Security Considerations for Computing-Aware Traffic Steering

Security Considerations for Computing-Aware Traffic Steering China Unicom

Beijing China wangcc107@chinaunicom.cn

China Unicom

Beijing China fuy186@chinaunicom.cn

routing cats Internet-Draft Computing-Aware Traffic Steering (CATS) inherits potential security vulnerabilities from the network, computing nodes as well as workflows of CATS procedures. This document describes various threats and security concerns related to CATS and existing approaches to solve these threats.

Introduction The CATS framework is an ingress-based overlay framework for the selection of the suitable service instance(s) from a set of instance candidates. By taking into account both networking and computing metrics, the CATS framework achieve a global of dispatching service demands over the various and available edge computing resources. However, ubiquitous distributed computing resources in CATS also pose challenges to security protection. The operators of CATS may not have complete control over the nodes and therefore guarantee the security and credibility of the computing nodes themselves. Moreover, there are great differences in the security capabilities provided by computing nodes in the network, which greatly improves the breadth and difficulty of security protection. This document describes various threats and security concerns related to CATS networks and existing approaches to solve these threats.

Requirements Language The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in BCP 14 when, and only when, they appear in all capitals, as shown here.

Terminology This document makes use of the following terms: Computing-Aware Traffic Steering (CATS): A traffic engineering approach [I-D ietf-teas-rfc3272bis] that takes into account the dynamic nature of computing resources and network state to optimize service-specific traffic forwarding towards a given service instance. Various relevant metrics may be used to enforce such computing-aware traffic steering policies. CATS Service ID (CS-ID): An identifier representing a service, which the clients use to access it. Service: An offering provided by a service provider and which is delivered using one or more service functions . CATS Service Metric Agent (C-SMA): An agent that is responsible for collecting service capabilities and status, and for reporting them to a CATS Path Selector (C-PS). Service request: The request for a specific service instance.

Security Issues of The Computing Resource The ubiquitous and flexible characterictics of computing resource and the frequent connections to the computing resource will lead to the increasing risks of resource attacks. At the same time, network attack patterns are constantly iterating and upgrading, which will also increases the probability of computing resources being attacked. Therefore security solutions of CATS must support identity authentication and access control against these attacks. Identity authentication is required for clients of CATS. Zero trust is the preferred approach to meet this demand. Besides, security monitoring and auditing of computing resources should be carried out using technologies such as security log management and intrusion detection to monitor the security status of computing resources.

Computing Path Selector Security Issues The operation of a C-PS could be damaged through a variety of denial-of-service attacks. Such attacks can cause the C-PS to become congested with the result that traffic forwarding are too slowly . In extreme cases, it may be that service requests are not satisfied. C-PS could be the target of the following attacks :

interception of C-PS service requests or responses;
impersonation of C-PS;
falsification of computing service information, policy information, or C-PS capabilities; and
denial-of-service attacks on C-PS communication mechanisms.

Additionally, snooping of C-PS requests and responses may give an attacker information about the operation of the network. Simply by viewing the C-PS messages someone can know where traffic is being routed, thereby making the network susceptible to targeted attacks. It is expected that C-PS solutions will address these issues in detail using authentication and security techniques.

Computing Service Announcement Security Issues A computing service is associated with a unique identifier called a CS-ID. The CS-ID should keep confidentiality of the service, for example, using an IP address as the CS-ID may expose the location of the edge node. The mapping of CS-IDs to network identifiers may be learned through a NRS(Name Resolution Service), such as DNS, so it is important for the NRS to support access control for certain name mapping records, and authentication of the computing service that want to be registered with the NRS must be required so that only authenticated entities can store and update name mapping records. Besides, the NRS should be resilient against denial-of- service attacks and other common attacks.

Metrics Distribution Security Issues The C-SMA aggregates both service-related capabilities and then advertises the CS-IDs along with the metrics to be received by all C-PS in the network. The service metrics include computing-related metrics and potentially other service-specific metrics like the number of end-users who access the service instance at any given time, their location, etc. Therefore, verification mechanism is needed for both C-SMA and C-PS to ensure the authenticity and integrity of the infomation they received. The information distributed by the C-SMA and C-NMA may be sensitive. Such information could indeed disclose intel about the network and the location of computing resources hosted in edge sites. Furthermore, such information may be modified by an attacker resulting in disrupted service delivery for the clients, including misdirection of traffic to an attacker's service implementation. The computing resource information changes over time very frequently, especially with the creation and termination of service instances. When such an information is carried in a routing protocol, too many updates may affect network stability. This issue could be exploited by an attacker (e.g. by spawning and deleting service instances very rapidly). CATS solutions must support guards against such misbehaviors. For example, these solutions should support aggregation techniques, dampening mechanisms, and threshold triggered distribution updates.

Security-related Metrics The service and network metrics could include the security-related capabilities which could be used by the CATS Path selector to compute paths with security guarantee. The security capabilities of nodes could be one of the metrics for C-PS to computing the traffic forwarding path and form a secure routing path. And C-PS will fetch the real-time awareness of the security capabilities available in the network and computing services and finally provide security protection for users. Clients with high security requirements could choose the service with desired security attributes and achieve dependable forwarding on top of only devices that satisfies certain trust requirements, which will avoid the risks of traffic eavesdropping, sensitive data leakage etc.

Security Considerations The security considerations of CATS are presented throughout this document. .

IANA Considerations This document has no IANA actions.

References Normative References Key words for use in RFCs to Indicate Requirement Levels In many standards track documents several words are used to signify the requirements in the specification. These words are often capitalized. This document defines these words as they should be interpreted in IETF documents. This document specifies an Internet Best Current Practices for the Internet Community, and requests discussion and suggestions for improvements. Ambiguity of Uppercase vs Lowercase in RFC 2119 Key Words RFC 2119 specifies common key words that may be used in protocol specifications. This document aims to reduce the ambiguity by clarifying that only UPPERCASE usage of the key words have the defined special meanings. Path Computation Element (PCE) Communication Protocol (PCEP) This document specifies the Path Computation Element (PCE) Communication Protocol (PCEP) for communications between a Path Computation Client (PCC) and a PCE, or between two PCEs. Such interactions include path computation requests and path computation replies as well as notifications of specific states related to the use of a PCE in the context of Multiprotocol Label Switching (MPLS) and Generalized MPLS (GMPLS) Traffic Engineering. PCEP is designed to be flexible and extensible so as to easily allow for the addition of further messages and objects, should further requirements be expressed in the future. [STANDARDS-TRACK] Informative References A Framework for Computing-Aware Traffic Steering (CATS) Huawei Technologies China Mobile Orange Telefonica Juniper Networks, Inc. This document describes a framework for Computing-Aware Traffic Steering (CATS). Particularly, the document identifies a set of CATS components, describes their interactions, and exemplifies the workflow of the control and data planes. Service Function Chaining (SFC) Architecture This document describes an architecture for the specification, creation, and ongoing maintenance of Service Function Chains (SFCs) in a network. It includes architectural concepts, principles, and components used in the construction of composite services through deployment of SFCs, with a focus on those to be standardized in the IETF. This document does not propose solutions, protocols, or extensions to existing protocols.

Acknowledgements TBD