AAA for Hierarchical Network Slices
draft-zhang-rtgwg-aaa-hierarchical-network-slices-00

Document Type Active Internet-Draft (individual)
Authors Xiaoqiu Zhang , Changwang Lin , Yuanxiang Qiu
Last updated 2024-01-07
RTGWG                                                          X. Zhang
Internet-Draft                                             China Mobile
Intended status: Standards Track                                 C. Lin
Expires: July 8, 2024                                            Y. Qiu
                                                   New H3C Technologies
                                                        January 8, 2024

                    AAA for Hierarchical Network Slices
            draft-zhang-rtgwg-aaa-hierarchical-network-slices-00

Abstract

   This document describes an enhanced AAA mechanism for hierarchical
   network slice service when users access the network and use network
   slice resources of different SLA levels.

Status of this Memo

   This Internet-Draft is submitted in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF), its areas, and its working groups.  Note that
   other groups may also distribute working documents as Internet-
   Drafts.

   Internet-Drafts are draft documents valid for a maximum of six
   months and may be updated, replaced, or obsoleted by other documents
   at any time.  It is inappropriate to use Internet-Drafts as
   reference material or to cite them other than as "work in progress."

   The list of current Internet-Drafts can be accessed at
   http://www.ietf.org/ietf/1id-abstracts.txt

   The list of Internet-Draft Shadow Directories can be accessed at
   http://www.ietf.org/shadow.html

   This Internet-Draft will expire on July 6, 2024.

Copyright Notice

   Copyright (c) 2024 IETF Trust and the persons identified as the
   document authors. All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (http://trustee.ietf.org/license-info) in effect on the date of

Zhang, et al.            Expires July, 2024                   [Page 1]
Internet-Draft   AAA for Hierarchical Network Slices       January 2024

   publication of this document. Please review these documents
   carefully, as they describe your rights and restrictions with
   respect to this document. Code Components extracted from this
   document must include Simplified BSD License text as described in
   Section 4.e of the Trust Legal Provisions and are provided without
   warranty as described in the Simplified BSD License.

Table of Contents

   1. Introduction ................................................ 2
      1.1. Requirements Language .................................. 4
      1.2. Terminology ............................................ 4
   2. Gap analysis for current AAA mechanism ...................... 4
   3. AAA Method for hierarchical IETF network slices ............. 4
   4. IANA Considerations ......................................... 6
   5. Security Considerations ..................................... 6
   6. References .................................................. 7
      6.1. Normative References ................................... 7
      6.2. Informative References ................................. 7
   7. Acknowledgments ............................................. 8
   Authors' Addresses ............................................. 9

  1. Introduction

   Network slicing provides the ability to partition a physical network
   into multiple isolated logical networks of varying sizes,
   structures, and functions so that each slice can be dedicated to
   specific services or customers. Hierarchical composition of IETF
   Network Slice means that a network slice can be further sliced into
   other network slices, as shown in Figure 1.

                        +-------------------+
                        |      Underlay     |
                        |      Network      |
                        +---------+---------+
                                  |
                    +-------------+-------------+
                    |                           |
                    V                           V
              +-----------+               +-----------+
              |  Level-1  |               |  Level-1  |
              |  Network  |               |  Network  |
              |   Slice   |               |   Slice   |
              |     1     |               |     2     |
              +-----+-----+               +-----+-----+
                    |                           |
             +------+------+             +------+------+
             |             |             |             |
             V             V             V             V
        +---------+   +---------+   +---------+   +---------+
        | Level-2 |   | Level-2 |   | Level-2 |   | Level-2 |
        | Network |   | Network |   | Network |   | Network |
        |  Slice  |   |  Slice  |   |  Slice  |   |  Slice  |
        |   1-1   |   |   1-2   |   |   2-1   |   |   2-2   |
        +---------+   +---------+   +---------+   +---------+
        Figure 1: Architecture of Two-level Hierarchical IETF Network
        Slices

   [I-D.dong-teas-hierarchical-ietf-network-slice] describes several
   possible scenarios of hierarchical IETF network slices. For example,
   Level-1 can be industry slices which are used to deliver services
   for different vertical industries, and Level-2 can be customer
   slices which are created to meet specific requirements of some or
   all of the customers within the corresponding Level-1 industry.
   [I-D.draft-gong-teas-hierarchical-slice-solution] describes a
   Segment Routing based solution for two-level hierarchical IETF
   network slices: the Level-1 network slice is realized by associating
   Flex-Algo with dedicated sub-interfaces, and the Level-2 network
   slice is realized by using an SR Policy with an additional NRP-ID on
   the data plane. [I-D.draft-cheng-spring-sr-policy-group] describes
   another Segment Routing based solution for two-level hierarchical
   network slices: the Level-1 network slice is realized by an SR
   policy group, which is a group of constituent Parent SR policies to
   different destination endpoints with the same service forwarding
   model, and the Level-2 network slice is realized by an SR policy or
   Parent SR policy which can provide paths for different SLAs.

   Since the above solutions for hierarchical network slices have been
   proposed and the current AAA mechanism cannot meet these new
   requirements, this document describes an enhanced AAA mechanism for
   hierarchical network slice service when users access the network
   and use network slice resources of different SLA levels.

1.1. Requirements Language

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and
   "OPTIONAL" in this document are to be interpreted as described in
   BCP 14 [RFC2119] [RFC8174] when, and only when, they appear in all
   capitals, as shown here.

1.2. Terminology

   The terms in this document are defined in [RFC8402],
   [I-D.ietf-teas-ietf-network-slices] and [I-D.ietf-lsr-flex-algo].

   The following lists widely used terms in this document.

   AAA: Authentication, Authorization and Accounting

   FA: Flexible Algorithm

   NRP: Network Resource Partition

  2. Gap analysis for current AAA mechanism

   In traditional network architectures, the network nodes that provide
   AAA functions, such as BRAS devices and AAA servers, only need to
   account for the consumption of network resources, such as access
   time and bandwidth; this holds for accounting in particular. For the
   new business scenarios of hierarchical IETF network slices, the AAA
   mechanism needs to recognize the level of each network slice and
   the related information, which enables fine-grained management of
   authentication, authorization and accounting and meets the diverse
   and numerous business requirements of cloud-network convergence.

   To address this issue, this document proposes an enhanced AAA method
   for hierarchical IETF network slices.

  3. AAA Method for hierarchical IETF network slices

   The following figure shows a typical architecture of the AAA process
   for hierarchical IETF network slice service. There are three roles:
   the user device, the network device (such as a BRAS), and the AAA
   server (such as a RADIUS server).

      user device
      +------+
      |  A   |----+
      +------+    |
                  |
      user device |     +-------------------+        +-------------------+
      +------+    +---->|                   |<-------|                   |
      |  B   |--------->|   Network device  |        |    AAA server     |
      +------+    +---->|                   |------->|                   |
                  |     +-------------------+        +-------------------+
      user device |
      +------+    |
      |  C   |----+
      +------+

             Figure 2: AAA Process for hierarchical network slices

   This document proposes an enhanced AAA method for hierarchical IETF
   network slices. All the processes below are described using
   two-level network slices as an example.

3.1. The authentication and authorization process for network slices

   1. When the user device accesses the network, it sends an
      authentication request message which includes the username,
      password, user characteristics and service information.

   2. The network device receives the authentication request message
      carrying the username, password, user characteristics and service
      information from the user device, and forwards it to the AAA
      server.

   3. The AAA server receives the request and completes the
      authentication process. Based on the user's characteristics and
      service information in the request message, it selects an
      appropriate network slicing strategy for the user, encapsulates it
      in the user authorization message, and sends it to the network
      device.

      The network device allows the user to come online and consume the
      corresponding slice resources based on the authorization
      information.

      The first level slice is divided based on the first object, which
      can be an SRv6 policy group or SR FlexAlgo (FA for short) with
      dedicated sub-interfaces. The second level slice is divided based
      on the second object on top of the first level slice, which can
      be an SR Policy with an additional NRP-ID/Slice-ID on the data
      plane. The information is mainly the two-level slice
      identification (id for short): the first level slice id can use
      the id introduced by the control plane technology, such as the
      FA-id, and the second level slice id can use the id introduced by
      the data plane technology, such as the NRP-ID.

   4. When the user comes online, the AAA server starts accounting for
      the user within the slice.
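   The Section 3.1 exchange between the three roles, written out as an
   added Python example that is not part of this draft: the user device
   builds the request, the network device (BRAS) forwards it and admits
   the user only on an accept, and the AAA server authenticates and then
   selects the two-level slice (FA-id, NRP-ID) from a policy table. The
   policy table, the user store, PBKDF2 for password storage, the
   constant-time comparison and every id value are assumptions made for
   illustration; the draft specifies none of them.

```python
import hashlib
import hmac
from dataclasses import dataclass
from typing import Optional

# Hypothetical slice policy on the AAA server (assumed values, not from the draft):
# (user characteristic, service) -> (first level slice id = FA-id, second level = NRP-ID)
SLICE_POLICY = {
    ("industrial", "control"): (128, 1001),
    ("industrial", "video"): (128, 1002),
    ("healthcare", "telemedicine"): (129, 2001),
}


def hash_password(password: str, salt: bytes) -> bytes:
    # PBKDF2 is an assumption for credential storage; the draft does not say
    # how the AAA server stores passwords.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


# Constructed user store: username -> (salt, password hash, user characteristic)
_SALT = b"constructed-static-salt"
USERS = {
    "alice": (_SALT, hash_password("alice-pw", _SALT), "industrial"),
    "bob": (_SALT, hash_password("bob-pw", _SALT), "healthcare"),
}


@dataclass
class AuthRequest:
    """Step 1: what the user device sends (username, password, characteristic, service)."""
    username: str
    password: str
    characteristic: str
    service: str


@dataclass
class Authorization:
    """Step 3: the slice strategy the AAA server returns with the accept."""
    username: str
    fa_id: int    # first level slice id (control plane, e.g. Flex-Algo id)
    nrp_id: int   # second level slice id (data plane, e.g. NRP-ID)


class AAAServer:
    def authenticate_and_authorize(self, req: AuthRequest) -> Optional[Authorization]:
        """Step 3: authenticate, then pick a two-level slice from the policy table.
        Returns None on any failure so the network device never admits the user."""
        record = USERS.get(req.username)
        if record is None:
            return None
        salt, stored, characteristic = record
        # constant-time compare so timing does not leak how much of the hash matched
        if not hmac.compare_digest(hash_password(req.password, salt), stored):
            return None
        # The characteristic claimed by the client must match the server-side
        # profile; the client's own claim must not select the slice.
        if req.characteristic != characteristic:
            return None
        slice_ids = SLICE_POLICY.get((characteristic, req.service))
        if slice_ids is None:
            return None  # no matching strategy: deny rather than fall back to a default slice
        return Authorization(req.username, *slice_ids)


@dataclass
class Session:
    username: str
    fa_id: int
    nrp_id: int


class NetworkDevice:
    """The BRAS role: forwards the request (step 2) and admits the user (step 3)."""

    def __init__(self, server: AAAServer):
        self.server = server
        self.sessions = {}

    def handle_access(self, req: AuthRequest) -> Optional[Session]:
        authz = self.server.authenticate_and_authorize(req)
        if authz is None:
            return None
        session = Session(authz.username, authz.fa_id, authz.nrp_id)
        self.sessions[req.username] = session   # user is online, bound to this slice pair
        return session


def demo() -> dict:
    """The three cases worth checking: accept, wrong password, no slice policy."""
    bras = NetworkDevice(AAAServer())
    ok = bras.handle_access(AuthRequest("alice", "alice-pw", "industrial", "control"))
    bad_pw = bras.handle_access(AuthRequest("alice", "wrong", "industrial", "control"))
    no_policy = bras.handle_access(AuthRequest("bob", "bob-pw", "healthcare", "video"))
    return {"ok": ok, "bad_pw": bad_pw, "no_policy": no_policy}


if __name__ == "__main__":
    print(demo())
```

   The design point is that the slice pair is chosen from the server's
   own profile of the user, not from the characteristics the client
   asserts, and that a user with no matching strategy is refused rather
   than placed in a default slice.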

3.2. The accounting process for network slices

   1. The network device sends an accounting start request message,
      which at least includes information about the network slice
      currently used by the user, that is, the first and second level
      slices.

      The two-level slice information mainly consists of the following:
      the first level slice id could be the FA-id, for example, and the
      second level slice id could be the NRP-ID.

   2. If the request is valid, the accounting server records the user
      and the corresponding two-level slice information in the database
      and returns a reply message to the network device.

   3. When the user logs out, the server receives an accounting stop
      request message which includes the two-level network slice
      information, the time, and the reason for stopping accounting.
      The server then records the user and the corresponding two-level
      slice information for stopping accounting in the database.

   We consider adding the two-level slice information, such as the
   FA-id and NRP-ID, to the accounting messages by extending the
   Attribute field of the RADIUS protocol message.
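   The Section 3.2 accounting exchange on the wire, as an added Python
   example that is not part of this draft: the network device builds
   RADIUS Accounting-Request Start and Stop packets that carry the FA-id
   and NRP-ID in a Vendor-Specific attribute, and the server validates
   the Request Authenticator of RFC 2866 before recording anything. The
   packet codes and standard attribute types are those of RFC 2865 and
   RFC 2866; the vendor id, the two sub-attribute numbers, the shared
   secret and the session values are placeholders, since the draft has
   not assigned any.

```python
import hashlib
import hmac
import struct

# RADIUS packet code and attribute types (RFC 2865 / RFC 2866).
ACCT_REQUEST = 4
USER_NAME, VENDOR_SPECIFIC = 1, 26
ACCT_STATUS_TYPE, ACCT_SESSION_TIME, ACCT_TERMINATE_CAUSE = 40, 46, 49
ACCT_START, ACCT_STOP = 1, 2
# Placeholders: the draft assigns no vendor id and no sub-attribute numbers yet.
VENDOR_ID_PLACEHOLDER = 99999
VSA_FA_ID, VSA_NRP_ID = 1, 2
SHARED_SECRET = b"constructed-shared-secret"   # constructed for this example


def attr(atype: int, value: bytes) -> bytes:
    """One RADIUS attribute: Type, Length (including the 2 header bytes), Value."""
    return struct.pack("!BB", atype, 2 + len(value)) + value


def slice_vsa(fa_id: int, nrp_id: int) -> bytes:
    """Vendor-Specific attribute carrying the first level (FA-id) and second
    level (NRP-ID) slice ids as two 32-bit sub-attributes."""
    sub = attr(VSA_FA_ID, struct.pack("!I", fa_id)) + attr(VSA_NRP_ID, struct.pack("!I", nrp_id))
    return attr(VENDOR_SPECIFIC, struct.pack("!I", VENDOR_ID_PLACEHOLDER) + sub)


def build_acct_request(ident: int, attrs: bytes) -> bytes:
    """Accounting-Request; the Request Authenticator is MD5 over the packet with
    a zeroed authenticator field followed by the shared secret (RFC 2866, 3)."""
    header = struct.pack("!BBH", ACCT_REQUEST, ident, 20 + len(attrs))
    auth = hashlib.md5(header + bytes(16) + attrs + SHARED_SECRET).digest()
    return header + auth + attrs


def parse_attrs(data: bytes) -> list:
    """Split a byte string into (type, value) pairs, rejecting bad lengths."""
    out = []
    while data:
        if len(data) < 2 or data[1] < 2 or data[1] > len(data):
            raise ValueError("malformed attribute")
        out.append((data[0], data[2:data[1]]))
        data = data[data[1]:]
    return out


def verify_acct_request(pkt: bytes) -> dict:
    """Server side of step 2: validate length and authenticator before trusting
    any attribute, then extract the user and the two-level slice ids."""
    if len(pkt) < 20:
        raise ValueError("short packet")
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if code != ACCT_REQUEST or length != len(pkt):
        raise ValueError("bad code or length")
    attrs = pkt[20:]
    expected = hashlib.md5(pkt[:4] + bytes(16) + attrs + SHARED_SECRET).digest()
    if not hmac.compare_digest(expected, pkt[4:20]):
        raise ValueError("authenticator mismatch: not from a device holding the secret")
    record = {"id": ident}
    names = {ACCT_STATUS_TYPE: "status", ACCT_SESSION_TIME: "session_time",
             ACCT_TERMINATE_CAUSE: "terminate_cause"}
    for atype, value in parse_attrs(attrs):
        if atype == USER_NAME:
            record["user"] = value.decode()
        elif atype in names and len(value) == 4:
            record[names[atype]] = struct.unpack("!I", value)[0]
        elif atype == VENDOR_SPECIFIC and len(value) >= 4 \
                and struct.unpack("!I", value[:4])[0] == VENDOR_ID_PLACEHOLDER:
            for stype, sval in parse_attrs(value[4:]):
                if stype == VSA_FA_ID and len(sval) == 4:
                    record["fa_id"] = struct.unpack("!I", sval)[0]
                elif stype == VSA_NRP_ID and len(sval) == 4:
                    record["nrp_id"] = struct.unpack("!I", sval)[0]
    if "fa_id" not in record or "nrp_id" not in record:
        raise ValueError("record lacks the two-level slice ids")
    return record


def demo() -> dict:
    """Accounting start and stop for one user, plus a packet altered in flight."""
    db = []  # stands in for the accounting database
    common = attr(USER_NAME, b"alice") + slice_vsa(128, 1001)
    start = build_acct_request(1, common + attr(ACCT_STATUS_TYPE, struct.pack("!I", ACCT_START)))
    db.append(verify_acct_request(start))
    stop = build_acct_request(2, common
                              + attr(ACCT_STATUS_TYPE, struct.pack("!I", ACCT_STOP))
                              + attr(ACCT_SESSION_TIME, struct.pack("!I", 3600))
                              + attr(ACCT_TERMINATE_CAUSE, struct.pack("!I", 1)))  # 1 = User Request
    db.append(verify_acct_request(stop))
    tampered = bytearray(start)
    tampered[-1] ^= 0x01          # flips a byte of Acct-Status-Type after signing
    try:
        verify_acct_request(bytes(tampered))
        detected = False
    except ValueError:
        detected = True
    return {"records": db, "tamper_detected": detected}


if __name__ == "__main__":
    print(demo())
```

   The authenticator check is what gives "if the request is valid" a
   concrete meaning: a record that names a slice pair is only written
   when the packet was produced by a device holding the shared secret.
   That check covers integrity against alteration, not confidentiality
   of the slice ids or the username; for that the RADIUS exchange would
   run over a protected transport such as RADIUS/TLS (RFC 6614).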

  4. IANA Considerations

   TBD

  5. Security Considerations

   The potential security threats of the Alternate-Marking method have
   been described in detail in Section 10 of
   [I-D.draft-ietf-ippm-rfc8321bis]. The performance measurement method
   described in this document does not introduce additional new
   security issues.

6. References

6.1. Normative References

   [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
             Requirement Levels", BCP 14, RFC 2119, DOI
             10.17487/RFC2119, March 1997, <https://www.rfc-
             editor.org/info/rfc2119>.

   [RFC8174] Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC
             2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174,
             May 2017, <https://www.rfc-editor.org/info/rfc8174>.

   [RFC8402] Filsfils, C., Ed., Previdi, S., Ed., Ginsberg, L.,
             Decraene, B., Litkowski, S., and R. Shakir, "Segment
             Routing Architecture", RFC 8402, DOI 10.17487/RFC8402,
             July 2018, <https://www.rfc-editor.org/info/rfc8402>.

   [I-D.ietf-teas-ietf-network-slices] Farrel, A., Drake, J., Rokui,
             R., Homma, S., Makhijani, K., Contreras, L. M., and J.
             Tantsura, "Framework for IETF Network Slices", Work in
             Progress, Internet-Draft, draft-ietf-teas-ietf-network-
             slices-12, 30 June 2022,
             <https://www.ietf.org/archive/id/draft-ietf-teas-ietf-
             network-slices-12.txt>.

   [I-D.ietf-lsr-flex-algo] Psenak, P., Hegde, S., Filsfils, C.,
             Talaulikar, K., and A. Gulko, "IGP Flexible Algorithm",
             draft-ietf-lsr-flex-algo-20 (work in progress), May 2022.

   [I-D.ietf-spring-segment-routing-policy] Filsfils, C., Talaulikar,
             K., Voyer, D., Bogdanov, A., and P. Mattes, "Segment
             Routing Policy Architecture", Work in Progress, Internet-
             Draft, draft-ietf-spring-segment-routing-policy-22, 22
             March 2022, <http://www.ietf.org/internet-drafts/draft-
             ietf-spring-segment-routing-policy-22.txt>.

6.2. Informative References

   [I-D.dong-teas-hierarchical-ietf-network-slice] Dong, J., and Z. Li,
             "Considerations about Hierarchical IETF Network Slices",
             Work in Progress, Internet-Draft, draft-dong-teas-
             hierarchical-ietf-network-slice-01, 7 March 2022,
             <http://www.ietf.org/internet-drafts/draft-dong-teas-
             hierarchical-ietf-network-slice-01.txt>.

   [I-D.ietf-6man-enhanced-vpn-vtn-id] Dong, J., Li, Z., Xie, C., Ma,
             C., and G. Mishra, "Carrying Virtual Transport Network
             (VTN) Identifier in IPv6 Extension Header", Work in
             Progress, Internet-Draft, draft-ietf-6man-enhanced-vpn-
             vtn-id-00, 5 March 2022, <http://www.ietf.org/internet-
             drafts/draft-ietf-6man-enhanced-vpn-vtn-id-00.txt>.

   [I-D.cheng-spring-srv6-encoding-network-sliceid] Cheng, W., Lin, C.,
             Gong, L., Zadok, S., and X. Wang, "Encoding Network Slice
             Identification for SRv6", Work in Progress, Internet-
             Draft, draft-cheng-spring-srv6-encoding-network-sliceid-
             04, 8 July 2022, <http://www.ietf.org/internet-
             drafts/draft-cheng-spring-srv6-encoding-network-sliceid-
             04.txt>.

   [I-D.decraene-mpls-slid-encoded-entropy-label-id] Decraene B.,
             Filsfils, C., Henderickx W., Saad T., Beeram V., "Using
             Entropy Label for Network Slice Identification in MPLS
             networks", Work in Progress, Internet-Draft, draft-
             decraene-mpls-slid-encoded-entropy-label-id-04, 14 June
             2022, <http://www.ietf.org/internet-drafts/draft-decraene-
             mpls-slid-encoded-entropy-label-id-04.txt>.

   [I-D.li-mpls-enhanced-vpn-vtn-id] Li, Z. and J. Dong, "Carrying
             Virtual Transport Network Identifier in MPLS Packet", Work
             in Progress, Internet-Draft, draft-li-mpls-enhanced-vpn-
             vtn-id-02, 7 March 2022, <http://www.ietf.org/internet-
             drafts/draft-li-mpls-enhanced-vpn-vtn-id-02.txt>.

  7. Acknowledgments

   The authors would like to thank the following for their valuable
   contributions to this document:

   TBD

Authors' Addresses

   Xiaoqiu Zhang
   China Mobile
   Email: zhangxiaoqiu@chinamobile.com

   Changwang Lin
   New H3C Technologies
   Email: linchangwang.04414@h3c.com

   Yuanxiang Qiu
   New H3C Technologies
   Email: qiuyuanxiang@h3c.com