Ecosyste.ms: Repos
An open API service providing repository metadata for many open source software ecosystems.
GitHub / chrislockard21 / P2PTask2
JSON API: https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/chrislockard21%2FP2PTask2
Stars: 0
Forks: 0
Open Issues: 0
License: None
Language: Python
Repo Size: 930 KB
Dependencies: 2,649
Created: almost 5 years ago
Updated: 2 months ago
Last pushed: almost 5 years ago
Last synced: 2 months ago
Dependencies
docker-compose.yml
docker
- python latest
- (the remaining listed entries are not package dependencies: the dependency parser ingested whitespace-stripped line fragments of two RFC text files in the repository, RFC 8585 "Requirements for IPv6 CE to Support IPv4aaS" and RFC 8612 "DOTS Requirements", both dated May 2019; the fragments carry no recoverable dependency information and are omitted here)
- aDDoSattack.Potentialtargetsinclude *
- abletorepresenttheDOTSagent *
- absence. *
- absorblatencyincurredbyroutepropagation.IfaDOTSclient *
- abuse ,enablingorsupplementingtheveryattacksDOTSpurportsto
- accept-listedsourceaddresses ,addressorprefixgroupaliasing,
- accept-listentriesisimplementation-specific. *
- accept-listentry ,retrievealistofcurrententriesfromeither
- actioninanticipationoforinresponsetoanattack ,butitdoes
- active-but-terminatingperiodelapses ,theDOTSserverMUSTtreat
- activeDOTSclienthasnotrequestedmitigation ,inorderto
- activeorexpectedDDoSattacks.TheDOTSsignalchannelisexpected *
- additionalattackdetails.DOTSserversMAYignoresuch *
- addressestowhichthedomainnameorURIresolverepresentthe *
- administrativedomainattemptingtohonorconflictingrequestsmay *
- affectpolicyonthenetworkpathtotheDOTSclient *
- agent *
- agentimpersonationandsignalblockingarediscussedhere. *
- agents. *
- allowingclientstoextendmitigationasnecessaryforthe *
- analogoustoaSessionInitiationProtocol *
- and .
- andDOTSprotocoldocuments. *
- andF.Gont ,
- anddeployment-specific ,butSHOULDbesufficientlylongenoughto
- andfilteringoutspecifictypesofDDoSattacktrafficwhile *
- andforwardonlythelatter. *
- andhowtoprovidefeedbackonitmaybeobtainedat *
- andincludinginstantiationofdrop-listsblockingallinbound *
- andthenewprefixgroupalias ,oranerrorstatusandmessageinthe
- aninsufficientlyprotectedsignalordatachannelmaybesubjectto *
- anyassumptionsaboutspecificcharacteristicsofanygiven *
- applytoDOTS.Regardlessoftransport ,DOTSprotocolsMUST
- approvedbytheIESGarecandidatesforanylevelofInternet *
- arediscussedin ,andtheDOTSarchitectureisdiscussed
- arerequestedofitareoutofscopeforthisdocument.The *
- asdescribedinSIG-003. *
- asmallsignalmessagesize ,aseparate,securedatachannel
- asnecessarythescopeofrequestedmitigationbyrefiningthe *
- aspartofnewerprotocolversions. *
- assumedtobelongtothesameadministrativeentity. *
- attack ,usingfeedbackfromthemitigatorandotheravailable
- attack ,wherecountermeasureenforcementismanagedbyanentity
- attack.DOTS-serverhandlingofmitigationhintsis *
- attackdetailsmightincludelocallycollectedfingerprintsforan *
- attackmitigationandreducetheimpactoftheseattacks.This *
- attackmitigationsolutionsthemselves ,orareconstrainedbylocal
- attackresponsecoordinationwithotherDOTS-awareelements. *
- attackresponsesmaybefragmentedorotherwiseincomplete ,leaving
- attacktraffic ,theDOTSsignalchannelMUSTNOTcontribute
- attemptingtoparticipateinattackresponsewiththeDOTS *
- authenticatedsignalchannelbetweenDOTSagents ,usedtoindicate
- authentication.Client-domainDOTSgatewaysaremoretrustedthan *
- authentication.WhenDOTSagentsareexchangingheartbeatsandno *
- authorizedDOTSclientsthathaverequestedandbeengranted *
- bandwidthlimitations.Toaddresssuchgaps ,serviceprovidershave
- basedonotherthreatintelligence.DOTSclientsMAYsend *
- beabletorequestscopedmitigationfromDOTSservers.DOTS *
- bedescribedbyasinglemoduleorbedividedintorelated *
- beguntoofferon-demandtrafficscrubbingservices ,whichare
- behalfofanetworkdomainorresourcethatisormaybecomethe *
- behalfoftheDOTSclient ,ifrequested,bycommunicatingtheDOTS
- bestpractices forencryptionandmessage
- betweenDOTSagents.Unlikethesignalchannel ,thedatachannelis
- betweenpeerDOTSagents. *
- bidirectional ,withclientandservertransmittingsignalstoeach
- bulkexchangeofdatanoteasilyorappropriatelycommunicated *
- businessorservice-levelagreements ,arealreadycomplete.
- but-terminatingperiod ,asdescribedaboveinSIG
- butMUSTcontinuetosendheartbeatsonthecurrentsessionso *
- butterminating.DOTSclientsMAYreversethemitigation *
- byanopaqueidentifiercreatedthroughthedatachannel ,direct
- byteoverheadofanyencapsulation ,transportheaders,and
- bytheprotocol ,suchasDTLSsessionresumption,butMUSTbe
- capitals ,asshownhere.
- carefully ,astheydescribeyourrightsandrestrictionswithrespect
- catastrophicimpactonoperationsineitherdomain.Ifanattacker *
- channel ,asthedatachannelmaynotbefunctionalduringan
- channel ,usedasakeep
- channelbetweentwoDOTSagentsusedforinfrequentbutreliable *
- channelimplementationsshouldbepreparedtodetectandterminate *
- channelprotocol ,duetothehigherlikelihoodofpacketloss
- channelrequirementsinSections2.1and2.2 ,DOTSserver
- characteristics ,DOTSagentsneedtoensureitson
- characteristics.AbsentinformationabouttheNAT *
- characteristicsdefiningthenatureofaDDoSattack. *
- characteristicssuchassmallmessagesize ,asynchronous
- client *
- client-facingside ,whichbehavesasaDOTSserverfordownstream
- clientheartbeatsasanindicationthesignalchannelis *
- clients ,andaserver
- clients.DOTSserversinasingleadministrativedomainSHALL *
- clientsMAYattempttoestablishanewsignalchannelsession *
- clientsMUSTNOTassumetheredirectiontargetDOTSservershares *
- clientsandserverstorefertocollectionsofprotectedresources *
- clientsmustbeabletoselecttheappropriateDOTSserver *
- clienttorequestaidmountingadefenseagainstasuspectedattack. *
- clientusingavarietyofmanualordynamicmethods.Oncea *
- collectionofprefixesitwantstorefertobyaliaswhenrequesting *
- collectionsofhierarchicalmodulesandsubmodules.Ifthedata *
- common ,widelydeployedandstandardizedtransportprotocols.
- communicatewithDOTSserversthroughtheNAT.DOTSprotocols *
- communicationbetweenDOTSagentstoloop.Signalanddata *
- communicationbetweenDOTSclientsandserversenablesacommon *
- communicationchannelbetweenDOTSagents.Indeed ,establishinga
- communicationchannelbetweenDOTSagentsthatisresilienteven *
- communicationstoreduceattacksurface. *
- compatible.ImplementationsofolderprotocolversionsMUST *
- configuration ,orothermeans.DomainnameandURImitigation
- configurations. *
- configuredlocally.ThatvalueMUSTbereturnedinareplytothe *
- conflictingmitigationrequest. *
- congestedlink ,signalingprotocolmessagesizeMUSTbekeptunder
- congestion ,asdiscussedin
- congestionduringanattack ,DOTSserversSHOULDNOTredirect
- connectedtotheInternet ,plaguingnetworkoperatorsatservice
- consecutivemissedheartbeatmessages ,retransmissioncount,or
- consequentlydecreasedprobabilityofmessagedeliveryovera *
- considerationsin *
- consideredactiveuntilaDOTSagentexplicitlyendsthesession. *
- consideredactiveuntileitherDOTSagentfailstoreceive *
- contactbetweenDOTSagentsevenasattacktrafficsaturatesthe *
- continuetoincrease. *
- contributetotherobustnessdemandedbyaviableDOTSprotocol. *
- controlledbyasingleadministrativeentitymaysendconflicting *
- controlledtransportprotocol *
- controllingtheDOTSclientneednotbepresentbeforeestablishinga *
- controlload. *
- coordinatedresponsetoDDoSattacks. *
- coordination ,permittingsuchtasksaspopulationofdrop
- couldbesplitintomultiplelistsandeachlistconveyedinanew *
- countermeasurescanbelayeredtodefendagainstattackscombining *
- datatransfertoreducetheincidenceofsignalloss. *
- ddolson *
- decisionislocaltotheDOTSclients *
- definingthescopeofanymitigation ,aswellasmanagingother
- defunct. *
- deliverysuccessorfailure. *
- deployedbehindaNetworkAddressTranslator *
- describedintheDOTSArchitecture .
