<?xml version="1.0" encoding="US-ASCII"?> encoding="utf-8"?>

<!DOCTYPE rfc SYSTEM "rfc2629.dtd">
<?rfc toc="yes"?>
<?rfc tocompact="yes"?>
<?rfc tocdepth="3"?>
<?rfc tocindent="yes"?>
<?rfc symrefs="yes"?>
<?rfc sortrefs="yes"?>
<?rfc comments="yes"?>
<?rfc inline="yes"?>
<?rfc compact="yes"?>
<?rfc subcompact="no"?> [
  <!ENTITY nbsp    "&#160;">
  <!ENTITY zwsp   "&#8203;">
  <!ENTITY nbhy   "&#8209;">
  <!ENTITY wj     "&#8288;">
]>
<rfc xmlns:xi="http://www.w3.org/2001/XInclude" category="std" docName="draft-ietf-dots-telemetry-25" ipr="trust200902"> number="9244" ipr="trust200902" obsoletes="" updates="" submissionType="IETF" consensus="true" xml:lang="en" tocInclude="true" tocDepth="3" symRefs="true" sortRefs="true" version="3">
  <!-- xml2rfc v2v3 conversion 3.12.2 -->
  <front>
    <title abbrev="DOTS Telemetry">Distributed Denial-of-Service Open Threat
    Signaling (DOTS) Telemetry</title>

<!-- [rfced] Document title:  This document's title does not follow
the style of other YANG RFCs (although we see that RFCs 8783 and 9132
are exceptions).  May we update the full and running titles as
suggested?

Original:
   Distributed Denial-of-Service Open Threat Signaling (DOTS) Telemetry
...
   DOTS Telemetry

Suggested:
   A YANG Data Model for Distributed Denial-of-Service
        Open Threat Signaling (DOTS) Telemetry
...
   YANG Data Model for DOTS Telemetry
 -->

    <seriesInfo name="RFC" value="9244"/>
    <author fullname="Mohamed Boucadair" initials="M." role="editor" surname="Boucadair">
      <organization>Orange</organization>
      <address>
        <postal>
          <street></street>
          <street/>
          <city>Rennes</city>
          <code>35000</code>
          <country>France</country>
        </postal>
        <email>mohamed.boucadair@orange.com</email>
      </address>
    </author>
    <author fullname="Tirumaleswar Reddy.K" initials="T." role="editor" surname="Reddy.K">
      <organization>Akamai</organization>
      <address>
        <postal>
          <street>Embassy Golf Link Business Park</street>
          <city>Bangalore</city>
          <region>Karnataka</region>
          <code>560071</code>
          <country>India</country>
        </postal>
        <email>kondtir@gmail.com</email>
      </address>
    </author>
    <author fullname="Ehud Doron" initials="E." surname="Doron">
      <organization>Radware Ltd.</organization>
      <address>
        <postal>
          <street>Raoul Wallenberg Street</street>
          <city>Tel-Aviv</city>
          <code>69710</code>
          <country>Israel</country>
        </postal>
        <email>ehudd@radware.com</email>
      </address>
    </author>
    <author fullname="Meiling Chen" initials="M." surname="Chen">
      <organization>CMCC</organization>
      <address>
        <postal>
          <street>32,
          <street>32 Xuanwumen West</street>

          <city>BeiJing</city>

          <region>BeiJing</region> West Street</street>
          <city>Beijing</city>
          <code>100053</code>
          <country>China</country>
        </postal>
        <email>chenmeiling@chinamobile.com</email>
      </address>
    </author>
    <author fullname="Jon Shallow" initials="J." surname="Shallow">
      <organization></organization>
      <organization/>
      <address>
        <postal>
          <street></street>

          <city></city>

          <region></region>

          <code></code>
          <street/>
          <city/>
          <region/>
          <code/>
          <country>United Kingdom</country>
        </postal>
        <email>supjps-ietf@jpshallow.com</email>
      </address>
    </author>
    <date /> month="May" year="2022"/>
    <area>sec</area>
    <workgroup>DOTS</workgroup>
    <keyword>automation</keyword>
    <keyword>cybersecurity</keyword>
    <keyword>DDoS</keyword>
    <keyword>Resilience</keyword>
    <keyword>Intelligence</keyword>
    <keyword>Service delivery</keyword>

    <keyword>Robsutness</keyword>
    <keyword>Robustness</keyword>
    <keyword>Collaborative</keyword>
    <abstract>
      <t>This document aims to enrich the DOTS Distributed Denial-of-Service Open Threat Signaling (DOTS) signal channel protocol with
      various telemetry attributes, allowing for optimal Distributed
      Denial-of-Service (DDoS) attack mitigation. It specifies the normal
      traffic baseline and attack traffic telemetry attributes a DOTS client
      can convey to its DOTS server in the mitigation request, the mitigation
      status telemetry attributes a DOTS server can communicate to a DOTS
      client, and the mitigation efficacy telemetry attributes a DOTS client
      can communicate to a DOTS server.

<!-- [rfced] Please clarify this sentence. Do the telemetry attributes
assist the mitigator and perform DDoS attack mitigation (Option
A), or do the attributes assist the mitigator in choosing the
techniques and performing DDoS attack mitigation (Option B)?

Original:
   The telemetry attributes can assist the mitigator
   to choose the DDoS mitigation techniques
   and perform optimal DDoS attack mitigation.

Perhaps:
A) The telemetry attributes can assist the mitigator
   in choosing the DDoS mitigation techniques
   and perform optimal DDoS attack mitigation.

Or

B) The telemetry attributes can assist the mitigator
   in choosing the DDoS mitigation techniques
   and performing optimal DDoS attack mitigation. -->

      The telemetry attributes can assist
      the mitigator to choose the DDoS mitigation techniques and perform
      optimal DDoS attack mitigation.</t>
      <t>This document specifies a two YANG module modules: one for representing DOTS telemetry
      message types. It also specifies a second YANG module to share types and one for sharing the attack mapping details over the DOTS data channel.</t>
    </abstract>
  </front>
  <middle>
    <section anchor="introduction" title="Introduction"> numbered="true" toc="default">
      <name>Introduction</name>
      <t>IT organizations and service providers are facing Distributed Denial
      of Service Denial-of-Service
      (DDoS) attacks that fall into two broad categories:<list
          style="numbers">
          <t>Network/Transport layer categories:</t>
      <ol spacing="normal" type="1"><li>
          <t>Network-layer and transport-layer attacks target the victim's
          infrastructure. These attacks are not necessarily aimed at taking
          down the actual delivered services, but rather to services; rather, these attacks prevent various
          network elements (routers, switches, firewalls, transit links, and
          so on) from serving legitimate users' traffic. <vspace
          blankLines="1" />The </t>
          <t>The main method of such attacks is to send a large
          volume or high packet per second (pps) of traffic (e.g., high-pps (packets per second) traffic) toward the
          victim's infrastructure. Typically, attack volumes may vary from a
          few 100 hundred Mbps to 100s hundreds of Gbps or even Tbps. Attacks are commonly
          carried out leveraging botnets and attack reflectors for
          amplification attacks (Section 3.1 of <xref
          target="RFC4732"></xref>) (<xref target="RFC4732" sectionFormat="of" section="3.1"/>) such as NTP (Network Time Protocol), DNS
          (Domain Name System), SNMP (Simple Network Management Protocol), or
          SSDP (Simple Service Discovery Protocol).</t>

          <t>Application layer

<!-- [rfced] Section 1:  As it appears that one type of high-volume
traffic is high-pps traffic, we updated this sentence accordingly.
If this is not correct, please clarify the text.

Original:
   The main method of such attacks is to send a large volume or high
   packet per second (pps) of traffic toward the victim's
   infrastructure.

Currently:
   The main method of such attacks is to send a large volume of
   traffic (e.g., high-pps (packets per second) traffic) toward the
   victim's infrastructure. -->

        </li>
        <li>
          <t>Application-layer attacks target various applications. Typical
          examples include attacks against HTTP/HTTPS, DNS, SIP (Session
          Initiation Protocol), or SMTP (Simple Mail Transfer Protocol).
          However, all applications with their port numbers open at network
          edges can be attractive attack targets. <vspace
          blankLines="1" />Application layer </t>
          <t>Application-layer attacks are considered more
          complex and harder to categorize, categorize and are therefore harder to detect and
          mitigate efficiently.</t>
        </list></t>
        </li>
      </ol>
      <t>To compound the problem, attackers also leverage multi-vectored
      attacks. These attacks are assembled from dynamic attack vectors
      (Network/Application) and tactics. As such, multiple attack vectors
      formed by multiple attack types and volumes are launched simultaneously
      towards
      toward a victim. Multi-vector attacks are harder to detect and defend
      against. Multiple and simultaneous mitigation techniques are needed to
      defeat such attack campaigns. It is also common for attackers to change
      attack vectors right after a successful mitigation, burdening their
      opponents with changing their defense methods.</t>

<!-- [rfced] Section 1:  To what does "Network/Application" refer in
this sentence?

Original:
   These attacks are assembled from dynamic attack vectors
   (Network/Application) and tactics.

Possibly:
   These attacks are assembled from dynamic network-layer and
   application-layer attack vectors and other tactics. -->

      <t>The conclusion derived from the aforementioned attack scenarios is
      that modern attacks attack detection and mitigation are most certainly
      complicated and highly convoluted tasks. They demand a comprehensive
      knowledge of the attack attributes, attributes and the normal behavior of the targeted
      systems (including normal traffic patterns), as well as the attacker's
      ongoing and past actions. Even more challenging, retrieving all the
      analytics needed for detecting these attacks is not simple with the
      industry's current reporting capabilities.</t>
      <t>The DOTS Distributed Denial-of-Service Open Threat Signaling (DOTS) signal channel protocol <xref target="RFC9132"></xref> target="RFC9132" format="default"/> is
      used to carry information about a network resource or a network (or a
      part thereof) that is under a DDoS attack. Such information is sent by a
      DOTS client to one or multiple DOTS servers so that appropriate
      mitigation actions are undertaken on traffic deemed suspicious. Various
      use cases are discussed in <xref target="RFC8903"></xref>.</t> target="RFC8903" format="default"/>.</t>
      <t>DOTS clients can be integrated within a DDoS attack detector, detector or
      within network and security elements that have been actively engaged with
      ongoing attacks. The DOTS client mitigation environment determines that
      it is no longer possible or practical for it to handle these attacks
      itself. This can be due to a lack of resources or security capabilities,
      as derived from the complexities and the intensity of these attacks. In
      this circumstance, the DOTS client has invaluable knowledge about the
      actual attacks that need to be handled by its DOTS server(s). By
      enabling the DOTS client to share this comprehensive knowledge of an
      ongoing attack under specific circumstances, the DOTS server can
      drastically increase its ability to accomplish successful mitigation.
      While the attack is being handled by the mitigation resources associated
      with the DOTS server, the DOTS server has knowledge about the ongoing
      attack mitigation. The DOTS server can share this information with the
      DOTS client so that the client can better assess and evaluate the actual
      mitigation realized.</t>
      <t>DOTS clients can send mitigation hints derived from attack details to
      DOTS servers, with the full understanding that the a DOTS server may
      ignore mitigation hints, as described in <xref target="RFC8612"></xref> target="RFC8612" format="default"/>
      (Gen-004). Mitigation hints will be transmitted across the DOTS signal
      channel, as the data channel may not be functional during an attack. How
      a DOTS server is handling handles normal and attack traffic attributes, and
      mitigation hints, is implementation specific.</t>
      <t>Both DOTS clients and servers can benefit from this information by
      presenting various information details in relevant management, reporting, and
      portal systems.</t>
      <t>This document defines DOTS telemetry attributes that can be conveyed
      by DOTS clients to DOTS servers, and vice versa. The DOTS telemetry
      attributes are not mandatory attributes of the DOTS signal channel
      protocol <xref target="RFC9132"></xref>. target="RFC9132" format="default"/>. When no limitation policy is
      provided to a DOTS agent, it can signal available telemetry attributes
      to it its peers in order to optimize the overall mitigation service
      provisioned using DOTS. The aforementioned policy can be, for example,
      agreed upon during a service subscription (that (which is out of scope) scope for this document) to identify
      a subset of DOTS clients among those deployed in a DOTS client domain
      that are allowed to send or receive telemetry data.</t>

      <t>Also, the
      <t><xref target="data" format="default"/> of this document specifies a YANG module (<xref
      target="data"></xref>) that augments the DOTS data channel <xref
      target="RFC8783"></xref> target="RFC8783" format="default"/> with information related to attack details information. details. Sharing such
      details during 'idle' time is meant to optimize the data exchanged over
      the DOTS signal channel.</t>
    </section>
    <section anchor="notation" title="Terminology"> numbered="true" toc="default">
      <name>Terminology</name>
      <t>The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
      "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", "<bcp14>MUST</bcp14>", "<bcp14>MUST NOT</bcp14>",
      "<bcp14>REQUIRED</bcp14>", "<bcp14>SHALL</bcp14>",
      "<bcp14>SHALL NOT</bcp14>", "<bcp14>SHOULD</bcp14>",
      "<bcp14>SHOULD NOT</bcp14>",
      "<bcp14>RECOMMENDED</bcp14>", "<bcp14>NOT RECOMMENDED</bcp14>",
      "<bcp14>MAY</bcp14>", and
      "OPTIONAL" "<bcp14>OPTIONAL</bcp14>" in this document
      are to be interpreted as described in BCP 14 BCP&nbsp;14
      <xref target="RFC2119"></xref><xref target="RFC8174"></xref> target="RFC2119"/> <xref target="RFC8174"/> when, and only
      when, they appear in all capitals, as shown here.</t>
      <t>The reader should be familiar with the terms defined in <xref
      target="RFC8612"></xref>.</t> target="RFC8612" format="default"/>.</t>
      <t>"DOTS Telemetry" telemetry" is defined as the collection of attributes that are
      used to characterize the normal traffic baseline, attacks and their
      mitigation measures, and any related information that may help in
      enforcing countermeasures. DOTS Telemetry "DOTS telemetry" is an optional set of
      attributes that can be signaled in the DOTS signal channel protocol.</t>

      <t>Telemetry
      <t>The Telemetry Setup Identifier (tsid) is an identifier that is generated
      by DOTS clients to uniquely identify DOTS telemetry setup configuration
      data. See <xref target="PUT"></xref> target="PUT" format="default"/> for more details.</t>

      <t>Telemetry
      <t>The Telemetry Identifier (tmid) is an identifier that is generated by
      DOTS clients to uniquely identify DOTS telemetry data that is
      communicated prior to or during a mitigation. See <xref
      target="preCtoS"></xref> target="preCtoS" format="default"/> for more details.</t>
      <t>When two telemetry requests overlap, "overlapped" lower numeric
      'tsid' (or 'tmid') refers to the lower 'tsid' (or 'tmid') value of these
      overlapping requests.</t>

<!-- [rfced] Section 2:  This sentence does not parse; it appears
that some words are missing.  Please clarify this text.

Original:
   When two telemetry requests overlap, "overlapped" lower numeric
   'tsid' (or 'tmid') refers to the lower 'tsid' (or 'tmid') value of
   these overlapping requests. -->

      <t>The term "pipe" represents the maximum level of traffic that the DOTS
      client domain can receive. Whether a "pipe" is mapped to one or a group
      of network interfaces is deployment-specific. deployment specific. For example, each
      interconnection link may be considered as a specific pipe if the DOTS
      server is hosted by each upstream provider, while the aggregate of all
      links to connect to upstream network providers can be considered by a
      DOTS client domain as a single pipe when communicating with a DOTS
      server not hosted by these upstream providers.</t>

      <t>The
      <t>This document uses IANA-assigned Enterprise Numbers. These numbers are
      also known as "Private Enterprise Numbers" and "SMI (Structure of
      Management Information) Network Management Private Enterprise Codes"
      <xref target="Private-Enterprise-Numbers"></xref>.</t> target="Private-Enterprise-Numbers" format="default"/>.</t>
      <t>The meaning meanings of the symbols in YANG tree diagrams are defined in <xref
      target="RFC8340"></xref> target="RFC8340" format="default"/> and <xref target="RFC8791"></xref>.</t> target="RFC8791" format="default"/>.</t>
      <t>Consistent with the convention set in Section 2 of <xref
      target="RFC8783"></xref>, target="RFC8783" sectionFormat="of" section="2"/>, the examples in <xref target="vam"></xref> target="vam" format="default"/> use
      "/restconf" as the discovered RESTCONF API root path. Within these
      examples, some protocol header lines are split into multiple lines for
      display purposes only. When a line ends with a backslash ('\') ("\") as the last
      character, the line is wrapped for display purposes. It is considered to
      be joined to the next line by deleting the backslash, the following line
      break, and the leading whitespace of the next line.</t>
    </section>
    <section anchor="overview" title="DOTS numbered="true" toc="default">
      <name>DOTS Telemetry: Overview and Purpose"> Purpose</name>
      <t>Timely and effective signaling of up-to-date DDoS telemetry to all
      elements involved in the mitigation process is essential and improves
      the overall DDoS mitigation service service's effectiveness. Bidirectional
      feedback between DOTS agents is required for increased awareness by each
      party of the attack and mitigation efforts, supporting a superior and
      highly efficient attack mitigation service.</t>
      <section title="Need numbered="true" toc="default">
        <name>Need for More Visibility"> Visibility</name>
        <t>When signaling a mitigation request, it is most certainly
        beneficial for DOTS clients to signal to DOTS servers any knowledge
        regarding ongoing attacks. This can happen in cases where DOTS clients
        are asking DOTS servers for support in defending against attacks that
        they have already detected and/or (partially) mitigated.</t>
        <t>If attacks are already detected and categorized within a DOTS
        client domain, the DOTS server, and its associated mitigation
        services, can proactively benefit from this information and optimize
        the overall service delivery. It is important to note that DOTS client
        domains' and DOTS server domains' detection and mitigation approaches
        can be different, different and can potentially result in different results and
        attack classifications. The DDoS mitigation service treats the ongoing
        attack details received from DOTS clients as hints and cannot
        completely rely on or trust the attack details conveyed by DOTS
        clients.</t>
        <t>In addition to the DOTS server directly using telemetry data as
        operational hints, the DOTS server server's security operation team also
        benefits from telemetry data. A basic requirement of security
        operation teams is to be aware of and get visibility into the attacks
        they need to handle. This holds especially for the case of ongoing
        attacks, where DOTS telemetry provides data about the current attack
        status. Even if some mitigation can be automated, operational teams
        can use the DOTS telemetry information to be prepared for attack
        mitigation and to assign the correct resources (operation (e.g., operation staff,
        networking and mitigation) resources, mitigation resources) for the specific service. Similarly,
        security operations personnel at the DOTS client side ask for feedback
        about their requests for protection. Therefore, it is valuable for
        DOTS servers to share DOTS telemetry with DOTS clients.</t>
        <t>Mutual sharing of information is thus crucial for "closing the
        mitigation loop" between DOTS clients and servers. For the server side server-side
        team, it is important to confirm that the same attacks that the DOTS
        server's mitigation resources are seeing are those that for which a DOTS client
        is asking for mitigation of. requesting mitigation. For the DOTS client side client-side team, it is
        important to realize that the DOTS clients receive the required
        service. For
        service -- for example, understanding that "I asked for mitigation of
        two attacks attacks, and my DOTS server detects and mitigates only one of
        them".
        them." Cases of inconsistency in attack classification between DOTS
        clients and servers can be highlighted, and maybe handled, using the
        DOTS telemetry attributes.</t>
        <t>In addition, management and orchestration systems, at both the DOTS
        client and server sides, can use DOTS telemetry as feedback to
        automate various control and management activities derived from
        signaled telemetry information.</t>
        <t>If the DOTS server's mitigation resources have the capabilities to
        facilitate the DOTS telemetry, the DOTS server adapts its protection
        strategy and activates the required countermeasures immediately
        (automation enabled) for the sake of optimized attack mitigation
        decisions and actions. The Discussion regarding the interface from the DOTS server to the
        mitigator to signal the telemetry data is out of scope.</t> scope for this document.</t>
      </section>
      <section title="Enhanced Detection"> numbered="true" toc="default">
        <name>Enhanced Detection</name>
        <t>DOTS telemetry can also be used as input for determining what
        values to use for the tuning parameters available on the mitigation
        resources. During the last few years, DDoS attack detection
        technologies have evolved from threshold-based detection (that is,
        cases when all or specific parts of traffic cross a predefined
        threshold for a certain period of time is considered as an attack) to
        an "anomaly detection" approach. For the latter, it is required to
        maintain rigorous learning of "normal" behavior, and an "anomaly" (or
        an attack) is identified and categorized based on the knowledge about
        the normal behavior and a deviation from this normal behavior.
        Statistical and artificial intelligence algorithms (e.g., machine
        learning) are used such that the actual traffic thresholds are
        automatically calculated by learning the protected entity's normal
        traffic behavior during 'idle' time (i.e., no mitigation is active).
        The normal traffic characterization learned is referred to as the
        "normal traffic baseline". An attack is detected when the victim's
        actual traffic is deviating from this normal baseline pattern.</t>
        <t>In addition, subsequent activities toward mitigating an attack are
        much more challenging. The ability to distinguish legitimate traffic
        from attacker traffic on a per-packet basis is complex. For example, a
        packet may look "legitimate" and no attack signature can be
        identified. The anomaly can be identified only after detailed
        statistical analysis. DDoS attack mitigators use the normal baseline
        during the mitigation of an attack to identify and categorize the
        expected appearance of a specific traffic pattern. Particularly, the
        mitigators use the normal baseline to recognize the "level of
        normality" that needs to be achieved during the various mitigation
        process.</t>
        processes.</t>
        <t>Normal baseline calculation is performed based on continuous
        learning of the normal behavior of the protected entities. The minimum
        learning period varies from hours to days and even weeks, depending on
        the protected application applications' behavior. The baseline cannot be learned
        during active attacks because attack conditions do not characterize
        the protected entities' normal behavior.</t>
        <t>If the DOTS client has calculated the normal baseline of its
        protected entities, signaling such information to the DOTS server
        along with the attack traffic levels provides value. The DOTS server
        benefits from this telemetry by tuning its mitigation resources with
        the DOTS client's normal baseline. The DOTS server server's mitigators use the
        baseline to familiarize themselves with the attack victim's normal
        behavior and target the baseline as the level of normality they need
        to achieve. Fed with this information, the overall mitigation
        performances
        performance is expected to be improved in terms of time to mitigate,
        accuracy, and false-negative and false-positive rates.</t>
        <t>Mitigation of attacks without having certain knowledge of normal
        traffic can be inaccurate at best. This is especially true for
        recursive signaling (see Section 3.2.3 of <xref
        target="RFC8811"></xref>). target="RFC8811" sectionFormat="of" section="3.2.3"/>). Given that DOTS clients can be integrated
        in a highly diverse set of scenarios and use cases, this emphasizes
        the need for knowledge of the behavior of each DOTS client domain behavior, -- especially
        given that common global thresholds for attack detection practically
        cannot can almost never
        be realized. Each DOTS client domain can have its own levels of
        traffic and normal behavior. Without facilitating normal baseline
        signaling, it may be very difficult for DOTS servers in some cases to
        detect and mitigate the attacks accurately: <list style="empty">
            <t>It

<!-- [rfced] Section 3.2:  This sentence was difficult to follow.
We updated it as noted below.  If this is incorrect, please clarify
"each DOTS client domain behavior" and "thresholds for attack
detection practically cannot be realized".

Original:
   Given that
   DOTS clients can be integrated in a highly diverse set of scenarios
   and use cases, this emphasizes the need for knowledge of each DOTS
   client domain behavior, especially given that common global
   thresholds for attack detection practically cannot be realized.

Currently:
   Given that
   DOTS clients can be integrated in a highly diverse set of scenarios
   and use cases, this emphasizes the need for knowledge of the behavior
   of each DOTS client domain - especially given that common global
   thresholds for attack detection can almost never be realized. -->
</t>
        <ul spacing="normal">
          <li>It is important to emphasize that it is practically impossible
            for the DOTS server's mitigators to calculate the normal baseline
            in cases where they do not have any knowledge of the traffic
            beforehand.</t>
          </list></t>
            beforehand.</li>
        </ul>
        <t>Of course, this information can be provided using out-of-band
        mechanisms or manual configuration configuration, at the risk of unmaintained
        information becoming inaccurate as the network evolves and "normal"
        patterns change. The use of a dynamic and collaborative means between
        the DOTS client and server to identify and share key parameters for
        the sake of efficient DDoS protection is valuable.</t>
      </section>
      <section title="Efficient Mitigation"> numbered="true" toc="default">
        <name>Efficient Mitigation</name>
        <t>During a high volume high-volume attack, DOTS client pipes can be totally
        saturated. DOTS clients ask their DOTS servers to handle the attack
        upstream so that DOTS client pipes return to a reasonable load level
        (normal pattern, ideally). At this point, it is essential to ensure
        that the mitigator does not overwhelm the DOTS client pipes by sending
        back large volumes of "clean traffic", or what it believes is "clean".
        This can happen when the mitigator has not managed to detect and
        mitigate all the attacks launched towards toward the DOTS client domain.</t>
        <t>In this case, it can be valuable to DOTS clients to signal to DOTS
        servers the total pipe capacity, which is the level of traffic the
        DOTS client domain can absorb from its upstream network. This usually is usually
        the circuit size size, which includes all the packet overheads. Dynamic
        updates of the condition of pipes between DOTS agents while they are
        under a DDoS attack is are essential (e.g., where multiple DOTS clients
        share the same physical connectivity pipes). The DOTS server should
        activate other mechanisms to ensure that it does not allow the DOTS client
        domain's pipes to be saturated unintentionally. The rate-limit action
        defined in <xref target="RFC8783"></xref> target="RFC8783" format="default"/> is a reasonable candidate to
        achieve this objective; the DOTS client can indicate the type(s) of
        traffic (such as ICMP, UDP, TCP port number 80) it prefers to limit.
        The rate-limit action can be controlled via the signal channel <xref
        target="RFC9133"></xref> target="RFC9133" format="default"/> even when the pipe is overwhelmed.</t>
      </section>
    </section>
    <section title="Design Overview">
      <t></t> numbered="true" toc="default">
      <name>Design Overview</name>
      <section title="Overview numbered="true" toc="default">
        <name>Overview of Telemetry Operations"> Operations</name>
        <t>The DOTS protocol suite is divided into two logical channels: the
        signal channel <xref target="RFC9132"></xref> target="RFC9132" format="default"/> and data channel <xref
        target="RFC8783"></xref>. target="RFC8783" format="default"/>. This division is due to the vastly different
        requirements placed upon the traffic they carry. The DOTS signal
        channel must remain available and usable even in the face of attack
        traffic that might, e.g., for example, saturate one direction of the links
        involved, rendering acknowledgment-based mechanisms unreliable and
        strongly incentivizing messages to be small enough to be contained in
        a single IP packet (Section 2.2 of <xref target="RFC8612"></xref>). (<xref target="RFC8612" sectionFormat="of" section="2.2"/>). In
        contrast, the DOTS data channel is available for high-bandwidth data
        transfer before or after an attack, using more conventional transport
        protocol techniques (Section 2.3 of <xref target="RFC8612"></xref>). (<xref target="RFC8612" sectionFormat="of" section="2.3"/>).
        It is generally preferable to perform advance configuration over the
        DOTS data channel, including configuring aliases for static or nearly
        static data sets such as sets of network addresses/prefixes that might
        be subject to related attacks. This design helps to optimize the use
        of the DOTS signal channel for the small messages that are important
        to deliver during an attack. As a reminder, both DOTS signal channels and data
        channels both require secure communication channels (Section 11 of <xref
        target="RFC9132"></xref> (<xref target="RFC9132" sectionFormat="of" section="11"/> and Section 10 of <xref
        target="RFC8783"></xref>).</t> target="RFC8783" sectionFormat="of" section="10"/>).</t>
        <t>Telemetry information has aspects that correspond to both
        operational modes (i.e., signal channels and data channels): there is certainly
        a need to convey updated information about ongoing attack traffic and
        targets during an attack, so as to convey detailed information about
        mitigation status and inform updates to mitigation strategy in the
        face of adaptive attacks. However, it is also useful to provide
        mitigation services with a picture of normal or "baseline" traffic
        towards
        toward potential targets to aid in detecting when incoming traffic
        deviates from normal into being an attack. Also, one might populate a
        "database" of classifications of known types of attack attacks so that a short
        attack identifier can be used during an attack time period to describe an
        observed attack. This specification does make provision for use of the
        DOTS data channel for the latter function (<xref
        target="vam"></xref>), target="vam" format="default"/>) but otherwise retains most telemetry
        functionality in the DOTS signal channel.</t>
        <t>Note that it is a functional requirement to convey information
        about ongoing attack traffic during an attack, and information about
        baseline traffic uses an essentially identical data structure that is
        naturally defined to sit next to the description of attack traffic.
        The related telemetry setup information used to parameterize actual
        traffic data is also sent over the signal channel, out of
        expediency.</t>
        <t>This document specifies an extension to the DOTS signal channel
        protocol. Considerations about how to establish, maintain, and make
        use of the DOTS signal channel are specified in <xref
        target="RFC9132"></xref>.</t> target="RFC9132" format="default"/>.</t>
        <t>Once the DOTS signal channel is established, DOTS clients that
        support the DOTS telemetry extension proceed with the telemetry setup
        configuration (e.g., measurement interval, telemetry notification
        interval, pipe capacity, normal traffic baseline) as detailed in <xref
        target="conf"></xref>. target="conf" format="default"/>. DOTS agents can then include DOTS telemetry
        attributes using the DOTS signal channel (<xref target="pre"></xref>). target="pre" format="default"/>).
        A DOTS client can use separate messages to share with its DOTS
        server(s) a set of telemetry data bound to an ongoing mitigation
        (<xref target="preCtoS"></xref>). target="preCtoS" format="default"/>). Also, a DOTS client that is
        interested in receiving telemetry notifications related to some of its
        resources follows the procedure defined in <xref
        target="preStoC"></xref>. target="preStoC" format="default"/>. The DOTS client can then decide to send a
        mitigation request if the notified attack cannot be mitigated locally
        within the DOTS client domain.</t>

<!-- [rfced] Section 4.1:  We had trouble following this sentence,
as it appears that the DOTS client, and not the attack, is notified.
If the suggested text is not correct, please clarify the text.

Original:
   The DOTS client can then decide to send a mitigation
   request if the notified attack cannot be mitigated locally within the
   DOTS client domain.

Suggested:
   A DOTS client that receives such notifications can then decide to
   send a mitigation request if an attack cannot be mitigated locally
   within the DOTS client domain. -->

        <t>Aggregate DOTS telemetry data can also be included in efficacy
        update (<xref target="effu-S"></xref>) target="effu-S" format="default"/>) or mitigation update (<xref
        target="premStoC"></xref>) target="premStoC" format="default"/>) messages.</t>
      </section>
      <section title="Block-wise Transfer"> numbered="true" toc="default">
        <name>Block-Wise Transfers</name>
        <t>DOTS clients can use block wise a block-wise transfer <xref
        target="RFC7959"></xref> target="RFC7959" format="default"/> with the recommendation detailed in Section
        4.4.2 of <xref target="RFC9132"></xref> target="RFC9132" sectionFormat="of" section="4.4.2"/> to control the size of a
        response when the data to be returned does not fit within a single
        datagram.</t>
        <t>DOTS clients can also use CoAP the Constrained Application Protocol (CoAP) Block1 Option in a PUT request
        (Section 2.5 of <xref target="RFC7959"></xref>)
        (<xref target="RFC7959" sectionFormat="of" section="2.5"/>) to initiate large
        transfers, but these Block1 transfers are likely to fail if the
        inbound "pipe" is running full because the transfer requires a message
        from the server for each block, which would likely be lost in the
        incoming flood. Consideration needs to be made to try to fit this PUT
        into a single transfer or to separate out the PUT into several
        discrete PUTs where each of them fits into a single packet.</t>
        <t>Q-Block1 and Q-Block2 Options that are similar to the CoAP Block1
        and Block2 Options, but enable robust transmissions of big blocks of
        data with less packet interchanges using NON messages, are defined in
        <xref target="I-D.ietf-core-new-block"></xref>. target="RFC9177" format="default"/>. DOTS implementations
        can consider the use of Q-Block1 and Q-Block2 Options <xref
        target="I-D.ietf-dots-robust-blocks"></xref>.</t> target="I-D.ietf-dots-robust-blocks" format="default"/>.</t>
      </section>
      <section title="DOTS Multi-homing Considerations"> numbered="true" toc="default">
        <name>DOTS Multihoming Considerations</name>
        <t>Considerations for multi-homed multihomed DOTS clients to select which DOTS
        server to contact and which IP prefixes to include in a telemetry
        message to a given peer DOTS server are discussed in <xref
        target="I-D.ietf-dots-multihoming"></xref>. target="I-D.ietf-dots-multihoming" format="default"/>. For example, if each
        upstream network exposes a DOTS server and the DOTS client maintains
        DOTS channels with all of them, only the information related to
        prefixes assigned by an upstream network to the DOTS client domain
        will be signaled via the DOTS channel established with the DOTS server
        of that upstream network.</t>
        <t>Considerations related to whether (and how) a DOTS client gleans
        some telemetry information (e.g., attack details) it receives from a
        first DOTS server and share shares it with a second DOTS server are
        implementation and deployment specific.</t>
      </section>
      <section title="YANG Considerations"> numbered="true" toc="default">
        <name>YANG Considerations</name>
        <t>Telemetry messages exchanged between DOTS agents are serialized
        using Concise Binary Object Representation (CBOR) <xref
        target="RFC8949"></xref>. target="RFC8949" format="default"/>. CBOR-encoded payloads are used to carry
        signal-channel-specific payload messages which that convey request
        parameters and response information such as errors.</t>
        <t>This document specifies a YANG module <xref
        target="RFC7950"></xref> target="RFC7950" format="default"/> for representing DOTS telemetry message types
        (<xref target="module"></xref>). target="module" format="default"/>). All parameters in the payload of the
        DOTS signal channel are mapped to CBOR types as specified in <xref
        target="map1"></xref>. target="map1" format="default"/>. As a reminder, Section 3 of <xref
        target="RFC9132"></xref> target="RFC9132" sectionFormat="of" section="3"/> defines the rules for mapping YANG-modeled
        data to CBOR.</t>
        <t>The DOTS telemetry module (<xref target="module"></xref>) target="module" format="default"/>) is not
        intended to be used via NETCONF/RESTCONF the Network Configuration Protocol (NETCONF) / RESTCONF for DOTS server management
        purposes. It serves only to provide a data model and encoding
        following <xref target="RFC8791"></xref>. target="RFC8791" format="default"/>. Server deviations (Section
        5.6.3 of <xref target="RFC7950"></xref>) (<xref target="RFC7950" sectionFormat="of" section="5.6.3"/>) are strongly discouraged, as
        the peer DOTS agent does not have the means to retrieve the list of
        deviations and thus interoperability issues are likely to be
        encountered.</t>
        <t>The DOTS telemetry module (<xref target="module"></xref>) target="module" format="default"/>) uses
        "enumerations" rather than "identities" to define units, samples, and
        intervals because otherwise the namespace identifier
        "ietf-dots-telemetry" must be included when a telemetry attribute is
        included (e.g., in a mitigation efficacy update). The use of
        "identities" is thus suboptimal from a message compactness standpoint;
        one of the key requirements for DOTS signal channel messages.</t>

<!-- [rfced] Section 4.4:  This sentence does not parse.  If the
suggested text is not correct, please clarify.

Original:
   The use of "identities" is thus
   suboptimal from a message compactness standpoint; one of the key
   requirements for DOTS Signal Channel messages.</t> messages.

Suggested:
   The use of "identities" is thus
   suboptimal from the standpoint of message compactness, as message
   compactness is one of the key requirements for DOTS signal channel
   messages. -->

        <t>The DOTS telemetry module (<xref target="module"></xref>) target="module" format="default"/>) includes
        some lists for which no key "key" statement is included. This behavior is
        compliant with <xref target="RFC8791"></xref>. target="RFC8791" format="default"/>. The reason for not
        including these keys is because that they are not included in the message
        body of DOTS requests; such keys are included as mandatory Uri-Paths
        in requests (Sections <xref (Sections&nbsp;<xref format="counter" target="conf"></xref> target="conf"/> and
        <xref format="counter" target="pre-t"></xref>). target="pre-t"/>). Otherwise, whenever a
        key
        "key" statement is used in the module, the same definition as the definition provided in Section
        7.8.2 of <xref target="RFC7950"></xref> target="RFC7950" sectionFormat="of" section="7.8.2"/> is assumed.</t>
        <t>Some parameters (e.g., low percentile values) may be associated
        with different YANG types (e.g., decimal64 and yang:gauge64). To
        easily distinguish the types of these parameters while using
        meaningful names, the following suffixes are used:</t>

        <texttable>
          <ttcol>Suffix</ttcol>

          <ttcol>YANG Type</ttcol>

          <ttcol>Example</ttcol>

          <c>-g</c>

          <c>yang:gauge64</c>

          <c>low-percentile-g</c>

          <c>-c</c>

          <c>container</c>

          <c>connection-c</c>

          <c>-ps</c>

          <c>per second</c>

          <c>connection-ps</c>
        </texttable>
        <table anchor="tab-1" align="center">
         <name>YANG Types and Suffixes</name>
          <thead>
            <tr>
              <th align="left">Suffix</th>
              <th align="left">YANG Type</th>
              <th align="left">Example</th>
            </tr>
          </thead>
          <tbody>
            <tr>
              <td align="left">-g</td>
              <td align="left">yang:gauge64</td>
              <td align="left">low-percentile-g</td>
            </tr>
            <tr>
              <td align="left">-c</td>
              <td align="left">container</td>
              <td align="left">connection-c</td>
            </tr>
            <tr>
              <td align="left">-ps</td>
              <td align="left">per second</td>
              <td align="left">connection-ps</td>
            </tr>
          </tbody>
        </table>

<!-- [rfced] Table 1 was the only table that did not have a title.
We gave it a title.  Please let us know any objections (or if you
prefer a different title, please provide it).

