| DOTS | Y. Hayashi |
| Internet-Draft | NTT |
| Intended status: Experimental | K. Nishizuka |
| Expires: April 18, 2019 | NTT Communications |
| October 15, 2018 |
DDoS mitigation offload usecase and YANG module expansion in signal channel
draft-h-dots-mitigation-offload-expansion-00
This document describes a DDoS Mitigation offload usecase and an expansion of the YANG module in the DOTS signal channel for mitigating DDoS attack traffic correctly with general routers or switches. The proposed usecase and YANG module enhance DOTS capability to send attacker information and enable service providers to mitigate DDoS attack traffic by using general routers or switches in their intra-domain NW.
This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79.
Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet-Drafts is at https://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress."
This Internet-Draft will expire on April 18, 2019.
Copyright (c) 2018 IETF Trust and the persons identified as the document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (https://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Simplified BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Simplified BSD License.
Volume based distributed denial-of-service (DDoS) attacks such as DNS amplification attacks are threats for internet service providers because of their impact on network services. When such attacks occur, service providers have to mitigate them immediately to protect or recover their service. Therefore, for the service providers to immediately protect their network services from DDoS attacks, DDoS mitigation needs to be automated. To automate DDoS attack mitigation, it is desirable that multi-vendor elements concerned with DDoS attack detection, mitigation and so on collaborate.
On the other hand, the number of DDoS Mitigation Systems (DMS) that can be deployed in a service providers network is limited due to equipment cost. Thus, DMS's utilization rate can reach maximum capacity soon when the volume of DDoS attacks is enormous. When the rate reaches maximum capacity, the network needs to offload mitigation action from the DMS to cost-effective network devices such as switches and routers.
DDoS Open Threat Signaling (DOTS) is a protocol to standardize real-time signaling, threat-handling requests, and data between the multi-vendor elements [I-D.ietf-dots-use-cases]. This document describes an automated DDoS Mitigation offload usecase inherited from a DOTS usecase [I-D.ietf-dots-use-cases], which enables cost-effective DDoS Mitigation in an intra-domain network. Furthermore, this document describes an expansion of the YANG module in the DOTS signal channel [I-D.ietf-dots-signal-channel], which enables a service provider's network to mitigate attack traffic correctly in the usecase.
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in [RFC2119]
The readers should be familiar with the terms defined in [I-D.ietf-dots-requirements] [I-D.ietf-dots-use-cases]
The terminology related to YANG data modules is defined in [RFC7950]
In addition, this document uses the terms defined below:
The purpose of this usecase is to protect intra-domain network from volume-based DDoS attacks automatically, cost-effectively, and vendor-independently. The usecase is inherited from the DDoS Orchestration usecase in [I-D.ietf-dots-use-cases] and works on an intra-domain network.
Figure 1 and Figure 2 show a component diagram and C-plane sequence diagram of the usecase, respectively.
+----------+
| network |C
| adminis |-+
| trator | |
+----------+ |
|
+----------+ | S+--------------+C S+-----------+
|telemetry/| +-->| |---->| DDoS |+
|monitoring|---->| Orchestrator |<----| mitigation||
|systems |C S| |S C| systems ||
+----------+ +--------------+ +-----------+|
| +----------+
| ex. BGP, BGP Flowspec
|
| +------------------+
+->| Routers/Switches |+
+------------------+|
+-----------------+
* C is for DOTS Client functionality
* S is for DOTS Server functionality
Figure 1: Component diagram of DDoS Mitigation offload usecase
This component diagram shown in Figure 1 differs from that of DDoS Orchestration usecase in [I-D.ietf-dots-use-cases] in some respects. First, the DDoS mitigation systems have a DOTS client function to send mitigation requests to the orchestrator. Second, the orchestrator sends a request to routers or switches to block attack traffic.
+-------+ +----------+ +------------+ +----------+ +----------+
|network| |telemetry/|+ | | |DDoS |+ |Routers |+
|adminis| |monitoring|| |Orchestrator| |Mitigation|| |Switches ||
|trator | |systems || | | |Systems || | ||
+-------+ +----------+| +------------+ +----------+| +---------+|
| +----------+ | +----------+ +---------+
| | DOTS: | | |
| | Mitigation | | |
| | Request | | |
| DOTS: |C------------>S| | |
| Mitigation | | ex. BGP: | |
| Request | | Redirect | |
|C------------------------->S| Attack Traffic | |
| | | to DMS | |
| | |---------------------------------->|
| | | | |
| | | DOTS: | |
| | | Mitigation Request | |
| | |S<-----------------C| |
| | | | |
| | | ex. BGP Flowspec | |
| | | Mitigate | |
| | | Attack Traffic | |
| | |---------------------------------->|
| | | | |
* C is for DOTS Client functionality
* S is for DOTS Server functionality
Figure 2: C-plane Sequence diagram of DDoS Mitigation offload usecase
In this usecase, when the telemetry/monitoring system detects a volume-based DDoS attack in the network, it sends a DOTS mitigation request to the orchestrator with target information such as target-prefix. Then, the network administrator confirms the request and sends a DOTS mitigation request to the orchestrator with the target information.
After that, the orchestrator requests the routers or switches to redirect attack traffic to the DMS by a configuration protocol such as a routing protocol like BGP [RFC4271] on the basis of the target information. Then the DMS analyzes attack traffic in detail and detects not only target but also attacker information, such as top-talker, and mitigates the attack traffic on the basis of the detected information.