- describedintheSimplifiedBSDLicense. *
- designedtomaximizetheprobabilityofsignaldeliveryevenunder *
- designedtoseparatetheDDoSattacktrafficfromlegitimatetraffic *
- destinedforthetargetortargetsofadetectedorreportedDDoS *
- detailsthatcanbeusedtoinformmitigationtechniques.Example *
- detectionandprevention. *
- detectsuchconflictingrequestsandSHALLnotifytheDOTSclients *
- discarded.UniquemitigationrequestsMUSTbeprocessedatmost *
- discovery.DOTSclientsMUSTsupportatleastonemechanismto *
- discreteDOTSclientconnectionsandmayaggregatetheseintoone *
- discussedin .IfthePMTUcannotbediscovered,
- discussedinSection3.5of .
- disruptingorinfluencingthenetworkpolicyofthereceivingDOTS *
- disruptthecorefunctionofDOTS ,whichistorequestmitigationof
- documentauthors.Allrightsreserved. *
- documentbutshouldfollowcurrentIETFbestpractices *
- documentdescribestherequiredcharacteristicsofprotocolsthat *
- domain.Amongotherthings ,thismaliciousDOTSgatewaymight
- draft-ietf-dots-architecture-13 ,April2019.
- durationofanattack. *
- duringaDDoSattack ,DOTSserversneedtosendthemitigation
- duringactivemitigationarediscussedbelow *
- duringvolumetricattack ,DOTSagentsSHOULDavoidsignalchannel
- eachotherbeforeaDOTSsignalordatachannelisconsidered *
- efficacymetrictoadjustcountermeasuresactivatedonamitigator *
- efficacyofamitigationenabledthroughamitigationrequest. *
- elapses ,theDOTSserverMAYincreasetheactive
- enableattackresponsecoordinationandmitigationofDDoSattacks. *
- enablingarchitecturesinwhichthemitigatorisalwaysinthe *
- ensuringnorequestedmitigationiseverapplied. *
- enterpriseslacktheresourcesorexpertisetooperateon-premise *
- entitiesparticipatinginDOTSmaydetailwhatdatamaybe *
- error ,orcompromisedDOTSclients.DOTSserversinthesame
- eventtheDOTSclient *
- exceedsthePMTU ,theDOTSagentMUSTsplitthemessageinto
- exceptioncircumstancestoterminatingthesignalchannelsession *
- exchange.However ,reliablebulkdataexchangemaynotbe
- exchangeofincidentreports ,andotherhintingorconfiguration
- expirationexactlyasiftheDOTSclientoriginatingthe *
- failuresandtheircauses. *
- fandreas *
- feedbacktotherequestingDOTSclient. *
- flapnetworkrouteorDNSinformation ,degradingthenetworks
- flexibilityandscalability ,DOTSserversSHOULDbeableto
- flows.Thefilterwilltypicallyhaveapolicyassociatedwith *
- focusofaDDoSattack.AnactiveDDoSattackagainsttheentity *
- followestablishedbestcommonpracticesestablishedinBCP127 *
- forNATtraversal .
- foralimitedperiodafteracknowledgingaDOTSclient *
- foranegotiatedtimeintervalandMUSTterminateamitigation *
- forresourcesbelongingtoaclient. *
- freetoattemptabbreviatedsecuritynegotiationmethodssupported *
- frombecomingadditionalvectorsfortheveryattacksitismeantto *
- fromcapturingandreplayingoldmessages ,andtherebypotentially
- fullscopeofthemitigation. *
- functionwelloratallduringattackscausingnetworkcongestion. *
- futureattacks ,asallinteractionssettingupDOTS,includingany
- gatewaysareDOTSgatewaysthatareintheDOTSclient *
- grantedmitigationswithindefinitelifetimes.DOTSserversMAY *
- greaterasspecifiedin .IfIPv4supportonlegacyor
- hand ,DOTSmustincludemeasurestoensuremessageconfidentiality,
- handlemiddle-boxesandfirewalltraversal. *
- hastheabilitytoimpersonateaDOTSclient ,thatattackercan
- havedifferentapplicationandtransport-layerrequirements.This *
- health.Thesekeep-alivesservetomaintainanyon-pathNATor *
- heartbeatsfromtheotherpeerafteramutuallyagreedupon *
- helpfightoff.Ontheotherhand ,theprotocolmustberesilient
- hints.MitigationhintsMUSTbetransmittedacrossthesignal *
- identifiers ,asdescribedinSIG
- ignoreoptionalinformationaddedtoDOTSmessagesaspartof *
- impersonationmoredifficult.However ,impersonationmaystillbe
- implementation-specific. *
- implementations ,datamodelsMUSTbeversioned.Howtheprotocols
- implementationsMUSTprovideaninterfacetoconfigureresource *
- implementationsusingsuchconnectionlesstransports ,suchasUDP,
- in .
- inProgress ,draft
- inaDOTSsignalordatachannel.ItcanbeaDOTSclient ,DOTS
- inadetectedattack. *
- inclientmitigationrequests.DOTSclientsMAYalsoinclude *
- includeSimplifiedBSDLicensetextasdescribedinSection4.eof *
- includingmitigationswithnospecifiedendtime. *
- inconditionsleadingtoseverepacketlosssuchasavolumetric *
- inconflict.ThenotificationMUSTindicatethenatureandscope *
- incoordinatedattackdefense ,althoughthisconsiderationis
- increasedfocusoncoordinatedattackresponse.However ,many
- incryptanalysisandtrafficanalysis ,DOTSagentsMUSTsupport
- informationleaksormalicioustransactionsonbehalfofthe *
- informationorinstructionsfromtheremoteDOTSagent.Theft ,
- inscopeforthisdocument. *
- integrity ,andauthenticityofmessagessentbetweenclientand
- integrity ,authenticity,andreplayprotectiontokeeptheprotocols
- inthenetworkpathbetweenattacksourcesandtheattacktarget. *
- involvedoperatorswillincreasethespeedandeffectivenessofDDoS *
- isimplementation-specific. *
- it ,e.g.,rate
- link.Suchresiliencymaybedevelopedseveralways ,but
- list ,updatethecontentofeitherlist,anddeleteentriesas
- listswhentheDOTSclientisunauthorized. *
- logicalconcatenationofthefunctionalityofaDOTSserveranda *
- lossmightinclude ,butarenotrestrictedto,numberof
- maintainanactivesignalchannel ,andtoincreasetheprobability
- maintainingthisbidirectionalcommunicationstream.Ontheone *
- management.Forexample ,aDOTSclientmaysubmittoaDOTSservera
- meansbywhichthisentityperformsthesemitigationsandhowthey *
- message. *
- messagesfromDOTSclients.TheDOTSserverenablesmitigationon *
- misconfigurationofDNSorroutingpolicy ,itmaybepossiblefor
- mitigate. *
- mitigation ,theDOTSserverMUSTincludeareasonforthe
- mitigation ,towhichtheserverwouldrespondwithasuccessstatus
- mitigation ,andtokeepthechannelactive,DOTSserversMUST
- mitigation-relatedconfigurations. *
- mitigation.Asaresultofsignalinginterfaceincompatibility ,
- mitigation.Ifunreliabletransportisusedforthesignal *
- mitigation.ThebidirectionalsignalchannelMUSTsupport *
- mitigationcouldbenegotiablebasedonNAT *
- mitigationefficacytotheDOTSserver.DOTSserversMAYusethe *
- mitigationhadaskedtoendthemitigation ,includingtheactive
- mitigationhintsderivedfromattackdetailstoDOTSservers ,with
- mitigationlifetime ,itMUSTsetthelifetimetoavaluethatis
- mitigationrequestforthesamescope.TheDOTSserverMUSTtreat *
- mitigationrequestisactive ,eitheragentMAYrequestchangesto
- mitigationrequests.Theheartbeatintervalduringactive *
- mitigationrequestsasaresultofmisconfiguration ,operator
- mitigationscope. *
- mitigationscope.Thescopetypewillvarydependingonthe *
- mitigator. *
- mitigatorandDOTSserverreceivingamitigationrequestare *
- modelstructureissplitacrossmodules ,thosedistinctmodules
- modification ,ordeletionofscopealiasesanddrop
- modification ,orreplayofmessagetransmissionscouldleadto
- mohamed.boucadair *
- monitorandauditDOTSagentstodetectmisbehavioranddetermisuse *
- multipleDDoSattacktypes. *
- multipleDOTSservers ,eachinaseparateadministrativedomain.
