Ecosyste.ms: Repos

An open API service providing repository metadata for many open source software ecosystems.

GitHub / chrislockard21 / P2PTask2

JSON API: https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/chrislockard21%2FP2PTask2

Stars: 0
Forks: 0
Open Issues: 0

License: None
Language: Python
Repo Size: 930 KB
Dependencies: 2,649

Created: almost 5 years ago
Updated: 2 months ago
Last pushed: almost 5 years ago
Last synced: 2 months ago

Files

Loading...

Readme

Loading...

Dependencies

docker-compose.yml docker

python latest

RFCsMaster/8585requirements_for_ipv6_customer_edge_routers.txt pypi

1.1.RequirementsLanguage *
1.1.RequirementsLanguage..................4 *
1.Introduction *
1.Introduction........................3 *
10-12KBsbecausemostofthecodebaseissharedamongseveral *
10.1.NormativeReferences *
10.1.NormativeReferences..................13 *
10.2.InformativeReferences *
10.2.InformativeReferences.................16 *
10.References *
10.References.........................13 *
17595MountHerrmannSt. *
2-3 ,Kanda
2.Terminology *
2.Terminology.........................5 *
2119KeyWords *
3.1.LAN-SideConfiguration *
3.1.LAN-SideConfiguration.................5 *
3.2.1.464XLAT *
3.2.1.464XLAT.......................7 *
3.2.2.Dual-StackLite *
3.2.3.Lightweight4over6 *
3.2.4.MAP-E *
3.2.4.MAP-E........................10 *
3.2.5.MAP-T *
3.2.5.MAP-T........................10 *
3.2.TransitionTechnologiesSupportforIPv4Service *
3.2.TransitionTechnologiesSupportforIPv4ServiceContinuity *
3.Requirements *
3.Requirements........................5 *
4.IPv4MulticastSupport *
4.IPv4MulticastSupport...................11 *
464XLAT isatechniquetoprovideIPv4serviceoveran
464XLAT-1 *
464XLAT-2 *
464XLAT-3 *
464XLAT-4 *
464XLAT-5 *
464XLAT-6 *
464XLATissupported ,itMUSTbeimplementedaccordingto
464XLATrequirements *
5.UPnPSupport *
5.UPnPSupport........................11 *
6.ComparisontoRFC7084 *
6.ComparisontoRFC7084...................12 *
7.CodeConsiderations *
7.CodeConsiderations.....................12 *
8.SecurityConsiderations *
8.SecurityConsiderations...................13 *
9.IANAConsiderations *
9.IANAConsiderations.....................13 *
Abstract *
AccessnetworkarchitectureforsecuringDHCPwithintheaccess *
Acknowledgements *
Acknowledgements........................21 *
AddressFamilyTransitionRouter *
AddressTranslation *
AllocationofSharedIPv4Addressesasdescribedin *
AnAddAnyPortMapping *
AnAddPortMapping *
Anend-usernetworkwilllikelysupportbothIPv4andIPv6 *
AnewLANrequirementisadded ,whichis,infact,commoninregular
AnotherconsequenceofusingIPv4privateaddressspaceintheend- *
AppendicesAandBcontainacompletedescriptionoftheusage *
AppendixA.UsageScenarios *
AppendixA.UsageScenarios..................17 *
AppendixB.End-UserNetworkArchitecture *
AppendixB.End-UserNetworkArchitecture...........18 *
AsdescribedintheSecurityConsiderationsof and
Atthetimeofthiswriting ,oneoftheapparentmainissuesfor
AtypicalIPv4end-usernetworkconsistsofa *
Authors *
Automaticprovisioningandconfigurationaredescribedforasingle *
Automaticprovisioningofmorecomplextopologythanasinglerouter *
BCP14 when,andonlywhen,theyappearinall
BCP152 ,RFC5625,DOI10.17487
Basedonthesepremises ,thisdocumentensuresthattheIPv6
Because464XLAThasnoDHCPv6configurationoptions ,itcan
Beijnum ,
Boucadair ,
CERouterMUSTfollowthefollowingconfigurationsteps *
CEisusedatdifferenttimesindifferentscenariosorevenwith *
CEroutersasdescribedinRFC7084toallowtheprovisioningofIPv6 *
CLIorAPI *
CONFIG-1 *
CONFIG-2 *
CONFIG-3 *
CPUs ,ifcomparedtothecostofNAT44code.Thus,existinghardware
Campbell ,SpencerDawkins,MirjaKuhlewind,andAdamRoach
Carpenter ,LorenzoColitti,AlejandroD
Category *
Ceccarelli *
Chiyoda-ku ,Tokyo101
Clients *
ClientstoIPv4Servers *
CombinationofStatefulandStatelessTranslation *
ConfigurationofSoftwireAddressandPort-Mapped *
Considerationsin aswellasthoseforeachtransition
Consideringthatsituationanddifferentpossibleusagecases ,the
Continuity *
ControlProtocol *
Copyright *
CopyrightNotice *
CustomerEdgeRouterthatprovidesfeaturesforthedeliveryofIPv4 *
D-LinkSystems ,Inc.
DHCPv6 *
DHCPv6-BasedPrioritizationMechanism *
DOI10.17487 *
DS-Lite enablescontinuedsupportforIPv4services.
DS-LiteenablesabroadbandserviceprovidertoshareIPv4addresses *
DS-Literequirements *
DSLITE-1 *
DSLITE-2 *
DSLITE-3 *
DSLITE-4 *
DanRomascanu *
Differentstudies *
Email *
Exhaustion *
ExistingIPv4deploymentssupportIPv4multicastforservicessuchas *
Farrer ,
Figure1 *
Figure2 *
Finally ,insomecases,operatorssupportingseveraltransition
FountainValley ,California92708
FromtheperspectiveofanIPv4userbehindanIPv6TransitionCE *
Function *
GatewayDevice-PortControlProtocolInterworking *
Generaltransitionrequirements *
HansM.-H.Liu *
Howard ,RichardPatterson,BarbaraStark,OleTroan,andJames
However ,whileatypicalIPv4NATdeployment,bydefault,blocksall
However ,inthecaseofIPv4aaS,becauseoftheusageofprivateIPv4
IESG *
IGD-PCPIWF ,andtheprioritizationofthetransition
IPTV.Inthetransitionphase ,itisexpectedthatmulticast
IPencapsulation.MAP-Eincludesanalgorithmicmechanismfor *
IPv4-in-IPv6encapsulation *
IPv4-onlyandIPv6-onlyapplicationsanddevices ,locatedintheLAN
IPv4-onlydevicesandapplicationsontheInternet. *
IPv4-onlyforanundeterminedperiodoftime ,IPv4servicecontinuity
IPv4aaS ,i.e.,transitiontechnologiesfordeliveringIPv4in
IPv4aaS. *
IPv4aaSmechanismlimitstheavailableports *
IPv4aaStransitionmechanismkeepsrunningtheNATinterfacetowards *
IPv4architecture. *
IPv6-onlyaccessnetworks.IPv4aaSisnecessarybecausetherearen *
IPv6-onlyaccessnetworkwithoutencapsulation.Thisarchitecture *
IPv6-onlynetworkforresidentialorsmallofficerouters *
IPv6CustomerEdge *
IPv6Prefixes *
IPv6SoftwireCustomerPremisesEquipment *
IPv6TransitionCERouterMUSTperformIPv4Network *
IPv6TransitionCERouterareabletoreachtheIPv4-onlyservices. *
IPv6TransitionCERouterattachmenttoanIPv6-onlylinkusedto *
IPv6TransitionCERouterdescribedinthisdocumentisexpectedto *
IPv6TransitionCERouteronly. *
IPv6TransitionCERouters ,andisrequiredbymostofthetransition
ISPs.Therefore ,thedevelopmentcostisnegligible,andonly
ISPshave ,orwanttohave,anIPv6
ISPthatprovidesIPv4-onlyoranISPthatprovidesIPv6with *
ISSN *
IftheIPv6TransitionCERoutersupportsdeliveryofIPv4multicast *
IftheUPnPWANIPConnection *
Informationaboutthecurrentstatusofthisdocument ,anyerrata,
Infrastructures *
Ingeneral ,theend
Ingeneral ,thenewrequirementsdon
Inordertoallowtheserviceprovidertodisableallthetransition *
InordertoseamlesslyprovideIPv4servicecontinuityinthe *
Internet-layer *
InternetEngineeringSteeringGroup *
InternetEngineeringTaskForce *
Internetaccess *
January2018 ,
Japan *
JordiPaletMartinez *
L-1 *
LANA *
LW4O6-1 *
LW4O6-2 *
LW4O6-3 *
LaNavata-Galapagar ,Madrid28420
M.Kawashima *
MAP-Eparameters.Suchmechanismsareoutsidethescopeof *
MAP-Erequirements *
MAP-EviatheMAP-EDHCPv6options .TheIPv6
MAP-T isamechanismsimilartoMAP
MAP-Tparameters.Suchmechanismsareoutsidethescopeof *
MAP-Trequirements *
MAP-TviatheMAP-TDHCPv6options .TheIPv6
MAPE-1 *
MAPE-2 *
MAPT-1 *
MAPT-2 *
MappedClients *
MappingofAddressandPortwithEncapsulation *
MasanobuKawashima *
May2019 *
MolinodelaNavata ,75
Moreadvancedrouterssupportdynamicrouting *
Moreover ,becausesomeservicesandserviceproviderswillremain
Murakami ,T.,andT.Taylor,Ed.,
NAT64 *
NECPlatforms ,Ltd.
NetworkA *
NetworkAddressTranslation *
NetworkC *
NetworkingControlProtocol *
Networks *
NotethatIGD *
NotethatthisdocumentonlyconfiguresIPv4aaSintheIPv6 *
OptionforDual-StackLite *
OptionforIPv4-EmbeddedMulticastandUnicastIPv6 *
OptionsforConfigurationofSoftwireAddressandPort- *
P.Selkirk ,
PLAT-sidetranslationIPv4andIPv6prefix *
PaletMartinez ,etal.Informational
PaletMartinez ,J.,
Play *
PlugandPlayInternetGatewayDevice *
PortControlProtocol *
PortwithEncapsulation *
Prefixes *
PrioritizationMechanism *
Protocol *
ProtocolInterworkingFunction *
ProtocolforIPv6 *
ProvisionsRelatingtoIETFDocuments *
RAMmemory ,norotherhardwarerequirementssuchasmorepowerful
RFC5969 ,DOI10.17487
RFC6334 ,DOI10.17487
RFC6877 ,DOI10.17487
RFC7050 ,DOI10.17487
RFC7341 ,DOI10.17487
RFC7618 ,DOI10.17487
RFC8415 ,DOI10.17487
RFC8585RequirementsforIPv6CEtoSupportIPv4aaSMay2019 *
RegardingDS-LITE ,thisdocumentincludesslightly
RequestforComments *
RequirementLevels *
RequirementsforIPv6CustomerEdgeRouters *
Richardson ,M.,Jiang,S.,Lemon,T.,andT.Winters,
Router ,thisdoesn
Router *
RouterMAYuseothermechanismstoconfigureDS-Lite *
RouterSHOULDimplement .IfPCP
RouterintendedfortheretailmarketMUSTsupportalltheIPv4aaS *
Routerisrequired ,atleastfromtheperspectiveoftransition
RoutersalreadyprovideaGUI ,CLI,orAPItomanuallyconfigure
SHOULDresultinasuccessfulmappingwithanalternative *
Section1andAppendixA *
ServicestoIPv4ClientsoveranIPv6MulticastNetwork *
Sinceitisimpossibletoknowpriortosalewhichtransition *
So ,tocoverallthoseevolvingsituations,anIPv6TransitionCE
SoftwireCustomerPremisesEquipment *
Spain *
Specifically ,thisdocumentextendsthebasicrequirementsforIPv6
StackLiteArchitecture *
StackLiteBroadbandDeploymentsFollowingIPv4 *
Standard *
StatusofThisMemo *
Synthesis *
TRANS-1 *
TRANS-2 *
TRANS-3 *
TableofContents *
ThankstoMikaelAbrahamsson ,FredBaker,MohamedBoucadair,Brian
TheIPv6Company *
TheIPv6TransitionCERouterMUSTcomplywith *
TheIPv6TransitionCERouterMUSTimplementDS-LiteB4functionality *
TheIPv6TransitionCERouterMUSTimplementlwB4functionality *
TheIPv6TransitionCERouterMUSTsupportMAP-ECEfunctionality *
TheIPv6TransitionCERouterMUSTsupportMAP-TCEfunctionality *
TheIPv6TransitionCERouterMUSTsupportcustomer-sidetranslator *
TheIPv6TransitionCERouterMUSTuseplainIPv6mode *
TheIPv6TransitionCERouterdescribedinthisdocumentisnot *
TheIPv6TransitionCERoutermaybemanuallyconfiguredinan *
TheIPv6TransitionCERoutermustcomplywiththeSecurity *
TheNAT64prefixcouldbediscoveredbymeansofthemethoddefined *
Theaboveisnotintendedtobeacomprehensivelistofallthe *
Theend-usernetworkisastubnetworkinthesensethatisnot *
ThefollowingIPv6TransitionCERouterrequirementsalsoapply. *
Thefollowingsubsectionsdescribetherequirementsforsupporting *
Thekeywords *
ThemaintargetofthisdocumentisthesupportofIPv6-onlyWAN *
Themechanismsforallowinginboundconnectionsarenaturally *
Theotherissueseemstobethecostofdevelopingthecodeforthose *
TherearesomedifferencesinhowIPv6worksandisprovisioned *
TheseroutersrelyuponrequirementsforIPv6CEroutersdefinedin *
ThesituationofongoingIPv6deploymentandalackofIPv4addresses *
Theterm *
Thisarchitecturedescribesthe *
ThisdocumentcoversasetofIPtransitiontechniquesrequiredwhen *
ThisdocumentdefinesIPv4servicecontinuityfeaturesoveran *
Thisdocumentdoesn *
ThisdocumenthasnoIANAactions. *
ThisdocumentisaproductoftheInternetEngineeringTaskForce *
ThisdocumentisnotanInternetStandardsTrackspecification *
Thisdocumentisnotarecommendationforserviceproviderstouse *
ThisdocumentissubjecttoBCP78andtheIETFTrust *
ThisdocumentspecifiestheIPv4servicecontinuitymechanismstobe *
ThisdocumentspecifiestheIPv4servicecontinuityrequirementsfor *
Thisdocumenttakesnopositiononsimultaneousoperationofoneor *
Thisdocumentusesthesametermsasin ,withminor
TransitionCERouter.ThisunderscorestheimportanceoftheIPv6 *
TransitionCERouterMAYuseothermechanismstoconfigure *
TransitionCERouterMUSTassume ,bydefault,thatthe
TransitionCERouterMUSTuseplainIPv6mode *
TransitionCERouterallowsthecontinuedtransitionfromnetworks *
TransitionCERouteritself *
TransitionCERouterrequirementsalsoapply. *
