]> Network Attestation for Secure Routing (NASR) Architecture Huawei
liuchunchi@huawei.com
China Mobile
chenmeiling@chinamobile.com
Sandelman Software Works
mcr@sandelman.ca
Telefonica
diego.r.lopez@telefonica.com
SEC NASR NASR Secure Routing This document provides an architecture overview of NASR entities, interactive procedures and messages.
Introduction Endpoints typically perceives no information of the properties of the paths over which their traffic is carried, especially when the properties are security-related. Therefore, data security (confidentiality, integrity and authenticity) has been insofar primarily protected by traffic signing and encryption mechanisms. Endpoint cannot choose devices with specific properties to bear transmission. However, clients with high security and privacy requirements are not anymore satisfied with traffic signing and encryption mechanisms only; they now request information of the trustworthiness or security properties of the network paths over which the traffic is carried, preferably to choose the desired properties. For example, some clients may require their data to traverse through trusted devices and trusted links only, in order to avoid data being exposed to insecure devices, causing leakage. Remote Attestation Procedures (RATS) working group developed procedures to establish a level of confidence in the trustworthiness of a device or a system. RATS provide 1. objective, appraisable evidence of a device’s trust or security properties, and 2. verifiable integrity proof to the evidence (Attestation Result). Devices with integrity proof are expected to function correctly and deterministically, as anticipated. Following the same RATS philosophy and building on top of it, Network Attestation for Secure Routing (NASR) aims at a solution specifically designed for the routing use case. NASR aims to provide 1. objective, appraisable evidence of a routing path’s trust or security properties, 2. verifiable integrity proof in the path-level, and 3. verifiable proof that certain packets/flows traveled such paths. Altogether, the NASR goal is to 1. Allow clients to choose desired security attributes of his received network service, 2. Achieve dependable forwarding by routing on top of only devices that satisfies certain trust requirements, and 3. prove to the clients that certain packets or flows traversed a network path that has certain trust or security properties. This document introduces the architecture, entities, interactive procedures, and messages sent between the entities, so to achieve the NASR objective.
Use Cases Please refer to the use cases identified in
Terminology Please refer to the terminologies identified in . Terminology from RATS Architecture document also applies. NASR will leverage RATS implementations and specifications, including but not limited to .
Architectural Overview
Single client - single operator (An Oversimplification) Attester...+-----> Attester | | | | | | | +--------------+ +-------------+ +-----------+ Update with Update with AR/RE/PoT AR/RE/PoT ]]> Figure 1. NASR Architecture-- Oversimplified Fig. 1 is an oversimplification to ease understanding of the concept. In a single client - single operator scenario, a client (Relying Party) sends a Path Request containing his security or trustworthiness requirements of a leased line. The Orchestrator, run by the operator, would choose qualifying devices (Attesters) and send out an empty Path Evidence inquiry. The Attesters update the Path Evidence with its own Raw Evidence or Attestation Results one-by-one. The Verifier verifies the filled Path Evidence, produce a Path Attestation Result (PAR), and sends it back to the Relying Party. The Relying Party now have confidence over the trustworthiness of received network. After the end-to-end service is delivered, during service, Proof-of-Transits are also created by each Attester, being sent in-band accumulatively or out-of-band, to detect unexpected routing deviation. This process is repeated periodically to continuously assure compliance.
