| rfc8903xml2.original.xml | rfc8903.xml | |||
|---|---|---|---|---|
| <?xml version="1.0" encoding="utf-8"?> | <?xml version="1.0" encoding="UTF-8"?> | |||
| <?xml-stylesheet type="text/xsl" href="rfc2629.xslt" ?> | <!DOCTYPE rfc SYSTEM "rfc2629-xhtml.ent"> | |||
| <!-- generated by https://github.com/cabo/kramdown-rfc2629 version 1.3.8 --> | ||||
| <!DOCTYPE rfc SYSTEM "rfc2629.dtd" [ | ||||
| <!ENTITY RFC8612 SYSTEM "https://xml2rfc.tools.ietf.org/public/rfc/bibxml/refere | ||||
| nce.RFC.8612.xml"> | ||||
| <!ENTITY RFC8782 SYSTEM "https://xml2rfc.tools.ietf.org/public/rfc/bibxml/refere | ||||
| nce.RFC.8782.xml"> | ||||
| <!ENTITY RFC8783 SYSTEM "https://xml2rfc.tools.ietf.org/public/rfc/bibxml/refere | ||||
| nce.RFC.8783.xml"> | ||||
| <!ENTITY I-D.ietf-dots-multihoming SYSTEM "https://xml2rfc.tools.ietf.org/public | ||||
| /rfc/bibxml3/reference.I-D.ietf-dots-multihoming.xml"> | ||||
| ]> | ||||
| <?rfc rfcedstyle="yes"?> | ||||
| <?rfc toc="yes"?> | ||||
| <?rfc tocindent="yes"?> | ||||
| <?rfc sortrefs="yes"?> | ||||
| <?rfc symrefs="yes"?> | ||||
| <?rfc strict="yes"?> | ||||
| <?rfc comments="yes"?> | ||||
| <?rfc inline="yes"?> | ||||
| <?rfc docmapping="yes"?> | ||||
| <rfc docName="draft-ietf-dots-use-cases-25" category="info"> | <rfc xmlns:xi="http://www.w3.org/2001/XInclude" ipr="trust200902" docName="draft -ietf-dots-use-cases-25" number="8903" submissionType="IETF" category="info" con sensus="true" obsoletes="" updates="" xml:lang="en" tocInclude="true" sortRefs=" true" symRefs="true" version="3"> | |||
| <front> | <front> | |||
| <title abbrev="DOTS Use Cases">Use cases for DDoS Open Threat Signaling</tit | <title abbrev="DOTS Use Cases">Use Cases for DDoS Open Threat Signaling</tit | |||
| le> | le> | |||
| <seriesInfo name="RFC" value="8903"/> | ||||
| <author initials="R." surname="Dobbins" fullname="Roland Dobbins"> | <author initials="R." surname="Dobbins" fullname="Roland Dobbins"> | |||
| <organization>Arbor Networks</organization> | <organization>Netscout, Inc.</organization> | |||
| <address> | <address> | |||
| <postal> | <postal> | |||
| <street></street> | <street/> | |||
| <city></city> | <city/> | |||
| <code></code> | <code/> | |||
| <country>Singapore</country> | <country>Singapore</country> | |||
| </postal> | </postal> | |||
| <email>rdobbins@arbor.net</email> | <email>roland.dobbins@netscout.com</email> | |||
| </address> | </address> | |||
| </author> | </author> | |||
| <author initials="D." surname="Migault" fullname="Daniel Migault"> | <author initials="D." surname="Migault" fullname="Daniel Migault"> | |||
| <organization>Ericsson</organization> | <organization>Ericsson</organization> | |||
| <address> | <address> | |||
| <postal> | <postal> | |||
| <street>8275 Trans Canada Route</street> | <street>8275 Trans Canada Route</street> | |||
| <city>Saint Laurent, QC</city> | <city>Saint Laurent,</city> | |||
| <region>Quebec</region> | ||||
| <code>4S 0B6</code> | <code>4S 0B6</code> | |||
| <country>Canada</country> | <country>Canada</country> | |||
| </postal> | </postal> | |||
| <email>daniel.migault@ericsson.com</email> | <email>daniel.migault@ericsson.com</email> | |||
| </address> | </address> | |||
| </author> | </author> | |||
| <author initials="R." surname="Moskowitz" fullname="Robert Moskowitz"> | <author initials="R." surname="Moskowitz" fullname="Robert Moskowitz"> | |||
| <organization>HTT Consulting</organization> | <organization>HTT Consulting</organization> | |||
| <address> | <address> | |||
| <postal> | <postal> | |||
| <street></street> | <street/> | |||
| <city>Oak Park, MI</city> | <city>Oak Park</city> | |||
| <region>MI</region> | ||||
| <code>48237</code> | <code>48237</code> | |||
| <country>USA</country> | <country>United States of America</country> | |||
| </postal> | </postal> | |||
| <email>rgm@labs.htt-consult.com</email> | <email>rgm@labs.htt-consult.com</email> | |||
| </address> | </address> | |||
| </author> | </author> | |||
| <author initials="N." surname="Teague" fullname="Nik Teague"> | <author initials="N." surname="Teague" fullname="Nik Teague"> | |||
| <organization>Iron Mountain Data Centers</organization> | <organization>Iron Mountain Data Centers</organization> | |||
| <address> | <address> | |||
| <postal> | <postal> | |||
| <street></street> | <street/> | |||
| <city></city> | <city/> | |||
| <code></code> | <code/> | |||
| <country>UK</country> | <country>United Kingdom</country> | |||
| </postal> | </postal> | |||
| <email>nteague@ironmountain.co.uk</email> | <email>nteague@ironmountain.co.uk</email> | |||
| </address> | </address> | |||
| </author> | </author> | |||
| <author initials="L." surname="Xia" fullname="Liang Xia"> | <author initials="L." surname="Xia" fullname="Liang Xia"> | |||
| <organization>Huawei</organization> | <organization>Huawei</organization> | |||
| <address> | <address> | |||
| <postal> | <postal> | |||
| <street>No. 101, Software Avenue, Yuhuatai District</street> | <street>No. 101, Software Avenue, Yuhuatai District</street> | |||
| <city>Nanjing</city> | <city>Nanjing</city> | |||
| <country>China</country> | <country>China</country> | |||
| </postal> | </postal> | |||
| <email>Frank.xialiang@huawei.com</email> | <email>Frank.xialiang@huawei.com</email> | |||
| </address> | </address> | |||
| </author> | </author> | |||
| <author initials="K." surname="Nishizuka" fullname="Kaname Nishizuka"> | <author initials="K." surname="Nishizuka" fullname="Kaname Nishizuka"> | |||
| <organization>NTT Communications</organization> | <organization>NTT Communications</organization> | |||
| <address> | <address> | |||
| <postal> | <postal> | |||
| <street>GranPark 16F 3-4-1 Shibaura, Minato-ku</street> | <street>3-4-1 Shibaura, Minato-ku</street> | |||
| <city>Tokyo</city> | <extaddr>GranPark 16F</extaddr> | |||
| <region>Tokyo</region> | ||||
| <code>108-8118</code> | <code>108-8118</code> | |||
| <country>Japan</country> | <country>Japan</country> | |||
| </postal> | </postal> | |||
| <email>kaname@nttv6.jp</email> | <email>kaname@nttv6.jp</email> | |||
| </address> | </address> | |||
| </author> | </author> | |||
| <date year="2021" month="May"/> | ||||
| <date year="2020" month="July" day="05"/> | ||||
| <area>Security</area> | <area>Security</area> | |||
| <workgroup>DOTS</workgroup> | <workgroup>DOTS</workgroup> | |||
| <keyword>Internet-Draft</keyword> | ||||
| <abstract> | <abstract> | |||
| <t>The DDoS Open Threat Signaling (DOTS) effort is intended to provide | ||||
| <t>The DDoS Open Threat Signaling (DOTS) effort is intended to provide | ||||
| protocols to facilitate interoperability across disparate DDoS | protocols to facilitate interoperability across disparate DDoS | |||
| mitigation solutions. This document presents sample use cases which describe | Mitigation solutions. This document presents sample use cases that describe | |||
| the interactions expected between the DOTS components as well as DOTS | the interactions expected between the DOTS components as well as DOTS | |||
| messaging exchanges. These use cases are meant to identify the | messaging exchanges. These use cases are meant to identify the | |||
| interacting DOTS components, how they collaborate, and what are the | interacting DOTS components, how they collaborate, and what the | |||
| typical information to be exchanged.</t> | typical information to be exchanged is.</t> | |||
| </abstract> | </abstract> | |||
| </front> | </front> | |||
| <middle> | <middle> | |||
| <section anchor="introduction" numbered="true" toc="default"> | ||||
| <section anchor="introduction" title="Introduction"> | <name>Introduction</name> | |||
| <t>At the time of writing, distributed denial-of-service (DDoS) attack | ||||
| <t>At the time of writing, distributed denial-of-service (DDoS) attack | ||||
| mitigation solutions are largely based upon siloed, proprietary | mitigation solutions are largely based upon siloed, proprietary | |||
| communications schemes with vendor lock-in as a side-effect. This can | communications schemes with vendor lock-in as a side effect. This can | |||
| result in the configuration, provisioning, operation, and activation of | result in the configuration, provisioning, operation, and activation of | |||
| these solutions being a highly manual and often time-consuming process. | these solutions being a highly manual and often time-consuming process. | |||
| Additionally, coordinating multiple DDoS mitigation solutions | Additionally, coordinating multiple DDoS Mitigation solutions | |||
| simultaneously is fraught with both technical and process-related | simultaneously is fraught with both technical and process-related | |||
| hurdles. This greatly increases operational complexity which, in turn, | hurdles. This greatly increases operational complexity, which in turn | |||
| can degrade the efficacy of mitigations that are generally highly dependent on | can degrade the efficacy of mitigations that are generally highly dependent on | |||
| a timely reaction by the system.</t> | a timely reaction by the system.</t> | |||
| <t>The DDoS Open Threat Signaling (DOTS) effort is intended to specify | ||||
| <t>The DDoS Open Threat Signaling (DOTS) effort is intended to specify | ||||
