Merge branch 'develop' of https://github.com/nttdots/dots-go-implemen…

…tation into masterpublic

README.md

@@ -6,11 +6,12 @@
 
 "go-dots" is a DDoS Open Threat Signaling (dots) implementation written in Go. This implmentation is based on the Internet drafts below. 
 
-* draft-ietf-dots-signal-channel-25
-* draft-ietf-dots-data-channel-22
+* draft-ietf-dots-signal-channel-26
+* draft-ietf-dots-data-channel-24
 * draft-ietf-dots-architecture-06
 * draft-ietf-dots-requirements-14
 * draft-ietf-dots-use-cases-14
+* draft-nishizuka-dots-signal-control-filtering-01
 
 This implementation is not fully compliant with the documents listed above.  For example, we are utilizing CoAP as the data channel protocol while the current version of the data channel document specifies RESTCONF as the data channel protocol.
 
@@ -117,6 +118,9 @@ For more detailed information about the configuration of 'goeapi', refer to the
 * [arista-goeapi](https://github.com/aristanetworks/goeapi)
 
 
+##  Signal Channel
+The primary purpose of the signal channel is for a DOTS client to ask a DOTS server for help in mitigating an attack, and for the DOTS server to inform the DOTS client about the status of such mitigation.
+
 ### Client Controller [mitigation_request]
 
     $ $GOPATH/bin/dots_client_controller -request mitigation_request -method Put \
@@ -200,6 +204,7 @@ Configure dots_client to use 'mitigating-config' parameters
     -json $GOPATH/src/github.com/nttdots/go-dots/dots_client/sampleClientConfigurationRequest_Mitigating.json
 
 ##  Data Channel
+The primary purpose of the data channel is to support DOTS related configuration and policy information exchange between the DOTS client and the DOTS server.
 
 All shell-script and sample json files are located in below directory:
     $ cd $GOPATH/src/github.com/nttdots/go-dots/dots_client/data/
@@ -323,6 +328,16 @@ Remove Filtering Rules
 
     $ ./do_request_from_file.sh DELETE {href}/data/ietf-dots-data-channel:dots-data/dots-client=123/acls/acl=sample-ipv4-acl
 
+## Signal Channel Control Filtering
+Unlike the DOTS signal channel, the DOTS data channel is not expected to deal with attack conditions.
+Therefore, when DOTS client is under attacked by DDoS, the DOTS client can use DOTS signal channel protocol to manage the filtering rule in DOTS Data Channel to enhance the protection capability of DOTS protocols.
+
+### Client Controller [mitigation_control_filtering]
+
+    $ $GOPATH/bin/dots_client_controller -request mitigation_request -method Put \
+     -cuid=dz6pHjaADkaFTbjr0JGBpw -mid=123 \
+     -json $GOPATH/src/github.com/nttdots/go-dots/dots_client/sampleMitigationRequestDraftControlFiltering.json
+
 ## DB
 
 To set up your database, refer to the [Database configuration document](./docs/DATABASE.md)  

dots_client/config/config.go

@@ -13,6 +13,8 @@ type SignalConfiguration struct {
 	AckTimeout        float64 `yaml:"ackTimeout"`
 	AckRandomFactor   float64 `yaml:"ackRandomFactor"`
 	IntervalBeforeMaxAge  int `yaml:"intervalBeforeMaxAge"`
+	InitialRequestBlockSize *int `yaml:"initialRequestBlockSize"`
+	SecondRequestBlockSize  *int `yaml:"secondRequestBlockSize"`
 }
 
