Information Awareness System for Computing-Aware Service Function Chain (IAS-CASFC): Security Service Aspect
draft-wang-cats-awareness-system-for-casfc-01
| Document | Type | Active Internet-Draft (individual) | |
|---|---|---|---|
| Authors | Weilin Wang , Hua-chun Zhou , Jingfu Yan | ||
| Last updated | 2024-04-01 | ||
| RFC stream | (None) | ||
| Intended RFC status | (None) | ||
| Formats | |||
| Stream | Stream state | (No stream defined) | |
| Consensus boilerplate | Unknown | ||
| RFC Editor Note | (None) | ||
| IESG | IESG state | I-D Exists | |
| Telechat date | (None) | ||
| Responsible AD | (None) | ||
| Send notices to | (None) |
draft-wang-cats-awareness-system-for-casfc-01
cats W. Wang
Internet-Draft H. Zhou
Intended Status: Informational J. Yan
Expires: 1 October 2024 Beijing Jiao Tong University
1 April 2024
Information Awareness System for Computing-Aware Service Function
Chain (IAS-CASFC): Security Service Aspect
draft-wang-cats-awareness-system-for-casfc-01
Abstract
This document describes the Information Awareness System of the
Computing-Aware Service Function Chain (ISA-CASFC) from the
security service aspect, including the system architecture, network,
and computing information details. The SFC enables traffic to pass
through the ordered Network Security Function (NSF) path, enabling
end-to-end security services. Differences in the available network
and computing resources cause performance differences between
NSF instances deployed on different service sites. It can be seen
that the routing decision on NSF instances will affect the quality of
the security service. Therefore, it is necessary to implement the
CA-SFC to ensure the quality of security service. This document
extends the CATS framework and the CATS Computing and Network
Information Awareness (CNIA) architecture for CA-SFC, and describes
the network and computing information content for security service.
Status of this Memo
This Internet-Draft is submitted in full conformance with the
provisions of BCP 78 and BCP 79.
Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current
Internet-Drafts is at https://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six
months and may be updated, replaced, or obsoleted by other documents
at any time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress."
This Internet-Draft will expire on 1 October 2024.
Wang, et al. Expires – October 2024 [Page 1]
Awareness System for CASFC April 2024
Copyright Notice
Copyright (c) 2023 IETF Trust and the persons identified as the
document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents (https://trustee.ietf.org/
license-info) in effect on the date of publication of this document.
Please review these documents carefully, as they describe your
rights and restrictions with respect to this document. Code
Components extracted from this document must include Revised
BSD License text as described in Section 4.e of the Trust Legal
Provisions and are provided without warranty as described in the
Revised BSD License.
Table of Contents
1. Introduction......................................2
2. Terminology.......................................3
3. Information Awareness System for Computing-Aware
Service Function Chain............................4
4. Information Details...............................5
4.1 Network Information..............................6
4.2 Computing Information............................7
5. Security Consideration............................7
6. IANA Considerations...............................8
7. References........................................8
7.1 Normative References.............................8
7.2 Informative References...........................8
8. Acknowledgments...................................9
Author's Addresses...................................9
1. Introduction
To guarantee the quality of security service, it is necessary to
realize the Computing-Aware Service Function Chain (CA-SFC). Service
function chain (SFC) [RFC7665] can provide a logically independent
network function path. Network Security Function (NSF) [RFC8192]
refers to a series of security-related network functions, such as
firewalls and intrusion detection systems. By combining multiple NSFs
through the SFC, providers can provide users with customized security
services. Multiple instances of the same NSF may be deployed on
different service sites within one or more management domains. Their
available network and computing resources differ. These differences
lead to performance differences between NSF instances deployed on
different service sites. Routing decisions will affect the
performance of NSF, and then affect the quality of the security
service.
Wang, et al. Expires – October 2024 [Page 2]
Awareness System for CASFC April 2024
As described in [I-D.ldbc-cats-framework], the goal of Computing-
Aware Traffic Steering (CATS) is to solve the problem of how to route
between the user requesting the service and the service site in the
network edge. The basis to achieve this goal is network and computing
information awareness. Therefore, Computing and Network Information
Awareness (CNIA) system architecture
[I-D.yao-cats-awareness-architecture] is proposed. As the control plane
of the CATS framework, CNIA introduces the control center component
on top of the CAIS framework to realize the management and
comprehensive analysis of network information and computing information
and facilitate the making of comput- and network-aware traffic steering
decisions.
