<?xml version="1.0" encoding="US-ASCII"?>
<!DOCTYPE rfc SYSTEM "rfc2629.dtd">
<?rfc toc="yes"?>
<?rfc tocompact="yes"?>
<?rfc tocdepth="3"?>
<?rfc tocindent="yes"?>
<?rfc symrefs="yes"?>
<?rfc sortrefs="yes"?>
<?rfc comments="yes"?>
<?rfc inline="yes"?>
<?rfc compact="yes"?>
<?rfc subcompact="no"?>
<rfc category="std" docName="draft-xyz-pidloc-reqs-00.txt" ipr="trust200902">
  <front>
    <title abbrev="Pidloc Requirements">
     Requirements to Secure End to End Privacy in IdLoc Systems</title>


      
		    <author fullname="Luigi Iannone" initials="L.I." surname="Iannone">
      <organization>Telecom ParisTech</organization>

      <address>


        <email>ggx@gigix.net</email>
      </address>
    </author>
   

	 <author fullname="Dirk von Hugo" initials="D.H." surname="von Hugo">
      <organization abbrev="Deutsche Telekom">Deutsche Telekom</organization>

      <address>
        <postal>
          <street>Deutsche-Telekom-Allee 7</street>

          <city>D-64295 Darmstadt</city>

          <code></code>

          <country>Germany</country>
        </postal>

        <phone></phone>

        <email>Dirk.von-Hugo@telekom.de</email>
      </address>
    </author>

    <author fullname="Behcet Sarikaya" initials="B.S." surname="Sarikaya">
      <organization>Denpel Informatique</organization>

      <address>
        <postal>
          <street></street>

          <street></street>

          <city></city>

          <region></region>

          <code></code>
        </postal>

        <email>sarikaya@ieee.org</email>
      </address>
    </author>





    <date  year="2019" />

    <abstract>
      <t>
       Use of Identifier Locator separation systems is proposed for various use cases to allow 
       for efficient and service aware flexible end-to-end routing.  A statement on the issue of 
       privacy preservation of both users and devices identity and location describes major challenges identified for this problem.  This document attempts to derive requirements towards a potential solution space of approaches to preserve privacy in Identifier-Locator
   split (PidLoc) protocols.
      </t>

    </abstract>
  </front>

  <middle>
    <section title="Introduction">


      <t>
   <xref target="I-D.xyz-pidloc-ps"/> has identified and described typical use cases for application of privacy preserving Identifier-Locator split (PidLoc) approaches and derived thereof
     a problem statement describing corresponding issues and challenges. Privacy in this respect includes prevention of acquisition of personal
information, behavioral details,
and location information by unauthorised parties. This document tries to assess that set of issues and challenges to come up with a set of requirements for approaches towards service specific and optimized packet routing based on Id-Loc principle providing privacy and security.

      </t>
      <t>

      </t>


    </section>

    <section title="Conventions and Terminology">
      <t>The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
      "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
      document are to be interpreted as described in <xref
      target="RFC2119">RFC 2119</xref> and  <xref target="I-D.xyz-pidloc-ps"/>.</t>

      <t>
    </t>

    </section>





    <section title="Identifier Locator Separation Protocols">
    	<t>
This section summarizes the specifics and commonalities of existing Identifier Locator (Id-Loc) Separation Protocols and highlights the corresponding challenges and issues identified in <xref target="I-D.xyz-pidloc-ps"/>.
      </t>
       </section>
          <section anchor="requirements" title="PId-Loc Requirements">
      <t>

This section lists requirements which emerge from the use case analysis and will apply (beside  the general requirements to fit with privacy considerations for Internet Protocols as laid down in <xref target="RFC6973">RFC 6973</xref> and partly also on design criteria for confidentiality in the data plane of LISP described in <xref target="RFC8061">RFC 8061</xref>) for the solution space providing privacy and security in   generic Identifier Locator Split Approaches.
      </t>

         <section anchor="effort" title="Limited Effort">
      <t>
   The measures to ensure privacy to Id-Loc systems shall not require additional infrastructure and 
   external third party provided resources to be used nor increase the overall effort such that network 
   and service performance is strongly degraded. Successful privacy measures shall not impact availability.
    
