Internet Draft                                               T. Yamada
Internet Engineering Task Force                                Toshiba
File: draft-yamada-active-trace-00.txt                    October 2002
Expires April 2003


                       Active Traceback Protocol


Status of this Memo

   This document is an Internet-Draft and is subject to all provisions
   of Section 10 of RFC2026.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF), its areas, and its working groups.  Note that
   other groups may also distribute working documents as Internet-
   Drafts.

   Internet-Drafts are draft documents valid for a maximum of six
   months and may be updated, replaced, or obsoleted by other documents
   at any time.  It is inappropriate to use Internet-Drafts as
   reference material or to cite them other than as "work in progress."

   The list of current Internet-Drafts can be accessed at
   http://www.ietf.org/ietf/1id-abstracts.txt

   The list of Internet-Draft Shadow Directories can be accessed at
   http://www.ietf.org/shadow.html

   Distribution of this memo is unlimited.

Abstract

   General traceback protocols (e.g. itrace) only consider sending
   traceback information from Generator to Tracer.  They are of little
   help when victims and/or the Tracer want to know who is attacking
   them, because conventional traceback mechanisms do not reflect the
   Tracer's intention.  This draft therefore proposes an additional
   protocol for conventional traceback protocols, especially itrace,
   that reflects the Tracer's intention and lets the Tracer control the
   generation of traceback information by the Generator.

T. Yamada                                                       [Page 1]

Internet Draft            Active Traceback Protocol         October 2002

1. Introduction

   Conventional traceback protocols only send traceback information
   from information generators (e.g. routers) to a tracer, which
   collects and analyses that information in a random or otherwise
   uncontrolled fashion.  For subjective and fine-grained traceback,
   however, a tracer must be able to control the generators' behaviour
   in order to collect more in-depth data about attacking packets.
   Therefore we propose new protocol options for itrace that enable
   control of the generator and enhance the tracing ability of the
   tracer.

   This draft divides the family of traceback protocols into two
   categories, "passive" and "active"; passive traceback protocols are
   further divided into two schemes, messaging and marking.

   The "passive" category is the conventional method: traceback
   messages are generated and sent to a tracer.  Of the two passive
   schemes, the marking method inserts traceback information into
   otherwise unused parts of the packet header.  The messaging method
   (e.g. itrace) sends traceback information in messages separate from
   the general traffic (this does not imply out-of-band traffic).

   The "active" category is the proposal of this draft.  It supplements
   the passive traceback methods in order to control generators, and is
   used when a tracer wants to know from where a victim is being
   attacked.  It does not presuppose a particular passive traceback
   scheme, but the messaging scheme is more useful than the marking
   scheme for this proposal, as described later.

   This proposal is called the Active Traceback Protocol, ATP for
   short.  It can control generators to start and stop their activity
   and can investigate their capabilities.  ATP has been designed as an
   option to itrace, i.e. it is also designed to be compatible with
   ICMPv4 and ICMPv6.

   From another angle, ICMP based traceback protocols (e.g. itrace)
   have a defect: they are not applicable to DoS attacks that use
   reflectors.  The proxy tracer system and protocol proposed here
   enable them to cope with such attacks.

1.1. Requirements Keywords

   The key words "MUST", "MUST NOT", "REQUIRED", "SHOULD", "SHOULD
   NOT", and "MAY" that appear in this document are to be interpreted
   as described in [RFC2119].

1.2. Definitions

   Basic terminology in this draft follows [BLT01].

   Tracer: the entity which collects Traced Packets, defines the
      tracing policy and sends control packets such as Begin/End Trace.
      It is expected that some Tracers will be implemented by IDSs and
      the like.

   Original Tracer: the entity which sends Active Traceback messages
      first.

   Proxy Tracer: the entity which is designated by the Original Tracer
      and sends Active Traceback messages to Generators that the
      Original Tracer cannot reach because of a network that is not
      transparently accessible, such as a NAT'ed network.

   Passive Traceback Protocol: a protocol which produces traceback
      information originated by Generators.

   Active Traceback Protocol: a protocol which controls Generators to
      produce appropriate traceback information in response to user
      demand.  ATP has two modes, Basic and Proxy.

2. Hybrid Traceback Architecture

   This draft proposes a new concept for IP traceback architecture, the
   "Hybrid Traceback Architecture".  Conventional traceback methods
   fall into the passive traceback scheme, as described above, but by
   themselves they are intuitively insufficient for fine-grained and
   timely traceback, because they offer no control over starting and
   stopping a generator's activity.  This traceback architecture is not
   intended to trace attack paths, but to find out the true source of
   attacking packets.

   The generic traceback process using the Hybrid Traceback
   Architecture is shown below.

   Phase 1. Traceback Request

      When the Tracer detects an indication of an attack, it decides
      on the initial Generator to trace actively.  The initial tracing
      point is expected to be the Generator farthest from the Tracer
      among those that send passive traceback information to the
      Tracer.  The Tracer then requests that Generator to begin active
      traceback.  The Generator at the beginning point is referred to
      as the "initial Generator".
      Before beginning active traceback, Tracer and Generator must
      negotiate a security association (SA), such as an IPsec SA, so
      that a secure channel can be used between them.

   Phase 2. Notification of Traceback Information

      The initial Generator sends the Tracer traceback information,
      namely the adjacent link information designated by the Tracer.
      The adjacent link information includes the elements shown below.

      - IPv4/v6 Address
      - Interface name

      The carrier protocol for the adjacent link information is
      expected to be itrace.

   Phase 3. Traceback

      The Tracer analyses the traced information and decides whether or
      not it describes attacking packets.  If so, the Tracer identifies
      the attacker based on the adjacent link information reported by
      the initial Generator.  If the adjacent link information points
      to another Generator, the traceback process continues by invoking
      another active traceback exchange with that Generator as the next
      initial Generator.

3. Message Definition

3.1. Compatibility For itrace

   Our proposal, the Active Traceback Protocol, is defined as an option
   to ICMPv4/v6.  Consequently, ATP is compatible with itrace.

3.2. Conventions For Presentation

   In the packet formats shown below there is no padding, even if
   elements are not aligned on a 32-bit boundary, and the fields of
   each element are concatenated with no space between them.  Other
   presentation conventions follow section 2.1 of [BLT01].  All values
   in this protocol are in network byte order.

3.3. Overall Message Format

   Basically, the ATP packet format follows [BLT01] and uses the ICMP
   message format and its payload.  For completeness, this draft
   describes it again.

3.4. Traceback Message

    0                   1                   2                   3
    0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |     Type      |    Code=0     |           Checksum            |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |                         Message body                          |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+- .... +-+-+-+-+-+-+-+-+-+-+-+-+-+-+

   The message body uses a TAG-LENGTH-VALUE scheme as follows:

   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |      TAG      |            LENGTH             |   VALUE ...   .
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

   The TAG field is a single octet, with values defined by ATP as
   follows:

      Tag   Element Name             Notes
      0x81  Begin Trace
      0x82  End Trace
      0x83  Deny Trace
      0x84  Capability Query
      0x85  Capability Reply
      0x86  Delegate Active Trace
      0x87  Accept Delegation
      0x88  Deny Delegation
      0x89  Trace Result
      0x8a  IPv4 Address
      0x8b  IPv6 Address
      0x8c  Passive Traceback ID
      0x8d  Reason
      0x8e  Trace Rate

   This tag number assignment is temporary; in future the numbers will
   be assigned by IANA.

   LENGTH is always set to the length of the VALUE field in octets, and
   always occupies two octets, even when the length of the VALUE field
   is less than 256 octets.

3.4.1. Begin Trace (TAG=0x81)

   The Begin Trace element sends a trace request from Tracer to
   Generator.  Its arguments MUST include a Timestamp (TAG=0x08);
   following it, they MAY include an Interface Identifier (TAG=0x03) or
   an IPv4/IPv6 Address Pair (TAG=0x04 or 0x05), which are defined in
   [BLT01], and MAY include a Passive Traceback ID (TAG=0x8c) and a
   Trace Rate (TAG=0x8e), which are defined below.  Arguments other
   than the Timestamp may appear in a different order from that shown.

   The Timestamp holds the sending time at the Tracer.  If this message
   is sent without an Interface Identifier or IPv4/IPv6 Address Pair,
   the Generator that receives it generates traceback messages for all
   network interfaces which the Tracer has.  These elements are defined
   in [BLT01].

   Without a Passive Traceback ID, the Generator that receives this
   message assumes that the default Passive Traceback method is itrace.

   The MAC Address Pair element and the Operator-Defined Link
   Identifier element are defined in [BLT01], but this draft does not
   use them, because they lack versatility: the former depends on a
   specific hardware (Ethernet) and the latter on operator intention.

    0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |   TAG=0x81    |       LENGTH (variable)       |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |                     Timestamp (11 octets)                     .
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   .                                                               .
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   .                                                               |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |            Interface Identifier (variable length)             |
   |          IPv4 or IPv6 Address Pair (11 or 35 octets)          |
   |                Passive Traceback ID (3 octets)                |
   |                     Trace Rate (4 octets)                     |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

3.4.2. End Trace (TAG=0x82)

   The End Trace element sends a message that ends the transmission of
   Passive Traceback messages started in response to a Begin Trace.
   This message MUST have a Timestamp argument, and MAY have other
   arguments.  The Timestamp argument holds the corresponding time
   copied from the Timestamp in the Begin Trace message that initiated
   the series of passive traceback messages.  The other arguments are
   copied from the corresponding Begin Trace message, either all of
   them or a subset.  If a subset is designated, the passive traceback
   process for the designated Passive Traceback ID ends on the
   corresponding interface, or on the interface assigned the
   corresponding address.

    0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |   TAG=0x82    |       LENGTH (variable)       |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |                     Timestamp (11 octets)                     .
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   .                                                               .
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   .                                                               |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |            Interface Identifier (variable length)             |
   |          IPv4 or IPv6 Address Pair (11 or 35 octets)          |
   |                Passive Traceback ID (3 octets)                |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

3.4.3. Deny Trace (TAG=0x83)

   The Deny Trace element sends a message denying an Active Traceback
   request, from Generator to Tracer.  This message is sent to the
   Tracer that originated the corresponding Begin Trace message; if
   another node receives this message, it SHOULD be discarded at once.
   This message MUST have a Timestamp argument, and MAY have a Reason
   argument.  The Timestamp element (TAG=0x08) is copied from the
   corresponding Begin Trace message so that a Deny Trace message can
   be matched with its Begin Trace message.  The Reason argument is
   provided for operational convenience.

   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |   TAG=0x83    |       LENGTH (variable)       |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |                     Timestamp (11 octets)                     .
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   .                                                               .
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   .                                                               |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |                       Reason (variable)                       |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

3.4.4. Capability Query (TAG=0x84)

   The Capability Query element sends a message querying which methods
   are implemented by a Generator that is to be requested to perform an
   Active Trace.  The Tracer expects an answer by Capability Reply in
   response to this message, and the Generator SHOULD reply.  When the
   Generator cannot reply for some reason, the Tracer MUST use itrace
   by default.  This message has no VALUE.

   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |   TAG=0x84    |          LENGTH (=0)          |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

3.4.5. Capability Reply (TAG=0x85)

   The Capability Reply element is the reply to a Capability Query
   message.  It indicates which Passive Traceback method(s) the queried
   Generator supports.  If the Generator supports several Passive
   Traceback methods, it can carry several ID values concatenated one
   after another.  If, on the contrary, the Generator supports no
   methods, it sends the element without a VALUE and with LENGTH equal
   to zero, and the Tracer gives up using this Generator for active
   traceback.

   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |   TAG=0x85    |       LENGTH (variable)       |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |              Passive Traceback ID(s) (variable)               |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

3.4.6. Delegate Active Trace (TAG=0x86)

   The Delegate Active Trace element sends a message requesting a proxy
   trace, from the Original Tracer to the (prospective) Proxy Tracer.
   This message MUST have a Timestamp argument, and MAY have other
   arguments.  The Timestamp argument holds the time of delegation by
   the Original Tracer.  The other arguments designate to the Proxy
   Tracer which of its addresses or interfaces is to be traced.

   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |   TAG=0x86    |       LENGTH (variable)       |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |                     Timestamp (11 octets)                     .
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   .                                                               .
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   .                                                               |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |            Interface Identifier (variable length)             |
   |             IPv4 or IPv6 Address (7 or 19 octets)             |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

3.4.7. Accept Delegation (TAG=0x87)

   The Accept Delegation element indicates that the Proxy Tracer
   accepts the proxy tracing request issued by the Original Tracer.
   The TIMESTAMP in the VALUE is copied from the received Delegate
   Active Trace message.  The Proxy Tracer then begins proxy tracing
   for its internal network as if it were the Original Tracer for that
   inner network.

   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |   TAG=0x87    |          LENGTH (11)          |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |                     TIMESTAMP (11 octets)                     .
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   .                                                               .
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   .                                               |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

3.4.8. Deny Delegation (TAG=0x88)

   The Deny Delegation element is a message in which the Proxy Tracer
   denies, for some reason, the proxy tracing request issued by the
   Original Tracer.  The VALUE of this message MUST have a Timestamp
   element and MAY have a Reason element.  The Timestamp element
   (TAG=0x08) is copied from the corresponding Begin Trace message so
   that the Original Tracer can match the Begin Trace message and the
   Deny Trace message.  The Reason element is provided for operational
   convenience.

   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |   TAG=0x88    |       LENGTH (variable)       |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |                     TIMESTAMP (11 octets)                     .
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   .                                                               .
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   .                                                               |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |                   REASON (variable length)                    .
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

3.4.9. Trace Result (TAG=0x89)

   The Trace Result element carries the result traced by the Proxy
   Tracer.  The result is the traced IPv4/IPv6 address, which is
   presumed to be the true source address of the attacker.  This
   element does not use the IPv4 Address Pair (0x04) and IPv6 Address
   Pair (0x05) defined in [BLT01], because a Trace Result is regarded
   as the IPv4/IPv6 address of one particular node and is therefore
   determined as a single address.  This draft accordingly defines
   elements that carry only one IPv4/IPv6 address.

   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |   TAG=0x89    |      LENGTH (=18 or 30)       |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |                     Timestamp (11 octets)                     .
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   .                                                               .
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   .                                                               |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |             IPv4 or IPv6 Address (7 or 19 octets)             .
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

3.4.10. IPv4 Address (0x8a)

   In [BLT01], the IPv4/IPv6 address elements are defined as pairs.
   This draft defines further elements that hold only one IPv4/IPv6
   address, because ATP does not use a pair of addresses but needs a
   single address.  TAG number 0x8a defines an IPv4 address and TAG
   number 0x8b defines an IPv6 address.

   The IPv4 Address element carries one IPv4 address.

   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |   TAG=0x8a    |          LENGTH (=4)          |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |                    IPv4 Address (4 octets)                    |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

3.4.11. IPv6 Address (0x8b)

   The IPv6 Address element carries one IPv6 address.

   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |   TAG=0x8b    |         LENGTH (=16)          |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |                   IPv6 Address (16 octets)                    .
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   .                                                               .
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   .                                                               .
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   .                                                               |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

3.4.12. Passive Traceback ID (TAG=0x8c)

   The Passive Traceback ID carries the identification number of a
   passive traceback protocol.  Each protocol ID occupies 1 octet, and
   the number assignment is a matter for IANA.

   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |   TAG=0x8c    |          LENGTH (=1)          |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |  PTP ID (*)   |
   +-+-+-+-+-+-+-+-+

   (*) PTP ID = Passive Traceback Protocol ID

   Temporarily, this draft defines only number 0, as itrace.

3.4.13. Reason (TAG=0x8d)

   The Reason element gives the reason why a Generator refuses an
   Active Traceback request.  This element MAY consist of a human
   readable value, such as a concrete reason for denying (e.g. "No
   resources").  It is assumed that this element is represented in
   English, but for internationalization the REASON may need to be in
   other languages (e.g. French, Japanese).  This draft defines no
   internationalization matters; further study will be needed.

   This element is provided for optional use and operational
   convenience.  It is therefore not necessary to use it in the refusal
   process.

   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |   TAG=0x8d    |       LENGTH (variable)       |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |                            REASON                             .
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

3.4.14. Trace Rate (TAG=0x8e)

   The Trace Rate element carries the tracing probability used by the
   Generator.  The Trace Rate is represented as a 2-octet integer whose
   value ranges from 0 to 65535.  The Generator uses this value as the
   denominator of a probability; for example, if the value is 1024, the
   Generator generates tracing packets at a rate of 1/1024.  When the
   Trace Rate is 0, the Generator stops generating tracing packets.

   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |   TAG=0x8e    |          LENGTH (=2)          |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
   |          Trace Rate           |
   +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

4. Tracing Processes

   Three processes are assumed: Request-Response, Capability-Inspection
   and Delegate-Proxy.

4.1. Request-Response Process

   This process is the basic use of the Active Traceback Protocol, when
   the Tracer wants to receive fine-grained information about incoming
   packets.

   1. The Tracer sends a Begin Trace message to the Generator.

   2. The Generator sends

      a. a Deny Trace message to the Tracer, in case it refuses to
         generate fine-grained Passive Traceback messages.  This
         traceback process then ends.

            Tracer                              Generator
                          Begin Trace
                     -------------------->
                                                Deny Trace
                     <--------------------

      b. Passive Traceback messages according to the Tracer's request.

   3. The Generator stops generating Passive Traceback messages on
      receiving an End Trace message from the requesting Tracer.

            Tracer                              Generator
                          Begin Trace
                     -------------------->
                                                Passive Traceback
                     <--------------------      Protocol
                          End Trace
                     -------------------->

4.2. Capability-Inspection Process

   This process occurs when the Tracer wants to know what kind of
   Passive Traceback Protocols the Generator implements.

   1. The Tracer sends a Capability Query message to the Generator and
      waits a while for a reply.

   2. The Generator

      a. does not send any response, for some reason; the Tracer then
         stops waiting.

            Tracer                              Generator
                          Capability Query
                     -------------------->
              |                                 (does not respond)
              | waits for a while
              v
             end

      b. sends a Capability Reply message with concatenated Passive
         Traceback ID(s), ordered by the Generator's preference.

   3. The Tracer receives the Capability Reply message from the
      Generator, notes the preferred Passive Traceback ID, and ends
      this process.

            Tracer                              Generator
                          Capability Query
                     -------------------->
                                                Capability Reply
                     <--------------------

4.3. Delegate-Proxy Process

   This process occurs when the Original Tracer wants to trace into a
   network whose structure is not known to other organizations (e.g.
   another AS), a NAT'ed private network, or the like.

   1. The Original Tracer sends a delegation request, a Delegate Active
      Trace message, to the (prospective) Proxy Tracer.

   2. The Proxy Tracer sends

      a. a Deny Delegation message to the Original Tracer, refusing the
         active traceback request.

            Original Tracer                     Proxy Tracer
                          Delegate Active Trace
                     -------------------->
                                                Deny Delegation
                     <--------------------

      b. an Accept Delegation message to the Original Tracer, accepting
         the active traceback request.

            Original Tracer       Proxy Tracer              Generator
                 Delegate Active Trace
              -------------------->
                                 Accept
              <--------------------
                                 Delegation
                                             Begin Trace
                                        -------------------->
                                                        Passive Traceback
                                        <--------------------  Protocol
                                             End Trace
                                        -------------------->
                 Trace Result
              <--------------------

   Note: the Proxy Tracer acts as the Original (generic) Tracer toward
   the Generator.  Therefore the Generator cannot distinguish the
   Original Tracer from the Proxy one.

5. Discussion

5.1. Messaging Scheme vs. Marking Scheme

   As described above, the messaging scheme sends traceback information
   in separate packets, and the marking scheme sends it in empty space
   inside normal traffic.  The messaging scheme therefore completes the
   transmission of the information in one packet, whereas the marking
   scheme must send several more packets to complete the transmission
   of traceback information to the Tracer.
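As an added example (not code from the draft), the following Python encodes the TAG-LENGTH-VALUE elements of section 3.4 and runs the Deny Trace branch of the Request-Response process of section 4.1: the Generator parses a Begin Trace, falls back to itrace when the Passive Traceback ID is absent, denies an unsupported ID with the Timestamp copied back, and the Tracer matches the denial to its pending request by that Timestamp. The ICMP header that carries the body is omitted, the Timestamp VALUE is assumed to be 8 opaque octets (the 11-octet [BLT01] element less 3 octets of TAG and LENGTH), and the function names and sample values are constructed.

```python
import struct
from typing import Dict, List, Optional, Set, Tuple

# TAG values from the table in section 3.4; 0x08 is the [BLT01] Timestamp.
TIMESTAMP, BEGIN_TRACE, DENY_TRACE = 0x08, 0x81, 0x83
PASSIVE_TRACEBACK_ID, REASON, TRACE_RATE = 0x8C, 0x8D, 0x8E
ITRACE_ID = 0  # the only Passive Traceback Protocol ID the draft defines


def tlv(tag: int, value: bytes) -> bytes:
    """One element: 1-octet TAG, 2-octet LENGTH in network order, VALUE."""
    if not 0 <= tag <= 0xFF or len(value) > 0xFFFF:
        raise ValueError("TAG or VALUE length out of range")
    return struct.pack("!BH", tag, len(value)) + value


def parse_tlvs(data: bytes) -> List[Tuple[int, bytes]]:
    """Split a byte string into (TAG, VALUE) pairs, rejecting truncated input."""
    elements, pos = [], 0
    while pos < len(data):
        if pos + 3 > len(data):
            raise ValueError("truncated TAG/LENGTH header")
        tag, length = struct.unpack_from("!BH", data, pos)
        pos += 3
        if pos + length > len(data):
            raise ValueError("LENGTH runs past the end of the message")
        elements.append((tag, data[pos:pos + length]))
        pos += length
    return elements


def build_begin_trace(timestamp: bytes, ptp_id: Optional[int] = None,
                      trace_rate: Optional[int] = None) -> bytes:
    """Begin Trace: Timestamp is mandatory, the other two arguments optional."""
    if len(timestamp) != 8:  # assumption: 11-octet element less 3 octets of TAG/LENGTH
        raise ValueError("Timestamp VALUE must be 8 octets")
    body = tlv(TIMESTAMP, timestamp)
    if ptp_id is not None:
        body += tlv(PASSIVE_TRACEBACK_ID, bytes([ptp_id]))
    if trace_rate is not None:
        body += tlv(TRACE_RATE, struct.pack("!H", trace_rate))
    return tlv(BEGIN_TRACE, body)


def generator_handle(element: bytes, supported: Set[int]) -> Tuple[str, Optional[bytes], float]:
    """Generator side: ("accept", None, 1/rate), ("deny", Deny Trace, 0.0) or ("ignore", None, 0.0)."""
    tag, body = parse_tlvs(element)[0]
    if tag != BEGIN_TRACE:
        return "ignore", None, 0.0
    args = dict(parse_tlvs(body))  # optional arguments may come in any order
    if TIMESTAMP not in args:
        return "ignore", None, 0.0  # Timestamp is a MUST; nothing to correlate a reply to
    ptp_id = args.get(PASSIVE_TRACEBACK_ID, bytes([ITRACE_ID]))[0]  # default: itrace
    if ptp_id not in supported:
        # The Timestamp is copied verbatim so the Tracer can match request and denial.
        reply = tlv(DENY_TRACE, tlv(TIMESTAMP, args[TIMESTAMP]) + tlv(REASON, b"No resources"))
        return "deny", reply, 0.0
    rate = struct.unpack("!H", args[TRACE_RATE])[0] if TRACE_RATE in args else 1
    return "accept", None, (0.0 if rate == 0 else 1.0 / rate)  # Trace Rate 0 means stop


def tracer_match_reply(pending: Dict[bytes, str], reply: bytes) -> Optional[str]:
    """Tracer side: match a Deny Trace to an outstanding Begin Trace by its Timestamp."""
    tag, body = parse_tlvs(reply)[0]
    if tag != DENY_TRACE:
        return None
    args = dict(parse_tlvs(body))
    generator = pending.pop(args.get(TIMESTAMP, b""), None)
    if generator is None:  # no matching request: discard, as 3.4.3 requires of other nodes
        return None
    return "%s: denied (%s)" % (generator, args.get(REASON, b"").decode("ascii", "replace"))


def demo() -> Optional[str]:
    """Constructed exchange: the Tracer asks for the undefined PTP ID 1 and is denied."""
    ts = struct.pack("!Q", 0x0102030405060708)  # constructed 8-octet timestamp value
    pending = {ts: "generator-A"}
    decision, reply, _ = generator_handle(build_begin_trace(ts, ptp_id=1, trace_rate=1024), {ITRACE_ID})
    return tracer_match_reply(pending, reply) if decision == "deny" else decision
```

The same `tlv` and `parse_tlvs` helpers serve the Capability Query/Reply and delegation messages of sections 4.2 and 4.3, which differ only in TAG and in which arguments are copied from the request.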
   From the standpoint of the Hybrid Traceback Architecture, the
   messaging scheme fits this architecture better than the marking
   scheme, because in the messaging scheme the Tracer only waits for
   one packet corresponding to the active trace packets it sent,
   whereas in the marking scheme it must wait much longer to finish
   collecting the traced messages.

6. Future Work

   This draft does not define concrete directives from Tracer to
   Generator for fine-grained traceback.

7. Security Consideration

   This draft does not address methods for user and data
   authentication.  Some means of preventing denial-of-service attacks
   against this traceback scheme are required.  It is expected that
   IPsec ESP without encryption is applicable.

8. References

   [BLT01]    Bellovin, S., Leech, M., Taylor, T., "ICMP Traceback
              Messages", Internet-Draft, October 2001.

   [MMWZWH01] Massey, D., Mankin, A., Wu, C.L., Zhao, X.L., Wu, S.F.,
              Huang, W., "Intention-Driven ICMP Trace-Back",
              Internet-Draft, November 2001.

9. Acknowledgments

   This project has been sponsored by the Telecommunications
   Advancement Organization of Japan.

10. Author's Address

   Tatsuya Yamada
   Toshiba Corporation
   Systems Integration Technology Center
   3-22 Katamachi Fuchu Tokyo Japan 183-8512
   phone: +81 42 340 6515
   email: ymd@sitc.toshiba.co.jp