Multi Client - Multi Operator +--+------>| Verifier || | | Attester | | Orchestrator | | || Vendor A || | | Vendor A <-------+ <--+------++ || | +--+--------+ AR +------+--------+ | AR |+-----------+| +----+-----------------------+-----------+ | | | Update | Intra | | | Path | ISP | | | Evidence | API | | +----+-----------------------+-----------+ | | | | | | | | | | | Operator 2| | | | | | | | | | +--v--------+ RE +------v--------+ | RE |+-----------+| | | +-------> +--+------>| Verifier || | | Attester | | Orchestrator | | || Vendor B || | | Vendor B <-------+ <--+------++ || | +--+--------+ AR +---^-----------+ | AR |+-----------+| +----+--------------------+--------------+ | | | Update | Path | | | Path | Attestation | ... | | Evidence | Result (PAR) | | +----+--------------------+----------+ | | | | Path | | +-------------+ | +--v-------+Evidence+---+-------+ | | | Attester +--------> Relying | | | +----------+ | Party | | | +-----------+ | | Client Y | +------------------------------------+ ]]> Figure 2. NASR Architecture In a more generalized scenario, due to geographic distances, a single operator cannot span across a long distance to deliver an end-to-end service-- multiple operators collaborate to deliver it. The Customer A would send the Path Request to the Operator nearest to him (Operator 1). Operator 1 pass down the Path Request to the collaborating operators, through an intra-ISP API. Operators of different domains choose qualifying devices to altogether orchestrate the path. Relying Party (customer) then sends the Path Evidence inquiry to check and attest to this path. Following the same procedure, the client of other side would return the Path Attestation Result back, through the operators. The Operator 1 would send back a comprehensive answer/report to the Client. Also, the operators may have heterogeneous network devices from different vendors. Since vendors provide Verifier software/hardware and Reference Values, Verifiers can be deployed either outside the operators (Fig 2) or inside of the operators (Fig 3). +----> of | | || Verifier || | | Attester | | Orches- | |Vendor <-+---++ Owner || | | Vendor A <----+ trator <----| A | | || Vendor A || | +--+--------+ AR +------+---+ AR +--------+ | |+-----------+| +----+--------------------+-------------------+ | | | Update | Intra Verifier | | Path | ISP Software/Hardware | | Evidence | API Reference Value | +----+--------------------+-------------------+ | | | | | | | | | | | Operator 2 | | | | | | +--------+ | | | | +--v--------+ RE +------v---+ RE |Verifier| | |+-----------+| | | +----> +----> of | | || Verifier || | | Attester | | Orches- | |Vendor <-+---++ Owner || | | Vendor B <----+ trator <----| B | | || Vendor B || | +--+--------+ AR +---^------+ AR +--------+ | |+-----------+| +----+-----------------+----------------------+ | | | Update | Path | ... | | Path | Attestation +-------------+ | Evidence | Result (PAR) +----+-----------------+----------+ | | Path | | | +--v-------+Evid.+---+-------+ | | | Attester +-----> Relying | | | +----------+ | Party | | | +-----------+ | | Client Y | +---------------------------------+ ]]> Figure 3. Verifier deployed in operators
Roles The existing roles from RATS Architecture document applies.
  • Attester: The definition in applies. Additionally, it can be performed by either a physical device or a virtual function. The Attester can update Path Evidence with his Attestation Result/Raw Evidence/Proof of Transit.
    • Produces: (updated) Path Evidence
  • Relying Party: The definition in applies. Additionally, it creates Path Request to the Orchestrator, and receive Reports from Orchestrator as an auditable result, comparing the actually received network service versus the requested PR attributes.
    • Produces: Path Request
    • Consumes: Report
In the case where an Attester is deployed in the customer premises, the Relying Party could also start the unfilled Path Evidence inquiry at his side. New role(s) are defined below.
  • Orchestrator: A role performed by an entity (typically a controller or a special device) that performs two functions: path orchestration and path attestation. The input and output of different functions are different.
    • Path Orchestration: The Orchestrator receives a Path Request from the Relying Party. After path computation/orchestration, he creates configurations to be distributed to the Attesters/devices.
      • Consumes: Path Request
      • Produces: Configurations
    • Path Attestation: The Orchestrator receives a Path Request from the Relying Party, send unfilled Path Evidence (PE) inquiry to Attesters, collects Path Attestation Result (PAR) from the Verifier, and send PAR back to the Relying Party.
      • Consumes: Path Request, Path Attestation Result
      • Produces: (unfilled) Path Evidence
  • Verifier: A role performed by an entity that appraises the validity of filled Path Evidence about a set of Attesters and produces Path Attestation Results to be used by an Orchestrator.
