idnits 2.17.1 draft-carpenter-limited-domains-05.txt: Checking boilerplate required by RFC 5378 and the IETF Trust (see https://trustee.ietf.org/license-info): ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt: ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/checklist : ---------------------------------------------------------------------------- No issues found here. Miscellaneous warnings: ---------------------------------------------------------------------------- == The copyright year in the IETF Trust and authors Copyright Line does not match the current year -- The document date (December 12, 2018) is 1955 days in the past. Is this intentional? Checking references for intended status: Informational ---------------------------------------------------------------------------- == Unused Reference: 'I-D.herbert-fast' is defined on line 825, but no explicit reference was found in the text == Outdated reference: A later version (-07) exists of draft-herbert-fast-03 == Outdated reference: A later version (-26) exists of draft-ietf-6man-segment-routing-header-15 == Outdated reference: A later version (-30) exists of draft-ietf-anima-autonomic-control-plane-18 == Outdated reference: A later version (-13) exists of draft-ietf-detnet-architecture-09 == Outdated reference: A later version (-20) exists of draft-ietf-detnet-use-cases-19 == Outdated reference: A later version (-17) exists of draft-ietf-intarea-frag-fragile-04 == Outdated reference: A later version (-30) exists of draft-ietf-ipwave-vehicular-networking-07 == Outdated reference: A later version (-10) exists of draft-ietf-opsec-ipv6-eh-filtering-06 == Outdated reference: A later version (-10) exists of draft-voyer-6man-extension-header-insertion-04 Summary: 0 errors (**), 0 flaws (~~), 11 warnings (==), 1 comment (--). Run idnits with the --verbose option for more detailed information about the items above. -------------------------------------------------------------------------------- 2 Network Working Group B. Carpenter 3 Internet-Draft Univ. of Auckland 4 Intended status: Informational B. Liu 5 Expires: June 15, 2019 Huawei Technologies 6 December 12, 2018 8 Limited Domains and Internet Protocols 9 draft-carpenter-limited-domains-05 11 Abstract 13 There is a noticeable trend towards network requirements, behaviours 14 and semantics that are specific to a limited region of the Internet 15 and a particular set of requirements. Policies, default parameters, 16 the options supported, the style of network management and security 17 requirements may vary. This document reviews examples of such 18 limited domains, also known as controlled environments, and emerging 19 solutions, and develops a related taxonomy. It then briefly 20 discusses the standardization of protocols for limited domains. 21 Finally, it shows the needs for a precise definition of limited 22 domain membership and for mechanisms to allow nodes to join a domain 23 securely and to find other members, including boundary nodes. 25 Status of This Memo 27 This Internet-Draft is submitted in full conformance with the 28 provisions of BCP 78 and BCP 79. 30 Internet-Drafts are working documents of the Internet Engineering 31 Task Force (IETF). Note that other groups may also distribute 32 working documents as Internet-Drafts. The list of current Internet- 33 Drafts is at https://datatracker.ietf.org/drafts/current/. 35 Internet-Drafts are draft documents valid for a maximum of six months 36 and may be updated, replaced, or obsoleted by other documents at any 37 time. It is inappropriate to use Internet-Drafts as reference 38 material or to cite them other than as "work in progress." 40 This Internet-Draft will expire on June 15, 2019. 42 Copyright Notice 44 Copyright (c) 2018 IETF Trust and the persons identified as the 45 document authors. All rights reserved. 47 This document is subject to BCP 78 and the IETF Trust's Legal 48 Provisions Relating to IETF Documents 49 (https://trustee.ietf.org/license-info) in effect on the date of 50 publication of this document. Please review these documents 51 carefully, as they describe your rights and restrictions with respect 52 to this document. Code Components extracted from this document must 53 include Simplified BSD License text as described in Section 4.e of 54 the Trust Legal Provisions and are provided without warranty as 55 described in the Simplified BSD License. 57 Table of Contents 59 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2 60 2. Failure Modes in Today's Internet . . . . . . . . . . . . . . 4 61 3. Examples of Limited Domain Requirements . . . . . . . . . . . 4 62 4. Examples of Limited Domain Solutions . . . . . . . . . . . . 7 63 5. Taxonomy of Limited Domains . . . . . . . . . . . . . . . . . 10 64 5.1. The Domain as a Whole . . . . . . . . . . . . . . . . . . 10 65 5.2. Individual Nodes . . . . . . . . . . . . . . . . . . . . 11 66 5.3. The Domain Boundary . . . . . . . . . . . . . . . . . . . 