Internet-Draft BGP-LS2C August 2024
Chen & Su Expires 27 February 2025 [Page]
Workgroup:
Internet Engineering Task Force
Internet-Draft:
draft-chen-idr-bgp-ls-security-capability-04
Published:
Intended Status:
Informational
Expires:
Authors:
Chen, Ed.
China Mobile
L. Su
China Mobile

the extensions of BGP-LS to carry security capabilities

Abstract

As users' traffic faces more unpredictable attacks during transmission, there are more and more end-users now need high security data transmission guarantee, they need ISPs to provide security protection capabilities on the data forwarding path, but it is very difficult for operators to manage the security attributes of nodes through control surfaces.

ISPs need to have real-time awareness of the security capabilities available in the network, then form a security capability map, finally provide security protection for users at the routing level. The goal of this draft is to collect the security capabilities of nodes, which will be one of the factors to form the routing topology, and use the routing programming capabilities to form a secure routing path. The security capability includes healthy information(such as the device software is up-to-date), security service information, device information(such as the manufacturer information of the equipment).

The BGP-LS protocol is extended to carry the security capabilities of the node. The controller collects topology information, forms a topology path with security capabilities according to security requirements, and supports SRv6 path sending to execute node forwarding through programming.

Status of This Memo

This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79.

Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet-Drafts is at https://datatracker.ietf.org/drafts/current/.

Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress."

This Internet-Draft will expire on 27 February 2025.

Table of Contents

1. Introduction

SRv6 (Segment Routing IPv6, IPv6 segment routing) is based on source routing and centralized routing. It can realize network intelligent programming and select forwarding paths according to customer needs. At present, there is a lack of effective technical means to inject security factors into the process of collecting network topology and centralized routing to achieve safe routing path forwarding.

The most important reason for using BGP-LS as the extended basic protocol is that BGP-LS shields the differences of other routing protocols, and the underlying routing protocol types do not need to be considered when transmitting security capabilities.

RFC7752 standardized North-Bound Distribution of Link-State and Traffic Engineering (TE) Information Using BGP, describes a mechanism by which link-state and TE information can be collected from networks and shared with external components using the BGP routing protocol, using a new BGP Network Layer Reachability Information (NLRI) encoding format.

BGP-LS is a new way to collect network topology. The topology information discovered by the IGP protocol is summarized by the BGP protocol and sent to the upper controller. With the powerful routing and routing capabilities of the BGP protocol, there are three types of BGP-LS routes, which are used to carry node, link and route prefix information respectively. The three routes cooperate with each other to complete the transmission of topology information. The node routing function is to record the node information of the topology, the link routing function is to record the link information between two devices, and the address prefix routing function is to record the network segment information that the node can reach.

The state information NLRI collected by BGP-LS is described in TLV (type/length/value triplet) format. Each link state described by NLRI can identify a node, link or prefix. Therefore, three types of NLRI are newly set in the standard, of which type 3 and 4 are used to distinguish the prefix of IPv4 and IPv6. There are only two types of NLRI attributes in the original BGP protocol: MP_ REACH_ NLRI, attribute type 14; MP_ UNREACH_ NLRI, attribute type 15.

2. BGP-LS node type carries security capability

2.1. Collection model of security capabilities

                   +----------+
          +--------+Controller+-----------+
          |        +----------+           |
    BGP-LS(Node)                          |
          |                               |
xxxxxxxx|xxxxxxxxx                        |
x         |      x                        |
x   +-----+-+    x                  +-----+-+
x   |Router |    x                  |Router |
x   +----+--+    x                  +-+---+-+
x        |       x                    |   |
x        |       x             +------+   |
x        |       x             |          |
x   +----+----+  x          +---+----+  +--+-----+
x   |Security |  x          |Security|  |Security|
x   |Products |  x          |Products|  |Products|
x   +---------+  x          +--------+  +--------+
xxxxxxxxxxxxxxxxxx

Figure 1: Router and attached security products are used as node units

2.2. New Node Attribute TLVs

The Local Node Descriptors TLV contains Node Descriptors for the node anchoring the local end of the link. This is a mandatory TLV in all three types of NLRIs (node, link, and prefix).

