rfc8783v3.txt   rfc8783.txt 
Figure 34 shows the content of the POST request to be issued by a
DOTS client to its DOTS server to allow the traffic destined to
198.51.100.0/24 and UDP port number 53, but to drop all fragmented
packets. The following ACEs are defined (in this order):

*  "drop-all-fragments" ACE: discards all fragments.

*  "allow-dns-packets" ACE: accepts DNS packets destined to
   198.51.100.0/24.

   POST /restconf/data/ietf-dots-data-channel:dots-data\
       /dots-client=dz6pHjaADkaFTbjr0JGBpw HTTP/1.1
   Host: example.com
   Content-Type: application/yang-data+json

   {
     "ietf-dots-data-channel:acls": {
       "acl": [
         {
           "name": "dns-fragments",
           "type": "ipv4-acl-type",
           "aces": {
             "ace": [
               {
                 "name": "drop-all-fragments",
                 "matches": {
                   "ipv4": {
                     "fragment": {
                       "operator": "match",
                       "type": "isf"
                     }
                   }
                 },
                 "actions": {
                   "forwarding": "drop"
                 }
               },
               {
                 "name": "allow-dns-packets",
                 "matches": {
                   "ipv4": {
                     "destination-ipv4-network": "198.51.100.0/24"
                   },
                   "udp": {
                     "destination-port-range-or-operator": {
                       "operator": "eq",
                       "port": 53
                     }
                   }
                 },
                 "actions": {
                   "forwarding": "accept"
                 }
               }
             ]
           }
         }
       ]
     }
   }

            Figure 34: Filtering IPv4 Fragmented Packets

Figure 35 shows an example of a POST request issued by a DOTS client
to its DOTS server to allow the traffic destined to 2001:db8::/32 and
UDP port number 53, but to drop all fragmented packets. The
following ACEs are defined (in this order):

*  "drop-all-fragments" ACE: discards all fragments (including atomic
   fragments). That is, IPv6 packets that include a Fragment header
   (44) are dropped.

*  "allow-dns-packets" ACE: accepts DNS packets destined to
   2001:db8::/32.

   POST /restconf/data/ietf-dots-data-channel:dots-data\
       /dots-client=dz6pHjaADkaFTbjr0JGBpw HTTP/1.1
   Host: example.com
   Content-Type: application/yang-data+json

   {
     "ietf-dots-data-channel:acls": {
       "acl": [
         {
           "name": "dns-fragments",
           "type": "ipv6-acl-type",
           "aces": {
             "ace": [
               {
                 "name": "drop-all-fragments",
                 "matches": {
                   "ipv6": {
                     "fragment": {
                       "operator": "match",
                       "type": "isf"
                     }
                   }
                 },
                 "actions": {
                   "forwarding": "drop"
                 }
               },
               {
                 "name": "allow-dns-packets",
                 "matches": {
                   "ipv6": {
                     "destination-ipv6-network": "2001:db8::/32"
                   },
                   "udp": {
                     "destination-port-range-or-operator": {
                       "operator": "eq",
                       "port": 53
                     }
                   }
                 },
                 "actions": {
                   "forwarding": "accept"
                 }
               }
             ]
           }
         }
       ]
     }
   }

            Figure 35: Filtering IPv6 Fragmented Packets
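The following is an added example, not code from RFC 8783 or any DOTS implementation. It walks the ACEs of a Figure 34-style payload in order against constructed packet descriptors and shows why the stated ACE order matters: with the two ACEs swapped, a first fragment that still carries the UDP header matches the allow rule before the drop rule is reached. The packet dictionaries and the `ace_matches`, `evaluate` and `with_reversed_aces` helpers are assumptions of this example; only the match clauses used in Figures 34 and 35 are modelled.

```python
import ipaddress
import json

# Constructed payload with the same shape as the Figure 34 ACL (IPv4 variant).
ACL_JSON = """{"ietf-dots-data-channel:acls": {"acl": [{
  "name": "dns-fragments", "type": "ipv4-acl-type", "aces": {"ace": [
    {"name": "drop-all-fragments",
     "matches": {"ipv4": {"fragment": {"operator": "match", "type": "isf"}}},
     "actions": {"forwarding": "drop"}},
    {"name": "allow-dns-packets",
     "matches": {"ipv4": {"destination-ipv4-network": "198.51.100.0/24"},
                 "udp": {"destination-port-range-or-operator":
                         {"operator": "eq", "port": 53}}},
     "actions": {"forwarding": "accept"}}]}}]}}"""

def ace_matches(ace, pkt):
    """True when every match clause of the ACE holds for the packet dict.
    Only the clauses used in Figures 34/35 are modelled (isf, dst net, eq port)."""
    m = ace["matches"]
    l3 = m.get("ipv4") or m.get("ipv6") or {}
    frag = l3.get("fragment")
    if frag is not None:
        if (frag["operator"], frag["type"]) != ("match", "isf"):
            raise NotImplementedError("only fragment match/isf is modelled")
        if not pkt.get("fragment", False):
            return False
    net = l3.get("destination-ipv4-network") or l3.get("destination-ipv6-network")
    if net and ipaddress.ip_address(pkt["dst"]) not in ipaddress.ip_network(net):
        return False
    if "udp" in m:
        port = m["udp"]["destination-port-range-or-operator"]
        if pkt.get("proto") != "udp" or pkt.get("dport") != port["port"]:
            return False  # assumes operator "eq", as in the RFC examples
    return True

def evaluate(acl_doc, pkt):
    """Walk the ACEs in order; return (ace name, forwarding) of the first hit."""
    for acl in json.loads(acl_doc)["ietf-dots-data-channel:acls"]["acl"]:
        for ace in acl["aces"]["ace"]:
            if ace_matches(ace, pkt):
                return ace["name"], ace["actions"]["forwarding"]
    return None  # no ACE matched; the server's default behavior applies

def with_reversed_aces(acl_doc):
    """Same ACL with the two ACEs swapped, to show that ACE order matters."""
    doc = json.loads(acl_doc)
    for acl in doc["ietf-dots-data-channel:acls"]["acl"]:
        acl["aces"]["ace"].reverse()
    return json.dumps(doc)
```

A fragmented DNS packet to 198.51.100.10 hits "drop-all-fragments" with the order as published, but with the order reversed it is accepted by "allow-dns-packets" because that ACE has no fragment clause.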
Appendix B. Examples: Filtering TCP Messages

This section provides examples to illustrate TCP-specific filtering
based on the flag bits. These examples should not be interpreted as
recommended filtering behaviors under specific DDoS attacks.

B.1. Discard TCP Null Attack