Internet Draft                                              P. Urien
Intended status: Informational                         Telecom Paris
Expires: January 2024                                    July 7 2023
COIN Security
draft-urien-coin-sec-01.txt
Abstract
This draft introduces some security issues for COIN systems.
Requirements Language
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
document are to be interpreted as described in RFC 2119.
Status of this Memo
This Internet-Draft is submitted in full conformance with the
provisions of BCP 78 and BCP 79.
Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet-
Drafts is at http://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six
months and may be updated, replaced, or obsoleted by other documents
at any time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress."
This Internet-Draft will expire in January 2024.
Urien Expires January 2024 [Page 1]
Copyright Notice
Copyright (c) 2023 IETF Trust and the persons identified as the
document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents
(http://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents
carefully, as they describe your rights and restrictions with
respect to this document. Code Components extracted from this
document must include Simplified BSD License text as described in
Section 4.e of the Trust Legal Provisions and are provided without
warranty as described in the Simplified BSD License.
COIN Security July 2023
Table of Contents
Abstract........................................................... 1
Requirements Language.............................................. 1
Status of this Memo................................................ 1
Copyright Notice................................................... 2
1 Overview......................................................... 4
2 COIN Security.................................................... 4
3 Program Security................................................. 5
4 Identity......................................................... 5
5 IANA Considerations.............................................. 6
6 Security Considerations.......................................... 6
7 References....................................................... 6
7.1 Normative References........................................ 6
7.2 Informative References...................................... 6
8 Authors' Addresses............................................... 6
1 Overview
Computing in the Network (COIN) is a concept [COIN-TERMINOLOGY] that
aims at deploying and using programs based on computing resources
hosted in Programmable Network Devices (PNDs). Such infrastructures
could be integrated in edge computing or 5G slicing [COIN-USECASES].
A program runs across several PNDs that exchange data over secure
communications.
In that context, security is needed both for the COIN infrastructure
itself and for the programs running in COIN systems.
2 COIN Security
COIN should rely on fully encrypted communications, which implies
authentication and keying mechanisms based on symmetric or
asymmetric secrets.
Some research items for COIN security are the following:
1) Security Architecture
2) PND security model
3) Key Management System (KMS)
4) Identity Model
5) Authentication Center
                       +-------+
                       |  PND  |
          +------------+  ID   +------------+
          |            |  KMS  |            |
          |            +---+---+            |
          |                |                |
          |            +---+---+            |
          |            | Auth. |            |
          |       +----+ Center+----+       |
          |      /     |  KMS  |     \      |
          |     /      +-------+      \     |
          |    /                       \    |
          +---+---+                 +---+---+
          |  PND  |                 |  PND  |
          |  ID   +-----------------+  ID   |
          |  KMS  |                 |  KMS  |
          +-------+                 +-------+
A PND could include a Key Management System (KMS) in order to provide
these security features.
If COIN services rely on a centralized architecture, an Authentication
Center (AC) should provide the KMS functionalities.
PND processors can also include a physical entity with isolated
computing resources (for example a Trusted Execution Environment,
TEE) or tamper-resistant computing resources (sometimes referred to
as an integrated Secure Element, iSE).
A classical approach in cloud computing relies on the deployment of
Hardware Security Modules (HSMs) in data centers, typically performing
cryptographic offload or KMS operations, i.e. running cryptographic
procedures in a trusted environment.
3 Program Security
Programs could have security requirements. For example, the
generation of blockchain transactions implies secure key storage and
trusted signature.
Some research items for program security are the following:
1) Secure program deployment
2) Attestation and secure cryptographic provisioning
3) Level of security & trust
4) Scalability & performance
The IoSE [IOSE] draft introduces on-demand secure computing
resources, identified by Uniform Resource Identifiers (URIs), and
could be a use case for COIN.
        +-------+             +-------+
        |  PND  |     URI     | IoSE  |
        |       +-------------+       |
        |  KMS  |             | Server|
        +-------+             +-------+
                \             /
                 \           /URI
                  \         /
                   +-------+
                   | COIN  |
                   |       |
                   | Client|
                   +-------+
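The "secure program deployment" and "attestation and secure cryptographic provisioning" items above, as an added example that is not code from this draft or from the IoSE work: a PND measures the program image it has loaded and reports the measurement under an attestation key shared with a KMS; the KMS releases the program's key only for a fresh report (carrying the KMS's own nonce) whose measurement it has approved, and the key then stays on the PND, which exposes only a signing operation. The class names, report layout and nonce rule are assumptions of this example, and HMAC stands in for the signature scheme a real deployment (e.g. ECDSA for blockchain transactions) would use, since the Python standard library has no asymmetric signing.

```python
"""Attestation-gated provisioning of a program key on a PND.

Added example, not code from the draft. The PND measures the program
image (SHA-256) and reports it under an attestation key KA shared with
the KMS; the KMS releases the program key only for a fresh, authentic
report whose measurement is approved. HMAC stands in for a real
signature scheme. Names and message layout are assumptions.
"""
import hashlib
import hmac
import secrets
from typing import Dict, Optional


def measure(program: bytes) -> bytes:
    """Measurement of a program image, as a TEE/iSE would compute at load."""
    return hashlib.sha256(program).digest()


def report_mac(ka: bytes, pnd_id: bytes, nonce: bytes, meas: bytes) -> bytes:
    return hmac.new(ka, pnd_id + nonce + meas, hashlib.sha256).digest()


class PND:
    def __init__(self, pnd_id: bytes, ka: bytes):
        self.pnd_id = pnd_id
        self._ka = ka                                  # attestation key, never exported
        self._program_keys: Dict[bytes, bytes] = {}    # measurement -> program key

    def attest(self, program: bytes, nonce: bytes) -> Dict[str, bytes]:
        m = measure(program)                           # reports what was really loaded
        return {"pnd_id": self.pnd_id, "nonce": nonce, "measurement": m,
                "mac": report_mac(self._ka, self.pnd_id, nonce, m)}

    def install_key(self, measurement: bytes, key: bytes) -> None:
        self._program_keys[measurement] = key

    def sign(self, program: bytes, tx: bytes) -> Optional[bytes]:
        """Trusted signature: the key never leaves the PND, and only the
        program whose current measurement matches the provisioned one may use it."""
        key = self._program_keys.get(measure(program))
        if key is None:
            return None
        return hmac.new(key, tx, hashlib.sha256).digest()


class KMS:
    def __init__(self):
        self._ka: Dict[bytes, bytes] = {}        # pnd_id -> attestation key
        self._allowed: Dict[bytes, bytes] = {}   # approved measurement -> program key
        self._pending: Dict[bytes, bytes] = {}   # pnd_id -> outstanding nonce

    def enroll_pnd(self, pnd_id: bytes, ka: bytes) -> None:
        self._ka[pnd_id] = ka

    def register_program(self, program: bytes) -> None:
        """Approve a program image and create the key it will sign with."""
        self._allowed[measure(program)] = secrets.token_bytes(32)

    def nonce_for(self, pnd_id: bytes) -> bytes:
        self._pending[pnd_id] = secrets.token_bytes(16)
        return self._pending[pnd_id]

    def provision(self, rep: Dict[str, bytes]) -> Optional[bytes]:
        """Release the program key only for a fresh, authentic report whose
        measurement is approved; any failure yields None."""
        ka = self._ka.get(rep["pnd_id"])
        nonce = self._pending.pop(rep["pnd_id"], None)   # single use: a replay fails
        if ka is None or nonce is None or nonce != rep["nonce"]:
            return None
        expected = report_mac(ka, rep["pnd_id"], nonce, rep["measurement"])
        if not hmac.compare_digest(expected, rep["mac"]):
            return None
        return self._allowed.get(rep["measurement"])     # None: image not approved

    def verify(self, program: bytes, tx: bytes, sig: bytes) -> bool:
        key = self._allowed.get(measure(program))
        return key is not None and hmac.compare_digest(
            hmac.new(key, tx, hashlib.sha256).digest(), sig)


def deploy_and_sign(kms: KMS, pnd: PND, program: bytes, tx: bytes) -> Optional[bytes]:
    """Deploy program on pnd, provision its key if attestation passes, then
    sign tx on the PND. None means the deployment was refused."""
    key = kms.provision(pnd.attest(program, kms.nonce_for(pnd.pnd_id)))
    if key is None:
        return None
    pnd.install_key(measure(program), key)
    return pnd.sign(program, tx)


def demo() -> Dict[str, bool]:
    """Constructed scenario: an approved image, a tampered one, a replayed report."""
    kms, ka = KMS(), secrets.token_bytes(32)
    pnd = PND(b"pnd-7", ka)
    kms.enroll_pnd(pnd.pnd_id, ka)
    program = b"COIN program v1: build transaction, request signature"  # constructed
    kms.register_program(program)
    tx = b"transfer 5 units from A to B"                                # constructed
    sig = deploy_and_sign(kms, pnd, program, tx)
    out = {"genuine_signed": sig is not None and kms.verify(program, tx, sig),
           "tampered_refused": deploy_and_sign(kms, pnd, program + b"\x00", tx) is None}
    rep = pnd.attest(program, kms.nonce_for(pnd.pnd_id))
    kms.provision(rep)                                  # first use of the report succeeds
    out["replay_refused"] = kms.provision(rep) is None  # the same report again is refused
    return out
```

The tampered image is refused even though the PND's report is authentic: the PND honestly reports the measurement of what it loaded, and the KMS simply has no key for that measurement. Binding the nonce to one outstanding request is what stops a captured report from being replayed to provision a second device.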
4 Identity
Identity is used to identify and authenticate PNDs.
Identity knowledge should provide information about computing
resources and trust level.
An entirely distributed architecture could use asymmetric
cryptography and certificates to identify participating PNDs and
their associated computing resources.
Single-tenant architectures will likely use symmetric cryptographic
algorithms and a single authentication center. Secure data exchanges
could occur in a way similar to cellular network communications.
Multi-tenant architectures should involve several authentication
centers. Secure data exchanges could likewise occur in a way similar
to cellular network communications.
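The single-tenant case above, together with the Authentication Center acting as KMS described in Section 2, as an added example that is not code from this draft: a challenge-response modelled on cellular AKA between one AC and the PNDs enrolled with it, each PND holding a long-term symmetric key K. The message labels, field sizes, and the sequence-number freshness rule are assumptions of this example; it uses only the Python standard library.

```python
"""Single-tenant COIN authentication with one Authentication Center (AC).

Added example, not code from the draft. Each PND shares a long-term
symmetric key K with the AC, which plays the KMS role. Modelled on
cellular AKA: the AC sends a random RAND, a sequence number SQN and a
MAC proving knowledge of K; the PND checks MAC and SQN freshness,
answers RES, and both sides derive a session key KS. Labels, field
sizes and layout are assumptions. Standard library only.
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple


def prf(key: bytes, label: bytes, *parts: bytes) -> bytes:
    """HMAC-SHA256 as a PRF; the label separates the different uses of K."""
    h = hmac.new(key, label, hashlib.sha256)
    for p in parts:                      # length-prefix each field
        h.update(len(p).to_bytes(2, "big") + p)
    return h.digest()


@dataclass
class AuthToken:                         # challenge from the AC (AUTN in AKA terms)
    pnd_id: bytes
    rand: bytes
    sqn: int
    mac: bytes


@dataclass
class AuthenticationCenter:
    keys: Dict[bytes, bytes] = field(default_factory=dict)  # pnd_id -> K
    sqn: Dict[bytes, int] = field(default_factory=dict)     # pnd_id -> last SQN

    def enroll(self, pnd_id: bytes, k: bytes) -> None:
        self.keys[pnd_id] = k
        self.sqn[pnd_id] = 0

    def challenge(self, pnd_id: bytes) -> AuthToken:
        self.sqn[pnd_id] += 1            # KeyError: identity not enrolled here
        sqn_b = self.sqn[pnd_id].to_bytes(6, "big")
        rand = secrets.token_bytes(16)
        mac = prf(self.keys[pnd_id], b"AC-AUTH", pnd_id, rand, sqn_b)
        return AuthToken(pnd_id, rand, self.sqn[pnd_id], mac)

    def verify_response(self, tok: AuthToken, res: bytes) -> Optional[bytes]:
        """Check RES; on success return the session key KS for this PND."""
        k = self.keys[tok.pnd_id]
        sqn_b = tok.sqn.to_bytes(6, "big")
        if not hmac.compare_digest(prf(k, b"RES", tok.rand, sqn_b), res):
            return None
        return prf(k, b"SESSION", tok.rand, sqn_b)


@dataclass
class PND:
    pnd_id: bytes
    k: bytes            # long-term key, ideally kept in the PND's TEE or iSE
    last_sqn: int = 0   # highest SQN accepted so far (replay protection)

    def respond(self, tok: AuthToken) -> Tuple[bytes, bytes]:
        """Authenticate the network first, then return (RES, KS)."""
        if tok.pnd_id != self.pnd_id:
            raise ValueError("token addressed to another PND")
        sqn_b = tok.sqn.to_bytes(6, "big")
        expected = prf(self.k, b"AC-AUTH", self.pnd_id, tok.rand, sqn_b)
        if not hmac.compare_digest(expected, tok.mac):
            raise ValueError("network authentication failed: bad MAC")
        if tok.sqn <= self.last_sqn:
            raise ValueError("replayed challenge: stale SQN")
        self.last_sqn = tok.sqn
        return (prf(self.k, b"RES", tok.rand, sqn_b),
                prf(self.k, b"SESSION", tok.rand, sqn_b))


def run_aka(ac: AuthenticationCenter, pnd: PND) -> Optional[bytes]:
    """One full round; returns the agreed KS, or None if RES was rejected."""
    tok = ac.challenge(pnd.pnd_id)
    res, ks_pnd = pnd.respond(tok)
    ks_ac = ac.verify_response(tok, res)
    if ks_ac is None or not hmac.compare_digest(ks_ac, ks_pnd):
        return None
    return ks_ac


def demo() -> Dict[str, bool]:
    """Constructed scenario: one AC, one enrolled PND, two attacker attempts."""
    ac = AuthenticationCenter()
    pnd = PND(b"pnd-1", secrets.token_bytes(32))
    ac.enroll(pnd.pnd_id, pnd.k)
    out = {"auth_ok": run_aka(ac, pnd) is not None}
    tok = ac.challenge(pnd.pnd_id)       # genuine token, captured on the wire
    pnd.respond(tok)
    try:                                 # replaying it later is refused (SQN)
        pnd.respond(tok)
        out["replay_rejected"] = False
    except ValueError:
        out["replay_rejected"] = True
    forged = AuthToken(pnd.pnd_id, secrets.token_bytes(16), tok.sqn + 5, bytes(32))
    try:                                 # a token built without K is refused (MAC)
        pnd.respond(forged)
        out["forgery_rejected"] = False
    except ValueError:
        out["forgery_rejected"] = True
    return out
```

The PND checks the AC's MAC before it checks freshness, so an attacker cannot probe the sequence-number state with forged tokens; the multi-tenant case differs only in that a PND would hold one K per authentication center it is enrolled with.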
5 IANA Considerations
This draft does not require any action from IANA.
6 Security Considerations
This entire document is about security.
7 References
7.1 Normative References
[COIN-TERMINOLOGY] draft-irtf-coinrg-coin-terminology-00,
"Terminology for Computing in the Network"
[COIN-USECASES] draft-irtf-coinrg-use-cases-04, "Use Cases for In-
Network Computing"
7.2 Informative References
[IOSE] draft-urien-coinrg-iose-07, "Internet of Secure Elements"
8 Authors' Addresses
Pascal Urien
Telecom Paris
19 place Marguerite Perey
91120 Palaiseau
France

Phone: NA
Email: Pascal.Urien@telecom-paris.fr