EP3815335A1

EP3815335A1 - Methods for verifying the validity of an ip resource, and associated access control server, validation server, client node, relay node and computer program

Info

Publication number: EP3815335A1
Application number: EP19750134.9A
Authority: EP
Inventors: Mohamed Boucadair; Christian Jacquenet
Original assignee: Orange SA
Current assignee: Orange SA
Priority date: 2018-06-29
Filing date: 2019-06-28
Publication date: 2021-05-05
Also published as: CN112514350A; FR3081573A1; US20210273974A1; CN112514350B; WO2020002856A1

Abstract

The invention relates to a method for verifying the validity of an IP resource associated with a client domain, implemented in an access control server, said method involving: - receiving (23S) a list of at least one IP resource associated with said client domain, transmitted from a client node of said client domain to said access control server; - selecting (24S) at least one IP resource to be validated from among said list; and - checking (27S) the validity of said at least one selected IP resource.

Description

Methods for verifying the validity of an IP resource, access control server, validation server, client node, relay node and corresponding computer program.

1. Field of the invention

The field of the invention is that of communications within a communication network, for example an IP network, and in particular that of value-added IP services.

More specifically, the invention offers a solution for verifying the validity of an IP resource associated with a domain, ie, verifying that an IP address, an IP prefix (set of IP addresses), a domain name, etc. , is effectively associated with this domain.

The invention finds in particular, but not exclusively, applications in the field of mitigation of attacks by distributed denial of services (in English DDoS, for “Distributed Déniai of Service”), in particular for facilitating the coordination of mitigation actions . It can in particular be implemented before or during a mitigation procedure.

2. Prior art

We will focus more particularly in the rest of this document on describing an existing problem in the field of mitigation of attacks by distributed denial of service. The invention is of course not limited to this particular field of applications, but, more generally, the invention is of interest for any technique in which the validity of an IP resource must be verified before taking any action. relating to said resource.

As a reminder, a DDoS attack is an attempt to make resources, for example network or computing resources, unavailable to their users. Such attacks can be massively deployed by compromising a large number of hosts, and by using these hosts to amplify attacks.

In order to overcome these DDoS attacks, services for detecting and mitigating DDoS attacks are offered by certain access or service providers to their customers. Such mitigation services (in English DPS for "DDoS Protection Services") can be hosted within the infrastructures operated by access providers or in the "cloud" (in French "cloud"). They allow in particular to distinguish "legitimate" traffic, i.e., data consented by the user, from "suspicious" traffic.

When a DPS type service is hosted in the “cloud”, it is difficult to identify a DDoS attack in advance, because such a service is not present on the routing paths (by default) allowing to reach the network victim of a DDoS attack.

To solve this problem, it was notably proposed to set up tunnels to force the invocation of the DPS service for all traffic (incoming or outgoing) of a network. However, this approach considerably increases the latency observed by the users and imposes constraints on the dimensioning of the DPS service in order to be able to handle all the traffic of all the users of the network.

When a DPS service is hosted within an infrastructure operated by an access provider, even if the DPS service is present on the routing path of incoming traffic from a network, difficulties may arise for the identification of suspicious traffic. In particular, with the increase in encrypted traffic carried in particular on UDP (for example, QUIC traffic, for "Quick UDP Internet Connection" in English), it is difficult to distinguish legitimate traffic from suspicious traffic. The difficulty of clearly accessing control messages, such as the messages (SYN / SYN-ACK / ACK) provided for in the TCP protocol, can indeed make it difficult to determine the consent of a network node to receive traffic. .

To help identify suspicious traffic, a specific architecture has been standardized by the IETF. Such an architecture, called DOTS ("DDoS Open Threat Signaling"), allows a client node, called DOTS client, to inform a server, called DOTS server, that its network is under DDoS attack and that appropriate actions are required.

So, if a client domain is the target of a DDoS attack, a DOTS client attached to that client domain can send a message to the DOTS server asking for help. The latter coordinates, with a mitigation entity (in English “mitigator”), the actions to be carried out so that the suspicious traffic, associated with the denial of service attack, is no longer routed to the client domain, while the traffic legitimate continues to be routed normally to the client domain.

This solution uses two communication channels between the DOTS client and the server

DOTS:

a DOTS signaling channel (“DOTS Signal Channel”), and

a DOTS data channel (in English "DOTS Data Channel").

The DOTS signaling channel is only used when a DDoS attack is in progress. Thus, a DOTS client can use this channel to request assistance from the DOTS server. For example, a DOTS client uses this signaling channel to send a request to its server informing it that the prefix "1.2.3.0/24" is undergoing a DDoS attack, so that the server can take actions to end the attack. Such a signaling channel is described in particular in the document “Distributed Denial-of-Service Open Threat Signaling (DOTS) Signal Channel Specification”, draft-ietf-dots-signal-channel, Reddy, T. et al., January 2018.

The DOTS data channel is used when no DDoS attack is in progress. Classes. For example, a DOTS client can use this channel to install filtering rules, such as filtering traffic received from certain addresses or traffic destined for a given node. For example, a DOTS client can use this DOTS data channel to request the server to block all traffic to the prefix "1.2.3.0/24". Such a data channel is described in particular in the document “Distributed Denial-of-Service Open Threat Signaling (DOTS) Data Channel”, draft-ietf-dots-data-channel, Reddy, T. et al., December 2017.

Note that if the server does not have a mechanism to verify that the prefix "1.2.3.0/24" is actually associated with the domain of the DOTS client, service disruptions may be observed by the legitimate owner of this prefix ( ie, the entity in charge of managing this prefix, for example the access provider). In particular, the nodes to which an address extracted from this prefix is allocated may no longer receive traffic in the event of the implementation of traffic circumvention measures associated with this prefix or of filtering on all traffic having a destination address falling under this prefix.

In addition, the DDoS mitigation service may be billed to legitimate owners, even though they were not the source of the mitigation request.

In addition, to resolve the IP spoofing problem, the IETF recommends activating BCP 38 ("Network Ingress Filtering: Defeating Déniai of Service Attacks which employ IP Source Address Spoofing", P. Ferguson et al. , May 2000), and the uRPF (“Unicast Reverse Path Forwarding” function, RFC2504: “Users' Security Handbook” E. Guttman et al., February 1999). However, these mechanisms only apply for validating the source address of an IP packet.

Solutions called “SAVI” (“Source Address Validation Improvements”) have also been proposed, but these solutions do not make it possible to validate the IP addresses / prefixes indicated in the content (“payload” or payload) of the protocols using references ( e.g. Session Description Protocol (SDP), Session Initiation Protocol (SIP), or DOTS).

Thus, the techniques of the prior art have at least one of the following drawbacks:

the validation of the addresses is done on the basis of the source address of a packet, the available databases, for example a database managed by a RIR ("Regional Internet Registry"), are informed by the resource owners IP (i.e., generally, operators) or provide only the identity of the owners of IP resources,

there is no uniformly deployed IP resource validation solution in the Internet by different actors - content providers, services and network operators,

attacks intended to weaken the security of communications or terminals connected to the Internet are always possible.

There is therefore a need for a new technique for verifying the validity of an IP prefix, or more generally of an IP resource, in particular when the DPS service is hosted in the "cloud".

3. Statement of the invention

The invention provides a new solution for verifying the validity of an IP resource associated with a client domain, i.e., for verifying the membership of an IP resource in a client domain. For example, such an IP resource belongs to the group comprising:

an IP address (for example an IPv4 or IPv6 address),

an IP prefix (for example an IPv4 or IPv6 prefix),

a domain name.

According to at least one embodiment, a method for verifying the validity of an IP resource associated with a client domain implements the following steps in a server, called an access control server:

receiving a list of at least one IP resource associated with the client domain, transmitted from a client node of the client domain to the access control server;

selecting at least one IP resource to validate from the list; and

checking the validity of the selected IP resource or resources, that is to say that the resource or resources are associated with said domain.

