data about the current attack status. Even if some mitigation can be automated, operational teams can use the DOTS telemetry information to be prepared for attack mitigation and to assign the correct resources (e.g., operation staff, networking resources, mitigation resources) for the specific service. Similarly, security operations personnel at the DOTS client side ask for feedback about their requests for protection. Therefore, it is valuable for DOTS servers to share DOTS telemetry with DOTS clients.¶
Mutual sharing of information is thus crucial for "closing the mitigation loop" between DOTS clients and servers. For the server-side team, it is important to confirm that the same attacks that the DOTS server's mitigation resources are seeing are those for which a DOTS client is requesting mitigation. For the DOTS client-side team, it is important to realize that the DOTS clients receive the required service -- for example, understanding that "I asked for mitigation of two attacks, and my DOTS server detects and mitigates only one of them." Cases of inconsistency in attack classification between DOTS clients and servers can be highlighted, and maybe handled, using the DOTS telemetry attributes.¶
In addition, management and orchestration systems, at both the DOTS client and server sides, can use DOTS telemetry as feedback to automate various control and management activities derived from signaled telemetry information.¶
If the DOTS server's mitigation resources have the capabilities to facilitate the DOTS telemetry, the DOTS server adapts its protection strategy and activates the required countermeasures immediately (automation enabled) for the sake of optimized attack mitigation decisions and actions. Discussion regarding the interface from the DOTS server to the mitigator to signal the telemetry data is out of scope for this document.¶
3.2. Enhanced Detection
DOTS telemetry can also be used as input for determining what
values to use for the tuning parameters available on the mitigation
resources. During the last few years, DDoS attack detection
technologies have evolved from threshold-based detection (that is,
cases when all or specific parts of traffic cross a predefined
threshold for a certain period of time is considered as an attack) to
an "anomaly detection" approach. For the latter, it is required to
maintain rigorous learning of "normal" behavior, and an "anomaly" (or
an attack) is identified and categorized based on the knowledge about
the normal behavior and a deviation from this normal behavior.
Statistical and artificial intelligence algorithms (e.g., machine
learning) are used such that the actual traffic thresholds are
automatically calculated by learning the protected entity's normal
traffic behavior during 'idle' time (i.e., no mitigation is active).
The normal traffic characterizatio
In addition, subsequent activities toward mitigating an attack are much more challenging. The ability to distinguish legitimate traffic from attacker traffic on a per-packet basis is complex. For example, a packet may look "legitimate" and no attack signature can be identified. The anomaly can be identified only after detailed statistical analysis. DDoS attack mitigators use the normal baseline during the mitigation of an attack to identify and categorize the expected appearance of a specific traffic pattern. Particularly, the mitigators use the normal baseline to recognize the "level of normality" that needs to be achieved during the various mitigation processes.¶
Normal baseline calculation is performed based on continuous learning of the normal behavior of the protected entities. The minimum learning period varies from hours to days and even weeks, depending on the protected applications' behavior. The baseline cannot be learned during active attacks because attack conditions do not characterize the protected entities' normal behavior.¶
If the DOTS client has calculated the normal baseline of its protected entities, signaling such information to the DOTS server along with the attack traffic levels provides value. The DOTS server benefits from this telemetry by tuning its mitigation resources with the DOTS client's normal baseline. The DOTS server's mitigators use the baseline to familiarize themselves with the attack victim's normal behavior and target the baseline as the level of normality they need to achieve. Fed with this information, the overall mitigation performance is expected to be improved in terms of time to mitigate, accuracy, and false-negative and false-positive rates.¶
Mitigation of attacks without having certain knowledge of normal traffic can be inaccurate at best. This is especially true for recursive signaling (see Section 3.2.3 of [RFC8811]). Given that DOTS clients can be integrated in a highly diverse set of scenarios and use cases, this emphasizes the need for knowledge of the behavior of each DOTS client domain -- especially given that common global thresholds for attack detection can almost never be realized. Each DOTS client domain can have its own levels of traffic and normal behavior. Without facilitating normal baseline signaling, it may be very difficult for DOTS servers in some cases to detect and mitigate the attacks accurately:¶
Of course, this information can be provided using out-of-band mechanisms or manual configuration, at the risk of unmaintained information becoming inaccurate as the network evolves and "normal" patterns change. The use of a dynamic and collaborative means between the DOTS client and server to identify and share key parameters for the sake of efficient DDoS protection is valuable.¶
3.3. Efficient Mitigation
During a high-volume attack, DOTS client pipes can be totally saturated. DOTS clients ask their DOTS servers to handle the attack upstream so that DOTS client pipes return to a reasonable load level (normal pattern, ideally). At this point, it is essential to ensure that the mitigator does not overwhelm the DOTS client pipes by sending back large volumes of "clean traffic", or what it believes is "clean". This can happen when the mitigator has not managed to detect and mitigate all the attacks launched toward the DOTS client domain.¶
In this case, it can be valuable to DOTS clients to signal to DOTS
servers the total pipe capacity, which is the level of traffic the
DOTS client domain can absorb from its upstream network. This is usually
the circuit size, which includes all the packet overheads. Dynamic
updates of the condition of pipes between DOTS agents while they are
under a DDoS attack are essential (e.g., where multiple DOTS clients
share the same physical connectivity pipes). The DOTS server should
activate other mechanisms to ensure that it does not allow the DOTS client
domain's pipes to be saturated unintentionally
4. Design Overview
4.1. Overview of Telemetry Operations
The DOTS protocol suite is divided into two logical channels: the
signal channel [RFC9132] and data channel [RFC8783]. This division is due to the vastly different
requirements placed upon the traffic they carry. The DOTS signal
channel must remain available and usable even in the face of attack
traffic that might, for example, saturate one direction of the links
involved, rendering acknowledgment
