forked from boucadair/draft-dots-telemetry
-
Notifications
You must be signed in to change notification settings - Fork 0
/
Copy pathdraft-ietf-dots-telemetry.txt
6048 lines (4588 loc) · 211 KB
/
draft-ietf-dots-telemetry.txt
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
567
568
569
570
571
572
573
574
575
576
577
578
579
580
581
582
583
584
585
586
587
588
589
590
591
592
593
594
595
596
597
598
599
600
601
602
603
604
605
606
607
608
609
610
611
612
613
614
615
616
617
618
619
620
621
622
623
624
625
626
627
628
629
630
631
632
633
634
635
636
637
638
639
640
641
642
643
644
645
646
647
648
649
650
651
652
653
654
655
656
657
658
659
660
661
662
663
664
665
666
667
668
669
670
671
672
673
674
675
676
677
678
679
680
681
682
683
684
685
686
687
688
689
690
691
692
693
694
695
696
697
698
699
700
701
702
703
704
705
706
707
708
709
710
711
712
713
714
715
716
717
718
719
720
721
722
723
724
725
726
727
728
729
730
731
732
733
734
735
736
737
738
739
740
741
742
743
744
745
746
747
748
749
750
751
752
753
754
755
756
757
758
759
760
761
762
763
764
765
766
767
768
769
770
771
772
773
774
775
776
777
778
779
780
781
782
783
784
785
786
787
788
789
790
791
792
793
794
795
796
797
798
799
800
801
802
803
804
805
806
807
808
809
810
811
812
813
814
815
816
817
818
819
820
821
822
823
824
825
826
827
828
829
830
831
832
833
834
835
836
837
838
839
840
841
842
843
844
845
846
847
848
849
850
851
852
853
854
855
856
857
858
859
860
861
862
863
864
865
866
867
868
869
870
871
872
873
874
875
876
877
878
879
880
881
882
883
884
885
886
887
888
889
890
891
892
893
894
895
896
897
898
899
900
901
902
903
904
905
906
907
908
909
910
911
912
913
914
915
916
917
918
919
920
921
922
923
924
925
926
927
928
929
930
931
932
933
934
935
936
937
938
939
940
941
942
943
944
945
946
947
948
949
950
951
952
953
954
955
956
957
958
959
960
961
962
963
964
965
966
967
968
969
970
971
972
973
974
975
976
977
978
979
980
981
982
983
984
985
986
987
988
989
990
991
992
993
994
995
996
997
998
999
1000
DOTS M. Boucadair, Ed.
Internet-Draft Orange
Intended status: Standards Track T. Reddy, Ed.
Expires: May 28, 2021 McAfee
E. Doron
Radware Ltd.
M. Chen
CMCC
J. Shallow
November 24, 2020
Distributed Denial-of-Service Open Threat Signaling (DOTS) Telemetry
draft-ietf-dots-telemetry-13
Abstract
This document aims to enrich DOTS signal channel protocol with
various telemetry attributes allowing optimal Distributed Denial-of-
Service attack mitigation. It specifies the normal traffic baseline
and attack traffic telemetry attributes a DOTS client can convey to
its DOTS server in the mitigation request, the mitigation status
telemetry attributes a DOTS server can communicate to a DOTS client,
and the mitigation efficacy telemetry attributes a DOTS client can
communicate to a DOTS server. The telemetry attributes can assist
the mitigator to choose the DDoS mitigation techniques and perform
optimal DDoS attack mitigation.
Status of This Memo
This Internet-Draft is submitted in full conformance with the
provisions of BCP 78 and BCP 79.
Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet-
Drafts is at https://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress."
This Internet-Draft will expire on May 28, 2021.
Boucadair, et al. Expires May 28, 2021 [Page 1]
Internet-Draft DOTS Telemetry November 2020
Copyright Notice
Copyright (c) 2020 IETF Trust and the persons identified as the
document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents
(https://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents
carefully, as they describe your rights and restrictions with respect
to this document. Code Components extracted from this document must
include Simplified BSD License text as described in Section 4.e of
the Trust Legal Provisions and are provided without warranty as
described in the Simplified BSD License.
