| draft-ietf-dots-requirements-02.txt | draft-ietf-dots-requirements-03.txt | |||
|---|---|---|---|---|
| DOTS A. Mortensen | DOTS A. Mortensen | |||
| Internet-Draft Arbor Networks, Inc. | Internet-Draft Arbor Networks, Inc. | |||
| Intended status: Informational R. Moskowitz | Intended status: Informational R. Moskowitz | |||
| Expires: January 9, 2017 HTT Consulting | Expires: May 3, 2017 HTT Consulting | |||
| T. Reddy | T. Reddy | |||
| Cisco Systems, Inc. | Cisco Systems, Inc. | |||
| July 08, 2016 | October 30, 2016 | |||
| Distributed Denial of Service (DDoS) Open Threat Signaling Requirements | Distributed Denial of Service (DDoS) Open Threat Signaling Requirements | |||
| draft-ietf-dots-requirements-02 | draft-ietf-dots-requirements-03 | |||
| Abstract | Abstract | |||
| This document defines the requirements for the Distributed Denial of | This document defines the requirements for the Distributed Denial of | |||
| Service (DDoS) Open Threat Signaling (DOTS) protocols coordinating | Service (DDoS) Open Threat Signaling (DOTS) protocols coordinating | |||
| attack response against DDoS attacks. | attack response against DDoS attacks. | |||
| Status of This Memo | Status of This Memo | |||
| This Internet-Draft is submitted in full conformance with the | This Internet-Draft is submitted in full conformance with the | |||
| skipping to change at page 1, line 35 ¶ | skipping to change at page 1, line 35 ¶ | |||
| Internet-Drafts are working documents of the Internet Engineering | Internet-Drafts are working documents of the Internet Engineering | |||
| Task Force (IETF). Note that other groups may also distribute | Task Force (IETF). Note that other groups may also distribute | |||
| working documents as Internet-Drafts. The list of current Internet- | working documents as Internet-Drafts. The list of current Internet- | |||
| Drafts is at http://datatracker.ietf.org/drafts/current/. | Drafts is at http://datatracker.ietf.org/drafts/current/. | |||
| Internet-Drafts are draft documents valid for a maximum of six months | Internet-Drafts are draft documents valid for a maximum of six months | |||
| and may be updated, replaced, or obsoleted by other documents at any | and may be updated, replaced, or obsoleted by other documents at any | |||
| time. It is inappropriate to use Internet-Drafts as reference | time. It is inappropriate to use Internet-Drafts as reference | |||
| material or to cite them other than as "work in progress." | material or to cite them other than as "work in progress." | |||
| This Internet-Draft will expire on January 9, 2017. | This Internet-Draft will expire on May 3, 2017. | |||
| Copyright Notice | Copyright Notice | |||
| Copyright (c) 2016 IETF Trust and the persons identified as the | Copyright (c) 2016 IETF Trust and the persons identified as the | |||
| document authors. All rights reserved. | document authors. All rights reserved. | |||
| This document is subject to BCP 78 and the IETF Trust's Legal | This document is subject to BCP 78 and the IETF Trust's Legal | |||
| Provisions Relating to IETF Documents | Provisions Relating to IETF Documents | |||
| (http://trustee.ietf.org/license-info) in effect on the date of | (http://trustee.ietf.org/license-info) in effect on the date of | |||
| publication of this document. Please review these documents | publication of this document. Please review these documents | |||
| skipping to change at page 2, line 14 ¶ | skipping to change at page 2, line 14 ¶ | |||
| the Trust Legal Provisions and are provided without warranty as | the Trust Legal Provisions and are provided without warranty as | |||
| described in the Simplified BSD License. | described in the Simplified BSD License. | |||
| Table of Contents | Table of Contents | |||
| 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2 | 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2 | |||
| 1.1. Context and Motivation . . . . . . . . . . . . . . . . . 2 | 1.1. Context and Motivation . . . . . . . . . . . . . . . . . 2 | |||
| 1.2. Terminology . . . . . . . . . . . . . . . . . . . . . . . 3 | 1.2. Terminology . . . . . . . . . . . . . . . . . . . . . . . 3 | |||
| 2. Requirements . . . . . . . . . . . . . . . . . . . . . . . . 5 | 2. Requirements . . . . . . . . . . . . . . . . . . . . . . . . 5 | |||