| protocols that facilitate interoperability between diverse DDoS | protocols that facilitate interoperability between diverse DDoS | |||
| mitigation solutions and ensure greater integration in term of | Mitigation solutions and ensure greater integration in terms of | |||
| attack detection, mitigation requests, and attack characterization patterns.</t> | attack detection, mitigation requests, and attack characterization patterns.</t> | |||
| <t>As DDoS solutions are broadly heterogeneous among vendors, the | ||||
| <t>As DDoS solutions are broadly heterogeneous among vendors, the | ||||
| primary goal of DOTS is to provide high-level interaction amongst | primary goal of DOTS is to provide high-level interaction amongst | |||
| differing DDoS solutions, such as detecting DDoS attacks, | differing DDoS solutions, such as detecting DDoS attacks, | |||
| initiating/terminating DDoS mitigation assistance, or requesting the | initiating/terminating DDoS Mitigation assistance, or requesting the | |||
| status of a DDoS mitigation.</t> | status of a DDoS Mitigation.</t> | |||
| <t>This document provides sample use cases that provided input for the req | ||||
| <t>This document provides sample use cases that provided input for the requireme | uirements <xref target="RFC8612" format="default"/> and design of | |||
| nts <xref target="RFC8612"/> and design of | the DOTS protocols <xref target="RFC8782" format="default"/><xref target="RFC878 | |||
| the DOTS protocols <xref target="RFC8782"/><xref target="RFC8783"/>. The use cas | 3" format="default"/>. The use cases are not exhaustive, and future use cases ar | |||
| es are not exhaustive and future use cases are | e | |||
| expected to emerge as DOTS is adopted and evolves.</t> | expected to emerge as DOTS is adopted and evolves.</t> | |||
| </section> | ||||
| </section> | <section anchor="terminology-and-acronyms" numbered="true" toc="default"> | |||
| <section anchor="terminology-and-acronyms" title="Terminology and Acronyms"> | <name>Terminology and Acronyms</name> | |||
| <t>This document makes use of the same terminology and definitions as | ||||
| <t>This document makes use of the same terminology and definitions as | <xref target="RFC8612" format="default"/>. In addition, it uses the terms define | |||
| <xref target="RFC8612"/>. In addition it uses the terms defined | d | |||
| below:</t> | below:</t> | |||
| <dl newline="true" spacing="normal"> | ||||
| <t><list style="symbols"> | <dt>DDoS Mitigation System (DMS):</dt><dd>A system that performs DDoS | |||
| <t>DDoS Mitigation System (DMS): A system that performs DDoS mitigation. | Mitigation. The DDoS Mitigation System may be composed of a cluster of | |||
| The DDoS Mitigation System may be composed of a cluster of hardware | hardware and/or software resources but could also involve an orchestrator that | |||
| and/or software resources, but could also involve an orchestrator that | may make decisions, such as outsourcing some or all of the mitigation to | |||
| may take decisions such as outsourcing some or all of the mitigation | another DDoS Mitigation System.</dd> | |||
| to another DDoS Mitigation System.</t> | <dt>DDoS Mitigation:</dt><dd>The action performed by the DDoS Mitigation System. | |||
| <t>DDoS Mitigation: The action performed by the DDoS Mitigation System.</t> | </dd> | |||
| <t>DDoS Mitigation Service: designates a service provided to a | <dt>DDoS Mitigation Service:</dt><dd>Designates a service provided to a | |||
| customer to mitigate DDoS attacks. Each service subscription usually involve Ser | customer to mitigate DDoS attacks. Each service subscription usually involve | |||
| vice | Service Level Agreement (SLA) that has to be met. It is the responsibility of | |||
| Level Agreement (SLA) that has to be met. It is the responsibility of | the DDoS Service provider to instantiate the DDoS Mitigation System to meet | |||
| the DDoS Service provider to instantiate the DDoS Mitigation System to | these SLAs.</dd> | |||
| meet these SLAs.</t> | <dt>DDoS Mitigation Service Provider:</dt><dd>Designates the administrative | |||
| <t>DDoS Mitigation Service Provider: designates the administrative entity | entity providing the DDoS Mitigation Service.</dd> | |||
| providing the DDoS Mitigation Service.</t> | <dt>Internet Transit Provider (ITP):</dt><dd>Designates the entity that | |||
| <t>Internet Transit Provider (ITP): designates the entity that delivers | delivers the traffic to a customer network. It can be an Internet Service | |||
| the traffic to a customer network. It can be an Internet Service Provider | Provider (ISP) or an upstream entity delivering the traffic to the ISP. | |||
| (ISP), or an upstream entity delivering the traffic to the ISP.</t> | </dd> | |||
| </list></t> | </dl> | |||
| </section> | ||||
| </section> | <section anchor="use-cases" numbered="true" toc="default"> | |||
| <section anchor="use-cases" title="Use Cases"> | <name>Use Cases</name> | |||
| <section anchor="use-case-1" numbered="true" toc="default"> | ||||
| <section anchor="use-case-1" title="Upstream DDoS Mitigation by an Upstream Inte | <name>Upstream DDoS Mitigation by an Upstream Internet Transit Provider< | |||
| rnet Transit Provider"> | /name> | |||
| <t>This use case describes how an enterprise or a residential customer | ||||
| <t>This use case describes how an enterprise or a residential customer | ||||
| network may take advantage of a pre-existing relation with its ITP in order to m itigate a DDoS attack targeting its | network may take advantage of a pre-existing relation with its ITP in order to m itigate a DDoS attack targeting its | |||
| network.</t> | network.</t> | |||
| <t>For clarity of discussion, the targeted network is indicated as an en | ||||
| <t>For clarity of discussion, the targeted network is indicated as an enterprise | terprise | |||
| network, but the same scenario applies to any downstream network, including | network, but the same scenario applies to any downstream network, including | |||
| residential and cloud hosting networks.</t> | residential and cloud hosting networks.</t> | |||
| <t>As the ITP provides connectivity to the enterprise | ||||
| <t>As the ITP provides connectivity to the enterprise | ||||
| network, it is already on the path of the inbound and outbound traffic of | network, it is already on the path of the inbound and outbound traffic of | |||
| the enterprise network and well aware of the networking parameters | the enterprise network and is well aware of the networking parameters | |||
| associated to the enterprise network WAN connectivity. This eases both the | associated with the enterprise network WAN connectivity. This eases both the | |||
| configuration and the instantiation of a DDoS Mitigation Service.</t> | configuration and the instantiation of a DDoS Mitigation Service.</t> | |||
| <t>This | ||||
| <t>This | ||||
| section considers two kinds of DDoS Mitigation Service between an | section considers two kinds of DDoS Mitigation Service between an | |||
| enterprise network and an ITP:</t> | enterprise network and an ITP:</t> | |||
| <ul spacing="normal"> | ||||
| <t><list style="symbols"> | <li>The upstream ITP may instantiate a DMS upon | |||
| <t>The upstream ITP may instantiate a DDoS Mitigation System (DMS) upon | ||||
| receiving a request from the enterprise network. This typically | receiving a request from the enterprise network. This typically | |||
| corresponds to the case when the enterprise network is under attack.</t> | corresponds to a case when the enterprise network is under attack.</li> | |||
| <t>On the other hand, the ITP may identify an enterprise network as the | <li>On the other hand, the ITP may identify an enterprise network as t | |||
| he | ||||
| source of an attack and send a mitigation request to the enterprise DMS | source of an attack and send a mitigation request to the enterprise DMS | |||
| to mitigate this at the source.</t> | to mitigate this at the source.</li> | |||
| </list></t> | </ul> | |||
| <t>The two scenarios, though different, have similar interactions betwee | ||||
| <t>The two scenarios, though different, have similar interactions between | n | |||
| the DOTS client and server. For the sake of simplicity, only the first | the DOTS client and server. For the sake of simplicity, only the first | |||
| scenario will be detailed in this section. Nevertheless, the second scenario is also in scope for DOTS.</t> | scenario will be detailed in this section. Nevertheless, the second scenario is also in scope for DOTS.</t> | |||
| <t>In the first scenario, as depicted in <xref target="fig-1"/>, an ente | ||||
| <t>In the first scenario, as depicted in Figure 1, an enterprise network | rprise network | |||
| with self-hosted Internet-facing properties such as Web servers, | with self-hosted Internet-facing properties such as web servers, | |||
| authoritative DNS servers, and VoIP servers has a DMS deployed to | authoritative DNS servers, and Voice over IP (VoIP) servers has a DMS deployed t | |||
| o | ||||
