Inter-Domain DOTS Use Cases - PowerPoint PPT Presentation

Inter-Domain DOTS Use Cases draft-nishizuka-dots-inter-domain-usecases-00 Kaname Nishizuka, NTT Communications Nov. 2015 IETF94@yokohama

Draft Overview � Motivation � The volume of DDoS attack will exceed available anti- DDoS capability by one organization. � Inter-domain cooperative DDoS mitigation is essential. � Describe DDoS protection scenario in two stages � Provisioning stage & Signaling stage � Based on our production DDoS protection service � Willing to generalize it to be more vendor-agnostic to fit to DOTS. � Describe three Inter-domain usecases

Scenario Overview (1)Provisioning stage Attackers Provisioning of DDoS protection capability NW1 (2) DDoS Detection - Automatic detection DDoS Mitigator (4) - Automatic/manual trigger of DDoS protection Scope of Dots DDoS (3)Signaling stage (1) (3) “Call for help” signaling from supplicant (=flowcollector, in our case) to DDoS mitigator (2) Flow NW2 (4)Mitigation action from the mitigator to Collector NW elements - BGP injection(RTBH/Diversion) Victim - Controlling multi-vender mitigation box - Changing ACL of routers - Flowspec advertisement

Provisioning Stage What information should be confirmed between DDoS mitigator and supplicant in advance? 1. Protection capability 2. Restriction on the range of IP addresses and ports 3. Return path information of the mitigated traffic 4. Authorization information to restrict the supplicant

Signaling Stage Mandatory information � IP address of defense target � Instruction (Start/Stop) � Authorization information Optional information � Traffic volume, type of attack etc,… � Can be used for choice of DDoS protection methods � Though optional information is useful, let leave the final decision to upper DDoS protection entity.

Inter-domain usecase1: Multi-home model � one supplicant � multi mitigators Attackers Attackers � The common Domain A Domain B signaling protocol Mitigator Mitigator DDoS DDoS (dots server) (dots server) can protect a DDoS service in one- stop by protecting Supplicant (dots client) both links NW connected to different domain. dots signaling Victim

Inter-domain usecase2: Cloud model � multi supplicants Attackers Attackers � one mitigator Mitigator (dots server) � Cloud type of Cloud type DDoS DDoS mitigation DDoS service service provides common signaling Supplicant Supplicant interface, so any (dots client) (dots client) services in different Domain A Domain B domain can use the mitigator. Victim Victim dots signaling

Inter-domain usecase3: Delegation model � a mitigator can be supplicant and vice Mitigator Attackers (dots server) versa. Domain B � The mitigator in a DDoS Mitigator (dots server/client) domain can delegate Domain A the burden of DDoS protection to other domains by dots Supplicant (dots client) signaling. NW dots signaling Victim

Cooperative DDoS Mitigation with DOTS Signaling Attackers Attackers Mitigator Mitigator (dots server/client) (dots server/client) Domain A Domain B DDoS Supplicant Supplicant (dots client) (dots client) NW NW Victim Victim dots signaling

Nextstep Improvements � Align terminology with other drafts. � Illustrate inter-domain usecase in more detail. Nextstep � Can it be merged into one usecase draft?