Original:
   Table 1

Currently:
   Table 1: YANG Types and Suffixes -->

        <t>The full tree diagram of the DOTS telemetry module can be generated
        using the "pyang" tool <xref target="PYANG"></xref>. target="PYANG" format="default"/>. That tree is not
        included here because it is too long (Section 3.3 of <xref
        target="RFC8340"></xref>). (<xref target="RFC8340" sectionFormat="of" section="3.3"/>). Instead, subtrees are provided for the
        reader's convenience.</t>
        <t>In order to optimize the data exchanged over the DOTS signal
        channel, the this document specifies a second YANG module
        ("ietf-dots-mapping",
        ("ietf-dots-mapping"; see <xref target="data"></xref>) target="data" format="default"/>) that augments the
        DOTS data channel <xref target="RFC8783"></xref>. target="RFC8783" format="default"/>. This augmentation
        can be used during 'idle' time to share the attack mapping details
        (<xref target="attackdetails"></xref>). target="attackdetails" format="default"/>). DOTS clients can use tools,
        e.g., a YANG Library library <xref target="RFC8525"></xref>, target="RFC8525" format="default"/>, to retrieve the
        list of features and deviations supported by the DOTS server over the
        data channel.</t>
      </section>
    </section>
    <section title="Generic Considerations">
      <t></t> numbered="true" toc="default">
      <name>Generic Considerations</name>
      <section title="DOTS numbered="true" toc="default">
        <name>DOTS Client Identification"> Identification</name>
        <t>Following the rules in Section 4.4.1 of <xref
        target="RFC9132"></xref>, target="RFC9132" sectionFormat="of" section="4.4.1"/>, a unique identifier is generated by a DOTS
        client to prevent request collisions ('cuid').</t>
        <t>As a reminder, <xref target="RFC9132"></xref> target="RFC9132" format="default"/> forbids 'cuid' to be
        returned in a response message body.</t>

<!-- [rfced] Section 5.1:  This is the only "As a reminder" sentence
that does not provide a section number for the cited RFC.  May we
update as suggested?

Original:
   As a reminder, [RFC9132] forbids 'cuid' to be returned in a response
   message body.

Suggested:
   As a reminder, Section 4.4.1.3 of [RFC9132] forbids 'cuid' (if
   present) to be returned in a response message body. -->

      </section>
      <section title="DOTS Gateways"> numbered="true" toc="default">
        <name>DOTS Gateways</name>
        <t>DOTS gateways may be located between DOTS clients and servers. The
        considerations elaborated in Section 4.4.1 of <xref
        target="RFC9132"></xref> target="RFC9132" sectionFormat="of" section="4.4.1"/> must be followed. In particular, the 'cdid'
        attribute is used to unambiguously identify a DOTS client domain.</t>
        <t>As a reminder, Section 4.4.1.3 of <xref target="RFC9132"></xref> target="RFC9132" sectionFormat="of" section="4.4.1.3"/>
        forbids 'cdid' (if present) to be returned in a response message
        body.</t>
      </section>
      <section title="Empty numbered="true" toc="default">
        <name>Empty URI Paths</name>

<!-- [rfced] Section 5.3:  Should "URI Paths" be hyphenated here?
We see "URI-Paths" used three times in running text, and the singular
"URI-Path" is always hyphenated.

Original:
   5.3.  Empty URI Paths"> Paths

Perhaps:
   5.3.  Uri-Path Parameters and Attributes with Empty Values

Or possibly:
   5.3.  Empty URI-Path Settings -->

        <t>Uri-Path parameters and attributes with empty values MUST NOT <bcp14>MUST NOT</bcp14> be
        present in a request. The presence of such an empty value renders the
        entire containing message invalid.</t>
      </section>
      <section anchor="control" title="Controlling numbered="true" toc="default">
        <name>Controlling Configuration Data"> Data</name>
        <t>The DOTS server follows the same considerations discussed in
        Section of 4.5.3 of
        <xref target="RFC9132"></xref> target="RFC9132" sectionFormat="of" section="4.5.3"/> for managing DOTS
        telemetry configuration freshness and notification.</t> notifications.</t>
        <t>Likewise, a DOTS client may control the selection of configuration
        and non-configuration data nodes when sending a GET request by means
        of the 'c' (content) Uri-Query option and following the procedure specified in
        Section of 4.4.2 of
        <xref target="RFC9132"></xref>. target="RFC9132" sectionFormat="of" section="4.4.2"/>. These
        considerations are not reiterated in the following sections.</t>
      </section>
      <section title="Message Validation"> numbered="true" toc="default">
        <name>Message Validation</name>
        <t>The authoritative reference references for validating telemetry messages
        exchanged over the DOTS signal channel are Sections <xref Sections&nbsp;<xref format="counter" target="conf"></xref>, target="conf"/>, <xref format="counter"
        target="pre-t"></xref>, target="pre-t"/>, and <xref format="counter"
        target="status"></xref> target="status"/> together with the mapping table established provided in
        <xref target="map1"></xref>. target="map1" format="default"/>. The structure of telemetry message bodies
        is represented as a YANG data structure (<xref
        target="module"></xref>).</t> target="module" format="default"/>).</t>

<!-- [rfced] Section 5.5:  We found "The authoritative reference ...
are Sections ..." confusing, as it introduced a subject-verb
disagreement.  We changed "reference" to "references", but please let
us know if a different word was intended here.

Original:
   The authoritative reference for validating telemetry messages
   exchanged over the DOTS signal channel are Sections 7, 8, and 9
   together with the mapping table established in Section 12.

Currently:
   The authoritative references for validating telemetry messages
   exchanged over the DOTS signal channel are Sections 7, 8, and 9
   together with the mapping table provided in Section 12.

Possibly (assuming that "corresponding" is correct):
   The authoritative references for validating telemetry messages
   exchanged over the DOTS signal channel are provided in
   Sections 7, 8, and 9.  A corresponding mapping table is provided in
   Section 12. -->

      </section>
      <section anchor="note-examples" title="A numbered="true" toc="default">
        <name>A Note About Examples"> about Examples</name>
        <t>Examples are provided for illustration purposes. The This document does
        not aim to provide a comprehensive list of message examples.</t>
        <t>JSON encoding of YANG-modeled data is used to illustrate the
        various telemetry operations. To ease readability, parameter names and
        their JSON types are, thus, are thus used in the examples rather than their
        CBOR key values and CBOR types following the mappings in <xref
        target="map1"></xref>. target="map1" format="default"/>. These conventions are inherited from <xref
        target="RFC9132"></xref>.</t> target="RFC9132" format="default"/>.</t>
        <t>The examples use the Enterprise Number 32473 32473, which is defined for
        documentation use use; see <xref target="RFC5612"></xref>.</t> target="RFC5612" format="default"/>.</t>
      </section>
    </section>
    <section title="Telemetry anchor="tel-op-paths" numbered="true" toc="default">
      <name>Telemetry Operation Paths"> Paths</name>
      <t>As discussed in Section 4.2 of <xref target="RFC9132"></xref>, target="RFC9132" sectionFormat="of" section="4.2"/>, each
      DOTS operation is indicated by a path suffix that indicates the intended
      operation. The operation path is appended to the path prefix to form the
      URI used with a CoAP request to perform the desired DOTS operation. The
      following telemetry path suffixes are defined (Table 2):<figure>
          <artwork><![CDATA[           +-----------------+----------------+-----------+ (<xref target="tab-2"/>):</t>

<table anchor="tab-2">
  <name>DOTS Telemetry Operations</name>
  <thead>
    <tr>
      <th>Operation</th>
      <th>Operation Path</th>
      <th>Details</th>
    </tr>
  </thead>
  <tbody>
    <tr>
      <td>Telemetry Setup</td>
      <td>/tm-setup</td>
      <td><xref target="conf"/></td>
    </tr>
    <tr>
      <td>Telemetry</td>
      <td>/tm</td>
      <td><xref target="pre-t"/></td>
    </tr>
  </tbody>
</table>

<!-- [rfced] Table 2 (Section 6):  Per the text in the paragraph
after this table ("More details are provided in Sections 7 and 8
about the exact structure of 'telemetry-setup' and 'telemetry'
message types") and after finding that "tm-setup" does not appear
again until Section 7.1.1 (i.e., Uri-Path: "tm-setup"), we changed
the "Section 6" and "Section 7" entries in this table to
"Section 7" and "Section 8", respectively.  If this is not correct,
is clarifying text needed to explain these citations?  If yes, please
provide it.

Original (dashed lines are broken so that xml2rfc doesn't
  confuse them with comments):
   +- - - - - - - - -+- - - - - - - - +- - - - - -+
   | Operation       | Operation Path | Details   |
   +=================+================+===========+
   | Telemetry Setup | /tm-setup      | Section 6 |
   | Telemetry       | /tm            | Section 7 |
           +-----------------+----------------+-----------+

                  Table 2: DOTS
   +- - - - - - - - -+- - - - - - - - +- - - - - -+

Currently:
   +=================+================+===========+
   | Operation       | Operation Path | Details   |
   +=================+================+===========+
   | Telemetry Operations]]></artwork>
        </figure></t> Setup | /tm-setup      | Section 7 |
   +- - - - - - - - -+- - - - - - - - +- - - - - -+
   | Telemetry       | /tm            | Section 8 |
   +- - - - - - - - -+- - - - - - - - +- - - - - -+ -->

      <t>Consequently, the "ietf-dots-telemetry" YANG module defined in <xref
      target="module"></xref> target="module" format="default"/> defines a data structure to represent new DOTS
      message types called 'telemetry-setup' and 'telemetry'. The tree
      structure is shown in <xref target="abstract"></xref>. target="abstract-basic" format="default"/>. More details are
      provided in Sections <xref Sections&nbsp;<xref format="counter" target="conf"></xref> target="conf"/> and
      <xref format="counter" target="pre-t"></xref> target="pre-t"/> about the exact structure
      of 'telemetry-setup' and 'telemetry' message types.</t>

      <t><figure anchor="abstract"
          title="New
      <figure anchor="abstract-basic">
        <name>New DOTS Message Types (YANG Tree Structure)">
          <artwork><![CDATA[ Structure)</name>
<sourcecode name="" type="yangtree"><![CDATA[  structure dots-telemetry:
    +-- (telemetry-message-type)?
       +--:(telemetry-setup)
       |  ...
       |  +-- telemetry* []
       |     ...
       |     +-- (setup-type)?
       |        +--:(telemetry-config)
       |        |  ...
       |        +--:(pipe)
       |        |  ...
       |        +--:(baseline)
       |           ...
       +--:(telemetry)
          ...
]]></artwork>
        </figure></t>
]]></sourcecode>
      </figure>
      <t>DOTS implementations MUST <bcp14>MUST</bcp14> support the Observe Option <xref
      target="RFC7641"></xref> target="RFC7641" format="default"/> for 'tm' (<xref target="pre-t"></xref>).</t> target="pre-t" format="default"/>).</t>
    </section>
    <section anchor="conf" title="DOTS numbered="true" toc="default">
      <name>DOTS Telemetry Setup Configuration"> Configuration</name>
      <t>In reference to <xref target="abstract"></xref>, target="abstract-basic" format="default"/>, a DOTS telemetry
      setup message MUST <bcp14>MUST</bcp14> include only telemetry-related configuration
      parameters (<xref target="tconfig"></xref>) or target="tconfig" format="default"/>), information about DOTS
      client domain pipe capacity (<xref target="tpipe"></xref>) target="tpipe" format="default"/>), or information about the telemetry
      traffic baseline (<xref target="tbl"></xref>). target="tbl" format="default"/>). As such, requests that
      include a mix of telemetry configuration, pipe capacity, and traffic
      baseline MUST information <bcp14>MUST</bcp14> be rejected by DOTS servers with a 4.00 (Bad Request).</t> Request) Response Code.</t>
      <t>A DOTS client can reset all installed DOTS telemetry setup
      configuration data following the considerations detailed in <xref
      target="reseta"></xref>.</t> target="reseta" format="default"/>.</t>
      <t>A DOTS server may detect conflicts when processing requests related
      to DOTS client domain pipe capacity or telemetry traffic baseline information with
      requests from other DOTS clients of the same DOTS client domain. More
      details are included in <xref target="conflict"></xref>.</t> target="conflict" format="default"/>.</t>
      <t>Telemetry setup configuration is bound to a DOTS client domain. DOTS
      servers MUST NOT <bcp14>MUST NOT</bcp14> expect DOTS clients to send regular requests to refresh
      the telemetry setup configuration. Any available telemetry setup
      configuration is valid till until the DOTS server ceases to service a DOTS
      client domain. DOTS servers MUST NOT <bcp14>MUST NOT</bcp14> reset 'tsid' because a session
      failed with a DOTS client. DOTS clients update their telemetry setup
      configuration upon change of a parameter that may impact attack
      mitigation.</t>
      <t>DOTS telemetry setup configuration request and response messages are
      marked as Confirmable messages (Section 2.1 of <xref
      target="RFC7252"></xref>).</t> (<xref target="RFC7252" sectionFormat="of" section="2.1"/>).</t>
      <section anchor="tconfig" title="Telemetry Configuration"> numbered="true" toc="default">
        <name>Telemetry Configuration</name>
        <t>DOTS telemetry uses several percentile values to provide a picture
        of a traffic distribution overall, as opposed to just a single
        snapshot of observed traffic at a single point in time. Modeling raw
        traffic flow data as a distribution and describing that distribution
        entails choosing a measurement period that the distribution will
        describe, and a number of sampling intervals, or "buckets", within
        that measurement period. Traffic within each bucket is treated as a
        single event (i.e., averaged), and then the distribution of buckets is
        used to describe the distribution of traffic over the measurement
        period. A distribution can be characterized by statistical measures
        (e.g., mean, median, and standard deviation), deviation) and also by reporting
        the value of the distribution at various percentile levels of the data
        set in question (e.g., "quartiles" that correspond to 25th, 50th, and
        75th percentile). percentiles). More details about percentile values and their
        computation are found in Section 11.3 of <xref
        target="RFC2330"></xref>.</t> target="RFC2330" sectionFormat="of" section="11.3"/>.</t>
        <t>DOTS telemetry uses up to three percentile values, plus the overall
        peak, to characterize traffic distributions. Which percentile
        thresholds are used for these "low", "medium", and "high" percentile
        values is configurable. Default values are defined in <xref
        target="PUT"></xref>.</t> target="PUT" format="default"/>.</t>
        <t>A DOTS client can negotiate with its server(s) a set of telemetry
        configuration parameters to be used for telemetry. Such parameters
        include:</t>

        <t><list style="symbols">
            <t>Percentile-related
        <ul spacing="normal">
          <li>Percentile-related measurement parameters. In particular,
            'measurement-interval' defines the period on during which percentiles are
            computed, while 'measurement-sample' defines the time distribution
            for measuring values that are used to compute percentiles.</t>

            <t>Measurement units</t>

            <t>Acceptable percentiles.</li>
          <li>Measurement units.</li>
          <li>Acceptable percentile values</t>

            <t>Telemetry values.</li>
          <li>Telemetry notification interval</t>

            <t>Acceptable Server-originated telemetry</t>
          </list></t>

        <t></t> interval.</li>
          <li>Acceptable server-originated telemetry.</li>
        </ul>
        <section anchor="acc"
                 title="Retrieve numbered="true" toc="default">
          <name>Retrieving the Current DOTS Telemetry Configuration"> Configuration</name>
          <t>A GET request is used to obtain acceptable and current telemetry
          configuration parameters on the DOTS server. This request may
          include a 'cdid' Uri-Path when the request is relayed by a DOTS
          gateway. An example of such a GET request (without a gateway) is
          depicted in <xref target="GETa"></xref>.</t>

          <t><figure anchor="GETa"
              title="GET target="GETa" format="default"/>.</t>
          <figure anchor="GETa">
            <name>GET to Retrieve the Current and Acceptable DOTS Telemetry Configuration ">
              <artwork><![CDATA[Header: Configuration</name>
            <artwork name="" type="" align="left" alt=""><![CDATA[Header: GET (Code=0.01)
Uri-Path: ".well-known"
Uri-Path: "dots"
Uri-Path: "tm-setup"
Uri-Path: "cuid=dz6pHjaADkaFTbjr0JGBpw"]]></artwork>
            </figure></t> "cuid=dz6pHjaADkaFTbjr0JGBpw"
]]></artwork>
          </figure>

<!-- [rfced] Please review the figures that contain Uri-Path options
(e.g., Figures 2, 4, 5, 6, 7, 8, 11, ... 48).  Should these
figures be labeled as <sourcecode>?  Please see
<https://www.rfc-editor.org/materials/sourcecode-types.txt> for
the list of acceptable <sourcecode> types. -->

          <t>Upon receipt of such a request, and assuming that no error is
          encountered when processing the request, the DOTS server replies
          with a 2.05 (Content) response that conveys the telemetry parameters
          that are acceptable by to the DOTS server, any pipe information (<xref
          target="tpipe"></xref>), target="tpipe" format="default"/>), and the current baseline information (<xref
          target="tbl"></xref>) target="tbl" format="default"/>) maintained by the DOTS server for this DOTS
          client. The tree structure of the response message body is provided
          in <xref target="tree-acceptable"></xref>.</t> target="tree-acceptable" format="default"/>.</t>
          <t>DOTS servers that support the capability of sending telemetry
          information to DOTS clients prior to or during a mitigation (<xref
          target="premStoC"></xref>) sets target="premStoC" format="default"/>) set 'server-originated-telemetry' under
          'max-config-values' to 'true' ('false' is used otherwise). If
          'server-originated-telemetry' is not present in a response, this is
          equivalent to receiving a response with
          'server-originated-telemetry' set to 'false'.</t>

          <t><figure anchor="tree-acceptable"
              title="Telemetry
          <figure anchor="tree-acceptable">
            <name>Telemetry Configuration Tree Structure">
              <artwork><![CDATA[ Structure</name>
<sourcecode name="" type="yangtree"><![CDATA[  structure dots-telemetry:
    +-- (telemetry-message-type)?
       +--:(telemetry-setup)
       |  +-- (direction)?
       |  |  +--:(server-to-client-only)
       |  |     +-- max-config-values
       |  |     |  +-- measurement-interval?          interval
       |  |     |  +-- measurement-sample?            sample
       |  |     |  +-- low-percentile?                percentile
       |  |     |  +-- mid-percentile?                percentile
       |  |     |  +-- high-percentile?               percentile
       |  |     |  +-- server-originated-telemetry?   boolean
       |  |     |  +-- telemetry-notify-interval?     uint16
       |  |     +-- min-config-values
       |  |     |  +-- measurement-interval?        interval
       |  |     |  +-- measurement-sample?          sample
       |  |     |  +-- low-percentile?              percentile
       |  |     |  +-- mid-percentile?              percentile
       |  |     |  +-- high-percentile?             percentile
       |  |     |  +-- telemetry-notify-interval?   uint16
       |  |     +-- supported-unit-classes
       |  |     |  +-- unit-config* [unit]
       |  |     |     +-- unit           unit-class
       |  |     |     +-- unit-status    boolean
       |  |     +-- supported-query-type*  query-type
       |  +-- telemetry* []
       |     +-- (direction)?
       |     |  +--:(server-to-client-only)
       |     |     +-- tsid?                  uint32
       |     +-- (setup-type)?
       |        +--:(telemetry-config)
       |        |  +-- current-config
       |        |     +-- measurement-interval?          interval
       |        |     +-- measurement-sample?            sample
       |        |     +-- low-percentile?                percentile
       |        |     +-- mid-percentile?                percentile
       |        |     +-- high-percentile?               percentile
       |        |     +-- unit-config* [unit]
       |        |     |  +-- unit           unit-class
       |        |     |  +-- unit-status    boolean
       |        |     +-- server-originated-telemetry?   boolean
       |        |     +-- telemetry-notify-interval?     uint16
       |        +--:(pipe)
       |        |  ...
       |        +--:(baseline)
       |           ...
       +--:(telemetry)
          ...
]]></artwork>
            </figure></t>
]]></sourcecode>
          </figure>
          <t>When both 'min-config-values' and 'max-config-values' attributes
          are present, the values carried in 'max-config-values' attributes
          MUST
          <bcp14>MUST</bcp14> be greater than or equal to their counterpart counterparts in 'min-config-values'
          attributes.</t>
        </section>
        <section anchor="PUT" title="Conveying numbered="true" toc="default">
          <name>Conveying the DOTS Telemetry Configuration"> Configuration</name>
          <t>A PUT request is used to convey the configuration parameters for
          the telemetry data (e.g., low, mid, or high percentile values). For
          example, a DOTS client may contact its DOTS server to change the
          default percentile values used as the baseline for telemetry data. <xref
          target="tree-acceptable"></xref> target="tree-acceptable" format="default"/> lists the attributes that can be
          set by a DOTS client in such a PUT request. An example of a DOTS
          client that modifies all percentile reference values is shown in
          <xref target="tput"></xref>. <list style="empty">
              <t>Note: target="tput" format="default"/>. </t>
          <t indent="3">
              Note: The payload of the message depicted in <xref
              target="tput"></xref> target="tput" format="default"/> is CBOR-encoded as indicated by setting the
              Content-Format set entry to "application/dots+cbor" (Section 10.3 of
              <xref target="RFC9132"></xref>). (<xref target="RFC9132" sectionFormat="of" section="10.3"/>). However, and for the sake of
              better readability, the example (and other similar figures
              depicting a DOTS telemetry message body) follows the conventions
              set in <xref target="note-examples"></xref>: target="note-examples" format="default"/>: use the JSON names
              and types defined in <xref target="map1"></xref>.</t>
            </list></t>

          <t><figure anchor="tput"
              title="PUT target="map1" format="default"/>.
          </t>

<!-- [rfced] Sections 7.1.2 and subsequent:  Please review whether
any of the "Note:" items in this document should be in the <aside>
element.  <aside> is defined as "a container for content that is
semantically less important or tangential to the content that
surrounds it"
(https://xml2rfc.tools.ietf.org/xml2rfc-doc.html#name-aside-2). -->

          <figure anchor="tput">
            <name>PUT to Convey the DOTS Telemetry Configuration, depicted Depicted as per Section 5.6"> 5.6</name>
            <artwork align="left"><![CDATA[Header: align="left" name="" type="" alt=""><![CDATA[Header: PUT (Code=0.03)
Uri-Path: ".well-known"
Uri-Path: "dots"
Uri-Path: "tm-setup"
Uri-Path: "cuid=dz6pHjaADkaFTbjr0JGBpw"
Uri-Path: "tsid=123"
Content-Format: "application/dots+cbor"

{
  "ietf-dots-telemetry:telemetry-setup": {
    "telemetry": [
      {
        "current-config": {
          "low-percentile": "5.00",
          "mid-percentile": "65.00",
          "high-percentile": "95.00"
        }
      }
    ]
  }
}
]]></artwork>
            </figure></t>
          </figure>

<!-- [rfced] Figures 4 and subsequent (14 figures, by our count):
Because the instances of "Section 5.6" ("..., depicted as per
Section 5.6") in the figure titles cannot be hyperlinked and the
title text looks a bit awkward, may we (1) remove the instances of
", depicted as per Section 5.6" from the figure titles, (2) instead
preface the titles with "Example of a " per Figures 11, 13, 15, and
17, and (3) update this sentence as follows?

Original:
   However, and for the sake
   of better readability, the example (and other similar figures
   depicting a DOTS telemetry message body) follows the conventions
   set in Section 5.6: use the JSON names and types defined in
   Section 12.
...
   Figure 4: PUT to Convey the DOTS Telemetry Configuration,
                depicted as per Section 5.6
...
   Figure 5: PUT to Disable Low- and Mid-Percentiles, depicted as
                        per Section 5.6
...
  etc.

Suggested (Please note that we suggest "parameter names and JSON
types", along the lines of text in Section 5.6 and per Table 3
in Section 12):
   However, and for the sake
   of better readability, this example, and other similar "Example"
   figures depicting a DOTS telemetry message body (Figures 4, 5, 6,
   11, etc.) follow the conventions set in Section 5.6: use the
   parameter names and JSON types listed in Section 12.
...
   Figure 4: Example of a PUT to Convey the DOTS Telemetry
                        Configuration
...
   Figure 5: Example of a PUT to Disable Low- and Mid-Percentiles
...
  etc. -->

          <t>'cuid' is a mandatory Uri-Path parameter for PUT requests.</t>
          <t>The following additional Uri-Path parameter is defined: <list
              hangIndent="5" style="hanging">
              <t hangText="tsid:">Telemetry </t>
          <dl newline="false" spacing="normal">
            <dt>tsid:</dt>
            <dd>
              <t>The Telemetry Setup Identifier is an identifier
              for the DOTS telemetry setup configuration data represented as
              an integer. This identifier MUST <bcp14>MUST</bcp14> be generated by DOTS clients.
              'tsid' values MUST <bcp14>MUST</bcp14> increase monotonically whenever new
              configuration parameters (not just for changed values) need to
              be conveyed by the DOTS client. <vspace blankLines="1" />The </t>
              <t>The
              procedure specified in Section 4.4.1 of <xref
              target="RFC9132"></xref> target="RFC9132" sectionFormat="of" section="4.4.1"/> for 'mid' rollover MUST <bcp14>MUST</bcp14> also be
              followed for 'tsid' rollover.<vspace blankLines="1" />This rollover.</t>
              <t>This is a
              mandatory attribute. 'tsid' MUST &nbsp;'tsid' <bcp14>MUST</bcp14> appear after 'cuid' in the
              Uri-Path options.</t>
            </list></t>
            </dd>
          </dl>
          <t>'cuid' and 'tsid' MUST NOT <bcp14>MUST NOT</bcp14> appear in the PUT request message
          body.</t>
          <t>At least one configurable attribute MUST <bcp14>MUST</bcp14> be present in the PUT
          request.</t>
          <t>A PUT request with a higher numeric 'tsid' value overrides the
          DOTS telemetry configuration data installed by a PUT request with a
          lower numeric 'tsid' value. To avoid maintaining a long list of
          'tsid' requests for requests carrying telemetry configuration data
          from a DOTS client, the lower numeric 'tsid' MUST <bcp14>MUST</bcp14> be automatically
          deleted and no longer be available at the DOTS server.</t>
          <t>The DOTS server indicates the result of processing the PUT
          request using the following Response Codes:<list style="symbols">
              <t>If Codes:</t>
          <ul spacing="normal">
            <li>If the request is missing a mandatory attribute, does not
              include 'cuid' or 'tsid' Uri-Path parameters, or contains one or
              more invalid or unknown parameters, a 4.00 (Bad Request) MUST Response Code <bcp14>MUST</bcp14> be
              returned in the response.</t>

              <t>If response.</li>
            <li>If the DOTS server does not find the 'tsid' parameter value
              conveyed in the PUT request in its configuration data and if the
              DOTS server has accepted the configuration parameters, then a
              2.01 (Created) Response Code MUST <bcp14>MUST</bcp14> be returned in the
              response.</t>

              <t>If
              response.</li>
            <li>If the DOTS server finds the 'tsid' parameter value conveyed
              in the PUT request in its configuration data and if the DOTS
              server has accepted the updated configuration parameters, a 2.04
              (Changed) MUST Response Code <bcp14>MUST</bcp14> be returned in the response.</t> response.</li>
            <li>
              <t>If any of the enclosed configurable attribute values are not
              acceptable to the DOTS server (<xref target="acc"></xref>), target="acc" format="default"/>), a 4.22
              (Unprocessable Entity) MUST Response Code <bcp14>MUST</bcp14> be returned in the response. <vspace
              blankLines="1" />The </t>
              <t>The DOTS client may retry and send the PUT
              request with updated attribute values acceptable to the DOTS
              server.</t>
            </list></t>
            </li>
          </ul>
          <t>By default, low percentile (10th percentile), mid percentile
          (50th percentile), high percentile (90th percentile), and peak
          (100th percentile) values are used to represent telemetry data.
          Nevertheless, a DOTS client can disable some percentile types (low,
          mid, high). In particular, setting 'low-percentile' to '0.00' "0.00"
          indicates that the DOTS client is not interested in receiving
          low-percentiles. Likewise, setting 'mid-percentile' (or
          'high-percentile') to the same value as 'low-percentile' (or
          'mid-percentile') indicates that the DOTS client is not interested
          in receiving mid-percentiles (or high-percentiles). For example, a
          DOTS client can send the request depicted in <xref
          target="tput1"></xref> target="tput1" format="default"/> to inform the server that it is interested in
          receiving only high-percentiles. This assumes that the client will
          only use that percentile type when sharing telemetry data with the
          server.</t>

          <t><figure anchor="tput1"
              title="PUT
          <figure anchor="tput1">
            <name>PUT to Disable Low- and Mid-Percentiles, depicted Depicted as per Section 5.6 "> 5.6</name>
            <artwork align="left"><![CDATA[Header: align="left" name="" type="" alt=""><![CDATA[Header: PUT (Code=0.03)
Uri-Path: ".well-known"
Uri-Path: "dots"
Uri-Path: "tm-setup"
Uri-Path: "cuid=dz6pHjaADkaFTbjr0JGBpw"
Uri-Path: "tsid=124"
Content-Format: "application/dots+cbor"

{
  "ietf-dots-telemetry:telemetry-setup": {
    "telemetry": [
      {
        "current-config": {
          "low-percentile": "0.00",
          "mid-percentile": "0.00",
          "high-percentile": "95.00"
        }
      }
    ]
  }
}
]]></artwork>
            </figure></t>
          </figure>
          <t>DOTS clients can also configure the unit class(es) to be used for
          traffic-related telemetry data among the following supported unit
          classes: packets per second, bits per second, and bytes per second.
          Supplying both bits per second and bytes per second unit-classes unit classes is
          allowed for a given set of telemetry data. However, receipt of conflicting
          values is treated as invalid parameters and rejected with a 4.00 (Bad
          Request).</t>
          Request) Response Code.</t>
          <t>DOTS clients that are interested in receiving pre-or-ongoing-
          mitigation telemetry (pre-or-ongoing-mitigation) information from a
          DOTS server (<xref target="premStoC" format="default"/>) <bcp14>MUST</bcp14> set
          'server-originated-telemetry' to 'true'.

<!-- [rfced] Section 7.1.2:  We found this sentence confusing.  Is
"pre or ongoing mitigation telemetry (pre-or-ongoing-mitigation)
information" necessary?  If the suggested text is not correct, please
provide clarifying text.

Original:
   DOTS clients that are interested to receive pre or ongoing mitigation
   telemetry (pre-or-ongoing-mitigation) information from a DOTS server (<xref target="premStoC"></xref>)
   (Section 9.2) MUST set 'server-originated-telemetry' to 'true'.

Suggested:
   DOTS clients that are interested in receiving
   pre-or-ongoing-mitigation telemetry information from a DOTS server
   (Section 9.2) MUST set 'server-originated-telemetry' to 'true'. -->

 If
          'server-originated-telemetry' is not present in a PUT request, this
          is equivalent to receiving a request with
          'server-originated-telemetry' set to 'false'. An example of a
          request to enable pre-or-ongoing-mitigation telemetry from DOTS
          servers is shown in <xref target="tput2"></xref>.</t>

          <t><figure anchor="tput2"
              title="PUT target="tput2" format="default"/>.</t>
          <figure anchor="tput2">
            <name>PUT to Enable Pre-or-ongoing-mitigation Pre-or-Ongoing-Mitigation Telemetry from the DOTS server, depicted Server, Depicted as per Section 5.6"> 5.6</name>
            <artwork align="left"><![CDATA[Header: align="left" name="" type="" alt=""><![CDATA[Header: PUT (Code=0.03)
Uri-Path: ".well-known"
Uri-Path: "dots"
Uri-Path: "tm-setup"
Uri-Path: "cuid=dz6pHjaADkaFTbjr0JGBpw"
Uri-Path: "tsid=125"
Content-Format: "application/dots+cbor"

{
  "ietf-dots-telemetry:telemetry-setup": {
    "telemetry": [
      {
        "current-config": {
          "server-originated-telemetry": true
        }
      }
    ]
  }
}
]]></artwork>
            </figure></t>

          <t></t>

          <t></t>
          </figure>
        </section>
        <section anchor="GET"
                 title="Retrieve numbered="true" toc="default">
          <name>Retrieving the Installed DOTS Telemetry Configuration"> Configuration</name>
          <t>A DOTS client may issue a GET message with a 'tsid' Uri-Path
          parameter to retrieve the current DOTS telemetry configuration. An
          example of such a request is depicted in <xref
          target="GETs"></xref>.</t>

          <t><figure anchor="GETs"
              title="GET target="GETs" format="default"/>.</t>
          <figure anchor="GETs">
            <name>GET to Retrieve the Current DOTS Telemetry Configuration">
              <artwork><![CDATA[Header: Configuration</name>
            <artwork name="" type="" align="left" alt=""><![CDATA[Header: GET (Code=0.01)
Uri-Path: ".well-known"
Uri-Path: "dots"
Uri-Path: "tm-setup"
Uri-Path: "cuid=dz6pHjaADkaFTbjr0JGBpw"
Uri-Path: "tsid=123"]]></artwork>
            </figure></t> "tsid=123"
]]></artwork>
          </figure>
          <t>If the DOTS server does not find the 'tsid' Uri-Path value
          conveyed in the GET request in its configuration data for the
          requesting DOTS client, it MUST <bcp14>MUST</bcp14> respond with a 4.04 (Not Found)
          error Response Code.</t>
        </section>
        <section anchor="DEL" title="Delete numbered="true" toc="default">
          <name>Deleting the DOTS Telemetry Configuration"> Configuration</name>
          <t>A DELETE request is used to delete the installed DOTS telemetry
          configuration data (<xref target="cdelete"></xref>). 'cuid' target="cdelete" format="default"/>). &nbsp;'cuid' and
          'tsid' are mandatory Uri-Path parameters for such DELETE
          requests.</t>
          <figure anchor="cdelete" title="Delete anchor="cdelete">
            <name>Deleting the Telemetry Configuration"> Configuration</name>
            <artwork align="left"><![CDATA[Header: align="left" name="" type="" alt=""><![CDATA[Header: DELETE (Code=0.04)
Uri-Path: ".well-known"
Uri-Path: "dots"
Uri-Path: "tm-setup"
Uri-Path: "cuid=dz6pHjaADkaFTbjr0JGBpw"
Uri-Path: "tsid=123"
]]></artwork>
          </figure>

          <t></t>
          <t>The DOTS server resets the DOTS telemetry configuration back to
          the default values and acknowledges a DOTS client's request to
          remove the DOTS telemetry configuration using a 2.02 (Deleted)
          Response Code. A 2.02 (Deleted) Response Code is returned even if
          the 'tsid' parameter value conveyed in the DELETE request does not
          exist in its configuration data before the request.</t>
          <t><xref target="reseta"></xref> target="reseta" format="default"/> discusses the procedure to reset
          all DOTS telemetry setup configuration.</t> configuration data.</t>
        </section>
      </section>
      <section anchor="tpipe" title="Total numbered="true" toc="default">
        <name>Total Pipe Capacity"> Capacity</name>
        <t>A DOTS client can communicate to the DOTS server(s) its DOTS client
        domain pipe information. The tree structure of the pipe information is
        shown in <xref target="ptree"></xref>.</t>

        <t><figure anchor="ptree" title="Pipe target="ptree" format="default"/>.</t>
        <figure anchor="ptree">
          <name>Pipe Tree Structure">
            <artwork><![CDATA[ Structure</name>
<sourcecode name="" type="yangtree"><![CDATA[  structure dots-telemetry:
    +-- (telemetry-message-type)?
       +--:(telemetry-setup)
       |  ...
       |  +-- telemetry* []
       |     +-- (direction)?
       |     |  +--:(server-to-client-only)
       |     |     +-- tsid?                  uint32
       |     +-- (setup-type)?
       |        +--:(telemetry-config)
       |        |  ...
       |        +--:(pipe)
       |        |  +-- total-pipe-capacity* [link-id unit]
       |        |     +-- link-id     nt:link-id
       |        |     +-- capacity    uint64
       |        |     +-- unit        unit
       |        +--:(baseline)
       |           ...
       +--:(telemetry)
          ...
]]></artwork>
          </figure></t>
]]></sourcecode>
        </figure>
        <t>A DOTS client domain pipe is defined as a list of limits of on
        (incoming) traffic volume ('total-pipe-capacity') that can be
        forwarded over ingress interconnection links of a DOTS client domain.
        Each of these links is identified with a 'link-id' <xref
        target="RFC8345"></xref>.</t> target="RFC8345" format="default"/>.</t>
        <t>The unit used by a DOTS client when conveying pipe information is
        captured in the 'unit' attribute. The DOTS client MUST <bcp14>MUST</bcp14> auto-scale so
        that the appropriate unit is used. That is, for a given unit class,
        the DOTS client uses the largest unit that gives a value greater than
        one. As such, only one unit per unit class is allowed.</t>
        <section title="Conveying numbered="true" toc="default">
          <name>Conveying DOTS Client Domain Pipe Capacity">
          <t>Similar considerations Capacity</name>
          <t>Considerations similar to those specified in <xref
          target="PUT"></xref> target="PUT" format="default"/> are followed followed, with one exception:<list
              style="empty">
              <t>The exception:</t>
          <ul spacing="normal">
            <li>The relative order of two PUT requests carrying DOTS client
              domain pipe attributes from a DOTS client is determined by
              comparing their respective 'tsid' values. If such these two requests
              have overlapping 'link-id' and 'unit', 'unit' settings, the PUT request with a
              higher numeric 'tsid' value will override the request with a
              lower numeric 'tsid' value. The overlapped lower numeric 'tsid'
              MUST
              <bcp14>MUST</bcp14> be automatically deleted and no longer be available.</t>
            </list></t> available.</li>
          </ul>
          <t>DOTS clients SHOULD <bcp14>SHOULD</bcp14> minimize the number of active 'tsid's used
          for pipe information. In order to avoid maintaining a long list of
          'tsid's for pipe information, it is RECOMMENDED <bcp14>RECOMMENDED</bcp14> that DOTS clients
          include in any request to update information related to a given link
          the information of regarding other links (already communicated using a lower
          'tsid' value). Doing By doing so, this update request will override these
          existing requests and hence optimize the number of 'tsid' request requests
          per DOTS client. <list style="symbols">
              <t>Note: </t>
          <t indent="3">
              Note: This assumes that all link information can fit in one
              single message.</t>
            </list></t> message.
          </t>
          <t>As an example of configuring pipe information, a DOTS client
          managing a single homed single-homed domain (<xref target="single"></xref>) target="single" format="default"/>) can
          send a PUT request (shown in <xref target="putp1"></xref>) target="putp1" format="default"/>) to
          communicate the capacity of "link1" used to connect to its ISP.</t>