- necessarilysupersededbytheotheroperationalrequirements. *
- necessary. *
- necessaryduetonetworkpolicyormiddleboxcapabilitiesor *
- network.DDoSattacksareintendedtocauseanegativeimpacton *
- networkelements ,networklinks,servers,andservices.
- newerprotocolversions.Implementationsofolderprotocol *
- newsessionissuccessfullyestablished ,theDOTSclientcan
- nordoDOTSclientsneedtojustifywithdrawinghelprequests *
- notdictatetheimplementationoftheseactions.TheDOTSusecases *
- notexpectedtobeconstructedtodealwithattackconditions.As *
- nothavesecurityconsiderationsofitsown.However ,operators
- notifications ,redundantmessagedelivery,andminimalconnection
- obtainmitigationscope. *
- of-lineblocking.TheserequirementsareatSHOULDstrengthto *
- ofDOTSMUSTbeextensibleinordertokeepDOTSadaptableto *
- ofanyrequestedattackresponse ,suchastargetedportrange,
- ofheartbeatmessagesoverthesignalchanneltomonitorchannel *
- ofmaliciousDOTSgateway ,interceptingrequestsfromthedownstream
- ofmitigationlifetimesinmitigationrequestsfromDOTSclients ,
- ofsignaldeliveryduringanattack ,thesignalchannelMUSTbe
- oftheconflict ,forexample,theoverlappingprefixrangeina
- on-goingattack ,oranticipatedoractiveattackfocalpoints
- onbehalfofaDOTSclient. *
- once. *
- operationallyorprivacy-sensitivedata.Althoughadministrative *
- operatorsintheattackpathunabletoassistinthedefense. *
- optionsarenotspecified ,theprotocolsMUSTfollowcurrentIETF
- ordermessagedelivery.DatachannelimplementationsusinganIETF *
- originatingfrommultiplesourcesisdirectedatatargetona *
- ormoreconnections.DOTSgatewaysaredescribedfurtherin *
- orstatus. *
- oscillatingattacks ,DOTSserversMAYallowmitigationtocontinue
- otheratregularintervalsregardlessofanyclientrequestfor *
- otherwiseunusualnetworksisaconsiderationandthePMTUis *
- out-of-orderorredundantmessagedelivery.Insupportof *
- overhead *
- overtransportandapplicationprotocolsnotsusceptibletohead- *
- packetwhoselengthisequalto576bytesasdiscussedin *
- passinglegitimatetraffictotheattacktarget.Distinct *
- path.Forexample ,whenaDOTSgatewayconsistingofaDOTS
- performingmitigationofadetectedorreportedDDoSattack.The *
- perioduptoamaximumof300seconds *
- possibleasaresultofcredentialtheft ,implementationflaws,or
- possibleduringattackscausingnetworkcongestion. *
- preparedtonegotiatenewsecuritystatewiththeredirection *
- probabilityofsuccessfulDOTSsignaldelivery ,butDOTSdoesnot
- proprietaryDDoSdefenses.FutureextensionsMUSTbebackward *
- protocol ,orservice,DOTSclientsSHOULDincludethatinformation
- protocols ,includingwhenmultipleDOTSserversareprovisionedto
- protocolsMUSTtakestepstoprotecttheconfidentiality ,
- protocolsarelikelytocontainoperationallyorprivacy-sensitive *
- providersandenterprisesaroundtheworld.High-volumeattacks *
- providesthefoundationforamorerapidattackresponseagainst *
- provisioningorthroughimplementation-specificmethodsof *
- publicationofthisdocument.Pleasereviewthesedocuments *
- publishedforinformationalpurposes. *
- rapidlytogglingmitigation ,andtodampentheeffectof
- receiveanddiscardmitigationrequestsfromtheDOTSclient ,
- receivedbyeitherDOTSagentforanextendedperiod.The *
- receivedpublicreviewandhasbeenapprovedforpublicationbythe *
- redirectDOTSclientstoanotherDOTSserveratanytime.DOTS *
- reduceheartbeatfrequencyorceaseheartbeatexchangeswhenan *
- refreshesthemitigationbeforetheactive-but-terminatingperiod *
- refusemitigationswithindefinitelifetimesforpolicyreasons. *
- regardlessofwhethermitigationiscurrentlyactive.TheDOTS *
- rejectioninthestatusmessagesenttotheclient. *
- relationshipbetweenDOTSagentsisestablished ,regular
- relationshipwithpeerDOTSagentsduringnormalnetworkconditions *
- remotepeer. *
- representationofarequestedmitigation *
- representationofcurrently-requestedmitigationstatus ,including
- representdata-modelversionsisnotdefinedinthisdocument. *
- requestattackmitigation.Suchproprietaryinterfacestiea *
- requestedmitigation. *
- requestingDOTSclient. *
- requestingprotection.DOTSclientsMUSTbepreparedtonotbe *
- requestisactive.Becauseheartbeatlossismuchmorelikely *
- requestmitigation. *
- requests. *
- requests.IfaDOTSserverrejectsanauthorizedrequestfor *
- requesttimeouts. *
- requirementsabove ,DOTSsignalchannelimplementationsSHOULD
- requirementsforDOTSsignalchannelanddatachannelprotocolsthat *
- requirementsinSection2.2. *
- requiremutualauthenticationofDOTSagentsinordertomakeagent *
- requiresnojustificationfromDOTSclientsforrequestsforhelp ,
- requiresuchpoliciesbeinplaceandshouldbeviableintheir *
- resilient ,thatis,continueoperatingdespitemessagelossand
- resourcesrequiringmitigation.AllDOTSagentimplementations *
- responsibleforthemitigation. *
- retransmissionprocedurehasbeenexhausted.PeerDOTSagents *
- revealedtothird-partyDOTSagents ,suchconsiderationsarenot
- saturatinginboundlinksarenowcommonasattackscaleandfrequency *
- scopeforthisdocument. *
- scopemayberepresentedinseveraldifferentways ,perSIG
- scopeofresourcesrequiringmitigation. *
- scopesmaybethoughtofasaformofscopealiasinwhichthe *
- sectiondescribestherequiredfeaturesandcharacteristicsofthe *
- securenegotiationofthetermsandmechanismsofprotocol *
- security ,subjecttotheinteroperabilityandsignalmessagesize
- securityboundary. *
- securitystatewiththeredirectingDOTSserver.DOTSclientsare *
- sendingagent *
- separatemessages *
- server ,or,asalogicalagent,aDOTSgateway.