0                   1                   2                   3
      0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
     |              Type             |             Length            |
     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
     |                                                               |
     //              Node Descriptor Sub-TLVs (variable)            //
     |                                                               |
     +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

               Figure 2: Local Node Descriptors TLV Format

Node attribute TLVs are the TLVs that may be encoded in the BGP-LS attribute with a Node NLRI. The following Node Attribute TLVs are defined:

   +-------------+----------------------+----------+
   |   TLV Code  | Description          |   Length |
   |    Point    |                      |          |
   +-------------+----------------------+----------+
   |     263     | Multi-Topology       | variable |
   |             | Identifier           |          |
   |     1024    | Node Flag Bits       |        1 |
   |     1025    | Opaque Node          | variable |
   |             | Attribute            |          |
   |     1026    | Node Name            | variable |
   |     1027    | IS-IS Area           | variable |
   |             | Identifier           |          |
   |     1028    | IPv4 Router-ID of    |        4 |
   |             | Local Node           |          |
   |     1029    | IPv6 Router-ID of    |       16 |
   |             | Local Node           |          |
   +-------------+----------------------+----------+
              Table 3: Node Attribute TLVs

The security capability is transferred by adding the security capability attribute to the attributes of the local node.

   +-------------+----------------------+----------+
   |   TLV Code  | Description          |   Length |
   |    Point    |                      |          |
   +-------------+----------------------+----------+
   |     TBD1    | Node Security        | variable |
   |             | Capability           |          |
   +-------------+----------------------+----------+
              Table 4: New Node Attribute TLV

2.3. Usage of new attribute

When programming the routing path, take the security capability requirement as one of the inputs. The description of the security capability requirement can be structured or one-dimensional matrix, which only needs to be consistent with the router's security capability description; There are many routing rules. After introducing security capability requirements, it is necessary to dynamically adjust the security capability as the position of routing rules according to the requirements. The main rule strategies are: ① Select the routing node that meets the security requirements as the forwarding node when the path is reachable; ② Select the shortest path when all the safety requirements are met; ③ When the same path length and security requirements are met, select the path with small load for forwarding.

4. BGP-LS Prefix type carries security capability

4.1. Collection model of security capabilities

      +----------+                  +----------+
      +Controller+                  +Controller+
      +----------+                  +----------+
          |                               |
          | AS 100                        |
xxxxxxxxxxxxxxxxxx                        |AS 200
x         |      x                 xxxxxxx|xxxxxxxx
x   +-----+-+    x  BGP-LS(Prefix) x  +-----+-+   x
x   |RouterA|----x-----------------x--|RouterE|   x
x   +----+--+    x                 x  +-+---+-+   x
x        |       x       xxxxxxxxxxx  |   |       x
x        |       x       x     +------+   |       x
x        |       x       x     |          |       x
x   +----+--+    x       x  +---+--+  +--+---+    x
x   |Router |    x       x  |Router|--|Router|    x
x   +-------+    x       x  +------+  +------+    x
xxxxxxxxxxxxxxxxxx       xxxxxxxxxxxxxxxxxxxxxxxxxx

Figure 10: Security capability is transferred between ASs through Prefix

The router and its attached security products are the basic units. When collecting the status information, only some nodes can directly transmit the node status information to the controller through the BGP-LS protocol. Other nodes that do not directly transmit the node information need to transmit the node information to the directly connected node to achieve the transmission of security capability information. In the figure, nodes A and E are direct connected nodes, which are connected to their respective controllers. Nodes A and E are responsible for collecting the security capabilities of other nodes in their respective fields.

5. IANA Considerations

This memo includes no request to IANA.

6. Security Considerations

TBD

Authors' Addresses

Meiling Chen (editor)
China Mobile
BeiJing
China
Li Su
China Mobile
BeiJing
China