According to at least one embodiment, a method for declaring an IP resource associated with a client domain implements the following steps in a client node of the client domain:

obtaining a list of at least one IP resource associated with the client domain; and transmitting the list to an access control server.

In a particular embodiment, the access control server is configured to verify that said at least one IP resource is associated with the client domain.

According to at least one embodiment, a method of processing a request for validation of an IP resource associated with a client domain implements the following steps in a relay node of the client domain, associated with at least one selected IP resource by a access control server from a list of at least one IP resource associated with the client domain, previously transmitted from a client node of the client domain to the access control server:

receiving or intercepting said request from the access control server, said request comprising a control message; and

the transmission of the request (s) to the client node.

According to at least one embodiment, a method of verifying the validity of an IP resource associated with a client domain implements the following steps in a validation server associated with at least one IP resource selected by a control server d access from a list of at least one IP resource associated with the client domain, previously transmitted from a client node of the client domain to the access control server:

the reception of at least one request comprising information representative of the identity of a client domain and of the selected IP resource or resources,

identification of the client domain from information representative of the identity of the client domain, and

verification of the association of the selected IP resource (s) with the client domain, taking into account the identity of the client domain.

In a particular embodiment, the verification method further comprises the transmission of a confirmation message or an error message to the access control server.

The proposed solution thus makes it possible to verify that an IP resource is actually (and legitimately) associated with a client domain.

In particular, if a client node in the client domain issues a request asking the access control server to perform an action on at least one other node identified by an IP resource, the proposed solution makes it possible to check whether the IP resource identifying the at least one other node is effectively associated with the client domain, for example allocated to at least one node in the client domain, or if the traffic destined for this IP resource is legitimately routed to this client domain.

Thus, in the context of a DDoS attack for example, the access control server can verify whether a mitigation or filtering request transmitted by a client node of the client domain, actually concerns this client node or another node of the domain client, before taking any action so that suspicious traffic is no longer routed to the client domain.

Furthermore, according to at least one embodiment, the proposed solution does not require to use the infrastructure of the access provider. Thus, the proposed solution makes it possible to verify the validity of an IP resource associated with a client domain, whether the DPS mitigation service is hosted within the infrastructure operated by the access provider, in the "cloud", or elsewhere.

According to at least one embodiment, the proposed solution makes it possible to improve the reliability, the robustness and / or the efficiency of the responses to DDoS attacks.

In particular, unlike current solutions which rely on static consultation of databases, the method of verifying the validity of an IP resource according to at least one embodiment of the invention makes it possible to verify in real time the information relating to allocating IP resources to customers, without disclosing their identity, including in the context of dynamic allocation of IP resources.

According to at least one embodiment, the list is updated periodically and / or if an IP resource associated with the client domain is added, deleted or modified.

Thus, the proposed solution allows to validate an IP resource regularly, and / or in case of addition, deletion or modification of an IP resource associated with the client domain.

In this way, in the context of a DOTS architecture for example, it is not necessary to wait for the reception of a request for installation of a filter (such an installation can for example correspond to the response to a attack), which optimizes the processing times for DOTS requests.

Furthermore, according to at least one embodiment, it is possible to associate a period of validity with the list of at least one IP resource associated with the client domain, with each of the IP resources or even several IP resources. In this case, the access control server can automatically delete the IP resource or resources concerned from its tables at the end of the validity period.

In particular, a client node can update the list of IP resources associated with the client domain without waiting for the expiration of the validity period.

In this way, it is possible to detect that a resource validation is obsolete, which is particularly of interest in the case of networks with frequent renumbering (that is to say, the IP addresses or prefixes allocated to the nodes of the network are frequently changed). For example, as part of a mitigation request, if a node in a client domain requests the access control server to filter (incoming) traffic to the 1.2.3.0/24 prefix associated with the client domain at at time T0, the access control server must check at time Tl that the 1.2.3.0/24 prefix is always associated with the same client domain to decide whether to filter or route traffic to this 1.2.3.0/24 prefix.

According to a particular characteristic of the invention, the method of verifying the validity of an IP resource also takes account of at least one previously defined data filtering rule.

Other embodiments of the invention relate to an access control server, a client node, a relay node, and a corresponding validation server.

In another embodiment, the invention relates to one or more computer programs comprising instructions for implementing a method for verifying the validity of an IP resource associated with a client domain according to at least one mode for carrying out the invention, one or more computer programs comprising instructions for implementing a method for declaring an IP resource associated with a client domain according to at least one embodiment of the invention, one or more computer programs comprising instructions for implementing a method for processing at least one request for validation of an IP resource associated with a client domain according to at least one embodiment of the invention , when this or these programs is / are executed by a processor.

In yet another embodiment, the invention relates to one or more non-removable, or partially or completely removable, information carriers, readable by a computer, and comprising instructions for one or more computer programs for execution steps of the method of verifying the validity of an IP resource associated with a client domain, and / or of the method of declaring an IP resource associated with a client domain and / or of the method of processing at least one request validation of an IP resource associated with a client domain according to at least one embodiment of the invention.

The methods according to the invention can therefore be implemented in various ways, in particular in wired form and / or in software form.

4. List of figures

Other characteristics and advantages of the invention will appear more clearly on reading the following description of a particular embodiment, given by way of simple illustrative and nonlimiting example, and of the appended drawings, among which:

FIG. 1 illustrates an example of a communication network implementing a method for verifying the validity of an IP resource associated with a client domain, according to an embodiment of the invention;

FIG. 2 presents the main steps of the method for verifying the validity of an IP resource associated with a client domain, according to at least one embodiment of the invention;

Figures 3 and 4 illustrate two embodiments of the invention;

FIG. 5 presents the main steps implemented by a DOTS client for the declaration of IP resources associated with a DOTS domain, according to one embodiment; Figures 6A and 6B illustrate two examples of declaring IP resources;

FIG. 7 illustrates a detection of address conflicts between several domains;

Figure 8 illustrates the removal of IP resources that are not part of the list declared by a DOTS client;

FIG. 9 illustrates the refusal of a request for mitigation on an address which is not part of the list declared by a DOTS client;

FIG. 10 illustrates the communications authorized or not between client nodes and relay nodes;

Figures 11 to 15 show examples of implementation of the verification procedure according to a first embodiment called "DOTS Probing";

FIG. 16 shows an example of implementation of the verification procedure according to a second embodiment called "Cooperating DOTS / ISPs"; and

FIG. 17 shows the simplified structure of an access control server, validation server, client node or relay node according to a particular embodiment.

5. Description of an embodiment of the invention

5.1 General principle

The general principle of the invention is based on a declaration to a server, called an access control server, of the IP resources associated with a client domain, and on a verification of the validity of these IP resources, ie, verification that the declared resources are actually associated with the client domain.

We present in relation to FIG. 1 various pieces of equipment of a communication network implementing a method of verifying the validity of an IP resource associated with a client domain.

Consider for example a client node C1 111, belonging to a client domain 11, communicating with an access control server S 14. For example, the client domain 11 comprises one or more machines, also called nodes. In particular, the client domain includes at least one RI relay node 112. Here, the term "domain" means a set of machines or nodes placed under the responsibility of the same entity.

A first access provider 12 has equipment allowing customers to client domain 11 to access the Internet network 13 to which the access control server 14 is connected. According to at least one embodiment, the first access provider 12 comprises at least one validation server VI 121.

According to the example illustrated, the access control server 14 does not belong to the client domain 11, and can therefore be connected to the Internet network 13 via a second access provider. According to another example not illustrated, the access control server 14 may belong to the client domain, or else to another domain connected to the Internet network 13 through the first access provider 12.

