<?xml version="1.0"encoding="US-ASCII"?>encoding="utf-8"?> <!DOCTYPE rfcSYSTEM "rfc2629.dtd"> <?rfc toc="yes"?> <?rfc tocompact="yes"?> <?rfc tocdepth="3"?> <?rfc tocindent="yes"?> <?rfc symrefs="yes"?> <?rfc sortrefs="yes"?> <?rfc comments="yes"?> <?rfc inline="yes"?> <?rfc compact="yes"?> <?rfc subcompact="no"?>[ <!ENTITY nbsp " "> <!ENTITY zwsp "​"> <!ENTITY nbhy "‑"> <!ENTITY wj "⁠"> ]> <rfc xmlns:xi="http://www.w3.org/2001/XInclude" category="std" docName="draft-ietf-dots-telemetry-25"ipr="trust200902">number="9244" ipr="trust200902" obsoletes="" updates="" submissionType="IETF" consensus="true" xml:lang="en" tocInclude="true" tocDepth="3" symRefs="true" sortRefs="true" version="3"> <!-- xml2rfc v2v3 conversion 3.12.2 --> <front> <title abbrev="DOTS Telemetry">Distributed Denial-of-Service Open Threat Signaling (DOTS) Telemetry</title> <seriesInfo name="RFC" value="9244"/> <author fullname="Mohamed Boucadair" initials="M." role="editor" surname="Boucadair"> <organization>Orange</organization> <address> <postal><street></street><street/> <city>Rennes</city> <code>35000</code> <country>France</country> </postal> <email>mohamed.boucadair@orange.com</email> </address> </author> <author fullname="Tirumaleswar Reddy.K" initials="T." role="editor" surname="Reddy.K"> <organization>Akamai</organization> <address> <postal> <street>Embassy Golf Link Business Park</street> <city>Bangalore</city> <region>Karnataka</region> <code>560071</code> <country>India</country> </postal> <email>kondtir@gmail.com</email> </address> </author> <author fullname="Ehud Doron" initials="E." surname="Doron"> <organization>Radware Ltd.</organization> <address> <postal> <street>Raoul Wallenberg Street</street> <city>Tel-Aviv</city> <code>69710</code> <country>Israel</country> </postal> <email>ehudd@radware.com</email> </address> </author> <author fullname="Meiling Chen" initials="M." surname="Chen"> <organization>CMCC</organization> <address> <postal><street>32,<street>32 XuanwumenWest</street> <city>BeiJing</city> <region>BeiJing</region>West Street</street> <city>Beijing</city> <code>100053</code> <country>China</country> </postal> <email>chenmeiling@chinamobile.com</email> </address> </author> <author fullname="Jon Shallow" initials="J." surname="Shallow"><organization></organization><organization/> <address> <postal><street></street> <city></city> <region></region> <code></code><street/> <city/> <region/> <code/> <country>United Kingdom</country> </postal> <email>supjps-ietf@jpshallow.com</email> </address> </author> <date/>month="June" year="2022"/> <area>sec</area> <workgroup>DOTS</workgroup> <keyword>automation</keyword> <keyword>cybersecurity</keyword> <keyword>DDoS</keyword> <keyword>Resilience</keyword> <keyword>Intelligence</keyword> <keyword>Service delivery</keyword><keyword>Robsutness</keyword><keyword>Robustness</keyword> <keyword>Collaborative</keyword> <abstract> <t>This document aims to enrich theDOTSDistributed Denial-of-Service Open Threat Signaling (DOTS) signal channel protocol with various telemetry attributes, allowing for optimal Distributed Denial-of-Service (DDoS) attack mitigation. It specifies the normal traffic baseline and attack traffic telemetry attributes a DOTS client can convey to its DOTS server in the mitigation request, the mitigation status telemetry attributes a DOTS server can communicate to a DOTS client, and the mitigation efficacy telemetry attributes a DOTS client can communicate to a DOTS server. The telemetry attributes can assist the mitigatorto choosein choosing the DDoS mitigation techniques andperformperforming optimal DDoS attack mitigation.</t> <t>This document specifiesatwo YANGmodulemodules: one for representing DOTS telemetry messagetypes. It also specifies a second YANG module to sharetypes and one for sharing the attack mapping details over the DOTS data channel.</t> </abstract> </front> <middle> <section anchor="introduction"title="Introduction">numbered="true" toc="default"> <name>Introduction</name> <t>IT organizations and service providers are facing DistributedDenial of ServiceDenial-of-Service (DDoS) attacks that fall into two broadcategories:<list style="numbers"> <t>Network/Transport layercategories:</t> <ol spacing="normal" type="1"><li> <t>Network-layer and transport-layer attacks target the victim's infrastructure. These attacks are not necessarily aimed at taking down the actual deliveredservices, but rather toservices; rather, these attacks prevent various network elements (routers, switches, firewalls, transit links, and so on) from serving legitimate users' traffic.<vspace blankLines="1" />The</t> <t>The main method of such attacks is to send a large volumeor high packet per second (pps)of traffic (e.g., high-pps (packets per second) traffic) toward the victim's infrastructure. Typically, attack volumes may vary from a few100hundred Mbps to100shundreds of Gbps or even Tbps. Attacks are commonly carried out leveraging botnets and attack reflectors for amplification attacks(Section 3.1 of <xref target="RFC4732"></xref>)(<xref target="RFC4732" sectionFormat="of" section="3.1"/>) such as NTP (Network Time Protocol), DNS (Domain Name System), SNMP (Simple Network Management Protocol), or SSDP (Simple Service Discovery Protocol).</t><t>Application layer</li> <li> <t>Application-layer attacks target various applications. Typical examples include attacks against HTTP/HTTPS, DNS, SIP (Session Initiation Protocol), or SMTP (Simple Mail Transfer Protocol). However, all applications with their port numbers open at network edges can be attractive attack targets.<vspace blankLines="1" />Application layer</t> <t>Application-layer attacks are considered more complex and harder tocategorize,categorize and are therefore harder to detect and mitigate efficiently.</t></list></t></li> </ol> <t>To compound the problem, attackers also leverage multi-vectored attacks. These attacks are assembled from dynamic network-layer and application-layer attack vectors(Network/Application)and other tactics. As such, multiple attack vectors formed by multiple attack types and volumes are launched simultaneouslytowardstoward a victim. Multi-vector attacks are harder to detect and defend against. Multiple and simultaneous mitigation techniques are needed to defeat such attack campaigns. It is also common for attackers to change attack vectors right after a successful mitigation, burdening their opponents with changing their defense methods.</t> <t>The conclusion derived from the aforementioned attack scenarios is that modernattacksattack detection and mitigation are most certainly complicated and highly convoluted tasks. They demand a comprehensive knowledge of the attackattributes,attributes and the normal behavior of the targeted systems (including normal traffic patterns), as well as the attacker's ongoing and past actions. Even more challenging, retrieving all the analytics needed for detecting these attacks is not simple with the industry's current reporting capabilities.</t> <t>TheDOTSDistributed Denial-of-Service Open Threat Signaling (DOTS) signal channel protocol <xreftarget="RFC9132"></xref>target="RFC9132" format="default"/> is used to carry information about a network resource or a network (or a part thereof) that is under a DDoS attack. Such information is sent by a DOTS client to one or multiple DOTS servers so that appropriate mitigation actions are undertaken on traffic deemed suspicious. Various use cases are discussed in <xreftarget="RFC8903"></xref>.</t>target="RFC8903" format="default"/>.</t> <t>DOTS clients can be integrated within a DDoS attackdetector,detector or within network and security elements that have been actively engaged with ongoing attacks. The DOTS client mitigation environment determines that it is no longer possible or practical for it to handle these attacks itself. This can be due to a lack of resources or security capabilities, as derived from the complexities andtheintensity of these attacks. In this circumstance, the DOTS client has invaluable knowledge about the actual attacks that need to be handled by its DOTS server(s). By enabling the DOTS client to share this comprehensive knowledge of an ongoing attack under specific circumstances, the DOTS server can drastically increase its ability to accomplish successful mitigation. While the attack is being handled by the mitigation resources associated with the DOTS server, the DOTS server has knowledge about the ongoing attack mitigation. The DOTS server can share this information with the DOTS client so that the client can better assess and evaluate the actual mitigation realized.</t> <t>DOTS clients can send mitigation hints derived from attack details to DOTS servers, with the full understanding thatthea DOTS server may ignore mitigation hints, as described in <xreftarget="RFC8612"></xref>target="RFC8612" format="default"/> (Gen-004). Mitigation hints will be transmitted across the DOTS signal channel, as the data channel may not be functional during an attack. How a DOTS serveris handlinghandles normal and attack traffic attributes, and mitigation hints, is implementation specific.</t> <t>Both DOTS clients and servers can benefit from this information by presenting various information details in relevant management, reporting, and portal systems.</t> <t>This document defines DOTS telemetry attributes that can be conveyed by DOTS clients to DOTS servers, and vice versa. The DOTS telemetry attributes are not mandatory attributes of the DOTS signal channel protocol <xreftarget="RFC9132"></xref>.target="RFC9132" format="default"/>. When no limitation policy is provided to a DOTS agent, it can signal available telemetry attributes toitits peers in order to optimize the overall mitigation service provisioned using DOTS. The aforementioned policy can be, for example, agreed upon during a service subscription(that(which is out ofscope)scope for this document) to identify a subset of DOTS clients among those deployed in a DOTS client domain that are allowed to send or receive telemetry data.</t><t>Also, the<t><xref target="data" format="default"/> of this document specifies a YANG module(<xref target="data"></xref>)that augments the DOTS data channel <xreftarget="RFC8783"></xref>target="RFC8783" format="default"/> with information related to attackdetails information.details. Sharing such details during 'idle' time is meant to optimize the data exchanged over the DOTS signal channel.</t> </section> <section anchor="notation"title="Terminology">numbered="true" toc="default"> <name>Terminology</name> <t>The key words"MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY","<bcp14>MUST</bcp14>", "<bcp14>MUST NOT</bcp14>", "<bcp14>REQUIRED</bcp14>", "<bcp14>SHALL</bcp14>", "<bcp14>SHALL NOT</bcp14>", "<bcp14>SHOULD</bcp14>", "<bcp14>SHOULD NOT</bcp14>", "<bcp14>RECOMMENDED</bcp14>", "<bcp14>NOT RECOMMENDED</bcp14>", "<bcp14>MAY</bcp14>", and"OPTIONAL""<bcp14>OPTIONAL</bcp14>" in this document are to be interpreted as described inBCP 14BCP 14 <xref target="RFC2119"/> <xreftarget="RFC2119"></xref><xref target="RFC8174"></xref>target="RFC8174"/> when, and only when, they appear in all capitals, as shown here.</t> <t>The reader should be familiar with the terms defined in <xreftarget="RFC8612"></xref>.</t>target="RFC8612" format="default"/>.</t> <t>"DOTSTelemetry"telemetry" is defined as the collection of attributes that are used to characterize the normal traffic baseline, attacks and their mitigation measures, and any related information that may help in enforcing countermeasures.DOTS Telemetry"DOTS telemetry" is an optional set of attributes that can be signaled in the DOTS signal channel protocol.</t><t>Telemetry<t>The Telemetry Setup Identifier (tsid) is an identifier that is generated by DOTS clients to uniquely identify DOTS telemetry setup configuration data. See <xreftarget="PUT"></xref>target="PUT" format="default"/> for more details.</t><t>Telemetry<t>The Telemetry Identifier (tmid) is an identifier that is generated by DOTS clients to uniquely identify DOTS telemetry data that is communicated prior to or during a mitigation. See <xreftarget="preCtoS"></xref>target="preCtoS" format="default"/> for more details.</t><t>When two telemetry requests overlap, "overlapped"<t>"Overlapped" lower numeric 'tsid' (or 'tmid') refers to the lower 'tsid' (or 'tmid') value ofthesetwo overlapping telemetry requests.</t> <t>The term "pipe" represents the maximum level of traffic that the DOTS client domain can receive. Whether a "pipe" is mapped to one or a group of network interfaces isdeployment-specific.deployment specific. For example, each interconnection link may be considered as a specific pipe if the DOTS server is hosted by each upstream provider, while the aggregate of all links to connect to upstream network providers can be considered by a DOTS client domain as a single pipe when communicating with a DOTS server not hosted by these upstream providers.</t><t>The<t>This document uses IANA-assigned Enterprise Numbers. These numbers are also known as "Private Enterprise Numbers" and "SMI (Structure of Management Information) Network Management Private Enterprise Codes" <xreftarget="Private-Enterprise-Numbers"></xref>.</t>target="Private-Enterprise-Numbers" format="default"/>.</t> <t>Themeaningmeanings of the symbols in YANG tree diagrams are defined in <xreftarget="RFC8340"></xref>target="RFC8340" format="default"/> and <xreftarget="RFC8791"></xref>.</t>target="RFC8791" format="default"/>.</t> <t>Consistent with the convention set inSection 2 of<xreftarget="RFC8783"></xref>,target="RFC8783" sectionFormat="of" section="2"/>, the examples in <xreftarget="vam"></xref>target="vam" format="default"/> use "/restconf" as the discovered RESTCONF API root path. Within these examples, some protocol header lines are split into multiple lines for display purposes only. When a line ends with a backslash('\')("\") as the last character, the line is wrapped for display purposes. It is considered to be joined to the next line by deleting the backslash, the following line break, and the leading whitespace of the next line.</t> </section> <section anchor="overview"title="DOTSnumbered="true" toc="default"> <name>DOTS Telemetry: Overview andPurpose">Purpose</name> <t>Timely and effective signaling of up-to-date DDoS telemetry to all elements involved in the mitigation process is essential and improves the overall DDoS mitigationserviceservice's effectiveness. Bidirectional feedback between DOTS agents is required for increased awareness by each party of the attack and mitigation efforts, supporting a superior and highly efficient attack mitigation service.</t> <sectiontitle="Neednumbered="true" toc="default"> <name>Need for MoreVisibility">Visibility</name> <t>When signaling a mitigation request, it is most certainly beneficial for DOTS clients to signal to DOTS servers any knowledge regarding ongoing attacks. This can happen in cases where DOTS clients are asking DOTS servers for support in defending against attacks that they have already detected and/or (partially) mitigated.</t> <t>If attacks are already detected and categorized within a DOTS client domain, the DOTS server, and its associated mitigation services, can proactively benefit from this information and optimize the overall service delivery. It is important to note that DOTS client domains' and DOTS server domains' detection and mitigation approaches can bedifferent,different and can potentially result in different results and attack classifications. The DDoS mitigation service treats the ongoing attack details received from DOTS clients as hints and cannot completely rely on or trust the attack details conveyed by DOTS clients.</t> <t>In addition to the DOTS server directly using telemetry data as operational hints, the DOTSserverserver's security operation team also benefits from telemetry data. A basic requirement of security operation teams is to be aware of and get visibility into the attacks they need to handle. This holds especially for the case of ongoing attacks, where DOTS telemetry provides data about the current attack status. Even if some mitigation can be automated, operational teams can use the DOTS telemetry information to be prepared for attack mitigation and to assign the correct resources(operation(e.g., operation staff, networkingand mitigation)resources, mitigation resources) for the specific service. Similarly, security operations personnel at the DOTS client side ask for feedback about their requests for protection. Therefore, it is valuable for DOTS servers to share DOTS telemetry with DOTS clients.</t> <t>Mutual sharing of information is thus crucial for "closing the mitigation loop" between DOTS clients and servers. For theserver sideserver-side team, it is important to confirm that the same attacks that the DOTS server's mitigation resources are seeing are thosethatfor which a DOTS client isasking for mitigation of.requesting mitigation. For the DOTSclient sideclient-side team, it is important to realize that the DOTS clients receive the requiredservice. Forservice -- for example, understanding that "I asked for mitigation of twoattacksattacks, and my DOTS server detects and mitigates only one ofthem".them." Cases of inconsistency in attack classification between DOTS clients and servers can be highlighted, and maybe handled, using the DOTS telemetry attributes.</t> <t>In addition, management and orchestration systems, at both the DOTS client and server sides, can use DOTS telemetry as feedback to automate various control and management activities derived from signaled telemetry information.</t> <t>If the DOTS server's mitigation resources have the capabilities to facilitate the DOTS telemetry, the DOTS server adapts its protection strategy and activates the required countermeasures immediately (automation enabled) for the sake of optimized attack mitigation decisions and actions.TheDiscussion regarding the interface from the DOTS server to the mitigator to signal the telemetry data is out ofscope.</t>scope for this document.</t> </section> <sectiontitle="Enhanced Detection">numbered="true" toc="default"> <name>Enhanced Detection</name> <t>DOTS telemetry can also be used as input for determining what values to use for the tuning parameters available on the mitigation resources. During the last few years, DDoS attack detection technologies have evolved from threshold-based detection (that is, cases when all or specific parts of traffic cross a predefined threshold for a certain period of time is considered as an attack) to an "anomaly detection" approach. For the latter, it is required to maintain rigorous learning of "normal" behavior, and an "anomaly" (or an attack) is identified and categorized based on the knowledge about the normal behavior and a deviation from this normal behavior. Statistical and artificial intelligence algorithms (e.g., machine learning) are used such that the actual traffic thresholds are automatically calculated by learning the protected entity's normal traffic behavior during 'idle' time (i.e., no mitigation is active). The normal traffic characterization learned is referred to as the "normal traffic baseline". An attack is detected when the victim's actual traffic is deviating from this normal baseline pattern.</t> <t>In addition, subsequent activities toward mitigating an attack are much more challenging. The ability to distinguish legitimate traffic from attacker traffic on a per-packet basis is complex. For example, a packet may look "legitimate" and no attack signature can be identified. The anomaly can be identified only after detailed statistical analysis. DDoS attack mitigators use the normal baseline during the mitigation of an attack to identify and categorize the expected appearance of a specific traffic pattern. Particularly, the mitigators use the normal baseline to recognize the "level of normality" that needs to be achieved during the various mitigationprocess.</t>processes.</t> <t>Normal baseline calculation is performed based on continuous learning of the normal behavior of the protected entities. The minimum learning period varies from hours to days and even weeks, depending on the protectedapplicationapplications' behavior. The baseline cannot be learned during active attacks because attack conditions do not characterize the protected entities' normal behavior.</t> <t>If the DOTS client has calculated the normal baseline of its protected entities, signaling such information to the DOTS server along with the attack traffic levels provides value. The DOTS server benefits from this telemetry by tuning its mitigation resources with the DOTS client's normal baseline. The DOTSserverserver's mitigators use the baseline to familiarize themselves with the attack victim's normal behavior and target the baseline as the level of normality they need to achieve. Fed with this information, the overall mitigationperformancesperformance is expected to be improved in terms of time to mitigate, accuracy, and false-negative and false-positive rates.</t> <t>Mitigation of attacks without having certain knowledge of normal traffic can be inaccurate at best. This is especially true for recursive signaling (seeSection 3.2.3 of<xreftarget="RFC8811"></xref>).target="RFC8811" sectionFormat="of" section="3.2.3"/>). Given that DOTS clients can be integrated in a highly diverse set of scenarios and use cases, this emphasizes the need for knowledge of the behavior of each DOTS client domainbehavior,-- especially given that common global thresholds for attack detectionpractically cannotcan almost never be realized. Each DOTS client domain can have its own levels of traffic and normal behavior. Without facilitating normal baseline signaling, it may be very difficult for DOTS servers in some cases to detect and mitigate the attacksaccurately: <list style="empty"> <t>Itaccurately:</t> <ul spacing="normal"> <li>It is important to emphasize that it is practically impossible for the DOTS server's mitigators to calculate the normal baseline in cases where they do not have any knowledge of the trafficbeforehand.</t> </list></t>beforehand.</li> </ul> <t>Of course, this information can be provided using out-of-band mechanisms or manualconfigurationconfiguration, at the risk of unmaintained information becoming inaccurate as the network evolves and "normal" patterns change. The use of a dynamic and collaborative means between the DOTS client and server to identify and share key parameters for the sake of efficient DDoS protection is valuable.</t> </section> <sectiontitle="Efficient Mitigation">numbered="true" toc="default"> <name>Efficient Mitigation</name> <t>During ahigh volumehigh-volume attack, DOTS client pipes can be totally saturated. DOTS clients ask their DOTS servers to handle the attack upstream so that DOTS client pipes return to a reasonable load level (normal pattern, ideally). At this point, it is essential to ensure that the mitigator does not overwhelm the DOTS client pipes by sending back large volumes of "clean traffic", or what it believes is "clean". This can happen when the mitigator has not managed to detect and mitigate all the attacks launchedtowardstoward the DOTS client domain.</t> <t>In this case, it can be valuable to DOTS clients to signal to DOTS servers the total pipe capacity, which is the level of traffic the DOTS client domain can absorb from its upstream network. Thisusuallyis usually the circuitsizesize, which includes all the packet overheads. Dynamic updates of the condition of pipes between DOTS agents while they are under a DDoS attackisare essential (e.g., where multiple DOTS clients share the same physical connectivity pipes). The DOTS server should activate other mechanisms to ensure that it does not allow the DOTS client domain's pipes to be saturated unintentionally. The rate-limit action defined in <xreftarget="RFC8783"></xref>target="RFC8783" format="default"/> is a reasonable candidate to achieve this objective; the DOTS client can indicate the type(s) of traffic (such as ICMP, UDP, TCP port number 80) it prefers to limit. The rate-limit action can be controlled via the signal channel <xreftarget="RFC9133"></xref>target="RFC9133" format="default"/> even when the pipe is overwhelmed.</t> </section> </section> <sectiontitle="Design Overview"> <t></t>numbered="true" toc="default"> <name>Design Overview</name> <sectiontitle="Overviewnumbered="true" toc="default"> <name>Overview of TelemetryOperations">Operations</name> <t>The DOTS protocol suite is divided into two logical channels: the signal channel <xreftarget="RFC9132"></xref>target="RFC9132" format="default"/> and data channel <xreftarget="RFC8783"></xref>.target="RFC8783" format="default"/>. This division is due to the vastly different requirements placed upon the traffic they carry. The DOTS signal channel must remain available and usable even in the face of attack traffic that might,e.g.,for example, saturate one direction of the links involved, rendering acknowledgment-based mechanisms unreliable and strongly incentivizing messages to be small enough to be contained in a single IP packet(Section 2.2 of <xref target="RFC8612"></xref>).(<xref target="RFC8612" sectionFormat="of" section="2.2"/>). In contrast, the DOTS data channel is available for high-bandwidth data transfer before or after an attack, using more conventional transport protocol techniques(Section 2.3 of <xref target="RFC8612"></xref>).(<xref target="RFC8612" sectionFormat="of" section="2.3"/>). It is generally preferable to perform advance configuration over the DOTS data channel, including configuring aliases for static or nearly static data sets such as sets of network addresses/prefixes that might be subject to related attacks. This design helps to optimize the use of the DOTS signal channel for the small messages that are important to deliver during an attack. As a reminder,boththe DOTS signal channel and datachannelschannel both require secure communication channels(Section 11 of <xref target="RFC9132"></xref>(<xref target="RFC9132" sectionFormat="of" section="11"/> andSection 10 of<xreftarget="RFC8783"></xref>).</t>target="RFC8783" sectionFormat="of" section="10"/>).</t> <t>Telemetry information has aspects that correspond to both operational modes (i.e., signal channel and datachannels):channel): there is certainly a need to convey updated information about ongoing attack traffic and targets during an attack, so as to convey detailed information about mitigation status and inform updates to mitigation strategy in the face of adaptive attacks. However, it is also useful to provide mitigation services with a picture of normal or "baseline" traffictowardstoward potential targets to aid in detecting when incoming traffic deviates from normal into being an attack. Also, one might populate a "database" of classifications of known types ofattackattacks so that a short attack identifier can be used during an attacktimeperiod to describe an observed attack. This specification does make provision for use of the DOTS data channel for the latter function (<xreftarget="vam"></xref>),target="vam" format="default"/>) but otherwise retains most telemetry functionality in the DOTS signal channel.</t> <t>Note that it is a functional requirement to convey information about ongoing attack traffic during an attack, and information about baseline traffic uses an essentially identical data structure that is naturally defined to sit next to the description of attack traffic. The related telemetry setup information used to parameterize actual traffic data is also sent over the signal channel, out of expediency.</t> <t>This document specifies an extension to the DOTS signal channel protocol. Considerations about how to establish, maintain, and make use of the DOTS signal channel are specified in <xreftarget="RFC9132"></xref>.</t>target="RFC9132" format="default"/>.</t> <t>Once the DOTS signal channel is established, DOTS clients that support the DOTS telemetry extension proceed with the telemetry setup configuration (e.g., measurement interval, telemetry notification interval, pipe capacity, normal traffic baseline) as detailed in <xreftarget="conf"></xref>.target="conf" format="default"/>. DOTS agents can then include DOTS telemetry attributes using the DOTS signal channel (<xreftarget="pre"></xref>).target="pre" format="default"/>). A DOTS client can use separate messages to share with its DOTS server(s) a set of telemetry data bound to an ongoing mitigation (<xreftarget="preCtoS"></xref>).target="preCtoS" format="default"/>). Also, a DOTS client that is interested in receiving telemetry notifications related to some of its resources follows the procedure defined in <xreftarget="preStoC"></xref>. Thetarget="preStoC" format="default"/>. A DOTS client that receives such notifications can then decide to send a mitigation request ifthe notifiedan attack cannot be mitigated locally within the DOTS client domain.</t> <t>Aggregate DOTS telemetry data can also be included in efficacy update (<xreftarget="effu-S"></xref>)target="effu-S" format="default"/>) or mitigation update (<xreftarget="premStoC"></xref>)target="premStoC" format="default"/>) messages.</t> </section> <sectiontitle="Block-wise Transfer">numbered="true" toc="default"> <name>Block-Wise Transfers</name> <t>DOTS clients can useblock wisea block-wise transfer <xreftarget="RFC7959"></xref>target="RFC7959" format="default"/> with the recommendation detailed inSection 4.4.2 of<xreftarget="RFC9132"></xref>target="RFC9132" sectionFormat="of" section="4.4.2"/> to control the size of a response when the data to be returned does not fit within a single datagram.