TransitionCERoutersfulfillingtherequirementsdefinedinthis *
Translation *
TranslationfromIPv6ClientstoIPv4Servers *
UPnP-gw-InternetGatewayDevice-v2-Device.pdf >.
UPnP-gw-WANIPConnection-v2-Service.pdf >.
UPnPForum ,
UnitedStatesofAmerica *
W. ,Bao,C.,Yeh,L.,andX.Deng,
Wang ,
WhoprovidestheIPv6TransitionCERouterisnotrelevant.Inmost *
Woodyattfortheirreviewandcommentsinthisand *
aboveusagesarealsopossible ,alongwithsituationswherethesame
access.ToenablelegacyIPv4functionality ,thisdocumentalso
accessandIPv4aaS ,thatmaynotbefeasibledependingonspecific
accessnetwork.TheseISPaccessnetworksaretypicallyreferredto *
actionMUSTberejectedwitherrorcode729 *
activation. *
addingthesupportforthenewtransitionmechanismsrequiresaround *
addressesandNATanddependingonthespecifictransitionmechanism ,
addressesarealwaysusableevenwhentheWANinterfaceisdownor *
addressestobecomeprohibitivelyexpensive.This ,inturn,may
allowsenabling *
amongcustomersbycombiningtwowell-knowntechnologies *
anIPv6-in-IPv4tunneling. *
and2 *
andT.Murakami ,
andWANinterfacesofanIPv6TransitionCERouter. *
andhowtoprovidefeedbackonitmaybeobtainedat *
andseveralvendorsalreadyhaveimplementationsandprovidedthemto *
andsmall *
anotherRouterbehindtheoriginalCE ,takescareofinbound
anyspecifictransitionmechanism. *
appendices ,alongwith
appropriatesubnettingandconfigurationoftheaddress *
approvedbytheIESGarecandidatesforanylevelofInternet *
arbitrarytopologywithadynamicroutingprotocolorHNCP .
architecture. *
as-a-Service *
asWideAreaNetworks *
asassignedbyPCPasperSection5.6.1of .
assumesaStatefulNAT64 functiondeployedattheservice
atleastontheWANside.Commonly ,theuserhasaccesstoconfigure
availabilityofnativeIPv4orIPv4aaSaretransparentforthe *
availableforeverypossiblecustomeranddevice ,whichcausesIPv4
availableinanyIPv6routerwhenusingIPv6GlobalUnicastAddresses *
baselinefortransitionfeaturestobeimplementedonsuchrouters. *
becauseofbusinessdecisions. *
bereliablyestimated. *
beusedinresidential *
bothIPv4-onlyandIPv6-onlydevicesinthecustomer-sideLANsofthe *
byusingDHCPv6-PD *
capitals ,asshownhere.
carefully ,astheydescribeyourrightsandrestrictionswithrespect
cases ,theserviceproviderisresponsibleforprovisioning
changetheirexistingnetworktopologywiththeintroductionofIPv6. *
checkforavalidmatchinOPTION_S46_PRIORITY ,which
clarifications. *
combinedwithadynamicroutingprotocol.Onceagain ,thisistrue
commercial *
commonsituationwhensufficientIPv4addressesarenolonger *
communicatewithIPv4-onlyservicesontheInternet. *
communications. *
complexnetworksusingmanualconfigurationofaddressprefixes *
connections.Therequirementsforthatsupportareoutofthescope *
continuitysupportfordevicesintheLANside.Thisensuresthat *
currentlybeincludedintheOPTION_S46_PRIORITY.Inthefuture ,an
customerLANs ,aswellasIPv4
customerLANsandallowautomatedIPv6transitionmechanism *
datacenters ,contentproviders,etc.Evenifthedocumented
defineadifferentsetoffeaturesfromthoseincludedinthis *
defined. *
deploymentisachangingsituation.Inasinglecountry ,notall
deprecatedbyOCF *
describedin *
describedintheSimplifiedBSDLicense. *
determinedthroughPCPoraccesstoaconfiguredportset *
device.However ,devicesorapplicationsinthecustomerLocalArea
devicesandapplicationsinthecustomernetworkscanstillreach *
devicesattachedtotheLANs. *
devicesattachedtotheLANs.Thus ,theWANconfigurationand
differentIPv4aaSesatdifferentserviceproviders. *
differentrequirementsrelatedtothesupportofPCP ,
disabledatthisstep. *
discovery *
document ,forexample,featuresthatsupportonlysomeofthe
document. *
documentauthors.Allrightsreserved. *
doesn *
eachoneofthetransitionmechanisms.AnIPv6TransitionCERouter *
enabledonaCErouter ,butcannotbeassociatedwithanIPv4
encapsulatedusingDS-Lite .
equivalent *
equivalentorbettercapabilitiesandfunctionalitythanthecurrent *
everycountryforeveryISP.Fordifferenttechnical ,financial,
follow *
followingIPv6TransitionCERouterrequirementsalsoapply. *
forIPv6PrefixDelegation *
foranAFTR *
forbothIPv4andIPv6. *
fornewtransitionmechanisms ,isthelackofspaceintheflash
foundbetweentheprioritylistandthecandidatelist ,
fromotherrouters *
functionfromtheDS-Litetunnelconcentratortothetunnelclient *
hostsbehindtheCE *
ifthecostsarenotdirectlycausedbysupportingthisdocumentbut *
ifthedefaultgatewayortheNAT64isthePCPserver. *
implement *
implemented ,lw4o6SHOULDbeimplementedaswell.Iflw4o6is
implemented ,theIPv6TransitionCERouterMUSTalso
implementedandaPCPserverisnotconfigured ,theIPv6
in onlyiftheserviceproviderusesDNS64
inboundconnectionstypicallyrequiresomedegreeofmorecomplex *
includeSimplifiedBSDLicensetextasdescribedinSection4.eof *
includesthesupportofIPv4-onlydevicesandapplicationsinthe *
incomingconnectionsandmayallowopeningofportsusingaUniversal *
indefinitely. *
inmanycases ,theusermustsupplyormayreplacetheIPv6
integrationandtestingcostmaybecomeanissue. *
intendedfortheretailmarketMUSTsupportallofthem. *
intendedforusageinotherscenarios ,suchaslargeenterprises,
interfaceestablishedbyanIPv4aaSmechanismorcannotdetermine *
isalsonotinscope.DHCPpacketsMUSTNOTbeforwardedbetweenLAN *
isconfigured ,theIPv6TransitionCERouterMAYverify
isnothappeningatthesamepaceineverycountryandevenwithin *
isrequired.Thus ,thereisaneedforCEstosupportIPv4aaS
it.Meanwhile ,ifanoperatorprovides464XLAT,itneedstoensure
itMUSTbeimplementedaccordingto .ThefollowingIPv6
ithasbeenconfirmedthatthereareseveralopen-sourceversionsof *
locatedintheIPv6TransitionCERouter ,removingtherequirement
lw4o6 specifiesanextensiontoDS
lw4o6requirements *
lw4o6viathelw4o6DHCPv6options *
manualconfiguration ,suchassettingupaDMZ,settingupvirtual
mappingbetweenIPv6andIPv4addresses. *
material *
maybethecasethattheserviceproviderdoesnotuseordoesnot *
meansofnewtransitionmechanisms.Thedocumentonlycovers *
mechanismadevicewillneedoveritslifetime ,anIPv6TransitionCE
mechanismfortransportingIPv4packetsacrossanIPv6networkusing *
mechanismimplementedbytheIPv6TransitionCERouter. *
mechanisms ,thismayrequiredifferentiatingmappings
mechanisms *
mechanisms ,includingdual
mechanismsand *
mechanismsareoutsidethescopeofthisdocument. *
mechanismsmayneedtoconsidertrainingcostsforstaffinallthe *
mechanismtotherelevantcustomers. *
moreadvancedrequirementsincludeinboundconnections *
network. *
networkisoutofscopeforthisdocument.SecuringDHCPintheLAN *
newfunctionalities.However ,atthetimeofwritingthisdocument,
newrequirements ,asdescribedinthefollowingsubsections.
oBasiccapabilitiesoftheIPv6TransitionCERouter *
oProvisioningoftheLANinterfaces *
oProvisioningoftheWANinterfaceconnectingtotheservice *
ofDS-LiteviatheDS-LiteDHCPv6option *
ofIPv6-onlyaccess ,privateIPv4addressesarealsoavailableifthe
ofSharedIPv4Addressesasdescribedin .
oftheoptiondefinedin .Thiscanalsobeusedifthe
ofthisdocument ,meanthatmaliciousnodesmayalterthepriorityof
ofthisdocument. *
onlyabout0.15 *
open-sourceimplementations *
operators *
operatorswillnecessarilyprovideIPv6support.Consumersmayalso *
orconfigurationinformationdifferencesfrom .
orsomeotherfirewallcontrolprotocol ,inthecaseofanIPv6
othermechanismstoconfigurelw4o6parameters.Such *
overanIPv6MulticastNetwork *
parameters.Suchmechanismsareoutsidethescopeofthis *
persistentvsnon-persistentandwhatsizetochoose *
pertainingtoaconfigurationasappliedbyavendorprior *
popularCEsalreadyinthemarket ,thenewrequiredcodeis
possibleusagecases ,justanoverview.Infact,combinationsofthe
prefix *
priorityoptionsdescribedin *
provideconnectivitytoaserviceprovidernetwork ,includinglink
provider *
providerorathird-partynetwork. *
providingtransittootherexternalnetworks.However ,HNCP
provisioning ,thefollowinggeneraltransitionrequirementsare
publicationofthisdocument.Pleasereviewthesedocuments *
publishedforinformationalpurposes. *
receivedpublicreviewandhasbeenapprovedforpublicationbythe *
regionalinsomecases.Figure1presentsasimplifiedviewofthis *
remoteIPv4-onlyservicescontinuetobeaccessible ,forboth
requeststotheserver. *
requirementsmeettheirneeds ,theymayhaveadditionalrequirements,
resultin *
resultinserviceprovidersprovisioningIPv6-onlyWANaccess.At *
routers.Figure2illustratesthemodeltopologyfortheend-user *
scenariosandend-usernetworkarchitecture ,respectively.These
scopeofthisdocument. *
server.Theterm *
servers ,orsettingupport
serviceprovidernetwork. *
serviceproviderorbyvendorswhosellthroughtheretailmarket. *
serviceproviderusesDNS64 .
services ,thenitMUSTsupport
servicesoveranIPv6-onlyWANnetwork ,includingIPv6
serviceswillstillbeprovidedusingIPv4tothecustomerLANs. *
severaltransitionmechanismsand *
shouldbeabletosupportallofthemwithminimalimpact. *
sidebehindanIPv6TransitionCERouterconnectedtoanIPv6-only *
singledataplaneiscommontoallofthem ,whichtypicallymeans,in
solution. *
somemanualconfiguration. *
spaceamongseveralinterfaces.Insometransition *
subnet ,theIPv6TransitionCERouterMUSTallow
sufficientIPv4addressesavailableforeverypossiblecustomer *
support. *
supported ,itMUSTbeimplementedaccordingto
supportedbyanIPv6TransitionCERouterandrelevantprovisioning *
supportedtransitionmechanisms ,whichMUSTremain
supportedtransitionmechanisms. *
switchISPsandusethesameIPv6TransitionCERouterwitheitheran *
techniquesfortheoperationandmanagementofthesemechanisms ,even
technologiesfordeliveringIPv4inIPv6-onlyconnectivity. *
thatDS-LitetrafficisforwardedovertheIPv6TransitionCE *
thatMAP-TusesIPv4-IPv6translation ,insteadofencapsulation,as
thatOPTION_S46_PRIORITYisnotsentforanyothertransition *
thatspecifyfeaturesetsfortheIPv6TransitionCERoutermay *
thattodaymayprovideaccesswithdual-stackorIPv6-in-IPv4 *
theIPv6PrefixUsedforIPv6AddressSynthesis *
theLANinterfaces ,firewall,DMZ,andmanyotherfeatures.However,
theLANsidewhentheWANinterfaceisdown. *
thePortControlProtocol *
theTrustLegalProvisionsandareprovidedwithoutwarrantyas *
theamountofcentralizedstate. *
thecustomeredgerouterhasnotyetbeenprovisioned.Inthecase *
theformofIPv6domaintransport. *
them ,orprovidethepossibilitytosetuptheCEinbridgemode,so
therequiredcodeforsupportingallthenewtransitionmechanisms ,
thesametime ,theyneedtoensurethatbothIPv4
thesedifferenceshaveimplicationsforthenetworkarchitecture. *
theserviceprovidermayopttoconfiguretheNAT64prefixbymeans *
thetransitionmechanisms. *
thisdocument. *
toSupportIPv4-as-a-Service *
toas *
totheadministratorchangingitforitsinitial *
tothisdocument.CodeComponentsextractedfromthisdocumentmust *
transitioningattheirownpace *
transitionmechanismdetails.PCP maybeanalternative
transitionmechanisms ,whicharealreadysupportedby
transitionmechanismsenumeratedinthisdocument. *
transitionmechanismslistedinthisdocument.Serviceproviders *
transitionservicesforthesupportofIPv4-as-a-Service *
translationsonaper-interfacebasis. *
translator *
trustDNS64 becausetheDNSconfigurationattheCE
tunnel. *
tunnels. *
understandingofthisdocument. *
unlessaNAT64 prefixhasbeenconfigured,in
updateof oraNAT64DHCPv6configurationoptionmayenable
upnp-resources *
usedbyanupstreamPCP-controlledNAT64device. *
useoneortheotherMUSTfollowthisorder *
usernetworkisthatitprovidesstableaddressing *
usingtheCLAT. *
vendorswithregardtoincludingnewfunctionalities ,suchassupport
versionsofthisdocument.ThanksalsofortheLastCallreviewsby *
web ,DNS,email,VPN,etc.
whichareoutofthescopeofthisdocument. *
whichcase ,464XLAT
whichportsareavailable ,anAddPortMapping
withIPv4aaS. *
withNATfunctionalityandasinglelinkupstream ,connectedtothe
withmultipleLANinterfacesmaybehandledbymeansoftheHome *