FIG. 2 illustrates the main steps implemented for the verification of an IP resource associated with a client domain 11.

A node of the client domain 11, for example the client node C1 111, obtains (21 c) a list of at least one IP resource associated with the client domain 11. For example, such a list includes the IP addresses of the various nodes of the domain client 11, an IP prefix associated with a connection router in the client domain 11, a domain name associated with the client domain 11, etc.

The client node Cl 111, or possibly another node of the client domain 11, transmits (22c) this list to a server, for example the access control server 14. In other words, the client node Cl 111 declares to the access control server 14 the IP resources associated with the client domain 11. The source address is therefore the address of the client node, but the IP resources to be validated are those transmitted to the access control server, in the content of the message. The declaration of IP resources can be explicit (using a dedicated message) or be implicit (part of a signaling request or filtering request).

According to a first example, the list of at least one IP resource associated with the client domain is transmitted in a single message. In this case, a single request, say aggregated request, can be sent to the access control server.

According to a second example, the list of at least one IP resource associated with the client domain is distributed in a plurality of messages. In this case, several separate requests can be sent to the access control server.

The access control server 14 therefore receives ( _$ 23) the list of at least one IP resource associated with the client domain 11, transmitted from a client node of the client domain 11 to the access control server 14.

The access control server 14 selects ( _$ 24) at least one IP resource to validate from the list.

Optionally, the access control server 14 transmits ( _$ 25) to the client node Cl 111 the or the selected IP resources. The client node C1 111 therefore receives (26 c) the IP resource or resources selected by the access control server 14.

The access control server 14 then checks ( _$ 27) the validity of said at least one selected IP resource. In other words, the access control server checks whether the selected IP resource is actually associated with the client domain 11.

Figures 3 and 4 illustrate two embodiments of the invention. The first embodiment makes it possible to dispense with the access provider managing the client domain for the validation of the IP resources associated with this client domain. The second embodiment makes it possible to use the equipment of the access provider for the validation of the IP resources associated with a client domain, while preserving the confidentiality of the identity of the client domain.

FIG. 3 illustrates the main steps of the method for verifying the validity of the IP resource according to the first embodiment.

According to this embodiment, the verification ( _$ 27) of the validity of the selected IP resource or resources, implemented by the access control server 14, is based on the transmission ( _$ 31) of at least one request to said IP resource to be validated, received or intercepted by at least one relay node in the client domain associated with said at least one selected IP resource, for example the relay node RI 112. Optionally, the relay node RI 112 and the client node Cl 111 are the same. As a variant, the relay node RI 112 and the client node Cl 111 are two separate nodes belonging to the same domain. Similarly, the client node and the relay node can be two software instances embedded in the same physical node.

More specifically, the selected IP resource can be an IP address. In this case, the access control server transmits the request to the IP address. The selected resource can also be an IP prefix. In this case, the access control server transmits the request to one or more addresses extracted from this prefix; these requests will typically be intercepted by the client domain connection router (s) to the Internet. The selected resource can also be a domain name. In this case, the access control server can implement a resolution procedure (for example, DNS), to obtain the IP address of the entity managing the associated domain (access provider).

Such a request includes a message or control data. In particular, such a control message can be associated with any information enabling the request to be identified unambiguously. In particular, this control message should not be trivial to avoid its usurpation. For example, such a control message is generated randomly. The relay node RI 112 intercepts (32R) therefore at least one request from the access control server 14, and comprising the control message. The request can be sent directly to the relay node if the destination address is allocated to the machine where the relay node resides.

The relay node RI 112 transmits (33R) the request or requests to the client node C1 111, i.e., relays the request or requests coming from the access control server 14.

The client node Cl 111 receives (34V) therefore at least one request from the access control server, and comprising the message or control data, via at least one relay node of the client domain associated with at least one IP resource. , selected by the access control server from the list.

In particular, if the relay node RI 112 and the client node Cl 111 are two separate nodes belonging to the same domain, the exchanges between the relay node RI 112 and the client node Cl 111 can be implemented via a secure connection.

If the relay node RI 112 and the client node Cl 111 are the same node, the client node Cl 111 directly receives the request from the access control server 14, or the request is relayed internally.

The client node C1 111 responds by transmitting (35V) to the access control server 14 a response including information characteristic of the message or of the control data.

The access control server 14 receives (36 _$ ) the response including the characteristic information of the control message, coming from the client node Cl 111. The characteristic information of the control message can be identical or different from the control message .

The access control server 14 performs a correlation ( _$ 37) of the request and the response, or more particularly of the control data conveyed in the request and of the information characteristic of the control data conveyed in the response, and validate or not the membership of the selected IP resource in the client domain.

We now present, in relation to FIG. 4, the main steps of the method for checking the validity of the IP resource according to the second embodiment.

This second embodiment involves a validation server associated with the access provider, for example the validation server VI 121 associated with the first access provider 12 in the client domain 11.

More precisely, according to this second embodiment, the verification 27 of the validity of the selected IP resource or resources, implemented by the access control server 14, is based on the reception ( _$ 41) of representative information the identity of the client domain. For example, such information is representative of the identity of the client domain or of the entity which manages the client domain, such as a subscriber to a connectivity service. In particular, such information is a digest, or "hash", of the identity of the client domain 11 or of the entity which manages the client domain.

The access control server S 14 also implements the identification ( _$ 42) of at least one validation server associated with the IP resource or resources selected in step _$ 24, for example the validation server VI 121.

Finally, the access control server S 14 transmits ( _$ 43) to the validation server (s) identified at least one request comprising, on the one hand, information representative of the identity of the client domain. and on the other hand the selected IP resource (s). According to this second embodiment, the request is therefore not sent to a destination address extracted from an IP prefix or from a list of IP addresses to be validated, but to a validation server.

Optionally, such a request includes a control message associated with any information allowing the request to be identified unambiguously. As for the first embodiment, such a control message can be generated randomly.

The validation server V 121, associated with at least one IP resource selected by the access control server 14 from the list of at least one IP resource associated with the client domain (list previously sent by the client node C1 111 to the server access control S 14), receives (44v) the request or requests comprising, on the one hand, information representative of the identity of the client domain, and, on the other hand, the selected IP resource or resources.

From the information representative of the identity of the client domain, the validation server V 121 can identify (45v) the client domain.

Finally, the validation server V 121 can check (46v) the association / membership of the selected IP resource or resources with the client domain, taking account of the identity of the client domain.

Prior to the implementation of the verification ( _$ 27) of the validity of the IP resource or resources selected by the access control server 14, the validation server VI 121 can implement the determination (401v) of information representative of the identity of the client domain 11, directly or at the request of a client of the client domain. As indicated above, such information is representative of the identity of the client domain or of the entity which manages the client domain, and may for example take the form of a digest of the identity of the client domain 11.

The validation server VI 121 transmits (402v) to the client domain 11, for example to client node Cl 111, the information representative of the identity of the client domain.

The client node C1 111 receives (403c) therefore the information representative of the identity of the client domain from the validation server attached to the client domain 11, and can transmit it (404c) ^{to the} access control server 14, directly or on request from the access control server 14.

It is noted that these preliminary steps of determining 401v and of transmitting 402v / receiving 403c of information representative of the identity of the client domain 11 can be implemented during an initialization phase, or when a client domain 11 is connected to a network activating a validation server, or when a mitigation procedure is triggered, etc.

5.2 Examples of application in the field of mitigation services (DPS)

Examples of implementation of the invention are described below in a DOTS type architecture, according to which the client node Cl 111 is a DOTS client and the access control server S 14 is a control server. DOTS access, allowing the client node C1 111 to inform the access control server S 14 that the client domain is undergoing a DDoS attack and that appropriate actions are required. The client node C1 111 and the access control server S 14 can thus communicate via the DOTS signaling and data channels defined in relation to the prior art.

