DOTS First Interoperability Test
IETF 100 Hackathon Report
Kaname Nishizuka / NTT Communications
Jon Shallow / NCC Group
Liang Xia / Huawei
DOTS is now working!
• DOTS WG is aiming to make it standardized this year
• Now we have several individual implementations
  – go-dots (open-sourced project) from NTT
  – NCC Group's proprietary implementation
• This first interoperability test at the hackathon is a giant step towards proving it works.
What happened in the Hackathon
• 3 active projects with 7 participants
  – including 3 remote participants from Tokyo, London and Nanjing
• The 3 projects are:
  1. First interoperability test of 2 individual implementations
  2. Adding new features and extensions to the open-sourced implementation
  3. (Integration with a detection system for the Mirai botnet)

1. First interoperability test of 2 individual implementations
  – go-dots (open-sourced project) from NTT
    • Kaname Nishizuka, Takahiko Nagata (Remote)
  – NCC Group's proprietary implementation
    • Jon Shallow (Remote)
What we proved in the Interop
• We can start and handle a mitigation from each client over the DOTS signal channel (CoAP over DTLS)
• Plus, NCC Group's implementation can act as a DOTS relay (gateway), so we proved that relayed mitigation requests can work across multiple organizations.
[Figure: "Mitigation Request Model" interop topology. A go-dots DOTS client sends mitigation requests (PUT, GET, DELETE) to an NCC Group node acting as DOTS server and DOTS client (relay), which answers OK, takes a mitigation action and forwards the mitigation request to a go-dots DOTS server; the go-dots server answers OK and takes a mitigation action (RTBH).]
DOTS Signal Channel Layers (top to bottom)
  DOTS
  CoAP
  TLS / DTLS
  TCP / UDP
  IP
General Feedback to DOTS WG
• Implementation experiences
  – For example, most of the code modification was related to encode/decode of the CoAP mapping
  – There were many implicit specifications we needed to figure out and agree on
• Need more description of the content and code
• Approx. 60% of the signal-channel spec has been proved to work
  – The rest will be done at/by the next IETF
go-dots Feedback to DOTS WG
• Preparation for the interop test
  – Agree on port number (-06) and URI path (-07)
  – Fixed CBOR mapping
  – Updated data models
• Code updates during Hackathon
  – Omit empty (NULL) entries in requests
  – Fixed response body
• Test scenarios should be listed and shared
  – to cover every pattern of request/response type and see normal/error behavior
  – unintended behavior can be found only by interop
NCC Group Feedback to DOTS WG (Pt 1)
• Code updates during Hackathon
  – CBOR <-> JSON mapping fixes for NULL entries
  – Removed NULL entries confusion and deleted NULL entries in any response
  – Added support for multiple mitigation requests within a single PUT
• NCC DOTS client crashing go-dots DOTS server
  – Disabled Signal Configuration requests
  – Disabled Heartbeats
  – Still go-dots server issues handling NCC client requests - to be worked on
NCC Group Feedback to DOTS WG (Pt 2)
• Outstanding NCC Group items to be fixed
  – DOTS client handling bad CoAP Ping responses
  – Support of GET empty requests that are not CBOR encoded
• Questions
  – Should NULL entries be allowed?
  – Should a NULL entry of type Object be allowed when the definition is Array?
  – What should happen when lifetime=0 is requested?
  – Should there be support for multiple mitigation requests within a single PUT?
Using DOTS Vendor-Specific Attributes for Global IP Reputation Sharing
[Figure: a DOTS client sends a Mitigation Request (CoAP PUT over the signal channel) carrying IP reputation data to a DOTS server, which answers with a CoAP Response and stores the data in a Global IP Reputation Database keyed by botnet-ip (botnet-ip1 … botnet-ipN, each with attack-type, peak-traffic, start-time, period).]
Vendor-specific extension of the mitigation request data model:
  mitigation-scopes
    …
    Vendor-Specific:
      attack-event* [target-ip]
        target-ip
        top-attack* [botnet-ip]
          botnet-ip
          attack-type
          peak-traffic { bps, pps }
          start-time
          period
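As an added example (not code from the slides or from go-dots or NCC Group), the following Go code models the vendor-specific attack-event attributes in JSON form and applies the two NULL-entry fixes the hackathon feedback describes: empty entries are omitted when a request is built, and NULL entries are stripped when a peer's message is decoded, so a stray "top-attack": null cannot take the server down. Go field and function names are assumptions; the CBOR mapping of the same keys is not shown.

```go
package main
import "encoding/json"

// Vendor-specific attack-event model from the slides, in JSON form
// (Go field names are assumptions; JSON keys follow the slide).
type PeakTraffic struct {
	Bps uint64 `json:"bps,omitempty"`
	Pps uint64 `json:"pps,omitempty"`
}
type TopAttack struct {
	BotnetIP    string       `json:"botnet-ip"`
	AttackType  string       `json:"attack-type,omitempty"`
	PeakTraffic *PeakTraffic `json:"peak-traffic,omitempty"`
	StartTime   int64        `json:"start-time,omitempty"`
	Period      int64        `json:"period,omitempty"`
}
type AttackEvent struct {
	TargetIP  string      `json:"target-ip"`
	TopAttack []TopAttack `json:"top-attack,omitempty"`
}

// EncodeAttackEvents builds the vendor-specific part of a mitigation
// request; omitempty drops unset entries instead of sending them as NULL.
func EncodeAttackEvents(events []AttackEvent) (string, error) {
	b, err := json.Marshal(struct {
		AttackEvent []AttackEvent `json:"attack-event"`
	}{events})
	return string(b), err
}

// StripNulls recursively deletes NULL object members from a decoded
// message (e.g. "top-attack": null where an array is defined), so a peer
// that still sends them is accepted instead of crashing the server.
func StripNulls(v interface{}) interface{} {
	switch t := v.(type) {
	case map[string]interface{}:
		for k, val := range t {
			if val == nil {
				delete(t, k) // deleting during range is safe in Go
			} else {
				t[k] = StripNulls(val)
			}
		}
	case []interface{}:
		for i, val := range t {
			t[i] = StripNulls(val)
		}
	}
	return v
}
```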
Using DOTS Vendor-Specific Attributes for Outbound Attack Mitigation
[Figure: the same signal-channel exchange (CoAP PUT Mitigation Request, CoAP Response) carrying the vendor-specific attack-event model of the previous slide; here the DOTS server stores the attack source information in an Outbound Attack Repository keyed by botnet-ip (botnet-ip1 … botnet-ipN, each with target-ip, attack-type, peak-traffic, start-time, period), locates the attack source at the botnet IP, and sends a mitigation request to that attack source (over the DOTS signal channel or other means) to enable outbound attack mitigation.]