 /**

dots_client/data/sampleAcl.json

@@ -1,27 +1,37 @@
 {
-    "ietf-dots-data-channel:acls":{
-       "acl":[
-          {
-             "name":"sample-ipv4-acl",
-             "type":"ipv4-acl-type",
-             "activation-type":"activate-when-mitigating",
-             "aces":{
-                "ace":[
-                   {
-                      "name":"rule1",
-                      "matches":{
-                         "ipv4":{
-                            "destination-ipv4-network":"198.51.100.0/24",
-                            "source-ipv4-network":"192.0.2.0/24"
-                         }
-                      },
-                      "actions":{
-                         "forwarding":"drop"
-                      }
-                   }
-                ]
-             }
-          }
-       ]
-    }
+    "ietf-dots-data-channel:acls":{  
+        "acl":[  
+           {  
+              "name":"sample-ipv4-acl",
+              "type":"ipv4-acl-type",
+              "activation-type":"immediate",
+              "aces":{  
+                 "ace":[  
+                    {  
+                       "name":"rule1",
+                       "matches":{  
+                          "ipv4":{
+                             "source-ipv4-network":"192.168.17.0/24",
+                             "destination-ipv4-network":"1.1.2.0/24",
+                             "ttl":10,
+                             "protocol":6,
+                             "flags":"more",
+                             "dscp": 3
+                          },
+                          "tcp":{
+                              "destination-port":{
+                                  "lower-port":443,
+                                  "upper-port":445
+                              }
+                          }
+                       },
+                       "actions":{  
+                          "forwarding":"accept"
+                       }
+                    }
+                 ]
+              }
+           }
+        ]
+     }
  }

dots_client/data/sampleAlias.json

@@ -7,8 +7,7 @@
                 6
              ],
              "target-prefix":[
-                "2001:db8:6401::1/128",
-                "2001:db8:6401::2/128"
+                "1.1.2.0/24"
              ],
              "target-port-range":[
                 {

dots_client/dots_client.yaml

@@ -6,4 +6,11 @@ ackTimeout: 2
 ackRandomFactor: 1.5
 
 # Time (seconds) before max-age to refresh Get session config
-intervalBeforeMaxAge: 15
+intervalBeforeMaxAge: 15
+
+# Client request with block2 option at the first time
+initialRequestBlockSize : 5
+
+# Client request without the block2 option at the first time.
+# If client does not accept with the recommended block size from server, client can send a request with block2 option (new block size)
+secondRequestBlockSize: 3

dots_client/dots_client.yaml.template

@@ -6,4 +6,11 @@ ackTimeout: 2
 ackRandomFactor: 1.5
 
 # Time (seconds) before max-age to refresh Get session config
-intervalBeforeMaxAge: 15
+intervalBeforeMaxAge: 15
+
+# Client request with block2 option at the first time
+initialRequestBlockSize : 5
+
+# Client request without the block2 option at the first time.
+# If client does not accept with the recommended block size from server, client can send a request with block2 option (new block size)
+secondRequestBlockSize: 3

dots_client/main.go

@@ -200,9 +200,9 @@ func makeServerHandler(env *task.Env) http.HandlerFunc {
 			requestQuerys = tmpPaths[i+1:]
 			break
 		}
+		options := make(map[messages.Option]string)
 		// Create observe option
 		observeStr := r.Header.Get(string(messages.OBSERVE))
-		options := make(map[messages.Option]string)
 		if observeStr != "" {
 			options[messages.OBSERVE] = observeStr
 		}
@@ -211,7 +211,6 @@ func makeServerHandler(env *task.Env) http.HandlerFunc {
 			options[messages.IFMATCH] = val[0]
 		}
 
-
 		log.Debugf("Parsed URI, requestName=%+v, requestQuerys=%+v, options=%+v", requestName, requestQuerys, options)
 
 		if requestName == "" || (!isClientConfigRequest(requestName) && !messages.IsRequest(requestName)) {
@@ -380,6 +379,12 @@ func loadConfig(env *task.Env) error{
 	// Set max-retransmit, ack-timeout, ack-random-factor to libcoap
 	env.SetRetransmitParams(config.MaxRetransmit, decimal.NewFromFloat(config.AckTimeout).Round(2), decimal.NewFromFloat(config.AckRandomFactor).Round(2))
 	env.SetIntervalBeforeMaxAge(config.IntervalBeforeMaxAge)
+	if config.InitialRequestBlockSize != nil && *config.InitialRequestBlockSize >= 0 {
+		env.SetInitialRequestBlockSize(config.InitialRequestBlockSize)
+	}
+	if config.SecondRequestBlockSize != nil && *config.SecondRequestBlockSize >= 0 {
+		env.SetSecondRequestBlockSize(config.SecondRequestBlockSize)
+	}
 	return nil
 }
 

dots_client/request.go

@@ -138,8 +138,8 @@ func (r *Request) CreateRequest() {
 	r.pdu.Options = make([]libcoap.Option, 0)
 	observeStr := r.options[messages.OBSERVE]
 	if observeStr != "" {
-		observeValue, error := strconv.ParseUint(observeStr, 10, 16)
-		if error != nil {
+		observeValue, err := strconv.ParseUint(observeStr, 10, 16)
+		if err != nil {
 			log.Errorf("Observe is not uint type.")
 			goto SKIP_OBSERVE
 		}
@@ -169,6 +169,20 @@ SKIP_OBSERVE:
 		r.pdu.SetOption(libcoap.OptionIfMatch, val)
 	}
 
