| < draft-ietf-detnet-architecture-12-initial.txt | draft-ietf-detnet-architecture-12.txt > | |||
|---|---|---|---|---|
| skipping to change at page 3, line 20 ¶ | skipping to change at page 3, line 20 ¶ | |||
| 4.7.1. Exporting flow identification . . . . . . . . . . . . 32 | 4.7.1. Exporting flow identification . . . . . . . . . . . . 32 | |||
| 4.7.2. Flow attribute mapping between layers . . . . . . . . 34 | 4.7.2. Flow attribute mapping between layers . . . . . . . . 34 | |||
| 4.7.3. Flow-ID mapping examples . . . . . . . . . . . . . . 35 | 4.7.3. Flow-ID mapping examples . . . . . . . . . . . . . . 35 | |||
| 4.8. Advertising resources, capabilities and adjacencies . . . 36 | 4.8. Advertising resources, capabilities and adjacencies . . . 36 | |||
| 4.9. Scaling to larger networks . . . . . . . . . . . . . . . 37 | 4.9. Scaling to larger networks . . . . . . . . . . . . . . . 37 | |||
| 4.10. Compatibility with Layer-2 . . . . . . . . . . . . . . . 37 | 4.10. Compatibility with Layer-2 . . . . . . . . . . . . . . . 37 | |||
| 5. Security Considerations . . . . . . . . . . . . . . . . . . . 37 | 5. Security Considerations . . . . . . . . . . . . . . . . . . . 37 | |||
| 6. Privacy Considerations . . . . . . . . . . . . . . . . . . . 39 | 6. Privacy Considerations . . . . . . . . . . . . . . . . . . . 39 | |||
| 7. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 39 | 7. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 39 | |||
| 8. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 39 | 8. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 39 | |||
| 9. Informative References . . . . . . . . . . . . . . . . . . . 40 | 9. Informative References . . . . . . . . . . . . . . . . . . . 39 | |||
| Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 44 | Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 44 | |||
| 1. Introduction | 1. Introduction | |||
| This document provides the overall architecture for Deterministic | This document provides the overall architecture for Deterministic | |||
| Networking (DetNet), which provides a capability for the delivery of | Networking (DetNet), which provides a capability for the delivery of | |||
| data flows with extremely low packet loss rates and bounded end-to- | data flows with extremely low packet loss rates and bounded end-to- | |||
| end delivery latency. DetNet is for networks that are under a single | end delivery latency. DetNet is for networks that are under a single | |||
| administrative control or within a closed group of administrative | administrative control or within a closed group of administrative | |||
| control; these include campus-wide networks and private WANs. DetNet | control; these include campus-wide networks and private WANs. DetNet | |||
| skipping to change at page 37, line 51 ¶ | skipping to change at page 37, line 51 ¶ | |||
| service to, a higher layer DetNet system. | service to, a higher layer DetNet system. | |||
| 5. Security Considerations | 5. Security Considerations | |||
| Security considerations for DetNet are described in detail in | Security considerations for DetNet are described in detail in | |||
| [I-D.ietf-detnet-security]. This section considers exclusively | [I-D.ietf-detnet-security]. This section considers exclusively | |||
| security considerations which are specific to the DetNet | security considerations which are specific to the DetNet | |||
| Architecture. | Architecture. | |||
| Security aspects which are unique to DetNet are those whose aim is to | Security aspects which are unique to DetNet are those whose aim is to | |||
| secure the specific quality of service aspects of DetNet, which are | provide the specific quality of service aspects of DetNet, which are | |||
| primarily to deliver data flows with extremely low packet loss rates | primarily to deliver data flows with extremely low packet loss rates | |||
| and bounded end-to-end delivery latency. A DetNet is implemented | and bounded end-to-end delivery latency. A DetNet may be implemented | |||
| using MPLS and IP (including both v4 and v6) technologies, and thus | using MPLS and/or IP (including both v4 and v6) technologies, and | |||
| inherits the security properties of those technologies at both the | thus inherits the security properties of those technologies at both | |||
| control plane and the data plane. | the control plane and the data plane. | |||
| Security considerations for DetNet are constrained (compared to, for | Security considerations for DetNet are constrained (compared to, for | |||
| example, the open Internet) because DetNet is defined to operate only | example, the open Internet) because DetNet is defined to operate only | |||
| within a single administrative domain (see Section 1). The primary | within a single administrative domain (see Section 1). The primary | |||
| considerations are to secure the request and control of DetNet | considerations are to secure the request and control of DetNet | |||
| resources, maintain confidentiality of data traversing the DetNet, | resources, maintain confidentiality of data traversing the DetNet, | |||
| and provide uninterrupted availability of the DetNet quality of | and provide the availability of the DetNet quality of service. | |||
| service. | ||||
| To secure the request and control of DetNet resources, authentication | To secure the request and control of DetNet resources, authentication | |||
| and authorization must be provided for each device connected to a | and authorization can be used for each device connected to a DetNet | |||
| DetNet domain, most importantly to network controller devices. | domain, most importantly to network controller devices. Control of a | |||
| Control of a DetNet network may be centralized or distributed (within | DetNet network may be centralized or distributed (within a single | |||
| a single administrative domain). In the case of centralized control, | administrative domain). In the case of centralized control, | |||
| precedent for security considerations as defined for Abstraction and | precedent for security considerations as defined for Abstraction and | |||