          <t><figure anchor="single" title="Single Homed
          <figure anchor="single">
            <name>Single-Homed DOTS Client Domain">
              <artwork><![CDATA[ Domain</name>
            <artwork name="" type="" align="left" alt=""><![CDATA[                      ,--,--,--.             ,--,--,--.
                   ,-'          `-.       ,-'          `-.
                  (  DOTS Client   )=====(     ISP#A      )
                   `-.  Domain  ,-' link1 `-.          ,-'
                      `--'--'--'             `--'--'--']]></artwork>
            </figure></t>

          <t><figure anchor="putp1"
              title="Example             `--'--'--'
]]></artwork>
          </figure>
          <figure anchor="putp1">
            <name>Example of a PUT Request to Convey Pipe Information (Single Homed), depicted (Single-Homed), Depicted as per Section 5.6 "> 5.6</name>
            <artwork align="left"><![CDATA[Header: align="left" name="" type="" alt=""><![CDATA[Header: PUT (Code=0.03)
Uri-Path: ".well-known"
Uri-Path: "dots"
Uri-Path: "tm-setup"
Uri-Path: "cuid=dz6pHjaADkaFTbjr0JGBpw"
Uri-Path: "tsid=126"
Content-Format: "application/dots+cbor"

{
  "ietf-dots-telemetry:telemetry-setup": {
    "telemetry": [
      {
        "total-pipe-capacity": [
          {
            "link-id": "link1",
            "capacity": "500",
            "unit": "megabit-ps"
          }
        ]
      }
    ]
  }
}
]]></artwork>
            </figure></t>
          </figure>
          <t>DOTS clients may be instructed to signal a link aggregate instead
          of individual links. For example, a DOTS client that manages a DOTS
          client domain having two interconnection links with an upstream ISP
          (<xref target="singleagg"></xref>) target="singleagg" format="default"/>) can send a PUT request (shown in
          <xref target="putp1a"></xref>) target="putp1a" format="default"/>) to communicate the aggregate link
          capacity with its ISP. Signaling individual or aggregate link
          capacity is deployment specific.</t>

          <t><figure anchor="singleagg"
              title="DOTS
          <figure anchor="singleagg">
            <name>DOTS Client Domain with Two Interconnection Links">
              <artwork><![CDATA[ Links</name>
            <artwork name="" type="" align="left" alt=""><![CDATA[                      ,--,--,--.             ,--,--,--.
                   ,-'          `-.===== ,-'          `-.
                  (  DOTS Client   )    (     ISP#C      )
                   `-.  Domain  ,-'====== `-.          ,-'
                      `--'--'--'             `--'--'--']]></artwork>
            </figure></t>

          <t><figure anchor="putp1a"
              title="Example             `--'--'--'
]]></artwork>
          </figure>
          <figure anchor="putp1a">
            <name>Example of a PUT Request to Convey Pipe Information (Aggregated Link), depicted Depicted as per Section 5.6 "> 5.6</name>
            <artwork align="left"><![CDATA[Header: align="left" name="" type="" alt=""><![CDATA[Header: PUT (Code=0.03)
Uri-Path: ".well-known"
Uri-Path: "dots"
Uri-Path: "tm-setup"
Uri-Path: "cuid=hmcpH87lmPGsSTjkhXCbin"
Uri-Path: "tsid=896"
Content-Format: "application/dots+cbor"

{
  "ietf-dots-telemetry:telemetry-setup": {
    "telemetry": [
      {
        "total-pipe-capacity": [
          {
            "link-id": "aggregate",
            "capacity": "700",
            "unit": "megabit-ps"
          }
        ]
      }
    ]
  }
}
]]></artwork>
            </figure></t>
          </figure>
          <t>Now consider that the DOTS client domain was upgraded to connect
          to an additional ISP (e.g., ISP#B of in <xref target="multi"></xref>); target="multi" format="default"/>);
          the DOTS client can inform a DOTS server that is not hosted with
          ISP#A and ISP#B domains about this update by sending the PUT request
          depicted in <xref target="putp2"></xref>. target="putp2" format="default"/>. This request also includes
          information related to "link1" even if that link is not upgraded.
          Upon receipt of this request, the DOTS server removes the request
          with 'tsid=126' and updates its configuration base to maintain two
          links (link#1 (link1 and link#2).</t>

          <t><figure anchor="multi" title="Multi-Homed link2).</t>
          <figure anchor="multi">
            <name>Multihomed DOTS Client Domain">
              <artwork><![CDATA[ Domain</name>
            <artwork name="" type="" align="left" alt=""><![CDATA[                     ,--,--,--.
                   ,-'          `-.
                  (     ISP#B      )
                   `-.          ,-'
                      `--'--'--'
                          ||
                          || link2
                     ,--,--,--.             ,--,--,--.
                   ,-'          `-.       ,-'          `-.
                  (  DOTS Client   )=====(     ISP#A      )
                   `-.  Domain  ,-' link1 `-.          ,-'
                      `--'--'--'             `--'--'--'
]]></artwork>
            </figure></t>

          <t><figure anchor="putp2"
              title="Example
          </figure>
          <figure anchor="putp2">
            <name>Example of a PUT Request to Convey Pipe Information (Multi-Homed), depicted (Multihomed), Depicted as per Section 5.6"> 5.6</name>
            <artwork align="left"><![CDATA[Header: align="left" name="" type="" alt=""><![CDATA[Header: PUT (Code=0.03)
Uri-Path: ".well-known"
Uri-Path: "dots"
Uri-Path: "tm-setup"
Uri-Path: "cuid=dz6pHjaADkaFTbjr0JGBpw"
Uri-Path: "tsid=127"
Content-Format: "application/dots+cbor"

{
  "ietf-dots-telemetry:telemetry-setup": {
    "telemetry": [
      {
        "total-pipe-capacity": [
          {
            "link-id": "link1",
            "capacity": "500",
            "unit": "megabit-ps"
          },
          {
            "link-id": "link2",
            "capacity": "500",
            "unit": "megabit-ps"
          }
        ]
      }
    ]
  }
}
]]></artwork>
            </figure></t>
          </figure>
          <t>A DOTS client can delete a link by sending a PUT request with the
          'capacity' attribute set to "0" if other links are still active for
          the same DOTS client domain (see <xref target="pdel"></xref> target="pdel" format="default"/> for
          other delete DELETE cases). For example, if a DOTS client domain re-homes
          (that is, it changes its ISP), the DOTS client can inform its DOTS
          server about this update (e.g., from the network configuration in
          <xref target="single"></xref> target="single" format="default"/> to the one network configuration shown in <xref
          target="single2"></xref>) target="single2" format="default"/>) by sending the PUT request depicted in
          <xref target="putp3"></xref>. target="putp3" format="default"/>. Upon receipt of this request, and
          assuming that no error is encountered when processing the request, the
          DOTS server removes "link1" from its configuration bases for this
          DOTS client domain. Note that if the DOTS server receives a PUT
          request with a 'capacity' attribute set to "0" for all included
          links, it MUST <bcp14>MUST</bcp14> reject the request with a 4.00 (Bad Request). Request) Response Code.
          Instead, the DOTS client can use a DELETE request to delete all
          links (<xref target="pdel"></xref>).</t>

          <t><figure anchor="single2" title="Multi-Homed target="pdel" format="default"/>).</t>

<!-- [rfced] Section 7.2.1:  Please confirm that these two citations
for Section 7.2.3 are correct and will be clear to readers.  We ask
because Section 7.2.3 is very brief and does not contain multiple
cases regarding the use of DELETE requests.  Would it be more
appropriate to also (or instead) cite Section 7.1.4?

Original:
   A DOTS client can delete a link by sending a PUT request with the
   'capacity' attribute set to "0" if other links are still active for
   the same DOTS client domain (see Section 7.2.3 for other delete
   cases).
...
   Instead, the DOTS client can use
   a DELETE request to delete all links (Section 7.2.3). -->

          <figure anchor="single2">
            <name>Multihomed DOTS Client Domain">
              <artwork><![CDATA[ Domain</name>
            <artwork name="" type="" align="left" alt=""><![CDATA[                     ,--,--,--.
                   ,-'          `-.
                  (     ISP#B      )
                   `-.          ,-'
                      `--'--'--'
                          ||
                          || link2
                     ,--,--,--.
                   ,-'          `-.
                  (  DOTS Client   )
                   `-.  Domain  ,-'
                      `--'--'--'
]]></artwork>
            </figure><figure anchor="putp3"
              title="Example
          </figure>
          <figure anchor="putp3">
            <name>Example of a PUT Request to Convey Pipe Information (Multi-Homed), depicted (Multihomed), Depicted as per Section 5.6"> 5.6</name>
            <artwork align="left"><![CDATA[Header: align="left" name="" type="" alt=""><![CDATA[Header: PUT (Code=0.03)
Uri-Path: ".well-known"
Uri-Path: "dots"
Uri-Path: "tm-setup"
Uri-Path: "cuid=dz6pHjaADkaFTbjr0JGBpw"
Uri-Path: "tsid=128"
Content-Format: "application/dots+cbor"

{
  "ietf-dots-telemetry:telemetry-setup": {
    "telemetry": [
      {
        "total-pipe-capacity": [
          {
            "link-id": "link1",
            "capacity": "0",
            "unit": "megabit-ps"
          },
          {
            "link-id": "link2",
            "capacity": "500",
            "unit": "megabit-ps"
          }
        ]
      }
    ]
  }
}
]]></artwork>
            </figure></t>
          </figure>
        </section>
        <section title="Retrieve numbered="true" toc="default">
          <name>Retrieving Installed DOTS Client Domain Pipe Capacity"> Capacity</name>
          <t>A GET request with a 'tsid' Uri-Path parameter is used to retrieve
          a the
          specific information related to an installed DOTS client domain pipe related information. pipe.
          The same procedure as that defined in <xref target="GET"></xref> target="GET" format="default"/> is
          followed.</t>
          <t>To retrieve all pipe information bound to a DOTS client, the DOTS
          client proceeds as specified in <xref target="acc"></xref>.</t> target="acc" format="default"/>.</t>
        </section>
        <section anchor="pdel"
                 title="Delete numbered="true" toc="default">
          <name>Deleting Installed DOTS Client Domain Pipe Capacity"> Capacity</name>
          <t>A DELETE request is used to delete the specific information related to an installed DOTS client domain pipe related information. pipe. The same procedure as that defined in
          <xref target="DEL"></xref> target="DEL" format="default"/> is followed.</t>
        </section>
      </section>
      <section anchor="tbl" title="Telemetry Baseline"> numbered="true" toc="default">
        <name>Telemetry Baseline</name>
        <t>A DOTS client can communicate to its DOTS server(s) its normal
        traffic baseline and connections capacity:<list style="hanging">
            <t hangText="Total capacity:</t>
        <dl newline="false" spacing="normal">
          <dt>Total traffic normal baseline:">The baseline:</dt>
          <dd>
            <t>Total traffic normal baseline data provides the percentile values
            representing the total traffic normal baseline. It can be
            represented for a target using 'total-traffic-normal'.<vspace
            blankLines="1" />The 'total-traffic-normal'.</t>
            <t>The traffic normal per-protocol
            ('total-traffic-normal-per-protocol') baseline is represented for
            a target and is transport-protocol specific.<vspace
            blankLines="1" />The specific.</t>
            <t>The traffic normal per-port-number
            ('total-traffic-normal-per-port') baseline is represented for each
            port number bound to a target.<vspace blankLines="1" />If target.</t>
            <t>If the DOTS
            client negotiated percentile values and units (<xref
            target="tconfig"></xref>), target="tconfig" format="default"/>), these negotiated parameters will be
            used instead of the default ones. parameters. For each used unit class, class used, the
            DOTS client MUST <bcp14>MUST</bcp14> auto-scale so that the appropriate unit is
            used.</t>

            <t hangText="Total
          </dd>
          <dt>Total connections capacity:">If capacity:</dt>
          <dd>
            <t>If the target is
            susceptible to resource-consuming DDoS attacks, the following
            optional attributes for the target per transport protocol are
            useful to detect for detecting resource-consuming DDoS attacks:<list
                style="symbols">
                <t>The attacks:</t>
            <ul spacing="normal">
              <li>The maximum number of simultaneous connections that are
                allowed to the target.</t>

                <t>The target.</li>
              <li>The maximum number of simultaneous connections that are
                allowed to the target per client.</t>

                <t>The client.</li>
              <li>The maximum number of simultaneous embryonic connections
                that are allowed to the target. The term "embryonic
                connection" refers to a connection whose connection handshake
                is not finished. Embryonic connection is connections are only possible in
                connection-oriented transport protocols like TCP or the Stream
                Control Transmission Protocol (SCTP) <xref
                target="RFC4960"></xref>.</t>

                <t>The target="RFC4960" format="default"/>.</li>
<!-- Changed "connection is only possible" to "connections are only
     possible" per similar text in the module. -->
              <li>The maximum number of simultaneous embryonic connections
                that are allowed to the target per client.</t>

                <t>The client.</li>
              <li>The maximum number of connections allowed per second to the
                target.</t>

                <t>The
                target.</li>
              <li>The maximum number of connections allowed per second to the
                target per client.</t>

                <t>The client.</li>
              <li>The maximum number of requests (e.g., HTTP/DNS/SIP
                requests) allowed per second to the target.</t>

                <t>The target.</li>
              <li>The maximum number of requests allowed per second to the
                target per client.</t>

                <t>The client.</li>
              <li>The maximum number of outstanding partial requests allowed
                to the target. Attacks relying upon partial requests create a
                connection with a target but do not send a complete request
                (e.g., an HTTP request).</t>

                <t>The request).</li>
              <li>The maximum number of outstanding partial requests allowed
                to the target per client.</t>
              </list><vspace blankLines="1" />The client.</li>
            </ul>
            <t>The aggregate per transport
            protocol is captured in 'total-connection-capacity', while
            port-specific capabilities are represented using
            'total-connection-capacity-per-port'.</t>
          </list></t>
          </dd>
        </dl>
        <t>Note that a target resource is identified using the attributes
        'target-prefix', 'target-port-range', 'target-protocol', 'target-
        fqdn', 'target-uri', or 'alias-name' as defined in Section 4.4.1.1 of <xref target="RFC9132"></xref>.</t> target="RFC9132" sectionFormat="of" section="4.4.1.1"/>.</t>
        <t>The tree structure of the normal traffic baseline is shown in <xref
        target="bltree"></xref>.</t>

        <t><figure anchor="bltree" title="Telemetry target="bltree" format="default"/>.</t>
        <figure anchor="bltree">
          <name>Telemetry Baseline Tree Structure">
            <artwork><![CDATA[ Structure</name>
<sourcecode name="" type="yangtree"><![CDATA[  structure dots-telemetry:
    +-- (telemetry-message-type)?
       +--:(telemetry-setup)
       |  ...
       |  +-- telemetry* []
       |     +-- (direction)?
       |     |  +--:(server-to-client-only)
       |     |     +-- tsid?                  uint32
       |     +-- (setup-type)?
       |        +--:(telemetry-config)
       |        |  ...
       |        +--:(pipe)
       |        |  ...
       |        +--:(baseline)
       |           +-- baseline* [id]
       |              +-- id
       |              |       uint32
       |              +-- target-prefix*
       |              |       inet:ip-prefix
       |              +-- target-port-range* [lower-port]
       |              |  +-- lower-port    inet:port-number
       |              |  +-- upper-port?   inet:port-number
       |              +-- target-protocol*                      uint8
       |              +-- target-fqdn*
       |              |       inet:domain-name
       |              +-- target-uri*
       |              |       inet:uri
       |              +-- alias-name*
       |              |       string
       |              +-- total-traffic-normal* [unit]
       |              |  +-- unit                 unit
       |              |  +-- low-percentile-g?    yang:gauge64
       |              |  +-- mid-percentile-g?    yang:gauge64
       |              |  +-- high-percentile-g?   yang:gauge64
       |              |  +-- peak-g?              yang:gauge64
       |              +-- total-traffic-normal-per-protocol*
       |              |       [unit protocol]
       |              |  +-- protocol             uint8
       |              |  +-- unit                 unit
       |              |  +-- low-percentile-g?    yang:gauge64
       |              |  +-- mid-percentile-g?    yang:gauge64
       |              |  +-- high-percentile-g?   yang:gauge64
       |              |  +-- peak-g?              yang:gauge64
       |              +-- total-traffic-normal-per-port* [unit port]
       |              |  +-- port                 inet:port-number
       |              |  +-- unit                 unit
       |              |  +-- low-percentile-g?    yang:gauge64
       |              |  +-- mid-percentile-g?    yang:gauge64
       |              |  +-- high-percentile-g?   yang:gauge64
       |              |  +-- peak-g?              yang:gauge64
       |              +-- total-connection-capacity* [protocol]
       |              |  +-- protocol                     uint8
       |              |  +-- connection?                  uint64
       |              |  +-- connection-client?           uint64
       |              |  +-- embryonic?                   uint64
       |              |  +-- embryonic-client?            uint64
       |              |  +-- connection-ps?               uint64
       |              |  +-- connection-client-ps?        uint64
       |              |  +-- request-ps?                  uint64
       |              |  +-- request-client-ps?           uint64
       |              |  +-- partial-request-max?         uint64
       |              |  +-- partial-request-client-max?  uint64
       |              +-- total-connection-capacity-per-port*
       |                      [protocol port]
       |                 +-- port
       |                 |       inet:port-number
       |                 +-- protocol                     uint8
       |                 +-- connection?                  uint64
       |                 +-- connection-client?           uint64
       |                 +-- embryonic?                   uint64
       |                 +-- embryonic-client?            uint64
       |                 +-- connection-ps?               uint64
       |                 +-- connection-client-ps?        uint64
       |                 +-- request-ps?                  uint64
       |                 +-- request-client-ps?           uint64
       |                 +-- partial-request-max?         uint64
       |                 +-- partial-request-client-max?  uint64
       +--:(telemetry)
          ...
]]></artwork>
          </figure></t>
]]></sourcecode>

<!-- [rfced] Figure 18:  Should "uint32" be on the same line as "id"?
We ask because we do not see any lone "uint32" lines anywhere else in
this document.

Original (dashed line broken to prevent xml2rfc from interpreting the
line as a comment):
   |              +- - id
   |              |       uint32 -->

        </figure>
        <t>A DOTS client can share one or multiple normal traffic baselines
        (e.g., aggregate or per-prefix baselines), baselines); each are is uniquely
        identified within the DOTS client domain with an identifier 'id'. ('id'). This
        identifier can be used to update a baseline entry, delete a specific
        entry, etc.</t>
        <section title="Conveying numbered="true" toc="default">
          <name>Conveying DOTS Client Domain Baseline Information">
          <t>Similar considerations Information</name>
          <t>Considerations similar to those specified in <xref
          target="PUT"></xref> target="PUT" format="default"/> are followed followed, with one exception:<list
              style="empty">
              <t>The exception:</t>
          <ul spacing="normal">
            <li>The relative order of two PUT requests carrying DOTS client
              domain baseline attributes from a DOTS client is determined by
              comparing their respective 'tsid' values. If such these two requests
              have overlapping targets, the PUT request with a higher numeric
              'tsid' value will override the request with a lower numeric
              'tsid' value. The overlapped lower numeric 'tsid' MUST <bcp14>MUST</bcp14> be
              automatically deleted and no longer be available.</t>
            </list></t> available.</li>
          </ul>
          <t>Two PUT requests from a DOTS client have overlapping targets if
          there is a common IP address, IP prefix, FQDN, URI, or alias-name. alias name.
          Also, two PUT requests from a DOTS client have overlapping targets
          from the perspective of the DOTS server if the addresses associated
          with the FQDN, URI, or alias are overlapping with each other or with
          'target-prefix'.</t>
          <t>DOTS clients SHOULD <bcp14>SHOULD</bcp14> minimize the number of active 'tsid's used
          for baseline information. In order to avoid maintaining a long list
          of 'tsid's for baseline information, it is RECOMMENDED <bcp14>RECOMMENDED</bcp14> that DOTS
          clients include in a any request to update information related to a
          given target, target the information of regarding other targets (already communicated
          using a lower 'tsid' value) (assuming that this information fits within one single
          datagram). This update request will override these existing requests
          and hence optimize the number of 'tsid' request requests per DOTS client.</t>
          <t>If no target attribute is included in the request, this is an
          indication that the baseline information applies for the DOTS client
          domain as a whole.</t>
          <t>An example of a PUT request to convey the baseline information is
          shown in <xref target="tputs"></xref>.</t>

          <t><figure anchor="tputs"
              title="PUT target="tputs" format="default"/>.</t>
          <figure anchor="tputs">
            <name>PUT to Conveying the Convey DOTS Traffic Baseline, depicted Baseline Information, Depicted as per Section 5.6"> 5.6</name>
            <artwork align="left"><![CDATA[Header: align="left" name="" type="" alt=""><![CDATA[Header: PUT (Code=0.03)
Uri-Path: ".well-known"
Uri-Path: "dots"
Uri-Path: "tm-setup"
Uri-Path: "cuid=dz6pHjaADkaFTbjr0JGBpw"
Uri-Path: "tsid=129"
Content-Format: "application/dots+cbor"

{
  "ietf-dots-telemetry:telemetry-setup": {
    "telemetry": [
      {
        "baseline": [
          {
            "id": 1,
            "target-prefix": [
              "2001:db8:6401::1/128",
              "2001:db8:6401::2/128"
            ],
            "total-traffic-normal": [
              {
                "unit": "megabit-ps",
                "peak-g": "60"
              }
            ]
          }
        ]
      }
    ]
  }
}
]]></artwork>
            </figure></t>
          </figure>
          <t>The DOTS client may share protocol specific protocol-specific baseline information
          (e.g., TCP and UDP) as shown in <xref
          target="tputs2"></xref>.<figure anchor="tputs2"
              title="PUT target="tputs2" format="default"/>.</t>
          <figure anchor="tputs2">
            <name>PUT to Convey the DOTS Traffic Baseline Information (2), depicted Depicted as per Section 5.6"> 5.6</name>
            <artwork align="left"><![CDATA[Header: align="left" name="" type="" alt=""><![CDATA[Header: PUT (Code=0.03)
Uri-Path: ".well-known"
Uri-Path: "dots"
Uri-Path: "tm-setup"
Uri-Path: "cuid=dz6pHjaADkaFTbjr0JGBpw"
Uri-Path: "tsid=130"
Content-Format: "application/dots+cbor"

{
  "ietf-dots-telemetry:telemetry-setup": {
    "telemetry": [
      {
        "baseline": [
          {
            "id": 1,
            "target-prefix": [
              "2001:db8:6401::1/128",
              "2001:db8:6401::2/128"
            ],
            "total-traffic-normal-per-protocol": [
              {
                "unit": "megabit-ps",
                "protocol": 6,
                "peak-g": "50"
              },
              {
                "unit": "megabit-ps",
                "protocol": 17,
                "peak-g": "10"
              }
            ]
          }
        ]
      }
    ]
  }
}
]]></artwork>
            </figure></t>
          </figure>
          <t>The normal traffic baseline information should be updated to
          reflect legitimate overloads (e.g., flash crowds) to prevent
          unnecessary mitigation.</t>
        </section>
        <section title="Retrieve numbered="true" toc="default">
          <name>Retrieving Installed Normal Traffic Baseline"> Baseline Information</name>
          <t>A GET request with a 'tsid' Uri-Path parameter is used to retrieve
          a specific installed DOTS client domain domain's baseline traffic
          information. The same procedure as that defined in <xref
          target="GET"></xref> target="GET" format="default"/> is followed.</t>
          <t>To retrieve all baseline information bound to a DOTS client, the
          DOTS client proceeds as specified in <xref target="acc"></xref>.</t> target="acc" format="default"/>.</t>
        </section>
        <section anchor="basedel"
                 title="Delete numbered="true" toc="default">
          <name>Deleting Installed Normal Traffic Baseline"> Baseline Information</name>
          <t>A DELETE request is used to delete the installed DOTS client
          domain
          domain's normal traffic baseline. baseline information. The same procedure as that defined in
          <xref target="DEL"></xref> target="DEL" format="default"/> is followed.</t>
        </section>
      </section>
      <section anchor="reseta" title="Reset numbered="true" toc="default">
        <name>Resetting the Installed Telemetry Setup"> Setup</name>
        <t>Upon bootstrapping (or reboot or any other event that may alter the
        DOTS client setup), a DOTS client MAY <bcp14>MAY</bcp14> send a DELETE request to set the
        telemetry parameters to default values. Such a request does not
        include any 'tsid'. 'tsid' parameters. An example of such a request is depicted in <xref
        target="bdel"></xref>.</t>

        <t><figure anchor="bdel" title="Delete target="bdel" format="default"/>.</t>
        <figure anchor="bdel">
          <name>Deleting the Telemetry Configuration"> Configuration</name>
          <artwork align="left"><![CDATA[Header: align="left" name="" type="" alt=""><![CDATA[Header: DELETE (Code=0.04)
Uri-Path: ".well-known"
Uri-Path: "dots"
Uri-Path: "tm-setup"
Uri-Path: "cuid=dz6pHjaADkaFTbjr0JGBpw"
]]></artwork>
          </figure></t>
        </figure>
      </section>
      <section anchor="conflict"
               title="Conflict numbered="true" toc="default">
        <name>Conflict with Other DOTS Clients of the Same Domain"> Domain</name>
        <t>A DOTS server may detect conflicts between requests conveying pipe
        and baseline information received from DOTS clients of the same DOTS
        client domain. 'conflict-information' &nbsp;'conflict-information' is used to report the conflict
        to the DOTS client client, following similar guidelines for conflict handling similar to those discussed in
        Section 4.4.1 of
        <xref target="RFC9132"></xref>. target="RFC9132" sectionFormat="of" section="4.4.1"/>. The conflict cause
        can be set to one of these values:<list style="empty">
            <t>1: Overlapping values:</t>
        <dl newline="false" spacing="normal">
          <dt>1:</dt><dd>Overlapping targets (Section 4.4.1 of <xref
            target="RFC9132"></xref>).</t>

            <t>TBA: Overlapping (<xref target="RFC9132" sectionFormat="of" section="4.4.1"/>).</dd>
          <dt>5:</dt><dd>Overlapping pipe scope (see <xref
            target="IANA"></xref>).</t>
          </list></t>

        <t></t> target="IANA" format="default"/>).</dd>
        </dl>
      </section>
    </section>
    <section anchor="pre-t" title="DOTS Pre-or-Ongoing Mitigation Telemetry"> numbered="true" toc="default">
      <name>DOTS Pre-or-Ongoing-Mitigation Telemetry</name>
      <t>There are two broad types of DDoS attacks: one is a bandwidth
      consuming attack, the other is a bandwidth-consuming attacks and  target-resource-consuming attack. attacks. This
      section outlines the set of DOTS telemetry attributes (<xref
      target="pre"></xref>) target="pre" format="default"/>) that covers both types of attack. attacks. The objective of
      these attributes is to allow for the complete knowledge of attacks and
      the various particulars that can best characterize attacks.</t>
      <t>The "ietf-dots-telemetry" YANG module (<xref target="module"></xref>) target="module" format="default"/>)
      defines the data structure of a new message type called 'telemetry'. The
      tree structure of the 'telemetry' message type is shown in <xref
      target="tt"></xref>.</t>

      <t>The target="tt" format="default"/>.</t>

<!-- [rfced] Section 8:  The citation for Figure 24 seems premature, in
that it appears before the citations for Figures 22 and 23 and is not
in proximity to Figure 24 itself.  May we move Figure 24 so that it
appears just after this paragraph?  This would then renumber the
figures accordingly and would make it easier for the reader to view
the information.

Note:  We suggest applying the same technique for the premature
citation for Figure 34 in Section 8.1.6; that citation appears ahead
of Figures 30, 31, 32, and 33).  Those citations and figures would
also be renumbered accordingly.

Original (Section 8, re. Figures 22, 23, and 24):
   The "ietf-dots-telemetry" YANG module (Section 11.1) defines the data
   structure of a new message type called 'telemetry'.  The tree
   structure of the 'telemetry' message type is shown in Figure 24.

   The pre-or-ongoing-mitigation telemetry attributes are indicated by
   the path suffix '/tm'.  The '/tm' is appended to the path prefix to
   form the URI used with a CoAP request to signal the DOTS telemetry.
   Pre-or-ongoing-mitigation telemetry attributes specified in
   Section 8.1 can be signaled between DOTS agents.

   Pre-or-ongoing-mitigation telemetry attributes may be sent by a DOTS
   client or a DOTS server.

   DOTS agents SHOULD bind pre-or-ongoing-mitigation telemetry data to
   mitigation requests associated with the resources under attack.  In
   particular, a telemetry PUT request sent after a mitigation request
   may include a reference to that mitigation request ('mid-list') as
   shown in Figure 22.  An example illustrating request correlation by
   means of 'target-prefix' is shown in Figure 23.
...

Suggested (dashed lines are broken so that xml2rfc doesn't confuse
them with comments):
   The "ietf-dots-telemetry" YANG module (Section 11.1) defines the data
   structure of a new message type called 'telemetry'.  The tree
   structure of the 'telemetry' message type is shown in Figure 22.

   structure dots-telemetry:
     +- - (telemetry-message-type)?
        +- -:(telemetry-setup)
        |  ...
...
   Figure 22: Telemetry Message Type Tree Structure

   The pre-or-ongoing-mitigation telemetry attributes are indicated by
   the path suffix '/tm'.  '/tm' is appended to the path prefix to
   form the URI used with a CoAP request to signal the DOTS telemetry.
   Pre-or-ongoing-mitigation telemetry attributes as specified in
   Section 8.1 can be signaled between DOTS agents.

   Pre-or-ongoing-mitigation telemetry attributes may be sent by a DOTS
   client or a DOTS server.

   DOTS agents SHOULD bind pre-or-ongoing-mitigation telemetry data to
   mitigation requests associated with the resources under attack.  In
   particular, a telemetry PUT request sent after a mitigation request
   may include a reference to that mitigation request ('mid-list') as
   shown in Figure 23.  An example illustrating request correlation by
   means of 'target-prefix' is shown in Figure 24.
... -->

      <t>The pre-or-ongoing-mitigation telemetry attributes are indicated by
      the path suffix '/tm'. &nbsp;'/tm' is appended to the path prefix to form
      the URI used with a CoAP request to signal the DOTS telemetry.
      Pre-or-ongoing-mitigation telemetry attributes as specified in <xref
      target="pre"></xref> target="pre" format="default"/> can be signaled between DOTS agents.</t>
      <t>Pre-or-ongoing-mitigation telemetry attributes may be sent by a DOTS
      client or a DOTS server.</t>
      <t>DOTS agents SHOULD <bcp14>SHOULD</bcp14> bind pre-or-ongoing-mitigation telemetry data to
      mitigation requests associated with the resources under attack. In
      particular, a telemetry PUT request sent after a mitigation request may
      include a reference to that mitigation request ('mid-list') as shown in
      <xref target="mid-co"></xref>. target="mid-co" format="default"/>. An example illustrating request
      correlation by means of 'target-prefix' is shown in <xref
      target="mid-co2"></xref>.</t>

      <t>Many target="mid-co2" format="default"/>.</t>
      <t>Much of the pre-or-ongoing-mitigation telemetry data use uses a unit that
      falls under the unit class that is configured following the procedure
      described in <xref target="PUT"></xref>. target="PUT" format="default"/>. When generating telemetry data
      to send to a peer, the DOTS agent MUST <bcp14>MUST</bcp14> auto-scale so that one or more appropriate
      unit(s)
      units are used.</t>

      <t><figure anchor="mid-co"
          title="Example
      <figure anchor="mid-co">
        <name>Example of Request Correlation using 'mid'">
          <artwork><![CDATA[ Using 'mid'</name>
        <artwork name="" type="" align="left" alt=""><![CDATA[ +-----------+                                         +-----------+
 |DOTS client|                                         |DOTS server|
 +-----------+                                         +-----------+
       |                                                     |
         |===============Mitigation
       |==============Mitigation Request (mid)===============>| (mid)==============>|
       |                                                     |
         |===============Telemetry (mid-list{mid})==============>|
       |==============Telemetry (mid-list{mid})=============>|
       |                                                     |
]]></artwork>
        </figure></t>

      <t><figure anchor="mid-co2"
          title="Example
      </figure>
      <figure anchor="mid-co2">
        <name>Example of Request Correlation using Target Prefix">
          <artwork><![CDATA[ Using &apos;target-prefix&apos;</name>
        <artwork name="" type="" align="left" alt=""><![CDATA[ +-----------+                                         +-----------+
 |DOTS client|                                         |DOTS server|
 +-----------+                                         +-----------+
       |                                                     |
         |<================Telemetry (target-prefix)=============|
       |<===============Telemetry (target-prefix)============|
       |                                                     |
         |=========Mitigation
       |========Mitigation Request (target-prefix)===========>| (target-prefix)==========>|
       |                                                     |
]]></artwork>
        </figure></t>
      </figure>
      <t>DOTS agents MUST NOT <bcp14>MUST NOT</bcp14> send pre-or-ongoing-mitigation telemetry
      notifications to the same peer more frequently than once every
      'telemetry-notify-interval' (<xref target="tconfig"></xref>). target="tconfig" format="default"/>). If a
      telemetry notification is sent using a block-like transfer mechanism
      (e.g., <xref target="I-D.ietf-core-new-block"></xref>), target="RFC9177" format="default"/>), this rate limit
      rate-limit
      policy MUST NOT <bcp14>MUST NOT</bcp14> consider these individual blocks as separate
      notifications, but as a single notification.</t>
      <t>DOTS pre-or-ongoing-mitigation telemetry request and response
      messages MUST <bcp14>MUST</bcp14> be marked as Non-Confirmable Non-confirmable messages (Section 2.1 of
      <xref target="RFC7252"></xref>).</t>

      <t><figure anchor="tt" title="Telemetry (<xref target="RFC7252" sectionFormat="of" section="2.1"/>).</t>
      <figure anchor="tt">
        <name>Telemetry Message Type Tree Structure ">
          <artwork><![CDATA[ Structure</name>
<sourcecode name="" type="yangtree"><![CDATA[  structure dots-telemetry:
    +-- (telemetry-message-type)?
       +--:(telemetry-setup)
       |  ...
       |  +-- telemetry* []
       |     +-- (direction)?
       |     |  +--:(server-to-client-only)
       |     |     +-- tsid?                  uint32
       |     +-- (setup-type)?
       |        +--:(telemetry-config)
       |        |  ...
       |        +--:(pipe)
       |        |  ...
       |        +--:(baseline)
       |           ...
       +--:(telemetry)
          +-- pre-or-ongoing-mitigation* []
             +-- (direction)?
             |  +--:(server-to-client-only)
             |     +-- tmid?                      uint32
             +-- target
             |  ...
             +-- total-traffic* [unit]
             |  ...
             +-- total-traffic-protocol* [unit protocol]
             |  ...
             +-- total-traffic-port* [unit port]
             |  ...
             +-- total-attack-traffic* [unit]
             |  ...
             +-- total-attack-traffic-protocol* [unit protocol]
             |  ...
             +-- total-attack-traffic-port* [unit port]
             |  ...
             +-- total-attack-connection-protocol* [protocol]
             |  ...
             +-- total-attack-connection-port* [protocol port]
             |  ...
             +-- attack-detail* [vendor-id attack-id]
                ...
]]></artwork>
        </figure></t>
]]></sourcecode>
      </figure>
      <section anchor="pre"
               title="Pre-or-Ongoing-Mitigation numbered="true" toc="default">
        <name>Pre-or-Ongoing-Mitigation DOTS Telemetry Attributes"> Attributes</name>
        <t>The description and motivation behind each attribute are presented
        in <xref target="overview"></xref>.</t> target="overview" format="default"/>.</t>

<!-- [rfced] Section 8.1:  We do not see any attribute descriptions
in Section 3.  If the suggested text is not correct, please clarify.

Original:
   The description and motivation behind each attribute are presented in
   Section 3.

Suggested:
   Section 3 discusses the motivation for using the DOTS telemetry
   attributes. -->

        <section title="Target"> numbered="true" toc="default">
          <name>Target</name>
          <t>A target resource (<xref target="targett"></xref>) target="targett" format="default"/>) is identified
          using the attributes 'target-prefix', 'target-port-range',
          'target-protocol', 'target-fqdn', 'target-uri', 'alias-name', or a
          pointer to a mitigation request ('mid-list').</t>

          <t><figure anchor="targett" title="Target
          <figure anchor="targett">
            <name>Target Tree Structure">
              <artwork><![CDATA[ Structure</name>
<sourcecode name="" type="yangtree"><![CDATA[
       +--:(telemetry)
          +-- pre-or-ongoing-mitigation* []
             +-- (direction)?
             |  +--:(server-to-client-only)
             |     +-- tmid?                      uint32
             +-- target
             |  +-- target-prefix*       inet:ip-prefix
             |  +-- target-port-range* [lower-port]
             |  |  +-- lower-port    inet:port-number
             |  |  +-- upper-port?   inet:port-number
             |  +-- target-protocol*     uint8
             |  +-- target-fqdn*         inet:domain-name
             |  +-- target-uri*          inet:uri
             |  +-- alias-name*          string
             |  +-- mid-list*            uint32
             +-- total-traffic* [unit]
             |  ...
             +-- total-traffic-protocol* [unit protocol]
             |  ...
             +-- total-traffic-port* [unit port]
             |  ...
             +-- total-attack-traffic* [unit]
             |  ...
             +-- total-attack-traffic-protocol* [unit protocol]
             |  ...
             +-- total-attack-traffic-port* [unit port]
             |  ...
             +-- total-attack-connection-protocol* [protocol]
             |  ...
             +-- total-attack-connection-port* [protocol port]
             |  ...
             +-- attack-detail* [vendor-id attack-id]
                ...
]]></artwork>
            </figure></t>
]]></sourcecode>
          </figure>
          <t>At least one of the attributes 'target-prefix', 'target-fqdn',
          'target-uri', 'alias-name', or 'mid-list' MUST <bcp14>MUST</bcp14> be present in the
          target definition.</t>
          <t>If the target is susceptible to bandwidth-consuming attacks, the
          attributes representing the percentile values of the 'attack-id'
          attack traffic are included.</t>
          <t>If the target is susceptible to resource-consuming DDoS attacks,
          the attributes defined in <xref target="attackconn"></xref> target="attackconn" format="default"/> are
          applicable for representing the attack.</t>
          <t>At least the 'target' attribute and one other
          pre-or-ongoing-mitigation attribute MUST <bcp14>MUST</bcp14> be present in the DOTS
          telemetry message.</t>
        </section>
        <section anchor="tot" title="Total Traffic"> numbered="true" toc="default">
          <name>Total Traffic</name>
          <t>The 'total-traffic' attribute (<xref target="ttt"></xref>) target="ttt" format="default"/>)
          conveys the percentile values (including peak and current observed
          values) of the total observed traffic. More fine-grained information
          about the total traffic can be conveyed in the
          'total-traffic-protocol' and 'total-traffic-port' attributes.</t>
          <t>The 'total-traffic-protocol' attribute represents the total
          traffic for a target and is transport-protocol specific.</t>
          <t>The 'total-traffic-port' attribute represents the total traffic for a
          target per port number.</t>

          <t><figure anchor="ttt" title="Total
          <figure anchor="ttt">
            <name>Total Traffic Tree Structure">
              <artwork><![CDATA[ Structure</name>
<sourcecode name="" type="yangtree"><![CDATA[
       +--:(telemetry)
          +-- pre-or-ongoing-mitigation* []
             +-- (direction)?
             |  +--:(server-to-client-only)
             |     +-- tmid?                      uint32
             +-- target
             |  ...
             +-- total-traffic* [unit]
             |  +-- unit                 unit
             |  +-- low-percentile-g?    yang:gauge64
             |  +-- mid-percentile-g?    yang:gauge64
             |  +-- high-percentile-g?   yang:gauge64
             |  +-- peak-g?              yang:gauge64
             |  +-- current-g?           yang:gauge64
             +-- total-traffic-protocol* [unit protocol]
             |  +-- protocol             uint8
             |  +-- unit                 unit
             |  +-- low-percentile-g?    yang:gauge64
             |  +-- mid-percentile-g?    yang:gauge64
             |  +-- high-percentile-g?   yang:gauge64
             |  +-- peak-g?              yang:gauge64
             |  +-- current-g?           yang:gauge64
             +-- total-traffic-port* [unit port]
             |  +-- port                 inet:port-number
             |  +-- unit                 unit
             |  +-- low-percentile-g?    yang:gauge64
             |  +-- mid-percentile-g?    yang:gauge64
             |  +-- high-percentile-g?   yang:gauge64
             |  +-- peak-g?              yang:gauge64
             |  +-- current-g?           yang:gauge64
             +-- total-attack-traffic* [unit]
             |  ...
             +-- total-attack-traffic-protocol* [unit protocol]
             |  ...
             +-- total-attack-traffic-port* [unit port]
             |  ...
             +-- total-attack-connection-protocol* [protocol]
             |  ...
             +-- total-attack-connection-port* [protocol port]
             |  ...
             +-- attack-detail* [vendor-id attack-id]
                ...