Table of Contents
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 3
2. Terminology . . . . . . . . . . . . . . . . . . . . . . . . . 5
3. DOTS Telemetry: Overview and Purpose . . . . . . . . . . . . 6
3.1. Need More Visibility . . . . . . . . . . . . . . . . . . 6
3.2. Enhanced Detection . . . . . . . . . . . . . . . . . . . 7
3.3. Efficient Mitigation . . . . . . . . . . . . . . . . . . 9
4. Design Overview . . . . . . . . . . . . . . . . . . . . . . . 9
4.1. Overview of Telemetry Operations . . . . . . . . . . . . 9
4.2. Generic Considerations . . . . . . . . . . . . . . . . . 10
4.2.1. DOTS Client Identification . . . . . . . . . . . . . 10
4.2.2. DOTS Gateways . . . . . . . . . . . . . . . . . . . . 10
4.2.3. Empty URI Paths . . . . . . . . . . . . . . . . . . . 10
4.2.4. Controlling Configuration Data . . . . . . . . . . . 10
4.3. Block-wise Transfer . . . . . . . . . . . . . . . . . . . 11
4.4. DOTS Multi-homing Considerations . . . . . . . . . . . . 11
4.5. YANG Considerations . . . . . . . . . . . . . . . . . . . 11
4.6. A Note About Examples . . . . . . . . . . . . . . . . . . 12
5. Telemetry Operation Paths . . . . . . . . . . . . . . . . . . 12
6. DOTS Telemetry Setup Configuration . . . . . . . . . . . . . 13
6.1. Telemetry Configuration . . . . . . . . . . . . . . . . . 14
6.1.1. Retrieve Current DOTS Telemetry Configuration . . . . 14
6.1.2. Convey DOTS Telemetry Configuration . . . . . . . . . 16
6.1.3. Retrieve Installed DOTS Telemetry Configuration . . . 19
6.1.4. Delete DOTS Telemetry Configuration . . . . . . . . . 20
6.2. Total Pipe Capacity . . . . . . . . . . . . . . . . . . . 20
6.2.1. Convey DOTS Client Domain Pipe Capacity . . . . . . . 21
6.2.2. Retrieve Installed DOTS Client Domain Pipe Capacity . 27
6.2.3. Delete Installed DOTS Client Domain Pipe Capacity . . 27
6.3. Telemetry Baseline . . . . . . . . . . . . . . . . . . . 27
6.3.1. Convey DOTS Client Domain Baseline Information . . . 30
6.3.2. Retrieve Installed Normal Traffic Baseline . . . . . 33
Boucadair, et al. Expires May 28, 2021 [Page 2]
Internet-Draft DOTS Telemetry November 2020
6.3.3. Delete Installed Normal Traffic Baseline . . . . . . 33
6.4. Reset Installed Telemetry Setup . . . . . . . . . . . . . 33
6.5. Conflict with Other DOTS Clients of the Same Domain . . . 33
7. DOTS Pre-or-Ongoing Mitigation Telemetry . . . . . . . . . . 34
7.1. Pre-or-Ongoing-Mitigation DOTS Telemetry Attributes . . . 36
7.1.1. Target . . . . . . . . . . . . . . . . . . . . . . . 37
7.1.2. Total Traffic . . . . . . . . . . . . . . . . . . . . 38
7.1.3. Total Attack Traffic . . . . . . . . . . . . . . . . 39
7.1.4. Total Attack Connections . . . . . . . . . . . . . . 41
7.1.5. Attack Details . . . . . . . . . . . . . . . . . . . 44
7.2. From DOTS Clients to DOTS Servers . . . . . . . . . . . . 50
7.3. From DOTS Servers to DOTS Clients . . . . . . . . . . . . 53
8. DOTS Telemetry Mitigation Status Update . . . . . . . . . . . 58
8.1. DOTS Clients to Servers Mitigation Efficacy DOTS
Telemetry Attributes . . . . . . . . . . . . . . . . . . 58
8.2. DOTS Servers to Clients Mitigation Status DOTS Telemetry
Attributes . . . . . . . . . . . . . . . . . . . . . . . 60
9. Error Handling . . . . . . . . . . . . . . . . . . . . . . . 64
10. YANG Modules . . . . . . . . . . . . . . . . . . . . . . . . 64
10.1. DOTS Signal Channel Telemetry YANG Module . . . . . . . 64
10.2. Vendor Attack Mapping Details YANG Module . . . . . . . 93
11. YANG/JSON Mapping Parameters to CBOR . . . . . . . . . . . . 96
12. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 98
12.1. DOTS Signal Channel CBOR Key Values . . . . . . . . . . 98
12.2. DOTS Signal Channel Conflict Cause Codes . . . . . . . . 101
12.3. DOTS Signal Telemetry YANG Module . . . . . . . . . . . 101
13. Security Considerations . . . . . . . . . . . . . . . . . . . 102
13.1. DOTS Signal Channel Telemetry . . . . . . . . . . . . . 102
13.2. Vendor Attack Mapping . . . . . . . . . . . . . . . . . 103
14. Contributors . . . . . . . . . . . . . . . . . . . . . . . . 104
15. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 104
16. References . . . . . . . . . . . . . . . . . . . . . . . . . 104
16.1. Normative References . . . . . . . . . . . . . . . . . . 104
16.2. Informative References . . . . . . . . . . . . . . . . . 106
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 107
1. Introduction
Distributed Denial of Service (DDoS) attacks have become more
sophisticated. IT organizations and service providers are facing
DDoS attacks that fall into two broad categories:
1. Network/Transport layer attacks target the victim's
infrastructure. These attacks are not necessarily aimed at
taking down the actual delivered services, but rather to
eliminate various network elements (routers, switches, firewalls,
transit links, and so on) from serving legitimate users traffic.