11 67 5.4. Topology . . . . . . . . . . . . . . . . . . . . . . . . 11 68 5.5. Technology . . . . . . . . . . . . . . . . . . . . . . . 12 69 5.6. Connection to the Internet . . . . . . . . . . . . . . . 12 70 5.7. Security, Trust and Privacy Model . . . . . . . . . . . . 12 71 5.8. Operations . . . . . . . . . . . . . . . . . . . . . . . 13 72 5.9. Making use of this taxonomy . . . . . . . . . . . . . . . 13 73 6. The Scope of Protocols in Limited Domains . . . . . . . . . . 13 74 7. Functional Requirements of Limited Domains . . . . . . . . . 15 75 8. Security Considerations . . . . . . . . . . . . . . . . . . . 17 76 9. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 17 77 10. Contributors . . . . . . . . . . . . . . . . . . . . . . . . 17 78 11. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 17 79 12. Informative References . . . . . . . . . . . . . . . . . . . 17 80 Appendix A. Change log [RFC Editor: Please remove] . . . . . . . 22 81 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 23 83 1. Introduction 85 As the Internet continues to grow and diversify, with a realistic 86 prospect of tens of billions of nodes being connected directly and 87 indirectly, there is a noticeable trend towards local requirements, 88 behaviours and semantics. The word "local" should be understood in a 89 special sense, however. In some cases it may refer to geographical 90 and physical locality - all the nodes in a single building, on a 91 single campus, or in a given vehicle. In other cases it may refer to 92 a defined set of users or nodes distributed over a much wider area, 93 but drawn together by a single virtual network over the Internet, or 94 a single physical network running partially in parallel with the 95 Internet. We expand on these possibilities below. To capture the 96 topic, this document refers to such networks as "limited domains". 98 Some people have concerns about splintering of the Internet along 99 political or linguistic boundaries by mechanisms that block the free 100 flow of information across the network. That is not the topic of 101 this document, which does not discuss filtering mechanisms and does 102 not apply to protocols that are designed for use across the whole 103 Internet. It is only concerned with domains that have specific 104 technical requirements. 106 The word "domain" in this document does not refer to naming domains 107 in the DNS, although in some cases a limited domain might 108 incidentally be congruent with a DNS domain. 110 Another term that has been used in some contexts is "controlled 111 environment". For example, [RFC8085] uses this to delimit the scope 112 within which a particular tunnel encapsulation might be used. A 113 specific example is GRE-in-UDP encapsulation [RFC8086] which 114 explicitly states that "The controlled environment has less 115 restrictive requirements than the general Internet." For example, 116 non-congestion-controlled traffic might be acceptable within the 117 controlled environment. The same phrase has been used to delimit the 118 scope of quality of service or security protocols, e.g. [RFC6398], 119 [RFC6455]. In this document, we assume that "limited domain" and 120 "controlled environment" mean the same thing. 122 The requirements of limited domains will be different in different 123 scenarios. Policies, default parameters, and the options supported 124 may vary. Also, the style of network management may vary, between a 125 completely unmanaged network, one with fully autonomic management, 126 one with traditional central management, and mixtures of the above. 127 Finally, the requirements and solutions for security and privacy may 128 vary. 130 This documents analyses and discusses some of the consequences of 131 this trend, and how it impacts the idea of universal interoperability 132 in the Internet. Firstly we list examples of limited domain 133 scenarios and of technical solutions for limited domains, with the 134 main focus being the Internet layer of the protocol stack. Then we 135 develop a taxonomy of the features to be found in limited domains. 136 With this background, we discuss the resulting challenge to the idea 137 that all Internet standards must be universal in scope and 138 applicability. To the contrary, we assert that some protocols need 139 to be specifically limited in their applicability. This implies that 140 the concepts of a limited domain, and of its membership, need to be 141 formalised and supported by secure mechanisms. While this document 142 does not propose a design for such mechanisms, it does outline some 143 resulting functional requirements. 