Network Working Group Y. Qu, Ed. Internet-Draft Huawei Intended status: Informational A. Cabellos Expires: January 4, 2018 Technical University of Catalonia R. Moskowitz HTT Consulting B. Liu Huawei A. Stockmayer University of Tuebingen July 3, 2017 Gap Analysis for Identity Enabled Networks draft-xyz-ideas-gap-analysis-00 Abstract Currently there are several identifier/locator separation protocols, such as HIP, ILA, ILNA and LISP. This document analyzes the technical gaps between existing solutions and today's privacy requirements. Status of This Memo This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79. Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet- Drafts is at http://datatracker.ietf.org/drafts/current/. Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress." This Internet-Draft will expire on January 4, 2018. Copyright Notice Copyright (c) 2017 IETF Trust and the persons identified as the document authors. All rights reserved. This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (http://trustee.ietf.org/license-info) in effect on the date of Qu, et al. Expires January 4, 2018 [Page 1] Internet-Draft July 2017 publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Simplified BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Simplified BSD License. Table of Contents 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2 2. Specification of Requirements . . . . . . . . . . . . . . . . 3 3. Definition of Terms . . . . . . . . . . . . . . . . . . . . . 3 4. Overview of ID/LOC Protocols . . . . . . . . . . . . . . . . 4 4.1. LISP . . . . . . . . . . . . . . . . . . . . . . . . . . 4 4.2. HIP . . . . . . . . . . . . . . . . . . . . . . . . . . . 5 4.3. ILA . . . . . . . . . . . . . . . . . . . . . . . . . . . 6 5. Gap Analysis . . . . . . . . . . . . . . . . . . . . . . . . 6 5.1. The Split of Identity and Identifier . . . . . . . . . . 6 5.2. A Common Identifier-to-Locator Mapping System . . . . . . 7 5.3. User-Defined Access Policies in the Mapping System . . . 7 6. Analysis of DNS . . . . . . . . . . . . . . . . . . . . . . . 7 7. Security Considerations . . . . . . . . . . . . . . . . . . . 8 8. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 8 9. Contributors . . . . . . . . . . . . . . . . . . . . . . . . 8 10. Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . 8 11. References . . . . . . . . . . . . . . . . . . . . . . . . . 8 11.1. Normative References . . . . . . . . . . . . . . . . . . 8 11.2. Informative References . . . . . . . . . . . . . . . . . 10 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 11 1. Introduction The separation of location and identifier has been discussed for many years, as documented in [RFC4984]. IP addresses have been overloaded to serve as both locators and identifiers. Several identifier and locator separation (ID/LOC) protocols have been proposed, such as HIP [RFC7401], [ILA] and LISP [RFC6830]. They create two separate namespaces: identifiers (IDfs) and Locators (LOCs). Identifiers uniquely identify network entities no matter where they are located, and locators are assigned based on topology information and are typically routable. In an ID/LOC protocol, a service is needed to maintain mappings between identifiers and locators and to perform lookups from identifiers to locators (and probably vice-verse). Currently each ID-based protocol uses its own mapping database and mechanism to get this mapping information [RFC6836][RFC8005]. Qu, et al. Expires January 4, 2018 [Page 2] Internet-Draft July 2017 As pointed out by [IDEAS-PS][IDEAS-IDY-USE], the concept of identity (IDy) tied to a network entity can help to solve some of the privacy issues that are associated with today's networks. The goal of this document is to analyze the technical gaps between the existing ID/LOC protocols and today's requirements. The following gaps are summarized: the split of identifier and identity; a common mapping system supporting both IDf/LOC mapping and IDy/IDf mapping; and user- defined access policies. 2. Specification of Requirements The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in [RFC2119]. 