Skip to main content

Computing Resource Authenticity Evaluation in Computing-Aware Traffic Steering
draft-ma-cats-computing-authenticity-evaluation-00

Document Type Active Internet-Draft (individual)
Authors Xiaoting Ma , Shuai Gao , Zixuan Lei , 徐子恒
Last updated 2024-11-05
RFC stream (None)
Intended RFC status (None)
Formats
Stream Stream state (No stream defined)
Consensus boilerplate Unknown
RFC Editor Note (None)
IESG IESG state I-D Exists
Telechat date (None)
Responsible AD (None)
Send notices to (None)
draft-ma-cats-computing-authenticity-evaluation-00
cats                                                               X. Ma
Internet-Draft                                             China Telecom
Intended status: Standards Track                                  S. Gao
Expires: 10 May 2025                                              Z. Lei
                                             Beijing Jiaotong University
                                                                   Z. Xu
                                                           China Telecom
                                                         6 November 2024

 Computing Resource Authenticity Evaluation in Computing-Aware Traffic
                                Steering
           draft-ma-cats-computing-authenticity-evaluation-00

Abstract

   This draft introduces an evaluation scheme for computing resource
   authenticity.  The scheme aims to verify and evaluate the
   authenticity of computing resources in the network using application
   layer method.  This draft describes the basic principle of the scheme
   and authentication mechanism.

Status of This Memo

   This Internet-Draft is submitted in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF).  Note that other groups may also distribute
   working documents as Internet-Drafts.  The list of current Internet-
   Drafts is at https://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   This Internet-Draft will expire on 10 May 2025.

Copyright Notice

   Copyright (c) 2024 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents (https://trustee.ietf.org/
   license-info) in effect on the date of publication of this document.
   Please review these documents carefully, as they describe your rights

Ma, et al.                 Expires 10 May 2025                  [Page 1]
Internet-Draft  Computing Resource Authenticity Evaluati   November 2024

   and restrictions with respect to this document.  Code Components
   extracted from this document must include Revised BSD License text as
   described in Section 4.e of the Trust Legal Provisions and are
   provided without warranty as described in the Revised BSD License.

Table of Contents

   1.  Introduction  . . . . . . . . . . . . . . . . . . . . . . . .   2
     1.1.  Requirements Language . . . . . . . . . . . . . . . . . .   4
   2.  The Definition of Terms . . . . . . . . . . . . . . . . . . .   4
   3.  Node Registration . . . . . . . . . . . . . . . . . . . . . .   5
     3.1.  Client Node Registration  . . . . . . . . . . . . . . . .   5
     3.2.  Service Site Node Registration  . . . . . . . . . . . . .   5
   4.  Service Instance Allocation . . . . . . . . . . . . . . . . .   5
   5.  Bilateral Evaluation Mechanism  . . . . . . . . . . . . . . .   6
     5.1.  Bilateral Evaluation  . . . . . . . . . . . . . . . . . .   6
     5.2.  Data Updating . . . . . . . . . . . . . . . . . . . . . .   6
   6.  Unresolved Issues . . . . . . . . . . . . . . . . . . . . . .   6
   7.  Security Considerations . . . . . . . . . . . . . . . . . . .   6
     7.1.  Security Risk . . . . . . . . . . . . . . . . . . . . . .   6
     7.2.  Response  . . . . . . . . . . . . . . . . . . . . . . . .   7
   8.  References  . . . . . . . . . . . . . . . . . . . . . . . . .   7
     8.1.  Normative References  . . . . . . . . . . . . . . . . . .   7
     8.2.  Informative References  . . . . . . . . . . . . . . . . .   7
   Acknowledgements  . . . . . . . . . . . . . . . . . . . . . . . .   8
   Authors' Addresses  . . . . . . . . . . . . . . . . . . . . . . .   8

1.  Introduction

   Computing resources play an important role in Computing-Aware Traffic
   Steering.  Attackers may publish false computing resources
   advertisements for profit or malicious purposes, which will cause
   security issues.

   This security issue was also mentioned in
   [I-D.ietf-cats-usecases-requirements]:

   The behavior of the network can be adversely affected by modifying or
   interfering with advertisements of computing resource availability.
   Such attacks could deprive users of the services they desire, and
   might be used to divert traffic to interception points.  Therefore,

   R23: secure advertisements are *REQUIRED* to prevent rogue nodes from
   participating in the network.

Ma, et al.                 Expires 10 May 2025                  [Page 2]
Internet-Draft  Computing Resource Authenticity Evaluati   November 2024

   Many security requirements are also mentioned in
   [I-D.wang-cats-security-considerations].  The security mechanism
   needs to be able to address the anonymity and uniqueness issues of
   service identification.

