Multi-homing Considerations for DOTS Prague, July 2017

Transcription

1 Multi-homing onsiderations for DOT Prague, July 2017 M. Boucadair (Orange) T. Reddy (McAfee) 1

2 Objectives omplete the base DOT architecture with multihoming specifics Identify DOT deployment schemes in a multi-homing context Where the upstream transit provider(s) is offering DDo mitigation service Without recommending any favorite scheme ketch guidelines and recommendations for placing DOT requests in multi-homed networks, e.g.,: elect the appropriate DOT server(s) Identify cases where anycast is not recommended 2

3 Why is This Document Needed? end a DOT mitigation request to an arbitrary DOT server won t help mitigating a DDo attack Blindly forking all DOT mitigation requests among all available DOT servers is suboptimal equentially contacting DOT servers may increase the delay before a mitigation plan is enforced Guidance is therefore needed for DOT client/gateway implementations 3

4 Methodology Rely upon draft-ietf-dots-use-case to identify and extract viable deployment candidates Augment the description with multi-homing technicalities, e.g., One vs. multiple upstream network providers One vs. multiple interconnect routers Provider-Independent (PI) vs. Provider-Aggregatable (PA) Describe the recommended behavior of DOT clients and gateways for each case 4

5 ample Multi-Homing cenarios 1 2 R2 Provider 3 4 H1 PLMN R2 H2 LAN PE Fixed Access e.g., Enterprise s Residential PE 5

6 DOT in Multi-Homed s: erver ide DOT service can be offered by all or a subset of upstream providers, e.g., H1 PLMN H2 LAN PE Fixed Access The The server can can be be reached only from this this network H1 PLMN R2 H2 LAN PE Fixed Access 6

7 DOT in Multi-Homed s: lient ide Decides whether a request from is to be forked or not. Then, it forwards it to the appropriate server(s) G R2 R2 G G Provider Provider It decide whether a request is to be forwarded or not to its upstream server G R2 G H2 H1 LAN PE PLMN Fixed Access 7

8 Typical DOT Associations ingle PE, Multiple Upstream IPs Residential PE G Multiple PEs, Multiple Upstream IPs G2 1 2 G1 Guidance and recommendations are further elaborated in the draft ee the sample in the next slide 1 G2 G1 1 2 ingle upstream IP 8

9 ample Recommendations 1 2 The DOT client MUT be able to associate a DOT server with each upstream network The DOT client MUT resolve the DOT server's name provided by an upstream network using the DN servers learned from the same network The DOT client MUT use the source address selection algorithm as per RF6724 to select the candidate source addresses to contact each of these DOT servers DOT signaling sessions MUT be established and maintained with each of the DOT servers because the mitigation scope of these servers is restricted When conveying a mitigation request to protect the attack target(s), the DOT client among the DOT servers available MUT select a DOT server whose network has assigned the prefixes from which target prefixes and target IP addresses are derived 9

10 amples where Anycast is not Recommended PI G R2 G PA G R2 G Do traffic is still received from NP2 Do traffic is still received from NP2 10

11 Next teps ontributions are welcome onsider adopting this document as a WG to complement the DOT Architecture Questions? 11