3. Definition of Terms This document makes use of the terms that have been already defined in the problem statement draft of IDEAS [IDEAS-PS]. They are included here for reader's convenience. In case of any discrepancies between the two drafts, the problem statement draft overrides. Entity: An entity is a communication endpoint. It can be a device, a node, or a virtual machine (VM), that needs to be identified. An entity may have one or multiple identifiers (long-lived or ephemeral) simultaneously. An entity is reached by the resolution of one or more of its identifiers to one or more locators. Identity (IDy): the essence of "being" of a specific entity. An identity is not to be confused with an identifier: while an identifier may be used to refer to an entity, an identifier's lifecycle is not necessarily tied to the lifecycle of the Identity it is referencing. On the other hand, the identity's lifecycle is inherently tied to the lifecycle of the entity itself. Identifier (IDf): denotes information to unambiguously identify an entity within a given scope (e.g. HIP HIT, LISP EID). There is no constraint on the format, obfuscation or routability of an IDy. The IDy may or may not be present in the packet whose format is defined by ID-based protocols (HIP/LISP). Identifier-based (ID-based): When an entity is only reachable through one or more communication access then a protocol or a solution is said to be ID-based if it uses an ID-LOC decoupling and a mapping system (MS) as base components of the architecture. Examples of ID- based protocols are HIP, LISP and ILA. Qu, et al. Expires January 4, 2018 [Page 3] Internet-Draft July 2017 IDentity Enabled Networks (IDEAS): IDEAS are networks that support the identifier/locator decoupling. Reaching an entity is achieved by the resolution of identifier(s) to locator(s). Locator (LOC): denotes information that is topology-dependent and which is used to forward packets to a given entity attached to a network (IPv4/IPv6/L2/L2.5 Address). An entity can be reached using one or multiple locators; these locators may have a limited validity lifetime. ID/LOC: Identifier and Locator Separation. LISP: Locator/ID Separation Protocol. HIP: Host Identity Protocol. ILNP: Identifier-Locator Network Protocol. ILA: Identifier-Locator Addressing. DNS: Domain Name System. 4. Overview of ID/LOC Protocols 4.1. LISP The Locator/ID Separation Protocol (LISP) [RFC6830] is structured around four main components: the data plane, the control plane (both specified in [RFC6830]), the LISP Mapping System Interface [RFC6833] and the Mapping System (e.g., LISP-DDT [RFC8111] and LISP+ALT [RFC6836]). The LISP architecture decouples identifier and locator by means of the mapping system interface. This well-defined interface separates data/control from the mapping system architecture. As a result, LISP does not assume any mapping system architecture. The LISP WG has, at the time of this writing, specified two mapping systems: LISP-DDT [RFC8111] and LISP-ALT [RFC6836]. Both mapping system assume hierarchical identifiers, but the WG has explored other architectures such as DHT for flat identifiers, or monolithic mapping systems. One of the main design principles behind LISP is to decouple the identifier (EIDs) from the locators (RLOCs). By means of the LISP Canonical Address Format (LCAF) [RFC8060] LISP provides a flexible syntax to encode both EIDs and RLOCs. Qu, et al. Expires January 4, 2018 [Page 4] Internet-Draft July 2017 In terms of security, LISP supports authorization for mapping updates and the authentication of the clients updating such information. This is achieved by means of the authentication data field in the Map-Register message. In addition, LISP clients can verify the security of data origin, authentication and delegation. This is specified in [LISP-SEC] and the security mechanisms incorporated in LISP-DDT [RFC8111]. 