| 2.1. General Requirements . . . . . . . . . . . . . . . . . . 7 | 2.1. General Requirements . . . . . . . . . . . . . . . . . . 7 | |||
| 2.2. Operational Requirements . . . . . . . . . . . . . . . . 8 | 2.2. Operational Requirements . . . . . . . . . . . . . . . . 7 | |||
| 2.3. Data Channel Requirements . . . . . . . . . . . . . . . . 10 | 2.3. Data Channel Requirements . . . . . . . . . . . . . . . . 10 | |||
| 2.4. Security requirements . . . . . . . . . . . . . . . . . . 11 | 2.4. Security requirements . . . . . . . . . . . . . . . . . . 11 | |||
| 2.5. Data Model Requirements . . . . . . . . . . . . . . . . . 12 | 2.5. Data Model Requirements . . . . . . . . . . . . . . . . . 12 | |||
| 3. Congestion Control Considerations . . . . . . . . . . . . . . 13 | 3. Congestion Control Considerations . . . . . . . . . . . . . . 13 | |||
| 3.1. Signal Channel . . . . . . . . . . . . . . . . . . . . . 13 | 3.1. Signal Channel . . . . . . . . . . . . . . . . . . . . . 13 | |||
| 3.2. Data Channel . . . . . . . . . . . . . . . . . . . . . . 13 | 3.2. Data Channel . . . . . . . . . . . . . . . . . . . . . . 14 | |||
| 4. Security Considerations . . . . . . . . . . . . . . . . . . . 14 | 4. Security Considerations . . . . . . . . . . . . . . . . . . . 14 | |||
| 5. Contributors . . . . . . . . . . . . . . . . . . . . . . . . 14 | 5. Contributors . . . . . . . . . . . . . . . . . . . . . . . . 14 | |||
| 6. Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . 14 | 6. Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . 14 | |||
| 7. Change Log . . . . . . . . . . . . . . . . . . . . . . . . . 14 | 7. Change Log . . . . . . . . . . . . . . . . . . . . . . . . . 14 | |||
| 7.1. 02 revision . . . . . . . . . . . . . . . . . . . . . . . 14 | 7.1. 03 revision . . . . . . . . . . . . . . . . . . . . . . . 14 | |||
| 7.2. 01 revision . . . . . . . . . . . . . . . . . . . . . . . 14 | 7.2. 02 revision . . . . . . . . . . . . . . . . . . . . . . . 15 | |||
| 7.3. 00 revision . . . . . . . . . . . . . . . . . . . . . . . 15 | 7.3. 01 revision . . . . . . . . . . . . . . . . . . . . . . . 15 | |||
| 7.4. Initial revision . . . . . . . . . . . . . . . . . . . . 15 | 7.4. 00 revision . . . . . . . . . . . . . . . . . . . . . . . 16 | |||
| 8. References . . . . . . . . . . . . . . . . . . . . . . . . . 15 | 7.5. Initial revision . . . . . . . . . . . . . . . . . . . . 16 | |||
| 8.1. Normative References . . . . . . . . . . . . . . . . . . 15 | 8. References . . . . . . . . . . . . . . . . . . . . . . . . . 16 | |||
| 8.1. Normative References . . . . . . . . . . . . . . . . . . 16 | ||||
| 8.2. Informative References . . . . . . . . . . . . . . . . . 16 | 8.2. Informative References . . . . . . . . . . . . . . . . . 16 | |||
| Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 17 | Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 17 | |||
| 1. Introduction | 1. Introduction | |||
| 1.1. Context and Motivation | 1.1. Context and Motivation | |||
| Distributed Denial of Service (DDoS) attacks continue to plague | Distributed Denial of Service (DDoS) attacks continue to plague | |||
| networks around the globe, from Tier-1 service providers on down to | networks around the globe, from Tier-1 service providers on down to | |||
| enterprises and small businesses. Attack scale and frequency | enterprises and small businesses. Attack scale and frequency | |||
| skipping to change at page 3, line 48 ¶ | skipping to change at page 3, line 49 ¶ | |||
| DDoS: A distributed denial-of-service attack, in which traffic | DDoS: A distributed denial-of-service attack, in which traffic | |||
| originating from multiple sources are directed at a target on a | originating from multiple sources are directed at a target on a | |||
| network. DDoS attacks are intended to cause a negative impact on | network. DDoS attacks are intended to cause a negative impact on | |||
| the availability of servers, services, applications, and/or other | the availability of servers, services, applications, and/or other | |||
| functionality of an attack target. Denial-of-service | functionality of an attack target. Denial-of-service | |||
| considerations are discussed in detail in [RFC4732]. | considerations are discussed in detail in [RFC4732]. | |||