| protect those servers and applications from DDoS attacks. In addition to | protect those servers and applications from DDoS attacks. In addition to | |||
| on-premise DDoS defense capability, the enterprise has contracted with | on-premise DDoS defense capabilities, the enterprise has contracted with | |||
| its ITP for DDoS Mitigation Services when attacks | its ITP for DDoS Mitigation Services when attacks | |||
| threaten to overwhelm the bandwidth of their WAN link(s).</t> | threaten to overwhelm the bandwidth of their WAN link(s).</t> | |||
| <figure anchor="fig-1"> | ||||
| <figure><artwork><![CDATA[ | <name>Upstream Internet Transit Provider DDoS Mitigation</name> | |||
| <artwork name="" type="" align="left" alt=""><![CDATA[ | ||||
| +------------------+ +------------------+ | +------------------+ +------------------+ | |||
| | Enterprise | | Upstream | | | Enterprise | | Upstream | | |||
| | Network | | Internet Transit | | | Network | | Internet Transit | | |||
| | | | Provider | | | | | Provider | | |||
| | +--------+ | | DDoS Attack | | +--------+ | | DDoS Attack | |||
| | | DDoS | | <================================= | | | DDoS | | <================================= | |||
| | | Target | | <================================= | | | Target | | <================================= | |||
| | +--------+ | | +------------+ | | | +--------+ | | +------------+ | | |||
| | | +-------->| DDoS | | | | | +-------->| DDoS | | | |||
| | | | |S | Mitigation | | | | | | |S | Mitigation | | | |||
| skipping to change at line 243 ¶ | skipping to change at line 211 ¶ | |||
| | | | | | | | | | | | | |||
| | +------------+ | | | | | | +------------+ | | | | | |||
| | | DDoS |<---+ | | | | | DDoS |<---+ | | | |||
| | | Mitigation |C | | | | | | Mitigation |C | | | | |||
| | | System | | | | | | | System | | | | | |||
| | +------------+ | | | | | +------------+ | | | | |||
| +------------------+ +------------------+ | +------------------+ +------------------+ | |||
| * C is for DOTS client functionality | * C is for DOTS client functionality | |||
| * S is for DOTS server functionality | * S is for DOTS server functionality | |||
| ]]></artwork> | ||||
| Figure 1: Upstream Internet Transit Provider DDoS Mitigation | </figure> | |||
| ]]></artwork></figure> | <t>The enterprise DMS is configured such that if the incoming Internet | |||
| <t>The enterprise DMS is configured such that if the incoming Internet | ||||
| traffic volume exceeds 50% of the provisioned upstream Internet WAN | traffic volume exceeds 50% of the provisioned upstream Internet WAN | |||
| link capacity, the DMS will request DDoS mitigation assistance from the | link capacity, the DMS will request DDoS Mitigation assistance from the | |||
| upstream transit provider. More sophisticated detection means may be considered | upstream transit provider. More sophisticated detection means may be considered | |||
| as well.</t> | as well.</t> | |||
| <t>The requests to trigger, manage, and finalize a DDoS Mitigation betwe | ||||
| <t>The requests to trigger, manage, and finalize a DDoS Mitigation between | en | |||
| the enterprise DMS and the ITP is performed using DOTS. The enterprise | the enterprise DMS and the ITP are made using DOTS. The enterprise | |||
| DMS implements a DOTS client while the ITP implements a DOTS server | DMS implements a DOTS client while the ITP implements a DOTS server, | |||
| which is integrated with their DMS in this example.</t> | which is integrated with their DMS in this example.</t> | |||
| <t>When the enterprise DMS locally detects an inbound DDoS attack target | ||||
| <t>When the enterprise DMS locally detects an inbound DDoS attack targeting | ing | |||
| its resources (e.g., servers, hosts, or applications), it immediately | its resources (e.g., servers, hosts, or applications), it immediately | |||
| begins a DDoS Mitigation.</t> | begins a DDoS Mitigation.</t> | |||
| <t>During the course of the attack, the inbound traffic volume to the en | ||||
| <t>During the course of the attack, the inbound traffic volume to the enterprise | terprise network exceeds the | |||
| network exceeds the | 50% threshold, and the enterprise DMS escalates the DDoS Mitigation. The | |||
| 50% threshold and the enterprise DMS escalates the DDoS mitigation. The | ||||
| enterprise DMS DOTS client signals to the DOTS server on the upstream ITP | enterprise DMS DOTS client signals to the DOTS server on the upstream ITP | |||
| to initiate DDoS Mitigation. The DOTS server replies to the DOTS client | to initiate DDoS Mitigation. The DOTS server replies to the DOTS client | |||
| that it can serve this request, and mitigation is initiated on the ITP | that it can serve this request, and mitigation is initiated on the ITP | |||
| network by the ITP DMS.</t> | network by the ITP DMS.</t> | |||
| <t>Over the course of the attack, the DOTS server of the ITP periodicall | ||||
| <t>Over the course of the attack, the DOTS server of the ITP periodically | y | |||
| informs the DOTS client on the mitigation status, | informs the DOTS client on the mitigation status, | |||
| statistics related to DDoS attack traffic mitigation, and related | statistics related to DDoS attack traffic mitigation, and related | |||
| information. Once the DDoS attack has ended, or decreased to a certain | information. Once the DDoS attack has ended or decreased to a certain | |||
| level that the enterprise DMS might handle by itself, the DOTS server | level that the enterprise DMS might handle by itself, the DOTS server | |||
| signals the enterprise DMS DOTS client that the attack has subsided.</t> | signals the enterprise DMS DOTS client that the attack has subsided.</t> | |||
| <t>The DOTS client on the enterprise DMS then requests that the ITP term | ||||
| <t>The DOTS client on the enterprise DMS then requests the ITP to terminate | inate | |||
| the DDoS Mitigation. The DOTS server on the ITP receives this request | the DDoS Mitigation. The DOTS server on the ITP receives this request | |||
| and once the mitigation has ended, confirms the end of upstream DDoS | and, once the mitigation has ended, confirms the end of upstream DDoS | |||
| Mitigation to the enterprise DMS DOTS client.</t> | Mitigation to the enterprise DMS DOTS client.</t> | |||
| <t>The following is an overview of the DOTS communication model for this | ||||
| <t>The following is an overview of the DOTS communication model for this | use case:</t> | |||
| use-case:</t> | <ol spacing="normal" type="1"> | |||
| <li>A DDoS attack is initiated against resources of a | ||||
| <t><list style="numbers"> | network organization (here, the enterprise), which has deployed a | |||
| <t>A DDoS attack is initiated against resources of a | DOTS-capable DMS -- typically a DOTS client.</li> | |||
| network organization (here, the enterprise) which has deployed a | <li>The enterprise DMS detects, classifies, and begins the DDoS | |||
| DOTS-capable DMS - typically a DOTS client.</t> | Mitigation.</li> | |||
| <t>The enterprise DMS detects, classifies, and begins the DDoS | <li>The enterprise DMS determines that its capacity and/or capability | |||
| Mitigation.</t> | to mitigate the DDoS attack is insufficient and sends a DOTS DDoS Mitigation req | |||
| <t>The enterprise DMS determines that its capacity and/or capability | uest via its DOTS | |||
| to mitigate the DDoS attack is insufficient, and sends via its DOTS | client to one or more DOTS servers | |||
| client a DOTS DDoS Mitigation request to one or more DOTS servers | residing on the upstream ITP.</li> | |||
| residing on the upstream ITP.</t> | <li>The DOTS server, which receives the DOTS Mitigation request, | |||
| <t>The DOTS server which receives the DOTS Mitigation request | ||||
| determines that it has been configured to honor requests from the | determines that it has been configured to honor requests from the | |||
| requesting DOTS client, and honors the request by orchestrating | requesting DOTS client and does so by orchestrating | |||
| its own DMS.</t> | its own DMS.</li> | |||
| <t>While the DDoS Mitigation is active, the DOTS server | <li>While the DDoS Mitigation is active, the DOTS server | |||
| regularly transmits DOTS DDoS Mitigation status updates to the DOTS | regularly transmits DOTS DDoS Mitigation status updates to the DOTS | |||
| client.</t> | client.</li> | |||
| <t>Informed by the DOTS server status update that the attack has | <li>Informed by the DOTS server status update that the attack has | |||
| ended or subsided, the DOTS client transmits a DOTS DDoS Mitigation | ended or subsided, the DOTS client transmits a DOTS DDoS Mitigation | |||
| termination request to the DOTS server.</t> | termination request to the DOTS server.</li> | |||
| <t>The DOTS server terminates DDoS Mitigation, and sends the | <li>The DOTS server terminates DDoS Mitigation and sends the | |||
| notification to the DOTS client.</t> | notification to the DOTS client.</li> | |||
| </list></t> | </ol> | |||
| <t>Note that communications between the enterprise DOTS client and the | ||||
| <t>Note that communications between the enterprise DOTS client and the | upstream ITP DOTS server may take place in band within the main Internet | |||
