Skip to main content

Security Considerations for Computing-Aware Traffic Steering
draft-wang-cats-security-considerations-01

Document Type Active Internet-Draft (individual)
Authors Cuicui Wang , Yu Fu
Last updated 2024-10-21
RFC stream (None)
Intended RFC status (None)
Formats
Stream Stream state (No stream defined)
Consensus boilerplate Unknown
RFC Editor Note (None)
IESG IESG state I-D Exists
Telechat date (None)
Responsible AD (None)
Send notices to (None)
draft-wang-cats-security-considerations-01
cats                                                             C. Wang
Internet-Draft                                                     Y. Fu
Intended status: Standards Track                            China Unicom
Expires: 24 April 2025                                   21 October 2024

      Security Considerations for Computing-Aware Traffic Steering
               draft-wang-cats-security-considerations-01

Abstract

   Computing-Aware Traffic Steering (CATS) inherits potential security
   vulnerabilities from the network, computing nodes as well as
   workflows of CATS procedures.  This document describes various
   threats and security concerns related to CATS and existing approaches
   to solve these threats.

Status of This Memo

   This Internet-Draft is submitted in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF).  Note that other groups may also distribute
   working documents as Internet-Drafts.  The list of current Internet-
   Drafts is at https://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   This Internet-Draft will expire on 24 April 2025.

Copyright Notice

   Copyright (c) 2024 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents (https://trustee.ietf.org/
   license-info) in effect on the date of publication of this document.
   Please review these documents carefully, as they describe your rights
   and restrictions with respect to this document.  Code Components
   extracted from this document must include Revised BSD License text as
   described in Section 4.e of the Trust Legal Provisions and are
   provided without warranty as described in the Revised BSD License.

Wang & Fu                 Expires 24 April 2025                 [Page 1]
Internet-Draft        CATS Security Considerations          October 2024

Table of Contents

   1.  Introduction  . . . . . . . . . . . . . . . . . . . . . . . .   2
     1.1.  Requirements Language . . . . . . . . . . . . . . . . . .   2
   2.  Terminology . . . . . . . . . . . . . . . . . . . . . . . . .   2
   3.  Security Issues of The Computing Resource . . . . . . . . . .   3
   4.  Computing Path Selector Security Issues . . . . . . . . . . .   3
   5.  Computing Service Announcement Security Issues  . . . . . . .   4
   6.  Metrics Distribution Security Issues  . . . . . . . . . . . .   4
   7.  Security-related Metrics  . . . . . . . . . . . . . . . . . .   5
   8.  Security Considerations . . . . . . . . . . . . . . . . . . .   5
   9.  IANA Considerations . . . . . . . . . . . . . . . . . . . . .   5
   10. References  . . . . . . . . . . . . . . . . . . . . . . . . .   5
     10.1.  Normative References . . . . . . . . . . . . . . . . . .   5
     10.2.  Informative References . . . . . . . . . . . . . . . . .   6
   Acknowledgements  . . . . . . . . . . . . . . . . . . . . . . . .   6
   Authors' Addresses  . . . . . . . . . . . . . . . . . . . . . . .   6

1.  Introduction

   The CATS framework is an ingress-based overlay framework for the
   selection of the suitable service instance(s) from a set of instance
   candidates.  By taking into account both networking and computing
   metrics, the CATS framework achieve a global of dispatching service
   demands over the various and available edge computing resources.
   However, ubiquitous distributed computing resources in CATS also pose
   challenges to security protection.  The operators of CATS may not
   have complete control over the nodes and therefore guarantee the
   security and credibility of the computing nodes themselves.
   Moreover, there are great differences in the security capabilities
   provided by computing nodes in the network, which greatly improves
   the breadth and difficulty of security protection.

   This document describes various threats and security concerns related
   to CATS networks and existing approaches to solve these threats.

1.1.  Requirements Language

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and
   "OPTIONAL" in this document are to be interpreted as described in
   BCP 14 [RFC2119] [RFC8174] when, and only when, they appear in all
   capitals, as shown here.

2.  Terminology

   This document makes use of the following terms:

Wang & Fu                 Expires 24 April 2025                 [Page 2]
Internet-Draft        CATS Security Considerations          October 2024

   *Computing-Aware Traffic Steering (CATS):* A traffic engineering
   approach [I-D ietf-teas-rfc3272bis] that takes into account the
   dynamic nature of computing resources and network state to optimize
   service-specific traffic forwarding towards a given service instance.
   Various relevant metrics may be used to enforce such computing-aware
   traffic steering policies.  [I-D.ldbc-cats-framework]

   *CATS Service ID (CS-ID):* An identifier representing a service,
   which the clients use to access it.

   *Service:* An offering provided by a service provider and which is
   delivered using one or more service functions [RFC7665].

   *CATS Service Metric Agent (C-SMA):* An agent that is responsible for
   collecting service capabilities and status, and for reporting them to
   a CATS Path Selector (C-PS).

   *Service request:* The request for a specific service instance.

3.  Security Issues of The Computing Resource

   The ubiquitous and flexible characterictics of computing resource and
   the frequent connections to the computing resource will lead to the
   increasing risks of resource attacks.  At the same time, network
   attack patterns are constantly iterating and upgrading, which will
   also increases the probability of computing resources being attacked.
   Therefore security solutions of CATS must support identity
   authentication and access control against these attacks.  Identity
   authentication is required for clients of CATS.  Zero trust is the
   preferred approach to meet this demand.  Besides, security monitoring
   and auditing of computing resources should be carried out using
   technologies such as security log management and intrusion detection
   to monitor the security status of computing resources.