RFCsMaster/8612ddos_open_threat_signaling_dots_requirements.txt pypi

1.1.ContextandMotivation *
1.1.ContextandMotivation.................2 *
1.2.Terminology *
1.2.Terminology.......................3 *
1.Introduction *
1.Introduction........................2 *
2.1.GeneralRequirements *
2.1.GeneralRequirements..................7 *
2.2.SignalChannelRequirements *
2.2.SignalChannelRequirements...............8 *
2.3.DataChannelRequirements *
2.3.DataChannelRequirements................13 *
2.4.SecurityRequirements *
2.4.SecurityRequirements..................14 *
2.5.DataModelRequirements *
2.5.DataModelRequirements.................16 *
2.Requirements *
2.Requirements........................5 *
2119KeyWords *
2727S.StateSt. *
3.1.SignalChannel *
3.1.SignalChannel.....................17 *
3.2.DataChannel *
3.2.DataChannel......................17 *
3.CongestionControlConsiderations *
3.CongestionControlConsiderations..............17 *
4.SecurityConsiderations *
4.SecurityConsiderations...................17 *
5.IANAConsiderations *
5.IANAConsiderations.....................18 *
6.1.NormativeReferences *
6.1.NormativeReferences..................18 *
6.2.InformativeReferences *
6.2.InformativeReferences.................20 *
6.References *
6.References.........................18 *
A. ,andH.Ashida,
A. ,Peterson,J.,Sparks,R.,Handley,M.,andE.
ADOTSclientMAYwithdrawamitigationrequestatanytime *
ADOTSclientmayobtainthemitigationscopethroughdirect *
Abstract *
Accept-list *
Acknowledgments *
Acknowledgments.........................21 *
AdditionalDOTSsecurityconsiderationsmaybefoundin *
AddressTextRepresentation *
AndrewMortensen *
AnnArbor ,MI48104
ArborNetworks *
Architecture *
Asanactiveattackevolves ,DOTSclientsMUSTbeabletoadjust
AspartofaprotocolexpectedtooperateoverlinksaffectedbyDDoS *
AsspecifiedinDATA-001 ,thedatachannelrequiresreliable,in
Astandardizedmethodtocoordinateareal-timeresponseamong *
AstheresiliencerequirementsfortheDOTSsignalchannelmandate *
Authors *
Awell-structuredDOTSdatamodeliscriticaltothedevelopmentof *
BCP14 when,andonlywhen,theyappearinall
Bangalore ,Karnataka560071
BlockingcommunicationbetweenDOTSagentshasthepotentialto *
Bonica ,R.,Baker,F.,Huston,G.,Hinden,R.,Troan,O.,
Category *
CiscoSystems ,Inc.
CommunicationLayers *
Contributors *
Contributors..........................21 *
Copyright *
CopyrightNotice *
Countermeasure *
DATA-001Reliabletransport *
DATA-003ResourceConfiguration *
DATA-004PolicyManagement *
DDoS *
DDoSOpenThreatSignaling *
DDoSattackcausingnetworkcongestion. *
DDoSattacktarget *
DDoSattacktelemetry *
DM-001Structure *
DM-002Versioning *
DM-003MitigationStatusRepresentation *
DM-004MitigationScopeRepresentation *
DM-005MitigationLifetimeRepresentation *
DM-006MitigationEfficacyRepresentation *
DM-007AcceptableSignalLossRepresentation *
DM-008HeartbeatIntervalRepresentation *
DM-009RelationshiptoTransport *
DOI10.17487 *
DOTSagent *
DOTSagentsMUSTassumeaPMTUof1280bytes ,asIPv6requires
DOTSagentsMUSTsupportmitigationscopealiases ,allowingDOTS
DOTSagentsbeingcompromised. *
DOTSagentscanalsosignificantlyaugmentattackresponse *
DOTSagentscanattempttolearnPMTUusingtheprocedures *
DOTSclient *
DOTSclientandmodifyingthembeforetransmissiontotheDOTSserver *
DOTSclientforupstreamDOTSservers.Client-domainDOTS *
DOTSclientintoasingleDOTSagent.Thisfunctionalityis *
DOTSclientisnotauthorizedtomanage. *
DOTSclients ,whileserver
DOTSclientsMAYtakethesemetricsintoaccountwhendetermining *
DOTSclientsMUSTbeabletotransmitametricofperceived *
DOTSclientsMUSTincludeamitigationlifetimeinallmitigation *
DOTSclientsshouldsimilarlybeabletowithdrawaidrequests.DOTS *
DOTSclientsthatpertaintomitigation ,configuration,filtering,
DOTSclientstomanagedrop-andaccept-listsoftrafficdestined *
DOTSclientwithinaDOTSgatewayareimplementation-specific ,
DOTSgateway *
DOTSmustoperatewithinaparticularlystrictsecuritycontext ,as
DOTSprotocolimplementationsfacecompetingoperationalgoalswhen *
DOTSprotocols. *
DOTSprotocolsMUSTbeencryptedusingsecuretransports *
DOTSprotocolsdesign. *
DOTSserver *
DOTSserverMUSTbelongtothesameadministrativedomain. *
DOTSserverdoesnotgrantamitigationrequestwithanindefinite *
DOTSserversMUSTbeabletoresolvedomainnamesand *
DOTSserversMUSTregularlysendmitigationstatusupdatesto *
DOTSserversMUSTrejectmitigationrequestswithscopesthatthe *
DOTSserversMUSTtreatamitigationterminatedduetolifetime *
DOTSserversSHOULDsupportindefinitemitigationlifetimes ,
DOTSsignal *
DTLS *
Datachannel *
DaveDolson *
Denial-of-ServiceConsiderations *
Denial-of-serviceconsiderationsarediscussedindetailin *
DistributedDenial-of-Service *
Dobbins ,R.,Migault,D.,Fouant,S.,Moskowitz,R.,
Drop-list *
Duetotheincreasedlikelihoodofpacketlosscausedbylink *
Email *
EmbassyGolfLinkBusinessPark *
FYI36 ,RFC4949,DOI10.17487
Filter *
Finally ,DOTSshouldbesufficientlyextensibletomeetfutureneeds
Firewallbindingsdonotexpire ,byusingthekeep
Firewallbindingstoavoidcryptographichandshakefornew *
FlemmingAndreasen *
Followingmutualauthentication ,asignalchannelMUSTbe
Forexample ,aDOTSclientshouldbeabletocreateadrop
GEN-001Extensibility *
GEN-002ResilienceandRobustness *
GEN-003BulkDataExchange *
GEN-004MitigationHinting *
GEN-005LoopHandling *
Guidelines *
Heartbeat *
HowaDOTSserverauthorizesDOTSclientmanagementofdrop-and *
Huawei *
IPv4datagrams ,aseveryIPv4hostmustbecapableofreceivinga
ISSN *
IfUDPisusedasthetransportfortheDOTSsignalchannel ,all
Ifthereisadditionalinformationavailablenarrowingthescope *
ImpersonationofeitheraDOTSserveroraDOTSclientcouldhave *
India *
Informationaboutthecurrentstatusofthisdocument ,anyerrata,
InitiationProtocol *
InorderforDOTSprotocolstoremainsecuredespiteadvancements *
InternetEngineeringSteeringGroup *
InternetEngineeringTaskForce *
Likewise ,DOTSserversMUSTrefusetoallowcreation,
MAYexposeadditionalconfigurability.Additionalconfigurability *
MUSTallowreferencestodescribetheoveralldatamodel *
MUSTbedeliveredreliablyintheordersent. *
MUSTregularlysendheartbeatstoeachotherwhileamitigation *
MUSTsupportthefollowingrequiredscopetypes *
MUSTthereforebecapableoftraversingNATs. *
May2019 *
McAfee *
Mitigation *
Mitigationmethodologyisoutofscopeforthisdocument. *
Mitigator *
MohamedBoucadair *
Mortensen ,etal.Informational
Mortensen ,A.,Ed.,Reddy,T.,Ed.,Andreasen,F.,Teague,
MultihomedDOTSclient *
N. ,andR.Compton,
NATs *
OakPark ,MI42837
OpenThreatSignaling *
OperatorsofpeerDOTS-enableddomainsmayenableeitherquality-of- *
Orange *
Plan *
ProvisionsRelatingtoIETFDocuments *
R.Moskowitz *
RFC3986 ,DOI10.17487
RFC7092 ,DOI10.17487
RFC793 ,DOI10.17487
RFC8612DOTSRequirementsMay2019 *
ReachabilityinformationofpeerDOTSagentsisprovisionedtoaDOTS *
RequestforComments *
RequirementLevels *
ResourceIdentifier *
Retana ,SureshKrishnan,BenCampbell,MirjaKuehlewind,andJon
RobertMoskowitz *
RobertSparks ,BrianWeis,BenjaminKaduk,EricRescorla,Alvaro
S. ,andK.Naito,
SEC-001PeerMutualAuthentication *
SEC-002MessageConfidentiality ,Integrity,andAuthenticity
SEC-003DataPrivacyandIntegrity *
SEC-004MessageReplayProtection *
SEC-005Authorization *
SIG-001UseofCommonTransportProtocols *
SIG-002Sub-MTUMessageSize *
SIG-003Bidirectionality *
SIG-004ChannelHealthMonitoring *
SIG-005ChannelRedirection *
SIG-006MitigationRequestsandStatus *
SIG-007MitigationLifetime *
SIG-008MitigationScope *
SIG-009MitigationEfficacy *
SIG-010ConflictDetectionandNotification *
SIG-011NetworkAddressTranslatorTraversal *
Sandvine *
Schooler ,
Section2.2 ,thesignalchannelprotocolmustbedesignedforminimal
Security *
Service *
Shallowfortheircarefulreadingandfeedback. *
Signalchannel *
SignalchannelimplementationsusinganIETFstandardcongestion- *
Similarly ,animpersonatedDOTSservermaybeabletoactasasort
Standard *
StatusofThisMemo *
TableofContents *
Teague ,N.,Xia,L.,andK.Nishizuka,
ThankstoRomanDanyliw ,MattRichardson,JoeTouch,ScottBradner,
TheDOTSprotocolmust ,ataminimum,makeitpossibleforaDOTS
TheDOTSserverandclientmustalsohavesomestandardizedmethodof *
Thedatachannelisintendedtobeusedforbulkdataexchanges *
Thedatachannelisnotexpectedtooperateinsuchconditions. *
ThedatachannelprovidesaprotocolforDOTSconfigurationand *
TheexpectedlayoutandinteractionsamongstDOTSentitiesis *
ThefollowingmitigationscopetypeisOPTIONAL *
ThegoalofDOTSprotocolsistoenableandmanagemitigationon *
ThegoaloftheDOTSrequirementsspecificationistospecifythe *
Theinitialactive-but-terminatingperiodisbothimplementation- *
Thekeywords *
Themodesofauthorizationareimplementation-specific. *
TheprevalenceandimpactoftheseDDoSattackshasledtoan *
Thereasonsthemselvesareoutofscopeforthisdocument.Ifthe *
Thesecapitalizedwordsareusedtosignifytherequirementsforthe *
ThisdefensecouldbecoordinatedbyaDOTSserverandinclude *
Thisdocumentadoptsthefollowingterms *
ThisdocumentdefinestherequirementsfortheDistributedDenial-of- *
ThisdocumenthasnoIANAactions. *
Thisdocumentinformsfutureprotocolsunderdevelopmentandsodoes *
ThisdocumentisaproductoftheInternetEngineeringTaskForce *
ThisdocumentisnotanInternetStandardsTrackspecification *
ThisdocumentissubjecttoBCP78andtheIETFTrust *
ThreatSignaling *
TirumaleswarReddy *
Today ,theseservicesofferproprietaryinterfacesforsubscribersto
TodetectcompromisedDOTSagents ,DOTSoperatorsshouldcarefully
Todetectmisuse ,asdetailedinSection2.4,DOTSimplementations
ToprotectagainstrouteorDNSflappingcausedbyaclient *
Tosupportscenariosinwhichlossofheartbeatisusedtotrigger *
Translation *
TransmissionControlProtocol *
UDP *
UnitedStatesofAmerica *
WhenDOTSclient-requestedmitigationisactive ,DOTSserver
Whennoattacktrafficispresent ,thesignalchannelMUSTbe
WhileconnectionlesstransportsuchastheUserDatagramProtocol *
WhiletheinterfacesbetweendownstreamDOTSserverandupstream *
Withinthesignalchannel ,messagesMUSTbeuniquelyidentified
aDDoSattack.Potentialtargetsinclude *
abletorepresenttheDOTSagent *
absence. *
absorblatencyincurredbyroutepropagation.IfaDOTSclient *
abuse ,enablingorsupplementingtheveryattacksDOTSpurportsto
accept-listedsourceaddresses ,addressorprefixgroupaliasing,
accept-listentriesisimplementation-specific. *
accept-listentry ,retrievealistofcurrententriesfromeither
actioninanticipationoforinresponsetoanattack ,butitdoes
active-but-terminatingperiodelapses ,theDOTSserverMUSTtreat
activeDOTSclienthasnotrequestedmitigation ,inorderto
activeorexpectedDDoSattacks.TheDOTSsignalchannelisexpected *
additionalattackdetails.DOTSserversMAYignoresuch *
addressestowhichthedomainnameorURIresolverepresentthe *
administrativedomainattemptingtohonorconflictingrequestsmay *
affectpolicyonthenetworkpathtotheDOTSclient *
agent *
agentimpersonationandsignalblockingarediscussedhere. *
agents. *
allowingclientstoextendmitigationasnecessaryforthe *
analogoustoaSessionInitiationProtocol *
and .
andDOTSprotocoldocuments. *
andF.Gont ,
anddeployment-specific ,butSHOULDbesufficientlylongenoughto
andfilteringoutspecifictypesofDDoSattacktrafficwhile *
andforwardonlythelatter. *
andhowtoprovidefeedbackonitmaybeobtainedat *
andincludinginstantiationofdrop-listsblockingallinbound *
andthenewprefixgroupalias ,oranerrorstatusandmessageinthe
aninsufficientlyprotectedsignalordatachannelmaybesubjectto *
anyassumptionsaboutspecificcharacteristicsofanygiven *
applytoDOTS.Regardlessoftransport ,DOTSprotocolsMUST
approvedbytheIESGarecandidatesforanylevelofInternet *
arediscussedin ,andtheDOTSarchitectureisdiscussed
arerequestedofitareoutofscopeforthisdocument.The *
asdescribedinSIG-003. *
asmallsignalmessagesize ,aseparate,securedatachannel
asnecessarythescopeofrequestedmitigationbyrefiningthe *
aspartofnewerprotocolversions. *
assumedtobelongtothesameadministrativeentity. *
attack ,usingfeedbackfromthemitigatorandotheravailable
attack ,wherecountermeasureenforcementismanagedbyanentity
attack.DOTS-serverhandlingofmitigationhintsis *
attackdetailsmightincludelocallycollectedfingerprintsforan *
attackmitigationandreducetheimpactoftheseattacks.This *
attackmitigationsolutionsthemselves ,orareconstrainedbylocal
attackresponsecoordinationwithotherDOTS-awareelements. *
attackresponsesmaybefragmentedorotherwiseincomplete ,leaving
attacktraffic ,theDOTSsignalchannelMUSTNOTcontribute
attemptingtoparticipateinattackresponsewiththeDOTS *
authenticatedsignalchannelbetweenDOTSagents ,usedtoindicate
authentication.Client-domainDOTSgatewaysaremoretrustedthan *
authentication.WhenDOTSagentsareexchangingheartbeatsandno *
authorizedDOTSclientsthathaverequestedandbeengranted *
bandwidthlimitations.Toaddresssuchgaps ,serviceprovidershave
basedonotherthreatintelligence.DOTSclientsMAYsend *
beabletorequestscopedmitigationfromDOTSservers.DOTS *
bedescribedbyasinglemoduleorbedividedintorelated *
beguntoofferon-demandtrafficscrubbingservices ,whichare
behalfofanetworkdomainorresourcethatisormaybecomethe *
behalfoftheDOTSclient ,ifrequested,bycommunicatingtheDOTS
bestpractices forencryptionandmessage
betweenDOTSagents.Unlikethesignalchannel ,thedatachannelis
betweenpeerDOTSagents. *
bidirectional ,withclientandservertransmittingsignalstoeach
bulkexchangeofdatanoteasilyorappropriatelycommunicated *
businessorservice-levelagreements ,arealreadycomplete.
but-terminatingperiod ,asdescribedaboveinSIG
butMUSTcontinuetosendheartbeatsonthecurrentsessionso *
butterminating.DOTSclientsMAYreversethemitigation *
byanopaqueidentifiercreatedthroughthedatachannel ,direct
byteoverheadofanyencapsulation ,transportheaders,and
bytheprotocol ,suchasDTLSsessionresumption,butMUSTbe
capitals ,asshownhere.
carefully ,astheydescribeyourrightsandrestrictionswithrespect
catastrophicimpactonoperationsineitherdomain.Ifanattacker *
channel ,asthedatachannelmaynotbefunctionalduringan
channel ,usedasakeep
channelbetweentwoDOTSagentsusedforinfrequentbutreliable *
channelimplementationsshouldbepreparedtodetectandterminate *
channelprotocol ,duetothehigherlikelihoodofpacketloss
channelrequirementsinSections2.1and2.2 ,DOTSserver
characteristics ,DOTSagentsneedtoensureitson
characteristics.AbsentinformationabouttheNAT *
characteristicsdefiningthenatureofaDDoSattack. *
characteristicssuchassmallmessagesize ,asynchronous
client *
client-facingside ,whichbehavesasaDOTSserverfordownstream
clientheartbeatsasanindicationthesignalchannelis *
clients ,andaserver
clients.DOTSserversinasingleadministrativedomainSHALL *
clientsMAYattempttoestablishanewsignalchannelsession *
clientsMUSTNOTassumetheredirectiontargetDOTSservershares *
clientsandserverstorefertocollectionsofprotectedresources *
clientsmustbeabletoselecttheappropriateDOTSserver *
clienttorequestaidmountingadefenseagainstasuspectedattack. *
clientusingavarietyofmanualordynamicmethods.Oncea *
collectionofprefixesitwantstorefertobyaliaswhenrequesting *
collectionsofhierarchicalmodulesandsubmodules.Ifthedata *
common ,widelydeployedandstandardizedtransportprotocols.
communicatewithDOTSserversthroughtheNAT.DOTSprotocols *
communicationbetweenDOTSagentstoloop.Signalanddata *
communicationbetweenDOTSclientsandserversenablesacommon *
communicationchannelbetweenDOTSagents.Indeed ,establishinga
communicationchannelbetweenDOTSagentsthatisresilienteven *
communicationstoreduceattacksurface. *
compatible.ImplementationsofolderprotocolversionsMUST *
configuration ,orothermeans.DomainnameandURImitigation
configurations. *
configuredlocally.ThatvalueMUSTbereturnedinareplytothe *
conflictingmitigationrequest. *
congestedlink ,signalingprotocolmessagesizeMUSTbekeptunder
congestion ,asdiscussedin
congestionduringanattack ,DOTSserversSHOULDNOTredirect
connectedtotheInternet ,plaguingnetworkoperatorsatservice
consecutivemissedheartbeatmessages ,retransmissioncount,or
consequentlydecreasedprobabilityofmessagedeliveryovera *
considerationsin *
consideredactiveuntilaDOTSagentexplicitlyendsthesession. *
consideredactiveuntileitherDOTSagentfailstoreceive *
contactbetweenDOTSagentsevenasattacktrafficsaturatesthe *
continuetoincrease. *
contributetotherobustnessdemandedbyaviableDOTSprotocol. *
controlledbyasingleadministrativeentitymaysendconflicting *
controlledtransportprotocol *
controllingtheDOTSclientneednotbepresentbeforeestablishinga *
controlload. *
coordinatedresponsetoDDoSattacks. *
coordination ,permittingsuchtasksaspopulationofdrop
couldbesplitintomultiplelistsandeachlistconveyedinanew *
countermeasurescanbelayeredtodefendagainstattackscombining *
datatransfertoreducetheincidenceofsignalloss. *
ddolson *
decisionislocaltotheDOTSclients *
definingthescopeofanymitigation ,aswellasmanagingother
defunct. *
deliverysuccessorfailure. *
deployedbehindaNetworkAddressTranslator *
describedintheDOTSArchitecture .
