< draft-ietf-detnet-architecture-12-initial.txt | draft-ietf-detnet-architecture-12.txt > | |||
---|---|---|---|---|
skipping to change at page 3, line 20 ¶ | skipping to change at page 3, line 20 ¶ | |||
4.7.1. Exporting flow identification . . . . . . . . . . . . 32 | 4.7.1. Exporting flow identification . . . . . . . . . . . . 32 | |||
4.7.2. Flow attribute mapping between layers . . . . . . . . 34 | 4.7.2. Flow attribute mapping between layers . . . . . . . . 34 | |||
4.7.3. Flow-ID mapping examples . . . . . . . . . . . . . . 35 | 4.7.3. Flow-ID mapping examples . . . . . . . . . . . . . . 35 | |||
4.8. Advertising resources, capabilities and adjacencies . . . 36 | 4.8. Advertising resources, capabilities and adjacencies . . . 36 | |||
4.9. Scaling to larger networks . . . . . . . . . . . . . . . 37 | 4.9. Scaling to larger networks . . . . . . . . . . . . . . . 37 | |||
4.10. Compatibility with Layer-2 . . . . . . . . . . . . . . . 37 | 4.10. Compatibility with Layer-2 . . . . . . . . . . . . . . . 37 | |||
5. Security Considerations . . . . . . . . . . . . . . . . . . . 37 | 5. Security Considerations . . . . . . . . . . . . . . . . . . . 37 | |||
6. Privacy Considerations . . . . . . . . . . . . . . . . . . . 39 | 6. Privacy Considerations . . . . . . . . . . . . . . . . . . . 39 | |||
7. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 39 | 7. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 39 | |||
8. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 39 | 8. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 39 | |||
9. Informative References . . . . . . . . . . . . . . . . . . . 40 | 9. Informative References . . . . . . . . . . . . . . . . . . . 39 | |||
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 44 | Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 44 | |||
1. Introduction | 1. Introduction | |||
This document provides the overall architecture for Deterministic | This document provides the overall architecture for Deterministic | |||
Networking (DetNet), which provides a capability for the delivery of | Networking (DetNet), which provides a capability for the delivery of | |||
data flows with extremely low packet loss rates and bounded end-to- | data flows with extremely low packet loss rates and bounded end-to- | |||
end delivery latency. DetNet is for networks that are under a single | end delivery latency. DetNet is for networks that are under a single | |||
administrative control or within a closed group of administrative | administrative control or within a closed group of administrative | |||
control; these include campus-wide networks and private WANs. DetNet | control; these include campus-wide networks and private WANs. DetNet | |||
skipping to change at page 37, line 51 ¶ | skipping to change at page 37, line 51 ¶ | |||
service to, a higher layer DetNet system. | service to, a higher layer DetNet system. | |||
5. Security Considerations | 5. Security Considerations | |||
Security considerations for DetNet are described in detail in | Security considerations for DetNet are described in detail in | |||
[I-D.ietf-detnet-security]. This section considers exclusively | [I-D.ietf-detnet-security]. This section considers exclusively | |||
security considerations which are specific to the DetNet | security considerations which are specific to the DetNet | |||
Architecture. | Architecture. | |||
Security aspects which are unique to DetNet are those whose aim is to | Security aspects which are unique to DetNet are those whose aim is to | |||
secure the specific quality of service aspects of DetNet, which are | provide the specific quality of service aspects of DetNet, which are | |||
primarily to deliver data flows with extremely low packet loss rates | primarily to deliver data flows with extremely low packet loss rates | |||
and bounded end-to-end delivery latency. A DetNet is implemented | and bounded end-to-end delivery latency. A DetNet may be implemented | |||
using MPLS and IP (including both v4 and v6) technologies, and thus | using MPLS and/or IP (including both v4 and v6) technologies, and | |||
inherits the security properties of those technologies at both the | thus inherits the security properties of those technologies at both | |||
control plane and the data plane. | the control plane and the data plane. | |||
Security considerations for DetNet are constrained (compared to, for | Security considerations for DetNet are constrained (compared to, for | |||
example, the open Internet) because DetNet is defined to operate only | example, the open Internet) because DetNet is defined to operate only | |||
within a single administrative domain (see Section 1). The primary | within a single administrative domain (see Section 1). The primary | |||
considerations are to secure the request and control of DetNet | considerations are to secure the request and control of DetNet | |||
resources, maintain confidentiality of data traversing the DetNet, | resources, maintain confidentiality of data traversing the DetNet, | |||
and provide uninterrupted availability of the DetNet quality of | and provide the availability of the DetNet quality of service. | |||
service. | ||||
To secure the request and control of DetNet resources, authentication | To secure the request and control of DetNet resources, authentication | |||
and authorization must be provided for each device connected to a | and authorization can be used for each device connected to a DetNet | |||
DetNet domain, most importantly to network controller devices. | domain, most importantly to network controller devices. Control of a | |||
Control of a DetNet network may be centralized or distributed (within | DetNet network may be centralized or distributed (within a single | |||
a single administrative domain). In the case of centralized control, | administrative domain). In the case of centralized control, | |||
precedent for security considerations as defined for Abstraction and | precedent for security considerations as defined for Abstraction and | |||
