Network Working Group S. Peng
Internet-Draft Z. Li
Intended status: Informational Huawei Technologies
Expires: December 19, 2021 D. Voyer
Bell Canada
C. Li
China Telecom
P. Liu
China Mobile
C. Cao
China Unicom
June 17, 2021
APN Security and Privacy Considerations
draft-peng-apn-security-privacy-consideration-02
Abstract
Application-aware Networking (APN) aims to convey Application-aware
Information (APN attribute) including APN ID and APN parameters
indicating application group-level and user group-level requirements
along with the data packets into the network and enable the network
to provide corresponding fine-granular network services.
There have been challenges of the privacy and security issues that
could potentially be introduced by conveying the APN attribute into
the network. This document describes the security and privacy
considerations of APN in various possible scenarios wherein APN will
be deployed.
Requirements Language
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
document are to be interpreted as described in RFC 2119 [RFC2119].
Status of This Memo
This Internet-Draft is submitted in full conformance with the
provisions of BCP 78 and BCP 79.
Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet-
Drafts is at https://datatracker.ietf.org/drafts/current/.
Peng, et al. Expires December 19, 2021 [Page 1]
Internet-Draft APN Security and Privacy June 2021
Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress."
This Internet-Draft will expire on December 19, 2021.
Copyright Notice
Copyright (c) 2021 IETF Trust and the persons identified as the
document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents
(https://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents
carefully, as they describe your rights and restrictions with respect
to this document. Code Components extracted from this document must
include Simplified BSD License text as described in Section 4.e of
the Trust Legal Provisions and are provided without warranty as
described in the Simplified BSD License.
Table of Contents
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2
2. Terminologies . . . . . . . . . . . . . . . . . . . . . . . . 3
3. APN Framework . . . . . . . . . . . . . . . . . . . . . . . . 3
4. Privacy Considerations . . . . . . . . . . . . . . . . . . . 4
5. Security Considerations . . . . . . . . . . . . . . . . . . . 4
6. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 6
7. Contributors . . . . . . . . . . . . . . . . . . . . . . . . 6
8. Normative References . . . . . . . . . . . . . . . . . . . . 7
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 7
1. Introduction
Application-aware Networking (APN) is introduced in
[I-D.li-apn-framework] and [I-D.li-apn-problem-statement-usecases].
APN conveys Application-aware Information (APN attribute) along with
data packets into network and make the network aware of applications'
requirements in order to provide corresponding network services. The
ever-emerging network services such as network slicing and iOAM can
be further enhanced with the application awareness in the network
enabled by APN.
Since APN conveys an APN attribute along with the data packets into
network, APN has been challenged that it may potentially impose
privacy and security issues.
Peng, et al. Expires December 19, 2021 [Page 2]
Internet-Draft APN Security and Privacy June 2021
This document describes the privacy and security considerations of
APN.
2. Terminologies
AI: Artificial Intelligence
APN: Application-aware Networking
BNG: Broadband Network Gateway
CPE: Customer Premise Equipment
DPI: Deep Packet Inspection
OS: Operating System
RG: Residential Gateway
UPF: User Plane Function
5GC: 5G Core
3. APN Framework
The APN framework is introduced in [I-D.li-apn-framework], as shown
in the Figure 1.
+-----+ +-----+
|App x|-\ /-|App x|
+-----+ | +-----+ +-----------------------+ +-----+ | +-----+
\-|APN | | Application-aware | |APN |-/
|- |---| Network |---|- |
/-|Edge | | Service Provisioning | |Edge |-\
+-----+ | +-----+ +-----------------------+ +-----+ | +-----+
|App y|-/ | | \-|App y|
+-----+ |<--- Network Operator Controlled --->| +-----+
Figure 1. APN6 Framework
With APN, the APN attribute is acquired based on the existing
information in the packet header such as 5-tuple and/or QinQ (S-VLAN
and C-VLAN) at the edge devices of the APN domain (i.e. APN-Edge in
the Figure 1), added to the data packets in the tunnel encapsulation,
and delivered to the network, wherein, according to the carried APN
attribute, the fine-granular network services are provisioned.
Peng, et al. Expires December 19, 2021 [Page 3]
Internet-Draft APN Security and Privacy June 2021
The APN attribute is added by the edge device of an APN domain
according to the local policy at the network edge device (i.e. APN-
Edge), which is under the control of the network operator.
4. Privacy Considerations
The APN attribute is only used within the network operator's
controlled limited domain. A limited domain is intended as a portion
of the operator infrastructure where APN is deployed. When a packet
reaches the boundary of the limited domain, an APN attribute is added
to the packet, used in order to steer the packet within the limited
domain and then removed when the packet leaves the limited domain.
Within the APN network domain, the APN attribute is added at the
ingress node and removed from the egress node. In the APN network
domain, the APN attribute only serves for the fine-granular network
service provisioning, and there is no harm for the outside of the APN
network domain.
5. Security Considerations
There are two typical scenarios besides the SD-WAN scenario described
in the draft [I-D.yang-apn-sd-wan-usecase]: the home broadband
scenario and the mobile broadband scenario.
In the home broadband scenario, generally a home broadband user is
authorized by the BNG. If the validation is passed and the access
control is released, so the user group can start enjoying the value-
added service. With APN, when the traffic traverses the metro
network, the traffic flow can be indicated by the APN attribute that
is added/removed at the edge devices of the Metro Network (APN
domain) based on the mapping from the existing information (e.g. the
QinQ which is composed of C-VLAN and S-VLAN) in the packet header and
then carried in the tunnel encapsulation header. The APN attribute
will facilitate the fine-granular service in the APN domain. Once
the packets leave the APN domain, the APN attribute will be removed
together with the tunnel encapsulation header.