describedintheSimplifiedBSDLicense. *
designedtomaximizetheprobabilityofsignaldeliveryevenunder *
designedtoseparatetheDDoSattacktrafficfromlegitimatetraffic *
destinedforthetargetortargetsofadetectedorreportedDDoS *
detailsthatcanbeusedtoinformmitigationtechniques.Example *
detectionandprevention. *
detectsuchconflictingrequestsandSHALLnotifytheDOTSclients *
discarded.UniquemitigationrequestsMUSTbeprocessedatmost *
discovery.DOTSclientsMUSTsupportatleastonemechanismto *
discreteDOTSclientconnectionsandmayaggregatetheseintoone *
discussedin .IfthePMTUcannotbediscovered,
discussedinSection3.5of .
disruptingorinfluencingthenetworkpolicyofthereceivingDOTS *
disruptthecorefunctionofDOTS ,whichistorequestmitigationof
documentauthors.Allrightsreserved. *
documentbutshouldfollowcurrentIETFbestpractices *
documentdescribestherequiredcharacteristicsofprotocolsthat *
domain.Amongotherthings ,thismaliciousDOTSgatewaymight
draft-ietf-dots-architecture-13 ,April2019.
durationofanattack. *
duringaDDoSattack ,DOTSserversneedtosendthemitigation
duringactivemitigationarediscussedbelow *
duringvolumetricattack ,DOTSagentsSHOULDavoidsignalchannel
eachotherbeforeaDOTSsignalordatachannelisconsidered *
efficacymetrictoadjustcountermeasuresactivatedonamitigator *
efficacyofamitigationenabledthroughamitigationrequest. *
elapses ,theDOTSserverMAYincreasetheactive
enableattackresponsecoordinationandmitigationofDDoSattacks. *
enablingarchitecturesinwhichthemitigatorisalwaysinthe *
ensuringnorequestedmitigationiseverapplied. *
enterpriseslacktheresourcesorexpertisetooperateon-premise *
entitiesparticipatinginDOTSmaydetailwhatdatamaybe *
error ,orcompromisedDOTSclients.DOTSserversinthesame
eventtheDOTSclient *
exceedsthePMTU ,theDOTSagentMUSTsplitthemessageinto
exceptioncircumstancestoterminatingthesignalchannelsession *
exchange.However ,reliablebulkdataexchangemaynotbe
exchangeofincidentreports ,andotherhintingorconfiguration
expirationexactlyasiftheDOTSclientoriginatingthe *
failuresandtheircauses. *
fandreas *
feedbacktotherequestingDOTSclient. *
flapnetworkrouteorDNSinformation ,degradingthenetworks
flexibilityandscalability ,DOTSserversSHOULDbeableto
flows.Thefilterwilltypicallyhaveapolicyassociatedwith *
focusofaDDoSattack.AnactiveDDoSattackagainsttheentity *
followestablishedbestcommonpracticesestablishedinBCP127 *
forNATtraversal .
foralimitedperiodafteracknowledgingaDOTSclient *
foranegotiatedtimeintervalandMUSTterminateamitigation *
forresourcesbelongingtoaclient. *
freetoattemptabbreviatedsecuritynegotiationmethodssupported *
frombecomingadditionalvectorsfortheveryattacksitismeantto *
fromcapturingandreplayingoldmessages ,andtherebypotentially
fullscopeofthemitigation. *
functionwelloratallduringattackscausingnetworkcongestion. *
futureattacks ,asallinteractionssettingupDOTS,includingany
gatewaysareDOTSgatewaysthatareintheDOTSclient *
grantedmitigationswithindefinitelifetimes.DOTSserversMAY *
greaterasspecifiedin .IfIPv4supportonlegacyor
hand ,DOTSmustincludemeasurestoensuremessageconfidentiality,
handlemiddle-boxesandfirewalltraversal. *
hastheabilitytoimpersonateaDOTSclient ,thatattackercan
havedifferentapplicationandtransport-layerrequirements.This *
health.Thesekeep-alivesservetomaintainanyon-pathNATor *
heartbeatsfromtheotherpeerafteramutuallyagreedupon *
helpfightoff.Ontheotherhand ,theprotocolmustberesilient
hints.MitigationhintsMUSTbetransmittedacrossthesignal *
identifiers ,asdescribedinSIG
ignoreoptionalinformationaddedtoDOTSmessagesaspartof *
impersonationmoredifficult.However ,impersonationmaystillbe
implementation-specific. *
implementations ,datamodelsMUSTbeversioned.Howtheprotocols
implementationsMUSTprovideaninterfacetoconfigureresource *
implementationsusingsuchconnectionlesstransports ,suchasUDP,
in .
inProgress ,draft
inaDOTSsignalordatachannel.ItcanbeaDOTSclient ,DOTS
inadetectedattack. *
inclientmitigationrequests.DOTSclientsMAYalsoinclude *
includeSimplifiedBSDLicensetextasdescribedinSection4.eof *
includingmitigationswithnospecifiedendtime. *
inconditionsleadingtoseverepacketlosssuchasavolumetric *
inconflict.ThenotificationMUSTindicatethenatureandscope *
incoordinatedattackdefense ,althoughthisconsiderationis
increasedfocusoncoordinatedattackresponse.However ,many
incryptanalysisandtrafficanalysis ,DOTSagentsMUSTsupport
informationleaksormalicioustransactionsonbehalfofthe *
informationorinstructionsfromtheremoteDOTSagent.Theft ,
inscopeforthisdocument. *
integrity ,andauthenticityofmessagessentbetweenclientand
integrity ,authenticity,andreplayprotectiontokeeptheprotocols
inthenetworkpathbetweenattacksourcesandtheattacktarget. *
involvedoperatorswillincreasethespeedandeffectivenessofDDoS *
isimplementation-specific. *
it ,e.g.,rate
link.Suchresiliencymaybedevelopedseveralways ,but
list ,updatethecontentofeitherlist,anddeleteentriesas
listswhentheDOTSclientisunauthorized. *
logicalconcatenationofthefunctionalityofaDOTSserveranda *
lossmightinclude ,butarenotrestrictedto,numberof
maintainanactivesignalchannel ,andtoincreasetheprobability
maintainingthisbidirectionalcommunicationstream.Ontheone *
management.Forexample ,aDOTSclientmaysubmittoaDOTSservera
meansbywhichthisentityperformsthesemitigationsandhowthey *
message. *
messagesfromDOTSclients.TheDOTSserverenablesmitigationon *
misconfigurationofDNSorroutingpolicy ,itmaybepossiblefor
mitigate. *
mitigation ,theDOTSserverMUSTincludeareasonforthe
mitigation ,towhichtheserverwouldrespondwithasuccessstatus
mitigation ,andtokeepthechannelactive,DOTSserversMUST
mitigation-relatedconfigurations. *
mitigation.Asaresultofsignalinginterfaceincompatibility ,
mitigation.Ifunreliabletransportisusedforthesignal *
mitigation.ThebidirectionalsignalchannelMUSTsupport *
mitigationcouldbenegotiablebasedonNAT *
mitigationefficacytotheDOTSserver.DOTSserversMAYusethe *
mitigationhadaskedtoendthemitigation ,includingtheactive
mitigationhintsderivedfromattackdetailstoDOTSservers ,with
mitigationlifetime ,itMUSTsetthelifetimetoavaluethatis
mitigationrequestforthesamescope.TheDOTSserverMUSTtreat *
mitigationrequestisactive ,eitheragentMAYrequestchangesto
mitigationrequests.Theheartbeatintervalduringactive *
mitigationrequestsasaresultofmisconfiguration ,operator
mitigationscope. *
mitigationscope.Thescopetypewillvarydependingonthe *
mitigator. *
mitigatorandDOTSserverreceivingamitigationrequestare *
modelstructureissplitacrossmodules ,thosedistinctmodules
modification ,ordeletionofscopealiasesanddrop
modification ,orreplayofmessagetransmissionscouldleadto
mohamed.boucadair *
monitorandauditDOTSagentstodetectmisbehavioranddetermisuse *
multipleDDoSattacktypes. *
multipleDOTSservers ,eachinaseparateadministrativedomain.
necessarilysupersededbytheotheroperationalrequirements. *
necessary. *
necessaryduetonetworkpolicyormiddleboxcapabilitiesor *
network.DDoSattacksareintendedtocauseanegativeimpacton *
networkelements ,networklinks,servers,andservices.
newerprotocolversions.Implementationsofolderprotocol *
newsessionissuccessfullyestablished ,theDOTSclientcan
nordoDOTSclientsneedtojustifywithdrawinghelprequests *
notdictatetheimplementationoftheseactions.TheDOTSusecases *
notexpectedtobeconstructedtodealwithattackconditions.As *
nothavesecurityconsiderationsofitsown.However ,operators
notifications ,redundantmessagedelivery,andminimalconnection
obtainmitigationscope. *
of-lineblocking.TheserequirementsareatSHOULDstrengthto *
ofDOTSMUSTbeextensibleinordertokeepDOTSadaptableto *
ofanyrequestedattackresponse ,suchastargetedportrange,
ofheartbeatmessagesoverthesignalchanneltomonitorchannel *
ofmaliciousDOTSgateway ,interceptingrequestsfromthedownstream
ofmitigationlifetimesinmitigationrequestsfromDOTSclients ,
ofsignaldeliveryduringanattack ,thesignalchannelMUSTbe
oftheconflict ,forexample,theoverlappingprefixrangeina
on-goingattack ,oranticipatedoractiveattackfocalpoints
onbehalfofaDOTSclient. *
once. *
operationallyorprivacy-sensitivedata.Althoughadministrative *
operatorsintheattackpathunabletoassistinthedefense. *
optionsarenotspecified ,theprotocolsMUSTfollowcurrentIETF
ordermessagedelivery.DatachannelimplementationsusinganIETF *
originatingfrommultiplesourcesisdirectedatatargetona *
ormoreconnections.DOTSgatewaysaredescribedfurtherin *
orstatus. *
oscillatingattacks ,DOTSserversMAYallowmitigationtocontinue
otheratregularintervalsregardlessofanyclientrequestfor *
otherwiseunusualnetworksisaconsiderationandthePMTUis *
out-of-orderorredundantmessagedelivery.Insupportof *
overhead *
overtransportandapplicationprotocolsnotsusceptibletohead- *
packetwhoselengthisequalto576bytesasdiscussedin *
passinglegitimatetraffictotheattacktarget.Distinct *
path.Forexample ,whenaDOTSgatewayconsistingofaDOTS
performingmitigationofadetectedorreportedDDoSattack.The *
perioduptoamaximumof300seconds *
possibleasaresultofcredentialtheft ,implementationflaws,or
possibleduringattackscausingnetworkcongestion. *
preparedtonegotiatenewsecuritystatewiththeredirection *
probabilityofsuccessfulDOTSsignaldelivery ,butDOTSdoesnot
proprietaryDDoSdefenses.FutureextensionsMUSTbebackward *
protocol ,orservice,DOTSclientsSHOULDincludethatinformation
protocols ,includingwhenmultipleDOTSserversareprovisionedto
protocolsMUSTtakestepstoprotecttheconfidentiality ,
protocolsarelikelytocontainoperationallyorprivacy-sensitive *
providersandenterprisesaroundtheworld.High-volumeattacks *
providesthefoundationforamorerapidattackresponseagainst *
provisioningorthroughimplementation-specificmethodsof *
publicationofthisdocument.Pleasereviewthesedocuments *
publishedforinformationalpurposes. *
rapidlytogglingmitigation ,andtodampentheeffectof
receiveanddiscardmitigationrequestsfromtheDOTSclient ,
receivedbyeitherDOTSagentforanextendedperiod.The *
receivedpublicreviewandhasbeenapprovedforpublicationbythe *
redirectDOTSclientstoanotherDOTSserveratanytime.DOTS *
reduceheartbeatfrequencyorceaseheartbeatexchangeswhenan *
refreshesthemitigationbeforetheactive-but-terminatingperiod *
refusemitigationswithindefinitelifetimesforpolicyreasons. *
regardlessofwhethermitigationiscurrentlyactive.TheDOTS *
rejectioninthestatusmessagesenttotheclient. *
relationshipbetweenDOTSagentsisestablished ,regular
relationshipwithpeerDOTSagentsduringnormalnetworkconditions *
remotepeer. *
representationofarequestedmitigation *
representationofcurrently-requestedmitigationstatus ,including
representdata-modelversionsisnotdefinedinthisdocument. *
requestattackmitigation.Suchproprietaryinterfacestiea *
requestedmitigation. *
requestingDOTSclient. *
requestingprotection.DOTSclientsMUSTbepreparedtonotbe *
requestisactive.Becauseheartbeatlossismuchmorelikely *
requestmitigation. *
requests. *
requests.IfaDOTSserverrejectsanauthorizedrequestfor *
requesttimeouts. *
requirementsabove ,DOTSsignalchannelimplementationsSHOULD
requirementsforDOTSsignalchannelanddatachannelprotocolsthat *
requirementsinSection2.2. *
requiremutualauthenticationofDOTSagentsinordertomakeagent *
requiresnojustificationfromDOTSclientsforrequestsforhelp ,
requiresuchpoliciesbeinplaceandshouldbeviableintheir *
resilient ,thatis,continueoperatingdespitemessagelossand
resourcesrequiringmitigation.AllDOTSagentimplementations *
responsibleforthemitigation. *
retransmissionprocedurehasbeenexhausted.PeerDOTSagents *
revealedtothird-partyDOTSagents ,suchconsiderationsarenot
saturatinginboundlinksarenowcommonasattackscaleandfrequency *
scopeforthisdocument. *
scopemayberepresentedinseveraldifferentways ,perSIG
scopeofresourcesrequiringmitigation. *
scopesmaybethoughtofasaformofscopealiasinwhichthe *
sectiondescribestherequiredfeaturesandcharacteristicsofthe *
securenegotiationofthetermsandmechanismsofprotocol *
security ,subjecttotheinteroperabilityandsignalmessagesize
securityboundary. *
securitystatewiththeredirectingDOTSserver.DOTSclientsare *
sendingagent *
separatemessages *
server ,or,asalogicalagent,aDOTSgateway.
server.Whilespecifictransport-andmessage-levelsecurity *
serverMUSTimmediatelyacknowledgeaDOTSclient *
serverandDOTSclientisrunningonthesamelogicaldevice ,the
serverisimplementation-specific. *
serversMUSTsendstatustotheDOTSclientsaboutmitigation *
serverstatusmessagesSHOULDindicatethatmitigationisactive *
serviceorclass-of-servicetraffictaggingtoincreasethe *
sharethesameleveloftrust.Asecuritymechanismatthe *
shouldalwaysbeallowedregardlessofcontradictorydatagleaned *
shouldbeawareofpotentialrisksinvolvedindeployingDOTS.DOTS *
shouldbeblockedregardlessoftrafficcontent. *
signalingprotocolrobustness ,DOTSsignalsSHOULDbeconveyed
signalingwithinorbetweendomainsasrequestedbylocaloperators. *
signallosswhenestablishingasignalchannel.Measurementsof *
significantlytolinkcongestion.Tomeetthesignalchannel *
solicitheartbeatexchangesaftersuccessfulmutual *
sources ,andMAYusetheabsenceofattacktrafficandlackof
specification *
standardcongestion-controlledtransportprotocolmayrelyonthe *
statusmessagesMUSTincludethefollowingmitigationmetrics *
statusmultipletimesatregularintervalsfollowingthedata *
stopmitigation. *
structuraldependencies. *
subscribertoaserviceandlimittheabilitiesofnetworkelements *
successfulDOTSprotocols. *
suchloopstopreventservicedisruption. *
suchthatreplayedorduplicatedmessagescanbedetectedand *
supplementalinformationwhenenablingcountermeasuresonthe *
supplementingattackresponses. *
supportconnectionlesstransports.However ,someconnectionless
supported *
supportrepresentationofaDOTSclient *
supportrepresentationofamitigationrequest *
targetDOTSserver.TheredirectionDOTSserverandredirecting *
targetintheDOTSclient *
terminatethecurrentsession. *
terminationduringthisactive-but-terminatingperiodwithanew *
terminationwhenmitigationisactiveandheartbeatsarenot *
thateverylinkintheInternethaveanMTUof1280octetsor *
thatofthesignalchannelsbridgedbygatewaysinthesignaling *
thattheDOTSserverknowsthesessionisstillalive.Ifthe *
thatwouldotherwisebecapableofparticipatinginattack *
theDOTSclients ,SHOULDbeconsidered.TheprotocolMUSTbe
theDOTSserver *
theTrustLegalProvisionsandareprovidedwithoutwarrantyas *
theabilitytorepresentarequestformitigationandthe *
theappropriateDOTSserverinamultihomedenvironmentisoutof *
theavailabilityand *
theclient *
thedatamodelMUSTincludeextensiblerepresentationof *
thefullunderstandingthattheDOTSserverMAYignoremitigation *
theheartbeatrate.Forexample ,aDOTSservermightwantto
themitigationasterminated ,astheDOTSclientisnolonger
themodelexplicitly. *
theprimaryfunctionofthedatachannelisdataexchange ,areliable
thereforeMUSTincludeacongestioncontrolmechanism. *
theseverelyconstrainednetworkconditionscausedbyattack *
thesignalingPathMaximumTransmissionUnit *
thisrequestasamitigationlifetimeextension *
thoseinterfacesneverthelessMUSTprovidesecurityequivalentto *
throughthesignalchannel.Reliablebulkdataexchangemaynot *
to-BackUserAgent *
toinflictthedesiredimpactontraffictoorfromtheDOTSclient *
tooperateovercongestedinboundlinks ,and,asdescribedin
tothisdocument.CodeComponentsextractedfromthisdocumentmust *
traffic.AdditionalmeanstoenhancetheresilienceofDOTS *
trafficpathtotheresourcesforwhichtheDOTSclientis *
traffictonetworksforwhichtheDOTSclientisauthorizedto *
transmissionguidelinesdiscussedinSection3.1.3of .
transport-ormessage-levelsecurity.Ifthetotalmessagesize *
transportcongestioncontrolsupport. *
transportimplementation *
transportintothedatamodel ,butinsteadrepresentthefieldsin
transportisrequiredinorderforDOTSagentstodetectdata *
transportlayer *
transports ,whendeployednaively,canbeasourceofnetwork
twoDOTSagentscouldbeimplementedwithinthesameprocess *
underextremelyhostilenetworkconditions ,providingcontinued
understandingoftheDOTSagents *
unidirectionalmessagingtoenablenotificationsbetweenDOTS *
unknown ,DOTSimplementationsMAYassumeaPMTUof576bytesfor
use-cases-17 ,January2019.
utilizingareliabletransportprotocolMUSTbeusedforbulkdata *
valid.Themethodofauthenticationisnotspecifiedinthis *
versionsMUSTrejectDOTSmessagescarryingmandatoryinformation *
whenthelifetimeelapses.DOTSserversalsoMUSTsupportrenewal *
whethertoasktheDOTSservertoceasemitigation. *
whichamitigationrequestistobesent.Themethodforselecting *
whichtheclientmayincludewhenestablishingthesignalchannel ,
whileemployingbestcurrentpracticestosecurenetwork *
whilemitigationisenabledduringanactiveattackagainsta *
whileserver-domainDOTSgatewaysdenoteDOTSgatewaysthatarein *
withdrawalofamitigationrequest.Duringthisperiod ,DOTS
withdrawalofsucharequest.ThedatamodelMUSTalsosupporta *
withrespecttoanycryptographicmechanismstoauthenticatethe *