When the volume-based attack becomes intense, DMS's utilization rate can reach maximum capacity. Then the DMS sends a DOTS mitigation request to the orchestrator as an offload request with the detection information. After that, the orchestrator requests the routers or switches to block attack traffic to the DMS by dissemination of flow specification rules protocols such as BGP flowspec [RFC5575] on the basis of the detected information.
It is desirable that the routers or switches mitigate attack traffic correctly after the DMS sends a DOTS Mitigation Request as an offload request in the usecase described in Section 3. For mitigating attack traffic correctly, this document proposes expanding DOTS signal channel [I-D.ietf-dots-signal-channel] so that it can send not only target information but also representative attacker information such as top talker. Note that it is difficult to send all attacker information because there is an enormous number of attackers when a volume-based DDoS attack occurs.
This section describes expansion of the YANG module [RFC7950] and mapping parameters to CBOR [RFC7049] of the DOTS Signal Channel.
Figure 3 shows an expanded YANG Module of the DOTS Signal Channel. Note that the "augment" statement allows a module to insert additional nodes into existing data models. The module defines a new grouping "attacker" and adds the grouping to an existing Signal Channel module by using an "augment" statement.
module ietf-dots-signal-channel-mitigation-offload-expansion {
yang-version 1.1;
namespace "urn:ietf:params:xml:ns:yang:
ietf-dots-signal-channel:mitigation-offload-expansion";
import ietf-dots-signal-channel {
prefix signal;
}
import ietf-inet-types {
prefix inet;
}
organization
"IETF DDoS Open Threat Signaling (DOTS) Working Group";
contact
"WG Web: <https://datatracker.ietf.org/wg/dots/>
WG List: <mailto:dots@ietf.org>
Editor: Yuhei Hayashi
<mailto:hayashi.yuhei@lab.ntt.co.jp>
description
"This module contains the YANG definition for expanding signaling
messages exchanged between a DOTS client and a DOTS server.
Copyright (c) 2018 IETF Trust and the persons identified as
authors of the code. All rights reserved.
Redistribution and use in source and binary forms, with or
without modification, is permitted pursuant to, and subject
to the license terms contained in, the Simplified BSD License
set forth in Section 4.c of the IETF Trust's Legal Provisions
Relating to IETF Documents
(http://trustee.ietf.org/license-info).
This version of this YANG module is part of RFC XXXX; see
the RFC itself for full legal notices.";
revision 2018-07-30 {
description
"Initial revision.";
reference
"RFC XXXX: ietf-dots-signal-channel";
}
/*
* Groupings
*/
grouping attacker {
description
"Specifies the attackers of the mitigation request.";
leaf-list attacker-top-talker-prefix {
type inet:ip-prefix;
description
"IPv4/IPv6 prefix identifying the top-talker in attackers.";
}
}
/*
* Main Container for DOTS Signal Channel Expansion
*/
augment "/signal:dots-signal/signal:scope/"{
uses attacker;
}
}
Figure 3: Expansion of YANG Module of DOTS Signal Channel
Figure 4 shows expansion of Mapping Parameters to CBOR [RFC7049] related to Figure 3.
+----------------------+-------------+-----+---------------+--------+
| Parameter Name | YANG | CBOR| CBOR Major | JSON |
| | Type | Key | Type & | Type |
| | | | Information | |
+----------------------+-------------+-----+---------------+--------+
| ... | ... | ...| ... | ... |
| attacker-top-talker | leaf-list | XX | 4 array | Array |
| -prefix | inet: | | | |
| | ip-prefix | | 3 text string | String |
+----------------------+-------------+-----+---------------+--------+
Figure 4: Expansion of Mapping Parameters to CBOR
TBD
TBD
TBD
| [RFC2119] | Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, DOI 10.17487/RFC2119, March 1997. |
| [RFC4271] | Rekhter, Y., Li, T. and S. Hares, "A Border Gateway Protocol 4 (BGP-4)", RFC 4271, DOI 10.17487/RFC4271, January 2006. |
| [RFC5575] | Marques, P., Sheth, N., Raszuk, R., Greene, B., Mauch, J. and D. McPherson, "Dissemination of Flow Specification Rules", RFC 5575, DOI 10.17487/RFC5575, August 2009. |
| [RFC7049] | Bormann, C. and P. Hoffman, "Concise Binary Object Representation (CBOR)", RFC 7049, DOI 10.17487/RFC7049, October 2013. |
| [RFC7950] | Bjorklund, M., "The YANG 1.1 Data Modeling Language", RFC 7950, DOI 10.17487/RFC7950, August 2016. |
| [I-D.ietf-dots-requirements] | Mortensen, A., Moskowitz, R. and R. K, "Distributed Denial of Service (DDoS) Open Threat Signaling Requirements", Internet-Draft draft-ietf-dots-requirements-15, August 2018. |
| [I-D.ietf-dots-signal-channel] | K, R., Boucadair, M., Patil, P., Mortensen, A. and N. Teague, "Distributed Denial-of-Service Open Threat Signaling (DOTS) Signal Channel Specification", Internet-Draft draft-ietf-dots-signal-channel-25, September 2018. |
| [I-D.ietf-dots-use-cases] | Dobbins, R., Migault, D., Fouant, S., Moskowitz, R., Teague, N., Xia, L. and K. Nishizuka, "Use cases for DDoS Open Threat Signaling", Internet-Draft draft-ietf-dots-use-cases-16, July 2018. |