In particular, at least one embodiment of the invention can be implemented to verify the validity of the IP resources associated with a client domain when the DPS mitigation services are not hosted within the infrastructures operated by the provider. access connected to the client domain (ie, if the DOTS access control server is not operated by the access provider connected to the client domain), but in the infrastructures operated by another access provider or in the " cloud ”.

5.2.1 DOTS architecture reminders

A DOTS request can be, for example:

an alias management message, for example intended to associate an identifier with one or more network resources located in the client's domain,

a signaling message to request the mitigation of a denial of service attack with a DOTS access control server, the access control server being able, on reception of such a message, to trigger the actions necessary to end the attack, or

a message to manage filtering rules, such as a request from a DOTS access control to install (or have installed) an access control list (ACL).

A DOTS request can be sent from a DOTS client, belonging to a DOTS client domain, to a DOTS access control server or a plurality of DOTS access control servers.

A DOTS domain can accommodate one or more DOTS clients. In other words, several client nodes in a client domain can have DOTS functions.

DOTS communications between a client domain and an access control server can be direct, or established via DOTS gateways (in English "DOTS gateways"). These gateways can be hosted within the client domain, the access control server domain, or both. In other words, a client domain node can communicate directly with the access control server, or transmit a request to a client domain gateway which communicates directly with the access control server or with a domain gateway server, or transmit a request to a gateway in the server domain which communicates with the access control server.

A DOTS gateway located in a client domain is considered by a DOTS access control server as a DOTS client.

A DOTS gateway located in a server domain is considered by a DOTS client to be a DOTS access control server. If there is a DOTS gateway in a server domain, authentication of DOTS clients can be entrusted to the DOTS gateway in the server domain. A DOTS access control server can be configured with the list of active DOTS gateways within its domain and the access control server can delegate some of its functions to these trusted gateways. In particular, the access control server can safely use the information provided by a gateway appearing in a list declared to the access control server and maintained by it, by means of an ad hoc authentication procedure ( for example, explicit configuration of the list by the authorized administrator of the access control server, retrieval of the list from an authentication server such as an AAA server for "Authentication, Authorization and Accounting", etc. ).

The embodiments presented below can be implemented regardless of the configuration of the DOTS architecture (one or more DOTS clients in a client domain, no DOTS gateway, one or more DOTS gateways in the client domain or in the server domain, client domain separate from the server domain, etc.). The establishment of a secure DOTS session can take place in accordance with the procedure described in the document “Distributed Denial-of-Service Open Threat Signaling (DOTS) Signal Channel Specification” mentioned above. For example, sessions can be established using a procedure described in one of the following documents:

"Datagram Transport Loyer Security Version 1.2", Rescorla E. et al., RFC 6347, DOI 10.17487 / RFC6347, January 2012,

"The Datagram Transport Loyer Security (DTLS) Protocol Version 1.3", Rescorla E. et al., Draft-ietf-tls-dtlsl3-22, November 2017,

"The Transport Loyer Security (TLS) Protocol Version 1.2", Dierks T. et al., RFC 5246, DOI 10.17487 / RFC5246, August 2008, and

"The Transport Loyer Security (TLS) Protocol Version 1.3", Rescorla E., draft-ietf-tls- tlsl3-23, January 2018.

In the following, it is assumed that the DOTS agents (client (s), access control server (s)) authenticate each other. There is therefore a secure communication channel, for example of the (D) TLS type, between a DOTS client and a DOTS access control server.

Thus, messages received from another server usurping the identity of the legitimate access control server can be rejected by a DOTS client. Likewise, requests from DOTS clients not authorized to access the mitigation service can be ignored by the DOTS access control server. It is assumed below that this procedure is implemented by DOTS agents.

The details of the (D) TLS exchanges, and those concerning the management of the security keys for mutual authentication of the DOTS agents, are not the subject of the present invention and are not detailed here.

We present below the different steps implemented by a DOTS client and a DOTS server, with reference to FIG. 2. We consider by way of example that the client node 111 in FIG. 1 is a DOTS client and that the access control server 14 of FIG. 1 is a DOTS server. The client domain is therefore a DOTS domain.

5.2.2 Declaration of the list of IP resources associated with a client domain

With reference to FIG. 2, the DOTS client obtains (21 _Q ) a list of at least one IP resource associated with the DOTS domain, then transmits it (22c) to one or more DOTS access control server (s), for example using DOTS data or signaling communication channels. A DOTS client can therefore declare to the DOTS access control server the IP resources that it manages, or more generally the IP resources that are associated with the domain. DOTS customer.

An advantage of such an IP resource declaration is that it makes it possible to trigger the verification of the validity of the associated IP resources without waiting for the reception of a DOTS request and therefore without waiting for an attack to be in progress. As a result, signaling messages transmitted from the DOTS client to the DOTS access control server to request mitigation of a denial of service attack can be processed quickly.

As already mentioned, IP resources can be IP addresses, IP prefixes or domain names. Domain names can be resolved to IP addresses. The IP prefixes below denote the IP prefixes directly communicated by a DOTS client or the addresses retrieved via a name resolution system (eg DNS). The prefixes can be from the same address family or belong to different families (IPv4, IPv6). IP prefixes are not necessarily contiguous, nor managed by the same access provider. In addition, these prefixes can be PA type prefixes (in English “Provider Assigned”), that is to say prefixes owned by the service provider, or PI type prefixes (in English “Provider Independent”) ), that is to say prefixes allocated at the request of a client, for example by an organization of the Regional Internet Registry type, or RIR, independently of the access provider.

The main steps implemented by the DOTS client for the declaration of IP resources associated with a DOTS domain are described below, in relation to FIG. 5.

During an initialization step 51c, secure communication channels between the DOTS client and one or more DOTS access control server (s) are established.

In an obtaining step 52c, 21c similar to the step, I ^e DOTS customer gets the list of IP resources it manages, or more generally, the IP resource list associated with his field (client) DOTS .

During a transmission step 53c, 22c similar to the stage, I ^e DOTS customer declares the list of IP resources by transmitting to one or more server (s) DOTS access control.

In an update step 54c, I ^e DOTS client verifies the validity of entries in the list or finding new resources. This updating step can be carried out periodically, and / or with each addition, modification, deletion of an IP resource associated with the domain. Once the list has been updated, the list is again transmitted to the DOTS access control server according to the transmission step 53c. This transmission can be implemented periodically or as soon as an update of the list is performed.

When transmitting the list of IP resources to the access control server (s), the DOTS client can indicate the validity period associated with this list, or with certain IP resources from this list, for example in a "Lifetime" field. Such a period of validity is expressed for example in minutes.

If the client does not renew his declaration / list before the expiration of the validity period defined in the initial declaration request, the DOTS access control server can automatically remove the associated IP resource (s) (s) of its active prefix / resource tables for this client / client domain.

For example, the "Lifetime" field can indicate the value "-1" to indicate an indefinite period of validity.

As illustrated in FIG. 6A, separate requests can be sent by the DOTS client to declare to the access control server (s) each of the IP resources associated with the DOTS domain of the DOTS client (a first request to declare the address "1.2.3.4" and a second request to declare the address "11.22.33.44" for example). Optionally, as illustrated in FIG. 6B, a single request can be sent to declare all the IP resources associated with the DOTS domain of the DOTS client (a single request to declare the address "1.2.3.4" and the address "11.22.33.44" for example).

If several DOTS clients are deployed in the same domain, the declaration of IP resources can be carried out by one or more clients. In other words, declarations are, by default, associated with the domain and not with a DOTS client.