peer5/RFCs/8585requirements_for_ipv6_customer_edge_routers.txt pypi

1.1.RequirementsLanguage *
1.1.RequirementsLanguage..................4 *
1.Introduction *
1.Introduction........................3 *
10-12KBsbecausemostofthecodebaseissharedamongseveral *
10.1.NormativeReferences *
10.1.NormativeReferences..................13 *
10.2.InformativeReferences *
10.2.InformativeReferences.................16 *
10.References *
10.References.........................13 *
17595MountHerrmannSt. *
2-3 ,Kanda
2.Terminology *
2.Terminology.........................5 *
2119KeyWords *
3.1.LAN-SideConfiguration *
3.1.LAN-SideConfiguration.................5 *
3.2.1.464XLAT *
3.2.1.464XLAT.......................7 *
3.2.2.Dual-StackLite *
3.2.3.Lightweight4over6 *
3.2.4.MAP-E *
3.2.4.MAP-E........................10 *
3.2.5.MAP-T *
3.2.5.MAP-T........................10 *
3.2.TransitionTechnologiesSupportforIPv4Service *
3.2.TransitionTechnologiesSupportforIPv4ServiceContinuity *
3.Requirements *
3.Requirements........................5 *
4.IPv4MulticastSupport *
4.IPv4MulticastSupport...................11 *
464XLAT isatechniquetoprovideIPv4serviceoveran
464XLAT-1 *
464XLAT-2 *
464XLAT-3 *
464XLAT-4 *
464XLAT-5 *
464XLAT-6 *
464XLATissupported ,itMUSTbeimplementedaccordingto
464XLATrequirements *
5.UPnPSupport *
5.UPnPSupport........................11 *
6.ComparisontoRFC7084 *
6.ComparisontoRFC7084...................12 *
7.CodeConsiderations *
7.CodeConsiderations.....................12 *
8.SecurityConsiderations *
8.SecurityConsiderations...................13 *
9.IANAConsiderations *
9.IANAConsiderations.....................13 *
Abstract *
AccessnetworkarchitectureforsecuringDHCPwithintheaccess *
Acknowledgements *
Acknowledgements........................21 *
AddressFamilyTransitionRouter *
AddressTranslation *
AllocationofSharedIPv4Addressesasdescribedin *
AnAddAnyPortMapping *
AnAddPortMapping *
Anend-usernetworkwilllikelysupportbothIPv4andIPv6 *
AnewLANrequirementisadded ,whichis,infact,commoninregular
AnotherconsequenceofusingIPv4privateaddressspaceintheend- *
AppendicesAandBcontainacompletedescriptionoftheusage *
AppendixA.UsageScenarios *
AppendixA.UsageScenarios..................17 *
AppendixB.End-UserNetworkArchitecture *
AppendixB.End-UserNetworkArchitecture...........18 *
AsdescribedintheSecurityConsiderationsof and
Atthetimeofthiswriting ,oneoftheapparentmainissuesfor
AtypicalIPv4end-usernetworkconsistsofa *
Authors *
Automaticprovisioningandconfigurationaredescribedforasingle *
Automaticprovisioningofmorecomplextopologythanasinglerouter *
BCP14 when,andonlywhen,theyappearinall
BCP152 ,RFC5625,DOI10.17487
Basedonthesepremises ,thisdocumentensuresthattheIPv6
Because464XLAThasnoDHCPv6configurationoptions ,itcan
Beijnum ,
Boucadair ,
CERouterMUSTfollowthefollowingconfigurationsteps *
CEisusedatdifferenttimesindifferentscenariosorevenwith *
CEroutersasdescribedinRFC7084toallowtheprovisioningofIPv6 *
CLIorAPI *
CONFIG-1 *
CONFIG-2 *
CONFIG-3 *
CPUs ,ifcomparedtothecostofNAT44code.Thus,existinghardware
Campbell ,SpencerDawkins,MirjaKuhlewind,andAdamRoach
Carpenter ,LorenzoColitti,AlejandroD
Category *
Ceccarelli *
Chiyoda-ku ,Tokyo101
Clients *
ClientstoIPv4Servers *
CombinationofStatefulandStatelessTranslation *
ConfigurationofSoftwireAddressandPort-Mapped *
Considerationsin aswellasthoseforeachtransition
Consideringthatsituationanddifferentpossibleusagecases ,the
Continuity *
ControlProtocol *
Copyright *
CopyrightNotice *
CustomerEdgeRouterthatprovidesfeaturesforthedeliveryofIPv4 *
D-LinkSystems ,Inc.
DHCPv6 *
DHCPv6-BasedPrioritizationMechanism *
DOI10.17487 *
DS-Lite enablescontinuedsupportforIPv4services.
DS-LiteenablesabroadbandserviceprovidertoshareIPv4addresses *
DS-Literequirements *
DSLITE-1 *
DSLITE-2 *
DSLITE-3 *
DSLITE-4 *
DanRomascanu *
Differentstudies *
Email *
Exhaustion *
ExistingIPv4deploymentssupportIPv4multicastforservicessuchas *
Farrer ,
Figure1 *
Figure2 *
Finally ,insomecases,operatorssupportingseveraltransition
FountainValley ,California92708
FromtheperspectiveofanIPv4userbehindanIPv6TransitionCE *
Function *
GatewayDevice-PortControlProtocolInterworking *
Generaltransitionrequirements *
HansM.-H.Liu *
Howard ,RichardPatterson,BarbaraStark,OleTroan,andJames
However ,inthecaseofIPv4aaS,becauseoftheusageofprivateIPv4
However ,whileatypicalIPv4NATdeployment,bydefault,blocksall
IESG *
IGD-PCPIWF ,andtheprioritizationofthetransition
IPTV.Inthetransitionphase ,itisexpectedthatmulticast
IPencapsulation.MAP-Eincludesanalgorithmicmechanismfor *
IPv4-in-IPv6encapsulation *
IPv4-onlyandIPv6-onlyapplicationsanddevices ,locatedintheLAN
IPv4-onlydevicesandapplicationsontheInternet. *
IPv4-onlyforanundeterminedperiodoftime ,IPv4servicecontinuity
IPv4aaS ,i.e.,transitiontechnologiesfordeliveringIPv4in
IPv4aaS. *
IPv4aaSmechanismlimitstheavailableports *
IPv4aaStransitionmechanismkeepsrunningtheNATinterfacetowards *
IPv4architecture. *
IPv6-onlyaccessnetworks.IPv4aaSisnecessarybecausetherearen *
IPv6-onlyaccessnetworkwithoutencapsulation.Thisarchitecture *
IPv6-onlynetworkforresidentialorsmallofficerouters *
IPv6CustomerEdge *
IPv6Prefixes *
IPv6SoftwireCustomerPremisesEquipment *
IPv6TransitionCERouterMUSTperformIPv4Network *
IPv6TransitionCERouterareabletoreachtheIPv4-onlyservices. *
IPv6TransitionCERouterattachmenttoanIPv6-onlylinkusedto *
IPv6TransitionCERouterdescribedinthisdocumentisexpectedto *
IPv6TransitionCERouteronly. *
IPv6TransitionCERouters ,andisrequiredbymostofthetransition
ISPs.Therefore ,thedevelopmentcostisnegligible,andonly
ISPshave ,orwanttohave,anIPv6
ISPthatprovidesIPv4-onlyoranISPthatprovidesIPv6with *
ISSN *
IftheIPv6TransitionCERoutersupportsdeliveryofIPv4multicast *
IftheUPnPWANIPConnection *
Informationaboutthecurrentstatusofthisdocument ,anyerrata,
Infrastructures *
Ingeneral ,theend
Ingeneral ,thenewrequirementsdon
Inordertoallowtheserviceprovidertodisableallthetransition *
InordertoseamlesslyprovideIPv4servicecontinuityinthe *
Internet-layer *
InternetEngineeringSteeringGroup *
InternetEngineeringTaskForce *
Internetaccess *
January2018 ,
Japan *
JordiPaletMartinez *
L-1 *
LANA *
LW4O6-1 *
LW4O6-2 *
LW4O6-3 *
LaNavata-Galapagar ,Madrid28420
M.Kawashima *
MAP-Eparameters.Suchmechanismsareoutsidethescopeof *
MAP-Erequirements *
MAP-EviatheMAP-EDHCPv6options .TheIPv6
MAP-T isamechanismsimilartoMAP
MAP-Tparameters.Suchmechanismsareoutsidethescopeof *
MAP-Trequirements *
MAP-TviatheMAP-TDHCPv6options .TheIPv6
MAPE-1 *
MAPE-2 *
MAPT-1 *
MAPT-2 *
MappedClients *
MappingofAddressandPortwithEncapsulation *
MasanobuKawashima *
May2019 *
MolinodelaNavata ,75
Moreadvancedrouterssupportdynamicrouting *
Moreover ,becausesomeservicesandserviceproviderswillremain
Murakami ,T.,andT.Taylor,Ed.,
NAT64 *
NECPlatforms ,Ltd.
NetworkA *
NetworkAddressTranslation *
NetworkC *
NetworkingControlProtocol *
Networks *
NotethatIGD *
NotethatthisdocumentonlyconfiguresIPv4aaSintheIPv6 *
OptionforDual-StackLite *
OptionforIPv4-EmbeddedMulticastandUnicastIPv6 *
OptionsforConfigurationofSoftwireAddressandPort- *
P.Selkirk ,
PLAT-sidetranslationIPv4andIPv6prefix *
PaletMartinez ,etal.Informational
PaletMartinez ,J.,
Play *
PlugandPlayInternetGatewayDevice *
PortControlProtocol *
PortwithEncapsulation *
Prefixes *
PrioritizationMechanism *
Protocol *
ProtocolInterworkingFunction *
ProtocolforIPv6 *
ProvisionsRelatingtoIETFDocuments *
RAMmemory ,norotherhardwarerequirementssuchasmorepowerful
RFC5969 ,DOI10.17487
RFC6334 ,DOI10.17487
RFC6877 ,DOI10.17487
RFC7050 ,DOI10.17487
RFC7341 ,DOI10.17487
RFC7618 ,DOI10.17487
RFC8415 ,DOI10.17487
RFC8585RequirementsforIPv6CEtoSupportIPv4aaSMay2019 *
RegardingDS-LITE ,thisdocumentincludesslightly
RequestforComments *
RequirementLevels *
RequirementsforIPv6CustomerEdgeRouters *
Richardson ,M.,Jiang,S.,Lemon,T.,andT.Winters,
Router ,thisdoesn
Router *
RouterMAYuseothermechanismstoconfigureDS-Lite *
RouterSHOULDimplement .IfPCP
RouterintendedfortheretailmarketMUSTsupportalltheIPv4aaS *
Routerisrequired ,atleastfromtheperspectiveoftransition
RoutersalreadyprovideaGUI ,CLI,orAPItomanuallyconfigure
SHOULDresultinasuccessfulmappingwithanalternative *
Section1andAppendixA *
ServicestoIPv4ClientsoveranIPv6MulticastNetwork *
Sinceitisimpossibletoknowpriortosalewhichtransition *
So ,tocoverallthoseevolvingsituations,anIPv6TransitionCE
SoftwireCustomerPremisesEquipment *
Spain *
Specifically ,thisdocumentextendsthebasicrequirementsforIPv6
StackLiteArchitecture *
StackLiteBroadbandDeploymentsFollowingIPv4 *
Standard *
StatusofThisMemo *
Synthesis *
TRANS-1 *
TRANS-2 *
TRANS-3 *
TableofContents *
ThankstoMikaelAbrahamsson ,FredBaker,MohamedBoucadair,Brian
TheIPv6Company *
TheIPv6TransitionCERouterMUSTcomplywith *
TheIPv6TransitionCERouterMUSTimplementDS-LiteB4functionality *
TheIPv6TransitionCERouterMUSTimplementlwB4functionality *
TheIPv6TransitionCERouterMUSTsupportMAP-ECEfunctionality *
TheIPv6TransitionCERouterMUSTsupportMAP-TCEfunctionality *
TheIPv6TransitionCERouterMUSTsupportcustomer-sidetranslator *
TheIPv6TransitionCERouterMUSTuseplainIPv6mode *
TheIPv6TransitionCERouterdescribedinthisdocumentisnot *
TheIPv6TransitionCERoutermaybemanuallyconfiguredinan *
TheIPv6TransitionCERoutermustcomplywiththeSecurity *
TheNAT64prefixcouldbediscoveredbymeansofthemethoddefined *
Theaboveisnotintendedtobeacomprehensivelistofallthe *
Theend-usernetworkisastubnetworkinthesensethatisnot *
ThefollowingIPv6TransitionCERouterrequirementsalsoapply. *
Thefollowingsubsectionsdescribetherequirementsforsupporting *
Thekeywords *
ThemaintargetofthisdocumentisthesupportofIPv6-onlyWAN *
Themechanismsforallowinginboundconnectionsarenaturally *
Theotherissueseemstobethecostofdevelopingthecodeforthose *
TherearesomedifferencesinhowIPv6worksandisprovisioned *
TheseroutersrelyuponrequirementsforIPv6CEroutersdefinedin *
ThesituationofongoingIPv6deploymentandalackofIPv4addresses *
Theterm *
Thisarchitecturedescribesthe *
ThisdocumentcoversasetofIPtransitiontechniquesrequiredwhen *
ThisdocumentdefinesIPv4servicecontinuityfeaturesoveran *
Thisdocumentdoesn *
ThisdocumenthasnoIANAactions. *
ThisdocumentisaproductoftheInternetEngineeringTaskForce *
ThisdocumentisnotanInternetStandardsTrackspecification *
Thisdocumentisnotarecommendationforserviceproviderstouse *
ThisdocumentissubjecttoBCP78andtheIETFTrust *
ThisdocumentspecifiestheIPv4servicecontinuitymechanismstobe *
ThisdocumentspecifiestheIPv4servicecontinuityrequirementsfor *
Thisdocumenttakesnopositiononsimultaneousoperationofoneor *
Thisdocumentusesthesametermsasin ,withminor
TransitionCERouter.ThisunderscorestheimportanceoftheIPv6 *
TransitionCERouterMAYuseothermechanismstoconfigure *
TransitionCERouterMUSTassume ,bydefault,thatthe
TransitionCERouterMUSTuseplainIPv6mode *
TransitionCERouterallowsthecontinuedtransitionfromnetworks *
TransitionCERouteritself *
TransitionCERouterrequirementsalsoapply. *
TransitionCERoutersfulfillingtherequirementsdefinedinthis *
Translation *
TranslationfromIPv6ClientstoIPv4Servers *
UPnP-gw-InternetGatewayDevice-v2-Device.pdf >.
UPnP-gw-WANIPConnection-v2-Service.pdf >.
UPnPForum ,
UnitedStatesofAmerica *
W. ,Bao,C.,Yeh,L.,andX.Deng,