| Control of Traffic Engineered Networks (ACTN) can be found in | Control of Traffic Engineered Networks (ACTN) can be found in | |||
| [RFC8453], Section 9. In the case of a distributed control | [RFC8453], Section 9. In the case of a distributed control | |||
| protocols, DetNet security is expected to be provided by the security | protocols, DetNet security is expected to be provided by the security | |||
| properties of the protocols in use. In any case, the result must be | properties of the protocols in use. In any case, the result is that | |||
| that manipulation of administratively configurable parameters is | manipulation of administratively configurable parameters is limited | |||
| limited to authorized entities. | to authorized entities. | |||
| To maintain confidentiality of data traversing the DetNet, | To maintain confidentiality of data traversing the DetNet, | |||
| application flows must be protected through whatever means is | application flows can be protected through whatever means is provided | |||
| provided by the underlying technology. For example, encryption may | by the underlying technology. For example, encryption may be used, | |||
| be used, such as that provided by IPSec for IP (Layer 3) flows and by | such as that provided by IPSec [RFC4301] for IP (Layer 3) flows and | |||
| MACSec for Ethernet (Layer 2) flows. DetNet flows are identified on | by MACSec [IEEE802.1AE-2018] for Ethernet (Layer 2) flows. | |||
| a per-flow basis, which may provide attackers with additional | ||||
| information about the data flows (when compared to networks that do | DetNet flows are identified on a per-flow basis, which may provide | |||
| not include per-flow identification); this is an inherent property of | attackers with additional information about the data flows (when | |||
| DetNet which has security implications which must be considered when | compared to networks that do not include per-flow identification). | |||
| determining if DetNet is a suitable technology for any given use | This is an inherent property of DetNet which has security | |||
| case. Similar consideration may need to be given to the use of | implications which should be considered when determining if DetNet is | |||
| replicated packet flows, which result in increased surface for | a suitable technology for any given use case. | |||
| Reconnaissance attacks. In any case, the result must be that the | ||||
| confidentiality of the data is maintained to a degree sufficient for | ||||
| the use cases addressed by the given DetNet implementation. | ||||
| To provide uninterrupted availability of the DetNet quality of | To provide uninterrupted availability of the DetNet quality of | |||
| service, provisions must be made against DOS attacks and delay | service, provisions can be made against DOS attacks and delay | |||
| attacks. To protect against DOS attacks, excess traffic due to | attacks. To protect against DOS attacks, excess traffic due to | |||
| malicious or malfunctioning devices must be prevented or mitigated, | malicious or malfunctioning devices can be prevented or mitigated, | |||
| for example through the use of traffic admission control applied at | for example through the use of traffic admission control applied at | |||
| the input of a DetNet domain, as described in Section 3.2.1, and | the input of a DetNet domain, as described in Section 3.2.1, and | |||
| through the fault mitigation methods described in Section 3.3.2. | through the fault mitigation methods described in Section 3.3.2. To | |||
| prevent DetNet packets from being delayed by an entity external to a | ||||
| To prevent DetNet packets from being delayed, protection must be | DetNet domain, DetNet technology definition can allow for the | |||
| provided against Man-In-The-Middle attacks, for example through use | mitigation of Man-In-The-Middle attacks, for example through use of | |||
| of authentication and authorization of devices within the DetNet | authentication and authorization of devices within the DetNet domain. | |||
| domain. | ||||
| Time synchronization methods are not specified by DetNet, however any | ||||
| time synchronization method used with DetNet must also be secured, | ||||
| using the security methods available for the given time | ||||
| synchronization mechanism, for example as described in [RFC7384]. | ||||
| In any case, the result must be that the DetNet is protected from | Because DetNet mechanisms or applications that rely on DetNet can | |||
| DOS, delay, and time manipulation attacks to the extent sufficient | make heavy use of methods that require precise time synchronization, | |||
| for the use cases addressed by the given DetNet implementation. | the accuracy, availability, and integrity of time synchronization is | |||
| of critical importance. Extensive discussion of this topic can be | ||||
| found in [RFC7384]. | ||||
| DetNet use cases are known to have widely divergent security | DetNet use cases are known to have widely divergent security | |||
| requirements. The intent of this section is to provide a baseline | requirements. The intent of this section is to provide a baseline | |||
| for security considerations which are common to all DetNet designs | for security considerations which are common to all DetNet designs | |||
| and implementations, without burdening individual designs with | and implementations, without burdening individual designs with | |||
| specifics of security infrastructure which may not be germane to the | specifics of security infrastructure which may not be germane to the | |||
| given use case. Designers and Implementers of DetNet systems are | given use case. Designers and Implementers of DetNet systems are | |||
| expected to take use case specific considerations into account in | expected to take use case specific considerations into account in | |||
| their DetNet designs and implementations. | their DetNet designs and implementations. | |||
| End of changes. 11 change blocks. | ||||
| 45 lines changed or deleted | 37 lines changed or added | |||
This html diff was produced by rfcdiff 1.47. The latest version is available from http://tools.ietf.org/tools/rfcdiff/ | ||||