Control of Traffic Engineered Networks (ACTN) can be found in | Control of Traffic Engineered Networks (ACTN) can be found in | |||
[RFC8453], Section 9. In the case of a distributed control | [RFC8453], Section 9. In the case of a distributed control | |||
protocols, DetNet security is expected to be provided by the security | protocols, DetNet security is expected to be provided by the security | |||
properties of the protocols in use. In any case, the result must be | properties of the protocols in use. In any case, the result is that | |||
that manipulation of administratively configurable parameters is | manipulation of administratively configurable parameters is limited | |||
limited to authorized entities. | to authorized entities. | |||
To maintain confidentiality of data traversing the DetNet, | To maintain confidentiality of data traversing the DetNet, | |||
application flows must be protected through whatever means is | application flows can be protected through whatever means is provided | |||
provided by the underlying technology. For example, encryption may | by the underlying technology. For example, encryption may be used, | |||
be used, such as that provided by IPSec for IP (Layer 3) flows and by | such as that provided by IPSec [RFC4301] for IP (Layer 3) flows and | |||
MACSec for Ethernet (Layer 2) flows. DetNet flows are identified on | by MACSec [IEEE802.1AE-2018] for Ethernet (Layer 2) flows. | |||
a per-flow basis, which may provide attackers with additional | ||||
information about the data flows (when compared to networks that do | DetNet flows are identified on a per-flow basis, which may provide | |||
not include per-flow identification); this is an inherent property of | attackers with additional information about the data flows (when | |||
DetNet which has security implications which must be considered when | compared to networks that do not include per-flow identification). | |||
determining if DetNet is a suitable technology for any given use | This is an inherent property of DetNet which has security | |||
case. Similar consideration may need to be given to the use of | implications which should be considered when determining if DetNet is | |||
replicated packet flows, which result in increased surface for | a suitable technology for any given use case. | |||
Reconnaissance attacks. In any case, the result must be that the | ||||
confidentiality of the data is maintained to a degree sufficient for | ||||
the use cases addressed by the given DetNet implementation. | ||||
To provide uninterrupted availability of the DetNet quality of | To provide uninterrupted availability of the DetNet quality of | |||
service, provisions must be made against DOS attacks and delay | service, provisions can be made against DOS attacks and delay | |||
attacks. To protect against DOS attacks, excess traffic due to | attacks. To protect against DOS attacks, excess traffic due to | |||
malicious or malfunctioning devices must be prevented or mitigated, | malicious or malfunctioning devices can be prevented or mitigated, | |||
for example through the use of traffic admission control applied at | for example through the use of traffic admission control applied at | |||
the input of a DetNet domain, as described in Section 3.2.1, and | the input of a DetNet domain, as described in Section 3.2.1, and | |||
through the fault mitigation methods described in Section 3.3.2. | through the fault mitigation methods described in Section 3.3.2. To | |||
prevent DetNet packets from being delayed by an entity external to a | ||||
To prevent DetNet packets from being delayed, protection must be | DetNet domain, DetNet technology definition can allow for the | |||
provided against Man-In-The-Middle attacks, for example through use | mitigation of Man-In-The-Middle attacks, for example through use of | |||
of authentication and authorization of devices within the DetNet | authentication and authorization of devices within the DetNet domain. | |||
domain. | ||||
Time synchronization methods are not specified by DetNet, however any | ||||
time synchronization method used with DetNet must also be secured, | ||||
using the security methods available for the given time | ||||
synchronization mechanism, for example as described in [RFC7384]. | ||||
In any case, the result must be that the DetNet is protected from | Because DetNet mechanisms or applications that rely on DetNet can | |||
DOS, delay, and time manipulation attacks to the extent sufficient | make heavy use of methods that require precise time synchronization, | |||
for the use cases addressed by the given DetNet implementation. | the accuracy, availability, and integrity of time synchronization is | |||
of critical importance. Extensive discussion of this topic can be | ||||
found in [RFC7384]. | ||||
DetNet use cases are known to have widely divergent security | DetNet use cases are known to have widely divergent security | |||
requirements. The intent of this section is to provide a baseline | requirements. The intent of this section is to provide a baseline | |||
for security considerations which are common to all DetNet designs | for security considerations which are common to all DetNet designs | |||
and implementations, without burdening individual designs with | and implementations, without burdening individual designs with | |||
specifics of security infrastructure which may not be germane to the | specifics of security infrastructure which may not be germane to the | |||
given use case. Designers and Implementers of DetNet systems are | given use case. Designers and Implementers of DetNet systems are | |||
expected to take use case specific considerations into account in | expected to take use case specific considerations into account in | |||
their DetNet designs and implementations. | their DetNet designs and implementations. | |||
End of changes. 11 change blocks. | ||||
45 lines changed or deleted | 37 lines changed or added | |||
This html diff was produced by rfcdiff 1.47. The latest version is available from http://tools.ietf.org/tools/rfcdiff/ |