Telemetry information has aspects that correspond to both operational modes (i.e., signal channel and data channel): there is certainly a need to convey updated information about ongoing attack traffic and targets during an attack, so as to convey detailed information about mitigation status and inform updates to mitigation strategy in the face of adaptive attacks. However, it is also useful to provide mitigation services with a picture of normal or "baseline" traffic toward potential targets to aid in detecting when incoming traffic deviates from normal into being an attack. Also, one might populate a "database" of classifications of known types of attacks so that a short attack identifier can be used during an attack period to describe an observed attack. This specification does make provision for use of the DOTS data channel for the latter function (Section 8.1.6) but otherwise retains most telemetry functionality in the DOTS signal channel.¶
Note that it is a functional requirement to convey information about ongoing attack traffic during an attack, and information about baseline traffic uses an essentially identical data structure that is naturally defined to sit next to the description of attack traffic. The related telemetry setup information used to parameterize actual traffic data is also sent over the signal channel, out of expediency.¶
This document specifies an extension to the DOTS signal channel protocol. Considerations about how to establish, maintain, and make use of the DOTS signal channel are specified in [RFC9132].¶
Once the DOTS signal channel is established, DOTS clients that support the DOTS telemetry extension proceed with the telemetry setup configuration (e.g., measurement interval, telemetry notification interval, pipe capacity, normal traffic baseline) as detailed in Section 7. DOTS agents can then include DOTS telemetry attributes using the DOTS signal channel (Section 8.1). A DOTS client can use separate messages to share with its DOTS server(s) a set of telemetry data bound to an ongoing mitigation (Section 8.2). Also, a DOTS client that is interested in receiving telemetry notifications related to some of its resources follows the procedure defined in Section 8.3. A DOTS client that receives such notifications can then decide to send a mitigation request if an attack cannot be mitigated locally within the DOTS client domain.¶
Aggregate DOTS telemetry data can also be included in efficacy update (Section 9.1) or mitigation update (Section 9.2) messages.¶
4.2. Block-Wise Transfers
DOTS clients can use a block-wise transfer [RFC7959] with the recommendation detailed in Section 4.4.2 of [RFC9132] to control the size of a response when the data to be returned does not fit within a single datagram.¶
DOTS clients can also use the Constrained Application Protocol (CoAP) Block1 Option in a PUT request (Section 2.5 of [RFC7959]) to initiate large transfers, but these Block1 transfers are likely to fail if the inbound "pipe" is running full because the transfer requires a message from the server for each block, which would likely be lost in the incoming flood. Consideration needs to be made to try to fit this PUT into a single transfer or to separate out the PUT into several discrete PUTs where each of them fits into a single packet.¶
Q-Block1 and Q-Block2 Options that are similar to the CoAP Block1
and Block2 Options, but enable robust transmissions of big blocks of
data with less packet interchanges using NON messages, are defined in
[RFC9177]. DOTS implementations
can consider the use of Q-Block1 and Q-Block2 Options [DOTS
4.3. DOTS Multihoming Considerations
Considerations for multihomed DOTS clients to select which DOTS server to contact and which IP prefixes to include in a telemetry message to a given peer DOTS server are discussed in [DOTS-Multihoming]. For example, if each upstream network exposes a DOTS server and the DOTS client maintains DOTS channels with all of them, only the information related to prefixes assigned by an upstream network to the DOTS client domain will be signaled via the DOTS channel established with the DOTS server of that upstream network.¶
Considerations related to whether (and how) a DOTS client gleans some telemetry information (e.g., attack details) it receives from a first DOTS server and shares it with a second DOTS server are implementation and deployment specific.¶
4.4. YANG Considerations
Telemetry messages exchanged between DOTS agents are serialized
using Concise Binary Object Representation (CBOR) [RFC8949]. CBOR-encoded payloads are used to carry
signal
This document specifies a YANG module [RFC7950] for representing DOTS telemetry message types (Section 11.1). All parameters in the payload of the DOTS signal channel are mapped to CBOR types as specified in Section 12. As a reminder, Section 3 of [RFC9132] defines the rules for mapping YANG-modeled data to CBOR.¶
The DOTS telemetry module (Section 11.1) is not
intended to be used via the Network Configuration Protocol (NETCONF) / RESTCONF for DOTS server management
purposes. It serves only to provide a data model and encoding
following [RFC8791]. Server deviations (Section 5.6.3 of [RFC7950]) are strongly discouraged, as
the peer DOTS agent does not have the means to retrieve the list of
deviations and thus interoperabilit
The DOTS telemetry module (Section 11.1) uses
"enumerations" rather than "identities" to define units, samples, and
intervals because otherwise the namespace identifier
"ietf
The DOTS telemetry module (Section 11.1) includes some lists for which no "key" statement is included. This behavior is compliant with [RFC8791]. The reason for not including these keys is that they are not included in the message body of DOTS requests; such keys are included as mandatory Uri-Paths in requests (Sections 7 and 8). Otherwise, whenever a "key" statement is used in the module, the same definition as the definition provided in Section 7.8.2 of [RFC7950] is assumed.¶
Some parameters (e.g., low-percentile values) may be associated with different YANG types (e.g., decimal64 and yang:gauge64). To easily distinguish the types of these parameters while using meaningful names, the following suffixes are used:¶
The full tree diagram of the DOTS telemetry module can be generated using the "pyang" tool [PYANG]. That tree is not included here because it is too long (Section 3.3 of [RFC8340]). Instead, subtrees are provided for the reader's convenience.¶
In order to optimize the data exchanged over the DOTS signal
channel, this document specifies a second YANG module
5. Generic Considerations
5.1. DOTS Client Identification
Following the rules in Section 4.4.1 of [RFC9132], a unique identifier is generated by a DOTS client to prevent request collisions ('cuid').¶
As a reminder, Section 4.4.1.3 of [RFC9132] forbids 'cuid' to be returned in a response message body.¶
5.2. DOTS Gateways
DOTS gateways may be located between DOTS clients and servers. The considerations elaborated in Section 4.4.1 of [RFC9132] must be followed. In particular, the 'cdid' attribute is used to unambiguously identify a DOTS client domain.¶
As a reminder, Section 4.4.1.3 of [RFC9132] forbids 'cdid' (if present) to be returned in a response message body.¶