Peng, et al. Expires December 19, 2021 [Page 4]
Internet-Draft APN Security and Privacy June 2021
|---- APN Domain ---|
+----+ .-----.
| PC | \ ( )
+----+ \--\ .--( )--.
+-----+ \+----+ +----+ ( ) +-------+
| STB |----| RG |--| AN |----( Metro Network )-----| BNG |--->
+-----+ /+----+ +----+ ( ) +-------+
+-----+ /--/ '--( )--'
|Phone|/ ( )
+-----+ '-----'
QinQ QinQ
|----|---- Tunnel ----|----|
Figure 2. Home Broadband Scenario
In the mobile broadband scenario, a UE is authorized by the 5GC
function, and the traffic steering and QoS policy are enforced by the
UPF (User Plane Function) node. If the validation is passed and the
access control is released, so the user can start enjoying the value-
added service. With APN, when the traffic traverses the mobile
transport network, the traffic flow can be indicated by the APN
attribute that is added at the edge devices of the mobile transport
network (APN domain) based on mapping from the existing information
(e.g. GTP-u tunnel encapsulation information) in the packet header
and then carried in the tunnel encapsulation header. The APN
attribute will facilitate the fine-granular service in the APN
domain. Once the packets leave the APN domain, the APN attribute
will be removed together with the tunnel encapsulation header. In
fact, the APN attribute can also be acquired at the gNB based on the
mapping of the existing information of the packet header (e.g.
5-tuple information) and carried along with the GTP-u tunnel
encapsulation. The mobile transport network can provide the
corresponding service according to the APN attribute. When the
packet leaves the UPF, the APN attribute can be removed together with
the GTP-u tunnel encapsulation.
Peng, et al. Expires December 19, 2021 [Page 5]
Internet-Draft APN Security and Privacy June 2021
|-- APN Domain ---|
+----+ .-----.
| PC | ( )
+----+ .--( )--.
+----+ +------+ ( ) +-------+
| UE | --- | gNB |------( Mobile Transport )------| UPF |---->
+----+ +------+ ( Network ) +-------+
+-----+ '--( )--'
| CPE | ( )
+-----+ '-----'
|---- Tunnel ----|
|--------- GTP-u Tunnel --------|
Figure 3. Mobile Broadband Scenario
In the typical APN scenarios like the home broadband scenario and the
mobile broadband scenario, before the traffic is delivered to the
network domain, the end user must be authenticated and authorized
firstly to guarantee the security of the network domain. When the
traffic traverses the APN domain, the APN attribute is added and
removed at the edge of the APN domain along with the tunnel
encapsulation. That is, the APN attribute is only used locally in
the APN domain and will not introduce the extra security issues.
6. IANA Considerations
There are no IANA considerations in this document.
7. Contributors
Chongfeng Xie
China Telecom
China
Email: xiechf@chinatelecom.cn
Liang Geng
China Mobile
China
Email: gengliang@chinamobile.com
Peng, et al. Expires December 19, 2021 [Page 6]
Internet-Draft APN Security and Privacy June 2021
Shuai Zhang
China Unicom
China
Email: zhangs366@chinaunicom.cn
8. Normative References
[I-D.li-6man-app-aware-ipv6-network]
Li, Z., Peng, S., Li, C., Xie, C., Voyer, D., Li, X., Liu,
P., Cao, C., and K. Ebisawa, "Application-aware IPv6
Networking (APN6) Encapsulation", draft-li-6man-app-aware-
ipv6-network-03 (work in progress), February 2021.
[I-D.li-apn-framework]
Li, Z., Peng, S., Voyer, D., Li, C., Liu, P., Cao, C.,
Ebisawa, K., Previdi, S., and J. N. Guichard,
"Application-aware Networking (APN) Framework", draft-li-
apn-framework-02 (work in progress), February 2021.
[I-D.li-apn-problem-statement-usecases]
Li, Z., Peng, S., Voyer, D., Xie, C., Liu, P., Qin, Z.,
Ebisawa, K., Previdi, S., and J. N. Guichard, "Problem
Statement and Use Cases of Application-aware Networking
(APN)", draft-li-apn-problem-statement-usecases-01 (work
in progress), September 2020.
[I-D.yang-apn-sd-wan-usecase]
Yang, F., Cheng, W., Peng, S., and Z. Li, "Usage scenarios
of Application-aware Networking (APN) for SD-WAN", draft-
yang-apn-sd-wan-usecase-01 (work in progress), February
2021.
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
Requirement Levels", BCP 14, RFC 2119,
DOI 10.17487/RFC2119, March 1997,
<https://www.rfc-editor.org/info/rfc2119>.
Authors' Addresses
Shuping Peng
Huawei Technologies
Beijing
China
Email: pengshuping@huawei.com
Peng, et al. Expires December 19, 2021 [Page 7]
Internet-Draft APN Security and Privacy June 2021
Zhenbin Li
Huawei Technologies
Beijing
China
Email: lizhenbin@huawei.com
Daniel Voyer
Bell Canada
Canada
Email: daniel.voyer@bell.ca
Cong Li
China Telecom
China
Email: licong@chinatelecom.cn
Peng Liu
China Mobile
China
Email: liupengyjy@chinamobile.com
Chang Cao
China Unicom
China
Email: caoc15@chinaunicom.cn
Peng, et al. Expires December 19, 2021 [Page 8]