   In traditional networks, routing information is commonly regarded as
   a publicly verifiable resource, which can enable rapid detection.
   However, the false advertisements of computing resource are difficult
   to detect.

   Considering the particularity of CATS work scenarios and
   requirements, this scheme chooses to use application layer technology
   to solve this security issue.  This scheme proposed in this draft
   aims to solve this problem by coming up with a bilateral evaluation
   mechanism in the network.  The main steps of this scheme are node
   registration, task allocation and bilateral evaluation.

   The structural design is shown in Figure 1.

                       +---------+               +---------+
                       |  Client |               |  Client |
                       +----+----+               +----+----+
                            |                         |
              +---+---------+---------+-----+---------+---------+---+
              |   | CATS Path Selector|     | CATS Path Selector|   |
              |   +-------------------+     +-------------------+   |
              |                                                     |
              |                                                     |
              |                      Underlay                       |
              |                   Infrastructure                    |
              |                                                     |
              |                                                     |
              |   +-------------------+     +-------------------+   |
              |   | CATS Path Selector|     | CATS Path Selector|   |
              +---+---------+---------+-----+---------+---------+---+
                            |                         |
                   +--------+--------+       +--------+--------+
                   |  Service site 1 |       |  Service site 2 |
                   +-----------------+       +-----------------+

                        Figure 1: Structural Design

Ma, et al.                 Expires 10 May 2025                  [Page 3]
Internet-Draft  Computing Resource Authenticity Evaluati   November 2024

1.1.  Requirements Language

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and
   "OPTIONAL" in this document are to be interpreted as described in BCP
   14 [RFC2119] [RFC8174] when, and only when, they appear in all
   capitals, as shown here.

2.  The Definition of Terms

   This document makes use of the following terms.  The terminology
   echoes what is in [I-D.ietf-cats-framework]:

   *Computing-Aware Traffic Steering (CATS):* A traffic engineering
   approach [I-D.ietf-teas-rfc3272bis] that takes into account the
   dynamic nature of computing resources and network state to optimize
   service-specific traffic forwarding towards a given service contact
   instance.  Various relevant metrics may be used to enforce such
   computing-aware traffic steering policies.

   *Client:* An endpoint that is connected to a service provider
   network.

   *Service instance:* An instance of running resources according to a
   given service logic.  Many such instances can be enabled by a
   provider.  Instances that adhere to the same service logic provide
   the same service.  An instance is typically running in a service
   site.  Clients' requests are serviced by one of these instances.

   *Service site:* A location that hosts the resources that are required
   to offer a service.  A service site may be a node or a set of nodes.
   A CATS-serviced site is a service site that is connected to a CATS-
   Forwarder.

   *CATS Path Selector (C-PS):* CATS Path Selectors (C-PSes) use
   information to select where to forward traffic for a given service
   request.  C-PSes also determine the best paths (possibly using
   tunnels) to forward traffic, according to various criteria that
   include network state and traffic congestion conditions.  There might
   be one or more C-PSes used to compute CATS paths in a CATS
   infrastructure.

   *Trust Value:* a parameter to quantify the trust of clients and
   service sites.

Ma, et al.                 Expires 10 May 2025                  [Page 4]
Internet-Draft  Computing Resource Authenticity Evaluati   November 2024

3.  Node Registration

3.1.  Client Node Registration

   When a client node connects to the network, to protect the privacy of
   users, the scheme employs a hashing algorithm to generate unique
   anonymous identity identifiers for each client during the
   registration process.

   When updating task states information, only anonymous identity
   identifiers are used and the real identity information of clients is
   not disclosed.

   The client node that has completed registration will be assigned an
   initialized trust value.

3.2.  Service Site Node Registration

   When the service site node connects to the network, in order to
   verify the computing resources owned by the service site, the service
   site will be required to complete a set of valid tasks.

   After receiving the valid task results from the service site, the
   computing resources of the service site are validated based on the
   valid task execution time and the correctness of the computation
   results.

   In order to protect the privacy of service site, this scheme will use
   a hash algorithm to generate a unique anonymous identity identifier
   for each verified service site node during the registration process.

   The service site node that has completed registration will be
   assigned an initialized trust value.  Afterwards, the service site
   node can be assigned computing tasks.

4.  Service Instance Allocation

   According to client requirements, computing resource information of
   service sites and trust values, the service instance will be
   assigned.