| upstream ITP DOTS server may take place in-band within the main Internet | WAN link between the enterprise and the ITP; out of band via a separate, | |||
| WAN link between the enterprise and the ITP; out-of-band via a separate, | ||||
| dedicated wireline network link utilized solely for DOTS signaling; or | dedicated wireline network link utilized solely for DOTS signaling; or | |||
| out-of-band via some other form of network connectivity such as a | out of band via some other form of network connectivity such as | |||
| third-party wireless 4G network connectivity.</t> | third-party wireless 4G network connectivity.</t> | |||
| <t>Note also that a DOTS client that sends a DOTS Mitigation request | ||||
| <t>Note also that a DOTS client that sends a DOTS Mitigation request | may also be triggered by a network admin that manually confirms the | |||
| may be also triggered by a network admin that manually confirms the | ||||
| request to the upstream ITP, in which case the request may be sent from | request to the upstream ITP, in which case the request may be sent from | |||
| an application such as a web browser or a dedicated mobile application.</t> | an application such as a web browser or a dedicated mobile application.</t> | |||
| <t>Note also that when the enterprise is multihomed and connected to | ||||
| <t>Note also that when the enterprise is multihomed and connected to | ||||
| multiple upstream ITPs, each ITP is only able to provide a DDoS | multiple upstream ITPs, each ITP is only able to provide a DDoS | |||
| Mitigation Service for the traffic it transits. As a result, the | Mitigation Service for the traffic it transits. As a result, the | |||
| enterprise network may be required to coordinate the various DDoS Mitigation | enterprise network may be required to coordinate the various DDoS Mitigation | |||
| Services associated to each link. More multi-homing considerations are | Services associated with each link. More multihoming considerations are | |||
| discussed in <xref target="I-D.ietf-dots-multihoming"/>.</t> | discussed in <xref target="I-D.ietf-dots-multihoming" format="default"/>.</t> | |||
| </section> | ||||
| </section> | <section anchor="use-case-2" numbered="true" toc="default"> | |||
| <section anchor="use-case-2" title="DDoS Mitigation by a Third Party DDoS Mitiga | <name>DDoS Mitigation by a Third-Party DDoS Mitigation Service Provider< | |||
| tion Service Provider"> | /name> | |||
| <t>This use case differs from the previous use case described in <xref | ||||
| <t>This use case differs from the previous use case described in Section | target="use-case-1"/> in that the DDoS Mitigation Service is not provided | |||
| 3.1 in that the DDoS Mitigation Service is not provided by an upstream | by an upstream | |||
| ITP. In other words, as represented in Figure 2, the traffic is not | ITP. In other words, as represented in <xref target="fig-2"/>, the traffic is no | |||
| t | ||||
| forwarded through the DDoS Mitigation Service Provider by default. In | forwarded through the DDoS Mitigation Service Provider by default. In | |||
| order to steer the traffic to the DDoS Mitigation Service Provider, some | order to steer the traffic to the DDoS Mitigation Service Provider, some | |||
| network configuration changes are required. As such, this use case is | network configuration changes are required. As such, this use case is | |||
| likely to apply to large enterprises or large data centers, but as for | likely to apply to large enterprises or large data centers but, as for | |||
| the other use cases is not exclusively limited to them.</t> | the other use cases, is not exclusively limited to them.</t> | |||
| <t>Another typical scenario for this use case is for there to be a relat | ||||
| <t>Another typical scenario for this use case is for there to be a relationship | ionship | |||
| between DDoS Mitigation Service Providers, forming an overlay of DMS. When | between DDoS Mitigation Service Providers, forming an overlay of DMS. When | |||
| a DDoS Mitigation Service Provider mitigating a DDoS attack reaches its | a DDoS Mitigation Service Provider mitigating a DDoS attack reaches its | |||
| resources capacity, it may chose to delegate the DDoS Mitigation to | resource capacity, it may choose to delegate the DDoS Mitigation to | |||
| another DDoS Mitigation Service Provider.</t> | another DDoS Mitigation Service Provider.</t> | |||
| <figure anchor="fig-2"> | ||||
| <figure><artwork><![CDATA[ | <name>DDoS Mitigation between an Enterprise Network and a Third-Party DDoS Mitig | |||
| ation Service Provider</name> | ||||
| <artwork name="" type="" align="left" alt=""><![CDATA[ | ||||
| +------------------+ +------------------+ | +------------------+ +------------------+ | |||
| | Enterprise | | Upstream | | | Enterprise | | Upstream | | |||
| | Network | | Internet Transit | | | Network | | Internet Transit | | |||
| | | | Provider | | | | | Provider | | |||
| | +--------+ | | DDoS Attack | | +--------+ | | DDoS Attack | |||
| | | DDoS | | <================================= | | | DDoS | | <================================= | |||
| | | Target | | <================================= | | | Target | | <================================= | |||
| | +--------+ | | | | | +--------+ | | | | |||
| | | | | | | | | | | |||
| | | +------------------+ | | | +------------------+ | |||
| skipping to change at line 370 ¶ | skipping to change at line 325 ¶ | |||
| | | | | | | | | | | |||
| | +------------+ | | +------------+ | | | +------------+ | | +------------+ | | |||
| | | DDoS |<------------>| DDoS | | | | | DDoS |<------------>| DDoS | | | |||
| | | Mitigation |C | | S| Mitigation | | | | | Mitigation |C | | S| Mitigation | | | |||
| | | System | | | | System | | | | | System | | | | System | | | |||
| | +------------+ | | +------------+ | | | +------------+ | | +------------+ | | |||
| +------------------+ +------------------+ | +------------------+ +------------------+ | |||
| * C is for DOTS client functionality | * C is for DOTS client functionality | |||
| * S is for DOTS server functionality | * S is for DOTS server functionality | |||
| ]]></artwork> | ||||
| Figure 2: DDoS Mitigation between an Enterprise Network and Third | </figure> | |||
| Party DDoS Mitigation Service Provider | <t>In this scenario, an enterprise network has entered into a prearrange | |||
| ]]></artwork></figure> | d | |||
| DDoS Mitigation assistance agreement with one or more third-party DDoS | ||||
| <t>In this scenario, an enterprise network has entered into a pre-arranged | ||||
| DDoS mitigation assistance agreement with one or more third-party DDoS | ||||
| Mitigation Service Providers in order to ensure that sufficient DDoS | Mitigation Service Providers in order to ensure that sufficient DDoS | |||
| mitigation capacity and/or capabilities may be activated in the event | Mitigation capacity and/or capabilities may be activated in the event | |||
| that a given DDoS attack threatens to overwhelm the ability of the | that a given DDoS attack threatens to overwhelm the ability of the | |||
| enterprise’s or any other given DMS to mitigate the attack on its own.</t> | enterprise or any other given DMS to mitigate the attack on its own.</t> | |||
| <t>The prearrangement typically includes agreement on the mechanisms | ||||
| <t>The pre-arrangement typically includes agreement on the mechanisms | ||||
| used to redirect the traffic to the DDoS Mitigation Service Provider, as | used to redirect the traffic to the DDoS Mitigation Service Provider, as | |||
| well as the mechanism to re-inject the traffic back to the Enterprise | well as the mechanism to re-inject the traffic back to the Enterprise | |||
| Network. Redirection to the DDoS Mitigation Service Provider typically | Network. Redirection to the DDoS Mitigation Service Provider typically | |||
| involves BGP prefix announcement or DNS redirection, while re-injection | involves BGP prefix announcement or DNS redirection, while re-injection | |||
| of the scrubbed traffic to the enterprise network may be performed via | of the scrubbed traffic to the enterprise network may be performed via | |||
| tunneling mechanisms (e.g., GRE). The exact mechanisms | tunneling mechanisms (e.g., GRE). The exact mechanisms | |||
| used for traffic steering are out of scope of DOTS, but will need to be pre-arra | used for traffic steering are out of scope of DOTS but will need to be prearrang | |||
| nged, while in some contexts such changes could be detected and considered as an | ed, while in some contexts such changes could be detected and considered as an a | |||
| attack.</t> | ttack.</t> | |||
| <t>In some cases, the communication between the enterprise DOTS client a | ||||
| <t>In some cases the communication between the enterprise DOTS client and | nd | |||
| the DOTS server of the DDoS Mitigation Service Provider may go through | the DOTS server of the DDoS Mitigation Service Provider may go through | |||
| the ITP carrying the DDoS attack, which would affect the communication. | the ITP carrying the DDoS attack, which would affect the communication. | |||