A DOTS access control server is capable of identifying DOTS clients in the same domain. To do this, the DOTS access control server relies on the security keys used for authentication, such as for example the public key information SPKI (“Subject Public Key Information”) of a certificate associated with the DOTS client (for example the X.509 certificate, as defined in document RFC 5280 entitled "Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile", D. Cooper et al., May 2008), or the PSK shared key identifiers (“PSK Identity”) used by customers during the authentication procedure (“TLS ClientKeyExchange”).

Here is an example of a program for declaring the prefix "1.2.3.0/24" of a DOTS client to its DOTS access control server. The message "POST" is used for illustration purposes, but other messages can of course be used (for example "HTTP PUT"):

POST / restconf / data / ietf-dots-data-channel: dots-data \ / dots-client = mydotsclient HTTP / l .1 Host: {host}: {port}

Content-Type: application / yang-data + j sound

{

"ietf-dots-data-channel: prefixes {

"prefix-list": [

{

"name": "my_first_prefix",

"prefix": "1.2.3.0/24",

"lifetime": 1504

As indicated above, the list of IP resources associated with the client domain can be updated regularly and / or each time an IP resource associated with the client domain is added / modified / deleted.

In a first example, acquisition operations can give rise to the allocation and use of new IP resources, for example new prefixes which are managed by an active DOTS client. The DOTS client can declare such new prefixes. To do this, the DOTS client can for example send a POST message.

In a second example, a DOTS client can also update the list of IP resources by removing those that are no longer valid (for example, a prefix that is no longer delegated by the access network, or whose duration of validity has expired).

In this case, the DOTS client can delete the IP resource (s) which are no longer valid without waiting for the expiration of the validity date indicated during the declaration.

We present below an example of a program for the removal of the prefix "my_first_prefix" by a DOTS client. Again, the message "POST" is used for illustration purposes, but other messages can of course be used (for example "HTTP PUT"):

DELETE / restconf / data / ietf-dots-data-channel: dots-data \

/ dot s-client = mydot sclient

/ prefixes / prefix-list = my_first_prefix HTTP / l .1 Host: {host}: {port}

5.2.3 Selection of IP resources to be validated by a DOTS access control server Once the IP resources associated with a domain have been declared by the DOTS client to a DOTS access control server, the DOTS access control server can verify that the declared resources are actually associated with the declaring client domain.

To do this, the DOTS access control server can select one or more IP resources to validate from the list (step _$ 24 with reference to FIG. 2), then apply a verification procedure to each of the selected IP resources.

Optionally, the verification procedure applies to other entries maintained by the access control server (for example, filtering entries, or entries from other clients belonging to the same domain).

In particular, generalizing the verification procedure to the other types of entries maintained by an access control server is advantageous for clients who do not support the procedure for declaring IP resources. It is indeed possible to check the validity of the IP resources managed by a client who is not able to implement the procedure for declaring IP resources, if another client in the domain has previously declared all of the IP resources. associated with this area.

We present below various examples of selection of IP resources to be validated by a DOTS access control server:

the DOTS access control server can systematically execute the verification procedure upon receipt of a declaration from a client, or during the period of validity of the filtering or signaling rules, or both;

the DOTS access control server can implement the verification procedure periodically to ask DOTS clients to confirm the validity of the filtering rules, particularly the destination addresses entered in the filtering rules;

the access control server can select all or part of the entries to be validated; to do this, the access control server performs a selection procedure, such as random mode, selection of the entries having exceeded a certain lifetime (while remaining theoretically valid by virtue of the value of the "Lifetime" parameter allocated by the access control server when creating the entry), etc .;

the DOTS access control server can implement the verification procedure on detection of conflict between the destination addresses indicated by clients belonging to separate DOTS domains. According to this last example, illustrated in FIG. 7, a DOTS access control server can detect an address conflict between several domains by comparing the destination prefix or prefixes indicated in the DOTS requests. For example, a first client C1, belonging to a first domain 71, indicates the destination address "1.2.3.4/32" in a DOTS request, while this address is covered by the request of a second client C2, belonging to a second domain 72, for the prefix "1.2.3.0/24". As the two clients C1 and C2 do not belong to the same domain, the access control server S can detect a conflict between the destination addresses and not select any destination address as "IP resource to be validated".

5.2.4 Validation of selected IP resources

Once the IP resources to validate selected by the DOTS access control server, the DOTS access control server implements a verification of the validity of the selected resource (s) (step 27 _$ with reference to FIG. 2 ).

According to at least one embodiment, the DOTS access control server can, before or simultaneously with the verification procedure, delete the DOTS entries indicating IP resources which are not part of the list declared by a DOTS client. Thus, as illustrated in FIG. 8, if the client C1 declares the address "1.2.3.4" to the access control server S, and the DOTS entries contain the addresses "1.2.3.4" and "11.2.3.4", the access control server detects an anomaly in the filtering rules associated with the Cl client and can proceed to delete the corresponding entries from its tables. Optionally, the access control server can send a notification to the client to report on the cleaning operation.

Likewise, DOTS requests indicating an IP resource that is not part of the declared IP resources may be rejected by the access control server, before or simultaneously with the verification procedure. Thus, as illustrated in FIG. 9, if the client C1 declares the address 1.2.3.4 with the access control server S, and the access control server receives a signaling / mitigation request on the address " 15.45.45.78 ”, the access control server can refuse the signaling request because the address indicated as the target of the attack in the request does not appear in the list of IP resources declared by the Cl client or the clients belonging to the same client domain.

Two embodiments are presented below for implementing the verification procedure, consisting in verifying the validity of the selected resource or resources (step _$ 27 with reference to FIG. 2). The first embodiment, called “DOTS probing”, the main steps of which are illustrated in FIG. 3, makes it possible to dispense with the access provider for the validation of IP resources. The second embodiment, known as “Cooperating DOTS / ISPs”, the main steps of which are illustrated in FIG. 4, makes it possible to process the data maintained by an access provider without infringing the privacy of the customers.

The first embodiment ("DOTS probing") is described below in more detail.

According to this first embodiment, at least one node in the client domain activates a "DOTS_CHECK_RELAY" function allowing the incoming traffic to be inspected and redirected to a client node. Such a node is subsequently called a “relay node”.

Several nodes in the client domain having the "DOTS_CHECK_RELAY" function can be requested. For example, a client domain connected to the Internet via several links (context of “Multi-homing”) can activate the “DOTS_CHECK_RELAY” function on all the nodes connecting it to the Internet.

A DOTS client can coexist with the "DOTS_CHECK_RELAY" function. In other words, a client node can activate the "DOTS_CHECK_RELAY" function, for example when the DOTS client is embedded in a network connection router such as a residential gateway ("Customer Premises Equipment"). . The client node is then a relay node. In this case, the DOTS client is advantageously located on the path of all traffic intended for the client domain.

It is assumed below that a DOTS client has the list of relay nodes activating the "DOTS_CHECK_RELAY" function. This relay list can contain one or more relays, and can be declared explicitly to the client (static configuration) or supplied dynamically (for example, using the resources of a DHCP option). However, it is not necessary to communicate such a relay list to the access control server. In addition to one or more addresses to reach a relay node and security information (for example, authentication token to verify that the DOTS client is authorized to communicate with a relay node), additional information may be filled in, for example, the service listening port number or the list of IP resources managed by a relay node.

If no details regarding IP resources are provided for a relay in the relay list, then a DOTS client can use this relay for all IP resources associated with the domain.

The function "DOTS_CHECK_RELAY" is described below in more detail.

The "DOTS_CHECK_RELAY" function can be: a software module dedicated to the DOTS service,

a traffic capture function activated on a node in the client domain, for example one of the routers connecting the client domain to the Internet.

According to a particular embodiment, the communication between the relays activating the "DOTS_CHECK_RELAY" function and the DOTS clients in the domain can be secured. For example, a relay activating the "DOTS_CHECK_RELAY" function can communicate information or receive requests to / duly authorized trusted customers.

