Internet DRAFT - draft-wang-cats-awareness-system-for-casfc



cats                                                       W. Wang   
Internet-Draft                                             H. Zhou                                        
Intended Status: Informational                              J. Yan
Expires: 11 April 2024                Beijing Jiao Tong University
                                                   10 October 2023


Information Awareness System for Computing-Aware Service Function 
          Chain (IAS-CASFC): Security Service Aspect
          draft-wang-cats-awareness-system-for-casfc-00

Abstract

This document describes the Information Awareness System for the 
Computing-Aware Service Function Chain (IAS-CASFC) from the 
security service aspect, including the system architecture and the 
network and computing information details. The SFC enables traffic to pass 
through the ordered Network Security Function (NSF) path, enabling 
end-to-end security services. Differences in the available network 
and computing resources cause performance differences between 
NSF instances deployed on different service sites. It can be seen 
that the routing decision on NSF instances will affect the quality of 
the security service. Therefore, it is necessary to implement the 
CA-SFC to ensure the quality of security service. This document 
extends the CATS framework and the CATS Computing and Network 
Information Awareness (CNIA) architecture for CA-SFC, and describes 
the network and computing information content for security service.


Status of this Memo

This Internet-Draft is submitted in full conformance with the 
provisions of BCP 78 and BCP 79.

Internet-Drafts are working documents of the Internet Engineering 
Task Force (IETF).  Note that other groups may also distribute 
working documents as Internet-Drafts.  The list of current 
Internet-Drafts is at https://datatracker.ietf.org/drafts/current/.

Internet-Drafts are draft documents valid for a maximum of six 
months and may be updated, replaced, or obsoleted by other documents 
at any time. It is inappropriate to use Internet-Drafts as reference 
material or to cite them other than as "work in progress."

This Internet-Draft will expire on 11 April 2024.



Wang, et al.              Expires – April 2024              [Page 1]
                  Awareness System for CASFC       October 2023

Copyright Notice

Copyright (c) 2023 IETF Trust and the persons identified as the 
document authors. All rights reserved.

This document is subject to BCP 78 and the IETF Trust's Legal 
Provisions Relating to IETF Documents (https://trustee.ietf.org/
license-info) in effect on the date of publication of this document. 
Please review these documents carefully, as they describe your 
rights and restrictions with respect to this document.  Code 
Components extracted from this document must include Revised 
BSD License text as described in Section 4.e of the Trust Legal 
Provisions and are provided without warranty as described in the 
Revised BSD License.


Table of Contents

1. Introduction......................................2
2. Terminology.......................................3
3. Information Awareness System for Computing-Aware 
   Service Function Chain............................4
4. Information Details...............................5
4.1 Network Information..............................6
4.2 Computing Information............................7
5. Security Considerations...........................7
6. IANA Considerations...............................8
7. References........................................8
7.1 Normative References.............................8
7.2 Informative References...........................8
8. Acknowledgments...................................9
Authors' Addresses...................................9


1. Introduction

To guarantee the quality of security service, it is necessary to 
realize the Computing-Aware Service Function Chain (CA-SFC). Service 
function chain (SFC) [RFC7665] can provide a logically independent 
network function path. Network Security Function (NSF) [RFC8192]
refers to a series of security-related network functions, such as 
firewalls and intrusion detection systems. By combining multiple NSFs 
through the SFC, providers can provide users with customized security 
services. Multiple instances of the same NSF may be deployed on 
different service sites within one or more management domains. Their 
available network and computing resources differ. These differences
lead to performance differences between NSF instances deployed on 
different service sites. Routing decisions will affect the 
performance of NSF, and then affect the quality of the security 
service.


As described in [I-D.ldbc-cats-framework], the goal of Computing-
Aware Traffic Steering (CATS) is to solve the problem of how to route 
between the user requesting a service and the service site at the 
network edge. The basis for achieving this goal is network and computing 
information awareness. Therefore, the Computing and Network Information 
Awareness (CNIA) system architecture 
[I-D.yao-cats-awareness-architecture] is proposed. As the control plane 
of the CATS framework, CNIA introduces the control center component 
on top of the CATS framework to realize the management and 
comprehensive analysis of network information and computing information 
and to facilitate computing- and network-aware traffic steering 
decisions.


However, the CATS framework and CNIA architecture only consider the 
routing between users and service sites and need to be further
extended and improved for the CA-SFC scenario, where the routing 
between user equipment (UE) and multiple service sites along a 
CA-SFC route must be resolved. In the security service scenario, traffic features or 
NSF instance output may also affect routing decisions 
[I-D.wang-i2nsf-intelligent-detection][I-D.li-dots-knowledge-trans]. 
For example, the NSF used for anomaly detection outputs the result 
of traffic detection and determines the traffic as normal or abnormal. 
Routing decisions must consider NSFs' output and respond promptly 
to anomalies.

This document extends the CATS framework and CNIA system architecture 
and describes network and computing information details using 
security services as an example to facilitate the implementation of 
end-to-end security services enabled by the CA-SFC. This document 
proposes the Information Awareness System for the CA-SFC (IAS-CASFC) 
for routing decision-making between UEs and multiple service sites 
based on the CATS framework and CNIA system architecture.


2. Terminology

This document makes use of the following terms:

Network Security Function (NSF): An NSF is a network function 
that has security capabilities, such as authentication, 
authorization, encryption, and detecting and mitigating network 
anomalies [RFC8192].

Security Service: A security offering that a provider provides to 
users by orchestrating a set of resources (network, compute, 
storage, etc.). A security service can be composed of multiple 
NSFs. The provider can use SFC technology to combine NSFs 
and offer users customized security services.


Computing-Aware Service Function Chain (CA-SFC): A service function 
path selection approach that takes into account the dynamic nature 
of computing and network state to optimize service-specific traffic 
forwarding between different function instances.

CATS Forwarder (CATS-F): A service site with a forwarding function 
similar to the SFC Forwarder [RFC7665]; multiple NSF instances of 
different types can be deployed on it.

CATS Ingress Forwarder (CATS-IF): A network node with a forwarding 
function similar to the SFC Classifier [RFC7665]; it classifies, 
encapsulates (for example, adds a packet header carrying a service 
path identifier using the NSH protocol [RFC8300]), and forwards 
incoming traffic.

CATS Egress Forwarder (CATS-EF): A network node with a forwarding 
function similar to the SFC Classifier [RFC7665]; it classifies, 
decapsulates, and forwards outgoing traffic.

CATS Forwarder ID (CF-ID): An identifier for a specific CATS-F.

CATS Network Security Function ID (CNSF-ID): An identifier for a 
specific type of the NSF. CF-ID and CNSF-ID label an NSF instance 
together.


3. Information Awareness System for Computing-Aware Service 
Function Chain

The following are system components for the IAS-CASFC.

CATS Control Center (CATS-C): Store and manage network information 
and computing information, and make routing decisions through a 
comprehensive analysis of this information. CATS-C can be implemented 
by adding information storage, management, and analysis functions to 
the SDN controller [ITU-TY.3300]. CATS-C consists of the CATS Path 
Calculation Unit (C-PCE), the CATS Network Metric Information Base 
(C-NIB), and the CATS Computing Information Base (C-CIB); network and 
computing information is collected through the CATS-SBI Interface. The above 
function components and interfaces are defined in 
[I-D.yao-cats-awareness-architecture].

CATS Ingress Forwarder (CATS-IF): A network node with a forwarding 
function similar to the SFC Classifier [RFC7665]; it classifies, 
encapsulates (for example, adds a packet header carrying a service 
path identifier using the NSH protocol [RFC8300]), and forwards 
incoming traffic.

CATS Forwarder (CATS-F): A service site with a forwarding function 
similar to the SFC Forwarder [RFC7665]; multiple NSF instances of 
different types can be deployed on it.

CATS Egress Forwarder (CATS-EF): A network node with a forwarding 
function similar to the SFC Classifier [RFC7665]; it classifies, 
decapsulates, and forwards outgoing traffic.

CATS-IF and CATS-EF have a CATS Network Metric Agent (C-NMA), 
responsible for collecting network information. Unlike the C-NMA defined 
in [I-D.ldbc-cats-framework], in IAS-CASFC the C-NMA reports the 
collected network information to CATS-C through the CATS-SBI 
Interface.

In addition to a C-NMA, CATS-F also has a CATS Service Metric Agent (C-
SMA), which is responsible for collecting the computing information of 
NSF instances and of the CATS-F itself. In IAS-CASFC, the C-SMA reports the 
collected computing information to CATS-C through the CATS-SBI Interface.

The architecture of IAS-CASFC is shown in Figure 1.

                       +-----------------+
                       |     CATS-C      |
                       |     +-----+     |
                       |     |C-PCE|     |
                       |     +-----+     |
                       | +-----+ +-----+ |
                       | |C-CIB| |C-NIB| |
                       | +-----+ +-----+ |
                       +--------+--------+
                                | CATS-SBI
+-------------------------------+-------------------------------+
|      +--------------+-------------------+--------------+      |
|      |              |                   |              |      |
| +----+----+  +------+------+     +------+------+  +----+----+ |
| | CATS-IF |  |  CATS-F-1   |     |  CATS-F-m   |  | CATS-EF | |
| |  C-NMA  |  |   C-NMA     |     |   C-NMA     |  |  C-NMA  | |
| +---------+  |   C-SMA     |     |   C-SMA     |  +---------+ |
|              | +---------+ |     | +---------+ |              |
|              | |Instances| | ... | |Instances| |              |
|              | |  NSF-1  | |     | |  NSF-3  | |              |
|              | |   ...   | |     | |   ...   | |              |
|              | |  NSF-n  | |     | |  NSF-n  | |              |
|              | +---------+ |     | +---------+ |              |
|              +-------------+     +-------------+              |
+---------------------------------------------------------------+

Figure 1: IAS-CASFC Architecture


4. Information Details


Table 1 shows examples of the awareness information content for a 
computing-aware SFC that is used to provide security services.

+-------------+----------------------+---------------------+
| Awareness   | Network              |  Computing          |
| information | information          |  information        |
+-------------+----------------------+---------------------+
|             | CATS-F location;     | CNSF-ID; NSF        |
|             | CATS-F type;         | computing energy    |
| Capability  | CATS-F ID;           | consumption;        |
| parameters  | Topology information.| Computing cost;     |
|             |                      | CATS-F maximum      |
|             |                      | available computing |
|             |                      | resources;          |
|             |                      | CATS-F computing    |
|             |                      | types.              |
+-------------+----------------------+---------------------+
|             | Service request      | CATS-F computing    |
| Status      | information;         | load; CATS-F        |
| parameters  | Traffic features;    | available computing |
|             | Communication        | resources; NSF      |
|             | information.         | instance output.    |
+-------------+----------------------+---------------------+

Table 1: Awareness information content examples

In the security service scenario, routing decisions may also be 
affected by traffic features or NSF instance output 
[I-D.wang-i2nsf-intelligent-detection]. For example, C-PCE can 
adjust the NSF instances to be passed according to the traffic 
features collected by CATS-IF. Or C-PCE makes different routing 
decisions for normal and abnormal traffic based on the output 
of the NSF instance.

4.1 Network Information

The network information capability parameters are as follows.

CATS-F location: Geographic location information or relative location 
information of CATS-F (including CATS-IF and CATS-EF).

CATS-F Type: The type of CATS-F includes CATS-EF, CATS-IF, and 
CATS-F where NSF instances can be deployed.

CATS-F ID: Identification information for all CATS-Fs.

Topology information: Network topology information includes 
information about nodes and links between nodes.

The network information status parameters are as follows.


Service request information: Information about the service 
requirements proposed by users. The security service requested by 
the user may be to detect anomalies, ensure the security of private 
data during the communication process, etc.

Communication information: Communication information includes 
information about the communication status, such as bandwidth, 
delay, packet loss rate, and delay jitter.

Traffic features: Traffic features, such as the average packet 
length, IP entropy, port entropy, and TTL entropy, are observed 
within a certain period of time before the current time 
[I-D.wang-i2nsf-intelligent-detection].

4.2 Computing Information

The computing information capability parameters are as follows.

CNSF-ID: Identification information for all NSF types.

NSF computing energy consumption: The computing energy consumed by 
a specific type of NSF per unit of workload.

Computing cost: The cost per unit of computing resources is generally 
set by the infrastructure provider.

CATS-F maximum available computing resources: The maximum available 
computing resources on a CATS-F where NSF instances can be deployed.

CATS-F computing types: Compute resource types of CATS-F, such as 
CPU, GPU, FPGA, etc.

The computing information status parameters are as follows.

CATS-F computing load: Computing resources consumed by running NSF 
instances.

CATS-F available computing resources: The available compute resources 
on CATS-F at a given time are the maximum available computing 
resources minus the compute load.

NSF instance output: For example, an NSF instance used for anomaly 
detection outputs a traffic flow as normal or abnormal.
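As an added illustration that is not part of this draft, the following Python sketch models the Section 4 parameters a C-PCE would read from C-NIB and C-CIB and makes the two kinds of decision described above: placing each NSF type of a chain on a CATS-F with enough available computing resources (maximum available resources minus computing load), and choosing a different chain when the detection NSF's output is "abnormal". The field names, the selection rule (most headroom first, lower cost as tie-break) and the sample CATS-F snapshot are assumptions constructed for the example.

```python
"""Added illustration (not from the draft): a toy C-PCE that decides an
NSF path from IAS-CASFC awareness data. Field names, the selection rule
and the sample values are assumptions constructed for this example."""
from dataclasses import dataclass


@dataclass
class CatsForwarder:
    """One CATS-F as recorded in C-NIB/C-CIB (capability + status)."""
    cf_id: str            # CF-ID (capability, network information)
    cnsf_ids: frozenset   # CNSF-IDs of NSF types with instances deployed here
    max_resources: float  # CATS-F maximum available computing resources
    load: float           # CATS-F computing load (status, reported by C-SMA)
    cost: float           # computing cost per unit of resource

    def available(self) -> float:
        # Section 4.2: available = maximum available resources - computing load
        return self.max_resources - self.load


def select_path(chain, forwarders, demand):
    """Pick one CATS-F per NSF type in `chain`.

    A candidate must host that NSF type and still have `demand` units of
    headroom after earlier hops of this path were reserved on it. Among
    candidates the one with the most headroom wins, ties broken by lower
    cost (assumed policy). Returns None if any hop cannot be placed."""
    reserved = {f.cf_id: 0.0 for f in forwarders}   # per-path reservations

    def headroom(f):
        return f.available() - reserved[f.cf_id]

    path = []
    for cnsf_id in chain:
        candidates = [f for f in forwarders
                      if cnsf_id in f.cnsf_ids and headroom(f) >= demand]
        if not candidates:
            return None                      # capability or status check failed
        best = max(candidates, key=lambda f: (headroom(f), -f.cost))
        reserved[best.cf_id] += demand
        path.append((best.cf_id, cnsf_id))
    return path


# Section 4: the NSF instance output (normal/abnormal) changes the chain
# that subsequent traffic must traverse (assumed chains for the example).
CHAINS = {"normal": ["NSF-1", "NSF-2"], "abnormal": ["NSF-1", "NSF-3"]}


def decide(forwarders, nsf_output, demand):
    """C-PCE routing decision keyed on the detection NSF's output."""
    chain = CHAINS["abnormal" if nsf_output == "abnormal" else "normal"]
    return select_path(chain, forwarders, demand)


def sample_forwarders():
    """Constructed C-CIB/C-NIB snapshot of three CATS-Fs (cf. Figure 1)."""
    return [
        CatsForwarder("CATS-F-1", frozenset({"NSF-1", "NSF-2"}), 100, 80, 1.0),
        CatsForwarder("CATS-F-2", frozenset({"NSF-1", "NSF-3"}), 64, 10, 2.0),
        CatsForwarder("CATS-F-3", frozenset({"NSF-2", "NSF-3"}), 32, 30, 0.5),
    ]
```

With the sample snapshot, normal traffic with a demand of 10 is placed on CATS-F-2 for NSF-1 and CATS-F-1 for NSF-2, abnormal traffic stays on CATS-F-2 for both hops, and a demand of 60 yields no feasible path.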


5. Security Considerations


CATS-C stores the computing and network information of all CATS-Fs in 
the network management domain. If an attacker steals or tampers with 
the information in C-CIB and C-NIB, this will lead to the disclosure of 
service privacy information or to incorrect routing decisions. 
Therefore, CATS-C should have the necessary defense mechanisms to 
defend against intrusions by attackers and to prevent single points of 
failure.


6. IANA Considerations

This document makes no requests for IANA action.


7. References
7.1 Normative References

[RFC7665] Halpern, J. and C. Pignataro, "Service Function Chaining 
          (SFC) Architecture", RFC 7665, DOI 10.17487/RFC7665, 
          October 2015, <https://www.rfc-editor.org/info/rfc7665>.

[RFC8192] Hares, S., Lopez, D., Zarny, M., Jacquenet, C., Kumar, R., 
          and J. Jeong, "Interface to Network Security Functions 
          (I2NSF): Problem Statement and Use Cases", RFC 8192, 
          DOI 10.17487/RFC8192, July 2017, 
          <https://www.rfc-editor.org/info/rfc8192>.

[RFC8300] Quinn, P., Elzur, U., and C. Pignataro, "Network Service 
          Header (NSH)", RFC 8300, DOI 10.17487/RFC8300, January 
          2020, <https://www.rfc-editor.org/info/rfc8300>.

[ITU-TY.3300] International Telecommunication Union, "Y.3300: 
          Framework of software-defined networking", June 2014, 
          <https://www.itu.int/rec/T-REC-Y.3300/en>.

7.2 Informative References

[I-D.ldbc-cats-framework] C. Li, Z. Du, M. Boucadair, L. M. 
         Contreras, J. Drake, G. Huang, and G. Mishra, "A Framework 
         for Computing-Aware Traffic Steering (CATS)", Work in 
         Progress, Internet-Draft, draft-ldbc-cats-framework-03, 
         August 2023, <https://datatracker.ietf.org/doc/html/draft-
         ldbc-cats-framework-03>.

[I-D.yao-cats-awareness-architecture] H. Yao, X. Wang, Z. Li, and 
         D.H. Daniel, "Computing and Network Information Awareness 
         (CNIA) system architecture for CATS", Work in Progress, 
         Internet-Draft, draft-yao-cats-awareness-architecture-01, 
         July 2023, <https://datatracker.ietf.org/doc/html/draft-
         yao-cats-awareness-architecture-01>.


[I-D.wang-i2nsf-intelligent-detection] W. Wang, H. Zhou, M. Li, Q. 
         Guo, and S. Deng, "YANG Data Models for Attacks 
         Intelligent Detection", Work in Progress, Internet-Draft, 
         draft-wang-i2nsf-intelligent-detection-01, April 2023, 
         <https://datatracker.ietf.org/doc/html/draft-wang-i2nsf-
         intelligent-detection-01>.

[I-D.li-dots-knowledge-trans] K. Li, H. Zhou, Z. Tu, F. Liu, and 
         W. Wang, "Knowledge Transmission Using Distributed Denial-of-
         Service Open Threat Signaling (DOTS) Data Channel", Work 
         in Progress, Internet-Draft, draft-li-dots-knowledge-
         trans-05, August 2023, <https://datatracker.ietf.org/doc
         /html/draft-li-dots-knowledge-trans-05>.


8. Acknowledgments

TBC


Authors' Addresses

Weilin Wang
Beijing Jiao Tong University
China
Email: 21111026@bjtu.edu.cn

Huachun Zhou
Beijing Jiao Tong University
China
Email: hchzhou@bjtu.edu.cn

Jingfu Yan
Beijing Jiao Tong University
China
Email: 22110030@bjtu.edu.cn