- server.Whilespecifictransport-andmessage-levelsecurity *
- serverMUSTimmediatelyacknowledgeaDOTSclient *
- serverandDOTSclientisrunningonthesamelogicaldevice ,the
- serverisimplementation-specific. *
- serversMUSTsendstatustotheDOTSclientsaboutmitigation *
- serverstatusmessagesSHOULDindicatethatmitigationisactive *
- serviceorclass-of-servicetraffictaggingtoincreasethe *
- sharethesameleveloftrust.Asecuritymechanismatthe *
- shouldalwaysbeallowedregardlessofcontradictorydatagleaned *
- shouldbeawareofpotentialrisksinvolvedindeployingDOTS.DOTS *
- shouldbeblockedregardlessoftrafficcontent. *
- signalingprotocolrobustness ,DOTSsignalsSHOULDbeconveyed
- signalingwithinorbetweendomainsasrequestedbylocaloperators. *
- signallosswhenestablishingasignalchannel.Measurementsof *
- significantlytolinkcongestion.Tomeetthesignalchannel *
- solicitheartbeatexchangesaftersuccessfulmutual *
- sources ,andMAYusetheabsenceofattacktrafficandlackof
- specification *
- standardcongestion-controlledtransportprotocolmayrelyonthe *
- statusmessagesMUSTincludethefollowingmitigationmetrics *
- statusmultipletimesatregularintervalsfollowingthedata *
- stopmitigation. *
- structuraldependencies. *
- subscribertoaserviceandlimittheabilitiesofnetworkelements *
- successfulDOTSprotocols. *
- suchloopstopreventservicedisruption. *
- suchthatreplayedorduplicatedmessagescanbedetectedand *
- supplementalinformationwhenenablingcountermeasuresonthe *
- supplementingattackresponses. *
- supportconnectionlesstransports.However ,someconnectionless
- supported *
- supportrepresentationofaDOTSclient *
- supportrepresentationofamitigationrequest *
- targetDOTSserver.TheredirectionDOTSserverandredirecting *
- targetintheDOTSclient *
- terminatethecurrentsession. *
- terminationduringthisactive-but-terminatingperiodwithanew *
- terminationwhenmitigationisactiveandheartbeatsarenot *
- thateverylinkintheInternethaveanMTUof1280octetsor *
- thatofthesignalchannelsbridgedbygatewaysinthesignaling *
- thattheDOTSserverknowsthesessionisstillalive.Ifthe *
- thatwouldotherwisebecapableofparticipatinginattack *
- theDOTSclients ,SHOULDbeconsidered.TheprotocolMUSTbe
- theDOTSserver *
- theTrustLegalProvisionsandareprovidedwithoutwarrantyas *
- theabilitytorepresentarequestformitigationandthe *
- theappropriateDOTSserverinamultihomedenvironmentisoutof *
- theavailabilityand *
- theclient *
- thedatamodelMUSTincludeextensiblerepresentationof *
- thefullunderstandingthattheDOTSserverMAYignoremitigation *
- theheartbeatrate.Forexample ,aDOTSservermightwantto
- themitigationasterminated ,astheDOTSclientisnolonger
- themodelexplicitly. *
- theprimaryfunctionofthedatachannelisdataexchange ,areliable
- thereforeMUSTincludeacongestioncontrolmechanism. *
- theseverelyconstrainednetworkconditionscausedbyattack *
- thesignalingPathMaximumTransmissionUnit *
- thisrequestasamitigationlifetimeextension *
- thoseinterfacesneverthelessMUSTprovidesecurityequivalentto *
- throughthesignalchannel.Reliablebulkdataexchangemaynot *
- to-BackUserAgent *
- toinflictthedesiredimpactontraffictoorfromtheDOTSclient *
- tooperateovercongestedinboundlinks ,and,asdescribedin
- tothisdocument.CodeComponentsextractedfromthisdocumentmust *
- traffic.AdditionalmeanstoenhancetheresilienceofDOTS *
- trafficpathtotheresourcesforwhichtheDOTSclientis *
- traffictonetworksforwhichtheDOTSclientisauthorizedto *
- transmissionguidelinesdiscussedinSection3.1.3of .
- transport-ormessage-levelsecurity.Ifthetotalmessagesize *
- transportcongestioncontrolsupport. *
- transportimplementation *
- transportintothedatamodel ,butinsteadrepresentthefieldsin
- transportisrequiredinorderforDOTSagentstodetectdata *
- transportlayer *
- transports ,whendeployednaively,canbeasourceofnetwork
- twoDOTSagentscouldbeimplementedwithinthesameprocess *
- underextremelyhostilenetworkconditions ,providingcontinued
- understandingoftheDOTSagents *
- unidirectionalmessagingtoenablenotificationsbetweenDOTS *
- unknown ,DOTSimplementationsMAYassumeaPMTUof576bytesfor
- use-cases-17 ,January2019.
- utilizingareliabletransportprotocolMUSTbeusedforbulkdata *
- valid.Themethodofauthenticationisnotspecifiedinthis *
- versionsMUSTrejectDOTSmessagescarryingmandatoryinformation *
- whenthelifetimeelapses.DOTSserversalsoMUSTsupportrenewal *
- whethertoasktheDOTSservertoceasemitigation. *
- whichamitigationrequestistobesent.Themethodforselecting *
- whichtheclientmayincludewhenestablishingthesignalchannel ,
- whileemployingbestcurrentpracticestosecurenetwork *
- whilemitigationisenabledduringanactiveattackagainsta *
- whileserver-domainDOTSgatewaysdenoteDOTSgatewaysthatarein *
- withdrawalofamitigationrequest.Duringthisperiod ,DOTS
- withdrawalofsucharequest.ThedatamodelMUSTalsosupporta *
- withrespecttoanycryptographicmechanismstoauthenticatethe *
- RFC6334 ,DOI10.17487
- RFC6877 ,DOI10.17487
- RFC7050 ,DOI10.17487
- RFC7341 ,DOI10.17487
- RFC7618 ,DOI10.17487
- RFC8415 ,DOI10.17487
- RFC8585RequirementsforIPv6CEtoSupportIPv4aaSMay2019 *
- RegardingDS-LITE ,thisdocumentincludesslightly
- RequestforComments *
- RequirementLevels *
- RequirementsforIPv6CustomerEdgeRouters *
- Richardson ,M.,Jiang,S.,Lemon,T.,andT.Winters,
- Router ,thisdoesn
- Router *
- RouterMAYuseothermechanismstoconfigureDS-Lite *
- RouterSHOULDimplement .IfPCP
- RouterintendedfortheretailmarketMUSTsupportalltheIPv4aaS *
- Routerisrequired ,atleastfromtheperspectiveoftransition
- RoutersalreadyprovideaGUI ,CLI,orAPItomanuallyconfigure
- SHOULDresultinasuccessfulmappingwithanalternative *
- Section1andAppendixA *
- ServicestoIPv4ClientsoveranIPv6MulticastNetwork *
- Sinceitisimpossibletoknowpriortosalewhichtransition *
- So ,tocoverallthoseevolvingsituations,anIPv6TransitionCE
- SoftwireCustomerPremisesEquipment *
- Spain *
- Specifically ,thisdocumentextendsthebasicrequirementsforIPv6
- StackLiteArchitecture *
- StackLiteBroadbandDeploymentsFollowingIPv4 *
- Standard *
- StatusofThisMemo *
- Synthesis *
- TRANS-1 *
- TRANS-2 *
- TRANS-3 *
- TableofContents *
- ThankstoMikaelAbrahamsson ,FredBaker,MohamedBoucadair,Brian
- TheIPv6Company *
- TheIPv6TransitionCERouterMUSTcomplywith *
- TheIPv6TransitionCERouterMUSTimplementDS-LiteB4functionality *
- TheIPv6TransitionCERouterMUSTimplementlwB4functionality *
- TheIPv6TransitionCERouterMUSTsupportMAP-ECEfunctionality *
- TheIPv6TransitionCERouterMUSTsupportMAP-TCEfunctionality *
- TheIPv6TransitionCERouterMUSTsupportcustomer-sidetranslator *
- TheIPv6TransitionCERouterMUSTuseplainIPv6mode *
- TheIPv6TransitionCERouterdescribedinthisdocumentisnot *
- TheIPv6TransitionCERoutermaybemanuallyconfiguredinan *
- TheIPv6TransitionCERoutermustcomplywiththeSecurity *
- TheNAT64prefixcouldbediscoveredbymeansofthemethoddefined *
- Theaboveisnotintendedtobeacomprehensivelistofallthe *
- Theend-usernetworkisastubnetworkinthesensethatisnot *
- ThefollowingIPv6TransitionCERouterrequirementsalsoapply. *
- Thefollowingsubsectionsdescribetherequirementsforsupporting *
- Thekeywords *
- ThemaintargetofthisdocumentisthesupportofIPv6-onlyWAN *
- Themechanismsforallowinginboundconnectionsarenaturally *
- Theotherissueseemstobethecostofdevelopingthecodeforthose *
- TherearesomedifferencesinhowIPv6worksandisprovisioned *
- TheseroutersrelyuponrequirementsforIPv6CEroutersdefinedin *
- ThesituationofongoingIPv6deploymentandalackofIPv4addresses *
- Theterm *
- Thisarchitecturedescribesthe *
- ThisdocumentcoversasetofIPtransitiontechniquesrequiredwhen *
- ThisdocumentdefinesIPv4servicecontinuityfeaturesoveran *
- Thisdocumentdoesn *
- ThisdocumenthasnoIANAactions. *
- ThisdocumentisaproductoftheInternetEngineeringTaskForce *
- ThisdocumentisnotanInternetStandardsTrackspecification *
- Thisdocumentisnotarecommendationforserviceproviderstouse *
- ThisdocumentissubjecttoBCP78andtheIETFTrust *
- ThisdocumentspecifiestheIPv4servicecontinuitymechanismstobe *
- ThisdocumentspecifiestheIPv4servicecontinuityrequirementsfor *
- Thisdocumenttakesnopositiononsimultaneousoperationofoneor *
- Thisdocumentusesthesametermsasin ,withminor
- TransitionCERouter.ThisunderscorestheimportanceoftheIPv6 *
- TransitionCERouterMAYuseothermechanismstoconfigure *
- TransitionCERouterMUSTassume ,bydefault,thatthe
- TransitionCERouterMUSTuseplainIPv6mode *
- TransitionCERouterallowsthecontinuedtransitionfromnetworks *
- TransitionCERouteritself *
- TransitionCERouterrequirementsalsoapply. *
- TransitionCERoutersfulfillingtherequirementsdefinedinthis *
- Translation *
- TranslationfromIPv6ClientstoIPv4Servers *
- UPnP-gw-InternetGatewayDevice-v2-Device.pdf >.
