INTERNET-DRAFT                                               T. Herbert
Intended Status: Experimental                                Quantonium
Expires: August 2018                                   February 3, 2018


                           Identifier groups
                        draft-herbert-idgroups-00

Abstract

   This draft describes a means to create logical identifier groups to
   manage identifiers in a mapping system for identifier-locator
   protocols. An identifier group consists of identifiers that have
   similar properties in the context of the mapping system. Identifier
   groups facilitate bulk operations on the mapping system that would
   affect multiple identifiers. A primary use case for this is to
   facilitate mobility of devices that are associated with possibly
   thousands or even millions of identifiers.

Status of this Memo

   This Internet-Draft is submitted to IETF in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF), its areas, and its working groups. Note that other
   groups may also distribute working documents as Internet-Drafts.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time. It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   The list of current Internet-Drafts can be accessed at
   http://www.ietf.org/1id-abstracts.html

   The list of Internet-Draft Shadow Directories can be accessed at
   http://www.ietf.org/shadow.html

Copyright and License Notice

   Copyright (c) 2018 IETF Trust and the persons identified as the
   document authors. All rights reserved.

T. Herbert               Expires August 7, 2018                [Page 1]

INTERNET DRAFT            draft-herbert-idgroups-00

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (http://trustee.ietf.org/license-info) in effect on the date of
   publication of this document. Please review these documents
   carefully, as they describe your rights and restrictions with respect
   to this document.
   Code Components extracted from this document must include Simplified
   BSD License text as described in Section 4.e of the Trust Legal
   Provisions and are provided without warranty as described in the
   Simplified BSD License.

Table of Contents

   1  Introduction
   2  Characteristics of identifiers
      2.1  Identifier addresses
      2.2  Desired properties
      2.3  Policy mechanisms for identifiers
   3  Structure of identifier groups
   4  Interfaces
      4.1  Management interface
      4.2  Query interface
   5  Security Considerations
   6  IANA Considerations
   7  References
      7.1  Normative References
      7.2  Informative References
   Author's Address

1 Introduction

   This document describes identifier groups for identifier-locator
   mapping systems.

   Identifier-locator protocols include the concept of identifiers as a
   type of node addressing. Identifiers are logical endpoints of
   communications and only differ from canonical addresses in that they
   are not topological. A node may be assigned multiple ephemeral
   identifiers so that they can be used to create different source
   addresses for different communications to benefit privacy and
   anonymity.
   It is expected that individual end devices may have thousands of
   active ephemeral identifiers; a device that connects backend subnets
   could have millions of associated identifiers.

   An identifier group is a group of identifiers within a mapping system
   that share some common properties. A grouping is arbitrary; the
   application or mapping system may create identifier groups as needed.
   An identifier may belong to multiple groups; however, when an
   operation is performed it must be clear which group the applicable
   properties are derived from. Groups may also be hierarchical, such
   that groups may be members of other groups and thus inherit
   properties from their parent groups.

   A primary application of identifier groups is mobility, where a
   device has a number of identifiers associated with it. When such a
   device moves in the network and is assigned a new locator, all of the
   identifiers associated with the device assume the new locator also.
   Identifier groups provide a level of indirection so that the locator
   can be set for all of the identifiers associated with the device in a
   single operation on the mapping system.

2 Characteristics of identifiers

   This section lists some salient properties of identifiers that are
   relevant to a mapping system and privacy.

2.1 Identifier addresses

   Identifier addresses are full IP addresses that are either an
   identifier or contain an identifier as part of the address.
   Identifier addresses are used by endpoints to communicate. In order
   to reach the end host where the node indicated by an identifier
   resides, somewhere in the path an identifier-locator operation is
   performed and the packet is typically modified (either by
   encapsulation or address translation) to reach the correct node. At
   the destination node, a reverse operation is done to restore the
   originally sent packet before presenting the packet to the end node
   or application.
2.2 Desired properties

   Identifier addresses should have the following properties:

   o They are composed of a global routing prefix and a suffix that is
     internal to an organization. This is the same property as for IP
     addresses [RFC3513].

   o The registry and organization of an address can be determined by
     the network prefix. This is true for any global address.

   o The organizational bits in the address should have minimal
     hierarchy to prevent inferences. It might be reasonable to have an
     internal prefix that divides identifiers based on broad geographic
     regions, but detailed information such as location, department in
     an enterprise, or device type should not be encoded in a globally
     visible address.

   o Given two identifier addresses and no other information, the
     desired properties with respect to correlating them are:

     o It can be inferred whether they belong to the same organization
       and registry. This is true for any two global IP addresses.

     o It may be inferred that they belong to the same broad grouping,
       such as a geographic region, if that information is encoded in
       the organizational bits of the address.

     o No other correlation can be established. For example, it cannot
       be inferred that the IP addresses address the same device, that
       the IP addresses reside in the same subnet or department, or
       that the nodes for the two addresses have any geographic
       proximity to one another.

2.3 Policy mechanisms for identifiers

   Other than a globally routable network prefix, identifier addresses
   require no hierarchy since they are not topological. Therefore all or
   most of the organizational bits in a publicly visible address form a
   flat, non-hierarchical space. To create identifier addresses with the
   properties listed above, the bits in this space are pseudo-randomly
   assigned to form addresses.

   While the routing requirements are satisfied by the identifier-
   locator protocols and mapping system, the lack of internal hierarchy
   in addresses is a potential disruption for network deployments that
   rely on address hierarchy to implement policy. For instance, an
   enterprise might implement a firewall rule based on destination
   network prefix that prevents the engineering department from talking
   to human resources.

   In order to apply such policies and still maintain the properties
   that prevent inference, a firewall could create rules based on
   identifier groups. When a packet arrives at the firewall, the mapping
   system may be consulted and information for a group is returned. A
   policy decision, i.e. forward or drop, may be made based on this
   information. In the example above, identifier groups might be created
   for engineering and human resources. The policy is expressed as:
   members of the engineering group are not allowed to send to members
   of the human resources group. Since the groups are not encoded in the
   addresses, there is no means for an external party to infer which
   packets belong to engineering and which belong to human resources.
   This is a privacy benefit compared to the common method of encoding
   the department in the address hierarchy.

   An additional benefit is that such groupings are arbitrarily flexible
   and are not constrained by the need to format information into
   addresses (address prefixes, for instance). Since the addresses don't
   contain group information, group membership can be changed for an
   address without requiring the node to change its address.

3 Structure of identifier groups

   Identifier groups can form a hierarchical structure within a mapping
   system domain. The diagram below illustrates a hierarchy containing
   two levels of groups and six identifier mapping entries at the
   leaves.
                               +-------+
                               |       |
                               | Group |
                               |       |
                               +---+---+
                                   |
   +------------+           +------+------+           +------------+
   | Identifier |---+       |             |       +---| Identifier |
   +------------+   |   +---+---+     +---+---+   |   +------------+
   +------------+   |   |       |     |       |   |   +------------+
   | Identifier |---+---| Group |     | Group |---+---| Identifier |
   +------------+   |   |       |     |       |   |   +------------+
   +------------+   |   +-------+     +-------+   |   +------------+
   | Identifier |---+                             +---| Identifier |
   +------------+                                     +------------+

   The diagram below provides an explicit example of using an identifier
   group hierarchy for mobility. In this scenario, consider a bus that
   has an onboard WIFI network. There are two UEs attached to the WIFI,
   each of which has been assigned three identifiers.

                               +----------+
                               |   WIFI   |
                               |   Bus    |
                               | Locator  |
                               +-----+----+
                                     |
   +------------+           +--------+--------+           +------------+
   | Identifier |---+       |                 |       +---| Identifier |
   +------------+   |   +---+-----+     +-----+---+   |   +------------+
   +------------+   |   |   UE    |     |   UE    |   |   +------------+
   | Identifier |---+---| Locator |     | Locator |---+---| Identifier |
   +------------+   |   |         |     |         |   |   +------------+
   +------------+   |   +---------+     +---------+   |   +------------+
   | Identifier |---+                                 +---| Identifier |
   +------------+                                         +------------+

   In this hierarchy, each UE has an associated group that contains all
   the identifiers for the UE. The WIFI device has an associated group
   that contains the groups for the attached UE devices. With this
   structure, each identifier has two locator mappings. The first maps
   the identifier to the WIFI device in the bus. The second maps the
   identifier to the UE attached to the WIFI network.

   When a packet from an external network is sent to one of the
   identifiers, the mapping system is consulted to retrieve the top
   level locator to forward the packet. This locator will direct the
   packet to the WIFI router on the bus.
   At the bus WIFI router, the second level locator mapping for the
   identifier is consulted to determine the locator of the UE that has
   the identifier. The resultant locator is used to forward the packet
   to the appropriate UE device. At the UE, the identifier is used to
   deliver the packet to the appropriate application.

   As the bus moves through a mobile network, the locator for the WIFI
   changes, so effectively the top level locator for all the identifiers
   of all the UEs within the bus must also be changed. Identifier groups
   allow this to be done in one operation on the mapping system. When
   passengers disembark and leave the range of the WIFI, the group
   membership of the UE is disassociated from the WIFI bus group. The UE
   may attach to another network, in which case the locator or group
   membership for the UE would be set appropriately.

   Note that in the above example, an identifier group hierarchy is used
   to create a locator hierarchy. That is, multiple identifier-locator
   operations are performed to get packets to the destination. This is
   expected to be common in identifier-locator deployments. It is
   analogous to a packet going through a routing hierarchy where at each
   level the information applied becomes progressively more specific to
   the final destination (i.e. at each layer the prefix match is
   longer).

4 Interfaces

   The mapping system interface is logically divided into the
   management interface and the query interface.

4.1 Management interface

   The management interface is used to create and manipulate mapping
   entries and identifier groups.
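   As an added illustration (my own example code, not part of this
   draft), the following Python model implements the bus hierarchy of
   Section 3 and the group-based firewall check from the policy
   discussion in Section 2 against a toy in-memory mapping system;
   every class, method, locator and identifier value in it is a
   constructed assumption.

```python
# Added example, not code from draft-herbert-idgroups-00: a toy in-memory
# mapping system with identifier groups. All names below are my own choices.
class Group:
    def __init__(self, name, locator=None, parent=None):
        self.name, self.locator, self.parent = name, locator, parent


class MappingSystem:
    """Management and query interfaces; no call enumerates a group's members."""
    def __init__(self):
        self._groups = {}  # group name -> Group
        self._ids = {}     # identifier address -> its innermost Group

    # management interface (write side; strongly authorized in a real system)
    def create_group(self, name, locator=None, parent=None):
        self._groups[name] = Group(name, locator, self._groups.get(parent))
    def set_group_locator(self, name, locator):
        self._groups[name].locator = locator  # one op re-homes every member
    def set_group_parent(self, name, parent):
        self._groups[name].parent = self._groups.get(parent)  # None detaches
    def create_identifier(self, ident, group):
        self._ids[ident] = self._groups[group]

    # query interface (read-only)
    def _chain(self, ident):  # innermost group outward to the top of the tree
        g = self._ids[ident]
        while g is not None:
            yield g
            g = g.parent
    def lookup_locator(self, ident, level=0):  # level 0 = outermost (the bus)
        locs = [g.locator for g in self._chain(ident) if g.locator is not None]
        return locs[::-1][level]
    def in_group(self, ident, name):
        return any(g.name == name for g in self._chain(ident))


def firewall_allows(ms, src, dst, deny):
    """deny: (src_group, dst_group) pairs; the groups are never visible in the address."""
    return not any(ms.in_group(src, s) and ms.in_group(dst, d) for s, d in deny)


def bus_scenario():
    """Section 3 example: a bus WIFI group holding two UE groups of 3 identifiers."""
    ms = MappingSystem()
    ms.create_group("bus", locator="LOC-BUS")
    for ue in "ab":
        ms.create_group(f"ue-{ue}", locator=f"LOC-UE-{ue}", parent="bus")
        for i in range(3):  # constructed identifier addresses under the org prefix
            ms.create_identifier(f"2001:db8::{ue}{i}", f"ue-{ue}")
    return ms
```

   Moving the bus is a single set_group_locator("bus", ...) call, and a
   disembarking UE is set_group_parent("ue-a", None); a firewall that
   only holds (src_group, dst_group) pairs never learns which addresses
   are in which group except by querying the mapping system.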
   The allowed operations on the management interface are:

   o Create groups

   o Set properties of a group, such as a locator or membership in
     another group in a group hierarchy

   o Change properties of a group

   o Create identifier mapping entries

   o Set identifier mapping properties such as locator or group
     membership

   o Change identifier mapping properties

   o Delete an identifier mapping entry

   o Remove all members from a group

   o Delete all identifier mappings in a group

   o Delete a group (that has no members)

   Note that there is no public interface defined that will return all
   the members of a group. This is intended to limit visibility of this
   sensitive information.

4.2 Query interface

   The query interface is used by devices that require identifier to
   locator mappings. This interface is read-only. The basic operations
   in the query interface are:

   o Lookup the locator for an identifier. In the case that a group
     hierarchy is present, the lookup request includes an indication as
     to which level in the hierarchy is applicable.

   o Lookup group information by group identifier. This is needed if
     the entry returned for a mapping entry indicates a group as a level
     of indirection. The internal structure for mapping entries which
     are members of the same group may reference a single group
     structure.

   o Request notifications of mapping entry changes if the mapping
     system supports a pub/sub model. This includes notifications that
     a group membership has changed.

   o Request notifications of group changes, for example if the locator
     for an identifier group changes.

5 Security Considerations

   Access to mappings of group identifier to member identifiers MUST be
   strictly controlled. If this information is compromised, then the
   privacy and anonymity of users could be undermined.
   In the case that the group identifiers refer to a single device, such
   as a UE in a mobile network, a breach of the mapping from group
   identifier to identifiers may be sufficient to compromise individual
   user identities. Note that these concerns are not specific to
   identifier-locator mapping systems, but apply to any scenario where
   address assignment is done for devices.

   The management interface should provide very strong authorization and
   employ encryption when communicating with the mapping system. The
   mapping system should enable the security mechanisms associated with
   databases that contain sensitive information. The query interface is
   always read-only; however, it should also have strong access
   authorization methods for security and privacy.

   A distributed identifier-locator mapping system should be deployed
   within a single administratively controlled domain. Low level
   information that potentially contains PII (Personally Identifiable
   Information) or specific location information should never be shared
   between administrative domains. It is conceivable that two networks
   could share a high level identifier-locator mapping system distinct
   from their internal systems to support cross domain identifier-
   locator mappings. In this case, a locator hierarchy would be employed
   so as not to reveal any detailed information or PII. Specifically,
   identifier group information that refers to specific devices and end
   locators for specific devices should not be visible.

6 IANA Considerations

7 References

7.1 Normative References

7.2 Informative References

Author's Address

   Tom Herbert
   Quantonium
   Santa Clara, CA
   USA

   Email: tom@quantonium.net