5.3. Uri-Path Parameters and Empty Values
Uri-Path parameters and attributes with empty values MUST NOT be present in a request. The presence of such an empty value renders the entire containing message invalid.¶
5.4. Controlling Configuration Data
The DOTS server follows the same considerations discussed in Section 4.5.3 of [RFC9132] for managing DOTS telemetry configuration freshness and notifications.¶
Likewise, a DOTS client may control the selection of configuration
and non
5.5. Message Validation
The authoritative references for validating telemetry messages exchanged over the DOTS signal channel are Sections 7, 8, and 9 together with the mapping table provided in Section 12. The structure of telemetry message bodies is represented as a YANG data structure (Section 11.1).¶
5.6. A Note about Examples
Examples are provided for illustration purposes. This document does not aim to provide a comprehensive list of message examples.¶
JSON encoding of YANG-modeled data is used to illustrate the various telemetry operations. To ease readability, parameter names and their JSON types are thus used in the examples rather than their CBOR key values and CBOR types following the mappings in Section 12. These conventions are inherited from [RFC9132].¶
The examples use Enterprise Number 32473, which is defined for documentation use; see [RFC5612].¶
6. Telemetry Operation Paths
As discussed in Section 4.2 of [RFC9132], each DOTS operation is indicated by a path suffix that indicates the intended operation. The operation path is appended to the path prefix to form the URI used with a CoAP request to perform the desired DOTS operation. The following telemetry path suffixes are defined (Table 2):¶
Consequently, the "ietf
DOTS implementations MUST support the Observe Option [RFC7641] for 'tm' (Section 8).¶
7. DOTS Telemetry Setup Configuration
In reference to Figure 1, a DOTS telemetry
setup message MUST include only telemetry
A DOTS client can reset all installed DOTS telemetry setup configuration data following the considerations detailed in Section 7.4.¶
A DOTS server may detect conflicts when processing requests related to DOTS client domain pipe capacity or telemetry traffic baseline information with requests from other DOTS clients of the same DOTS client domain. More details are included in Section 7.5.¶
Telemetry setup configuration is bound to a DOTS client domain. DOTS servers MUST NOT expect DOTS clients to send regular requests to refresh the telemetry setup configuration. Any available telemetry setup configuration is valid until the DOTS server ceases to service a DOTS client domain. DOTS servers MUST NOT reset 'tsid' because a session failed with a DOTS client. DOTS clients update their telemetry setup configuration upon change of a parameter that may impact attack mitigation.¶
DOTS telemetry setup configuration request and response messages are marked as Confirmable messages (Section 2.1 of [RFC7252]).¶
7.1. Telemetry Configuration
DOTS telemetry uses several percentile values to provide a picture of a traffic distribution overall, as opposed to just a single snapshot of observed traffic at a single point in time. Modeling raw traffic flow data as a distribution and describing that distribution entails choosing a measurement period that the distribution will describe, and a number of sampling intervals, or "buckets", within that measurement period. Traffic within each bucket is treated as a single event (i.e., averaged), and then the distribution of buckets is used to describe the distribution of traffic over the measurement period. A distribution can be characterized by statistical measures (e.g., mean, median, and standard deviation) and also by reporting the value of the distribution at various percentile levels of the data set in question (e.g., "quartiles" that correspond to 25th, 50th, and 75th percentiles). More details about percentile values and their computation are found in Section 11.3 of [RFC2330].¶
DOTS telemetry uses up to three percentile values, plus the overall
peak, to characterize traffic distributions. Which percentile
thresholds are used for these "low
A DOTS client can negotiate with its server(s) a set of telemetry configuration parameters to be used for telemetry. Such parameters include:¶
7.1.1. Retrieving the Current DOTS Telemetry Configuration
A GET request is used to obtain acceptable and current telemetry configuration parameters on the DOTS server. This request may include a 'cdid' Uri-Path when the request is relayed by a DOTS gateway. An example of such a GET request (without a gateway) is depicted in Figure 2.¶
Upon receipt of such a request, and assuming that no error is encountered when processing the request, the DOTS server replies with a 2.05 (Content) response that conveys the telemetry parameters that are acceptable to the DOTS server, any pipe information (Section 7.2), and the current baseline information (Section 7.3) maintained by the DOTS server for this DOTS client. The tree structure of the response message body is provided in Figure 3.¶
DOTS servers that support the capability of sending telemetry
information to DOTS clients prior to or during a mitigation (Section 9.2) set 'server
When both 'min
7.1.2. Conveying the DOTS Telemetry Configuration
A PUT request is used to convey the configuration parameters for the telemetry data (e.g., low-, mid-, or high-percentile values). For example, a DOTS client may contact its DOTS server to change the default percentile values used as the baseline for telemetry data. Figure 3 lists the attributes that can be set by a DOTS client in such a PUT request. An example of a DOTS client that modifies all percentile reference values is shown in Figure 4.¶
'cuid' is a mandatory Uri-Path parameter for PUT requests.¶
The following additional Uri-Path parameter is defined:¶
- tsid:
-
The Telemetry Setup Identifier is an identifier for the DOTS telemetry setup configuration data represented as an integer. This identifier MUST be generated by DOTS clients. 'tsid' values MUST increase monotonically whenever new configuration parameters (not just for changed values) need to be conveyed by the DOTS client.¶
The procedure specified in Section 4.4.1 of [RFC9132] for 'mid' rollover MUST also be followed for 'tsid' rollover.¶
This is a mandatory attribute. 'tsid' MUST appear after 'cuid' in the Uri-Path options.¶
'cuid' and 'tsid' MUST NOT appear in the PUT request message body.¶
At least one configurable attribute MUST be present in the PUT request.¶
A PUT request with a higher numeric 'tsid' value overrides the DOTS telemetry configuration data installed by a PUT request with a lower numeric 'tsid' value. To avoid maintaining a long list of 'tsid' requests for requests carrying telemetry configuration data from a DOTS client, the lower numeric 'tsid' MUST be automatically deleted and no longer be available at the DOTS server.¶
The DOTS server indicates the result of processing the PUT request using the following Response Codes:¶
By default, low-percentile (10th percentile), mid-percentile
(50th percentile), high-percentile (90th percentile), and peak
(100th percentile) values are used to represent telemetry data.