4.  Computing Path Selector Security Issues

   The operation of a C-PS could be damaged through a variety of denial-
   of-service attacks.  Such attacks can cause the C-PS to become
   congested with the result that traffic forwarding are too slowly . In
   extreme cases, it may be that service requests are not satisfied.
   C-PS could be the target of the following attacks [RFC5440]:

   *  interception of C-PS service requests or responses;

   *  impersonation of C-PS;

   *  falsification of computing service information, policy
      information, or C-PS capabilities; and

Wang & Fu                 Expires 24 April 2025                 [Page 3]
Internet-Draft        CATS Security Considerations          October 2024

   *  denial-of-service attacks on C-PS communication mechanisms.

   Additionally, snooping of C-PS requests and responses may give an
   attacker information about the operation of the network.  Simply by
   viewing the C-PS messages someone can know where traffic is being
   routed, thereby making the network susceptible to targeted attacks.
   It is expected that C-PS solutions will address these issues in
   detail using authentication and security techniques.

5.  Computing Service Announcement Security Issues

   A computing service is associated with a unique identifier called a
   CS-ID.  The CS-ID should keep confidentiality of the service, for
   example, using an IP address as the CS-ID may expose the location of
   the edge node.  The mapping of CS-IDs to network identifiers may be
   learned through a NRS(Name Resolution Service), such as DNS, so it is
   important for the NRS to support access control for certain name
   mapping records, and authentication of the computing service that
   want to be registered with the NRS must be required so that only
   authenticated entities can store and update name mapping records.
   Besides, the NRS should be resilient against denial-of- service
   attacks and other common attacks.

6.  Metrics Distribution Security Issues

   The C-SMA aggregates both service-related capabilities and then
   advertises the CS-IDs along with the metrics to be received by all
   C-PS in the network.  The service metrics include computing-related
   metrics and potentially other service-specific metrics like the
   number of end-users who access the service instance at any given
   time, their location, etc.  Therefore, verification mechanism is
   needed for both C-SMA and C-PS to ensure the authenticity and
   integrity of the infomation they received.

   The information distributed by the C-SMA and C-NMA may be sensitive.
   Such information could indeed disclose intel about the network and
   the location of computing resources hosted in edge sites.
   Furthermore, such information may be modified by an attacker
   resulting in disrupted service delivery for the clients, including
   misdirection of traffic to an attacker's service implementation.

Wang & Fu                 Expires 24 April 2025                 [Page 4]
Internet-Draft        CATS Security Considerations          October 2024

   The computing resource information changes over time very frequently,
   especially with the creation and termination of service instances.
   When such an information is carried in a routing protocol, too many
   updates may affect network stability.  This issue could be exploited
   by an attacker (e.g. by spawning and deleting service instances very
   rapidly).  CATS solutions must support guards against such
   misbehaviors.  For example, these solutions should support
   aggregation techniques, dampening mechanisms, and threshold triggered
   distribution updates.

7.  Security-related Metrics

   The service and network metrics could include the security-related
   capabilities which could be used by the CATS Path selector to compute
   paths with security guarantee.

   The security capabilities of nodes could be one of the metrics for
   C-PS to computing the traffic forwarding path and form a secure
   routing path.  And C-PS will fetch the real-time awareness of the
   security capabilities available in the network and computing services
   and finally provide security protection for users.  Clients with high
   security requirements could choose the service with desired security
   attributes and achieve dependable forwarding on top of only devices
   that satisfies certain trust requirements, which will avoid the risks
   of traffic eavesdropping, sensitive data leakage etc.

8.  Security Considerations

   The security considerations of CATS are presented throughout this
   document. .

9.  IANA Considerations

   This document has no IANA actions.

10.  References

10.1.  Normative References

   [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
              Requirement Levels", BCP 14, RFC 2119,
              DOI 10.17487/RFC2119, March 1997,
              <https://www.rfc-editor.org/info/rfc2119>.

   [RFC8174]  Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC
              2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174,
              May 2017, <https://www.rfc-editor.org/info/rfc8174>.

Wang & Fu                 Expires 24 April 2025                 [Page 5]
Internet-Draft        CATS Security Considerations          October 2024

   [RFC5440]  Vasseur, JP., Ed. and JL. Le Roux, Ed., "Path Computation
              Element (PCE) Communication Protocol (PCEP)", RFC 5440,
              DOI 10.17487/RFC5440, March 2009,
              <https://www.rfc-editor.org/info/rfc5440>.

10.2.  Informative References

   [I-D.ldbc-cats-framework]
              Li, C., Du, Z., Boucadair, M., Contreras, L. M., and J.
              Drake, "A Framework for Computing-Aware Traffic Steering
              (CATS)", Work in Progress, Internet-Draft, draft-ldbc-
              cats-framework-06, 8 February 2024,
              <https://datatracker.ietf.org/doc/html/draft-ldbc-cats-
              framework-06>.

   [RFC7665]  Halpern, J., Ed. and C. Pignataro, Ed., "Service Function
              Chaining (SFC) Architecture", RFC 7665,
              DOI 10.17487/RFC7665, October 2015,
              <https://www.rfc-editor.org/info/rfc7665>.

Acknowledgements

   TBD

Authors' Addresses

   Cuicui Wang
   China Unicom
   Beijing
   China
   Email: wangcc107@chinaunicom.cn

   Yu Fu
   China Unicom
   Beijing
   China
   Email: fuy186@chinaunicom.cn

Wang & Fu                 Expires 24 April 2025                 [Page 6]