Internet-Draft SMAM for CATS October 2024
Lu, et al. Expires 21 April 2025 [Page]
Workgroup:
Internet Engineering Task Force
Internet-Draft:
draft-lu-cats-smam-security-00
Published:
Intended Status:
Informational
Expires:
Authors:
Lu, Ed.
China Mobile
M. Chen
China Mobile
L. Su
China Mobile

A mechanism of security monitoring and management for service resources in Computing-Aware Traffic Steering (CATS)

Abstract

The goal is to This draft proposes a mechanism to realize monitoring and management of service resources.

Status of This Memo

This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79.

Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet-Drafts is at https://datatracker.ietf.org/drafts/current/.

Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress."

This Internet-Draft will expire on 21 April 2025.

1. Introduction

As described in [I-D.ietf-cats-usecases-requirements], traffic steering that takes into account both the computing resource metric and network metric would improve the QoE of several services, e.g., AR/VR and intelligent transportation. But when executing services, efficiency is not the only factor to consider. Security requirements are important for users, service providers and network providers, such as following security requirements:

1. The services should not be interrupted abnormally, and data of services should not be leaked or unauthorized access;

2. The network should run stably and is not subject to attacks from service resources;

3. The service resources are prevented from being attacked by other resources.

Many resolutions need to be designed and applyed to fully meet security requirements above. But a basic resolution is to monitor and discover corrupted service resources and limit them from providing services and interact with network components as well as other service resources, and more secure service resources should be selected under same conditions. This draft proposes a mechanism to realize monitoring and management of service resources.

2. Problem statement

Service resources face kinds of attacks from inside and outside. Successful attacks may bring security risks for services, such as service unavailable, service data stolen etc, and service resources may become attack tools to interfere activities of other computing resources and functional components in CATS if they are manipulated maliciously. The more vulnerable the resource, the greater the likelihood of being breached. And when service resources have been breached, they will be threats in network.

For protecting service availability, security of services and maintaining network stability, computing resources in CATS should be in security status and services should run on reliable resources. So there should be a mechanism to monitor security status of service resources and discover the resources that are likely to be breached and those that have already been breached in CATS. Then different policies can be applyed for above service resources such as excluding the service resources from CATS or reduce usage of them.

3. Framework and Components

In [I-D.ldbc-cats-framework], a CATS framework for computing-aware traffic steering according to computing metrics of service resources and network metrics is proposed. In this draft, the new functional component C-SeMA is introduced based on the existing CATS framework.

The CATS Security Metric Agent(C-SeMA) is responsible for collecting security information of computing resources that used to carry service instances. Computing resources could be servers, virtual machines or containers. Details of security information are listed in 5.2.

The C-SeMA gathers the security information and decides the security status of the computing resources, then generates security policy according to the security status of computing resources and sends it to C-PS. C-PS could adjust resource selection policy according to the security policy.

4. Workflow

4.1. Overview

Figure 2 shows the main workflow of monitoring and management of computing resources. Two stages are included in the workflow. In stage 1, C-SeMA acquire security information from computing resources or security functions. In stage 2, security policies will be generated according to security information and will be sent to C-PS. In stage 3, C-PS can select service nodes according to the security policies.

+-----------------+          +----------------+           +---------------+
|sefunction/      |          |                |           |               |
|service resources|      -   |    C-SeMA      |           |      C-PS     |
+--------+--------+          +--------+-------+           +--------+------+
         <----------------------------+                            |
         |                            |                            |
         |requirements of             |                            |
         |security metrics            |                            |
         |                            |                            |
         +---------------------------->                            |
         |security                    |                            |
         |information                 |                            |
         |                            |                            |
         |                     processing of                       |
         |                     security                            |
         |                     information                         |
         |                            ++---------------------------+
         |                            |         security policy    |
         |                            |                            |
         |                            |                         service
         |                            |                     decision-making
         |                            |                            |

                                Figure2: overview of workflow

4.2. Collection of security information

C-SeMA need to collect security capability information and security status information of computing resources. Security capability information indicates the security capabilities that are depolyed for protecting computing resources and services running on them from attacks. Security status information including predefined dynamic security metrics of computing resources, such as abnormal traffic, adnormal behaviors, and vulnerability situation etc. C-SeMA need to distribute requirements of security metrics to computing resources or security functions.