</t> <t>DOTS clients can also useCoAPthe Constrained Application Protocol (CoAP) Block1 Option in a PUT request(Section 2.5 of <xref target="RFC7959"></xref>)(<xref target="RFC7959" sectionFormat="of" section="2.5"/>) to initiate large transfers, but these Block1 transfers are likely to fail if the inbound "pipe" is running full because the transfer requires a message from the server for each block, which would likely be lost in the incoming flood. Consideration needs to be made to try to fit this PUT into a single transfer or to separate out the PUT into several discrete PUTs where each of them fits into a single packet.</t> <t>Q-Block1 and Q-Block2 Options that are similar to the CoAP Block1 and Block2 Options, but enable robust transmissions of big blocks of data with less packet interchanges using NON messages, are defined in <xreftarget="I-D.ietf-core-new-block"></xref>.target="RFC9177" format="default"/>. DOTS implementations can consider the use of Q-Block1 and Q-Block2 Options <xreftarget="I-D.ietf-dots-robust-blocks"></xref>.</t>target="I-D.ietf-dots-robust-blocks" format="default"/>.</t> </section> <sectiontitle="DOTS Multi-homing Considerations">numbered="true" toc="default"> <name>DOTS Multihoming Considerations</name> <t>Considerations formulti-homedmultihomed DOTS clients to select which DOTS server to contact and which IP prefixes to include in a telemetry message to a given peer DOTS server are discussed in <xreftarget="I-D.ietf-dots-multihoming"></xref>.target="I-D.ietf-dots-multihoming" format="default"/>. For example, if each upstream network exposes a DOTS server and the DOTS client maintains DOTS channels with all of them, only the information related to prefixes assigned by an upstream network to the DOTS client domain will be signaled via the DOTS channel established with the DOTS server of that upstream network.</t> <t>Considerations related to whether (and how) a DOTS client gleans some telemetry information (e.g., attack details) it receives from a first DOTS server andshareshares it with a second DOTS server are implementation and deployment specific.</t> </section> <sectiontitle="YANG Considerations">numbered="true" toc="default"> <name>YANG Considerations</name> <t>Telemetry messages exchanged between DOTS agents are serialized using Concise Binary Object Representation (CBOR) <xreftarget="RFC8949"></xref>.target="RFC8949" format="default"/>. CBOR-encoded payloads are used to carry signal-channel-specific payload messageswhichthat convey request parameters and response information such as errors.</t> <t>This document specifies a YANG module <xreftarget="RFC7950"></xref>target="RFC7950" format="default"/> for representing DOTS telemetry message types (<xreftarget="module"></xref>).target="module" format="default"/>). All parameters in the payload of the DOTS signal channel are mapped to CBOR types as specified in <xreftarget="map1"></xref>.target="map1" format="default"/>. As a reminder,Section 3 of<xreftarget="RFC9132"></xref>target="RFC9132" sectionFormat="of" section="3"/> defines the rules for mapping YANG-modeled data to CBOR.</t> <t>The DOTS telemetry module (<xreftarget="module"></xref>)target="module" format="default"/>) is not intended to be used viaNETCONF/RESTCONFthe Network Configuration Protocol (NETCONF) / RESTCONF for DOTS server management purposes. It serves only to provide a data model and encoding following <xreftarget="RFC8791"></xref>.target="RFC8791" format="default"/>. Server deviations(Section 5.6.3 of <xref target="RFC7950"></xref>)(<xref target="RFC7950" sectionFormat="of" section="5.6.3"/>) are strongly discouraged, as the peer DOTS agent does not have the means to retrieve the list of deviations and thus interoperability issues are likely to be encountered.</t> <t>The DOTS telemetry module (<xreftarget="module"></xref>)target="module" format="default"/>) uses "enumerations" rather than "identities" to define units, samples, and intervals because otherwise the namespace identifier "ietf-dots-telemetry" must be included when a telemetry attribute is included (e.g., in a mitigation efficacy update). The use of "identities" is thus suboptimal fromathe standpoint of message compactness, as message compactnessstandpoint;is one of the key requirements for DOTSSignal Channelsignal channel messages.</t> <t>The DOTS telemetry module (<xreftarget="module"></xref>)target="module" format="default"/>) includes some lists for which nokey"key" statement is included. This behavior is compliant with <xreftarget="RFC8791"></xref>.target="RFC8791" format="default"/>. The reason for not including these keys isbecausethat they are not included in the message body of DOTS requests; such keys are included as mandatory Uri-Paths in requests(Sections <xref(Sections <xref format="counter"target="conf"></xref>target="conf"/> and <xref format="counter"target="pre-t"></xref>).target="pre-t"/>). Otherwise, whenever akey"key" statement is used in the module, the same definition as the definition provided inSection 7.8.2 of<xreftarget="RFC7950"></xref>target="RFC7950" sectionFormat="of" section="7.8.2"/> is assumed.</t> <t>Some parameters (e.g.,low percentilelow-percentile values) may be associated with different YANG types (e.g., decimal64 and yang:gauge64). To easily distinguish the types of these parameters while using meaningful names, the following suffixes are used:</t><texttable> <ttcol>Suffix</ttcol> <ttcol>YANG Type</ttcol> <ttcol>Example</ttcol> <c>-g</c> <c>yang:gauge64</c> <c>low-percentile-g</c> <c>-c</c> <c>container</c> <c>connection-c</c> <c>-ps</c> <c>per second</c> <c>connection-ps</c> </texttable><table anchor="tab-1" align="center"> <name>Suffixes and YANG Types</name> <thead> <tr> <th align="left">Suffix</th> <th align="left">YANG Type</th> <th align="left">Example</th> </tr> </thead> <tbody> <tr> <td align="left">-g</td> <td align="left">yang:gauge64</td> <td align="left">low-percentile-g</td> </tr> <tr> <td align="left">-c</td> <td align="left">container</td> <td align="left">connection-c</td> </tr> <tr> <td align="left">-ps</td> <td align="left">per second</td> <td align="left">connection-ps</td> </tr> </tbody> </table> <t>The full tree diagram of the DOTS telemetry module can be generated using the "pyang" tool <xreftarget="PYANG"></xref>.target="PYANG" format="default"/>. That tree is not included here because it is too long(Section 3.3 of <xref target="RFC8340"></xref>).(<xref target="RFC8340" sectionFormat="of" section="3.3"/>). Instead, subtrees are provided for the reader's convenience.</t> <t>In order to optimize the data exchanged over the DOTS signal channel,thethis document specifies a second YANG module("ietf-dots-mapping",("ietf-dots-mapping"; see <xreftarget="data"></xref>)target="data" format="default"/>) that augments the DOTS data channel <xreftarget="RFC8783"></xref>.target="RFC8783" format="default"/>. This augmentation can be used during 'idle' time to share the attack mapping details (<xreftarget="attackdetails"></xref>).target="attackdetails" format="default"/>). DOTS clients can use tools, e.g., the YANG Library <xreftarget="RFC8525"></xref>,target="RFC8525" format="default"/>, to retrieve the list of features and deviations supported by the DOTS server over the data channel.</t> </section> </section> <sectiontitle="Generic Considerations"> <t></t>numbered="true" toc="default"> <name>Generic Considerations</name> <sectiontitle="DOTSnumbered="true" toc="default"> <name>DOTS ClientIdentification">Identification</name> <t>Following the rules inSection 4.4.1 of<xreftarget="RFC9132"></xref>,target="RFC9132" sectionFormat="of" section="4.4.1"/>, a unique identifier is generated by a DOTS client to prevent request collisions ('cuid').</t> <t>As a reminder, <xreftarget="RFC9132"></xref>target="RFC9132" sectionFormat="of" section="4.4.1.3"/> forbids 'cuid' to be returned in a response message body.</t> </section> <sectiontitle="DOTS Gateways">numbered="true" toc="default"> <name>DOTS Gateways</name> <t>DOTS gateways may be located between DOTS clients and servers. The considerations elaborated inSection 4.4.1 of<xreftarget="RFC9132"></xref>target="RFC9132" sectionFormat="of" section="4.4.1"/> must be followed. In particular, the 'cdid' attribute is used to unambiguously identify a DOTS client domain.</t> <t>As a reminder,Section 4.4.1.3 of<xreftarget="RFC9132"></xref>target="RFC9132" sectionFormat="of" section="4.4.1.3"/> forbids 'cdid' (if present) to be returned in a response message body.</t> </section> <sectiontitle="Empty URI Paths">numbered="true" toc="default"> <name>Uri-Path Parameters and Empty Values</name> <t>Uri-Path parameters and attributes with empty valuesMUST NOT<bcp14>MUST NOT</bcp14> be present in a request. The presence of such an empty value renders the entire containing message invalid.</t> </section> <section anchor="control"title="Controllingnumbered="true" toc="default"> <name>Controlling ConfigurationData">Data</name> <t>The DOTS server follows the same considerations discussed inSection of 4.5.3 of<xreftarget="RFC9132"></xref>target="RFC9132" sectionFormat="of" section="4.5.3"/> for managing DOTS telemetry configuration freshness andnotification.</t>notifications.</t> <t>Likewise, a DOTS client may control the selection of configuration and non-configuration data nodes when sending a GET request by means of the 'c' (content) Uri-Query option and following the procedure specified inSection of 4.4.2 of<xreftarget="RFC9132"></xref>.target="RFC9132" sectionFormat="of" section="4.4.2"/>. These considerations are not reiterated in the following sections.</t> </section> <sectiontitle="Message Validation">numbered="true" toc="default"> <name>Message Validation</name> <t>The authoritativereferencereferences for validating telemetry messages exchanged over the DOTS signal channel areSections <xrefSections <xref format="counter"target="conf"></xref>,target="conf"/>, <xref format="counter"target="pre-t"></xref>,target="pre-t"/>, and <xref format="counter"target="status"></xref>target="status"/> together with the mapping tableestablishedprovided in <xreftarget="map1"></xref>.target="map1" format="default"/>. The structure of telemetry message bodies is represented as a YANG data structure (<xreftarget="module"></xref>).</t>target="module" format="default"/>).</t> </section> <section anchor="note-examples"title="Anumbered="true" toc="default"> <name>A NoteAbout Examples">about Examples</name> <t>Examples are provided for illustration purposes.TheThis document does not aim to provide a comprehensive list of message examples.</t> <t>JSON encoding of YANG-modeled data is used to illustrate the various telemetry operations. To ease readability, parameter names and their JSON typesare, thus,are thus used in the examples rather than their CBOR key values and CBOR types following the mappings in <xreftarget="map1"></xref>.target="map1" format="default"/>. These conventions are inherited from <xreftarget="RFC9132"></xref>.</t>target="RFC9132" format="default"/>.</t> <t>The examples usetheEnterprise Number3247332473, which is defined for documentationuseuse; see <xreftarget="RFC5612"></xref>.</t>target="RFC5612" format="default"/>.</t> </section> </section> <sectiontitle="Telemetryanchor="tel-op-paths" numbered="true" toc="default"> <name>Telemetry OperationPaths">Paths</name> <t>As discussed inSection 4.2 of<xreftarget="RFC9132"></xref>,target="RFC9132" sectionFormat="of" section="4.2"/>, each DOTS operation is indicated by a path suffix that indicates the intended operation. The operation path is appended to the path prefix to form the URI used with a CoAP request to perform the desired DOTS operation. The following telemetry path suffixes are defined(Table 2):<figure> <artwork><![CDATA[ +-----------------+----------------+-----------+ | Operation | Operation Path | Details | +=================+================+===========+ | Telemetry Setup | /tm-setup | Section 6 | | Telemetry | /tm | Section 7 | +-----------------+----------------+-----------+ Table 2: DOTS(<xref target="tab-2"/>):</t> <table anchor="tab-2"> <name>DOTS TelemetryOperations]]></artwork> </figure></t>Operations</name> <thead> <tr> <th>Operation</th> <th>Operation Path</th> <th>Details</th> </tr> </thead> <tbody> <tr> <td>Telemetry Setup</td> <td>/tm-setup</td> <td><xref target="conf"/></td> </tr> <tr> <td>Telemetry</td> <td>/tm</td> <td><xref target="pre-t"/></td> </tr> </tbody> </table> <t>Consequently, the "ietf-dots-telemetry" YANG module defined in <xreftarget="module"></xref>target="module" format="default"/> defines a data structure to represent new DOTS message types called 'telemetry-setup' and 'telemetry'. The tree structure is shown in <xreftarget="abstract"></xref>.target="abstract-basic" format="default"/>. More details are provided inSections <xrefSections <xref format="counter"target="conf"></xref>target="conf"/> and <xref format="counter"target="pre-t"></xref>target="pre-t"/> about the exact structure of 'telemetry-setup' and 'telemetry' message types.</t><t><figure anchor="abstract" title="New<figure anchor="abstract-basic"> <name>New DOTS Message Types (YANG TreeStructure)"> <artwork><![CDATA[Structure)</name> <sourcecode name="" type="yangtree"><![CDATA[ structure dots-telemetry: +-- (telemetry-message-type)? +--:(telemetry-setup) | ... | +-- telemetry* [] | ... | +-- (setup-type)? | +--:(telemetry-config) | | ... | +--:(pipe) | | ... | +--:(baseline) | ... +--:(telemetry) ...]]></artwork> </figure></t>]]></sourcecode> </figure> <t>DOTS implementationsMUST<bcp14>MUST</bcp14> support the Observe Option <xreftarget="RFC7641"></xref>target="RFC7641" format="default"/> for 'tm' (<xreftarget="pre-t"></xref>).</t>target="pre-t" format="default"/>).</t> </section> <section anchor="conf"title="DOTSnumbered="true" toc="default"> <name>DOTS Telemetry SetupConfiguration">Configuration</name> <t>In reference to <xreftarget="abstract"></xref>,target="abstract-basic" format="default"/>, a DOTS telemetry setup messageMUST<bcp14>MUST</bcp14> include only telemetry-related configuration parameters (<xreftarget="tconfig"></xref>) ortarget="tconfig" format="default"/>), information about DOTS client domain pipe capacity (<xreftarget="tpipe"></xref>)target="tpipe" format="default"/>), or information about the telemetry traffic baseline (<xreftarget="tbl"></xref>).target="tbl" format="default"/>). As such, requests that include a mix of telemetry configuration, pipe capacity, and traffic baselineMUSTinformation <bcp14>MUST</bcp14> be rejected by DOTS servers with a 4.00 (BadRequest).</t>Request) Response Code.</t> <t>A DOTS client can reset all installed DOTS telemetry setup configuration data following the considerations detailed in <xreftarget="reseta"></xref>.</t>target="reseta" format="default"/>.</t> <t>A DOTS server may detect conflicts when processing requests related to DOTS client domain pipe capacity or telemetry traffic baseline information with requests from other DOTS clients of the same DOTS client domain. More details are included in <xreftarget="conflict"></xref>.</t>target="conflict" format="default"/>.</t> <t>Telemetry setup configuration is bound to a DOTS client domain. DOTS serversMUST NOT<bcp14>MUST NOT</bcp14> expect DOTS clients to send regular requests to refresh the telemetry setup configuration. Any available telemetry setup configuration is validtilluntil the DOTS server ceases to service a DOTS client domain. DOTS serversMUST NOT<bcp14>MUST NOT</bcp14> reset 'tsid' because a session failed with a DOTS client. DOTS clients update their telemetry setup configuration upon change of a parameter that may impact attack mitigation.</t> <t>DOTS telemetry setup configuration request and response messages are marked as Confirmable messages(Section 2.1 of <xref target="RFC7252"></xref>).</t>(<xref target="RFC7252" sectionFormat="of" section="2.1"/>).</t> <section anchor="tconfig"title="Telemetry Configuration">numbered="true" toc="default"> <name>Telemetry Configuration</name> <t>DOTS telemetry uses several percentile values to provide a picture of a traffic distribution overall, as opposed to just a single snapshot of observed traffic at a single point in time. Modeling raw traffic flow data as a distribution and describing that distribution entails choosing a measurement period that the distribution will describe, and a number of sampling intervals, or "buckets", within that measurement period. Traffic within each bucket is treated as a single event (i.e., averaged), and then the distribution of buckets is used to describe the distribution of traffic over the measurement period. A distribution can be characterized by statistical measures (e.g., mean, median, and standarddeviation),deviation) and also by reporting the value of the distribution at various percentile levels of the data set in question (e.g., "quartiles" that correspond to 25th, 50th, and 75thpercentile).percentiles). More details about percentile values and their computation are found inSection 11.3 of<xreftarget="RFC2330"></xref>.</t>target="RFC2330" sectionFormat="of" section="11.3"/>.</t> <t>DOTS telemetry uses up to three percentile values, plus the overall peak, to characterize traffic distributions. Which percentile thresholds are used for these"low", "medium","low-percentile", "mid-percentile", and"high" percentile"high-percentile" values is configurable. Default values are defined in <xreftarget="PUT"></xref>.</t>target="PUT" format="default"/>.</t> <t>A DOTS client can negotiate with its server(s) a set of telemetry configuration parameters to be used for telemetry. Such parameters include:</t><t><list style="symbols"> <t>Percentile-related<ul spacing="normal"> <li>Percentile-related measurement parameters. In particular, 'measurement-interval' defines the periodonduring which percentiles are computed, while 'measurement-sample' defines the time distribution for measuring values that are used to computepercentiles.</t> <t>Measurement units</t> <t>Acceptablepercentiles.</li> <li>Measurement units.</li> <li>Acceptable percentilevalues</t> <t>Telemetryvalues.</li> <li>Telemetry notificationinterval</t> <t>Acceptable Server-originated telemetry</t> </list></t> <t></t>interval.</li> <li>Acceptable server-originated telemetry.</li> </ul> <section anchor="acc"title="Retrievenumbered="true" toc="default"> <name>Retrieving the Current DOTS TelemetryConfiguration">Configuration</name> <t>A GET request is used to obtain acceptable and current telemetry configuration parameters on the DOTS server. This request may include a 'cdid' Uri-Path when the request is relayed by a DOTS gateway. An example of such a GET request (without a gateway) is depicted in <xreftarget="GETa"></xref>.</t> <t><figure anchor="GETa" title="GETtarget="GETa" format="default"/>.</t> <figure anchor="GETa"> <name>GET to Retrieve the Current and Acceptable DOTS TelemetryConfiguration "> <artwork><![CDATA[Header:Configuration</name> <sourcecode name="" type="json"><![CDATA[Header: GET (Code=0.01) Uri-Path: ".well-known" Uri-Path: "dots" Uri-Path: "tm-setup" Uri-Path:"cuid=dz6pHjaADkaFTbjr0JGBpw"]]></artwork> </figure></t>"cuid=dz6pHjaADkaFTbjr0JGBpw" ]]></sourcecode> </figure> <t>Upon receipt of such a request, and assuming that no error is encountered when processing the request, the DOTS server replies with a 2.05 (Content) response that conveys the telemetry parameters that are acceptablebyto the DOTS server, any pipe information (<xreftarget="tpipe"></xref>),target="tpipe" format="default"/>), and the current baseline information (<xreftarget="tbl"></xref>)target="tbl" format="default"/>) maintained by the DOTS server for this DOTS client. The tree structure of the response message body is provided in <xreftarget="tree-acceptable"></xref>.</t>target="tree-acceptable" format="default"/>.</t> <t>DOTS servers that support the capability of sending telemetry information to DOTS clients prior to or during a mitigation (<xreftarget="premStoC"></xref>) setstarget="premStoC" format="default"/>) set 'server-originated-telemetry' under 'max-config-values' to 'true' ('false' is used otherwise). If 'server-originated-telemetry' is not present in a response, this is equivalent to receiving a response with 'server-originated-telemetry' set to 'false'.</t><t><figure anchor="tree-acceptable" title="Telemetry<figure anchor="tree-acceptable"> <name>Telemetry Configuration TreeStructure"> <artwork><![CDATA[Structure</name> <sourcecode name="" type="yangtree"><![CDATA[ structure dots-telemetry: +-- (telemetry-message-type)? +--:(telemetry-setup) | +-- (direction)? | | +--:(server-to-client-only) | | +-- max-config-values | | | +-- measurement-interval? interval | | | +-- measurement-sample? sample | | | +-- low-percentile? percentile | | | +-- mid-percentile? percentile | | | +-- high-percentile? percentile | | | +-- server-originated-telemetry? boolean | | | +-- telemetry-notify-interval? uint16 | | +-- min-config-values | | | +-- measurement-interval? interval | | | +-- measurement-sample? sample | | | +-- low-percentile? percentile | | | +-- mid-percentile? percentile | | | +-- high-percentile? percentile | | | +-- telemetry-notify-interval? uint16 | | +-- supported-unit-classes | | | +-- unit-config* [unit] | | | +-- unit unit-class | | | +-- unit-status boolean | | +-- supported-query-type* query-type | +-- telemetry* [] | +-- (direction)? | | +--:(server-to-client-only) | | +-- tsid? uint32 | +-- (setup-type)? | +--:(telemetry-config) | | +-- current-config | | +-- measurement-interval? interval | | +-- measurement-sample? sample | | +-- low-percentile? percentile | | +-- mid-percentile? percentile | | +-- high-percentile? percentile | | +-- unit-config* [unit] | | | +-- unit unit-class | | | +-- unit-status boolean | | +-- server-originated-telemetry? boolean | | +-- telemetry-notify-interval? uint16 | +--:(pipe) | | ... | +--:(baseline) | ... +--:(telemetry) ...]]></artwork> </figure></t>]]></sourcecode> </figure> <t>When both 'min-config-values' and 'max-config-values' attributes are present, the values carried in 'max-config-values' attributesMUST<bcp14>MUST</bcp14> be greater than or equal to theircounterpartcounterparts in 'min-config-values' attributes.</t> </section> <section anchor="PUT"title="Conveyingnumbered="true" toc="default"> <name>Conveying the DOTS TelemetryConfiguration">Configuration</name> <t>A PUT request is used to convey the configuration parameters for the telemetry data (e.g.,low, mid,low-, mid-, orhigh percentilehigh-percentile values). For example, a DOTS client may contact its DOTS server to change the default percentile values used as the baseline for telemetry data. <xreftarget="tree-acceptable"></xref>target="tree-acceptable" format="default"/> lists the attributes that can be set by a DOTS client in such a PUT request. An example of a DOTS client that modifies all percentile reference values is shown in <xreftarget="tput"></xref>. <list style="empty"> <t>Note:target="tput" format="default"/>. </t> <aside><t> Note: The payload of the message depicted in <xreftarget="tput"></xref>target="tput" format="default"/> is CBOR-encoded as indicated by setting the Content-Formatsetentry to "application/dots+cbor"(Section 10.3 of <xref target="RFC9132"></xref>).(<xref target="RFC9132" sectionFormat="of" section="10.3"/>). However, and for the sake of better readability, the example (and other similar figures depicting a DOTS telemetry message body) follows the conventions set in <xreftarget="note-examples"></xref>:target="note-examples" format="default"/>: use the JSON names and types defined in <xreftarget="map1"></xref>.</t> </list></t> <t><figure anchor="tput" title="PUTtarget="map1" format="default"/>. </t></aside> <figure anchor="tput"> <name>PUT to Convey the DOTS Telemetry Configuration,depictedDepicted as per Section5.6"> <artwork align="left"><![CDATA[Header:5.6</name> <sourcecode name="" type="json"><![CDATA[Header: PUT (Code=0.03) Uri-Path: ".well-known" Uri-Path: "dots" Uri-Path: "tm-setup" Uri-Path: "cuid=dz6pHjaADkaFTbjr0JGBpw" Uri-Path: "tsid=123" Content-Format: "application/dots+cbor" { "ietf-dots-telemetry:telemetry-setup": { "telemetry": [ { "current-config": { "low-percentile": "5.00", "mid-percentile": "65.00", "high-percentile": "95.00" } } ] } }]]></artwork> </figure></t>]]></sourcecode> </figure> <t>'cuid' is a mandatory Uri-Path parameter for PUT requests.</t> <t>The following additional Uri-Path parameter is defined:<list hangIndent="5" style="hanging"> <t hangText="tsid:">Telemetry</t> <dl newline="false" spacing="normal"> <dt>tsid:</dt> <dd> <t>The Telemetry Setup Identifier is an identifier for the DOTS telemetry setup configuration data represented as an integer. This identifierMUST<bcp14>MUST</bcp14> be generated by DOTS clients. 'tsid' valuesMUST<bcp14>MUST</bcp14> increase monotonically whenever new configuration parameters (not just for changed values) need to be conveyed by the DOTS client.<vspace blankLines="1" />The</t> <t>The procedure specified inSection 4.4.1 of<xreftarget="RFC9132"></xref>target="RFC9132" sectionFormat="of" section="4.4.1"/> for 'mid' rolloverMUST<bcp14>MUST</bcp14> also be followed for 'tsid'rollover.<vspace blankLines="1" />Thisrollover.</t> <t>This is a mandatory attribute.'tsid' MUST 'tsid' <bcp14>MUST</bcp14> appear after 'cuid' in the Uri-Path options.</t></list></t></dd> </dl> <t>'cuid' and 'tsid'MUST NOT<bcp14>MUST NOT</bcp14> appear in the PUT request message body.</t> <t>At least one configurable attributeMUST<bcp14>MUST</bcp14> be present in the PUT request.</t> <t>A PUT request with a higher numeric 'tsid' value overrides the DOTS telemetry configuration data installed by a PUT request with a lower numeric 'tsid' value. To avoid maintaining a long list of 'tsid' requests for requests carrying telemetry configuration data from a DOTS client, the lower numeric 'tsid'MUST<bcp14>MUST</bcp14> be automatically deleted and no longer be available at the DOTS server.</t> <t>The DOTS server indicates the result of processing the PUT request using the following ResponseCodes:<list style="symbols"> <t>IfCodes:</t> <ul spacing="normal"> <li>If the request is missing a mandatory attribute, does not include 'cuid' or 'tsid' Uri-Path parameters, or contains one or more invalid or unknown parameters, a 4.00 (Bad Request)MUSTResponse Code <bcp14>MUST</bcp14> be returned in theresponse.</t> <t>Ifresponse.</li> <li>If the DOTS server does not find the 'tsid' parameter value conveyed in the PUT request in its configuration data and if the DOTS server has accepted the configuration parameters, then a 2.01 (Created) Response CodeMUST<bcp14>MUST</bcp14> be returned in theresponse.</t> <t>Ifresponse.</li> <li>If the DOTS server finds the 'tsid' parameter value conveyed in the PUT request in its configuration data and if the DOTS server has accepted the updated configuration parameters, a 2.04 (Changed)MUSTResponse Code <bcp14>MUST</bcp14> be returned in theresponse.</t>response.</li> <li> <t>If any of the enclosed configurable attribute values are not acceptable to the DOTS server (<xreftarget="acc"></xref>),target="acc" format="default"/>), a 4.22 (Unprocessable Entity)MUSTResponse Code <bcp14>MUST</bcp14> be returned in the response.<vspace blankLines="1" />The</t> <t>The DOTS client may retry and send the PUT request with updated attribute values acceptable to the DOTS server.</t></list></t></li> </ul> <t>By default,low percentilelow-percentile (10th percentile),mid percentilemid-percentile (50th percentile),high percentilehigh-percentile (90th percentile), and peak (100th percentile) values are used to represent telemetry data. Nevertheless, a DOTS client can disable some percentile types (low, mid, high). In particular, setting 'low-percentile' to'0.00'"0.00" indicates that the DOTS client is not interested in receiving low-percentiles. Likewise, setting 'mid-percentile' (or 'high-percentile') to the same value as 'low-percentile' (or 'mid-percentile') indicates that the DOTS client is not interested in receiving mid-percentiles (or high-percentiles). For example, a DOTS client can send the request depicted in <xreftarget="tput1"></xref>target="tput1" format="default"/> to inform the server that it is interested in receiving only high-percentiles. This assumes that the client will only use that percentile type when sharing telemetry data with the server.</t><t><figure anchor="tput1" title="PUT<figure anchor="tput1"> <name>PUT to Disable Low- and Mid-Percentiles,depictedDepicted as per Section5.6 "> <artwork align="left"><![CDATA[Header:5.6</name> <sourcecode name="" type="json"><![CDATA[Header: PUT (Code=0.03) Uri-Path: ".well-known" Uri-Path: "dots" Uri-Path: "tm-setup" Uri-Path: "cuid=dz6pHjaADkaFTbjr0JGBpw" Uri-Path: "tsid=124" Content-Format: "application/dots+cbor" { "ietf-dots-telemetry:telemetry-setup": { "telemetry": [ { "current-config": { "low-percentile": "0.00", "mid-percentile": "0.00", "high-percentile": "95.00" } } ] } }]]></artwork> </figure></t>]]></sourcecode> </figure> <t>DOTS clients can also configure the unit class(es) to be used for traffic-related telemetry data among the following supported unit classes: packets per second, bits per second, and bytes per second. Supplying both bits per second and bytes per secondunit-classesunit classes is allowed for a given set of telemetry data. However, receipt of conflicting values is treated as invalid parameters and rejected with a 4.00 (BadRequest).</t>Request) Response Code.</t> <t>DOTS clients that are interestedto receive pre or ongoingin receiving pre-or-ongoing- mitigation telemetry(pre-or-ongoing-mitigation)('pre-or-ongoing-mitigation') information from a DOTS server (<xreftarget="premStoC"></xref>) MUSTtarget="premStoC" format="default"/>) <bcp14>MUST</bcp14> set 'server-originated-telemetry' to 'true'. If 'server-originated-telemetry' is not present in a PUT request, this is equivalent to receiving a request with 'server-originated-telemetry' set to 'false'. An example of a request to enable pre-or-ongoing-mitigation telemetry from DOTS servers is shown in <xreftarget="tput2"></xref>.