Wang ,
WhoprovidestheIPv6TransitionCERouterisnotrelevant.Inmost *
Woodyattfortheirreviewandcommentsinthisand *
aboveusagesarealsopossible ,alongwithsituationswherethesame
access.ToenablelegacyIPv4functionality ,thisdocumentalso
accessandIPv4aaS ,thatmaynotbefeasibledependingonspecific
accessnetwork.TheseISPaccessnetworksaretypicallyreferredto *
actionMUSTberejectedwitherrorcode729 *
activation. *
addingthesupportforthenewtransitionmechanismsrequiresaround *
addressesandNATanddependingonthespecifictransitionmechanism ,
addressesarealwaysusableevenwhentheWANinterfaceisdownor *
addressestobecomeprohibitivelyexpensive.This ,inturn,may
allowsenabling *
amongcustomersbycombiningtwowell-knowntechnologies *
anIPv6-in-IPv4tunneling. *
and2 *
andT.Murakami ,
andWANinterfacesofanIPv6TransitionCERouter. *
andhowtoprovidefeedbackonitmaybeobtainedat *
andseveralvendorsalreadyhaveimplementationsandprovidedthemto *
andsmall *
anotherRouterbehindtheoriginalCE ,takescareofinbound
anyspecifictransitionmechanism. *
appendices ,alongwith
appropriatesubnettingandconfigurationoftheaddress *
approvedbytheIESGarecandidatesforanylevelofInternet *
arbitrarytopologywithadynamicroutingprotocolorHNCP .
architecture. *
as-a-Service *
asWideAreaNetworks *
asassignedbyPCPasperSection5.6.1of .
assumesaStatefulNAT64 functiondeployedattheservice
atleastontheWANside.Commonly ,theuserhasaccesstoconfigure
availabilityofnativeIPv4orIPv4aaSaretransparentforthe *
availableforeverypossiblecustomeranddevice ,whichcausesIPv4
availableinanyIPv6routerwhenusingIPv6GlobalUnicastAddresses *
baselinefortransitionfeaturestobeimplementedonsuchrouters. *
becauseofbusinessdecisions. *
bereliablyestimated. *
beusedinresidential *
bothIPv4-onlyandIPv6-onlydevicesinthecustomer-sideLANsofthe *
byusingDHCPv6-PD *
capitals ,asshownhere.
carefully ,astheydescribeyourrightsandrestrictionswithrespect
cases ,theserviceproviderisresponsibleforprovisioning
changetheirexistingnetworktopologywiththeintroductionofIPv6. *
checkforavalidmatchinOPTION_S46_PRIORITY ,which
clarifications. *
combinedwithadynamicroutingprotocol.Onceagain ,thisistrue
commercial *
commonsituationwhensufficientIPv4addressesarenolonger *
communicatewithIPv4-onlyservicesontheInternet. *
communications. *
complexnetworksusingmanualconfigurationofaddressprefixes *
connections.Therequirementsforthatsupportareoutofthescope *
continuitysupportfordevicesintheLANside.Thisensuresthat *
currentlybeincludedintheOPTION_S46_PRIORITY.Inthefuture ,an
customerLANs ,aswellasIPv4
customerLANsandallowautomatedIPv6transitionmechanism *
datacenters ,contentproviders,etc.Evenifthedocumented
defineadifferentsetoffeaturesfromthoseincludedinthis *
defined. *
deploymentisachangingsituation.Inasinglecountry ,notall
deprecatedbyOCF *
describedin *
describedintheSimplifiedBSDLicense. *
determinedthroughPCPoraccesstoaconfiguredportset *
device.However ,devicesorapplicationsinthecustomerLocalArea
devicesandapplicationsinthecustomernetworkscanstillreach *
devicesattachedtotheLANs. *
devicesattachedtotheLANs.Thus ,theWANconfigurationand
differentIPv4aaSesatdifferentserviceproviders. *
differentrequirementsrelatedtothesupportofPCP ,
disabledatthisstep. *
discovery *
document ,forexample,featuresthatsupportonlysomeofthe
document. *
documentauthors.Allrightsreserved. *
doesn *
eachoneofthetransitionmechanisms.AnIPv6TransitionCERouter *
enabledonaCErouter ,butcannotbeassociatedwithanIPv4
encapsulatedusingDS-Lite .
equivalent *
equivalentorbettercapabilitiesandfunctionalitythanthecurrent *
everycountryforeveryISP.Fordifferenttechnical ,financial,
follow *
followingIPv6TransitionCERouterrequirementsalsoapply. *
forIPv6PrefixDelegation *
foranAFTR *
forbothIPv4andIPv6. *
fornewtransitionmechanisms ,isthelackofspaceintheflash
foundbetweentheprioritylistandthecandidatelist ,
fromotherrouters *
functionfromtheDS-Litetunnelconcentratortothetunnelclient *
hostsbehindtheCE *
ifthecostsarenotdirectlycausedbysupportingthisdocumentbut *
ifthedefaultgatewayortheNAT64isthePCPserver. *
implement *
implemented ,lw4o6SHOULDbeimplementedaswell.Iflw4o6is
implemented ,theIPv6TransitionCERouterMUSTalso
implementedandaPCPserverisnotconfigured ,theIPv6
in onlyiftheserviceproviderusesDNS64
inboundconnectionstypicallyrequiresomedegreeofmorecomplex *
includeSimplifiedBSDLicensetextasdescribedinSection4.eof *
includesthesupportofIPv4-onlydevicesandapplicationsinthe *
incomingconnectionsandmayallowopeningofportsusingaUniversal *
indefinitely. *
inmanycases ,theusermustsupplyormayreplacetheIPv6
integrationandtestingcostmaybecomeanissue. *
intendedfortheretailmarketMUSTsupportallofthem. *
intendedforusageinotherscenarios ,suchaslargeenterprises,
interfaceestablishedbyanIPv4aaSmechanismorcannotdetermine *
isalsonotinscope.DHCPpacketsMUSTNOTbeforwardedbetweenLAN *
isconfigured ,theIPv6TransitionCERouterMAYverify
isnothappeningatthesamepaceineverycountryandevenwithin *
isrequired.Thus ,thereisaneedforCEstosupportIPv4aaS
it.Meanwhile ,ifanoperatorprovides464XLAT,itneedstoensure
itMUSTbeimplementedaccordingto .ThefollowingIPv6
ithasbeenconfirmedthatthereareseveralopen-sourceversionsof *
locatedintheIPv6TransitionCERouter ,removingtherequirement
lw4o6 specifiesanextensiontoDS
lw4o6requirements *
lw4o6viathelw4o6DHCPv6options *
manualconfiguration ,suchassettingupaDMZ,settingupvirtual
mappingbetweenIPv6andIPv4addresses. *
material *
maybethecasethattheserviceproviderdoesnotuseordoesnot *
meansofnewtransitionmechanisms.Thedocumentonlycovers *
mechanismadevicewillneedoveritslifetime ,anIPv6TransitionCE
mechanismfortransportingIPv4packetsacrossanIPv6networkusing *
mechanismimplementedbytheIPv6TransitionCERouter. *
mechanisms ,thismayrequiredifferentiatingmappings
mechanisms *
mechanisms ,includingdual
mechanismsand *
mechanismsareoutsidethescopeofthisdocument. *
mechanismsmayneedtoconsidertrainingcostsforstaffinallthe *
mechanismtotherelevantcustomers. *
moreadvancedrequirementsincludeinboundconnections *
network. *
networkisoutofscopeforthisdocument.SecuringDHCPintheLAN *
newfunctionalities.However ,atthetimeofwritingthisdocument,
newrequirements ,asdescribedinthefollowingsubsections.
oBasiccapabilitiesoftheIPv6TransitionCERouter *
oProvisioningoftheLANinterfaces *
oProvisioningoftheWANinterfaceconnectingtotheservice *
ofDS-LiteviatheDS-LiteDHCPv6option *
ofIPv6-onlyaccess ,privateIPv4addressesarealsoavailableifthe
ofSharedIPv4Addressesasdescribedin .
oftheoptiondefinedin .Thiscanalsobeusedifthe
ofthisdocument ,meanthatmaliciousnodesmayalterthepriorityof
ofthisdocument. *
onlyabout0.15 *
open-sourceimplementations *
operators *
operatorswillnecessarilyprovideIPv6support.Consumersmayalso *
orconfigurationinformationdifferencesfrom .
orsomeotherfirewallcontrolprotocol ,inthecaseofanIPv6
othermechanismstoconfigurelw4o6parameters.Such *
overanIPv6MulticastNetwork *
parameters.Suchmechanismsareoutsidethescopeofthis *
persistentvsnon-persistentandwhatsizetochoose *
pertainingtoaconfigurationasappliedbyavendorprior *
popularCEsalreadyinthemarket ,thenewrequiredcodeis
possibleusagecases ,justanoverview.Infact,combinationsofthe
prefix *
priorityoptionsdescribedin *
provideconnectivitytoaserviceprovidernetwork ,includinglink
provider *
providerorathird-partynetwork. *
providingtransittootherexternalnetworks.However ,HNCP
provisioning ,thefollowinggeneraltransitionrequirementsare
publicationofthisdocument.Pleasereviewthesedocuments *
publishedforinformationalpurposes. *
receivedpublicreviewandhasbeenapprovedforpublicationbythe *
regionalinsomecases.Figure1presentsasimplifiedviewofthis *
remoteIPv4-onlyservicescontinuetobeaccessible ,forboth
requeststotheserver. *
requirementsmeettheirneeds ,theymayhaveadditionalrequirements,
resultin *
resultinserviceprovidersprovisioningIPv6-onlyWANaccess.At *
routers.Figure2illustratesthemodeltopologyfortheend-user *
scenariosandend-usernetworkarchitecture ,respectively.These
scopeofthisdocument. *
server.Theterm *
servers ,orsettingupport
serviceprovidernetwork. *
serviceproviderorbyvendorswhosellthroughtheretailmarket. *
serviceproviderusesDNS64 .
services ,thenitMUSTsupport
servicesoveranIPv6-onlyWANnetwork ,includingIPv6
serviceswillstillbeprovidedusingIPv4tothecustomerLANs. *
severaltransitionmechanismsand *
shouldbeabletosupportallofthemwithminimalimpact. *
sidebehindanIPv6TransitionCERouterconnectedtoanIPv6-only *
singledataplaneiscommontoallofthem ,whichtypicallymeans,in
solution. *
somemanualconfiguration. *
spaceamongseveralinterfaces.Insometransition *
subnet ,theIPv6TransitionCERouterMUSTallow
sufficientIPv4addressesavailableforeverypossiblecustomer *
support. *
supported ,itMUSTbeimplementedaccordingto
supportedbyanIPv6TransitionCERouterandrelevantprovisioning *
supportedtransitionmechanisms ,whichMUSTremain
supportedtransitionmechanisms. *
switchISPsandusethesameIPv6TransitionCERouterwitheitheran *
techniquesfortheoperationandmanagementofthesemechanisms ,even
technologiesfordeliveringIPv4inIPv6-onlyconnectivity. *
thatDS-LitetrafficisforwardedovertheIPv6TransitionCE *
thatMAP-TusesIPv4-IPv6translation ,insteadofencapsulation,as
thatOPTION_S46_PRIORITYisnotsentforanyothertransition *
thatspecifyfeaturesetsfortheIPv6TransitionCERoutermay *
thattodaymayprovideaccesswithdual-stackorIPv6-in-IPv4 *
theIPv6PrefixUsedforIPv6AddressSynthesis *
theLANinterfaces ,firewall,DMZ,andmanyotherfeatures.However,
theLANsidewhentheWANinterfaceisdown. *
thePortControlProtocol *
theTrustLegalProvisionsandareprovidedwithoutwarrantyas *
theamountofcentralizedstate. *
thecustomeredgerouterhasnotyetbeenprovisioned.Inthecase *
theformofIPv6domaintransport. *
them ,orprovidethepossibilitytosetuptheCEinbridgemode,so
therequiredcodeforsupportingallthenewtransitionmechanisms ,
thesametime ,theyneedtoensurethatbothIPv4
thesedifferenceshaveimplicationsforthenetworkarchitecture. *
theserviceprovidermayopttoconfiguretheNAT64prefixbymeans *
thetransitionmechanisms. *
thisdocument. *
toSupportIPv4-as-a-Service *
toas *
totheadministratorchangingitforitsinitial *
tothisdocument.CodeComponentsextractedfromthisdocumentmust *
transitioningattheirownpace *
transitionmechanismdetails.PCP maybeanalternative
transitionmechanisms ,whicharealreadysupportedby
transitionmechanismsenumeratedinthisdocument. *
transitionmechanismslistedinthisdocument.Serviceproviders *
transitionservicesforthesupportofIPv4-as-a-Service *
translationsonaper-interfacebasis. *
translator *
trustDNS64 becausetheDNSconfigurationattheCE
tunnel. *
tunnels. *
understandingofthisdocument. *
unlessaNAT64 prefixhasbeenconfigured,in
updateof oraNAT64DHCPv6configurationoptionmayenable
upnp-resources *
usedbyanupstreamPCP-controlledNAT64device. *
useoneortheotherMUSTfollowthisorder *
usernetworkisthatitprovidesstableaddressing *
usingtheCLAT. *
vendorswithregardtoincludingnewfunctionalities ,suchassupport
versionsofthisdocument.ThanksalsofortheLastCallreviewsby *
web ,DNS,email,VPN,etc.
whichareoutofthescopeofthisdocument. *
whichcase ,464XLAT
whichportsareavailable ,anAddPortMapping
withIPv4aaS. *
withNATfunctionalityandasinglelinkupstream ,connectedtothe
withmultipleLANinterfacesmaybehandledbymeansoftheHome *