+	// Block 2 option
+	if (r.requestName == "mitigation_request") && (r.method == "GET") {
+		blockSize := r.env.InitialRequestBlockSize()
+		if blockSize != nil {
+			block := &libcoap.Block{}
+			block.NUM = 0
+			block.M   = 0
+			block.SZX = *blockSize
+			r.pdu.SetOption(libcoap.OptionBlock2, uint32(block.ToInt()))
+		} else {
+			log.Debugf("Not set block 2 option")
+		}
+	}
+
 	if r.Message != nil {
 		r.pdu.Data = r.dumpCbor()
 		r.pdu.SetOption(libcoap.OptionContentFormat, uint16(libcoap.AppCbor))
@@ -180,6 +194,32 @@ SKIP_OBSERVE:
 	log.Debugf("r.pdu=%+v", r.pdu)
 }
 
+/*
+ * Handle response from server
+ */
+func (r *Request) handleResponse(task *task.MessageTask, response *libcoap.Pdu) {
+	isMoreBlock, eTag, block := r.env.CheckBlock(response)
+	// if block is more block, sent request to server with block option
+	// else display data received from server
+	if isMoreBlock {
+		r.pdu.MessageID = r.env.CoapSession().NewMessageID()
+		r.pdu.SetOption(libcoap.OptionBlock2, uint32(block.ToInt()))
+		r.Send()
+	} else {
+		if eTag != nil {
+			response.Data = r.env.GetBlockData(*eTag)
+			delete(r.env.Blocks(), *eTag)
+		}
+		r.logMessage(response)
+	}
+	// If this is response of session config Get without abnormal, restart ping task with latest parameters
+	if (r.requestName == "session_configuration") && (r.method == "GET") &&
+		(response.Code == libcoap.ResponseContent) {
+		RestartPingTask(response, r.env)
+		RefreshSessionConfig(response, r.env, r.pdu)
+	}
+}
+
 func handleTimeout(task *task.MessageTask, request map[string] *task.MessageTask) {
 	key := fmt.Sprintf("%x", task.GetMessage().Token)
 	delete(request, key)
@@ -205,15 +245,7 @@ func (r *Request) Send() {
 		retry,
 		time.Duration(timeout) * time.Second,
 		false,
-		func (_ *task.MessageTask, response *libcoap.Pdu) {
-			r.logMessage(response)
-			// If this is response of session config Get without abnormal, restart ping task with latest parameters
-			if (r.requestName == "session_configuration") && (r.method == "GET") && 
-				(response.Code == libcoap.ResponseContent) {
-				RestartPingTask(response, r.env)
-				RefreshSessionConfig(response, r.env, r.pdu)
-			}
-		},
+		r.handleResponse,
 		handleTimeout)
 
 	r.env.Run(task)

dots_client/sampleMitigationRequestDraftControlFiltering.json

@@ -0,0 +1,34 @@
+{
+  "ietf-dots-signal-channel:mitigation-scope": {
+    "scope": [
+      {
+        "target-prefix": [
+            "2001:db8:6401::1/128",
+            "2001:db8:6401::2/128"
+        ],
+        "target-port-range": [
+          {
+            "lower-port": 80
+          },
+          {
+            "lower-port": 443
+          },
+          {
+           "lower-port": 8080
+          }
+        ],
+        "target-protocol": [
+         6
+        ],
+        "acl-list": [
+          {
+              "acl-name": "sample-ipv6-acl",
+              "activation-type": "deactivate"
+          }
+        ],
+        "lifetime": 100,
+        "trigger-mitigation": true
+      }
+    ]
+  }
+}