</t> <t><figure anchor="tput2" title="PUTtarget="tput2" format="default"/>.</t> <figure anchor="tput2"> <name>PUT to EnablePre-or-ongoing-mitigationPre-or-Ongoing-Mitigation Telemetry from the DOTSserver, depictedServer, Depicted as per Section5.6"> <artwork align="left"><![CDATA[Header:5.6</name> <sourcecode name="" type="json"><![CDATA[Header: PUT (Code=0.03) Uri-Path: ".well-known" Uri-Path: "dots" Uri-Path: "tm-setup" Uri-Path: "cuid=dz6pHjaADkaFTbjr0JGBpw" Uri-Path: "tsid=125" Content-Format: "application/dots+cbor" { "ietf-dots-telemetry:telemetry-setup": { "telemetry": [ { "current-config": { "server-originated-telemetry": true } } ] } }]]></artwork> </figure></t> <t></t> <t></t>]]></sourcecode> </figure> </section> <section anchor="GET"title="Retrievenumbered="true" toc="default"> <name>Retrieving the Installed DOTS TelemetryConfiguration">Configuration</name> <t>A DOTS client may issue a GET message with a 'tsid' Uri-Path parameter to retrieve the current DOTS telemetry configuration. An example of such a request is depicted in <xreftarget="GETs"></xref>.</t> <t><figure anchor="GETs" title="GETtarget="GETs" format="default"/>.</t> <figure anchor="GETs"> <name>GET to Retrieve the Current DOTS TelemetryConfiguration"> <artwork><![CDATA[Header:Configuration</name> <sourcecode name="" type="json"><![CDATA[Header: GET (Code=0.01) Uri-Path: ".well-known" Uri-Path: "dots" Uri-Path: "tm-setup" Uri-Path: "cuid=dz6pHjaADkaFTbjr0JGBpw" Uri-Path:"tsid=123"]]></artwork> </figure></t>"tsid=123" ]]></sourcecode> </figure> <t>If the DOTS server does not find the 'tsid' Uri-Path value conveyed in the GET request in its configuration data for the requesting DOTS client, itMUST<bcp14>MUST</bcp14> respond with a 4.04 (Not Found) error Response Code.</t> </section> <section anchor="DEL"title="Deletenumbered="true" toc="default"> <name>Deleting the DOTS TelemetryConfiguration">Configuration</name> <t>A DELETE request is used to delete the installed DOTS telemetry configuration data (<xreftarget="cdelete"></xref>). 'cuid'target="cdelete" format="default"/>). 'cuid' and 'tsid' are mandatory Uri-Path parameters for such DELETE requests.</t> <figureanchor="cdelete" title="Deleteanchor="cdelete"> <name>Deleting the TelemetryConfiguration"> <artwork align="left"><![CDATA[Header:Configuration</name> <sourcecode name="" type="json"><![CDATA[Header: DELETE (Code=0.04) Uri-Path: ".well-known" Uri-Path: "dots" Uri-Path: "tm-setup" Uri-Path: "cuid=dz6pHjaADkaFTbjr0JGBpw" Uri-Path: "tsid=123"]]></artwork>]]></sourcecode> </figure><t></t><t>The DOTS server resets the DOTS telemetry configuration back to the default values and acknowledges a DOTS client's request to remove the DOTS telemetry configuration using a 2.02 (Deleted) Response Code. A 2.02 (Deleted) Response Code is returned even if the 'tsid' parameter value conveyed in the DELETE request does not exist in its configuration data before the request.</t> <t><xreftarget="reseta"></xref>target="reseta" format="default"/> discusses the procedure to reset all DOTS telemetry setupconfiguration.</t>configuration data.</t> </section> </section> <section anchor="tpipe"title="Totalnumbered="true" toc="default"> <name>Total PipeCapacity">Capacity</name> <t>A DOTS client can communicate to the DOTS server(s) its DOTS client domain pipe information. The tree structure of the pipe information is shown in <xreftarget="ptree"></xref>.</t> <t><figure anchor="ptree" title="Pipetarget="ptree" format="default"/>.</t> <figure anchor="ptree"> <name>Pipe TreeStructure"> <artwork><![CDATA[Structure</name> <sourcecode name="" type="yangtree"><![CDATA[ structure dots-telemetry: +-- (telemetry-message-type)? +--:(telemetry-setup) | ... | +-- telemetry* [] | +-- (direction)? | | +--:(server-to-client-only) | | +-- tsid? uint32 | +-- (setup-type)? | +--:(telemetry-config) | | ... | +--:(pipe) | | +-- total-pipe-capacity* [link-id unit] | | +-- link-id nt:link-id | | +-- capacity uint64 | | +-- unit unit | +--:(baseline) | ... +--:(telemetry) ...]]></artwork> </figure></t>]]></sourcecode> </figure> <t>A DOTS client domain pipe is defined as a list of limitsofon (incoming) traffic volume ('total-pipe-capacity') that can be forwarded over ingress interconnection links of a DOTS client domain. Each of these links is identified with a 'link-id' <xreftarget="RFC8345"></xref>.</t>target="RFC8345" format="default"/>.</t> <t>The unit used by a DOTS client when conveying pipe information is captured in the 'unit' attribute. The DOTS clientMUST<bcp14>MUST</bcp14> auto-scale so that the appropriate unit is used. That is, for a given unit class, the DOTS client uses the largest unit that gives a value greater than one. As such, only one unit per unit class is allowed.</t> <sectiontitle="Conveyingnumbered="true" toc="default"> <name>Conveying DOTS Client Domain PipeCapacity"> <t>Similar considerationsCapacity</name> <t>Considerations similar to those specified in <xreftarget="PUT"></xref>target="PUT" format="default"/> arefollowedfollowed, with oneexception:<list style="empty"> <t>Theexception:</t> <ul spacing="normal"> <li>The relative order of two PUT requests carrying DOTS client domain pipe attributes from a DOTS client is determined by comparing their respective 'tsid' values. Ifsuchthese two requests have overlapping 'link-id' and'unit','unit' settings, the PUT request with a higher numeric 'tsid' value will override the request with a lower numeric 'tsid' value. The overlapped lower numeric 'tsid'MUST<bcp14>MUST</bcp14> be automatically deleted and no longer beavailable.</t> </list></t>available.</li> </ul> <t>DOTS clientsSHOULD<bcp14>SHOULD</bcp14> minimize the number of active 'tsid's used for pipe information. In order to avoid maintaining a long list of 'tsid's for pipe information, it isRECOMMENDED<bcp14>RECOMMENDED</bcp14> that DOTS clients include in any request to update information related to a given link the informationofregarding other links (already communicated using a lower 'tsid' value).DoingBy doing so, this update request will override these existing requests and hence optimize the number of 'tsid'requestrequests per DOTS client.<list style="symbols"> <t>Note:</t> <aside><t> Note: This assumes that all link information can fit in one singlemessage.</t> </list></t>message. </t></aside> <t>As an example of configuring pipe information, a DOTS client managing asingle homedsingle-homed domain (<xreftarget="single"></xref>)target="single" format="default"/>) can send a PUT request (shown in <xreftarget="putp1"></xref>)target="putp1" format="default"/>) to communicate the capacity of "link1" used to connect to its ISP.</t><t><figure anchor="single" title="Single Homed<figure anchor="single"> <name>Single-Homed DOTS ClientDomain"> <artwork><![CDATA[Domain</name> <artwork name="" type="" align="left" alt=""><![CDATA[ ,--,--,--. ,--,--,--. ,-' `-. ,-' `-. ( DOTS Client )=====( ISP#A ) `-. Domain ,-' link1 `-. ,-' `--'--'--'`--'--'--']]></artwork> </figure></t> <t><figure anchor="putp1" title="Example`--'--'--' ]]></artwork> </figure> <figure anchor="putp1"> <name>Example of a PUT Request to Convey Pipe Information(Single Homed), depicted(Single-Homed), Depicted as per Section5.6 "> <artwork align="left"><![CDATA[Header:5.6</name> <sourcecode name="" type="json"><![CDATA[Header: PUT (Code=0.03) Uri-Path: ".well-known" Uri-Path: "dots" Uri-Path: "tm-setup" Uri-Path: "cuid=dz6pHjaADkaFTbjr0JGBpw" Uri-Path: "tsid=126" Content-Format: "application/dots+cbor" { "ietf-dots-telemetry:telemetry-setup": { "telemetry": [ { "total-pipe-capacity": [ { "link-id": "link1", "capacity": "500", "unit": "megabit-ps" } ] } ] } }]]></artwork> </figure></t>]]></sourcecode> </figure> <t>DOTS clients may be instructed to signal a link aggregate instead of individual links. For example, a DOTS client that manages a DOTS client domain having two interconnection links with an upstream ISP (<xreftarget="singleagg"></xref>)target="singleagg" format="default"/>) can send a PUT request (shown in <xreftarget="putp1a"></xref>)target="putp1a" format="default"/>) to communicate the aggregate link capacity with its ISP. Signaling individual or aggregate link capacity is deployment specific.</t><t><figure anchor="singleagg" title="DOTS<figure anchor="singleagg"> <name>DOTS Client Domain with Two InterconnectionLinks"> <artwork><![CDATA[Links</name> <artwork name="" type="" align="left" alt=""><![CDATA[ ,--,--,--. ,--,--,--. ,-' `-.===== ,-' `-. ( DOTS Client ) ( ISP#C ) `-. Domain ,-'====== `-. ,-' `--'--'--'`--'--'--']]></artwork> </figure></t> <t><figure anchor="putp1a" title="Example`--'--'--' ]]></artwork> </figure> <figure anchor="putp1a"> <name>Example of a PUT Request to Convey Pipe Information (Aggregated Link),depictedDepicted as per Section5.6 "> <artwork align="left"><![CDATA[Header:5.6</name> <sourcecode name="" type="json"><![CDATA[Header: PUT (Code=0.03) Uri-Path: ".well-known" Uri-Path: "dots" Uri-Path: "tm-setup" Uri-Path: "cuid=hmcpH87lmPGsSTjkhXCbin" Uri-Path: "tsid=896" Content-Format: "application/dots+cbor" { "ietf-dots-telemetry:telemetry-setup": { "telemetry": [ { "total-pipe-capacity": [ { "link-id": "aggregate", "capacity": "700", "unit": "megabit-ps" } ] } ] } }]]></artwork> </figure></t>]]></sourcecode> </figure> <t>Now consider that the DOTS client domain was upgraded to connect to an additional ISP (e.g., ISP#Bofin <xreftarget="multi"></xref>);target="multi" format="default"/>); the DOTS client can inform a DOTS server that is not hosted with ISP#A and ISP#B domains about this update by sending the PUT request depicted in <xreftarget="putp2"></xref>.target="putp2" format="default"/>. This request also includes information related to "link1" even if that link is not upgraded. Upon receipt of this request, the DOTS server removes the request with 'tsid=126' and updates its configuration base to maintain two links(link#1(link1 andlink#2).</t> <t><figure anchor="multi" title="Multi-Homedlink2).</t> <figure anchor="multi"> <name>Multihomed DOTS ClientDomain"> <artwork><![CDATA[Domain</name> <artwork name="" type="" align="left" alt=""><![CDATA[ ,--,--,--. ,-' `-. ( ISP#B ) `-. ,-' `--'--'--' || || link2 ,--,--,--. ,--,--,--. ,-' `-. ,-' `-. ( DOTS Client )=====( ISP#A ) `-. Domain ,-' link1 `-. ,-' `--'--'--' `--'--'--' ]]></artwork></figure></t> <t><figure anchor="putp2" title="Example</figure> <figure anchor="putp2"> <name>Example of a PUT Request to Convey Pipe Information(Multi-Homed), depicted(Multihomed), Depicted as per Section5.6"> <artwork align="left"><![CDATA[Header:5.6</name> <sourcecode name="" type="json"><![CDATA[Header: PUT (Code=0.03) Uri-Path: ".well-known" Uri-Path: "dots" Uri-Path: "tm-setup" Uri-Path: "cuid=dz6pHjaADkaFTbjr0JGBpw" Uri-Path: "tsid=127" Content-Format: "application/dots+cbor" { "ietf-dots-telemetry:telemetry-setup": { "telemetry": [ { "total-pipe-capacity": [ { "link-id": "link1", "capacity": "500", "unit": "megabit-ps" }, { "link-id": "link2", "capacity": "500", "unit": "megabit-ps" } ] } ] } }]]></artwork> </figure></t>]]></sourcecode> </figure> <t>A DOTS client can delete a link by sending a PUT request with the 'capacity' attribute set to "0" if other links are still active for the same DOTS clientdomain (see <xref target="pdel"></xref> for other delete cases).domain. For example, if a DOTS client domain re-homes (that is, it changes its ISP), the DOTS client can inform its DOTS server about this update (e.g., from the network configuration in <xreftarget="single"></xref>target="single" format="default"/> to theonenetwork configuration shown in <xreftarget="single2"></xref>)target="single2" format="default"/>) by sending the PUT request depicted in <xreftarget="putp3"></xref>.target="putp3" format="default"/>. Upon receipt of this request, and assuming that no error is encountered when processing the request, the DOTS server removes "link1" from its configuration bases for this DOTS client domain. Note that if the DOTS server receives a PUT request with a 'capacity' attribute set to "0" for all included links, itMUST<bcp14>MUST</bcp14> reject the request with a 4.00 (BadRequest).Request) Response Code. Instead, the DOTS client can use a DELETE request to delete all links (<xreftarget="pdel"></xref>).</t> <t><figure anchor="single2" title="Multi-Homedtarget="pdel" format="default"/>).</t> <figure anchor="single2"> <name>Multihomed DOTS ClientDomain"> <artwork><![CDATA[Domain</name> <artwork name="" type="" align="left" alt=""><![CDATA[ ,--,--,--. ,-' `-. ( ISP#B ) `-. ,-' `--'--'--' || || link2 ,--,--,--. ,-' `-. ( DOTS Client ) `-. Domain ,-' `--'--'--' ]]></artwork></figure><figure anchor="putp3" title="Example</figure> <figure anchor="putp3"> <name>Example of a PUT Request to Convey Pipe Information(Multi-Homed), depicted(Multihomed), Depicted as per Section5.6"> <artwork align="left"><![CDATA[Header:5.6</name> <sourcecode name="" type="json"><![CDATA[Header: PUT (Code=0.03) Uri-Path: ".well-known" Uri-Path: "dots" Uri-Path: "tm-setup" Uri-Path: "cuid=dz6pHjaADkaFTbjr0JGBpw" Uri-Path: "tsid=128" Content-Format: "application/dots+cbor" { "ietf-dots-telemetry:telemetry-setup": { "telemetry": [ { "total-pipe-capacity": [ { "link-id": "link1", "capacity": "0", "unit": "megabit-ps" }, { "link-id": "link2", "capacity": "500", "unit": "megabit-ps" } ] } ] } }]]></artwork> </figure></t>]]></sourcecode> </figure> </section> <sectiontitle="Retrievenumbered="true" toc="default"> <name>Retrieving Installed DOTS Client Domain PipeCapacity">Capacity</name> <t>A GET request with a 'tsid' Uri-Path parameter is used to retrieveathe specific information related to an installed DOTS client domainpipe related information.pipe. The same procedure as that defined in <xreftarget="GET"></xref>target="GET" format="default"/> is followed.</t> <t>To retrieve all pipe information bound to a DOTS client, the DOTS client proceeds as specified in <xreftarget="acc"></xref>.</t>target="acc" format="default"/>.</t> </section> <section anchor="pdel"title="Deletenumbered="true" toc="default"> <name>Deleting Installed DOTS Client Domain PipeCapacity">Capacity</name> <t>A DELETE request is used to delete the specific information related to an installed DOTS client domainpipe related information.pipe. The same procedure as that defined in <xreftarget="DEL"></xref>target="DEL" format="default"/> is followed.</t> </section> </section> <section anchor="tbl"title="Telemetry Baseline">numbered="true" toc="default"> <name>Telemetry Baseline</name> <t>A DOTS client can communicate to its DOTS server(s) its normal traffic baseline andconnections capacity:<list style="hanging"> <t hangText="Totalconnection capacity:</t> <dl newline="false" spacing="normal"> <dt>Total traffic normal baseline:</dt> <dd> <t>Total traffic normalbaseline:">Thebaseline data provides the percentile values representing the total traffic normal baseline. It can be represented for a target using'total-traffic-normal'.<vspace blankLines="1" />The'total-traffic-normal'.</t> <t>The traffic normal per-protocol ('total-traffic-normal-per-protocol') baseline is represented for a target and is transport-protocolspecific.<vspace blankLines="1" />Thespecific.</t> <t>The traffic normal per-port-number ('total-traffic-normal-per-port') baseline is represented for each port number bound to atarget.<vspace blankLines="1" />Iftarget.</t> <t>If the DOTS client negotiated percentile values and units (<xreftarget="tconfig"></xref>),target="tconfig" format="default"/>), these negotiated parameters will be used instead of the defaultones.parameters. For eachusedunitclass,class used, the DOTS clientMUST<bcp14>MUST</bcp14> auto-scale so that the appropriate unit is used.</t><t hangText="Total connections capacity:">If</dd> <dt>Total connection capacity:</dt> <dd> <t>If the target is susceptible to resource-consuming DDoS attacks, the following optional attributes for the target per transport protocol are usefulto detectfor detecting resource-consuming DDoSattacks:<list style="symbols"> <t>Theattacks:</t> <ul spacing="normal"> <li>The maximum number of simultaneous connections that are allowed to thetarget.</t> <t>Thetarget.</li> <li>The maximum number of simultaneous connections that are allowed to the target perclient.</t> <t>Theclient.</li> <li>The maximum number of simultaneous embryonic connections that are allowed to the target. The term "embryonic connection" refers to a connection whose connection handshake is not finished. Embryonicconnection isconnections are only possible in connection-oriented transport protocols like TCP or the Stream Control Transmission Protocol (SCTP) <xreftarget="RFC4960"></xref>.</t> <t>Thetarget="RFC9260" format="default"/>.</li> <li>The maximum number of simultaneous embryonic connections that are allowed to the target perclient.</t> <t>Theclient.</li> <li>The maximum number of connections allowed per second to thetarget.</t> <t>Thetarget.</li> <li>The maximum number of connections allowed per second to the target perclient.</t> <t>Theclient.</li> <li>The maximum number of requests (e.g., HTTP/DNS/SIP requests) allowed per second to thetarget.</t> <t>Thetarget.</li> <li>The maximum number of requests allowed per second to the target perclient.</t> <t>Theclient.</li> <li>The maximum number of outstanding partial requests allowed to the target. Attacks relying upon partial requests create a connection with a target but do not send a complete request (e.g., an HTTPrequest).</t> <t>Therequest).</li> <li>The maximum number of outstanding partial requests allowed to the target perclient.</t> </list><vspace blankLines="1" />Theclient.</li> </ul> <t>The aggregate per transport protocol is captured in 'total-connection-capacity', while port-specific capabilities are represented using 'total-connection-capacity-per-port'.</t></list></t></dd> </dl> <t>Note that a target resource is identified using the attributes 'target-prefix', 'target-port-range', 'target-protocol', 'target- fqdn', 'target-uri', or 'alias-name' as defined inSection 4.4.1.1 of<xreftarget="RFC9132"></xref>.</t>target="RFC9132" sectionFormat="of" section="4.4.1.1"/>.</t> <t>The tree structure of the normal traffic baseline is shown in <xreftarget="bltree"></xref>.</t> <t><figure anchor="bltree" title="Telemetrytarget="bltree" format="default"/>.</t> <figure anchor="bltree"> <name>Telemetry Baseline TreeStructure"> <artwork><![CDATA[Structure</name> <sourcecode name="" type="yangtree"><![CDATA[ structure dots-telemetry: +-- (telemetry-message-type)? +--:(telemetry-setup) | ... | +-- telemetry* [] | +-- (direction)? | | +--:(server-to-client-only) | | +-- tsid? uint32 | +-- (setup-type)? | +--:(telemetry-config) | | ... | +--:(pipe) | | ... | +--:(baseline) | +-- baseline* [id] | +-- id| |uint32 | +-- target-prefix* | | inet:ip-prefix | +-- target-port-range* [lower-port] | | +-- lower-port inet:port-number | | +-- upper-port? inet:port-number | +-- target-protocol* uint8 | +-- target-fqdn* | | inet:domain-name | +-- target-uri* | | inet:uri | +-- alias-name* | | string | +-- total-traffic-normal* [unit] | | +-- unit unit | | +-- low-percentile-g? yang:gauge64 | | +-- mid-percentile-g? yang:gauge64 | | +-- high-percentile-g? yang:gauge64 | | +-- peak-g? yang:gauge64 | +-- total-traffic-normal-per-protocol* | | [unit protocol] | | +-- protocol uint8 | | +-- unit unit | | +-- low-percentile-g? yang:gauge64 | | +-- mid-percentile-g? yang:gauge64 | | +-- high-percentile-g? yang:gauge64 | | +-- peak-g? yang:gauge64 | +-- total-traffic-normal-per-port* [unit port] | | +-- port inet:port-number | | +-- unit unit | | +-- low-percentile-g? yang:gauge64 | | +-- mid-percentile-g? yang:gauge64 | | +-- high-percentile-g? yang:gauge64 | | +-- peak-g? yang:gauge64 | +-- total-connection-capacity* [protocol] | | +-- protocol uint8 | | +-- connection? uint64 | | +-- connection-client? uint64 | | +-- embryonic? uint64 | | +-- embryonic-client? uint64 | | +-- connection-ps? uint64 | | +-- connection-client-ps? uint64 | | +-- request-ps? uint64 | | +-- request-client-ps? uint64 | | +-- partial-request-max? uint64 | | +-- partial-request-client-max? uint64 | +-- total-connection-capacity-per-port* | [protocol port] | +-- port | | inet:port-number | +-- protocol uint8 | +-- connection? uint64 | +-- connection-client? uint64 | +-- embryonic? uint64 | +-- embryonic-client? uint64 | +-- connection-ps? uint64 | +-- connection-client-ps? uint64 | +-- request-ps? uint64 | +-- request-client-ps? uint64 | +-- partial-request-max? uint64 | +-- partial-request-client-max? uint64 +--:(telemetry) ...]]></artwork> </figure></t>]]></sourcecode> </figure> <t>A DOTS client can share one or multiple normal traffic baselines (e.g., aggregate or per-prefixbaselines),baselines); eachareis uniquely identified within the DOTS client domain with an identifier'id'.('id'). This identifier can be used to update a baseline entry, delete a specific entry, etc.</t> <sectiontitle="Conveyingnumbered="true" toc="default"> <name>Conveying DOTS Client Domain BaselineInformation"> <t>Similar considerationsInformation</name> <t>Considerations similar to those specified in <xreftarget="PUT"></xref>target="PUT" format="default"/> arefollowedfollowed, with oneexception:<list style="empty"> <t>Theexception:</t> <ul spacing="normal"> <li>The relative order of two PUT requests carrying DOTS client domain baseline attributes from a DOTS client is determined by comparing their respective 'tsid' values. Ifsuchthese two requests have overlapping targets, the PUT request with a higher numeric 'tsid' value will override the request with a lower numeric 'tsid' value. The overlapped lower numeric 'tsid'MUST<bcp14>MUST</bcp14> be automatically deleted and no longer beavailable.</t> </list></t>available.</li> </ul> <t>Two PUT requests from a DOTS client have overlapping targets if there is a common IP address, IP prefix, FQDN, URI, oralias-name.alias name. Also, two PUT requests from a DOTS client have overlapping targets from the perspective of the DOTS server if the addresses associated with the FQDN, URI, or alias are overlapping with each other or with 'target-prefix'.</t> <t>DOTS clientsSHOULD<bcp14>SHOULD</bcp14> minimize the number of active 'tsid's used for baseline information. In order to avoid maintaining a long list of 'tsid's for baseline information, it isRECOMMENDED<bcp14>RECOMMENDED</bcp14> that DOTS clients include inaany request to update information related to a giventarget,target the informationofregarding other targets (already communicated using a lower 'tsid' value) (assuming that this information fits within one single datagram). This update request will override these existing requests and hence optimize the number of 'tsid'requestrequests per DOTS client.</t> <t>If no target attribute is included in the request, this is an indication that the baseline information applies for the DOTS client domain as a whole.</t> <t>An example of a PUT request to convey the baseline information is shown in <xreftarget="tputs"></xref>.</t> <t><figure anchor="tputs" title="PUTtarget="tputs" format="default"/>.</t> <figure anchor="tputs"> <name>PUT toConveying theConvey DOTS TrafficBaseline, depictedBaseline Information, Depicted as per Section5.6"> <artwork align="left"><![CDATA[Header:5.6</name> <sourcecode name="" type="json"><![CDATA[Header: PUT (Code=0.03) Uri-Path: ".well-known" Uri-Path: "dots" Uri-Path: "tm-setup" Uri-Path: "cuid=dz6pHjaADkaFTbjr0JGBpw" Uri-Path: "tsid=129" Content-Format: "application/dots+cbor" { "ietf-dots-telemetry:telemetry-setup": { "telemetry": [ { "baseline": [ { "id": 1, "target-prefix": [ "2001:db8:6401::1/128", "2001:db8:6401::2/128" ], "total-traffic-normal": [ { "unit": "megabit-ps", "peak-g": "60" } ] } ] } ] } }]]></artwork> </figure></t>]]></sourcecode> </figure> <t>The DOTS client may shareprotocol specificprotocol-specific baseline information (e.g., TCP and UDP) as shown in <xreftarget="tputs2"></xref>.<figure anchor="tputs2" title="PUTtarget="tputs2" format="default"/>.</t> <figure anchor="tputs2"> <name>PUT to ConveytheDOTS Traffic Baseline Information (2),depictedDepicted as per Section5.6"> <artwork align="left"><![CDATA[Header:5.6</name> <sourcecode name="" type="json"><![CDATA[Header: PUT (Code=0.03) Uri-Path: ".well-known" Uri-Path: "dots" Uri-Path: "tm-setup" Uri-Path: "cuid=dz6pHjaADkaFTbjr0JGBpw" Uri-Path: "tsid=130" Content-Format: "application/dots+cbor" { "ietf-dots-telemetry:telemetry-setup": { "telemetry": [ { "baseline": [ { "id": 1, "target-prefix": [ "2001:db8:6401::1/128", "2001:db8:6401::2/128" ], "total-traffic-normal-per-protocol": [ { "unit": "megabit-ps", "protocol": 6, "peak-g": "50" }, { "unit": "megabit-ps", "protocol": 17, "peak-g": "10" } ] } ] } ] } }]]></artwork> </figure></t>]]></sourcecode> </figure> <t>The normal traffic baseline information should be updated to reflect legitimate overloads (e.g., flash crowds) to prevent unnecessary mitigation.</t> </section> <sectiontitle="Retrievenumbered="true" toc="default"> <name>Retrieving Installed Normal TrafficBaseline">Baseline Information</name> <t>A GET request with a 'tsid' Uri-Path parameter is used to retrieve a specific installed DOTS clientdomaindomain's baseline traffic information. The same procedure as that defined in <xreftarget="GET"></xref>target="GET" format="default"/> is followed.</t> <t>To retrieve all baseline information bound to a DOTS client, the DOTS client proceeds as specified in <xreftarget="acc"></xref>.</t>target="acc" format="default"/>.</t> </section> <section anchor="basedel"title="Deletenumbered="true" toc="default"> <name>Deleting Installed Normal TrafficBaseline">Baseline Information</name> <t>A DELETE request is used to delete the installed DOTS clientdomaindomain's normal trafficbaseline.baseline information. The same procedure as that defined in <xreftarget="DEL"></xref>target="DEL" format="default"/> is followed.</t> </section> </section> <section anchor="reseta"title="Resetnumbered="true" toc="default"> <name>Resetting the Installed TelemetrySetup">Setup</name> <t>Upon bootstrapping (or reboot or any other event that may alter the DOTS client setup), a DOTS clientMAY<bcp14>MAY</bcp14> send a DELETE request to set the telemetry parameters to default values. Such a request does not include any'tsid'.'tsid' parameters. An example of such a request is depicted in <xreftarget="bdel"></xref>.</t> <t><figure anchor="bdel" title="Deletetarget="bdel" format="default"/>.</t> <figure anchor="bdel"> <name>Deleting the TelemetryConfiguration"> <artwork align="left"><![CDATA[Header:Configuration</name> <sourcecode name="" type="json"><![CDATA[Header: DELETE (Code=0.04) Uri-Path: ".well-known" Uri-Path: "dots" Uri-Path: "tm-setup" Uri-Path: "cuid=dz6pHjaADkaFTbjr0JGBpw"]]></artwork> </figure></t>]]></sourcecode> </figure> </section> <section anchor="conflict"title="Conflictnumbered="true" toc="default"> <name>Conflict with Other DOTS Clients of the SameDomain">Domain</name> <t>A DOTS server may detect conflicts between requests conveying pipe and baseline information received from DOTS clients of the same DOTS client domain.'conflict-information' 'conflict-information' is used to report the conflict to the DOTSclientclient, followingsimilarguidelines for conflict handling similar to those discussed inSection 4.4.1 of<xreftarget="RFC9132"></xref>.target="RFC9132" sectionFormat="of" section="4.4.1"/>. The conflict cause can be set to one of thesevalues:<list style="empty"> <t>1: Overlappingvalues:</t> <dl newline="false" spacing="normal"> <dt>1:</dt><dd>Overlapping targets(Section 4.4.1 of <xref target="RFC9132"></xref>).</t> <t>TBA: Overlapping(<xref target="RFC9132" sectionFormat="of" section="4.4.1"/>).</dd> <dt>5:</dt><dd>Overlapping pipe scope (see <xreftarget="IANA"></xref>).</t> </list></t> <t></t>target="IANA" format="default"/>).</dd> </dl> </section> </section> <section anchor="pre-t"title="DOTS Pre-or-Ongoing Mitigation Telemetry">numbered="true" toc="default"> <name>DOTS Pre-or-Ongoing-Mitigation Telemetry</name> <t>There are two broad types of DDoS attacks:one is a bandwidth consuming attack, the other is abandwidth-consuming attacks and target-resource-consumingattack.attacks. This section outlines the set of DOTS telemetry attributes (<xreftarget="pre"></xref>)target="pre" format="default"/>) that covers both types ofattack.attacks. The objective of these attributes is to allow for the complete knowledge of attacks and the various particulars that can best characterize attacks.</t> <t>The "ietf-dots-telemetry" YANG module (<xreftarget="module"></xref>)target="module" format="default"/>) defines the data structure of a new message type called 'telemetry'. The tree structure of the 'telemetry' message type is shown in <xreftarget="tt"></xref>.</t>target="tt" format="default"/>.</t> <figure anchor="tt"> <name>Telemetry Message Type Tree Structure</name> <sourcecode name="" type="yangtree"><![CDATA[ structure dots-telemetry: +-- (telemetry-message-type)? +--:(telemetry-setup) | ... | +-- telemetry* [] | +-- (direction)? | | +--:(server-to-client-only) | | +-- tsid? uint32 | +-- (setup-type)? | +--:(telemetry-config) | | ... | +--:(pipe) | | ... | +--:(baseline) | ... +--:(telemetry) +-- pre-or-ongoing-mitigation* [] +-- (direction)? | +--:(server-to-client-only) | +-- tmid? uint32 +-- target | ... +-- total-traffic* [unit] | ... +-- total-traffic-protocol* [unit protocol] | ... +-- total-traffic-port* [unit port] | ... +-- total-attack-traffic* [unit] | ... +-- total-attack-traffic-protocol* [unit protocol] | ... +-- total-attack-traffic-port* [unit port] | ... +-- total-attack-connection-protocol* [protocol] | ... +-- total-attack-connection-port* [protocol port] | ... +-- attack-detail* [vendor-id attack-id] ... ]]></sourcecode> </figure> <t>The pre-or-ongoing-mitigation telemetry attributes are indicated by the path suffix '/tm'.The '/tm' '/tm' is appended to the path prefix to form the URI used with a CoAP request to signal the DOTS telemetry. Pre-or-ongoing-mitigation telemetry attributes as specified in <xreftarget="pre"></xref>target="pre" format="default"/> can be signaled between DOTS agents.