Internet-Draft                    Use Cases                      March 2023
Chen, et al.               Expires 10 September 2023
Current routing mechanisms select the shortest path: only reachability is considered, not the security of the links and forwarding nodes along that path. As security has become an important factor at the service layer, this document proposes to add security as a new factor in path selection.
With security incidents occurring frequently, users' demand for security services has become essential. Since ISP networks already contain many security devices, this draft proposes secure routing, whose purpose is to converge security and routing so as to secure the transmission process.
The scope is the security of the transmission process; end-to-end security and application-layer security are out of scope.
This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79.
Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet-Drafts is at https://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress."
This Internet-Draft will expire on 10 September 2023.
Copyright (c) 2023 IETF Trust and the persons identified as the document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (https://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Revised BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Revised BSD License.
With network security incidents occurring frequently, users' demand for network security has increased greatly; there is no doubt that secure services are required. The main current security risk comes from attacks, and users need security services to ensure business continuity.
Some users build security centers themselves, some buy third-party cloud security services, and some expect ISPs to provide security services through secure routing. ISPs can implement secure routing by forwarding traffic to security functions. With the development of programmable networks (such as SDN) and SRv6, the forwarding requirements of the application layer can be met through routing programming, and reachability and security can be processed together in the routing process to provide users with secure routing.
Network functions are also being updated to integrate security functions in order to cope with complex security environments, for example routers with anti-DDoS functions.
From the ISP's perspective, nodes differ in trustworthiness, so it is necessary to provide routing policies that protect important users.
Different users have different security requirements, depending on their services. For example, e-commerce and Internet companies focus on phishing prevention, anti-DDoS and data security; medical companies focus on data security and security isolation; and so on.
If security functions and network functions are highly integrated, security can be as available as network connectivity. By extending existing routing protocols to carry information about the security functions present in the network, secure routing can be implemented by combining security policy with routing policy. Figure 1 describes the relationship between the Network Programming controller, network functions and security functions.
In this draft, nodes are used to represent network elements. What is a node with security function? There are two deployment methods: 1. the security function and the routing function are independent but deployed at one site, as shown in Figure 1-1; 2. the security functions and routing functions are integrated, as shown in Figure 1-2.
                         +------------+
                         |  Network   |
                         | Programming|
                         | Controller |
                         +------+-----+
                                |
          +---------------------+------------------------+
          |                                              |
  +-------+-------+        +-----------------------------+-----+
  |       |       |        |                             |     |
  |   +---+---+   |        |  +----------+           +---+---+ |
  |   | Route +---+--------+--+ Security +-----------+ Route | |
  |   +---+---+   |        |  | Function |           +-------+ |
  |       |       |        |  +----------+                     |
  |  +----+----+  |        +-----------------------------------+
  |  |Security |  |                        Node
  |  |Function |  |
  |  +---------+  |
  +---------------+
        Node

          Figure 1-1: Functions independent mode of Node
                   +------------+
                   |  Network   |
                   | Programming|
                   | Controller |
                   +------+-----+
                          |
     +--------------------+-------------------+
     |                                        |
+----+--------------+                    +----+----+
| Network function  |                    |  Route  |
| Security function |                    +---------+
+-------------------+                      Node
       Node

          Figure 1-2: Functions integration mode of Node
Two use cases are described below.
This scenario occurs inside the network. High-security users require physical isolation of the links and forwarding nodes, and forwarding over a specific link path. To satisfy this requirement, the network programming controller needs to collect information about the network nodes.
The network programming controller obtains information about the nodes and appraises their trustworthiness, which improves node security awareness. Figure 2 describes node security appraisement.
              +-------------+
              |   Network   |
              | Programming |
              | Controller  |
              +------+------+
                     |  appraise
                     |  trustworthiness
       +-------------+--------------+
       ^             ^              ^
       |             |              |
   +---+----+    +---+---+     +----+---+
   | Node1  |    | Node2 |     | Node3  |
   +--------+    +-------+     +--------+

          Figure 2: Node security appraisement
Since nodes differ in trustworthiness, the routing policy for important users avoids a node with poor trustworthiness, such as Node3. Figure 3 describes UserA's link forwarding process, which avoids Node3 and selects path <1,2,3,4>.
 Ingress
+--------+  1  +------+  5  +---------+  6  +-------+
| UserA  |---->| Node1|-----|  Node3  |-----| Node5 |
+--------+     +---+--+     +----+----+     +---+---+
                   |             |              |
                   |2            |7             |8
                   |             |              |
                   v             |              |
               +---+---+  3  +---+---+  4  +----+--+
               | Node2 |---->| Node4 |---->| Node6 |---->
               +-------+     +-------+     +-------+   Egress

          Figure 3: Link forwarding protection
ISPs have built many security functions and security resource pools in the network; once a network node is attacked, the security function needs to be scheduled quickly and efficiently to mitigate the attack. Users have clear requirements for their own security services.
Different types of users have different security requirements. The security requirement is no longer simply divided into high, medium and low levels but is more specific. For example, in addition to low-latency connections, customers in the game industry should first consider anti-DDoS services, so ISPs are required to provide anti-DDoS security services. For financial customers, data security is the most important requirement: data must not be tampered with, eavesdropped on or copied, and so on.
For customers with specific security requirements, ISPs need to transmit data at the security level the customer expects. For example, if the user needs anti-DDoS and IPS services, the secure route must pass through Node4 and Node5.
When UserA needs anti-DDoS service, the secure route must pass through Node5. Figure 4-1 shows the path <1,5,6,10> selected for UserA, which requires anti-DDoS service.
                                            +-----------+
+--------+  1  +------+  5  +---------+  6  |   Node5   |
| UserA  |---->| Node1|---->|  Node3  |---->| Anti-ddos |----+
+--------+     +---+--+     +----+----+     +-----+-----+    |
 ingress           |             |                |          |
                   |2            |7               |8         |10
                   |             |                |          |
                   |             |                |          v
               +---+---+  3  +---+---+  4  +------+--+  9  +------+
               | Node2 |-----| Node4 |-----|  Node6  |-----|Egress|--->
               |  WAF  |     |  IPS  |     +---------+     +------+
               +---+---+     +-------+                        |
                   |                    11                    |
                   +------------------------------------------+

          Figure 4-1: User requires anti-DDoS service
When UserA needs IPS service, the secure route must pass through Node4. Figure 4-2 shows the path <1,5,7,4,9> selected for UserA, which requires IPS service.
                                            +-----------+
+--------+  1  +------+  5  +---------+  6  |   Node5   |
| UserA  |---->| Node1|---->|  Node3  |-----| Anti-ddos |----+
+--------+     +---+--+     +----+----+     +-----+-----+    |
 ingress           |             |                |          |
                   |2            |7               |8         |10
                   |             |                |          |
                   |             v                |          |
               +---+---+  3  +---+---+  4  +------+--+  9  +------+
               | Node2 |-----| Node4 |---->|  Node6  |---->|Egress|--->
               |  WAF  |     |  IPS  |     +---------+     +------+
               +---+---+     +-------+                        |
                   |                    11                    |
                   +------------------------------------------+

          Figure 4-2: User requires IPS service
When UserA needs WAF service, the secure route must pass through Node2. Figure 4-3 shows the path <1,2,11> selected for UserA, which requires WAF service.
                                            +-----------+
+--------+  1  +------+  5  +---------+  6  |   Node5   |
| UserA  |---->| Node1|-----|  Node3  |-----| Anti-ddos |----+
+--------+     +---+--+     +----+----+     +-----+-----+    |
 ingress           |             |                |          |
                   |2            |7               |8         |10
                   |             |                |          |
                   v             |                |          |
               +---+---+  3  +---+---+  4  +------+--+  9  +------+
               | Node2 |-----| Node4 |-----|  Node6  |-----|Egress|--->
               |  WAF  |     |  IPS  |     +---------+     +------+
               +---+---+     +-------+                        ^
                   |                    11                    |
                   +------------------------------------------+

          Figure 4-3: User requires WAF service
When UserA needs IPS, WAF and anti-DDoS services, the secure route must pass through Node4, Node2 and Node5. Figure 4-4 shows the path <1,2,3,7,6,10> selected for UserA, which requires IPS, WAF and anti-DDoS services.
                                            +-----------+
+--------+  1  +------+  5  +---------+  6  |   Node5   |
| UserA  |---->| Node1|-----|  Node3  |---->| Anti-ddos |----+
+--------+     +---+--+     +----+----+     +-----+-----+    |
 ingress           |             ^                |          |
                   |2            |7               |8         |10
                   |             |                |          |
                   v             |                |          v
               +---+---+  3  +---+---+  4  +------+--+  9  +------+
               | Node2 |---->| Node4 |-----|  Node6  |-----|Egress|--->
               |  WAF  |     |  IPS  |     +---------+     +------+
               +---+---+     +-------+                        |
                   |                    11                    |
                   +------------------------------------------+

          Figure 4-4: User requires WAF, IPS and anti-DDoS services
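The path computation behind both use cases (avoiding a poorly trusted node as in Figure 3, and steering through the nodes that host the requested security functions as in Figures 4-1 to 4-4), as an added example that is not code from the draft. It enumerates the loop-free paths of the figures' topology and applies the two policies as constraints. Link numbers and node names follow the figures; the per-node trust scores, the inventory of which node hosts which function, and the tie-breaking rule are assumptions made for the example.

```python
"""Trust- and security-function-aware path selection over the topology of
Figures 3 and 4. Added example, not code from the draft. Link numbers and
node names follow the figures; the trust scores and the inventory of which
node hosts which security function are constructed for illustration."""

# (link id, endpoint A, endpoint B); links carry traffic in either direction
# at unit cost. Links 1-8 are Figure 3; links 9-11 are added in Figure 4.
LINKS = [
    (1, "UserA", "Node1"), (2, "Node1", "Node2"), (3, "Node2", "Node4"),
    (4, "Node4", "Node6"), (5, "Node1", "Node3"), (6, "Node3", "Node5"),
    (7, "Node3", "Node4"), (8, "Node5", "Node6"), (9, "Node6", "Egress"),
    (10, "Node5", "Egress"), (11, "Node2", "Egress"),
]
FIGURE3_LINKS = [link for link in LINKS if link[0] <= 8]

# Security functions hosted by nodes, as labelled in Figure 4 (constructed).
FUNCTIONS = {"Node2": {"waf"}, "Node4": {"ips"}, "Node5": {"anti-ddos"}}

# Controller's trustworthiness appraisal of each node (Figure 2), 0.0-1.0.
# Constructed: Node3 is the poorly trusted node of the first use case.
TRUST = {"UserA": 1.0, "Node1": 0.9, "Node2": 0.9, "Node3": 0.2,
         "Node4": 0.8, "Node5": 0.9, "Node6": 0.8, "Egress": 1.0}


def adjacency(links):
    """node -> list of (neighbour, link id)."""
    adj = {}
    for lid, a, b in links:
        adj.setdefault(a, []).append((b, lid))
        adj.setdefault(b, []).append((a, lid))
    return adj


def simple_paths(adj, src, dst):
    """Yield (link_ids, nodes) for every loop-free path src -> dst.
    Plain DFS: fine for a topology this small, not for a whole ISP."""
    stack = [(src, [src], [])]
    while stack:
        node, nodes, links = stack.pop()
        if node == dst:
            yield links, nodes
            continue
        for nxt, lid in adj.get(node, []):
            if nxt not in nodes:  # never revisit a node
                stack.append((nxt, nodes + [nxt], links + [lid]))


def select_paths(links, src, dst, required=frozenset(), min_trust=0.0,
                 trust=TRUST, functions=FUNCTIONS):
    """All policy-compliant paths of minimum cost, sorted, as (link_ids, nodes).

    Policy 1 (Figure 3): every node on the path must have trust >= min_trust.
    Policy 2 (Figure 4): the path must visit a node hosting each function in
    `required`. Cost is (hop count, number of security-function nodes that
    host nothing the user asked for); the second term keeps traffic out of an
    unrequested WAF/IPS/anti-DDoS box when an equally short path avoids it.
    Ties that remain are ordered by link ids only to make output deterministic.
    """
    required = set(required)
    ranked = []
    for lids, nodes in simple_paths(adjacency(links), src, dst):
        if any(trust.get(n, 0.0) < min_trust for n in nodes):
            continue  # policy 1: path touches an untrusted node
        offered = set().union(*(functions.get(n, set()) for n in nodes))
        if not required <= offered:
            continue  # policy 2: a required security function is missing
        extra = sum(1 for n in nodes
                    if functions.get(n) and not functions[n] & required)
        ranked.append(((len(lids), extra, tuple(lids)), lids, nodes))
    if not ranked:
        raise ValueError(f"no path {src}->{dst} satisfies "
                         f"required={sorted(required)}, min_trust={min_trust}")
    ranked.sort()
    best = ranked[0][0][:2]
    return [(lids, nodes) for cost, lids, nodes in ranked if cost[:2] == best]


def select_path(*args, **kwargs):
    """First (lowest link-id order) of the optimal paths from select_paths."""
    return select_paths(*args, **kwargs)[0]


if __name__ == "__main__":
    print("Figure 3, no trust policy:", select_path(FIGURE3_LINKS, "UserA", "Node6"))
    print("Figure 3, trust >= 0.5:  ", select_path(FIGURE3_LINKS, "UserA", "Node6", min_trust=0.5))
    for need in ({"anti-ddos"}, {"ips"}, {"waf"}, {"waf", "ips", "anti-ddos"}):
        print(f"Figure 4, {sorted(need)}:", select_paths(LINKS, "UserA", "Egress", required=need))
```

Without the trust policy the shortest path to Node6 in Figure 3 runs through Node3; with min_trust=0.5 the only compliant path is <1,2,3,4>, as in Figure 3. For Figures 4-1 to 4-3 the requested function fixes the path uniquely (<1,5,6,10>, <1,5,7,4,9>, <1,2,11>). Figure 4-4 is a genuine tie: <1,2,3,7,6,10> via Node3 and <1,2,3,4,8,10> via Node6 are both six hops and both avoid unrequested functions, so the function returns both and the choice is a policy decision; adding the trust policy (min_trust=0.5) removes the Node3 path and leaves only the Node6 one. The node sequence returned is what the controller would encode as the SRv6 segment list to enforce the route; the example stops at path selection.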
This memo includes no request to IANA.