<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE rfc SYSTEM "rfc2629-xhtml.ent">
<rfc xmlns:xi="http://www.w3.org/2001/XInclude" ipr="trust200902" docName="draft-ietf-dots-use-cases-25" number="8903" submissionType="IETF" category="info" consensus="true" obsoletes="" updates="" xml:lang="en" tocInclude="true" sortRefs="true" symRefs="true" version="3">
  <front>
    <title abbrev="DOTS Use Cases">Use Cases for DDoS Open Threat Signaling</title>
    <seriesInfo name="RFC" value="8903"/>
    <author initials="R." surname="Dobbins" fullname="Roland Dobbins">
      <organization>Netscout, Inc.</organization>
      <address>
        <postal>
          <street/>
          <city/>
          <code/>
          <country>Singapore</country>
        </postal>
        <email>roland.dobbins@netscout.com</email>
      </address>
    </author>
    <author initials="D." surname="Migault" fullname="Daniel Migault">
      <organization>Ericsson</organization>
      <address>
        <postal>
          <street>8275 Trans Canada Route</street>
          <city>Saint Laurent</city>
          <region>Quebec</region>
          <code>4S 0B6</code>
          <country>Canada</country>
        </postal>
        <email>daniel.migault@ericsson.com</email>
      </address>
    </author>
    <author initials="R." surname="Moskowitz" fullname="Robert Moskowitz">
      <organization>HTT Consulting</organization>
      <address>
        <postal>
          <street/>
          <city>Oak Park</city>
          <region>MI</region>
          <code>48237</code>
          <country>United States of America</country>
        </postal>
        <email>rgm@labs.htt-consult.com</email>
      </address>
    </author>
    <author initials="N." surname="Teague" fullname="Nik Teague">
      <organization>Iron Mountain Data Centers</organization>
      <address>
        <postal>
          <street/>
          <city/>
          <code/>
          <country>United Kingdom</country>
        </postal>
        <email>nteague@ironmountain.co.uk</email>
      </address>
    </author>
    <author initials="L." surname="Xia" fullname="Liang Xia">
      <organization>Huawei</organization>
      <address>
        <postal>
          <street>No. 101, Software Avenue, Yuhuatai District</street>
          <city>Nanjing</city>
          <country>China</country>
        </postal>
        <email>Frank.xialiang@huawei.com</email>
      </address>
    </author>
    <author initials="K." surname="Nishizuka" fullname="Kaname Nishizuka">
      <organization>NTT Communications</organization>
      <address>
        <postal>
          <street>3-4-1 Shibaura, Minato-ku</street>
          <extaddr>GranPark 16F</extaddr>
          <region>Tokyo</region>
          <code>108-8118</code>
          <country>Japan</country>
        </postal>
        <email>kaname@nttv6.jp</email>
      </address>
    </author>
    <date year="2021" month="May"/>
    <area>Security</area>
    <workgroup>DOTS</workgroup>
    <abstract>
      <t>The DDoS Open Threat Signaling (DOTS) effort is intended to provide protocols to facilitate interoperability across disparate DDoS Mitigation solutions. This document presents sample use cases that describe the interactions expected between the DOTS components as well as DOTS messaging exchanges. These use cases are meant to identify the interacting DOTS components, how they collaborate, and what the typical information to be exchanged is.</t>
    </abstract>
  </front>
  <middle>
    <section anchor="introduction" numbered="true" toc="default">
      <name>Introduction</name>
      <t>At the time of writing, distributed denial-of-service (DDoS) attack mitigation solutions are largely based upon siloed, proprietary communications schemes with vendor lock-in as a side effect. This can result in the configuration, provisioning, operation, and activation of these solutions being a highly manual and often time-consuming process. Additionally, coordinating multiple DDoS Mitigation solutions simultaneously is fraught with both technical and process-related hurdles. This greatly increases operational complexity, which in turn can degrade the efficacy of mitigations that are generally highly dependent on a timely reaction by the system.</t>
      <t>The DDoS Open Threat Signaling (DOTS) effort is intended to specify protocols that facilitate interoperability between diverse DDoS Mitigation solutions and ensure greater integration in terms of attack detection, mitigation requests, and attack characterization patterns.</t>
      <t>As DDoS solutions are broadly heterogeneous among vendors, the primary goal of DOTS is to provide high-level interaction amongst differing DDoS solutions, such as detecting DDoS attacks, initiating/terminating DDoS Mitigation assistance, or requesting the status of a DDoS Mitigation.</t>
      <t>This document provides sample use cases that provided input for the requirements <xref target="RFC8612" format="default"/> and design of the DOTS protocols <xref target="RFC8782" format="default"/><xref target="RFC8783" format="default"/>. The use cases are not exhaustive, and future use cases are expected to emerge as DOTS is adopted and evolves.</t>
    </section>
    <section anchor="terminology-and-acronyms" numbered="true" toc="default">
      <name>Terminology and Acronyms</name>
      <t>This document makes use of the same terminology and definitions as <xref target="RFC8612" format="default"/>. In addition, it uses the terms defined below:</t>
      <dl newline="true" spacing="normal">
        <dt>DDoS Mitigation System (DMS):</dt>
        <dd>A system that performs DDoS Mitigation. The DDoS Mitigation System may be composed of a cluster of hardware and/or software resources but could also involve an orchestrator that may make decisions, such as outsourcing some or all of the mitigation to another DDoS Mitigation System.</dd>
        <dt>DDoS Mitigation:</dt>
        <dd>The action performed by the DDoS Mitigation System.</dd>
        <dt>DDoS Mitigation Service:</dt>
        <dd>Designates a service provided to a customer to mitigate DDoS attacks. Each service subscription usually involves a Service Level Agreement (SLA) that has to be met. It is the responsibility of the DDoS Service provider to instantiate the DDoS Mitigation System to meet these SLAs.</dd>
        <dt>DDoS Mitigation Service Provider:</dt>
        <dd>Designates the administrative entity providing the DDoS Mitigation Service.</dd>
        <dt>Internet Transit Provider (ITP):</dt>
        <dd>Designates the entity that delivers the traffic to a customer network. It can be an Internet Service Provider (ISP) or an upstream entity delivering the traffic to the ISP.</dd>
      </dl>
    </section>
    <section anchor="use-cases" numbered="true" toc="default">
      <name>Use Cases</name>
      <section anchor="use-case-1" numbered="true" toc="default">
        <name>Upstream DDoS Mitigation by an Upstream Internet Transit Provider</name>
        <t>This use case describes how an enterprise or a residential customer network may take advantage of a pre-existing relation with its ITP in order to mitigate a DDoS attack targeting its network.</t>
        <t>For clarity of discussion, the targeted network is indicated as an enterprise network, but the same scenario applies to any downstream network, including residential and cloud hosting networks.</t>
        <t>As the ITP provides connectivity to the enterprise network, it is already on the path of the inbound and outbound traffic of the enterprise network and is well aware of the networking parameters associated with the enterprise network WAN connectivity. This eases both the configuration and the instantiation of a DDoS Mitigation Service.</t>
        <t>This section considers two kinds of DDoS Mitigation Service between an enterprise network and an ITP:</t>
        <ul spacing="normal">
          <li>The upstream ITP may instantiate a DMS upon receiving a request from the enterprise network. This typically corresponds to a case when the enterprise network is under attack.</li>
          <li>On the other hand, the ITP may identify an enterprise network as the source of an attack and send a mitigation request to the enterprise DMS to mitigate this at the source.</li>
        </ul>
        <t>The two scenarios, though different, have similar interactions between the DOTS client and server. For the sake of simplicity, only the first scenario will be detailed in this section. Nevertheless, the second scenario is also in scope for DOTS.</t>
        <t>In the first scenario, as depicted in <xref target="fig-1"/>, an enterprise network with self-hosted Internet-facing properties such as web servers, authoritative DNS servers, and Voice over IP (VoIP) servers has a DMS deployed to protect those servers and applications from DDoS attacks. In addition to on-premise DDoS defense capabilities, the enterprise has contracted with its ITP for DDoS Mitigation Services when attacks threaten to overwhelm the bandwidth of their WAN link(s).</t>
        <figure anchor="fig-1">
          <name>Upstream Internet Transit Provider DDoS Mitigation</name>
          <artwork name="" type="" align="left" alt=""><![CDATA[
   +------------------+        +------------------+
   | Enterprise       |        | Upstream         |
   | Network          |        | Internet Transit |
   |                  |        | Provider         |
   |  +--------+      |        |                  |  DDoS Attack
   |  | DDoS   |      |        |  <=================================
   |  | Target |      |        |  <=================================
   |  +--------+      |        |  +------------+  |
   |                  |   +-------->| DDoS       |  |
   |                  |   |    |S   | Mitigation |  |
   |                  |   |    |    | System     |  |
   |                  |   |    |    +------------+  |
   |                  |   |    |                  |
   |                  |   |    |                  |
   |  +------------+  |   |    |                  |
   |  | DDoS       |<---+    |                  |
   |  | Mitigation |C |        |                  |
   |  | System     |  |        |                  |
   |  +------------+  |        |                  |
   +------------------+        +------------------+

     * C is for DOTS client functionality
     * S is for DOTS server functionality
]]></artwork>
        </figure>
        <t>The enterprise DMS is configured such that if the incoming Internet traffic volume exceeds 50% of the provisioned upstream Internet WAN link capacity, the DMS will request DDoS Mitigation assistance from the upstream transit provider. More sophisticated detection means may be considered as well.</t>
        <t>The requests to trigger, manage, and finalize a DDoS Mitigation between the enterprise DMS and the ITP are made using DOTS. The enterprise DMS implements a DOTS client while the ITP implements a DOTS server, which is integrated with their DMS in this example.</t>
        <t>When the enterprise DMS locally detects an inbound DDoS attack targeting its resources (e.g., servers, hosts, or applications), it immediately begins a DDoS Mitigation.</t>
        <t>During the course of the attack, the inbound traffic volume to the enterprise network exceeds the 50% threshold, and the enterprise DMS escalates the DDoS Mitigation. The enterprise DMS DOTS client signals to the DOTS server on the upstream ITP to initiate DDoS Mitigation. The DOTS server replies to the DOTS client that it can serve this request, and mitigation is initiated on the ITP network by the ITP DMS.</t>
        <t>Over the course of the attack, the DOTS server of the ITP periodically informs the DOTS client on the mitigation status, statistics related to DDoS attack traffic mitigation, and related information. Once the DDoS attack has ended or decreased to a certain level that the enterprise DMS might handle by itself, the DOTS server signals the enterprise DMS DOTS client that the attack has subsided.</t>
        <t>The DOTS client on the enterprise DMS then requests that the ITP terminate the DDoS Mitigation. The DOTS server on the ITP receives this request and, once the mitigation has ended, confirms the end of upstream DDoS Mitigation to the enterprise DMS DOTS client.</t>
        <t>The following is an overview of the DOTS communication model for this use case:</t>
        <ol spacing="normal" type="1">
          <li>A DDoS attack is initiated against resources of a network organization (here, the enterprise), which has deployed a DOTS-capable DMS -- typically a DOTS client.</li>
          <li>The enterprise DMS detects, classifies, and begins the DDoS Mitigation.</li>
          <li>The enterprise DMS determines that its capacity and/or capability to mitigate the DDoS attack is insufficient and sends a DOTS DDoS Mitigation request via its DOTS client to one or more DOTS servers residing on the upstream ITP.</li>
          <li>The DOTS server, which receives the DOTS Mitigation request, determines that it has been configured to honor requests from the requesting DOTS client and does so by orchestrating its own DMS.</li>
          <li>While the DDoS Mitigation is active, the DOTS server regularly transmits DOTS DDoS Mitigation status updates to the DOTS client.</li>
          <li>Informed by the DOTS server status update that the attack has ended or subsided, the DOTS client transmits a DOTS DDoS Mitigation termination request to the DOTS server.</li>
          <li>The DOTS server terminates DDoS Mitigation and sends the notification to the DOTS client.</li>
        </ol>
        <t>Note that communications between the enterprise DOTS client and the upstream ITP DOTS server may take place in band within the main Internet WAN link between the enterprise and the ITP; out of band via a separate, dedicated wireline network link utilized solely for DOTS signaling; or out of band via some other form of network connectivity such as third-party wireless 4G network connectivity.</t>
        <t>Note also that a DOTS client that sends a DOTS Mitigation request may also be triggered by a network admin that manually confirms the request to the upstream ITP, in which case the request may be sent from an application such as a web browser or a dedicated mobile application.</t>
        <t>Note also that when the enterprise is multihomed and connected to multiple upstream ITPs, each ITP is only able to provide a DDoS Mitigation Service for the traffic it transits. As a result, the enterprise network may be required to coordinate the various DDoS Mitigation Services associated with each link. More multihoming considerations are discussed in <xref target="I-D.ietf-dots-multihoming" format="default"/>.</t>
      </section>
      <section anchor="use-case-2" numbered="true" toc="default">
        <name>DDoS Mitigation by a Third-Party DDoS Mitigation Service Provider</name>
        <t>This use case differs from the previous use case described in <xref target="use-case-1"/> in that the DDoS Mitigation Service is not provided by an upstream ITP. In other words, as represented in <xref target="fig-2"/>, the traffic is not forwarded through the DDoS Mitigation Service Provider by default. In order to steer the traffic to the DDoS Mitigation Service Provider, some network configuration changes are required. As such, this use case is likely to apply to large enterprises or large data centers but, as for the other use cases, is not exclusively limited to them.</t>
        <t>Another typical scenario for this use case is for there to be a relationship between DDoS Mitigation Service Providers, forming an overlay of DMS. When a DDoS Mitigation Service Provider mitigating a DDoS attack reaches its resource capacity, it may choose to delegate the DDoS Mitigation to another DDoS Mitigation Service Provider.</t>
        <figure anchor="fig-2">
          <name>DDoS Mitigation between an Enterprise Network and a Third-Party DDoS Mitigation Service Provider</name>
          <artwork name="" type="" align="left" alt=""><![CDATA[
   +------------------+        +------------------+
   | Enterprise       |        | Upstream         |
   | Network          |        | Internet Transit |
   |                  |        | Provider         |
   |  +--------+      |        |                  |  DDoS Attack
   |  | DDoS   |      |        |  <=================================
   |  | Target |      |        |  <=================================
   |  +--------+      |        |                  |
   |                  |        |                  |
   |                  |        +------------------+
   |                  |
   |                  |        +------------------+
   |                  |        | DDoS Mitigation  |
   |                  |        | Service Provider |
   |                  |        |                  |
   |  +------------+  |        |  +------------+  |
   |  | DDoS       |<------------>| DDoS       |  |
   |  | Mitigation |C |        | S| Mitigation |  |
   |  | System     |  |        |  | System     |  |
   |  +------------+  |        |  +------------+  |
   +------------------+        +------------------+

     * C is for DOTS client functionality
     * S is for DOTS server functionality
]]></artwork>
        </figure>
        <t>In this scenario, an enterprise network has entered into a prearranged DDoS Mitigation assistance agreement with one or more third-party DDoS Mitigation Service Providers in order to ensure that sufficient DDoS Mitigation capacity and/or capabilities may be activated in the event that a given DDoS attack threatens to overwhelm the ability of the enterprise or any other given DMS to mitigate the attack on its own.</t>
        <t>The prearrangement typically includes agreement on the mechanisms used to redirect the traffic to the DDoS Mitigation Service Provider, as well as the mechanism to re-inject the traffic back to the Enterprise Network. Redirection to the DDoS Mitigation Service Provider typically involves BGP prefix announcement or DNS redirection, while re-injection of the scrubbed traffic to the enterprise network may be performed via tunneling mechanisms (e.g., GRE). The exact mechanisms used for traffic steering are out of scope of DOTS but will need to be prearranged, while in some contexts such changes could be detected and considered as an attack.</t>
        <t>In some cases, the communication between the enterprise DOTS client and the DOTS server of the DDoS Mitigation Service Provider may go through the ITP carrying the DDoS attack, which would affect the communication. On the other hand, the communication between the DOTS client and DOTS server may take a path that is not undergoing a DDoS attack.</t>
        <figure anchor="fig-3">
          <name>Redirection to a DDoS Mitigation Service Provider</name>
          <artwork name="" type="" align="left" alt=""><![CDATA[
   +------------------+        +------------------+
   | Enterprise       |        | Upstream         |
   | Network          |        | Internet Transit |
   |                  |        | Provider         |
   |  +--------+      |        |                  |  DDoS Attack
   |  | DDoS   |<----------------+                |    ++====
   |  | Target |      | Mitigated |                |    || ++=
   |  +--------+      |        |  |               |    || ||
   |                  |        |  |               |    || ||
   |                  |        +--------|---------+    || ||
   |                  |                 |              || ||
   |                  |        +--------|---------+    || ||
   |                  |        | DDoS Mitigation  |    || ||
   |                  |        | Service Provider |    || ||
   |                  |        |         |        |    || ||
   |  +------------+  |        |  +------------+  |    || ||
   |  | DDoS       |<------------>| DDoS       |  |    || ||
   |  | mitigation |C |        |S | mitigation |<===++ ||
   |  | system     |  |        |  | system     |<======++
   |  +------------+  |        |  +------------+  |
   +------------------+        +------------------+

     * C is for DOTS client functionality
     * S is for DOTS server functionality
]]></artwork>
        </figure>
        <t>When the enterprise network is under attack or at least is reaching its capacity or ability to mitigate a given DDoS attack, the DOTS client sends a DOTS request to the DDoS Mitigation Service Provider to initiate network traffic diversion -- as represented in <xref target="fig-3"/> -- and DDoS Mitigation activities. Ongoing attack and mitigation status messages may be passed between the enterprise network and the DDoS Mitigation Service Provider using DOTS. If the DDoS attack has stopped or the severity of the attack has subsided, the DOTS client can request that the DDoS Mitigation Service Provider terminate the DDoS Mitigation.</t>
      </section>
      <section anchor="use-case-3" numbered="true" toc="default">
        <name>DDoS Orchestration</name>
        <t>In this use case, one or more DDoS telemetry systems or monitoring devices monitor a network -- typically an ISP network, an enterprise network, or a data center. Upon detection of a DDoS attack, these DDoS telemetry systems alert an orchestrator in charge of coordinating the various DMSs within the domain. The DDoS telemetry systems may be configured to provide required information, such as a preliminary analysis of the observation, to the orchestrator.</t>
        <t>The orchestrator analyzes the various sets of information it receives from DDoS telemetry systems and initiates one or more DDoS Mitigation strategies. For example, the orchestrator could select the DMS in the enterprise network or one provided by the ITP.</t>
        <t>DMS selection and DDoS Mitigation techniques may depend on the type of the DDoS attack. In some cases, a manual confirmation or selection may also be required to choose a proposed strategy to initiate a DDoS Mitigation. The DDoS Mitigation may consist of multiple steps such as configuring the network or updating already-instantiated DDoS Mitigation functions. Eventually, the coordination of the mitigation may involve external DDoS Mitigation resources such as a transit provider or a third-party DDoS Mitigation Service Provider.</t>
        <t>The communication used to trigger a DDoS Mitigation between the DDoS telemetry and monitoring systems and the orchestrator is performed using DOTS. The DDoS telemetry system implements a DOTS client while the orchestrator implements a DOTS server.</t>
        <t>The communication between a network administrator and the orchestrator is also performed using DOTS. The network administrator uses, for example, a web interface that interacts with a DOTS client, while the orchestrator implements a DOTS server.</t>
        <t>The communication between the orchestrator and the DMSs is performed using DOTS. The orchestrator implements a DOTS client while the DMSs implement a DOTS server.</t>
        <t>The configuration aspects of each DMS, as well as the instantiations of DDoS Mitigation functions or network configuration, are not part of DOTS. Similarly, the discovery of available DDoS Mitigation functions is not part of DOTS and, as such, is out of scope.</t>
        <figure anchor="fig-4">
          <name>DDoS Orchestration</name>
          <artwork name="" type="" align="left" alt=""><![CDATA[
   +----------+
   | network  |C         (Enterprise Network)
   |admini-   |<-+
   |strator   |  |
   +----------+  |
                 |
   +----------+  | S+--------------+      +-----------+
   |telemetry/|  +->|              |C   S| DDoS      |+
   |monitoring|<--->| Orchestrator |<--->| mitigation||
   |systems   |C   S|              |<-+  | systems   ||
   +----------+     +--------------+C |  +-----------+|
                                      |   +----------+
   -----------------------------------|-----------------
                                      |
        (Internet Transit Provider)   |
                                      |
                                      |  +-----------+
                                      | S| DDoS      |+
                                      +->| mitigation||
                                         | systems   ||
                                         +-----------+|
   * C is for DOTS client functionality   +----------+
   * S is for DOTS server functionality
]]></artwork>
        </figure>
        <t>The DDoS telemetry systems monitor various aspects of the network traffic and perform some measurement tasks.</t>
        <t>These systems are configured so that when an event or some measurement indicators reach a predefined level, their associated DOTS client sends a DOTS mitigation request to the orchestrator DOTS server. The DOTS mitigation request may be associated with some optional mitigation hints to let the orchestrator know what has triggered the request. In particular, something that looks like an attack locally to one telemetry system may not actually be an attack when seen from the broader scope (e.g., that of the orchestrator).</t>
        <t>Upon receipt of the DOTS mitigation request from the DDoS telemetry system, the orchestrator DOTS server responds with an acknowledgment to avoid retransmission of the request for mitigation. The orchestrator may begin collecting additional fine-grained and specific information from various DDoS telemetry systems in order to correlate the measurements and provide an analysis of the event. Eventually, the orchestrator may ask for additional information from the DDoS telemetry system; however, the collection of this information is out of scope of DOTS.</t>
        <t>The orchestrator may be configured to start a DDoS Mitigation upon approval from a network administrator. The analysis from the orchestrator is reported to the network administrator via, for example, a web interface. If the network administrator decides to start the mitigation, the network administrator triggers the DDoS Mitigation request using, for example, a web interface of a DOTS client communicating to the orchestrator DOTS server. This request is expected to be associated with a context that provides sufficient information to the orchestrator DOTS server to infer, elaborate, and coordinate the appropriate DDoS Mitigation.</t>
        <t>Upon receiving a request to mitigate a DDoS attack aimed at a target, the orchestrator may evaluate the volume of the attack as well as the value that the target represents. The orchestrator may select the DDoS Mitigation Service Provider based on the attack severity. It may also coordinate the DDoS Mitigation performed by the DDoS Mitigation Service Provider with some other tasks such as, for example, moving the target to another network so new sessions will not be impacted. The orchestrator requests a DDoS Mitigation by the selected DMSs via its DOTS client, as described in <xref target="use-case-1"/>.</t>
        <t>The orchestrator DOTS client is notified that the DDoS Mitigation is effective by the selected DMSs. The orchestrator DOTS server returns this information to the network administrator.</t>
        <t>Similarly, when the DDoS attack has stopped, the orchestrator DOTS client is notified and the orchestrator's DOTS server indicates the end of the DDoS Mitigation to the DDoS telemetry systems as well as to the network administrator.</t>
        <t>In addition to the DDoS orchestration shown in <xref target="fig-4"/>, the selected DMS can return a mitigation request to the orchestrator as an offloading. For example, when the DDoS attack becomes severe and the DMS's utilization rate reaches its maximum capacity, the DMS can send mitigation requests with additional hints, such as its blocked traffic information, to the orchestrator. Then the orchestrator can take further actions such as requesting forwarding nodes (e.g., routers) to filter the traffic. In this case, the DMS implements a DOTS client while the orchestrator implements a DOTS server. Similar to other DOTS use cases, the offloading scenario assumes that some validation checks are followed by the DMS, the orchestrator, or both (e.g., avoid exhausting the resources of the forwarding nodes or inadvertent disruption of legitimate services). These validation checks are part of the mitigation and are therefore out of the scope of the document.</t>
      </section>
    </section>
    <section anchor="security-considerations" numbered="true" toc="default">
      <name>Security Considerations</name>
      <t>The document does not describe any protocol, though there are still a few high-level security considerations to discuss.</t>
      <t>DOTS is at risk from three primary attacks: DOTS agent impersonation, traffic injection, and signaling blocking.</t>
      <t>Impersonation and traffic injection can be mitigated through current secure communications best practices, including mutual authentication. Preconfigured mitigation steps to take on the loss of keepalive traffic can partially mitigate signal blocking. But in general, it is impossible to comprehensively defend against an attacker that can selectively block any or all traffic. Alternate communication paths that are (hopefully) not subject to blocking by the attacker in question are another potential mitigation.</t>
      <t>Additional details of DOTS security requirements can be found in <xref target="RFC8612" format="default"/>.</t>
      <t>Service disruption may be experienced if inadequate mitigation actions are applied. These considerations are out of the scope of DOTS.</t>
    </section>
    <section anchor="iana-considerations" numbered="true" toc="default">
      <name>IANA Considerations</name>
      <t>This document has no IANA actions.</t>
    </section>
  </middle>
  <back>
    <displayreference target="I-D.ietf-dots-multihoming" to="DOTS-MULTIHOMING"/>
    <references>
      <name>Informative References</name>
      <xi:include href="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.8612.xml"/>
      <xi:include href="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.8782.xml"/>
      <xi:include href="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.8783.xml"/>
      <xi:include href="https://datatracker.ietf.org/doc/bibxml3/reference.I-D.ietf-dots-multihoming.xml"/>
    </references>
    <section anchor="acknowledgments" numbered="false" toc="default">
      <name>Acknowledgments</name>
      <t>The authors would like to thank, among others, <contact fullname="Tirumaleswar Reddy.K"/>, <contact fullname="Andrew Mortensen"/>, <contact fullname="Mohamed Boucadair"/>, <contact fullname="Artyom Gavrichenkov"/>, <contact fullname="Jon Shallow"/>, <contact fullname="Yuuhei Hayashi"/>, <contact fullname="Elwyn Davies"/>, the DOTS WG Chairs (at the time of writing) <contact fullname="Roman Danyliw"/> and <contact fullname="Tobias Gondrom"/>, as well as the Security AD <contact fullname="Benjamin Kaduk"/> for their valuable feedback.</t>
      <t>We also would like to thank <contact fullname="Stephan Fouant"/>, who was one of the initial coauthors of the documents.</t>
    </section>
  </back>
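<section anchor="added-example-upstream" numbered="false" toc="default">
<name>Added Example: Simulated Upstream ITP Exchange</name>
<t>The seven-step communication model of Section 3.1 (request, status updates, termination, and the server's check that it is configured to honor the requesting client), as an added example that is not part of RFC 8903 or of any DOTS implementation. The message dictionaries, status strings, class names, the local-detection and "subsided" thresholds, and the 192.0.2.0/24 target are assumptions made for illustration; only the 50% escalation threshold comes from the text, and the real DOTS signal channel (RFC 8782) carries mitigation requests in CoAP with its own attribute names.</t>

```python
"""Simulated DOTS exchange for the upstream ITP use case.

Added example: a self-contained model of the seven-step communication
model in Section 3.1, not code from RFC 8903 or from any DOTS
implementation.  Message dictionaries, status strings, class names and
thresholds other than the 50% escalation rule are assumptions.
"""
from dataclasses import dataclass, field
from typing import Optional

WAN_CAPACITY_MBPS = 1000      # provisioned upstream WAN link (constructed value)
LOCAL_DETECT_MBPS = 200       # enterprise DMS starts local mitigation above this (assumed)
ESCALATE_MBPS = 500           # 50% of the WAN link: ask the ITP for help (from the text)
SUBSIDED_MBPS = 250           # level the enterprise DMS can handle by itself (assumed)


@dataclass
class ItpDotsServer:
    """DOTS server integrated with the ITP's DMS (steps 4, 5 and 7)."""
    authorized_clients: set                      # clients the ITP is configured to honor
    mitigations: dict = field(default_factory=dict)
    log: list = field(default_factory=list)      # actions taken on the ITP's own DMS

    def handle(self, msg):
        """Process one DOTS request and return the server's response."""
        if msg["client"] not in self.authorized_clients:
            return {"mid": msg["mid"], "status": "rejected",
                    "reason": "unauthorized client"}
        if msg["type"] == "mitigation-request":
            # Step 4: honor the request by orchestrating the ITP's own DMS.
            self.mitigations[msg["mid"]] = {"targets": msg["targets"], "active": True}
            self.log.append(("itp-dms", "start", tuple(msg["targets"])))
            return {"mid": msg["mid"], "status": "attack-mitigation-in-progress"}
        if msg["type"] == "mitigation-terminate":
            # Step 7: stop the mitigation, then confirm termination to the client.
            entry = self.mitigations.get(msg["mid"])
            if entry is None:
                return {"mid": msg["mid"], "status": "rejected",
                        "reason": "unknown mitigation"}
            entry["active"] = False
            self.log.append(("itp-dms", "stop", tuple(entry["targets"])))
            return {"mid": msg["mid"], "status": "attack-mitigation-terminated"}
        return {"mid": msg["mid"], "status": "rejected", "reason": "bad request"}

    def status_update(self, mid, observed_mbps):
        """Step 5: periodic status and statistics sent to the DOTS client."""
        return {"mid": mid, "status": "attack-mitigation-in-progress",
                "mitigated-mbps": observed_mbps,
                "attack-subsided": SUBSIDED_MBPS >= observed_mbps}


@dataclass
class EnterpriseDms:
    """Enterprise DMS with its DOTS client (steps 2, 3 and 6)."""
    client_id: str
    server: ItpDotsServer
    targets: tuple = ("192.0.2.0/24",)          # protected prefix (documentation range)
    next_mid: int = 1
    upstream_mid: Optional[int] = None
    local_active: bool = False
    events: list = field(default_factory=list)

    def observe(self, inbound_mbps):
        """Steps 2-3: mitigate locally; above 50% of the link, escalate to the ITP."""
        if inbound_mbps > LOCAL_DETECT_MBPS and not self.local_active:
            self.local_active = True
            self.events.append("local-mitigation")
        if inbound_mbps > ESCALATE_MBPS and self.upstream_mid is None:
            req = {"type": "mitigation-request", "client": self.client_id,
                   "mid": self.next_mid, "targets": list(self.targets)}
            self.next_mid += 1
            resp = self.server.handle(req)
            if resp["status"] == "attack-mitigation-in-progress":
                self.upstream_mid = resp["mid"]
                self.events.append("upstream-mitigation-active")
            else:
                self.events.append("upstream-refused:" + resp["reason"])
        return self.upstream_mid

    def on_status(self, update):
        """Step 6: once the ITP reports the attack has subsided, request termination."""
        if update["attack-subsided"] and update["mid"] == self.upstream_mid:
            resp = self.server.handle({"type": "mitigation-terminate",
                                       "client": self.client_id, "mid": self.upstream_mid})
            if resp["status"] == "attack-mitigation-terminated":
                self.events.append("upstream-mitigation-terminated")
                self.upstream_mid = None
        return self.upstream_mid


def run_scenario(client_id="enterprise-dms-1", samples=(100, 400, 700, 900, 300, 150)):
    """Drive one attack through the model; the inbound Mbps samples are constructed."""
    server = ItpDotsServer(authorized_clients={"enterprise-dms-1"})
    dms = EnterpriseDms(client_id=client_id, server=server)
    for mbps in samples:
        mid = dms.observe(mbps)
        if mid is not None:                      # step 5 runs only while the ITP mitigates
            dms.on_status(server.status_update(mid, mbps))
    return dms.events, server.log


if __name__ == "__main__":
    for event in run_scenario()[0]:
        print(event)
```

<t>Running run_scenario() with the default client walks through local mitigation, escalation to the ITP, and termination once the ITP reports the attack has subsided; calling it with a client identity the ITP was not configured to honor shows the request being refused at step 4 without the ITP's DMS ever being touched.</t>
</section>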
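<section anchor="added-example-orchestration" numbered="false" toc="default">
<name>Added Example: Simulated DDoS Orchestration</name>
<t>The orchestration flow of Section 3.3 (acknowledgment before analysis so that the telemetry system stops retransmitting, correlation across telemetry systems so that a purely local anomaly is not mitigated, administrator approval, and the offloading request from a DMS at capacity subject to a validation check), as an added example that is not part of RFC 8903 or of any DOTS implementation. The message fields, the corroboration threshold, the DMS capacity, the router filter limit and the documentation prefixes are assumptions made for illustration.</t>

```python
"""Simulated DOTS orchestration for the DDoS Orchestration use case.

Added example, not code from RFC 8903 or any DOTS implementation.  Telemetry
systems (DOTS clients) send mitigation requests to an orchestrator (DOTS
server), which acknowledges immediately, drops retransmitted duplicates,
correlates reports across telemetry systems, waits for the administrator's
approval, and validates offload requests from a DMS at capacity.  Message
fields, thresholds and hint contents are constructed for illustration.
"""
from dataclasses import dataclass, field

CORROBORATION_MIN = 2       # telemetry systems that must agree before proposing (assumed)
ENTERPRISE_DMS_MBPS = 5000  # capacity of the local DMS (constructed)
MAX_ROUTER_FILTERS = 8      # validation limit so offloading cannot exhaust the routers


@dataclass
class Orchestrator:
    acked: set = field(default_factory=set)        # (client, mid) already acknowledged
    reports: dict = field(default_factory=dict)    # target prefix to {client: peak mbps}
    pending: dict = field(default_factory=dict)    # proposals awaiting admin approval
    installed: list = field(default_factory=list)  # filters already pushed to routers
    actions: list = field(default_factory=list)    # requests the orchestrator issued

    def on_telemetry_request(self, msg):
        """DOTS server side: acknowledge first, then correlate the report."""
        key = (msg["client"], msg["mid"])
        target = msg["target"]
        if key in self.acked:                      # retransmission: ack again, no new work
            return {"mid": msg["mid"], "status": "acknowledged", "duplicate": True}
        self.acked.add(key)
        self.reports.setdefault(target, {})[msg["client"]] = msg["hints"]["mbps"]
        # What looks like an attack to one probe may be a local anomaly; only
        # propose a mitigation once enough telemetry systems agree on the target.
        agreeing = self.reports[target]
        correlated = len(agreeing) >= CORROBORATION_MIN
        if correlated:
            self.pending[target] = {"peak-mbps": max(agreeing.values()),
                                    "reports": len(agreeing)}
        return {"mid": msg["mid"], "status": "acknowledged", "duplicate": False,
                "correlated": correlated}

    def on_admin_decision(self, target, approve):
        """Administrator (via a DOTS client) approves or declines a proposal."""
        proposal = self.pending.pop(target, None)
        if proposal is None:
            return {"status": "no-pending-mitigation"}
        if not approve:
            return {"status": "declined"}
        # The orchestrator's DOTS client asks the selected DMS to mitigate; the
        # selection rule (local DMS unless the attack exceeds it) is assumed.
        dms = "itp-dms" if proposal["peak-mbps"] > ENTERPRISE_DMS_MBPS else "enterprise-dms"
        self.actions.append(("mitigate", dms, target))
        return {"status": "mitigation-requested", "dms": dms}

    def on_dms_offload(self, msg):
        """A DMS at capacity (acting as DOTS client) asks the orchestrator to offload."""
        under_mitigation = {t for (_, _, t) in self.actions}
        if msg["target"] not in under_mitigation:
            return {"status": "rejected", "reason": "no active mitigation for target"}
        if msg["utilization"] >= 1.0:
            new = [f for f in msg["blocked"] if f not in self.installed]
            room = MAX_ROUTER_FILTERS - len(self.installed)
            accepted = new[:room]                  # validation check: bounded router state
            self.installed.extend(accepted)
            self.actions.append(("filter", "routers", tuple(accepted)))
            return {"status": "offload-accepted", "filters": accepted}
        return {"status": "rejected", "reason": "DMS not at capacity"}


def run_scenario():
    """Constructed message sequence; returns every response plus the actions taken."""
    orch = Orchestrator()
    first = {"client": "probe-a", "mid": 7, "target": "198.51.100.0/24",
             "hints": {"mbps": 8000}}
    out = {}
    out["first"] = orch.on_telemetry_request(first)
    out["retransmit"] = orch.on_telemetry_request(first)       # same (client, mid)
    out["second"] = orch.on_telemetry_request(
        {"client": "probe-b", "mid": 3, "target": "198.51.100.0/24", "hints": {"mbps": 7500}})
    out["lone"] = orch.on_telemetry_request(                    # only one probe sees it
        {"client": "probe-c", "mid": 1, "target": "203.0.113.0/24", "hints": {"mbps": 900}})
    out["approve"] = orch.on_admin_decision("198.51.100.0/24", approve=True)
    out["nothing"] = orch.on_admin_decision("203.0.113.0/24", approve=True)
    out["offload"] = orch.on_dms_offload(
        {"client": "itp-dms", "target": "198.51.100.0/24", "utilization": 1.0,
         "blocked": ["192.0.2.10/32", "192.0.2.11/32"]})
    out["actions"] = list(orch.actions)
    return out


if __name__ == "__main__":
    for name, value in run_scenario().items():
        print(name, value)
```

<t>The lone report against 203.0.113.0/24 is acknowledged but never becomes a proposal, so the administrator has nothing to approve for it; the corroborated report is handed to the ITP DMS because its peak exceeds the local capacity, and the later offload from that DMS is accepted only because a mitigation for that target is already active.</t>
</section>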
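<section anchor="added-example-keepalive" numbered="false" toc="default">
<name>Added Example: Keepalive Loss and Alternate Paths</name>
<t>The Security Considerations name three risks and two partial mitigations for the hardest of them, signaling blocking: preconfigured steps on loss of keepalive traffic and alternate communication paths. The following is an added example, not part of RFC 8903 or of any DOTS implementation, of a DOTS client session that accepts only mutually authenticated messages from a trusted server, moves to the next configured path after a run of missed keepalives, and applies its preconfigured step when every path is silent. The heartbeat interval, the missed-keepalive limit, the path names, the server identity and the preconfigured step label are assumptions for illustration.</t>

```python
"""Keepalive-loss handling for the signaling-blocking risk in Section 4.

Added example, not code from RFC 8903 or any DOTS implementation.  A DOTS
client session accepts messages only from a mutually authenticated, trusted
server, counts missed keepalives, moves to an alternate communication path
when the current one looks blocked, and falls back to preconfigured steps
when every path is lost.  Interval, limit, path names and labels are assumed.
"""
from dataclasses import dataclass, field

HEARTBEAT_INTERVAL_S = 30   # assumed keepalive period
MISSED_MAX = 3              # assumed policy: missed keepalives before acting


@dataclass
class DotsClientSession:
    trusted_server_ids: set       # identities accepted after mutual authentication
    paths: list                   # candidate paths in preference order
    on_loss: str = "continue-local-mitigation"   # preconfigured step (label only)
    path_index: int = 0
    last_heard: float = 0.0
    state: str = "signaling-ok"
    log: list = field(default_factory=list)

    def current_path(self):
        return self.paths[self.path_index]

    def accept(self, msg, now):
        """Process a message only if it arrived authenticated from a trusted peer."""
        if not msg.get("authenticated") or msg.get("server_id") not in self.trusted_server_ids:
            self.log.append(("dropped", msg.get("server_id")))   # impersonation/injection
            return False
        self.last_heard = now
        self.state = "signaling-ok"
        return True

    def tick(self, now):
        """Periodic check: detect keepalive loss and apply the preconfigured steps."""
        if self.state == "signaling-lost":
            return self.state
        missed = int((now - self.last_heard) // HEARTBEAT_INTERVAL_S)
        if missed >= MISSED_MAX:
            if len(self.paths) > self.path_index + 1:
                # The current path may be blocked: try an alternate path that is
                # (hopefully) not subject to the same blocking.
                self.path_index += 1
                self.last_heard = now              # fresh window on the new path
                self.state = "signaling-degraded"
                self.log.append(("switch-path", self.current_path()))
            else:
                # No path left; selective blocking cannot be defended against
                # comprehensively, so fall back to what was agreed in advance.
                self.state = "signaling-lost"
                self.log.append(("apply-preconfigured", self.on_loss))
        return self.state


def run_scenario():
    """Constructed timeline: one forged message, then both paths go silent."""
    s = DotsClientSession(trusted_server_ids={"itp-dots-server"}, paths=["wan", "oob-4g"])
    s.accept({"server_id": "itp-dots-server", "authenticated": True, "type": "heartbeat"}, now=0)
    # A heartbeat that did not pass mutual authentication is ignored, whatever it claims.
    s.accept({"server_id": "itp-dots-server", "authenticated": False, "type": "heartbeat"}, now=20)
    s.tick(now=60)      # two missed keepalives: still within policy
    s.tick(now=100)     # three missed: move to the out-of-band path
    s.accept({"server_id": "itp-dots-server", "authenticated": True, "type": "heartbeat"}, now=130)
    s.tick(now=230)     # three missed on the alternate path as well
    return s


if __name__ == "__main__":
    session = run_scenario()
    print(session.state, session.current_path(), session.log)
```

<t>The session ends in the signaling-lost state on the out-of-band path with three log entries: the forged heartbeat dropped, the switch to the alternate path, and the preconfigured step applied once that path also fell silent.</t>
</section>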
</rfc>
8kTo7QhOnKlDJOjAHjuu0cGy3CQz4t57evneEFLDsY+LKbvHjHIzEHMRk6Dd ag8hg/ztI1BCer7lGDpEmip2+AhfoOM89W+//fnV/MWiPSEQyAmD373DGGek /okFkCrDLmjg7/dVptNC6JN7F0KphNBaJKxh7okog1opoXHNUTb4CI9l4PIT FW7cd+yaiZ0FXNUNXCLQCmOWm4Ueti1zlOGHeIY7RTtJ/iezLkfQ3AIY5aAq alvYVlQXOQVQpNYSA9w19r4jBCJWZV2tdZfzgmZ/z4wz0l8iUT1Jec93n0ru P2GOJDZGqZ2x0xwpDu5nbm5RcdZciKUfqB8zkUmHss1fZth5vuLOcy7oKso6 ibbM1XYo+S2B6DdvHPgDMHtuwJjGkib1jlz6LpXQvxprNsFDTsENwlpp38Gh Yvnbbc1OBHvzPhIC8Kj4qULITnuuqNaN/o3EfIWYLIe2OxviDKozpm4n9ixu kQI1OYbeXW9zVYaV7IrqNIAIBAR6M9VGAlpvspOnBxHS86Hpx5jTfFgR5KE1 kIeWQD6qAvKRBZCPrH/cH/RRlCdI9bBxp1lhetzY539zvbsB79+XLgOp/UfQ 81RJYLK0M1r1iJ9h9Up2Bk5WPa4nq1fvKXpMFq8eiuD/35JHsOsXUzl2NAOJ 4rtKmlPINUpX5s/9fCXfXYDdCm1jwWi3B2eqanLzTUl5P2zzUlVFZzfEiVKG il2OlIpPcxRp3DLlAEej2Gka8x3sHKzEDMqg7X0yMYNZ4hDE8MmJ0LoBvsU+ JoyV3IBrUHbTqb4LwA3bAFTszex547933El49G6InxVzkL38kF+EuospqeFT eQm1iZZtEoz7z9CpioQO2WKN/pZxBeXxyK+B/QOfa1U/zLNTToSDRZ35eea5 KX/pT70kivH8LQeLq9Da9JOHJ00dvM+xaTuhfFutk9+8xEY6vTZvgcilBSnz hKioVaVqV5n5WlIEF9340A2+qpolevg9wkxHVW1lCwJ3UTcQC9LxjpbyoQ70 8qdvz3xC8S1w3GBvyHX0y5LvTX4b9uGBG4u9SNQY5M89sHNLtcRS88YuOyyS BTSxpQjTCdj8ot/WvrknuOHc883dSxzE+pDWVwt9u6TvGZPcjcTzqdD43k0f 3y+f03Zhdcsh7/dpFR4ACRGOCFn3FaB97HQZh7oLJxEO3NtOp62GQC/ERCfc NGr9/BTl/vrpKMVdmZwT5WiDevA2duCTt67xAz3jBzrGD/SLH+gWf4xXPOYU fzWgRgLO+Xni1Y76xPDxvAac3gHhTt7RBB8Cd2/03f1o9RGDIzh3Cf73HTz6 zT9l5TFf+QMGDx3mfyi1P8iz7A/+MP95MLiY8KGve88wljs/7w12Jxzp9JkP BM/PH4jzQ9XUP8uZ9r7004u+a/H+jMl4K8hEBzX5c7XMtXKk3SmpEk4rRLcT X/I+Yfekw8CtbKs7odzXycH3qzfv9ZGsiG0TAYPgXvAZURyGZ+ensoxP6Wk5 4tpzIcHgsdw3pTdmbeP3oEXBHz9vHe6domzwhKuQdt7HyuwpVNOeolfrvgvA nQG13e24moZ+ucOO7NZPH+shGBbbsHEk7gJMco8taGtoY5sWkt1v2lImnXSP 2eun09nrELaF5OOsW/rFaWuNPVJ1dfTi7/gxMIVF31JkmpP7/qukcjPvlNhL PM/UnnaZOD3D9ZU2/7oAn8OWST9ae4Qj4fdwUHkIq8rxJpX+AURDGeSKDxp1 TqPjjsQ6xuvr37u0/JdZLAD6Euc4bZg1RbdcHaozsXaSdMrMkkLTDot/uNHV UShQR0dnXOAtu0Rt5Yd46U1x8uFdB02ew/vXASuna5o0vUHB1G2FPvbND6nJ BdugD9yQV5KTmQSD3pB043kI3yc3GwDugwcHi63a4kfnzDmbHTMp4rYiUNKq 
iPfoRwpBPhvE64WjQoNsNN0mgEKKOyr41H4Ih4GpdSfSCL53GtTM8NAKX4/g q5VMFyzEx6WRW6hQ2C+sbS3mzBWdpqDTuJ6cx45CHvb2tayZIENJeIzFHEWA obgIW6R37SmNwLIh/ElFknqIMl8D8AfGktNKQ90eTCoeasUsSMMXP3AwFMSN pRklrugCG065QqAJcQNQsD99W21Iate9vlZWJR9S8fMi1I3WQsLDV6en+1db 1m3lhuxYVJWtUvImqauTBv2tou1vHdU292hzFd0lJvpdRxGPKcNuJd60ymWI hAgnkKY7dccnw+PvVKxq9QTV3fnOmDW2Y/ieXH8Wy9+Iorp9Pm17bxeqh+A9 2KDUkeiUt/2unmxQPr0PYtCePK61XDt0ApPOGUi8/4OVPdXax+ecpdf81HRN T3Jksj3yOCbdKGPjBVrjBBWqQfBCsmkhr/lAXdAEWNDHvCf5T2qv4NlyeA+M aFcL1e9k0i/54JdXBMZ10lzpealuPHEuO5/0rbuIEUZPyefRMHN+1h3oeZpi tvPuI7/z3QrEEKi7YQY+CaJGPycmk9e9EOq8/1YPzKhh/kgh2596axI9rtMI 9K47vtV1FLXC+Dcp34cv28296yB8FxRku1R3/a8YreS1E7SUgwjy/Hk/FD0/ QfDRz11/nXT8uJfd+dwNvvlQAD7y/UeTZ2DOAoIfTpJJjrrX8BMcdY/P+SmO ui8IUxx1XxCmOOo+GYreDOcPzVj4jw+7P/VFwE5UKERyodRI8OJDuBAqJAYk 8Qhj/E8XbbHFE+T3FlphNY3rSsrxFQU3fIVYcH0q3TlElfbIYUi499WW/nzC X72ALbyUIuFwyd+TI8OZATydk3SZpTT3aRByqk4cJ+8Y6tTCxsZWMTI4lADb pfmgNHVg7nirOg374Mc47OnO+cqU7rK3pT3wtXd0iUvsi0zaFynYQENoVthr HG5zgGDBGTSia0/Desv+PKaY/Dkk39898CZza2+dxE6p5Ai+N7ngcTUhjPdP aMscekqx2Y3u4MKmZKox+YJViF8TBM/wnhKiHsScu7pzimCEuHH+LtsK5/2X U9sm4w0H7C9i2gnJm+tsU5DPiI1He2vwGIvvg6ZLQAJQEQhb9U8ndZ1MZoEN phZsnvvrv1S89w5PwOn5plLEr9T4TLezYeNdG4kLwrXTSDkU07R+TXc45D4z JBKBceEePO4LLWU/oUCiNgjPugEDxafulpBPUElTB6c350u8EAazZCH2y/M2 j0OZp04awo1WKcdSG+2BxCTPAn5rVY9EaHRbhtohMXAjEOKJqIb3NZIqHizo R2qV3tkqubVkPKrZG3U6qImJxvHxeDNWxgcDGLW6c+xnJqaHeqUxerQu8jQF KX0IBbY7t2EX59vS/GUbLaFmmdCaotWa7fklaZKLR31nY09jqlBhJp0l2vvr 2t6M3tWfJ6WfTv2tkf2kDreK+tp0aF0mIhJzgGs/djowVVa921ambx1Shhq7 a0xMUKlwRE0hD2vgyCY2UPMRy242udcrge8nBz148jb17kbCTcxg9dJrp1t5 6UyeT3b5a01DqpvuvYppq14DeH/m/t1q7891J1aT22XRiwhJHuJUETm1sPt4 cRZTIbkNLkgFAFnqA7CD4yvmuNfB1gJ4D2JpusZjhGTxaNFIusdf0EkEHUl9 BS2dnrxqDyK5yf5vaosYAJJKHttiPHeWTXeKQ+DNt8Hi9So9WIdXrDKsIwRI GxHAMDZV6Yb6Om3KmVCnQiRBfzwJMVFXmTDlYgT/sezT711H9sNlXeRnDS1U 65Im6Y8TuPjz6dlEj8mCiinJ9TK+kcvu9YgjPhvuy0jGm0tFSHwm9YlrkLoW ittt7Hqdg0MGQtJLwY/uw1KDZkdNi5Ku2+6aUZYBUvOhJA8LaoCkHRw0xFtT 
NIXoXVwwOpc/St0t+UUBpCt2Et+DPOeY9sW1lngfctJsNbQPHeKAnN1sx/J7 CAb126ybinRIuPIpLJYeL/SnJOg+NpsliegK/9JAxXd+m7zunn2goxE1X9Ls 9Emi/MNyuyHrRn4/4UVP4wEGL3SRV5I765xrinAYk5QyGB+ThRMYenXL8Ryf Dk7OJ76+Hkoy1RHosjYfF7DTHe5/9Yq8c+oXvxjQmap3KsOrsJAamXFVswse ZQ7+d20K5EZ/jaY7CzeUj8Mecok9z4qzinzneKXXtu2fI7kN3ikXBflSWNJ1 /i+S0N9nSI4v/fY755/MuwebJq+cZVMQL5zNrOZALFgP6gEN1+7GG8wIWoIb SIoqTa71QSTXGQcw+uer8HQGH6/Cilm4WRf8CoPeP3vBlcYSG1+e7G+y8n/A RW1IPRdg750tg4JjlhexO9If94xXV5PcknIC1ZmOZeUepfmXUCxL23Hp4s3g e8WjSgKwqzjYXzVVL7OPh0Qd1odQrpHF4oWLsmhquse8AQKWdWjnA7dEJwFG p7iJlTNULnTDGyuTHC/xB6a41Xqn8F7PiAOCS7E6hdABan9FQaQDN2OCU+Av DfchvSliUE/xXgGeHkDJR40E3VnWnpqP4bnmW3a9bs3ZH8Db53ExbiDmO3WD ZhKXORXb6n49BHsPkxvNH22B99cNIHJGDOmaJTfr2oiI8HogQgI4seL056a9 j7azKMKmkxkB9mvviveX4bl4TXdk384N1Z4b1nRdiSm7Fy2LcPwwVRU+esRY pAKlukJnbE16BeZFEvTaVMIl43yLZxZUyvCQ4qiW4OIHcvnl1WVPNYzf4npl Jb3bW4AuQ21PjEXNI4BonazGYFpWJ3z3nvNtrJTpIQOpylt/UzptjJM3pmoK lWsHuhf7n7Ljl/KyzCpQJq8x7i3BXH8pX9utQuf+G9usVKZMBS9V9RGUxUu1 rwxo2fLW7r+Uf0VPf6vQSOCfMmm22oi/qKNyWzOT3+aHI/6tl70Jpoh2+ueX 2KFh8AjbT7ZQ+EZ5zM2BzyrYpQFT+9ICSBjLRweOPJaohC9fyG90+YvC88Pf q6y5DefqTEVhFFWb1lpnS77J8md/aneMPNcg8fAD+FGNCoebD7Bwaj+4Lp+L lZ0HSvdshEM2+B9tAT9wMGsAAA== --></rfc>