- UPnP-gw-WANIPConnection-v2-Service.pdf >.
- UPnPForum ,
- UnitedStatesofAmerica *
- W. ,Bao,C.,Yeh,L.,andX.Deng,
- Wang ,
- WhoprovidestheIPv6TransitionCERouterisnotrelevant.Inmost *
- Woodyattfortheirreviewandcommentsinthisand *
- aboveusagesarealsopossible ,alongwithsituationswherethesame
- access.ToenablelegacyIPv4functionality ,thisdocumentalso
- accessandIPv4aaS ,thatmaynotbefeasibledependingonspecific
- accessnetwork.TheseISPaccessnetworksaretypicallyreferredto *
- actionMUSTberejectedwitherrorcode729 *
- activation. *
- addingthesupportforthenewtransitionmechanismsrequiresaround *
- addressesandNATanddependingonthespecifictransitionmechanism ,
- addressesarealwaysusableevenwhentheWANinterfaceisdownor *
- addressestobecomeprohibitivelyexpensive.This ,inturn,may
- allowsenabling *
- amongcustomersbycombiningtwowell-knowntechnologies *
- anIPv6-in-IPv4tunneling. *
- and2 *
- andT.Murakami ,
- andWANinterfacesofanIPv6TransitionCERouter. *
- andhowtoprovidefeedbackonitmaybeobtainedat *
- andseveralvendorsalreadyhaveimplementationsandprovidedthemto *
- andsmall *
- anotherRouterbehindtheoriginalCE ,takescareofinbound
- anyspecifictransitionmechanism. *
- appendices ,alongwith
- appropriatesubnettingandconfigurationoftheaddress *
- approvedbytheIESGarecandidatesforanylevelofInternet *
- arbitrarytopologywithadynamicroutingprotocolorHNCP .
- architecture. *
- as-a-Service *
- asWideAreaNetworks *
- asassignedbyPCPasperSection5.6.1of .
- assumesaStatefulNAT64 functiondeployedattheservice
- atleastontheWANside.Commonly ,theuserhasaccesstoconfigure
- availabilityofnativeIPv4orIPv4aaSaretransparentforthe *
- availableforeverypossiblecustomeranddevice ,whichcausesIPv4
- availableinanyIPv6routerwhenusingIPv6GlobalUnicastAddresses *
- baselinefortransitionfeaturestobeimplementedonsuchrouters. *
- becauseofbusinessdecisions. *
- bereliablyestimated. *
- beusedinresidential *
- bothIPv4-onlyandIPv6-onlydevicesinthecustomer-sideLANsofthe *
- byusingDHCPv6-PD *
- capitals ,asshownhere.
- carefully ,astheydescribeyourrightsandrestrictionswithrespect
- cases ,theserviceproviderisresponsibleforprovisioning
- changetheirexistingnetworktopologywiththeintroductionofIPv6. *
- checkforavalidmatchinOPTION_S46_PRIORITY ,which
- clarifications. *
- combinedwithadynamicroutingprotocol.Onceagain ,thisistrue
- commercial *
- commonsituationwhensufficientIPv4addressesarenolonger *
- communicatewithIPv4-onlyservicesontheInternet. *
- communications. *
- complexnetworksusingmanualconfigurationofaddressprefixes *
- connections.Therequirementsforthatsupportareoutofthescope *
- continuitysupportfordevicesintheLANside.Thisensuresthat *
- currentlybeincludedintheOPTION_S46_PRIORITY.Inthefuture ,an
- customerLANs ,aswellasIPv4
- customerLANsandallowautomatedIPv6transitionmechanism *
- datacenters ,contentproviders,etc.Evenifthedocumented
- defineadifferentsetoffeaturesfromthoseincludedinthis *
- defined. *
- deploymentisachangingsituation.Inasinglecountry ,notall
- deprecatedbyOCF *
- describedin *
- describedintheSimplifiedBSDLicense. *
- determinedthroughPCPoraccesstoaconfiguredportset *
- device.However ,devicesorapplicationsinthecustomerLocalArea
- devicesandapplicationsinthecustomernetworkscanstillreach *
- devicesattachedtotheLANs. *
- devicesattachedtotheLANs.Thus ,theWANconfigurationand
- differentIPv4aaSesatdifferentserviceproviders. *
- differentrequirementsrelatedtothesupportofPCP ,
- disabledatthisstep. *
- discovery *
- document ,forexample,featuresthatsupportonlysomeofthe
- document. *
- documentauthors.Allrightsreserved. *
- doesn *
- eachoneofthetransitionmechanisms.AnIPv6TransitionCERouter *
- enabledonaCErouter ,butcannotbeassociatedwithanIPv4
- encapsulatedusingDS-Lite .