Thus, as illustrated in FIG. 10, the messages coming from the clients Cl and Cm of the client domain 11 are authorized by the relays RI and Ri, while the messages coming from a usurper client "F_C" are rejected by the relays RI and Ri .

According to a particular embodiment, the “DOTS_CHECK_RELAY” function can be activated on demand. According to this mode, the activation of this function is controlled by at least one DOTS client in the domain. The function is activated for a limited time; it is then deactivated. This mode is preferably used to associate an address or a temporary prefix with the relay activating this function.

According to another embodiment, the “DOTS_CHECK_RELAY” function can be activated permanently. According to this mode, the "DOTS_CHECK_RELAY" function can be achieved by reusing the traffic capture functions. This mode is preferably used when the relay node activating the "DOTS_CHECK_RELAY" function is located on a path which makes it possible to route all or part of the traffic intended for the client domain (for example a router for connection to the Internet network, such as a CPE). The use of temporary addresses / prefixes is not necessary for this mode.

The verification procedure according to the first embodiment is described below ("DOTS probing").

As indicated previously in relation to FIG. 2, the access control server receives (23 _$ ) a list of at least one IP resource associated with the client domain, and selects (24 _$ ), from the list, one or more IP resources to be validated. It is noted that the content of this list can vary over time, since the list can be updated (step 54c of FIG. 5).

For example, upon identification of a DOTS entry to be validated by the access control server, the latter extracts associated destination prefixes.

Optionally, the access control server communicates the list of IP resources (or the associated prefixes / IP addresses) thus selected to the client (step 25 _$ in FIG. 2). For example, such a list can be communicated to the client in the case of the deployment of a module. software dedicated to the DOTS service which exploits, for example, virtualization techniques to dynamically instantiate service functions (“on demand” mode above).

In particular, these service functions can be configured to intercept traffic intended for at least one of the addresses communicated by the DOTS access control server.

According to a particular embodiment, the client can configure the "DOTS_CHECK_RELAY" function (s) in accordance with the instructions of the access control server.

Optionally, the client can inform the access control server that the client domain is ready to process IP resource validation messages.

Once the IP resources to validate have been selected by the access control server, the access control server can implement verification ( _$ 27) of the validity of the selected IP resource (s), or addresses / prefixes associates.

To do this, according to this first embodiment (“DOTS Probing”), the access control server sends requests having as destination address said address to be validated (ie, an address extracted from a selected IP resource), and intercepted by the identified relay node (s) (step _$ 31 in Figure 3).

For example, validation messages "DOTS_PROBE_REQUEST" are transmitted to each of the addresses in the list of selected IP resources.

The access control server can send validation messages "DOTS_PROBE_REQUEST" as soon as the IP resources to be validated are selected, or after a certain delay, or upon receipt of a message from the client, for example a message confirmation of receipt when the access control server communicates the list of selected IP resources to the client ( _$ 25).

The sending of such messages to the nodes identified by the selected IP resource or resources can be carried out successively or simultaneously.

In particular, it should be noted that such validation messages include a control message associated with any information making it possible to identify the validation message unambiguously.

For example, the DOTS access control server generates "DOTS_PROBE_REQUEST" messages with random payloads to prevent suspicious clients from easily guessing messages and sending spoofed responses. Thus, as examples, the access control server can:

insert one or more unique identifiers, such as identifiers of type UUID - Universally Unique Identifier - version 4 (as described in document RFC 4122 “A Universally Unique IDentifier (UUID) URN Namespace” P. Leach, July 2005), randomly generated:

1. 263afd79-835c-4ee7-9535-df245cf28d9a

2. 246813cd-2bf3-46a9-adle-b4bb0f356189

3. 730d0839-0267-4216-8b62-66844bb30711

4. 61319aa3-555d-445c-8918-f2e9cfd67e06

calculate one or more digests that it inserts in the message "DOTS_PROBE_REQUEST", such as digests SHA-256:

1. bdl0ab3db20f6830feb53a8f295013e2934cdc674c32343341445082a73830f7

2. 00ba021fe38dcl2c0ceefd709be9a2d08c8ebea3f231c785f25d03623ee566c5

3.b9c8740f9a4f59c3311f2b027d055dfdd7ba3184754e7451ed649e05cc779385

4. b9e44dflb5f0dc788a068225f422b7cflb4858b62188a47b7504fe202c25e973 use a technique to ensure the integrity and authenticity of the control message, for example of type AEAD "Authenticated Encryption with Associated Data", as described in the document RFC5116: "Authenticated Algorithm , D. McGrew, January 2008;

use any other random generation procedure, such as those specified in document RFC4086 entitled “Randomness Requirements for Security”, D. Eastlake, January 2005;

use a random file (for example an image);

etc.

For example, the generation of a validation message "DOTS_PROBE_REQUEST" by the DOTS access control server includes:

generation of packets with random data (control data);

the definition of the destination address (address of the relay node identified by the selected IP resource);

maintaining a characteristic state of the transmission of said packets with random data;

sending the message ( _$ 31) to the relay identified by the selected IP resource.

The same message can be transmitted several times, in particular in the case where one of the messages was destroyed during its routing towards its destination.

If the destination address extracted from the selected IP resource is not associated with the client domain, two cases must be considered by the access control server: either the access control server receives an error message (via the ICMP protocol, for example);

or the access control server receives no response.

In both cases, the access control server can conclude that the address associated with the DOTS_PROBE_REQUEST message is not legitimately associated with the DOTS client. The access control server can thus invalidate the corresponding entries in its tables. Other actions can be taken, for example, blocking the DOTS client who indicated this address / prefix.

If the destination address is effectively associated with the client domain, then at least one domain relay can intercept the DOTS_PROBE_REQUEST message (s) (step 32R of FIG. 3). These messages can be explicitly intended for the relay (on-demand mode) or for relays with a domain address. In both cases, these messages must be relayed (33R) to the DOTS client. Preferably, the content of the DOTS_PROBE_REQUEST message is not modified by the relay.

Upon receipt (34V) of the DOTS_PROBE_REQUEST message by the client, the DOTS client sends (35c) ^a DOTS_PROBE_REPLY response to the access control server. Preferably, the content of the message is not modified by the client. In particular, the response includes information characteristic of the control message.

On reception (36 _$ ) of the DOTS_PROBE_ REPLY message by the access control server, the access control server correlates (37 _$ ) the response (DOTS_PROBE_REPLY) with the request (DOTS_PROBE_REQUEST) to verify the authenticity and message integrity.

If the correlation has been successful, the associated IP resource is validated.

For example, the processing of a "DOTS_PROBE_REPLY" response message by the DOTS access control server includes:

verification that the message sender is a legitimate DOTS client: if this is not the case, the corresponding IP resource is discarded;

extracting the content of the response message (control message or information characteristic of the control message);

checking the integrity of the message content: if the message content is not correlated with the control message, the corresponding IP resource is discarded; checking the content of the tables: if the IP resource does not correspond to any of the entries in the table maintained by the access control server, then this corresponding IP resource is discarded; validation of the corresponding IP resource.

Such steps can be repeated for all the addresses selected and which must be validated.

FIGS. 11 to 15 show examples of implementation of the verification procedure according to this first embodiment ("DOTS Probing").