]]></artwork>
            </figure></t>
]]></sourcecode>
          </figure>
        </section>
        <section anchor="tat" title="Total numbered="true" toc="default">
          <name>Total Attack Traffic "> Traffic</name>
          <t>The 'total-attack-traffic' attribute (<xref
          target="tatt"></xref>) target="tatt" format="default"/>) conveys the total observed attack traffic.
          More fine-grained information about the total attack traffic can be
          conveyed in the 'total-attack-traffic-protocol' and
          'total-attack-traffic-port' attributes.</t>
          <t>The 'total-attack-traffic-protocol' attribute represents the
          total attack traffic for a target and is transport-protocol
          specific.</t>
          <t>The 'total-attack-traffic-port' attribute represents the total
          attack traffic for a target per port number.</t>

          <t><figure anchor="tatt" title="Total
          <figure anchor="tatt">
            <name>Total Attack Traffic Tree Structure">
              <artwork><![CDATA[ Structure</name>
<sourcecode name="" type="yangtree"><![CDATA[
       +--:(telemetry)
          +-- pre-or-ongoing-mitigation* []
             +-- (direction)?
             |  +--:(server-to-client-only)
             |     +-- tmid?                      uint32
             +-- target
             |  ...
             +-- total-traffic* [unit]
             |  ...
             +-- total-traffic-protocol* [unit protocol]
             |  ...
             +-- total-traffic-port* [unit port]
             |  ...
             +-- total-attack-traffic* [unit]
             |  +-- unit                 unit
             |  +-- low-percentile-g?    yang:gauge64
             |  +-- mid-percentile-g?    yang:gauge64
             |  +-- high-percentile-g?   yang:gauge64
             |  +-- peak-g?              yang:gauge64
             |  +-- current-g?           yang:gauge64
             +-- total-attack-traffic-protocol* [unit protocol]
             |  +-- protocol             uint8
             |  +-- unit                 unit
             |  +-- low-percentile-g?    yang:gauge64
             |  +-- mid-percentile-g?    yang:gauge64
             |  +-- high-percentile-g?   yang:gauge64
             |  +-- peak-g?              yang:gauge64
             |  +-- current-g?           yang:gauge64
             +-- total-attack-traffic-port* [unit port]
             |  +-- port                 inet:port-number
             |  +-- unit                 unit
             |  +-- low-percentile-g?    yang:gauge64
             |  +-- mid-percentile-g?    yang:gauge64
             |  +-- high-percentile-g?   yang:gauge64
             |  +-- peak-g?              yang:gauge64
             |  +-- current-g?           yang:gauge64
             +-- total-attack-connection-protocol* [protocol]
             |  ...
             +-- total-attack-connection-port* [protocol port]
             |  ...
             +-- attack-detail* [vendor-id attack-id]
                ...
]]></artwork>
            </figure></t>
]]></sourcecode>
          </figure>
        </section>
        <section anchor="attackconn" title="Total numbered="true" toc="default">
          <name>Total Attack Connections"> Connections</name>
          <t>If the target is susceptible to resource-consuming DDoS attacks,
          the 'total-attack-connection-protocol' attribute is used to convey
          the percentile values (including peak and current observed values)
          of various attributes related to the total attack connections. The
          following optional sub-attributes for the target per transport
          protocol are included to represent the attack characteristics:<?rfc subcompact="yes" ?><list
              style="symbols">
              <t>The characteristics:</t>
          <ul spacing="normal">
            <li>The number of simultaneous attack connections to the
              target.</t>

              <t>The
              target.</li>
            <li>The number of simultaneous embryonic connections to the
              target.</t>

              <t>The
              target.</li>
            <li>The number of attack connections per second to the
              target.</t>

              <t>The
              target.</li>
            <li>The number of attack requests per second to the target.</t>

              <t>The target.</li>
            <li>The number of attack partial requests to the target.<?rfc subcompact="no" ?></t>
            </list>The target.</li>
          </ul>
          <t>The total attack connections per port number is are represented
          using the 'total-attack-connection-port' attribute.<figure
              anchor="tact" title="Total attribute.</t>
          <figure anchor="tact">
            <name>Total Attack Connections Tree Structure">
              <artwork><![CDATA[ Structure</name>
<sourcecode name="" type="yangtree"><![CDATA[
       +--:(telemetry)
          +-- pre-or-ongoing-mitigation* []
             +-- (direction)?
             |  +--:(server-to-client-only)
             |     +-- tmid?                      uint32
             +-- target
             |  ...
             +-- total-traffic* [unit]
             |  ...
             +-- total-traffic-protocol* [unit protocol]
             |  ...
             +-- total-traffic-port* [unit port]
             |  ...
             +-- total-attack-traffic* [unit]
             |  ...
             +-- total-attack-traffic-protocol* [unit protocol]
             |  ...
             +-- total-attack-traffic-port* [unit port]
             |  ...
             +-- total-attack-connection-protocol* [protocol]
             |  +-- protocol              uint8
             |  +-- connection-c
             |  |  +-- low-percentile-g?    yang:gauge64
             |  |  +-- mid-percentile-g?    yang:gauge64
             |  |  +-- high-percentile-g?   yang:gauge64
             |  |  +-- peak-g?              yang:gauge64
             |  |  +-- current-g?           yang:gauge64
             |  +-- embryonic-c
             |  |  +-- low-percentile-g?    yang:gauge64
             |  |  +-- mid-percentile-g?    yang:gauge64
             |  |  +-- high-percentile-g?   yang:gauge64
             |  |  +-- peak-g?              yang:gauge64
             |  |  +-- current-g?           yang:gauge64
             |  +-- connection-ps-c
             |  |  +-- low-percentile-g?    yang:gauge64
             |  |  +-- mid-percentile-g?    yang:gauge64
             |  |  +-- high-percentile-g?   yang:gauge64
             |  |  +-- peak-g?              yang:gauge64
             |  |  +-- current-g?           yang:gauge64
             |  +-- request-ps-c
             |  |  +-- low-percentile-g?    yang:gauge64
             |  |  +-- mid-percentile-g?    yang:gauge64
             |  |  +-- high-percentile-g?   yang:gauge64
             |  |  +-- peak-g?              yang:gauge64
             |  |  +-- current-g?           yang:gauge64
             |  +-- partial-request-c
             |     +-- low-percentile-g?    yang:gauge64
             |     +-- mid-percentile-g?    yang:gauge64
             |     +-- high-percentile-g?   yang:gauge64
             |     +-- peak-g?              yang:gauge64
             |     +-- current-g?           yang:gauge64
             +-- total-attack-connection-port* [protocol port]
             |  +-- protocol              uint8
             |  +-- port                  inet:port-number
             |  +-- connection-c
             |  |  +-- low-percentile-g?    yang:gauge64
             |  |  +-- mid-percentile-g?    yang:gauge64
             |  |  +-- high-percentile-g?   yang:gauge64
             |  |  +-- peak-g?              yang:gauge64
             |  |  +-- current-g?           yang:gauge64
             |  +-- embryonic-c
             |  |  +-- low-percentile-g?    yang:gauge64
             |  |  +-- mid-percentile-g?    yang:gauge64
             |  |  +-- high-percentile-g?   yang:gauge64
             |  |  +-- peak-g?              yang:gauge64
             |  |  +-- current-g?           yang:gauge64
             |  +-- connection-ps-c
             |  |  +-- low-percentile-g?    yang:gauge64
             |  |  +-- mid-percentile-g?    yang:gauge64
             |  |  +-- high-percentile-g?   yang:gauge64
             |  |  +-- peak-g?              yang:gauge64
             |  |  +-- current-g?           yang:gauge64
             |  +-- request-ps-c
             |  |  +-- low-percentile-g?    yang:gauge64
             |  |  +-- mid-percentile-g?    yang:gauge64
             |  |  +-- high-percentile-g?   yang:gauge64
             |  |  +-- peak-g?              yang:gauge64
             |  |  +-- current-g?           yang:gauge64
             |  +-- partial-request-c
             |     +-- low-percentile-g?    yang:gauge64
             |     +-- mid-percentile-g?    yang:gauge64
             |     +-- high-percentile-g?   yang:gauge64
             |     +-- peak-g?              yang:gauge64
             |     +-- current-g?           yang:gauge64
             +-- attack-detail* [vendor-id attack-id]
                ...
]]></artwork>
            </figure></t>
]]></sourcecode>
          </figure>
        </section>
        <section anchor="attackdetails" title="Attack Details"> numbered="true" toc="default">
          <name>Attack Details</name>
          <t>This attribute (depicted in <xref target="adt"></xref>) target="adt" format="default"/>) is used
          to signal a set of details characterizing an attack. The following
          sub-attributes describing the ongoing attack can be signalled signaled as
          attack details:</t>

          <t><list style="hanging">
              <t hangText="vendor-id:">Vendor ID is
          <dl newline="false" spacing="normal">
            <dt>vendor-id:</dt>
            <dd>Vendor ID. This parameter represents a security vendor's
              enterprise number as registered in the IANA's IANA "Private
              Enterprise Numbers" registry <xref
              target="Private-Enterprise-Numbers"></xref>.</t>

              <t hangText="attack-id:">Unique target="Private-Enterprise-Numbers" format="default"/>.</dd>
            <dt>attack-id:</dt>
            <dd>Unique identifier assigned for the
              attack by a vendor. This parameter MUST <bcp14>MUST</bcp14> be present independent present, independently
              of whether 'attack-description' is included or not.</t>

              <t hangText="description-lang:">Indicates not.</dd>
            <dt>description-lang:</dt>
            <dd>Indicates the language tag that
              is used for the text that is included in the
              'attack-description' attribute. The This attribute is encoded
              following the rules in Section 2.1 of <xref
              target="RFC5646"></xref>. target="RFC5646" sectionFormat="of" section="2.1"/>. The default language tag is
              "en-US".</t>

              <t hangText="attack-description:">Textual
              "en-US".</dd>
            <dt>attack-description:</dt>
            <dd>Textual representation of the
              attack description. This description is related to the class of
              attack rather than a specific instance of it. Natural Language
              Processing techniques (e.g., word embedding) might provide some
              utility in mapping the attack description to an attack type.
              Textual representation of an attack solves two problems: (a) it avoids
              the need to (a) create mapping tables manually between vendors and
              (b) avoids the need to standardize attack types which that keep
              evolving.</t>

              <t hangText="attack-severity:">Attack
              evolving.</dd>
            <dt>attack-severity:</dt>
            <dd>Attack severity level. This
              attribute takes one of the values defined in Section 3.12.2 of <xref target="RFC7970"></xref>.</t>

              <t hangText="start-time:">The target="RFC7970" sectionFormat="of" section="3.12.2"/>.</dd>
            <dt>start-time:</dt>
            <dd>The time the attack started. The
              attack's start time is expressed in seconds relative to
              1970-01-01T00:00Z (Section 3.4.2 of <xref
              target="RFC8949"></xref>). (<xref target="RFC8949" sectionFormat="of" section="3.4.2"/>). The CBOR encoding is modified so that
              the leading tag 1 (epoch-based date/time) MUST <bcp14>MUST</bcp14> be omitted.</t>

              <t hangText="end-time:">The omitted.</dd>
            <dt>end-time:</dt>
            <dd>The time the attack ended. The attack attack's
              end time is expressed in seconds relative to 1970-01-01T00:00Z
              (Section 3.4.2 of <xref target="RFC8949"></xref>).
              (<xref target="RFC8949" sectionFormat="of" section="3.4.2"/>). The CBOR
              encoding is modified so that the leading tag 1 (epoch-based
              date/time) MUST <bcp14>MUST</bcp14> be omitted.</t>

              <t hangText="source-count:">A omitted.</dd>
            <dt>source-count:</dt>
            <dd>A count of sources involved in the
              attack targeting the victim.</t>

              <t hangText="top-talker:">A victim.</dd>
            <dt>top-talker:</dt>
            <dd>
              <t>A list of attack sources that are
              involved in an attack and which that are generating an important part
              of the attack traffic. The top talkers are represented using the
              'source-prefix'.<vspace blankLines="1" />'spoofed-status'
              'source-prefix'.</t>
              <t>'spoofed-status'
              indicates whether a top talker is a spoofed IP address (e.g.,
              reflection attacks) or not. If no 'spoofed-status' data node is
              included, this means that the spoofing status is unknown.<vspace
              blankLines="1" />If unknown.</t>
              <t>If the target is being subjected to a
              bandwidth-consuming attack, a statistical profile of the attack
              traffic from each of the top talkers is included
              ('total-attack-traffic',
              ('total-attack-traffic'; see <xref target="tat"></xref>). <vspace
              blankLines="1" />If target="tat" format="default"/>). </t>
              <t>If the target is being subjected to a
              resource-consuming DDoS attack, the same attributes as those defined in
              <xref target="attackconn"></xref> target="attackconn" format="default"/> are applicable for
              characterizing the attack on a per-talker basis.</t>
            </list></t>

          <t><figure anchor="adt" title="Attack Detail
            </dd>
          </dl>
          <figure anchor="adt">
            <name>Attack Details Tree Structure">
              <artwork><![CDATA[ Structure</name>
<sourcecode name="" type="yangtree"><![CDATA[
       +--:(telemetry)
          +-- pre-or-ongoing-mitigation* []
             +-- (direction)?
             |  +--:(server-to-client-only)
             |     +-- tmid?                      uint32
             +-- target
             |  ...
             +-- total-traffic* [unit]
             |  ...
             +-- total-traffic-protocol* [unit protocol]
             |  ...
             +-- total-traffic-port* [unit port]
             |  ...
             +-- total-attack-traffic* [unit]
             |  ...
             +-- total-attack-traffic-protocol* [unit protocol]
             |  ...
             +-- total-attack-traffic-port* [unit port]
             |  ...
             +-- total-attack-connection-protocol* [protocol]
             |  ...
             +-- total-attack-connection-port* [protocol port]
             |  ...
             +-- attack-detail* [vendor-id attack-id]
                +-- vendor-id             uint32
                +-- attack-id             uint32
                +-- description-lang?     string
                +-- attack-description?   string
                +-- attack-severity?      attack-severity
                +-- start-time?           uint64
                +-- end-time?             uint64
                +-- source-count
                |  +-- low-percentile-g?    yang:gauge64
                |  +-- mid-percentile-g?    yang:gauge64
                |  +-- high-percentile-g?   yang:gauge64
                |  +-- peak-g?              yang:gauge64
                |  +-- current-g?           yang:gauge64
                +-- top-talker
                   +-- talker* [source-prefix]
                      +-- spoofed-status?            boolean
                      +-- source-prefix              inet:ip-prefix
                      +-- source-port-range* [lower-port]
                      |  +-- lower-port    inet:port-number
                      |  +-- upper-port?   inet:port-number
                      +-- source-icmp-type-range* [lower-type]
                      |  +-- lower-type    uint8
                      |  +-- upper-type?   uint8
                      +-- total-attack-traffic* [unit]
                      |  +-- unit                 unit
                      |  +-- low-percentile-g?    yang:gauge64
                      |  +-- mid-percentile-g?    yang:gauge64
                      |  +-- high-percentile-g?   yang:gauge64
                      |  +-- peak-g?              yang:gauge64
                      |  +-- current-g?           yang:gauge64
                      +-- total-attack-connection-protocol*
                              [protocol]
                         +-- protocol              uint8
                         +-- connection-c
                         |  +-- low-percentile-g?    yang:gauge64
                         |  +-- mid-percentile-g?    yang:gauge64
                         |  +-- high-percentile-g?   yang:gauge64
                         |  +-- peak-g?              yang:gauge64
                         |  +-- current-g?           yang:gauge64
                         +-- embryonic-c
                         |  +-- low-percentile-g?    yang:gauge64
                         |  +-- mid-percentile-g?    yang:gauge64
                         |  +-- high-percentile-g?   yang:gauge64
                         |  +-- peak-g?              yang:gauge64
                         |  +-- current-g?           yang:gauge64
                         +-- connection-ps-c
                         |  +-- low-percentile-g?    yang:gauge64
                         |  +-- mid-percentile-g?    yang:gauge64
                         |  +-- high-percentile-g?   yang:gauge64
                         |  +-- peak-g?              yang:gauge64
                         |  +-- current-g?           yang:gauge64
                         +-- request-ps-c
                         |  +-- low-percentile-g?    yang:gauge64
                         |  +-- mid-percentile-g?    yang:gauge64
                         |  +-- high-percentile-g?   yang:gauge64
                         |  +-- peak-g?              yang:gauge64
                         |  +-- current-g?           yang:gauge64
                         +-- partial-request-c
                            +-- low-percentile-g?    yang:gauge64
                            +-- mid-percentile-g?    yang:gauge64
                            +-- high-percentile-g?   yang:gauge64
                            +-- peak-g?              yang:gauge64
                            +-- current-g?           yang:gauge64
]]></artwork>
            </figure></t>
]]></sourcecode>
          </figure>
          <t>In order to optimize the size of telemetry data conveyed over the
          DOTS signal channel, DOTS agents MAY <bcp14>MAY</bcp14> use the DOTS data channel <xref
          target="RFC8783"></xref> target="RFC8783" format="default"/> to exchange vendor specific vendor-specific attack mapping
          details (that is, {vendor identifier, attack identifier} ==&gt;
          textual representation of the attack description). As such, DOTS
          agents do not have to convey systematically an attack description systematically in
          their telemetry messages over the DOTS signal channel. Refer to
          <xref target="vam"></xref>.</t> target="vam" format="default"/>.</t>
        </section>
        <section anchor="vam" title="Vendor numbered="true" toc="default">
          <name>Vendor Attack Mapping"> Mapping</name>
          <t>Multiple mappings for different vendor identifiers may be used;
          the DOTS agent transmitting telemetry information can elect to use
          one or more vendor mappings even in the same telemetry message.<list
              style="empty">
              <t>Note: message.</t>
          <t indent="3">
              Note: It is possible that a DOTS server is making use of
              multiple DOTS mitigators; mitigators, each from a different vendor. How
              telemetry information and vendor mappings are exchanged between
              DOTS servers and DOTS mitigators is outside the scope of this
              document.</t>
            </list></t>
              document.
          </t>
          <t>DOTS clients and servers may be provided with mappings from
          different vendors and so have their own different sets of vendor
          attack mappings. A DOTS agent MUST <bcp14>MUST</bcp14> accept receipt of telemetry data
          with a vendor identifier that is different to than the one identifier it uses to
          transmit telemetry data. Furthermore, it is possible that the DOTS
          client and DOTS server are provided by the same vendor, vendor but the
          vendor mapping tables are at different revisions. The DOTS client
          SHOULD
          <bcp14>SHOULD</bcp14> transmit telemetry information using any vendor mapping(s)
          that it provided to the DOTS server (e.g., using a POST as depicted
          in <xref target="installmap"></xref>) target="installmap" format="default"/>), and the DOTS server SHOULD <bcp14>SHOULD</bcp14> use
          any vendor mappings(s) provided to the DOTS client when transmitting
          telemetry data to the peer DOTS agent.</t>
          <t>The "ietf-dots-mapping" YANG module defined in <xref
          target="data"></xref> target="data" format="default"/> augments the "ietf-dots-data-channel" module <xref
          target="RFC8783"></xref> module. target="RFC8783" format="default"/>. The tree structure of the
          "ietf-dots-mapping" module is shown in <xref
          target="abstract-data"></xref>.</t>

          <t><figure anchor="abstract-data"
              title="Vendor target="abstract-data" format="default"/>.</t>
          <figure anchor="abstract-data">
            <name>Vendor Attack Mapping Tree Structure">
              <artwork><![CDATA[module: Structure</name>
<sourcecode name="" type="yangtree"><![CDATA[
module: ietf-dots-mapping
  augment /data-channel:dots-data/data-channel:dots-client:
    +--rw vendor-mapping {dots-telemetry}?
       +--rw vendor* [vendor-id]
          +--rw vendor-id         uint32
          +--rw vendor-name?      string
          +--rw description-lang?   string
          +--rw last-updated      uint64
          +--rw attack-mapping* [attack-id]
             +--rw attack-id             uint32
             +--rw attack-description    string
  augment /data-channel:dots-data/data-channel:capabilities:
    +--ro vendor-mapping-enabled?   boolean {dots-telemetry}?
  augment /data-channel:dots-data:
    +--ro vendor-mapping {dots-telemetry}?
       +--ro vendor* [vendor-id]
          +--ro vendor-id         uint32
          +--ro vendor-name?      string
          +--ro description-lang?   string
          +--ro last-updated      uint64
          +--ro attack-mapping* [attack-id]
             +--ro attack-id             uint32
             +--ro attack-description    string
]]></artwork>
            </figure></t>
]]></sourcecode>
          </figure>
          <t>A DOTS client sends a GET request over the DOTS data channel to
          retrieve the capabilities supported by a DOTS server as per Section
          7.1 of <xref target="RFC8783"></xref>. target="RFC8783" sectionFormat="of" section="7.1"/>. This request is meant to
          assess whether the capability of sharing vendor attack mapping
          details is supported by the server (i.e., check the value of
          'vendor-mapping-enabled').</t>
          <t>If 'vendor-mapping-enabled' is set to 'true', a DOTS client MAY <bcp14>MAY</bcp14>
          send a GET request to retrieve the DOTS server's vendor attack
          mapping details. An example of such a GET request is shown in <xref
          target="MfS"></xref>.</t>

          <t><figure anchor="MfS"
              title="GET target="MfS" format="default"/>.</t>
          <figure anchor="MfS">
            <name>GET to Retrieve the Vendor Attack Mappings of a DOTS Server">
              <artwork><![CDATA[GET Server</name>
            <artwork name="" type="" align="left" alt=""><![CDATA[GET /restconf/data/ietf-dots-data-channel:dots-data\
    /ietf-dots-mapping:vendor-mapping HTTP/1.1
Host: example.com
Accept: application/yang-data+json
]]></artwork>
            </figure></t>
          </figure>
          <t>A DOTS client can retrieve only the list of vendors supported by
          the DOTS server. It does so by setting the "depth" parameter
          (Section 4.8.2 of <xref target="RFC8040"></xref>)
          (<xref target="RFC8040" sectionFormat="of" section="4.8.2"/>) to "3" in the GET
          request as shown in <xref target="MfSd"></xref>. target="MfSd" format="default"/>. An example of a
          response body received from the DOTS server as a response to such a
          request is illustrated in <xref target="MfSdr"></xref>.</t>

          <t><figure anchor="MfSd"
              title="GET target="MfSdr" format="default"/>.</t>
          <figure anchor="MfSd">
            <name>GET to Retrieve the Vendors List used Used by a DOTS Server">
              <artwork><![CDATA[GET Server</name>
            <artwork name="" type="" align="left" alt=""><![CDATA[GET /restconf/data/ietf-dots-data-channel:dots-data\
    /ietf-dots-mapping:vendor-mapping?depth=3 HTTP/1.1
Host: example.com
Accept: application/yang-data+json
]]></artwork>
            </figure></t>

          <t><figure anchor="MfSdr"
              title="Response
          </figure>
          <figure anchor="MfSdr">
            <name>Response Message Body to a GET to Retrieve the Vendors List used Used by a DOTS Server">
              <artwork><![CDATA[{ Server</name>
            <artwork name="" type="" align="left" alt=""><![CDATA[{
  "ietf-dots-mapping:vendor-mapping": {
    "vendor": [
      {
        "vendor-id": 32473,
        "vendor-name": "mitigator-s",
        "last-updated": "1629898758",
        "attack-mapping": []
      }
    ]
  }
}
]]></artwork>
            </figure></t>
          </figure>
          <t>The DOTS client repeats the above procedure regularly (e.g., once
          a week) to update the DOTS server's vendor attack mapping
          details.</t>
          <t>If the DOTS client concludes that the DOTS server does not have
          any reference to the specific vendor attack mapping details, the
          DOTS client uses a POST request to install its vendor attack mapping
          details. An example of such a POST request is depicted in <xref
          target="installmap"></xref>.</t>

          <t><figure anchor="installmap"
              title="POST target="installmap" format="default"/>.</t>
          <figure anchor="installmap">
            <name>POST to Install Vendor Attack Mapping Details">
              <artwork><![CDATA[POST Details</name>
            <artwork name="" type="" align="left" alt=""><![CDATA[POST /restconf/data/ietf-dots-data-channel:dots-data\
     /dots-client=dz6pHjaADkaFTbjr0JGBpw HTTP/1.1
Host: example.com
Content-Type: application/yang-data+json

{
  "ietf-dots-mapping:vendor-mapping": {
    "vendor": [
      {
        "vendor-id": 345,
        "vendor-name": "mitigator-c",
        "last-updated": "1629898958",
        "attack-mapping": [
          {
            "attack-id": 1,
            "attack-description":
               "Include a description of this attack"
          },
          {
            "attack-id": 2,
            "attack-description":
               "Again, include a description of the attack"
          }
        ]
      }
    ]
  }
}
]]></artwork>
            </figure></t>
          </figure>
          <t>The DOTS server indicates the result of processing the POST
          request using the status-line. A "201 Created" status-line MUST <bcp14>MUST</bcp14> be
          returned in the response if the DOTS server has accepted the vendor
          attack mapping details. If the request is missing a mandatory
          attribute or contains an invalid or unknown parameter, a "400 Bad
          Request" status-line MUST <bcp14>MUST</bcp14> be returned by the DOTS server in the
          response. The error-tag is set to "missing-attribute",
          "invalid-value", or "unknown-element" as a function of the
          encountered error.</t>
          <t>If the request is received via a server-domain DOTS gateway, gateway but
          the DOTS server does not maintain a 'cdid' for this 'cuid' while a
          'cdid' is expected to be supplied, the DOTS server MUST <bcp14>MUST</bcp14> reply with a
          "403 Forbidden" status-line and the error-tag "access-denied". Upon
          receipt of this message, the DOTS client MUST <bcp14>MUST</bcp14> register (Section 5.1
          of <xref target="RFC8783"></xref>).</t> (<xref target="RFC8783" sectionFormat="of" section="5.1"/>).</t>
          <t>The DOTS client uses the PUT request to modify its vendor attack
          mapping details maintained by the DOTS server (e.g., add a new
          mapping entry, update an existing mapping).</t>
          <t>A DOTS client uses a GET request to retrieve its vendor attack
          mapping details as maintained by the DOTS server (<xref
          target="allD"></xref>).</t>

          <t><figure anchor="allD"
              title="GET target="allD" format="default"/>).</t>
          <figure anchor="allD">
            <name>GET to Retrieve Installed Vendor Attack Mapping Details">
              <artwork><![CDATA[GET Details</name>
            <artwork name="" type="" align="left" alt=""><![CDATA[GET /restconf/data/ietf-dots-data-channel:dots-data\
    /dots-client=dz6pHjaADkaFTbjr0JGBpw\
    /ietf-dots-mapping:vendor-mapping?\
    content=all HTTP/1.1
Host: example.com
Accept: application/yang-data+json]]></artwork>
            </figure></t> application/yang-data+json
]]></artwork>
          </figure>
          <t>When conveying attack details in DOTS telemetry messages
          (Sections <xref
          (Sections&nbsp;<xref format="counter" target="preCtoS"></xref>, target="preCtoS"/>, <xref format="counter" target="preStoC"></xref>, target="preStoC"/>, and <xref format="counter" target="status"></xref>), target="status"/>), DOTS agents MUST NOT <bcp14>MUST NOT</bcp14>
          include the 'attack-description' attribute unless the corresponding
          attack mapping details were not previously shared with the peer DOTS
          agent.</t>
        </section>
      </section>
      <section anchor="preCtoS" title="From numbered="true" toc="default">
        <name>From DOTS Clients to DOTS Servers"> Servers</name>
        <t>DOTS clients use PUT requests to signal pre-or-ongoing-mitigation
        telemetry to DOTS servers. An example of such a request is shown in
        <xref target="put-tmid-c"></xref>.</t>

        <t><figure anchor="put-tmid-c"
            title="PUT target="put-tmid-c" format="default"/>.</t>
        <figure anchor="put-tmid-c">
          <name>PUT to Send Pre-or-Ongoing-Mitigation Telemetry, depicted Depicted as per Section 5.6">
            <artwork><![CDATA[Header: 5.6</name>
          <artwork name="" type="" align="left" alt=""><![CDATA[Header: PUT (Code=0.03)
Uri-Path: ".well-known"
Uri-Path: "dots"
Uri-Path: "tm"
Uri-Path: "cuid=dz6pHjaADkaFTbjr0JGBpw"
Uri-Path: "tmid=123"
Content-Format: "application/dots+cbor"

{
  "ietf-dots-telemetry:telemetry": {
    "pre-or-ongoing-mitigation": [
      {
        "target": {
          "target-prefix": [
            "2001:db8::1/128"
          ]
        },
        "total-attack-traffic-protocol": [
          {
            "protocol": 17,
            "unit": "megabit-ps",
            "mid-percentile-g": "900"
          }
        ],
        "attack-detail": [
          {
            "vendor-id": 32473,
            "attack-id": 77,
            "start-time": "1608336568",
            "attack-severity": "high"
          }
        ]
      }
    ]
  }
}]]></artwork>
          </figure></t>
}
]]></artwork>
        </figure>
        <t>'cuid' is a mandatory Uri-Path parameter for DOTS PUT requests.</t>
        <t>The following additional Uri-Path parameter is defined: <list
            hangIndent="5" style="hanging">
            <t hangText="tmid:">Telemetry </t>
        <dl newline="false" spacing="normal">
          <dt>tmid:</dt>
          <dd>
            <t>The Telemetry Identifier is an identifier for the
            DOTS pre-or-ongoing-mitigation telemetry data represented as an
            integer. This identifier MUST <bcp14>MUST</bcp14> be generated by DOTS clients. 'tmid' &nbsp;'tmid'
            values MUST <bcp14>MUST</bcp14> increase monotonically whenever a DOTS client needs to
            convey a new set of pre-or-ongoing-mitigation telemetry. <vspace
            blankLines="1" />The telemetry data. </t>
            <t>The procedure specified in Section 4.4.1 of <xref
            target="RFC9132"></xref> target="RFC9132" sectionFormat="of" section="4.4.1"/> for 'mid' rollover MUST <bcp14>MUST</bcp14> be followed for
            'tmid' rollover.<vspace blankLines="1" />This rollover.</t>
            <t>This is a mandatory
            attribute. 'tmid' MUST &nbsp;'tmid' <bcp14>MUST</bcp14> appear after 'cuid' in the Uri-Path
            options.</t>
          </list></t>
          </dd>
        </dl>
        <t>'cuid' and 'tmid' MUST NOT <bcp14>MUST NOT</bcp14> appear in the PUT request message
        body.</t>
        <t>At least the 'target' attribute and another
        pre-or-ongoing-mitigation attribute (<xref target="pre"></xref>) MUST target="pre" format="default"/>) <bcp14>MUST</bcp14>
        be present in the PUT request. If only the 'target' attribute is
        present, this request is handled as per <xref
        target="preStoC"></xref>.</t> target="preStoC" format="default"/>.</t>
        <t>The relative order of two PUT requests carrying DOTS
        pre-or-ongoing-mitigation telemetry from a DOTS client is determined
        by comparing their respective 'tmid' values. If these two such requests have
        an overlapping 'target', the PUT request with a higher numeric 'tmid'
        value will override the request with a lower numeric 'tmid' value. The
        overlapped lower numeric 'tmid' MUST <bcp14>MUST</bcp14> be automatically deleted and no
        longer be available.</t>
        <t>The DOTS server indicates the result of processing a PUT request
        using CoAP Response Codes. In particular, the 2.04 (Changed) Response
        Code is returned if the DOTS server has accepted the
        pre-or-ongoing-mitigation telemetry. The 5.03 (Service Unavailable)
        Response Code is returned if the DOTS server has erred. The 5.03 Response Code uses the
        Max-Age Option to indicate the number of seconds after which to
        retry.</t>
        <t>How long a DOTS server maintains a 'tmid' as active or logs the
        enclosed telemetry information is implementation specific. Note that
        if a 'tmid&rsquo; 'tmid' is still active, then logging details are updated by
        the DOTS server as a function of the updates received from the peer
        DOTS client.</t>
        <t>A DOTS client that lost the state of its active 'tmid's or has to
        set 'tmid' back to zero (e.g., crash or restart) MUST <bcp14>MUST</bcp14> send a GET
        request to the DOTS server to retrieve the list of active 'tmid'
        values. The DOTS client may then delete 'tmid's that should not be
        active anymore (<xref target="spa"></xref>). target="spa" format="default"/>). Sending a DELETE with no
        'tmid' indicates that all 'tmid's must be deactivated (<xref
        target="dpa"></xref>).</t>

        <t><figure anchor="spa"
            title="Delete target="dpa" format="default"/>).</t>
        <figure anchor="spa">
          <name>Deleting a Pre-or-Ongoing-Mitigation Telemetry"> Telemetry</name>
          <artwork align="left"><![CDATA[Header: align="left" name="" type="" alt=""><![CDATA[Header: DELETE (Code=0.04)
Uri-Path: ".well-known"
Uri-Path: "dots"
Uri-Path: "tm"
Uri-Path: "cuid=dz6pHjaADkaFTbjr0JGBpw"
Uri-Path: "tmid=123"
]]></artwork>
          </figure><figure anchor="dpa"
            title="Delete
        </figure>
        <figure anchor="dpa">
          <name>Deleting All Pre-or-Ongoing-Mitigation Telemetry"> Telemetry</name>
          <artwork align="left"><![CDATA[Header: align="left" name="" type="" alt=""><![CDATA[Header: DELETE (Code=0.04)
Uri-Path: ".well-known"
Uri-Path: "dots"
Uri-Path: "tm"
Uri-Path: "cuid=dz6pHjaADkaFTbjr0JGBpw"
]]></artwork>
          </figure></t>
        </figure>

<!-- [rfced] Figures 37 and 38:  "a ... telemetry" and "all ...
telemetry" read oddly.  May we update as suggested?