| On the other hand, the communication between the DOTS client and DOTS | On the other hand, the communication between the DOTS client and DOTS | |||
| server may take a path that is not undergoing a DDoS attack.</t> | server may take a path that is not undergoing a DDoS attack.</t> | |||
| <figure anchor="fig-3"> | ||||
| <figure><artwork><![CDATA[ | <name>Redirection to a DDoS Mitigation Service Provider</name> | |||
| <artwork name="" type="" align="left" alt=""><![CDATA[ | ||||
| +------------------+ +------------------+ | +------------------+ +------------------+ | |||
| | Enterprise | | Upstream | | | Enterprise | | Upstream | | |||
| | Network | | Internet Transit | | | Network | | Internet Transit | | |||
| | | | Provider | | | | | Provider | | |||
| | +--------+ | | DDoS Attack | | +--------+ | | DDoS Attack | |||
| | | DDoS | |<----------------+ | ++==== | | | DDoS | |<----------------+ | ++==== | |||
| | | Target | | Mitigated | | || ++= | | | Target | | Mitigated | | || ++= | |||
| | +--------+ | | | | || || | | +--------+ | | | | || || | |||
| | | | | | || || | | | | | | || || | |||
| | | +--------|---------+ || || | | | +--------|---------+ || || | |||
| skipping to change at line 422 ¶ | skipping to change at line 373 ¶ | |||
| | | | | | || || | | | | | | || || | |||
| | +------------+ | | +------------+ | || || | | +------------+ | | +------------+ | || || | |||
| | | DDoS |<------------>| DDoS | | || || | | | DDoS |<------------>| DDoS | | || || | |||
| | | mitigation |C | |S | mitigation |<===++ || | | | mitigation |C | |S | mitigation |<===++ || | |||
| | | system | | | | system |<======++ | | | system | | | | system |<======++ | |||
| | +------------+ | | +------------+ | | | +------------+ | | +------------+ | | |||
| +------------------+ +------------------+ | +------------------+ +------------------+ | |||
| * C is for DOTS client functionality | * C is for DOTS client functionality | |||
| * S is for DOTS server functionality | * S is for DOTS server functionality | |||
| ]]></artwork> | ||||
| Figure 3: Redirection to a DDoS Mitigation Service Provider | </figure> | |||
| ]]></artwork></figure> | <t>When the enterprise network is under attack or at least is reaching i | |||
| ts | ||||
| <t>When the enterprise network is under attack or at least is reaching its | ||||
| capacity or ability to mitigate a given DDoS attack, the DOTS | capacity or ability to mitigate a given DDoS attack, the DOTS | |||
| client sends a DOTS request to the DDoS Mitigation Service Provider to | client sends a DOTS request to the DDoS Mitigation Service Provider to | |||
| initiate network traffic diversion – as represented in Figure 3 – and | initiate network traffic diversion -- as represented in <xref target="fig-3"/> - | |||
| DDoS mitigation activities. Ongoing attack and mitigation status | - and | |||
| DDoS Mitigation activities. Ongoing attack and mitigation status | ||||
| messages may be passed between the enterprise network and the DDoS | messages may be passed between the enterprise network and the DDoS | |||
| Mitigation Service Provider using DOTS. If the DDoS attack has stopped or the | Mitigation Service Provider using DOTS. If the DDoS attack has stopped or the | |||
| severity of the attack has subsided, the DOTS client can request the | severity of the attack has subsided, the DOTS client can request that the | |||
| DDoS Mitigation Service Provider to terminate the DDoS Mitigation.</t> | DDoS Mitigation Service Provider terminate the DDoS Mitigation.</t> | |||
| </section> | ||||
| </section> | <section anchor="use-case-3" numbered="true" toc="default"> | |||
| <section anchor="use-case-3" title="DDoS Orchestration"> | <name>DDoS Orchestration</name> | |||
| <t>In this use case, one or more DDoS telemetry systems or monitoring | ||||
| <t>In this use case, one or more DDoS telemetry systems or monitoring | devices monitor a network -- typically an ISP network, an enterprise | |||
| devices monitor a network – typically an ISP network, an enterprise | ||||
| network, or a data center. Upon detection of a DDoS attack, these DDoS | network, or a data center. Upon detection of a DDoS attack, these DDoS | |||
| telemetry systems alert an orchestrator in charge of coordinating the | telemetry systems alert an orchestrator in charge of coordinating the | |||
| various DMS’s within the domain. The DDoS telemetry systems may be | various DMSs within the domain. The DDoS telemetry systems may be | |||
| configured to provide required information, such as a preliminary | configured to provide required information, such as a preliminary | |||
| analysis of the observation, to the orchestrator.</t> | analysis of the observation, to the orchestrator.</t> | |||
| <t>The orchestrator analyzes the various sets of information it receives | ||||
| <t>The orchestrator analyses the various sets of information it receives from DD | from DDoS | |||
| oS | telemetry systems and initiates one or more DDoS Mitigation | |||
| telemetry systems, and initiates one or more DDoS mitigation | strategies. For example, the orchestrator could select the DMS in the enterprise | |||
| strategies. For example, the orchestrator could select the DDoS | network or one provided by the ITP.</t> | |||
| mitigation system in the enterprise network or one provided by the ITP.</t> | <t>DMS selection and DDoS Mitigation techniques may | |||
| depend on the type of the DDoS attack. In some cases, a manual confirmation | ||||
| <t>DDoS Mitigation System selection and DDoS Mitigation techniques may | ||||
| depend on the type of the DDoS attack. In some case, a manual confirmation | ||||
| or selection may also be required to choose a proposed strategy to | or selection may also be required to choose a proposed strategy to | |||
| initiate a DDoS Mitigation. The DDoS Mitigation may consist of multiple | initiate a DDoS Mitigation. The DDoS Mitigation may consist of multiple | |||
| steps such as configuring the network, or of updating already instantiated | steps such as configuring the network or updating already-instantiated | |||
| DDoS mitigation functions. Eventually, the coordination of the | DDoS Mitigation functions. Eventually, the coordination of the | |||
| mitigation may involve external DDoS mitigation resources such as a | mitigation may involve external DDoS Mitigation resources such as a | |||
| transit provider or a Third Party DDoS Mitigation Service Provider.</t> | transit provider or a third-party DDoS Mitigation Service Provider.</t> | |||
| <t>The communication used to trigger a DDoS Mitigation between the DDoS | ||||
| <t>The communication used to trigger a DDoS Mitigation between the DDoS | ||||
| telemetry and monitoring systems and the orchestrator is performed using | telemetry and monitoring systems and the orchestrator is performed using | |||
| DOTS. The DDoS telemetry system implements a DOTS client while the | DOTS. The DDoS telemetry system implements a DOTS client while the | |||
| orchestrator implements a DOTS server.</t> | orchestrator implements a DOTS server.</t> | |||
| <t>The communication between a network administrator and the orchestrato | ||||
| <t>The communication between a network administrator and the orchestrator | r | |||
| is also performed using DOTS. The network administrator uses, for example, a web | is also performed using DOTS. The network administrator uses, for example, a web | |||
| interface which interacts with a DOTS client, while the orchestrator | interface that interacts with a DOTS client, while the orchestrator | |||
| implements a DOTS server.</t> | implements a DOTS server.</t> | |||
| <t>The communication between the orchestrator and the DMSs is performed | ||||
| <t>The communication between the orchestrator and the DDoS Mitigation | using DOTS. The orchestrator implements a DOTS | |||
| Systems is performed using DOTS. The orchestrator implements a DOTS | client while the DMSs implement a DOTS server.</t> | |||
| client while the DDoS Mitigation Systems implement a DOTS server.</t> | <t>The configuration aspects of each DMS, as well as the | |||
| instantiations of DDoS Mitigation functions or network configuration, are | ||||
| <t>The configuration aspects of each DDoS Mitigation System, as well as the | not part of DOTS. Similarly, the discovery of available DDoS Mitigation | |||
| instantiations of DDoS mitigation functions or network configuration is | functions is not part of DOTS and, as such, is out of scope.</t> | |||
| not part of DOTS. Similarly, the discovery of available DDoS mitigation | <figure anchor="fig-4"> | |||
| functions is not part of DOTS; and as such is out of scope.</t> | <name>DDoS Orchestration</name> | |||
| <artwork name="" type="" align="left" alt=""><![CDATA[ | ||||
| <figure><artwork><![CDATA[ | ||||
| +----------+ | +----------+ | |||
| | network |C (Enterprise Network) | | network |C (Enterprise Network) | |||
| | adminis |<-+ | | admini- |<-+ | |||
| | trator | | | | strator | | | |||
| +----------+ | | +----------+ | | |||
| | | | | |||
| +----------+ | S+--------------+ +-----------+ | +----------+ | S+--------------+ +-----------+ | |||
| |telemetry/| +->| |C S| DDoS |+ | |telemetry/| +->| |C S| DDoS |+ | |||
