draft-ietf-sfc-proof-of-transit-05.txt   draft-ietf-sfc-proof-of-transit-06.txt 
Network Working Group F. Brockners, Ed. Network Working Group F. Brockners, Ed.
Internet-Draft S. Bhandari, Ed. Internet-Draft S. Bhandari, Ed.
Intended status: Experimental Cisco Intended status: Experimental Cisco
Expires: November 26, 2020 T. Mizrahi, Ed. Expires: December 18, 2020 T. Mizrahi, Ed.
Huawei Network.IO Innovation Lab Huawei Network.IO Innovation Lab
S. Dara S. Dara
Seconize Seconize
S. Youell S. Youell
JPMC JPMC
May 25, 2020 June 16, 2020
Proof of Transit Proof of Transit
draft-ietf-sfc-proof-of-transit-05 draft-ietf-sfc-proof-of-transit-06
Abstract Abstract
Several technologies such as Traffic Engineering (TE), Service Several technologies such as Traffic Engineering (TE), Service
Function Chaining (SFC), and policy based routing are used to steer Function Chaining (SFC), and policy based routing are used to steer
traffic through a specific, user-defined path. This document defines traffic through a specific, user-defined path. This document defines
mechanisms to securely prove that traffic transited said defined mechanisms to securely prove that traffic transited a defined path.
path. These mechanisms allow to securely verify whether, within a These mechanisms allow to securely verify whether, within a given
given path, all packets traversed all the nodes that they are path, all packets traversed all the nodes that they are supposed to
supposed to visit. visit.
Status of This Memo Status of This Memo
This Internet-Draft is submitted in full conformance with the This Internet-Draft is submitted in full conformance with the
provisions of BCP 78 and BCP 79. provisions of BCP 78 and BCP 79.
Internet-Drafts are working documents of the Internet Engineering Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet- working documents as Internet-Drafts. The list of current Internet-
Drafts is at https://datatracker.ietf.org/drafts/current/. Drafts is at https://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress." material or to cite them other than as "work in progress."
This Internet-Draft will expire on November 26, 2020. This Internet-Draft will expire on December 18, 2020.
Copyright Notice Copyright Notice
Copyright (c) 2020 IETF Trust and the persons identified as the Copyright (c) 2020 IETF Trust and the persons identified as the
document authors. All rights reserved. document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents Provisions Relating to IETF Documents
(https://trustee.ietf.org/license-info) in effect on the date of (https://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents publication of this document. Please review these documents
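Review bot: the abstract sentence "These mechanisms allow to securely verify whether ..." is ungrammatical and is carried unchanged into -06 (only "said defined path" became "a defined path"); suggest "These mechanisms make it possible to securely verify whether, within a given path, all packets traversed all the nodes that they are supposed to visit." The version, date and expiry updates (draft-06, June 16, 2020, expiring December 18, 2020) are consistent with each other.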
skipping to change at page 5, line 37 skipping to change at page 5, line 37
data packets through those nodes is to be proven. Besides the nodes, data packets through those nodes is to be proven. Besides the nodes,
the setup also includes a Controller that creates secrets and secrets the setup also includes a Controller that creates secrets and secrets
shares and configures the nodes for POT operations. shares and configures the nodes for POT operations.
The methods how traffic is identified and associated to a specific The methods how traffic is identified and associated to a specific
path is outside the scope of this document. Identification could be path is outside the scope of this document. Identification could be
done using a filter (e.g., 5-tuple classifier), or an identifier done using a filter (e.g., 5-tuple classifier), or an identifier
which is already present in the packet (e.g., path or service which is already present in the packet (e.g., path or service
identifier, NSH Service Path Identifier (SPI), flow-label, etc.) identifier, NSH Service Path Identifier (SPI), flow-label, etc.)
The POT information is encapsulated in packets as an IOAM Proof of When used in the context of IOAM, the POT information MUST be
Transit Option-Type. The details and format of the encapsulation and encapsulated in packets as an IOAM Proof of Transit Option-Type. The
the IOAM POT Option-Type format are specified in details and format of the encapsulation and the IOAM POT Option-Type
[I-D.ietf-ippm-ioam-data]. format are specified in [I-D.ietf-ippm-ioam-data]. When used in
conjunction with NSH [RFC8300], the POT Option-Type MUST be carried
as specified in [I-D.ietf-sfc-ioam-nsh].
The solution approach is detailed in two steps. Initially the The solution approach is detailed in two steps. Initially the
concept of the approach is explained. This concept is then further concept of the approach is explained. This concept is then further
refined to make it operationally feasible. refined to make it operationally feasible.
3.1. Basic Idea 3.1. Basic Idea
The method relies on adding POT data to all packets that traverse a The method relies on adding POT data to all packets that traverse a
path. The added POT data allows a verifying node (egress node) to path. The added POT data allows a verifying node (egress node) to
check whether a packet traversed the identified set of nodes on a check whether a packet traversed the identified set of nodes on a
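Review bot: the two new MUST statements ("When used in the context of IOAM, the POT information MUST be encapsulated in packets as an IOAM Proof of Transit Option-Type" and "When used in conjunction with NSH [RFC8300], the POT Option-Type MUST be carried as specified in [I-D.ietf-sfc-ioam-nsh]") create normative dependencies on [I-D.ietf-ippm-ioam-data] and [I-D.ietf-sfc-ioam-nsh], both works in progress, so this document cannot advance ahead of them; they also say nothing about POT data carried outside IOAM or NSH, so a sentence stating whether other encapsulations are out of scope would close that gap. Separately, the unchanged context "The methods how traffic is identified and associated to a specific path is outside the scope of this document" has a subject/verb mismatch; suggest "The methods by which traffic is identified and associated with a specific path are outside the scope of this document."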
skipping to change at page 28, line 5 skipping to change at page 28, line 5
10.1. Normative References 10.1. Normative References
[I-D.ietf-ippm-ioam-data] [I-D.ietf-ippm-ioam-data]
Brockners, F., Bhandari, S., Pignataro, C., Gredler, H., Brockners, F., Bhandari, S., Pignataro, C., Gredler, H.,
Leddy, J., Youell, S., Mizrahi, T., Mozes, D., Lapukhov, Leddy, J., Youell, S., Mizrahi, T., Mozes, D., Lapukhov,
P., remy@barefootnetworks.com, r., daniel.bernier@bell.ca, P., remy@barefootnetworks.com, r., daniel.bernier@bell.ca,
d., and J. Lemon, "Data Fields for In-situ OAM", draft- d., and J. Lemon, "Data Fields for In-situ OAM", draft-
ietf-ippm-ioam-data-09 (work in progress), March 2020. ietf-ippm-ioam-data-09 (work in progress), March 2020.
[I-D.ietf-sfc-ioam-nsh]
Brockners, F. and S. Bhandari, "Network Service Header
(NSH) Encapsulation for In-situ OAM (IOAM) Data", draft-
ietf-sfc-ioam-nsh-03 (work in progress), March 2020.
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
Requirement Levels", BCP 14, RFC 2119, Requirement Levels", BCP 14, RFC 2119,
DOI 10.17487/RFC2119, March 1997, DOI 10.17487/RFC2119, March 1997,
<https://www.rfc-editor.org/info/rfc2119>. <https://www.rfc-editor.org/info/rfc2119>.
[RFC7665] Halpern, J., Ed. and C. Pignataro, Ed., "Service Function [RFC7665] Halpern, J., Ed. and C. Pignataro, Ed., "Service Function
Chaining (SFC) Architecture", RFC 7665, Chaining (SFC) Architecture", RFC 7665,
DOI 10.17487/RFC7665, October 2015, DOI 10.17487/RFC7665, October 2015,
<https://www.rfc-editor.org/info/rfc7665>. <https://www.rfc-editor.org/info/rfc7665>.
[RFC8300] Quinn, P., Ed., Elzur, U., Ed., and C. Pignataro, Ed.,
"Network Service Header (NSH)", RFC 8300,
DOI 10.17487/RFC8300, January 2018,
<https://www.rfc-editor.org/info/rfc8300>.
[SSS] "Shamir's Secret Sharing", [SSS] "Shamir's Secret Sharing",
<https://en.wikipedia.org/wiki/Shamir%27s_Secret_Sharing>. <https://en.wikipedia.org/wiki/Shamir%27s_Secret_Sharing>.
10.2. Informative References 10.2. Informative References
[I-D.ietf-anima-autonomic-control-plane] [I-D.ietf-anima-autonomic-control-plane]
Eckert, T., Behringer, M., and S. Bjarnason, "An Autonomic Eckert, T., Behringer, M., and S. Bjarnason, "An Autonomic
Control Plane (ACP)", draft-ietf-anima-autonomic-control- Control Plane (ACP)", draft-ietf-anima-autonomic-control-
plane-18 (work in progress), August 2018. plane-18 (work in progress), August 2018.
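Review bot: the added normative entries for [I-D.ietf-sfc-ioam-nsh] and [RFC8300] match the new MUST text, which is correct, but the [I-D.ietf-ippm-ioam-data] entry still lists two authors as bare e-mail addresses ("remy@barefootnetworks.com, r., daniel.bernier@bell.ca, d."), a reference-generation artifact that should be replaced with the authors' names before publication; the [I-D.ietf-anima-autonomic-control-plane] entry (revision -18, August 2018) should also be checked against the current revision, since the other draft references in this section were refreshed to March 2020.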
 End of changes. 8 change blocks. 
12 lines changed or deleted 24 lines changed or added

This html diff was produced by rfcdiff 1.47. The latest version is available from http://tools.ietf.org/tools/rfcdiff/