Original:
   Figure 37: Delete a Pre-or-Ongoing-Mitigation Telemetry
...
   Figure 38: Delete All Pre-or-Ongoing-Mitigation Telemetry

Suggested:
   Figure 37: Deleting Specific Pre-or-Ongoing-Mitigation Telemetry
                            Information
...
   Figure 38: Deleting All Pre-or-Ongoing-Mitigation Telemetry
                            Information
-->

      </section>
      <section anchor="preStoC" title="From numbered="true" toc="default">
        <name>From DOTS Servers to DOTS Clients"> Clients</name>
        <t>The pre-or-ongoing-mitigation data (attack details, details in particular)
        can also be signaled from DOTS servers to DOTS clients. For example, a
        DOTS server co-located with a DDoS detector can collect monitoring
        information from the target network, identify a DDoS attack using
        statistical analysis or deep learning techniques, and signal the
        attack details to the DOTS client.</t>
        <t>The DOTS client can use the attack details to decide whether to
        trigger a DOTS mitigation request or not. Furthermore, the security
        operations personnel at the DOTS client domain can use the attack
        details to determine the protection strategy and select the
        appropriate DOTS server for mitigating the attack.</t>
        <t>In order to receive pre-or-ongoing-mitigation telemetry
        notifications from a DOTS server, a DOTS client MUST <bcp14>MUST</bcp14> send a PUT
        (followed by a GET) with the target filter. An example of such a PUT
        request is shown in <xref target="put-tmid"></xref>. target="put-tmid" format="default"/>. In order to avoid
        maintaining a long list of such requests, it is RECOMMENDED <bcp14>RECOMMENDED</bcp14> that DOTS
        clients include all targets in the same request (assuming that this information fits
        within one single datagram). DOTS servers may be instructed to
        restrict the number of pre-or-ongoing-mitigation requests per DOTS
        client domain. The pre-or-ongoing mitigation pre-or-ongoing-mitigation requests MUST <bcp14>MUST</bcp14> be
        maintained in an active state by the DOTS server until a delete DELETE
        request is received from the same DOTS client to clear this
        pre-or-ongoing-mitigation telemetry or when the DOTS client is
        considered inactive (e.g., Section 3.5 of <xref
        target="RFC8783"></xref>).</t> target="RFC8783" sectionFormat="of" section="3.5"/>).</t>
        <t>The relative order of two PUT requests carrying DOTS
        pre-or-ongoing-mitigation telemetry from a DOTS client is determined
        by comparing their respective 'tmid' values. If such these two requests have an
        overlapping 'target', the PUT request with a higher numeric 'tmid' value
        will override the request with a lower numeric 'tmid' value. The
        overlapped lower numeric 'tmid' MUST <bcp14>MUST</bcp14> be automatically deleted and no
        longer be available.</t>

        <t><figure anchor="put-tmid"
            title="PUT
        <figure anchor="put-tmid">
          <name>PUT to Request Pre-or-Ongoing-Mitigation Telemetry, depicted Depicted as per Section 5.6">
            <artwork><![CDATA[Header: 5.6</name>
          <artwork name="" type="" align="left" alt=""><![CDATA[Header: PUT (Code=0.03)
Uri-Path: ".well-known"
Uri-Path: "dots"
Uri-Path: "tm"
Uri-Path: "cuid=dz6pHjaADkaFTbjr0JGBpw"
Uri-Path: "tmid=567"
Content-Format: "application/dots+cbor"

{
  "ietf-dots-telemetry:telemetry": {
    "pre-or-ongoing-mitigation": [
      {
        "target": {
          "target-prefix": [
            "2001:db8::/32"
          ]
        }
      }
    ]
  }
}]]></artwork>
          </figure></t>
}
]]></artwork>
        </figure>
        <t>DOTS clients of the same domain can request ask to receive
        pre-or-ongoing-mitigation telemetry bound to the same target without
        being considered to be "overlapping" and in conflict.</t>
        <t>Once the PUT request to instantiate request state on the server has
        succeeded, the DOTS client issues a GET request to receive ongoing
        telemtry
        telemetry updates. The client uses the Observe Option, set to '0' "0"
        (register), in the GET request to receive asynchronous notifications
        carrying pre-or-ongoing-mitigation telemetry data from the DOTS
        server. The GET request can specify a specific 'tmid' (<xref
        target="gettmid"></xref>) target="gettmid" format="default"/>) or omit the 'tmid' (<xref
        target="getall"></xref>) target="getall" format="default"/>) to receive updates on all active requests
        from that client.</t>

        <t><figure anchor="gettmid"
            title="GET
        <figure anchor="gettmid">
          <name>GET to Subscribe to Telemetry Asynchronous Notifications for a Specific 'tmid'">
            <artwork><![CDATA[Header: 'tmid'</name>
          <artwork name="" type="" align="left" alt=""><![CDATA[Header: GET (Code=0.01)
Uri-Path: ".well-known"
Uri-Path: "dots"
Uri-Path: "tm"
Uri-Path: "cuid=dz6pHjaADkaFTbjr0JGBpw"
Uri-Path: "tmid=567"
Observe: 0]]></artwork>
          </figure></t>

        <t></t>

        <t><figure anchor="getall"
            title="GET 0
]]></artwork>
        </figure>
        <figure anchor="getall">
          <name>GET to Subscribe to Telemetry Asynchronous Notifications for All 'tmid's</name>

<!-- [rfced] Figure 41:  We changed 'tmids' to 'tmid's per the four
instances of 'tmid's seen elsewhere in this document.  Please let us
know any concerns.

Original:
   Figure 41: GET to Subscribe to Telemetry Asynchronous
              Notifications for All 'tmids'">
            <artwork><![CDATA[Header: 'tmids'

Currently:
   Figure 41: GET to Subscribe to Telemetry Asynchronous
              Notifications for All 'tmid's -->

          <artwork name="" type="" align="left" alt=""><![CDATA[Header: GET (Code=0.01)
Uri-Path: ".well-known"
Uri-Path: "dots"
Uri-Path: "tm"
Uri-Path: "cuid=dz6pHjaADkaFTbjr0JGBpw"
Observe: 0]]></artwork>
          </figure></t> 0
]]></artwork>
        </figure>
        <t>The DOTS client can use a filter to request a subset of the
        asynchronous notifications from the DOTS server by indicating one or
        more Uri-Query options in its GET request. A Uri-Query option can
        include the following parameters to restrict the notifications based
        on the attack target: 'target-prefix', 'target-port',
        'target-protocol', 'target-fqdn', 'target-uri', 'alias-name', 'mid',
        and 'c' (content) (<xref target="control"></xref>). Furthermore:<list
            style="empty">
            <t>If target="control" format="default"/>). Furthermore:</t>
        <ul spacing="normal">
          <li>If more than one Uri-Query option is included in a request,
            these options are interpreted in the same way as when multiple
            target attributes are included in a message body (Section 4.4.1 of
            <xref target="RFC9132"></xref>).</t>

            <t>If (<xref target="RFC9132" sectionFormat="of" section="4.4.1"/>).</li>
          <li>If multiple values of a query parameter are to be included in a
            request, these values MUST <bcp14>MUST</bcp14> be included in the same Uri-Query
            option and separated by a "," character without any spaces.</t>

            <t>Range spaces.</li>
          <li>Range values (i.e., a contiguous inclusive block) can be
            included for the 'target-port', 'target-protocol', and 'mid'
            parameters by indicating the two boundary values separated by a
            "-" character.</t>

            <t>Wildcard character.</li>
          <li>Wildcard names (i.e., a name with the leftmost label is the "*"
            character) can be included in 'target-fqdn' or 'target-uri'
            parameters. DOTS clients MUST NOT <bcp14>MUST NOT</bcp14> include a name in which the "*"
            character is included in a label other than the leftmost label.
            "*.example.com" is an example of a valid wildcard name that can be
            included as a value of the 'target-fqdn' parameter in an a Uri-Query
            option.</t>
          </list></t>
            option.</li>
        </ul>
        <t>DOTS clients may also filter out the asynchronous notifications
        from the DOTS server by indicating information about a specific attack
        source. To that aim, a DOTS client may include 'source-prefix',
        'source-port', or 'source-icmp-type' in a Uri-Query option. The same
        considerations (ranges, multiple values) specified for target
        attributes apply for source attributes. Special care <bcp14>SHOULD</bcp14> be taken
        when using these filters, as their use may cause some attacks to be
        hidden from the requesting DOTS client (e.g., if the attack changes its
        source information).</t>

<!-- [rfced] Section 8.3:  We changed "may cause some attacks may be
hidden to" to "may cause some attacks to be hidden from".  If this is
incorrect, please provide appropriate text.

Original:
   Special care SHOULD be taken
   when using these filters as their use may cause some attacks may be
   hidden to the requesting DOTS client (e.g., if the attack changes its
   source information).</t> information).

Currently:
   Special care SHOULD be taken
   when using these filters, as their use may cause some attacks to be
   hidden from the requesting DOTS client (e.g., if the attack changes
   its source information). -->

        <t>Requests with invalid query types (e.g., not supported, malformed)
        received by the DOTS server MUST <bcp14>MUST</bcp14> be rejected with a 4.00 (Bad Request)
        response code.</t> Response Code.</t>
        <t>An example of a request to subscribe to asynchronous telemetry
        notifications regarding UDP traffic is shown in <xref
        target="notif_filter-tm"></xref>. target="notif_filter-tm" format="default"/>. This filter will be applied for all
        'tmid's.</t>

        <t><figure anchor="notif_filter-tm"
            title="GET
        <figure anchor="notif_filter-tm">
          <name>GET Request to Receive Telemetry Asynchronous Notifications Filtered using Uri-Query">
            <artwork><![CDATA[Header: Using Uri-Query</name>
          <artwork name="" type="" align="left" alt=""><![CDATA[Header: GET (Code=0.01)
Uri-Path: ".well-known"
Uri-Path: "dots"
Uri-Path: "tm"
Uri-Path: "cuid=dz6pHjaADkaFTbjr0JGBpw"
Uri-Query: "target-protocol=17"
Observe: 0]]></artwork>
          </figure></t> 0
]]></artwork>
        </figure>
        <t>The DOTS server will send asynchronous notifications to the DOTS
        client when an attack event is detected detected, following similar considerations as similar
        to those discussed in Section 4.4.2.1 of <xref
        target="RFC9132"></xref>. target="RFC9132" sectionFormat="of" section="4.4.2.1"/>. An example of a pre-or-ongoing-mitigation
        telemetry notification is shown in <xref target="noti"></xref>.</t>

        <t><figure anchor="noti"
            title="Message target="noti" format="default"/>.</t>
        <figure anchor="noti">
          <name>Message Body of a Pre-or-Ongoing-Mitigation Telemetry Notification from the DOTS Server, depicted Depicted as per Section 5.6">
            <artwork><![CDATA[{ 5.6</name>
          <artwork name="" type="" align="left" alt=""><![CDATA[{
  "ietf-dots-telemetry:telemetry": {
    "pre-or-ongoing-mitigation": [
      {
        "tmid": 567,
        "target": {
          "target-prefix": [
            "2001:db8::1/128"
          ]
        },
        "target-protocol": [
          17
        ],
        "total-attack-traffic": [
          {
            "unit": "megabit-ps",
            "mid-percentile-g": "900"
          }
        ],
        "attack-detail": [
          {
            "vendor-id": 32473,
            "attack-id": 77,
            "start-time": "1618339785",
            "attack-severity": "high"
          }
        ]
      }
    ]
  }
}]]></artwork>
          </figure></t>
}
]]></artwork>
        </figure>
        <t>A DOTS server sends the aggregate data for a target using the
        'total-attack-traffic' attribute. The aggregate assumes that Uri-Query
        filters are applied on the target. The DOTS server MAY <bcp14>MAY</bcp14> include more
        fine-grained data when needed (that is,
        'total-attack-traffic-protocol' and 'total-attack-traffic-port'). If a
        port filter (or protocol filter) is included in a request,
        'total-attack-traffic-protocol' (or 'total-attack-traffic-port')
        conveys the data with the port (or protocol) filter applied.</t>

<!-- [rfced] Section 8.3:  We had trouble following this sentence.
May we swap the ordering of attributes as suggested below?  We ask
because of similar sentences in Sections 2 and 7.1.2 (listed below
our suggested text, to provide examples).

Otherwise, if 'total-attack-traffic-protocol' carries port
information and 'total-attack-traffic-port' carries protocol
information, is clarifying text needed?

Original:
   If a port filter (or
   protocol filter) is included in a request, 'total-attack-traffic-
   protocol' (or 'total-attack-traffic-port') conveys the data with the
   port (or protocol) filter applied.

Suggested:
   If a port filter (or
   protocol filter) is included in a request, 'total-attack-traffic-
   port' (or 'total-attack-traffic-protocol') conveys the data with the
   port (or protocol) filter applied.

From Section 2:
   When two telemetry requests overlap, "overlapped" lower numeric
   'tsid' (or 'tmid') refers to the lower 'tsid' (or 'tmid') value of
   these overlapping requests.

From Section 7.1.2:
   Likewise, setting 'mid-percentile' (or 'high-
   percentile') to the same value as 'low-percentile' (or 'mid-
   percentile') indicates that the DOTS client is not interested in
   receiving mid-percentiles (or high-percentiles). -->

        <t>A DOTS server may aggregate pre-or-ongoing-mitigation data (e.g.,
        'top-talker') for all targets of a domain or, when justified, send
        specific information (e.g., 'top-talker') per individual targets.</t>

<!-- [rfced] Section 8.3:  Does "per individual targets" mean
"according to individual targets", or should "targets" be "target"
(as in one data point per target)?

Original:
   A DOTS server may aggregate pre-or-ongoing-mitigation data (e.g.,
   'top-talker') for all targets of a domain, or when justified, send
   specific information (e.g., 'top-talker') per individual targets.</t> targets. -->

        <t>The DOTS client may log pre-or-ongoing-mitigation telemetry data
        with an alert sent to an administrator or a network controller. The
        DOTS client may send a mitigation request if the attack cannot be
        handled locally.</t>
        <t>A DOTS client that is not interested to receive in receiving
        pre-or-ongoing-mitigation telemetry data for a target sends a delete DELETE
        request similar to the one DELETE request depicted in <xref target="spa"></xref>.</t> target="spa" format="default"/>.</t>
      </section>
    </section>
    <section anchor="status" title="DOTS numbered="true" toc="default">
      <name>DOTS Telemetry Mitigation Status Update">
      <t></t> Update</name>
      <section anchor="effu-S"
               title="DOTS numbered="true" toc="default">
        <name>From DOTS Clients to DOTS Servers: Mitigation Efficacy DOTS Telemetry Attributes</name>

<!-- [rfced] Sections 9.1 and 9.2:  These section titles were
difficult to follow.  We updated them as listed below.  If these
updates are incorrect, please let us know how the meanings of these
titles can be clarified.

Original:
   9.1.  DOTS Clients to Servers Mitigation Efficacy DOTS Telemetry Attributes">
         Attributes  . . . . . . . . . . . . . . . . . . . . . . .  65
   9.2.  DOTS Servers to Clients Mitigation Status DOTS Telemetry
         Attributes  . . . . . . . . . . . . . . . . . . . . . . .  67

Currently:
   9.1.  From DOTS Clients to DOTS Servers: Mitigation Efficacy DOTS
         Telemetry Attributes
   9.2.  From DOTS Servers to DOTS Clients: Mitigation Status DOTS
         Telemetry Attributes -->

        <t>The mitigation efficacy telemetry attributes can be signaled from
        DOTS clients to DOTS servers as part of the periodic mitigation
        efficacy updates to the server (Section 4.4.3 of <xref
        target="RFC9132"></xref>).</t>

        <t><list style="hanging">
            <t hangText="Total Attack Traffic: ">The (<xref target="RFC9132" sectionFormat="of" section="4.4.3"/>).</t>
        <dl newline="false" spacing="normal">
          <dt>Total attack traffic: </dt>
          <dd>The overall attack traffic as
            observed from the DOTS client client's perspective during an active
            mitigation. See <xref target="tatt"></xref>.</t>

            <t hangText="Attack Details: ">The target="tatt" format="default"/>.</dd>
          <dt>Attack details: </dt>
          <dd>The overall attack details as
            observed from the DOTS client client's perspective during an active
            mitigation. See <xref target="attackdetails"></xref>.</t>
          </list></t> target="attackdetails" format="default"/>.</dd>
        </dl>
        <t>The "ietf-dots-telemetry" YANG module (<xref
        target="module"></xref>) target="module" format="default"/>) augments the 'mitigation-scope' message type
        defined in the "ietf-dots-signal" "ietf-dots-signal-channel" module <xref
        target="RFC9132"></xref> target="RFC9132" format="default"/> so that these attributes can be signalled signaled by
        a DOTS client in a mitigation efficacy update (<xref
        target="eff"></xref>).<figure anchor="eff"
            title="Telemetry target="eff" format="default"/>).</t>

<!-- [rfced] Sections 9.1 and 9.2:  We do not see an entity called
"ietf-dots-signal" in RFC 9132.  We changed these instances to
"ietf-dots-signal-channel" per RFC 9132.  Please let us know any
objections.

Original:
   The "ietf-dots-telemetry" YANG module (Section 11.1) augments the
   'mitigation-scope' message type defined in the "ietf-dots-signal"
   module [RFC9132] so that these attributes can be signalled by a DOTS
   client in a mitigation efficacy update (Figure 44).
...
   The "ietf-dots-telemetry" YANG module (Section 11.1) augments the
   'mitigation-scope' message type defined in "ietf-dots-signal"
   [RFC9132] with telemetry data as depicted in Figure 46.

Currently:
   The "ietf-dots-telemetry" YANG module (Section 11.1) augments the
   'mitigation-scope' message type defined in the "ietf-dots-signal-
   channel" module [RFC9132] so that these attributes can be signaled by
   a DOTS client in a mitigation efficacy update (Figure 44).
...
   The "ietf-dots-telemetry" YANG module (Section 11.1) augments the
   'mitigation-scope' message type defined in the "ietf-dots-signal-
   channel" module [RFC9132] with telemetry data as depicted in
   Figure 46. -->

        <figure anchor="eff">
          <name>Telemetry Efficacy Update Tree Structure">
            <artwork><![CDATA[ Structure</name>
<sourcecode name="" type="yangtree"><![CDATA[  augment-structure /dots-signal:dots-signal/dots-signal:message-type
                    /dots-signal:mitigation-scope/dots-signal:scope:
    +-- total-attack-traffic* [unit]
    |  +-- unit                 unit
    |  +-- low-percentile-g?    yang:gauge64
    |  +-- mid-percentile-g?    yang:gauge64
    |  +-- high-percentile-g?   yang:gauge64
    |  +-- peak-g?              yang:gauge64
    |  +-- current-g?           yang:gauge64
    +-- attack-detail* [vendor-id attack-id]
       +-- vendor-id             uint32
       +-- attack-id             uint32
       +-- attack-description?   string
       +-- attack-severity?      attack-severity
       +-- start-time?           uint64
       +-- end-time?             uint64
       +-- source-count
       |  +-- low-percentile-g?    yang:gauge64
       |  +-- mid-percentile-g?    yang:gauge64
       |  +-- high-percentile-g?   yang:gauge64
       |  +-- peak-g?              yang:gauge64
       |  +-- current-g?           yang:gauge64
       +-- top-talker
          +-- talker* [source-prefix]
             +-- spoofed-status?            boolean
             +-- source-prefix              inet:ip-prefix
             +-- source-port-range* [lower-port]
             |  +-- lower-port    inet:port-number
             |  +-- upper-port?   inet:port-number
             +-- source-icmp-type-range* [lower-type]
             |  +-- lower-type    uint8
             |  +-- upper-type?   uint8
             +-- total-attack-traffic* [unit]
             |  +-- unit                 unit
             |  +-- low-percentile-g?    yang:gauge64
             |  +-- mid-percentile-g?    yang:gauge64
             |  +-- high-percentile-g?   yang:gauge64
             |  +-- peak-g?              yang:gauge64
             |  +-- current-g?           yang:gauge64
             +-- total-attack-connection
                +-- connection-c
                |  +-- low-percentile-g?    yang:gauge64
                |  +-- mid-percentile-g?    yang:gauge64
                |  +-- high-percentile-g?   yang:gauge64
                |  +-- peak-g?              yang:gauge64
                |  +-- current-g?           yang:gauge64
                +-- embryonic-c
                |  ...
                +-- connection-ps-c
                |  ...
                +-- request-ps-c
                |  ...
                +-- partial-request-c
                   ...
]]></artwork>
          </figure></t>
]]></sourcecode>
        </figure>
        <t>In order to signal telemetry data in a mitigation efficacy update,
        it is RECOMMENDED <bcp14>RECOMMENDED</bcp14> that the DOTS client has have already established a DOTS
        telemetry setup session with the server in 'idle' time. Such a session
        is primarily meant to assess whether the peer DOTS server supports
        telemetry extensions and, thus, and to thus prevent message processing failure
        (Section 3.1 of <xref target="RFC9132"></xref>).</t>
        (<xref target="RFC9132" sectionFormat="of" section="3.1"/>).</t>
        <t>An example of an efficacy update with telemetry attributes is
        depicted in <xref target="effu"></xref>.</t>

        <t><figure anchor="effu"
            title="An Example target="effu" format="default"/>.</t>
        <figure anchor="effu">
          <name>Example of Mitigation Efficacy Update with Telemetry Attributes, depicted Depicted as per Section 5.6">
            <artwork><![CDATA[Header: 5.6</name>
          <artwork name="" type="" align="left" alt=""><![CDATA[Header: PUT (Code=0.03)
Uri-Path: ".well-known"
Uri-Path: "dots"
Uri-Path: "mitigate"
Uri-Path: "cuid=dz6pHjaADkaFTbjr0JGBpw"
Uri-Path: "mid=123"
If-Match:
Content-Format: "application/dots+cbor"

{
  "ietf-dots-signal-channel:mitigation-scope": {
    "scope": [
      {
        "alias-name": [
          "https1",
          "https2"
        ],
        "attack-status": "under-attack",
        "ietf-dots-telemetry:total-attack-traffic": [
          {
            "unit": "megabit-ps",
            "mid-percentile-g": "900"
          }
        ]
      }
    ]
  }
}]]></artwork>
          </figure></t>
}
]]></artwork>
        </figure>
      </section>
      <section anchor="premStoC"
               title="DOTS numbered="true" toc="default">
        <name>From DOTS Servers to Clients DOTS Clients: Mitigation Status DOTS Telemetry Attributes "> Attributes</name>
        <t>The mitigation status telemetry attributes can be signaled from the
        DOTS server to the DOTS client as part of the periodic mitigation
        status update (Section 4.4.2 of <xref target="RFC9132"></xref>). (<xref target="RFC9132" sectionFormat="of" section="4.4.2"/>). In
        particular, DOTS clients can receive asynchronous notifications of the
        attack details from DOTS servers using the Observe option Option defined in
        <xref target="RFC7641"></xref>.</t> target="RFC7641" format="default"/>.</t>
        <t>In order to make use of this feature, DOTS clients MUST <bcp14>MUST</bcp14> establish a
        telemetry session with the DOTS server in 'idle' time and MUST <bcp14>MUST</bcp14> set the
        'server-originated-telemetry' attribute to 'true'.</t>
        <t>DOTS servers MUST NOT <bcp14>MUST NOT</bcp14> include telemetry attributes in mitigation
        status updates sent to DOTS clients for telemetry sessions in which
        the 'server-originated-telemetry' attribute is set to 'false'.</t>
        <t>As defined in <xref target="RFC8612"></xref>, target="RFC8612" format="default"/>, the actual mitigation
        activities can include several countermeasure mechanisms. The DOTS
        server signals the current operational status of relevant
        countermeasures. A list of attacks detected by these countermeasures
        MAY
        <bcp14>MAY</bcp14> also be included. The same attributes as those defined in <xref
        target="attackdetails"></xref> target="attackdetails" format="default"/> are applicable for describing the
        attacks detected and mitigated at the DOTS server domain.</t>
        <t>The "ietf-dots-telemetry" YANG module (<xref
        target="module"></xref>) target="module" format="default"/>) augments the 'mitigation-scope' message type
        defined in "ietf-dots-signal" the "ietf-dots-signal-channel" module <xref target="RFC9132"></xref> target="RFC9132" format="default"/> with
        telemetry data as depicted in <xref target="miscope"></xref>.<figure
            anchor="miscope"
            title="DOTS Servers to Clients target="miscope" format="default"/>.</t>
        <figure anchor="miscope">
          <name>DOTS Server-to-Client Mitigation Status Telemetry Tree Structure">
            <artwork><![CDATA[ Structure</name>
<sourcecode name="" type="yangtree"><![CDATA[  augment-structure /dots-signal:dots-signal/dots-signal:message-type
                    /dots-signal:mitigation-scope/dots-signal:scope:
    +-- (direction)?
    |  +--:(server-to-client-only)
    |     +-- total-traffic* [unit]
    |     |  +-- unit                 unit
    |     |  +-- low-percentile-g?    yang:gauge64
    |     |  +-- mid-percentile-g?    yang:gauge64
    |     |  +-- high-percentile-g?   yang:gauge64
    |     |  +-- peak-g?              yang:gauge64
    |     |  +-- current-g?           yang:gauge64
    |     +-- total-attack-connection
    |        +-- connection-c
    |        |  +-- low-percentile-g?    yang:gauge64
    |        |  +-- mid-percentile-g?    yang:gauge64
    |        |  +-- high-percentile-g?   yang:gauge64
    |        |  +-- peak-g?              yang:gauge64
    |        |  +-- current-g?           yang:gauge64
    |        +-- embryonic-c
    |        |  ...
    |        +-- connection-ps-c
    |        |  ...
    |        +-- request-ps-c
    |        |  ...
    |        +-- partial-request-c
    |           ...
    +-- total-attack-traffic* [unit]
    |  +-- unit                 unit
    |  +-- low-percentile-g?    yang:gauge64
    |  +-- mid-percentile-g?    yang:gauge64
    |  +-- high-percentile-g?   yang:gauge64
    |  +-- peak-g?              yang:gauge64
    |  +-- current-g?           yang:gauge64
    +-- attack-detail* [vendor-id attack-id]
       +-- vendor-id             uint32
       +-- attack-id             uint32
       +-- attack-description?   string
       +-- attack-severity?      attack-severity
       +-- start-time?           uint64
       +-- end-time?             uint64
       +-- source-count
       |  +-- low-percentile-g?    yang:gauge64
       |  +-- mid-percentile-g?    yang:gauge64
       |  +-- high-percentile-g?   yang:gauge64
       |  +-- peak-g?              yang:gauge64
       |  +-- current-g?           yang:gauge64
       +-- top-talker
          +-- talker* [source-prefix]
             +-- spoofed-status?            boolean
             +-- source-prefix              inet:ip-prefix
             +-- source-port-range* [lower-port]
             |  +-- lower-port    inet:port-number
             |  +-- upper-port?   inet:port-number
             +-- source-icmp-type-range* [lower-type]
             |  +-- lower-type    uint8
             |  +-- upper-type?   uint8
             +-- total-attack-traffic* [unit]
             |  +-- unit                 unit
             |  +-- low-percentile-g?    yang:gauge64
             |  +-- mid-percentile-g?    yang:gauge64
             |  +-- high-percentile-g?   yang:gauge64
             |  +-- peak-g?              yang:gauge64
             |  +-- current-g?           yang:gauge64
             +-- total-attack-connection
                +-- connection-c
                |  +-- low-percentile-g?    yang:gauge64
                |  +-- mid-percentile-g?    yang:gauge64
                |  +-- high-percentile-g?   yang:gauge64
                |  +-- peak-g?              yang:gauge64
                |  +-- current-g?           yang:gauge64
                +-- embryonic-c
                |  ...
                +-- connection-ps-c
                |  ...
                +-- request-ps-c
                |  ...
                +-- partial-request-c
                   ...

]]></artwork>
          </figure></t>
]]></sourcecode>
        </figure>
        <t><xref target="upex"></xref> target="upex" format="default"/> shows an example of an asynchronous
        notification of attack mitigation status from the DOTS server. This
        notification signals both the mid-percentile value of processed attack
        traffic and the peak count of unique sources involved in the
        attack.</t>

        <t><figure anchor="upex"
            title="Response
        <figure anchor="upex">
          <name>Response Body of a Mitigation Status With with Telemetry Attributes, depicted Depicted as per Section 5.6">
            <artwork><![CDATA[{ 5.6</name>
          <artwork name="" type="" align="left" alt=""><![CDATA[{
  "ietf-dots-signal-channel:mitigation-scope": {
    "scope": [
      {
        "mid": 12332,
        "mitigation-start": "1507818434",
        "alias-name": [
          "https1",
          "https2"
        ],
        "lifetime": 1600,
        "status": "attack-successfully-mitigated",
        "bytes-dropped": "134334555",
        "bps-dropped": "43344",
        "pkts-dropped": "333334444",
        "pps-dropped": "432432",
        "ietf-dots-telemetry:total-attack-traffic": [
          {
            "unit": "megabit-ps",
            "mid-percentile-g": "752"
          }
        ],
        "ietf-dots-telemetry:attack-detail": [
          {
            "vendor-id": 32473,
            "attack-id": 77,
            "source-count": {
              "peak-g": "12683"
            }
          }
        ]
      }
    ]
  }
}]]></artwork>
          </figure></t>
}
]]></artwork>
        </figure>
        <t>DOTS clients can filter out the asynchronous notifications from the
        DOTS server by indicating one or more Uri-Query options in its GET
        request. A Uri-Query option can include the following parameters:
        'target-prefix', 'target-port', 'target-protocol', 'target-fqdn',
        'target-uri', 'alias-name', and 'c' (content) (<xref
        target="control"></xref>). target="control" format="default"/>). The considerations discussed in <xref
        target="preStoC"></xref> MUST target="preStoC" format="default"/> <bcp14>MUST</bcp14> be followed to include multiple query
        values, ranges ('target-port', 'target-protocol'), and wildcard names
        ('target-fqdn', 'target-uri').</t>
        <t>An example of a request to subscribe to asynchronous notifications
        bound to the "https1" alias is shown in <xref
        target="notif_filter"></xref>.</t>

        <t><figure anchor="notif_filter"
            title="GET target="notif_filter" format="default"/>.</t>
        <figure anchor="notif_filter">
          <name>GET Request to Receive Asynchronous Notifications
Filtered using Uri-Query">
            <artwork><![CDATA[Header: Using Uri-&wj;Query</name>
          <artwork name="" type="" align="left" alt=""><![CDATA[Header: GET (Code=0.01)
Uri-Path: ".well-known"
Uri-Path: "dots"
Uri-Path: "mitigate"
Uri-Path: "cuid=dz6pHjaADkaFTbjr0JGBpw"
Uri-Path: "mid=12332"
Uri-Query: "target-alias=https1"
Observe: 0]]></artwork>
          </figure></t> 0
]]></artwork>
        </figure>
        <t>If the target query does not match the target of the enclosed 'mid'
        as maintained by the DOTS server, the latter MUST <bcp14>MUST</bcp14> respond with a 4.04
        (Not Found) error Response Code. The DOTS server MUST NOT <bcp14>MUST NOT</bcp14> add a new
        observe
        Observe entry if this query overlaps with an existing one. In such a
        case, the DOTS server replies with a 4.09 (Conflict).</t> (Conflict) Response Code.</t>

<!-- [rfced] Section 9.2:  Does "existing one" mean "existing Observe
entry" or "existing query"?

Original:
   The DOTS server MUST NOT add a new
   observe entry if this query overlaps with an existing one. -->

      </section>
    </section>
    <section title="Error Handling"> numbered="true" toc="default">
      <name>Error Handling</name>
      <t>A list of common CoAP errors that are implemented by DOTS servers are is
      provided in Section 9 of <xref target="RFC9132"></xref>. target="RFC9132" sectionFormat="of" section="9"/>. The following
      additional error cases apply for the telemetry extension:</t>

      <t><list style="symbols">
          <t>4.00
      <ul spacing="normal">
        <li>4.00 (Bad Request) is returned by the DOTS server when the DOTS
          client has sent a request that violates the DOTS telemetry
          extension.</t>

          <t>4.04
          extension.</li>
        <li>4.04 (Not Found) is returned by the DOTS server when the DOTS
          client is requesting a 'tsid' or 'tmid' that is not valid.</t>

          <t>4.00 valid.</li>
        <li>4.00 (Bad Request) is returned by the DOTS server when the DOTS
          client has sent a request with invalid query types (e.g., not
          supported, malformed).</t>

          <t>4.04 malformed).</li>
        <li>4.04 (Not Found) is returned by the DOTS server when the DOTS
          client has sent a request with a target query that does not match
          the target of the enclosed 'mid' as maintained by the DOTS
          server.</t>
        </list></t>
          server.</li>
      </ul>
      <t>As indicated in Section 9 of <xref target="RFC9132"></xref>, target="RFC9132" sectionFormat="of" section="9"/>, an
      additional plain text plaintext diagnostic payload (Section 5.5.2 of <xref
      target="RFC7252"></xref>) (<xref target="RFC7252" sectionFormat="of" section="5.5.2"/>) to help with troubleshooting is returned in the
      body of the response.</t>
    </section>
    <section title="YANG Modules">
      <t></t> numbered="true" toc="default">
      <name>YANG Modules</name>
      <section anchor="module"
               title="DOTS numbered="true" toc="default">
        <name>DOTS Signal Channel Telemetry YANG Module"> Module</name>
        <t>This module uses imports types defined in <xref target="RFC6991"></xref> target="RFC9132"/>, <xref target="RFC8783"/>, <xref target="RFC6991" format="default"/>,
        <xref target="RFC8345" format="default"/>, and <xref target="RFC8345"></xref>.</t>

        <t><figure>
            <artwork><![CDATA[<CODE BEGINS> file "ietf-dots-telemetry@2022-02-04.yang" target="RFC8791"/>.</t>

<!-- [rfced] Section 11.1:  As commonly done in YANG RFCs, we updated
this introductory paragraph as follows.  Please let us know if this is
incorrect.  For example, is it accurate to refer to all of the
imports as "types"? If not, please consider if the "Perhaps" text is
agreeable.

Original:
   This module uses types defined in [RFC6991] and [RFC8345].

Current:
   This module imports types defined in [RFC9132], [RFC8783], [RFC6991],
   [RFC8345], and [RFC8791].

Or

Perhaps:
   This module imports types defined in [RFC6991] and [RFC8345]. It also draws
   information from [RFC8783], [RFC8791], and [RFC9132]. -->

<!--[rfced] Section 11.1: While running checks on the YANG module
(ietf-dots-telemetry@2022-05-18.yang), we received the following
warning: "imported module "ietf-dots-signal-channel" not
used". Please confirm if this is acceptable or if any further
changes are needed. -->

        <sourcecode name="ietf-dots-telemetry@2022-05-18.yang" type="yang" markers="true"><![CDATA[
module ietf-dots-telemetry {
  yang-version 1.1;
  namespace "urn:ietf:params:xml:ns:yang:ietf-dots-telemetry";
  prefix dots-telemetry;

  import ietf-dots-signal-channel {
    prefix dots-signal;
    reference
      "RFC 9132: Distributed Denial-of-Service Open Threat
                 Signaling (DOTS) Signal Channel Specification";
  }
  import ietf-dots-data-channel {
    prefix data-channel;
    reference
      "RFC 8783: Distributed Denial-of-Service Open Threat
                 Signaling (DOTS) Data Channel Specification";
  }
  import ietf-yang-types {
    prefix yang;
    reference
      "Section 3 of RFC 6991";
      "RFC 6991: Common YANG Data Types, Section 3";
  }
  import ietf-inet-types {
    prefix inet;
    reference
      "Section 4 of RFC 6991";
      "RFC 6991: Common YANG Data Types, Section 4";
  }
  import ietf-network-topology {
    prefix nt;
    reference
      "Section 6.2 of RFC
      "RFC 8345: A YANG Data Model for Network
       Topologies"; Topologies,
                 Section 6.2";
  }
  import ietf-yang-structure-ext {
    prefix sx;
    reference
      "RFC 8791: YANG Data Structure Extensions";
  }

  organization
    "IETF DDoS Open Threat Signaling (DOTS) Working Group";
  contact
    "WG Web:   <https://datatracker.ietf.org/wg/dots/>
     WG List:  <mailto:dots@ietf.org>

     Author:

     Editor:   Mohamed Boucadair
               <mailto:mohamed.boucadair@orange.com>

     Author:

     Editor:   Konda, Tirumaleswar Reddy.K
               <mailto:kondtir@gmail.com>";
  description
    "This module contains YANG definitions for the signaling
     of DOTS telemetry data exchanged between a DOTS client and
     a DOTS server by means of the DOTS signal channel.

     Copyright (c) 2022 IETF Trust and the persons identified as
     authors of the code.  All rights reserved.

     Redistribution and use in source and binary forms, with or
     without modification, is permitted pursuant to, and subject to
     the license terms contained in, the Revised BSD License set
     forth in Section 4.c of the IETF Trust's Legal Provisions
     Relating to IETF Documents
     (https://trustee.ietf.org/license-info).

     This version of this YANG module is part of RFC XXXX; 9244; see the
     RFC itself for full legal notices.";

  revision 2022-02-04 2022-05-18 {
    description
      "Initial revision.";
    reference
      "RFC XXXX: 9244: Distributed Denial-of-Service Open Threat
                 Signaling (DOTS) Telemetry";
  }

  typedef attack-severity {
    type enumeration {
      enum none {
        value 1;
        description
          "No effect on the DOTS client domain.";
      }
      enum low {
        value 2;
        description
          "Minimal effect on the DOTS client domain.";
      }
      enum medium {
        value 3;
        description
          "A subset of DOTS client domain resources are is
           out of service.";
      }
      enum high {
        value 4;
        description
          "The DOTS client domain is under extremely severe
           conditions.";
      }
      enum unknown {
        value 5;
        description
          "The impact of the attack is not known.";
      }
    }
    description
      "Enumeration for attack severity.";
    reference
      "RFC 7970: The Incident Object Description Exchange
                 Format Version 2, Section 3.12.2";
  }

  typedef unit-class {
    type enumeration {
      enum packet-ps {
        value 1;
        description
          "Packets per second (pps).";
      }
      enum bit-ps {
        value 2;
        description
          "Bits per Second second (bit/s).";
      }
      enum byte-ps {
        value 3;
        description
          "Bytes per second (Byte/s).";
      }
    }
    description
      "Enumeration to indicate which unit class is used.
       These classes are supported: pps, bit/s, and Byte/s.";
  }

  typedef unit {
    type enumeration {
      enum packet-ps {
        value 1;
        description
          "Packets per second (pps).";
      }
      enum bit-ps {
        value 2;
        description
          "Bits per Second second (bps).";
      }
      enum byte-ps {
        value 3;
        description
          "Bytes per second (Bps).";
      }
      enum kilopacket-ps {
        value 4;
        description
          "Kilo packets per second (kpps).";
      }
      enum kilobit-ps {
        value 5;
        description
          "Kilobits per second (kbps).";
      }
      enum kilobyte-ps {
        value 6;
        description
          "Kilobytes per second (kBps).";
      }
      enum megapacket-ps {
        value 7;
        description
          "Mega packets per second (Mpps).";
      }
      enum megabit-ps {
        value 8;
        description
          "Megabits per second (Mbps).";
      }
      enum megabyte-ps {
        value 9;
        description
          "Megabytes per second (MBps).";
      }
      enum gigapacket-ps {
        value 10;
        description
          "Giga packets per second (Gpps).";
      }
      enum gigabit-ps {
        value 11;
        description
          "Gigabits per second (Gbps).";
      }
      enum gigabyte-ps {
        value 12;
        description
          "Gigabytes per second (GBps).";
      }
      enum terapacket-ps {
        value 13;
        description
          "Tera packets per second (Tpps).";
      }
      enum terabit-ps {
        value 14;
        description
          "Terabits per second (Tbps).";
      }
      enum terabyte-ps {
        value 15;
        description
          "Terabytes per second (TBps).";
      }
      enum petapacket-ps {
        value 16;
        description
          "Peta packets per second (Ppps).";
      }
      enum petabit-ps {
        value 17;
        description
          "Petabits per second (Pbps).";
      }
      enum petabyte-ps {
        value 18;
        description
          "Petabytes per second (PBps).";
      }
      enum exapacket-ps {
        value 19;
        description
          "Exa packets per second (Epps).";
      }
      enum exabit-ps {
        value 20;
        description
          "Exabits per second (Ebps).";
      }
      enum exabyte-ps {
        value 21;
        description
          "Exabytes per second (EBps).";
      }
      enum zettapacket-ps {
        value 22;
        description
          "Zetta packets per second (Zpps).";
      }
      enum zettabit-ps {
        value 23;
        description
          "Zettabits per second (Zbps).";
      }
      enum zettabyte-ps {
        value 24;
        description
          "Zettabytes per second (ZBps).";
      }
    }
    description
      "Enumeration to indicate which unit is used.
       Only one unit per unit class is used owing to
       unit auto-scaling.";
  }

  typedef interval {
    type enumeration {
      enum 5-minutes {
        value 1;
        description
          "5 minutes.";
      }
      enum 10-minutes {
        value 2;
        description
          "10 minutes.";
      }
      enum 30-minutes {
        value 3;
        description
          "30 minutes.";
      }
      enum hour {
        value 4;
        description
          "Hour.";
      }
      enum day {
        value 5;
        description
          "Day.";
      }
      enum week {
        value 6;
        description
          "Week.";
      }
      enum month {
        value 7;
        description
          "Month.";
      }
    }
    description
      "Enumeration to indicate the overall measurement period.";
  }

  typedef sample {
    type enumeration {
      enum second {
        value 1;
        description
          "A one-second
          "One-second measurement period.";
      }
      enum 5-seconds {
        value 2;
        description
          "5-second measurement period.";
      }
      enum 30-seconds {
        value 3;
        description
          "30-second measurement period.";
      }
      enum minute {
        value 4;
        description
          "One-minute measurement period.";
      }
      enum 5-minutes {
        value 5;
        description
          "5-minute measurement period.";
      }
      enum 10-minutes {
        value 6;
        description
          "10-minute measurement period.";
      }
      enum 30-minutes {
        value 7;
        description
          "30-minute measurement period.";
      }
      enum hour {
        value 8;
        description
          "One-hour measurement period.";
      }
    }
    description
      "Enumeration to indicate the sampling period.";
  }

  typedef percentile {
    type decimal64 {
      fraction-digits 2;
    }
    description
      "The nth percentile of a set of data is the
       value at which n percent of the data is below it.";
  }

  typedef query-type {
    type enumeration {
      enum target-prefix {
        value 1;
        description
          "Query based on target prefix.";
      }
      enum target-port {
        value 2;
        description
          "Query based on target port number.";
      }
      enum target-protocol {
        value 3;
        description
          "Query based on target protocol.";
      }
      enum target-fqdn {
        value 4;
        description
          "Query based on target FQDN.";
      }
      enum target-uri {
        value 5;
        description
          "Query based on target URI.";
      }
      enum target-alias {
        value 6;
        description
          "Query based on target alias.";
      }
      enum mid {
        value 7;
        description
          "Query based on mitigation identifier (mid).";
      }
      enum source-prefix {
        value 8;
        description
          "Query based on source prefix.";
      }
      enum source-port {
        value 9;
        description
          "Query based on source port number.";
      }
      enum source-icmp-type {
        value 10;
        description
          "Query based on ICMP type"; type.";
      }
      enum content {
        value 11;
        description
          "Query based on the 'c' (content) Uri-Query option that option,
           which is used to control the selection of configuration
           and non-configuration data nodes.";
        reference
          "Section 4.4.2 of RFC 9132.";
          "RFC 9132: Distributed Denial-of-Service Open Threat
                     Signaling (DOTS) Signal Channel
                     Specification, Section 4.4.2";
      }
    }
    description
      "Enumeration of support for query types that can be used
       in a GET request to filter out data.  Requests with
       invalid query types (e.g., not supported, malformed)
       received by the DOTS server are rejected with
       a 4.00 (Bad Request) response code."; Response Code.";
  }

  grouping telemetry-parameters {
    description
      "A grouping that includes a set of parameters that
       are used to prepare the reported telemetry data.