      </t>
      </section>
      <section anchor="flexibility" title="Flexibility">
      <t>
        Because Id-Loc approaches can be used in mobile environments, flexibility in time and space should be provided. The same Id, associated to a specific device, can move around and at different times can have different privacy requirements, may be depending on the specific connection or provider used. Still because of mobility, a certain device can have different privacy requirements depending of where it is.
      </t>
      </section>
      <section anchor="scaling" title="Scalability">
      <t>
        Because some of the ID-Loc proposals aim at being deployed in datacenters, the methods to 
        ensure privacy has to be able to function at very large scale.
      </t>
      </section>
      <section anchor="resilient" title="Resiliency">
      <t>
The measure shall not rely on a potential single point of failure nor a single mechanism and allow for 
automatic rebooting or relying on alternative solutions in case of compromise and attacks.


      </t>

      </section>
      <section anchor="savemapping" title="ID to Locator Association  Protection">
      <t>
The Id-Loc system may need to use measures for binding one or more identifiers to one or more locators. 
This is usually achieved by a mapping or lookup system (e.g. DNS) which has to be protected against 
unauthorised access and may allow for different policy-based chosen levels of security. Like any other 
software-based service, the mapping system has to be protected against DDoS attacks and the like.
However, there are specific points to be tackled:
<list style="symbols">
  <t> Mapping System Access Control: Who can access the mapping system?
  </t>
  <t> Mapping Access Control: Someone authorized to access the mapping system does not mean 
  that is authorized to access the mapping of a specific Identifier.
  </t>
  <t>Byzantines Attacks: What if someone is able to inject tempered information to attack either 
  the mapping system itself of a specific identifier?
  </t>
</list>
The above may be defined on various criteria, like for instance administrative criteria 
"devices part of the same company", or geographical criteria "only close by devices", or service-aware 
"devices operating the same service".

      </t>


     </section>







    </section>



    <section anchor="IANA" title="IANA Considerations ">
      <t>
      TBD.
      </t>
    </section>

    <section anchor="Security" title="Security Considerations">
      <t>

      </t>
      <t>
     </t>
    </section>



    <section anchor="acks" title="Acknowledgements">
      <t>


   </t>
      <t>

      </t>
    </section>

  </middle>

  <back>
    <references title="Normative References">
      <?rfc include="reference.RFC.2119"?>




					<?rfc include='reference.I-D.ietf-lisp-rfc6830bis'?>
					<?rfc include='reference.I-D.ietf-lisp-rfc6833bis'?>





    </references>

    <references title="Informative References">
      <?rfc include="reference.RFC.6740"?>
      <?rfc include="reference.RFC.6830"?>
      <?rfc include="reference.RFC.6833"?>
     <?rfc include="reference.RFC.6973"?>
      <?rfc include="reference.RFC.8061"?>


      <?rfc include="reference.RFC.7217"?>

  	         <?rfc include='reference.I-D.xyz-pidloc-ps'?>

     	         <?rfc include='reference.I-D.ietf-intarea-tunnels'?>
     <?rfc include='reference.I-D.herbert-intarea-ila'?>
     <?rfc include='reference.I-D.nordmark-id-loc-privacy'?>

  	<?rfc include='reference.I-D.ietf-lisp-sec'?>
	 <reference anchor="NYC_cab">
        <front>
          <title>Anonymizing NYC Taxi Data: Does It Matter?</title>
          <author initials="M" surname="Douriez, et al.">
          </author>

          <date year="2016"/>
        </front>
        <seriesInfo name="Proc. of IEEE Intl.
Conf. on Data Science and Advanced Analytics (DSAA'16)" value=""/>
        <seriesInfo name="pp." value="140-148"/>
      </reference>

    </references>

  </back>

</rfc>