peer6/RFCs/8612ddos_open_threat_signaling_dots_requirements.txt pypi

1.1.ContextandMotivation *
1.1.ContextandMotivation.................2 *
1.2.Terminology *
1.2.Terminology.......................3 *
1.Introduction *
1.Introduction........................2 *
2.1.GeneralRequirements *
2.1.GeneralRequirements..................7 *
2.2.SignalChannelRequirements *
2.2.SignalChannelRequirements...............8 *
2.3.DataChannelRequirements *
2.3.DataChannelRequirements................13 *
2.4.SecurityRequirements *
2.4.SecurityRequirements..................14 *
2.5.DataModelRequirements *
2.5.DataModelRequirements.................16 *
2.Requirements *
2.Requirements........................5 *
2119KeyWords *
2727S.StateSt. *
3.1.SignalChannel *
3.1.SignalChannel.....................17 *
3.2.DataChannel *
3.2.DataChannel......................17 *
3.CongestionControlConsiderations *
3.CongestionControlConsiderations..............17 *
4.SecurityConsiderations *
4.SecurityConsiderations...................17 *
5.IANAConsiderations *
5.IANAConsiderations.....................18 *
6.1.NormativeReferences *
6.1.NormativeReferences..................18 *
6.2.InformativeReferences *
6.2.InformativeReferences.................20 *
6.References *
6.References.........................18 *
A. ,andH.Ashida,
A. ,Peterson,J.,Sparks,R.,Handley,M.,andE.
ADOTSclientMAYwithdrawamitigationrequestatanytime *
ADOTSclientmayobtainthemitigationscopethroughdirect *
Abstract *
Accept-list *
Acknowledgments *
Acknowledgments.........................21 *
AdditionalDOTSsecurityconsiderationsmaybefoundin *
AddressTextRepresentation *
AndrewMortensen *
AnnArbor ,MI48104
ArborNetworks *
Architecture *
Asanactiveattackevolves ,DOTSclientsMUSTbeabletoadjust
AspartofaprotocolexpectedtooperateoverlinksaffectedbyDDoS *
AsspecifiedinDATA-001 ,thedatachannelrequiresreliable,in
Astandardizedmethodtocoordinateareal-timeresponseamong *
AstheresiliencerequirementsfortheDOTSsignalchannelmandate *
Authors *
Awell-structuredDOTSdatamodeliscriticaltothedevelopmentof *
BCP14 when,andonlywhen,theyappearinall
Bangalore ,Karnataka560071
BlockingcommunicationbetweenDOTSagentshasthepotentialto *
Bonica ,R.,Baker,F.,Huston,G.,Hinden,R.,Troan,O.,
Category *
CiscoSystems ,Inc.
CommunicationLayers *
Contributors *
Contributors..........................21 *
Copyright *
CopyrightNotice *
Countermeasure *
DATA-001Reliabletransport *
DATA-003ResourceConfiguration *
DATA-004PolicyManagement *
DDoS *
DDoSOpenThreatSignaling *
DDoSattackcausingnetworkcongestion. *
DDoSattacktarget *
DDoSattacktelemetry *
DM-001Structure *
DM-002Versioning *
DM-003MitigationStatusRepresentation *
DM-004MitigationScopeRepresentation *
DM-005MitigationLifetimeRepresentation *
DM-006MitigationEfficacyRepresentation *
DM-007AcceptableSignalLossRepresentation *
DM-008HeartbeatIntervalRepresentation *
DM-009RelationshiptoTransport *
DOI10.17487 *
DOTSagent *
DOTSagentsMUSTassumeaPMTUof1280bytes ,asIPv6requires
DOTSagentsMUSTsupportmitigationscopealiases ,allowingDOTS
DOTSagentsbeingcompromised. *
DOTSagentscanalsosignificantlyaugmentattackresponse *
DOTSagentscanattempttolearnPMTUusingtheprocedures *
DOTSclient *
DOTSclientandmodifyingthembeforetransmissiontotheDOTSserver *
DOTSclientforupstreamDOTSservers.Client-domainDOTS *
DOTSclientintoasingleDOTSagent.Thisfunctionalityis *
DOTSclientisnotauthorizedtomanage. *
DOTSclients ,whileserver
DOTSclientsMAYtakethesemetricsintoaccountwhendetermining *
DOTSclientsMUSTbeabletotransmitametricofperceived *
DOTSclientsMUSTincludeamitigationlifetimeinallmitigation *
DOTSclientsshouldsimilarlybeabletowithdrawaidrequests.DOTS *
DOTSclientsthatpertaintomitigation ,configuration,filtering,
DOTSclientstomanagedrop-andaccept-listsoftrafficdestined *
DOTSclientwithinaDOTSgatewayareimplementation-specific ,
DOTSgateway *
DOTSmustoperatewithinaparticularlystrictsecuritycontext ,as
DOTSprotocolimplementationsfacecompetingoperationalgoalswhen *
DOTSprotocols. *
DOTSprotocolsMUSTbeencryptedusingsecuretransports *
DOTSprotocolsdesign. *
DOTSserver *
DOTSserverMUSTbelongtothesameadministrativedomain. *
DOTSserverdoesnotgrantamitigationrequestwithanindefinite *
DOTSserversMUSTbeabletoresolvedomainnamesand *
DOTSserversMUSTregularlysendmitigationstatusupdatesto *
DOTSserversMUSTrejectmitigationrequestswithscopesthatthe *
DOTSserversMUSTtreatamitigationterminatedduetolifetime *
DOTSserversSHOULDsupportindefinitemitigationlifetimes ,
DOTSsignal *
DTLS *
Datachannel *
DaveDolson *
Denial-of-ServiceConsiderations *
Denial-of-serviceconsiderationsarediscussedindetailin *
DistributedDenial-of-Service *
Dobbins ,R.,Migault,D.,Fouant,S.,Moskowitz,R.,
Drop-list *
Duetotheincreasedlikelihoodofpacketlosscausedbylink *
Email *
EmbassyGolfLinkBusinessPark *
FYI36 ,RFC4949,DOI10.17487
Filter *
Finally ,DOTSshouldbesufficientlyextensibletomeetfutureneeds
Firewallbindingsdonotexpire ,byusingthekeep
Firewallbindingstoavoidcryptographichandshakefornew *
FlemmingAndreasen *
Followingmutualauthentication ,asignalchannelMUSTbe
Forexample ,aDOTSclientshouldbeabletocreateadrop
GEN-001Extensibility *
GEN-002ResilienceandRobustness *
GEN-003BulkDataExchange *
GEN-004MitigationHinting *
GEN-005LoopHandling *
Guidelines *
Heartbeat *
HowaDOTSserverauthorizesDOTSclientmanagementofdrop-and *
Huawei *
IPv4datagrams ,aseveryIPv4hostmustbecapableofreceivinga
ISSN *
IfUDPisusedasthetransportfortheDOTSsignalchannel ,all
Ifthereisadditionalinformationavailablenarrowingthescope *
ImpersonationofeitheraDOTSserveroraDOTSclientcouldhave *
India *
Informationaboutthecurrentstatusofthisdocument ,anyerrata,
InitiationProtocol *
InorderforDOTSprotocolstoremainsecuredespiteadvancements *
InternetEngineeringSteeringGroup *
InternetEngineeringTaskForce *
Likewise ,DOTSserversMUSTrefusetoallowcreation,
MAYexposeadditionalconfigurability.Additionalconfigurability *
MUSTallowreferencestodescribetheoveralldatamodel *
MUSTbedeliveredreliablyintheordersent. *
MUSTregularlysendheartbeatstoeachotherwhileamitigation *
MUSTsupportthefollowingrequiredscopetypes *
MUSTthereforebecapableoftraversingNATs. *
May2019 *
McAfee *
Mitigation *
Mitigationmethodologyisoutofscopeforthisdocument. *
Mitigator *
MohamedBoucadair *
Mortensen ,etal.Informational
Mortensen ,A.,Ed.,Reddy,T.,Ed.,Andreasen,F.,Teague,
MultihomedDOTSclient *
N. ,andR.Compton,
NATs *
OakPark ,MI42837
OpenThreatSignaling *
OperatorsofpeerDOTS-enableddomainsmayenableeitherquality-of- *
Orange *
Plan *
ProvisionsRelatingtoIETFDocuments *
R.Moskowitz *
RFC3986 ,DOI10.17487
RFC7092 ,DOI10.17487
RFC793 ,DOI10.17487
RFC8612DOTSRequirementsMay2019 *
ReachabilityinformationofpeerDOTSagentsisprovisionedtoaDOTS *
RequestforComments *
RequirementLevels *
ResourceIdentifier *
Retana ,SureshKrishnan,BenCampbell,MirjaKuehlewind,andJon
RobertMoskowitz *
RobertSparks ,BrianWeis,BenjaminKaduk,EricRescorla,Alvaro
S. ,andK.Naito,
SEC-001PeerMutualAuthentication *
SEC-002MessageConfidentiality ,Integrity,andAuthenticity
SEC-003DataPrivacyandIntegrity *
SEC-004MessageReplayProtection *
SEC-005Authorization *
SIG-001UseofCommonTransportProtocols *
SIG-002Sub-MTUMessageSize *
SIG-003Bidirectionality *
SIG-004ChannelHealthMonitoring *
SIG-005ChannelRedirection *
SIG-006MitigationRequestsandStatus *
SIG-007MitigationLifetime *
SIG-008MitigationScope *
SIG-009MitigationEfficacy *
SIG-010ConflictDetectionandNotification *
SIG-011NetworkAddressTranslatorTraversal *
Sandvine *
Schooler ,
Section2.2 ,thesignalchannelprotocolmustbedesignedforminimal
Security *
Service *
Shallowfortheircarefulreadingandfeedback. *
Signalchannel *
SignalchannelimplementationsusinganIETFstandardcongestion- *
Similarly ,animpersonatedDOTSservermaybeabletoactasasort
Standard *
StatusofThisMemo *
TableofContents *
Teague ,N.,Xia,L.,andK.Nishizuka,
ThankstoRomanDanyliw ,MattRichardson,JoeTouch,ScottBradner,
TheDOTSprotocolmust ,ataminimum,makeitpossibleforaDOTS
TheDOTSserverandclientmustalsohavesomestandardizedmethodof *
Thedatachannelisintendedtobeusedforbulkdataexchanges *
Thedatachannelisnotexpectedtooperateinsuchconditions. *
ThedatachannelprovidesaprotocolforDOTSconfigurationand *
TheexpectedlayoutandinteractionsamongstDOTSentitiesis *
ThefollowingmitigationscopetypeisOPTIONAL *
ThegoalofDOTSprotocolsistoenableandmanagemitigationon *
ThegoaloftheDOTSrequirementsspecificationistospecifythe *
Theinitialactive-but-terminatingperiodisbothimplementation- *
Thekeywords *
Themodesofauthorizationareimplementation-specific. *
TheprevalenceandimpactoftheseDDoSattackshasledtoan *
Thereasonsthemselvesareoutofscopeforthisdocument.Ifthe *
Thesecapitalizedwordsareusedtosignifytherequirementsforthe *
ThisdefensecouldbecoordinatedbyaDOTSserverandinclude *
Thisdocumentadoptsthefollowingterms *
ThisdocumentdefinestherequirementsfortheDistributedDenial-of- *
ThisdocumenthasnoIANAactions. *
Thisdocumentinformsfutureprotocolsunderdevelopmentandsodoes *
ThisdocumentisaproductoftheInternetEngineeringTaskForce *
ThisdocumentisnotanInternetStandardsTrackspecification *
ThisdocumentissubjecttoBCP78andtheIETFTrust *
ThreatSignaling *
TirumaleswarReddy *
Today ,theseservicesofferproprietaryinterfacesforsubscribersto
TodetectcompromisedDOTSagents ,DOTSoperatorsshouldcarefully
Todetectmisuse ,asdetailedinSection2.4,DOTSimplementations
ToprotectagainstrouteorDNSflappingcausedbyaclient *
Tosupportscenariosinwhichlossofheartbeatisusedtotrigger *
Translation *
TransmissionControlProtocol *
UDP *
UnitedStatesofAmerica *
WhenDOTSclient-requestedmitigationisactive ,DOTSserver
Whennoattacktrafficispresent ,thesignalchannelMUSTbe
WhileconnectionlesstransportsuchastheUserDatagramProtocol *
WhiletheinterfacesbetweendownstreamDOTSserverandupstream *
Withinthesignalchannel ,messagesMUSTbeuniquelyidentified
aDDoSattack.Potentialtargetsinclude *
abletorepresenttheDOTSagent *
absence. *
absorblatencyincurredbyroutepropagation.IfaDOTSclient *
abuse ,enablingorsupplementingtheveryattacksDOTSpurportsto
accept-listedsourceaddresses ,addressorprefixgroupaliasing,
accept-listentriesisimplementation-specific. *
accept-listentry ,retrievealistofcurrententriesfromeither
actioninanticipationoforinresponsetoanattack ,butitdoes
active-but-terminatingperiodelapses ,theDOTSserverMUSTtreat
activeDOTSclienthasnotrequestedmitigation ,inorderto
activeorexpectedDDoSattacks.TheDOTSsignalchannelisexpected *
additionalattackdetails.DOTSserversMAYignoresuch *
addressestowhichthedomainnameorURIresolverepresentthe *
administrativedomainattemptingtohonorconflictingrequestsmay *
affectpolicyonthenetworkpathtotheDOTSclient *
agent *
agentimpersonationandsignalblockingarediscussedhere. *
agents. *
allowingclientstoextendmitigationasnecessaryforthe *
analogoustoaSessionInitiationProtocol *
and .
andDOTSprotocoldocuments. *
andF.Gont ,
anddeployment-specific ,butSHOULDbesufficientlylongenoughto
andfilteringoutspecifictypesofDDoSattacktrafficwhile *
andforwardonlythelatter. *
andhowtoprovidefeedbackonitmaybeobtainedat *
andincludinginstantiationofdrop-listsblockingallinbound *
andthenewprefixgroupalias ,oranerrorstatusandmessageinthe
aninsufficientlyprotectedsignalordatachannelmaybesubjectto *
anyassumptionsaboutspecificcharacteristicsofanygiven *
applytoDOTS.Regardlessoftransport ,DOTSprotocolsMUST
approvedbytheIESGarecandidatesforanylevelofInternet *
arediscussedin ,andtheDOTSarchitectureisdiscussed
arerequestedofitareoutofscopeforthisdocument.The *
asdescribedinSIG-003. *
asmallsignalmessagesize ,aseparate,securedatachannel
asnecessarythescopeofrequestedmitigationbyrefiningthe *
aspartofnewerprotocolversions. *
assumedtobelongtothesameadministrativeentity. *
attack ,usingfeedbackfromthemitigatorandotheravailable
attack ,wherecountermeasureenforcementismanagedbyanentity
attack.DOTS-serverhandlingofmitigationhintsis *
attackdetailsmightincludelocallycollectedfingerprintsforan *
attackmitigationandreducetheimpactoftheseattacks.This *
attackmitigationsolutionsthemselves ,orareconstrainedbylocal
attackresponsecoordinationwithotherDOTS-awareelements. *
attackresponsesmaybefragmentedorotherwiseincomplete ,leaving
attacktraffic ,theDOTSsignalchannelMUSTNOTcontribute
attemptingtoparticipateinattackresponsewiththeDOTS *
authenticatedsignalchannelbetweenDOTSagents ,usedtoindicate
authentication.Client-domainDOTSgatewaysaremoretrustedthan *
authentication.WhenDOTSagentsareexchangingheartbeatsandno *
authorizedDOTSclientsthathaverequestedandbeengranted *
bandwidthlimitations.Toaddresssuchgaps ,serviceprovidershave
basedonotherthreatintelligence.DOTSclientsMAYsend *
beabletorequestscopedmitigationfromDOTSservers.DOTS *
bedescribedbyasinglemoduleorbedividedintorelated *
beguntoofferon-demandtrafficscrubbingservices ,whichare
behalfofanetworkdomainorresourcethatisormaybecomethe *
behalfoftheDOTSclient ,ifrequested,bycommunicatingtheDOTS
bestpractices forencryptionandmessage
betweenDOTSagents.Unlikethesignalchannel ,thedatachannelis
betweenpeerDOTSagents. *
bidirectional ,withclientandservertransmittingsignalstoeach
bulkexchangeofdatanoteasilyorappropriatelycommunicated *
businessorservice-levelagreements ,arealreadycomplete.
but-terminatingperiod ,asdescribedaboveinSIG
butMUSTcontinuetosendheartbeatsonthecurrentsessionso *
butterminating.DOTSclientsMAYreversethemitigation *
byanopaqueidentifiercreatedthroughthedatachannel ,direct
byteoverheadofanyencapsulation ,transportheaders,and
bytheprotocol ,suchasDTLSsessionresumption,butMUSTbe
capitals ,asshownhere.
carefully ,astheydescribeyourrightsandrestrictionswithrespect
catastrophicimpactonoperationsineitherdomain.Ifanattacker *
channel ,asthedatachannelmaynotbefunctionalduringan
channel ,usedasakeep
channelbetweentwoDOTSagentsusedforinfrequentbutreliable *
channelimplementationsshouldbepreparedtodetectandterminate *
channelprotocol ,duetothehigherlikelihoodofpacketloss
channelrequirementsinSections2.1and2.2 ,DOTSserver
characteristics ,DOTSagentsneedtoensureitson
characteristics.AbsentinformationabouttheNAT *
characteristicsdefiningthenatureofaDDoSattack. *
characteristicssuchassmallmessagesize ,asynchronous
client *
client-facingside ,whichbehavesasaDOTSserverfordownstream
clientheartbeatsasanindicationthesignalchannelis *
clients ,andaserver
clients.DOTSserversinasingleadministrativedomainSHALL *
clientsMAYattempttoestablishanewsignalchannelsession *
clientsMUSTNOTassumetheredirectiontargetDOTSservershares *
clientsandserverstorefertocollectionsofprotectedresources *
clientsmustbeabletoselecttheappropriateDOTSserver *
clienttorequestaidmountingadefenseagainstasuspectedattack. *
clientusingavarietyofmanualordynamicmethods.Oncea *
collectionofprefixesitwantstorefertobyaliaswhenrequesting *
collectionsofhierarchicalmodulesandsubmodules.Ifthedata *
common ,widelydeployedandstandardizedtransportprotocols.
communicatewithDOTSserversthroughtheNAT.DOTSprotocols *
communicationbetweenDOTSagentstoloop.Signalanddata *
communicationbetweenDOTSclientsandserversenablesacommon *
communicationchannelbetweenDOTSagents.Indeed ,establishinga
communicationchannelbetweenDOTSagentsthatisresilienteven *
communicationstoreduceattacksurface. *
compatible.ImplementationsofolderprotocolversionsMUST *
configuration ,orothermeans.DomainnameandURImitigation
configurations. *
configuredlocally.ThatvalueMUSTbereturnedinareplytothe *
conflictingmitigationrequest. *
congestedlink ,signalingprotocolmessagesizeMUSTbekeptunder
congestion ,asdiscussedin
congestionduringanattack ,DOTSserversSHOULDNOTredirect
connectedtotheInternet ,plaguingnetworkoperatorsatservice
consecutivemissedheartbeatmessages ,retransmissioncount,or
consequentlydecreasedprobabilityofmessagedeliveryovera *
considerationsin *
consideredactiveuntilaDOTSagentexplicitlyendsthesession. *
consideredactiveuntileitherDOTSagentfailstoreceive *
contactbetweenDOTSagentsevenasattacktrafficsaturatesthe *
continuetoincrease. *
contributetotherobustnessdemandedbyaviableDOTSprotocol. *
controlledbyasingleadministrativeentitymaysendconflicting *
controlledtransportprotocol *
controllingtheDOTSclientneednotbepresentbeforeestablishinga *
controlload. *
coordinatedresponsetoDDoSattacks. *
coordination ,permittingsuchtasksaspopulationofdrop
couldbesplitintomultiplelistsandeachlistconveyedinanew *
countermeasurescanbelayeredtodefendagainstattackscombining *
datatransfertoreducetheincidenceofsignalloss. *
ddolson *
decisionislocaltotheDOTSclients *
definingthescopeofanymitigation ,aswellasmanagingother
defunct. *
deliverysuccessorfailure. *
deployedbehindaNetworkAddressTranslator *
describedintheDOTSArchitecture .