However, the CATS framework and CNIA architecture only consider the
routing between users and service sites and need to be further
extended and improved in the scenario of CA-SFC. It is necessary to
resolve routing issues between UEs and multiple service sites for the
CA-SFC routes. In the security service scenario, traffic features or
NSF instance output may also affect routing decisions
[I-D.wang-i2nsf-intelligent-detection][I-D.li-dots-knowledge-trans].
For example, the NSF used for anomaly detection outputs the result
of traffic detection and determines the traffic as normal or abnormal.
Routing decisions must consider NSFs' output and respond promptly
to anomalies.
This document extends the CATS framework and CNIA system architecture
and describes network and computing information details using
security services as an example to facilitate the implementation of
end-to-end security services enabled by the CA-SFC. This document
proposes the Information Awareness System for the CA-SFC (IAS-CASFC)
for routing decision-making between UEs and multiple service sites
based on the CATS framework and CNIA system architecture.
2. Terminology
This document makes use of the following terms:
Network Security Function (NSF): An NSF is a network function
that has security capabilities, such as authentication,
authorization, encryption, and detecting and mitigating network
anomalies [RFC8192].
Security Service: A security offering that a provider provides to
users by orchestrating a set of resources (network, compute,
storage, etc.). A security service can be composed of multiple
NSFs. The provider can use SFC technology to combine NSFs
and offer users customized security services.
Wang, et al. Expires – October 2024 [Page 3]
Awareness System for CASFC April 2024
Computing-Aware Service Function Chain (CA-SFC): A service function
path selection approach that takes into account the dynamic nature
of computing and network state to optimize service-specific traffic
forwarding between different function instances.
CATS Forwarder (CATS-F): A service site with a similar SFC Forwarder
[RFC7665] forwarding function can deploy multiple NSF instances of
different types.
CATS Ingress Forwarder (CATS-IF): A network node with a similar SFC
Classifier [RFC7665] forwarding function can classify, encapsulate
(for example, add a packet header with a service path identifier
using the NSH protocol [RFC8300]), and forward incoming traffic.
CATS Egress Forwarder (CATS-EF): A network node with a similar SFC
Classifier [RFC7665] forwarding function can classify, decapsulate,
and forward outgoing traffic.
CATS Forwarder ID (CF-ID): An identifier for a specific CATS-F.
CATS Network Security Function ID (CNSF-ID): An identifier for a
specific type of the NSF. CF-ID and CNSF-ID label an NSF instance
together.
3. Information Awareness System for Computing-Aware Service
Function Chain
The following are system components for the IAS-CASFC.
CATS Control Center (CATS-C): Store and manage network information
and computing information, and make routing decisions through a
comprehensive analysis of this information. CATS-C can be implemented
by adding information storage, management, and analysis functions to
the SDN controller [ITU-TY.3300]. CATS-C consists of the CATS Path
Calculation Unit (C-PCE), CATS Network Metric Information Base(C-NIB),
and CATS Computing Information Base(C-CIB), and network and computing
information is collected through the CATS-SBI Interface. The above
function components and interfaces are defined in
[I-D.yao-cats-awareness-architecture].
CATS Ingress Forwarder (CATS-IF): A network node with a similar SFC
Classifier [RFC7665] forwarding function can classify, encapsulate
(for example, add a packet header with a service path identifier
using the NSH protocol [RFC8300]), and forward incoming traffic.
CATS Forwarder (CATS-F): A service site with a similar SFC Forwarder
[RFC7665] forwarding function can deploy multiple NSF instances of
different types.
Wang, et al. Expires – October 2024 [Page 4]
Awareness System for CASFC April 2024
CATS Egress Forwarder (CATS-EF): A network node with a similar SFC
Classifier [RFC7665] forwarding function can classify, decapsulate,
and forward outgoing traffic.
CAT-IF and CAT-EF have a CATS Network Metric Agent (C-NMA),
responsible for collecting network information. Unlike C-NMA defined
in [I-D.ldbc-cats-framework], in IAS-CASFC, C-NMA reports the
collected network information to CATS-C through the CATS-SBI
Interface.