| |monitoring|<--->| Orchestrator |<--->| mitigation|| | |monitoring|<--->| Orchestrator |<--->| mitigation|| | |||
| |systems |C S| |<-+ | systems || | |systems |C S| |<-+ | systems || | |||
| +----------+ +--------------+C | +-----------+| | +----------+ +--------------+C | +-----------+| | |||
| | +----------+ | | +----------+ | |||
| -----------------------------------|----------------- | -----------------------------------|----------------- | |||
| | | | | |||
| | | | | |||
| (Internet Transit Provider) | | (Internet Transit Provider) | | |||
| | +-----------+ | | +-----------+ | |||
| | S| DDoS |+ | | S| DDoS |+ | |||
| +->| mitigation|| | +->| mitigation|| | |||
| | systems || | | systems || | |||
| +-----------+| | +-----------+| | |||
| * C is for DOTS client functionality +----------+ | * C is for DOTS client functionality +----------+ | |||
| * S is for DOTS server functionality | * S is for DOTS server functionality | |||
| ]]></artwork> | ||||
| Figure 4: DDoS Orchestration | </figure> | |||
| ]]></artwork></figure> | <t>The DDoS telemetry systems monitor various aspects of the network tra | |||
| ffic and perform | ||||
| <t>The DDoS telemetry systems monitor various aspects of the network traffic and | ||||
| perform | ||||
| some measurement tasks.</t> | some measurement tasks.</t> | |||
| <t>These systems are configured so that when an event or some measuremen | ||||
| <t>These systems are configured so that when an event or some measurement | t | |||
| indicators reach a predefined level their associated DOTS client sends a | indicators reach a predefined level, their associated DOTS client sends a | |||
| DOTS mitigation request to the orchestrator DOTS server. The DOTS | DOTS mitigation request to the orchestrator DOTS server. The DOTS | |||
| mitigation request may be associated with some optional mitigation hints | mitigation request may be associated with some optional mitigation hints | |||
| to let the orchestrator know what has triggered the request. In particular, it i | to let the orchestrator know what has triggered the request. In particular, it | |||
| s possible for something that locally to one telemetry system looks like an atta | is possible for something that looks like an attack locally to one | |||
| ck is not actually an attack when seen from the broader scope (e.g., of the orch | telemetry system is not actually an attack when seen from the broader sco | |||
| estrator)</t> | pe (e.g., of the orchestrator).</t> | |||
| <t>Upon receipt of the DOTS mitigation request from the DDoS telemetry | ||||
| <t>Upon receipt of the DOTS mitigation request from the DDoS telemetry | system, the orchestrator DOTS server responds with an acknowledgment to | |||
| system, the orchestrator DOTS server responds with an acknowledgment, to | ||||
| avoid retransmission of the request for mitigation. The orchestrator | avoid retransmission of the request for mitigation. The orchestrator | |||
| may begin collecting additional fine-grained and specific information | may begin collecting additional fine-grained and specific information | |||
| from various DDoS telemetry systems in order to correlate the | from various DDoS telemetry systems in order to correlate the | |||
| measurements and provide an analysis of the event. Eventually, the | measurements and provide an analysis of the event. Eventually, the | |||
| orchestrator may ask for additional information from the DDoS telemetry | orchestrator may ask for additional information from the DDoS telemetry | |||
| system; however, the collection of this information is out of scope of DOTS.</t> | system; however, the collection of this information is out of scope of DOTS.</t> | |||
| <t>The orchestrator may be configured to start a DDoS Mitigation upon | ||||
| <t>The orchestrator may be configured to start a DDoS Mitigation upon | ||||
| approval from a network administrator. The analysis from the | approval from a network administrator. The analysis from the | |||
| orchestrator is reported to the network administrator via, for example, a web | orchestrator is reported to the network administrator via, for example, a web | |||
| interface. If the network administrator decides to start the mitigation, | interface. If the network administrator decides to start the mitigation, | |||
| the network administrator triggers the DDoS mitigation request using, for exampl e, a | the network administrator triggers the DDoS Mitigation request using, for exampl e, a | |||
| web interface of a DOTS client communicating to the orchestrator DOTS | web interface of a DOTS client communicating to the orchestrator DOTS | |||
| server. This request is expected to be associated with a context that | server. This request is expected to be associated with a context that | |||
| provides sufficient information to the orchestrator DOTS server to infer, elabo rate and coordinate | provides sufficient information to the orchestrator DOTS server to infer, elabor ate, and coordinate | |||
| the appropriate DDoS Mitigation.</t> | the appropriate DDoS Mitigation.</t> | |||
| <t>Upon receiving a request to mitigate a DDoS attack aimed at a | ||||
| <t>Upon receiving a request to mitigate a DDoS attack aimed at a | ||||
| target, the orchestrator may evaluate the volume of the attack as | target, the orchestrator may evaluate the volume of the attack as | |||
| well as the value that the target represents. The orchestrator may | well as the value that the target represents. The orchestrator may | |||
| select the DDoS Mitigation Service Provider based on the attack | select the DDoS Mitigation Service Provider based on the attack | |||
| severity. It may also coordinate the DDoS Mitigation performed by the | severity. It may also coordinate the DDoS Mitigation performed by the | |||
| DDoS Mitigation Service Provider with some other tasks such as, for | DDoS Mitigation Service Provider with some other tasks such as, for | |||
| example, moving the target to another network so new sessions will not | example, moving the target to another network so new sessions will not | |||
| be impacted. The orchestrator requests a DDoS Mitigation by the selected | be impacted. The orchestrator requests a DDoS Mitigation by the selected | |||
| DDoS mitigation systems via its DOTS client, as described in Section | DMSs via its DOTS client, as described in <xref target="use-case-1"/>.</t> | |||
| 3.1.</t> | <t>The orchestrator DOTS client is notified that the DDoS Mitigation is | |||
| effective by the selected DMSs. The orchestrator DOTS | ||||
| <t>The orchestrator DOTS client is notified that the DDoS Mitigation is | server returns this information to the network administrator.</t> | |||
| effective by the selected DDoS mitigation systems. The orchestrator DOTS | <t>Similarly, when the DDoS attack has stopped, the orchestrator DOTS | |||
| server returns this information back to the network administrator.</t> | client is notified and the orchestrator's DOTS server indicates the end of the | |||
| DDoS Mitigation to the DDoS telemetry systems as well as to the network a | ||||
| <t>Similarly, when the DDoS attack has stopped, the orchestrator DOTS | dministrator.</t> | |||
| client is notified and the orchestrator’s DOTS server indicates | <t>In addition to the DDoS orchestration shown in <xref target="fig-4"/> | |||
| to the DDoS telemetry systems as well as to the network administrator | , the selected DMS can return a mitigation request to the | |||
| the end of the DDoS Mitigation.</t> | ||||
| <t>In addition to the above DDoS Orchestration, the selected DDoS | ||||
| mitigation system can return back a mitigation request to the | ||||
| orchestrator as an offloading. For example, when the DDoS attack becomes severe and | orchestrator as an offloading. For example, when the DDoS attack becomes severe and | |||
| the DDoS mitigation system’s utilization rate reaches its maximum | the DMS's utilization rate reaches its maximum | |||
| capacity, the DDoS mitigation system can send mitigation requests with | capacity, the DMS can send mitigation requests with | |||
| additional hints such as its blocked traffic information to the | additional hints, such as its blocked traffic information, to the | |||
| orchestrator. Then the orchestrator can take further actions such as | orchestrator. Then the orchestrator can take further actions such as | |||
| requesting forwarding nodes such as routers to filter the traffic. In | requesting forwarding nodes (e.g., routers) to filter the traffic. In | |||
| this case, the DDoS mitigation system implements a DOTS client while the | this case, the DMS implements a DOTS client while the | |||
| orchestrator implements a DOTS server. Similar to other DOTS use cases, the offl | orchestrator implements a DOTS server. Similar to other DOTS use cases, the offl | |||
| oading scenario assumes that some validation checks are followed by the DMS, the | oading scenario assumes that some validation checks are followed by the DMS, the | |||
| orchestrator, or both (e.g., avoid exhausting the resources of the forwarding n | orchestrator, or both (e.g., avoid exhausting the resources of the forwarding n | |||