Nevertheless, a DOTS client can disable some percentile types (low,
mid, high). In particular, setting 'low
DOTS clients can also configure the unit class(es) to be used for traffic-related telemetry data among the following supported unit classes: packets per second, bits per second, and bytes per second. Supplying both bits per second and bytes per second unit classes is allowed for a given set of telemetry data. However, receipt of conflicting values is treated as invalid parameters and rejected with a 4.00 (Bad Request) Response Code.¶
DOTS clients that are interested in receiving pre-or-ongoing-
mitigation telemetry
7.1.3. Retrieving the Installed DOTS Telemetry Configuration
A DOTS client may issue a GET message with a 'tsid' Uri-Path parameter to retrieve the current DOTS telemetry configuration. An example of such a request is depicted in Figure 7.¶
If the DOTS server does not find the 'tsid' Uri-Path value conveyed in the GET request in its configuration data for the requesting DOTS client, it MUST respond with a 4.04 (Not Found) error Response Code.¶
7.1.4. Deleting the DOTS Telemetry Configuration
A DELETE request is used to delete the installed DOTS telemetry configuration data (Figure 8). 'cuid' and 'tsid' are mandatory Uri-Path parameters for such DELETE requests.¶
The DOTS server resets the DOTS telemetry configuration back to the default values and acknowledges a DOTS client's request to remove the DOTS telemetry configuration using a 2.02 (Deleted) Response Code. A 2.02 (Deleted) Response Code is returned even if the 'tsid' parameter value conveyed in the DELETE request does not exist in its configuration data before the request.¶
Section 7.4 discusses the procedure to reset all DOTS telemetry setup configuration data.¶
7.2. Total Pipe Capacity
A DOTS client can communicate to the DOTS server(s) its DOTS client domain pipe information. The tree structure of the pipe information is shown in Figure 9.¶
A DOTS client domain pipe is defined as a list of limits on
(incoming) traffic volume
The unit used by a DOTS client when conveying pipe information is captured in the 'unit' attribute. The DOTS client MUST auto-scale so that the appropriate unit is used. That is, for a given unit class, the DOTS client uses the largest unit that gives a value greater than one. As such, only one unit per unit class is allowed.¶
7.2.1. Conveying DOTS Client Domain Pipe Capacity
Considerations similar to those specified in Section 7.1.2 are followed, with one exception:¶
DOTS clients SHOULD minimize the number of active 'tsid's used for pipe information. In order to avoid maintaining a long list of 'tsid's for pipe information, it is RECOMMENDED that DOTS clients include in any request to update information related to a given link the information regarding other links (already communicated using a lower 'tsid' value). By doing so, this update request will override these existing requests and hence optimize the number of 'tsid' requests per DOTS client.¶
As an example of configuring pipe information, a DOTS client managing a single-homed domain (Figure 10) can send a PUT request (shown in Figure 11) to communicate the capacity of "link1" used to connect to its ISP.¶
DOTS clients may be instructed to signal a link aggregate instead of individual links. For example, a DOTS client that manages a DOTS client domain having two interconnection links with an upstream ISP (Figure 12) can send a PUT request (shown in Figure 13) to communicate the aggregate link capacity with its ISP. Signaling individual or aggregate link capacity is deployment specific.¶
Now consider that the DOTS client domain was upgraded to connect to an additional ISP (e.g., ISP#B in Figure 14); the DOTS client can inform a DOTS server that is not hosted with ISP#A and ISP#B domains about this update by sending the PUT request depicted in Figure 15. This request also includes information related to "link1" even if that link is not upgraded. Upon receipt of this request, the DOTS server removes the request with 'tsid=126' and updates its configuration base to maintain two links (link1 and link2).¶
A DOTS client can delete a link by sending a PUT request with the 'capacity' attribute set to "0" if other links are still active for the same DOTS client domain. For example, if a DOTS client domain re-homes (that is, it changes its ISP), the DOTS client can inform its DOTS server about this update (e.g., from the network configuration in Figure 10 to the network configuration shown in Figure 16) by sending the PUT request depicted in Figure 17. Upon receipt of this request, and assuming that no error is encountered when processing the request, the DOTS server removes "link1" from its configuration bases for this DOTS client domain. Note that if the DOTS server receives a PUT request with a 'capacity' attribute set to "0" for all included links, it MUST reject the request with a 4.00 (Bad Request) Response Code. Instead, the DOTS client can use a DELETE request to delete all links (Section 7.2.3).¶
7.2.2. Retrieving Installed DOTS Client Domain Pipe Capacity
A GET request with a 'tsid' Uri-Path parameter is used to retrieve the specific information related to an installed DOTS client domain pipe. The same procedure as that defined in Section 7.1.3 is followed.¶
To retrieve all pipe information bound to a DOTS client, the DOTS client proceeds as specified in Section 7.1.1.¶
7.2.3. Deleting Installed DOTS Client Domain Pipe Capacity
A DELETE request is used to delete the specific information related to an installed DOTS client domain pipe. The same procedure as that defined in Section 7.1.4 is followed.¶
7.3. Telemetry Baseline
A DOTS client can communicate to its DOTS server(s) its normal traffic baseline and connection capacity:¶
- Total traffic normal baseline:
-
Total traffic normal baseline data provides the percentile values representing the total traffic normal baseline. It can be represented for a target using 'total
-traffic -normal' .¶ The traffic normal per-protocol
('total -traffic -normal -per -protocol' ) baseline is represented for a target and is transport -protocol specific.¶ The traffic normal per-port-number
('total -traffic -normal -per -port' ) baseline is represented for each port number bound to a target.¶ If the DOTS client negotiated percentile values and units (Section 7.1), these negotiated parameters will be used instead of the default parameters. For each unit class used, the DOTS client MUST auto-scale so that the appropriate unit is used.¶
- Total connection capacity:
-
If the target is susceptible to resource
-consuming DDoS attacks, the following optional attributes for the target per transport protocol are useful for detecting resource -consuming DDoS attacks:¶ The aggregate per transport protocol is captured in 'total
-connection -capacity', while port-specific capabilities are represented using 'total -connection -capacity -per -port' .¶
Note that a target resource is identified using the attributes
'target
The tree structure of the normal traffic baseline is shown in Figure 18.¶
A DOTS client can share one or multiple normal traffic baselines (e.g., aggregate or per-prefix baselines); each is uniquely identified within the DOTS client domain with an identifier ('id'). This identifier can be used to update a baseline entry, delete a specific entry, etc.¶