In addition to C-NMA, CAT-F also has CATS Service Metric Agent (C-
SMA), which is responsible for collecting computing information of
NSF instances and CATS-F. In IAS-CASFC, C-SMA reports the collected
computing information to CATS-C through the CATS-SBI Interface.
The architecture of IAS-CASFC is shown in Figure 1.
+-----------------+
| CATS-C |
| +-----+ |
| |C-PCE| |
| +-----+ |
| +-----+ +-----+ |
| |C-CIB| |C-NIB| |
| +-----+ +-----+ |
+--------+--------+
| CATS-SBI
+-------------------------------+-------------------------------+
| +--------------+-------------------+--------------+ |
| | | | | |
| +----+----+ +------+------+ +------+------+ +----+----+ |
| | CATS-IF | | CATS-F-1 | | CATS-F-m | | CATS-EF | |
| | C-NMA | | C-NMA | | C-NMA | | C-NMA | |
| +---------+ | C-SMA | | C-SMA | +---------+ |
| | +---------+ | | +---------+ | |
| | |Instances| | ... | |Instances| | |
| | | NSF-1 | | | | NSF-3 | | |
| | | ... | | | | ... | | |
| | | NSF-n | | | | NSF-n | | |
| | +---------+ | | +---------+ | |
| +-------------+ +-------------+ |
+---------------------------------------------------------------+
Figure 1: IAS-CASFC Architecture
4. Information Details
Wang, et al. Expires – October 2024 [Page 5]
Awareness System for CASFC April 2024
Table 1 shows awareness information content examples for computing-
aware SFC which is used to provide security services.
+-------------+----------------------+---------------------+
| Awareness | Network | Computing |
| information | information | information |
+-------------+----------------------+---------------------+
| | CATS-F location; | CNSF-ID; NSF |
| | CATS-F type; | computing energy |
| Capability | CATS-F ID; | consumption; |
| parameters | Topology information.| Computing cost; |
| | | CATS-F maximum |
| | | available computing |
| | | resources; CATS-F |
| | | CATS-F computing |
| | | types. |
+-------------+----------------------+---------------------+
| | Service request | CATS-F computing |
| Status | information; | load; CATS-F |
| parameters | Traffic features; | available computing |
| | Communication | resources; NSF |
| | information. | instance output. |
+-------------+----------------------+---------------------+
Table 1: Awareness information content examples
In the security service scenario, routing decisions may also be
affected by traffic features or NSF instance output
[I-D.wang-i2nsf-intelligent-detection]. For example, C-PCE can
adjust the NSF instances to be passed according to the traffic
features collected by CATS-IF. Or C-PCE makes different routing
decisions for normal and abnormal traffic based on the output
of the NSF instance.
4.1 Network Information
The network information capability parameters are as follows.
CATS-F location: Geographic location information or relative location
information of CATS-F (including CATS-IF and CATS-EF).
CATS-F Type: The type of CATS-F includes CATS-EF, CATS-IF, and
CATS-F where NSF instances can be deployed.
CATS-F ID: All CAT-F identification information.
Topology information: Network topology information includes
information about nodes and links between nodes.
The network information status parameters are as follows.
Wang, et al. Expires – October 2024 [Page 6]
Awareness System for CASFC April 2024
Service request information: Information about the service
requirements proposed by users. The security service requested by
the user may be to detect anomalies, ensure the security of private
data during the communication process, etc.
Communication information: Communication information includes
information about the communication status, such as bandwidth,
delay, packet loss rate, and delay jitter.
Traffic features: Traffic features, such as the average packet
length, IP entropy, port entropy, and TTL entropy, are observed
within a certain period of time before the current time
[I-D.wang-i2nsf-intelligent-detection].
4.2 Computing Information
The computing information capability parameters are as follows.
CNSF-ID: All types of NSFs identification information.
NSF computing energy consumption: The computing energy consumption of
a specific type of NSF to deal with per workload.
Computing cost: The cost per unit of computing resources is generally
set by the infrastructure provider.
CATS-F maximum available computing resources: The maximum available
computing resources on CAT-F where NSF instances can be deployed.