       The grouping indicates a measurement interval,
       a measurement sample period, and low/mid/high
       percentile values.";
    leaf measurement-interval {
      type interval;
      description
        "Defines the period on during which percentiles are
         computed.";
    }
    leaf measurement-sample {
      type sample;
      description
        "Defines the time distribution for measuring
         values that are used to compute percentiles.

         The measurement sample value must be less than the
         measurement interval value.";
    }
    leaf low-percentile {
      type percentile;
      default "10.00";
      description
        "Low percentile.  If set to '0', this means that
         low-percentiles are disabled.";
    }
    leaf mid-percentile {
      type percentile;
      must '. >= ../low-percentile' {
        error-message
          "The mid-percentile must be greater than
           or equal to the low-percentile.";
      }
      default "50.00";
      description
        "Mid percentile.  If set to the same value as low-percentile,
         'low-percentile', this means that mid-percentiles are
         disabled.";
    }
    leaf high-percentile {
      type percentile;
      must '. >= ../mid-percentile' {
        error-message
          "The high-percentile must be greater than
           or equal to the mid-percentile.";
      }
      default "90.00";
      description
        "High percentile.  If set to the same value as mid-percentile,
         'mid-percentile', this means that high-percentiles are
         disabled.";
    }
  }

  grouping percentile-and-peak {
    description
      "Generic grouping for percentile and peak values.";
    leaf low-percentile-g {
      type yang:gauge64;
      description
        "Low percentile value.";
    }
    leaf mid-percentile-g {
      type yang:gauge64;
      description
        "Mid percentile value.";
    }
    leaf high-percentile-g {
      type yang:gauge64;
      description
        "High percentile value.";
    }
    leaf peak-g {
      type yang:gauge64;
      description
        "Peak value.";
    }
  }

  grouping percentile-peak-and-current {
    description
      "Generic grouping for percentile and peak values.";
    uses percentile-and-peak;
    leaf current-g {
      type yang:gauge64;
      description
        "Current value.";
    }
  }

  grouping unit-config {
    description
      "Generic grouping for unit configuration.";
    list unit-config {
      key "unit";
      description
        "Controls which unit classes are allowed when sharing
         telemetry data.";
      leaf unit {
        type unit-class;
        description
          "Can be packet-ps, bit-ps, 'packet-ps', 'bit-ps', or byte-ps."; 'byte-ps'.";
      }
      leaf unit-status {
        type boolean;
        mandatory true;
        description
          "Enable/disable the use of the measurement unit class.";
      }
    }
  }

  grouping traffic-unit {
    description
      "Grouping of traffic as a function of the
       measurement unit.";
    leaf unit {
      type unit;
      description
        "The traffic can be measured using unit classes: packet-ps,
         bit-ps,
         'packet-ps', 'bit-ps', or byte-ps. 'byte-ps'.  DOTS agents
         auto-scale to the appropriate units (e.g., megabit-ps, kilobit-ps)."; 'megabit-ps',
         'kilobit-ps').";
    }
    uses percentile-and-peak;
  }

  grouping traffic-unit-all {
    description
      "Grouping of traffic as a function of the measurement unit,
       including current values.";
    uses traffic-unit;
    leaf current-g {
      type yang:gauge64;
      description
        "Current observed value.";
    }
  }

  grouping traffic-unit-protocol {
    description
      "Grouping of traffic of a given transport protocol as
       a function of the measurement unit.";
    leaf protocol {
      type uint8;
      description
        "The transport protocol.
         Values are taken from the IANA Protocol Numbers 'Protocol Numbers'
         registry:
         <https://www.iana.org/assignments/protocol-numbers/>.

         For example, this parameter contains 6 for TCP,
         17 for UDP, 33 for DCCP, the Datagram Congestion Control
         Protocol (DCCP), or 132 for SCTP."; the Stream Control
         Transmission Protocol (SCTP).";
    }
    uses traffic-unit;
  }

  grouping traffic-unit-protocol-all {
    description
      "Grouping of traffic of a given transport protocol as
       a function of the measurement unit, including current
       values.";
    uses traffic-unit-protocol;
    leaf current-g {
      type yang:gauge64;
      description
        "Current observed value.";
    }
  }

  grouping traffic-unit-port {
    description
      "Grouping of traffic bound to a port number as
       a function of the measurement unit.";
    leaf port {
      type inet:port-number;
      description
        "Port number used by a transport protocol.";
    }
    uses traffic-unit;
  }

  grouping traffic-unit-port-all {
    description
      "Grouping of traffic bound to a port number as
       a function of the measurement unit, including
       current values.";
    uses traffic-unit-port;
    leaf current-g {
      type yang:gauge64;
      description
        "Current observed value.";
    }
  }

  grouping total-connection-capacity {
    description
      "Total connection capacities for various types of
       connections, as well as overall capacity.  These data nodes
       are useful to detect for detecting resource-consuming DDoS attacks.";
    leaf connection {
      type uint64;
      description
        "The maximum number of simultaneous connections that
         are allowed to the target server.";
    }
    leaf connection-client {
      type uint64;
      description
        "The maximum number of simultaneous connections that
         are allowed to the target server per client.";
    }
    leaf embryonic {
      type uint64;
      description
        "The maximum number of simultaneous embryonic connections
         that are allowed to the target server.  The term
         'embryonic connection' refers to a connection whose
         connection handshake is not finished.  Embryonic
         connections are only possible in connection-oriented
         transport protocols like TCP or SCTP.";
    }
    leaf embryonic-client {
      type uint64;
      description
        "The maximum number of simultaneous embryonic connections
         that are allowed to the target server per client.";
    }
    leaf connection-ps {
      type uint64;
      description
        "The maximum number of new connections allowed per second
         to the target server.";
    }
    leaf connection-client-ps {
      type uint64;
      description
        "The maximum number of new connections allowed per second
         to the target server per client.";
    }
    leaf request-ps {
      type uint64;
      description
        "The maximum number of requests allowed per second
         to the target server.";
    }
    leaf request-client-ps {
      type uint64;
      description
        "The maximum number of requests allowed per second
         to the target server per client.";
    }
    leaf partial-request-max {
      type uint64;
      description
        "The maximum number of outstanding partial requests
         that are allowed to the target server.";
    }
    leaf partial-request-client-max {
      type uint64;
      description
        "The maximum number of outstanding partial requests
         that are allowed to the target server per client.";
    }
  }

  grouping total-connection-capacity-protocol {
    description
      "Total connections capacity per protocol.  These data nodes
       are useful to detect resource consuming for detecting resource-consuming DDoS attacks.";
    leaf protocol {
      type uint8;
      description
        "The transport protocol.
         Values are taken from the IANA Protocol Numbers 'Protocol Numbers'
         registry:
         <https://www.iana.org/assignments/protocol-numbers/>.";
    }
    uses total-connection-capacity;
  }

  grouping connection-percentile-and-peak {
    description
      "A set of data nodes which that represent the attack
       characteristics.";
    container connection-c {
      uses percentile-and-peak;
      description
        "The number of simultaneous attack connections to
         the target server.";
    }
    container embryonic-c {
      uses percentile-and-peak;
      description
        "The number of simultaneous embryonic connections to
         the target server.";
    }
    container connection-ps-c {
      uses percentile-and-peak;
      description
        "The number of attack connections per second to
         the target server.";
    }
    container request-ps-c {
      uses percentile-and-peak;
      description
        "The number of attack requests per second to
         the target server.";
    }
    container partial-request-c {
      uses percentile-and-peak;
      description
        "The number of attack partial requests to
         the target server.";
    }
  }

  grouping connection-all {
    description
      "Total attack connections connections, including current values.";
    container connection-c {
      uses percentile-peak-and-current;
      description
        "The number of simultaneous attack connections to
         the target server.";
    }
    container embryonic-c {
      uses percentile-peak-and-current;
      description
        "The number of simultaneous embryonic connections to
         the target server.";
    }
    container connection-ps-c {
      uses percentile-peak-and-current;
      description
        "The number of attack connections per second to
         the target server.";
    }
    container request-ps-c {
      uses percentile-peak-and-current;
      description
        "The number of attack requests per second to
         the target server.";
    }
    container partial-request-c {
      uses percentile-peak-and-current;
      description
        "The number of attack partial requests to
         the target server.";
    }
  }

  grouping connection-protocol {
    description
      "Total attack connections.";
    leaf protocol {
      type uint8;
      description
        "The transport protocol.
         Values are taken from the IANA Protocol Numbers 'Protocol Numbers'
         registry:
         <https://www.iana.org/assignments/protocol-numbers/>.";
    }
    uses connection-percentile-and-peak;
  }

  grouping connection-port {
    description
      "Total attack connections per port number.";
    leaf protocol {
      type uint8;
      description
        "The transport protocol.
         Values are taken from the IANA Protocol Numbers 'Protocol Numbers'
         registry:
         <https://www.iana.org/assignments/protocol-numbers/>.";
    }
    leaf port {
      type inet:port-number;
      description
        "Port number.";
    }
    uses connection-percentile-and-peak;
  }

  grouping connection-protocol-all {
    description
      "Total attack connections per protocol, including current
       values.";
    leaf protocol {
      type uint8;
      description
        "The transport protocol.
         Values are taken from the IANA Protocol Numbers 'Protocol Numbers'
         registry:
         <https://www.iana.org/assignments/protocol-numbers/>.";
    }
    uses connection-all;
  }

  grouping connection-protocol-port-all {
    description
      "Total attack connections per port number, including current
       values.";
    leaf protocol {
      type uint8;
      description
        "The transport protocol.
         Values are taken from the IANA Protocol Numbers 'Protocol Numbers'
         registry:
         <https://www.iana.org/assignments/protocol-numbers/>.";
    }
    leaf port {
      type inet:port-number;
      description
        "Port number.";
    }
    uses connection-all;
  }

  grouping attack-detail {
    description
      "Various details that describe the ongoing
       attacks that need to be mitigated by the DOTS server.
       The attack details need to cover well-known and common
       attacks (such as a SYN Flood) flood) along with new emerging or
       vendor-specific attacks.";
    leaf vendor-id {
      type uint32;
      description
        "Vendor
        "The Vendor ID is a security vendor's Private Enterprise
         Number as registered with IANA.";
      reference
        "IANA: Private Enterprise Numbers"; Numbers
         (https://www.iana.org/assignments/enterprise-numbers/)";
    }
    leaf attack-id {
      type uint32;
      description
        "Unique identifier assigned by the vendor for the attack.";
    }
    leaf description-lang {
      type string {
        pattern '(([A-Za-z]{2,3}(-[A-Za-z]{3}(-[A-Za-z]{3})'
              + '{0,2})?|[A-Za-z]{4}|[A-Za-z]{5,8})(-[A-Za-z]{4})?'
              + '(-([A-Za-z]{2}|[0-9]{3}))?(-([A-Za-z0-9]{5,8}'
              + '|([0-9][A-Za-z0-9]{3})))*(-[0-9A-WY-Za-wy-z]'
              + '(-([A-Za-z0-9]{2,8}))+)*(-[Xx](-([A-Za-z0-9]'
              + '{1,8}))+)?|[Xx](-([A-Za-z0-9]{1,8}))+|'
              + '(([Ee][Nn]-[Gg][Bb]-[Oo][Ee][Dd]|[Ii]-'
              + '[Aa][Mm][Ii]|[Ii]-[Bb][Nn][Nn]|[Ii]-'
              + '[Dd][Ee][Ff][Aa][Uu][Ll][Tt]|[Ii]-'
              + '[Ee][Nn][Oo][Cc][Hh][Ii][Aa][Nn]'
              + '|[Ii]-[Hh][Aa][Kk]|'
              + '[Ii]-[Kk][Ll][Ii][Nn][Gg][Oo][Nn]|'
              + '[Ii]-[Ll][Uu][Xx]|[Ii]-[Mm][Ii][Nn][Gg][Oo]|'
              + '[Ii]-[Nn][Aa][Vv][Aa][Jj][Oo]|[Ii]-[Pp][Ww][Nn]|'
              + '[Ii]-[Tt][Aa][Oo]|[Ii]-[Tt][Aa][Yy]|'
              + '[Ii]-[Tt][Ss][Uu]|[Ss][Gg][Nn]-[Bb][Ee]-[Ff][Rr]|'
              + '[Ss][Gg][Nn]-[Bb][Ee]-[Nn][Ll]|[Ss][Gg][Nn]-'
              + '[Cc][Hh]-[Dd][Ee])|([Aa][Rr][Tt]-'
              + '[Ll][Oo][Jj][Bb][Aa][Nn]|[Cc][Ee][Ll]-'
              + '[Gg][Aa][Uu][Ll][Ii][Ss][Hh]|'
              + '[Nn][Oo]-[Bb][Oo][Kk]|[Nn][Oo]-'
              + '[Nn][Yy][Nn]|[Zz][Hh]-[Gg][Uu][Oo][Yy][Uu]|'
              + '[Zz][Hh]-[Hh][Aa][Kk][Kk][Aa]|[Zz][Hh]-'
              + '[Mm][Ii][Nn]|[Zz][Hh]-[Mm][Ii][Nn]-'
              + '[Nn][Aa][Nn]|[Zz][Hh]-[Xx][Ii][Aa][Nn][Gg])))';
      }
      default "en-US";
      description
        "Indicates the language tag that is used for
         'attack-description'.";
      reference
        "RFC 5646: Tags for Identifying Languages, Section 2.1";
    }
    leaf attack-description {
      type string;
      description
        "Textual representation of the attack description.
         Natural Language Processing techniques (e.g.,
         word embedding) might provide some utility in mapping
         the attack description to an attack type.";
    }
    leaf attack-severity {
      type attack-severity;
      description
        "Severity level of an attack.  How this level is
         determined is implementation-specific."; implementation specific.";
    }
    leaf start-time {
      type uint64;
      description
        "The time the attack started. Start  The start time is
         represented in seconds relative to
         1970-01-01T00:00:00Z.";
    }
    leaf end-time {
      type uint64;
      description
        "The time the attack ended. End  The end time is represented
         in seconds relative to 1970-01-01T00:00:00Z.";
    }
    container source-count {
      description
        "Indicates the count of unique sources involved
         in the attack.";
      uses percentile-and-peak;
      leaf current-g {
        type yang:gauge64;
        description
          "Current observed value.";
      }
    }
  }

  grouping talker {
    description
      "Defines generic data related to top-talkers."; top talkers.";
    leaf spoofed-status {
      type boolean;
      description
        "When set to 'true', it indicates whether this address
         is spoofed.";
    }
    leaf source-prefix {
      type inet:ip-prefix;
      description
        "IPv4 or IPv6 prefix identifying the attacker(s).";
    }
    list source-port-range {
      key "lower-port";
      description
        "Port range.  When only lower-port 'lower-port' is
         present, it represents a single port number.";
      leaf lower-port {
        type inet:port-number;
        description
          "Lower port number of the port range.";
      }
      leaf upper-port {
        type inet:port-number;
        must '. >= ../lower-port' {
          error-message
            "The upper port number must be greater than
             or equal to the lower port number.";
        }
        description
          "Upper port number of the port range.";
      }
    }
    list source-icmp-type-range {
      key "lower-type";
      description
        "ICMP type range.  When only lower-type 'lower-type' is
         present, it represents a single ICMP type.";
      leaf lower-type {
        type uint8;
        description
          "Lower ICMP type of the ICMP type range.";
      }
      leaf upper-type {
        type uint8;
        must '. >= ../lower-type' {
          error-message
            "The upper ICMP type must be greater than
             or equal to the lower ICMP type.";
        }
        description
          "Upper type of the ICMP type range.";
      }
    }
    list total-attack-traffic {
      key "unit";
      description
        "Total attack traffic issued from this source.";
      uses traffic-unit-all;
    }
  }

  grouping top-talker-aggregate {
    description
      "An aggregate of top attack sources.  This aggregate is
       typically used when included in a mitigation request.";
    list talker {
      key "source-prefix";
      description
        "Refers to a top-talker top talker that is identified by an IPv4
         or IPv6 prefix identifying the attacker(s).";
      uses talker;
      container total-attack-connection {
        description
          "Total attack connections issued from this source.";
        uses connection-all;
      }
    }
  }

  grouping top-talker {
    description
      "Top attack sources with detailed per-protocol
       structure.";
    list talker {
      key "source-prefix";
      description
        "Refers to a top-talker top talker that is identified by an IPv4
         or IPv6 prefix identifying the attacker(s).";
      uses talker;
      list total-attack-connection-protocol {
        key "protocol";
        description
          "Total attack connections issued from this source.";
        uses connection-protocol-all;
      }
    }
  }

  grouping baseline {
    description
      "Grouping for the telemetry baseline.";
    uses data-channel:target;
    leaf-list alias-name {
      type string;
      description
        "An alias name that points to an IP resource.
         An IP resource can be a router, a host,
         an IoT Internet of Things (IoT) object, a server, etc.";
    }
    list total-traffic-normal {
      key "unit";
      description
        "Total traffic normal baselines.";
      uses traffic-unit;
    }
    list total-traffic-normal-per-protocol {
      key "unit protocol";
      description
        "Total traffic normal baselines per protocol.";
      uses traffic-unit-protocol;
    }
    list total-traffic-normal-per-port {
      key "unit port";
      description
        "Total traffic normal baselines per port number.";
      uses traffic-unit-port;
    }
    list total-connection-capacity {
      key "protocol";
      description
        "Total connection capacity.";
      uses total-connection-capacity-protocol;
    }
    list total-connection-capacity-per-port {
      key "protocol port";
      description
        "Total connection capacity per port number.";
      leaf port {
        type inet:port-number;
        description
          "The target port number.";
      }
      uses total-connection-capacity-protocol;
    }
  }

  grouping pre-or-ongoing-mitigation {
    description
      "Grouping for the telemetry data.";
    list total-traffic {
      key "unit";
      description
        "Total traffic.";
      uses traffic-unit-all;
    }
    list total-traffic-protocol {
      key "unit protocol";
      description
        "Total traffic per protocol.";
      uses traffic-unit-protocol-all;
    }
    list total-traffic-port {
      key "unit port";
      description
        "Total traffic per port number.";
      uses traffic-unit-port-all;
    }
    list total-attack-traffic {
      key "unit";
      description
        "Total attack traffic.";
      uses traffic-unit-all;
    }
    list total-attack-traffic-protocol {
      key "unit protocol";
      description
        "Total attack traffic per protocol.";
      uses traffic-unit-protocol-all;
    }
    list total-attack-traffic-port {
      key "unit port";
      description
        "Total attack traffic per port number.";
      uses traffic-unit-port-all;
    }
    list total-attack-connection-protocol {
      key "protocol";
      description
        "Total attack connections.";
      uses connection-protocol-all;
    }
    list total-attack-connection-port {
      key "protocol port";
      description
        "Total attack connections per target port number.";
      uses connection-protocol-port-all;
    }
    list attack-detail {
      key "vendor-id attack-id";
      description
        "Provides a set of attack details.";
      uses attack-detail;
      container top-talker {
        description
          "Lists the top attack sources.";
        uses top-talker;
      }
    }
  }

  sx:augment-structure "/dots-signal:dots-signal"
                     + "/dots-signal:message-type"
                     + "/dots-signal:mitigation-scope"
                     + "/dots-signal:scope" {
    description
      "Extends mitigation scope with telemetry update data.";
    choice direction {
      description
        "Indicates the communication direction in which the
         data nodes can be included.";
      case server-to-client-only {
        description
          "These data nodes appear only in a mitigation message
           sent from the server to the client.";
        list total-traffic {
          key "unit";
          description
            "Total traffic.";
          uses traffic-unit-all;
        }
        container total-attack-connection {
          description
            "Total attack connections.";
          uses connection-all;
        }
      }
    }
    list total-attack-traffic {
      key "unit";
      description
        "Total attack traffic.";
      uses traffic-unit-all;
    }
    list attack-detail {
      key "vendor-id attack-id";
      description
        "Attack details"; details.";
      uses attack-detail;
      container top-talker {
        description
          "Top attack sources.";
        uses top-talker-aggregate;
      }
    }
  }
  sx:structure dots-telemetry {
    description
      "Main structure for DOTS telemetry messages.";
    choice telemetry-message-type {
      description
        "Can be a telemetry-setup 'telemetry-setup' or telemetry data.";
      case telemetry-setup {
        description
          "Indicates that the message is about telemetry steup."; setup.";
        choice direction {
          description
            "Indicates the communication direction in which the
             data nodes can be included.";
          case server-to-client-only {
            description
              "These data nodes appear only in a telemetry message
               sent from the server to the client.";
            container max-config-values {
              description
                "Maximum acceptable configuration values.";
              uses telemetry-parameters;
              leaf server-originated-telemetry {
                type boolean;
                default "false";
                description
                  "Indicates whether the DOTS server can be
                   instructed to send pre-or-ongoing-mitigation
                   telemetry.  If set to 'false' or the data node
                   is not present, this is an indication that
                   the server does not support this capability.";
              }
              leaf telemetry-notify-interval {
                type uint16 {
                  range "1 .. 3600";
                }
                units "seconds";
                must '. >= ../../min-config-values'
                   + '/telemetry-notify-interval' {
                  error-message
                    "The value must be greater than or equal
                     to the telemetry-notify-interval 'telemetry-notify-interval' value in
                     the
                     min-config-values"; 'min-config-values' attribute";
                }
                description
                  "Minimum number of seconds between successive
                   telemetry notifications.";
              }
            }
            container min-config-values {
              description
                "Minimum acceptable configuration values.";
              uses telemetry-parameters;
              leaf telemetry-notify-interval {
                type uint16 {
                  range "1 .. 3600";
                }
                units "seconds";
                description
                  "Minimum number of seconds between successive
                   telemetry notifications.";
              }
            }
            container supported-unit-classes {
              description
                "Supported unit classes and default activation
                 status.";
              uses unit-config;
            }
            leaf-list supported-query-type {
              type query-type;
              description
                "Indicates which query types are supported by
                 the server.  If the server does not announce
                 the query types it supports, the client will
                 be unable to use any of the potential
                 query-type
                 'query-type' values to reduce the returned data
                 content from the server.";
            }
          }
        }
        list telemetry {
          description
            "The telemetry data per DOTS client.  The keys
             of the list are 'cuid' and 'tsid', but these keys are
             not represented here because these keys are conveyed
             as mandatory Uri-Paths in requests.  Omitting keys
             is compliant with RFC8791."; RFC 8791.";
          reference
            "RFC 8791: YANG Data Structure Extensions";
          choice direction {
            description
              "Indicates the communication direction in which the
               data nodes can be included.";
            case server-to-client-only {
              description
                "These data nodes appear only in a telemetry
                 message sent from the server to the client.";
              leaf tsid {
                type uint32;
                description
                  "A client-assigned identifier for the DOTS
                   telemetry setup data.";
              }
            }
          }
          choice setup-type {
            description
              "Can be a mitigation configuration, a pipe capacity,
               or a baseline message.";
            case telemetry-config {
              description
                "Used to set telemetry parameters such as setting
                 low, mid, and high percentile values.";
              container current-config {
                description
                  "Current telemetry configuration values.";
                uses telemetry-parameters;
                uses unit-config;
                leaf server-originated-telemetry {
                  type boolean;
                  description
                    "Used by a DOTS client to enable/disable
                     whether it requests pre-or-ongoing-mitigation
                     telemetry from the DOTS server.";
                }
                leaf telemetry-notify-interval {
                  type uint16 {
                    range "1 .. 3600";
                  }
                  units "seconds";
                  description
                    "Minimum number of seconds between successive
                     telemetry notifications.";
                }
              }
            }
            case pipe {
              description
                "Total pipe capacity of a DOTS client domain.";
              list total-pipe-capacity {
                key "link-id unit";
                description
                  "Total pipe capacity of a DOTS client domain.";
                leaf link-id {
                  type nt:link-id;
                  description
                    "Identifier of an interconnection link of
                     the DOTS client domain.";
                }
                leaf capacity {
                  type uint64;
                  mandatory true;
                  description
                    "Pipe capacity.  This attribute is mandatory
                     when
                     total-pipe-capacity 'total-pipe-capacity' is included in a
                     message.";
                }
                leaf unit {
                  type unit;
                  description
                    "The traffic can be measured using unit
                     classes: packets per second (pps), bits per
                     second (bit/s), and/or bytes per second
                     (Byte/s).

                     For a given unit class, the DOTS agents
                     auto-scales
                     auto-scale to the appropriate units (e.g.,
                     megabit-ps, kilobit-ps).";
                     'megabit-ps', 'kilobit-ps').";
                }
              }
            }
            case baseline {
              description
                "Traffic baseline information of related to a DOTS
                 client domain.";
              list baseline {
                key "id";
                description
                  "Traffic baseline information of related to a DOTS
                   client domain.";
                leaf id {
                  type uint32;
                  must '. >= 1';
                  description
                    "An identifier that uniquely identifies a
                     baseline entry communicated by a
                     DOTS client.";
                }
                uses baseline;
              }
            }
          }
        }
      }
      case telemetry {
        description
          "Telemetry information.";
        list pre-or-ongoing-mitigation {
          description
            "Pre-or-ongoing-mitigation telemetry per DOTS client.
             The keys of the list are 'cuid' and 'tmid', but these
             keys are not represented here because these keys are
             conveyed as mandatory Uri-Paths in requests.
             Omitting keys is compliant with RFC8791."; RFC 8791.";
          reference
            "RFC 8791: YANG Data Structure Extensions";
          choice direction {
            description
              "Indicates the communication direction in which the
               data nodes can be included.";
            case server-to-client-only {
              description
                "These data nodes appear only in a telemetry
                 message sent from the server to the client.";
              leaf tmid {
                type uint32;
                description
                  "A client-assigned identifier for the DOTS
                   telemetry data.";
              }
            }
          }
          container target {
            description
              "Indicates the target.  At least one of the
               attributes 'target-prefix', 'target-fqdn',
               'target-uri', 'alias-name', or 'mid-list'
               must be present in the target definition.";
            uses data-channel:target;
            leaf-list alias-name {
              type string;
              description
                "An alias name that points to a resource.";
            }
            leaf-list mid-list {
              type uint32;
              description
                "Reference to a list of associated mitigation
                 requests.";
              reference
                "RFC 9132: Distributed Denial-of-Service Open
                           Threat Signaling (DOTS) Signal Channel
                           Specification, Section 4.4.1";
            }
          }
          uses pre-or-ongoing-mitigation;
        }
      }
    }
  }
}
<CODE ENDS>
]]></artwork>
          </figure></t>
]]></sourcecode>
      </section>

<!-- [rfced] Sections 11.1 and 11.2:  Because Mohamed Boucadair and
Tirumaleswar Reddy.K are listed as editors of this document, we
changed "Author:" to "Editor:" next to their names.  Please let us
know any concerns.

Original:
   Author:  Mohamed Boucadair
            <mailto:mohamed.boucadair@orange.com>

   Author:  Konda, Tirumaleswar Reddy.K
            <mailto:kondtir@gmail.com>";
...
   Author:  Mohamed Boucadair
            <mailto:mohamed.boucadair@orange.com>

   Author:  Jon Shallow
            <mailto:supjps-ietf@jpshallow.com>";

Currently:
   Editor:   Mohamed Boucadair
             <mailto:mohamed.boucadair@orange.com>

   Editor:   Konda, Tirumaleswar Reddy.K
             <mailto:kondtir@gmail.com>";
...
   Editor:   Mohamed Boucadair
             <mailto:mohamed.boucadair@orange.com>

   Author:   Jon Shallow
             <mailto:supjps-ietf@jpshallow.com>"; -->

      <section anchor="data" title="Vendor numbered="true" toc="default">
        <name>Vendor Attack Mapping Details YANG Module">
        <t><figure>
            <artwork><![CDATA[<CODE BEGINS> file "ietf-dots-mapping@2022-02-04.yang" Module</name>
        <t>This module imports "ietf-dots-data-channel" from <xref target="RFC8783"/>.</t>

<!-- [rfced] Section 11.2:  As commonly done in YANG RFCs, we added
an introductory paragraph as follows.  Please let us know any
concerns.

Original:
   No text

Currently:
   This module imports "ietf-dots-data-channel" from [RFC8783]. -->

        <sourcecode name="ietf-dots-mapping@2022-05-18.yang" type="yang" markers="true"><![CDATA[
module ietf-dots-mapping {
  yang-version 1.1;
  namespace "urn:ietf:params:xml:ns:yang:ietf-dots-mapping";
  prefix dots-mapping;

  import ietf-dots-data-channel {
    prefix data-channel;
    reference
      "RFC 8783: Distributed Denial-of-Service Open Threat
                 Signaling (DOTS) Data Channel Specification";
  }

  organization
    "IETF DDoS Open Threat Signaling (DOTS) Working Group";
  contact
    "WG Web:   <https://datatracker.ietf.org/wg/dots/>
     WG List:  <mailto:dots@ietf.org>

     Author:

     Editor:   Mohamed Boucadair
               <mailto:mohamed.boucadair@orange.com>

     Author:   Jon Shallow
               <mailto:supjps-ietf@jpshallow.com>";
  description
    "This module contains YANG definitions for the sharing
     of DDoS attack mapping details between a DOTS client and
     a DOTS server, server by means of the DOTS data channel.

     Copyright (c) 2022 IETF Trust and the persons identified as
     authors of the code.  All rights reserved.

     Redistribution and use in source and binary forms, with or
     without modification, is permitted pursuant to, and subject to
     the license terms contained in, the Revised BSD License set
     forth in Section 4.c of the IETF Trust's Legal Provisions
     Relating to IETF Documents
     (https://trustee.ietf.org/license-info).

     This version of this YANG module is part of RFC XXXX; 9244; see the
     RFC itself for full legal notices.";

  revision 2022-02-04 2022-05-18 {
    description
      "Initial revision.";
    reference
      "RFC XXXX: 9244: Distributed Denial-of-Service Open Threat
                 Signaling (DOTS) Telemetry";
  }

  feature dots-telemetry {
    description
      "This feature indicates that DOTS telemetry data can be
       shared between DOTS clients and servers.";
  }

  grouping attack-mapping {
    description
      "A set of information used for sharing vendor attack mapping
       information with a peer.";
    list vendor {
      key "vendor-id";
      description
        "Vendor attack mapping information of related to the client/server";
         client/server.";
      leaf vendor-id {
        type uint32;
        description
          "Vendor
          "The Vendor ID is a security vendor's Private Enterprise
           Number as registered with IANA.";
        reference
          "IANA: Private Enterprise Numbers"; Numbers
           (https://www.iana.org/assignments/enterprise-numbers/)";
      }
      leaf vendor-name {
        type string;
        description
          "The name of the vendor (e.g., company A).";
      }
      leaf description-lang {
        type string {
          pattern '(([A-Za-z]{2,3}(-[A-Za-z]{3}(-[A-Za-z]{3})'
                + '{0,2})?|[A-Za-z]{4}|[A-Za-z]{5,8})(-[A-Za-z]{4})?'
                + '(-([A-Za-z]{2}|[0-9]{3}))?(-([A-Za-z0-9]{5,8}'
                + '|([0-9][A-Za-z0-9]{3})))*(-[0-9A-WY-Za-wy-z]'
                + '(-([A-Za-z0-9]{2,8}))+)*(-[Xx](-([A-Za-z0-9]'
                + '{1,8}))+)?|[Xx](-([A-Za-z0-9]{1,8}))+|'
                + '(([Ee][Nn]-[Gg][Bb]-[Oo][Ee][Dd]|[Ii]-'
                + '[Aa][Mm][Ii]|[Ii]-[Bb][Nn][Nn]|[Ii]-'
                + '[Dd][Ee][Ff][Aa][Uu][Ll][Tt]|[Ii]-'
                + '[Ee][Nn][Oo][Cc][Hh][Ii][Aa][Nn]'
                + '|[Ii]-[Hh][Aa][Kk]|'
                + '[Ii]-[Kk][Ll][Ii][Nn][Gg][Oo][Nn]|'
                + '[Ii]-[Ll][Uu][Xx]|[Ii]-[Mm][Ii][Nn][Gg][Oo]|'
                + '[Ii]-[Nn][Aa][Vv][Aa][Jj][Oo]|[Ii]-[Pp][Ww][Nn]|'
                + '[Ii]-[Tt][Aa][Oo]|[Ii]-[Tt][Aa][Yy]|'
                + '[Ii]-[Tt][Ss][Uu]|[Ss][Gg][Nn]-[Bb][Ee]-[Ff][Rr]|'
                + '[Ss][Gg][Nn]-[Bb][Ee]-[Nn][Ll]|[Ss][Gg][Nn]-'
                + '[Cc][Hh]-[Dd][Ee])|([Aa][Rr][Tt]-'
                + '[Ll][Oo][Jj][Bb][Aa][Nn]|[Cc][Ee][Ll]-'
                + '[Gg][Aa][Uu][Ll][Ii][Ss][Hh]|'
                + '[Nn][Oo]-[Bb][Oo][Kk]|[Nn][Oo]-'
                + '[Nn][Yy][Nn]|[Zz][Hh]-[Gg][Uu][Oo][Yy][Uu]|'
                + '[Zz][Hh]-[Hh][Aa][Kk][Kk][Aa]|[Zz][Hh]-'
                + '[Mm][Ii][Nn]|[Zz][Hh]-[Mm][Ii][Nn]-'
                + '[Nn][Aa][Nn]|[Zz][Hh]-[Xx][Ii][Aa][Nn][Gg])))';
          }
        default "en-US";
        description
          "Indicates the language tag that is used for
           'attack-description'.";
        reference
          "RFC 5646: Tags for Identifying Languages, Section 2.1";
      }
      leaf last-updated {
        type uint64;
        mandatory true;
        description
          "The time the mapping table was updated.  It is
           represented in seconds relative to
           1970-01-01T00:00:00Z.";
      }
      list attack-mapping {
        key "attack-id";
        description
          "Attack mapping details.";
        leaf attack-id {
          type uint32;
          description
            "Unique identifier assigned by the vendor for the
             attack.";
        }
        leaf attack-description {
          type string;
          mandatory true;
          description
            "Textual representation of the attack description.
             Natural Language Processing techniques (e.g.,
             word embedding) might provide some utility in
             mapping the attack description to an attack type.";
        }
      }
    }
  }

  augment "/data-channel:dots-data/data-channel:dots-client" {
    if-feature "dots-telemetry";
    description
      "Augments the data channel with a vendor attack
       mapping table of the DOTS client.";
    container vendor-mapping {
      description
        "Used by DOTS clients to share their vendor
         attack mapping information with DOTS servers.";
      uses attack-mapping;
    }
  }

  augment "/data-channel:dots-data/data-channel:capabilities" {
    if-feature "dots-telemetry";
    description
      "Augments the DOTS server capabilities with a
       parameter to indicate whether they can share
       attack mapping details.";
    leaf vendor-mapping-enabled {
      type boolean;
      config false;
      description
        "Indicates that the DOTS server supports sharing
         attack vendor mapping details with DOTS clients.";
    }
  }

  augment "/data-channel:dots-data" {
    if-feature "dots-telemetry";
    description
      "Augments the data channel with a vendor attack
       mapping table of the DOTS server.";
    container vendor-mapping {
      config false;
      description
        "Includes the list of vendor attack mapping details
         that will be shared upon request with DOTS clients."; clients upon request.";
      uses attack-mapping;
    }
  }
}
<CODE ENDS>
]]></artwork>
          </figure></t>
]]></sourcecode>
      </section>
    </section>
    <section anchor="map1" title="YANG/JSON numbered="true" toc="default">
      <name>YANG/JSON Mapping Parameters to CBOR"> CBOR</name>
      <t>All DOTS telemetry parameters in the payload of the DOTS signal
      channel MUST <bcp14>MUST</bcp14> be mapped to CBOR types as shown in <xref target="tab-3"/>:</t>
        <t indent="3">
          Note: Implementers must check that the mapping output provided by
          their YANG-to-CBOR encoding schemes is aligned with the contents of
          <xref target="tab-2"/>.