7.3.1. Conveying DOTS Client Domain Baseline Information
Considerations similar to those specified in Section 7.1.2 are followed, with one exception:¶
Two PUT requests from a DOTS client have overlapping targets if
there is a common IP address, IP prefix, FQDN, URI, or alias name.
Also, two PUT requests from a DOTS client have overlapping targets
from the perspective of the DOTS server if the addresses associated
with the FQDN, URI, or alias are overlapping with each other or with
'target
DOTS clients SHOULD minimize the number of active 'tsid's used for baseline information. In order to avoid maintaining a long list of 'tsid's for baseline information, it is RECOMMENDED that DOTS clients include in any request to update information related to a given target the information regarding other targets (already communicated using a lower 'tsid' value) (assuming that this information fits within one single datagram). This update request will override these existing requests and hence optimize the number of 'tsid' requests per DOTS client.¶
If no target attribute is included in the request, this is an indication that the baseline information applies for the DOTS client domain as a whole.¶
An example of a PUT request to convey the baseline information is shown in Figure 19.¶
The DOTS client may share protocol
The normal traffic baseline information should be updated to reflect legitimate overloads (e.g., flash crowds) to prevent unnecessary mitigation.¶
7.3.2. Retrieving Installed Normal Traffic Baseline Information
A GET request with a 'tsid' Uri-Path parameter is used to retrieve a specific installed DOTS client domain's baseline traffic information. The same procedure as that defined in Section 7.1.3 is followed.¶
To retrieve all baseline information bound to a DOTS client, the DOTS client proceeds as specified in Section 7.1.1.¶
7.3.3. Deleting Installed Normal Traffic Baseline Information
A DELETE request is used to delete the installed DOTS client domain's normal traffic baseline information. The same procedure as that defined in Section 7.1.4 is followed.¶
7.4. Resetting the Installed Telemetry Setup
Upon bootstrapping (or reboot or any other event that may alter the DOTS client setup), a DOTS client MAY send a DELETE request to set the telemetry parameters to default values. Such a request does not include any 'tsid' parameters. An example of such a request is depicted in Figure 21.¶
7.5. Conflict with Other DOTS Clients of the Same Domain
A DOTS server may detect conflicts between requests conveying pipe
and baseline information received from DOTS clients of the same DOTS
client domain. 'conflict
- 1:
- Overlapping targets (Section 4.4.1 of [RFC9132]).¶
- 5:
- Overlapping pipe scope (see Section 13).¶
8. DOTS Pre-or-Ongoing-Mitigation Telemetry
There are two broad types of DDoS attacks: bandwidth
The "ietf
The pre
Pre
DOTS agents SHOULD bind pre
Much of the pre
DOTS agents MUST NOT send pre
DOTS pre
8.1. Pre-or-Ongoing-Mitigation DOTS Telemetry Attributes
Section 3 discusses the motivation for using the DOTS telemetry attributes. These attributes are specified in the following subsections.¶
8.1.1. Target
A target resource (Figure 25) is identified
using the attributes 'target
At least one of the attributes 'target
If the target is susceptible to bandwidth
If the target is susceptible to resource
At least the 'target' attribute and one other
pre
8.1.2. Total Traffic
The 'total-traffic' attribute (Figure 26)
conveys the percentile values (including peak and current observed
values) of the total observed traffic. More fine-grained information
about the total traffic can be conveyed in the
'total
The 'total
The 'total
8.1.3. Total Attack Traffic
The 'total
The 'total
The 'total
8.1.4. Total Attack Connections
If the target is susceptible to resource
The total attack connections per port number are represented
using the 'total
8.1.5. Attack Details
This attribute (depicted in Figure 29) is used to signal a set of details characterizing an attack. The following sub-attributes describing the ongoing attack can be signaled as attack details:¶
- vendor-id:
- Vendor ID. This parameter represents a security vendor's
enterprise number as registered in the IANA "Private
Enterprise Numbers" registry [Private
-Enterprise ].¶-Numbers - attack-id:
- Unique identifier assigned for the
attack by a vendor. This parameter MUST be present, independently
of whether 'attack
-description' is included or not.¶ - description
-lang : - Indicates the language tag that
is used for the text that is included in the
'attack
-description' attribute. This attribute is encoded following the rules in Section 2.1 of [RFC5646]. The default language tag is "en-US".¶ - attack
-description : - Textual representation of the attack description. This description is related to the class of attack rather than a specific instance of it. Natural Language Processing techniques (e.g., word embedding) might provide some utility in mapping the attack description to an attack type. Textual representation of an attack solves two problems: it avoids the need to (a) create mapping tables manually between vendors and (b) standardize attack types that keep evolving.¶
- attack-severity:
- Attack severity level. This attribute takes one of the values defined in Section 3.12.2 of [RFC7970].¶
- start-time:
- The time the attack started. The
attack's start time is expressed in seconds relative to
1970
-01 -01T00 :00Z (Section 3.4.2 of [RFC8949]). The CBOR encoding is modified so that the leading tag 1 (epoch-based date/time) MUST be omitted.¶ - end-time:
- The time the attack ended. The attack's
end time is expressed in seconds relative to 1970
-01 -01T00 :00Z (Section 3.4.2 of [RFC8949]). The CBOR encoding is modified so that the leading tag 1 (epoch-based date/time) MUST be omitted.¶ - source-count:
- A count of sources involved in the attack targeting the victim.¶
- top-talker:
-
A list of attack sources that are involved in an attack and that are generating an important part of the attack traffic. The top talkers are represented using 'source
-prefix' .¶ 'spoofed-status' indicates whether a top talker is a spoofed IP address (e.g., reflection attacks) or not. If no 'spoofed
-status' data node is included, this means that the spoofing status is unknown.¶ If the target is being subjected to a bandwidth
-consuming attack, a statistical profile of the attack traffic from each of the top talkers is included ('total -attack -traffic'; see Section 8.1.3).¶ If the target is being subjected to a resource
-consuming DDoS attack, the same attributes as those defined in Section 8.1.4 are applicable for characterizing the attack on a per-talker basis.¶
In order to optimize the size of telemetry data conveyed over the DOTS signal channel, DOTS agents MAY use the DOTS data channel [RFC8783] to exchange vendor-specific attack mapping details (that is, {vendor identifier, attack identifier} ==> textual representation of the attack description). As such, DOTS agents do not have to convey an attack description systematically in their telemetry messages over the DOTS signal channel. Refer to Section 8.1.6.¶
8.1.6. Vendor Attack Mapping
Multiple mappings for different vendor identifiers may be used; the DOTS agent transmitting telemetry information can elect to use one or more vendor mappings even in the same telemetry message.¶