Boucadair, et al. Expires May 28, 2021 [Page 3]
Internet-Draft DOTS Telemetry November 2020
The main method of such attacks is to send a large volume or high
packet per second (pps) of traffic toward the victim's
infrastructure. Typically, attack volumes may vary from a few
100 Mbps to 100s of Gbps or even Tbps. Attacks are commonly
carried out leveraging botnets and attack reflectors for
amplification attacks such as NTP (Network Time Protocol), DNS
(Domain Name System), SNMP (Simple Network Management Protocol),
or SSDP (Simple Service Discovery Protocol).
2. Application layer attacks target various applications. Typical
examples include attacks against HTTP/HTTPS, DNS, SIP (Session
Initiation Protocol), or SMTP (Simple Mail Transfer Protocol).
However, all applications with their port numbers open at network
edges can be attractive attack targets.
Application layer attacks are considered more complex and hard to
categorize, therefore harder to detect and mitigate efficiently.
To compound the problem, attackers also leverage multi-vectored
attacks. These attacks are assembled from dynamic attack vectors
(Network/Application) and tactics. As such, multiple attack vectors
formed by multiple attack types and volumes are launched
simultaneously towards a victim. Multi-vector attacks are harder to
detect and defend. Multiple and simultaneous mitigation techniques
are needed to defeat such attack campaigns. It is also common for
attackers to change attack vectors right after a successful
mitigation, burdening their opponents with changing their defense
methods.
The conclusion derived from these real scenarios is that modern
attacks detection and mitigation are most certainly complicated and
highly convoluted tasks. They demand a comprehensive knowledge of
the attack attributes, the targeted normal behavior (including,
normal traffic patterns), as well as the attacker's on-going and past
actions. Even more challenging, retrieving all the analytics needed
for detecting these attacks is not simple to obtain with the
industry's current capabilities.
The DOTS signal channel protocol [I-D.ietf-dots-rfc8782-bis] is used
to carry information about a network resource or a network (or a part
thereof) that is under a DDoS attack. Such information is sent by a
DOTS client to one or multiple DOTS servers so that appropriate
mitigation actions are undertaken on traffic deemed suspicious.
Various use cases are discussed in [I-D.ietf-dots-use-cases].
Typically, DOTS clients can be integrated within a DDoS attack
detector, or network and security elements that have been actively
engaged with ongoing attacks. The DOTS client mitigation environment
Boucadair, et al. Expires May 28, 2021 [Page 4]
Internet-Draft DOTS Telemetry November 2020
determines that it is no longer possible or practical for it to
handle these attacks. This can be due to a lack of resources or
security capabilities, as derived from the complexities and the
intensity of these attacks. In this circumstance, the DOTS client
has invaluable knowledge about the actual attacks that need to be
handled by its DOTS server(s). By enabling the DOTS client to share
this comprehensive knowledge of an ongoing attack under specific
circumstances, the DOTS server can drastically increase its ability
to accomplish successful mitigation. While the attack is being
handled by the DOTS server associated mitigation resources, the DOTS
server has the knowledge about the ongoing attack mitigation. The
DOTS server can share this information with the DOTS client so that
the client can better assess and evaluate the actual mitigation
realized.
DOTS clients can send mitigation hints derived from attack details to
DOTS servers, with the full understanding that the DOTS server may
ignore mitigation hints, as described in [RFC8612] (Gen-004).
Mitigation hints will be transmitted across the DOTS signal channel,
as the data channel may not be functional during an attack. How a
DOTS server is handling normal and attack traffic attributes, and
mitigation hints is implementation specific.
Both DOTS clients and servers can benefit this information by
presenting various information in relevant management, reporting, and
portal systems.
This document defines DOTS telemetry attributes that can be conveyed
by DOTS clients to DOTS servers, and vice versa. The DOTS telemetry
attributes are not mandatory attributes of the DOTS signal channel
protocol [I-D.ietf-dots-rfc8782-bis]. Nevertheless, when DOTS
telemetry attributes are available to a DOTS agent, and absent any
policy, it can signal the attributes in order to optimize the overall
mitigation service provisioned using DOTS.
2. Terminology
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and
"OPTIONAL" in this document are to be interpreted as described in BCP
14 [RFC2119][RFC8174] when, and only when, they appear in all
capitals, as shown here.
The reader should be familiar with the terms defined in [RFC8612].
"DOTS Telemetry" is defined as the collection of attributes that are
used to characterize normal traffic baseline, attacks and their
mitigation measures, and any related information that may help in
Boucadair, et al. Expires May 28, 2021 [Page 5]
Internet-Draft DOTS Telemetry November 2020
enforcing countermeasures. The DOTS Telemetry is an optional set of
attributes that can be signaled in the DOTS signal channel protocol.
Telemetry Setup Identifier (tsid) is an identifier that is generated
by DOTS clients to uniquely identify DOTS telemetry setup
configuration data.
Telemetry Identifier (tmid) is an identifier that is generated by
DOTS clients to uniquely identify DOTS telemetry data that is
communicated prior or during a mitigation.
