RTGWG                                                          X. Zhang
Internet-Draft                                             China Mobile
Intended status: Standards Track                                 C. Lin
Expires: July 8, 2024                                            Y. Qiu
                                                  New H3C Technologies
                                                        January 8, 2024

                  AAA for Hierarchical Network Slices
          draft-zhang-rtgwg-aaa-hierarchical-network-slices-00

Abstract

   This document describes an enhanced AAA mechanism for hierarchical
   network slice services, used when users access the network and
   consume network slice resources of different SLA levels.

Status of this Memo

   This Internet-Draft is submitted in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF), its areas, and its working groups.  Note that
   other groups may also distribute working documents as Internet-
   Drafts.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   The list of current Internet-Drafts can be accessed at
   http://www.ietf.org/ietf/1id-abstracts.txt

   The list of Internet-Draft Shadow Directories can be accessed at
   http://www.ietf.org/shadow.html

   This Internet-Draft will expire on July 6, 2024.

Copyright Notice

   Copyright (c) 2024 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (http://trustee.ietf.org/license-info) in effect on the date of
   publication of this document.  Please review these documents
   carefully, as they describe your rights and restrictions with respect
   to this document.

Zhang, et al.             Expires July, 2024                    [Page 1]
   Code Components extracted from this document must include Simplified
   BSD License text as described in Section 4.e of the Trust Legal
   Provisions and are provided without warranty as described in the
   Simplified BSD License.

Table of Contents

   1.  Introduction ................................................ 2
     1.1.  Requirements Language .................................. 4
     1.2.  Terminology ............................................ 4
   2.  Gap analysis for current AAA mechanism ...................... 4
   3.  AAA Method for hierarchical IETF network slices ............. 4
   4.  IANA Considerations ......................................... 6
   5.  Security Considerations ..................................... 6
   6.  References .................................................. 7
     6.1.  Normative References ................................... 7
     6.2.  Informative References ................................. 7
   7.  Acknowledgments ............................................. 8
   Authors' Addresses ............................................. 9

1.  Introduction

   Network slicing provides the ability to partition a physical network
   into multiple isolated logical networks of varying sizes, structures,
   and functions, so that each slice can be dedicated to specific
   services or customers.  Hierarchical composition of IETF Network
   Slices means that a network slice can be further sliced into other
   network slices, as shown in Figure 1.
                        +-------------------+
                        |     Underlay      |
                        |     Network       |
                        +---------+---------+
                                  |
                    +-------------+-------------+
                    |                           |
                    V                           V
              +-----------+               +-----------+
              |  Level-1  |               |  Level-1  |
              |  Network  |               |  Network  |
              |  Slice    |               |  Slice    |
              |     1     |               |     2     |
              +-----+-----+               +-----+-----+
                    |                           |
             +------+------+             +------+------+
             |             |             |             |
             V             V             V             V
        +---------+   +---------+   +---------+   +---------+
        | Level-2 |   | Level-2 |   | Level-2 |   | Level-2 |
        | Network |   | Network |   | Network |   | Network |
        |  Slice  |   |  Slice  |   |  Slice  |   |  Slice  |
        |   1-1   |   |   1-2   |   |   2-1   |   |   2-2   |
        +---------+   +---------+   +---------+   +---------+

    Figure 1: Architecture of Two-level Hierarchical IETF Network Slices

   [I-D.dong-teas-hierarchical-ietf-network-slice] describes several
   possible scenarios for hierarchical IETF network slices.  For
   example, Level-1 can be industry slices, which deliver services to
   different vertical industries, and Level-2 can be customer slices,
   which are created to meet the specific requirements of some or all of
   the customers within the corresponding Level-1 industry.

   [I-D.draft-gong-teas-hierarchical-slice-solution] describes a Segment
   Routing based solution for two-level hierarchical IETF network
   slices.  The Level-1 network slice is realized by associating a
   Flex-Algo with dedicated sub-interfaces, and the Level-2 network
   slice is realized by an SR Policy with an additional NRP-ID on the
   data plane.

   [I-D.draft-cheng-spring-sr-policy-group] describes another Segment
   Routing based solution for two-level hierarchical network slices.
   The Level-1 network slice is realized by an SR policy group, which is
   a group of constituent Parent SR policies to different destination
   endpoints sharing the same service forwarding model, and the Level-2
   network slice is realized by an SR policy or Parent SR policy that
   provides paths for different SLAs.
   As the above solutions for hierarchical network slices have been
   proposed, and the current AAA mechanism cannot meet the new
   requirements they bring, this document describes an enhanced AAA
   mechanism for hierarchical network slice services, used when users
   access the network and consume network slice resources of different
   SLA levels.

1.1.  Requirements Language

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and
   "OPTIONAL" in this document are to be interpreted as described in
   BCP 14 [RFC2119] [RFC8174] when, and only when, they appear in all
   capitals, as shown here.

1.2.  Terminology

   The terms in this document are defined in [RFC8402],
   [I-D.ietf-teas-ietf-network-slices] and [I-D.ietf-lsr-flex-algo].
   The following lists terms widely used in this document.

   AAA:  Authentication, Authorization and Accounting

   FA:  Flexible Algorithm

   NRP:  Network Resource Partition

2.  Gap analysis for current AAA mechanism

   In the traditional network architecture, the network nodes that
   provide AAA functions, such as BRAS devices and AAA servers, only
   need to account for the consumption of network resources, such as
   access time and bandwidth.  In the new business scenarios of
   hierarchical IETF network slices, the AAA mechanism needs to
   recognize the level of each network slice and the related
   information, so that authentication, authorization and accounting
   can be managed at a finer granularity and the diverse business
   requirements of cloud-network convergence can be met.  To address
   this gap, this document proposes an enhanced AAA method for
   hierarchical IETF network slices.

3.  AAA Method for hierarchical IETF network slices

   The following figure shows a typical architecture of the AAA process
   for a hierarchical IETF network slice service.  There are three
   roles here: the user device, the network device such as a BRAS, and
   the AAA server such as a RADIUS server.

   user device
   +------+
   |  A   |----+
   +------+    |
   user device |   +-------------------+        +-------------------+
   +------+    +-->|                   |<-------|                   |
   |  B   |------->|   Network device  |        |    AAA server     |
   +------+    +-->|                   |------->|                   |
   user device |   +-------------------+        +-------------------+
   +------+    |
   |  C   |----+
   +------+

          Figure 2: AAA Process for hierarchical network slices

   This document proposes an enhanced AAA method for hierarchical IETF
   network slices.  All the processes below are described using
   two-level network slices as the example.

3.1.  The authentication and authorization process for network slices

   1.  When a user device accesses the network, it sends an
       authentication request message that includes the username,
       password, user characteristics and service information.

   2.  The network device receives the authentication request message
       carrying the username, password, user characteristics and
       service information from the user device, and forwards it to the
       AAA server.

   3.  The AAA server receives the request and completes the
       authentication process.  Based on the user characteristics and
       service information in the request message, it selects an
       appropriate network slicing strategy for the user, encapsulates
       it in the user authorization message, and sends it to the
       network device.  The network device allows the user to go online
       and consume the corresponding slice resources according to the
       authorization information.

       The first-level slice is selected based on a first object, which
       can be an SRv6 policy group or SR Flex-Algo (FA for short) with
       dedicated sub-interfaces.
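   The following is an added, worked example of the exchange described
   in Sections 3.1 and 3.2; it is not part of this draft and not code
   from its authors.  It builds and checks the RADIUS Access-Request,
   Access-Accept and Accounting-Request packets in which the FA-id and
   NRP-ID travel together in one Vendor-Specific Attribute, and it
   shows the AAA server refusing a slice pair whose second-level slice
   does not belong to the authorized first-level slice.  The Vendor-Id
   99999, the vendor types 1 to 3, the slice hierarchy table and the
   policy table are placeholders and constructed data; the draft
   assigns none of them.

```python
# Added example, not the draft's code: RADIUS packets carrying the FA-id (level 1)
# and NRP-ID (level 2) of Section 3 in one VSA. Vendor-Id/types and tables are placeholders.
import hashlib
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCT_REQUEST = 1, 2, 4            # RFC 2865/2866 codes
USER_NAME, VENDOR_SPECIFIC, ACCT_STATUS_TYPE, ACCT_START = 1, 26, 40, 1
VENDOR_ID = 99999                                                # placeholder, not IANA-assigned
VT_FA_ID, VT_NRP_ID, VT_SERVICE = 1, 2, 3                        # placeholder vendor types
# Constructed hierarchy: level-2 NRP-IDs that belong to each level-1 FA-id.
HIERARCHY = {128: {1001, 1002}, 129: {2001, 2002}}
# Constructed policy: service information -> (FA-id, NRP-ID) the AAA server authorizes.
POLICY = {"industrial-video": (128, 1001), "office-vpn": (129, 2002)}

def attr(atype, value):
    return struct.pack("!BB", atype, 2 + len(value)) + value     # Type-Length-Value

def vsa(subs):
    """Attribute 26 (Vendor-Specific) holding our vendor sub-attributes."""
    body = struct.pack("!I", VENDOR_ID)
    for vtype, value in subs:
        body += struct.pack("!BB", vtype, 2 + len(value)) + value
    return attr(VENDOR_SPECIFIC, body)

def slice_vsa(fa_id, nrp_id):
    return vsa([(VT_FA_ID, struct.pack("!I", fa_id)), (VT_NRP_ID, struct.pack("!I", nrp_id))])

def build(code, ident, attrs, secret, authenticator=None):
    """Assemble a packet; the authenticator rule depends on the code."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    if code == ACCESS_REQUEST:    # random Request Authenticator
        auth = authenticator or os.urandom(16)
    elif code == ACCT_REQUEST:    # MD5 over the packet with the authenticator zeroed
        auth = hashlib.md5(header + bytes(16) + attrs + secret).digest()
    else:                         # responses are bound to the request authenticator
        auth = hashlib.md5(header + authenticator + attrs + secret).digest()
    return header + auth + attrs

def parse(packet):
    """Return (code, ident, authenticator, [(type, value), ...]); reject bad lengths."""
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length < 20 or length != len(packet):
        raise ValueError("length field does not match packet")
    attrs, pos = [], 20
    while pos < length:
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("malformed attribute")
        attrs.append((atype, packet[pos + 2:pos + alen]))
        pos += alen
    return code, ident, packet[4:20], attrs

def vsa_fields(attrs):
    """Our vendor sub-attributes as {vendor_type: raw value}."""
    fields = {}
    for atype, value in attrs:
        if atype != VENDOR_SPECIFIC or value[:4] != struct.pack("!I", VENDOR_ID):
            continue
        pos = 4
        while pos + 2 <= len(value):
            vtype, vlen = value[pos], value[pos + 1]
            if vlen < 2 or pos + vlen > len(value):
                raise ValueError("malformed vendor sub-attribute")
            fields[vtype] = value[pos + 2:pos + vlen]
            pos += vlen
    return fields

def slice_ids(attrs):
    """(FA-id, NRP-ID) carried in the packet, or None if either is missing."""
    f = vsa_fields(attrs)
    if VT_FA_ID in f and VT_NRP_ID in f:
        return struct.unpack("!I", f[VT_FA_ID])[0], struct.unpack("!I", f[VT_NRP_ID])[0]
    return None

def verify(packet, secret, request_auth=None):
    """Recompute the authenticator: zeroed for Accounting-Request, the request's for replies."""
    seed = bytes(16) if packet[0] == ACCT_REQUEST else (request_auth or b"")
    return packet[4:20] == hashlib.md5(packet[:4] + seed + packet[20:] + secret).digest()

def authorize(service):
    """AAA server: pick the slice pair, refusing one that breaks the hierarchy."""
    pair = POLICY.get(service)
    valid = pair is not None and pair[1] in HIERARCHY.get(pair[0], set())
    return pair if valid else None

def exchange(user, service, secret, ident=7):
    """Section 3.1 steps 1-4 and Section 3.2 steps 1-2, end to end."""
    req = build(ACCESS_REQUEST, ident,
                attr(USER_NAME, user) + vsa([(VT_SERVICE, service.encode())]), secret)
    _, rid, req_auth, attrs = parse(req)                    # AAA server receives it
    pair = authorize(vsa_fields(attrs).get(VT_SERVICE, b"").decode())
    if pair is None:
        return None                                         # Access-Reject
    accept = build(ACCESS_ACCEPT, rid, slice_vsa(*pair), secret, req_auth)
    if not verify(accept, secret, req_auth):                # BRAS checks the reply
        raise ValueError("bad Access-Accept authenticator")
    granted = slice_ids(parse(accept)[3])                   # BRAS starts accounting with it
    start = build(ACCT_REQUEST, ident + 1, attr(ACCT_STATUS_TYPE, struct.pack("!I", ACCT_START))
                  + attr(USER_NAME, user) + slice_vsa(*granted), secret)
    if not verify(start, secret):                           # accounting server checks it
        raise ValueError("bad Accounting-Request authenticator")
    fa_id, nrp_id = slice_ids(parse(start)[3])
    return {"user": user.decode(), "fa_id": fa_id, "nrp_id": nrp_id}
```

   Running exchange(b"alice", "industrial-video", b"s3cret") returns
   the record the accounting server stores for the session, with
   fa_id 128 and nrp_id 1001; flipping any byte of the
   Accounting-Request makes verify() fail, so the slice identifiers in
   accounting messages are covered by the RADIUS authenticator.  A
   plain Access-Request carries only a random authenticator, so the
   user characteristics and service information in it get no
   integrity protection from this mechanism alone.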
       The second-level slice is selected based on a second object
       within the first-level slice, which can be an SR Policy with an
       additional NRP-ID/Slice-ID on the data plane.  The information
       carried is mainly the two-level slice identifiers (ids): the
       first-level slice id can reuse an id introduced by the control
       plane technology, such as the FA-id, and the second-level slice
       id can reuse an id introduced by the data plane technology, such
       as the NRP-ID.

   4.  Once the user is online, the AAA server starts accounting for
       the user within the slice.

3.2.  The accounting process for network slices

   1.  The network device sends an accounting start request message,
       which at least includes information about the network slices
       currently used by the user, that is, the first- and second-level
       slices.  The two-level slice information is mainly as follows:
       the first-level slice id could be the FA-id, and the second-level
       slice id could be the NRP-ID, as examples.

   2.  If the request is legal, the accounting server records the user
       and the corresponding two-level slice information in its
       database and returns a reply message to the network device.

   3.  When the user logs out, the server receives an accounting stop
       request message that includes the two-level network slice
       information, the time, and the reason for stopping accounting.
       The server then records the user and the corresponding two-level
       slice information for the stop of accounting in its database.

   The two-level slice information, such as the FA-id and NRP-ID, is
   carried in the accounting messages by extending the Attribute field
   of the RADIUS protocol message.

4.  IANA Considerations

   TBD

5.  Security Considerations

   This document adds network slice identifiers, such as the FA-id and
   NRP-ID, to the authorization and accounting messages of the AAA
   protocol.  These identifiers decide which slice resources a user may
   consume and which slice a session is accounted to, so they need the
   same protection as the other attributes of the AAA message, and the
   security considerations of the AAA protocol being extended (RADIUS
   in this document) apply unchanged.  The AAA server selects the slice
   strategy from the user characteristics and service information in
   the request, and it should act on that information only after the
   user has been authenticated.

6.  References

6.1.  Normative References

   [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
              Requirement Levels", BCP 14, RFC 2119,
              DOI 10.17487/RFC2119, March 1997.

   [RFC8174]  Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC
              2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174,
              May 2017.

   [RFC8402]  Filsfils, C., Ed., Previdi, S., Ed., Ginsberg, L.,
              Decraene, B., Litkowski, S., and R. Shakir, "Segment
              Routing Architecture", RFC 8402, DOI 10.17487/RFC8402,
              July 2018.

   [I-D.ietf-teas-ietf-network-slices]
              Farrel, A., Drake, J., Rokui, R., Homma, S., Makhijani,
              K., Contreras, L. M., and J. Tantsura, "Framework for
              IETF Network Slices", Work in Progress, Internet-Draft,
              draft-ietf-teas-ietf-network-slices-12, 30 June 2022.

   [I-D.ietf-lsr-flex-algo]
              Psenak, P., Hegde, S., Filsfils, C., Talaulikar, K., and
              A. Gulko, "IGP Flexible Algorithm", Work in Progress,
              Internet-Draft, draft-ietf-lsr-flex-algo-20, May 2022.

   [I-D.ietf-spring-segment-routing-policy]
              Filsfils, C., Talaulikar, K., Voyer, D., Bogdanov, A.,
              and P. Mattes, "Segment Routing Policy Architecture",
              Work in Progress, Internet-Draft,
              draft-ietf-spring-segment-routing-policy-22,
              22 March 2022.

6.2.  Informative References

   [I-D.dong-teas-hierarchical-ietf-network-slice]
              Dong, J. and Z. Li, "Considerations about Hierarchical
              IETF Network Slices", Work in Progress, Internet-Draft,
              draft-dong-teas-hierarchical-ietf-network-slice-01,
              7 March 2022.

   [I-D.ietf-6man-enhanced-vpn-vtn-id]
              Dong, J., Li, Z., Xie, C., Ma, C., and G. Mishra,
              "Carrying Virtual Transport Network (VTN) Identifier in
              IPv6 Extension Header", Work in Progress, Internet-Draft,
              draft-ietf-6man-enhanced-vpn-vtn-id-00, 5 March 2022.
   [I-D.cheng-spring-srv6-encoding-network-sliceid]
              Cheng, W., Lin, C., Gong, L., Zadok, S., and X. Wang,
              "Encoding Network Slice Identification for SRv6", Work in
              Progress, Internet-Draft,
              draft-cheng-spring-srv6-encoding-network-sliceid-04,
              8 July 2022.

   [I-D.decraene-mpls-slid-encoded-entropy-label-id]
              Decraene, B., Filsfils, C., Henderickx, W., Saad, T., and
              V. Beeram, "Using Entropy Label for Network Slice
              Identification in MPLS networks", Work in Progress,
              Internet-Draft,
              draft-decraene-mpls-slid-encoded-entropy-label-id-04,
              14 June 2022.

   [I-D.li-mpls-enhanced-vpn-vtn-id]
              Li, Z. and J. Dong, "Carrying Virtual Transport Network
              Identifier in MPLS Packet", Work in Progress,
              Internet-Draft, draft-li-mpls-enhanced-vpn-vtn-id-02,
              7 March 2022.

7.  Acknowledgments

   The authors would like to thank the following for their valuable
   contributions to this document: TBD

Authors' Addresses

   Xiaoqiu Zhang
   China Mobile

   Email: zhangxiaoqiu@chinamobile.com


   Changwang Lin
   New H3C Technologies

   Email: linchangwang.04414@h3c.com


   Yuanxiang Qiu
   New H3C Technologies

   Email: qiuyuanxiang@h3c.com