DOTS clients and servers may be provided with mappings from different vendors and so have their own different sets of vendor attack mappings. A DOTS agent MUST accept receipt of telemetry data with a vendor identifier that is different than the identifier it uses to transmit telemetry data. Furthermore, it is possible that the DOTS client and DOTS server are provided by the same vendor but the vendor mapping tables are at different revisions. The DOTS client SHOULD transmit telemetry information using any vendor mapping(s) that it provided to the DOTS server (e.g., using a POST as depicted in Figure 30), and the DOTS server SHOULD use any vendor mappings(s) provided to the DOTS client when transmitting telemetry data to the peer DOTS agent.¶
The "ietf
A DOTS client sends a GET request over the DOTS data channel to
retrieve the capabilities supported by a DOTS server as per Section 7.1 of [RFC8783]. This request is meant to
assess whether the capability of sharing vendor attack mapping
details is supported by the server (i.e., check the value of
'vendor
If 'vendor
A DOTS client can retrieve only the list of vendors supported by the DOTS server. It does so by setting the "depth" parameter (Section 4.8.2 of [RFC8040]) to "3" in the GET request as shown in Figure 33. An example of a response body received from the DOTS server as a response to such a request is illustrated in Figure 34.¶
The DOTS client repeats the above procedure regularly (e.g., once a week) to update the DOTS server's vendor attack mapping details.¶
If the DOTS client concludes that the DOTS server does not have any reference to the specific vendor attack mapping details, the DOTS client uses a POST request to install its vendor attack mapping details. An example of such a POST request is depicted in Figure 30.¶
The DOTS server indicates the result of processing the POST
request using the status-line. A "201 Created" status-line MUST be
returned in the response if the DOTS server has accepted the vendor
attack mapping details. If the request is missing a mandatory
attribute or contains an invalid or unknown parameter, a "400 Bad
Request" status-line MUST be returned by the DOTS server in the
response. The error-tag is set to "missing
If the request is received via a server-domain DOTS gateway but
the DOTS server does not maintain a 'cdid' for this 'cuid' while a
'cdid' is expected to be supplied, the DOTS server MUST reply with a
"403 Forbidden" status-line and the error-tag "access
The DOTS client uses the PUT request to modify its vendor attack mapping details maintained by the DOTS server (e.g., add a new mapping entry, update an existing mapping).¶
A DOTS client uses a GET request to retrieve its vendor attack mapping details as maintained by the DOTS server (Figure 35).¶
When conveying attack details in DOTS telemetry messages
(Sections 8.2, 8.3, and 9), DOTS agents MUST NOT
include the 'attack
8.2. From DOTS Clients to DOTS Servers
DOTS clients use PUT requests to signal pre
'cuid' is a mandatory Uri-Path parameter for DOTS PUT requests.¶
The following additional Uri-Path parameter is defined:¶
- tmid:
-
The Telemetry Identifier is an identifier for the DOTS pre
-or -ongoing -mitigation telemetry data represented as an integer. This identifier MUST be generated by DOTS clients. 'tmid' values MUST increase monotonically whenever a DOTS client needs to convey a new set of pre -or -ongoing -mitigation telemetry data.¶ The procedure specified in Section 4.4.1 of [RFC9132] for 'mid' rollover MUST be followed for 'tmid' rollover.¶
This is a mandatory attribute. 'tmid' MUST appear after 'cuid' in the Uri-Path options.¶
'cuid' and 'tmid' MUST NOT appear in the PUT request message body.¶
At least the 'target' attribute and another
pre
The relative order of two PUT requests carrying DOTS
pre
The DOTS server indicates the result of processing a PUT request
using CoAP Response Codes. In particular, the 2.04 (Changed) Response
Code is returned if the DOTS server has accepted the
pre
How long a DOTS server maintains a 'tmid' as active or logs the enclosed telemetry information is implementation specific. Note that if a 'tmid' is still active, then logging details are updated by the DOTS server as a function of the updates received from the peer DOTS client.¶
A DOTS client that lost the state of its active 'tmid's or has to set 'tmid' back to zero (e.g., crash or restart) MUST send a GET request to the DOTS server to retrieve the list of active 'tmid' values. The DOTS client may then delete 'tmid's that should not be active anymore (Figure 37). Sending a DELETE with no 'tmid' indicates that all 'tmid's must be deactivated (Figure 38).¶
8.3. From DOTS Servers to DOTS Clients
The pre
The DOTS client can use the attack details to decide whether to trigger a DOTS mitigation request or not. Furthermore, the security operations personnel at the DOTS client domain can use the attack details to determine the protection strategy and select the appropriate DOTS server for mitigating the attack.¶
In order to receive pre
The relative order of two PUT requests carrying DOTS
pre
DOTS clients of the same domain can ask to receive
pre
Once the PUT request to instantiate request state on the server has
succeeded, the DOTS client issues a GET request to receive ongoing
telemetry updates. The client uses the Observe Option, set to "0"
(register), in the GET request to receive asynchronous notifications
carrying pre
The DOTS client can use a filter to request a subset of the
asynchronous notifications from the DOTS server by indicating one or
more Uri-Query options in its GET request. A Uri-Query option can
include the following parameters to restrict the notifications based
on the attack target: 'target
DOTS clients may also filter out the asynchronous notifications
from the DOTS server by indicating information about a specific attack
source. To that aim, a DOTS client may include 'source
Requests with invalid query types (e.g., not supported, malformed) received by the DOTS server MUST be rejected with a 4.00 (Bad Request) Response Code.¶
An example of a request to subscribe to asynchronous telemetry notifications regarding UDP traffic is shown in Figure 42. This filter will be applied for all 'tmid's.¶
The DOTS server will send asynchronous notifications to the DOTS
client when an attack event is detected, following considerations similar
to those discussed in Section 4.4.2.1 of [RFC9132]. An example of a pre
A DOTS server sends the aggregate data for a target using the
'total
A DOTS server may aggregate pre
The DOTS client may log pre
A DOTS client that is not interested in receiving
pre
9. DOTS Telemetry Mitigation Status Update
9.1. From DOTS Clients to DOTS Servers: Mitigation Efficacy DOTS Telemetry Attributes
The mitigation efficacy telemetry attributes can be signaled from DOTS clients to DOTS servers as part of the periodic mitigation efficacy updates to the server (Section 4.4.3 of [RFC9132]).¶
- Total attack traffic:
- The overall attack traffic as observed from the DOTS client's perspective during an active mitigation. See Figure 27.¶
- Attack details:
- The overall attack details as observed from the DOTS client's perspective during an active mitigation. See Section 8.1.5.¶
The "ietf