The meaning of the symbols in YANG tree diagrams are defined in
[RFC8340] and [RFC8791].
3. DOTS Telemetry: Overview and Purpose
Timely and effective signaling of up-to-date DDoS telemetry to all
elements involved in the mitigation process is essential and improves
the overall DDoS mitigation service effectiveness. Bi-directional
feedback between DOTS agents is required for an increased awareness
of each party, supporting superior and highly efficient attack
mitigation service.
3.1. Need More Visibility
When signaling a mitigation request, it is most certainly beneficial
for DOTS clients to signal to DOTS servers any knowledge regarding
ongoing attacks. This can happen in cases where DOTS clients are
asking DOTS servers for support in defending against attacks that
they have already detected and/or mitigated.
If attacks are already detected and categorized within a DOTS client
domain, the DOTS server, and its associated mitigation services, can
proactively benefit this information and optimize the overall service
delivery. It is important to note that DOTS client domains and DOTS
server domains detection and mitigation approaches can be different,
and can potentially outcome different results and attack
classifications. The DDoS mitigation service treats the ongoing
attack details received from DOTS clients as hints and cannot
completely rely or trust the attack details conveyed by DOTS clients.
A basic requirement of security operation teams is to be aware and
get visibility into the attacks they need to handle. The DOTS server
security operation teams benefit from the DOTS telemetry, especially
from the reports of ongoing attacks. Even if some mitigation can be
automated, operational teams can use the DOTS telemetry to be
prepared for attack mitigation and to assign the correct resources
(operation staff, networking and mitigation) for the specific
Boucadair, et al. Expires May 28, 2021 [Page 6]
Internet-Draft DOTS Telemetry November 2020
service. Similarly, security operation personnel at the DOTS client
side ask for feedback about their requests for protection.
Therefore, it is valuable for DOTS servers to share DOTS telemetry
with DOTS clients.
Mutual sharing of information is thus crucial for "closing the
mitigation loop" between DOTS clients and servers. For the server
side team, it is important to realize that the same attacks that the
DOTS server's mitigation resources are seeing are those that a DOTS
client is asking to mitigate. For the DOTS client side team, it is
important to realize that the DOTS clients receive the required
service. For example, understanding that "I asked for mitigation of
two attacks and my DOTS server detects and mitigates only one of
them". Cases of inconsistency in attack classification between DOTS
clients and servers can be highlighted, and maybe handled, using the
DOTS telemetry attributes.
In addition, management and orchestration systems, at both DOTS
client and server sides, can use DOTS telemetry as a feedback to
automate various control and management activities derived from
signaled telemetry information.
If the DOTS server's mitigation resources have the capabilities to
facilitate the DOTS telemetry, the DOTS server adapts its protection
strategy and activates the required countermeasures immediately
(automation enabled) for the sake of optimized attack mitigation
decisions and actions.
3.2. Enhanced Detection
DOTS telemetry can also be used to tune the DDoS mitigators with the
correct state of an attack. During the last few years, DDoS attack
detection technologies have evolved from threshold-based detection
(that is, cases when all or specific parts of traffic cross a
predefined threshold for a certain period of time is considered as an
attack) to an "anomaly detection" approach. For the latter, it is
required to maintain rigorous learning of "normal" behavior and where
an "anomaly" (or an attack) is identified and categorized based on
the knowledge about the normal behavior and a deviation from this
normal behavior. Machine learning approaches are used such that the
actual traffic thresholds are automatically calculated by learning
the protected entity normal traffic behavior during idle time. The
normal traffic characterization learned is referred to as the "normal
traffic baseline". An attack is detected when the victim's actual
traffic is deviating from this normal baseline.
In addition, subsequent activities toward mitigating an attack are
much more challenging. The ability to distinguish legitimate traffic
Boucadair, et al. Expires May 28, 2021 [Page 7]
Internet-Draft DOTS Telemetry November 2020
from attacker traffic on a per packet basis is complex. For example,
a packet may look "legitimate" and no attack signature can be
identified. The anomaly can be identified only after detailed
statistical analysis. DDoS attack mitigators use the normal baseline
during the mitigation of an attack to identify and categorize the
expected appearance of a specific traffic pattern. Particularly, the
mitigators use the normal baseline to recognize the "level of
normality" needs to be achieved during the various mitigation
process.
Normal baseline calculation is performed based on continuous learning
of the normal behavior of the protected entities. The minimum
learning period varies from hours to days and even weeks, depending
on the protected application behavior. The baseline cannot be
learned during active attacks because attack conditions do not
characterize the protected entities' normal behavior.
If the DOTS client has calculated the normal baseline of its
protected entities, signaling such information to the DOTS server
along with the attack traffic levels is significantly valuable. The
DOTS server benefits from this telemetry by tuning its mitigation
resources with the DOTS client's normal baseline. The DOTS server
mitigators use the baseline to familiarize themselves with the attack
victim's normal behavior and target the baseline as the level of
normality they need to achieve. Fed with this information, the
overall mitigation performances is expected to be improved in terms
of time to mitigate, accuracy, false-negative, and false-positive.