Figure 11 illustrates an example of successful validation of all IP resources associated with a DOTS client. It is assumed in this example that the access control server 14 informs the client of the list of addresses selected to be validated ( _$ 25), for example the addresses PI to Pi. It will be recalled that this step is optional. On reception (26V) of this list, the DOTS client proceeds to the configuration ("Setup") of the relays necessary so that they are ready to receive validation messages DOTS_PROBE_REQUEST. A "ACK" confirmation message can be sent by the DOTS client to the access control server to indicate that the client domain is ready. Then, the access control server can send (31s) DOTS_PROBE_REQUEST validation messages to the relay (s) for each of the addresses to be validated. These messages are relayed (33R) successfully by the relays RI, ..., Ri to the DOTS client. The latter then transmits (35V) the DOTS_PROBE_REPLY messages to the DOTS access control server. The latter verifies the integrity of the content of the message and, after consulting its tables, validates the addresses. These addresses are associated with this domain for a configurable period on the access control server. The state of the addresses PI to Pi is therefore "validated".

Figure 12 illustrates another example of successful validation of all IP resources associated with a DOTS client. According to this second example, the DOTS_PROBE_REQUEST validation messages are transmitted ( _$ 31) to the same relay and without prior notification to the client. The state of the addresses PI to Pi is also "validated".

Figure 13 illustrates an example of partial address validation success. Only the PI address is validated while the Pi address is not. The state of the PI address is therefore "validated" while the state of the address at Pi is "not validated".

In particular, we note that if no response is received from the client, or if the response received has not been validated, the access control server concludes that this IP resource is not associated with this DOTS client domain. It thus proceeds to the deletion of said address in its tables.

FIG. 14 illustrates an example of address validation failure, in the case where the access control server does not receive responses to the DOTS_PROBE_REQUEST messages. The state of the PI and Pi addresses is therefore "not validated". Figure 15 illustrates another example where a client generates DOTS_PROBE_REPLY response messages to simulate that relays in their domain have actually received DOTS_PROBE_REQUEST validation messages. These DOTS_PROBE_REPLY messages are not validated by the access control server, because the payloads of the DOTS_PROBE_REQUEST and DOTS_PROBE_REPLY messages are not correlated.

The second embodiment is now described (“Cooperating DOTS / ISPs”) for verifying the validity of the selected resource (s) (step _$ 27 with reference to FIG. 2) ·

This second embodiment consists in requesting the access providers to verify that an address or a prefix declared by a DOTS client is actually allocated by this provider to this client. This mode assumes that access providers expose a programming interface (API) to offer third-party value-added services such as the validation of IP resources. Also, and in order to preserve the confidentiality of customer data, certain information is not disclosed to these third parties, or only on the express agreement of customers. In addition, and in order to avoid data theft, customer information is not passed on to third parties.

The steps of reception (23 _$ ), by the access control server, of a list of at least one IP resource associated with the client domain, of selection (24 _$ ) of at least one IP resource to be validated among the list, and optionally of transmission (25 _$ ) of the IP resource (s) selected to validate to DOTS clients, are also implemented according to this second embodiment, and are similar to those implemented according to the first embodiment .

The verification step ( _$ 27) of the validity of the selected IP resource (s) involves one or more validation servers.

More precisely, as illustrated in FIG. 4, the access control server receives ( _$ 41), according to this second embodiment, information representative of the identity of the client domain or of the entity which manages the client domain.

For example, the DOTS access control server retrieves the identity of the supplier (s) owning the IP resource. Such information may indeed be publicly available. To do this, the access control server interrogates, for example, the base of European IP Networks (RIPE). An example of a request using the resources of the RIPE database to retrieve the identity of the client domain or of the entity that manages the IP resource "80.12.102.157" of the client domain is given below:

https: / / apps. db. ripe. net / db-web-ui \

/#/query?searchtext=80.12.102.157iresultsSection

As indicated above, this second embodiment assumes that the access providers expose a programming interface (API) for the validation of IP resources, for example in one or more validation servers hosted by these access providers. The addresses of the validation servers are also accessible / available to the customers of these access providers.

If the access providers expose said API for the validation of IP resources, and if the RIPE database is modified to inform the validation server (s), the response to this request indicates that the IP resource "80.12.102.157" is allocated, according to this example, to the access provider "Orange SA", and that the validation server (s) for this IP resource are located by the addresses "80.12.102.15" and "80.12.102.16".

An example of response to the request is given below:

Organization manager: Orange S.A.

inetnum: 80.12.102.144 - 80.12.102.159 validation server (s): 80.12.102.15, 80.12.102.16 netname: VISION

descr: France Telecom NDC

country: FR

admin-c: FT09-RIPE

tech-c: FT09-RIPE

status: ASSIGNED PA

mnt -by: FT-BRX

created: 2014-11-20110: 56: 45Z

last-modified: 2018-02-09115: 00: 11Z

source: RIPE

The steps implemented to validate a selected IP resource are presented below in more detail.

The DOTS access control server communicates ( _$ 25) to the DOTS client, optionally, the selected IP resource, or the list of selected IP resources. The server of DOTS access control also identifies (42 _$ ) the owner of the resource and at least one associated validation server.

Once the list received (26V) by the DOTS client, the latter establishes secure communication with a validation server managed by the client's access provider to retrieve information representative of the identity of the client domain or of the entity who manages the client area. For example, the validation server determines (401v) a unique digest of the identity of the client domain. A period of validity can be assigned to the digest.

Such a summary makes it possible to identify a client domain in a simple and unambiguous manner without disclosing other confidential information concerning the client.

For example, the validation server can generate a digest corresponding to the entity which manages the client domain whose identifier is “45979230632” with a time stamp “2018-02- 08T00: 00: 11Z” according to the nomenclature “subscriber_45979230632_timestamp_2018-02 - 08T00: 00: 11Z ":

f4b542f76be38153ecc66b7c4aaa87a04c46def8116dl85cl32elc4alf 515203

The DOTS client can obtain (403V) the digest if it is a client of the access provider hosting the validation server.

If no digest is received, the IP resource is not validated.

This / these digest (s) are then transmitted (404c) ^{to the} DOTS access control server by the client.

On receipt ( _$ 41) of the digest, the DOTS access control server sends ( _$ 43) validation messages DOTS_PROBE_REQUEST to the validation servers RI, ..., Ri. These messages include the digest previously communicated by the client, as well as the IP resource to be validated. In the absence of a digest, the access control server cannot identify the client concerned, and the IP resource is not validated.

On receipt (44v) of a validation message by a validation server Ri, the latter checks whether the IP resource to be validated (address / prefix) is actually allocated to the client identified by said digest.

If yes, the IP resource is validated, otherwise the IP resource is not validated.

A confirmation message (DOTS_PROBE_REPLY) or an error message can be transmitted to the access control server.

The rest of the operations are similar to that of the first embodiment "DOTS Probing". Figure 16 illustrates an example of successful validation of all IP resources associated with a DOTS client. It is assumed in this example that the access control server 14 informs the client of the list of addresses selected to be validated ( _$ 25), for example the addresses RI to Ri. Remember that this step is optional. On receipt of this list, the DOTS client interrogates the validation servers VI of a first access provider 12 and Vi of an i-th access provider 16, associated with the IP resources RI, ..., Ri to validate, to obtain (403c) information ^{representative} of the identity of the client domain, and then transmits (404V) this information to the access control server.

Then, the access control server can send ( _$ 43) DOTS_PROBE_REQUEST validation messages to the validation server (s), carrying the IP resource to be validated and the information representative of the identity of the client domain.

The validation server (s) verify that the IP resource carried by the DOTS_PROBE_REQUEST validation message is effectively associated with the domain identified by the information representative of the identity of the client domain. If this is the case, the state of the addresses RI to Ri is therefore "validated".

Optionally, the validation server (s) send a DOTS_PROBE_REPLY response to the DOTS access control server.

5.3 Structures

Finally, in relation to FIG. 17, the simplified structures of an access control server, a client node, a relay node and a validation server according to one of the embodiments are presented. described above.

According to a particular embodiment, an access control server comprises a memory _$ 171 comprising a buffer memory, a processing unit _$ 172, equipped for example with a programmable calculation machine or a dedicated calculation machine, for example a processor P, and controlled by the computer program 173 _$ , implementing steps of the method for verifying the validity of an IP resource according to an embodiment of the invention.

