cats                                                             W. Wang
Internet-Draft                                                   H. Zhou
Intended Status: Informational                                    J. Yan
Expires: 1 October 2024                    Beijing Jiao Tong University
                                                            1 April 2024


        Information Awareness System for Computing-Aware Service
           Function Chain (IAS-CASFC): Security Service Aspect
             draft-wang-cats-awareness-system-for-casfc-01

Abstract

   This document describes the Information Awareness System of the
   Computing-Aware Service Function Chain (IAS-CASFC) from the security
   service aspect, including the system architecture and the details of
   the network and computing information.  The SFC enables traffic to
   pass through an ordered path of Network Security Functions (NSFs),
   enabling end-to-end security services.  Differences in the available
   network and computing resources cause performance differences
   between NSF instances deployed on different service sites, so the
   routing decision over NSF instances affects the quality of the
   security service.  Therefore, a CA-SFC is needed to ensure the
   quality of the security service.  This document extends the CATS
   framework and the CATS Computing and Network Information Awareness
   (CNIA) architecture to the CA-SFC, and describes the network and
   computing information content for security services.

Status of this Memo

   This Internet-Draft is submitted in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF).  Note that other groups may also distribute
   working documents as Internet-Drafts.  The list of current Internet-
   Drafts is at https://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   This Internet-Draft will expire on 1 October 2024.

Wang, et al.            Expires – October 2024                 [Page 1]

Awareness System for CASFC                                   April 2024

Copyright Notice

   Copyright (c) 2023 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (https://trustee.ietf.org/license-info) in effect on the date of
   publication of this document.  Please review these documents
   carefully, as they describe your rights and restrictions with respect
   to this document.  Code Components extracted from this document must
   include Revised BSD License text as described in Section 4.e of the
   Trust Legal Provisions and are provided without warranty as described
   in the Revised BSD License.

Table of Contents

   1. Introduction......................................2
   2. Terminology.......................................3
   3. Information Awareness System for Computing-Aware
      Service Function Chain............................4
   4. Information Details...............................5
   4.1 Network Information..............................6
   4.2 Computing Information............................7
   5. Security Considerations...........................7
   6. IANA Considerations...............................8
   7. References........................................8
   7.1 Normative References.............................8
   7.2 Informative References...........................8
   8. Acknowledgments...................................9
   Authors' Addresses...................................9

1. Introduction

   To guarantee the quality of a security service, it is necessary to
   realize the Computing-Aware Service Function Chain (CA-SFC).  A
   Service Function Chain (SFC) [RFC7665] provides a logically
   independent network function path.  A Network Security Function
   (NSF) [RFC8192] is one of a class of security-related network
   functions, such as firewalls and intrusion detection systems.  By
   combining multiple NSFs through an SFC, providers can offer users
   customized security services.

   Multiple instances of the same NSF may be deployed on different
   service sites within one or more management domains.  Their
   available network and computing resources differ, and these
   differences lead to performance differences between NSF instances
   deployed on different service sites.  Routing decisions therefore
   affect the performance of the NSFs and, in turn, the quality of the
   security service.

   As described in [I-D.ldbc-cats-framework], the goal of Computing-
   Aware Traffic Steering (CATS) is to solve the problem of how to route
   between the user requesting a service and a service site at the
   network edge.  The basis for achieving this goal is network and
   computing information awareness, so the Computing and Network
   Information Awareness (CNIA) system architecture
   [I-D.yao-cats-awareness-architecture] has been proposed.  As the
   control plane of the CATS framework, CNIA introduces a control center
   component on top of the CATS framework to manage and comprehensively
   analyze network information and computing information, and to
   facilitate compute- and network-aware traffic steering decisions.

   However, the CATS framework and the CNIA architecture only consider
   routing between users and service sites, and need to be further
   extended and improved for the CA-SFC scenario: routing issues between
   UEs and multiple service sites have to be resolved for CA-SFC routes.
   In the security service scenario, traffic features or the output of
   an NSF instance may also affect routing decisions
   [I-D.wang-i2nsf-intelligent-detection] [I-D.li-dots-knowledge-trans].
   For example, an NSF used for anomaly detection outputs the result of
   traffic detection and classifies the traffic as normal or abnormal.
   Routing decisions must consider the NSFs' output and respond promptly
   to anomalies.

   This document extends the CATS framework and the CNIA system
   architecture and describes the network and computing information
   details, using security services as an example, to facilitate the
   implementation of end-to-end security services enabled by the CA-SFC.
   It proposes the Information Awareness System for the CA-SFC
   (IAS-CASFC) for routing decision-making between UEs and multiple
   service sites, based on the CATS framework and the CNIA system
   architecture.

2. Terminology

   This document makes use of the following terms:

   Network Security Function (NSF): An NSF is a network function that
   has security capabilities, such as authentication, authorization,
   encryption, and detecting and mitigating network anomalies
   [RFC8192].

   Security Service: A security offering that a provider provides to
   users by orchestrating a set of resources (network, compute, storage,
   etc.).  A security service can be composed of multiple NSFs.  The
   provider can use SFC technology to combine NSFs and offer users
   customized security services.

   Computing-Aware Service Function Chain (CA-SFC): A service function
   path selection approach that takes into account the dynamic nature of
   computing and network state to optimize service-specific traffic
   forwarding between different function instances.

   CATS Forwarder (CATS-F): A service site with a forwarding function
   similar to the SFC Forwarder [RFC7665]; it can deploy multiple NSF
   instances of different types.

   CATS Ingress Forwarder (CATS-IF): A network node with a forwarding
   function similar to the SFC Classifier [RFC7665]; it can classify,
   encapsulate (for example, add a packet header carrying a service path
   identifier using the NSH protocol [RFC8300]), and forward incoming
   traffic.

   CATS Egress Forwarder (CATS-EF): A network node with a forwarding
   function similar to the SFC Classifier [RFC7665]; it can classify,
   decapsulate, and forward outgoing traffic.

   CATS Forwarder ID (CF-ID): An identifier for a specific CATS-F.

   CATS Network Security Function ID (CNSF-ID): An identifier for a
   specific type of NSF.  A CF-ID and a CNSF-ID together label an NSF
   instance.

3. Information Awareness System for Computing-Aware Service Function
   Chain

   The system components of the IAS-CASFC are as follows.

   CATS Control Center (CATS-C): Stores and manages network information
   and computing information, and makes routing decisions through a
   comprehensive analysis of this information.  CATS-C can be
   implemented by adding information storage, management, and analysis
   functions to an SDN controller [ITU-TY.3300].  CATS-C consists of
   the CATS Path Calculation Unit (C-PCE), the CATS Network Metric
   Information Base (C-NIB), and the CATS Computing Information Base
   (C-CIB); network and computing information is collected through the
   CATS-SBI interface.  These function components and interfaces are
   defined in [I-D.yao-cats-awareness-architecture].

   CATS Ingress Forwarder (CATS-IF): A network node with a forwarding
   function similar to the SFC Classifier [RFC7665]; it can classify,
   encapsulate (for example, add a packet header carrying a service path
   identifier using the NSH protocol [RFC8300]), and forward incoming
   traffic.

   CATS Forwarder (CATS-F): A service site with a forwarding function
   similar to the SFC Forwarder [RFC7665]; it can deploy multiple NSF
   instances of different types.

   CATS Egress Forwarder (CATS-EF): A network node with a forwarding
   function similar to the SFC Classifier [RFC7665]; it can classify,
   decapsulate, and forward outgoing traffic.

   CATS-IF and CATS-EF have a CATS Network Metric Agent (C-NMA),
   responsible for collecting network information.  Unlike the C-NMA
   defined in [I-D.ldbc-cats-framework], in IAS-CASFC the C-NMA reports
   the collected network information to CATS-C through the CATS-SBI
   interface.
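   The following Python model, added here as an illustration and not
   part of this draft, sketches how CATS-C could act on the information
   described in this section: C-NIB holds per-hop delays reported by
   C-NMA, C-CIB holds per-CATS-F computing information reported by
   C-SMA, a consistency check is applied before a computing report is
   accepted into C-CIB (the concern raised in Section 5), and C-PCE
   picks, for each NSF type in a chain, a CATS-F that hosts an instance
   with enough available computing resources and minimal delay from the
   previous hop.  The CF-IDs, CNSF-IDs, delay values and resource
   figures are constructed, and the rule that abnormal traffic is
   additionally steered through a firewall NSF is an assumption.

```python
from dataclasses import dataclass

# Constructed sample of what CATS-C holds.  C-NIB: per-hop delay in ms as
# reported by C-NMA (CF-IDs are made up).  C-CIB: one record per CATS-F as
# reported by C-SMA (resource figures in abstract units are made up).
C_NIB = {("CATS-IF", "CF-1"): 3, ("CATS-IF", "CF-2"): 8,
         ("CF-1", "CF-2"): 4, ("CF-2", "CF-1"): 4,
         ("CF-1", "CATS-EF"): 2, ("CF-2", "CATS-EF"): 5}

@dataclass
class ComputingInfo:
    cf_id: str
    max_resources: int   # CATS-F maximum available computing resources
    load: int            # CATS-F computing load
    instances: dict      # CNSF-ID -> resources one workload of that NSF needs

    def available(self):
        # Status parameter from Section 4.2: maximum minus current load.
        return self.max_resources - self.load

C_CIB = {"CF-1": ComputingInfo("CF-1", 100, 90, {"ids": 20, "fw": 5}),
         "CF-2": ComputingInfo("CF-2", 100, 30, {"ids": 20, "fw": 5})}

def admit_report(rep, cib):
    """Consistency check before a C-SMA report is written into C-CIB: a
    report for an unregistered CF-ID or with a load outside [0, max] is
    rejected, so a single bad report cannot skew routing decisions."""
    return rep.cf_id in cib and 0 <= rep.load <= rep.max_resources

def hop_delay(nib, src, dst):
    """Link delay from C-NIB; staying on the same CATS-F costs nothing."""
    return 0 if src == dst else nib.get((src, dst), float("inf"))

def select_path(chain, nib, cib):
    """C-PCE: for each CNSF-ID in the chain, choose the CATS-F that hosts
    an instance, can absorb its workload, and is closest to the previous
    hop.  Returns None when some NSF type has no usable instance."""
    path, prev = [], "CATS-IF"
    for cnsf in chain:
        cands = [cf for cf in cib.values() if cnsf in cf.instances
                 and cf.available() >= cf.instances[cnsf]]
        if not cands:
            return None
        best = min(cands, key=lambda cf: hop_delay(nib, prev, cf.cf_id))
        path.append((best.cf_id, cnsf))
        prev = best.cf_id
    return path + [("CATS-EF", None)]

def steer(ids_output, nib=C_NIB, cib=C_CIB):
    """Different decisions for normal and abnormal traffic (Section 4):
    flows the detection NSF reported as abnormal are additionally steered
    through a firewall NSF (assumed mitigation chain)."""
    chain = ["ids"] if ids_output == "normal" else ["ids", "fw"]
    return select_path(chain, nib, cib)
```

   In the sample data CF-1 is the closer forwarder but lacks the
   computing resources for the detection NSF, so C-PCE places the chain
   on CF-2 even though its delay from CATS-IF is higher.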
   In addition to a C-NMA, a CATS-F also has a CATS Service Metric Agent
   (C-SMA), which is responsible for collecting computing information
   about the NSF instances and the CATS-F itself.  In IAS-CASFC, the
   C-SMA reports the collected computing information to CATS-C through
   the CATS-SBI interface.

   The architecture of IAS-CASFC is shown in Figure 1.

                         +-----------------+
                         |     CATS-C      |
                         |     +-----+     |
                         |     |C-PCE|     |
                         |     +-----+     |
                         | +-----+ +-----+ |
                         | |C-CIB| |C-NIB| |
                         | +-----+ +-----+ |
                         +--------+--------+
                                  | CATS-SBI
   +-------------------------------+-------------------------------+
   |                               |                               |
   |      +--------------+---------+---------+--------------+      |
   |      |              |                   |              |      |
   | +----+----+  +------+------+     +------+------+  +----+----+ |
   | | CATS-IF |  |  CATS-F-1   |     |  CATS-F-m   |  | CATS-EF | |
   | |  C-NMA  |  |    C-NMA    |     |    C-NMA    |  |  C-NMA  | |
   | +---------+  |    C-SMA    |     |    C-SMA    |  +---------+ |
   |              | +---------+ |     | +---------+ |              |
   |              | |Instances| | ... | |Instances| |              |
   |              | |  NSF-1  | |     | |  NSF-3  | |              |
   |              | |   ...   | |     | |   ...   | |              |
   |              | |  NSF-n  | |     | |  NSF-n  | |              |
   |              | +---------+ |     | +---------+ |              |
   |              +-------------+     +-------------+              |
   +---------------------------------------------------------------+

                    Figure 1: IAS-CASFC Architecture

4. Information Details

   Table 1 shows examples of the awareness information content for a
   computing-aware SFC that is used to provide security services.

   +-------------+----------------------+---------------------+
   | Awareness   | Network              | Computing           |
   | information | information          | information         |
   +-------------+----------------------+---------------------+
   |             | CATS-F location;     | CNSF-ID;            |
   |             | CATS-F type;         | NSF computing       |
   | Capability  | CATS-F ID;           | energy consumption; |
   | parameters  | Topology information.| Computing cost;     |
   |             |                      | CATS-F maximum      |
   |             |                      | available computing |
   |             |                      | resources;          |
   |             |                      | CATS-F computing    |
   |             |                      | types.              |
   +-------------+----------------------+---------------------+
   |             | Service request      | CATS-F computing    |
   | Status      | information;         | load; CATS-F        |
   | parameters  | Traffic features;    | available computing |
   |             | Communication        | resources; NSF      |
   |             | information.         | instance output.    |
   +-------------+----------------------+---------------------+

             Table 1: Awareness information content examples

   In the security service scenario, routing decisions may also be
   affected by traffic features or by the output of an NSF instance
   [I-D.wang-i2nsf-intelligent-detection].  For example, C-PCE can
   adjust the set of NSF instances to be traversed according to the
   traffic features collected by CATS-IF, or C-PCE can make different
   routing decisions for normal and abnormal traffic based on the output
   of an NSF instance.

4.1 Network Information

   The network information capability parameters are as follows.

   CATS-F location: Geographic location information or relative location
   information of a CATS-F (including CATS-IF and CATS-EF).

   CATS-F type: The type of a CATS-F; the types are CATS-EF, CATS-IF,
   and CATS-F on which NSF instances can be deployed.

   CATS-F ID: Identification information for all CATS-Fs.

   Topology information: Network topology information, including
   information about nodes and the links between nodes.

   The network information status parameters are as follows.

   Service request information: Information about the service
   requirements proposed by users.  The security service requested by a
   user may be, for example, to detect anomalies or to ensure the
   security of private data during communication.

   Communication information: Information about the communication
   status, such as bandwidth, delay, packet loss rate, and delay jitter.

   Traffic features: Traffic features, such as the average packet
   length, IP entropy, port entropy, and TTL entropy, observed within a
   certain period of time before the current time
   [I-D.wang-i2nsf-intelligent-detection].

4.2 Computing Information

   The computing information capability parameters are as follows.

   CNSF-ID: Identification information for all NSF types.

   NSF computing energy consumption: The computing energy consumed by a
   specific type of NSF per unit of workload.

   Computing cost: The cost per unit of computing resources, generally
   set by the infrastructure provider.

   CATS-F maximum available computing resources: The maximum available
   computing resources on a CATS-F on which NSF instances can be
   deployed.

   CATS-F computing types: The compute resource types of a CATS-F, such
   as CPU, GPU, FPGA, etc.

   The computing information status parameters are as follows.

   CATS-F computing load: The computing resources consumed by the
   running NSF instances.

   CATS-F available computing resources: The computing resources
   available on a CATS-F at a given time, i.e., the maximum available
   computing resources minus the computing load.

   NSF instance output: For example, an NSF instance used for anomaly
   detection outputs whether a traffic flow is normal or abnormal.

5. Security Considerations

   CATS-C stores the computing and network information of all CATS-Fs
   in the network management domain.  If an attacker steals or tampers
   with the information in C-CIB and C-NIB, this leads to the disclosure
   of private service information or to incorrect routing decisions.
   Therefore, CATS-C should have the necessary defense mechanisms to
   resist intrusions by attackers and to prevent single points of
   failure.

6. IANA Considerations

   This document makes no requests for IANA action.

7. References

7.1 Normative References

   [RFC7665]  J. Halpern and C. Pignataro, "Service Function Chaining
              (SFC) Architecture", RFC 7665, DOI 10.17487/RFC7665,
              October 2015.

   [RFC8192]  S. Hares, D. Lopez, M. Zarny, C. Jacquenet, R. Kumar, and
              J. Jeong, "Interface to Network Security Functions
              (I2NSF): Problem Statement and Use Cases", RFC 8192,
              DOI 10.17487/RFC8192, July 2017.

   [RFC8300]  P. Quinn, U. Elzur, and C. Pignataro, "Network Service
              Header (NSH)", RFC 8300, DOI 10.17487/RFC8300,
              January 2020.

   [ITU-TY.3300]
              International Telecommunications Union, "Y.3300:
              Framework of software defined networking", June 2014.

7.2 Informative References

   [I-D.ldbc-cats-framework]
              C. Li, Z. Du, M. Boucadair, L. M. Contreras, J. Drake,
              G. Huang, and G. Mishra, "A Framework for Computing-Aware
              Traffic Steering (CATS)", Work in Progress,
              Internet-Draft, draft-ldbc-cats-framework-03, August
              2023.

   [I-D.yao-cats-awareness-architecture]
              H. Yao, X. Wang, Z. Li, and D.H. Daniel, "Computing and
              Network Information Awareness (CNIA) system architecture
              for CATS", Work in Progress, Internet-Draft,
              draft-yao-cats-awareness-architecture-01, July 2023,
              <https://datatracker.ietf.org/doc/html/draft-yao-cats-
              awareness-architecture-01>.

   [I-D.wang-i2nsf-intelligent-detection]
              W. Wang, H. Zhou, M. Li, Q. Guo, and S. Deng, "YANG Data
              Models for Attacks Intelligent Detection", Work in
              Progress, Internet-Draft,
              draft-wang-i2nsf-intelligent-detection-01, April 2023,
              <https://datatracker.ietf.org/doc/html/draft-wang-i2nsf-
              intelligent-detection-01>.

   [I-D.li-dots-knowledge-trans]
              K. Li, H. Zhou, Z. Tu, F. Liu, and W. Wang, "Knowledge
              Transmission Using Distributed Denial-of-Service Open
              Threat Signaling (DOTS) Data Channel", Work in Progress,
              Internet-Draft, draft-li-dots-knowledge-trans-05, August
              2023, <https://datatracker.ietf.org/doc/html/draft-li-
              dots-knowledge-trans-05>.

8. Acknowledgments

   TBC

Authors' Addresses

   Weilin Wang
   Beijing Jiao Tong University
   China
   Email: 21111026@bjtu.edu.cn

   Huachun Zhou
   Beijing Jiao Tong University
   China
   Email: hchzhou@bjtu.edu.cn

   Jingfu Yan
   Beijing Jiao Tong University
   China
   Email: 22110030@bjtu.edu.cn