145 2. Failure Modes in Today's Internet 147 Today, the Internet does not have a well-defined concept of limited 148 domains. One result of this is that certain protocols and features 149 fail on certain paths. Earlier analyses of this topic have focused 150 either on the loss of transparency of the Internet [RFC2775], 151 [RFC4924] or on the middleboxes responsible for that loss [RFC3234], 152 [RFC7663], [I-D.dolson-plus-middlebox-benefits]. Unfortunately the 153 problems persist, both in application protocols, and even in very 154 fundamental mechanisms. For example, the Internet is not transparent 155 to IPv6 extension headers [RFC7872], and Path MTU Discovery has been 156 unreliable for many years [RFC2923], [RFC4821]. IP fragmentation is 157 also unreliable [I-D.ietf-intarea-frag-fragile], and problems in TCP 158 MSS negotiation have been reported 159 [I-D.andrews-tcp-and-ipv6-use-minmtu]. 161 On the security side, the widespread insertion of firewalls at domain 162 boundaries that are perceived by humans but unknown to protocols 163 results in arbitrary failure modes as far as the application layer is 164 concerned. There are operational recommendations and practices that 165 effectively guarantee arbitrary failures in realistic scenarios 166 [I-D.ietf-opsec-ipv6-eh-filtering]. 168 The recent discussions about the unreliability of IP fragmentation 169 and the filtering of IPv6 extension headers have clearly shown that 170 at least for some protocol elements, transparency is a lost cause and 171 middleboxes are here to stay. In summary, some application 172 environments require protocol features that cannot cross the whole 173 Internet. Ignoring this during protocol design is not an option. 175 3. Examples of Limited Domain Requirements 177 This section describes various examples where limited domain 178 requirements can easily be identified, either based on an application 179 scenario or on a technical imperative. It is of course not a 180 complete list, and it is presented in an arbitrary order, loosely 181 from smaller to bigger. 183 1. A home network. It will be unmanaged, constructed by a non- 184 specialist, and will possibly include wiring errors such as 185 physical loops. It must work with devices "out of the box" as 186 shipped by their manufacturers and must create adequate security 187 by default. Remote access may be required. The requirements 188 and applicable principles are summarised in [RFC7368]. 190 2. A small office network. This is sometimes very similar to a 191 home network, if whoever is in charge has little or no 192 specialist knowledge, but may have differing security and 193 privacy requirements. In other cases it may be professionally 194 constructed using recommended products and configurations, but 195 operate unmanaged. Remote access may be required. 197 3. A vehicle network. This will be designed by the vehicle 198 manufacturer but may include devices added by the vehicle's 199 owner or operator. Parts of the network will have demanding 200 performance and reliability requirements with implications for 201 human safety. Remote access may be required to certain 202 functions, but absolutely forbidden for others. Communication 203 with other vehicles, roadside infrastructure, and external data 204 sources will be required. See 205 [I-D.ietf-ipwave-vehicular-networking] for a survey of use 206 cases. 208 4. Supervisory Control And Data Acquisition (SCADA) networks, and 209 other hard real time networks. These will exhibit specific 210 technical requirements, including tough real-time performance 211 targets. See for example [I-D.ietf-detnet-use-cases] for 212 numerous use cases. An example is a building services network. 213 This will be designed specifically for a particular building, 214 but using standard components. Additional devices may need to 215 be added at any time. Parts of the network may have demanding 216 reliability requirements with implications for human safety. 217 Remote access may be required to certain functions, but 218 absolutely forbidden for others. 220 5. Sensor networks. The two preceding cases will all include 221 sensors, but some networks may be specifically limited to 222 sensors and the collection and processing of sensor data. They 223 may be in remote or technically challenging locations and 224 installed by non-specialists. 226 6. Internet of Things (IoT) networks. While this term is very 227 flexible and covers many innovative types of network, including 228 ad hoc networks that are formed spontaneously, it seems 229 reasonable to expect that IoT edge networks will have special 230 requirements and protocols that are useful only within a 231 specific domain, and that these protocols cannot, and for 232 security reasons should not, run over the Internet as a whole. 234 7. An important subclass of IoT networks consists of constrained 235 networks [RFC7228] in which the nodes are limited in power 236 consumption and communications bandwidth, and are therefore 237 limited to using very frugal protocols. 239 8. Delay tolerant networks may consist of domains that are 240 relatively isolated and constrained in power (e.g. deep space 241 networks) and are connected only intermittently to the outside, 242 with a very long latency on such connections [RFC4838]. Clearly 243 the protocol requirements and possibilities are very specialised 244 in such networks. 