</t> <t>Pre-or-ongoing-mitigation telemetry attributes may be sent by a DOTS client or a DOTS server.</t> <t>DOTS agentsSHOULD<bcp14>SHOULD</bcp14> bind pre-or-ongoing-mitigation telemetry data to mitigation requests associated with the resources under attack. In particular, a telemetry PUT request sent after a mitigation request may include a reference to that mitigation request ('mid-list') as shown in <xreftarget="mid-co"></xref>.target="mid-co" format="default"/>. An example illustrating request correlation by means of 'target-prefix' is shown in <xreftarget="mid-co2"></xref>.</t> <t>Manytarget="mid-co2" format="default"/>.</t> <t>Much of the pre-or-ongoing-mitigation telemetry datauseuses a unit that falls under the unit class that is configured following the procedure described in <xreftarget="PUT"></xref>.target="PUT" format="default"/>. When generating telemetry data to send to a peer, the DOTS agentMUST<bcp14>MUST</bcp14> auto-scale so that one or more appropriateunit(s)units are used.</t><t><figure anchor="mid-co" title="Example<figure anchor="mid-co"> <name>Example of Request Correlationusing 'mid'"> <artwork><![CDATA[Using 'mid'</name> <artwork name="" type="" align="left" alt=""><![CDATA[ +-----------+ +-----------+ |DOTS client| |DOTS server| +-----------+ +-----------+ | ||===============Mitigation|==============Mitigation Request(mid)===============>|(mid)==============>| | ||===============Telemetry (mid-list{mid})==============>||==============Telemetry (mid-list{mid})=============>| | | ]]></artwork></figure></t> <t><figure anchor="mid-co2" title="Example</figure> <figure anchor="mid-co2"> <name>Example of Request Correlationusing Target Prefix"> <artwork><![CDATA[Using 'target-prefix'</name> <artwork name="" type="" align="left" alt=""><![CDATA[ +-----------+ +-----------+ |DOTS client| |DOTS server| +-----------+ +-----------+ | ||<================Telemetry (target-prefix)=============||<===============Telemetry (target-prefix)============| | ||=========Mitigation|========Mitigation Request(target-prefix)===========>|(target-prefix)==========>| | | ]]></artwork></figure></t></figure> <t>DOTS agentsMUST NOT<bcp14>MUST NOT</bcp14> send pre-or-ongoing-mitigation telemetry notifications to the same peer more frequently than once every 'telemetry-notify-interval' (<xreftarget="tconfig"></xref>).target="tconfig" format="default"/>). If a telemetry notification is sent using a block-like transfer mechanism (e.g., <xreftarget="I-D.ietf-core-new-block"></xref>),target="RFC9177" format="default"/>), thisrate limitrate-limit policyMUST NOT<bcp14>MUST NOT</bcp14> consider these individual blocks as separate notifications, but as a single notification.</t> <t>DOTS pre-or-ongoing-mitigation telemetry request and response messagesMUST<bcp14>MUST</bcp14> be marked asNon-ConfirmableNon-confirmable messages(Section 2.1 of <xref target="RFC7252"></xref>).</t> <t><figure anchor="tt" title="Telemetry Message Type Tree Structure "> <artwork><![CDATA[ structure dots-telemetry: +-- (telemetry-message-type)? +--:(telemetry-setup) | ... | +-- telemetry* [] | +-- (direction)? | | +--:(server-to-client-only) | | +-- tsid? uint32 | +-- (setup-type)? | +--:(telemetry-config) | | ... | +--:(pipe) | | ... | +--:(baseline) | ... +--:(telemetry) +-- pre-or-ongoing-mitigation* [] +-- (direction)? | +--:(server-to-client-only) | +-- tmid? uint32 +-- target | ... +-- total-traffic* [unit] | ... +-- total-traffic-protocol* [unit protocol] | ... +-- total-traffic-port* [unit port] | ... +-- total-attack-traffic* [unit] | ... +-- total-attack-traffic-protocol* [unit protocol] | ... +-- total-attack-traffic-port* [unit port] | ... +-- total-attack-connection-protocol* [protocol] | ... +-- total-attack-connection-port* [protocol port] | ... +-- attack-detail* [vendor-id attack-id] ... ]]></artwork> </figure></t>(<xref target="RFC7252" sectionFormat="of" section="2.1"/>).</t> <section anchor="pre"title="Pre-or-Ongoing-Mitigationnumbered="true" toc="default"> <name>Pre-or-Ongoing-Mitigation DOTS TelemetryAttributes"> <t>The description andAttributes</name> <t><xref target="overview" format="default"/> discusses the motivationbehind each attributefor using the DOTS telemetry attributes. These attributes arepresentedspecified in<xref target="overview"></xref>.</t>the following subsections.</t> <sectiontitle="Target">numbered="true" toc="default"> <name>Target</name> <t>A target resource (<xreftarget="targett"></xref>)target="targett" format="default"/>) is identified using the attributes 'target-prefix', 'target-port-range', 'target-protocol', 'target-fqdn', 'target-uri', 'alias-name', or a pointer to a mitigation request ('mid-list').</t><t><figure anchor="targett" title="Target<figure anchor="targett"> <name>Target TreeStructure"> <artwork><![CDATA[Structure</name> <sourcecode name="" type="yangtree"><![CDATA[ +--:(telemetry) +-- pre-or-ongoing-mitigation* [] +-- (direction)? | +--:(server-to-client-only) | +-- tmid? uint32 +-- target | +-- target-prefix* inet:ip-prefix | +-- target-port-range* [lower-port] | | +-- lower-port inet:port-number | | +-- upper-port? inet:port-number | +-- target-protocol* uint8 | +-- target-fqdn* inet:domain-name | +-- target-uri* inet:uri | +-- alias-name* string | +-- mid-list* uint32 +-- total-traffic* [unit] | ... +-- total-traffic-protocol* [unit protocol] | ... +-- total-traffic-port* [unit port] | ... +-- total-attack-traffic* [unit] | ... +-- total-attack-traffic-protocol* [unit protocol] | ... +-- total-attack-traffic-port* [unit port] | ... +-- total-attack-connection-protocol* [protocol] | ... +-- total-attack-connection-port* [protocol port] | ... +-- attack-detail* [vendor-id attack-id] ...]]></artwork> </figure></t>]]></sourcecode> </figure> <t>At least one of the attributes 'target-prefix', 'target-fqdn', 'target-uri', 'alias-name', or 'mid-list'MUST<bcp14>MUST</bcp14> be present in the target definition.</t> <t>If the target is susceptible to bandwidth-consuming attacks, the attributes representing the percentile values of the 'attack-id' attack traffic are included.</t> <t>If the target is susceptible to resource-consuming DDoS attacks, the attributes defined in <xreftarget="attackconn"></xref>target="attackconn" format="default"/> are applicable for representing the attack.</t> <t>At least the 'target' attribute and one other pre-or-ongoing-mitigation attributeMUST<bcp14>MUST</bcp14> be present in the DOTS telemetry message.</t> </section> <section anchor="tot"title="Total Traffic">numbered="true" toc="default"> <name>Total Traffic</name> <t>The 'total-traffic' attribute (<xreftarget="ttt"></xref>)target="ttt" format="default"/>) conveys the percentile values (including peak and current observed values) of the total observed traffic. More fine-grained information about the total traffic can be conveyed in the 'total-traffic-protocol' and 'total-traffic-port' attributes.</t> <t>The 'total-traffic-protocol' attribute represents the total traffic for a target and is transport-protocol specific.</t> <t>The 'total-traffic-port' attribute represents the total traffic for a target per port number.</t><t><figure anchor="ttt" title="Total<figure anchor="ttt"> <name>Total Traffic TreeStructure"> <artwork><![CDATA[Structure</name> <sourcecode name="" type="yangtree"><![CDATA[ +--:(telemetry) +-- pre-or-ongoing-mitigation* [] +-- (direction)? | +--:(server-to-client-only) | +-- tmid? uint32 +-- target | ... +-- total-traffic* [unit] | +-- unit unit | +-- low-percentile-g? yang:gauge64 | +-- mid-percentile-g? yang:gauge64 | +-- high-percentile-g? yang:gauge64 | +-- peak-g? yang:gauge64 | +-- current-g? yang:gauge64 +-- total-traffic-protocol* [unit protocol] | +-- protocol uint8 | +-- unit unit | +-- low-percentile-g? yang:gauge64 | +-- mid-percentile-g? yang:gauge64 | +-- high-percentile-g? yang:gauge64 | +-- peak-g? yang:gauge64 | +-- current-g? yang:gauge64 +-- total-traffic-port* [unit port] | +-- port inet:port-number | +-- unit unit | +-- low-percentile-g? yang:gauge64 | +-- mid-percentile-g? yang:gauge64 | +-- high-percentile-g? yang:gauge64 | +-- peak-g? yang:gauge64 | +-- current-g? yang:gauge64 +-- total-attack-traffic* [unit] | ... +-- total-attack-traffic-protocol* [unit protocol] | ... +-- total-attack-traffic-port* [unit port] | ... +-- total-attack-connection-protocol* [protocol] | ... +-- total-attack-connection-port* [protocol port] | ... +-- attack-detail* [vendor-id attack-id] ...]]></artwork> </figure></t>]]></sourcecode> </figure> </section> <section anchor="tat"title="Totalnumbered="true" toc="default"> <name>Total AttackTraffic ">Traffic</name> <t>The 'total-attack-traffic' attribute (<xreftarget="tatt"></xref>)target="tatt" format="default"/>) conveys the total observed attack traffic. More fine-grained information about the total attack traffic can be conveyed in the 'total-attack-traffic-protocol' and 'total-attack-traffic-port' attributes.</t> <t>The 'total-attack-traffic-protocol' attribute represents the total attack traffic for a target and is transport-protocol specific.</t> <t>The 'total-attack-traffic-port' attribute represents the total attack traffic for a target per port number.</t><t><figure anchor="tatt" title="Total<figure anchor="tatt"> <name>Total Attack Traffic TreeStructure"> <artwork><![CDATA[Structure</name> <sourcecode name="" type="yangtree"><![CDATA[ +--:(telemetry) +-- pre-or-ongoing-mitigation* [] +-- (direction)? | +--:(server-to-client-only) | +-- tmid? uint32 +-- target | ... +-- total-traffic* [unit] | ... +-- total-traffic-protocol* [unit protocol] | ... +-- total-traffic-port* [unit port] | ... +-- total-attack-traffic* [unit] | +-- unit unit | +-- low-percentile-g? yang:gauge64 | +-- mid-percentile-g? yang:gauge64 | +-- high-percentile-g? yang:gauge64 | +-- peak-g? yang:gauge64 | +-- current-g? yang:gauge64 +-- total-attack-traffic-protocol* [unit protocol] | +-- protocol uint8 | +-- unit unit | +-- low-percentile-g? yang:gauge64 | +-- mid-percentile-g? yang:gauge64 | +-- high-percentile-g? yang:gauge64 | +-- peak-g? yang:gauge64 | +-- current-g? yang:gauge64 +-- total-attack-traffic-port* [unit port] | +-- port inet:port-number | +-- unit unit | +-- low-percentile-g? yang:gauge64 | +-- mid-percentile-g? yang:gauge64 | +-- high-percentile-g? yang:gauge64 | +-- peak-g? yang:gauge64 | +-- current-g? yang:gauge64 +-- total-attack-connection-protocol* [protocol] | ... +-- total-attack-connection-port* [protocol port] | ... +-- attack-detail* [vendor-id attack-id] ...]]></artwork> </figure></t>]]></sourcecode> </figure> </section> <section anchor="attackconn"title="Totalnumbered="true" toc="default"> <name>Total AttackConnections">Connections</name> <t>If the target is susceptible to resource-consuming DDoS attacks, the 'total-attack-connection-protocol' attribute is used to convey the percentile values (including peak and current observed values) of various attributes related to the total attack connections. The following optional sub-attributes for the target per transport protocol are included to represent the attackcharacteristics:<?rfc subcompact="yes" ?><list style="symbols"> <t>Thecharacteristics:</t> <ul spacing="normal"> <li>The number of simultaneous attack connections to thetarget.</t> <t>Thetarget.</li> <li>The number of simultaneous embryonic connections to thetarget.</t> <t>Thetarget.</li> <li>The number of attack connections per second to thetarget.</t> <t>Thetarget.</li> <li>The number of attack requests per second to thetarget.</t> <t>Thetarget.</li> <li>The number of attack partial requests to thetarget.<?rfc subcompact="no" ?></t> </list>Thetarget.</li> </ul> <t>The total attack connections per port numberisare represented using the 'total-attack-connection-port'attribute.<figure anchor="tact" title="Totalattribute.</t> <figure anchor="tact"> <name>Total Attack Connections TreeStructure"> <artwork><![CDATA[Structure</name> <sourcecode name="" type="yangtree"><![CDATA[ +--:(telemetry) +-- pre-or-ongoing-mitigation* [] +-- (direction)? | +--:(server-to-client-only) | +-- tmid? uint32 +-- target | ... +-- total-traffic* [unit] | ... +-- total-traffic-protocol* [unit protocol] | ... +-- total-traffic-port* [unit port] | ... +-- total-attack-traffic* [unit] | ... +-- total-attack-traffic-protocol* [unit protocol] | ... +-- total-attack-traffic-port* [unit port] | ... +-- total-attack-connection-protocol* [protocol] | +-- protocol uint8 | +-- connection-c | | +-- low-percentile-g? yang:gauge64 | | +-- mid-percentile-g? yang:gauge64 | | +-- high-percentile-g? yang:gauge64 | | +-- peak-g? yang:gauge64 | | +-- current-g? yang:gauge64 | +-- embryonic-c | | +-- low-percentile-g? yang:gauge64 | | +-- mid-percentile-g? yang:gauge64 | | +-- high-percentile-g? yang:gauge64 | | +-- peak-g? yang:gauge64 | | +-- current-g? yang:gauge64 | +-- connection-ps-c | | +-- low-percentile-g? yang:gauge64 | | +-- mid-percentile-g? yang:gauge64 | | +-- high-percentile-g? yang:gauge64 | | +-- peak-g? yang:gauge64 | | +-- current-g? yang:gauge64 | +-- request-ps-c | | +-- low-percentile-g? yang:gauge64 | | +-- mid-percentile-g? yang:gauge64 | | +-- high-percentile-g? yang:gauge64 | | +-- peak-g? yang:gauge64 | | +-- current-g? yang:gauge64 | +-- partial-request-c | +-- low-percentile-g? yang:gauge64 | +-- mid-percentile-g? yang:gauge64 | +-- high-percentile-g? yang:gauge64 | +-- peak-g? yang:gauge64 | +-- current-g? yang:gauge64 +-- total-attack-connection-port* [protocol port] | +-- protocol uint8 | +-- port inet:port-number | +-- connection-c | | +-- low-percentile-g? yang:gauge64 | | +-- mid-percentile-g? yang:gauge64 | | +-- high-percentile-g? yang:gauge64 | | +-- peak-g? yang:gauge64 | | +-- current-g? yang:gauge64 | +-- embryonic-c | | +-- low-percentile-g? yang:gauge64 | | +-- mid-percentile-g? yang:gauge64 | | +-- high-percentile-g? yang:gauge64 | | +-- peak-g? yang:gauge64 | | +-- current-g? yang:gauge64 | +-- connection-ps-c | | +-- low-percentile-g? yang:gauge64 | | +-- mid-percentile-g? yang:gauge64 | | +-- high-percentile-g? yang:gauge64 | | +-- peak-g? yang:gauge64 | | +-- current-g? yang:gauge64 | +-- request-ps-c | | +-- low-percentile-g? yang:gauge64 | | +-- mid-percentile-g? yang:gauge64 | | +-- high-percentile-g? yang:gauge64 | | +-- peak-g? yang:gauge64 | | +-- current-g? yang:gauge64 | +-- partial-request-c | +-- low-percentile-g? yang:gauge64 | +-- mid-percentile-g? yang:gauge64 | +-- high-percentile-g? yang:gauge64 | +-- peak-g? yang:gauge64 | +-- current-g? yang:gauge64 +-- attack-detail* [vendor-id attack-id] ...]]></artwork> </figure></t>]]></sourcecode> </figure> </section> <section anchor="attackdetails"title="Attack Details">numbered="true" toc="default"> <name>Attack Details</name> <t>This attribute (depicted in <xreftarget="adt"></xref>)target="adt" format="default"/>) is used to signal a set of details characterizing an attack. The following sub-attributes describing the ongoing attack can besignalledsignaled as attack details:</t><t><list style="hanging"> <t hangText="vendor-id:">Vendor ID is<dl newline="false" spacing="normal"> <dt>vendor-id:</dt> <dd>Vendor ID. This parameter represents a security vendor's enterprise number as registered in theIANA'sIANA "Private Enterprise Numbers" registry <xreftarget="Private-Enterprise-Numbers"></xref>.</t> <t hangText="attack-id:">Uniquetarget="Private-Enterprise-Numbers" format="default"/>.</dd> <dt>attack-id:</dt> <dd>Unique identifier assigned for the attack by a vendor. This parameterMUST<bcp14>MUST</bcp14> bepresent independentpresent, independently of whether 'attack-description' is included ornot.</t> <t hangText="description-lang:">Indicatesnot.</dd> <dt>description-lang:</dt> <dd>Indicates the language tag that is used for the text that is included in the 'attack-description' attribute.TheThis attribute is encoded following the rules inSection 2.1 of<xreftarget="RFC5646"></xref>.target="RFC5646" sectionFormat="of" section="2.1"/>. The default language tag is"en-US".</t> <t hangText="attack-description:">Textual"en-US".</dd> <dt>attack-description:</dt> <dd>Textual representation of the attack description. This description is related to the class of attack rather than a specific instance of it. Natural Language Processing techniques (e.g., word embedding) might provide some utility in mapping the attack description to an attack type. Textual representation of an attack solves two problems:(a)it avoids the need to (a) create mapping tables manually between vendors and (b)avoids the need tostandardize attack typeswhichthat keepevolving.</t> <t hangText="attack-severity:">Attackevolving.</dd> <dt>attack-severity:</dt> <dd>Attack severity level. This attribute takes one of the values defined inSection 3.12.2 of<xreftarget="RFC7970"></xref>.</t> <t hangText="start-time:">Thetarget="RFC7970" sectionFormat="of" section="3.12.2"/>.</dd> <dt>start-time:</dt> <dd>The time the attack started. The attack's start time is expressed in seconds relative to 1970-01-01T00:00Z(Section 3.4.2 of <xref target="RFC8949"></xref>).(<xref target="RFC8949" sectionFormat="of" section="3.4.2"/>). The CBOR encoding is modified so that the leading tag 1 (epoch-based date/time)MUST<bcp14>MUST</bcp14> beomitted.</t> <t hangText="end-time:">Theomitted.</dd> <dt>end-time:</dt> <dd>The time the attack ended. Theattackattack's end time is expressed in seconds relative to 1970-01-01T00:00Z(Section 3.4.2 of <xref target="RFC8949"></xref>).(<xref target="RFC8949" sectionFormat="of" section="3.4.2"/>). The CBOR encoding is modified so that the leading tag 1 (epoch-based date/time)MUST<bcp14>MUST</bcp14> beomitted.</t> <t hangText="source-count:">Aomitted.</dd> <dt>source-count:</dt> <dd>A count of sources involved in the attack targeting thevictim.</t> <t hangText="top-talker:">Avictim.</dd> <dt>top-talker:</dt> <dd> <t>A list of attack sources that are involved in an attack andwhichthat are generating an important part of the attack traffic. The top talkers are represented usingthe 'source-prefix'.<vspace blankLines="1" />'spoofed-status''source-prefix'.</t> <t>'spoofed-status' indicates whether a top talker is a spoofed IP address (e.g., reflection attacks) or not. If no 'spoofed-status' data node is included, this means that the spoofing status isunknown.<vspace blankLines="1" />Ifunknown.</t> <t>If the target is being subjected to a bandwidth-consuming attack, a statistical profile of the attack traffic from each of the top talkers is included('total-attack-traffic',('total-attack-traffic'; see <xreftarget="tat"></xref>). <vspace blankLines="1" />Iftarget="tat" format="default"/>). </t> <t>If the target is being subjected to a resource-consuming DDoS attack, the same attributes as those defined in <xreftarget="attackconn"></xref>target="attackconn" format="default"/> are applicable for characterizing the attack on a per-talker basis.</t></list></t> <t><figure anchor="adt" title="Attack Detail</dd> </dl> <figure anchor="adt"> <name>Attack Details TreeStructure"> <artwork><![CDATA[Structure</name> <sourcecode name="" type="yangtree"><![CDATA[ +--:(telemetry) +-- pre-or-ongoing-mitigation* [] +-- (direction)? | +--:(server-to-client-only) | +-- tmid? uint32 +-- target | ... +-- total-traffic* [unit] | ... +-- total-traffic-protocol* [unit protocol] | ... +-- total-traffic-port* [unit port] | ... +-- total-attack-traffic* [unit] | ... +-- total-attack-traffic-protocol* [unit protocol] | ... +-- total-attack-traffic-port* [unit port] | ... +-- total-attack-connection-protocol* [protocol] | ... +-- total-attack-connection-port* [protocol port] | ... +-- attack-detail* [vendor-id attack-id] +-- vendor-id uint32 +-- attack-id uint32 +-- description-lang? string +-- attack-description? string +-- attack-severity? attack-severity +-- start-time? uint64 +-- end-time? uint64 +-- source-count | +-- low-percentile-g? yang:gauge64 | +-- mid-percentile-g? yang:gauge64 | +-- high-percentile-g? yang:gauge64 | +-- peak-g? yang:gauge64 | +-- current-g? yang:gauge64 +-- top-talker +-- talker* [source-prefix] +-- spoofed-status? boolean +-- source-prefix inet:ip-prefix +-- source-port-range* [lower-port] | +-- lower-port inet:port-number | +-- upper-port? inet:port-number +-- source-icmp-type-range* [lower-type] | +-- lower-type uint8 | +-- upper-type? uint8 +-- total-attack-traffic* [unit] | +-- unit unit | +-- low-percentile-g? yang:gauge64 | +-- mid-percentile-g? yang:gauge64 | +-- high-percentile-g? yang:gauge64 | +-- peak-g? yang:gauge64 | +-- current-g? yang:gauge64 +-- total-attack-connection-protocol* [protocol] +-- protocol uint8 +-- connection-c | +-- low-percentile-g? yang:gauge64 | +-- mid-percentile-g? yang:gauge64 | +-- high-percentile-g? yang:gauge64 | +-- peak-g? yang:gauge64 | +-- current-g? yang:gauge64 +-- embryonic-c | +-- low-percentile-g? yang:gauge64 | +-- mid-percentile-g? yang:gauge64 | +-- high-percentile-g? yang:gauge64 | +-- peak-g? yang:gauge64 | +-- current-g? yang:gauge64 +-- connection-ps-c | +-- low-percentile-g? yang:gauge64 | +-- mid-percentile-g? yang:gauge64 | +-- high-percentile-g? yang:gauge64 | +-- peak-g? yang:gauge64 | +-- current-g? yang:gauge64 +-- request-ps-c | +-- low-percentile-g? yang:gauge64 | +-- mid-percentile-g? yang:gauge64 | +-- high-percentile-g? yang:gauge64 | +-- peak-g? yang:gauge64 | +-- current-g? yang:gauge64 +-- partial-request-c +-- low-percentile-g? yang:gauge64 +-- mid-percentile-g? yang:gauge64 +-- high-percentile-g? yang:gauge64 +-- peak-g? yang:gauge64 +-- current-g? yang:gauge64]]></artwork> </figure></t>]]></sourcecode> </figure> <t>In order to optimize the size of telemetry data conveyed over the DOTS signal channel, DOTS agentsMAY<bcp14>MAY</bcp14> use the DOTS data channel <xreftarget="RFC8783"></xref>target="RFC8783" format="default"/> to exchangevendor specificvendor-specific attack mapping details (that is, {vendor identifier, attack identifier} ==> textual representation of the attack description). As such, DOTS agents do not have to conveysystematicallyan attack description systematically in their telemetry messages over the DOTS signal channel. Refer to <xreftarget="vam"></xref>.</t>target="vam" format="default"/>.</t> </section> <section anchor="vam"title="Vendornumbered="true" toc="default"> <name>Vendor AttackMapping">Mapping</name> <t>Multiple mappings for different vendor identifiers may be used; the DOTS agent transmitting telemetry information can elect to use one or more vendor mappings even in the same telemetrymessage.<list style="empty"> <t>Note:message.</t> <aside><t> Note: It is possible that a DOTS server is making use of multiple DOTSmitigators;mitigators, each from a different vendor. How telemetry information and vendor mappings are exchanged between DOTS servers and DOTS mitigators is outside the scope of thisdocument.</t> </list></t>document. </t></aside> <t>DOTS clients and servers may be provided with mappings from different vendors and so have their own different sets of vendor attack mappings. A DOTS agentMUST<bcp14>MUST</bcp14> accept receipt of telemetry data with a vendor identifier that is differenttothan theoneidentifier it uses to transmit telemetry data. Furthermore, it is possible that the DOTS client and DOTS server are provided by the samevendor,vendor but the vendor mapping tables are at different revisions. The DOTS clientSHOULD<bcp14>SHOULD</bcp14> transmit telemetry information using any vendor mapping(s) that it provided to the DOTS server (e.g., using a POST as depicted in <xreftarget="installmap"></xref>)target="installmap" format="default"/>), and the DOTS serverSHOULD<bcp14>SHOULD</bcp14> use any vendor mappings(s) provided to the DOTS client when transmitting telemetry data to the peer DOTS agent.</t> <figure anchor="installmap"> <name>POST to Install Vendor Attack Mapping Details</name> <artwork name="" type="" align="left" alt=""><![CDATA[POST /restconf/data/ietf-dots-data-channel:dots-data\ /dots-client=dz6pHjaADkaFTbjr0JGBpw HTTP/1.1 Host: example.com Content-Type: application/yang-data+json { "ietf-dots-mapping:vendor-mapping": { "vendor": [ { "vendor-id": 345, "vendor-name": "mitigator-c", "last-updated": "1629898958", "attack-mapping": [ { "attack-id": 1, "attack-description": "Include a description of this attack" }, { "attack-id": 2, "attack-description": "Again, include a description of the attack" } ] } ] } } ]]></artwork> </figure> <t>The "ietf-dots-mapping" YANG module defined in <xreftarget="data"></xref>target="data" format="default"/> augments the "ietf-dots-data-channel" module <xreftarget="RFC8783"></xref> module.target="RFC8783" format="default"/>. The tree structure of the "ietf-dots-mapping" module is shown in <xreftarget="abstract-data"></xref>.</t> <t><figure anchor="abstract-data" title="Vendortarget="abstract-data" format="default"/>.</t> <figure anchor="abstract-data"> <name>Vendor Attack Mapping TreeStructure"> <artwork><![CDATA[module:Structure</name> <sourcecode name="" type="yangtree"><![CDATA[ module: ietf-dots-mapping augment /data-channel:dots-data/data-channel:dots-client: +--rw vendor-mapping {dots-telemetry}? +--rw vendor* [vendor-id] +--rw vendor-id uint32 +--rw vendor-name? string +--rw description-lang? string +--rw last-updated uint64 +--rw attack-mapping* [attack-id] +--rw attack-id uint32 +--rw attack-description string augment /data-channel:dots-data/data-channel:capabilities: +--ro vendor-mapping-enabled? boolean {dots-telemetry}? augment /data-channel:dots-data: +--ro vendor-mapping {dots-telemetry}? +--ro vendor* [vendor-id] +--ro vendor-id uint32 +--ro vendor-name? string +--ro description-lang? string +--ro last-updated uint64 +--ro attack-mapping* [attack-id] +--ro attack-id uint32 +--ro attack-description string]]></artwork> </figure></t>]]></sourcecode> </figure> <t>A DOTS client sends a GET request over the DOTS data channel to retrieve the capabilities supported by a DOTS server as perSection 7.1 of<xreftarget="RFC8783"></xref>.target="RFC8783" sectionFormat="of" section="7.1"/>. This request is meant to assess whether the capability of sharing vendor attack mapping details is supported by the server (i.e., check the value of 'vendor-mapping-enabled').</t> <t>If 'vendor-mapping-enabled' is set to 'true', a DOTS clientMAY<bcp14>MAY</bcp14> send a GET request to retrieve the DOTS server's vendor attack mapping details. An example of such a GET request is shown in <xreftarget="MfS"></xref>.</t> <t><figure anchor="MfS" title="GETtarget="MfS" format="default"/>.</t> <figure anchor="MfS"> <name>GET to Retrieve the Vendor Attack Mappings of a DOTSServer"> <artwork><![CDATA[GETServer</name> <artwork name="" type="" align="left" alt=""><![CDATA[GET /restconf/data/ietf-dots-data-channel:dots-data\ /ietf-dots-mapping:vendor-mapping HTTP/1.1 Host: example.com Accept: application/yang-data+json ]]></artwork></figure></t></figure> <t>A DOTS client can retrieve only the list of vendors supported by the DOTS server. It does so by setting the "depth" parameter(Section 4.8.2 of <xref target="RFC8040"></xref>)(<xref target="RFC8040" sectionFormat="of" section="4.8.2"/>) to "3" in the GET request as shown in <xreftarget="MfSd"></xref>.target="MfSd" format="default"/>. An example of a response body received from the DOTS server as a response to such a request is illustrated in <xreftarget="MfSdr"></xref>.</t> <t><figure anchor="MfSd" title="GETtarget="MfSdr" format="default"/>.</t> <figure anchor="MfSd"> <name>GET to Retrieve the Vendors ListusedUsed by a DOTSServer"> <artwork><![CDATA[GETServer</name> <artwork name="" type="" align="left" alt=""><![CDATA[GET /restconf/data/ietf-dots-data-channel:dots-data\ /ietf-dots-mapping:vendor-mapping?depth=3 HTTP/1.1 Host: example.com Accept: application/yang-data+json ]]></artwork></figure></t> <t><figure anchor="MfSdr" title="Response</figure> <figure anchor="MfSdr"> <name>Response Message Body to a GET to Retrieve the Vendors ListusedUsed by a DOTSServer"> <artwork><![CDATA[{Server</name> <artwork name="" type="" align="left" alt=""><![CDATA[{ "ietf-dots-mapping:vendor-mapping": { "vendor": [ { "vendor-id": 32473, "vendor-name": "mitigator-s", "last-updated": "1629898758", "attack-mapping": [] } ] } } ]]></artwork></figure></t></figure> <t>The DOTS client repeats the above procedure regularly (e.g., once a week) to update the DOTS server's vendor attack mapping details.</t> <t>If the DOTS client concludes that the DOTS server does not have any reference to the specific vendor attack mapping details, the DOTS client uses a POST request to install its vendor attack mapping details. An example of such a POST request is depicted in <xreftarget="installmap"></xref>.</t> <t><figure anchor="installmap" title="POST to Install Vendor Attack Mapping Details"> <artwork><![CDATA[POST /restconf/data/ietf-dots-data-channel:dots-data\ /dots-client=dz6pHjaADkaFTbjr0JGBpw HTTP/1.1 Host: example.com Content-Type: application/yang-data+json { "ietf-dots-mapping:vendor-mapping": { "vendor": [ { "vendor-id": 345, "vendor-name": "mitigator-c", "last-updated": "1629898958", "attack-mapping": [ { "attack-id": 1, "attack-description": "Include a description of this attack" }, { "attack-id": 2, "attack-description": "Again, include a description of the attack" } ] } ] } } ]]></artwork> </figure></t>target="installmap" format="default"/>.