    • Consumes: (filled) Path Evidence
    • Produces: Path Attestation Results
Conceptual Messages The existing artifacts from RATS Architecture document applies. New conceptual message(s) are defined here.
  • Path Request: A set of claims, describing the properties of a network path that a Relying Party requested.
    • Consumed By: Orchestrator
    • Produced By: Relying Party
  • Path Attestation Result: The output generated by a Verifier, including information about a set of Attesters, where the Verifier vouches for the validity of the results.
    • Consumed By: Relying Party
    • Produced By: Verifier
  • Path Evidence: The output generated by the Orchestrator and a set of Attesters, to be appraised by a Verifier. Path Evidence may include each Attester's raw Evidence , Attestation Results, Proof-of-Transit, or other proof suggesting correctness of functioning of each Attester.
    • Consumed By: Verifier
    • Created By: Orchestrator
    • Updated By: Attester(s)
  • Report: An auditable result that compares the actually received network service versus the requested PR attributes.
    • Created By: Orchestrator
    • Consumed By: Relying Party
Orchestration The orchestration process collects client's path requests and output configurations. The Orchestrator/Controller then distribute them to the attester/device using NETCONF/YANG or other control plane protocols. In the first case, a new YANG module needs to be defined. | | +----------+-------------+ | |Path and Security Configuration |(YANG/NETCONF) | +-----v------------+ | Attester/Device | +------------------+ ]]>
Security Considerations TODO Security
IANA Considerations This document has no IANA actions.
Informative References CCNinfo: Discovering Content and Network Information in Content-Centric Networks This document describes a mechanism named "CCNinfo" that discovers information about the network topology and in-network cache in Content-Centric Networks (CCNs). CCNinfo investigates 1) the CCN routing path information per name prefix, 2) the Round-Trip Time (RTT) between the content forwarder and the consumer, and 3) the states of in-network cache per name prefix. CCNinfo is useful to understand and debug the behavior of testbed networks and other experimental deployments of CCN systems. This document is a product of the IRTF Information-Centric Networking Research Group (ICNRG). This document represents the consensus view of ICNRG and has been reviewed extensively by several members of the ICN community and the RG. The authors and RG chairs approve of the contents. The document is sponsored under the IRTF, is not issued by the IETF, and is not an IETF standard. This is an experimental protocol and the specification may change in the future. NASR Use Case and Requirements Huawei Huawei Telefonica Telefonica China Mobile China Mobile This document describes the use cases and requirements that guide the specification of a Network Attestation for Secure Routing framework (NASR). Terminology and Use cases for Secured Routing Infrastructure Sandelman Software Works Huawei Technologies This document collects terminology and use cases for Secured Routing. Attestation Results for Secure Interactions Cisco Systems Fraunhofer SIT MIT Linaro Intel This document defines reusable Attestation Result information elements. When these elements are offered to Relying Parties as Evidence, different aspects of Attester trustworthiness can be evaluated. Additionally, where the Relying Party is interfacing with a heterogeneous mix of Attesting Environment and Verifier types, consistent policies can be applied to subsequent information exchange between each Attester and the Relying Party. Concise Reference Integrity Manifest Fraunhofer SIT arm arm Intel Huawei Technologies Remote Attestation Procedures (RATS) enable Relying Parties to assess the trustworthiness of a remote Attester and therefore to decide whether to engage in secure interactions with it. Evidence about trustworthiness can be rather complex and it is deemed unrealistic that every Relying Party is capable of the appraisal of Evidence. Therefore that burden is typically offloaded to a Verifier. In order to conduct Evidence appraisal, a Verifier requires not only fresh Evidence from an Attester, but also trusted Endorsements and Reference Values from Endorsers and Reference Value Providers, such as manufacturers, distributors, or device owners. This document specifies the information elements for representing Endorsements and Reference Values in CBOR format.
Acknowledgments We sincerely thank contribution from NASR mailing list.