| DDoS attack target: A network connected entity with a finite set of | DDoS attack target: A network connected entity with a finite set of | |||
| resources, such as network bandwidth, memory or CPU, that is the | resources, such as network bandwidth, memory or CPU, that is the | |||
| focus of a DDoS attack. Potential targets include servers, | focus of a DDoS attack. Potential targets include network | |||
| services and applications. | elements, servers, and services. | |||
| DDoS attack telemetry: Collected behavioral characteristics defining | DDoS attack telemetry: Collected behavioral characteristics defining | |||
| the nature of a DDoS attack. This document makes no assumptions | the nature of a DDoS attack. | |||
| regarding telemetry collection methodology. | ||||
| Countermeasure: An action or set of actions taken to recognize and | Countermeasure: An action or set of actions taken to recognize and | |||
| filter out DDoS attack traffic while passing legitimate traffic to | filter out DDoS attack traffic while passing legitimate traffic to | |||
| the attack target. | the attack target. | |||
| Mitigation: A set of countermeasures enforced against traffic | Mitigation: A set of countermeasures enforced against traffic | |||
| destined for the target or targets of a detected or reported DDoS | destined for the target or targets of a detected or reported DDoS | |||
| attack, where countermeasure enforcement is managed by an entity | attack, where countermeasure enforcement is managed by an entity | |||
| in the network path between attack sources and the attack target. | in the network path between attack sources and the attack target. | |||
| Mitigation methodology is out of scope for this document. | Mitigation methodology is out of scope for this document. | |||
| skipping to change at page 4, line 38 ¶ | skipping to change at page 4, line 37 ¶ | |||
| attack response coordination with other DOTS-aware elements. | attack response coordination with other DOTS-aware elements. | |||
| DOTS server: A DOTS-aware software module handling and responding to | DOTS server: A DOTS-aware software module handling and responding to | |||
| messages from DOTS clients. The DOTS server SHOULD enable | messages from DOTS clients. The DOTS server SHOULD enable | |||
| mitigation on behalf of the DOTS client, if requested, by | mitigation on behalf of the DOTS client, if requested, by | |||
| communicating the DOTS client's request to the mitigator and | communicating the DOTS client's request to the mitigator and | |||
| returning selected mitigator feedback to the requesting DOTS | returning selected mitigator feedback to the requesting DOTS | |||
| client. A DOTS server MAY also be a mitigator. | client. A DOTS server MAY also be a mitigator. | |||
| DOTS agent: Any DOTS-aware software module capable of participating | DOTS agent: Any DOTS-aware software module capable of participating | |||
| in a DOTS siganling session. | in a DOTS signaling session. | |||
| DOTS gateway: A logical DOTS agent resulting from the logical | DOTS gateway: A logical DOTS agent resulting from the logical | |||
| concatenation of a DOTS server and a DOTS client, analogous to a | concatenation of a DOTS server and a DOTS client, analogous to a | |||
| SIP Back-to-Back User Agent (B2BUA) [RFC3261]. DOTS gateways are | SIP Back-to-Back User Agent (B2BUA) [RFC3261]. DOTS gateways are | |||
| discussed in detail in [I-D.ietf-dots-architecture]. | discussed in detail in [I-D.ietf-dots-architecture]. | |||
| Signal channel: A bidirectional, mutually authenticated | Signal channel: A bidirectional, mutually authenticated | |||
| communication channel between DOTS agents characterized by | communication channel between DOTS agents characterized by | |||
| resilience even in conditions leading to severe packet loss, such | resilience even in conditions leading to severe packet loss, such | |||
| as a volumetric DDoS attack causing network congestion. | as a volumetric DDoS attack causing network congestion. | |||
| skipping to change at page 7, line 46 ¶ | skipping to change at page 7, line 44 ¶ | |||
| GEN-005 Bulk Data Exchange: Infrequent bulk data exchange between | GEN-005 Bulk Data Exchange: Infrequent bulk data exchange between | |||
