IFIT-based anomaly monitoring and tracing in data circulation
draft-zhang-srv6ops-abn-mon-data-circulation-00

Document Type Active Internet-Draft (individual)
Authors Naihan Zhang , Xinxin Yi
Last updated 2024-10-21
srv6ops                                                    N. Zhang, Ed.
Internet-Draft                                                X. Yi, Ed.
Intended status: Standards Track                            China Unicom
Expires: 24 April 2025                                   21 October 2024

     IFIT-based anomaly monitoring and tracing in data circulation
            draft-zhang-srv6ops-abn-mon-data-circulation-00

Abstract

   This document proposes a deployment scheme of IFIT-based anomaly
   monitoring and tracing in data circulation.  Use cases and
   requirements are discussed, and a deployment scheme is described in
   detail.

Status of This Memo

   This Internet-Draft is submitted in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF).  Note that other groups may also distribute
   working documents as Internet-Drafts.  The list of current Internet-
   Drafts is at https://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   This Internet-Draft will expire on 24 April 2025.

Copyright Notice

   Copyright (c) 2024 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents (https://trustee.ietf.org/
   license-info) in effect on the date of publication of this document.
   Please review these documents carefully, as they describe your rights
   and restrictions with respect to this document.  Code Components
   extracted from this document must include Revised BSD License text as
   described in Section 4.e of the Trust Legal Provisions and are
   provided without warranty as described in the Revised BSD License.

Zhang & Yi                Expires 24 April 2025                 [Page 1]
Internet-Draft  IFIT-based anomaly monitoring and tracin    October 2024

Table of Contents

   1.  Introduction  . . . . . . . . . . . . . . . . . . . . . . . .   2
   2.  Conventions and Definitions . . . . . . . . . . . . . . . . .   3
   3.  Use Cases . . . . . . . . . . . . . . . . . . . . . . . . . .   3
     3.1.  Data sharing between enterprises  . . . . . . . . . . . .   3
     3.2.  Data sharing of technology project  . . . . . . . . . . .   3
   4.  Requirement . . . . . . . . . . . . . . . . . . . . . . . . .   3
     4.1.  Monitoring and tracing of attacked nodes  . . . . . . . .   3
     4.2.  Monitoring and tracing of illegal nodes . . . . . . . . .   4
   5.  Deployment scheme of IFIT-based anomaly monitoring and tracing
           in data circulation . . . . . . . . . . . . . . . . . . .   4
   6.  Deployment effect . . . . . . . . . . . . . . . . . . . . . .   5
   7.  Security Considerations . . . . . . . . . . . . . . . . . . .   5
   8.  IANA Considerations . . . . . . . . . . . . . . . . . . . . .   6
   9.  References  . . . . . . . . . . . . . . . . . . . . . . . . .   6
     9.1.  Normative References  . . . . . . . . . . . . . . . . . .   6
     9.2.  Informative References  . . . . . . . . . . . . . . . . .   6
   Authors' Addresses  . . . . . . . . . . . . . . . . . . . . . . .   6

1.  Introduction

   In this era of booming digital economy, data has become an important
   asset, and the value of data is increasingly prominent.  Data
   circulation and sharing can enhance the efficiency of resource
   utilization and promote technological innovation.  However, there are
   some problems in data circulation.  First, the systems between
   different institutions and different regions are heterogeneous, and
   the data formats and encoding methods are different, so it is
   necessary to solve the problem of sharing and circulation of these
   differentiated data.  Second, the new data circulation supervision
   platform requires users to rent server resources, resulting in an
   increase in user costs.  Third, the platform and the network need to
   collaborate to solve the leakage risk of shared data at the network
   layer.

   To address these problems, the network is well suited as a medium for
   cross-institution and cross-region supervision of data circulation:
   the data circulation process can be monitored and traced with network
   technology.  IFIT is one of the preferred methods for monitoring and
   tracing abnormal paths in data circulation.  Compared with traditional
   network operation and maintenance technology, it offers high
   precision, real-time operation and visualization.  IFIT
   [I-D.song-opsawg-ifit-framework] marks flows by inserting IFIT headers
   into real service packets and directly measures performance
   indicators such as network delay, packet loss, and jitter.

2.  Conventions and Definitions

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and
   "OPTIONAL" in this document are to be interpreted as described in BCP
   14 [RFC2119] [RFC8174] when, and only when, they appear in all
   capitals, as shown here.  Abbreviations and definitions used in this
   document:

   *  IFIT: In-situ Flow Information Telemetry.

3.  Use Cases

3.1.  Data sharing between enterprises

   Data sharing between enterprises can enable faster access to
   necessary information and improve productivity.  However, data
   sharing between enterprises involves compliance and commercial
   confidentiality issues, and cross-enterprise data interactions need
   to avoid the risk of sensitive data leakage.  Therefore, regulators
   need to control the process of data interaction and trace the
   behavior.

3.2.  Data sharing of technology project

   Medical data sharing can bring more convenient and efficient
   healthcare services to patients by reducing duplication of
   examinations and increasing information transparency.  However,
   medical data involves personal privacy and sensitive information,
   which may have serious consequences for individuals in case of
   leakage.  Therefore, the process of circulation needs to be
   monitored.

4.  Requirement

   Monitoring the data circulation process with network technology
   mainly requires the network to provide monitoring and tracing
   functions for attacked nodes and for illegal nodes.

4.1.  Monitoring and tracing of attacked nodes

   Current attack tracing schemes can be roughly divided into two types:
   attack path reconstruction based on traffic characteristics, and
   attack path reconstruction based on packet marking.  The former
   reconstructs the attack path from the difference between the
   characteristics of attack traffic and normal traffic, and is easy to
   deploy because it runs at the controller.  However, this scheme
   requires the controller to collect data circulation information for a
   certain period of time, so the real-time performance of tracing is
   poor.  In addition, both the comparison of traffic characteristics
   and the network path tracing are performed by the controller, which
   increases the data transmission volume and the controller's
   processing load when the network is large.  The attack path
   reconstruction algorithm based on packet marking carries path
   information by inserting markers into the packet header and finally
   restores the forwarding path from those markers.  In this scheme, the
   extra marking field increases the packet length and causes extra
   bandwidth consumption.  Moreover, if an attacker modifies the packet
   header markers during forwarding, path reconstruction fails.

4.2.  Monitoring and tracing of illegal nodes

   The current network tracing technology mainly focuses on attack
   traffic, and there is no scheme to monitor and trace illegal nodes in
   the circulation process.

5.  Deployment scheme of IFIT-based anomaly monitoring and tracing in
    data circulation

   Figure 1 shows the architectural schematic of the deployment scheme.

          +------------------------------+
          |Management and Control System |
          +------------------------------+
             /              |             \
   +-------+       +------------+       +-------+
   |Ingress|       |Intermediate|       |Egress |
   |Gateway| <-->  |    Node    | <-->  |Gateway|
   +-------+       +------------+       +-------+
   <--------------------IFIT-------------------->

                  Figure 1: IFIT-Anomaly-Monitoring

   The specific implementation process is as follows:

   a.  The management and control system sets the jitter threshold
       according to the service type, and initializes the packet loss
       threshold and delay threshold according to the routing result.

   b.  The management and control system sends an IFIT end-to-end
       detection command to the ingress gateway, and the ingress gateway
       adds the IFIT packet header to the data traffic.

   c.  The egress gateway collects measurements of the data traffic and
       reports them to the management and control system.  When the
       control system finds an anomaly (delay or packet loss exceeding
       the threshold), it sends a hop-by-hop detection command to the
       ingress gateway, which adds an IFIT hop-by-hop mode marker to the
       data traffic.

   d.  The intermediate network nodes report the detection data, and the
       control system aggregates and analyzes it.  First, based on the
       analysis results, the system determines whether the increase in
       delay or packet loss is due to path switching triggered by a
       physical link failure.  Second, the queue length in each node is
       checked to determine whether there is congestion.  If neither
       applies, anomaly analysis is performed:

       d1.  When the packet loss exceeds the threshold, the system
            locates the nodes whose packet loss has increased, and those
            nodes are determined to be possibly attacked nodes.

       d2.  When the delay exceeds the threshold, the system locates
            between which two nodes the abnormal delay jitter occurs,
            and determines that the data traffic leaves the path there
            towards the illegal node.

   e.  The management and control system reconstructs the network path
       of the attack traffic and of the illegal traffic from the
       hop-by-hop detection result.
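   As an added illustration (not code from the draft or from any IFIT
   implementation), the controller-side decision logic of steps a to e
   in Python; the report fields, thresholds, baselines and telemetry
   values are assumptions constructed for this example.

```python
# Controller-side logic of the Section 5 scheme (added example, not code from the
# draft or any IFIT implementation); fields, thresholds and values are assumed.
from dataclasses import dataclass

@dataclass
class HopReport:
    node: str
    seg_delay_ms: float   # delay from the previous node to this one
    loss: float           # packet loss ratio observed at this node
    queue_len: int        # egress queue occupancy reported by the node

# Step a: jitter threshold per service type, delay/loss thresholds from the
# routing result; queue_len is the congestion indicator assumed here.
THR = {"delay_ms": 20.0, "loss": 0.01, "jitter_ms": 5.0, "queue_len": 800}

def needs_hop_by_hop(e2e_delay_ms, e2e_loss, thr=THR):
    """Step c: escalate to hop-by-hop detection only when a threshold is crossed."""
    return e2e_delay_ms > thr["delay_ms"] or e2e_loss > thr["loss"]

def analyse_hops(hops, expected_path, base_delay, base_loss, thr=THR):
    """Step d: rule out path switching and congestion, then apply d1 and d2."""
    path = [h.node for h in hops]
    if path != expected_path:                  # reroute after a link failure
        return {"verdict": "path_switch", "path": path}
    congested = [h.node for h in hops if h.queue_len > thr["queue_len"]]
    if congested:                              # queue build-up explains it
        return {"verdict": "congestion", "nodes": congested}
    # d1: nodes whose loss rose above the threshold are possibly attacked
    attacked = [h.node for h in hops if h.loss - base_loss[h.node] > thr["loss"]]
    # d2: first segment whose delay exceeds baseline by > jitter is the illegal exit
    exit_seg = None
    for prev, cur in zip(hops, hops[1:]):
        if cur.seg_delay_ms - base_delay[cur.node] > thr["jitter_ms"]:
            exit_seg = (prev.node, cur.node)
            break
    return {"verdict": "anomaly", "attacked": attacked, "illegal_exit": exit_seg}

# Constructed sample: legal path in -> n1 -> n2 -> out; n2 drops packets and
# the n1 -> n2 segment is 30 ms slower than baseline with no queue build-up.
PATH = ["in", "n1", "n2", "out"]
BASE_DELAY = {"in": 0.0, "n1": 3.0, "n2": 4.0, "out": 3.0}
BASE_LOSS = {n: 0.001 for n in PATH}
SAMPLE = [HopReport("in", 0.0, 0.001, 10), HopReport("n1", 3.2, 0.001, 12),
          HopReport("n2", 34.0, 0.050, 15), HopReport("out", 3.1, 0.001, 9)]

def demo(hops=SAMPLE):
    e2e_delay = sum(h.seg_delay_ms for h in hops)
    e2e_loss = sum(h.loss for h in hops)       # small-loss approximation
    if not needs_hop_by_hop(e2e_delay, e2e_loss):   # step c: stay end-to-end
        return {"verdict": "normal"}
    return analyse_hops(hops, PATH, BASE_DELAY, BASE_LOSS)
```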

6.  Deployment effect

   The scheme monitors real packet traffic based on IFIT, so it operates
   in real time, and the accuracy of anomaly detection is improved by
   excluding path switching and congestion through a fine-grained
   hop-by-hop detection mode.

   The scheme measures the delay and jitter of the data traffic through
   IFIT, and can therefore detect network attacks and illegal path
   traffic at the same time.

   The scheme triggers the hop-by-hop detection mode only when the delay
   or packet loss exceeds the threshold, and performs only end-to-end
   detection at other times, thus greatly reducing the data transmission
   volume and processing load of the network equipment and of the
   management and control system.

   The scheme does not need to add long markers to the packet header at
   each network node; it only adds the IFIT packet header to the packet
   at the ingress gateway, so there is no additional bandwidth
   consumption.

7.  Security Considerations

   TBD

8.  IANA Considerations

   TBD

9.  References

9.1.  Normative References

   [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
              Requirement Levels", BCP 14, RFC 2119,
              DOI 10.17487/RFC2119, March 1997,
              <https://www.rfc-editor.org/info/rfc2119>.

   [RFC8174]  Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC
              2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174,
              May 2017, <https://www.rfc-editor.org/info/rfc8174>.

9.2.  Informative References

   [I-D.song-opsawg-ifit-framework]
              Song, H., Qin, F., Chen, H., Jin, J., and J. Shin,
              "Framework for In-situ Flow Information Telemetry", Work
              in Progress, Internet-Draft, draft-song-opsawg-ifit-
              framework-21, 23 October 2023,
              <https://datatracker.ietf.org/doc/html/draft-song-opsawg-
              ifit-framework-21>.

Authors' Addresses

   Naihan Zhang (editor)
   China Unicom
   Beijing
   China
   Email: zhangnh12@chinaunicom.cn

   Xinxin Yi (editor)
   China Unicom
   Beijing
   China
   Email: yixx3@chinaunicom.cn
