Internet-Draft                     Use Cases                     September 2022
Chen & Su                    Expires 2 April 2023
At present, routing is performed by a router looking up its own routing table to forward or discard each packet. As networks have developed, attention in the routing process is paid not only to reachability but also to security capability. With the frequent occurrence of security incidents, more and more network devices carry security functions, and secure routing and secure paths are required in many scenarios.
This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79.
Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet-Drafts is at https://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress."
This Internet-Draft will expire on 2 April 2023.
Copyright (c) 2022 IETF Trust and the persons identified as the document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (https://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Revised BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Revised BSD License.
At present, routing is performed by a router looking up its own routing table to forward or discard each packet. Routing methods may be programmable or non-programmable, and data is forwarded on the principle of fastest access. As networks have developed, people pay attention not only to reachability in the routing process but also to link security. Link security includes routing security and node security. Beyond the traditional ground network, the future development of satellite networks will also involve link security: because a satellite network is more open, a security vulnerability in an inter-satellite node affects the security of the whole network.
Security attacks happen almost every moment somewhere in the world, so network devices keep being updated and iterated to cope with complex security environments. In addition to dedicated security devices, many network devices have integrated security functions, such as routers with anti-DDoS functions. At present most routers offer an anti-DDoS function in their advanced settings. Usually this function is not turned on by default; if a router is DDoS-protected, the speed of the whole network drops dramatically. Similarly, a switch may have anti-DDoS, intrusion detection (IDS) and firewall functions, and a gateway may have anti-virus, intrusion detection, firewall, VPN and other security functions.
Starting from the requirements of network operators and users, it is necessary to take the security attribute as a key factor in selecting the route and transmission path, so as to measure the transmission security of a link. To achieve this goal, the following topics may need to be studied.
Transmission security generally relies on encryption, IPsec and similar measures to ensure end-to-end security. The operator's channel is responsible for data transmission but lacks the ability to provide security consultation to users. Networks are becoming more complex and more interconnected, and the traditional security domain is gradually breaking down; the need for real-time, online streaming security is evident. The operator needs to obtain the security status of each device in the network.
For customers with high security requirements, operators need to transmit data at the security level the customer expects. For example, in addition to an IP address, each node also carries a description of its own security functions, that is, a security vector. When the user sends a request, the security requirement is converted into a security vector. When forwarding data, both the IP address and the security vector are used as selection elements to achieve the best delivery.
             A(ip,sv)            B(ip,sv)            C(ip,sv)
            ┌────────┐          ┌────────┐          ┌────────┐
   ────┬───►│ Router ├─────────►│ Router ├─────────►│ Router ├──────┐
       │    └───┬────┘          └───┬────┘          └───┬────┘      │
       │        │                   │                   │           │
       │        ▼                   ▼                   ▼           ├───►
       │    ┌────────┐          ┌────────┐          ┌────────┐      │
       └───►│ Router ├─────────►│ Router ├─────────►│ Router ├──────┘
            └────────┘          └────────┘          └────────┘
             D(ip,sv)            E(ip,sv)            F(ip,sv)

          Figure 1: Select path according to IP address and security vector
Users' security awareness is at its highest level in history. Application-level security measures at the upper layer can no longer meet their needs; users need the pipeline itself to provide an objective presentation of security. Security needs to be quantified, objective and authoritative.
Users need to convert their security requirements into security vectors, yet general users may lack security background knowledge. Therefore, in most cases a security vector translator is required to convert perceptual requirements into objective security vectors. How the security vector is used for route selection and data forwarding also needs study; for example, the route could be chosen according to the best-effort delivery principle together with the security vector that is satisfied to the maximum extent.
                   (ip,sv)           (ip,sv)
                 ┌────────┐        ┌────────┐
   ─────────────►│ Router ├───────►│ Router ├───────┐
   (Src,Dst,sv)  └───┬────┘        └────────┘       │
                     │                              │
                     │               (ip,sv)        │
                     │             ┌────────┐   ┌───▼────┐
                     └────────────►│ Router ├──►│ Router ├───► DST
                                   └────────┘   └────────┘
                                    (ip,sv)      (ip,sv)

        Figure 2: Select the path according to the user's security vector requirements
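The selection described for Figure 1 and Figure 2 (each node advertising an (ip, sv) pair, a translator turning a user's perceptual requirement into a security vector, and a route chosen on best-effort delivery plus maximum satisfaction of that vector) can be made concrete with a small model. The following is an added example, not code from the draft or its authors. It assumes that a security vector is a bit mask over the security functions the draft names (anti-DDoS, IDS, firewall, VPN, IPsec), that a path "provides" a function only when every router on it advertises that function (the conservative intersection policy), that the translator is a simple level table, and that the topology is a constructed one mirroring Figure 2; node names, addresses and the level table are all made up for the example.

```python
"""Security-vector path selection (added example, not the draft's own code)."""
from dataclasses import dataclass

# Function names follow the draft's examples; the bit layout is an assumption.
CAPABILITIES = ("anti_ddos", "ids", "firewall", "vpn", "ipsec")


def sv(*caps):
    """Build a security vector (bit mask) from capability names."""
    mask = 0
    for c in caps:
        mask |= 1 << CAPABILITIES.index(c)
    return mask


def sv_names(mask):
    """Human-readable view of a security vector."""
    return [c for i, c in enumerate(CAPABILITIES) if mask >> i & 1]


@dataclass(frozen=True)
class Node:
    ip: str   # node address
    sv: int   # security vector advertised by the node


# Hypothetical security vector translator: perceptual level -> objective sv.
LEVELS = {
    "basic": sv("firewall"),
    "standard": sv("firewall", "ids"),
    "high": sv("firewall", "ids", "anti_ddos", "ipsec"),
}


def translate_requirement(level):
    return LEVELS[level]


def path_sv(path, nodes):
    """Functions guaranteed along the path: intersection over its routers.

    The endpoints (user host and DST) are not routers and are skipped.
    """
    mask = (1 << len(CAPABILITIES)) - 1
    for name in path[1:-1]:
        mask &= nodes[name].sv
    return mask


def satisfaction(path, nodes, required):
    """Number of required functions the whole path provides."""
    return bin(path_sv(path, nodes) & required).count("1")


def simple_paths(links, src, dst):
    """Depth-first enumeration of loop-free paths (fine for small topologies)."""
    out = []

    def dfs(cur, path):
        if cur == dst:
            out.append(tuple(path))
            return
        for nxt in links.get(cur, ()):
            if nxt not in path:
                dfs(nxt, path + [nxt])

    dfs(src, [src])
    return out


def select_path(nodes, links, src, dst, required):
    """Rank candidate paths by satisfied requirements, then by fewest hops.

    Returns (path, satisfied_count, fully_satisfied), or None if unreachable.
    When no path meets every requirement the best-effort path is returned
    with fully_satisfied == False so the caller can decide whether to send.
    """
    cands = simple_paths(links, src, dst)
    if not cands:
        return None
    best = max(cands, key=lambda p: (satisfaction(p, nodes, required), -len(p)))
    got = satisfaction(best, nodes, required)
    return best, got, got == bin(required).count("1")


# Constructed topology mirroring Figure 2: R1 feeds R2 and R3, both reach R4.
NODES = {
    "R1": Node("10.0.0.1", sv("firewall", "ids", "anti_ddos", "ipsec")),
    "R2": Node("10.0.0.2", sv("firewall")),
    "R3": Node("10.0.0.3", sv("firewall", "ids", "anti_ddos", "ipsec")),
    "R4": Node("10.0.0.4", sv("firewall", "ids", "anti_ddos", "ipsec")),
}
LINKS = {"SRC": ["R1"], "R1": ["R2", "R3"], "R2": ["R4"], "R3": ["R4"], "R4": ["DST"]}

if __name__ == "__main__":
    for level in ("basic", "high"):
        req = translate_requirement(level)
        path, got, ok = select_path(NODES, LINKS, "SRC", "DST", req)
        print(level, "->", " > ".join(path),
              f"satisfied {got}/{len(sv_names(req))}", "full" if ok else "best-effort")
```

With the "high" requirement the path through R2 only guarantees the firewall function, so the selector prefers R1, R3, R4 even though both candidates have the same hop count; with "basic" both paths satisfy the single requirement and hop count decides. The intersection policy is deliberately strict: a function that only some routers on the path provide is not counted, which is the reading an operator would want before promising a customer a given security level.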
This memo includes no request to IANA.