| DOTS agents can also significantly augment attack response | DOTS agents can also significantly augment attack response | |||
| coordination, permitting such tasks as population of black- or | coordination, permitting such tasks as population of black- or | |||
| white-listed source addresses; address or prefix group aliasing; | white-listed source addresses; address or prefix group aliasing; | |||
| exchange of incident reports; and other hinting or configuration | exchange of incident reports; and other hinting or configuration | |||
| supplementing attack response. | supplementing attack response. | |||
| As the resilience requirements for the DOTS signal channel mandate | As the resilience requirements for the DOTS signal channel mandate | |||
| small signal message size, a separate, secure data channel | small signal message size, a separate, secure data channel | |||
| utilizing an established reliable transport protocol MUST be used | utilizing a reliable transport protocol MUST be used for bulk data | |||
| for bulk data exchange. | exchange. | |||
| 2.2. Operational Requirements | 2.2. Operational Requirements | |||
| OP-001 Use of Common Transport Protocols: DOTS MUST operate over | OP-001 Use of Common Transport Protocols: DOTS MUST operate over | |||
| common widely deployed and standardized transport protocols. | common widely deployed and standardized transport protocols. | |||
| While the User Datagram Protocol (UDP) [RFC0768] SHOULD be used | While the User Datagram Protocol (UDP) [RFC0768] SHOULD be used | |||
| for the signal channel, the Transmission Control Protocol (TCP) | for the signal channel, the Transmission Control Protocol (TCP) | |||
| [RFC0793] MAY be used if necessary due to network policy or | [RFC0793] MAY be used if necessary due to network policy or | |||
| middlebox capabilities or configurations. The data channel MUST | middlebox capabilities or configurations. The data channel MUST | |||
| use TCP; see Section 2.3 below. | use a reliable transport; see Section 2.3 below. | |||
| OP-002 Session Health Monitoring: Peer DOTS agents MUST regularly | OP-002 Session Health Monitoring: Peer DOTS agents MUST regularly | |||
| send heartbeats to each other after mutual authentication in order | send heartbeats to each other after mutual authentication in order | |||
| to keep the DOTS session open. A session MUST be considered | to keep the DOTS session active. A session MUST be considered | |||
| active until a DOTS agent explicitly ends the session, or either | active until a DOTS agent explicitly ends the session, or either | |||
| DOTS agent fails to receive heartbeats from the other after a | DOTS agent fails to receive heartbeats from the other after a | |||
| mutually agreed upon timeout period has elapsed. | mutually agreed upon timeout period has elapsed. | |||
| OP-003 Session Redirection: In order to increase DOTS operational | OP-003 Session Redirection: In order to increase DOTS operational | |||
| flexibility and scalability, DOTS servers SHOULD be able to | flexibility and scalability, DOTS servers SHOULD be able to | |||
| redirect DOTS clients to another DOTS server at any time. Due to | redirect DOTS clients to another DOTS server at any time. Due to | |||
| the decreased probability of DOTS server signal delivery due to | the decreased probability of DOTS server signal delivery due to | |||
| link congestion, it is RECOMMENDED DOTS servers avoid redirecting | link congestion, it is RECOMMENDED DOTS servers avoid redirecting | |||
| while mitigation is enabled during an active attack against a | while mitigation is enabled during an active attack against a | |||
| skipping to change at page 10, line 23 ¶ | skipping to change at page 10, line 16 ¶ | |||
| DOTS servers attempting to honor conflicting requests may flap | DOTS servers attempting to honor conflicting requests may flap | |||
| network route or DNS information, degrading the networks | network route or DNS information, degrading the networks | |||
| attempting to participate in attack response with the DOTS | attempting to participate in attack response with the DOTS | |||
| clients. DOTS servers SHALL detect such conflicting requests, and | clients. DOTS servers SHALL detect such conflicting requests, and | |||