246 9. "Traditional" enterprise and campus networks, which may be 247 spread over many kilometres and over multiple separate sites, 248 with multiple connections to the Internet. Interestingly, the 249 IETF appears never to have analysed this long-established class 250 of networks in a general way, except in connection with IPv6 251 deployment (e.g. [RFC7381]). 253 10. Data centres and hosting centres, or distributed services acting 254 as such centres. These will have high performance, security and 255 privacy requirements and will typically include large numbers of 256 independent "tenant" networks overlaid on shared infrastructure. 258 11. Content Delivery Networks (CDNs), comprising distributed data 259 centres and the paths between them, spanning thousands of 260 kilometres, with numerous connections to the Internet. 262 12. Massive Web Service Provider Networks. This is a small class of 263 networks with well known trademarked names, combining aspects of 264 distributed enterprise networks, data centres and CDNs. They 265 have their own international networks bypassing the generic 266 carriers. Like CDNs, they have numerous connections to the 267 Internet, typically offering a tailored service in each economy. 269 Three other aspects, while not tied to specific network types, also 270 strongly depend on the concept of limited domains: 272 1. Intent Based Networking. In this concept, a network domain is 273 configured and managed in accordance with an abstract policy 274 known as "Intent", to ensure that the network performs as 275 required [I-D.moulchan-nmrg-network-intent-concepts]. Whatever 276 technologies are used to support this, they will be applied 277 within the domain boundary. 279 2. Many of the above types of network may be extended throughout the 280 Internet by a variety of virtual private network (VPN) 281 techniques. Therefore we argue that limited domains may overlap 282 each other in an arbitrary fashion by use of virtualization 283 techniques. As noted above in the discussion of controlled 284 environments, specific tunneling and encapsulation techniques may 285 only be usable within a given domain. 287 3. Network Slicing. A network slice is a virtual network that 288 consists of a managed set of resources carved off from a larger 289 network [I-D.geng-netslices-architecture]. Whatever technologies 290 are used to support slicing, they will require a clear definition 291 of the boundary of a given slice. 293 While it is clearly desirable to use common solutions, and therefore 294 common standards, wherever possible, it is increasingly difficult to 295 do so while satisfying the widely varying requirements outlined 296 above. However, there is a tendency when new protocols and protocol 297 extensions are proposed to always ask the question "How will this 298 work across the open Internet?" This document suggests that this is 299 not always the right question. There are protocols and extensions 300 that are not intended to work across the open Internet. On the 301 contrary, their requirements and semantics are specifically limited 302 (in the sense defined above). 304 A common argument is that if a protocol is intended for limited use, 305 the chances are very high that it will in fact be used (or misused) 306 in other scenarios including the so-called open Internet. This is 307 undoubtedly true and means that limited use is not an excuse for bad 308 design or poor security. In fact, a limited use requirement 309 potentially adds complexity to both the protocol and its security 310 design, as discussed later. 312 Nevertheless, because of the diversity of limited domainss with 313 specific requirements that is now emerging, specific standards (and 314 ad hoc standards) will probably emerge for different types of domain. 315 There will be attempts to capture each market sector, but the market 316 will demand standardised solutions. In addition, operational choices 317 will be made that can in fact only work within a limited domain. The 318 history of RSVP illustrates that a standard defined as if it could 319 work over the open Internet may not in fact do so. In general we 320 cannot assume that a protocol designed according to classical 321 Internet guidelines will in fact work reliably across the network as 322 a whole. However, the "open Internet" must remain as the universal 323 method of interconnection. Reconciling these two aspects is a major 324 challenge. 326 4. Examples of Limited Domain Solutions 328 This section lists various examples of specific limited domain 329 solutions that have been proposed or defined. It intentionally does 330 not include Layer 2 technology solutions, which by definition apply 331 to limited domains. 333 1. Differentiated Services. This mechanism [RFC2474] allows a 334 network to assign locally significant values to the 6-bit 335 Differentiated Services Code Point field in any IP packet. 