Internet DRAFT - draft-xyz-ideas-gap-analysis


Network Working Group                                         Y. Qu, Ed.
Internet-Draft                                                    Huawei
Intended status: Informational                               A. Cabellos
Expires: January 4, 2018               Technical University of Catalonia
                                                            R. Moskowitz
                                                          HTT Consulting
                                                                  B. Liu
                                                           A. Stockmayer
                                                 University of Tuebingen
                                                            July 3, 2017

               Gap Analysis for Identity Enabled Networks


   Currently there are several identifier/locator separation protocols,
   such as HIP, ILA, ILNA and LISP.  This document analyzes the
   technical gaps between existing solutions and today's privacy

Status of This Memo

   This Internet-Draft is submitted in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF).  Note that other groups may also distribute
   working documents as Internet-Drafts.  The list of current Internet-
   Drafts is at

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   This Internet-Draft will expire on January 4, 2018.

Copyright Notice

   Copyright (c) 2017 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   ( in effect on the date of

Qu, et al.               Expires January 4, 2018                [Page 1]
Internet-Draft                                                 July 2017

   publication of this document.  Please review these documents
   carefully, as they describe your rights and restrictions with respect
   to this document.  Code Components extracted from this document must
   include Simplified BSD License text as described in Section 4.e of
   the Trust Legal Provisions and are provided without warranty as
   described in the Simplified BSD License.

Table of Contents

   1.  Introduction  . . . . . . . . . . . . . . . . . . . . . . . .   2
   2.  Specification of Requirements . . . . . . . . . . . . . . . .   3
   3.  Definition of Terms . . . . . . . . . . . . . . . . . . . . .   3
   4.  Overview of ID/LOC Protocols  . . . . . . . . . . . . . . . .   4
     4.1.  LISP  . . . . . . . . . . . . . . . . . . . . . . . . . .   4
     4.2.  HIP . . . . . . . . . . . . . . . . . . . . . . . . . . .   5
     4.3.  ILA . . . . . . . . . . . . . . . . . . . . . . . . . . .   6
   5.  Gap Analysis  . . . . . . . . . . . . . . . . . . . . . . . .   6
     5.1.  The Split of Identity and Identifier  . . . . . . . . . .   6
     5.2.  A Common Identifier-to-Locator Mapping System . . . . . .   7
     5.3.  User-Defined Access Policies in the Mapping System  . . .   7
   6.  Analysis of DNS . . . . . . . . . . . . . . . . . . . . . . .   7
   7.  Security Considerations . . . . . . . . . . . . . . . . . . .   8
   8.  IANA Considerations . . . . . . . . . . . . . . . . . . . . .   8
   9.  Contributors  . . . . . . . . . . . . . . . . . . . . . . . .   8
   10. Acknowledgments . . . . . . . . . . . . . . . . . . . . . . .   8
   11. References  . . . . . . . . . . . . . . . . . . . . . . . . .   8
     11.1.  Normative References . . . . . . . . . . . . . . . . . .   8
     11.2.  Informative References . . . . . . . . . . . . . . . . .  10
   Authors' Addresses  . . . . . . . . . . . . . . . . . . . . . . .  11

1.  Introduction

   The separation of location and identifier has been discussed for many
   years, as documented in [RFC4984].  IP addresses have been overloaded
   to serve as both locators and identifiers.  Several identifier and
   locator separation (ID/LOC) protocols have been proposed, such as HIP
   [RFC7401], [ILA] and LISP [RFC6830].  They create two separate
   namespaces: identifiers (IDfs) and Locators (LOCs).  Identifiers
   uniquely identify network entities no matter where they are located,
   and locators are assigned based on topology information and are
   typically routable.

   In an ID/LOC protocol, a service is needed to maintain mappings
   between identifiers and locators and to perform lookups from
   identifiers to locators (and possibly vice versa).  Currently each
   ID-based protocol uses its own mapping database and mechanism to get
   this mapping information [RFC6836][RFC8005].

   As pointed out by [IDEAS-PS][IDEAS-IDY-USE], the concept of identity
   (IDy) tied to a network entity can help to solve some of the privacy
   issues that are associated with today's networks.  The goal of this
   document is to analyze the technical gaps between the existing ID/LOC
   protocols and today's requirements.  The following gaps are
   summarized: the split of identifier and identity; a common mapping
   system supporting both IDf/LOC mapping and IDy/IDf mapping; and user-
   defined access policies.

2.  Specification of Requirements

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   document are to be interpreted as described in [RFC2119].

3.  Definition of Terms

   This document makes use of terms that have already been defined in
   the problem statement draft of IDEAS [IDEAS-PS].  They are included
   here for the reader's convenience.  In case of any discrepancy
   between the two drafts, the problem statement draft takes precedence.

   Entity: An entity is a communication endpoint.  It can be a device, a
   node, or a virtual machine (VM), that needs to be identified.  An
   entity may have one or multiple identifiers (long-lived or ephemeral)
   simultaneously.  An entity is reached by the resolution of one or
   more of its identifiers to one or more locators.

   Identity (IDy): the essence of "being" of a specific entity.  An
   identity is not to be confused with an identifier: while an
   identifier may be used to refer to an entity, an identifier's
   lifecycle is not necessarily tied to the lifecycle of the Identity it
   is referencing.  On the other hand, the identity's lifecycle is
   inherently tied to the lifecycle of the entity itself.

   Identifier (IDf): denotes information that unambiguously identifies
   an entity within a given scope (e.g., HIP HIT, LISP EID).  There is
   no constraint on the format, obfuscation or routability of an IDf.
   The IDf may or may not be present in the packet whose format is
   defined by ID-based protocols (HIP/LISP).

   Identifier-based (ID-based): when an entity is reachable only through
   one or more communication accesses, a protocol or solution is said to
   be ID-based if it uses ID/LOC decoupling and a mapping system (MS) as
   base components of its architecture.  Examples of ID-based protocols
   are HIP, LISP and ILA.

   IDentity Enabled Networks (IDEAS): IDEAS are networks that support
   the identifier/locator decoupling.  Reaching an entity is achieved by
   the resolution of identifier(s) to locator(s).

   Locator (LOC): denotes information that is topology-dependent and
   which is used to forward packets to a given entity attached to a
   network (IPv4/IPv6/L2/L2.5 Address).  An entity can be reached using
   one or multiple locators; these locators may have a limited validity

   ID/LOC: Identifier and Locator Separation.

   LISP: Locator/ID Separation Protocol.

   HIP: Host Identity Protocol.

   ILNP: Identifier-Locator Network Protocol.

   ILA: Identifier-Locator Addressing.

   DNS: Domain Name System.

4.  Overview of ID/LOC Protocols

4.1.  LISP

   The Locator/ID Separation Protocol (LISP) [RFC6830] is structured
   around four main components: the data plane, the control plane (both
   specified in [RFC6830]), the LISP Mapping System Interface [RFC6833]
   and the Mapping System (e.g., LISP-DDT [RFC8111] and LISP+ALT

   The LISP architecture decouples identifier and locator by means of
   the mapping system interface.  This well-defined interface separates
   data/control from the mapping system architecture.  As a result, LISP
   does not assume any mapping system architecture.  The LISP WG has, at
   the time of this writing, specified two mapping systems: LISP-DDT
   [RFC8111] and LISP-ALT [RFC6836].

   Both mapping systems assume hierarchical identifiers, but the WG has
   also explored other architectures, such as DHTs for flat identifiers
   and monolithic mapping systems.

   One of the main design principles behind LISP is to decouple
   identifiers (EIDs) from locators (RLOCs).  By means of the LISP
   Canonical Address Format (LCAF) [RFC8060], LISP provides a flexible
   syntax to encode both EIDs and RLOCs.

   In terms of security, LISP supports authorization of mapping updates
   and authentication of the clients that update such information.
   This is achieved by means of the authentication data field in the
   Map-Register message.  In addition, LISP clients can verify data
   origin, authentication and delegation, as specified in [LISP-SEC]
   and in the security mechanisms incorporated in LISP-DDT [RFC8111].

4.2.  HIP

   The Host Identity Protocol (HIP) [RFC7401] is a SIGMA-compliant
   security exchange of the current entity location for a pair of
   Identifiers (HITs) whose ownership is cryptographically provable.
   HIP is, at its inception, focused on the management of the
   Identifier/Location mapping.  HITs are valid, non-routable IPv6
   addresses that carry the cryptographic protocol suite and a hash of
   the HI (Host Identity public key).

   One method of discovering a peer's HIT and initial location is via
   the HIP DNS RR (type 55) [RFC8005], together with either an A|AAAA RR
   for the peer itself or an A|AAAA RR pointing to the peer's Rendezvous
   Service (RVS) server [RFC8004].  The initiating peer cannot tell the
   two cases apart from DNS.  The RVS server "slingshots" the I1 packet
   to the recipient, which decides, based on local policy, whether to
   respond with the next exchange packet, R1.  Thus using an RVS server
   not only supports client mobility, it also hides a peer's location
   unless it wants to be 'found'.

   HIP provides Identity/Location separation through changes in the peer
   IP stack behavior, requiring only the RVS to be added to the
   infrastructure.  HIP-aware systems register with their RVS server(s)
   via a HIP exchange augmented with an RVS registration parameter
   [RFC8003].  All location changes are made securely over HIP
   [RFC8046].  Location changes are sent directly to peers and to the
   RVS server(s).  HIP fully supports double jumps (both peers move) and
   state loss recovery (full protocol state machine).

   HIP supports multihomed systems [RFC8047], fully decoupling
   Identifiers (HITs) from all interfaces.  Multiple data paths are
   enabled with HIP.  ESP via BEET mode [RFC7402] is most commonly used.
   L2VPN support is defined in [HIP-VPLS] and provided in commercial
   products targeting SCADA environments.  A non-cryptographic envelope
   is proposed in [HIP-IP].

   HIP works equally well over IPv4 or IPv6 networks.  The HIP data-path
   can be either IPv4 (via the HIP 32-bit Local Scope Identifier) or
   IPv6 using the HIT.  IPv4 applications can run transparently over
   IPv6 and IPv6 over IPv4.

   HIP supports Identifier-to-location mapping well, and Identity-to-
   Identifier mapping only weakly.  Besides DNS support, identities may
   be supported in HIP with X.509 certificates [RFC8002] to provide
   third-party assertions of HITs and HIs.  The reverse mapping, from
   Identifiers to Identity, is poorly handled, though it is potentially
   needed to support FTP PASV and other protocols with embedded
   addresses.  A DHT has been demonstrated [RFC6537], but not fielded.
   The new work on Hierarchical HITs [HHIT] proposes new methods to
   couple DNS and a registry for the reverse lookup.

4.3.  ILA

   In [ILA], an IPv6 address is divided into two parts: a locator and an
   identifier.  As in other ID/LOC protocols, the locator indicates the
   topological location of a network entity, and the identifier
   identifies the entity in communications.  ILA can be used to
   implement overlay networks for network virtualization, and also
   addresses use cases in mobility.

   However, the mapping service in ILA is still TBD [ILA-MS-TBD].
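   The address split described above, as an added example that is not
   part of this draft or of the ILA specification: a Python sketch of
   translating between the application-visible (SIR) form of an address
   and its routable ILA form.  It assumes the 64-bit locator / 64-bit
   identifier layout and the SIR prefix notion of the ILA draft; the
   prefix, the locators and the identifier-to-locator table (which here
   stands in for the mapping service the draft notes is still TBD) are
   constructed values.

```python
import ipaddress

# Assumption taken from the ILA draft, not stated in this document: the high
# 64 bits of the IPv6 address carry the locator, the low 64 bits the identifier.
LOC_BITS = 64
ID_MASK = (1 << LOC_BITS) - 1

# Constructed values for this example only.
SIR_PREFIX = ipaddress.IPv6Network("2001:db8:1234::/64")  # application-visible prefix
MAPPING = {                                              # identifier -> locator /64
    0x1: ipaddress.IPv6Network("2001:db8:aaaa:1::/64"),
    0x2: ipaddress.IPv6Network("2001:db8:bbbb:7::/64"),
}


def split_address(addr):
    """Split an IPv6 address into (locator, identifier) as integers."""
    n = int(ipaddress.IPv6Address(addr))
    return n >> LOC_BITS, n & ID_MASK


def assemble(locator_net, identifier):
    """Put a /64 locator prefix in front of a 64-bit identifier."""
    loc = int(locator_net.network_address) >> LOC_BITS
    return ipaddress.IPv6Address((loc << LOC_BITS) | (identifier & ID_MASK))


def sir_to_ila(sir_addr, mapping=MAPPING):
    """Translate an application (SIR) address into the routable ILA address
    by looking the identifier up in the mapping table."""
    prefix, identifier = split_address(sir_addr)
    if prefix != int(SIR_PREFIX.network_address) >> LOC_BITS:
        raise ValueError(f"{sir_addr} is not under the SIR prefix")
    if identifier not in mapping:
        raise LookupError(f"no locator known for identifier {identifier:#x}")
    return assemble(mapping[identifier], identifier)


def ila_to_sir(ila_addr):
    """Reverse translation: drop the locator, restore the SIR prefix."""
    _, identifier = split_address(ila_addr)
    return assemble(SIR_PREFIX, identifier)


def move_entity(identifier, new_locator_net, mapping=MAPPING):
    """Mobility: only the identifier->locator entry changes; the identifier,
    and hence the SIR address that applications use, stays the same."""
    mapping[identifier] = ipaddress.IPv6Network(new_locator_net)


if __name__ == "__main__":
    print(sir_to_ila("2001:db8:1234::1"))      # 2001:db8:aaaa:1::1
    move_entity(0x1, "2001:db8:cccc:9::/64")
    print(sir_to_ila("2001:db8:1234::1"))      # 2001:db8:cccc:9::1
```

   The translation is a pure bit operation once the locator is known;
   everything that matters for correctness and privacy sits in the
   mapping table, which is why the draft treats the mapping service as
   the open question.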

5.  Gap Analysis

5.1.  The Split of Identity and Identifier

   In existing ID/LOC protocols, the IDf/LOC mappings stored in the
   mapping system are assumed to be public.  A legitimate requestor can
   look up any record and escape the access control policy, if there is
   any, simply by changing to a different identifier.  Also, a network
   entity may want to hide its true identity for privacy protection by
   using ephemeral identifiers [LISP-ANNOY].

   To address these issues, [IDEAS-PS] introduces the concept of
   identity (IDy).  An IDy uniquely identifies "who" a communicating
   entity is.  Identifier and locator together identify "where" the
   entity is.  With this two-tier identification, multiple identifiers
   can be bound to the same entity (IDy) and exchanged in the clear on
   the wire, without having to worry about the identity being
   compromised by outside observers.

   Since the lifecycle of an identity is the same as that of the entity,
   the lifecycles of an identity and its associated identifiers are
   decoupled.
   It is possible for identifiers to be added or removed without
   affecting the identity.  This further abstraction can bring
   additional benefits.  [IDEAS-IDY-USE] describes the identity use

   In summary:

   o  The notion of identity is not adequately supported.

   o  Two tiers of identification are needed, with identifiers anchored
      at the identity.

5.2.  A Common Identifier-to-Locator Mapping System

   An IDf/LOC mapping service is essential for ID/LOC protocols
   [RFC6833]; however, today each protocol uses its own mapping
   database, even within the same administrative domain.  This
   potentially adds operational cost and management complexity.

   A common mapping system supporting both IDf/LOC mapping and IDy/IDf
   mapping can work with existing ID/LOC protocols, as well as add extra
   identity-based services.  It can provide consistent access control
   and a common interface for services such as registration, discovery
   and resolution.  A unified database can help to ease network management

5.3.  User-Defined Access Policies in the Mapping System

   Unlike DNS, which generally maintains public name-to-IP mapping
   information, an IDf/LOC mapping system maintains more private
   information.  However, existing mapping systems assume the
   information stored is public, and this may cause privacy violations.
   A network entity may want to set a customized access policy to
   control who can obtain its identifier and location information.
   This policy should be tied to the identity, so that it is not
   affected by identifier changes of the

   General system-wide access control (e.g., an operator can set a
   system-wide access control list for a DNS server, permitting only the
   customer network prefixes to access it) can provide some privacy, but
   it is not sufficient.  What is needed is fine-grained access control
   at the level of the data records associated with each individual
   entity, and enforcement of those access policies.
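   The two gaps of Sections 5.1 and 5.3, as an added example that is
   not part of this draft: a toy mapping system in Python that keeps
   only an IDf/LOC table with policy expressed in terms of requestor
   identifiers (the situation Section 5.1 describes), next to one that
   keeps both IDf/LOC and IDy/IDf mappings with the policy anchored at
   the identity.  Entity names, locators and the "blocked requestor"
   shape of the policy are constructed; the requestor's identity in the
   second system is assumed to be established by the authenticated
   control plane that Section 7 calls for, not taken from a value the
   requestor merely claims.

```python
import secrets


class IdentifierKeyedMappingSystem:
    """Strawman of today's ID/LOC mapping systems (constructed for this
    example): a single IDf -> LOC table, and whatever access policy exists
    is expressed in terms of the requestor's *identifier*."""

    def __init__(self):
        self.idf_to_loc = {}
        self.blocked = {}          # target IDf -> set of blocked requestor IDfs

    def register(self, identifier, locator, blocked=()):
        self.idf_to_loc[identifier] = locator
        self.blocked[identifier] = set(blocked)

    def resolve(self, requestor_identifier, target_identifier):
        if requestor_identifier in self.blocked[target_identifier]:
            raise PermissionError("requestor identifier is blocked")
        return self.idf_to_loc[target_identifier]


class IdentityAnchoredMappingSystem:
    """Two-tier mapping: IDy/IDf and IDf/LOC, with policy keyed by IDy.
    Assumption: the requestor's IDy comes from an authenticated control
    plane, never from a value the requestor merely claims."""

    def __init__(self):
        self.idf_to_idy = {}       # IDf -> IDy (the IDy/IDf mapping, reversed)
        self.idf_to_loc = {}       # IDf -> LOC (the IDf/LOC mapping)
        self.blocked = {}          # target IDy -> set of blocked requestor IDys

    def register_identity(self, identity, blocked=()):
        self.blocked[identity] = set(blocked)

    def bind_identifier(self, identity, locator):
        """Mint an ephemeral identifier for an identity and attach a locator."""
        if identity not in self.blocked:
            raise KeyError(f"unknown identity {identity}")
        identifier = "idf-" + secrets.token_hex(4)   # unlinkable on the wire
        self.idf_to_idy[identifier] = identity
        self.idf_to_loc[identifier] = locator
        return identifier

    def unbind_identifier(self, identifier):
        """Retire an identifier; the identity and its policy are unaffected."""
        del self.idf_to_loc[identifier]
        del self.idf_to_idy[identifier]

    def resolve(self, requestor_identity, target_identifier):
        target_identity = self.idf_to_idy[target_identifier]   # IDf -> IDy
        if requestor_identity in self.blocked[target_identity]:
            raise PermissionError("requestor identity is blocked")
        return self.idf_to_loc[target_identifier]


def _denied(ms, requestor, target):
    """True if the mapping system refuses the lookup."""
    try:
        ms.resolve(requestor, target)
    except PermissionError:
        return True
    return False


def identifier_policy_is_evadable():
    """The gap of Section 5.1: a requestor blocked by identifier gets through
    again as soon as it presents a fresh identifier. Returns True if so."""
    ms = IdentifierKeyedMappingSystem()
    ms.register("eid-bob", "loc-bob", blocked={"eid-mallory"})
    return (_denied(ms, "eid-mallory", "eid-bob")
            and ms.resolve("eid-mallory-2", "eid-bob") == "loc-bob")


def identity_policy_holds():
    """With policy anchored at the identity, neither side's identifier
    changes affect the outcome. Returns True if the policy holds."""
    ms = IdentityAnchoredMappingSystem()
    for idy in ("idy-alice", "idy-mallory"):
        ms.register_identity(idy)
    ms.register_identity("idy-bob", blocked={"idy-mallory"})
    bob1 = ms.bind_identifier("idy-bob", "loc-bob-1")
    bob2 = ms.bind_identifier("idy-bob", "loc-bob-2")   # several IDfs, one IDy
    ok = (ms.resolve("idy-alice", bob1) == "loc-bob-1"
          and ms.resolve("idy-alice", bob2) == "loc-bob-2"
          and _denied(ms, "idy-mallory", bob1)
          and _denied(ms, "idy-mallory", bob2))
    ms.unbind_identifier(bob1)                          # rotate identifiers
    bob3 = ms.bind_identifier("idy-bob", "loc-bob-3")
    return (ok and _denied(ms, "idy-mallory", bob3)
            and ms.resolve("idy-alice", bob3) == "loc-bob-3")
```

   The per-record policy lives on the target's identity, so adding,
   rotating or removing identifiers on either side never touches it;
   what the design depends on is that the control plane authenticates
   the requestor as an identity before the lookup is evaluated.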

6.  Analysis of DNS

   Since the 1980s, DNS has been pivotal in translating human-readable
   names that are easy to remember into hard-to-remember IP addresses.
   It provides a global distributed directory service and is a very
   powerful and useful technology for translating the domain name
   hierarchy into the IP address space.

   Even though the DNS was designed to be resilient, it is prone to DDoS
   attacks, as discussed extensively in the Technical Plenary of IETF97.
   Furthermore, some studies have also described challenges in response
   time, caching techniques and latency in the Internet [DNS1] [DNS2]
   [DNS3] [GNRS].

   [DNS-DUP] proposed a mobility solution using the DNS dynamic update
   protocol.  However, for a communication session in which both hosts
   are moving, the session fails, and the hosts SHOULD query DNS to get
   the new address and then restart the communication.

   The use of a dedicated mapping system rather than the DNS has been
   discussed extensively in [IVIP], [RFC6115], on the lisp-wg mailing
   list [LISP-DIS], and in the initial HIP design team (circa 1999-2003).

7.  Security Considerations

   The IDEAS control plane may be used to maintain and transmit
   confidential data, such as identity, access policy and metadata.
   Access to the data needs to be authorized and authenticated.  Control
   plane messages containing such data need to be encrypted.  The exact
   details of encryption and authentication are topics for future
   research.

8.  IANA Considerations

   This document has no actions for IANA.

9.  Contributors


10.  Acknowledgments

   The authors would like to thank Dino Farinacci, Michael Menth, Padma
   Pillay-Esnault, Alex Clemm, Uma Chunduri for their review and input
   on this document.

   This document was produced using Marshall Rose's xml2rfc tool.

11.  References

11.1.  Normative References

   [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
              Requirement Levels", BCP 14, RFC 2119,
              DOI 10.17487/RFC2119, March 1997,

   [RFC6115]  Li, T., Ed., "Recommendation for a Routing Architecture",
              RFC 6115, DOI 10.17487/RFC6115, February 2011,

   [RFC6537]  Ahrenholz, J., "Host Identity Protocol Distributed Hash
              Table Interface", RFC 6537, DOI 10.17487/RFC6537, February
              2012, <>.

   [RFC6830]  Farinacci, D., Fuller, V., Meyer, D., and D. Lewis, "The
              Locator/ID Separation Protocol (LISP)", RFC 6830,
              DOI 10.17487/RFC6830, January 2013,

   [RFC6833]  Fuller, V. and D. Farinacci, "Locator/ID Separation
              Protocol (LISP) Map-Server Interface", RFC 6833,
              DOI 10.17487/RFC6833, January 2013,

   [RFC6836]  Fuller, V., Farinacci, D., Meyer, D., and D. Lewis,
              "Locator/ID Separation Protocol Alternative Logical
              Topology (LISP+ALT)", RFC 6836, DOI 10.17487/RFC6836,
              January 2013, <>.

   [RFC7401]  Moskowitz, R., Ed., Heer, T., Jokela, P., and T.
              Henderson, "Host Identity Protocol Version 2 (HIPv2)",
              RFC 7401, DOI 10.17487/RFC7401, April 2015,

   [RFC7402]  Jokela, P., Moskowitz, R., and J. Melen, "Using the
              Encapsulating Security Payload (ESP) Transport Format with
              the Host Identity Protocol (HIP)", RFC 7402,
              DOI 10.17487/RFC7402, April 2015,

   [RFC8003]  Laganier, J. and L. Eggert, "Host Identity Protocol (HIP)
              Registration Extension", RFC 8003, DOI 10.17487/RFC8003,
              October 2016, <>.

   [RFC8004]  Laganier, J. and L. Eggert, "Host Identity Protocol (HIP)
              Rendezvous Extension", RFC 8004, DOI 10.17487/RFC8004,
              October 2016, <>.

   [RFC8005]  Laganier, J., "Host Identity Protocol (HIP) Domain Name
              System (DNS) Extension", RFC 8005, DOI 10.17487/RFC8005,
              October 2016, <>.

   [RFC8046]  Henderson, T., Ed., Vogt, C., and J. Arkko, "Host Mobility
              with the Host Identity Protocol", RFC 8046,
              DOI 10.17487/RFC8046, February 2017,

   [RFC8047]  Henderson, T., Ed., Vogt, C., and J. Arkko, "Host
              Multihoming with the Host Identity Protocol", RFC 8047,
              DOI 10.17487/RFC8047, February 2017,

   [RFC8060]  Farinacci, D., Meyer, D., and J. Snijders, "LISP Canonical
              Address Format (LCAF)", RFC 8060, DOI 10.17487/RFC8060,
              February 2017, <>.

   [RFC8111]  Fuller, V., Lewis, D., Ermagan, V., Jain, A., and A.
              Smirnov, "Locator/ID Separation Protocol Delegated
              Database Tree (LISP-DDT)", RFC 8111, DOI 10.17487/RFC8111,
              May 2017, <>.

11.2.  Informative References

   [DNS-DUP]  Yahya, B. and J. Ben-Othman, "Achieving host mobility
              using DNS dynamic updating protocol", October 2008,

   [DNS1]     Jung, J., Sit, E., Balakrishnan, H., and R. Morris, "DNS
              Performance and the Effectiveness of Caching", 2002,

   [DNS2]     Liston, R., Srinivasan, S., and E. Zegura, "DNS
              Performance and the Effectiveness of Caching", 2002,

   [DNS3]     Briscoe, B., Brunstrom, A., Petlund, A., Hayes, D., Ros,
              D., Tsang, I., Gjessing, S., Fairhurst, G., Griwodz, C.,
              and M. Welzl, "Reducing Internet Latency: A Survey of
              Techniques and their Merits", November 2014,

   [GNRS]     Karimi, P. and S. Mukherjee, "Global Name Resolution
              Service", March 2017, <

   [HHIT]     Moskowitz, R., Xu, X., and B. Liu, "Hierarchical HITs for
              HIPv2", June 2017, <

   [HIP-IP]   Moskowitz, R., Xu, X., and B. Liu, "Encapsulation of IP
              within IP managed by HIP", June 2017,

   [HIP-VPLS] "HIP-based Virtual Private LAN Service (HIPLS)", February
              2017, <

   [IDEAS-IDY-USE]
              "Identity Use Cases in IDEAS", June 2017,

   [IDEAS-PS] "Problem Statement for Identity Enabled Networks", March
              2017, <

   [ILA]      Herbert, T., "Identifier-Locator Addressing for Network
              Virtualization", March 2016,

   [ILA-MS-TBD]
              Herbert, T., "Re: [Ideas] A comment on the use case
              draft", March 2017, <

   [IVIP]     Whittle, R., "Ivip (Internet Vastly Improved Plumbing)
              Architecture", September 2010,

   [LISP-ANNOY]
              "LISP EID Anonymity", April 2017,

   [LISP-DIS] "LISP Discussion", <

   [LISP-SEC] Maino, F., Ermagan, V., Cabellos, A., Saucez, D., and O.
              Bonaventure, "LISP-Security (LISP-SEC)", Work in Progress,
              October 2012.

Authors' Addresses

   Yingzhen Qu (editor)
   2330 Central Expressway
   Santa Clara,  CA 95050


   Albert Cabellos
   Technical University of Catalonia
   C/ Jordi Girona s/n
   Barcelona  08034


   Robert Moskowitz
   HTT Consulting
   Oak Park, MI  48237


   Bingyang Liu
   156 Beiqing Rd
   Beijing  100095


   Andreas Stockmayer
   University of Tuebingen
   room B305, Institute of Computer Science
   Tuebingen  72076