- equivalent *
- equivalentorbettercapabilitiesandfunctionalitythanthecurrent *
- everycountryforeveryISP.Fordifferenttechnical ,financial,
- follow *
- followingIPv6TransitionCERouterrequirementsalsoapply. *
- forIPv6PrefixDelegation *
- foranAFTR *
- forbothIPv4andIPv6. *
- fornewtransitionmechanisms ,isthelackofspaceintheflash
- foundbetweentheprioritylistandthecandidatelist ,
- fromotherrouters *
- functionfromtheDS-Litetunnelconcentratortothetunnelclient *
- hostsbehindtheCE *
- ifthecostsarenotdirectlycausedbysupportingthisdocumentbut *
- ifthedefaultgatewayortheNAT64isthePCPserver. *
- implement *
- implemented ,lw4o6SHOULDbeimplementedaswell.Iflw4o6is
- implemented ,theIPv6TransitionCERouterMUSTalso
- implementedandaPCPserverisnotconfigured ,theIPv6
- in onlyiftheserviceproviderusesDNS64
- inboundconnectionstypicallyrequiresomedegreeofmorecomplex *
- includeSimplifiedBSDLicensetextasdescribedinSection4.eof *
- includesthesupportofIPv4-onlydevicesandapplicationsinthe *
- incomingconnectionsandmayallowopeningofportsusingaUniversal *
- indefinitely. *
- inmanycases ,theusermustsupplyormayreplacetheIPv6
- integrationandtestingcostmaybecomeanissue. *
- intendedfortheretailmarketMUSTsupportallofthem. *
- intendedforusageinotherscenarios ,suchaslargeenterprises,
- interfaceestablishedbyanIPv4aaSmechanismorcannotdetermine *
- isalsonotinscope.DHCPpacketsMUSTNOTbeforwardedbetweenLAN *
- isconfigured ,theIPv6TransitionCERouterMAYverify
- isnothappeningatthesamepaceineverycountryandevenwithin *
- isrequired.Thus ,thereisaneedforCEstosupportIPv4aaS
- it.Meanwhile ,ifanoperatorprovides464XLAT,itneedstoensure
- itMUSTbeimplementedaccordingto .ThefollowingIPv6
- ithasbeenconfirmedthatthereareseveralopen-sourceversionsof *
- locatedintheIPv6TransitionCERouter ,removingtherequirement
- lw4o6 specifiesanextensiontoDS
- lw4o6requirements *
- lw4o6viathelw4o6DHCPv6options *
- manualconfiguration ,suchassettingupaDMZ,settingupvirtual
- mappingbetweenIPv6andIPv4addresses. *
- material *
- maybethecasethattheserviceproviderdoesnotuseordoesnot *
- meansofnewtransitionmechanisms.Thedocumentonlycovers *
- mechanismadevicewillneedoveritslifetime ,anIPv6TransitionCE
- mechanismfortransportingIPv4packetsacrossanIPv6networkusing *
- mechanismimplementedbytheIPv6TransitionCERouter. *
- mechanisms ,thismayrequiredifferentiatingmappings
- mechanisms *
- mechanisms ,includingdual
- mechanismsand *
- mechanismsareoutsidethescopeofthisdocument. *
- mechanismsmayneedtoconsidertrainingcostsforstaffinallthe *
- mechanismtotherelevantcustomers. *
- moreadvancedrequirementsincludeinboundconnections *
- network. *
- networkisoutofscopeforthisdocument.SecuringDHCPintheLAN *
- newfunctionalities.However ,atthetimeofwritingthisdocument,
- newrequirements ,asdescribedinthefollowingsubsections.
- oBasiccapabilitiesoftheIPv6TransitionCERouter *
- oProvisioningoftheLANinterfaces *
- oProvisioningoftheWANinterfaceconnectingtotheservice *
- ofDS-LiteviatheDS-LiteDHCPv6option *
- ofIPv6-onlyaccess ,privateIPv4addressesarealsoavailableifthe
- ofSharedIPv4Addressesasdescribedin .
- oftheoptiondefinedin .Thiscanalsobeusedifthe
- ofthisdocument ,meanthatmaliciousnodesmayalterthepriorityof
- ofthisdocument. *
- onlyabout0.15 *
- open-sourceimplementations *
- operators *
- operatorswillnecessarilyprovideIPv6support.Consumersmayalso *
- orconfigurationinformationdifferencesfrom .
- orsomeotherfirewallcontrolprotocol ,inthecaseofanIPv6
- othermechanismstoconfigurelw4o6parameters.Such *
- overanIPv6MulticastNetwork *
- parameters.Suchmechanismsareoutsidethescopeofthis *
- persistentvsnon-persistentandwhatsizetochoose *
- pertainingtoaconfigurationasappliedbyavendorprior *
- popularCEsalreadyinthemarket ,thenewrequiredcodeis
- possibleusagecases ,justanoverview.Infact,combinationsofthe
- prefix *
- priorityoptionsdescribedin *
- provideconnectivitytoaserviceprovidernetwork ,includinglink
- provider *
- providerorathird-partynetwork. *
- providingtransittootherexternalnetworks.However ,HNCP
- provisioning ,thefollowinggeneraltransitionrequirementsare
- publicationofthisdocument.Pleasereviewthesedocuments *
- publishedforinformationalpurposes. *
- receivedpublicreviewandhasbeenapprovedforpublicationbythe *
- regionalinsomecases.Figure1presentsasimplifiedviewofthis *
- remoteIPv4-onlyservicescontinuetobeaccessible ,forboth
- requeststotheserver. *
- requirementsmeettheirneeds ,theymayhaveadditionalrequirements,
- resultin *
- resultinserviceprovidersprovisioningIPv6-onlyWANaccess.At *
- routers.Figure2illustratesthemodeltopologyfortheend-user *
- scenariosandend-usernetworkarchitecture ,respectively.These
- scopeofthisdocument. *
- server.Theterm *
- servers ,orsettingupport
- serviceprovidernetwork. *
- serviceproviderorbyvendorswhosellthroughtheretailmarket. *
- serviceproviderusesDNS64 .
- services ,thenitMUSTsupport
- servicesoveranIPv6-onlyWANnetwork ,includingIPv6
- serviceswillstillbeprovidedusingIPv4tothecustomerLANs. *
- severaltransitionmechanismsand *
- shouldbeabletosupportallofthemwithminimalimpact. *
- sidebehindanIPv6TransitionCERouterconnectedtoanIPv6-only *
- singledataplaneiscommontoallofthem ,whichtypicallymeans,in
- solution. *
- somemanualconfiguration. *
- spaceamongseveralinterfaces.Insometransition *
- subnet ,theIPv6TransitionCERouterMUSTallow
- sufficientIPv4addressesavailableforeverypossiblecustomer *
- support. *
- supported ,itMUSTbeimplementedaccordingto
- supportedbyanIPv6TransitionCERouterandrelevantprovisioning *
- supportedtransitionmechanisms ,whichMUSTremain
- supportedtransitionmechanisms. *
- switchISPsandusethesameIPv6TransitionCERouterwitheitheran *
- techniquesfortheoperationandmanagementofthesemechanisms ,even
- technologiesfordeliveringIPv4inIPv6-onlyconnectivity. *
- thatDS-LitetrafficisforwardedovertheIPv6TransitionCE *
- thatMAP-TusesIPv4-IPv6translation ,insteadofencapsulation,as
- thatOPTION_S46_PRIORITYisnotsentforanyothertransition *
- thatspecifyfeaturesetsfortheIPv6TransitionCERoutermay *
- thattodaymayprovideaccesswithdual-stackorIPv6-in-IPv4 *
- theIPv6PrefixUsedforIPv6AddressSynthesis *
- theLANinterfaces ,firewall,DMZ,andmanyotherfeatures.However,
- theLANsidewhentheWANinterfaceisdown. *
- thePortControlProtocol *
- theTrustLegalProvisionsandareprovidedwithoutwarrantyas *
- theamountofcentralizedstate. *
- thecustomeredgerouterhasnotyetbeenprovisioned.Inthecase *
- theformofIPv6domaintransport. *
- them ,orprovidethepossibilitytosetuptheCEinbridgemode,so
- therequiredcodeforsupportingallthenewtransitionmechanisms ,
- thesametime ,theyneedtoensurethatbothIPv4
- thesedifferenceshaveimplicationsforthenetworkarchitecture. *
- theserviceprovidermayopttoconfiguretheNAT64prefixbymeans *
- thetransitionmechanisms. *
- thisdocument. *
- toSupportIPv4-as-a-Service *
- toas *
- totheadministratorchangingitforitsinitial *
- tothisdocument.CodeComponentsextractedfromthisdocumentmust *
- transitioningattheirownpace *
- transitionmechanismdetails.PCP maybeanalternative
- transitionmechanisms ,whicharealreadysupportedby
- transitionmechanismsenumeratedinthisdocument. *
- transitionmechanismslistedinthisdocument.Serviceproviders *
- transitionservicesforthesupportofIPv4-as-a-Service *
- translationsonaper-interfacebasis. *
- translator *
- trustDNS64 becausetheDNSconfigurationattheCE
- tunnel. *
- tunnels. *
- understandingofthisdocument. *
- unlessaNAT64 prefixhasbeenconfigured,in
- updateof oraNAT64DHCPv6configurationoptionmayenable
- upnp-resources *
- usedbyanupstreamPCP-controlledNAT64device. *
- useoneortheotherMUSTfollowthisorder *
- usernetworkisthatitprovidesstableaddressing *
- usingtheCLAT. *
- vendorswithregardtoincludingnewfunctionalities ,suchassupport
- versionsofthisdocument.ThanksalsofortheLastCallreviewsby *
- web ,DNS,email,VPN,etc.