Mitigation of attacks without having certain knowledge of normal
traffic can be inaccurate at best. This is especially true for
recursive signaling (see Section 3.2.3 in [I-D.ietf-dots-use-cases]).
In addition, the highly diverse types of use cases where DOTS clients
are integrated also emphasize the need for knowledge of each DOTS
client domain behavior. Consequently, common global thresholds for
attack detection practically cannot be realized. Each DOTS client
domain can have its own levels of traffic and normal behavior.
Without facilitating normal baseline signaling, it may be very
difficult for DOTS servers in some cases to detect and mitigate the
attacks accurately:
It is important to emphasize that it is practically impossible for
the DOTS server's mitigators to calculate the normal baseline in
cases where they do not have any knowledge of the traffic
beforehand.
In addition, baseline learning requires a period of time that
cannot be afforded during active attack.
Boucadair, et al. Expires May 28, 2021 [Page 8]
Internet-Draft DOTS Telemetry November 2020
Of course, this information can provided using out-of-band
mechanisms or manual configuration at the risk to maintain
inaccurate information as the network evolves and "normal"
patterns change. The use of a dynamic and collaborative means
between the DOTS client and server to identify and share key
parameters for the sake of efficient DDoS protection is valuable.
3.3. Efficient Mitigation
During a high volume attack, DOTS client pipes can be totally
saturated. DOTS clients ask their DOTS servers to handle the attack
upstream so that DOTS client pipes return to a reasonable load level
(normal pattern, ideally). At this point, it is essential to ensure
that the mitigator does not overwhelm the DOTS client pipes by
sending back "clean traffic", or what it believes is "clean". This
can happen when the mitigator has not managed to detect and mitigate
all the attacks launched towards the DOTS client domain.
In this case, it can be valuable to DOTS clients to signal to DOTS
servers the "total pipe capacity", which is the level of traffic the
DOTS client domain can absorb from its upstream network. Dynamic
updates of the condition of pipes between DOTS agents while they are
under a DDoS attack is essential (e.g., where multiple DOTS clients
share the same physical connectivity pipes). It is important to note
that the term "pipe" noted here does not necessary represent physical
pipe, but rather represents the maximum level of traffic that the
DOTS client domain can receive. The DOTS server should activate
other mechanisms to ensure it does not allow the DOTS client domain's
pipes to be saturated unintentionally. The rate-limit action defined
in [RFC8783] is a reasonable candidate to achieve this objective; the
DOTS client can ask for the type(s) of traffic (such as ICMP, UDP,
TCP port number 80) it prefers to limit. The rate-limit action can
be controlled via the signal channel
[I-D.ietf-dots-signal-filter-control] even when the pipe is
overwhelmed.
4. Design Overview
4.1. Overview of Telemetry Operations
This document specifies an extension to the DOTS signal channel
protocol. Considerations about how to establish, maintain, and make
use of the DOTS signal channel are specified in
[I-D.ietf-dots-rfc8782-bis].
Once the DOTS signal channel is established, DOTS clients that
support the DOTS telemetry extension proceed with the telemetry setup
configuration (e.g., measurement interval, telemetry notification
Boucadair, et al. Expires May 28, 2021 [Page 9]
Internet-Draft DOTS Telemetry November 2020
interface, pipe capacity, normal traffic baseline) as detailed in
Section 6. DOTS agents can then include DOTS telemetry attributes
using the DOTS signal channel (Section 7.1). Typically, a DOTS
client can use separate messages to share with its DOTS server(s) a
set of telemetry data bound to an ongoing mitigation (Section 7.2).
Also, a DOTS client that is interested to receive telemetry
notifications related to some of its resources follows the procedure
defined in Section 7.3. The DOTS client can then decide to send a
mitigation request if the notified attack cannot be mitigated locally
within the DOTS client domain.
Aggregate DOTS telemetry data can also be included in efficacy update
(Section 8.1) or mitigation update (Section 8.2) messages.
4.2. Generic Considerations
4.2.1. DOTS Client Identification
Following the rules in Section 4.4.1 of [I-D.ietf-dots-rfc8782-bis],
a unique identifier is generated by a DOTS client to prevent request
collisions ('cuid').
As a reminder, [I-D.ietf-dots-rfc8782-bis] forbids 'cuid' to be
returned in a response message body.
4.2.2. DOTS Gateways
DOTS gateways may be located between DOTS clients and servers. The
considerations elaborated in Section 4.4.1 of
[I-D.ietf-dots-rfc8782-bis] must be followed. In particular, 'cdid'
attribute is used to unambiguously identify a DOTS client domain.
As a reminder, [I-D.ietf-dots-rfc8782-bis] forbids 'cdid' (if
present) to be returned in a response message body.
4.2.3. Empty URI Paths
Uri-Path parameters and attributes with empty values MUST NOT be
present in a request and render an entire message invalid.