<!-- [rfced] Section 12:  We could not see how Table 3:</t>

      <t><list style="symbols">
          <t>Note: 2 relates to
CBOR.  Please confirm that this citation is correct and will be
clear to readers.

Original:
   *  Note: Implementers must check that the mapping output provided by
      their YANG-to-CBOR encoding schemes is aligned with the content of
      Table 2.</t>
        </list></t>

      <t><figure align="center">
          <artwork align="center"><![CDATA[+----------------------+-------------+------+---------------+--------+
| Parameter Name       | YANG        | CBOR | CBOR 2. -->

        </t>
<table anchor="tab-3">
  <name>YANG/JSON Mapping Parameters to CBOR</name>
  <thead>
    <tr>
      <th>Parameter Name</th>
      <th>YANG Type</th>
      <th>CBOR Key</th>
      <th>CBOR Major    | JSON   |
|                      | Type        | Key  |    Type &     | Type   |
|                      |             |      | Information   |        |
+======================+=============+======+===============+========+
| tsid                 | uint32      |TBA1  | 0 unsigned    | Number |
| telemetry            | list        |TBA2  | 4 array       | Array  |
| low-percentile       | decimal64   |TBA3  | 6 &amp; Information</th>
      <th>JSON Type</th>
    </tr>
  </thead>
  <tbody>
    <tr>
      <td>tsid</td>
      <td>uint32</td>
      <td>128</td>
      <td>0 unsigned</td>
      <td>Number</td>
    </tr>
    <tr>
      <td>telemetry</td>
      <td>list</td>
      <td>129</td>
      <td>4 array</td>
      <td>Array</td>
    </tr>
    <tr>
      <td>low-percentile</td>
      <td>decimal64</td>
      <td>130</td>
      <td>6 tag 4       |        |
|                      |             |      | [-2, integer]| String |
| mid-percentile       | decimal64   |TBA4  | 6 integer]</td>
      <td>String</td>
    </tr>
    <tr>
      <td>mid-percentile</td>
      <td>decimal64</td>
      <td>131</td>
      <td>6 tag 4       |        |
|                      |             |      | [-2, integer]| String |
| high-percentile      | decimal64   |TBA5  | 6 integer]</td>
      <td>String</td>
    </tr>
    <tr>
      <td>high-percentile</td>
      <td>decimal64</td>
      <td>132</td>
      <td>6 tag 4       |        |
|                      |             |      | [-2, integer]| String |
| unit-config          | list        |TBA6  | 4 array       | Array  |
| unit                 | enumeration |TBA7  | 0 unsigned    | String |
| unit-status          | boolean     |TBA8  | 7 integer]</td>
      <td>String</td>
    </tr>
    <tr>
      <td>unit-config</td>
      <td>list</td>
      <td>133</td>
      <td>4 array</td>
      <td>Array</td>
    </tr>
    <tr>
      <td>unit</td>
      <td>enumeration</td>
      <td>134</td>
      <td>0 unsigned</td>
      <td>String</td>
    </tr>
    <tr>
      <td rowspan="2">unit-status</td>
      <td rowspan="2">boolean</td>
      <td rowspan="2">135</td>
      <td>7 bits 20     | False  |
|                      |             |      | 7 20</td>
      <td>False</td>
    </tr>
    <tr>
      <td>7 bits 21     | True   |
| total-pipe-capacity  | list        |TBA9  | 4 array       | Array  |
| link-id              | string      |TBA10 | 3 21</td>
      <td>True</td>
    </tr>
    <tr>
      <td>total-pipe-capacity</td>
      <td>list</td>
      <td>136</td>
      <td>4 array</td>
      <td>Array</td>
    </tr>
    <tr>
      <td>link-id</td>
      <td>string</td>
      <td>137</td>
      <td>3 text string | String |
| pre-or-ongoing-      | list        |TBA11 | 4 array       | Array  |
|      mitigation      |             |      |               |        |
| total-traffic-normal | list        |TBA12 | 4 array       | Array  |
| low-percentile-g     | yang:gauge64|TBA13 | 0 unsigned    | String |
| mid-percentile-g     | yang:gauge64|TBA14 | 0 unsigned    | String |
| high-percentile-g    | yang:gauge64|TBA15 | 0 unsigned    | String |
| peak-g               | yang:gauge64|TBA16 | 0 unsigned    | String |
| total-attack-traffic | list        |TBA17 | 4 array       | Array  |
| total-traffic        | list        |TBA18 | 4 array       | Array  |
| total-connection-    |             |      |               |        |
|        capacity      | list        |TBA19 | 4 array       | Array  |
| connection           | uint64      |TBA20 | 0 unsigned    | String |
| connection-client    | uint64      |TBA21 | 0 unsigned    | String |
| embryonic            | uint64      |TBA22 | 0 unsigned    | String |
| embryonic-client     | uint64      |TBA23 | 0 unsigned    | String |
| connection-ps        | uint64      |TBA24 | 0 unsigned    | String |
| connection-client-ps | uint64      |TBA25 | 0 unsigned    | String |
| request-ps           | uint64      |TBA26 | 0 unsigned    | String |
| request-client-ps    | uint64      |TBA27 | 0 unsigned    | String |
| partial-request-max  | uint64      |TBA28 | 0 unsigned    | String |
| partial-request-     |             |      |               |        |
|        client-max    | uint64      |TBA29 | 0 unsigned    | String |
| total-attack-        |             |      |               |        |
|        connection    | container   |TBA30 | 5 map         | Object |
| connection-c         | container   |TBA31 | 5 map         | Object |
| embryonic-c          | container   |TBA32 | 5 map         | Object |
| connection-ps-c      | container   |TBA33 | 5 map         | Object |
| request-ps-c         | container   |TBA34 | 5 map         | Object |
| attack-detail        | list        |TBA35 | 4 array       | Array  |
| id                   | uint32      |TBA36 | 0 unsigned    | Number |
| attack-id            | uint32      |TBA37 | 0 unsigned    | Number |
| attack-description   | string      |TBA38 | 3 string</td>
      <td>String</td>
    </tr>
    <tr>
      <td>pre-or-ongoing-mitigation</td>
      <td>list</td>
      <td>138</td>
      <td>4 array</td>
      <td>Array</td>
    </tr>
    <tr>
      <td>total-traffic-normal</td>
      <td>list</td>
      <td>139</td>
      <td>4 array</td>
      <td>Array</td>
    </tr>
    <tr>
      <td>low-percentile-g</td>
      <td>yang:gauge64</td>
      <td>140</td>
      <td>0 unsigned</td>
      <td>String</td>
    </tr>
    <tr>
      <td>mid-percentile-g</td>
      <td>yang:gauge64</td>
      <td>141</td>
      <td>0 unsigned</td>
      <td>String</td>
    </tr>
    <tr>
      <td>high-percentile-g</td>
      <td>yang:gauge64</td>
      <td>142</td>
      <td>0 unsigned</td>
      <td>String</td>
    </tr>
    <tr>
      <td>peak-g</td>
      <td>yang:gauge64</td>
      <td>143</td>
      <td>0 unsigned</td>
      <td>String</td>
    </tr>
    <tr>
      <td>total-attack-traffic</td>
      <td>list</td>
      <td>144</td>
      <td>4 array</td>
      <td>Array</td>
    </tr>
    <tr>
      <td>total-traffic</td>
      <td>list</td>
      <td>145</td>
      <td>4 array</td>
      <td>Array</td>
    </tr>
    <tr>
      <td>total-connection-capacity</td>
      <td>list</td>
      <td>146</td>
      <td>4 array</td>
      <td>Array</td>
    </tr>
    <tr>
      <td>connection</td>
      <td>uint64</td>
      <td>147</td>
      <td>0 unsigned</td>
      <td>String</td>
    </tr>
    <tr>
      <td>connection-client</td>
      <td>uint64</td>
      <td>148</td>
      <td>0 unsigned</td>
      <td>String</td>
    </tr>
    <tr>
      <td>embryonic</td>
      <td>uint64</td>
      <td>149</td>
      <td>0 unsigned</td>
      <td>String</td>
    </tr>
    <tr>
      <td>embryonic-client</td>
      <td>uint64</td>
      <td>150</td>
      <td>0 unsigned</td>
      <td>String</td>
    </tr>
    <tr>
      <td>connection-ps</td>
      <td>uint64</td>
      <td>151</td>
      <td>0 unsigned</td>
      <td>String</td>
    </tr>
    <tr>
      <td>connection-client-ps</td>
      <td>uint64</td>
      <td>152</td>
      <td>0 unsigned</td>
      <td>String</td>
    </tr>
    <tr>
      <td>request-ps</td>
      <td>uint64</td>
      <td>153</td>
      <td>0 unsigned</td>
      <td>String</td>
    </tr>
    <tr>
      <td>request-client-ps</td>
      <td>uint64</td>
      <td>154</td>
      <td>0 unsigned</td>
      <td>String</td>
    </tr>
    <tr>
      <td>partial-request-max</td>
      <td>uint64</td>
      <td>155</td>
      <td>0 unsigned</td>
      <td>String</td>
    </tr>
    <tr>
      <td>partial-request-client-max</td>
      <td>uint64</td>
      <td>156</td>
      <td>0 unsigned</td>
      <td>String</td>
    </tr>
    <tr>
      <td>total-attack-connection</td>
      <td>container</td>
      <td>157</td>
      <td>5 map</td>
      <td>Object</td>
    </tr>
    <tr>
      <td>connection-c</td>
      <td>container</td>
      <td>158</td>
      <td>5 map</td>
      <td>Object</td>
    </tr>
    <tr>
      <td>embryonic-c</td>
      <td>container</td>
      <td>159</td>
      <td>5 map</td>
      <td>Object</td>
    </tr>
    <tr>
      <td>connection-ps-c</td>
      <td>container</td>
      <td>160</td>
      <td>5 map</td>
      <td>Object</td>
    </tr>
    <tr>
      <td>request-ps-c</td>
      <td>container</td>
      <td>161</td>
      <td>5 map</td>
      <td>Object</td>
    </tr>
    <tr>
      <td>attack-detail</td>
      <td>list</td>
      <td>162</td>
      <td>4 array</td>
      <td>Array</td>
    </tr>
    <tr>
      <td>id</td>
      <td>uint32</td>
      <td>163</td>
      <td>0 unsigned</td>
      <td>Number</td>
    </tr>
    <tr>
      <td>attack-id</td>
      <td>uint32</td>
      <td>164</td>
      <td>0 unsigned</td>
      <td>Number</td>
    </tr>
    <tr>
      <td>attack-description</td>
      <td>string</td>
      <td>165</td>
      <td>3 text string | String |
| attack-severity      | enumeration |TBA39 | 0 unsigned    | String |
| start-time           | uint64      |TBA40 | 0 unsigned    | String |
| end-time             | uint64      |TBA41 | 0 unsigned    | String |
| source-count         | container   |TBA42 | 5 map         | Object |
| top-talker           | container   |TBA43 | 5 map         | Object |
| spoofed-status       | boolean     |TBA44 | 7 string</td>
      <td>String</td>
    </tr>
    <tr>
      <td>attack-severity</td>
      <td>enumeration</td>
      <td>166</td>
      <td>0 unsigned</td>
      <td>String</td>
    </tr>
    <tr>
      <td>start-time</td>
      <td>uint64</td>
      <td>167</td>
      <td>0 unsigned</td>
      <td>String</td>
    </tr>
    <tr>
      <td>end-time</td>
      <td>uint64</td>
      <td>168</td>
      <td>0 unsigned</td>
      <td>String</td>
    </tr>
    <tr>
      <td>source-count</td>
      <td>container</td>
      <td>169</td>
      <td>5 map</td>
      <td>Object</td>
    </tr>
    <tr>
      <td>top-talker</td>
      <td>container</td>
      <td>170</td>
      <td>5 map</td>
      <td>Object</td>
    </tr>
    <tr>
      <td rowspan="2">spoofed-status</td>
      <td rowspan="2">boolean</td>
      <td rowspan="2">171</td>
      <td>7 bits 20     | False  |
|                      |             |      | 7 20</td>
      <td>False</td>
    </tr>
    <tr>
      <td>7 bits 21     | True   |
| partial-request-c    | container   |TBA45 | 5 map         | Object |
| total-attack-        |             |      |               |        |
|  connection-protocol | list        |TBA46 | 4 array       | Array  |
| baseline             | list        |TBA49 | 4 array       | Array  |
| current-config       | container   |TBA50 | 5 map         | Object |
| max-config-values    | container   |TBA51 | 5 map         | Object |
| min-config-values    | container   |TBA52 | 5 map         | Object |
|supported-unit-classes| container   |TBA53 | 5 map         | Object |
| server-originated-   | boolean     |TBA54 | 7 21</td>
      <td>True</td>
    </tr>
    <tr>
      <td>partial-request-c</td>
      <td>container</td>
      <td>172</td>
      <td>5 map</td>
      <td>Object</td>
    </tr>
    <tr>
      <td>total-attack-connection-protocol</td>
      <td>list</td>
      <td>173</td>
      <td>4 array</td>
      <td>Array</td>
    </tr>
    <tr>
      <td>baseline</td>
      <td>list</td>
      <td>174</td>
      <td>4 array</td>
      <td>Array</td>
    </tr>
    <tr>
      <td>current-config</td>
      <td>container</td>
      <td>175</td>
      <td>5 map</td>
      <td>Object</td>
    </tr>
    <tr>
      <td>max-config-values</td>
      <td>container</td>
      <td>176</td>
      <td>5 map</td>
      <td>Object</td>
    </tr>
    <tr>
      <td>min-config-values</td>
      <td>container</td>
      <td>177</td>
      <td>5 map</td>
      <td>Object</td>
    </tr>
    <tr>
      <td>supported-unit-classes</td>
      <td>container</td>
      <td>178</td>
      <td>5 map</td>
      <td>Object</td>
    </tr>
    <tr>
      <td rowspan="2">server-originated-telemetry</td>
      <td rowspan="2">boolean</td>
      <td rowspan="2">179</td>
      <td>7 bits 20     | False  |
|          telemetry   |             |      | 7 20</td>
      <td>False</td>
    </tr>
    <tr>
      <td>7 bits 21     | True   |
| telemetry-notify-    | uint16      |TBA55 | 0 unsigned    | Number |
|           interval   |             |      |               |        |
| tmid                 | uint32      |TBA56 | 0 unsigned    | Number |
| measurement-interval | enumeration |TBA57 | 0 unsigned    | String |
| measurement-sample   | enumeration |TBA58 | 0 unsigned    | String |
| talker               | list        |TBA59 | 4 array       | Array  | 21</td>
      <td>True</td>
    </tr>
    <tr>
      <td>telemetry-notify-interval</td>
      <td>uint16</td>
      <td>180</td>
      <td>0 unsigned</td>
      <td>Number</td>
    </tr>
    <tr>
      <td>tmid</td>
      <td>uint32</td>
      <td>181</td>
      <td>0 unsigned</td>
      <td>Number</td>
    </tr>
    <tr>
      <td>measurement-interval</td>
      <td>enumeration</td>
      <td>182</td>
      <td>0 unsigned</td>
      <td>String</td>
    </tr>
    <tr>
      <td>measurement-sample</td>
      <td>enumeration</td>
      <td>183</td>
      <td>0 unsigned</td>
      <td>String</td>
    </tr>
    <tr>
      <td>talker</td>
      <td>list</td>
      <td>184</td>
      <td>4 array</td>
      <td>Array</td>
    </tr>
    <tr>
      <td>source-prefix</td>
      <td>inet: ip-prefix</td>
      <td>185</td>
      <td>3 text string</td>
      <td>String</td>
    </tr>
    <tr>
      <td rowspan="2">mid-list</td>
      <td>leaf-list</td>
      <td>186</td>
      <td>4 array</td>
      <td>Array</td>
    </tr>
    <tr>
      <td>uint32</td>
      <td></td>
      <td>0 unsigned</td>
      <td>Number</td>
    </tr>
    <tr>
      <td>source-port-range</td>
      <td>list</td>
      <td>187</td>
      <td>4 array</td>
      <td>Array</td>
    </tr>
    <tr>
      <td>source-icmp-type-range</td>
      <td>list</td>
      <td>188</td>
      <td>4 array</td>
      <td>Array</td>
    </tr>
    <tr>
      <td>target</td>
      <td>container</td>
      <td>189</td>
      <td>5 map</td>
      <td>Object</td>
    </tr>
    <tr>
      <td>capacity</td>
      <td>uint64</td>
      <td>190</td>
      <td>0 unsigned</td>
      <td>String</td>
    </tr>
    <tr>
      <td>protocol</td>
      <td>uint8</td>
      <td>191</td>
      <td>0 unsigned</td>
      <td>Number</td>
    </tr>
    <tr>
      <td>total-traffic-normal-per-protocol</td>
      <td>list</td>
      <td>192</td>
      <td>4 array</td>
      <td>Array</td>
    </tr>
    <tr>
      <td>total-traffic-normal-per-port</td>
      <td>list</td>
      <td>193</td>
      <td>4 array</td>
      <td>Array</td>
    </tr>
    <tr>
      <td>total-connection-capacity-per-port</td>
      <td>list</td>
      <td>194</td>
      <td>4 array</td>
      <td>Array</td>
    </tr>
    <tr>
      <td>total-traffic-protocol</td>
      <td>list</td>
      <td>195</td>
      <td>4 array</td>
      <td>Array</td>
    </tr>
    <tr>
      <td>total-traffic-port</td>
      <td>list</td>
      <td>196</td>
      <td>4 array</td>
      <td>Array</td>
    </tr>
    <tr>
      <td>total-attack-traffic-protocol</td>
      <td>list</td>
      <td>197</td>
      <td>4 array</td>
      <td>Array</td>
    </tr>
    <tr>
      <td>total-attack-traffic-port</td>
      <td>list</td>
      <td>198</td>
      <td>4 array</td>
      <td>Array</td>
    </tr>
    <tr>
      <td>total-attack-connection-port</td>
      <td>list</td>
      <td>199</td>
      <td>4 array</td>
      <td>Array</td>
    </tr>
    <tr>
      <td>port</td>
      <td>inet: port-number</td>
      <td>200</td>
      <td>0 unsigned</td>
      <td>Number</td>
    </tr>
    <tr>
      <td rowspan="2">supported-query-type</td>
      <td>leaf-list</td>
      <td>201</td>
      <td>4 array</td>
      <td>Array</td>
    </tr>
    <tr>
      <td></td>
      <td></td>
      <td>0 unsigned</td>
      <td>String</td>
    </tr>
    <tr>
      <td>vendor-id</td>
      <td>uint32</td>
      <td>202</td>
      <td>0 unsigned</td>
      <td>Number</td>
    </tr>
    <tr>
      <td>ietf-dots-telemetry: telemetry-setup</td>
      <td>container</td>
      <td>203</td>
      <td>5 map</td>
      <td>Object</td>
    </tr>
    <tr>
      <td>ietf-dots-telemetry: total-traffic</td>
      <td>list</td>
      <td>204</td>
      <td>4 array</td>
      <td>Array</td>
    </tr>
    <tr>
      <td>ietf-dots-telemetry: total-attack-traffic</td>
      <td>list</td>
      <td>205</td>
      <td>4 array</td>
      <td>Array</td>
    </tr>
    <tr>
      <td>ietf-dots-telemetry: total-attack-connection</td>
      <td>container</td>
      <td>206</td>
      <td>5 map</td>
      <td>Object</td>
    </tr>
    <tr>
      <td>ietf-dots-telemetry: attack-detail</td>
      <td>list</td>
      <td>207</td>
      <td>4 array</td>
      <td>Array</td>
    </tr>
    <tr>
      <td>ietf-dots-telemetry: telemetry</td>
      <td>container</td>
      <td>208</td>
      <td>5 map</td>
      <td>Object</td>
    </tr>
    <tr>
      <td>current-g</td>
      <td>yang:gauge64</td>
      <td>209</td>
      <td>0 unsigned</td>
      <td>String</td>
    </tr>
    <tr>
      <td>description-lang</td>
      <td>string</td>
      <td>210</td>
      <td>3 text string</td>
      <td>String</td>
    </tr>
    <tr>
      <td>lower-type</td>
      <td>uint8</td>
      <td>32771</td>
      <td>0 unsigned</td>
      <td>Number</td>
    </tr>
    <tr>
      <td>upper-type</td>
      <td>uint8</td>
      <td>32772</td>
      <td>0 unsigned</td>
      <td>Number</td>
    </tr>
  </tbody>
</table>

<!-- [rfced] Table 3:  We see "inet: ip-prefix" and
"inet: port-number" in this table but "inet:ip-prefix" and
"inet:port-number" used elsewhere.  Should the spaces be removed?

This question also applies to the spaces after "ietf-dots-telemetry:"
in the updated (xml2rfcv3) Tables 3 and 4; should the spaces be
removed per usage elsewhere (e.g.,
"ietf-dots-telemetry:telemetry-setup" as seen in several figures)
and to match the IANA registry?

Original (examples):
 | source-prefix     | inet:       |TBA60 ip-    | TBA60 | 3 text string      | String |
 |                   |   ip-prefix |      |               |        |
| mid-list prefix       | leaf-list   |TBA61       | 4 array string      | Array        |
...
 | port              | uint32 inet: port-  | TBA75 | 0 unsigned  | Number |
 | source-port-range    | list        |TBA62 | 4 array       | Array  |
| source-icmp-type-    | list        |TBA63 | 4 array       | Array  |
|    range             |             |      |               |                   | number       | target       | container   |TBA64             | 5 map        | Object

Currently (examples):
 | source-prefix     | capacity inet: ip-    | uint64      |TBA65 TBA60 | 0 unsigned 3 text      | String |
 | protocol             | uint8       |TBA66 | 0 unsigned    | Number |
| total-traffic-       |             |      |               |        |
|  normal-per-protocol | list        |TBA67 | 4 array       | Array  |
| total-traffic-       |             |      |               |        |
|  normal-per-port     | list        |TBA68 | 4 array       | Array  |
| total-connection-    |             |      |               |                   | prefix       |  capacity-per-port   | list        |TBA69 | 4 array       | Array  |
| total-traffic-       |             |      |               |        |
|   protocol           | list        |TBA70 | 4 array       | Array  |
| total-traffic-port   | list        |TBA71 | 4 array       | Array  |
| total-attack-        |             |      |               |        |
|  traffic-protocol    | list        |TBA72 | 4 array       | Array  |
| total-attack-        |             |      |               |        |
|  traffic-port        | list        |TBA73 | 4 array       | Array  |
| total-attack-        |             |      |               |        |
|  connection-port     | list        |TBA74       | 4 array string      | Array        |
...
 | port              | inet: port-  |      |               |        |
|                      |  port-number|TBA75 | 0 unsigned    | Number |
| supported-query-type | leaf-list   |TBA76 | 4 array       | Array  |
|                      |             |      | 0 unsigned    | String |
| vendor-id            | uint32      |TBA77 TBA75 | 0 unsigned  | Number |
 | ietf-dots-telemetry: |             |      |               |        |
|      telemetry-setup | container   |TBA78 | 5 map         | Object |
| ietf-dots-telemetry: |             |      |               |        |
|   total-traffic      | list        |TBA79 | 4 array       | Array  |
| ietf-dots-telemetry:                   | number       |       |             |        |
...
 | total-attack-traffic ietf-dots-        | list        |TBA80 | 4 array         | Array  |
| ietf-dots-telemetry: |             |      |               |        |
|    total-attack-     |             |      |               |        |
|        connection    | container   |TBA81 | 5 map         | Object |
| ietf-dots-telemetry: |             |      |               |        |
|    attack-detail     | list        |TBA82 TBA79 | 4 array     | Array  |
 | ietf-dots-telemetry: |             | telemetry: total- |              |       |             |         telemetry    | container   |TBA83        | 5 map         | Object |
| current-g            | yang:gauge64|TBA84 | 0 unsigned    | String
 |
| description-lang     | string      |TBA85 | 3 text string | String |
| lower-type           | uint8       |32771 | 0 unsigned    | Number traffic           |              | upper-type       | uint8       |32772             | 0 unsigned        | Number |
+----------------------+-------------+------+---------------+--------+

               Table 3: YANG/JSON Mapping Parameters to CBOR
]]></artwork>
        </figure></t> -->

    </section>
    <section anchor="IANA" title="IANA Considerations"> numbered="true" toc="default">
      <name>IANA Considerations</name>
      <section anchor="map" title="DOTS numbered="true" toc="default">
        <name>DOTS Signal Channel CBOR Key Values"> Values</name>
        <t>This specification registers the DOTS telemetry attributes following comprehension-optional parameters in the IANA "DOTS Signal Channel CBOR Key Values" registry <xref
        target="Key-Map"></xref>.</t>

        <t>The DOTS telemetry attributes defined in target="Key-Map" format="default"/>.</t>

<!-- [IANA FLAG]  Saving this specification are
        comprehension-optional parameters.</t>

        <t><list style="symbols">
            <t>Note IANA note for the reviewer.
     Note to the IANA: CBOR keys are assigned from the "128-255"
     range. This specification meets the requirements listed in Section
     3.1 <xref target="RFC9132"></xref> [of] [RFC9132] for assignments in the "128-255" range.</t>

            <t>Note to the RFC Editor: Please replace all occurrences of
            "TBA1-TBA84" with the assigned values.</t>
          </list><figure align="center">
            <artwork><![CDATA[   +----------------------+-------+-------+------------+---------------+
   | Parameter Name       | CBOR  | range. -->

<table anchor="tab-4">
  <name>Registered DOTS Signal Channel CBOR  | Change     | Specification |
   |                      | Key   | Values</name>
  <thead>
    <tr>
      <th>Parameter Name</th>
      <th>CBOR Key Value</th>
      <th>CBOR Major | Controller | Document(s)   |
   |                      | Value | Type  |            |               |
   +======================+=======+=======+============+===============+
   | tsid                 | TBA1  |   0   |    IESG    |   [RFCXXXX]   |
   | telemetry            | TBA2  |   4   |    IESG    |   [RFCXXXX]   |
   | low-percentile       | TBA3  | 6tag4 |    IESG    |   [RFCXXXX]   |
   | mid-percentile       | TBA4  | 6tag4 |    IESG    |   [RFCXXXX]   |
   | high-percentile      | TBA5  | 6tag4 |    IESG    |   [RFCXXXX]   |
   | unit-config          | TBA6  |   4   |    IESG    |   [RFCXXXX]   |
   | unit                 | TBA7  |   0   |    IESG    |   [RFCXXXX]   |
   | unit-status          | TBA8  |   7   |    IESG    |   [RFCXXXX]   |
   | total-pipe-capacity  | TBA9  |   4   |    IESG    |   [RFCXXXX]   |
   | link-id              | TBA10 |   3   |    IESG    |   [RFCXXXX]   |
   | pre-or-ongoing-      | TBA11 |   4   |    IESG    |   [RFCXXXX]   |
   |         mitigation   |       |       |            |               |
   | total-traffic-normal | TBA12 |   4   |    IESG    |   [RFCXXXX]   |
   | low-percentile-g     | TBA13 |   0   |    IESG    |   [RFCXXXX]   |
   | mid-percentile-g     | TBA14 |   0   |    IESG    |   [RFCXXXX]   |
   | high-percentile-g    | TBA15 |   0   |    IESG    |   [RFCXXXX]   |
   | peak-g               | TBA16 |   0   |    IESG    |   [RFCXXXX]   |
   | total-attack-traffic | TBA17 |   4   |    IESG    |   [RFCXXXX]   |
   | total-traffic        | TBA18 |   4   |    IESG    |   [RFCXXXX]   |
   | total-connection-    | TBA19 |   4   |    IESG    |   [RFCXXXX]   |
   |        capacity      |       |       |            |               |
   | connection           | TBA20 |   0   |    IESG    |   [RFCXXXX]   |
   | connection-client    | TBA21 |   0   |    IESG    |   [RFCXXXX]   |
   | embryonic            | TBA22 |   0   |    IESG    |   [RFCXXXX]   |
   | embryonic-client     | TBA23 |   0   |    IESG    |   [RFCXXXX]   |
   | connection-ps        | TBA24 |   0   |    IESG    |   [RFCXXXX]   |
   | connection-client-ps | TBA25 |   0   |    IESG    |   [RFCXXXX]   |
   | request-ps           | TBA26 |   0   |    IESG    |   [RFCXXXX]   |
   | request-client-ps    | TBA27 |   0   |    IESG    |   [RFCXXXX]   |
   | partial-request-max  | TBA28 |   0   |    IESG    |   [RFCXXXX]   |
   | partial-request-     | TBA29 |   0   |    IESG    |   [RFCXXXX]   |
   |        client-max    |       |       |            |               |
   | total-attack-        | TBA30 |   5   |    IESG    |   [RFCXXXX]   |
   |        connection    |       |       |            |               |
   | connection-c         | TBA31 |   5   |    IESG    |   [RFCXXXX]   |
   | embryonic-c          | TBA32 |   5   |    IESG    |   [RFCXXXX]   |
   | connection-ps-c      | TBA33 |   5   |    IESG    |   [RFCXXXX]   |
   | request-ps-c         | TBA34 |   5   |    IESG    |   [RFCXXXX]   |
   | attack-detail        | TBA35 |   4   |    IESG    |   [RFCXXXX]   |
   | id                   | TBA36 |   0   |    IESG    |   [RFCXXXX]   |
   | attack-id            | TBA37 |   0   |    IESG    |   [RFCXXXX]   |
   | attack-description   | TBA38 |   3   |    IESG    |   [RFCXXXX]   |
   | attack-severity      | TBA39 |   0   |    IESG    |   [RFCXXXX]   |
   | start-time           | TBA40 |   0   |    IESG    |   [RFCXXXX]   |
   | end-time             | TBA41 |   0   |    IESG    |   [RFCXXXX]   |
   | source-count         | TBA42 |   5   |    IESG    |   [RFCXXXX]   |
   | top-talker           | TBA43 |   5   |    IESG    |   [RFCXXXX]   |
   | spoofed-status       | TBA44 |   7   |    IESG    |   [RFCXXXX]   |
   | partial-request-c    | TBA45 |   5   |    IESG    |   [RFCXXXX]   |
   | total-attack-        | TBA46 |   4   |    IESG    |   [RFCXXXX]   |
   |  connection-protocol |       |       |            |               |
   | baseline             | TBA49 |   4   |    IESG    |   [RFCXXXX]   |
   | current-config       | TBA50 |   5   |    IESG    |   [RFCXXXX]   | Type</th>
      <th>Change Controller</th>
      <th>Reference</th>
    </tr>
  </thead>
  <tbody>
    <tr>
      <td>tsid</td>
      <td>128</td>
      <td>0</td>
      <td>IESG</td>
      <td>RFC 9244</td>
    </tr>
    <tr>
      <td>telemetry</td>
      <td>129</td>
      <td>4</td>
      <td>IESG</td>
      <td>RFC 9244</td>
    </tr>
    <tr>
      <td>low-percentile</td>
      <td>130</td>
      <td>6tag4</td>
      <td>IESG</td>
      <td>RFC 9244</td>
    </tr>
    <tr>
      <td>mid-percentile</td>
      <td>131</td>
      <td>6tag4</td>
      <td>IESG</td>
      <td>RFC 9244</td>
    </tr>
    <tr>
      <td>high-percentile</td>
      <td>132</td>
      <td>6tag4</td>
      <td>IESG</td>
      <td>RFC 9244</td>
    </tr>
    <tr>
      <td>unit-config</td>
      <td>133</td>
      <td>4</td>
      <td>IESG</td>
      <td>RFC 9244</td>
    </tr>
    <tr>
      <td>unit</td>
      <td>134</td>
      <td>0</td>
      <td>IESG</td>
      <td>RFC 9244</td>
    </tr>
    <tr>
      <td>unit-status</td>
      <td>135</td>
      <td>7</td>
      <td>IESG</td>
      <td>RFC 9244</td>
    </tr>
    <tr>
      <td>total-pipe-capacity</td>
      <td>136</td>
      <td>4</td>
      <td>IESG</td>
      <td>RFC 9244</td>
    </tr>
    <tr>
      <td>link-id</td>
      <td>137</td>
      <td>3</td>
      <td>IESG</td>
      <td>RFC 9244</td>
    </tr>
    <tr>
      <td>pre-or-ongoing-mitigation</td>
      <td>138</td>
      <td>4</td>
      <td>IESG</td>
      <td>RFC 9244</td>
    </tr>
    <tr>
      <td>total-traffic-normal</td>
      <td>139</td>
      <td>4</td>
      <td>IESG</td>
      <td>RFC 9244</td>
    </tr>
    <tr>
      <td>low-percentile-g</td>
      <td>140</td>
      <td>0</td>
      <td>IESG</td>
      <td>RFC 9244</td>
    </tr>
    <tr>
      <td>mid-percentile-g</td>
      <td>141</td>
      <td>0</td>
      <td>IESG</td>
      <td>RFC 9244</td>
    </tr>
    <tr>
      <td>high-percentile-g</td>
      <td>142</td>
      <td>0</td>
      <td>IESG</td>
      <td>RFC 9244</td>
    </tr>
    <tr>
      <td>peak-g</td>
      <td>143</td>
      <td>0</td>
      <td>IESG</td>
      <td>RFC 9244</td>
    </tr>
    <tr>
      <td>total-attack-traffic</td>
      <td>144</td>
      <td>4</td>
      <td>IESG</td>
      <td>RFC 9244</td>
    </tr>
    <tr>
      <td>total-traffic</td>
      <td>145</td>
      <td>4</td>
      <td>IESG</td>
      <td>RFC 9244</td>
    </tr>
    <tr>
      <td>total-connection-capacity</td>
      <td>146</td>
      <td>4</td>
      <td>IESG</td>
      <td>RFC 9244</td>
    </tr>
    <tr>
      <td>connection</td>
      <td>147</td>
      <td>0</td>
      <td>IESG</td>
      <td>RFC 9244</td>
    </tr>
    <tr>
      <td>connection-client</td>
      <td>148</td>
      <td>0</td>
      <td>IESG</td>
      <td>RFC 9244</td>
    </tr>
    <tr>
      <td>embryonic</td>
      <td>149</td>
      <td>0</td>
      <td>IESG</td>
      <td>RFC 9244</td>
    </tr>
    <tr>
      <td>embryonic-client</td>
      <td>150</td>
      <td>0</td>
      <td>IESG</td>
      <td>RFC 9244</td>
    </tr>
    <tr>
      <td>connection-ps</td>
      <td>151</td>
      <td>0</td>
      <td>IESG</td>
      <td>RFC 9244</td>
    </tr>
    <tr>
      <td>connection-client-ps</td>
      <td>152</td>
      <td>0</td>
      <td>IESG</td>
      <td>RFC 9244</td>
    </tr>
    <tr>
      <td>request-ps</td>
      <td>153</td>
      <td>0</td>
      <td>IESG</td>
      <td>RFC 9244</td>
    </tr>
    <tr>
      <td>request-client-ps</td>
      <td>154</td>
      <td>0</td>
      <td>IESG</td>
      <td>RFC 9244</td>
    </tr>
    <tr>
      <td>partial-request-max</td>
      <td>155</td>
      <td>0</td>
      <td>IESG</td>
      <td>RFC 9244</td>
    </tr>
    <tr>
      <td>partial-request-client-max</td>
      <td>156</td>
      <td>0</td>
      <td>IESG</td>
      <td>RFC 9244</td>
    </tr>
    <tr>
      <td>total-attack-connection</td>
      <td>157</td>
      <td>5</td>
      <td>IESG</td>
      <td>RFC 9244</td>
    </tr>
    <tr>
      <td>connection-c</td>
      <td>158</td>
      <td>5</td>
      <td>IESG</td>
      <td>RFC 9244</td>
    </tr>
    <tr>
      <td>embryonic-c</td>
      <td>159</td>
      <td>5</td>
      <td>IESG</td>
      <td>RFC 9244</td>
    </tr>
    <tr>
      <td>connection-ps-c</td>
      <td>160</td>
      <td>5</td>
      <td>IESG</td>
      <td>RFC 9244</td>
    </tr>
    <tr>
      <td>request-ps-c</td>
      <td>161</td>
      <td>5</td>
      <td>IESG</td>
      <td>RFC 9244</td>
    </tr>
    <tr>
      <td>attack-detail</td>
      <td>162</td>
      <td>4</td>
      <td>IESG</td>
      <td>RFC 9244</td>
    </tr>
    <tr>
      <td>id</td>
      <td>163</td>
      <td>0</td>
      <td>IESG</td>
      <td>RFC 9244</td>
    </tr>
    <tr>
      <td>attack-id</td>
      <td>164</td>
      <td>0</td>
      <td>IESG</td>
      <td>RFC 9244</td>
    </tr>
    <tr>
      <td>attack-description</td>
      <td>165</td>
      <td>3</td>
      <td>IESG</td>
      <td>RFC 9244</td>
    </tr>
    <tr>
      <td>attack-severity</td>
      <td>166</td>
      <td>0</td>
      <td>IESG</td>
      <td>RFC 9244</td>
    </tr>
    <tr>
      <td>start-time</td>
      <td>167</td>
      <td>0</td>
      <td>IESG</td>
      <td>RFC 9244</td>
    </tr>
    <tr>
      <td>end-time</td>
      <td>168</td>
      <td>0</td>
      <td>IESG</td>
      <td>RFC 9244</td>
    </tr>
    <tr>
      <td>source-count</td>
      <td>169</td>
      <td>5</td>
      <td>IESG</td>
      <td>RFC 9244</td>
    </tr>
    <tr>
      <td>top-talker</td>
      <td>170</td>
      <td>5</td>
      <td>IESG</td>
      <td>RFC 9244</td>
    </tr>
    <tr>
      <td>spoofed-status</td>
      <td>171</td>
      <td>7</td>
      <td>IESG</td>
      <td>RFC 9244</td>
    </tr>
    <tr>
      <td>partial-request-c</td>
      <td>172</td>
      <td>5</td>
      <td>IESG</td>
      <td>RFC 9244</td>
    </tr>
    <tr>
      <td>total-attack-connection-protocol</td>
      <td>173</td>
      <td>4</td>
      <td>IESG</td>
      <td>RFC 9244</td>
    </tr>
    <tr>
      <td>baseline</td>
      <td>174</td>
      <td>4</td>
      <td>IESG</td>
      <td>RFC 9244</td>
    </tr>
    <tr>
      <td>current-config</td>
      <td>175</td>
      <td>5</td>
      <td>IESG</td>
      <td>RFC 9244</td>
    </tr>
    <tr>
      <td>max-config-values</td>
      <td>176</td>
      <td>5</td>
      <td>IESG</td>
      <td>RFC 9244</td>
    </tr>
    <tr>
      <td>min-config-values</td>
      <td>177</td>
      <td>5</td>
      <td>IESG</td>
      <td>RFC 9244</td>
    </tr>
    <tr>
      <td>supported-unit-classes</td>
      <td>178</td>
      <td>5</td>
      <td>IESG</td>
      <td>RFC 9244</td>
    </tr>
    <tr>
      <td>server-originated-telemetry</td>
      <td>179</td>
      <td>7</td>
      <td>IESG</td>
      <td>RFC 9244</td>
    </tr>
    <tr>
      <td>telemetry-notify-interval</td>
      <td>180</td>
      <td>0</td>
      <td>IESG</td>
      <td>RFC 9244</td>
    </tr>
    <tr>
      <td>tmid</td>
      <td>181</td>
      <td>0</td>
      <td>IESG</td>
      <td>RFC 9244</td>
    </tr>
    <tr>
      <td>measurement-interval</td>
      <td>182</td>
      <td>0</td>
      <td>IESG</td>
      <td>RFC 9244</td>
    </tr>
    <tr>
      <td>measurement-sample</td>
      <td>183</td>
      <td>0</td>
      <td>IESG</td>
      <td>RFC 9244</td>
    </tr>
    <tr>
      <td>talker</td>
      <td>184</td>
      <td>4</td>
      <td>IESG</td>
      <td>RFC 9244</td>
    </tr>
    <tr>
      <td>source-prefix</td>
      <td>185</td>
      <td>3</td>
      <td>IESG</td>
      <td>RFC 9244</td>
    </tr>
    <tr>
      <td>mid-list</td>
      <td>186</td>
      <td>4</td>
      <td>IESG</td>
      <td>RFC 9244</td>
    </tr>
    <tr>
      <td>source-port-range</td>
      <td>187</td>
      <td>4</td>
      <td>IESG</td>
      <td>RFC 9244</td>
    </tr>
    <tr>
      <td>source-icmp-type-range</td>
      <td>188</td>
      <td>4</td>
      <td>IESG</td>
      <td>RFC 9244</td>
    </tr>
    <tr>
      <td>target</td>
      <td>189</td>
      <td>5</td>
      <td>IESG</td>
      <td>RFC 9244</td>
    </tr>
    <tr>
      <td>capacity</td>
      <td>190</td>
      <td>0</td>
      <td>IESG</td>
      <td>RFC 9244</td>
    </tr>
    <tr>
      <td>protocol</td>
      <td>191</td>
      <td>0</td>
      <td>IESG</td>
      <td>RFC 9244</td>
    </tr>
    <tr>
      <td>total-traffic-normal-per-protocol</td>
      <td>192</td>
      <td>4</td>
      <td>IESG</td>
      <td>RFC 9244</td>
    </tr>
    <tr>
      <td>total-traffic-normal-per-port</td>
      <td>193</td>
      <td>4</td>
      <td>IESG</td>
      <td>RFC 9244</td>
    </tr>
    <tr>
      <td>total-connection-capacity-per-port</td>
      <td>194</td>
      <td>4</td>
      <td>IESG</td>
      <td>RFC 9244</td>
    </tr>
    <tr>
      <td>total-traffic-protocol</td>
      <td>195</td>
      <td>4</td>
      <td>IESG</td>
      <td>RFC 9244</td>
    </tr>
    <tr>
      <td>total-traffic-port</td>
      <td>196</td>
      <td>4</td>
      <td>IESG</td>
      <td>RFC 9244</td>
    </tr>
    <tr>
      <td>total-attack-traffic-protocol</td>
      <td>197</td>
      <td>4</td>
      <td>IESG</td>
      <td>RFC 9244</td>
    </tr>
    <tr>
      <td>total-attack-traffic-port</td>
      <td>198</td>
      <td>4</td>
      <td>IESG</td>
      <td>RFC 9244</td>
    </tr>
    <tr>
      <td>total-attack-connection-port</td>
      <td>199</td>
      <td>4</td>
      <td>IESG</td>
      <td>RFC 9244</td>
    </tr>
    <tr>
      <td>port</td>
      <td>200</td>
      <td>0</td>
      <td>IESG</td>
      <td>RFC 9244</td>
    </tr>
    <tr>
      <td>supported-query-type</td>
      <td>201</td>
      <td>4</td>
      <td>IESG</td>
      <td>RFC 9244</td>
    </tr>
    <tr>
      <td>vendor-id</td>
      <td>202</td>
      <td>0</td>
      <td>IESG</td>
      <td>RFC 9244</td>
    </tr>
    <tr>
      <td>ietf-dots-telemetry: telemetry-setup</td>
      <td>203</td>
      <td>5</td>
      <td>IESG</td>
      <td>RFC 9244</td>
    </tr>
    <tr>
      <td>ietf-dots-telemetry: total-traffic</td>
      <td>204</td>
      <td>4</td>
      <td>IESG</td>
      <td>RFC 9244</td>
    </tr>
    <tr>
      <td>ietf-dots-telemetry: total-attack-traffic</td>
      <td>205</td>
      <td>4</td>
      <td>IESG</td>
      <td>RFC 9244</td>
    </tr>
    <tr>
      <td>ietf-dots-telemetry: total-attack-connection</td>
      <td>206</td>
      <td>5</td>
      <td>IESG</td>
      <td>RFC 9244</td>
    </tr>
    <tr>
      <td>ietf-dots-telemetry: attack-detail</td>
      <td>207</td>
      <td>4</td>
      <td>IESG</td>
      <td>RFC 9244</td>
    </tr>
    <tr>
      <td>ietf-dots-telemetry: telemetry</td>
      <td>208</td>
      <td>5</td>
      <td>IESG</td>
      <td>RFC 9244</td>
    </tr>
    <tr>
      <td>current-g</td>
      <td>209</td>
      <td>0</td>
      <td>IESG</td>
      <td>RFC 9244</td>
    </tr>
    <tr>
      <td>description-lang</td>
      <td>210</td>
      <td>3</td>
      <td>IESG</td>
      <td>RFC 9244</td>
    </tr>
  </tbody>
</table>

