Internet Engineering Task Force                                  M. Chen
Internet-Draft                                                     L. Su
Intended status: Informational                              China Mobile
Expires: 7 September 2023                                   6 March 2023


                     The Use Cases for Secure Routing
                  draft-chen-secure-routing-use-cases-00

Abstract

   Traditional path selection criteria include the shortest path, the
   lowest delay and the least jitter.  This draft proposes adding a new
   factor, security, so that the forwarding path is also determined from
   the security dimension.  With the frequent occurrence of security
   incidents, users' demand for security services is increasingly
   strong.  As there are many security devices in an ISP's network, this
   draft proposes secure routing, whose purpose is to converge security
   and routing so as to ensure the security of the transmission process.
   The scope is transmission process security; end-to-end security and
   processing security are out of scope.

Status of This Memo

   This Internet-Draft is submitted in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF).  Note that other groups may also distribute
   working documents as Internet-Drafts.  The list of current Internet-
   Drafts is at https://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   This Internet-Draft will expire on 7 September 2023.

Copyright Notice

   Copyright (c) 2023 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

Chen & Su               Expires 7 September 2023                [Page 1]

Internet-Draft                  Use Cases                     March 2023

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (https://trustee.ietf.org/license-info) in effect on the date of
   publication of this document.
   Please review these documents carefully, as they describe your rights
   and restrictions with respect to this document.  Code Components
   extracted from this document must include Revised BSD License text as
   described in Section 4.e of the Trust Legal Provisions and are
   provided without warranty as described in the Revised BSD License.

Table of Contents

   1.  Introduction
   2.  Analysis of security requirements
   3.  Security and network convergence
   4.  Secure Routing Use Cases
     4.1.  Basic path for secure routing
     4.2.  Differentiated service for secure routing
   5.  IANA Considerations
   6.  Security Considerations
   Authors' Addresses

1.  Introduction

   With the frequent occurrence of network security events, users'
   demand for network security is increasingly strong; there is no doubt
   that multi-level security is needed to protect users.  The current
   security risk mainly comes from attacks, and users need security
   services to keep their business running normally.  Some companies
   build security centers by themselves, some buy third-party cloud
   security services, and some hope that ISPs can provide security
   services through secure routing.  Secure routing provided by ISPs can
   be implemented so as to steer traffic through security devices.  With
   the development of programmable networks and SRv6 technology, the
   forwarding requirements of the upper layer can be fulfilled through
   routing programming; reachability and security in the routing process
   can be handled together to provide users with secure routing.
   In addition to dedicated security equipment, network devices are also
   being updated to integrate security functions so as to cope with
   complex security environments, such as routers with anti-DDoS
   functions and switches with intrusion detection (IDS) and firewall
   functions.

2.  Analysis of security requirements

   For ISPs, users differ in credibility, so it is necessary to plan the
   path from the perspective of protecting the basic network.  For
   users, different users have different security requirements that
   depend on their business.  For example, e-commerce and Internet
   companies focus on phishing prevention, anti-DDoS and data security;
   medical companies focus on data security and security isolation, and
   so on.  In a word, users have differentiated security requirements.

3.  Security and network convergence

   If security functions and network functions are highly integrated,
   security can become as flexible as network connectivity.  By
   extending existing routing protocols to obtain information about the
   security devices in the network, secure routing can be realized by
   taking the security policy into account when computing the routing
   strategy.  The following figure describes the relationship between
   the controller, the network devices and the security devices.

                         +-----------+
                         |    IP     |
                         |programming|
                         | controller|
                         +-----x-----+
                               x
                               x
            xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
            x                  x                  x
       +----x---+         +----x----+         +----x---+
       | router +---------+security +---------+ router |
       +----+---+         | device  |         +--------+
            |             +---------+
       +----+----+
       |security |
       | device  |
       +---------+

                    Figure 1: Secure routing model

4.  Secure Routing Use Cases

   Two use cases are described below.

   1.  Strategic routing paths ensure basic network security, and
       network node security evaluation ensures the security of the
       transmission node itself;

   2.  Differentiated security paths meet user requirements.

4.1.  Basic path for secure routing

   This scenario occurs in the vertical industries of the 5G network.
   The power industry slice requires physical isolation, that is,
   running on independent physical machines.  To achieve this
   requirement, it is necessary to collect the network node information
   at the controller.  When it is time to provide service for the power
   slice, the information is obtained from the controller and the secure
   route is then planned.  For security, obtaining the information of
   nodes and appraising their trustworthiness can help improve basic
   node security awareness; the draft
   draft-voit-rats-trustworthy-path-routing focuses on this field.

                        +-------------+
                        |  Controller |
                        +------+------+
                      appraise|trustworthiness
              +----------------+---------------+
              |                |               |
          +---+----+       +---+---+       +---+----+
          | Node1  +-------+ Node2 +-------+ Node3  |
          +--------+       +-------+       +--------+

               Figure 2: Node security appraisement

   Also, the credibility of users is differentiated: for users with poor
   credibility or potential attack behaviors, critical nodes are avoided
   when forming routing paths.  As shown in the figure, for user A with
   poor credibility, key Node3 is avoided and the path <1,2,3,4> is
   formed for user A.

   Ingress                       +---------+
   +--------+   1   +------+  5  |   Key   |  6   +------+
   | User A +------>| Node1+---->|  Node3  +----->| Node5|
   +--------+       +---+--+     +----+----+      +---+--+
                        |             |               |
                      2 |           7 |             8 |
                        |             |               |
                    +---v--+  3  +----v-+  4      +---v--+
                    | Node2+---->| Node4+-------->| Node6+----> Egress
                    +------+     +------+         +------+

              Figure 3: Key network node protection

4.2.  Differentiated service for secure routing

   ISPs have built many security devices and security resource pools in
   the basic network; once a network node is attacked, security
   functions need to be scheduled quickly and efficiently to mitigate
   the attack.  Users have clear requirements for their own security
   services.
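   As an added illustration of both use cases in this section (this is
   example code written for this review, not part of the draft), the
   following Python selects a route over the topology of Figure 3,
   assuming the security functions that Figure 4 of Section 4.2 places
   on Node2 (WAF), Node3 (anti-DDoS) and Node4 (IPS).  Node names, link
   numbers, the "trusted" flag and the hop-count metric are assumptions
   taken from the figures, not a specification.

```python
# Constructed topology from Figures 3 and 4 of the draft: directed links
# keyed by the figure's link number; Node6 leads to the egress.
LINKS = {
    1: ("UserA", "Node1"), 2: ("Node1", "Node2"), 3: ("Node2", "Node4"),
    4: ("Node4", "Node6"), 5: ("Node1", "Node3"), 6: ("Node3", "Node5"),
    7: ("Node3", "Node4"), 8: ("Node5", "Node6"),
}
# Security functions hosted on nodes (Figure 4) and the key node that
# low-credibility users must be kept away from (Figure 3).
SERVICES = {"Node3": {"anti-ddos"}, "Node2": {"waf"}, "Node4": {"ips"}}
KEY_NODES = {"Node3"}


def _simple_paths(node, dst, visited, links):
    """Yield every loop-free path node->dst as a list of link numbers."""
    if node == dst:
        yield links
        return
    for lid, (a, b) in sorted(LINKS.items()):
        if a == node and b not in visited:
            yield from _simple_paths(b, dst, visited | {b}, links + [lid])


def secure_route(required, trusted=True, src="UserA", dst="Node6"):
    """Return the fewest-hop path whose nodes host every required security
    service; untrusted users are additionally kept off key nodes.
    Returns None when no path can honour the request."""
    best = None
    for path in _simple_paths(src, dst, {src}, []):
        nodes = {LINKS[lid][1] for lid in path}
        if not trusted and nodes & KEY_NODES:
            continue  # key node protection (Section 4.1)
        offered = set().union(*(SERVICES.get(n, set()) for n in nodes))
        if not set(required) <= offered:
            continue  # path does not deliver the requested service
        if best is None or len(path) < len(best):
            best = path
    return best


def path_nodes(path):
    """Translate a link-number path into the nodes it traverses."""
    return [LINKS[lid][1] for lid in path]


if __name__ == "__main__":
    print("anti-ddos + ips:", secure_route({"anti-ddos", "ips"}))   # [1, 5, 7, 4]
    print("waf:", secure_route({"waf"}))                            # [1, 2, 3, 4]
    print("untrusted, ips:", secure_route({"ips"}, trusted=False))  # [1, 2, 3, 4]
    print("untrusted, anti-ddos:", secure_route({"anti-ddos"}, trusted=False))
```

   A None result is the case an ISP must handle explicitly: the only
   node offering the service is one the policy forbids for that user, so
   the request cannot be honoured on this topology.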
   For ToB users, the types of users differ, and so do the corresponding
   security requirements.  The security requirement is no longer simply
   divided into high, medium and low levels but is more specific.  For
   example, in addition to considering low-latency connections,
   customers in the game industry should first consider anti-DDoS
   services among their security requirements; therefore, ISPs are
   required to provide anti-DDoS security services.  For financial
   customers, data security is the most important: it is required that
   data cannot be tampered with, eavesdropped or copied, and so on.  For
   customers with specific security requirements, ISPs need to transmit
   data at the security level expected by the customers.  For example,
   if the user needs anti-DDoS and IPS services, the secure route is
   path <1,5,7,4>.  If the user needs the WAF service, the secure route
   is path <1,2,3,4>.

   Ingress                       +---------+
   +--------+   1   +------+  5  |  Node3  |  6   +------+
   | User A +------>| Node1+---->|Anti-ddos+----->| Node5|
   +--------+       +---+--+     +----+----+      +---+--+
                        |             |               |
                      2 |           7 |             8 |
                        |             |               |
                    +---v--+  3  +----v-+  4      +---v--+
                    | Node2+---->| Node4+-------->| Node6+----> Egress
                    | WAF  |     | IPS  |         +------+
                    +------+     +------+

           Figure 4: User requires anti-DDoS and IPS service

5.  IANA Considerations

   This memo includes no request to IANA.

6.  Security Considerations

   TBD

Authors' Addresses

   Meiling Chen
   China Mobile
   BeiJing
   China

   Email: chenmeiling@chinamobile.com


   Li Su
   China Mobile
   BeiJing
   China

   Email: suli@chinamobile.com