4.2. HIP The Host Identity Protocol (HIP) [RFC7401] is a SIGMA-security compliant exchange of current entity location for a pair of cryptographically ownership provable Identifiers (HITs). HIP is, at its inception, focused on the management of the Identifier/Location mapping. HITs are valid, non-routable IPv6 addresses that carry the cryptographic protocol suite and a hash of the HI (Host Identity public key). One method of discovery of a peer's HIT and initial location is either via DNS RR 55 [RFC8005] with A|AAAA RR to the peer or A|AAAA RR pointing to the peer's Rendezvous Service (RVS) server [RFC8004]. The Initiating peer cannot detect from DNS the difference in destination. The RVS server "slingshots" the I1 packet to the recipient. The recipient decides, based on local policy, to respond with the next exchange packet, R1. Thus using an RVS server not only supports client mobility, it also hides a peer's location unless it wants to be 'found'. HIP provides Identity/Location separation through changes in the peer IP stack behavior with only needing RVS added to the infrastructure. HIP aware systems register to their RVS server(s) via a HIP exchange, augmented with an RVS registration parameter [RFC8003]. All location changes are made securely over HIP [RFC8046]. Location changes are sent directly to peers and to the RVS server(s). HIP fully supports double jumps (both peers move) and state lose recovery (full protocol state machine). HIP supports multihomed systems [RFC8047], fully decoupling Identifier (HITs) from all interfaces. Multiple data-paths are enabled with HIP. ESP via BEET mode [rfc7402] is most commonly used. L2VPNs support is defined in [HIP-VPLS] and provided in commercial products targeting SCADA environments. A non-cryptographic envelope is proposed [HIP-IP]. HIP works equally well over IPv4 or IPv6 networks. The HIP data-path can be either IPv4 (via the HIP 32-bit Local Scope Identifier) or IPv6 using the HIT. IPv4 applications can run transparently over IPv6 and IPv6 over IPv4. Qu, et al. Expires January 4, 2018 [Page 5] Internet-Draft July 2017 HIP well supports Identifiers to location, and weakly Identity to Identifiers. Besides DNS support, identities may be supported in HIP with X.509 certificates [rfc8002] to provide 3rd party assertions of HITs and HIs. Identifiers to Identity reversal is poorly handled, though potentially needed for support of FTP PASV and other protocols with embedded addresses. DHT has been demonstrated [RFC6537], but not fielded. The new work on Hierarchical HITs [HHIT] proposes new methods to couple DNS and a registry for the reverse lookup. 4.3. ILA In [ILA], an IPv6 address is divided into two parts: a locator and an identifier. As other ID/LOC protocol, the locator indicates the topological location of a network entity, and the identifier identifies the entity in communications. ILA can be used to implement overlay networks for network virtualization, and also addresses use cases in mobility. However, the mapping service in ILA is still TBD [ILA-MS-TBD]. 5. Gap Analysis 5.1. The Split of Identity and Identifier In existing ID/LOC Protocols, the IDf/LOC mappings stored in the mapping system are assumed to be public. A legitimate requestor can lookup any record, and escape access control policy, if there is any, by changing to a different identifier. Also a network entity may want to hide its true identity for privacy protection by using ephemeral identifiers [LISP-ANNOY]. To address these issues, [IDEAS-PS] introduces the concept of identity (IDy). An IDy uniquely identifies "who" is a communication entity. Identifier and locator together identifies "where" is the entity. With this 2-tier identification, multiple identifiers can be bound to the same entity (IDy) and exchanged in clear on the wire, without having to worry about the identity being compromised by outside observers. Since the lifecycle of an identity is the same as the entity, the lifecycles of identity and its associated identifiers are decoupled. It is possible for identifiers to be added or removed without affecting the identity. This further abstraction can bring additional benefits. [IDEAS-IDY-USE] describes the identity use cases. In summary: Qu, et al. Expires January 4, 2018 [Page 6] Internet-Draft July 2017 o The notion of identity is not adequately supported. o Two tiers of identification are needed, with identifiers anchored at the identity. 