| SHALL notify the DOTS clients in conflict. The notification | SHALL notify the DOTS clients in conflict. The notification | |||
| SHOULD indicate the nature and scope of the conflict, for example, | SHOULD indicate the nature and scope of the conflict, for example, | |||
| the overlapping prefix range in a conflicting mitigation request. | the overlapping prefix range in a conflicting mitigation request. | |||
| OP-009: Network Address Translator Traversal: The DOTS protocol MUST | OP-009: Network Address Translator Traversal: The DOTS protocol MUST | |||
| operate over networks in which Network Address Translation (NAT) | operate over networks in which Network Address Translation (NAT) | |||
| is deployed. As UDP is the recommended transport for DOTS, all | is deployed. As UDP is the recommended transport for the DOTS | |||
| considerations in "Middlebox Traversal Guidelines" in [RFC5405] | signal channel, all considerations in "Middlebox Traversal | |||
| apply to DOTS. Regardless of transport, DOTS protocols MUST | Guidelines" in [RFC5405] apply to DOTS. Regardless of transport, | |||
| follow established best common practices (BCPs) for NAT traversal. | DOTS protocols MUST follow established best common practices | |||
| (BCPs) for NAT traversal. | ||||
| 2.3. Data Channel Requirements | 2.3. Data Channel Requirements | |||
| The data channel is intended to be used for bulk data exchanges | The data channel is intended to be used for bulk data exchanges | |||
| between DOTS agents. Unlike the signal channel, which must operate | between DOTS agents. Unlike the signal channel, which must operate | |||
| nominally even when confronted with despite signal degradation due to | nominally even when confronted with signal degradation due to packet | |||
| packet loss, the data channel is not expected to be constructed to | loss, the data channel is not expected to be constructed to deal with | |||
| deal with attack conditions. As the primary function of the data | attack conditions. As the primary function of the data channel is | |||
| channel is data exchange, a reliable transport is required in order | data exchange, a reliable transport is required in order for DOTS | |||
| for DOTS agents to detect data delivery success or failure. | agents to detect data delivery success or failure. | |||
| The data channel must be extensible. We anticipate the data channel | The data channel must be extensible. We anticipate the data channel | |||
| will be used for such purposes as configuration or resource | will be used for such purposes as configuration or resource | |||
| discovery. For example, a DOTS client may submit to the DOTS server | discovery. For example, a DOTS client may submit to the DOTS server | |||
| a collection of prefixes it wants to refer to by alias when | a collection of prefixes it wants to refer to by alias when | |||
| requesting mitigation, to which the server would respond with a | requesting mitigation, to which the server would respond with a | |||
| success status and the new prefix group alias, or an error status and | success status and the new prefix group alias, or an error status and | |||
| message in the event the DOTS client's data channel request failed. | message in the event the DOTS client's data channel request failed. | |||
| The transactional nature of such data exchanges suggests a separate | The transactional nature of such data exchanges suggests a separate | |||
| set of requirements for the data channel, while the potentially | set of requirements for the data channel, while the potentially | |||
| sensitive content sent between DOTS agents requires extra precautions | sensitive content sent between DOTS agents requires extra precautions | |||
| to ensure data privacy and authenticity. | to ensure data privacy and authenticity. | |||
| DATA-001 Reliable transport: Messages sent over the data channel | DATA-001 Reliable transport: Messages sent over the data channel | |||
| MUST be delivered reliably, in send order. | MUST be delivered reliably, in order sent. | |||
| DATA-002 Data privacy and integrity: Transmissions over the data | DATA-002 Data privacy and integrity: Transmissions over the data | |||
| channel is likely to contain operationally or privacy-sensitive | channel are likely to contain operationally or privacy-sensitive | |||