</t> <t>The DOTS server indicates the result of processing the POST request using the status-line. A "201 Created" status-lineMUST<bcp14>MUST</bcp14> be returned in the response if the DOTS server has accepted the vendor attack mapping details. If the request is missing a mandatory attribute or contains an invalid or unknown parameter, a "400 Bad Request" status-lineMUST<bcp14>MUST</bcp14> be returned by the DOTS server in the response. The error-tag is set to "missing-attribute", "invalid-value", or "unknown-element" as a function of the encountered error.</t> <t>If the request is received via a server-domain DOTSgateway,gateway but the DOTS server does not maintain a 'cdid' for this 'cuid' while a 'cdid' is expected to be supplied, the DOTS serverMUST<bcp14>MUST</bcp14> reply with a "403 Forbidden" status-line and the error-tag "access-denied". Upon receipt of this message, the DOTS clientMUST<bcp14>MUST</bcp14> register(Section 5.1 of <xref target="RFC8783"></xref>).</t>(<xref target="RFC8783" sectionFormat="of" section="5.1"/>).</t> <t>The DOTS client uses the PUT request to modify its vendor attack mapping details maintained by the DOTS server (e.g., add a new mapping entry, update an existing mapping).</t> <t>A DOTS client uses a GET request to retrieve its vendor attack mapping details as maintained by the DOTS server (<xreftarget="allD"></xref>).</t> <t><figure anchor="allD" title="GETtarget="allD" format="default"/>).</t> <figure anchor="allD"> <name>GET to Retrieve Installed Vendor Attack MappingDetails"> <artwork><![CDATA[GETDetails</name> <artwork name="" type="" align="left" alt=""><![CDATA[GET /restconf/data/ietf-dots-data-channel:dots-data\ /dots-client=dz6pHjaADkaFTbjr0JGBpw\ /ietf-dots-mapping:vendor-mapping?\ content=all HTTP/1.1 Host: example.com Accept:application/yang-data+json]]></artwork> </figure></t>application/yang-data+json ]]></artwork> </figure> <t>When conveying attack details in DOTS telemetry messages(Sections <xref(Sections <xref format="counter"target="preCtoS"></xref>,target="preCtoS"/>, <xref format="counter"target="preStoC"></xref>,target="preStoC"/>, and <xref format="counter"target="status"></xref>),target="status"/>), DOTS agentsMUST NOT<bcp14>MUST NOT</bcp14> include the 'attack-description' attribute unless the corresponding attack mapping details were not previously shared with the peer DOTS agent.</t> </section> </section> <section anchor="preCtoS"title="Fromnumbered="true" toc="default"> <name>From DOTS Clients to DOTSServers">Servers</name> <t>DOTS clients use PUT requests to signal pre-or-ongoing-mitigation telemetry to DOTS servers. An example of such a request is shown in <xreftarget="put-tmid-c"></xref>.</t> <t><figure anchor="put-tmid-c" title="PUTtarget="put-tmid-c" format="default"/>.</t> <figure anchor="put-tmid-c"> <name>PUT to Send Pre-or-Ongoing-Mitigation Telemetry,depictedDepicted as per Section5.6"> <artwork><![CDATA[Header:5.6</name> <sourcecode name="" type="json"><![CDATA[Header: PUT (Code=0.03) Uri-Path: ".well-known" Uri-Path: "dots" Uri-Path: "tm" Uri-Path: "cuid=dz6pHjaADkaFTbjr0JGBpw" Uri-Path: "tmid=123" Content-Format: "application/dots+cbor" { "ietf-dots-telemetry:telemetry": { "pre-or-ongoing-mitigation": [ { "target": { "target-prefix": [ "2001:db8::1/128" ] }, "total-attack-traffic-protocol": [ { "protocol": 17, "unit": "megabit-ps", "mid-percentile-g": "900" } ], "attack-detail": [ { "vendor-id": 32473, "attack-id": 77, "start-time": "1608336568", "attack-severity": "high" } ] } ] }}]]></artwork> </figure></t>} ]]></sourcecode> </figure> <t>'cuid' is a mandatory Uri-Path parameter for DOTS PUT requests.</t> <t>The following additional Uri-Path parameter is defined:<list hangIndent="5" style="hanging"> <t hangText="tmid:">Telemetry</t> <dl newline="false" spacing="normal"> <dt>tmid:</dt> <dd> <t>The Telemetry Identifier is an identifier for the DOTS pre-or-ongoing-mitigation telemetry data represented as an integer. This identifierMUST<bcp14>MUST</bcp14> be generated by DOTS clients.'tmid' 'tmid' valuesMUST<bcp14>MUST</bcp14> increase monotonically whenever a DOTS client needs to convey a new set of pre-or-ongoing-mitigationtelemetry. <vspace blankLines="1" />Thetelemetry data. </t> <t>The procedure specified inSection 4.4.1 of<xreftarget="RFC9132"></xref>target="RFC9132" sectionFormat="of" section="4.4.1"/> for 'mid' rolloverMUST<bcp14>MUST</bcp14> be followed for 'tmid'rollover.<vspace blankLines="1" />Thisrollover.</t> <t>This is a mandatory attribute.'tmid' MUST 'tmid' <bcp14>MUST</bcp14> appear after 'cuid' in the Uri-Path options.</t></list></t></dd> </dl> <t>'cuid' and 'tmid'MUST NOT<bcp14>MUST NOT</bcp14> appear in the PUT request message body.</t> <t>At least the 'target' attribute and another pre-or-ongoing-mitigation attribute (<xreftarget="pre"></xref>) MUSTtarget="pre" format="default"/>) <bcp14>MUST</bcp14> be present in the PUT request. If only the 'target' attribute is present, this request is handled as per <xreftarget="preStoC"></xref>.</t>target="preStoC" format="default"/>.</t> <t>The relative order of two PUT requests carrying DOTS pre-or-ongoing-mitigation telemetry from a DOTS client is determined by comparing their respective 'tmid' values. If these twosuchrequests have an overlapping 'target', the PUT request with a higher numeric 'tmid' value will override the request with a lower numeric 'tmid' value. The overlapped lower numeric 'tmid'MUST<bcp14>MUST</bcp14> be automatically deleted and no longer be available.</t> <t>The DOTS server indicates the result of processing a PUT request using CoAP Response Codes. In particular, the 2.04 (Changed) Response Code is returned if the DOTS server has accepted the pre-or-ongoing-mitigation telemetry. The 5.03 (Service Unavailable) Response Code is returned if the DOTS server has erred. The 5.03 Response Code uses the Max-Age Option to indicate the number of seconds after which to retry.</t> <t>How long a DOTS server maintains a 'tmid' as active or logs the enclosed telemetry information is implementation specific. Note that if a'tmid’'tmid' is still active, then logging details are updated by the DOTS server as a function of the updates received from the peer DOTS client.</t> <t>A DOTS client that lost the state of its active 'tmid's or has to set 'tmid' back to zero (e.g., crash or restart)MUST<bcp14>MUST</bcp14> send a GET request to the DOTS server to retrieve the list of active 'tmid' values. The DOTS client may then delete 'tmid's that should not be active anymore (<xreftarget="spa"></xref>).target="spa" format="default"/>). Sending a DELETE with no 'tmid' indicates that all 'tmid's must be deactivated (<xreftarget="dpa"></xref>).</t> <t><figure anchor="spa" title="Delete atarget="dpa" format="default"/>).</t> <figure anchor="spa"> <name>Deleting Specific Pre-or-Ongoing-MitigationTelemetry"> <artwork align="left"><![CDATA[Header:Telemetry Information</name> <sourcecode name="" type="json"><![CDATA[Header: DELETE (Code=0.04) Uri-Path: ".well-known" Uri-Path: "dots" Uri-Path: "tm" Uri-Path: "cuid=dz6pHjaADkaFTbjr0JGBpw" Uri-Path: "tmid=123"]]></artwork> </figure><figure anchor="dpa" title="Delete]]></sourcecode> </figure> <figure anchor="dpa"> <name>Deleting All Pre-or-Ongoing-MitigationTelemetry"> <artwork align="left"><![CDATA[Header:Telemetry Information</name> <sourcecode name="" type="json"><![CDATA[Header: DELETE (Code=0.04) Uri-Path: ".well-known" Uri-Path: "dots" Uri-Path: "tm" Uri-Path: "cuid=dz6pHjaADkaFTbjr0JGBpw"]]></artwork> </figure></t>]]></sourcecode> </figure> </section> <section anchor="preStoC"title="Fromnumbered="true" toc="default"> <name>From DOTS Servers to DOTSClients">Clients</name> <t>The pre-or-ongoing-mitigation data (attackdetails,details in particular) can also be signaled from DOTS servers to DOTS clients. For example, a DOTS server co-located with a DDoS detector can collect monitoring information from the target network, identify a DDoS attack using statistical analysis or deep learning techniques, and signal the attack details to the DOTS client.</t> <t>The DOTS client can use the attack details to decide whether to trigger a DOTS mitigation request or not. Furthermore, the security operations personnel at the DOTS client domain can use the attack details to determine the protection strategy and select the appropriate DOTS server for mitigating the attack.</t> <t>In order to receive pre-or-ongoing-mitigation telemetry notifications from a DOTS server, a DOTS clientMUST<bcp14>MUST</bcp14> send a PUT (followed by a GET) with the target filter. An example of such a PUT request is shown in <xreftarget="put-tmid"></xref>.target="put-tmid" format="default"/>. In order to avoid maintaining a long list of such requests, it isRECOMMENDED<bcp14>RECOMMENDED</bcp14> that DOTS clients include all targets in the same request (assuming that this information fits within one single datagram). DOTS servers may be instructed to restrict the number of pre-or-ongoing-mitigation requests per DOTS client domain. Thepre-or-ongoing mitigationpre-or-ongoing-mitigation requestsMUST<bcp14>MUST</bcp14> be maintained in an active state by the DOTS server until adeleteDELETE request is received from the same DOTS client to clear this pre-or-ongoing-mitigation telemetry or when the DOTS client is considered inactive (e.g.,Section 3.5 of<xreftarget="RFC8783"></xref>).</t>target="RFC8783" sectionFormat="of" section="3.5"/>).</t> <t>The relative order of two PUT requests carrying DOTS pre-or-ongoing-mitigation telemetry from a DOTS client is determined by comparing their respective 'tmid' values. Ifsuchthese two requests have an overlapping 'target', the PUT request with a higher numeric 'tmid' value will override the request with a lower numeric 'tmid' value. The overlapped lower numeric 'tmid'MUST<bcp14>MUST</bcp14> be automatically deleted and no longer be available.</t><t><figure anchor="put-tmid" title="PUT<figure anchor="put-tmid"> <name>PUT to Request Pre-or-Ongoing-Mitigation Telemetry,depictedDepicted as per Section5.6"> <artwork><![CDATA[Header:5.6</name> <sourcecode name="" type="json"><![CDATA[Header: PUT (Code=0.03) Uri-Path: ".well-known" Uri-Path: "dots" Uri-Path: "tm" Uri-Path: "cuid=dz6pHjaADkaFTbjr0JGBpw" Uri-Path: "tmid=567" Content-Format: "application/dots+cbor" { "ietf-dots-telemetry:telemetry": { "pre-or-ongoing-mitigation": [ { "target": { "target-prefix": [ "2001:db8::/32" ] } } ] }}]]></artwork> </figure></t>} ]]></sourcecode> </figure> <t>DOTS clients of the same domain canrequestask to receive pre-or-ongoing-mitigation telemetry bound to the same target without being considered to be "overlapping" and in conflict.</t> <t>Once the PUT request to instantiate request state on the server has succeeded, the DOTS client issues a GET request to receive ongoingtelemtrytelemetry updates. The client uses the Observe Option, set to'0'"0" (register), in the GET request to receive asynchronous notifications carrying pre-or-ongoing-mitigation telemetry data from the DOTS server. The GET request can specify a specific 'tmid' (<xreftarget="gettmid"></xref>)target="gettmid" format="default"/>) or omit the 'tmid' (<xreftarget="getall"></xref>)target="getall" format="default"/>) to receive updates on all active requests from that client.</t><t><figure anchor="gettmid" title="GET<figure anchor="gettmid"> <name>GET to Subscribe to Telemetry Asynchronous Notifications for a Specific'tmid'"> <artwork><![CDATA[Header:'tmid'</name> <sourcecode name="" type="json"><![CDATA[Header: GET (Code=0.01) Uri-Path: ".well-known" Uri-Path: "dots" Uri-Path: "tm" Uri-Path: "cuid=dz6pHjaADkaFTbjr0JGBpw" Uri-Path: "tmid=567" Observe:0]]></artwork> </figure></t> <t></t> <t><figure anchor="getall" title="GET0 ]]></sourcecode> </figure> <figure anchor="getall"> <name>GET to Subscribe to Telemetry Asynchronous Notifications for All'tmids'"> <artwork><![CDATA[Header:'tmid's</name> <sourcecode name="" type="json"><![CDATA[Header: GET (Code=0.01) Uri-Path: ".well-known" Uri-Path: "dots" Uri-Path: "tm" Uri-Path: "cuid=dz6pHjaADkaFTbjr0JGBpw" Observe:0]]></artwork> </figure></t>0 ]]></sourcecode> </figure> <t>The DOTS client can use a filter to request a subset of the asynchronous notifications from the DOTS server by indicating one or more Uri-Query options in its GET request. A Uri-Query option can include the following parameters to restrict the notifications based on the attack target: 'target-prefix', 'target-port', 'target-protocol', 'target-fqdn', 'target-uri', 'alias-name', 'mid', and 'c' (content) (<xreftarget="control"></xref>). Furthermore:<list style="empty"> <t>Iftarget="control" format="default"/>). Furthermore:</t> <ul spacing="normal"> <li>If more than one Uri-Query option is included in a request, these options are interpreted in the same way as when multiple target attributes are included in a message body(Section 4.4.1 of <xref target="RFC9132"></xref>).</t> <t>If(<xref target="RFC9132" sectionFormat="of" section="4.4.1"/>).</li> <li>If multiple values of a query parameter are to be included in a request, these valuesMUST<bcp14>MUST</bcp14> be included in the same Uri-Query option and separated by a "," character without anyspaces.</t> <t>Rangespaces.</li> <li>Range values (i.e., a contiguous inclusive block) can be included for the 'target-port', 'target-protocol', and 'mid' parameters by indicating the two boundary values separated by a "-"character.</t> <t>Wildcardcharacter.</li> <li>Wildcard names (i.e., a name with the leftmost label is the "*" character) can be included in 'target-fqdn' or 'target-uri' parameters. DOTS clientsMUST NOT<bcp14>MUST NOT</bcp14> include a name in which the "*" character is included in a label other than the leftmost label. "*.example.com" is an example of a valid wildcard name that can be included as a value of the 'target-fqdn' parameter inana Uri-Queryoption.</t> </list></t>option.</li> </ul> <t>DOTS clients may also filter out the asynchronous notifications from the DOTS server by indicating information about a specific attack source. To that aim, a DOTS client may include 'source-prefix', 'source-port', or 'source-icmp-type' in a Uri-Query option. The same considerations (ranges, multiple values) specified for target attributes apply for source attributes. Special careSHOULD<bcp14>SHOULD</bcp14> be taken when using thesefiltersfilters, as their use may cause some attacksmayto be hiddentofrom the requesting DOTS client (e.g., if the attack changes its source information).</t> <t>Requests with invalid query types (e.g., not supported, malformed) received by the DOTS serverMUST<bcp14>MUST</bcp14> be rejected with a 4.00 (Bad Request)response code.</t>Response Code.</t> <t>An example of a request to subscribe to asynchronous telemetry notifications regarding UDP traffic is shown in <xreftarget="notif_filter-tm"></xref>.target="notif_filter-tm" format="default"/>. This filter will be applied for all 'tmid's.</t><t><figure anchor="notif_filter-tm" title="GET<figure anchor="notif_filter-tm"> <name>GET Request to Receive Telemetry Asynchronous Notifications Filteredusing Uri-Query"> <artwork><![CDATA[Header:Using Uri-Query</name> <sourcecode name="" type="json"><![CDATA[Header: GET (Code=0.01) Uri-Path: ".well-known" Uri-Path: "dots" Uri-Path: "tm" Uri-Path: "cuid=dz6pHjaADkaFTbjr0JGBpw" Uri-Query: "target-protocol=17" Observe:0]]></artwork> </figure></t>0 ]]></sourcecode> </figure> <t>The DOTS server will send asynchronous notifications to the DOTS client when an attack event isdetecteddetected, followingsimilarconsiderationsassimilar to those discussed inSection 4.4.2.1 of<xreftarget="RFC9132"></xref>.target="RFC9132" sectionFormat="of" section="4.4.2.1"/>. An example of a pre-or-ongoing-mitigation telemetry notification is shown in <xreftarget="noti"></xref>.</t> <t><figure anchor="noti" title="Messagetarget="noti" format="default"/>.</t> <figure anchor="noti"> <name>Message Body of a Pre-or-Ongoing-Mitigation Telemetry Notification from the DOTS Server,depictedDepicted as per Section5.6"> <artwork><![CDATA[{5.6</name> <artwork name="" type="" align="left" alt=""><![CDATA[{ "ietf-dots-telemetry:telemetry": { "pre-or-ongoing-mitigation": [ { "tmid": 567, "target": { "target-prefix": [ "2001:db8::1/128" ] }, "target-protocol": [ 17 ], "total-attack-traffic": [ { "unit": "megabit-ps", "mid-percentile-g": "900" } ], "attack-detail": [ { "vendor-id": 32473, "attack-id": 77, "start-time": "1618339785", "attack-severity": "high" } ] } ] }}]]></artwork> </figure></t>} ]]></artwork> </figure> <t>A DOTS server sends the aggregate data for a target using the 'total-attack-traffic' attribute. The aggregate assumes that Uri-Query filters are applied on the target. The DOTS serverMAY<bcp14>MAY</bcp14> include more fine-grained data when needed (that is, 'total-attack-traffic-protocol' and 'total-attack-traffic-port'). If a port filter (or protocol filter) is included in a request, 'total-attack-traffic-protocol' (or 'total-attack-traffic-port') conveys the data with the port (or protocol) filter applied.</t> <t>A DOTS server may aggregate pre-or-ongoing-mitigation data (e.g., 'top-talker') for all targets of adomain, ordomain or, when justified, send specific information (e.g., 'top-talker')per individual targets.</t>for a specific target.</t> <t>The DOTS client may log pre-or-ongoing-mitigation telemetry data with an alert sent to an administrator or a network controller. The DOTS client may send a mitigation request if the attack cannot be handled locally.</t> <t>A DOTS client that is not interestedto receivein receiving pre-or-ongoing-mitigation telemetry data for a target sends adeleteDELETE request similar to theoneDELETE request depicted in <xreftarget="spa"></xref>.</t>target="spa" format="default"/>.</t> </section> </section> <section anchor="status"title="DOTSnumbered="true" toc="default"> <name>DOTS Telemetry Mitigation StatusUpdate"> <t></t>Update</name> <section anchor="effu-S"title="DOTSnumbered="true" toc="default"> <name>From DOTS Clients toServersDOTS Servers: Mitigation Efficacy DOTS TelemetryAttributes">Attributes</name> <t>The mitigation efficacy telemetry attributes can be signaled from DOTS clients to DOTS servers as part of the periodic mitigation efficacy updates to the server(Section 4.4.3 of <xref target="RFC9132"></xref>).</t> <t><list style="hanging"> <t hangText="Total Attack Traffic: ">The(<xref target="RFC9132" sectionFormat="of" section="4.4.3"/>).</t> <dl newline="false" spacing="normal"> <dt>Total attack traffic: </dt> <dd>The overall attack traffic as observed from the DOTSclientclient's perspective during an active mitigation. See <xreftarget="tatt"></xref>.</t> <t hangText="Attack Details: ">Thetarget="tatt" format="default"/>.</dd> <dt>Attack details: </dt> <dd>The overall attack details as observed from the DOTSclientclient's perspective during an active mitigation. See <xreftarget="attackdetails"></xref>.</t> </list></t>target="attackdetails" format="default"/>.</dd> </dl> <t>The "ietf-dots-telemetry" YANG module (<xreftarget="module"></xref>)target="module" format="default"/>) augments the 'mitigation-scope' message type defined in the"ietf-dots-signal""ietf-dots-signal-channel" module <xreftarget="RFC9132"></xref>target="RFC9132" format="default"/> so that these attributes can besignalledsignaled by a DOTS client in a mitigation efficacy update (<xreftarget="eff"></xref>).<figure anchor="eff" title="Telemetrytarget="eff" format="default"/>).</t> <figure anchor="eff"> <name>Telemetry Efficacy Update TreeStructure"> <artwork><![CDATA[Structure</name> <sourcecode name="" type="yangtree"><![CDATA[ augment-structure /dots-signal:dots-signal/dots-signal:message-type /dots-signal:mitigation-scope/dots-signal:scope: +-- total-attack-traffic* [unit] | +-- unit unit | +-- low-percentile-g? yang:gauge64 | +-- mid-percentile-g? yang:gauge64 | +-- high-percentile-g? yang:gauge64 | +-- peak-g? yang:gauge64 | +-- current-g? yang:gauge64 +-- attack-detail* [vendor-id attack-id] +-- vendor-id uint32 +-- attack-id uint32 +-- attack-description? string +-- attack-severity? attack-severity +-- start-time? uint64 +-- end-time? uint64 +-- source-count | +-- low-percentile-g? yang:gauge64 | +-- mid-percentile-g? yang:gauge64 | +-- high-percentile-g? yang:gauge64 | +-- peak-g? yang:gauge64 | +-- current-g? yang:gauge64 +-- top-talker +-- talker* [source-prefix] +-- spoofed-status? boolean +-- source-prefix inet:ip-prefix +-- source-port-range* [lower-port] | +-- lower-port inet:port-number | +-- upper-port? inet:port-number +-- source-icmp-type-range* [lower-type] | +-- lower-type uint8 | +-- upper-type? uint8 +-- total-attack-traffic* [unit] | +-- unit unit | +-- low-percentile-g? yang:gauge64 | +-- mid-percentile-g? yang:gauge64 | +-- high-percentile-g? yang:gauge64 | +-- peak-g? yang:gauge64 | +-- current-g? yang:gauge64 +-- total-attack-connection +-- connection-c | +-- low-percentile-g? yang:gauge64 | +-- mid-percentile-g? yang:gauge64 | +-- high-percentile-g? yang:gauge64 | +-- peak-g? yang:gauge64 | +-- current-g? yang:gauge64 +-- embryonic-c | ... +-- connection-ps-c | ... +-- request-ps-c | ... +-- partial-request-c ...]]></artwork> </figure></t>]]></sourcecode> </figure> <t>In order to signal telemetry data in a mitigation efficacy update, it isRECOMMENDED<bcp14>RECOMMENDED</bcp14> that the DOTS clienthashave already established a DOTS telemetry setup session with the server in 'idle' time. Such a session is primarily meant to assess whether the peer DOTS server supports telemetry extensionsand, thus,and to thus prevent message processing failure(Section 3.1 of <xref target="RFC9132"></xref>).</t>(<xref target="RFC9132" sectionFormat="of" section="3.1"/>).</t> <t>An example of an efficacy update with telemetry attributes is depicted in <xreftarget="effu"></xref>.</t> <t><figure anchor="effu" title="An Exampletarget="effu" format="default"/>.</t> <figure anchor="effu"> <name>Example of Mitigation Efficacy Update with Telemetry Attributes,depictedDepicted as per Section5.6"> <artwork><![CDATA[Header:5.6</name> <sourcecode name="" type="json"><![CDATA[Header: PUT (Code=0.03) Uri-Path: ".well-known" Uri-Path: "dots" Uri-Path: "mitigate" Uri-Path: "cuid=dz6pHjaADkaFTbjr0JGBpw" Uri-Path: "mid=123" If-Match: Content-Format: "application/dots+cbor" { "ietf-dots-signal-channel:mitigation-scope": { "scope": [ { "alias-name": [ "https1", "https2" ], "attack-status": "under-attack", "ietf-dots-telemetry:total-attack-traffic": [ { "unit": "megabit-ps", "mid-percentile-g": "900" } ] } ] }}]]></artwork> </figure></t>} ]]></sourcecode> </figure> </section> <section anchor="premStoC"title="DOTSnumbered="true" toc="default"> <name>From DOTS Servers toClientsDOTS Clients: Mitigation Status DOTS TelemetryAttributes ">Attributes</name> <t>The mitigation status telemetry attributes can be signaled from the DOTS server to the DOTS client as part of the periodic mitigation status update(Section 4.4.2 of <xref target="RFC9132"></xref>).(<xref target="RFC9132" sectionFormat="of" section="4.4.2"/>). In particular, DOTS clients can receive asynchronous notifications of the attack details from DOTS servers using the ObserveoptionOption defined in <xreftarget="RFC7641"></xref>.</t>target="RFC7641" format="default"/>.</t> <t>In order to make use of this feature, DOTS clientsMUST<bcp14>MUST</bcp14> establish a telemetry session with the DOTS server in 'idle' time andMUST<bcp14>MUST</bcp14> set the 'server-originated-telemetry' attribute to 'true'.</t> <t>DOTS serversMUST NOT<bcp14>MUST NOT</bcp14> include telemetry attributes in mitigation status updates sent to DOTS clients for telemetry sessions in which the 'server-originated-telemetry' attribute is set to 'false'.</t> <t>As defined in <xreftarget="RFC8612"></xref>,target="RFC8612" format="default"/>, the actual mitigation activities can include several countermeasure mechanisms. The DOTS server signals the current operational status of relevant countermeasures. A list of attacks detected by these countermeasuresMAY<bcp14>MAY</bcp14> also be included. The same attributes as those defined in <xreftarget="attackdetails"></xref>target="attackdetails" format="default"/> are applicable for describing the attacks detected and mitigated at the DOTS server domain.</t> <t>The "ietf-dots-telemetry" YANG module (<xreftarget="module"></xref>)target="module" format="default"/>) augments the 'mitigation-scope' message type defined in"ietf-dots-signal"the "ietf-dots-signal-channel" module <xreftarget="RFC9132"></xref>target="RFC9132" format="default"/> with telemetry data as depicted in <xreftarget="miscope"></xref>.<figure anchor="miscope" title="DOTS Servers to Clientstarget="miscope" format="default"/>.</t> <figure anchor="miscope"> <name>DOTS Server-to-Client Mitigation Status Telemetry TreeStructure"> <artwork><![CDATA[Structure</name> <sourcecode name="" type="yangtree"><![CDATA[ augment-structure /dots-signal:dots-signal/dots-signal:message-type /dots-signal:mitigation-scope/dots-signal:scope: +-- (direction)? | +--:(server-to-client-only) | +-- total-traffic* [unit] | | +-- unit unit | | +-- low-percentile-g? yang:gauge64 | | +-- mid-percentile-g? yang:gauge64 | | +-- high-percentile-g? yang:gauge64 | | +-- peak-g? yang:gauge64 | | +-- current-g? yang:gauge64 | +-- total-attack-connection | +-- connection-c | | +-- low-percentile-g? yang:gauge64 | | +-- mid-percentile-g? yang:gauge64 | | +-- high-percentile-g? yang:gauge64 | | +-- peak-g? yang:gauge64 | | +-- current-g? yang:gauge64 | +-- embryonic-c | | ... | +-- connection-ps-c | | ... | +-- request-ps-c | | ... | +-- partial-request-c | ... +-- total-attack-traffic* [unit] | +-- unit unit | +-- low-percentile-g? yang:gauge64 | +-- mid-percentile-g? yang:gauge64 | +-- high-percentile-g? yang:gauge64 | +-- peak-g? yang:gauge64 | +-- current-g? yang:gauge64 +-- attack-detail* [vendor-id attack-id] +-- vendor-id uint32 +-- attack-id uint32 +-- attack-description? string +-- attack-severity? attack-severity +-- start-time? uint64 +-- end-time? uint64 +-- source-count | +-- low-percentile-g? yang:gauge64 | +-- mid-percentile-g? yang:gauge64 | +-- high-percentile-g? yang:gauge64 | +-- peak-g? yang:gauge64 | +-- current-g? yang:gauge64 +-- top-talker +-- talker* [source-prefix] +-- spoofed-status? boolean +-- source-prefix inet:ip-prefix +-- source-port-range* [lower-port] | +-- lower-port inet:port-number | +-- upper-port? inet:port-number +-- source-icmp-type-range* [lower-type] | +-- lower-type uint8 | +-- upper-type? uint8 +-- total-attack-traffic* [unit] | +-- unit unit | +-- low-percentile-g? yang:gauge64 | +-- mid-percentile-g? yang:gauge64 | +-- high-percentile-g? yang:gauge64 | +-- peak-g? yang:gauge64 | +-- current-g? yang:gauge64 +-- total-attack-connection +-- connection-c | +-- low-percentile-g? yang:gauge64 | +-- mid-percentile-g? yang:gauge64 | +-- high-percentile-g? yang:gauge64 | +-- peak-g? yang:gauge64 | +-- current-g? yang:gauge64 +-- embryonic-c | ... +-- connection-ps-c | ... +-- request-ps-c | ... +-- partial-request-c ...]]></artwork> </figure></t>]]></sourcecode> </figure> <t><xreftarget="upex"></xref>target="upex" format="default"/> shows an example of an asynchronous notification of attack mitigation status from the DOTS server. This notification signals both the mid-percentile value of processed attack traffic and the peak count of unique sources involved in the attack.</t><t><figure anchor="upex" title="Response<figure anchor="upex"> <name>Response Body of a Mitigation StatusWithwith Telemetry Attributes,depictedDepicted as per Section5.6"> <artwork><![CDATA[{5.6</name> <artwork name="" type="" align="left" alt=""><![CDATA[{ "ietf-dots-signal-channel:mitigation-scope": { "scope": [ { "mid": 12332, "mitigation-start": "1507818434", "alias-name": [ "https1", "https2" ], "lifetime": 1600, "status": "attack-successfully-mitigated", "bytes-dropped": "134334555", "bps-dropped": "43344", "pkts-dropped": "333334444", "pps-dropped": "432432", "ietf-dots-telemetry:total-attack-traffic": [ { "unit": "megabit-ps", "mid-percentile-g": "752" } ], "ietf-dots-telemetry:attack-detail": [ { "vendor-id": 32473, "attack-id": 77, "source-count": { "peak-g": "12683" } } ] } ] }}]]></artwork> </figure></t>} ]]></artwork> </figure> <t>DOTS clients can filter out the asynchronous notifications from the DOTS server by indicating one or more Uri-Query options in its GET request. A Uri-Query option can include the following parameters: 'target-prefix', 'target-port', 'target-protocol', 'target-fqdn', 'target-uri', 'alias-name', and 'c' (content) (<xreftarget="control"></xref>).target="control" format="default"/>). The considerations discussed in <xreftarget="preStoC"></xref> MUSTtarget="preStoC" format="default"/> <bcp14>MUST</bcp14> be followed to include multiple query values, ranges ('target-port', 'target-protocol'), and wildcard names ('target-fqdn', 'target-uri').</t> <t>An example of a request to subscribe to asynchronous notifications bound to the "https1" alias is shown in <xreftarget="notif_filter"></xref>.</t> <t><figure anchor="notif_filter" title="GETtarget="notif_filter" format="default"/>.</t> <figure anchor="notif_filter"> <name>GET Request to Receive Asynchronous Notifications Filteredusing Uri-Query"> <artwork><![CDATA[Header:Using Uri-&wj;Query</name> <sourcecode name="" type="json"><![CDATA[Header: GET (Code=0.01) Uri-Path: ".well-known" Uri-Path: "dots" Uri-Path: "mitigate" Uri-Path: "cuid=dz6pHjaADkaFTbjr0JGBpw" Uri-Path: "mid=12332" Uri-Query: "target-alias=https1" Observe:0]]></artwork> </figure></t>0 ]]></sourcecode> </figure> <t>If the target query does not match the target of the enclosed 'mid' as maintained by the DOTS server, the latterMUST<bcp14>MUST</bcp14> respond with a 4.04 (Not Found) error Response Code. The DOTS serverMUST NOT<bcp14>MUST NOT</bcp14> add a newobserveObserve entry if this query overlaps with an existingone.Observe entry. In such a case, the DOTS server replies with a 4.09(Conflict).