5.2. A Common Identifier-to-Locator Mapping System IDf/LOC mapping service is essential for ID/LOC protocols [RFC6833], however now each protocol is using its own mapping database even within the same administrative domain. This potentially adds additional operational cost and management complexity. A common mapping system supporting both IDf/LOC mapping and IDy/IDf mapping can work with existing ID/LOC protocols, as well as add extra identity based services. It can provide consistent access control, common interface for services such as registration, discovery and resolution. A unified database can help to ease network management [IDEAS-PS]. 5.3. User-Defined Access Policies in the Mapping System Different from DNS, which generally maintains public name-to-IP mapping information, an IDf/LOC mapping system maintains more private information. However existing mapping systems assume the information stored is public, and this may cause privacy violation. A network entity may want to set a customized access policy to control who can get its identifier and location information. This policy should be tied to identity, so it is not affected by identifier changes of the requestor. General system-wide access control (e.g., an operator can set a system-wide access control list for a DNS server, only permitting the customer network prefixes to access it) can provide some privacy, but it is not sufficient. What is needed are: fine-grained level of access control at the level of data records associated with each individual entity; and reinforcement of the access policies. 6. Analysis of DNS Since the 1980s, DNS has been pivotal to translate human readable names that are easy to remember into hard-to-remember IP addresses. It provides a global distributed directory service and is a very powerful and useful technology to translate the domain name hierarchy to IP address space. Even though the DNS was designed to be resilient, it is prone to DDOS attacks as discussed extensively in the Technical Plenary of IETF97. Furthermore, some studies have also described challenges in the Qu, et al. Expires January 4, 2018 [Page 7] Internet-Draft July 2017 response time and caching techniques and latency in the Internet [DNS1] [DNS2] [DNS3] [GNRS]. [DNS-DUP] proposed a mobility solution using DNS dynamic updating protocol. However for a communication session when both hosts are moving, the session fails and the hosts SHOULD query DNS and get the new address and then restart the communications. The use of a mapping system rather than using DNS system has been discussed extensively in [IVIP], [RFC6115], on the lisp-wg mailing list [LISP-DIS], and initial HIP design team (circa 1999-2003). 7. Security Considerations IDEAS control plane may be used to maintain and transmit confidential data, such as identity, access policy and metadata. Access to the data needs to be authorized/authenticated. Control plane messages containing such data need to be encrypted. The exact details of encryption/authentication are topics for future research. 8. IANA Considerations This document has no actions for IANA. 9. Contributors TBD. 10. Acknowledgments The authors would like to thank Dino Farinacci, Michael Menth, Padma Pillay-Esnault, Alex Clemm, Uma Chunduri for their review and input on this document. This document was produced using Marshall Rose's xml2rfc tool. 11. References 11.1. Normative References [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, DOI 10.17487/RFC2119, March 1997, . [RFC6115] Li, T., Ed., "Recommendation for a Routing Architecture", RFC 6115, DOI 10.17487/RFC6115, February 2011, . Qu, et al. Expires January 4, 2018 [Page 8] Internet-Draft July 2017 [RFC6537] Ahrenholz, J., "Host Identity Protocol Distributed Hash Table Interface", RFC 6537, DOI 10.17487/RFC6537, February 2012, . [RFC6830] Farinacci, D., Fuller, V., Meyer, D., and D. Lewis, "The Locator/ID Separation Protocol (LISP)", RFC 6830, DOI 10.17487/RFC6830, January 2013, . [RFC6833] Fuller, V. and D. Farinacci, "Locator/ID Separation Protocol (LISP) Map-Server Interface", RFC 6833, DOI 10.17487/RFC6833, January 2013, . [RFC6836] Fuller, V., Farinacci, D., Meyer, D., and D. Lewis, "Locator/ID Separation Protocol Alternative Logical Topology (LISP+ALT)", RFC 6836, DOI 10.17487/RFC6836, January 2013, . [RFC7401] Moskowitz, R., Ed., Heer, T., Jokela, P., and T. Henderson, "Host Identity Protocol Version 2 (HIPv2)", RFC 7401, DOI 10.17487/RFC7401, April 2015, . [RFC7402] Jokela, P., Moskowitz, R., and J. Melen, "Using the Encapsulating Security Payload (ESP) Transport Format with the Host Identity Protocol (HIP)", RFC 7402, DOI 10.17487/RFC7402, April 2015, . [RFC8003] Laganier, J. and L. Eggert, "Host Identity Protocol (HIP) Registration Extension", RFC 8003, DOI 10.17487/RFC8003, October 2016, . [RFC8004] Laganier, J. and L. Eggert, "Host Identity Protocol (HIP) Rendezvous Extension", RFC 8004, DOI 10.17487/RFC8004, October 2016, . [RFC8005] Laganier, J., "Host Identity Protocol (HIP) Domain Name System (DNS) Extension", RFC 8005, DOI 10.17487/RFC8005, October 2016, . [RFC8046] Henderson, T., Ed., Vogt, C., and J. Arkko, "Host Mobility with the Host Identity Protocol", RFC 8046, DOI 10.17487/RFC8046, February 2017, . Qu, et al. Expires January 4, 2018 [Page 9] Internet-Draft July 2017 [RFC8047] Henderson, T., Ed., Vogt, C., and J. Arkko, "Host Multihoming with the Host Identity Protocol", RFC 8047, DOI 10.17487/RFC8047, February 2017, . [RFC8060] Farinacci, D., Meyer, D., and J. Snijders, "LISP Canonical Address Format (LCAF)", RFC 8060, DOI 10.17487/RFC8060, February 2017, . [RFC8111] Fuller, V., Lewis, D., Ermagan, V., Jain, A., and A. Smirnov, "Locator/ID Separation Protocol Delegated Database Tree (LISP-DDT)", RFC 8111, DOI 10.17487/RFC8111, May 2017, . 11.2. Informative References [DNS-DUP] Yahya, B. and J. Ben-Othman, "Achieving host mobility using DNS dynamic updating protocol", October 2008, . [DNS1] Jung, J., Sit, E., Balakrishnan, H., and R. Morris, "DNS Performance and the Effectiveness of Caching", 2002, . [DNS2] Liston, R., Srinivasan, S., and E. Zegura, "DNS Performance and the Effectiveness of Caching", 2002, . [DNS3] Briscoe, B., Anna Brunstrom, A., Andreas Petlund, A., David Hayes, D., David Ros, D., Ing-Jyh Tsang, I., Stein Gjessing, S., Gorry Fairhurst, G., Carsten Griwodz, C., and M. Michael Welzl, "Reducing Internet Latency: A Survey of Techniques and their Merits", November 2014, . [GNRS] Karimi, P. and S. Mukherjee, "Global Name Resolution Service", March 2017, . [HHIT] Moskowitz, R., Xu, X., and B. Liu, "Hierarchical HITs for HIPv2", June 2017, . [HIP-IP] Moskowitz, R., Xu, X., and B. Liu, "Encapsulation of IP within IP managed by HIP", June 2017, . Qu, et al. Expires January 4, 2018 [Page 10] Internet-Draft July 2017 [HIP-VPLS] "HIP-based Virtual Private LAN Service (HIPLS)", February 2017, . [IDEAS-IDY-USE] "Identity Use Cases in IDEAS", June 2017, . [IDEAS-PS] "Problem Statement for Identity Enabled Networks", March 2017, . [ILA] Herbert, T., "Identifier-Locator Addressing for Network Virtualization", March 2016, . [ILA-MS-TBD] Herbert, T., "Re: [Ideas] A comment on the use case draft", March 2017, . [IVIP] Whittle, R., "Ivip (Internet Vastly Improved Plumbing) Architecture", September 2010, . [LISP-ANNOY] "LISP EID Anonymity", April 2017, . [LISP-DIS] "LISP Discussion", . [LISP-SEC] Maino, F., Ermagan, V., Cabellos, A., Saucez, D., and O. Bonaventure, "LISP-Security (LISP-SEC)", Work in Progress, October 2012. Authors' Addresses Qu, et al. Expires January 4, 2018 [Page 11] Internet-Draft July 2017 Yingzhen Qu (editor) Huawei 2330 Central Expressway Santa Clara, CA 95050 USA Email: yingzhen.qu@huawei.com Albert Cabellos Technical University of Catalonia C/ Jordi Girona s/n Barcelona 08034 Spain Email: acabello@ac.upc.edu Robert Moskowitz HTT Consulting Oak Park, MI 48237 USA Email: rgm@labs.htt-consult.com Bingyang Liu Huawei 156 Beiqing Rd Beijing 100095 China Email: liubingyang@huawei.com Andreas Stockmayer University of Tuebingen room B305, Institute of Computer Science Tuebingen 72076 Germany Email: andreas.stockmayer@uni-tuebingen.de Qu, et al. Expires January 4, 2018 [Page 12]