describedintheSimplifiedBSDLicense. *
designedtomaximizetheprobabilityofsignaldeliveryevenunder *
designedtoseparatetheDDoSattacktrafficfromlegitimatetraffic *
destinedforthetargetortargetsofadetectedorreportedDDoS *
detailsthatcanbeusedtoinformmitigationtechniques.Example *
detectionandprevention. *
detectsuchconflictingrequestsandSHALLnotifytheDOTSclients *
discarded.UniquemitigationrequestsMUSTbeprocessedatmost *
discovery.DOTSclientsMUSTsupportatleastonemechanismto *
discreteDOTSclientconnectionsandmayaggregatetheseintoone *
discussedin .IfthePMTUcannotbediscovered,
discussedinSection3.5of .
disruptingorinfluencingthenetworkpolicyofthereceivingDOTS *
disruptthecorefunctionofDOTS ,whichistorequestmitigationof
documentauthors.Allrightsreserved. *
documentbutshouldfollowcurrentIETFbestpractices *
documentdescribestherequiredcharacteristicsofprotocolsthat *
domain.Amongotherthings ,thismaliciousDOTSgatewaymight
draft-ietf-dots-architecture-13 ,April2019.
durationofanattack. *
duringaDDoSattack ,DOTSserversneedtosendthemitigation
duringactivemitigationarediscussedbelow *
duringvolumetricattack ,DOTSagentsSHOULDavoidsignalchannel
eachotherbeforeaDOTSsignalordatachannelisconsidered *
efficacymetrictoadjustcountermeasuresactivatedonamitigator *
efficacyofamitigationenabledthroughamitigationrequest. *
elapses ,theDOTSserverMAYincreasetheactive
enableattackresponsecoordinationandmitigationofDDoSattacks. *
enablingarchitecturesinwhichthemitigatorisalwaysinthe *
ensuringnorequestedmitigationiseverapplied. *
enterpriseslacktheresourcesorexpertisetooperateon-premise *
entitiesparticipatinginDOTSmaydetailwhatdatamaybe *
error ,orcompromisedDOTSclients.DOTSserversinthesame
eventtheDOTSclient *
exceedsthePMTU ,theDOTSagentMUSTsplitthemessageinto
exceptioncircumstancestoterminatingthesignalchannelsession *
exchange.However ,reliablebulkdataexchangemaynotbe
exchangeofincidentreports ,andotherhintingorconfiguration
expirationexactlyasiftheDOTSclientoriginatingthe *
failuresandtheircauses. *
fandreas *
feedbacktotherequestingDOTSclient. *
flapnetworkrouteorDNSinformation ,degradingthenetworks
flexibilityandscalability ,DOTSserversSHOULDbeableto
flows.Thefilterwilltypicallyhaveapolicyassociatedwith *
focusofaDDoSattack.AnactiveDDoSattackagainsttheentity *
followestablishedbestcommonpracticesestablishedinBCP127 *
forNATtraversal .
foralimitedperiodafteracknowledgingaDOTSclient *
foranegotiatedtimeintervalandMUSTterminateamitigation *
forresourcesbelongingtoaclient. *
freetoattemptabbreviatedsecuritynegotiationmethodssupported *
frombecomingadditionalvectorsfortheveryattacksitismeantto *
fromcapturingandreplayingoldmessages ,andtherebypotentially
fullscopeofthemitigation. *
functionwelloratallduringattackscausingnetworkcongestion. *
futureattacks ,asallinteractionssettingupDOTS,includingany
gatewaysareDOTSgatewaysthatareintheDOTSclient *
grantedmitigationswithindefinitelifetimes.DOTSserversMAY *
greaterasspecifiedin .IfIPv4supportonlegacyor
hand ,DOTSmustincludemeasurestoensuremessageconfidentiality,
handlemiddle-boxesandfirewalltraversal. *
hastheabilitytoimpersonateaDOTSclient ,thatattackercan
havedifferentapplicationandtransport-layerrequirements.This *
health.Thesekeep-alivesservetomaintainanyon-pathNATor *
heartbeatsfromtheotherpeerafteramutuallyagreedupon *
helpfightoff.Ontheotherhand ,theprotocolmustberesilient
hints.MitigationhintsMUSTbetransmittedacrossthesignal *
identifiers ,asdescribedinSIG
ignoreoptionalinformationaddedtoDOTSmessagesaspartof *
impersonationmoredifficult.However ,impersonationmaystillbe
implementation-specific. *
implementations ,datamodelsMUSTbeversioned.Howtheprotocols
implementationsMUSTprovideaninterfacetoconfigureresource *
implementationsusingsuchconnectionlesstransports ,suchasUDP,
in .
inProgress ,draft
inaDOTSsignalordatachannel.ItcanbeaDOTSclient ,DOTS
inadetectedattack. *
inclientmitigationrequests.DOTSclientsMAYalsoinclude *
includeSimplifiedBSDLicensetextasdescribedinSection4.eof *
includingmitigationswithnospecifiedendtime. *
inconditionsleadingtoseverepacketlosssuchasavolumetric *
inconflict.ThenotificationMUSTindicatethenatureandscope *
incoordinatedattackdefense ,althoughthisconsiderationis
increasedfocusoncoordinatedattackresponse.However ,many
incryptanalysisandtrafficanalysis ,DOTSagentsMUSTsupport
informationleaksormalicioustransactionsonbehalfofthe *
informationorinstructionsfromtheremoteDOTSagent.Theft ,
inscopeforthisdocument. *
integrity ,andauthenticityofmessagessentbetweenclientand
integrity ,authenticity,andreplayprotectiontokeeptheprotocols
inthenetworkpathbetweenattacksourcesandtheattacktarget. *
involvedoperatorswillincreasethespeedandeffectivenessofDDoS *
isimplementation-specific. *
it ,e.g.,rate
link.Suchresiliencymaybedevelopedseveralways ,but
list ,updatethecontentofeitherlist,anddeleteentriesas
listswhentheDOTSclientisunauthorized. *
logicalconcatenationofthefunctionalityofaDOTSserveranda *
lossmightinclude ,butarenotrestrictedto,numberof
maintainanactivesignalchannel ,andtoincreasetheprobability
maintainingthisbidirectionalcommunicationstream.Ontheone *
management.Forexample ,aDOTSclientmaysubmittoaDOTSservera
meansbywhichthisentityperformsthesemitigationsandhowthey *
message. *
messagesfromDOTSclients.TheDOTSserverenablesmitigationon *
misconfigurationofDNSorroutingpolicy ,itmaybepossiblefor
mitigate. *
mitigation ,theDOTSserverMUSTincludeareasonforthe
mitigation ,towhichtheserverwouldrespondwithasuccessstatus
mitigation ,andtokeepthechannelactive,DOTSserversMUST
mitigation-relatedconfigurations. *
mitigation.Asaresultofsignalinginterfaceincompatibility ,
mitigation.Ifunreliabletransportisusedforthesignal *
mitigation.ThebidirectionalsignalchannelMUSTsupport *
mitigationcouldbenegotiablebasedonNAT *
mitigationefficacytotheDOTSserver.DOTSserversMAYusethe *
mitigationhadaskedtoendthemitigation ,includingtheactive
mitigationhintsderivedfromattackdetailstoDOTSservers ,with
mitigationlifetime ,itMUSTsetthelifetimetoavaluethatis
mitigationrequestforthesamescope.TheDOTSserverMUSTtreat *
mitigationrequestisactive ,eitheragentMAYrequestchangesto
mitigationrequests.Theheartbeatintervalduringactive *
mitigationrequestsasaresultofmisconfiguration ,operator
mitigationscope. *
mitigationscope.Thescopetypewillvarydependingonthe *
mitigator. *
mitigatorandDOTSserverreceivingamitigationrequestare *
modelstructureissplitacrossmodules ,thosedistinctmodules
modification ,ordeletionofscopealiasesanddrop
modification ,orreplayofmessagetransmissionscouldleadto
mohamed.boucadair *
monitorandauditDOTSagentstodetectmisbehavioranddetermisuse *
multipleDDoSattacktypes. *
multipleDOTSservers ,eachinaseparateadministrativedomain.
necessarilysupersededbytheotheroperationalrequirements. *
necessary. *
necessaryduetonetworkpolicyormiddleboxcapabilitiesor *
network.DDoSattacksareintendedtocauseanegativeimpacton *
networkelements ,networklinks,servers,andservices.
newerprotocolversions.Implementationsofolderprotocol *
newsessionissuccessfullyestablished ,theDOTSclientcan
nordoDOTSclientsneedtojustifywithdrawinghelprequests *
notdictatetheimplementationoftheseactions.TheDOTSusecases *
notexpectedtobeconstructedtodealwithattackconditions.As *
nothavesecurityconsiderationsofitsown.However ,operators
notifications ,redundantmessagedelivery,andminimalconnection
obtainmitigationscope. *
of-lineblocking.TheserequirementsareatSHOULDstrengthto *
ofDOTSMUSTbeextensibleinordertokeepDOTSadaptableto *
ofanyrequestedattackresponse ,suchastargetedportrange,
ofheartbeatmessagesoverthesignalchanneltomonitorchannel *
ofmaliciousDOTSgateway ,interceptingrequestsfromthedownstream
ofmitigationlifetimesinmitigationrequestsfromDOTSclients ,
ofsignaldeliveryduringanattack ,thesignalchannelMUSTbe
oftheconflict ,forexample,theoverlappingprefixrangeina
on-goingattack ,oranticipatedoractiveattackfocalpoints
onbehalfofaDOTSclient. *
once. *
operationallyorprivacy-sensitivedata.Althoughadministrative *
operatorsintheattackpathunabletoassistinthedefense. *
optionsarenotspecified ,theprotocolsMUSTfollowcurrentIETF
ordermessagedelivery.DatachannelimplementationsusinganIETF *
originatingfrommultiplesourcesisdirectedatatargetona *
ormoreconnections.DOTSgatewaysaredescribedfurtherin *
orstatus. *
oscillatingattacks ,DOTSserversMAYallowmitigationtocontinue
otheratregularintervalsregardlessofanyclientrequestfor *
otherwiseunusualnetworksisaconsiderationandthePMTUis *
out-of-orderorredundantmessagedelivery.Insupportof *
overhead *
overtransportandapplicationprotocolsnotsusceptibletohead- *
packetwhoselengthisequalto576bytesasdiscussedin *
passinglegitimatetraffictotheattacktarget.Distinct *
path.Forexample ,whenaDOTSgatewayconsistingofaDOTS
performingmitigationofadetectedorreportedDDoSattack.The *
perioduptoamaximumof300seconds *
possibleasaresultofcredentialtheft ,implementationflaws,or
possibleduringattackscausingnetworkcongestion. *
preparedtonegotiatenewsecuritystatewiththeredirection *
probabilityofsuccessfulDOTSsignaldelivery ,butDOTSdoesnot
proprietaryDDoSdefenses.FutureextensionsMUSTbebackward *
protocol ,orservice,DOTSclientsSHOULDincludethatinformation
protocols ,includingwhenmultipleDOTSserversareprovisionedto
protocolsMUSTtakestepstoprotecttheconfidentiality ,
protocolsarelikelytocontainoperationallyorprivacy-sensitive *
providersandenterprisesaroundtheworld.High-volumeattacks *
providesthefoundationforamorerapidattackresponseagainst *
provisioningorthroughimplementation-specificmethodsof *
publicationofthisdocument.Pleasereviewthesedocuments *
publishedforinformationalpurposes. *
rapidlytogglingmitigation ,andtodampentheeffectof
receiveanddiscardmitigationrequestsfromtheDOTSclient ,
receivedbyeitherDOTSagentforanextendedperiod.The *
receivedpublicreviewandhasbeenapprovedforpublicationbythe *
redirectDOTSclientstoanotherDOTSserveratanytime.DOTS *
reduceheartbeatfrequencyorceaseheartbeatexchangeswhenan *
refreshesthemitigationbeforetheactive-but-terminatingperiod *
refusemitigationswithindefinitelifetimesforpolicyreasons. *
regardlessofwhethermitigationiscurrentlyactive.TheDOTS *
rejectioninthestatusmessagesenttotheclient. *
relationshipbetweenDOTSagentsisestablished ,regular
relationshipwithpeerDOTSagentsduringnormalnetworkconditions *
remotepeer. *
representationofarequestedmitigation *
representationofcurrently-requestedmitigationstatus ,including
representdata-modelversionsisnotdefinedinthisdocument. *
requestattackmitigation.Suchproprietaryinterfacestiea *
requestedmitigation. *
requestingDOTSclient. *
requestingprotection.DOTSclientsMUSTbepreparedtonotbe *
requestisactive.Becauseheartbeatlossismuchmorelikely *
requestmitigation. *
requests. *
requests.IfaDOTSserverrejectsanauthorizedrequestfor *
requesttimeouts. *
requirementsabove ,DOTSsignalchannelimplementationsSHOULD
requirementsforDOTSsignalchannelanddatachannelprotocolsthat *
requirementsinSection2.2. *
requiremutualauthenticationofDOTSagentsinordertomakeagent *
requiresnojustificationfromDOTSclientsforrequestsforhelp ,
requiresuchpoliciesbeinplaceandshouldbeviableintheir *
resilient ,thatis,continueoperatingdespitemessagelossand
resourcesrequiringmitigation.AllDOTSagentimplementations *
responsibleforthemitigation. *
retransmissionprocedurehasbeenexhausted.PeerDOTSagents *
revealedtothird-partyDOTSagents ,suchconsiderationsarenot
saturatinginboundlinksarenowcommonasattackscaleandfrequency *
scopeforthisdocument. *
scopemayberepresentedinseveraldifferentways ,perSIG
scopeofresourcesrequiringmitigation. *
scopesmaybethoughtofasaformofscopealiasinwhichthe *
sectiondescribestherequiredfeaturesandcharacteristicsofthe *
securenegotiationofthetermsandmechanismsofprotocol *
security ,subjecttotheinteroperabilityandsignalmessagesize
securityboundary. *
securitystatewiththeredirectingDOTSserver.DOTSclientsare *
sendingagent *
separatemessages *
server ,or,asalogicalagent,aDOTSgateway.
server.Whilespecifictransport-andmessage-levelsecurity *
serverMUSTimmediatelyacknowledgeaDOTSclient *
serverandDOTSclientisrunningonthesamelogicaldevice ,the
serverisimplementation-specific. *
serversMUSTsendstatustotheDOTSclientsaboutmitigation *
serverstatusmessagesSHOULDindicatethatmitigationisactive *
serviceorclass-of-servicetraffictaggingtoincreasethe *
sharethesameleveloftrust.Asecuritymechanismatthe *
shouldalwaysbeallowedregardlessofcontradictorydatagleaned *
shouldbeawareofpotentialrisksinvolvedindeployingDOTS.DOTS *
shouldbeblockedregardlessoftrafficcontent. *
signalingprotocolrobustness ,DOTSsignalsSHOULDbeconveyed
signalingwithinorbetweendomainsasrequestedbylocaloperators. *
signallosswhenestablishingasignalchannel.Measurementsof *
significantlytolinkcongestion.Tomeetthesignalchannel *
solicitheartbeatexchangesaftersuccessfulmutual *
sources ,andMAYusetheabsenceofattacktrafficandlackof
specification *
standardcongestion-controlledtransportprotocolmayrelyonthe *
statusmessagesMUSTincludethefollowingmitigationmetrics *
statusmultipletimesatregularintervalsfollowingthedata *
stopmitigation. *
structuraldependencies. *
subscribertoaserviceandlimittheabilitiesofnetworkelements *
successfulDOTSprotocols. *
suchloopstopreventservicedisruption. *
suchthatreplayedorduplicatedmessagescanbedetectedand *
supplementalinformationwhenenablingcountermeasuresonthe *
supplementingattackresponses. *
supportconnectionlesstransports.However ,someconnectionless
supported *
supportrepresentationofaDOTSclient *
supportrepresentationofamitigationrequest *
targetDOTSserver.TheredirectionDOTSserverandredirecting *
targetintheDOTSclient *
terminatethecurrentsession. *
terminationduringthisactive-but-terminatingperiodwithanew *
terminationwhenmitigationisactiveandheartbeatsarenot *
thateverylinkintheInternethaveanMTUof1280octetsor *
thatofthesignalchannelsbridgedbygatewaysinthesignaling *
thattheDOTSserverknowsthesessionisstillalive.Ifthe *
thatwouldotherwisebecapableofparticipatinginattack *
theDOTSclients ,SHOULDbeconsidered.TheprotocolMUSTbe
theDOTSserver *
theTrustLegalProvisionsandareprovidedwithoutwarrantyas *
theabilitytorepresentarequestformitigationandthe *
theappropriateDOTSserverinamultihomedenvironmentisoutof *
theavailabilityand *
theclient *
thedatamodelMUSTincludeextensiblerepresentationof *
thefullunderstandingthattheDOTSserverMAYignoremitigation *
theheartbeatrate.Forexample ,aDOTSservermightwantto
themitigationasterminated ,astheDOTSclientisnolonger
themodelexplicitly. *
theprimaryfunctionofthedatachannelisdataexchange ,areliable
thereforeMUSTincludeacongestioncontrolmechanism. *
theseverelyconstrainednetworkconditionscausedbyattack *
thesignalingPathMaximumTransmissionUnit *
thisrequestasamitigationlifetimeextension *
thoseinterfacesneverthelessMUSTprovidesecurityequivalentto *
throughthesignalchannel.Reliablebulkdataexchangemaynot *
to-BackUserAgent *
toinflictthedesiredimpactontraffictoorfromtheDOTSclient *
tooperateovercongestedinboundlinks ,and,asdescribedin
tothisdocument.CodeComponentsextractedfromthisdocumentmust *
traffic.AdditionalmeanstoenhancetheresilienceofDOTS *
trafficpathtotheresourcesforwhichtheDOTSclientis *
traffictonetworksforwhichtheDOTSclientisauthorizedto *
transmissionguidelinesdiscussedinSection3.1.3of .
transport-ormessage-levelsecurity.Ifthetotalmessagesize *
transportcongestioncontrolsupport. *
transportimplementation *
transportintothedatamodel ,butinsteadrepresentthefieldsin
transportisrequiredinorderforDOTSagentstodetectdata *
transportlayer *
transports ,whendeployednaively,canbeasourceofnetwork
twoDOTSagentscouldbeimplementedwithinthesameprocess *
underextremelyhostilenetworkconditions ,providingcontinued
understandingoftheDOTSagents *
unidirectionalmessagingtoenablenotificationsbetweenDOTS *
unknown ,DOTSimplementationsMAYassumeaPMTUof576bytesfor
use-cases-17 ,January2019.
utilizingareliabletransportprotocolMUSTbeusedforbulkdata *
valid.Themethodofauthenticationisnotspecifiedinthis *
versionsMUSTrejectDOTSmessagescarryingmandatoryinformation *
whenthelifetimeelapses.DOTSserversalsoMUSTsupportrenewal *
whethertoasktheDOTSservertoceasemitigation. *
whichamitigationrequestistobesent.Themethodforselecting *
whichtheclientmayincludewhenestablishingthesignalchannel ,
whileemployingbestcurrentpracticestosecurenetwork *
whilemitigationisenabledduringanactiveattackagainsta *
whileserver-domainDOTSgatewaysdenoteDOTSgatewaysthatarein *
withdrawalofamitigationrequest.Duringthisperiod ,DOTS
withdrawalofsucharequest.ThedatamodelMUSTalsosupporta *
withrespecttoanycryptographicmechanismstoauthenticatethe *