C-SeMA collects security information from computing resources or security functions deployed in service sites or network. Different collection methods can be used, such as C-SeMA collects security information periodically or security function push the information when security status changes.

Security information should be associated with a specific computing resource and is associated with service instances by computing resources. Table 1 shows the examples of security information for service resources.

+--------------+-----------------+---------------------+
| Types of     |    Security     |       Details       |
| security     |    metrics      |                     |
| information  |                 |                     |
+--------------+-----------------+---------------------+
|              |   Security      |                     |
|  Security    |   capabilities  |  Such as X-san      |
|  capability  |   of computing  |  , IPS and IDS etc  |
|              |   resources     |                     |
+--------------+-----------------+---------------------+
|              |                 |  Current            |
|              |   Vulnerability |  vulnerabilities in |
|              |   information   |  computing resources|
|              +-----------------+---------------------+
|              |                 |  Current virus      |
|              |   Virus         |  in computing       |
|              |   information   |  resources          |
|              +-----------------+---------------------+
|   Security   |                 |  Attack events      |
|   status     |   Attack        |  faced by computing |
|              |   information   |  resources          |
|              +-----------------+---------------------+
|              |                 | Abnormal behavior   |
|              |                 | information         |
|              |                 | of service resources|
|              |   Abnormal      | such as frequent    |
|              |   behavior      | submission of data, |
|              |   information   | single submission   |
|              |                 | of large amounts of |
|              |                 | data etc            |
+--------------+-----------------+---------------------+
        Table 1: examples of security information

4.3. Processing of security information

C-SeMA processes the received security information and determines the corresponding security policies for specific computing resources or service instances according to predefined decision rules.

Two examples of decision rules are as following:

1. Rule 1: Predefine rule of value assignment and weighs of every security metric. Then assign values to security metrics according to received security information and the rules. And use method of weighting to compute the final security value. Security policies will be determined according to the final value;

2. Rule 2: Set trigger rules of every kind of policy, such as if high risk vulnerabilities are found in computing resources, then priority of the corresponding resources should be reduced.

Specific decision logic is out of the scope of this draft.

The policies include but not limited to the following types:

1 Suggests to prohibit using the computing resources;

2 Suggests to prohibit using the service instances;

3 Suggests to reduce the priority of the computing resources;

4 Suggests to reduce the priority of the service instances;

5 Suggests to prioritize the computing resources;

6 Suggests to enable the computing resources;

7 None.

4.4. Service decision-making based on security information

C-SeMA submits the policies for specific computing resources or service instances to C-PS. C-PS could take these policies as references and adjust selection policies when conducting service decision-making. According to different policies, operations of C-PS include but not limited to the following types:

1. If C-SeMA suggests to prohibit specific computing resources/instances, C-PS excludes these computing resources/instances from alternative lists;

2. If C-SeMA suggests to reduce the priority of specific computing resources/instances, C-PS selects other computing resources/instances to provide service under the same network and computing conditions;

3. If C-SeMA suggests to prioritize specific computing resources/instances, C-PS selects these computing resources/instances to provide service among computing resources/instances with same network and computing conditions;

4. If C-SeMA suggests to enable specific computing resources, C-PS puts them into alternative lists;

5. IANA Considerations

This memo includes no request to IANA.

Authors' Addresses

Li Lu (editor)
China Mobile
BeiJing
China
Meiling Chen
China Mobile
BeiJing
China
Li Su
China Mobile
BeiJing
China