]> China Mobile

BeiJing China chenmeiling@chinamobile.com

China Mobile

BeiJing China suli@chinamobile.com

Security Internet Engineering Task Force Internet-Draft keyword2 Both ISPs and users have put forward requirements for secure routing, the scenarios are analyzed in the draft draft-chen-secure-routing-use-cases. This draft analyzes the functions required to implement secure routing. Attack detection and users security requirements translateion are out of scope.

Introduction Starting from the requirements of network operators and users, it is necessary to take the security attribute as the key factor to select the route and transmission path to measure the link transmission security. To achieve this goal, the following contents need to be studied.

1. Static node security, by appraising the trustworthiness;
2. Expression of node security capability, by YANG Model;
3. Type of security functions: reorganize and define the security functions supported by existing network devices, and encode them, such as security monitoring, traffic filtering. Generally, the security functions of a device can be described as a collection.
4. Protocol for collecting node security capabilities, such as adding new parameters to BGP-LS;
5. A protocol for distributing security policy configuration, by SRv6;

Requirements for Secure Routing

Appraise trustworthiness TBD

Expression of security capability YANG model is used to describe the security capability of nodes, such as security service type and remaining capacity.

Type of security functions Fine-grained security functions, more detail in draft draft-chen-atomized-security-functions.

Node security capability collection protocol Collect the security capabilities of all nodes in the network through BGP-LS, more detail in draft draft-chen-idr-bgp-ls-security-capability.

Distribution of security policy Security policies can be distributed through extended SRv6 SRH.

IANA Considerations This memo includes no request to IANA.

Security Considerations TBD