The Use Cases for Secure Routing
draft-chen-secure-routing-use-cases-00

Note: this is an older version of the Internet-Draft; the latest revision state is "Active".
Authors: Meiling Chen, Li Su
Last updated: 2023-03-05
Internet Engineering Task Force                                     Chen
Internet-Draft                                                     L. Su
Intended status: Informational                              China Mobile
Expires: 7 September 2023                                   6 March 2023

                    The Use Cases for Secure Routing
                 draft-chen-secure-routing-use-cases-00

Abstract

   Traditional path selection criteria include the shortest path, the
   lowest delay, and the least jitter.  This document proposes adding a
   new factor, security, so that the forwarding path is also determined
   from the security dimension.

   With the frequent occurrence of security incidents, users' demand for
   security services is increasingly strong.  Since an ISP's network
   already contains many security devices, this draft proposes secure
   routing, whose purpose is to converge security and routing so as to
   ensure the security of the transmission process.

   The scope is the security of the transmission process; end-to-end
   security and processing security are out of scope.

Status of This Memo

   This Internet-Draft is submitted in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF).  Note that other groups may also distribute
   working documents as Internet-Drafts.  The list of current Internet-
   Drafts is at https://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   This Internet-Draft will expire on 7 September 2023.

Copyright Notice

   Copyright (c) 2023 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

Chen & Su               Expires 7 September 2023                [Page 1]
Internet-Draft                  Use Cases                     March 2023

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents (https://trustee.ietf.org/
   license-info) in effect on the date of publication of this document.
   Please review these documents carefully, as they describe your rights
   and restrictions with respect to this document.  Code Components
   extracted from this document must include Revised BSD License text as
   described in Section 4.e of the Trust Legal Provisions and are
   provided without warranty as described in the Revised BSD License.

Table of Contents

   1.  Introduction  . . . . . . . . . . . . . . . . . . . . . . . .   2
   2.  Analysis of security requirements . . . . . . . . . . . . . .   3
   3.  Security and network convergence  . . . . . . . . . . . . . .   3
   4.  Secure Routing Use Cases  . . . . . . . . . . . . . . . . . .   3
     4.1.  Basic path for secure routing . . . . . . . . . . . . . .   4
     4.2.  Differentiated service for secure routing.  . . . . . . .   5
   5.  IANA Considerations . . . . . . . . . . . . . . . . . . . . .   6
   6.  Security Considerations . . . . . . . . . . . . . . . . . . .   6
   Authors' Addresses  . . . . . . . . . . . . . . . . . . . . . . .   6

1.  Introduction

   With the frequent occurrence of network security events, users'
   demand for network security is increasingly strong, and there is no
   doubt that multi-level security is needed to protect them.  The
   current security risk comes mainly from attacks, and users need
   security services to keep their business running normally.

   Some companies build security centers by themselves, some buy third-
   party cloud security services, and some hope that ISPs can provide
   security services through secure routing.  Secure routing provided by
   ISPs can be implemented by steering traffic through security
   devices.  With the development of programmable networks and SRv6
   technology, the forwarding requirements of the upper layer can be
   fulfilled through routing programming; reachability and security in
   the routing process can be handled together to provide users with
   secure routing.

   In addition to dedicated security equipment, network devices are also
   being upgraded to integrate security functions so as to cope with
   complex security environments; for example, routers with anti-DDoS
   functions, and switches with intrusion detection (IDS) and firewall
   functions.


2.  Analysis of security requirements

   For ISPs, users differ in credibility, so it is necessary to define
   the routing path with the security protection of the underlying
   network in mind.

   For users, different users have different security requirements,
   which depend on their business.  For example, e-commerce and Internet
   companies focus on phishing prevention, anti-DDoS protection, and
   data security; medical companies focus on data security and security
   isolation; and so on.  In a word, users have differentiated security
   requirements.

3.  Security and network convergence

   If security functions and network functions are highly integrated,
   security can be as flexible as network connectivity.  By extending
   existing routing protocols to obtain information about the security
   devices in the network, secure routing can be realized by taking the
   security policy into account when computing the routing strategy.
   The following figure describes the relationship between the
   controller, the network devices and the security devices.

                    +-----------+
                    |    IP     |
                    |programming|
                    | controller|
                    +-----x-----+
                          x
                          x
        xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
        x                                  x
        x            +---------+           x
    +---x----+       |security |       +---x----+
    | router +-------+ device  +-------+ router |
    +---+----+       +---------+       +--------+
        |
   +----+----+
   |security |
   | device  |
   +---------+

   Figure 1: Secure routing model

4.  Secure Routing Use Cases

   Two use cases are described below.


   1.  A policy-based routing path ensures basic network security, and
       network node security evaluation ensures the security of the
       transmission nodes themselves;

   2.  A differentiated security path meets user requirements.

4.1.  Basic path for secure routing

   This scenario occurs in 5G vertical-industry networks.  A network
   slice for the power industry requires physical isolation, that is,
   it must run on independent physical machines.  To achieve this
   requirement, the controller must collect the network node
   information.  When it is time to provide services for the power
   slice, the information is simply obtained from the controller and
   the secure route is then computed.

   For security, obtaining node information and appraising the
   trustworthiness of nodes can help improve basic node security
   awareness; the draft draft-voit-rats-trustworthy-path-routing
   focuses on this field.

               +-------------+
               |  Controller |
               +------+------+
              appraise|trustworthiness
       +--------------+---------------+
       |              |               |
   +---+----+     +---+---+      +----+---+
   | Node1  +-----+ Node2 +------+ Node3  |
   +--------+     +-------+      +--------+

   Figure 2: Node security appraisement

   Also, the credibility of users is differentiated: for users with poor
   credibility or potential attack behavior, critical nodes are avoided
   when forming routing paths.  As shown in the figure, for user A with
   poor credibility, key node Node3 is avoided when forming the path
   <1,2,3,4>.


                     Ingress
                                    +---------+
   +--------+  1    +------+   5    |   Key   |  6  +------+
   | User A +------>| Node1+-------->  Node3  +-----+ Node5|
   +--------+       +---+--+        +----+----+     +---+--+
                        |                |              |
                        |                |              |
                        | 2              |7             |8
                        |                |              |
                        |                |              |
                        |                |              |
                    +---+--+     3   +---v--+    4  +---+--+
                    | Node2+---------+ Node4+-------> Node6+---->
                    +------+         +------+       +------+
                                                     Egress

               Figure 3: Key network node protection

4.2.  Differentiated service for secure routing.

   ISPs have deployed many security devices and security resource pools
   in the underlying network; once a network node is attacked, the
   security functions need to be scheduled quickly and efficiently to
   mitigate the attack.  Users have clear requirements for their own
   security services.

   For ToB users, the types of users differ, and so do the
   corresponding security requirements.  The security requirement is no
   longer simply divided into high, medium and low levels, but is more
   specific.  For example, in addition to low-latency connections,
   customers in the game industry should first consider anti-DDoS
   services among their security requirements; therefore, ISPs are
   required to provide anti-DDoS security services.  For financial
   customers, data security is the most important: it is required that
   data cannot be tampered with, eavesdropped on, or copied, and so on.

   For customers with specific security requirements, ISPs need to
   transmit data at the security level the customer expects.  For
   example, if the user needs anti-DDoS and IPS services, the secure
   route is path <1,5,7,4>.  If the user needs a WAF service, the
   secure route is path <1,2,3,4>.


                     Ingress
                                    +---------+
   +--------+  1    +------+   5    | Node3   |  6  +------+
   | User A +------>| Node1+-------->Anti-ddos+-----+ Node5|
   +--------+       +---+--+        +----+----+     +---+--+
                        |                |              |
                        |                |              |
                        | 2              |7             |8
                        |                |              |
                        |                |              |
                        |                |              |
                    +---+--+     3   +---v--+    4  +---+--+
                    | Node2+---------+ Node4+-------> Node6+---->
                    | WAF  |         | IPS  |       +------+
                    +------+         +------+        Egress

              Figure 4: User requires anti-DDoS and IPS services
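   Worked example (added here; this is not code from the draft or from
   China Mobile): a controller-side path selection that implements both
   use cases of Section 4 over the topology of Figures 3 and 4.  The
   link numbers, the arrow directions and the roles of Node2 (WAF),
   Node3 (anti-DDoS, the key node of Figure 3) and Node4 (IPS) are
   transcribed from the figures; the appraisal values, the hop-count
   metric and the forbidden_nodes/select_secure_path functions are
   assumptions made for illustration, not part of the draft.

```python
"""Constrained secure-path selection over the topology of Figures 3 and 4.

Added example, not code from the draft.  Topology, link ids and node roles
come from the figures; the constraint model (forbidden nodes, required
security functions, hop-count metric) is an assumption for illustration.
"""

# Links as (link_id, a, b), transcribed from Figures 3/4 (constructed input).
LINKS = [
    (1, "UserA", "Node1"),
    (2, "Node1", "Node2"),
    (3, "Node2", "Node4"),
    (4, "Node4", "Node6"),
    (5, "Node1", "Node3"),
    (6, "Node3", "Node5"),
    (7, "Node3", "Node4"),
    (8, "Node5", "Node6"),
]
# The figures draw arrows only on links 1, 4, 5 and 7; the rest are two-way.
DIRECTED = {1, 4, 5, 7}

# Security functions hosted on nodes (Figure 4) and the key node (Figure 3).
NODE_FUNCTIONS = {"Node2": {"waf"}, "Node3": {"anti-ddos"}, "Node4": {"ips"}}
KEY_NODES = {"Node3"}

# Trustworthiness appraisal results collected by the controller (Figure 2);
# constructed sample values, True = node passed its appraisal.
NODE_APPRAISAL = {n: True for n in ("Node1", "Node2", "Node3", "Node4", "Node5", "Node6")}


def build_adjacency(links, directed):
    """Map node -> [(link_id, neighbour)], honouring one-way links."""
    adj = {}
    for lid, a, b in links:
        adj.setdefault(a, []).append((lid, b))
        if lid not in directed:
            adj.setdefault(b, []).append((lid, a))
    return adj


def simple_paths(adj, src, dst):
    """Yield every loop-free path from src to dst as (nodes, link_ids)."""
    stack = [(src, [src], [])]
    while stack:
        node, nodes, lids = stack.pop()
        if node == dst:
            yield nodes, lids
            continue
        for lid, nxt in adj.get(node, []):
            if nxt not in nodes:  # keep the path simple
                stack.append((nxt, nodes + [nxt], lids + [lid]))


def forbidden_nodes(appraisal, key_nodes, user_trusted):
    """Nodes a path may not use: every node that failed its trustworthiness
    appraisal (Figure 2), plus the key nodes when the user's own credibility
    is poor (Figure 3)."""
    bad = {n for n, ok in appraisal.items() if not ok}
    if not user_trusted:
        bad |= set(key_nodes)
    return bad


def select_secure_path(adj, src, dst, node_functions, avoid=frozenset(), require=frozenset()):
    """Return the link ids of the shortest loop-free path that avoids every
    node in `avoid` and traverses nodes that together offer every function in
    `require`; None when no path satisfies the policy (the controller should
    then refuse the service rather than silently drop a requirement)."""
    best = None
    for nodes, lids in simple_paths(adj, src, dst):
        if avoid & set(nodes):
            continue
        offered = set().union(*(node_functions.get(n, set()) for n in nodes))
        if not set(require) <= offered:
            continue
        key = (len(lids), lids)  # fewest hops, then lowest link ids for determinism
        if best is None or key < best[0]:
            best = (key, lids)
    return best[1] if best else None


ADJ = build_adjacency(LINKS, DIRECTED)

if __name__ == "__main__":
    # Use case 4.1: user A has poor credibility, so key node Node3 is avoided.
    avoid = forbidden_nodes(NODE_APPRAISAL, KEY_NODES, user_trusted=False)
    print("poor-credibility user:", select_secure_path(ADJ, "UserA", "Node6", NODE_FUNCTIONS, avoid=avoid))
    # Use case 4.2: trusted user that needs anti-DDoS and IPS, or only WAF.
    print("anti-ddos + ips:", select_secure_path(ADJ, "UserA", "Node6", NODE_FUNCTIONS, require={"anti-ddos", "ips"}))
    print("waf:", select_secure_path(ADJ, "UserA", "Node6", NODE_FUNCTIONS, require={"waf"}))
    # No single path hosts both a WAF and anti-DDoS in this topology.
    print("anti-ddos + waf:", select_secure_path(ADJ, "UserA", "Node6", NODE_FUNCTIONS, require={"anti-ddos", "waf"}))
```

   On this topology the poor-credibility case yields path <1,2,3,4>,
   the anti-DDoS plus IPS case yields path <1,5,7,4> and the WAF case
   yields path <1,2,3,4>, matching the paths named in Sections 4.1 and
   4.2.  Requesting anti-DDoS together with WAF returns None, because no
   loop-free path crosses both Node3 and Node2; a controller must
   surface that as a policy failure instead of quietly selecting a path
   that lacks one of the requested functions.  A production controller
   would replace the hop-count metric with delay or cost and would
   refresh the appraisal results as nodes re-attest.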

5.  IANA Considerations

   This memo includes no request to IANA.

6.  Security Considerations

   TBD

Authors' Addresses

   Meiling Chen
   China Mobile
   BeiJing
   China
   Email: chenmeiling@chinamobile.com

   Li Su
   China Mobile
   BeiJing
   China
   Email: suli@chinamobile.com