| odes or inadvertent disruption of legitimate services). These validation checks | odes or inadvertent disruption of legitimate services). These validation checks | |||
| are part of the mitigation, and are therefore out of the scope of the document.< | are part of the mitigation and are therefore out of the scope of the document.</ | |||
| /t> | t> | |||
| </section> | ||||
| </section> | </section> | |||
| </section> | <section anchor="security-considerations" numbered="true" toc="default"> | |||
| <section anchor="security-considerations" title="Security Considerations"> | <name>Security Considerations</name> | |||
| <t>The document does not describe any protocol, though there are still a f | ||||
| <t>The document does not describe any protocol, though there are still a few | ew | |||
| high-level security considerations to discuss.</t> | high-level security considerations to discuss.</t> | |||
| <t>DOTS is at risk from three primary attacks: DOTS agent impersonation, t | ||||
| <t>DOTS is at risk from three primary attacks: DOTS agent impersonation, traffic | raffic | |||
| injection, and signaling blocking.</t> | injection, and signaling blocking.</t> | |||
| <t>Impersonation and traffic injection mitigation can be mitigated through | ||||
| <t>Impersonation and traffic injection mitigation can be mitigated through | current secure communications best practices, including mutual authentication. P | |||
| current secure communications best practices including mutual authentication. Pr | reconfigured mitigation | |||
| econfigured mitigation | ||||
| steps to take on the loss of keepalive traffic can partially mitigate | steps to take on the loss of keepalive traffic can partially mitigate | |||
| signal blocking, but in general it is impossible to comprehensively | signal blocking. But in general, it is impossible to comprehensively | |||
| defend against an attacker that can selectively block any or all traffic. | defend against an attacker that can selectively block any or all traffic. | |||
| Alternate communication paths that are (hopefully) not subject to blocking | Alternate communication paths that are (hopefully) not subject to blocking | |||
| by the attacker in question is another potential mitigation.</t> | by the attacker in question is another potential mitigation.</t> | |||
| <t>Additional details of DOTS security requirements can be found in | ||||
| <t>Additional details of DOTS security requirements can be found in | <xref target="RFC8612" format="default"/>.</t> | |||
| <xref target="RFC8612"/>.</t> | <t>Service disruption may be experienced if inadequate mitigation actions | |||
| are applied. These considerations are out of the scope of DOTS.</t> | ||||
| <t>Service disruption may be experienced if inadequate mitigation actions are ap | </section> | |||
| plied. These considerations are out of the scope of DOTS.</t> | <section anchor="iana-considerations" numbered="true" toc="default"> | |||
| <name>IANA Considerations</name> | ||||
| </section> | <t>This document has no IANA actions.</t> | |||
| <section anchor="iana-considerations" title="IANA Considerations"> | </section> | |||
| <t>No IANA considerations exist for this document.</t> | ||||
| </section> | ||||
| <section anchor="acknowledgments" title="Acknowledgments"> | ||||
| <t>The authors would like to thank among others Tirumaleswar Reddy; Andrew | ||||
| Mortensen; Mohamed Boucadair; Artyom Gavrichenkov; Jon Shallow, Yuuhei | ||||
| Hayashi, Elwyn Davies, the DOTS WG chairs, Roman Danyliw and Tobias Gondrom as w | ||||
| ell as | ||||
| the Security AD Benjamin Kaduk for their valuable feedback.</t> | ||||
| <t>We also would like to thank Stephan Fouant that was part of the initial | ||||
| co-authors of the documents.</t> | ||||
| </section> | ||||
| </middle> | </middle> | |||
| <back> | <back> | |||
| <references title='Informative References'> | <displayreference target="I-D.ietf-dots-multihoming" to="DOTS-MULTIHOMING"/> | |||
| &RFC8612; | <references> | |||
| &RFC8782; | <name>Informative References</name> | |||
| &RFC8783; | <xi:include href="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC | |||
| &I-D.ietf-dots-multihoming; | .8612.xml"/> | |||
| <xi:include href="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC | ||||
| .8782.xml"/> | ||||
| <xi:include href="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC | ||||
| .8783.xml"/> | ||||
| <xi:include href="https://datatracker.ietf.org/doc/bibxml3/reference.I-D.i etf-dots-multihoming.xml"/> | ||||
| </references> | </references> | |||
| <section anchor="acknowledgments" numbered="false" toc="default"> | ||||
| <name>Acknowledgments</name> | ||||
| <t>The authors would like to thank, among others, <contact fullname="Tirum | ||||
| aleswar Reddy.K"/>, <contact fullname="Andrew | ||||
| Mortensen"/>, <contact fullname="Mohamed Boucadair"/>, <contact fullname="Artyom | ||||
| Gavrichenkov"/>, <contact fullname="Jon Shallow"/>, <contact fullname="Yuuhei | ||||
| Hayashi"/>, <contact fullname="Elwyn Davies"/>, the DOTS WG Chairs (at the | ||||
| time of writing) <contact fullname="Roman Danyliw"/> and <contact fullname | ||||
| ="Tobias Gondrom"/>, as well as | ||||
| the Security AD <contact fullname="Benjamin Kaduk"/> for their valuable feedback | ||||
| .</t> | ||||
| <t>We also would like to thank <contact fullname="Stephan Fouant"/>, who | ||||
| was one of the initial coauthors of the documents.</t> | ||||
| </section> | ||||
| </back> | </back> | |||
| <!-- ##markdown-source: | ||||
| H4sIALWHAl8AA809a3MbN5Lf8StQtXW11orkxnYeLiW3G8VOvN7Eci7SXu4+ | ||||
| ghyQRDQz4A5mSDOR/8v9lvtl1w8Ag3nRsry3d6xULHEGQHej392A5vO5qE2d | ||||
| 6wv5N6flSjnt5NpW8sULey3f7HQpb7aVVrW8NptS5abcCLVcVnp/IV+8ubmm | ||||
| Uc9xlMjsqlQFTJRVal3Pja7X88zWbt44PaeJ508+E0IomO5CXutVU5n6KA4b | ||||
| nkncHi7kq7LWVanr+QucQ6xUfSFNubZCrGwGa1/IBmZ9JnbmQkhZrVc6c/UR | ||||
| oT8CBFLWdpX8aMpMl3X4wtmqrvTaxd+PRefXujKr+PLKFgWMjU9NCajHZQDV | ||||
| Qu12BBB+I1RTb22FMOFn7v/FYTDDTwv5wi6X8HP8ngn1k81VmQ0e2gqmvayW | ||||
| sAtXuj7Y6rZ9BlBqXV/E39ulVkDM0e9tpse/b8q6OsJOABpqZysdH+lCmfxC | ||||
| VhkD9rVCWBawLeP4vVjI12ajmrzu4fdClUbng4eE37dAbeds2cdMPnvyxWfy | ||||
| plKlA74qVaaATE2tu3jKa2XKWv6gmgp2aSb/7XkXX/nptfzkm8+HyPKUfUwz | ||||
| AnRRMKBfaw/bArhgcktfW3drD6b+dbCpS13VI48J7b/c3MjntnSwDIrSPbdV | ||||
| vlG38kdV3c7k61d9TJ89efrFENG/XV8O9nNTfJ2rpVts63q+YiCmUbxayBut | ||||
| No3u4XdlbvsPCLNXlS0Ba1getga2vlbyuUZxdnKwx5N4TvHv+IOA6vd9TGFZ | ||||
| BPBrAzAVHiTAdNHcjuP6w0L+h1E9RH8wqtx0vucdbNRBmwFKV3YhH3/yeCav | ||||
| 7bo+gI6Tl3tdNnom/7PZNkANI18Y1jE9nK9U+UvKCy2vbk05YNXvQDJuF28N | ||||
| qGIA7+stQTO9i98vYMPc1vza3Pbx+17hvyOPCc0rYtSiaEoDWtjYcqCD5EsA | ||||
| BZlSPv78O/l0/un8sbzemiXIpAI+BdhrO79tetje2Nuj7W3u40+ezZ89fvxs | ||||
| SIK/qp0q+yS4JcC/Lut6//nilx2YlPl8LoGx60oBdcXNVp8wX/IRWpszqddg | ||||
| 5mppHBCq1mApMjAZclfZvcm0gH/BgNjc4ZdrtTK5qVWt6d3K7nSllvjVUapV | ||||
| ZZ2TmXE7VeEbuLIoTA26BMkGZidviH4gT1tYDWxHg6YFltIOTYx0qtjlWjbR | ||||
| /h62ZrWVmXaryiy1qLd+XcAOJ5L67U6vagB4CeZBA474Bllj4IOdLWlWBfPo | ||||
| PMd/ybwW2jm1QQLot6st8I4miACGZGXk20IrgA7QNmg9zfqI04sIAEzQW2om | ||||
| t/aALx3hyxw0jEVCzCTatsMWaI+z4hz1cQfMlJNFrwomD6yz1BGkbMGbWZgs | ||||
| y7UQ4A9UNmsIb/nb70zy6zvxr8lHiMuayFAb4Gm7lgdwLgDWGe4MSN2yQXoB | ||||
| QiA4c7ueO13tzUoDM8B2nUlV12p1O7ptBH2uqo3Oj3IJVMpks8MXTG51NkOO | ||||
| 2VXg7KjqKFYdgZFutdUF7qeptxK0QQYWPber2zkoSNgWBXNkeg6MCLvpuWMF | ||||
| 7A58AZoZqEQIgaJemw3IFM45YwZ18CMhR5zID5DauD97ht+ukW9gY1tElho3 | ||||
| T8mt2WwBl0KVDWwGjgOVhVwEpGO7UOCLsNIKeGYhLrPM4Awqz48zgMdWGQo3 | ||||
| vlOgHUPmJXkbI59wBl9SpbaNg1UBx3Wlms22ZrIsLfyv1qttSayB0PiF55XO | ||||
| gY8ysW0qYIYgPxsUZ5yoXMFPyLSRCDAeuTLXb1EySYpmRMamKmfgTJbAAJtK | ||||
| ZcSNqABgydURuaWFHAQ+sOxGlzAxIB0olumdJpdS2vK//wsoiRSD7wEO5tAl | ||||
| yQp4lq7WxeLjNJEDGQfhSzURAnZKFwV1kJk9mN0TqojIrGGjEUsESlc024bp | ||||
| SDTTVYFMxJIBqMMeMaMlE1b67412qAGI+/hVkGRUFOBE/cpv7eABePWwgSCl | ||||
| jgnSFa9lZVWGdNaIEdIdmEWqwgKRWG5gCdQgIGkFCJrcWNhr2DfSRMYlmpv2 | ||||
| ap7rvc5TpcmTuVpkBsStIi3WgWMmXQNKF8TSoxreYKzcDDQgIE5s/0ckThCB | ||||
| Pucr50DjqHIFGhDk3ZMI30QE4EkNqAHoqj+S+KVrIAijEQNBnOAfZ4Dmrqkp | ||||
| aEPmwwVNpSl6kb/99uefvnv+7PPHT969oz2C6YD9vHZg8rUM5t/+4hm8HX9+ | ||||
| +u4d2YmelShtDVp7qxrAba9p7nVTI0N13hPRVsEWAVCgRoNFwn1Tmd3hQ+LH | ||||
| vc33IOZgz2+Ivja3myM9ugQjWx4LgPB3dftoDo/myj/qmoOuaeiStVC3ABtC | ||||
| CbtA4opuUN1bMtNr2nBiUSdSQi4gTAXIWSlKU+Ncjo0PTOJ4KOitpc7t4UKI | ||||
| P/BOv2555JoUBMj/6+szCPW8wvDbqiu0jm7IHlGbDGcqFEo/22S0UMRfqxw2 | ||||
| ByQbfgGRzNApFYDaH4FRXHBSwdbYpgJ1O5NgItHxymE3cgfWv6T9AGIAG4Mh | ||||
| Q++qJh5TtcD1aqAj4Loia+Si+ECwRlMixzuLxriCCfNA7BYhARyhgI22uppA | ||||
| azFCuwviRS/UnlboCbHmnZhHjm4CuwAXXiZACZJJ9o5BlC6EUqyAkoBLhb95 | ||||
| DHRHPSzktwrwD6Nds0TnbUcLNa4hKxIo6hcWP5CSugQFTNIqH13/cHnGTLBV | ||||
| zntGhQbX4BVZB5ZuB86HM17jBzlGSK67kBOsEAOAKkK1pU/QB94E91CTAwVi | ||||
| AWC4MdLHFX70K3RIh9OrDGTIEKegUkD3sSYLBq97DTg1KSwo/xDzP5wAANEK | ||||
| S8lHr25+PBssyCswzTKdk90jigAIaN5p92TcvZLTKURQdAeWxN5x0T5+4tGr | ||||
| 6x/PSI3Da80OAx9VhEX9egGvZEX8FUYi24mYHwPdFRNho8oK3g0r9Gm0RJ0k | ||||
| 4+NpKrVrzB+/Q0965OP1YVDTMc5w5MbDOhS1g6V1LLvIcxwKoH/lSSk8KWXU | ||||
| BCrbA6epjWblA9HNHPwwtnzkySEi5PIZMEywm+hlgCvZEyqVihXMDAaDpoBB | ||||
| Im6fEN8BZCvwylkI0MkHyBz5J7QZNA6kN4BJzlWGnjlaG9dFM0zMOjCaBLfS | ||||