In order to signal telemetry data in a mitigation efficacy update, it is RECOMMENDED that the DOTS client have already established a DOTS telemetry setup session with the server in 'idle' time. Such a session is primarily meant to assess whether the peer DOTS server supports telemetry extensions and to thus prevent message processing failure (Section 3.1 of [RFC9132]).¶
An example of an efficacy update with telemetry attributes is depicted in Figure 45.¶
9.2. From DOTS Servers to DOTS Clients: Mitigation Status DOTS Telemetry Attributes
The mitigation status telemetry attributes can be signaled from the DOTS server to the DOTS client as part of the periodic mitigation status update (Section 4.4.2 of [RFC9132]). In particular, DOTS clients can receive asynchronous notifications of the attack details from DOTS servers using the Observe Option defined in [RFC7641].¶
In order to make use of this feature, DOTS clients MUST establish a
telemetry session with the DOTS server in 'idle' time and MUST set the
'server
DOTS servers MUST NOT include telemetry attributes in mitigation
status updates sent to DOTS clients for telemetry sessions in which
the 'server
As defined in [RFC8612], the actual mitigation
activities can include several countermeasure mechanisms. The DOTS
server signals the current operational status of relevant
countermeasures
The "ietf
Figure 47 shows an example of an asynchronous notification of attack mitigation status from the DOTS server. This notification signals both the mid-percentile value of processed attack traffic and the peak count of unique sources involved in the attack.¶
DOTS clients can filter out the asynchronous notifications from the
DOTS server by indicating one or more Uri-Query options in its GET
request. A Uri-Query option can include the following parameters:
'target
An example of a request to subscribe to asynchronous notifications bound to the "https1" alias is shown in Figure 48.¶
If the target query does not match the target of the enclosed 'mid' as maintained by the DOTS server, the latter MUST respond with a 4.04 (Not Found) error Response Code. The DOTS server MUST NOT add a new Observe entry if this query overlaps with an existing Observe entry. In such a case, the DOTS server replies with a 4.09 (Conflict) Response Code.¶
10. Error Handling
A list of common CoAP errors that are implemented by DOTS servers is provided in Section 9 of [RFC9132]. The following additional error cases apply for the telemetry extension:¶
As indicated in Section 9 of [RFC9132], an additional plaintext diagnostic payload (Section 5.5.2 of [RFC7252]) to help with troubleshooting is returned in the body of the response.¶
11. YANG Modules
12. YANG/JSON Mapping Parameters to CBOR
All DOTS telemetry parameters in the payload of the DOTS signal channel MUST be mapped to CBOR types as shown in Table 3:¶
13. IANA Considerations
13.1. DOTS Signal Channel CBOR Key Values
This specification registers the following comprehension
13.2. DOTS Signal Channel Conflict Cause Codes
Per this document, IANA has assigned a new code from the "DOTS Signal Channel Conflict Cause Codes" registry [Cause].¶
13.3. DOTS Telemetry URIs and YANG Module Registrations
Per this document, IANA has registered the following URIs in the "ns" subregistry within the "IETF XML Registry" [RFC3688]:¶
- URI:
- urn
:ietf :params :xml :ns :yang :ietf -dots -telemetry¶ - Registrant Contact:
- The IESG.¶
- XML:
- N/A; the requested URI is an XML namespace.¶
- URI:
- urn
:ietf :params :xml :ns :yang :ietf -dots -mapping¶ - Registrant Contact:
- The IESG.¶
- XML:
- N/A; the requested URI is an XML namespace.¶
Per this document, IANA has registered the following YANG modules in the "YANG Module Names" subregistry [RFC6020] within the "YANG Parameters" registry.¶
14. Security Considerations
14.1. DOTS Signal Channel Telemetry
The security considerations for the DOTS signal channel protocol are discussed in Section 11 of [RFC9132]. The following discusses the security considerations that are specific to the DOTS signal channel extension defined in this document.¶
The DOTS telemetry information includes DOTS client network topology, DOTS client domain pipe capacity, normal traffic baseline and connection capacity, and threat and mitigation information. Such information is sensitive; it MUST be protected at rest by the DOTS server domain to prevent data leakage. Note that sharing this sensitive data with a trusted DOTS server does not introduce any new significant considerations other than the need for the aforementioned protection. Such a DOTS server is already trusted to have access to that kind of information by being in the position to observe and mitigate attacks.¶
DOTS clients are typically considered to be trusted devices by the DOTS client domain. DOTS clients may be co-located on network security services (e.g., firewall devices), and a compromised security service potentially can do a lot more damage to the network than just the DOTS client component. This assumption differs from the often-held view (often referred to as the "zero-trust model") that devices are untrusted. A compromised DOTS client can send fake DOTS telemetry data to a DOTS server to mislead the DOTS server. This attack can be prevented by monitoring and auditing DOTS clients to detect misbehavior and to deter misuse, and by only authorizing the DOTS client to convey DOTS telemetry information for specific target resources (e.g., an application server is authorized to exchange DOTS telemetry for its IP addresses but a DDoS mitigator can exchange DOTS telemetry for any target resource in the network). As a reminder, this is a variation of dealing with compromised DOTS clients as discussed in Section 11 of [RFC9132].¶
DOTS servers must be capable of defending themselves against DoS
attacks from compromised DOTS clients. The following non
Note also that the telemetry notification interval may be used to
rate-limit the pre
14.2. Vendor Attack Mapping
The security considerations for the DOTS data channel protocol are discussed in Section 10 of [RFC8783]. The following discusses the security considerations that are specific to the DOTS data channel extension defined in this document.¶
All data nodes defined in the YANG module specified in Section 11.2 that can be created, modified, and deleted (i.e., config true, which is the default) are considered sensitive. Write operations to these data nodes without proper protection can have a negative effect on network operations. Appropriate security measures are recommended to prevent illegitimate users from invoking DOTS data channel primitives as discussed in [RFC8783]. Nevertheless, an attacker who can access a DOTS client is technically capable of undertaking various attacks, such as:¶
Some of the readable data nodes in the YANG module specified in Section 11.2 may be considered sensitive. It is thus important to control read access to these data nodes. These are the data nodes and their sensitivity:¶
15. References
15.1. Normative References
- [Private
-Enterprise -Numbers] -
IANA, "Private Enterprise Numbers", <https://
www >..iana .org /assignments /enterprise -numbers / - [RFC2119]
-
Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, DOI 10
.17487 , , <https:///RFC2119 www >..rfc -editor .org /info /rfc2119 - [RFC3688]