4.2.4. Controlling Configuration Data
The DOTS server follows the same considerations discussed in
Section of 4.5.3 of [I-D.ietf-dots-rfc8782-bis] for managing DOTS
telemetry configuration freshness and notification.
Likewise, a DOTS client may control the selection of configuration
and non-configuration data nodes when sending a GET request by means
Boucadair, et al. Expires May 28, 2021 [Page 10]
Internet-Draft DOTS Telemetry November 2020
of the 'c' Uri-Query option and following the procedure specified in
Section of 4.4.2 of [I-D.ietf-dots-rfc8782-bis]. These
considerations are not reiterated in the following sections.
4.3. Block-wise Transfer
DOTS clients can use block wise transfer [RFC7959] with the
recommendation detailed in Section 4.4.2 of
[I-D.ietf-dots-rfc8782-bis] to control the size of a response when
the data to be returned does not fit within a single datagram.
DOTS clients can also use CoAP Block1 Option in a PUT request (see
Section 2.5 of [RFC7959]) to initiate large transfers, but these
Block1 transfers will fail if the inbound "pipe" is running full, so
consideration needs to be made to try to fit this PUT into a single
transfer, or to separate out the PUT into several discrete PUTs where
each of them fits into a single packet.
Q-Block1 and Q-Block2 Options that are similar to the CoAP Block1 and
Block2 Options, but enable faster transmissions of big blocks of data
with less packet interchanges, are defined in
[I-D.ietf-core-new-block]. DOTS implementations can consider the use
of Q-Block1 and Q-Block2 Options.
4.4. DOTS Multi-homing Considerations
Multi-homed DOTS clients are assumed to follow the recommendations in
[I-D.ietf-dots-multihoming] to select which DOTS server to contact
and which IP prefixes to include in a telemetry message to a given
peer DOTS server. For example, if each upstream network exposes a
DOTS server and the DOTS client maintains DOTS channels with all of
them, only the information related to prefixes assigned by an
upstream network to the DOTS client domain will be signaled via the
DOTS channel established with the DOTS server of that upstream
network.
Considerations related to whether (and how) a DOTS client gleans some
telemetry information (e.g., attack details) it receives from a first
DOTS server and share it with a second DOTS server are implementation
and deployment specific.
4.5. YANG Considerations
Telemetry messages exchanged between DOTS agents are serialized using
Concise Binary Object Representation (CBOR) [RFC7049]. CBOR-encoded
payloads are used to carry signal channel specific payload messages
which convey request parameters and response information such as
errors.
Boucadair, et al. Expires May 28, 2021 [Page 11]
Internet-Draft DOTS Telemetry November 2020
This document specifies a YANG module [RFC7950] for representing DOTS
telemetry message types (Section 10.1). All parameters in the
payload of the DOTS signal channel are mapped to CBOR types as
specified in Section 11.
The DOTS telemetry module (Section 10.1) is not intended to be used
via NETCONF/RESTCONF for DOTS server management purposes. It serves
only to provide a data model and encoding following [RFC8791].
The DOTS telemetry module (Section 10.1) uses "enumerations" rather
than "identities" to define units, samples, and intervals because
otherwise the namespace identifier "ietf-dots-telemetry" must be
included when a telemetry attribute is included (e.g., in a
mitigation efficacy update). The use of "identities" is thus
suboptimal from a message compactness standpoint.
4.6. A Note About Examples
Examples are provided for illustration purposes. The document does
not aim to provide a comprehensive list of message examples.
The authoritative reference for validating telemetry messages is the
YANG module (Section 10.1) and the mapping table established in
Section 11.
5. Telemetry Operation Paths
As discussed in Section 4.2 of [I-D.ietf-dots-rfc8782-bis], each DOTS
operation is indicated by a path suffix that indicates the intended
operation. The operation path is appended to the path prefix to form
the URI used with a CoAP request to perform the desired DOTS
operation. The following telemetry path suffixes are defined
(Table 1):
+-----------------+----------------+-----------+
| Operation | Operation Path | Details |
+=================+================+===========+
| Telemetry Setup | /tm-setup | Section 6 |
| Telemetry | /tm | Section 7 |
+-----------------+----------------+-----------+
Table 1: DOTS Telemetry Operations
Consequently, the "ietf-dots-telemetry" YANG module defined in
Section 10.1 defines data structure to represent new DOTS message
types called 'telemetry-setup' and 'telemetry'. The tree structure
is shown in Figure 1. More details are provided in Sections 6 and 7
Boucadair, et al. Expires May 28, 2021 [Page 12]
Internet-Draft DOTS Telemetry November 2020
about the exact structure of 'telemetry-setup' and 'telemetry'
message types.
structure dots-telemetry:
+-- (telemetry-message-type)?
+--:(telemetry-setup)
| ...
| +-- telemetry* []
| ...
| +-- (setup-type)?
| +--:(telemetry-config)
| | ...
| +--:(pipe)
| | ...
| +--:(baseline)
| ...
+--:(telemetry)
...
