Internet Engineering Task Force C. Eckel
Internet-Draft T. Reddy
Intended status: Informational Cisco Systems, Inc.
Expires: August 18, 2014 February 14, 2014

Application Enabled Open Networking: Problem Statement and Requirements
draft-eckel-aeon-problem-statement-00

Abstract

Identification and treatment of application flows are critical for the successful deployment and operation of applications. Historically, this functionality has been accomplished to the extent possible using heuristics, which inspect and infer flow characteristics. Heuristics may be based on port ranges, network separation, or deep packet inspection (DPI). But many application flows in current usages are dynamic, time-bound (short lived for some of them), possibly encrypted (TLS for signaling), peer-to-peer, possibly asymmetric, and used on non-dedicated devices, any combination of which renders such techniques less effective or results in compromises to application security or user privacy.

Status of This Memo

This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79.

Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet-Drafts is at http://datatracker.ietf.org/drafts/current/.

Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress."

This Internet-Draft will expire on August 18, 2014.

Copyright Notice

Copyright (c) 2014 IETF Trust and the persons identified as the document authors. All rights reserved.

This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (http://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Simplified BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Simplified BSD License.


Table of Contents

1. Introduction

Networks today, whether public or private, are challenged with demands to support rapidly increasing amounts of traffic. New channels for creating and consuming rich media are deployed at a rapid pace. Pervasive video and access on demand are becoming second nature to consumers. Communication applications make extensive use of rich media, placing unprecedented quality of experience demands on the network.

Now more so than ever before, identification and treatment of application flows are critical for the successful deployment and operation of applications. These applications are based on wide range of signaling protocols and deployed by a diverse set of application providers that is not necessarily affiliated with the network providers across which the applications are used.

Historically, identification of application flows has been accomplished using heuristics, which inspect and infer flow characteristics. Heuristics may be based on port ranges, network separation, or deep packet inspection (DPI). Each of these techniques suffers from a set of limitations, particularly in the face of challenges on the network outlined previously.

Port based solutions suffer from port overloading and inconsistent port usage. Network separation techniques like IP subnetting are error prone and increase network management complexity. DPI is computationally expensive and becomes a greater challenge with the wider adoption of encrypted signaling and secured media. An additional drawback of DPI is that any insights are not available, or need to be recomputed, at network nodes further down the application flow path.

2. Typical Workflows

Various heuristic based approaches are used prevalently and successfully for two types of work flows:

  1. Provide network operators with visibility into traffic for troubleshooting, capacity planning, accounting and billing, and other off network work flows. This is done by exporting observed traffic analysis via protocols such as IPFIX and SNMP.
  2. Provide differentiated network services for specific traffic according to network operator defined rule sets, including policing and shaping of traffic, providing admission control, impacting routing, and permitting passage of specific traffic (e.g. firewall functions).

3. Limitations of Existing Solutions

These typical work flows, visibility and differentiated network services, are critical in many networks. However, their reliance on inspection and observation limits the ability to enable these work flows more widely. Reasons for this include the following:

4. Efforts in Progress

There are a variety of existing and evolving signaling options that can provide explicit application to network signaling and serve the visibility and differentiated network services work flows where heuristics are currently being used. It seems clear that there will be no single one-protocol-fits-all solution. Every protocol is currently defined in its own silo, creating duplicate or inconsistent information models. This results in duplicate work, more operational complexity and an inability to easily convert information between protocols to easily leverage the best protocol option for each specific use case. Examples of existing and evolving signaling options include the following:

5. Requirements

Rather than encourage independent, protocol specific solutions to this problem, this draft calls for a protocol and application independent solution that can be applied in a consistent fashion across a variety of protocols. The requirements are:

Req-1:
Allow applications to explicitly signal their flow characteristics to the network.
Req-2:
Provide network nodes visibility to application flow characteristics.
Req-3:
Enable network nodes to contribute to application flow descriptions.
Req-4:
Allow applications to receive resulting flow descriptions as feedback from the network.
Req-5:
Complement existing heuristic based mechanisms.
Req-6:
Provide differentiated service for both directions of a flow, including flows that cross administrative boundaries.
Req-7:
Provide mechanism to authenticate and authorize endpoints/applications to signal flow characteristics.
Req-8:
Provide mechanism for integrity and replay protection of messages exchanged between the application and the network.

6. Acknowledgements

The authors thank Toerless Eckert, Reinaldo Penno, Dan Wing, Amine Choukir, and Paul Jones for their contributions to this draft.

7. References

Authors' Addresses

Charles Eckel Cisco Systems, Inc. 170 West Tasman Drive San Jose, CA 95134 USA EMail: eckelcu@cisco.com
Tirumaleswar Reddy Cisco Systems, Inc. Cessna Business Park, Varthur Hobli Sarjapur Marathalli Outer Ring Road Bangalore, Karnataka 560103 India EMail: tireddy@cisco.com