</t>(Conflict) Response Code.</t> </section> </section> <sectiontitle="Error Handling">numbered="true" toc="default"> <name>Error Handling</name> <t>A list of common CoAP errors that are implemented by DOTS serversareis provided inSection 9 of<xreftarget="RFC9132"></xref>.target="RFC9132" sectionFormat="of" section="9"/>. The following additional error cases apply for the telemetry extension:</t><t><list style="symbols"> <t>4.00<ul spacing="normal"> <li>4.00 (Bad Request) is returned by the DOTS server when the DOTS client has sent a request that violates the DOTS telemetryextension.</t> <t>4.04extension.</li> <li>4.04 (Not Found) is returned by the DOTS server when the DOTS client is requesting a 'tsid' or 'tmid' that is notvalid.</t> <t>4.00valid.</li> <li>4.00 (Bad Request) is returned by the DOTS server when the DOTS client has sent a request with invalid query types (e.g., not supported,malformed).</t> <t>4.04malformed).</li> <li>4.04 (Not Found) is returned by the DOTS server when the DOTS client has sent a request with a target query that does not match the target of the enclosed 'mid' as maintained by the DOTSserver.</t> </list></t>server.</li> </ul> <t>As indicated inSection 9 of<xreftarget="RFC9132"></xref>,target="RFC9132" sectionFormat="of" section="9"/>, an additionalplain textplaintext diagnostic payload(Section 5.5.2 of <xref target="RFC7252"></xref>)(<xref target="RFC7252" sectionFormat="of" section="5.5.2"/>) to help with troubleshooting is returned in the body of the response.</t> </section> <sectiontitle="YANG Modules"> <t></t>numbered="true" toc="default"> <name>YANG Modules</name> <section anchor="module"title="DOTSnumbered="true" toc="default"> <name>DOTS Signal Channel Telemetry YANGModule">Module</name> <t>This module uses types defined in <xreftarget="RFC6991"></xref>target="RFC6991" format="default"/> and <xreftarget="RFC8345"></xref>.</t> <t><figure> <artwork><![CDATA[<CODE BEGINS> file "ietf-dots-telemetry@2022-02-04.yang"target="RFC8345" format="default"/>. It also reuses a grouping from <xref target="RFC8783"/>.</t> <sourcecode name="ietf-dots-telemetry@2022-05-18.yang" type="yang" markers="true"><![CDATA[ module ietf-dots-telemetry { yang-version 1.1; namespace "urn:ietf:params:xml:ns:yang:ietf-dots-telemetry"; prefix dots-telemetry; import ietf-dots-signal-channel { prefix dots-signal; reference "RFC 9132: Distributed Denial-of-Service Open Threat Signaling (DOTS) Signal Channel Specification"; } import ietf-dots-data-channel { prefix data-channel; reference "RFC 8783: Distributed Denial-of-Service Open Threat Signaling (DOTS) Data Channel Specification"; } import ietf-yang-types { prefix yang; reference"Section 3 of RFC 6991";"RFC 6991: Common YANG Data Types, Section 3"; } import ietf-inet-types { prefix inet; reference"Section 4 of RFC 6991";"RFC 6991: Common YANG Data Types, Section 4"; } import ietf-network-topology { prefix nt; reference"Section 6.2 of RFC"RFC 8345: A YANG Data Model for NetworkTopologies";Topologies, Section 6.2"; } import ietf-yang-structure-ext { prefix sx; reference "RFC 8791: YANG Data Structure Extensions"; } organization "IETF DDoS Open Threat Signaling (DOTS) Working Group"; contact "WG Web: <https://datatracker.ietf.org/wg/dots/> WG List: <mailto:dots@ietf.org> Author: Mohamed Boucadair <mailto:mohamed.boucadair@orange.com> Author: Konda, Tirumaleswar Reddy.K <mailto:kondtir@gmail.com>"; description "This module contains YANG definitions for the signaling of DOTS telemetry data exchanged between a DOTS client and a DOTS server by means of the DOTS signal channel. Copyright (c) 2022 IETF Trust and the persons identified as authors of the code. All rights reserved. Redistribution and use in source and binary forms, with or without modification, is permitted pursuant to, and subject to the license terms contained in, the Revised BSD License set forth in Section 4.c of the IETF Trust's Legal Provisions Relating to IETF Documents (https://trustee.ietf.org/license-info). This version of this YANG module is part of RFCXXXX;9244; see the RFC itself for full legal notices."; revision2022-02-042022-05-18 { description "Initial revision."; reference "RFCXXXX:9244: Distributed Denial-of-Service Open Threat Signaling (DOTS) Telemetry"; } typedef attack-severity { type enumeration { enum none { value 1; description "No effect on the DOTS client domain."; } enum low { value 2; description "Minimal effect on the DOTS client domain."; } enum medium { value 3; description "A subset of DOTS client domain resourcesareis out of service."; } enum high { value 4; description "The DOTS client domain is under extremely severe conditions."; } enum unknown { value 5; description "The impact of the attack is not known."; } } description "Enumeration for attack severity."; reference "RFC 7970: The Incident Object Description Exchange Format Version 2, Section 3.12.2"; } typedef unit-class { type enumeration { enum packet-ps { value 1; description "Packets per second (pps)."; } enum bit-ps { value 2; description "Bits perSecond (bit/s).";second (bps)."; } enum byte-ps { value 3; description "Bytes per second(Byte/s).";(Bps)."; } } description "Enumeration to indicate which unit class is used. These classes are supported: pps,bit/s,bps, andByte/s.";Bps."; } typedef unit { type enumeration { enum packet-ps { value 1; description "Packets per second (pps)."; } enum bit-ps { value 2; description "Bits perSecondsecond (bps)."; } enum byte-ps { value 3; description "Bytes per second (Bps)."; } enum kilopacket-ps { value 4; description "Kilo packets per second (kpps)."; } enum kilobit-ps { value 5; description "Kilobits per second (kbps)."; } enum kilobyte-ps { value 6; description "Kilobytes per second (kBps)."; } enum megapacket-ps { value 7; description "Mega packets per second (Mpps)."; } enum megabit-ps { value 8; description "Megabits per second (Mbps)."; } enum megabyte-ps { value 9; description "Megabytes per second (MBps)."; } enum gigapacket-ps { value 10; description "Giga packets per second (Gpps)."; } enum gigabit-ps { value 11; description "Gigabits per second (Gbps)."; } enum gigabyte-ps { value 12; description "Gigabytes per second (GBps)."; } enum terapacket-ps { value 13; description "Tera packets per second (Tpps)."; } enum terabit-ps { value 14; description "Terabits per second (Tbps)."; } enum terabyte-ps { value 15; description "Terabytes per second (TBps)."; } enum petapacket-ps { value 16; description "Peta packets per second (Ppps)."; } enum petabit-ps { value 17; description "Petabits per second (Pbps)."; } enum petabyte-ps { value 18; description "Petabytes per second (PBps)."; } enum exapacket-ps { value 19; description "Exa packets per second (Epps)."; } enum exabit-ps { value 20; description "Exabits per second (Ebps)."; } enum exabyte-ps { value 21; description "Exabytes per second (EBps)."; } enum zettapacket-ps { value 22; description "Zetta packets per second (Zpps)."; } enum zettabit-ps { value 23; description "Zettabits per second (Zbps)."; } enum zettabyte-ps { value 24; description "Zettabytes per second (ZBps)."; } } description "Enumeration to indicate which unit is used. Only one unit per unit class is used owing to unit auto-scaling."; } typedef interval { type enumeration { enum 5-minutes { value 1; description "5 minutes."; } enum 10-minutes { value 2; description "10 minutes."; } enum 30-minutes { value 3; description "30 minutes."; } enum hour { value 4; description "Hour."; } enum day { value 5; description "Day."; } enum week { value 6; description "Week."; } enum month { value 7; description "Month."; } } description "Enumeration to indicate the overall measurement period."; } typedef sample { type enumeration { enum second { value 1; description"A one-second"One-second measurement period."; } enum 5-seconds { value 2; description "5-second measurement period."; } enum 30-seconds { value 3; description "30-second measurement period."; } enum minute { value 4; description "One-minute measurement period."; } enum 5-minutes { value 5; description "5-minute measurement period."; } enum 10-minutes { value 6; description "10-minute measurement period."; } enum 30-minutes { value 7; description "30-minute measurement period."; } enum hour { value 8; description "One-hour measurement period."; } } description "Enumeration to indicate the sampling period."; } typedef percentile { type decimal64 { fraction-digits 2; } description "The nth percentile of a set of data is the value at which n percent of the data is below it."; } typedef query-type { type enumeration { enum target-prefix { value 1; description "Query based on target prefix."; } enum target-port { value 2; description "Query based on target port number."; } enum target-protocol { value 3; description "Query based on target protocol."; } enum target-fqdn { value 4; description "Query based on target FQDN."; } enum target-uri { value 5; description "Query based on target URI."; } enum target-alias { value 6; description "Query based on target alias."; } enum mid { value 7; description "Query based on mitigation identifier (mid)."; } enum source-prefix { value 8; description "Query based on source prefix."; } enum source-port { value 9; description "Query based on source port number."; } enum source-icmp-type { value 10; description "Query based on ICMPtype";type."; } enum content { value 11; description "Query based on the 'c' (content) Uri-Queryoption thatoption, which is used to control the selection of configuration and non-configuration data nodes."; reference"Section 4.4.2 of RFC 9132.";"RFC 9132: Distributed Denial-of-Service Open Threat Signaling (DOTS) Signal Channel Specification, Section 4.4.2"; } } description "Enumeration of support for query types that can be used in a GET request to filter out data. Requests with invalid query types (e.g., not supported, malformed) received by the DOTS server are rejected with a 4.00 (Bad Request)response code.";Response Code."; } grouping telemetry-parameters { description "A grouping that includes a set of parameters that are used to prepare the reported telemetry data. The grouping indicates a measurement interval, a measurement sample period, andlow/mid/high percentilelow-percentile/mid-percentile/high-percentile values."; leaf measurement-interval { type interval; description "Defines the periodonduring which percentiles are computed."; } leaf measurement-sample { type sample; description "Defines the time distribution for measuring values that are used to compute percentiles. The measurement sample value must be less than the measurement interval value."; } leaf low-percentile { type percentile; default "10.00"; description"Low percentile."Low-percentile. If set to '0', this meanslow-percentiles arethat the use of low-percentile values is disabled."; } leaf mid-percentile { type percentile; must '. >= ../low-percentile' { error-message "The mid-percentile must be greater than or equal to the low-percentile."; } default "50.00"; description"Mid percentile."Mid-percentile. If set to the same value aslow-percentile,'low-percentile', this meansmid-percentiles arethat the use of mid-percentile values is disabled."; } leaf high-percentile { type percentile; must '. >= ../mid-percentile' { error-message "The high-percentile must be greater than or equal to the mid-percentile."; } default "90.00"; description"High percentile."High-percentile. If set to the same value asmid-percentile,'mid-percentile', this meanshigh-percentiles arethat the use of high-percentile values is disabled."; } } grouping percentile-and-peak { description "Generic grouping for percentile and peak values."; leaf low-percentile-g { type yang:gauge64; description"Low percentile"Low-percentile value."; } leaf mid-percentile-g { type yang:gauge64; description"Mid percentile"Mid-percentile value."; } leaf high-percentile-g { type yang:gauge64; description"High percentile"High-percentile value."; } leaf peak-g { type yang:gauge64; description "Peak value."; } } grouping percentile-peak-and-current { description "Generic grouping for percentile and peak values."; uses percentile-and-peak; leaf current-g { type yang:gauge64; description "Current value."; } } grouping unit-config { description "Generic grouping for unit configuration."; list unit-config { key "unit"; description "Controls which unit classes are allowed when sharing telemetry data."; leaf unit { type unit-class; description "Can bepacket-ps, bit-ps,'packet-ps', 'bit-ps', orbyte-ps.";'byte-ps'."; } leaf unit-status { type boolean; mandatory true; description "Enable/disable the use of the measurement unit class."; } } } grouping traffic-unit { description "Grouping of traffic as a function of the measurement unit."; leaf unit { type unit; description "The traffic can be measured using unit classes:packet-ps, bit-ps,'packet-ps', 'bit-ps', orbyte-ps.'byte-ps'. DOTS agents auto-scale to the appropriate units (e.g.,megabit-ps, kilobit-ps).";'megabit-ps', 'kilobit-ps')."; } uses percentile-and-peak; } grouping traffic-unit-all { description "Grouping of traffic as a function of the measurement unit, including current values."; uses traffic-unit; leaf current-g { type yang:gauge64; description "Current observed value."; } } grouping traffic-unit-protocol { description "Grouping of traffic of a given transport protocol as a function of the measurement unit."; leaf protocol { type uint8; description "The transport protocol. Values are taken from the IANAProtocol Numbers'Protocol Numbers' registry: <https://www.iana.org/assignments/protocol-numbers/>. For example, this parameter contains 6 for TCP, 17 for UDP, 33 forDCCP,the Datagram Congestion Control Protocol (DCCP), or 132 forSCTP.";the Stream Control Transmission Protocol (SCTP)."; } uses traffic-unit; } grouping traffic-unit-protocol-all { description "Grouping of traffic of a given transport protocol as a function of the measurement unit, including current values."; uses traffic-unit-protocol; leaf current-g { type yang:gauge64; description "Current observed value."; } } grouping traffic-unit-port { description "Grouping of traffic bound to a port number as a function of the measurement unit."; leaf port { type inet:port-number; description "Port number used by a transport protocol."; } uses traffic-unit; } grouping traffic-unit-port-all { description "Grouping of traffic bound to a port number as a function of the measurement unit, including current values."; uses traffic-unit-port; leaf current-g { type yang:gauge64; description "Current observed value."; } } grouping total-connection-capacity { description "Total connection capacities for various types of connections, as well as overall capacity. These data nodes are usefulto detectfor detecting resource-consuming DDoS attacks."; leaf connection { type uint64; description "The maximum number of simultaneous connections that are allowed to the target server."; } leaf connection-client { type uint64; description "The maximum number of simultaneous connections that are allowed to the target server per client."; } leaf embryonic { type uint64; description "The maximum number of simultaneous embryonic connections that are allowed to the target server. The term 'embryonic connection' refers to a connection whose connection handshake is not finished. Embryonic connections are only possible in connection-oriented transport protocols like TCP or SCTP."; } leaf embryonic-client { type uint64; description "The maximum number of simultaneous embryonic connections that are allowed to the target server per client."; } leaf connection-ps { type uint64; description "The maximum number of new connections allowed per second to the target server."; } leaf connection-client-ps { type uint64; description "The maximum number of new connections allowed per second to the target server per client."; } leaf request-ps { type uint64; description "The maximum number of requests allowed per second to the target server."; } leaf request-client-ps { type uint64; description "The maximum number of requests allowed per second to the target server per client."; } leaf partial-request-max { type uint64; description "The maximum number of outstanding partial requests that are allowed to the target server."; } leaf partial-request-client-max { type uint64; description "The maximum number of outstanding partial requests that are allowed to the target server per client."; } } grouping total-connection-capacity-protocol { description "Totalconnectionsconnection capacity per protocol. These data nodes are usefulto detect resource consumingfor detecting resource-consuming DDoS attacks."; leaf protocol { type uint8; description "The transport protocol. Values are taken from the IANAProtocol Numbers'Protocol Numbers' registry: <https://www.iana.org/assignments/protocol-numbers/>."; } uses total-connection-capacity; } grouping connection-percentile-and-peak { description "A set of data nodeswhichthat represent the attack characteristics."; container connection-c { uses percentile-and-peak; description "The number of simultaneous attack connections to the target server."; } container embryonic-c { uses percentile-and-peak; description "The number of simultaneous embryonic connections to the target server."; } container connection-ps-c { uses percentile-and-peak; description "The number of attack connections per second to the target server."; } container request-ps-c { uses percentile-and-peak; description "The number of attack requests per second to the target server."; } container partial-request-c { uses percentile-and-peak; description "The number of attack partial requests to the target server."; } } grouping connection-all { description "Total attackconnectionsconnections, including current values."; container connection-c { uses percentile-peak-and-current; description "The number of simultaneous attack connections to the target server."; } container embryonic-c { uses percentile-peak-and-current; description "The number of simultaneous embryonic connections to the target server."; } container connection-ps-c { uses percentile-peak-and-current; description "The number of attack connections per second to the target server."; } container request-ps-c { uses percentile-peak-and-current; description "The number of attack requests per second to the target server."; } container partial-request-c { uses percentile-peak-and-current; description "The number of attack partial requests to the target server."; } } grouping connection-protocol { description "Total attack connections."; leaf protocol { type uint8; description "The transport protocol. Values are taken from the IANAProtocol Numbers'Protocol Numbers' registry: <https://www.iana.org/assignments/protocol-numbers/>."; } uses connection-percentile-and-peak; } grouping connection-port { description "Total attack connections per port number."; leaf protocol { type uint8; description "The transport protocol. Values are taken from the IANAProtocol Numbers'Protocol Numbers' registry: <https://www.iana.org/assignments/protocol-numbers/>."; } leaf port { type inet:port-number; description "Port number."; } uses connection-percentile-and-peak; } grouping connection-protocol-all { description "Total attack connections per protocol, including current values."; leaf protocol { type uint8; description "The transport protocol. Values are taken from the IANAProtocol Numbers'Protocol Numbers' registry: <https://www.iana.org/assignments/protocol-numbers/>."; } uses connection-all; } grouping connection-protocol-port-all { description "Total attack connections per port number, including current values."; leaf protocol { type uint8; description "The transport protocol. Values are taken from the IANAProtocol Numbers'Protocol Numbers' registry: <https://www.iana.org/assignments/protocol-numbers/>."; } leaf port { type inet:port-number; description "Port number."; } uses connection-all; } grouping attack-detail { description "Various details that describe the ongoing attacks that need to be mitigated by the DOTS server. The attack details need to cover well-known and common attacks (such as a SYNFlood)flood) along with new emerging or vendor-specific attacks."; leaf vendor-id { type uint32; description"Vendor"The Vendor ID is a security vendor's Private Enterprise Number as registered with IANA."; reference "IANA: Private EnterpriseNumbers";Numbers (https://www.iana.org/assignments/enterprise-numbers/)"; } leaf attack-id { type uint32; description "Unique identifier assigned by the vendor for the attack."; } leaf description-lang { type string { pattern'(([A-Za-z]{2,3}(-[A-Za-z]{3}(-[A-Za-z]{3})''((([A-Za-z]{2,3}(-[A-Za-z]{3}(-[A-Za-z]{3})' +'{0,2})?|[A-Za-z]{4}|[A-Za-z]{5,8})(-[A-Za-z]{4})?''{0,2})?)|[A-Za-z]{4}|[A-Za-z]{5,8})(-[A-Za-z]{4})' +'(-([A-Za-z]{2}|[0-9]{3}))?(-([A-Za-z0-9]{5,8}''?(-([A-Za-z]{2}|[0-9]{3}))?(-([A-Za-z0-9]{5,8}' +'|([0-9][A-Za-z0-9]{3})))*(-[0-9A-WY-Za-wy-z]''|([0-9][A-Za-z0-9]{3})))*(-[0-9A-WYZa-wyz]' + '(-([A-Za-z0-9]{2,8}))+)*(-[Xx](-([A-Za-z0-9]' + '{1,8}))+)?|[Xx](-([A-Za-z0-9]{1,8}))+|' + '(([Ee][Nn]-[Gg][Bb]-[Oo][Ee][Dd]|[Ii]-' + '[Aa][Mm][Ii]|[Ii]-[Bb][Nn][Nn]|[Ii]-' + '[Dd][Ee][Ff][Aa][Uu][Ll][Tt]|[Ii]-' + '[Ee][Nn][Oo][Cc][Hh][Ii][Aa][Nn]' + '|[Ii]-[Hh][Aa][Kk]|' + '[Ii]-[Kk][Ll][Ii][Nn][Gg][Oo][Nn]|' + '[Ii]-[Ll][Uu][Xx]|[Ii]-[Mm][Ii][Nn][Gg][Oo]|' + '[Ii]-[Nn][Aa][Vv][Aa][Jj][Oo]|[Ii]-[Pp][Ww][Nn]|' + '[Ii]-[Tt][Aa][Oo]|[Ii]-[Tt][Aa][Yy]|' + '[Ii]-[Tt][Ss][Uu]|[Ss][Gg][Nn]-[Bb][Ee]-[Ff][Rr]|' + '[Ss][Gg][Nn]-[Bb][Ee]-[Nn][Ll]|[Ss][Gg][Nn]-' + '[Cc][Hh]-[Dd][Ee])|([Aa][Rr][Tt]-' + '[Ll][Oo][Jj][Bb][Aa][Nn]|[Cc][Ee][Ll]-' + '[Gg][Aa][Uu][Ll][Ii][Ss][Hh]|' + '[Nn][Oo]-[Bb][Oo][Kk]|[Nn][Oo]-' + '[Nn][Yy][Nn]|[Zz][Hh]-[Gg][Uu][Oo][Yy][Uu]|' + '[Zz][Hh]-[Hh][Aa][Kk][Kk][Aa]|[Zz][Hh]-' + '[Mm][Ii][Nn]|[Zz][Hh]-[Mm][Ii][Nn]-' + '[Nn][Aa][Nn]|[Zz][Hh]-[Xx][Ii][Aa][Nn][Gg])))'; } default "en-US"; description "Indicates the language tag that is used for 'attack-description'."; reference "RFC 5646: Tags for Identifying Languages, Section 2.1"; } leaf attack-description { type string; description "Textual representation of the attack description. Natural Language Processing techniques (e.g., word embedding) might provide some utility in mapping the attack description to an attack type."; } leaf attack-severity { type attack-severity; description "Severity level of an attack. How this level is determined isimplementation-specific.";implementation specific."; } leaf start-time { type uint64; description "The time the attack started.StartThe start time is represented in seconds relative to 1970-01-01T00:00:00Z."; } leaf end-time { type uint64; description "The time the attack ended.EndThe end time is represented in seconds relative to 1970-01-01T00:00:00Z."; } container source-count { description "Indicates the count of unique sources involved in the attack."; uses percentile-and-peak; leaf current-g { type yang:gauge64; description "Current observed value."; } } } grouping talker { description "Defines generic data related totop-talkers.";top talkers."; leaf spoofed-status { type boolean; description "When set to 'true', it indicates whether this address is spoofed."; } leaf source-prefix { type inet:ip-prefix; description "IPv4 or IPv6 prefix identifying the attacker(s)."; } list source-port-range { key "lower-port"; description "Port range. When onlylower-port'lower-port' is present, it represents a single port number."; leaf lower-port { type inet:port-number; description "Lower port number of the port range."; } leaf upper-port { type inet:port-number; must '. >= ../lower-port' { error-message "The upper port number must be greater than or equal to the lower port number."; } description "Upper port number of the port range."; } } list source-icmp-type-range { key "lower-type"; description "ICMP type range. When onlylower-type'lower-type' is present, it represents a single ICMP type."; leaf lower-type { type uint8; description "Lower ICMP type of the ICMP type range."; } leaf upper-type { type uint8; must '. >= ../lower-type' { error-message "The upper ICMP type must be greater than or equal to the lower ICMP type."; } description "Upper type of the ICMP type range."; } } list total-attack-traffic { key "unit"; description "Total attack traffic issued from this source."; uses traffic-unit-all; } } grouping top-talker-aggregate { description "An aggregate of top attack sources. This aggregate is typically used when included in a mitigation request."; list talker { key "source-prefix"; description "Refers to atop-talkertop talker that is identified by an IPv4 or IPv6 prefix identifying the attacker(s)."; uses talker; container total-attack-connection { description "Total attack connections issued from this source."; uses connection-all; } } } grouping top-talker { description "Top attack sources with detailed per-protocol structure."; list talker { key "source-prefix"; description "Refers to atop-talkertop talker that is identified by an IPv4 or IPv6 prefix identifying the attacker(s)."; uses talker; list total-attack-connection-protocol { key "protocol"; description "Total attack connections issued from this source."; uses connection-protocol-all; } } } grouping baseline { description "Grouping for the telemetry baseline."; uses data-channel:target; leaf-list alias-name { type string; description "An alias name that points to an IP resource. An IP resource can be a router, a host, anIoTInternet of Things (IoT) object, a server, etc."; } list total-traffic-normal { key "unit"; description "Total traffic normal baselines."; uses traffic-unit; } list total-traffic-normal-per-protocol { key "unit protocol"; description "Total traffic normal baselines per protocol."; uses traffic-unit-protocol; } list total-traffic-normal-per-port { key "unit port"; description "Total traffic normal baselines per port number."; uses traffic-unit-port; } list total-connection-capacity { key "protocol"; description "Total connection capacity."; uses total-connection-capacity-protocol; } list total-connection-capacity-per-port { key "protocol port"; description "Total connection capacity per port number."; leaf port { type inet:port-number; description "The target port number."; } uses total-connection-capacity-protocol; } } grouping pre-or-ongoing-mitigation { description "Grouping for the telemetry data."; list total-traffic { key "unit"; description "Total traffic."; uses traffic-unit-all; } list total-traffic-protocol { key "unit protocol"; description "Total traffic per protocol."; uses traffic-unit-protocol-all; } list total-traffic-port { key "unit port"; description "Total traffic per port number."; uses traffic-unit-port-all; } list total-attack-traffic { key "unit"; description "Total attack traffic."; uses traffic-unit-all; } list total-attack-traffic-protocol { key "unit protocol"; description "Total attack traffic per protocol."; uses traffic-unit-protocol-all; } list total-attack-traffic-port { key "unit port"; description "Total attack traffic per port number."; uses traffic-unit-port-all; } list total-attack-connection-protocol { key "protocol"; description "Total attack connections."; uses connection-protocol-all; } list total-attack-connection-port { key "protocol port"; description "Total attack connections per target port number."; uses connection-protocol-port-all; } list attack-detail { key "vendor-id attack-id"; description "Provides a set of attack details."; uses attack-detail; container top-talker { description "Lists the top attack sources."; uses top-talker; } } } sx:augment-structure "/dots-signal:dots-signal" + "/dots-signal:message-type" + "/dots-signal:mitigation-scope" + "/dots-signal:scope" { description "Extends mitigation scope with telemetry update data."; choice direction { description "Indicates the communication direction in which the data nodes can be included."; case server-to-client-only { description "These data nodes appear only in a mitigation message sent from the server to the client."; list total-traffic { key "unit"; description "Total traffic."; uses traffic-unit-all; } container total-attack-connection { description "Total attack connections."; uses connection-all; } } } list total-attack-traffic { key "unit"; description "Total attack traffic."; uses traffic-unit-all; } list attack-detail { key "vendor-id attack-id"; description "Attackdetails";details."; uses attack-detail; container top-talker { description "Top attack sources."; uses top-talker-aggregate; } } } sx:structure dots-telemetry { description "Main structure for DOTS telemetry messages."; choice telemetry-message-type { description "Can bea telemetry-setup'telemetry-setup' or telemetry data."; case telemetry-setup { description "Indicates that the message is about telemetrysteup.";setup."; choice direction { description "Indicates the communication direction in which the data nodes can be included."; case server-to-client-only { description "These data nodes appear only in a telemetry message sent from the server to the client."; container max-config-values { description "Maximum acceptable configuration values."; uses telemetry-parameters; leaf server-originated-telemetry { type boolean; default "false"; description "Indicates whether the DOTS server can be instructed to send pre-or-ongoing-mitigation telemetry. If set to 'false' or the data node is not present, this is an indication that the server does not support this capability."; } leaf telemetry-notify-interval { type uint16 { range "1 .. 