The Requirements for Secure Routing
draft-chen-secure-routing-requirements-00

This is an older version of an Internet-Draft whose latest revision state is "Expired".
Authors: Meiling Chen, Li Su
Last updated: 2022-09-28
Internet Engineering Task Force                                Chen, Ed.
Internet-Draft                                                     L. Su
Intended status: Informational                              China Mobile
Expires: 2 April 2023                                  29 September 2022

                  The Requirements for Secure Routing
               draft-chen-secure-routing-requirements-00

Abstract

   At present, a router performs routing by looking up its own routing
   table to decide whether a packet is forwarded or discarded.  As
   networks develop, attention is paid not only to reachability but also
   to security capability in the routing process.  With security
   incidents occurring frequently, more and more network devices carry
   security functions, and many scenarios require secure routing and a
   secure path.

Status of This Memo

   This Internet-Draft is submitted in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF).  Note that other groups may also distribute
   working documents as Internet-Drafts.  The list of current Internet-
   Drafts is at https://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   This Internet-Draft will expire on 2 April 2023.

Copyright Notice

   Copyright (c) 2022 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

Chen & Su                 Expires 2 April 2023                  [Page 1]
Internet-Draft                  Use Cases                 September 2022

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents (https://trustee.ietf.org/
   license-info) in effect on the date of publication of this document.
   Please review these documents carefully, as they describe your rights
   and restrictions with respect to this document.  Code Components
   extracted from this document must include Revised BSD License text as
   described in Section 4.e of the Trust Legal Provisions and are
   provided without warranty as described in the Revised BSD License.

Table of Contents

   1.  Introduction  . . . . . . . . . . . . . . . . . . . . . . . .   2
   2.  Secure Routing Use Cases  . . . . . . . . . . . . . . . . . .   3
     2.1.  Requirements of network operators . . . . . . . . . . . .   3
     2.2.  Requirements of users . . . . . . . . . . . . . . . . . .   4
   3.  IANA Considerations . . . . . . . . . . . . . . . . . . . . .   4
   4.  Security Considerations . . . . . . . . . . . . . . . . . . .   5
   Authors' Addresses  . . . . . . . . . . . . . . . . . . . . . . .   5

1.  Introduction

   At present, a router performs routing by looking up its own routing
   table to decide whether a packet is forwarded or discarded.  Routing
   methods may be programmable or non-programmable, and data is
   forwarded on the principle of fast access.  As networks develop,
   people pay attention not only to reachability in the routing process
   but also to link security.  Link security includes routing security
   and node security.  In addition to the traditional terrestrial
   network, the future development of satellite networks will also
   involve link security.  Because satellite networks are more open, a
   security vulnerability in an inter-satellite node can affect the
   security of the whole network.

   Security attacks occur almost every moment somewhere in the world, so
   network devices are continually updated and iterated to cope with
   complex security environments.  In addition to dedicated security
   devices, many network devices integrate security functions, such as
   routers with anti-DDoS capability.  At present, most routers offer
   anti-DDoS protection in their advanced settings.  Usually, this
   function is not enabled by default: when DDoS protection is enabled
   on a router, the speed of the whole network drops dramatically.
   Similarly, a switch may provide anti-DDoS, intrusion detection (IDS)
   and firewall functions, and a gateway may provide anti-virus,
   intrusion detection, firewall, VPN and other security functions.


   Starting from the requirements of network operators and users, the
   security attribute should be taken as a key factor in selecting the
   route and transmission path, so that the security of link
   transmission can be measured.  To achieve this goal, the following
   may need to be studied:

   1.  A method or protocol for routing and transmitting data according
       to security capabilities;

   2.  An interaction protocol that allows the security of the links in
       a path to be perceived and measured;

   3.  A security measurement and feedback model: an authorized third
       party makes the security measurement decisions and provides the
       results to the user as reference suggestions, so that the user
       can determine how far to depend on and trust the security of the
       link;

   4.  Atomized description and definition of security functions: the
       security functions supported by existing network devices are
       reorganized, defined and encoded.  Generally, the security
       functions of a device can be described as a collection.

2.  Secure Routing Use Cases

2.1.  Requirements of network operators

   Transmission security generally relies on encryption, IPsec and
   similar measures to ensure end-to-end security.  The operator's
   channel is responsible for data transmission but lacks the ability
   to provide security consultation to users.  The network is becoming
   more complex and the intersection between networks more pronounced,
   so the traditional security domain is gradually breaking down.  The
   need for online, real-time security of streaming traffic is evident,
   and the operator needs to obtain the security status of each device
   in the network.

   For customers with high security requirements, operators need to
   transmit data at the security level the customer expects.  For
   example, in addition to its IP address, each node also carries a
   description of its own security functions, that is, a security
   vector.  When the user sends a request, the security requirement is
   converted into a security vector.  When forwarding data, both the IP
   address and the security vector are used as selection criteria to
   achieve the best delivery.


         A(ip,sv)          B(ip,sv)       C(ip,sv)
         ┌────────┐      ┌────────┐      ┌────────┐
    ────►│ Router ├─────►│ Router ├─────►│ Router ├────────┐
         └───┬────┘      └───┬────┘      └───┬────┘        │
             │               │               │             │
             │               │               │             │
             │               │               │             │
             │           ┌───▼────┐      ┌───▼────┐   ┌────▼───┐
             └───────────► Router ├──────► Router ├───► Router ├──►
                         └────────┘      └────────┘   └────────┘
                          D(ip,sv)        E(ip,sv)     F(ip,sv)
     Figure 1: Select path according to IP address and security vector

2.2.  Requirements of users

   Users' security awareness is at the highest level in history.
   Application-level security measures at the upper layer alone can no
   longer meet their needs; the user needs the transport pipeline itself
   to provide an objective presentation of its security.  Security needs
   to be quantified, objective and authoritative.

   Users need to convert their security requirements into security
   vectors, yet general users may not have a security background.
   Therefore, in most cases a security vector translator is required to
   convert perceptual requirements into objective security vectors.  The
   security vector is then used for route selection and data forwarding;
   for example, the route can be chosen according to the best-effort
   delivery principle together with maximum satisfaction of the security
   vector.

                 (ip,sv)       (ip,sv)
                ┌───────┐     ┌───────┐
      ──────────► Router├─────►Router ├──────┐
   (Src,Dst,sv) └──┬────┘     └───────┘      │
                   │                         │
                   │                         │
                   │      (ip,sv)            │
                   │     ┌───────┐       ┌───▼──┐
                   └────►│Router ├──────►│Router├───►DST
                         └───────┘       └──────┘
                                          (ip,sv)
   Figure 2: Select the path according to the user's security vector requirements
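   As an added example, not code from the draft or its authors, the
   following Python model puts together the atomized, encoded security
   functions of Section 1 (item 4) and the route selection of Sections 2.1
   and 2.2: each router carries (ip, sv), and the path that satisfies most
   of the user's required vector is chosen, with fewest hops as the
   best-effort tie-break.  The function catalogue, router names and the
   Figure 2 topology are constructed for the example.

```python
# Added example, not the draft's own code: choose a path by IP reachability
# plus each node's "security vector" (sv), Sections 1 and 2.2.  Functions are
# atomized (Section 1, item 4) and bit-encoded; catalogue and topology constructed.
SECURITY_FUNCTIONS = {
    "anti_ddos": 1 << 0, "ids": 1 << 1, "firewall": 1 << 2,
    "ipsec": 1 << 3, "antivirus": 1 << 4,
}

def encode_sv(functions):
    """Encode function names as a security-vector bitmask."""
    sv = 0
    for name in functions:
        sv |= SECURITY_FUNCTIONS[name]  # KeyError: name not in catalogue
    return sv

def sv_names(sv):
    return sorted(n for n, bit in SECURITY_FUNCTIONS.items() if sv & bit)

def simple_paths(links, src, dst, path=()):
    """Yield loop-free paths over an adjacency dict node -> [neighbours]."""
    path = path + (src,)
    if src == dst:
        yield path
        return
    for nxt in links[src]:
        if nxt not in path:
            yield from simple_paths(links, nxt, dst, path)

def select_path(links, node_sv, required_sv, src, dst):
    """Return (path, unmet_names): the path meeting most of required_sv, ties
    to fewest hops (best-effort delivery). A requirement counts only if every
    router on the path supports it, so the path sv is the AND of node svs."""
    best = None  # (score, path, satisfied_bits)
    for path in simple_paths(links, src, dst):
        satisfied = required_sv
        for node in path:
            satisfied &= node_sv[node]
        score = (bin(satisfied).count("1"), -len(path))
        if best is None or score > best[0]:
            best = (score, path, satisfied)
    if best is None:
        return None, sv_names(required_sv)  # no IP reachability at all
    return best[1], sv_names(required_sv & ~best[2])  # unmet -> user decides

# Figure 2 topology: R1 -> R2 -> R4 and R1 -> R3 -> R4 (R4 fronts DST).
LINKS = {"R1": ["R2", "R3"], "R2": ["R4"], "R3": ["R4"], "R4": []}
NODE_SV = {"R1": encode_sv({"firewall", "ids", "ipsec"}),
           "R2": encode_sv({"anti_ddos"}),  # reachable but nearly bare
           "R3": encode_sv({"firewall", "ids", "ipsec", "anti_ddos"}),
           "R4": encode_sv({"firewall", "ids", "ipsec"})}
```

   The returned unmet list is the feedback of Section 1, item 3: a requirement
   that no router chain can honour is reported rather than silently dropped.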

3.  IANA Considerations

   This memo includes no request to IANA.


4.  Security Considerations

   TBD

Authors' Addresses

   Meiling Chen (editor)
   China Mobile
   BeiJing
   China
   Email: chenmeiling@chinamobile.com

   Li Su
   China Mobile
   BeiJing
   China
   Email: suli@chinamobile.com