| information or instructions from the remote DOTS agent. Theft or | information or instructions from the remote DOTS agent. Theft or | |||
| modification of data channel transmissions could lead to | modification of data channel transmissions could lead to | |||
| information leaks or malicious transactions on behalf of the | information leaks or malicious transactions on behalf of the | |||
| sending agent (see Section 4 below). Consequently data sent over | sending agent (see Section 4 below). Consequently data sent over | |||
| the data channel MUST be encrypted and authenticated using current | the data channel MUST be encrypted and authenticated using current | |||
| industry best practices. DOTS servers MUST enable means to | industry best practices. DOTS servers MUST enable means to | |||
| prevent leaking operationally or privacy-sensitive data. Although | prevent leaking operationally or privacy-sensitive data. Although | |||
| administrative entities participating in DOTS may detail what data | administrative entities participating in DOTS may detail what data | |||
| may be revealed to third-party DOTS agents, such considerations | may be revealed to third-party DOTS agents, such considerations | |||
| are not in scope for this document. | are not in scope for this document. | |||
| DATA-003 Session configuration: To help meet the general and | DATA-003 Resource Configuration: To help meet the general and | |||
| operational requirements in this document, DOTS servers MUST | operational requirements in this document, DOTS server | |||
| provide methods for DOTS client operators to configure DOTS | implementations MUST provide an interface to configure resource | |||
| session behavior using the data channel. DOTS server | identifiers, as described in OP-007. DOTS server implementations | |||
| implementations MUST have mechanisms to configure the following: | MAY expose additional configurability. Additional configurability | |||
| is implementation-specific. | ||||
| * Acceptable signal lossiness, as described in GEN-002. | ||||
| * Heartbeat intervals, as described in OP-002. | ||||
| * Maximum mitigation lifetime, as described in OP-005. | ||||
| * Resource identifiers, as described in OP-006. | ||||
| DOTS server implementations MAY expose additional configurability. | ||||
| Additional configurability is implementation-specific. | ||||
| DATA-004 Black- and whitelist management: DOTS servers SHOULD | DATA-004 Black- and whitelist management: DOTS servers SHOULD | |||
| provide methods for DOTS clients to manage black- and white-lists | provide methods for DOTS clients to manage black- and white-lists | |||
| of traffic destined for resources belonging to a client. | of traffic destined for resources belonging to a client. | |||
| For example, a DOTS client should be able to create a black- or | For example, a DOTS client should be able to create a black- or | |||
| whitelist entry; retrieve a list of current entries from either | whitelist entry; retrieve a list of current entries from either | |||
| list; update the content of either list; and delete entries as | list; update the content of either list; and delete entries as | |||
| necessary. | necessary. | |||
| skipping to change at page 12, line 24 ¶ | skipping to change at page 12, line 11 ¶ | |||
| server. While specific transport- and message-level security | server. While specific transport- and message-level security | |||
| options are not specified, the protocols MUST follow current | options are not specified, the protocols MUST follow current | |||
| industry best practices for encryption and message authentication. | industry best practices for encryption and message authentication. | |||
| In order for DOTS protocols to remain secure despite advancements | In order for DOTS protocols to remain secure despite advancements | |||
| in cryptanalysis and traffic analysis, DOTS agents MUST be able to | in cryptanalysis and traffic analysis, DOTS agents MUST be able to | |||
| negotiate the terms and mechanisms of protocol security, subject | negotiate the terms and mechanisms of protocol security, subject | |||
| to the interoperability and signal message size requirements | to the interoperability and signal message size requirements | |||