3600"; } units "seconds"; must '. >= ../../min-config-values' + '/telemetry-notify-interval' { error-message "The value must be greater than or equal to thetelemetry-notify-interval'telemetry-notify-interval' value in themin-config-values";'min-config-values' attribute"; } description "Minimum number of seconds between successive telemetry notifications."; } } container min-config-values { description "Minimum acceptable configuration values."; uses telemetry-parameters; leaf telemetry-notify-interval { type uint16 { range "1 .. 3600"; } units "seconds"; description "Minimum number of seconds between successive telemetry notifications."; } } container supported-unit-classes { description "Supported unit classes and default activation status."; uses unit-config; } leaf-list supported-query-type { type query-type; description "Indicates which query types are supported by the server. If the server does not announce the query types it supports, the client will be unable to use any of the potentialquery-type'query-type' values to reduce the returned data content from the server."; } } } list telemetry { description "The telemetry data per DOTS client. The keys of the list are 'cuid' and 'tsid', but these keys are not represented here because these keys are conveyed as mandatory Uri-Paths in requests. Omitting keys is compliant withRFC8791.";RFC 8791."; reference "RFC 8791: YANG Data Structure Extensions"; choice direction { description "Indicates the communication direction in which the data nodes can be included."; case server-to-client-only { description "These data nodes appear only in a telemetry message sent from the server to the client."; leaf tsid { type uint32; description "A client-assigned identifier for the DOTS telemetry setup data."; } } } choice setup-type { description "Can be a mitigation configuration, a pipe capacity, or a baseline message."; case telemetry-config { description "Used to set telemetry parameters such as settinglow, mid,low-, mid-, andhigh percentilehigh-percentile values."; container current-config { description "Current telemetry configuration values."; uses telemetry-parameters; uses unit-config; leaf server-originated-telemetry { type boolean; description "Used by a DOTS client to enable/disable whether it requests pre-or-ongoing-mitigation telemetry from the DOTS server."; } leaf telemetry-notify-interval { type uint16 { range "1 .. 3600"; } units "seconds"; description "Minimum number of seconds between successive telemetry notifications."; } } } case pipe { description "Total pipe capacity of a DOTS client domain."; list total-pipe-capacity { key "link-id unit"; description "Total pipe capacity of a DOTS client domain."; leaf link-id { type nt:link-id; description "Identifier of an interconnection link of the DOTS client domain."; } leaf capacity { type uint64; mandatory true; description "Pipe capacity. This attribute is mandatory whentotal-pipe-capacity'total-pipe-capacity' is included in a message."; } leaf unit { type unit; description "The traffic can be measured using unit classes: packets per second (pps), bits per second(bit/s),(bps), and/or bytes per second(Byte/s).(Bps). For a given unit class, the DOTS agentsauto-scalesauto-scale to the appropriate units (e.g.,megabit-ps, kilobit-ps).";'megabit-ps', 'kilobit-ps')."; } } } case baseline { description "Traffic baseline informationofrelated to a DOTS client domain."; list baseline { key "id"; description "Traffic baseline informationofrelated to a DOTS client domain."; leaf id { type uint32; must '. >= 1'; description "An identifier that uniquely identifies a baseline entry communicated by a DOTS client."; } uses baseline; } } } } } case telemetry { description "Telemetry information."; list pre-or-ongoing-mitigation { description "Pre-or-ongoing-mitigation telemetry per DOTS client. The keys of the list are 'cuid' and 'tmid', but these keys are not represented here because these keys are conveyed as mandatory Uri-Paths in requests. Omitting keys is compliant withRFC8791.";RFC 8791."; reference "RFC 8791: YANG Data Structure Extensions"; choice direction { description "Indicates the communication direction in which the data nodes can be included."; case server-to-client-only { description "These data nodes appear only in a telemetry message sent from the server to the client."; leaf tmid { type uint32; description "A client-assigned identifier for the DOTS telemetry data."; } } } container target { description "Indicates the target. At least one of the attributes 'target-prefix', 'target-fqdn', 'target-uri', 'alias-name', or 'mid-list' must be present in the target definition."; uses data-channel:target; leaf-list alias-name { type string; description "An alias name that points to a resource."; } leaf-list mid-list { type uint32; description "Reference to a list of associated mitigation requests."; reference "RFC 9132: Distributed Denial-of-Service Open Threat Signaling (DOTS) Signal Channel Specification, Section 4.4.1"; } } uses pre-or-ongoing-mitigation; } } } } }<CODE ENDS> ]]></artwork> </figure></t>]]></sourcecode> </section> <section anchor="data"title="Vendornumbered="true" toc="default"> <name>Vendor Attack Mapping Details YANGModule"> <t><figure> <artwork><![CDATA[<CODE BEGINS> file "ietf-dots-mapping@2022-02-04.yang"Module</name> <sourcecode name="ietf-dots-mapping@2022-05-18.yang" type="yang" markers="true"><![CDATA[ module ietf-dots-mapping { yang-version 1.1; namespace "urn:ietf:params:xml:ns:yang:ietf-dots-mapping"; prefix dots-mapping; import ietf-dots-data-channel { prefix data-channel; reference "RFC 8783: Distributed Denial-of-Service Open Threat Signaling (DOTS) Data Channel Specification"; } organization "IETF DDoS Open Threat Signaling (DOTS) Working Group"; contact "WG Web: <https://datatracker.ietf.org/wg/dots/> WG List: <mailto:dots@ietf.org> Author: Mohamed Boucadair <mailto:mohamed.boucadair@orange.com> Author: Jon Shallow <mailto:supjps-ietf@jpshallow.com>"; description "This module contains YANG definitions for the sharing of DDoS attack mapping details between a DOTS client and a DOTSserver,server by means of the DOTS data channel. Copyright (c) 2022 IETF Trust and the persons identified as authors of the code. All rights reserved. Redistribution and use in source and binary forms, with or without modification, is permitted pursuant to, and subject to the license terms contained in, the Revised BSD License set forth in Section 4.c of the IETF Trust's Legal Provisions Relating to IETF Documents (https://trustee.ietf.org/license-info). This version of this YANG module is part of RFCXXXX;9244; see the RFC itself for full legal notices."; revision2022-02-042022-05-18 { description "Initial revision."; reference "RFCXXXX:9244: Distributed Denial-of-Service Open Threat Signaling (DOTS) Telemetry"; } feature dots-telemetry { description "This feature indicates that DOTS telemetry data can be shared between DOTS clients and servers."; } grouping attack-mapping { description "A set of information used for sharing vendor attack mapping information with a peer."; list vendor { key "vendor-id"; description "Vendor attack mapping informationofrelated to theclient/server";client/server."; leaf vendor-id { type uint32; description"Vendor"The Vendor ID is a security vendor's Private Enterprise Number as registered with IANA."; reference "IANA: Private EnterpriseNumbers";Numbers (https://www.iana.org/assignments/enterprise-numbers/)"; } leaf vendor-name { type string; description "The name of the vendor (e.g., company A)."; } leaf description-lang { type string { pattern'(([A-Za-z]{2,3}(-[A-Za-z]{3}(-[A-Za-z]{3})''((([A-Za-z]{2,3}(-[A-Za-z]{3}(-[A-Za-z]{3})' +'{0,2})?|[A-Za-z]{4}|[A-Za-z]{5,8})(-[A-Za-z]{4})?''{0,2})?)|[A-Za-z]{4}|[A-Za-z]{5,8})(-[A-Za-z]{4})' +'(-([A-Za-z]{2}|[0-9]{3}))?(-([A-Za-z0-9]{5,8}''?(-([A-Za-z]{2}|[0-9]{3}))?(-([A-Za-z0-9]{5,8}' +'|([0-9][A-Za-z0-9]{3})))*(-[0-9A-WY-Za-wy-z]''|([0-9][A-Za-z0-9]{3})))*(-[0-9A-WYZa-wyz]' + '(-([A-Za-z0-9]{2,8}))+)*(-[Xx](-([A-Za-z0-9]' + '{1,8}))+)?|[Xx](-([A-Za-z0-9]{1,8}))+|' + '(([Ee][Nn]-[Gg][Bb]-[Oo][Ee][Dd]|[Ii]-' + '[Aa][Mm][Ii]|[Ii]-[Bb][Nn][Nn]|[Ii]-' + '[Dd][Ee][Ff][Aa][Uu][Ll][Tt]|[Ii]-' + '[Ee][Nn][Oo][Cc][Hh][Ii][Aa][Nn]' + '|[Ii]-[Hh][Aa][Kk]|' + '[Ii]-[Kk][Ll][Ii][Nn][Gg][Oo][Nn]|' + '[Ii]-[Ll][Uu][Xx]|[Ii]-[Mm][Ii][Nn][Gg][Oo]|' + '[Ii]-[Nn][Aa][Vv][Aa][Jj][Oo]|[Ii]-[Pp][Ww][Nn]|' + '[Ii]-[Tt][Aa][Oo]|[Ii]-[Tt][Aa][Yy]|' + '[Ii]-[Tt][Ss][Uu]|[Ss][Gg][Nn]-[Bb][Ee]-[Ff][Rr]|' + '[Ss][Gg][Nn]-[Bb][Ee]-[Nn][Ll]|[Ss][Gg][Nn]-' + '[Cc][Hh]-[Dd][Ee])|([Aa][Rr][Tt]-' + '[Ll][Oo][Jj][Bb][Aa][Nn]|[Cc][Ee][Ll]-' + '[Gg][Aa][Uu][Ll][Ii][Ss][Hh]|' + '[Nn][Oo]-[Bb][Oo][Kk]|[Nn][Oo]-' + '[Nn][Yy][Nn]|[Zz][Hh]-[Gg][Uu][Oo][Yy][Uu]|' + '[Zz][Hh]-[Hh][Aa][Kk][Kk][Aa]|[Zz][Hh]-' + '[Mm][Ii][Nn]|[Zz][Hh]-[Mm][Ii][Nn]-' + '[Nn][Aa][Nn]|[Zz][Hh]-[Xx][Ii][Aa][Nn][Gg])))'; } default "en-US"; description "Indicates the language tag that is used for 'attack-description'."; reference "RFC 5646: Tags for Identifying Languages, Section 2.1"; } leaf last-updated { type uint64; mandatory true; description "The time the mapping table was updated. It is represented in seconds relative to 1970-01-01T00:00:00Z."; } list attack-mapping { key "attack-id"; description "Attack mapping details."; leaf attack-id { type uint32; description "Unique identifier assigned by the vendor for the attack."; } leaf attack-description { type string; mandatory true; description "Textual representation of the attack description. Natural Language Processing techniques (e.g., word embedding) might provide some utility in mapping the attack description to an attack type."; } } } } augment "/data-channel:dots-data/data-channel:dots-client" { if-feature "dots-telemetry"; description "Augments the data channel with a vendor attack mapping table of the DOTS client."; container vendor-mapping { description "Used by DOTS clients to share their vendor attack mapping information with DOTS servers."; uses attack-mapping; } } augment "/data-channel:dots-data/data-channel:capabilities" { if-feature "dots-telemetry"; description "Augments the DOTS server capabilities with a parameter to indicate whether they can share attack mapping details."; leaf vendor-mapping-enabled { type boolean; config false; description "Indicates that the DOTS server supports sharing attack vendor mapping details with DOTS clients."; } } augment "/data-channel:dots-data" { if-feature "dots-telemetry"; description "Augments the data channel with a vendor attack mapping table of the DOTS server."; container vendor-mapping { config false; description "Includes the list of vendor attack mapping details that will be sharedupon requestwith DOTSclients.";clients upon request."; uses attack-mapping; } } }<CODE ENDS> ]]></artwork> </figure></t>]]></sourcecode> </section> </section> <section anchor="map1"title="YANG/JSONnumbered="true" toc="default"> <name>YANG/JSON Mapping Parameters toCBOR">CBOR</name> <t>All DOTS telemetry parameters in the payload of the DOTS signal channelMUST<bcp14>MUST</bcp14> be mapped to CBOR types as shown inTable 3:</t> <t><list style="symbols"> <t>Note:<xref target="tab-3"/>:</t> <aside><t> Note: Implementers must check that the mapping output provided by their YANG-to-CBOR encoding schemes is aligned with thecontentcontents ofTable 2.</t> </list></t> <t><figure align="center"> <artwork align="center"><![CDATA[+----------------------+-------------+------+---------------+--------+ | Parameter Name | YANG | CBOR | CBOR<xref target="tab-3"/>. </t></aside> <table anchor="tab-3"> <name>YANG/JSON Mapping Parameters to CBOR</name> <thead> <tr> <th>Parameter Name</th> <th>YANG Type</th> <th>CBOR Key</th> <th>CBOR Major| JSON | | | Type | Key | Type & |Type| | | | | Information | | +======================+=============+======+===============+========+ | tsid | uint32 |TBA1 | 0 unsigned | Number | | telemetry | list |TBA2 | 4 array | Array | | low-percentile | decimal64 |TBA3 | 6& Information</th> <th>JSON Type</th> </tr> </thead> <tbody> <tr> <td>tsid</td> <td>uint32</td> <td>128</td> <td>0 unsigned</td> <td>Number</td> </tr> <tr> <td>telemetry</td> <td>list</td> <td>129</td> <td>4 array</td> <td>Array</td> </tr> <tr> <td>low-percentile</td> <td>decimal64</td> <td>130</td> <td>6 tag 4| | | | | |[-2,integer]| String | | mid-percentile | decimal64 |TBA4 | 6integer]</td> <td>String</td> </tr> <tr> <td>mid-percentile</td> <td>decimal64</td> <td>131</td> <td>6 tag 4| | | | | |[-2,integer]| String | | high-percentile | decimal64 |TBA5 | 6integer]</td> <td>String</td> </tr> <tr> <td>high-percentile</td> <td>decimal64</td> <td>132</td> <td>6 tag 4| | | | | |[-2,integer]| String | | unit-config | list |TBA6 | 4 array | Array | | unit | enumeration |TBA7 | 0 unsigned | String | | unit-status | boolean |TBA8 | 7integer]</td> <td>String</td> </tr> <tr> <td>unit-config</td> <td>list</td> <td>133</td> <td>4 array</td> <td>Array</td> </tr> <tr> <td>unit</td> <td>enumeration</td> <td>134</td> <td>0 unsigned</td> <td>String</td> </tr> <tr> <td rowspan="2">unit-status</td> <td rowspan="2">boolean</td> <td rowspan="2">135</td> <td>7 bits20 | False | | | | | 720</td> <td>False</td> </tr> <tr> <td>7 bits21 | True | | total-pipe-capacity | list |TBA9 | 4 array | Array | | link-id | string |TBA10 | 321</td> <td>True</td> </tr> <tr> <td>total-pipe-capacity</td> <td>list</td> <td>136</td> <td>4 array</td> <td>Array</td> </tr> <tr> <td>link-id</td> <td>string</td> <td>137</td> <td>3 textstring | String | | pre-or-ongoing- | list |TBA11 | 4 array | Array | | mitigation | | | | | | total-traffic-normal | list |TBA12 | 4 array | Array | | low-percentile-g | yang:gauge64|TBA13 | 0 unsigned | String | | mid-percentile-g | yang:gauge64|TBA14 | 0 unsigned | String | | high-percentile-g | yang:gauge64|TBA15 | 0 unsigned | String | | peak-g | yang:gauge64|TBA16 | 0 unsigned | String | | total-attack-traffic | list |TBA17 | 4 array | Array | | total-traffic | list |TBA18 | 4 array | Array | | total-connection- | | | | | | capacity | list |TBA19 | 4 array | Array | | connection | uint64 |TBA20 | 0 unsigned | String | | connection-client | uint64 |TBA21 | 0 unsigned | String | | embryonic | uint64 |TBA22 | 0 unsigned | String | | embryonic-client | uint64 |TBA23 | 0 unsigned | String | | connection-ps | uint64 |TBA24 | 0 unsigned | String | | connection-client-ps | uint64 |TBA25 | 0 unsigned | String | | request-ps | uint64 |TBA26 | 0 unsigned | String | | request-client-ps | uint64 |TBA27 | 0 unsigned | String | | partial-request-max | uint64 |TBA28 | 0 unsigned | String | | partial-request- | | | | | | client-max | uint64 |TBA29 | 0 unsigned | String | | total-attack- | | | | | | connection | container |TBA30 | 5 map | Object | | connection-c | container |TBA31 | 5 map | Object | | embryonic-c | container |TBA32 | 5 map | Object | | connection-ps-c | container |TBA33 | 5 map | Object | | request-ps-c | container |TBA34 | 5 map | Object | | attack-detail | list |TBA35 | 4 array | Array | | id | uint32 |TBA36 | 0 unsigned | Number | | attack-id | uint32 |TBA37 | 0 unsigned | Number | | attack-description | string |TBA38 | 3string</td> <td>String</td> </tr> <tr> <td>pre-or-ongoing-mitigation</td> <td>list</td> <td>138</td> <td>4 array</td> <td>Array</td> </tr> <tr> <td>total-traffic-normal</td> <td>list</td> <td>139</td> <td>4 array</td> <td>Array</td> </tr> <tr> <td>low-percentile-g</td> <td>yang:gauge64</td> <td>140</td> <td>0 unsigned</td> <td>String</td> </tr> <tr> <td>mid-percentile-g</td> <td>yang:gauge64</td> <td>141</td> <td>0 unsigned</td> <td>String</td> </tr> <tr> <td>high-percentile-g</td> <td>yang:gauge64</td> <td>142</td> <td>0 unsigned</td> <td>String</td> </tr> <tr> <td>peak-g</td> <td>yang:gauge64</td> <td>143</td> <td>0 unsigned</td> <td>String</td> </tr> <tr> <td>total-attack-traffic</td> <td>list</td> <td>144</td> <td>4 array</td> <td>Array</td> </tr> <tr> <td>total-traffic</td> <td>list</td> <td>145</td> <td>4 array</td> <td>Array</td> </tr> <tr> <td>total-connection-capacity</td> <td>list</td> <td>146</td> <td>4 array</td> <td>Array</td> </tr> <tr> <td>connection</td> <td>uint64</td> <td>147</td> <td>0 unsigned</td> <td>String</td> </tr> <tr> <td>connection-client</td> <td>uint64</td> <td>148</td> <td>0 unsigned</td> <td>String</td> </tr> <tr> <td>embryonic</td> <td>uint64</td> <td>149</td> <td>0 unsigned</td> <td>String</td> </tr> <tr> <td>embryonic-client</td> <td>uint64</td> <td>150</td> <td>0 unsigned</td> <td>String</td> </tr> <tr> <td>connection-ps</td> <td>uint64</td> <td>151</td> <td>0 unsigned</td> <td>String</td> </tr> <tr> <td>connection-client-ps</td> <td>uint64</td> <td>152</td> <td>0 unsigned</td> <td>String</td> </tr> <tr> <td>request-ps</td> <td>uint64</td> <td>153</td> <td>0 unsigned</td> <td>String</td> </tr> <tr> <td>request-client-ps</td> <td>uint64</td> <td>154</td> <td>0 unsigned</td> <td>String</td> </tr> <tr> <td>partial-request-max</td> <td>uint64</td> <td>155</td> <td>0 unsigned</td> <td>String</td> </tr> <tr> <td>partial-request-client-max</td> <td>uint64</td> <td>156</td> <td>0 unsigned</td> <td>String</td> </tr> <tr> <td>total-attack-connection</td> <td>container</td> <td>157</td> <td>5 map</td> <td>Object</td> </tr> <tr> <td>connection-c</td> <td>container</td> <td>158</td> <td>5 map</td> <td>Object</td> </tr> <tr> <td>embryonic-c</td> <td>container</td> <td>159</td> <td>5 map</td> <td>Object</td> </tr> <tr> <td>connection-ps-c</td> <td>container</td> <td>160</td> <td>5 map</td> <td>Object</td> </tr> <tr> <td>request-ps-c</td> <td>container</td> <td>161</td> <td>5 map</td> <td>Object</td> </tr> <tr> <td>attack-detail</td> <td>list</td> <td>162</td> <td>4 array</td> <td>Array</td> </tr> <tr> <td>id</td> <td>uint32</td> <td>163</td> <td>0 unsigned</td> <td>Number</td> </tr> <tr> <td>attack-id</td> <td>uint32</td> <td>164</td> <td>0 unsigned</td> <td>Number</td> </tr> <tr> <td>attack-description</td> <td>string</td> <td>165</td> <td>3 textstring | String | | attack-severity | enumeration |TBA39 | 0 unsigned | String | | start-time | uint64 |TBA40 | 0 unsigned | String | | end-time | uint64 |TBA41 | 0 unsigned | String | | source-count | container |TBA42 | 5 map | Object | | top-talker | container |TBA43 | 5 map | Object | | spoofed-status | boolean |TBA44 | 7string</td> <td>String</td> </tr> <tr> <td>attack-severity</td> <td>enumeration</td> <td>166</td> <td>0 unsigned</td> <td>String</td> </tr> <tr> <td>start-time</td> <td>uint64</td> <td>167</td> <td>0 unsigned</td> <td>String</td> </tr> <tr> <td>end-time</td> <td>uint64</td> <td>168</td> <td>0 unsigned</td> <td>String</td> </tr> <tr> <td>source-count</td> <td>container</td> <td>169</td> <td>5 map</td> <td>Object</td> </tr> <tr> <td>top-talker</td> <td>container</td> <td>170</td> <td>5 map</td> <td>Object</td> </tr> <tr> <td rowspan="2">spoofed-status</td> <td rowspan="2">boolean</td> <td rowspan="2">171</td> <td>7 bits20 | False | | | | | 720</td> <td>False</td> </tr> <tr> <td>7 bits21 | True | | partial-request-c | container |TBA45 | 5 map | Object | | total-attack- | | | | | | connection-protocol | list |TBA46 | 4 array | Array | | baseline | list |TBA49 | 4 array | Array | | current-config | container |TBA50 | 5 map | Object | | max-config-values | container |TBA51 | 5 map | Object | | min-config-values | container |TBA52 | 5 map | Object | |supported-unit-classes| container |TBA53 | 5 map | Object | | server-originated- | boolean |TBA54 | 721</td> <td>True</td> </tr> <tr> <td>partial-request-c</td> <td>container</td> <td>172</td> <td>5 map</td> <td>Object</td> </tr> <tr> <td>total-attack-connection-protocol</td> <td>list</td> <td>173</td> <td>4 array</td> <td>Array</td> </tr> <tr> <td>baseline</td> <td>list</td> <td>174</td> <td>4 array</td> <td>Array</td> </tr> <tr> <td>current-config</td> <td>container</td> <td>175</td> <td>5 map</td> <td>Object</td> </tr> <tr> <td>max-config-values</td> <td>container</td> <td>176</td> <td>5 map</td> <td>Object</td> </tr> <tr> <td>min-config-values</td> <td>container</td> <td>177</td> <td>5 map</td> <td>Object</td> </tr> <tr> <td>supported-unit-classes</td> <td>container</td> <td>178</td> <td>5 map</td> <td>Object</td> </tr> <tr> <td rowspan="2">server-originated-telemetry</td> <td rowspan="2">boolean</td> <td rowspan="2">179</td> <td>7 bits20 | False | | telemetry | | | 720</td> <td>False</td> </tr> <tr> <td>7 bits21 | True | | telemetry-notify- | uint16 |TBA55 | 0 unsigned | Number | | interval | | | | | | tmid | uint32 |TBA56 | 0 unsigned | Number | | measurement-interval | enumeration |TBA57 | 0 unsigned | String | | measurement-sample | enumeration |TBA58 | 0 unsigned | String | | talker | list |TBA59 | 4 array | Array | | source-prefix | inet: |TBA60 | 321</td> <td>True</td> </tr> <tr> <td>telemetry-notify-interval</td> <td>uint16</td> <td>180</td> <td>0 unsigned</td> <td>Number</td> </tr> <tr> <td>tmid</td> <td>uint32</td> <td>181</td> <td>0 unsigned</td> <td>Number</td> </tr> <tr> <td>measurement-interval</td> <td>enumeration</td> <td>182</td> <td>0 unsigned</td> <td>String</td> </tr> <tr> <td>measurement-sample</td> <td>enumeration</td> <td>183</td> <td>0 unsigned</td> <td>String</td> </tr> <tr> <td>talker</td> <td>list</td> <td>184</td> <td>4 array</td> <td>Array</td> </tr> <tr> <td>source-prefix</td> <td>inet:ip-prefix</td> <td>185</td> <td>3 textstring | String | | | ip-prefix | | | | | mid-list | leaf-list |TBA61 | 4 array | Array | | | uint32 | | 0 unsigned | Number | | source-port-range | list |TBA62 | 4 array | Array | | source-icmp-type- | list |TBA63 | 4 array | Array | | range | | | | | | target | container |TBA64 | 5 map | Object | | capacity | uint64 |TBA65 | 0 unsigned | String | | protocol | uint8 |TBA66 | 0 unsigned | Number | | total-traffic- | | | | | | normal-per-protocol | list |TBA67 | 4 array | Array | | total-traffic- | | | | | | normal-per-port | list |TBA68 | 4 array | Array | | total-connection- | | | | | | capacity-per-port | list |TBA69 | 4 array | Array | | total-traffic- | | | | | | protocol | list |TBA70 | 4 array | Array | | total-traffic-port | list |TBA71 | 4 array | Array | | total-attack- | | | | | | traffic-protocol | list |TBA72 | 4 array | Array | | total-attack- | | | | | | traffic-port | list |TBA73 | 4 array | Array | | total-attack- | | | | | | connection-port | list |TBA74 | 4 array | Array | | port | inet: | | | | | | port-number|TBA75 | 0 unsigned | Number | | supported-query-type | leaf-list |TBA76 | 4 array | Array | | | | | 0 unsigned | String | | vendor-id | uint32 |TBA77 | 0 unsigned | Number | | ietf-dots-telemetry: | | | | | | telemetry-setup | container |TBA78 | 5 map | Object | | ietf-dots-telemetry: | | | | | | total-traffic | list |TBA79 | 4 array | Array | | ietf-dots-telemetry: | | | | | | total-attack-traffic | list |TBA80 | 4 array | Array | | ietf-dots-telemetry: | | | | | | total-attack- | | | | | | connection | container |TBA81 | 5 map | Object | | ietf-dots-telemetry: | | | | | | attack-detail | list |TBA82 | 4 array | Array | | ietf-dots-telemetry: | | | | | | telemetry | container |TBA83 | 5 map | Object | | current-g | yang:gauge64|TBA84 | 0 unsigned | String | | description-lang | string |TBA85 | 3string</td> <td>String</td> </tr> <tr> <td rowspan="2">mid-list</td> <td>leaf-list</td> <td>186</td> <td>4 array</td> <td>Array</td> </tr> <tr> <td>uint32</td> <td></td> <td>0 unsigned</td> <td>Number</td> </tr> <tr> <td>source-port-range</td> <td>list</td> <td>187</td> <td>4 array</td> <td>Array</td> </tr> <tr> <td>source-icmp-type-range</td> <td>list</td> <td>188</td> <td>4 array</td> <td>Array</td> </tr> <tr> <td>target</td> <td>container</td> <td>189</td> <td>5 map</td> <td>Object</td> </tr> <tr> <td>capacity</td> <td>uint64</td> <td>190</td> <td>0 unsigned</td> <td>String</td> </tr> <tr> <td>protocol</td> <td>uint8</td> <td>191</td> <td>0 unsigned</td> <td>Number</td> </tr> <tr> <td>total-traffic-normal-per-protocol</td> <td>list</td> <td>192</td> <td>4 array</td> <td>Array</td> </tr> <tr> <td>total-traffic-normal-per-port</td> <td>list</td> <td>193</td> <td>4 array</td> <td>Array</td> </tr> <tr> <td>total-connection-capacity-per-port</td> <td>list</td> <td>194</td> <td>4 array</td> <td>Array</td> </tr> <tr> <td>total-traffic-protocol</td> <td>list</td> <td>195</td> <td>4 array</td> <td>Array</td> </tr> <tr> <td>total-traffic-port</td> <td>list</td> <td>196</td> <td>4 array</td> <td>Array</td> </tr> <tr> <td>total-attack-traffic-protocol</td> <td>list</td> <td>197</td> <td>4 array</td> <td>Array</td> </tr> <tr> <td>total-attack-traffic-port</td> <td>list</td> <td>198</td> <td>4 array</td> <td>Array</td> </tr> <tr> <td>total-attack-connection-port</td> <td>list</td> <td>199</td> <td>4 array</td> <td>Array</td> </tr> <tr> <td>port</td> <td>inet:port-number</td> <td>200</td> <td>0 unsigned</td> <td>Number</td> </tr> <tr> <td rowspan="2">supported-query-type</td> <td>leaf-list</td> <td>201</td> <td>4 array</td> <td>Array</td> </tr> <tr> <td></td> <td></td> <td>0 unsigned</td> <td>String</td> </tr> <tr> <td>vendor-id</td> <td>uint32</td> <td>202</td> <td>0 unsigned</td> <td>Number</td> </tr> <tr> <td>ietf-dots-telemetry:telemetry-setup</td> <td>container</td> <td>203</td> <td>5 map</td> <td>Object</td> </tr> <tr> <td>ietf-dots-telemetry:total-traffic</td> <td>list</td> <td>204</td> <td>4 array</td> <td>Array</td> </tr> <tr> <td>ietf-dots-telemetry:total-attack-traffic</td> <td>list</td> <td>205</td> <td>4 array</td> <td>Array</td> </tr> <tr> <td>ietf-dots-telemetry:total-attack-connection</td> <td>container</td> <td>206</td> <td>5 map</td> <td>Object</td> </tr> <tr> <td>ietf-dots-telemetry:attack-detail</td> <td>list</td> <td>207</td> <td>4 array</td> <td>Array</td> </tr> <tr> <td>ietf-dots-telemetry:telemetry</td> <td>container</td> <td>208</td> <td>5 map</td> <td>Object</td> </tr> <tr> <td>current-g</td> <td>yang:gauge64</td> <td>209</td> <td>0 unsigned</td> <td>String</td> </tr> <tr> <td>description-lang</td> <td>string</td> <td>210</td> <td>3 textstring | String | | lower-type | uint8 |32771 | 0 unsigned | Number | | upper-type | uint8 |32772 | 0 unsigned | Number | +----------------------+-------------+------+---------------+--------+ Table 3: YANG/JSON Mapping Parameters to CBOR ]]></artwork> </figure></t>string</td> <td>String</td> </tr> <tr> <td>lower-type</td> <td>uint8</td> <td>32771</td> <td>0 unsigned</td> <td>Number</td> </tr> <tr> <td>upper-type</td> <td>uint8</td> <td>32772</td> <td>0 unsigned</td> <td>Number</td> </tr> </tbody> </table> </section> <section anchor="IANA"title="IANA Considerations">numbered="true" toc="default"> <name>IANA Considerations</name> <section anchor="map"title="DOTSnumbered="true" toc="default"> <name>DOTS Signal Channel CBOR KeyValues">Values</name> <t>This specification registers theDOTS telemetry attributesfollowing comprehension-optional parameters in the IANA "DOTS Signal Channel CBOR Key Values" registry <xreftarget="Key-Map"></xref>.</t> <t>The DOTS telemetry attributes defined in this specification are comprehension-optional parameters.</t> <t><list style="symbols"> <t>Note to the IANA: CBOR keys are assigned from the "128-255" range. This specification meets the requirements listed in Section 3.1 <xref target="RFC9132"></xref> for assignments in the "128-255" range.</t> <t>Note to the RFC Editor: Please replace all occurrences of "TBA1-TBA84" with the assigned values.