| JawAHLTb5UaTRKoSNt4eSr8TcSB4o3mDPC5SaqEhWeW2yYC0TAk/IPhCxClA | ||||
| imjqwf0u0fvYE1vbwOQDQA1pBJUDFBlQgEMFcLS2Qc+acglBNFtWUMn8S+BR | ||||
| rzaSjQ50opiNwkYyD34y/5SiAnDuCnTTnABPx66M8sZ9YsKfL686SHkvnj13 | ||||
| dv7BLeoEOQQE4xC0F0c0gTlGtIdkrhaOvVRcErehAhIfrATIM3K6pjRa8Jwh | ||||
| +pogCuqJmx/JmpMzFGURdg9lINW0I2AmBp/CR2CTlQaCUEDmfUQIjGwxQUdP | ||||
| Nh9B5xhqVmwLMheoT9J82Pp8wAgeKPUlChxLF+n4N/w2m2GIwbNZZEpCK+QA | ||||
| unohUsaxV0s+BO1QGUQXieY0Um4kYhhhGCCNSBVBjfgqL440vw+ocEODaFJY | ||||
| YCGalOzXUzJ4q8D2QNhpQD90Eyd+m1vfdwVyDZaXYa1Amy/kd96PdqjUACOY | ||||
| CKQfk1dgCMqc/Yy1qSCWiAriYEBilqhKa2VycskZfs+OC3kFtr6CkRDHciiD | ||||
| jywuG+YgcSa/C76DqI6rMAAk8varsl02DplxtAIcUfOS36EIafl4Nr5bgrSv | ||||
| 0/l6juoIxsRyC0aVHPKDS1Wjrgvu3M966UkDIRCXOTD6RPP+4uo6PiIS/rt9 | ||||
| 9WP4hlwYhbuKIOb2SFqColmgCe4a5ib8uyRgqGRD5oQkoetfpT43TGTLOZiY | ||||
| wvgwF51uCGhRCHY+HJ71OQwhAppTlhCgQWqIYItiyWuoHBzLlAcEeIcCZspc | ||||
| WYAeHuYstUtA42CyqINNRdoPQv3bR+4M45qQyDwfWuXzU8/iwDv5bYtP+Cr+ | ||||
| EB2E+FUy0JeSZPuw/WHgUKQDB59kYHQ8xlbsonPeGZh+iO6XnIHrvXHHD+n3 | ||||
| O/nVVIjX+lCD8TfkCTx0/BT0nU06H0G7S6/4+p8iQv7d9wwMaFzDTwln3n8g | ||||
| /ueNz4et+ME43k0/+78dOMDjvgO7e/VVK6TvH5ju1fMpvh8b2Nur+w4c4nif | ||||
| gR+shkQyzR/kc0rmeisVTOm6KVeci8XQr/P+ded91v299+OAYMou7hP19BQ3 | ||||
| uwld1wKXDk4m6H6ybhQ1muAuryxlvcMqIvjKELM3BVUotAZf67NP/iV4xTEV | ||||
| TyWBPpSg+gWqfrJIq2iPEBZyF4InNJ0/jP6giLPXHvUQ42MZukL/aLfFUIvD | ||||
| m5irpVKOa5ND7BLrTPjakHeoQhaXnLLKbDa6mmF1AGI5tutrg9vz65hjm3pU | ||||
| PYoHL55CPZfkahoXikicWEziG9opTHZy+lJ1WOuwBd+qnXLwGnOU4OqZz6Zj | ||||
| Rtvbem+SaQnvnum3lFkFOvw84jbjm7kld9vTlOLGEFmNxqnkUMSkmnykF5vF | ||||
| rPWS0O9ynFBI3J0zjucKIA7GD+DdL/XGlG5Ib4D0RRNTDitYpU1jMiizTvTX | ||||
| Y+LpMC2wN3Ibsjh6OW5r8yxuY48w2gFhYh6mn6vEfRW9EelWUhInj5FLqhB8 | ||||
| LJsGWIIyWYaDqz5FiIXSCSodo/Weny9Y4jn3Q28zG3gBYGZPRJF4iJfNAlwI | ||||
| TiCaTzoiNwKCsDdvcP3TO9NBdd0mADQ49JmP7bg+6vrgBxDSig6VE2ZUViAF | ||||
| 4KSvmiH6HQ71nNAOZnRDkS2pyS4gKFwl+UI/A7rPVJ0i/s00l98yn2KDsEGZ | ||||
| UnDhheg8wjSFwbofRpkgyEA9EBaIRgaEEZE9hlOk9IjLJBBi5hXztqH6NiRf | ||||
| b8IaJb9VgX4/kHl8kUe3KdZTbNfyh+TYnkSj5S5BmZhA2GQPE7qShQo7r6kw | ||||
| 2woCVfMS1TsaQqcIexKsbZ7bA+XQSH9h0LI3+hDYL1Tz28q1LGwGu8gVJeNE | ||||
| yCleCPF4IS87XNGREbVRmAdJFCCmBKK82GqjylAVfLQFU9SP0c5878OWI1sO | ||||
| G5VAEOcU2eWM5bzNhHSNBOD8pG9VfBBKCnyGWUOwsGujfdDqVW3YY9HVtk8H | ||||
| k8XZkDtCLQ61frDz0tdY2ki0l9fQQwK6BoXTUPoiJE6c3BtFM1P/RkhVMLZ9 | ||||
| O5zkVcAfQQEt0DFIGNRxZhL5YETFAqqfDnmaNyNhZ/94uLAYUoQ2cYlZtcTx | ||||
| Avi2tmzroq51cpJKabKhTA8aEyogjCmoj7YuFSyvPZReFX+2kD9Hf6FPLRQE | ||||
| zEfqoeqp9KbJVYV5HvS1ikD/wRy+ktvsMraCrbURkRU/x7RFr0KVkLczxZg2 | ||||
| E9wNgAU7r9YSgIMSjGCOs4aIxeph+i0BBqD9YsgAUQe6/rQpn+LulbY266A/ | ||||
| hqYXsx9XNmDZ65NJ25hSse1l6DqeMBndBNJYh9jlaoUO0HxJuWxw/HwjTYF9 | ||||
| idG9D5mZqcUT7/VLTKBj0xDNiEKJZUJu95oB44eywsGAMQUJiE4Vzd/UBn3n | ||||
| DFsNsFmkDYBCHwjMX4n+Elw6pawsMhAq0jBtp0YQ8nQKrJSpsjmAhb0vCIp2 | ||||
| Tn76cnTYwu8GZRy54WVoWXlz1aTI+7iC5+C4gflctflhLAjybNxulB87Rk70 | ||||
| GDLdXmrdYQ1Eme1U+P3SjiJOUCAC886tR91SBeKcJbaXHByaaKxmtftV2CUq | ||||
| iGTckCxj6XTQHtT3tLWFb13wpOUUZ+yJSpEBY6OxQOyDIUokkzVLOlfUwMSH | ||||
| 8kTo7QhOnKlDJOjAHjuu0cGy3CQz4t57evneEFLDsY+LKbvHjHIzEHMRk6Dd | ||||
| ag8hg/ztI1BCer7lGDpEmip2+AhfoOM89W+//fnV/MWiPSEQyAmD373DGGek | ||||
| /okFkCrDLmjg7/dVptNC6JN7F0KphNBaJKxh7okog1opoXHNUTb4CI9l4PIT | ||||
| FW7cd+yaiZ0FXNUNXCLQCmOWm4Ueti1zlOGHeIY7RTtJ/iezLkfQ3AIY5aAq | ||||
| alvYVlQXOQVQpNYSA9w19r4jBCJWZV2tdZfzgmZ/z4wz0l8iUT1Jec93n0ru | ||||
| P2GOJDZGqZ2x0xwpDu5nbm5RcdZciKUfqB8zkUmHss1fZth5vuLOcy7oKso6 | ||||
| ibbM1XYo+S2B6DdvHPgDMHtuwJjGkib1jlz6LpXQvxprNsFDTsENwlpp38Gh | ||||
| Yvnbbc1OBHvzPhIC8Kj4qULITnuuqNaN/o3EfIWYLIe2OxviDKozpm4n9ixu | ||||
| kQI1OYbeXW9zVYaV7IrqNIAIBAR6M9VGAlpvspOnBxHS86Hpx5jTfFgR5KE1 | ||||
| kIeWQD6qAvKRBZCPrH/cH/RRlCdI9bBxp1lhetzY539zvbsB79+XLgOp/UfQ | ||||
| 81RJYLK0M1r1iJ9h9Up2Bk5WPa4nq1fvKXpMFq8eiuD/35JHsOsXUzl2NAOJ | ||||
| 4rtKmlPINUpX5s/9fCXfXYDdCm1jwWi3B2eqanLzTUl5P2zzUlVFZzfEiVKG | ||||
| il2OlIpPcxRp3DLlAEej2Gka8x3sHKzEDMqg7X0yMYNZ4hDE8MmJ0LoBvsU+ | ||||
| JoyV3IBrUHbTqb4LwA3bAFTszex547933El49G6InxVzkL38kF+EuospqeFT | ||||
| eQm1iZZtEoz7z9CpioQO2WKN/pZxBeXxyK+B/QOfa1U/zLNTToSDRZ35eea5 | ||||
| KX/pT70kivH8LQeLq9Da9JOHJ00dvM+xaTuhfFutk9+8xEY6vTZvgcilBSnz | ||||
| hKioVaVqV5n5WlIEF9340A2+qpolevg9wkxHVW1lCwJ3UTcQC9LxjpbyoQ70 | ||||
| 8qdvz3xC8S1w3GBvyHX0y5LvTX4b9uGBG4u9SNQY5M89sHNLtcRS88YuOyyS | ||||
| BTSxpQjTCdj8ot/WvrknuOHc883dSxzE+pDWVwt9u6TvGZPcjcTzqdD43k0f | ||||
| 3y+f03Zhdcsh7/dpFR4ACRGOCFn3FaB97HQZh7oLJxEO3NtOp62GQC/ERCfc | ||||
| NGr9/BTl/vrpKMVdmZwT5WiDevA2duCTt67xAz3jBzrGD/SLH+gWf4xXPOYU | ||||
| fzWgRgLO+Xni1Y76xPDxvAac3gHhTt7RBB8Cd2/03f1o9RGDIzh3Cf73HTz6 | ||||
| zT9l5TFf+QMGDx3mfyi1P8iz7A/+MP95MLiY8KGve88wljs/7w12Jxzp9JkP | ||||
| BM/PH4jzQ9XUP8uZ9r7004u+a/H+jMl4K8hEBzX5c7XMtXKk3SmpEk4rRLcT | ||||
| X/I+Yfekw8CtbKs7odzXycH3qzfv9ZGsiG0TAYPgXvAZURyGZ+ensoxP6Wk5 | ||||
| 4tpzIcHgsdw3pTdmbeP3oEXBHz9vHe6domzwhKuQdt7HyuwpVNOeolfrvgvA | ||||
| nQG13e24moZ+ucOO7NZPH+shGBbbsHEk7gJMco8taGtoY5sWkt1v2lImnXSP | ||||
| 2eun09nrELaF5OOsW/rFaWuNPVJ1dfTi7/gxMIVF31JkmpP7/qukcjPvlNhL | ||||
| PM/UnnaZOD3D9ZU2/7oAn8OWST9ae4Qj4fdwUHkIq8rxJpX+AURDGeSKDxp1 | ||||
| TqPjjsQ6xuvr37u0/JdZLAD6Euc4bZg1RbdcHaozsXaSdMrMkkLTDot/uNHV | ||||
| UShQR0dnXOAtu0Rt5Yd46U1x8uFdB02ew/vXASuna5o0vUHB1G2FPvbND6nJ | ||||
| BdugD9yQV5KTmQSD3pB043kI3yc3GwDugwcHi63a4kfnzDmbHTMp4rYiUNKq | ||||
| iPfoRwpBPhvE64WjQoNsNN0mgEKKOyr41H4Ih4GpdSfSCL53GtTM8NAKX4/g | ||||
| q5VMFyzEx6WRW6hQ2C+sbS3mzBWdpqDTuJ6cx45CHvb2tayZIENJeIzFHEWA | ||||
| obgIW6R37SmNwLIh/ElFknqIMl8D8AfGktNKQ90eTCoeasUsSMMXP3AwFMSN | ||||
| pRklrugCG065QqAJcQNQsD99W21Iate9vlZWJR9S8fMi1I3WQsLDV6en+1db | ||||
| 1m3lhuxYVJWtUvImqauTBv2tou1vHdU292hzFd0lJvpdRxGPKcNuJd60ymWI | ||||
| hAgnkKY7dccnw+PvVKxq9QTV3fnOmDW2Y/ieXH8Wy9+Iorp9Pm17bxeqh+A9 | ||||
| 2KDUkeiUt/2unmxQPr0PYtCePK61XDt0ApPOGUi8/4OVPdXax+ecpdf81HRN | ||||
| T3Jksj3yOCbdKGPjBVrjBBWqQfBCsmkhr/lAXdAEWNDHvCf5T2qv4NlyeA+M | ||||
| aFcL1e9k0i/54JdXBMZ10lzpealuPHEuO5/0rbuIEUZPyefRMHN+1h3oeZpi | ||||
| tvPuI7/z3QrEEKi7YQY+CaJGPycmk9e9EOq8/1YPzKhh/kgh2596axI9rtMI | ||||
| 9K47vtV1FLXC+Dcp34cv28296yB8FxRku1R3/a8YreS1E7SUgwjy/Hk/FD0/ | ||||
| QfDRz11/nXT8uJfd+dwNvvlQAD7y/UeTZ2DOAoIfTpJJjrrX8BMcdY/P+SmO | ||||
| ui8IUxx1XxCmOOo+GYreDOcPzVj4jw+7P/VFwE5UKERyodRI8OJDuBAqJAYk | ||||
| 8Qhj/E8XbbHFE+T3FlphNY3rSsrxFQU3fIVYcH0q3TlElfbIYUi499WW/nzC | ||||
| X72ALbyUIuFwyd+TI8OZATydk3SZpTT3aRByqk4cJ+8Y6tTCxsZWMTI4lADb | ||||
| pfmgNHVg7nirOg374Mc47OnO+cqU7rK3pT3wtXd0iUvsi0zaFynYQENoVthr | ||||
| HG5zgGDBGTSia0/Desv+PKaY/Dkk39898CZza2+dxE6p5Ai+N7ngcTUhjPdP | ||||
| aMscekqx2Y3u4MKmZKox+YJViF8TBM/wnhKiHsScu7pzimCEuHH+LtsK5/2X | ||||
| U9sm4w0H7C9i2gnJm+tsU5DPiI1He2vwGIvvg6ZLQAJQEQhb9U8ndZ1MZoEN | ||||
| phZsnvvrv1S89w5PwOn5plLEr9T4TLezYeNdG4kLwrXTSDkU07R+TXc45D4z | ||||
| JBKBceEePO4LLWU/oUCiNgjPugEDxafulpBPUElTB6c350u8EAazZCH2y/M2 | ||||
| j0OZp04awo1WKcdSG+2BxCTPAn5rVY9EaHRbhtohMXAjEOKJqIb3NZIqHizo | ||||
| R2qV3tkqubVkPKrZG3U6qImJxvHxeDNWxgcDGLW6c+xnJqaHeqUxerQu8jQF | ||||
| KX0IBbY7t2EX59vS/GUbLaFmmdCaotWa7fklaZKLR31nY09jqlBhJp0l2vvr | ||||
| 2t6M3tWfJ6WfTv2tkf2kDreK+tp0aF0mIhJzgGs/djowVVa921ambx1Shhq7 | ||||
| a0xMUKlwRE0hD2vgyCY2UPMRy242udcrge8nBz148jb17kbCTcxg9dJrp1t5 | ||||
| 6UyeT3b5a01DqpvuvYppq14DeH/m/t1q7891J1aT22XRiwhJHuJUETm1sPt4 | ||||
| cRZTIbkNLkgFAFnqA7CD4yvmuNfB1gJ4D2JpusZjhGTxaNFIusdf0EkEHUl9 | ||||
| BS2dnrxqDyK5yf5vaosYAJJKHttiPHeWTXeKQ+DNt8Hi9So9WIdXrDKsIwRI | ||||
| GxHAMDZV6Yb6Om3KmVCnQiRBfzwJMVFXmTDlYgT/sezT711H9sNlXeRnDS1U | ||||
| 65Im6Y8TuPjz6dlEj8mCiinJ9TK+kcvu9YgjPhvuy0jGm0tFSHwm9YlrkLoW | ||||
| ittt7Hqdg0MGQtJLwY/uw1KDZkdNi5Ku2+6aUZYBUvOhJA8LaoCkHRw0xFtT | ||||
| NIXoXVwwOpc/St0t+UUBpCt2Et+DPOeY9sW1lngfctJsNbQPHeKAnN1sx/J7 | ||||
| CAb126ybinRIuPIpLJYeL/SnJOg+NpsliegK/9JAxXd+m7zunn2goxE1X9Ls | ||||
| 9Emi/MNyuyHrRn4/4UVP4wEGL3SRV5I765xrinAYk5QyGB+ThRMYenXL8Ryf | ||||
| Dk7OJ76+Hkoy1RHosjYfF7DTHe5/9Yq8c+oXvxjQmap3KsOrsJAamXFVswse | ||||
| ZQ7+d20K5EZ/jaY7CzeUj8Mecok9z4qzinzneKXXtu2fI7kN3ikXBflSWNJ1 | ||||
| /i+S0N9nSI4v/fY755/MuwebJq+cZVMQL5zNrOZALFgP6gEN1+7GG8wIWoIb | ||||
| SIoqTa71QSTXGQcw+uer8HQGH6/Cilm4WRf8CoPeP3vBlcYSG1+e7G+y8n/A | ||||
| RW1IPRdg750tg4JjlhexO9If94xXV5PcknIC1ZmOZeUepfmXUCxL23Hp4s3g | ||||
| e8WjSgKwqzjYXzVVL7OPh0Qd1odQrpHF4oWLsmhquse8AQKWdWjnA7dEJwFG | ||||
| p7iJlTNULnTDGyuTHC/xB6a41Xqn8F7PiAOCS7E6hdABan9FQaQDN2OCU+Av | ||||
| DfchvSliUE/xXgGeHkDJR40E3VnWnpqP4bnmW3a9bs3ZH8Db53ExbiDmO3WD | ||||
| ZhKXORXb6n49BHsPkxvNH22B99cNIHJGDOmaJTfr2oiI8HogQgI4seL056a9 | ||||
| j7azKMKmkxkB9mvviveX4bl4TXdk384N1Z4b1nRdiSm7Fy2LcPwwVRU+esRY | ||||
| pAKlukJnbE16BeZFEvTaVMIl43yLZxZUyvCQ4qiW4OIHcvnl1WVPNYzf4npl | ||||
| Jb3bW4AuQ21PjEXNI4BonazGYFpWJ3z3nvNtrJTpIQOpylt/UzptjJM3pmoK | ||||
| lWsHuhf7n7Ljl/KyzCpQJq8x7i3BXH8pX9utQuf+G9usVKZMBS9V9RGUxUu1 | ||||
| rwxo2fLW7r+Uf0VPf6vQSOCfMmm22oi/qKNyWzOT3+aHI/6tl70Jpoh2+ueX | ||||
| 2KFh8AjbT7ZQ+EZ5zM2BzyrYpQFT+9ICSBjLRweOPJaohC9fyG90+YvC88Pf | ||||
| q6y5DefqTEVhFFWb1lpnS77J8md/aneMPNcg8fAD+FGNCoebD7Bwaj+4Lp+L | ||||
| lZ0HSvdshEM2+B9tAT9wMGsAAA== | ||||
| </rfc> | </rfc> | |||
| End of changes. 92 change blocks. | ||||
| 549 lines changed or deleted | 314 lines changed or added | |||
This html diff was produced by rfcdiff 1.48. The latest version is available from http://tools.ietf.org/tools/rfcdiff/ | ||||