| above. | above. | |||
| While the interfaces between downstream DOTS server and upstream | ||||
| DOTS client within a DOTS gateway are implementation-specific, | ||||
| those interfaces nevertheless MUST provide security equivalent to | ||||
| that of the signaling sessions bridged by gateways in the | ||||
| signaling path. For example, when a DOTS gateway consisting of a | ||||
| DOTS server and DOTS client is running on the same logical device, | ||||
| they must be within the same process security boundary. | ||||
| SEC-003 Message Replay Protection: In order to prevent a passive | SEC-003 Message Replay Protection: In order to prevent a passive | |||
| attacker from capturing and replaying old messages, DOTS protocols | attacker from capturing and replaying old messages, DOTS protocols | |||
| MUST provide a method for replay detection. | MUST provide a method for replay detection. | |||
| 2.5. Data Model Requirements | 2.5. Data Model Requirements | |||
| The value of DOTS is in standardizing a mechanism to permit elements, | The value of DOTS is in standardizing a mechanism to permit elements, | |||
| networks or domains under or under threat of DDoS attack to request | networks or domains under or under threat of DDoS attack to request | |||
| aid mitigating the effects of any such attack. A well-structured | aid mitigating the effects of any such attack. A well-structured | |||
| DOTS data model is therefore critical to the development of a | DOTS data model is therefore critical to the development of a | |||
| skipping to change at page 13, line 24 ¶ | skipping to change at page 13, line 18 ¶ | |||
| above, the data model MUST be capable of flexible representation | above, the data model MUST be capable of flexible representation | |||
| of mitigation scope. | of mitigation scope. | |||
| DM-005: Mitigation Lifetime Representation: The data model MUST | DM-005: Mitigation Lifetime Representation: The data model MUST | |||
| support representation of a mitigation request's lifetime, | support representation of a mitigation request's lifetime, | |||
| including mitigations with no specified end time. | including mitigations with no specified end time. | |||
| DM-006: Mitigation Efficacy Representation: The data model MUST | DM-006: Mitigation Efficacy Representation: The data model MUST | |||
| support representation of a DOTS client's understanding of the | support representation of a DOTS client's understanding of the | |||
| efficacy of a mitigation enabled through a mitigation request. | efficacy of a mitigation enabled through a mitigation request. | |||
| TBD: how do we represent the efficacy? | ||||
| DM-007: Relationship to Transport: The DOTS data model MUST NOT | DM-007: Acceptable Signal Loss Representation: The data model MUST | |||
| be able to represent the DOTS agent's preference for acceptable | ||||
| signal loss when establishing a signaling session, as described in | ||||
| GEN-002. | ||||
| DM-008: Heartbeat Interval Representation: The data model MUST be | ||||
| able to represent the DOTS agent's preferred heartbeat interval, | ||||
| which the client may include when establishing the signal channel, | ||||
| as described in OP-002. | ||||
| DM-009: Relationship to Transport: The DOTS data model MUST NOT | ||||
| depend on the specifics of any transport to represent fields in | depend on the specifics of any transport to represent fields in | |||
| the model. | the model. | |||
| 3. Congestion Control Considerations | 3. Congestion Control Considerations | |||
| 3.1. Signal Channel | 3.1. Signal Channel | |||
| As part of a protocol expected to operate over links affected by DDoS | As part of a protocol expected to operate over links affected by DDoS | |||
| attack traffic, the DOTS signal channel MUST NOT contribute | attack traffic, the DOTS signal channel MUST NOT contribute | |||
| significantly to link congestion. To meet the operational | significantly to link congestion. To meet the operational | |||
| skipping to change at page 14, line 22 ¶ | skipping to change at page 14, line 29 ¶ | |||
| o Signaling blocking | o Signaling blocking | |||
| The DOTS protocol MUST be designed for minimal data transfer to | The DOTS protocol MUST be designed for minimal data transfer to | |||
