draft-ietf-sfc-proof-of-transit-04.txt   draft-ietf-sfc-proof-of-transit-05.txt 
Network Working Group F. Brockners, Ed. Network Working Group F. Brockners, Ed.
Internet-Draft S. Bhandari, Ed. Internet-Draft S. Bhandari, Ed.
Intended status: Experimental Cisco Intended status: Experimental Cisco
Expires: May 24, 2020 T. Mizrahi, Ed. Expires: November 26, 2020 T. Mizrahi, Ed.
Huawei Network.IO Innovation Lab Huawei Network.IO Innovation Lab
S. Dara S. Dara
Seconize Seconize
S. Youell S. Youell
JPMC JPMC
November 21, 2019 May 25, 2020
Proof of Transit Proof of Transit
draft-ietf-sfc-proof-of-transit-04 draft-ietf-sfc-proof-of-transit-05
Abstract Abstract
Several technologies such as Traffic Engineering (TE), Service Several technologies such as Traffic Engineering (TE), Service
Function Chaining (SFC), and policy based routing are used to steer Function Chaining (SFC), and policy based routing are used to steer
traffic through a specific, user-defined path. This document defines traffic through a specific, user-defined path. This document defines
mechanisms to securely prove that traffic transited said defined mechanisms to securely prove that traffic transited said defined
path. These mechanisms allow to securely verify whether, within a path. These mechanisms allow to securely verify whether, within a
given path, all packets traversed all the nodes that they are given path, all packets traversed all the nodes that they are
supposed to visit. supposed to visit.
skipping to change at page 1, line 42 skipping to change at page 1, line 42
Internet-Drafts are working documents of the Internet Engineering Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet- working documents as Internet-Drafts. The list of current Internet-
Drafts is at https://datatracker.ietf.org/drafts/current/. Drafts is at https://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress." material or to cite them other than as "work in progress."
This Internet-Draft will expire on May 24, 2020. This Internet-Draft will expire on November 26, 2020.
Copyright Notice Copyright Notice
Copyright (c) 2019 IETF Trust and the persons identified as the Copyright (c) 2020 IETF Trust and the persons identified as the
document authors. All rights reserved. document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents Provisions Relating to IETF Documents
(https://trustee.ietf.org/license-info) in effect on the date of (https://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents publication of this document. Please review these documents
carefully, as they describe your rights and restrictions with respect carefully, as they describe your rights and restrictions with respect
to this document. Code Components extracted from this document must to this document. Code Components extracted from this document must
include Simplified BSD License text as described in Section 4.e of include Simplified BSD License text as described in Section 4.e of
the Trust Legal Provisions and are provided without warranty as the Trust Legal Provisions and are provided without warranty as
skipping to change at page 5, line 25 skipping to change at page 5, line 25
SFC: Service Function Chain SFC: Service Function Chain
SSSS: Shamir's Secret Sharing Scheme SSSS: Shamir's Secret Sharing Scheme
SR: Segment Routing SR: Segment Routing
3. Proof of Transit 3. Proof of Transit
This section discusses methods and algorithms to provide for a "proof This section discusses methods and algorithms to provide for a "proof
of transit" for packets traversing a specific path. A path which is of transit" (POT) for packets traversing a specific path. A path
to be verified consists of a set of nodes. Transit of the data which is to be verified consists of a set of nodes. Transit of the
packets through those nodes is to be proven. Besides the nodes, the data packets through those nodes is to be proven. Besides the nodes,
setup also includes a Controller that creates secrets and secrets the setup also includes a Controller that creates secrets and secrets
shares and configures the nodes for POT operations. shares and configures the nodes for POT operations.
The methods how traffic is identified and associated to a specific The methods how traffic is identified and associated to a specific
path is outside the scope of this document. Identification could be path is outside the scope of this document. Identification could be
done using a filter (e.g., 5-tuple classifier), or an identifier done using a filter (e.g., 5-tuple classifier), or an identifier
which is already present in the packet (e.g., path or service which is already present in the packet (e.g., path or service
identifier, NSH Service Path Identifier (SPI), flow-label, etc.) identifier, NSH Service Path Identifier (SPI), flow-label, etc.)
The POT information is encapsulated in packets as an IOAM Proof Of The POT information is encapsulated in packets as an IOAM Proof of
Transit Option. The details and format of the encapsulation and the Transit Option-Type. The details and format of the encapsulation and
POT Option format are specified in [I-D.ietf-ippm-ioam-data]. the IOAM POT Option-Type format are specified in
[I-D.ietf-ippm-ioam-data].
The solution approach is detailed in two steps. Initially the The solution approach is detailed in two steps. Initially the
concept of the approach is explained. This concept is then further concept of the approach is explained. This concept is then further
refined to make it operationally feasible. refined to make it operationally feasible.
3.1. Basic Idea 3.1. Basic Idea
The method relies on adding POT data to all packets that traverse a The method relies on adding POT data to all packets that traverse a
path. The added POT data allows a verifying node (egress node) to path. The added POT data allows a verifying node (egress node) to
check whether a packet traversed the identified set of nodes on a check whether a packet traversed the identified set of nodes on a
skipping to change at page 27, line 43 skipping to change at page 27, line 43
10. References 10. References
10.1. Normative References 10.1. Normative References
[I-D.ietf-ippm-ioam-data] [I-D.ietf-ippm-ioam-data]
Brockners, F., Bhandari, S., Pignataro, C., Gredler, H., Brockners, F., Bhandari, S., Pignataro, C., Gredler, H.,
Leddy, J., Youell, S., Mizrahi, T., Mozes, D., Lapukhov, Leddy, J., Youell, S., Mizrahi, T., Mozes, D., Lapukhov,
P., remy@barefootnetworks.com, r., daniel.bernier@bell.ca, P., remy@barefootnetworks.com, r., daniel.bernier@bell.ca,
d., and J. Lemon, "Data Fields for In-situ OAM", draft- d., and J. Lemon, "Data Fields for In-situ OAM", draft-
ietf-ippm-ioam-data-08 (work in progress), October 2019. ietf-ippm-ioam-data-09 (work in progress), March 2020.
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
Requirement Levels", BCP 14, RFC 2119, Requirement Levels", BCP 14, RFC 2119,
DOI 10.17487/RFC2119, March 1997, DOI 10.17487/RFC2119, March 1997,
<https://www.rfc-editor.org/info/rfc2119>. <https://www.rfc-editor.org/info/rfc2119>.
[RFC7665] Halpern, J., Ed. and C. Pignataro, Ed., "Service Function [RFC7665] Halpern, J., Ed. and C. Pignataro, Ed., "Service Function
Chaining (SFC) Architecture", RFC 7665, Chaining (SFC) Architecture", RFC 7665,
DOI 10.17487/RFC7665, October 2015, DOI 10.17487/RFC7665, October 2015,
<https://www.rfc-editor.org/info/rfc7665>. <https://www.rfc-editor.org/info/rfc7665>.
 End of changes. 8 change blocks. 
13 lines changed or deleted 14 lines changed or added

This html diff was produced by rfcdiff 1.47. The latest version is available from http://tools.ietf.org/tools/rfcdiff/