</t> </list><figure align="center"> <artwork><![CDATA[ +----------------------+-------+-------+------------+---------------+ | Parameter Name | CBOR | CBOR | Change | Specification | | | Key | Major | Controller | Document(s) | | | Value | Type | | | +======================+=======+=======+============+===============+ | tsid | TBA1 | 0 | IESG | [RFCXXXX] | | telemetry | TBA2 | 4 | IESG | [RFCXXXX] | | low-percentile | TBA3 | 6tag4 | IESG | [RFCXXXX] | | mid-percentile | TBA4 | 6tag4 | IESG | [RFCXXXX] | | high-percentile | TBA5 | 6tag4 | IESG | [RFCXXXX] | | unit-config | TBA6 | 4 | IESG | [RFCXXXX] | | unit | TBA7 | 0 | IESG | [RFCXXXX] | | unit-status | TBA8 | 7 | IESG | [RFCXXXX] | | total-pipe-capacity | TBA9 | 4 | IESG | [RFCXXXX] | | link-id | TBA10 | 3 | IESG | [RFCXXXX] | | pre-or-ongoing- | TBA11 | 4 | IESG | [RFCXXXX] | | mitigation | | | | | | total-traffic-normal | TBA12 | 4 | IESG | [RFCXXXX] | | low-percentile-g | TBA13 | 0 | IESG | [RFCXXXX] | | mid-percentile-g | TBA14 | 0 | IESG | [RFCXXXX] | | high-percentile-g | TBA15 | 0 | IESG | [RFCXXXX] | | peak-g | TBA16 | 0 | IESG | [RFCXXXX] | | total-attack-traffic | TBA17 | 4 | IESG | [RFCXXXX] | | total-traffic | TBA18 | 4 | IESG | [RFCXXXX] | | total-connection- | TBA19 | 4 | IESG | [RFCXXXX] | | capacity | | | | | | connection | TBA20 | 0 | IESG | [RFCXXXX] | | connection-client | TBA21 | 0 | IESG | [RFCXXXX] | | embryonic | TBA22 | 0 | IESG | [RFCXXXX] | | embryonic-client | TBA23 | 0 | IESG | [RFCXXXX] | | connection-ps | TBA24 | 0 | IESG | [RFCXXXX] | | connection-client-ps | TBA25 | 0 | IESG | [RFCXXXX] | | request-ps | TBA26 | 0 | IESG | [RFCXXXX] | | request-client-ps | TBA27 | 0 | IESG | [RFCXXXX] | | partial-request-max | TBA28 | 0 | IESG | [RFCXXXX] | | partial-request- | TBA29 | 0 | IESG | [RFCXXXX] | | client-max | | | | | | total-attack- | TBA30 | 5 | IESG | [RFCXXXX] | | connection | | | | | | connection-c | TBA31 | 5 | IESG | [RFCXXXX] | | embryonic-c | TBA32 | 5 | IESG | [RFCXXXX] | | connection-ps-c | TBA33 | 5 | IESG | [RFCXXXX] | | request-ps-c | TBA34 | 5 | IESG | [RFCXXXX] | | attack-detail | TBA35 | 4 | IESG | [RFCXXXX] | | id | TBA36 | 0 | IESG | [RFCXXXX] | | attack-id | TBA37 | 0 | IESG | [RFCXXXX] | | attack-description | TBA38 | 3 | IESG | [RFCXXXX] | | attack-severity | TBA39 | 0 | IESG | [RFCXXXX] | | start-time | TBA40 | 0 | IESG | [RFCXXXX] | | end-time | TBA41 | 0 | IESG | [RFCXXXX] | | source-count | TBA42 | 5 | IESG | [RFCXXXX] | | top-talker | TBA43 | 5 | IESG | [RFCXXXX] | | spoofed-status | TBA44 | 7 | IESG | [RFCXXXX] | | partial-request-c | TBA45 | 5 | IESG | [RFCXXXX] | | total-attack- | TBA46 | 4 | IESG | [RFCXXXX] | | connection-protocol | | | | | | baseline | TBA49 | 4 | IESG | [RFCXXXX] | | current-config | TBA50 | 5 | IESG | [RFCXXXX] | | max-config-value | TBA51 | 5 | IESG | [RFCXXXX] | | min-config-values | TBA52 | 5 | IESG | [RFCXXXX] | |supported-unit-classes| TBA53 | 5 | IESG | [RFCXXXX] | | server-originated- | TBA54 | 7 | IESG | [RFCXXXX] | | telemetry | | | | | | telemetry-notify- | TBA55 | 0 | IESG | [RFCXXXX] | | interval | | | | | | tmid | TBA56 | 0 | IESG | [RFCXXXX] | | measurement-interval | TBA57 | 0 | IESG | [RFCXXXX] | | measurement-sample | TBA58 | 0 | IESG | [RFCXXXX] | | talker | TBA59 | 4 | IESG | [RFCXXXX] | | source-prefix | TBA60 | 3 | IESG | [RFCXXXX] | | mid-list | TBA61 | 4 | IESG | [RFCXXXX] | | source-port-range | TBA62 | 4 | IESG | [RFCXXXX] | | source-icmp-type- | TBA63 | 4 | IESG | [RFCXXXX] | | range | | | | | | target | TBA64 | 5 | IESG | [RFCXXXX] | | capacity | TBA65 | 0 | IESG | [RFCXXXX] | | protocol | TBA66 | 0 | IESG | [RFCXXXX] | | total-traffic- | TBA67 | 4 | IESG | [RFCXXXX] | | normal-per-protocol | | | | | | total-traffic- | TBA68 | 4 | IESG | [RFCXXXX] | | normal-per-port | | | | | | total-connection- | TBA69 | 4 | IESG | [RFCXXXX] | | capacity-per-port | | | | | | total-traffic- | TBA70 | 4 | IESG | [RFCXXXX] | | protocol | | | | | | total-traffic-port | TBA71 | 4 | IESG | [RFCXXXX] | | total-attack- | TBA72 | 4 | IESG | [RFCXXXX] | | traffic-protocol | | | | | | total-attack- | TBA73 | 4 | IESG | [RFCXXXX] | | traffic-port | | | | | | total-attack- | TBA74 | 4 | IESG | [RFCXXXX] | | connection-port | | | | | | port | TBA75 | 0 | IESG | [RFCXXXX] | | supported-query-type | TBA76 | 4 | IESG | [RFCXXXX] | | vendor-id | TBA77 | 0 | IESG | [RFCXXXX] | | ietf-dots-telemetry: | TBA78 | 5 | IESG | [RFCXXXX] | | telemetry-setup | | | | | | ietf-dots-telemetry: | TBA79 | 4 | IESG | [RFCXXXX] | | total-traffic | | | | | | ietf-dots-telemetry: | TBA80 | 4 | IESG | [RFCXXXX] | | total-attack-traffic | | | | | | ietf-dots-telemetry: | TBA81 | 5 | IESG | [RFCXXXX] | | total-attack- | | | | | | connection | | | | | | ietf-dots-telemetry: | TBA82 | 4 | IESG | [RFCXXXX] | | attack-detail | | | | | | ietf-dots-telemetry: | TBA83 | 5 | IESG | [RFCXXXX] | | telemetry | | | | | | current-g | TBA84 | 0 | IESG | [RFCXXXX] | | description-lang | TBA85 | 3 | IESG | [RFCXXXX] | +----------------------+-------+-------+------------+---------------+ Table 4: Registeredtarget="Key-Map" format="default"/>.</t> <table anchor="tab-4"> <name>Registered DOTS Signal Channel CBOR KeyValues ]]></artwork> </figure></t>Values</name> <thead> <tr> <th>Parameter Name</th> <th>CBOR Key Value</th> <th>CBOR Major Type</th> <th>Change Controller</th> <th>Reference</th> </tr> </thead> <tbody> <tr> <td>tsid</td> <td>128</td> <td>0</td> <td>IESG</td> <td>RFC 9244</td> </tr> <tr> <td>telemetry</td> <td>129</td> <td>4</td> <td>IESG</td> <td>RFC 9244</td> </tr> <tr> <td>low-percentile</td> <td>130</td> <td>6tag4</td> <td>IESG</td> <td>RFC 9244</td> </tr> <tr> <td>mid-percentile</td> <td>131</td> <td>6tag4</td> <td>IESG</td> <td>RFC 9244</td> </tr> <tr> <td>high-percentile</td> <td>132</td> <td>6tag4</td> <td>IESG</td> <td>RFC 9244</td> </tr> <tr> <td>unit-config</td> <td>133</td> <td>4</td> <td>IESG</td> <td>RFC 9244</td> </tr> <tr> <td>unit</td> <td>134</td> <td>0</td> <td>IESG</td> <td>RFC 9244</td> </tr> <tr> <td>unit-status</td> <td>135</td> <td>7</td> <td>IESG</td> <td>RFC 9244</td> </tr> <tr> <td>total-pipe-capacity</td> <td>136</td> <td>4</td> <td>IESG</td> <td>RFC 9244</td> </tr> <tr> <td>link-id</td> <td>137</td> <td>3</td> <td>IESG</td> <td>RFC 9244</td> </tr> <tr> <td>pre-or-ongoing-mitigation</td> <td>138</td> <td>4</td> <td>IESG</td> <td>RFC 9244</td> </tr> <tr> <td>total-traffic-normal</td> <td>139</td> <td>4</td> <td>IESG</td> <td>RFC 9244</td> </tr> <tr> <td>low-percentile-g</td> <td>140</td> <td>0</td> <td>IESG</td> <td>RFC 9244</td> </tr> <tr> <td>mid-percentile-g</td> <td>141</td> <td>0</td> <td>IESG</td> <td>RFC 9244</td> </tr> <tr> <td>high-percentile-g</td> <td>142</td> <td>0</td> <td>IESG</td> <td>RFC 9244</td> </tr> <tr> <td>peak-g</td> <td>143</td> <td>0</td> <td>IESG</td> <td>RFC 9244</td> </tr> <tr> <td>total-attack-traffic</td> <td>144</td> <td>4</td> <td>IESG</td> <td>RFC 9244</td> </tr> <tr> <td>total-traffic</td> <td>145</td> <td>4</td> <td>IESG</td> <td>RFC 9244</td> </tr> <tr> <td>total-connection-capacity</td> <td>146</td> <td>4</td> <td>IESG</td> <td>RFC 9244</td> </tr> <tr> <td>connection</td> <td>147</td> <td>0</td> <td>IESG</td> <td>RFC 9244</td> </tr> <tr> <td>connection-client</td> <td>148</td> <td>0</td> <td>IESG</td> <td>RFC 9244</td> </tr> <tr> <td>embryonic</td> <td>149</td> <td>0</td> <td>IESG</td> <td>RFC 9244</td> </tr> <tr> <td>embryonic-client</td> <td>150</td> <td>0</td> <td>IESG</td> <td>RFC 9244</td> </tr> <tr> <td>connection-ps</td> <td>151</td> <td>0</td> <td>IESG</td> <td>RFC 9244</td> </tr> <tr> <td>connection-client-ps</td> <td>152</td> <td>0</td> <td>IESG</td> <td>RFC 9244</td> </tr> <tr> <td>request-ps</td> <td>153</td> <td>0</td> <td>IESG</td> <td>RFC 9244</td> </tr> <tr> <td>request-client-ps</td> <td>154</td> <td>0</td> <td>IESG</td> <td>RFC 9244</td> </tr> <tr> <td>partial-request-max</td> <td>155</td> <td>0</td> <td>IESG</td> <td>RFC 9244</td> </tr> <tr> <td>partial-request-client-max</td> <td>156</td> <td>0</td> <td>IESG</td> <td>RFC 9244</td> </tr> <tr> <td>total-attack-connection</td> <td>157</td> <td>5</td> <td>IESG</td> <td>RFC 9244</td> </tr> <tr> <td>connection-c</td> <td>158</td> <td>5</td> <td>IESG</td> <td>RFC 9244</td> </tr> <tr> <td>embryonic-c</td> <td>159</td> <td>5</td> <td>IESG</td> <td>RFC 9244</td> </tr> <tr> <td>connection-ps-c</td> <td>160</td> <td>5</td> <td>IESG</td> <td>RFC 9244</td> </tr> <tr> <td>request-ps-c</td> <td>161</td> <td>5</td> <td>IESG</td> <td>RFC 9244</td> </tr> <tr> <td>attack-detail</td> <td>162</td> <td>4</td> <td>IESG</td> <td>RFC 9244</td> </tr> <tr> <td>id</td> <td>163</td> <td>0</td> <td>IESG</td> <td>RFC 9244</td> </tr> <tr> <td>attack-id</td> <td>164</td> <td>0</td> <td>IESG</td> <td>RFC 9244</td> </tr> <tr> <td>attack-description</td> <td>165</td> <td>3</td> <td>IESG</td> <td>RFC 9244</td> </tr> <tr> <td>attack-severity</td> <td>166</td> <td>0</td> <td>IESG</td> <td>RFC 9244</td> </tr> <tr> <td>start-time</td> <td>167</td> <td>0</td> <td>IESG</td> <td>RFC 9244</td> </tr> <tr> <td>end-time</td> <td>168</td> <td>0</td> <td>IESG</td> <td>RFC 9244</td> </tr> <tr> <td>source-count</td> <td>169</td> <td>5</td> <td>IESG</td> <td>RFC 9244</td> </tr> <tr> <td>top-talker</td> <td>170</td> <td>5</td> <td>IESG</td> <td>RFC 9244</td> </tr> <tr> <td>spoofed-status</td> <td>171</td> <td>7</td> <td>IESG</td> <td>RFC 9244</td> </tr> <tr> <td>partial-request-c</td> <td>172</td> <td>5</td> <td>IESG</td> <td>RFC 9244</td> </tr> <tr> <td>total-attack-connection-protocol</td> <td>173</td> <td>4</td> <td>IESG</td> <td>RFC 9244</td> </tr> <tr> <td>baseline</td> <td>174</td> <td>4</td> <td>IESG</td> <td>RFC 9244</td> </tr> <tr> <td>current-config</td> <td>175</td> <td>5</td> <td>IESG</td> <td>RFC 9244</td> </tr> <tr> <td>max-config-values</td> <td>176</td> <td>5</td> <td>IESG</td> <td>RFC 9244</td> </tr> <tr> <td>min-config-values</td> <td>177</td> <td>5</td> <td>IESG</td> <td>RFC 9244</td> </tr> <tr> <td>supported-unit-classes</td> <td>178</td> <td>5</td> <td>IESG</td> <td>RFC 9244</td> </tr> <tr> <td>server-originated-telemetry</td> <td>179</td> <td>7</td> <td>IESG</td> <td>RFC 9244</td> </tr> <tr> <td>telemetry-notify-interval</td> <td>180</td> <td>0</td> <td>IESG</td> <td>RFC 9244</td> </tr> <tr> <td>tmid</td> <td>181</td> <td>0</td> <td>IESG</td> <td>RFC 9244</td> </tr> <tr> <td>measurement-interval</td> <td>182</td> <td>0</td> <td>IESG</td> <td>RFC 9244</td> </tr> <tr> <td>measurement-sample</td> <td>183</td> <td>0</td> <td>IESG</td> <td>RFC 9244</td> </tr> <tr> <td>talker</td> <td>184</td> <td>4</td> <td>IESG</td> <td>RFC 9244</td> </tr> <tr> <td>source-prefix</td> <td>185</td> <td>3</td> <td>IESG</td> <td>RFC 9244</td> </tr> <tr> <td>mid-list</td> <td>186</td> <td>4</td> <td>IESG</td> <td>RFC 9244</td> </tr> <tr> <td>source-port-range</td> <td>187</td> <td>4</td> <td>IESG</td> <td>RFC 9244</td> </tr> <tr> <td>source-icmp-type-range</td> <td>188</td> <td>4</td> <td>IESG</td> <td>RFC 9244</td> </tr> <tr> <td>target</td> <td>189</td> <td>5</td> <td>IESG</td> <td>RFC 9244</td> </tr> <tr> <td>capacity</td> <td>190</td> <td>0</td> <td>IESG</td> <td>RFC 9244</td> </tr> <tr> <td>protocol</td> <td>191</td> <td>0</td> <td>IESG</td> <td>RFC 9244</td> </tr> <tr> <td>total-traffic-normal-per-protocol</td> <td>192</td> <td>4</td> <td>IESG</td> <td>RFC 9244</td> </tr> <tr> <td>total-traffic-normal-per-port</td> <td>193</td> <td>4</td> <td>IESG</td> <td>RFC 9244</td> </tr> <tr> <td>total-connection-capacity-per-port</td> <td>194</td> <td>4</td> <td>IESG</td> <td>RFC 9244</td> </tr> <tr> <td>total-traffic-protocol</td> <td>195</td> <td>4</td> <td>IESG</td> <td>RFC 9244</td> </tr> <tr> <td>total-traffic-port</td> <td>196</td> <td>4</td> <td>IESG</td> <td>RFC 9244</td> </tr> <tr> <td>total-attack-traffic-protocol</td> <td>197</td> <td>4</td> <td>IESG</td> <td>RFC 9244</td> </tr> <tr> <td>total-attack-traffic-port</td> <td>198</td> <td>4</td> <td>IESG</td> <td>RFC 9244</td> </tr> <tr> <td>total-attack-connection-port</td> <td>199</td> <td>4</td> <td>IESG</td> <td>RFC 9244</td> </tr> <tr> <td>port</td> <td>200</td> <td>0</td> <td>IESG</td> <td>RFC 9244</td> </tr> <tr> <td>supported-query-type</td> <td>201</td> <td>4</td> <td>IESG</td> <td>RFC 9244</td> </tr> <tr> <td>vendor-id</td> <td>202</td> <td>0</td> <td>IESG</td> <td>RFC 9244</td> </tr> <tr> <td>ietf-dots-telemetry:telemetry-setup</td> <td>203</td> <td>5</td> <td>IESG</td> <td>RFC 9244</td> </tr> <tr> <td>ietf-dots-telemetry:total-traffic</td> <td>204</td> <td>4</td> <td>IESG</td> <td>RFC 9244</td> </tr> <tr> <td>ietf-dots-telemetry:total-attack-traffic</td> <td>205</td> <td>4</td> <td>IESG</td> <td>RFC 9244</td> </tr> <tr> <td>ietf-dots-telemetry:total-attack-connection</td> <td>206</td> <td>5</td> <td>IESG</td> <td>RFC 9244</td> </tr> <tr> <td>ietf-dots-telemetry:attack-detail</td> <td>207</td> <td>4</td> <td>IESG</td> <td>RFC 9244</td> </tr> <tr> <td>ietf-dots-telemetry:telemetry</td> <td>208</td> <td>5</td> <td>IESG</td> <td>RFC 9244</td> </tr> <tr> <td>current-g</td> <td>209</td> <td>0</td> <td>IESG</td> <td>RFC 9244</td> </tr> <tr> <td>description-lang</td> <td>210</td> <td>3</td> <td>IESG</td> <td>RFC 9244</td> </tr> </tbody> </table> </section> <sectiontitle="DOTSnumbered="true" toc="default"> <name>DOTS Signal Channel Conflict CauseCodes"> <t>This specification requestsCodes</name> <t>Per this document, IANAto assignhas assigned a new code from the "DOTS Signal Channel Conflict Cause Codes" registry <xreftarget="Cause"></xref>.</t> <t><figure> <artwork align="center"><![CDATA[+------+-------------------+------------------------+-------------+ | Code | Label | Description | Reference | +======+===================+========================+=============+ | TBA | overlapping-pipes | Overlapping pipe scope | [RFCXXXX] | +------+-------------------+------------------------+-------------+ Table 5: Registeredtarget="Cause" format="default"/>.</t> <table anchor="tab-5"> <name>Registered DOTS Signal Channel Conflict CauseCode ]]></artwork> </figure><list style="symbols"> <t>Note to the RFC Editor: Please replace all occurrences of "TBA" with the assigned value.</t> </list></t>Code</name> <thead> <tr> <th>Code</th> <th>Label</th> <th>Description</th> <th>Reference</th> </tr> </thead> <tbody> <tr> <td>5</td> <td>overlapping-pipes</td> <td>Overlapping pipe scope</td> <td>RFC 9244</td> </tr> </tbody> </table> </section> <section anchor="yang"title="DOTS Signalnumbered="true" toc="default"> <name>DOTS Telemetry URIs and YANGModule"> <t>This document requestsModule Registrations</name> <t>Per this document, IANAto registerhas registered the following URIs in the "ns" subregistry within the "IETF XML Registry" <xreftarget="RFC3688"></xref>: <figure> <artwork><![CDATA[ URI: urn:ietf:params:xml:ns:yang:ietf-dots-telemetry Registrant Contact: The IESG. XML: N/A;target="RFC3688" format="default"/>: </t> <dl newline="false" spacing="compact"> <dt>URI:</dt><dd>urn:ietf:params:xml:ns:yang:ietf-dots-telemetry</dd> <dt>Registrant Contact:</dt><dd>The IESG.</dd> <dt>XML:</dt><dd>N/A; the requested URI is an XMLnamespace. URI: urn:ietf:params:xml:ns:yang:ietf-dots-mapping Registrant Contact: The IESG. XML: N/A;namespace.</dd> </dl> <dl newline="false" spacing="compact"> <dt>URI:</dt><dd>urn:ietf:params:xml:ns:yang:ietf-dots-mapping</dd> <dt>Registrant Contact:</dt><dd>The IESG.</dd> <dt>XML:</dt><dd>N/A; the requested URI is an XMLnamespace.]]></artwork> </figure>This document requestsnamespace.</dd> </dl> <t>Per this document, IANAto registerhas registered the following YANG modules in the "YANG Module Names" subregistry <xreftarget="RFC6020"></xref>target="RFC6020" format="default"/> within the "YANG Parameters"registry.<figure> <artwork><![CDATA[ name: ietf-dots-telemetry namespace: urn:ietf:params:xml:ns:yang:ietf-dots-telemetry maintained by IANA: N prefix: dots-telemetry reference: RFC XXXX name: ietf-dots-mapping namespace: urn:ietf:params:xml:ns:yang:ietf-dots-mapping maintained by IANA: N prefix: dots-mapping reference: RFC XXXX ]]></artwork> </figure></t>registry.</t> <dl newline="false" spacing="compact"> <dt>Name:</dt><dd>ietf-dots-telemetry</dd> <dt>Namespace:</dt><dd>urn:ietf:params:xml:ns:yang:ietf-dots-telemetry</dd> <dt>Maintained by IANA:</dt><dd>N</dd> <dt>Prefix:</dt><dd>dots-telemetry</dd> <dt>Reference:</dt><dd>RFC 9244</dd> </dl> <dl newline="false" spacing="compact"> <dt>Name:</dt><dd>ietf-dots-mapping</dd> <dt>Namespace:</dt><dd>urn:ietf:params:xml:ns:yang:ietf-dots-mapping</dd> <dt>Maintained by IANA:</dt><dd>N</dd> <dt>Prefix:</dt><dd>dots-mapping</dd> <dt>Reference:</dt><dd>RFC 9244</dd> </dl> </section> </section> <section anchor="security"title="Security Considerations"> <t></t>numbered="true" toc="default"> <name>Security Considerations</name> <sectionanchor="sec1" title="DOTSanchor="sec-cons-1" numbered="true" toc="default"> <name>DOTS Signal ChannelTelemetry">Telemetry</name> <t>The security considerations for the DOTS signal channel protocol are discussed inSection 11 of<xreftarget="RFC9132"></xref>.target="RFC9132" sectionFormat="of" section="11"/>. The following discusses the security considerations that are specific to the DOTS signal channel extension defined in this document.</t> <t>The DOTS telemetry information includes DOTS client network topology, DOTS client domain pipe capacity, normal traffic baseline andconnections'connection capacity, and threat and mitigation information. Such information is sensitive; itMUST<bcp14>MUST</bcp14> be protected at rest by the DOTS server domain to prevent data leakage. Note that sharing this sensitive data with a trusted DOTS server does not introduce any new significant considerations otherthatthan the need for the aforementioned protection. Such a DOTS server is already trusted to have access to that kind of information by being in the position to observe and mitigate attacks.</t> <t>DOTS clients are typically considered to be trusted devices by the DOTS client domain. DOTS clients may be co-located on network security services (e.g., firewall devices), and a compromised security service potentially can do a lot more damage to the network than just the DOTS client component. This assumption differs from theoften heldoften-held viewthat devices are untrusted, often(often referred to as the "zero-trustmodel".model") that devices are untrusted. A compromised DOTS client can send fake DOTS telemetry data to a DOTS server to mislead the DOTS server. This attack can be prevented by monitoring and auditing DOTS clients to detect misbehavior and to deter misuse, and by only authorizing the DOTS client to convey DOTS telemetry information for specific target resources (e.g., an application server is authorized to exchange DOTS telemetry for its IP addresses but a DDoS mitigator can exchange DOTS telemetry for any target resource in the network). As a reminder, this is a variation of dealing with compromised DOTS clients as discussed inSection 11 of<xreftarget="RFC9132"></xref>.</t>target="RFC9132" sectionFormat="of" section="11"/>.</t> <t>DOTS servers must be capable of defending themselves against DoS attacks from compromised DOTS clients. The following non-comprehensive list of mitigation techniques can be used by a DOTS server to handle misbehaving DOTS clients:</t><t><list style="symbols"> <t>The<ul spacing="normal"> <li>The probing rate (defined inSection 4.5 of<xreftarget="RFC9132"></xref>)target="RFC9132" sectionFormat="of" section="4.5"/>) can be used to limit the average data rate to the DOTSserver.</t> <t>Rate-limitingserver.</li> <li>Rate-limiting DOTS telemetry, includingthosepackets with new 'tmid'values,values from the same DOTSclientclient, defends against DoS attacks that would result in varying the 'tmid' to exhaust DOTS server resources. Likewise, the DOTS server can enforce a quota andtime-limittime limit on the number of active pre-or-ongoing-mitigation telemetry data items (identified by 'tmid') from the DOTSclient.</t> </list></t>client.</li> </ul> <t>Note also that the telemetry notification interval may be used to rate-limit the pre-or-ongoing-mitigation telemetry notifications received by a DOTS client domain.</t> </section> <sectiontitle="Vendoranchor="sec-cons-2" numbered="true" toc="default"> <name>Vendor AttackMapping">Mapping</name> <t>The security considerations for the DOTS data channel protocol are discussed inSection 10 of<xreftarget="RFC8783"></xref>.target="RFC8783" sectionFormat="of" section="10"/>. The following discusses the security considerations that are specific to the DOTS data channel extension defined in this document.</t> <t>All data nodes defined in the YANG module specified in <xreftarget="data"></xref> whichtarget="data" format="default"/> that can be created, modified, and deleted (i.e., config true, which is the default) are considered sensitive. Write operations to these data nodes without proper protection can have a negative effect on network operations. Appropriate security measures are recommended to prevent illegitimate users from invoking DOTS data channel primitives as discussed in <xreftarget="RFC8783"></xref>.target="RFC8783" format="default"/>. Nevertheless, an attacker who can access a DOTS client is technically capable of undertaking various attacks, such as:<list style="symbols"> <t>Communicating</t> <ul spacing="normal"> <li>Communicating invalid attack mapping details to the server ('/data-channel:dots-data/data-channel:dots-client/dots-telemetry:vendor-mapping'), which will mislead the server when correlating attackdetails.</t> </list></t>details.</li> </ul> <t>Some of the readable data nodes in the YANG module specified in <xreftarget="data"></xref>target="data" format="default"/> may be considered sensitive. It is thus important to control read access to these data nodes. These are the data nodes and theirsensitivity:<list style="symbols"> <t>'/data-channel:dots-data/data-channel:dots-client/dots-telemetry:vendor-mapping'sensitivity:</t> <ul spacing="normal"> <li>'/data-channel:dots-data/data-channel:dots-client/dots-telemetry:vendor-mapping' can be misused to infer the DDoS protection technology deployed in a DOTS clientdomain.</t> <t>'/data-channel:dots-data/dots-telemetry:vendor-mapping'domain.</li> <li>'/data-channel:dots-data/dots-telemetry:vendor-mapping' can be used by a compromised DOTS client to leak the attack detection capabilities of the DOTS server. This is a variation of the compromised DOTS client attacks discussed in <xreftarget="sec1"></xref>.</t> </list></t> <t></t>target="sec-cons-1" format="default"/>.</li> </ul> </section> </section><section anchor="contr" title="Contributors"> <t>The following individuals have contributed to this document:<list style="symbols"> <t>Li Su, CMCC, Email: suli@chinamobile.com</t> <t>Pan Wei, Huawei, Email: william.panwei@huawei.com</t> </list></t> </section></middle> <back> <displayreference target="I-D.ietf-dots-multihoming" to="DOTS-Multihoming"/> <displayreference target="I-D.ietf-dots-robust-blocks" to="DOTS-Robust-Blocks"/> <references> <name>References</name> <references> <name>Normative References</name> <xi:include href="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.2119.xml"/> <xi:include href="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.7950.xml"/> <xi:include href="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.3688.xml"/> <xi:include href="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.8174.xml"/> <xi:include href="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.7641.xml"/> <xi:include href="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.6991.xml"/> <xi:include href="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.8949.xml"/> <xi:include href="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.7959.xml"/> <xi:include href="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.8783.xml"/> <xi:include href="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.8345.xml"/> <xi:include href="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.7970.xml"/> <xi:include href="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.8040.xml"/> <xi:include href="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.7252.xml"/> <xi:include href="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.6020.xml"/> <xi:include href="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.9132.xml"/> <xi:include href="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.8791.xml"/> <xi:include href="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.5646.xml"/> <reference anchor="Private-Enterprise-Numbers" target="https://www.iana.org/assignments/enterprise-numbers/"> <front> <title>Private Enterprise Numbers</title> <author> <organization>IANA</organization> </author> </front> </reference> </references> <references> <name>Informative References</name> <xi:include href="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.9133.xml"/> <xi:include href="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.4732.xml"/> <xi:include href="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.8811.xml"/> <xi:include href="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.2330.xml"/> <xi:include href="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.8525.xml"/> <xi:include href="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.8903.xml"/> <!-- draft-doron-dots-telemetry ("long way"; error in author name) (Expired) --> <reference anchor="DOTS-Telemetry-Specs"> <front> <title>Distributed Denial-of-Service Open Threat Signaling (DOTS) Telemetry Specifications</title> <author initials="E." surname="Doron" fullname="Ehud Doron"> </author> <author initials="T." surname="Reddy" fullname="Tirumaleswar Reddy"> </author> <author initials="F." surname="Andreasen" fullname="Flemming Andreasen"> </author> <author initials="L." surname="Xia" fullname="Liang Xia"> </author> <author initials="K." surname="Nishizuka" fullname="Kaname Nishizuka"> </author> <date month="October" day="30" year="2016" /> </front> <seriesInfo name="Internet-Draft" value="draft-doron-dots-telemetry-00" /> </reference> <!-- draft-ietf-dots-multihoming (IESG Eval / AD Followup) --> <xi:include href="https://datatracker.ietf.org/doc/bibxml3/draft-ietf-dots-multihoming.xml"/> <xi:include href="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.8612.xml"/> <xi:include href="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.8340.xml"/> <xi:include href="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.9260.xml"/> <!-- draft-ietf-core-new-block (RFC 9177; published March 2022) --> <xi:include href="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.9177.xml"/> <xi:include href="https://datatracker.ietf.org/doc/bibxml3/draft-ietf-dots-robust-blocks.xml"/> <xi:include href="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.5612.xml"/> <reference anchor="Key-Map" target="https://www.iana.org/assignments/dots/"> <front> <title>DOTS Signal Channel CBOR Key Values</title> <author> <organization>IANA</organization> </author> <date/> </front> </reference> <reference anchor="Cause" target="https://www.iana.org/assignments/dots/"> <front> <title>DOTS Signal Channel Conflict Cause Codes</title> <author> <organization>IANA</organization> </author> <date/> </front> </reference> <reference anchor="PYANG" target="https://github.com/mbj4668/pyang"> <front> <title>pyang</title> <author> <organization/> </author> <date month="April" year="2022"/> </front> <refcontent>commit dad5c68</refcontent> </reference> </references> </references> <section anchor="ack"title="Acknowledgements">numbered="false" toc="default"> <name>Acknowledgments</name> <t>The authors would like to thankFlemming Andreasen, Liang Xia, and Kaname Nishizuka, co-authors<contact fullname="Flemming Andreasen"/>, <contact fullname="Liang Xia"/>, and <contact fullname="Kaname Nishizuka"/>, coauthors of <xreftarget="I-D.doron-dots-telemetry"></xref>,target="DOTS-Telemetry-Specs" format="default"/>, and everyone who had contributed to that document.</t> <t>Thanks toKaname Nishizuka, Wei Pan, Yuuhei Hayashi, and Tom Petch<contact fullname="Kaname Nishizuka"/>, <contact fullname="Yuhei Hayashi"/>, and <contact fullname="Tom Petch"/> for comments and review.</t> <t>Special thanks toJon Shallow<contact fullname="Jon Shallow"/> andKaname Nishizuka<contact fullname="Kaname Nishizuka"/> for their implementation and interoperability work.</t> <t>Many thanks toJan Lindblad<contact fullname="Jan Lindblad"/> for the yangdoctors review,Nagendra Nainar<contact fullname="Nagendra Nainar"/> for the opsdir review,James Gruessing<contact fullname="James Gruessing"/> for the artart review,Michael Scharf<contact fullname="Michael Scharf"/> for the tsv-art review,Ted Lemon<contact fullname="Ted Lemon"/> for the int-dir review, andRobert Sparks<contact fullname="Robert Sparks"/> for the gen-art review.</t> <t>Thanks toBenjamin Kaduk<contact fullname="Benjamin Kaduk"/> for the detailed AD review.</t> <t>Thanks toRoman Danyliw, Éric Vyncke, Francesca Palombini, Warren Kumari, Erik Kline, Lars Eggert, and Robert Wilton<contact fullname="Roman Danyliw"/>, <contact fullname="Éric Vyncke"/>, <contact fullname="Francesca Palombini"/>, <contact fullname="Warren Kumari"/>, <contact fullname="Erik Kline"/>, <contact fullname="Lars Eggert"/>, and <contact fullname="Robert Wilton"/> for the IESG review.</t> </section></middle> <back> <references title="Normative References"> <?rfc include="reference.RFC.2119"?> <?rfc include="reference.RFC.7950"?> <?rfc include="reference.RFC.3688"?> <?rfc include='reference.RFC.8174'?> <?rfc include='reference.RFC.7641'?> <?rfc include='reference.RFC.6991'?> <?rfc include='reference.RFC.8949'?> <?rfc include='reference.RFC.7959'?> <?rfc include="reference.RFC.8783" ?> <?rfc include='reference.RFC.8345'?> <?rfc include='reference.RFC.7970'?> <?rfc include='reference.RFC.8040'?> <?rfc include='reference.RFC.7252'?> <?rfc ?> <?rfc include='reference.RFC.6020'?> <?rfc include='reference.RFC.9132'?> <?rfc include='reference.RFC.8791'?> <?rfc include='reference.RFC.5646'?> <reference anchor="Private-Enterprise-Numbers" target="https://www.iana.org/assignments/enterprise-numbers"> <front> <title>Private Enterprise Numbers</title> <author> <organization></organization> </author> <date day="04" month="May" year="2020" /> </front> </reference> </references> <references title="Informative References"> <?rfc include='reference.RFC.9133'?> <?rfc include='reference.RFC.4732'?> <?rfc include='reference.RFC.8811'?> <?rfc include='reference.RFC.2330'?> <?rfc include='reference.RFC.8525'?> <?rfc include='reference.RFC.8903'?> <?rfc include='reference.I-D.doron-dots-telemetry'?> <?rfc include='reference.I-D.ietf-dots-multihoming'?> <?rfc include="reference.RFC.8612"?> <?rfc include='reference.RFC.8340'?> <?rfc include='reference.RFC.4960'?> <?rfc include='reference.I-D.ietf-core-new-block'?> <?rfc include='reference.I-D.ietf-dots-robust-blocks'?> <?rfc include='reference.RFC.5612'?> <reference anchor="Key-Map" target="https://www.iana.org/assignments/dots/dots.xhtml#dots-signal-channel-cbor-key-values"> <front> <title>DOTS Signal Channel CBOR Key Values</title> <author fullname="IANA"> <organization></organization> </author> <date /> </front> </reference> <reference anchor="Cause" target="https://www.iana.org/assignments/dots/dots.xhtml#dots-signal-channel-conflict-cause-codes"> <front> <title>DOTS Signal Channel Conflict Cause Codes</title> <author fullname="IANA"> <organization></organization> </author> <date /> </front> </reference> <reference anchor="PYANG" target="https://github.com/mbj4668/pyang"> <front> <title>pyang</title> <author> <organization></organization> </author> <date month="November" year="2020" /> </front> </reference> </references><section anchor="contr" numbered="false" toc="default"> <name>Contributors</name> <t>The following individuals have contributed to this document:</t> <contact fullname="Li Su"> <organization>CMCC</organization> <address> <email>suli@chinamobile.com</email> </address> </contact> <contact fullname="Pan Wei"> <organization>Huawei</organization> <address> <email>william.panwei@huawei.com</email> </address> </contact> </section> </back> </rfc>