<?xml version='1.0' encoding='utf-8'?>
<!DOCTYPE rfc [
  <!ENTITY nbsp    "&#160;">
  <!ENTITY zwsp   "&#8203;">
  <!ENTITY nbhy   "&#8209;">
  <!ENTITY wj     "&#8288;">
]>
<?xml-stylesheet type="text/xsl" href="rfc2629.xslt" ?>
<!-- generated by https://github.com/cabo/kramdown-rfc version 1.6.26 (Ruby 3.0.2) -->
<rfc xmlns:xi="http://www.w3.org/2001/XInclude" ipr="trust200902" docName="draft-chen-secure-routing-use-cases-00" category="info" submissionType="IETF" xml:lang="en" version="3">
  <!-- xml2rfc v2v3 conversion 3.16.0 -->
  <front>
    <title abbrev="Use Cases">The Use Cases for Secure Routing</title>
    <seriesInfo name="Internet-Draft" value="draft-chen-secure-routing-use-cases-00"/>
    <author initials="" surname="Chen" fullname="Meiling Chen">
      <organization>China Mobile</organization>
      <address>
        <postal>
          <city>Beijing</city>
          <country>China</country>
        </postal>
        <email>chenmeiling@chinamobile.com</email>
      </address>
    </author>
    <author initials="L." surname="Su" fullname="Li Su">
      <organization>China Mobile</organization>
      <address>
        <postal>
          <city>Beijing</city>
          <country>China</country>
        </postal>
        <email>suli@chinamobile.com</email>
      </address>
    </author>
    <date year="2023" month="March" day="06"/>
    <area>Security</area>
    <workgroup>Internet Engineering Task Force</workgroup>
    <abstract>
      <t>Traditional path selection criteria include the shortest path, the lowest delay, and the least jitter. This document proposes adding a new factor, security, which determines the forwarding path from the security dimension.</t>
      <t>With the frequent occurrence of security incidents, users' demand for security services is increasingly strong. As there are many security devices in the ISP's network, this draft proposes secure routing, whose purpose is to converge security and routing so as to ensure the security of the transmission process.</t>
      <t>The scope is transmission process security; end-to-end security and processing security are out of scope.</t>
    </abstract>
  </front>
  <middle>
    <section anchor="introduction">
      <name>Introduction</name>
      <t>With the frequent occurrence of network security events, users' demand for network security is increasingly strong, and there is no doubt that multi-level security is needed to protect users. The current security risk mainly comes from attacks, so users need security services to ensure the normal operation of their business.</t>
      <t>Some companies build security centers themselves, some buy third-party cloud security services, and some hope that ISPs can provide security services by means of secure routing. Secure routing provided by ISPs can be implemented so as to guide traffic through security devices. With the development of programmable networks and SRv6 technology, the forwarding requirements of the upper layer can be fulfilled through routing programming; reachability and security in the routing process can be handled synchronously to provide users with secure routing.</t>
      <t>In addition to dedicated security equipment, network devices are also being updated to integrate security functions to cope with complex security environments, for example routers with anti-DDoS functions, and switches with intrusion detection (IDS) and firewall functions.</t>
    </section>
    <section anchor="analysis-of-security-requirements">
      <name>Analysis of security requirements</name>
      <t>For ISPs, users differ in credibility, so it is necessary to plan the path based on the security protection of the basic network.</t>
      <t>For users, different users have different security requirements which depend on their business. For example, e-commerce and Internet companies focus on phishing prevention, anti-DDoS, and data security; medical companies focus on data security and security isolation; and so on. In a word, users have differentiated security requirements.</t>
    </section>
    <section anchor="security-and-network-convergence">
      <name>Security and network convergence</name>
      <t>If security functions and network functions are highly integrated, security can be as flexible as network connectivity. By optimizing existing routing protocols to obtain information about the security devices in the network, secure routing can be realized by taking the security policy into account in the routing strategy. The following figure describes the relationship between the controller, network devices and security devices.</t>
      <artwork><![CDATA[
                 +-----------+
                 |    IP     |
                 |programming|
                 | controller|
                 +-----x-----+
                       x
                       x
     xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
     x                                  x
     x            +---------+           x
 +---x----+       |security |       +---x----+
 | router +-------+ device  +-------+ router |
 +---+----+       +---------+       +--------+
     |
+----+----+
|security |
| device  |
+---------+

Figure 1: Secure routing model
]]></artwork>
    </section>
    <section anchor="secure-routing-use-cases">
      <name>Secure Routing Use Cases</name>
      <t>Two use cases are described below.</t>
      <ol spacing="normal" type="1"><li>A strategy routing path ensures basic network security, and network node security evaluation ensures the security of the transmission node itself;</li>
        <li>Differentiated security path to meet user requirements.</li>
      </ol>
      <section anchor="basic-path-for-secure-routing">
        <name>Basic path for secure routing</name>
        <t>This scenario occurs in 5G network vertical industries. The power industry slice requires physical isolation, that is, running on an independent physical machine. To achieve this requirement, it is necessary to collect network node information at the controller. When it is time to provide services for the power slice, the information is obtained from the controller and the secure routing is then planned.</t>
        <t>For security, obtaining node information and appraising node trustworthiness can help improve basic node security awareness; the draft draft-voit-rats-trustworthy-path-routing focuses on this field.</t>
        <artwork><![CDATA[
            +-------------+
            |  Controller |
            +------+------+
           appraise|trustworthiness
    +--------------+---------------+
    |              |               |
+---+----+     +---+---+      +----+---+
| Node1  +-----+ Node2 +------+ Node3  |
+--------+     +-------+      +--------+

Figure 2: Node security appraisement
]]></artwork>
        <t>Also, the credibility of users is differentiated: for users with poor credibility or potential attack behaviors, critical nodes are avoided when forming routing paths. As shown in the figure, for user A with poor credibility, key node 3 is avoided when forming path &lt;1,2,3,4&gt; for user A.</t>
        <artwork><![CDATA[
                  Ingress
                                 +---------+
+--------+  1    +------+   5    |   Key   |  6  +------+
| User A +------>| Node1+-------->  Node3  +-----+ Node5|
+--------+       +---+--+        +----+----+     +---+--+
                     |                |              |
                     |                |              |
                     | 2              |7             |8
                     |                |              |
                     |                |              |
                     |                |              |
                 +---+--+     3   +---v--+    4  +---+--+
                 | Node2+---------+ Node4+-------> Node6+---->
                 +------+         +------+       +------+
                                                  Egress

            Figure 3: Key network node protection
]]></artwork>
      </section>
      <section anchor="differentiated-service-for-secure-routing">
        <name>Differentiated service for secure routing</name>
        <t>ISPs have deployed many security devices and security resource pools in the basic network; once a network node is attacked, security functions need to be scheduled quickly and efficiently to mitigate the attack. Users have clear requirements for their own security services.</t>
        <t>For ToB users, the types of users differ, and so do the corresponding security requirements. The security requirement is no longer simply divided into high, medium and low levels, but is more specific. For example, in addition to considering low-latency connections, customers in the game industry should first consider anti-DDoS services for their security requirements; therefore, ISPs are required to provide anti-DDoS security services. For financial customers, data security is the most important: it is required that data cannot be tampered with, eavesdropped or copied, and so on.</t>
        <t>For customers with specific security requirements, ISPs need to transmit data at the security level expected by the customer. For example, if the user needs anti-DDoS and IPS services, the secure routing is path &lt;1,5,7,4&gt;. If the user needs the WAF service, the secure routing is path &lt;1,2,3,4&gt;.</t>
        <artwork><![CDATA[
                  Ingress
                                 +---------+
+--------+  1    +------+   5    | Node3   |  6  +------+
| User A +------>| Node1+-------->Anti-ddos+-----+ Node5|
+--------+       +---+--+        +----+----+     +---+--+
                     |                |              |
                     |                |              |
                     | 2              |7             |8
                     |                |              |
                     |                |              |
                     |                |              |
                 +---+--+     3   +---v--+    4  +---+--+
                 | Node2+---------+ Node4+-------> Node6+---->
                 | WAF  |         | IPS  |       +------+
                 +------+         +------+        Egress

           Figure 4: User requires anti-DDoS and IPS service
]]></artwork>
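        <t>The path selection in this section and the key node avoidance of the previous section (Figure 3) can be worked through as a small constrained path computation. The following Python example is added here for illustration and is not part of this draft; it assumes a constructed topology modelled on Figures 3 and 4, with link ids matching the figures, WAF on Node2, anti-DDoS on Node3, IPS on Node4, and Node3 as the key node.</t>
        <sourcecode type="python"><![CDATA[
```python
from collections import deque

# Constructed topology modelled on Figures 3 and 4 of this draft (assumption):
# (src, dst, link_id) for every directed link; link ids match the figures.
LINKS = [
    ("UserA", "Node1", 1), ("Node1", "Node2", 2), ("Node2", "Node4", 3),
    ("Node4", "Node6", 4), ("Node1", "Node3", 5), ("Node3", "Node5", 6),
    ("Node3", "Node4", 7), ("Node5", "Node6", 8),
]
# Security functions hosted by each node (Figure 4); other nodes host none.
FUNCTIONS = {"Node2": {"WAF"}, "Node3": {"anti-DDoS"}, "Node4": {"IPS"}}
# Key (critical) nodes that low-credibility users must not traverse (Figure 3).
KEY_NODES = {"Node3"}


def secure_path(ingress, egress, required=(), avoid=()):
    """Return the link ids of the fewest-hop path that traverses every
    required security function and never enters a node in `avoid`.
    Breadth-first search over (node, covered-functions) states, so the
    first state reaching the egress with all functions covered is the
    shortest qualifying path.  Returns None if no path qualifies."""
    required, avoid = frozenset(required), frozenset(avoid)
    adj = {}
    for src, dst, lid in LINKS:
        adj.setdefault(src, []).append((dst, lid))
    start = (ingress, frozenset(FUNCTIONS.get(ingress, ())) & required)
    queue = deque([(start, [])])
    seen = {start}
    while queue:
        (node, covered), links = queue.popleft()
        if node == egress and covered == required:
            return links
        for nxt, lid in adj.get(node, []):
            if nxt in avoid:          # policy: never route through key nodes
                continue
            gained = frozenset(FUNCTIONS.get(nxt, ())) & required
            state = (nxt, covered | gained)
            if state not in seen:
                seen.add(state)
                queue.append((state, links + [lid]))
    return None


if __name__ == "__main__":
    print(secure_path("UserA", "Node6", required={"anti-DDoS", "IPS"}))  # [1, 5, 7, 4]
    print(secure_path("UserA", "Node6", required={"WAF"}))               # [1, 2, 3, 4]
    print(secure_path("UserA", "Node6", avoid=KEY_NODES))               # [1, 2, 3, 4]
    # anti-DDoS lives only on the key node, so a low-credibility user gets no path
    print(secure_path("UserA", "Node6", required={"anti-DDoS"}, avoid=KEY_NODES))  # None
```
]]></sourcecode>
        <t>The last call shows the conflict a controller has to resolve when the only node offering a required function is also a key node: the policy returns no path rather than silently dropping either constraint.</t>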
      </section>
    </section>
    <section anchor="IANA">
      <name>IANA Considerations</name>
      <t>This memo includes no request to IANA.</t>
    </section>
    <section anchor="Security">
      <name>Security Considerations</name>
      <t>TBD</t>
    </section>
  </middle>
  <back>
  </back>
</rfc>
