Multi-party Multi-Domain Trust Architecture Recommendations for SDN Deployment in Carrier Network
draft-chattopadhyay-sdnrg-multi-party-sdn-trust-03

Document Type Active Internet-Draft (individual)
Last updated 2016-09-21
Stream (None)
Intended RFC status (None)
Stream state (No stream defined)
Consensus Boilerplate Unknown
RFC Editor Note (None)
IESG IESG state I-D Exists
SDNRG                                             Saurabh Chattopadhyay
Internet-Draft                                    HCL Technologies
Intended status: Informational                    Kaushik Datta
Expires: March 21, 2017                           HCL Technologies
                                                  September 21, 2016

 
   Multi-party Multi-Domain Trust Architecture Recommendations for SDN 
Deployment in Carrier Network
         draft-chattopadhyay-sdnrg-multi-party-sdn-trust-03

Abstract

   This draft analyzes the complexities involved in setting up a
   certification infrastructure for multi-tenant, multi-domain network
   environments that have adopted SDN.  Several architectural options
   are available to address these complexities; the draft consolidates
   and analyzes them.  There are, however, implementation-level
   challenges that make these options difficult to operationalize.  The
   draft identifies those challenges and translates them into
   requirements for an operational framework suitable for managing
   certificate chains in an SDN-integrated environment.  Finally, a
   further assessment consolidates contemporary work in progress in
   different Working Groups and its likely coverage of the identified
   operational framework requirements.

Status of This Memo

   This Internet-Draft is submitted in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF).  Note that other groups may also distribute
   working documents as Internet-Drafts.  The list of current Internet-
   Drafts is at http://datatracker.ietf.org/drafts/current/.
   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   This Internet-Draft will expire on March 21, 2017.

Copyright Notice

   Copyright (c) 2015 IETF Trust and the persons identified as the
   document authors.  All rights reserved.
   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (http://trustee.ietf.org/license-info) in effect on the date of
   publication of this document.  Please review these documents
   carefully, as they describe your rights and restrictions with respect
   to this document.  Code Components extracted from this document must
   include Simplified BSD License text as described in Section 4.e of
   the Trust Legal Provisions and are provided without warranty as
   described in the Simplified BSD License.

Chattopadhyay, et al.   Expires March 21, 2017                  [Page 1]
Internet Draft    Multi-Party SDN Trust Architecture      September 2016

Table of Contents

   1.  Introduction . . . . . . . . . . . . . . . . . . . . . . . . .  2
     1.1.  Overview . . . . . . . . . . . . . . . . . . . . . . . . .  2
     1.2.  Document Outline . . . . . . . . . . . . . . . . . . . . .  3
   2.  Basic Terminologies  . . . . . . . . . . . . . . . . . . . . .  3
     2.1.  Basic PKI Terminologies  . . . . . . . . . . . . . . . . .  3
     2.2.  Basic SDN Terminologies  . . . . . . . . . . . . . . . . .  5
   3.  Prime Requirements for Setting up Authentication Infrastructure
   in SDN adopted Environment . . . . . . . . . . . . . . . . . . . .  6
     3.1.  Identity Declaration and Certification Scenarios in 
     Multi-Tenant SDN Environment . . . . . . . . . . . . . . . . . .  6
     3.2.  Multi-Domain Certification Policy Diversities. . . . . . .  8
     3.3.  Layer of Security Enforcement  . . . . . . . . . . . . . .  8
   4.  SDN aligned Certification Architecture - Building Blocks . . .  8
   5.  Continuous Certificate Chaining  . . . . . . . . . . . . . . .  9
     5.1.  SDN Multi-Domain Bridge Model  . . . . . . . . . . . . . . 10
     5.2.  SDN Multi-Domain Direct Cross Certification. . . . . . . . 11
     5.3.  SDN Unifying Domain Model  . . . . . . . . . . . . . . . . 12
   6.  Discontinuous Certificate Chaining . . . . . . . . . . . . . . 13
     6.1.  SDN-security domains with independent PKI infrastructure . 13
     6.2.  Discontinuous SDN-security domains with varying
     Authentication Infrastructure. . . . . . . . . . . . . . . . . . 15
   7.  Need for Integrated Operational Framework for Certificate
   Chain Management . . . . . . . . . . . . . . . . . . . . . . . . . 16
   8.  Contemporary Work aligning to Operational Framework
   requirements for Certificate Chaining . . . . . . . . . . . . . . . 18
     8.1.  Automatic Certificate Management Environment (ACME). . . . 18
     8.2.  Application Bridging for Federated Access Beyond