| address the blocking risk. Impersonation and traffic injection | address the blocking risk. Impersonation and traffic injection | |||
| mitigation can be managed through current secure communications best | mitigation can be managed through current secure communications best | |||
| practices. See Section 2.4 above for a detailed discussion. | practices. See Section 2.4 above for a detailed discussion. | |||
| 5. Contributors | 5. Contributors | |||
| Med Boucadair Flemming Andreasen | Med Boucadair | |||
| Orange | ||||
| mohamed.boucadair@orange.com | ||||
| Flemming Andreasen: | ||||
| Cisco Systems, Inc. | ||||
| fandreas@cisco.com | ||||
| 6. Acknowledgments | 6. Acknowledgments | |||
| Thanks to Roman Danyliw and Matt Richardson for careful reading and | Thanks to Roman Danyliw and Matt Richardson for careful reading and | |||
| feedback. | feedback. | |||
| 7. Change Log | 7. Change Log | |||
| 7.1. 02 revision | 7.1. 03 revision | |||
| 7.2. 01 revision | 2016-10-30 | |||
| o Extended SEC-003 to require secure interfaces within DOTS | ||||
| gateways. | ||||
| o Changed DATA-003 to Resource Configuration, delegating control of | ||||
| acceptable signal loss, heartbeat intervals, and mitigation | ||||
| lifetime to DOTS client. | ||||
| o Added data model requirements reflecting client control over the | ||||
| above. | ||||
| 7.2. 02 revision | ||||
| 7.3. 01 revision | ||||
| 2016-03-21 | 2016-03-21 | |||
| o Reconciled terminology with -00 revision of | o Reconciled terminology with -00 revision of | |||
| [I-D.ietf-dots-use-cases]. | [I-D.ietf-dots-use-cases]. | |||
| o Terminology clarification based on working group feedback. | o Terminology clarification based on working group feedback. | |||
| o Moved security-related requirements to separate section. | o Moved security-related requirements to separate section. | |||
| o Made resilience/robustness primary general requirement to align | o Made resilience/robustness primary general requirement to align | |||
| with charter. | with charter. | |||
| o Clarified support for unidirectional communication within the | o Clarified support for unidirectional communication within the | |||
| bidirection signal channel. | bidirectional signal channel. | |||
| o Added proposed operational requirement to support session | o Added proposed operational requirement to support session | |||
| redirection. | redirection. | |||
| o Added proposed operational requirement to support conflict | o Added proposed operational requirement to support conflict | |||
| notification. | notification. | |||
| o Added proposed operational requirement to support mitigation | o Added proposed operational requirement to support mitigation | |||
| lifetime in mitigation requests. | lifetime in mitigation requests. | |||
| skipping to change at page 15, line 22 ¶ | skipping to change at page 16, line 5 ¶ | |||
| efficacy reporting from DOTS clients. | efficacy reporting from DOTS clients. | |||
| o Added proposed operational requirement to cache lookups of all | o Added proposed operational requirement to cache lookups of all | |||
| kinds. | kinds. | |||
| o Added proposed operational requirement regarding NAT traversal. | o Added proposed operational requirement regarding NAT traversal. | |||
| o Removed redundant mutual authentication requirement from data | o Removed redundant mutual authentication requirement from data | |||
| channel requirements. | channel requirements. | |||
| 7.3. 00 revision | 7.4. 00 revision | |||
| 2015-10-15 | 2015-10-15 | |||
| 7.4. Initial revision | 7.5. Initial revision | |||
| 2015-09-24 Andrew Mortensen | 2015-09-24 Andrew Mortensen | |||
| 8. References | 8. References | |||
| 8.1. Normative References | 8.1. Normative References | |||
| [RFC0768] Postel, J., "User Datagram Protocol", STD 6, RFC 768, | [RFC0768] Postel, J., "User Datagram Protocol", STD 6, RFC 768, | |||
| DOI 10.17487/RFC0768, August 1980, | DOI 10.17487/RFC0768, August 1980, | |||
| <http://www.rfc-editor.org/info/rfc768>. | <http://www.rfc-editor.org/info/rfc768>. | |||
| End of changes. 28 change blocks. | ||||
| 56 lines changed or deleted | 87 lines changed or added | |||
This html diff was produced by rfcdiff 1.45. The latest version is available from http://tools.ietf.org/tools/rfcdiff/ | ||||