Network Working Group | L. Iannone |
Internet-Draft | Telecom ParisTech |
Intended status: Standards Track | D. von Hugo |
Expires: November 28, 2019 | Deutsche Telekom |
B. Sarikaya | |
Denpel Informatique | |
May 27, 2019 |
Requirements to Secure End to End Privacy in IdLoc Systems
draft-xyz-pidloc-reqs-00.txt
Use of Identifier Locator separation systems is proposed for various use cases to allow for efficient and service aware flexible end-to-end routing. A statement on the issue of privacy preservation of both users and devices identity and location describes major challenges identified for this problem. This document attempts to derive requirements towards a potential solution space of approaches to preserve privacy in Identifier-Locator split (PidLoc) protocols.
This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79.
Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet-Drafts is at https://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress."
This Internet-Draft will expire on November 28, 2019.
Copyright (c) 2019 IETF Trust and the persons identified as the document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (https://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Simplified BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Simplified BSD License.
[I-D.xyz-pidloc-ps] has identified and described typical use cases for application of privacy preserving Identifier-Locator split (PidLoc) approaches and derived thereof a problem statement describing corresponding issues and challenges. Privacy in this respect includes prevention of acquisition of personal information, behavioral details, and location information by unauthorised parties. This document tries to assess that set of issues and challenges to come up with a set of requirements for approaches towards service specific and optimized packet routing based on Id-Loc principle providing privacy and security.
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in RFC 2119 and [I-D.xyz-pidloc-ps].
This section summarizes the specifics and commonalities of existing Identifier Locator (Id-Loc) Separation Protocols and highlights the corresponding challenges and issues identified in [I-D.xyz-pidloc-ps].
This section lists requirements which emerge from the use case analysis and will apply (beside the general requirements to fit with privacy considerations for Internet Protocols as laid down in RFC 6973 and partly also on design criteria for confidentiality in the data plane of LISP described in RFC 8061) for the solution space providing privacy and security in generic Identifier Locator Split Approaches.
The measures to ensure privacy to Id-Loc systems shall not require additional infrastructure and external third party provided resources to be used nor increase the overall effort such that network and service performance is strongly degraded. Successful privacy measures shall not impact availability.
Because Id-Loc approaches can be used in mobile environments, flexibility in time and space should be provided. The same Id, associated to a specific device, can move around and at different times can have different privacy requirements, may be depending on the specific connection or provider used. Still because of mobility, a certain device can have different privacy requirements depending of where it is.
Because some of the ID-Loc proposals aim at being deployed in datacenters, the methods to ensure privacy has to be able to function at very large scale.
The measure shall not rely on a potential single point of failure nor a single mechanism and allow for automatic rebooting or relying on alternative solutions in case of compromise and attacks.
The Id-Loc system may need to use measures for binding one or more identifiers to one or more locators. This is usually achieved by a mapping or lookup system (e.g. DNS) which has to be protected against unauthorised access and may allow for different policy-based chosen levels of security. Like any other software-based service, the mapping system has to be protected against DDoS attacks and the like. However, there are specific points to be tackled:
The above may be defined on various criteria, like for instance administrative criteria "devices part of the same company", or geographical criteria "only close by devices", or service-aware "devices operating the same service".
TBD.
[I-D.ietf-lisp-rfc6830bis] | Farinacci, D., Fuller, V., Meyer, D., Lewis, D. and A. Cabellos-Aparicio, "The Locator/ID Separation Protocol (LISP)", Internet-Draft draft-ietf-lisp-rfc6830bis-26, November 2018. |
[I-D.ietf-lisp-rfc6833bis] | Fuller, V., Farinacci, D. and A. Cabellos-Aparicio, "Locator/ID Separation Protocol (LISP) Control-Plane", Internet-Draft draft-ietf-lisp-rfc6833bis-24, February 2019. |
[RFC2119] | Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, DOI 10.17487/RFC2119, March 1997. |