   The entire process of service instance publishing, allocation,
   completion, and feedback is recorded, which will be used for
   resolving business disputes and tracing attacks.

Ma, et al.                 Expires 10 May 2025                  [Page 5]
Internet-Draft  Computing Resource Authenticity Evaluati   November 2024

5.  Bilateral Evaluation Mechanism

5.1.  Bilateral Evaluation

   When service site provides feedback on service instance completion,
   this scheme can verify whether the task has been completed within the
   specified time interval and obtain service site's evaluation of the
   client.

   After client s receive feedback, they are required to evaluate the
   service site that completed the service instance.

   Following the bilateral evaluation by the client and assuming the
   service instance was completed on time, the scheme can calculate the
   trust value of both the client and service site based on that
   evaluation information.

5.2.  Data Updating

   After each service instance is completed, the scheme will update the
   trust values of all participating clients and service sites in
   record.

   The magnitude of the trust value will affect service instance
   allocation priority, motivating clients and service sites to provide
   highly accurate computing resource information to maximize their
   rewards.

6.  Unresolved Issues

   TBD

7.  Security Considerations

7.1.  Security Risk

   *Traffic sniffing:* Attackers may use computing resource information
   to analyze network traffic patterns to infer sensitive information.

   *Identity impersonation:* Attackers may impersonate trusted nodes and
   launch denial of service or man in the middle attacks.

   *Information tampering:* Attackers may tamper with information in
   records for malicious purposes such as traffic hijacking.

Ma, et al.                 Expires 10 May 2025                  [Page 6]
Internet-Draft  Computing Resource Authenticity Evaluati   November 2024

7.2.  Response

   *Encryption:* Deploying encryption technology to ensure that only
   authorized network entities can parse and use this information.

   *Access control:* Deploy access control mechanism, only requests from
   registered clients and service sites will be responded to by the
   network.

   *Identity authentication:* Using public key infrastructure and
   digital signatures for identity authentication.

   *Integrity protection:* Using hash functions, block chain and other
   methods to ensure the integrity of information.

   *Monitoring and auditing:* Implement monitoring systems to detect and
   record for tracking and responding to security incidents as they
   occur.

8.  References

8.1.  Normative References

   [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
              Requirement Levels", BCP 14, RFC 2119,
              DOI 10.17487/RFC2119, March 1997,
              <https://www.rfc-editor.org/info/rfc2119>.

   [RFC8174]  Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC
              2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174,
              May 2017, <https://www.rfc-editor.org/info/rfc8174>.

8.2.  Informative References

   [I-D.ietf-cats-usecases-requirements]
              Yao, K., Trossen, D., Contreras, L. M., Shi, H., Li, Y.,
              Zhang, S., and Q. An, "Computing-Aware Traffic Steering
              (CATS) Problem Statement, Use Cases, and Requirements",
              Work in Progress, Internet-Draft, draft-ietf-cats-
              usecases-requirements-03, 3 July 2024,
              <https://datatracker.ietf.org/doc/html/draft-ietf-cats-
              usecases-requirements-03>.

Ma, et al.                 Expires 10 May 2025                  [Page 7]
Internet-Draft  Computing Resource Authenticity Evaluati   November 2024

   [I-D.ietf-cats-framework]
              Li, C., Du, Z., Boucadair, M., Contreras, L. M., and J.
              Drake, "A Framework for Computing-Aware Traffic Steering
              (CATS)", Work in Progress, Internet-Draft, draft-ietf-
              cats-framework-04, 17 October 2024,
              <https://datatracker.ietf.org/doc/html/draft-ietf-cats-
              framework-04>.

   [I-D.wang-cats-security-considerations]
              Wang, C. and Y. Fu, "Security Considerations for
              Computing-Aware Traffic Steering", Work in Progress,
              Internet-Draft, draft-wang-cats-security-considerations-
              01, 21 October 2024,
              <https://datatracker.ietf.org/doc/html/draft-wang-cats-
              security-considerations-01>.

Acknowledgements

   TBD

Authors' Addresses

   Xiaoting Ma
   China Telecom
   Beijing
   China
   Email: maxt3@chinatelecom.cn

   Shuai Gao
   Beijing Jiaotong University
   Beijing
   China
   Email: shgao@bjtu.edu.cn

   Zixuan Lei
   Beijing Jiaotong University
   Beijing
   China
   Email: zixuanlei@bjtu.edu.cn

   Ziheng Xu
   China Telecom
   Beijing
   China
   Email: xuzh24@chinatelecom.cn

Ma, et al.                 Expires 10 May 2025                  [Page 8]