At initialization, the code instructions of the computer program 173 _$ are for example loaded into a RAM memory before being executed by the processor of the processing unit 172 _$ .

The processor of the processing unit 172 _$ implements steps of the method for verifying the validity of an IP resource described above, according to the instructions of the computer program 173 _$ , for: receiving a list of at least one IP resource associated with a client domain, transmitted from a client node of the client domain to the access control server;

select at least one IP resource to validate from the list;

check the validity of the selected IP resource (s).

According to a particular embodiment, a client node comprises a memory 171V comprising a buffer memory, a processing unit 172c, equipped for example with a programmable calculation machine or with a dedicated calculation machine, for example a processor P, and controlled by the computer program 173c, implementing steps of the method for declaring an IP resource according to an embodiment of the invention.

At initialization, the computer 173c program code instructions are F ^or example loaded into a RAM before being executed by the processor of the processing unit 172c-

The processor of the processing unit 172c ^implements steps of the reporting process of an IP resource described above, according to the instructions of the computer program 173c, T ^o:

obtain a list of at least one IP resource associated with the client domain to which the client node belongs;

forward the list to an access control server.

According to a particular embodiment, a relay node comprises a memory 171R comprising a buffer memory, a processing unit 172R, equipped for example with a programmable calculation machine or with a dedicated calculation machine, for example a processor P, and controlled by the computer program 173R, implementing steps of the method for processing a request for validation of an IP resource according to an embodiment of the invention.

On initialization, the code instructions of the computer program 173R are for example loaded into a RAM memory before being executed by the processor of the processing unit 172R.

The processor of the processing unit 172R implements steps of the method for processing a request for validation of an IP resource described above, according to the instructions of the computer program 173R, for:

receive at least one request including a control message from an access control server,

transmit the request (s) to a client node in the client domain, said relay node being associated with at least one IP resource selected by the access control server from a list of at least one IP resource associated with the client domain, the list being previously transmitted from a client node of the client domain to the server access control.

In particular, such a relay node can activate the “DOTS_CHECK_RELAY” function defined above.

According to a particular embodiment, a validation server comprises a memory 171v comprising a buffer memory, a processing unit 172v, equipped for example with a programmable calculation machine or with a dedicated calculation machine, for example a processor P , and controlled by the computer program 173v, implementing steps of the method for verifying the validity of an IP resource according to an embodiment of the invention.

At initialization, the code instructions of the computer program 173v are for example loaded into a RAM memory before being executed by the processor of the processing unit 172v-

The processor of the processing unit 172v implements steps of the method for verifying the validity of an IP resource described above, according to the instructions of the computer program 173v, for:

receive or intercept at least one request comprising information representative of the identity of a client domain and of at least one selected IP resource, identify the client domain from information representative of the identity of the client domain,

verify the association of the selected IP resource with the client domain, taking into account the identity of the client domain.

Claims

1. Method for verifying the validity of an IP resource associated with a client domain, implemented in a server, called an access control server (14), said method comprising:

receiving ( _$ 23) a list of at least one IP resource associated with said client domain, transmitted from a client node (111) of said client domain to said access control server (14);

selecting ( _$ 24) at least one IP resource to validate from said list; and

verification (27 _$ ) that said at least one selected IP resource is associated with said client domain.

2. Method according to claim 1, characterized in that said verification ( _$ 27) comprises:

the transmission ( _$ 31) of at least one request to at least one selected IP resource, intended to be received or intercepted by at least one relay node (112) of said client domain associated with said at least one selected IP resource, said request including a control message;

reception ( _$ 36) of a response including information characteristic of said control message, transmitted by said client node (111) to said access control server (14), said relay node (112) having previously relayed said request to said audit client node (111); and

validation ( _$ 37) of said at least one IP resource selected by correlation of said request and said response.

3. Method according to claim 1, characterized in that said verification comprises: obtaining information representative of the identity of said client domain;

identifying at least one validation server associated with said at least one selected IP resource; and

the transmission to said at least one validation server of at least one request comprising said information representative of the identity of said client domain and said at least one selected IP resource.

4. Method for declaring an IP resource associated with a client domain, implemented in a client node (111) of said client domain, said method comprising:

obtaining (21V) a list of at least one IP resource associated with the client domain; and transmitting (22c) said list to an access control server (14) configured to verify that said at least one IP resource is associated with said client domain.

5. Method according to claim 4, characterized in that it also comprises:

receiving (34c) at least one request from said access control server (14), via at least one relay node (112) of said client domain associated with at least one IP resource selected from said list by said server access control, said request comprising a control message; and

transmitting (35c) to said access control server (14) a response including information characteristic of said control message.

6. Method according to claim 4, characterized in that it also comprises:

receiving information representative of the identity of said client domain, generated by a validation server associated with at least one IP resource selected from said list by said access control server; and

the transmission to said access control server of said information representative of the identity of said client domain.

7. Method for processing at least one validation request for an IP resource associated with a client domain, implemented in a relay node (112) of said client domain associated with at least one IP resource selected by a control server access (14) from a list of at least one IP resource associated with the client domain, previously transmitted from a client node (111) of said client domain to said access control server,

said method comprising:

receiving or intercepting (32R) said at least one request from said access control server, said request comprising a control message; and transmitting (33R) said at least one request to said client node.

8. Method for verifying the validity of an IP resource associated with a client domain, implemented in a validation server associated with at least one IP resource selected by an access control server from a list of at least an IP resource associated with the client domain, previously transmitted from a client node of said client domain to said access control server,

said method comprising:

receiving at least one request comprising information representative of the identity of a client domain and of said at least one selected IP resource;

identifying said client domain from said information representative of the identity of the client domain; and

verification of the association of said at least one selected IP resource with the client domain taking into account the identity of the client domain.

9. Method according to claim 8, characterized in that it implements beforehand: the determination of said information representative of the identity of said client domain (HASH); and

the transmission, to said client node, of said information representative of the identity of the client domain.

10. Method according to any one of claims 1 to 9, characterized in that a period of validity is associated with said list of at least one IP resource associated with the client domain.

11. Access control server comprising at least one programmable calculation machine or a dedicated calculation machine configured to check the validity of an IP resource associated with a client domain, implementing:

receiving a list of at least one IP resource associated with said client domain, transmitted from a client node of said client domain to said access control server;

selecting at least one IP resource to validate from said list; and

verification that said at least one selected IP resource is associated with said client domain.

12. Client node comprising at least one programmable computing machine or a dedicated computing machine configured to check the validity of an IP resource associated with the client domain to which said client node belongs, implementing:

obtaining a list of at least one IP resource associated with the client domain; and transmitting said list to an access control server configured to verify that said at least one IP resource is associated with said client domain.

13. Relay node comprising at least one programmable calculation machine or a dedicated calculation machine configured to process at least one request for validation of an IP resource associated with a client domain to which said relay node belongs, implementing:

receiving or intercepting said at least one request from an access control server, said request comprising a control message; and

the transmission of said at least one request to a client node of said client domain, said relay node being associated with at least one IP resource selected by said access control server from a list of at least one IP resource associated with said client domain , previously transmitted from a client node of said client domain to said access control server.

14. Validation server associated with at least one IP resource selected by a access control from a list of at least one IP resource associated with a client domain, previously transmitted from a client node of said client domain to said access control server,

comprising at least one programmable calculation machine or a dedicated calculation machine configured to check the validity of said at least one selected IP resource, implementing:

verification of the association of said at least one selected IP resource with the client domain, taking into account the identity of the client domain.

15. Computer program comprising instructions for implementing a method according to any one of claims 1 to 10 when this program is executed by a processor.