<!-- [rfced] Table 4:  Because we see the plural "max-config-values"
used elsewhere and we don't see the singular "min-config-value", we
added the "s" here.  Please let us know if this is incorrect.

If we confirm from you that the plural form is correct, we will ask
IANA to update the corresponding entry on
<https://www.iana.org/assignments/dots/> accordingly.

Original:
   | max-config-value  | TBA51   |   5   | IESG   | [RFCXXXX]  |

Currently:
   | min-config-values    | TBA52 |   5   |    IESG    |   [RFCXXXX]   |
   |supported-unit-classes| TBA53 |   5   |    IESG    |   [RFCXXXX]   |
   | server-originated-   | TBA54 |   7   |    IESG    |   [RFCXXXX]   |
   |          telemetry   |       |       |            |               |
   | telemetry-notify-    | TBA55 |   0   |    IESG    |   [RFCXXXX]   |
   |           interval   |       |       |            |               |
   | tmid                 | TBA56 |   0   |    IESG    |   [RFCXXXX]   |
   | measurement-interval | TBA57 |   0   |    IESG    |   [RFCXXXX]   |
   | measurement-sample   | TBA58 |   0   |    IESG    |   [RFCXXXX]   |
   | talker               | TBA59 |   4   |    IESG    |   [RFCXXXX]   |
   | source-prefix        | TBA60 |   3   |    IESG    |   [RFCXXXX]   |
   | mid-list             | TBA61 |   4   |    IESG    |   [RFCXXXX]   |
   | source-port-range    | TBA62 |   4   |    IESG    |   [RFCXXXX]   |
   | source-icmp-type-    | TBA63 |   4   |    IESG    |   [RFCXXXX]   |
   |           range      |       |       |            |               |
   | target               | TBA64 |   5   |    IESG    |   [RFCXXXX]   |
   | capacity             | TBA65 |   0   |    IESG    |   [RFCXXXX]   |
   | protocol             | TBA66 |   0   |    IESG    |   [RFCXXXX]   |
   | total-traffic-       | TBA67 |   4   |    IESG    |   [RFCXXXX]   |
   |  normal-per-protocol |       |       |            |               |
   | total-traffic-       | TBA68 |   4   |    IESG    |   [RFCXXXX]   |
   |  normal-per-port     |       |       |            |               |
   | total-connection-    | TBA69 |   4   |    IESG    |   [RFCXXXX]   |
   |  capacity-per-port   |       |       |            |               |
   | total-traffic-       | TBA70 |   4   |    IESG    |   [RFCXXXX]   |
   |   protocol           |       |       |            |               |
   | total-traffic-port   | TBA71 |   4   |    IESG    |   [RFCXXXX]   |
   | total-attack-        | TBA72 |   4   |    IESG    |   [RFCXXXX]   |
   |  traffic-protocol    |       |       |            |               |
   | total-attack-        | TBA73 |   4   |    IESG    |   [RFCXXXX]   |
   |  traffic-port        |       |       |            |               |
   | total-attack-        | TBA74 |   4   |    IESG    |   [RFCXXXX]   |
   |  connection-port     |       |       |            |               |
   | port                 | TBA75 |   0   |    IESG    |   [RFCXXXX]   |
   | supported-query-type | TBA76 |   4   |    IESG    |   [RFCXXXX]   |
   | vendor-id            | TBA77 |   0   |    IESG    |   [RFCXXXX]   |
   | ietf-dots-telemetry: | TBA78 |   5   |    IESG    |   [RFCXXXX]   |
   |   telemetry-setup    |       |       |            |               |
   | ietf-dots-telemetry: | TBA79 |   4   |    IESG    |   [RFCXXXX]   |
   |   total-traffic      |       |       |            |               |
   | ietf-dots-telemetry: | TBA80 |   4   |    IESG    |   [RFCXXXX]   |
   | total-attack-traffic |       |       |            |               |
   | ietf-dots-telemetry: | TBA81 |   5   |    IESG    |   [RFCXXXX]   |
   | total-attack-        |       |       |            |               |
   |        connection    |       |       |            |               |
   | ietf-dots-telemetry: | TBA82 |   4   |    IESG    |   [RFCXXXX]   |
   |     attack-detail    |       |       |            |               |
   | ietf-dots-telemetry: max-config-values | TBA83 TBA51   |   5   | IESG   |   [RFCXXXX]   |
   |        telemetry     |       |       |            |               |
   | current-g            | TBA84 |   0   |    IESG    |   [RFCXXXX]   |
   | description-lang     | TBA85 |   3   |    IESG    |   [RFCXXXX] RFC 9244   |
   +----------------------+-------+-------+------------+---------------+

           Table 4: Registered DOTS Signal Channel CBOR Key Values
]]></artwork>
          </figure></t> -->

      </section>
      <section title="DOTS numbered="true" toc="default">
        <name>DOTS Signal Channel Conflict Cause Codes">
        <t>This specification requests Codes</name>
        <t>Per this document, IANA to assign has assigned a new code from the
        "DOTS Signal Channel Conflict Cause Codes" registry <xref
        target="Cause"></xref>.</t>

        <t><figure>
            <artwork align="center"><![CDATA[+------+-------------------+------------------------+-------------+
| Code | Label             |   Description          |  Reference  |
+======+===================+========================+=============+
| TBA  | overlapping-pipes | Overlapping pipe scope |  [RFCXXXX]  |
+------+-------------------+------------------------+-------------+

   Table 5: Registered target="Cause" format="default"/>.</t>

<table anchor="tab-5">
  <name>Registered DOTS Signal Channel Conflict Cause Code
]]></artwork>
          </figure><list style="symbols">
            <t>Note to the RFC Editor: Please replace all occurrences of "TBA"
            with the assigned value.</t>
          </list></t> Code</name>
  <thead>
    <tr>
      <th>Code</th>
      <th>Label</th>
      <th>Description</th>
      <th>Reference</th>
    </tr>
  </thead>
  <tbody>
    <tr>
      <td>5</td>
      <td>overlapping-pipes</td>
      <td>Overlapping pipe scope</td>
      <td>RFC 9244</td>
    </tr>
  </tbody>
</table>
      </section>
      <section anchor="yang" title="DOTS numbered="true" toc="default">
        <name>DOTS URI and YANG Module Registrations</name>

<!-- [rfced] Section 13.3:  This section title did not match the
contents of the section, as this section discusses registrations for
both of the YANG modules defined in this document.  Also, we do not
see "Signal Telemetry YANG Module" or "signal telemetry YANG module"
used anywhere else in this document.

We updated this title so that it reflects the text that follows.
Please let us know any objections.

Original:
   13.3.  DOTS Signal Telemetry YANG Module">
        <t>This document requests Module

Currently:
   13.3.  DOTS URI and YANG Module Registrations -->

        <t>Per this document, IANA to register has registered the following URIs in the
        "ns" subregistry within the "IETF XML Registry" <xref
        target="RFC3688"></xref>: <figure>
            <artwork><![CDATA[         URI: urn:ietf:params:xml:ns:yang:ietf-dots-telemetry
         Registrant Contact: The IESG.
         XML: N/A; target="RFC3688" format="default"/>: </t>
  <dl newline="false" spacing="compact">
     <dt>URI:</dt><dd>urn:ietf:params:xml:ns:yang:ietf-dots-telemetry</dd>
     <dt>Registrant Contact:</dt><dd>The IESG.</dd>
     <dt>XML:</dt><dd>N/A; the requested URI is an XML namespace.

         URI: urn:ietf:params:xml:ns:yang:ietf-dots-mapping
         Registrant Contact: The IESG.
         XML: N/A; namespace.</dd>
  </dl>
  <dl newline="false" spacing="compact">
     <dt>URI:</dt><dd>urn:ietf:params:xml:ns:yang:ietf-dots-mapping</dd>
     <dt>Registrant Contact:</dt><dd>The IESG.</dd>
     <dt>XML:</dt><dd>N/A; the requested URI is an XML namespace.]]></artwork>
          </figure>This document requests namespace.</dd>
  </dl>

        <t>Per this document, IANA to register has registered the following YANG
        modules in the "YANG Module Names" subregistry <xref
        target="RFC6020"></xref> target="RFC6020" format="default"/> within the "YANG Parameters" registry.<figure>
            <artwork><![CDATA[         name: ietf-dots-telemetry
         namespace: urn:ietf:params:xml:ns:yang:ietf-dots-telemetry
         maintained by IANA: N
         prefix: dots-telemetry
         reference: RFC XXXX

         name: ietf-dots-mapping
         namespace: urn:ietf:params:xml:ns:yang:ietf-dots-mapping
         maintained by IANA: N
         prefix: dots-mapping
         reference: RFC XXXX
]]></artwork>
          </figure></t> registry.</t>
  <dl newline="false" spacing="compact">
     <dt>Name:</dt><dd>ietf-dots-telemetry</dd>
     <dt>Namespace:</dt><dd>urn:ietf:params:xml:ns:yang:ietf-dots-telemetry</dd>
     <dt>Maintained by IANA:</dt><dd>N</dd>
     <dt>Prefix:</dt><dd>dots-telemetry</dd>
     <dt>Reference:</dt><dd>RFC 9244</dd>
  </dl>

  <dl newline="false" spacing="compact">
     <dt>Name:</dt><dd>ietf-dots-mapping</dd>
     <dt>Namespace:</dt><dd>urn:ietf:params:xml:ns:yang:ietf-dots-mapping</dd>
     <dt>Maintained by IANA:</dt><dd>N</dd>
     <dt>Prefix:</dt><dd>dots-mapping</dd>
     <dt>Reference:</dt><dd>RFC 9244</dd>
  </dl>
      </section>
    </section>
    <section anchor="security" title="Security Considerations">
      <t></t> numbered="true" toc="default">
      <name>Security Considerations</name>
<!-- Reviewer:  Added YANG security DNE text Para.s 1 through 4 here
per <https://trac.ietf.org/trac/ops/wiki/yang-security-guidelines> and
also pointed to Section 14.2 for the specifics.
(An "FYI" for the authors re. these updates is below.) -->
<t>The YANG modules specified in this document define a schema for data
that is designed to be accessed via network management protocols such
as NETCONF <xref target="RFC6241"/> or RESTCONF <xref target="RFC8040"/>.
The lowest NETCONF layer is the secure transport layer, and the
mandatory-to-implement secure transport is Secure Shell (SSH)
<xref target="RFC6242"/>. The lowest RESTCONF layer is HTTPS, and the
mandatory-to-implement secure transport is TLS <xref target="RFC8446"/>.</t>

<t>The Network Configuration Access Control Model (NACM) <xref target="RFC8341"/>
provides the means to restrict access for particular NETCONF or RESTCONF users
to a preconfigured subset of all available NETCONF or RESTCONF protocol
operations and content.</t>

<t>There are a number of data nodes defined in this document that are
writable/creatable/deletable (i.e., config true, which is the default). These
data nodes may be considered sensitive or vulnerable in some network
environments. Write operations (e.g., edit-config) to these data nodes without
proper protection can have a negative effect on network operations.
The subtrees and data nodes and their sensitivity/vulnerability are discussed
in <xref target="sec-cons-2"/>.</t>

<t>Some of the readable data nodes defined in this document may be considered
sensitive or vulnerable in some network environments. It is thus important to
control read access (e.g., via get, get-config, or notification) to these data
nodes. The subtrees and data nodes and their sensitivity/vulnerability are discussed in <xref target="sec-cons-2"/>.</t>
<!-- End YANG security DNE text Para.s 1 through 4 -->

<!-- [rfced] Authors and *[AD]:
Sections 14 and 14.2:  The Security Considerations section did not
follow the requirements listed on
<https://trac.ietf.org/trac/ops/wiki/yang-security-guidelines>,
which says "This section MUST be patterned after the latest
approved template."  We updated this section accordingly while
preserving the text specific to this document.  We also updated the
Normative References section per the security guidelines.

Please review, and let us know if further updates are needed.
For example, we see this text in Section 4.4, which seems to indicate
that no explanation is needed as relates to Section 14.1; please
confirm that no further explanation is needed:

  The DOTS telemetry module (Section 11.1) is not intended to be used
  via NETCONF/RESTCONF for DOTS server management purposes.  It serves
  only to provide a data model and encoding following [RFC8791].

It appears that RPC operations are not applicable to this document.
Please confirm. -->

      <section anchor="sec1" title="DOTS anchor="sec-cons-1" numbered="true" toc="default">
        <name>DOTS Signal Channel Telemetry"> Telemetry</name>
        <t>The security considerations for the DOTS signal channel protocol
        are discussed in Section 11 of <xref target="RFC9132"></xref>. target="RFC9132" sectionFormat="of" section="11"/>. The
        following discusses the security considerations that are specific to
        the DOTS signal channel extension defined in this document.</t>
        <t>The DOTS telemetry information includes DOTS client network
        topology, DOTS client domain pipe capacity, normal traffic baseline
        and connections' capacity, and threat and mitigation information. Such
        information is sensitive; it MUST <bcp14>MUST</bcp14> be protected at rest by the DOTS
        server domain to prevent data leakage. Note that sharing this
        sensitive data with a trusted DOTS server does not introduce any new
        significant considerations other that than the need for the aforementioned
        protection. Such a DOTS server is already trusted to have access to
        that kind of information by being in the position to observe and
        mitigate attacks.</t>
        <t>DOTS clients are typically considered to be trusted devices by the
        DOTS client domain. DOTS clients may be co-located on network security
        services (e.g., firewall devices), and a compromised security service
        potentially can do a lot more damage to the network than just the DOTS
        client component. This assumption differs from the often held often-held view
        that devices are untrusted, often
        (often referred to as the "zero-trust
        model". model") that devices are untrusted. A compromised DOTS client can send fake DOTS telemetry data to
        a DOTS server to mislead the DOTS server. This attack can be prevented
        by monitoring and auditing DOTS clients to detect misbehavior and to
        deter misuse, and by only authorizing the DOTS client to convey DOTS
        telemetry information for specific target resources (e.g., an
        application server is authorized to exchange DOTS telemetry for its IP
        addresses but a DDoS mitigator can exchange DOTS telemetry for any
        target resource in the network). As a reminder, this is a variation of
        dealing with compromised DOTS clients as discussed in Section 11 of <xref target="RFC9132"></xref>.</t> target="RFC9132" sectionFormat="of" section="11"/>.</t>
        <t>DOTS servers must be capable of defending themselves against DoS
        attacks from compromised DOTS clients. The following non-comprehensive
        list of mitigation techniques can be used by a DOTS server to handle
        misbehaving DOTS clients:</t>

        <t><list style="symbols">
            <t>The
        <ul spacing="normal">
          <li>The probing rate (defined in Section 4.5 of <xref
            target="RFC9132"></xref>) target="RFC9132" sectionFormat="of" section="4.5"/>) can be used to limit the average data
            rate to the DOTS server.</t>

            <t>Rate-limiting server.</li>
          <li>Rate-limiting DOTS telemetry, including those with new 'tmid'
            values, from the same DOTS client defends against DoS attacks that
            would result in varying the 'tmid' to exhaust DOTS server
            resources.

<!-- [rfced] Section 14.1:  This sentence is difficult to follow.
If the suggested text is not correct, please clarify what "those"
refers to.

Original:
   *  Rate-limiting DOTS telemetry, including those with new 'tmid'
      values, from the same DOTS client defends against DoS attacks that
      would result in varying the 'tmid' to exhaust DOTS server
      resources.

Suggested (assuming that the action of rate-limiting will defend
  against attacks):
   *  Rate-limiting DOTS telemetry data, including packets with new
      'tmid' values from the same DOTS client, defends against DoS
      attacks that would result in varying the 'tmid' to exhaust DOTS
      server resources. -->

 Likewise, the DOTS server can enforce a quota and
            time-limit
            time limit on the number of active pre-or-ongoing-mitigation
            telemetry data items (identified by 'tmid') from the DOTS
            client.</t>
          </list></t>
            client.</li>
        </ul>
        <t>Note also that the telemetry notification interval may be used to
        rate-limit the pre-or-ongoing-mitigation telemetry notifications
        received by a DOTS client domain.</t>
      </section>
      <section title="Vendor anchor="sec-cons-2" numbered="true" toc="default">
        <name>Vendor Attack Mapping"> Mapping</name>
        <t>The security considerations for the DOTS data channel protocol are
        discussed in Section 10 of <xref target="RFC8783"></xref>. target="RFC8783" sectionFormat="of" section="10"/>. The
        following discusses the security considerations that are specific to
        the DOTS data channel extension defined in this document.</t>
<t>All data nodes defined in the YANG module specified in <xref
        target="data"></xref> which target="data" format="default"/> that can be created, modified, and deleted (i.e., config true, which
   is the default) are considered sensitive.  Write operations to these
   data nodes without proper protection can have a negative effect on
   network operations. Appropriate security measures are recommended to prevent illegitimate users
        from invoking DOTS data channel primitives as discussed in <xref
        target="RFC8783"></xref>.
        target="RFC8783" format="default"/>. Nevertheless, an attacker who can access
        a DOTS client is technically capable of undertaking various attacks,
        such as: <list style="symbols">
            <t>Communicating </t>
        <ul spacing="normal">
          <li>Communicating invalid attack mapping details to the server
            ('/data-channel:dots-data/data-channel:dots-client/dots-telemetry:vendor-mapping'),
            which will mislead the server when correlating attack details.</t>
          </list></t> details.</li>
        </ul>
        <t>Some of the readable data nodes in the YANG module specified in
        <xref target="data"></xref> target="data" format="default"/> may be considered sensitive. It is thus
        important to control read access to these data nodes. These are the
        data nodes and their sensitivity:<list style="symbols">
            <t>'/data-channel:dots-data/data-channel:dots-client/dots-telemetry:vendor-mapping' sensitivity:</t>
        <ul spacing="normal">
          <li>'/data-channel:dots-data/data-channel:dots-client/dots-telemetry:vendor-mapping'
            can be misused to infer the DDoS protection technology deployed in
            a DOTS client domain.</t>

            <t>'/data-channel:dots-data/dots-telemetry:vendor-mapping' domain.</li>
          <li>'/data-channel:dots-data/dots-telemetry:vendor-mapping' can be
            used by a compromised DOTS client to leak the attack detection
            capabilities of the DOTS server. This is a variation of the
            compromised DOTS client attacks discussed in <xref
            target="sec1"></xref>.</t>
          </list></t>

        <t></t>
      </section> target="sec-cons-1" format="default"/>.</li>
        </ul>
      </section>

    <section anchor="contr" title="Contributors">
      <t>The following individuals have contributed to this document:<list
          style="symbols">
          <t>Li Su, CMCC, Email: suli@chinamobile.com</t>

          <t>Pan Wei, Huawei, Email: william.panwei@huawei.com</t>
        </list></t>
    </section>
  </middle>
  <back>

<displayreference target="I-D.ietf-dots-multihoming" to="DOTS-Multihoming"/>
<displayreference target="I-D.ietf-dots-robust-blocks" to="DOTS-Robust-Blocks"/>
    <references>
      <name>References</name>
      <references>
        <name>Normative References</name>
        <xi:include href="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.2119.xml"/>
        <xi:include href="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.7950.xml"/>
        <xi:include href="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.3688.xml"/>
        <xi:include href="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.8174.xml"/>
        <xi:include href="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.7641.xml"/>
        <xi:include href="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.6991.xml"/>
        <xi:include href="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.8949.xml"/>
        <xi:include href="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.7959.xml"/>
        <xi:include href="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.8783.xml"/>
        <xi:include href="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.8345.xml"/>
        <xi:include href="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.7970.xml"/>
        <xi:include href="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.8040.xml"/>
        <xi:include href="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.7252.xml"/>
        <xi:include href="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.6020.xml"/>
        <xi:include href="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.9132.xml"/>
        <xi:include href="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.8791.xml"/>
        <xi:include href="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.5646.xml"/>
       <xi:include href="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.8446.xml"/>
        <xi:include href="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.6242.xml"/>
        <xi:include href="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.8341.xml"/>
        <xi:include href="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.6241.xml"/>

        <reference anchor="Private-Enterprise-Numbers" target="https://www.iana.org/assignments/enterprise-numbers/">
          <front>
            <title>Private Enterprise Numbers</title>
            <author>
              <organization>IANA</organization>
            </author>
          </front>
        </reference>
      </references>
      <references>
        <name>Informative References</name>
        <xi:include href="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.9133.xml"/>
        <xi:include href="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.4732.xml"/>
        <xi:include href="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.8811.xml"/>
        <xi:include href="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.2330.xml"/>
        <xi:include href="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.8525.xml"/>
        <xi:include href="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.8903.xml"/>

<!-- draft-doron-dots-telemetry ("long way"; error in author name) (Expired) -->
<reference anchor="DOTS-Telemetry-Specs">
   <front>
      <title>Distributed Denial-of-Service Open Threat Signaling (DOTS) Telemetry Specifications</title>
      <author initials="E." surname="Doron" fullname="Ehud Doron">
         </author>
      <author initials="T." surname="Reddy" fullname="Tirumaleswar Reddy">
         </author>
      <author initials="F." surname="Andreasen" fullname="Flemming Andreasen">
         </author>
      <author initials="L." surname="Xia" fullname="Liang Xia">
         </author>
      <author initials="K." surname="Nishizuka" fullname="Kaname Nishizuka">
         </author>
      <date month="October" day="30" year="2016" />
   </front>
   <seriesInfo name="Internet-Draft" value="draft-doron-dots-telemetry-00" />
</reference>

<!-- draft-ietf-dots-multihoming (IESG Eval / AD Followup) -->
        <xi:include href="https://datatracker.ietf.org/doc/bibxml3/draft-ietf-dots-multihoming.xml"/>
        <xi:include href="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.8612.xml"/>
        <xi:include href="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.8340.xml"/>
        <xi:include href="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.4960.xml"/>

<!-- draft-ietf-core-new-block (RFC 9177; published March 2022) -->
        <xi:include href="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.9177.xml"/>
        <xi:include href="https://datatracker.ietf.org/doc/bibxml3/draft-ietf-dots-robust-blocks.xml"/>
        <xi:include href="https://xml2rfc.ietf.org/public/rfc/bibxml/reference.RFC.5612.xml"/>
        <reference anchor="Key-Map" target="https://www.iana.org/assignments/dots/">
          <front>
            <title>DOTS Signal Channel CBOR Key Values</title>
            <author>
              <organization>IANA</organization>
            </author>
            <date/>
          </front>
        </reference>
        <reference anchor="Cause" target="https://www.iana.org/assignments/dots/">
          <front>
            <title>DOTS Signal Channel Conflict Cause Codes</title>
            <author>
              <organization>IANA</organization>
            </author>
            <date/>
          </front>
        </reference>
        <reference anchor="PYANG" target="https://github.com/mbj4668/pyang">
          <front>
            <title>pyang</title>
            <author>
              <organization/>
            </author>
            <date month="April" year="2022"/>
          </front>
         <refcontent>commit dad5c68</refcontent>
        </reference>
      </references>
    </references>
    <section anchor="ack" title="Acknowledgements"> numbered="false" toc="default">
      <name>Acknowledgments</name>
      <t>The authors would like to thank Flemming Andreasen, Liang Xia, and
      Kaname Nishizuka, co-authors <contact fullname="Flemming Andreasen"/>, <contact fullname="Liang Xia"/>, and
      <contact fullname="Kaname Nishizuka"/>, coauthors of <xref
      target="I-D.doron-dots-telemetry"></xref>, target="DOTS-Telemetry-Specs" format="default"/>, and everyone who had
      contributed to that document.</t>
      <t>Thanks to Kaname Nishizuka, Wei Pan, Yuuhei Hayashi, and Tom Petch <contact fullname="Kaname Nishizuka"/>, <contact fullname="Wei Pan"/>, <contact fullname="Yuuhei Hayashi"/>, and <contact fullname="Tom Petch"/>
      for comments and review.</t>
      <t>Special thanks to Jon Shallow <contact fullname="Jon Shallow"/> and Kaname Nishizuka <contact fullname="Kaname Nishizuka"/> for their
      implementation and interoperability work.</t>
      <t>Many thanks to Jan Lindblad <contact fullname="Jan Lindblad"/> for the yangdoctors review, Nagendra
      Nainar <contact fullname="Nagendra Nainar"/> for the opsdir review, James Gruessing <contact fullname="James Gruessing"/> for the artart review,
      Michael Scharf
      <contact fullname="Michael Scharf"/> for the tsv-art review, Ted Lemon <contact fullname="Ted Lemon"/> for the int-dir review,
      and Robert Sparks <contact fullname="Robert Sparks"/> for the gen-art review.</t>

<!-- [rfced] Acknowledgments:  Please confirm that coauthor
Jon Shallow should also be listed in this section.

Original:
   Special thanks to Jon Shallow and Kaname Nishizuka for their
   implementation and interoperability work. -->

      <t>Thanks to Benjamin Kaduk <contact fullname="Benjamin Kaduk"/> for the detailed AD review.</t>
      <t>Thanks to Roman Danyliw, &Eacute;ric Vyncke, Francesca Palombini,
      Warren Kumari, Erik Kline, Lars Eggert, and Robert Wilton <contact fullname="Roman Danyliw"/>, <contact fullname="Éric Vyncke"/>, <contact fullname="Francesca Palombini"/>,
      <contact fullname="Warren Kumari"/>, <contact fullname="Erik Kline"/>, <contact fullname="Lars Eggert"/>, and <contact fullname="Robert Wilton"/> for the IESG
      review.</t>
    </section>
  </middle>

  <back>
    <references title="Normative References">
      <?rfc include="reference.RFC.2119"?>

      <?rfc include="reference.RFC.7950"?>

      <?rfc include="reference.RFC.3688"?>

      <?rfc include='reference.RFC.8174'?>

      <?rfc include='reference.RFC.7641'?>

      <?rfc include='reference.RFC.6991'?>

      <?rfc include='reference.RFC.8949'?>

      <?rfc include='reference.RFC.7959'?>

      <?rfc include="reference.RFC.8783" ?>

      <?rfc include='reference.RFC.8345'?>

      <?rfc include='reference.RFC.7970'?>

      <?rfc include='reference.RFC.8040'?>

      <?rfc include='reference.RFC.7252'?>

      <?rfc ?>

      <?rfc include='reference.RFC.6020'?>

      <?rfc include='reference.RFC.9132'?>

      <?rfc include='reference.RFC.8791'?>

      <?rfc include='reference.RFC.5646'?>

      <reference anchor="Private-Enterprise-Numbers"
                 target="https://www.iana.org/assignments/enterprise-numbers">
        <front>
          <title>Private Enterprise Numbers</title>

          <author>
            <organization></organization>
          </author>

          <date day="04" month="May" year="2020" />
        </front>
      </reference>
    </references>

    <references title="Informative References">
      <?rfc include='reference.RFC.9133'?>

      <?rfc include='reference.RFC.4732'?>

      <?rfc include='reference.RFC.8811'?>

      <?rfc include='reference.RFC.2330'?>

      <?rfc include='reference.RFC.8525'?>

      <?rfc include='reference.RFC.8903'?>

      <?rfc include='reference.I-D.doron-dots-telemetry'?>

      <?rfc include='reference.I-D.ietf-dots-multihoming'?>

      <?rfc include="reference.RFC.8612"?>

      <?rfc include='reference.RFC.8340'?>

      <?rfc include='reference.RFC.4960'?>

      <?rfc include='reference.I-D.ietf-core-new-block'?>

      <?rfc include='reference.I-D.ietf-dots-robust-blocks'?>

      <?rfc include='reference.RFC.5612'?>

      <reference anchor="Key-Map"
                 target="https://www.iana.org/assignments/dots/dots.xhtml#dots-signal-channel-cbor-key-values">
        <front>
          <title>DOTS Signal Channel CBOR Key Values</title>

          <author fullname="IANA">
            <organization></organization>
          </author>

          <date />
        </front>
      </reference>

      <reference anchor="Cause"
                 target="https://www.iana.org/assignments/dots/dots.xhtml#dots-signal-channel-conflict-cause-codes">
        <front>
          <title>DOTS Signal Channel Conflict Cause Codes</title>

          <author fullname="IANA">
            <organization></organization>
          </author>

          <date />
        </front>
      </reference>

      <reference anchor="PYANG" target="https://github.com/mbj4668/pyang">
        <front>
          <title>pyang</title>

          <author>
            <organization></organization>
          </author>

          <date month="November" year="2020" />
        </front>
      </reference>
    </references>
    <section anchor="contr" numbered="false" toc="default">
      <name>Contributors</name>
      <t>The following individuals have contributed to this document:</t>
      <contact fullname="Li Su">
        <organization>CMCC</organization>
        <address>
          <email>suli@chinamobile.com</email>
        </address>
      </contact>
      <contact fullname="Pan Wei">
        <organization>Huawei</organization>
        <address>
          <email>william.panwei@huawei.com</email>
        </address>
      </contact>
    </section>

<!-- [rfced] Contributors and Acknowledgments sections:  Please
confirm that (1) Pan Wei (Contributors) and Wei Pan (Acknowledgments)
are different people and (2) the "Yuuhei" spelling for
Yuuhei Hayashi's name is correct.

We ask because (1) we see "Wei Pan", with the same Huawei email
address, listed in [I-D.ietf-dots-multihoming] (now
[DOTS-Multihoming]) and (2) we also see the spelling "Yuhei Hayashi"
on <https://datatracker.ietf.org/person/yuuhei.hayashi@gmail.com> and
<https://datatracker.ietf.org/doc/html/draft-hayashi-dots-dms-offload-00>.

Original:
   *  Pan Wei, Huawei, Email: william.panwei@huawei.com
...
   Thanks to Kaname Nishizuka, Wei Pan, Yuuhei Hayashi, and Tom Petch ...-->

  </back>

<!-- [rfced] Please review the "Inclusive Language" portion of the
online Style Guide at
<https://www.rfc-editor.org/styleguide/part2/#inclusive_language>,
and let us know if any changes are needed.

For example, could "whitespace" be changed to "empty space"? -->

<!-- [rfced] Please let us know if any changes are needed for the
following:

a) The following terms were used inconsistently in this document.
We chose to use the latter forms.  Please let us know any objections.

 delete request (2 instances) / DELETE request (7 instances)

 pre-or-ongoing mitigation (3 instances) /
   pre-or-ongoing-mitigation (approx. 48 instances)
   (where used as a modifier)

 response code (2 instances) / Response Code (9 instances)

 unit-class ("unit-classes") (1 instance in text) /
   unit class(es) (14 instances in text)

b) The following terms appear to be used inconsistently in this
document.  Please let us know which form is preferred.

 "Bits per second (bit/s)."; / "Bits per second (bps)."; *

 "Bytes per second (byte/s)."; / "Bytes per second (Bps)."; *

 * If "bps" and "Bps" are preferred, should "bit/s" and
   "Byte/s" in other description clauses (2 instances each) also be
   written as "bps" and "Bps"?

 connections capacity / connections' capacity / connection capacity **

 ** We suggest "connection capacity" (per 'total-connection-capacity',
    '"Total connection capacity."', and '"Total connection capacity
    per port number."').

c) We had trouble following the usage of "low percentile values",
"mid-percentile value", "Mid percentile value", "low-percentiles",
"the low-percentile.", etc.  Should hyphenation be made
consistent?  If yes, please specify the desired style.

For example, does "low percentile values" mean "percentile values
that are low", "values that are low-percentile", or something else?

The following are a bit confusing as well:

 "Low percentile. If set to '0', this means low-percentiles
  are disabled.";
...
     "The mid-percentile must be greater than
      or equal to the low-percentile.";
 }
 default "50.00";
 description
   "Mid percentile. If set to the same value as low-percentile,
    this means mid-percentiles are disabled."; -->

</rfc>

mirror server hosted at Truenetwork, Russian Federation.