- whichareoutofthescopeofthisdocument. *
- whichcase ,464XLAT
- whichportsareavailable ,anAddPortMapping
- withIPv4aaS. *
- withNATfunctionalityandasinglelinkupstream ,connectedtothe
- withmultipleLANinterfacesmaybehandledbymeansoftheHome *
- 1.1.ContextandMotivation *
- 1.1.ContextandMotivation.................2 *
- 1.2.Terminology *
- 1.2.Terminology.......................3 *
- 1.Introduction *
- 1.Introduction........................2 *
- 2.1.GeneralRequirements *
- 2.1.GeneralRequirements..................7 *
- 2.2.SignalChannelRequirements *
- 2.2.SignalChannelRequirements...............8 *
- 2.3.DataChannelRequirements *
- 2.3.DataChannelRequirements................13 *
- 2.4.SecurityRequirements *
- 2.4.SecurityRequirements..................14 *
- 2.5.DataModelRequirements *
- 2.5.DataModelRequirements.................16 *
- 2.Requirements *
- 2.Requirements........................5 *
- 2119KeyWords *
- 2727S.StateSt. *
- 3.1.SignalChannel *
- 3.1.SignalChannel.....................17 *
- 3.2.DataChannel *
- 3.2.DataChannel......................17 *
- 3.CongestionControlConsiderations *
- 3.CongestionControlConsiderations..............17 *
- 4.SecurityConsiderations *
- 4.SecurityConsiderations...................17 *
- 5.IANAConsiderations *
- 5.IANAConsiderations.....................18 *
- 6.1.NormativeReferences *
- 6.1.NormativeReferences..................18 *
- 6.2.InformativeReferences *
- 6.2.InformativeReferences.................20 *
- 6.References *
- 6.References.........................18 *
- A. ,andH.Ashida,
- A. ,Peterson,J.,Sparks,R.,Handley,M.,andE.
- ADOTSclientMAYwithdrawamitigationrequestatanytime *
- ADOTSclientmayobtainthemitigationscopethroughdirect *
- Abstract *
- Accept-list *
- Acknowledgments *
- Acknowledgments.........................21 *
- AdditionalDOTSsecurityconsiderationsmaybefoundin *
- AddressTextRepresentation *
- AndrewMortensen *
- AnnArbor ,MI48104
- ArborNetworks *
- Architecture *
- Asanactiveattackevolves ,DOTSclientsMUSTbeabletoadjust
- AspartofaprotocolexpectedtooperateoverlinksaffectedbyDDoS *
- AsspecifiedinDATA-001 ,thedatachannelrequiresreliable,in
- Astandardizedmethodtocoordinateareal-timeresponseamong *
- AstheresiliencerequirementsfortheDOTSsignalchannelmandate *
- Authors *
- Awell-structuredDOTSdatamodeliscriticaltothedevelopmentof *
- BCP14 when,andonlywhen,theyappearinall
- Bangalore ,Karnataka560071
- BlockingcommunicationbetweenDOTSagentshasthepotentialto *
- Bonica ,R.,Baker,F.,Huston,G.,Hinden,R.,Troan,O.,
- Category *
- CiscoSystems ,Inc.
- CommunicationLayers *
- Contributors *
- Contributors..........................21 *
- Copyright *
- CopyrightNotice *
- Countermeasure *
- DATA-001Reliabletransport *
- DATA-003ResourceConfiguration *
- DATA-004PolicyManagement *
- DDoS *
- DDoSOpenThreatSignaling *
- DDoSattackcausingnetworkcongestion. *
- DDoSattacktarget *
- DDoSattacktelemetry *
- DM-001Structure *
- DM-002Versioning *
- DM-003MitigationStatusRepresentation *
- DM-004MitigationScopeRepresentation *
- DM-005MitigationLifetimeRepresentation *
- DM-006MitigationEfficacyRepresentation *
- DM-007AcceptableSignalLossRepresentation *
- DM-008HeartbeatIntervalRepresentation *
- DM-009RelationshiptoTransport *
- DOI10.17487 *
- DOTSagent *
- DOTSagentsMUSTassumeaPMTUof1280bytes ,asIPv6requires
- DOTSagentsMUSTsupportmitigationscopealiases ,allowingDOTS
- DOTSagentsbeingcompromised. *
- DOTSagentscanalsosignificantlyaugmentattackresponse *
- DOTSagentscanattempttolearnPMTUusingtheprocedures *
- DOTSclient *
- DOTSclientandmodifyingthembeforetransmissiontotheDOTSserver *
- DOTSclientforupstreamDOTSservers.Client-domainDOTS *
- DOTSclientintoasingleDOTSagent.Thisfunctionalityis *
- DOTSclientisnotauthorizedtomanage. *
- DOTSclients ,whileserver
- DOTSclientsMAYtakethesemetricsintoaccountwhendetermining *
- DOTSclientsMUSTbeabletotransmitametricofperceived *
- DOTSclientsMUSTincludeamitigationlifetimeinallmitigation *
- DOTSclientsshouldsimilarlybeabletowithdrawaidrequests.DOTS *
- DOTSclientsthatpertaintomitigation ,configuration,filtering,
- DOTSclientstomanagedrop-andaccept-listsoftrafficdestined *
- DOTSclientwithinaDOTSgatewayareimplementation-specific ,
- DOTSgateway *
- DOTSmustoperatewithinaparticularlystrictsecuritycontext ,as
- DOTSprotocolimplementationsfacecompetingoperationalgoalswhen *
- DOTSprotocols. *
- DOTSprotocolsMUSTbeencryptedusingsecuretransports *
- DOTSprotocolsdesign. *
- DOTSserver *
- DOTSserverMUSTbelongtothesameadministrativedomain. *
- DOTSserverdoesnotgrantamitigationrequestwithanindefinite *
- DOTSserversMUSTbeabletoresolvedomainnamesand *
- DOTSserversMUSTregularlysendmitigationstatusupdatesto *
- DOTSserversMUSTrejectmitigationrequestswithscopesthatthe *
- DOTSserversMUSTtreatamitigationterminatedduetolifetime *
- DOTSserversSHOULDsupportindefinitemitigationlifetimes ,
- DOTSsignal *
- DTLS *
- Datachannel *
- DaveDolson *
- Denial-of-ServiceConsiderations *
- Denial-of-serviceconsiderationsarediscussedindetailin *
- DistributedDenial-of-Service *
- Dobbins ,R.,Migault,D.,Fouant,S.,Moskowitz,R.,
- Drop-list *
- Duetotheincreasedlikelihoodofpacketlosscausedbylink *
- Email *
- EmbassyGolfLinkBusinessPark *
- FYI36 ,RFC4949,DOI10.17487
- Filter *
- Finally ,DOTSshouldbesufficientlyextensibletomeetfutureneeds
- Firewallbindingsdonotexpire ,byusingthekeep
- Firewallbindingstoavoidcryptographichandshakefornew *
- FlemmingAndreasen *
- Followingmutualauthentication ,asignalchannelMUSTbe
- Forexample ,aDOTSclientshouldbeabletocreateadrop
- GEN-001Extensibility *
- GEN-002ResilienceandRobustness *
- GEN-003BulkDataExchange *
- GEN-004MitigationHinting *
- GEN-005LoopHandling *
- Guidelines *
- Heartbeat *
- HowaDOTSserverauthorizesDOTSclientmanagementofdrop-and *
- Huawei *
- IPv4datagrams ,aseveryIPv4hostmustbecapableofreceivinga
- ISSN *
- IfUDPisusedasthetransportfortheDOTSsignalchannel ,all
- Ifthereisadditionalinformationavailablenarrowingthescope *
- ImpersonationofeitheraDOTSserveroraDOTSclientcouldhave *
- India *
- Informationaboutthecurrentstatusofthisdocument ,anyerrata,
- InitiationProtocol *
- InorderforDOTSprotocolstoremainsecuredespiteadvancements *
- InternetEngineeringSteeringGroup *
- InternetEngineeringTaskForce *
- Likewise ,DOTSserversMUSTrefusetoallowcreation,
- MAYexposeadditionalconfigurability.Additionalconfigurability *