CATS-F computing types: Compute resource types of CATS-F, such as
CPU, GPU, FPGA, etc.
The computing information status parameters are as follows.
CATS-F computing load: Computing resources consumed by running NSF
instances.
CATS-F available computing resources: The available compute resources
on CATS-F at a given time are the maximum available computing
resources minus the compute load.
NSF instance output: For example, an NSF instance used for anomaly
detection outputs a traffic flow as normal or abnormal.
5. Security Considerations
Wang, et al. Expires – October 2024 [Page 7]
Awareness System for CASFC April 2024
CATS-C stores the computing and network information of all CATS-Fs in
the network management domain. If an attacker steals or tampers with
the information in C-CIB and C-NIB, it will lead to the disclosure of
service privacy information or incorrect routing decisions.
Therefore, CAT-C should have the necessary defense mechanisms to
defend against intrusions by attackers and prevent single points of
failure.
6. IANA Considerations
This document makes no requests for IANA action.
7. References
7.1 Normative References
[RFC7665] J. Halpern and C. Pignataro, "Service Function Chaining
(SFC) Architecture", RFC 7665, DOI 10.17487/
RFC7665, October 2015, <https://www.rfc-editor.org
/info/rfc7665>.
[RFC8192] Hares, S. Lopez, D. Zarny, M. Jacquenet, C. Kumar, R. and
J. Jeong, "Interface to Network Security Functions
(I2NSF): Problem Statement and Use Cases", RFC8192,
DOI 10.17487/RFC8192, July 2017, <https://www.rfc-
editor.org/info/rfc8192>.
[RFC8300] P. Quinn, U. Elzur and C. Pignataro, "Network Service
Header (NSH)", RFC8300, DOI 10.17487/RFC8300, January
2020, <https://www.rfc-editor.org/info/rfc8192>.
[ITU-TY.3300] International Telecommunications Union, "Y.3300:
Framework of software defined networking", June 2014,
<https://www.itu.int/rec/T-REC-Y.3300/en>.
7.2 Informative References
[I-D.ldbc-cats-framework] C. Li, Z. Du, M. Boucadair, L. M.
Contreras, J. Drake, G. Huang, and G. Mishra, "A Framework
for Computing-Aware Traffic Steering (CATS)", Work in
Progress, Internet-Draft, draft-ldbc-cats-framework-03,
August 2023, <https://datatracker.ietf.org/doc/html/draft-
ldbc-cats-framework-03>.
[I-D.yao-cats-awareness-architecture] H. Yao, X. Wang, Z. Li, and
D.H. Daniel, "Computing and Network Information Awareness
(CNIA) system architecture for CATS", Work in Progress,
Internet-Draft, draft-yao-cats-awareness-architecture-01,
July 2023, < https://datatracker.ietf.org/doc/html/draft-
yao-cats-awareness-architecture-01>.
Wang, et al. Expires – October 2024 [Page 8]
Awareness System for CASFC April 2024
[I-D.wang-i2nsf-intelligent-detection] W. Wang, H. Zhou, M. Li, Q.
Guo, and S. Deng, "YANG Data Models for Attacks
Intelligent Detection", Work in Progress, Internet-Draft,
draft-wang-i2nsf-intelligent-detection-01, April 2023, <
https://datatracker.ietf.org/doc/html/draft-wang-i2nsf-
intelligent-detection-01>.
[I-D.li-dots-knowledge-trans] K. Li, H. Zhou, Z. Tu, F. Liu, W. Wang,
"Knowledge Transmission Using Distributed Denial-of-
Service Open Threat Signaling (DOTS) Data Channel", Work
in Progress, Internet-Draft, draft-li-dots-knowledge-
trans-05, August 2023, < https://datatracker.ietf.org/doc
/html/draft-li-dots-knowledge-trans-05>.
8. Acknowledgments
TBC
Author's Addresses
Weilin Wang
Beijing Jiao Tong University
China
Email: 21111026@bjtu.edu.cn
Huachun Zhou
Beijing Jiao Tong University
China
Email: hchzhou@bjtu.edu.cn
Jingfu Yan
Beijing Jiao Tong University
China
Email: 22110030@bjtu.edu.cn
Wang, et al. Expires – October 2024 [Page 9]