Figure 1: New DOTS Message Types (YANG Tree Structure)
6. DOTS Telemetry Setup Configuration
In reference to Figure 1, a DOTS telemetry setup message MUST include
only telemetry-related configuration parameters (Section 6.1) or
information about DOTS client domain pipe capacity (Section 6.2) or
telemetry traffic baseline (Section 6.3). As such, requests that
include a mix of telemetry configuration, pipe capacity, or traffic
baseline MUST be rejected by DOTS servers with a 4.00 (Bad Request).
A DOTS client can reset all installed DOTS telemetry setup
configuration data following the considerations detailed in
Section 6.4.
A DOTS server may detect conflicts when processing requests related
to DOTS client domain pipe capacity or telemetry traffic baseline
with requests from other DOTS clients of the same DOTS client domain.
More details are included in Section 6.5.
Telemetry setup configuration is bound to a DOTS client domain. DOTS
servers MUST NOT expect DOTS clients to send regular requests to
refresh the telemetry setup configuration. Any available telemetry
setup configuration has a validity timeout of the DOTS association
with a DOTS client domain. DOTS servers MUST NOT reset 'tsid'
because a session failed with a DOTS client. DOTS clients update
their telemetry setup configuration upon change of a parameter that
may impact attack mitigation.
Boucadair, et al. Expires May 28, 2021 [Page 13]
Internet-Draft DOTS Telemetry November 2020
DOTS telemetry setup configuration request and response messages are
marked as Confirmable messages (Section 2.1 of [RFC7252]).
6.1. Telemetry Configuration
A DOTS client can negotiate with its server(s) a set of telemetry
configuration parameters to be used for telemetry. Such parameters
include:
o Percentile-related measurement parameters
o Measurement units
o Acceptable percentile values
o Telemetry notification interval
o Acceptable Server-originated telemetry
Section 11.3 of [RFC2330] includes more details about computing
percentiles.
6.1.1. Retrieve Current DOTS Telemetry Configuration
A GET request is used to obtain acceptable and current telemetry
configuration parameters on the DOTS server. This request may
include a 'cdid' Uri-Path when the request is relayed by a DOTS
gateway. An example of such request is depicted in Figure 2.
Header: GET (Code=0.01)
Uri-Path: ".well-known"
Uri-Path: "dots"
Uri-Path: "tm-setup"
Uri-Path: "cuid=dz6pHjaADkaFTbjr0JGBpw"
Figure 2: GET to Retrieve Current and Acceptable DOTS Telemetry
Configuration
Upon receipt of such request, and assuming no error is encountered by
processing the request, the DOTS server replies with a 2.05 (Content)
response that conveys the current and telemetry parameters acceptable
by the DOTS server. The tree structure of the response message body
is provided in Figure 3. Note that the response also includes any
pipe (Section 6.2) and baseline information (Section 6.3) maintained
by the DOTS server for this DOTS client.
DOTS servers that support the capability of sending telemetry
information to DOTS clients prior or during a mitigation
Boucadair, et al. Expires May 28, 2021 [Page 14]
Internet-Draft DOTS Telemetry November 2020
(Section 8.2) sets 'server-originated-telemetry' under 'max-config-
values' to 'true' ('false' is used otherwise). If 'server-
originated-telemetry' is not present in a response, this is
equivalent to receiving a request with 'server-originated-telemetry'
set to 'false'.
structure dots-telemetry:
+-- (telemetry-message-type)?
+--:(telemetry-setup)
| +-- (direction)?
| | +--:(server-to-client-only)
| | +-- max-config-values
| | | +-- measurement-interval? interval
| | | +-- measurement-sample? sample
| | | +-- low-percentile? percentile
| | | +-- mid-percentile? percentile
| | | +-- high-percentile? percentile
| | | +-- server-originated-telemetry? boolean
| | | +-- telemetry-notify-interval? uint32
| | +-- min-config-values
| | | +-- measurement-interval? interval
| | | +-- measurement-sample? sample
| | | +-- low-percentile? percentile
| | | +-- mid-percentile? percentile
| | | +-- high-percentile? percentile
| | | +-- telemetry-notify-interval? uint32
| | +-- supported-units
| | | +-- unit-config* [unit]
| | | +-- unit unit-type
| | | +-- unit-status boolean
| | +-- query-type* query-type
| +-- telemetry* []
| +-- (direction)?
| | +--:(server-to-client-only)
| | +-- tsid? uint32
| +-- (setup-type)?
| +--:(telemetry-config)
| | +-- current-config
| | +-- measurement-interval? interval
| | +-- measurement-sample? sample
| | +-- low-percentile? percentile
| | +-- mid-percentile? percentile
| | +-- high-percentile? percentile
| | +-- unit-config* [unit]
| | | +-- unit unit-type
| | | +-- unit-status boolean
| | +-- server-originated-telemetry? boolean
| | +-- telemetry-notify-interval? uint32
Boucadair, et al. Expires May 28, 2021 [Page 15]
Internet-Draft DOTS Telemetry November 2020
| +--:(pipe)
| | ...
| +--:(baseline)
| ...