- MUSTallowreferencestodescribetheoveralldatamodel *
- MUSTbedeliveredreliablyintheordersent. *
- MUSTregularlysendheartbeatstoeachotherwhileamitigation *
- MUSTsupportthefollowingrequiredscopetypes *
- MUSTthereforebecapableoftraversingNATs. *
- May2019 *
- McAfee *
- Mitigation *
- Mitigationmethodologyisoutofscopeforthisdocument. *
- Mitigator *
- MohamedBoucadair *
- Mortensen ,etal.Informational
- Mortensen ,A.,Ed.,Reddy,T.,Ed.,Andreasen,F.,Teague,
- MultihomedDOTSclient *
- N. ,andR.Compton,
- NATs *
- OakPark ,MI42837
- OpenThreatSignaling *
- OperatorsofpeerDOTS-enableddomainsmayenableeitherquality-of- *
- Orange *
- Plan *
- ProvisionsRelatingtoIETFDocuments *
- R.Moskowitz *
- RFC3986 ,DOI10.17487
- RFC7092 ,DOI10.17487
- RFC793 ,DOI10.17487
- RFC8612DOTSRequirementsMay2019 *
- ReachabilityinformationofpeerDOTSagentsisprovisionedtoaDOTS *
- RequestforComments *
- RequirementLevels *
- ResourceIdentifier *
- Retana ,SureshKrishnan,BenCampbell,MirjaKuehlewind,andJon
- RobertMoskowitz *
- RobertSparks ,BrianWeis,BenjaminKaduk,EricRescorla,Alvaro
- S. ,andK.Naito,
- SEC-001PeerMutualAuthentication *
- SEC-002MessageConfidentiality ,Integrity,andAuthenticity
- SEC-003DataPrivacyandIntegrity *
- SEC-004MessageReplayProtection *
- SEC-005Authorization *
- SIG-001UseofCommonTransportProtocols *
- SIG-002Sub-MTUMessageSize *
- SIG-003Bidirectionality *
- SIG-004ChannelHealthMonitoring *
- SIG-005ChannelRedirection *
- SIG-006MitigationRequestsandStatus *
- SIG-007MitigationLifetime *
- SIG-008MitigationScope *
- SIG-009MitigationEfficacy *
- SIG-010ConflictDetectionandNotification *
- SIG-011NetworkAddressTranslatorTraversal *
- Sandvine *
- Schooler ,
- Section2.2 ,thesignalchannelprotocolmustbedesignedforminimal
- Security *
- Service *
- Shallowfortheircarefulreadingandfeedback. *
- Signalchannel *
- SignalchannelimplementationsusinganIETFstandardcongestion- *
- Similarly ,animpersonatedDOTSservermaybeabletoactasasort
- Standard *
- StatusofThisMemo *
- TableofContents *
- Teague ,N.,Xia,L.,andK.Nishizuka,
- ThankstoRomanDanyliw ,MattRichardson,JoeTouch,ScottBradner,
- TheDOTSprotocolmust ,ataminimum,makeitpossibleforaDOTS
- TheDOTSserverandclientmustalsohavesomestandardizedmethodof *
- Thedatachannelisintendedtobeusedforbulkdataexchanges *
- Thedatachannelisnotexpectedtooperateinsuchconditions. *
- ThedatachannelprovidesaprotocolforDOTSconfigurationand *
- TheexpectedlayoutandinteractionsamongstDOTSentitiesis *
- ThefollowingmitigationscopetypeisOPTIONAL *
- ThegoalofDOTSprotocolsistoenableandmanagemitigationon *
- ThegoaloftheDOTSrequirementsspecificationistospecifythe *
- Theinitialactive-but-terminatingperiodisbothimplementation- *
- Thekeywords *
- Themodesofauthorizationareimplementation-specific. *
- TheprevalenceandimpactoftheseDDoSattackshasledtoan *
- Thereasonsthemselvesareoutofscopeforthisdocument.Ifthe *
- Thesecapitalizedwordsareusedtosignifytherequirementsforthe *
- ThisdefensecouldbecoordinatedbyaDOTSserverandinclude *
- Thisdocumentadoptsthefollowingterms *
- ThisdocumentdefinestherequirementsfortheDistributedDenial-of- *
- ThisdocumenthasnoIANAactions. *
- Thisdocumentinformsfutureprotocolsunderdevelopmentandsodoes *
- ThisdocumentisaproductoftheInternetEngineeringTaskForce *
- ThisdocumentisnotanInternetStandardsTrackspecification *
- ThisdocumentissubjecttoBCP78andtheIETFTrust *
- ThreatSignaling *
- TirumaleswarReddy *
- Today ,theseservicesofferproprietaryinterfacesforsubscribersto
- TodetectcompromisedDOTSagents ,DOTSoperatorsshouldcarefully
- Todetectmisuse ,asdetailedinSection2.4,DOTSimplementations
- ToprotectagainstrouteorDNSflappingcausedbyaclient *
- Tosupportscenariosinwhichlossofheartbeatisusedtotrigger *
- Translation *
- TransmissionControlProtocol *
- UDP *
- UnitedStatesofAmerica *
- WhenDOTSclient-requestedmitigationisactive ,DOTSserver
- Whennoattacktrafficispresent ,thesignalchannelMUSTbe
- WhileconnectionlesstransportsuchastheUserDatagramProtocol *
- WhiletheinterfacesbetweendownstreamDOTSserverandupstream *
- Withinthesignalchannel ,messagesMUSTbeuniquelyidentified
- aDDoSattack.Potentialtargetsinclude *
- abletorepresenttheDOTSagent *
- absence. *
- absorblatencyincurredbyroutepropagation.IfaDOTSclient *
- abuse ,enablingorsupplementingtheveryattacksDOTSpurportsto
- accept-listedsourceaddresses ,addressorprefixgroupaliasing,
- accept-listentriesisimplementation-specific. *
- accept-listentry ,retrievealistofcurrententriesfromeither
- actioninanticipationoforinresponsetoanattack ,butitdoes
- active-but-terminatingperiodelapses ,theDOTSserverMUSTtreat
- activeDOTSclienthasnotrequestedmitigation ,inorderto
- activeorexpectedDDoSattacks.TheDOTSsignalchannelisexpected *
- additionalattackdetails.DOTSserversMAYignoresuch *
- addressestowhichthedomainnameorURIresolverepresentthe *
- administrativedomainattemptingtohonorconflictingrequestsmay *
- affectpolicyonthenetworkpathtotheDOTSclient *
- agent *
- agentimpersonationandsignalblockingarediscussedhere. *
- agents. *
- allowingclientstoextendmitigationasnecessaryforthe *
- analogoustoaSessionInitiationProtocol *
- and .
- andDOTSprotocoldocuments. *
- andF.Gont ,
- anddeployment-specific ,butSHOULDbesufficientlylongenoughto
- andfilteringoutspecifictypesofDDoSattacktrafficwhile *
- andforwardonlythelatter. *
- andhowtoprovidefeedbackonitmaybeobtainedat *
- andincludinginstantiationofdrop-listsblockingallinbound *
- andthenewprefixgroupalias ,oranerrorstatusandmessageinthe
- aninsufficientlyprotectedsignalordatachannelmaybesubjectto *
- anyassumptionsaboutspecificcharacteristicsofanygiven *
- applytoDOTS.Regardlessoftransport ,DOTSprotocolsMUST
- approvedbytheIESGarecandidatesforanylevelofInternet *
- arediscussedin ,andtheDOTSarchitectureisdiscussed
- arerequestedofitareoutofscopeforthisdocument.The *
- asdescribedinSIG-003. *
- asmallsignalmessagesize ,aseparate,securedatachannel
- asnecessarythescopeofrequestedmitigationbyrefiningthe *
- aspartofnewerprotocolversions. *
- assumedtobelongtothesameadministrativeentity. *
- attack ,usingfeedbackfromthemitigatorandotheravailable
- attack ,wherecountermeasureenforcementismanagedbyanentity
- attack.DOTS-serverhandlingofmitigationhintsis *
- attackdetailsmightincludelocallycollectedfingerprintsforan *
- attackmitigationandreducetheimpactoftheseattacks.This *
- attackmitigationsolutionsthemselves ,orareconstrainedbylocal