-
Mealling, M., "The IETF XML Registry", BCP 81, RFC 3688, DOI 10
.17487 , , <https:///RFC3688 www >..rfc -editor .org /info /rfc3688 - [RFC5646]
-
Phillips, A., Ed. and M. Davis, Ed., "Tags for Identifying Languages", BCP 47, RFC 5646, DOI 10
.17487 , , <https:///RFC5646 www >..rfc -editor .org /info /rfc5646 - [RFC6020]
-
Bjorklund, M., Ed., "YANG - A Data Modeling Language for the Network Configuration Protocol (NETCONF)", RFC 6020, DOI 10
.17487 , , <https:///RFC6020 www >..rfc -editor .org /info /rfc6020 - [RFC6991]
-
Schoenwaelder, J., Ed., "Common YANG Data Types", RFC 6991, DOI 10
.17487 , , <https:///RFC6991 www >..rfc -editor .org /info /rfc6991 - [RFC7252]
-
Shelby, Z., Hartke, K., and C. Bormann, "The Constrained Application Protocol (CoAP)", RFC 7252, DOI 10
.17487 , , <https:///RFC7252 www >..rfc -editor .org /info /rfc7252 - [RFC7641]
-
Hartke, K., "Observing Resources in the Constrained Application Protocol (CoAP)", RFC 7641, DOI 10
.17487 , , <https:///RFC7641 www >..rfc -editor .org /info /rfc7641 - [RFC7950]
-
Bjorklund, M., Ed., "The YANG 1.1 Data Modeling Language", RFC 7950, DOI 10
.17487 , , <https:///RFC7950 www >..rfc -editor .org /info /rfc7950 - [RFC7959]
-
Bormann, C. and Z. Shelby, Ed., "Block-Wise Transfers in the Constrained Application Protocol (CoAP)", RFC 7959, DOI 10
.17487 , , <https:///RFC7959 www >..rfc -editor .org /info /rfc7959 - [RFC7970]
-
Danyliw, R., "The Incident Object Description Exchange Format Version 2", RFC 7970, DOI 10
.17487 , , <https:///RFC7970 www >..rfc -editor .org /info /rfc7970 - [RFC8040]
-
Bierman, A., Bjorklund, M., and K. Watsen, "RESTCONF Protocol", RFC 8040, DOI 10
.17487 , , <https:///RFC8040 www >..rfc -editor .org /info /rfc8040 - [RFC8174]
-
Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC 2119 Key Words", BCP 14, RFC 8174, DOI 10
.17487 , , <https:///RFC8174 www >..rfc -editor .org /info /rfc8174 - [RFC8345]
-
Clemm, A., Medved, J., Varga, R., Bahadur, N., Ananthakrishnan, H., and X. Liu, "A YANG Data Model for Network Topologies", RFC 8345, DOI 10
.17487 , , <https:///RFC8345 www >..rfc -editor .org /info /rfc8345 - [RFC8783]
-
Boucadair, M., Ed. and T. Reddy.K, Ed., "Distributed Denial
-of , RFC 8783, DOI 10-Service Open Threat Signaling (DOTS) Data Channel Specification" .17487 , , <https:///RFC8783 www >..rfc -editor .org /info /rfc8783 - [RFC8791]
-
Bierman, A., Björklund, M., and K. Watsen, "YANG Data Structure Extensions", RFC 8791, DOI 10
.17487 , , <https:///RFC8791 www >..rfc -editor .org /info /rfc8791 - [RFC8949]
-
Bormann, C. and P. Hoffman, "Concise Binary Object Representation (CBOR)", STD 94, RFC 8949, DOI 10
.17487 , , <https:///RFC8949 www >..rfc -editor .org /info /rfc8949 - [RFC9132]
-
Boucadair, M., Ed., Shallow, J., and T. Reddy.K, "Distributed Denial
-of , RFC 9132, DOI 10-Service Open Threat Signaling (DOTS) Signal Channel Specification" .17487 , , <https:///RFC9132 www >..rfc -editor .org /info /rfc9132
15.2. Informative References
- [Cause]
-
IANA, "DOTS Signal Channel Conflict Cause Codes", <https://
www >..iana .org /assignments /dots / - [DOTS
-Multihoming] -
Boucadair, M., Reddy.K, T., and W. Pan, "Multi-homing Deployment Considerations for Distributed
-Denial , Work in Progress, Internet-Draft, draft-of -Service Open Threat Signaling (DOTS)" -ietf , , <https://-dots -multihoming -13 datatracker >..ietf .org /doc /html /draft -ietf -dots -multihoming -13 - [DOTS
-Robust -Blocks] -
Boucadair, M. and J. Shallow, "Distributed Denial
-of , Work in Progress, Internet-Draft, draft-Service Open Threat Signaling (DOTS) Signal Channel Configuration Attributes for Robust Block Transmission" -ietf , , <https://-dots -robust -blocks -03 datatracker >..ietf .org /doc /html /draft -ietf -dots -robust -blocks -03 - [DOTS
-Telemetry -Specs] -
Doron, E., Reddy, T., Andreasen, F., Xia, L., and K. Nishizuka, "Distributed Denial
-of , Work in Progress, Internet-Draft, draft-Service Open Threat Signaling (DOTS) Telemetry Specifications" -doron , , <https://-dots -telemetry -00 datatracker >..ietf .org /doc /html /draft -doron -dots -telemetry -00 - [Key-Map]
-
IANA, "DOTS Signal Channel CBOR Key Values", <https://
www >..iana .org /assignments /dots / - [PYANG]
-
"pyang", commit dad5c68, , <https://
github >..com /mbj4668 /pyang - [RFC2330]
-
Paxson, V., Almes, G., Mahdavi, J., and M. Mathis, "Framework for IP Performance Metrics", RFC 2330, DOI 10
.17487 , , <https:///RFC2330 www >..rfc -editor .org /info /rfc2330 - [RFC4732]
-
Handley, M., Ed., Rescorla, E., Ed., and IAB, "Internet Denial
-of , RFC 4732, DOI 10-Service Considerations" .17487 , , <https:///RFC4732 www >..rfc -editor .org /info /rfc4732 - [RFC5612]
-
Eronen, P. and D. Harrington, "Enterprise Number for Documentation Use", RFC 5612, DOI 10
.17487 , , <https:///RFC5612 www >..rfc -editor .org /info /rfc5612 - [RFC8340]
-
Bjorklund, M. and L. Berger, Ed., "YANG Tree Diagrams", BCP 215, RFC 8340, DOI 10
.17487 , , <https:///RFC8340 www >..rfc -editor .org /info /rfc8340 - [RFC8525]
-
Bierman, A., Bjorklund, M., Schoenwaelder, J., Watsen, K., and R. Wilton, "YANG Library", RFC 8525, DOI 10
.17487 , , <https:///RFC8525 www >..rfc -editor .org /info /rfc8525 - [RFC8612]
-
Mortensen, A., Reddy, T., and R. Moskowitz, "DDoS Open Threat Signaling (DOTS) Requirements", RFC 8612, DOI 10
.17487 , , <https:///RFC8612 www >..rfc -editor .org /info /rfc8612 - [RFC8811]
-
Mortensen, A., Ed., Reddy.K, T., Ed., Andreasen, F., Teague, N., and R. Compton, "DDoS Open Threat Signaling (DOTS) Architecture", RFC 8811, DOI 10
.17487 , , <https:///RFC8811 www >..rfc -editor .org /info /rfc8811 - [RFC8903]
-
Dobbins, R., Migault, D., Moskowitz, R., Teague, N., Xia, L., and K. Nishizuka, "Use Cases for DDoS Open Threat Signaling", RFC 8903, DOI 10
.17487 , , <https:///RFC8903 www >..rfc -editor .org /info /rfc8903 - [RFC9133]
-
Nishizuka, K., Boucadair, M., Reddy.K, T., and T. Nagata, "Controlling Filtering Rules Using Distributed Denial
-of , RFC 9133, DOI 10-Service Open Threat Signaling (DOTS) Signal Channel" .17487 , , <https:///RFC9133 www >..rfc -editor .org /info /rfc9133 - [RFC9177]
-
Boucadair, M. and J. Shallow, "Constrained Application Protocol (CoAP) Block-Wise Transfer Options Supporting Robust Transmission", RFC 9177, DOI 10
.17487 , , <https:///RFC9177 www >..rfc -editor .org /info /rfc9177 - [RFC9260]
-
Stewart, R., Tüxen, M., and K. Nielsen, "Stream Control Transmission Protocol", RFC 9260, DOI 10
.17487 , , <https:///RFC9260 www >..rfc -editor .org /info /rfc9260
Acknowledgments
The authors would like to thank Flemming Andreasen, Liang Xia, and
Kaname Nishizuka, coauthors of [DOTS
Thanks to Kaname Nishizuka, Yuhei Hayashi, and Tom Petch for comments and review.¶
Special thanks to Jon Shallow and Kaname Nishizuka for their
implementation and interoperabilit
Many thanks to Jan Lindblad for the yangdoctors review, Nagendra Nainar for the opsdir review, James Gruessing for the artart review, Michael Scharf for the tsv-art review, Ted Lemon for the int-dir review, and Robert Sparks for the gen-art review.¶
Thanks to Benjamin Kaduk for the detailed AD review.¶
Thanks to Roman Danyliw, Éric Vyncke, Francesca Palombini, Warren Kumari, Erik Kline, Lars Eggert, and Robert Wilton for the IESG review.¶
Contributors
The following individuals have contributed to this document:¶