+--:(telemetry)
...
Figure 3: Telemetry Configuration Tree Structure
When both 'min-config-values' and 'max-config-values' attributes are
present, the values carried in 'max-config-values' attributes MUST be
greater or equal to their counterpart in 'min-config-values'
attributes.
6.1.2. Convey DOTS Telemetry Configuration
PUT request is used to convey the configuration parameters for the
telemetry data (e.g., low, mid, or high percentile values). For
example, a DOTS client may contact its DOTS server to change the
default percentile values used as baseline for telemetry data.
Figure 3 lists the attributes that can be set by a DOTS client in
such PUT request. An example of a DOTS client that modifies all
percentile reference values is shown in Figure 4.
Header: PUT (Code=0.03)
Uri-Path: ".well-known"
Uri-Path: "dots"
Uri-Path: "tm-setup"
Uri-Path: "cuid=dz6pHjaADkaFTbjr0JGBpw"
Uri-Path: "tsid=123"
Content-Format: "application/dots+cbor"
{
"ietf-dots-telemetry:telemetry-setup": {
"telemetry": [
{
"current-config": {
"low-percentile": "5.00",
"mid-percentile": "65.00",
"high-percentile": "95.00"
}
}
]
}
}
Figure 4: PUT to Convey the DOTS Telemetry Configuration
Boucadair, et al. Expires May 28, 2021 [Page 16]
Internet-Draft DOTS Telemetry November 2020
'cuid' is a mandatory Uri-Path parameter for PUT requests.
The following additional Uri-Path parameter is defined:
tsid: Telemetry Setup Identifier is an identifier for the DOTS
telemetry setup configuration data represented as an integer.
This identifier MUST be generated by DOTS clients. 'tsid'
values MUST increase monotonically (when a new PUT is generated
by a DOTS client to convey new configuration parameters for the
telemetry).
The procedure specified in Section 4.4.1 of
[I-D.ietf-dots-rfc8782-bis] MUST be followed for 'tsid'
rollover.
This is a mandatory attribute. 'tsid' MUST follow 'cuid'.
'cuid' and 'tsid' MUST NOT appear in the PUT request message body.
At least one configurable attribute MUST be present in the PUT
request.
The PUT request with a higher numeric 'tsid' value overrides the DOTS
telemetry configuration data installed by a PUT request with a lower
numeric 'tsid' value. To avoid maintaining a long list of 'tsid'
requests for requests carrying telemetry configuration data from a
DOTS client, the lower numeric 'tsid' MUST be automatically deleted
and no longer be available at the DOTS server.
The DOTS server indicates the result of processing the PUT request
using the following Response Codes:
o If the request is missing a mandatory attribute, does not include
'cuid' or 'tsid' Uri-Path parameters, or contains one or more
invalid or unknown parameters, 4.00 (Bad Request) MUST be returned
in the response.
o If the DOTS server does not find the 'tsid' parameter value
conveyed in the PUT request in its configuration data and if the
DOTS server has accepted the configuration parameters, then a 2.01
(Created) Response Code MUST be returned in the response.
o If the DOTS server finds the 'tsid' parameter value conveyed in
the PUT request in its configuration data and if the DOTS server
has accepted the updated configuration parameters, 2.04 (Changed)
MUST be returned in the response.
Boucadair, et al. Expires May 28, 2021 [Page 17]
Internet-Draft DOTS Telemetry November 2020
o If any of the enclosed configurable attribute values are not
acceptable to the DOTS server (Section 6.1.1), 4.22 (Unprocessable
Entity) MUST be returned in the response.
The DOTS client may retry and send the PUT request with updated
attribute values acceptable to the DOTS server.
By default, low percentile (10th percentile), mid percentile (50th
percentile), high percentile (90th percentile), and peak (100th
percentile) values are used to represent telemetry data.
Nevertheless, a DOTS client can disable some percentile types (low,
mid, high). In particular, setting 'low-percentile' to '0.00'
indicates that the DOTS client is not interested in receiving low-
percentiles. Likewise, setting 'mid-percentile' (or 'high-
percentile') to the same value as 'low-percentile' (or 'mid-
percentile') indicates that the DOTS client is not interested in
receiving mid-percentiles (or high-percentiles). For example, a DOTS
client can send the request depicted in Figure 5 to inform the server
that it is interested in receiving only high-percentiles. This
assumes that the client will only use that percentile type when
sharing telemetry data with the server.
Header: PUT (Code=0.03)
Uri-Path: ".well-known"
Uri-Path: "dots"
Uri-Path: "tm-setup"
Uri-Path: "cuid=dz6pHjaADkaFTbjr0JGBpw"
Uri-Path: "tsid=569"
Content-Format: "application/dots+cbor"
{
"ietf-dots-telemetry:telemetry-setup": {
"telemetry": [
{
"current-config": {
"low-percentile": "0.00",
"mid-percentile": "0.00",
"high-percentile": "95.00"
}
}
]
}
}