Network Working Group                                         Y. Qu, Ed.
Internet-Draft                                                    Huawei
Intended status: Informational                               A. Cabellos
Expires: January 4, 2018               Technical University of Catalonia
                                                            R. Moskowitz
                                                          HTT Consulting
                                                                  B. Liu
                                                                  Huawei
                                                           A. Stockmayer
                                                 University of Tuebingen
                                                            July 3, 2017
Gap Analysis for Identity Enabled Networks
draft-xyz-ideas-gap-analysis-00
Currently there are several identifier/locator separation protocols, such as HIP, ILA, ILNP and LISP. This document analyzes the technical gaps between existing solutions and today's privacy requirements.
This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79.
Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet-Drafts is at http://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress."
This Internet-Draft will expire on January 4, 2018.
Copyright (c) 2017 IETF Trust and the persons identified as the document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (http://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Simplified BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Simplified BSD License.
The separation of location and identifier has been discussed for many years, as documented in [RFC4984]. IP addresses have been overloaded to serve as both locators and identifiers. Several identifier and locator separation (ID/LOC) protocols have been proposed, such as HIP [RFC7401], [ILA] and LISP [RFC6830]. They create two separate namespaces: identifiers (IDfs) and Locators (LOCs). Identifiers uniquely identify network entities no matter where they are located, and locators are assigned based on topology information and are typically routable.
In an ID/LOC protocol, a service is needed to maintain mappings between identifiers and locators and to perform lookups from identifiers to locators (and probably vice versa). Currently each ID-based protocol uses its own mapping database and mechanism to obtain this mapping information [RFC6836][RFC8005].
As pointed out by [IDEAS-PS][IDEAS-IDY-USE], the concept of identity (IDy) tied to a network entity can help to solve some of the privacy issues that are associated with today's networks. The goal of this document is to analyze the technical gaps between the existing ID/LOC protocols and today’s requirements. The following gaps are summarized: the split of identifier and identity; a common mapping system supporting both IDf/LOC mapping and IDy/IDf mapping; and user-defined access policies.
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in [RFC2119].
This document makes use of the terms that have already been defined in the problem statement draft of IDEAS [IDEAS-PS]. They are included here for the reader's convenience. In case of any discrepancy between the two drafts, the problem statement draft overrides.
Entity: An entity is a communication endpoint. It can be a device, a node, or a virtual machine (VM), that needs to be identified. An entity may have one or multiple identifiers (long-lived or ephemeral) simultaneously. An entity is reached by the resolution of one or more of its identifiers to one or more locators.
Identity (IDy): the essence of "being" of a specific entity. An identity is not to be confused with an identifier: while an identifier may be used to refer to an entity, an identifier's lifecycle is not necessarily tied to the lifecycle of the Identity it is referencing. On the other hand, the identity's lifecycle is inherently tied to the lifecycle of the entity itself.
Identifier (IDf): denotes information to unambiguously identify an entity within a given scope (e.g. HIP HIT, LISP EID). There is no constraint on the format, obfuscation or routability of an IDf. The IDf may or may not be present in the packet whose format is defined by ID-based protocols (HIP/LISP).
Identifier-based (ID-based): A protocol or solution is said to be ID-based if an entity is reachable only through one or more communication accesses and the protocol uses ID/LOC decoupling and a mapping system (MS) as base components of its architecture. Examples of ID-based protocols are HIP, LISP and ILA.
IDentity Enabled Networks (IDEAS): IDEAS are networks that support the identifier/locator decoupling. Reaching an entity is achieved by the resolution of identifier(s) to locator(s).
Locator (LOC): denotes information that is topology-dependent and which is used to forward packets to a given entity attached to a network (IPv4/IPv6/L2/L2.5 Address). An entity can be reached using one or multiple locators; these locators may have a limited validity lifetime.
ID/LOC: Identifier and Locator Separation.
LISP: Locator/ID Separation Protocol.
HIP: Host Identity Protocol.
ILNP: Identifier-Locator Network Protocol.
ILA: Identifier-Locator Addressing.
DNS: Domain Name System.
The Locator/ID Separation Protocol (LISP) [RFC6830] is structured around four main components: the data plane, the control plane (both specified in [RFC6830]), the LISP Mapping System Interface [RFC6833] and the Mapping System (e.g., LISP-DDT [RFC8111] and LISP+ALT [RFC6836]).
The LISP architecture decouples identifier and locator by means of the mapping system interface. This well-defined interface separates data/control from the mapping system architecture. As a result, LISP does not assume any mapping system architecture. The LISP WG has, at the time of this writing, specified two mapping systems: LISP-DDT [RFC8111] and LISP-ALT [RFC6836].
Both mapping systems assume hierarchical identifiers, but the WG has explored other architectures such as a DHT for flat identifiers, or monolithic mapping systems.
One of the main design principles behind LISP is to decouple the identifier (EIDs) from the locators (RLOCs). By means of the LISP Canonical Address Format (LCAF) [RFC8060] LISP provides a flexible syntax to encode both EIDs and RLOCs.
In terms of security, LISP supports authorization for mapping updates and the authentication of the clients updating such information. This is achieved by means of the authentication data field in the Map-Register message. In addition, LISP clients can verify the security of data origin, authentication and delegation. This is specified in [LISP-SEC] and the security mechanisms incorporated in LISP-DDT [RFC8111].
The Host Identity Protocol (HIP) [RFC7401] is a SIGMA-compliant security exchange of the current entity location for a pair of Identifiers (HITs) whose ownership is cryptographically provable. HIP has, since its inception, focused on the management of the Identifier/Location mapping. HITs are valid, non-routable IPv6 addresses that carry the cryptographic protocol suite and a hash of the HI (Host Identity public key).
One method of discovering a peer's HIT and initial location is the DNS HIP RR (type 55) [RFC8005], combined with an A/AAAA RR that points either to the peer itself or to the peer's Rendezvous Server (RVS) [RFC8004]. The initiating peer cannot tell from DNS which of the two destinations it is addressing. The RVS "slingshots" the I1 packet to the recipient, which decides, based on local policy, whether to respond with the next exchange packet, R1. Thus using an RVS not only supports client mobility, it also hides a peer's location unless the peer wants to be "found".
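The discovery path described above starts from the HIP resource record (type 55) of [RFC8005], whose RDATA carries the HIT, the HI public key and zero or more rendezvous server names. The following Python is an added illustration, not code from the draft or from any HIP implementation: it parses and builds that RDATA layout (1-octet HIT length, 1-octet PK algorithm, 2-octet PK length, HIT, public key, then uncompressed domain names). The sample HIT and key bytes are constructed placeholders rather than a genuine ORCHID or RSA key, and has_rendezvous_server and is_well_formed are hypothetical helpers added for the example.

```python
import struct

# PK algorithm values carried in the HIP RR (RFC 8005): 0 = no key, 1 = DSA, 2 = RSA, 3 = ECDSA
PK_ALGORITHMS = {0: "none", 1: "DSA", 2: "RSA", 3: "ECDSA"}


def _read_name(data: bytes, pos: int):
    """Decode one uncompressed wire-format domain name starting at pos."""
    labels = []
    while True:
        if pos >= len(data):
            raise ValueError("truncated domain name")
        n = data[pos]
        pos += 1
        if n == 0:
            break
        if n & 0xC0:
            raise ValueError("compression pointer found; names in HIP RDATA are uncompressed")
        if pos + n > len(data):
            raise ValueError("truncated label")
        labels.append(data[pos:pos + n].decode("ascii"))
        pos += n
    return ".".join(labels) + ".", pos


def _encode_name(name: str) -> bytes:
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def parse_hip_rdata(rdata: bytes) -> dict:
    """Split HIP RDATA into HIT, public key and the list of rendezvous servers."""
    if len(rdata) < 4:
        raise ValueError("RDATA shorter than the fixed 4-octet header")
    hit_len, pk_alg, pk_len = struct.unpack("!BBH", rdata[:4])
    pos = 4
    hit = rdata[pos:pos + hit_len]
    pos += hit_len
    pk = rdata[pos:pos + pk_len]
    pos += pk_len
    if len(hit) != hit_len or len(pk) != pk_len:
        raise ValueError("RDATA truncated inside HIT or public key")
    servers = []
    while pos < len(rdata):            # zero or more RVS names follow the key
        name, pos = _read_name(rdata, pos)
        servers.append(name)
    return {
        "hit": hit,
        "pk_algorithm": PK_ALGORITHMS.get(pk_alg, f"unknown({pk_alg})"),
        "public_key": pk,
        "rendezvous_servers": servers,
    }


def build_hip_rdata(hit: bytes, pk_alg: int, public_key: bytes, servers=()) -> bytes:
    """Inverse of parse_hip_rdata; used here to construct the sample record."""
    head = struct.pack("!BBH", len(hit), pk_alg, len(public_key))
    return head + hit + public_key + b"".join(_encode_name(s) for s in servers)


def has_rendezvous_server(record: dict) -> bool:
    """True when the peer published at least one RVS in its HIP RR (hypothetical helper)."""
    return bool(record["rendezvous_servers"])


def is_well_formed(rdata: bytes) -> bool:
    """Hypothetical helper: accept only RDATA that parses without error."""
    try:
        parse_hip_rdata(rdata)
        return True
    except ValueError:
        return False


# Constructed sample: placeholder HIT and key bytes, not a genuine ORCHID or RSA key.
SAMPLE_HIT = bytes.fromhex("2001002000000000000000000000abcd")
SAMPLE_PK = b"\x03\x01\x00\x01" + b"\x42" * 16
SAMPLE_RDATA = build_hip_rdata(SAMPLE_HIT, 2, SAMPLE_PK, ["rvs.example."])

if __name__ == "__main__":
    print(parse_hip_rdata(SAMPLE_RDATA))
```

A resolver that rejects compression pointers and truncated fields, as this one does, avoids reading past the record when the zone data is malformed; the RVS list is what tells the initiator that its I1 will be relayed rather than delivered directly.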
HIP provides Identity/Location separation through changes in the peer IP stack behavior, requiring only an RVS to be added to the infrastructure. HIP-aware systems register with their RVS server(s) via a HIP exchange, augmented with an RVS registration parameter [RFC8003]. All location changes are made securely over HIP [RFC8046]. Location changes are sent directly to peers and to the RVS server(s). HIP fully supports double jumps (both peers move) and state loss recovery (full protocol state machine).
HIP supports multihomed systems [RFC8047], fully decoupling the Identifier (HITs) from all interfaces. Multiple data paths are enabled with HIP. ESP via BEET mode [RFC7402] is most commonly used. L2VPN support is defined in [HIP-VPLS] and provided in commercial products targeting SCADA environments. A non-cryptographic envelope is proposed in [HIP-IP].
HIP works equally well over IPv4 or IPv6 networks. The HIP data-path can be either IPv4 (via the HIP 32-bit Local Scope Identifier) or IPv6 using the HIT. IPv4 applications can run transparently over IPv6 and IPv6 over IPv4.
HIP supports Identifier-to-location mapping well, but Identity-to-Identifier mapping only weakly. Besides DNS support, identities may be supported in HIP with X.509 certificates [RFC8002] to provide third-party assertions of HITs and HIs. The reverse, Identifier-to-Identity lookup, is poorly handled, though potentially needed to support FTP PASV and other protocols with embedded addresses. A DHT has been demonstrated [RFC6537], but not fielded. The new work on Hierarchical HITs [HHIT] proposes new methods to couple DNS and a registry for the reverse lookup.
In [ILA], an IPv6 address is divided into two parts: a locator and an identifier. As in other ID/LOC protocols, the locator indicates the topological location of a network entity, and the identifier identifies the entity in communications. ILA can be used to implement overlay networks for network virtualization, and also addresses use cases in mobility.
However, the mapping service in ILA is still TBD [ILA-MS-TBD].
In existing ID/LOC protocols, the IDf/LOC mappings stored in the mapping system are assumed to be public. A legitimate requestor can look up any record and, if an access control policy exists at all, escape it by changing to a different identifier. Also, a network entity may want to hide its true identity for privacy protection by using ephemeral identifiers [LISP-ANNOY].
To address these issues, [IDEAS-PS] introduces the concept of identity (IDy). An IDy uniquely identifies "who" a communicating entity is; identifier and locator together identify "where" the entity is. With this two-tier identification, multiple identifiers can be bound to the same entity (IDy) and exchanged in the clear on the wire, without having to worry about the identity being compromised by outside observers.
Since the lifecycle of an identity is the same as the entity, the lifecycles of identity and its associated identifiers are decoupled. It is possible for identifiers to be added or removed without affecting the identity. This further abstraction can bring additional benefits. [IDEAS-IDY-USE] describes the identity use cases.
In summary:
An IDf/LOC mapping service is essential for ID/LOC protocols [RFC6833]; however, today each protocol uses its own mapping database, even within the same administrative domain. This potentially adds operational cost and management complexity.
A common mapping system supporting both IDf/LOC mapping and IDy/IDf mapping can work with existing ID/LOC protocols, as well as add extra identity-based services. It can provide consistent access control and a common interface for services such as registration, discovery and resolution. A unified database can help to ease network management [IDEAS-PS].
Unlike DNS, which generally maintains public name-to-IP mapping information, an IDf/LOC mapping system maintains more private information. However, existing mapping systems assume the stored information is public, and this may cause privacy violations. A network entity may want to set a customized access policy to control who can obtain its identifier and location information. This policy should be tied to identity, so that it is not affected by identifier changes on the requestor's side.
General system-wide access control (e.g., an operator can set a system-wide access control list for a DNS server, permitting only the customer network prefixes to access it) can provide some privacy, but it is not sufficient. What is needed is fine-grained access control at the level of the data records associated with each individual entity, and enforcement of those access policies.
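The gap described in this section and the preceding one, a requestor escaping policy by switching identifiers and a target unable to restrict who learns its locator, is easiest to see in a small model. The following Python is an added example, not code from the draft or from any LISP, HIP or ILA implementation: a single mapping system that holds both the IDy/IDf and the IDf/LOC mapping, evaluates each entity's access list against the requestor's identity rather than the identifier it presents, and authenticates registrations with a keyed MAC (modelled loosely on the purpose of the LISP Map-Register authentication data mentioned in the LISP section, not on its wire format). All entity names, keys and locators are constructed for the example, and demo, registration_tag and the MappingSystem methods are hypothetical names.

```python
import hashlib
import hmac
from dataclasses import dataclass, field


@dataclass
class Entity:
    identity: str                 # IDy: stable for the entity's whole lifetime
    key: bytes                    # shared key that authenticates this entity's registrations
    allow: frozenset              # identities permitted to resolve this entity's records
    identifiers: set = field(default_factory=set)   # IDfs currently bound to this IDy


def registration_tag(key: bytes, identifier: str, locator: str) -> bytes:
    # Keyed MAC over the registration (constructed format, not the LISP Map-Register layout).
    msg = b"|".join(s.encode() for s in ("register", identifier, locator))
    return hmac.new(key, msg, hashlib.sha256).digest()


class MappingSystem:
    """Common mapping system holding both the IDy/IDf and the IDf/LOC mapping."""

    def __init__(self) -> None:
        self.entities: dict[str, Entity] = {}   # IDy -> Entity (policy and key live here)
        self.idf_to_idy: dict[str, str] = {}    # IDf -> IDy (reverse of the IDy/IDf mapping)
        self.idf_to_loc: dict[str, str] = {}    # IDf -> LOC

    def enroll(self, identity: str, key: bytes, allow=()) -> None:
        # An empty allow-set means the record is public, as in today's mapping systems.
        self.entities[identity] = Entity(identity, key, frozenset(allow))

    def register(self, identity: str, identifier: str, locator: str, tag: bytes) -> None:
        """Bind an IDf to an IDy and a LOC; refused unless the tag proves key possession."""
        ent = self.entities[identity]
        if not hmac.compare_digest(registration_tag(ent.key, identifier, locator), tag):
            raise PermissionError("registration not authenticated")
        if self.idf_to_idy.get(identifier, identity) != identity:
            raise PermissionError("identifier already bound to another identity")
        ent.identifiers.add(identifier)
        self.idf_to_idy[identifier] = identity
        self.idf_to_loc[identifier] = locator

    def deregister(self, identity: str, identifier: str) -> None:
        # Identifiers come and go; the identity and its policy are untouched.
        self.entities[identity].identifiers.discard(identifier)
        self.idf_to_idy.pop(identifier, None)
        self.idf_to_loc.pop(identifier, None)

    def resolve(self, requester_idf: str, target_idf: str):
        """IDf -> LOC lookup, authorised on the requester's identity, not its identifier."""
        target_idy = self.idf_to_idy.get(target_idf)
        if target_idy is None:
            return None                          # no such record
        requester_idy = self.idf_to_idy.get(requester_idf)   # who is asking?
        policy = self.entities[target_idy].allow
        if policy and requester_idy not in policy:
            raise PermissionError("requester's identity is not permitted")
        return self.idf_to_loc[target_idf]


def _denied(action) -> bool:
    try:
        action()
    except PermissionError:
        return True
    return False


def demo() -> dict:
    """Walk through the gap: a policy tied to IDy survives IDf changes on both sides."""
    ms = MappingSystem()
    alice_key, bob_key, eve_key = b"alice-key", b"bob-key", b"eve-key"   # constructed keys
    ms.enroll("alice", alice_key)
    ms.enroll("bob", bob_key, allow={"alice"})    # Bob: only Alice may learn my locator
    ms.enroll("eve", eve_key)

    def reg(idy, key, idf, loc):
        ms.register(idy, idf, loc, registration_tag(key, idf, loc))

    reg("bob", bob_key, "bob-idf-1", "2001:db8::b")
    reg("alice", alice_key, "alice-idf-1", "2001:db8::a1")
    reg("eve", eve_key, "eve-idf-1", "2001:db8::e1")

    out = {"alice_first": ms.resolve("alice-idf-1", "bob-idf-1")}
    # Alice rotates to an ephemeral identifier; she is still "alice" to Bob's policy.
    reg("alice", alice_key, "alice-idf-2", "2001:db8::a2")
    ms.deregister("alice", "alice-idf-1")
    out["alice_rotated"] = ms.resolve("alice-idf-2", "bob-idf-1")
    # Eve is denied, and switching to a fresh identifier does not help her.
    out["eve"] = _denied(lambda: ms.resolve("eve-idf-1", "bob-idf-1"))
    reg("eve", eve_key, "eve-idf-2", "2001:db8::e2")
    out["eve_rotated"] = _denied(lambda: ms.resolve("eve-idf-2", "bob-idf-1"))
    # A registration under Alice's identity computed with Eve's key fails authentication.
    forged_tag = registration_tag(eve_key, "eve-idf-3", "2001:db8::e3")
    out["forged"] = _denied(lambda: ms.register("alice", "eve-idf-3", "2001:db8::e3", forged_tag))
    return out


if __name__ == "__main__":
    print(demo())
```

The point of the model is where the access check reads its subject: resolve first maps the requester's identifier back to an identity and only then consults the target's allow-set, which is why neither Alice's rotation nor Eve's keeps or gains access by changing identifiers. Records enrolled with an empty allow-set behave like today's public mapping entries, so the same database can serve both policies.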
Since the 1980s, DNS has been pivotal to translate human readable names that are easy to remember into hard-to-remember IP addresses. It provides a global distributed directory service and is a very powerful and useful technology to translate the domain name hierarchy to IP address space.
Even though the DNS was designed to be resilient, it is prone to DDoS attacks, as discussed extensively in the Technical Plenary of IETF 97. Furthermore, some studies have also described challenges in response time, caching techniques and latency in the Internet [DNS1] [DNS2] [DNS3] [GNRS].
[DNS-DUP] proposed a mobility solution using the DNS dynamic update protocol. However, for a communication session in which both hosts are moving, the session fails and the hosts SHOULD query DNS, obtain the new address and then restart the communication.
The use of a mapping system rather than the DNS has been discussed extensively in [IVIP], [RFC6115], on the lisp-wg mailing list [LISP-DIS], and in the initial HIP design team (circa 1999-2003).
The IDEAS control plane may be used to maintain and transmit confidential data, such as identity, access policy and metadata. Access to this data needs to be authorized and authenticated, and control plane messages containing it need to be encrypted. The exact details of encryption and authentication are topics for future research.
This document has no actions for IANA.
The authors would like to thank Dino Farinacci, Michael Menth, Padma Pillay-Esnault, Alex Clemm, Uma Chunduri for their review and input on this document.
This document was produced using Marshall Rose's xml2rfc tool.