336 Although there are some recommended codepoint values for 337 specific per-hop queue management behaviours, these are 338 specifically intended to be domain-specific codepoints with 339 traffic being classified, conditioned and re-marked at domain 340 boundaries (unless there is an inter-domain agreement that makes 341 re-marking unnecessary). 343 2. Integrated Services. Although it is not intrinsic in the design 344 of RSVP [RFC2205], it is clear from many years' experience that 345 Integrated Services can only be deployed successfully within a 346 limited domain that is configured with adequate equipment and 347 resources. 349 3. Network function virtualisation. As described in 350 [I-D.irtf-nfvrg-gaps-network-virtualization], this general 351 concept is an open research topic, in which virtual network 352 functions are orchestrated as part of a distributed system. 353 Inevitably such orchestration applies to an administrative 354 domain of some kind, even though cross-domain orchestration is 355 also a research area. 357 4. Service Function Chaining (SFC). This technique [RFC7665] 358 assumes that services within a network are constructed as 359 sequences of individual functions within a specific SFC-enabled 360 domain. As that RFC states: "Specific features may need to be 361 enforced at the boundaries of an SFC-enabled domain, for example 362 to avoid leaking SFC information". A Network Service Header 363 (NSH) [RFC8300] is used to encapsulate packets flowing through 364 the service function chain: "The intended scope of the NSH is 365 for use within a single provider's operational domain." 367 5. Firewall and Service Tickets (FAST). Such tickets would 368 accompany a packet to claim the right to traverse a network or 369 request a specific network service [I-D.herbert-fast]". They 370 would only be valid within a particular domain. 372 6. Data Centre Network Virtualization Overlays. A common 373 requirement in data centres that host many tenants (clients) is 374 to provide each one with a secure private network, all running 375 over the same physical infrastructure. [RFC8151] describes 376 various use cases for this, and specifications are under 377 development. These include use cases in which the tenant 378 network is physically split over several data centres, but which 379 must appear to the user as a single secure domain. 381 7. Segment Routing. This is a technique which "steers a packet 382 through an ordered list of instructions, called segments" 383 [I-D.ietf-spring-segment-routing]. The semantics of these 384 instructions are explicitly local to a segment routing domain or 385 even to a single node. Technically, these segments or 386 instructions are represented as an MPLS label or an IPv6 387 address, which clearly adds a semantic interpretation to them 388 within the domain. 390 8. Autonomic Networking. As explained in 391 [I-D.ietf-anima-reference-model], an autonomic network is also a 392 security domain within which an autonomic control plane 393 [I-D.ietf-anima-autonomic-control-plane] is used by service 394 agents. These service agents manage technical objectives, which 395 may be locally defined, subject to domain-wide policy. Thus the 396 domain boundary is important for both security and protocol 397 purposes. 399 9. Homenet. As shown in [RFC7368], a home networking domain has 400 specific protocol needs that differ from those in an enterprise 401 network or the Internet as a whole. These include the Home 402 Network Control Protocol (HNCP) [RFC7788] and a naming and 403 discovery solution [I-D.ietf-homenet-simple-naming]. 405 10. Creative uses of IPv6 features. As IPv6 enters more general 406 use, engineers notice that it has much more flexibility than 407 IPv4. Innovative suggestions have been made for: 409 * The flow label, e.g. [RFC6294], 410 [I-D.fioccola-v6ops-ipv6-alt-mark]. 412 * Extension headers, e.g. for segment routing 413 [I-D.ietf-6man-segment-routing-header]. 415 * Meaningful address bits, e.g. [I-D.jiang-semantic-prefix]. 416 Also, segment routing uses IPv6 addresses as segment 417 identifiers with specific local meanings 418 [I-D.ietf-spring-segment-routing]. 420 All of these suggestions are only viable within a specified 421 domain. The case of the extension header is particularly 422 interesting, since its existence has been a major "selling 423 point" for IPv6, but it is notorious that new extension headers 424 are virtually impossible to deploy across the whole Internet 425 [RFC7045], [RFC7872]. It is worth noting that extension header 426 filtering is considered as an important security issue 427 [I-D.ietf-opsec-ipv6-eh-filtering]. There is considerable 428 appetite among vendors or operators to have flexibility in 429 defining extension headers for use in limited or specialised 430 domains, e.g. [I-D.voyer-6man-extension-header-insertion] and 431 [BIGIP]. 433 11. Deterministic Networking (DetNet). The Deterministic Networking 434 Architecture [I-D.ietf-detnet-architecture] and encapsulation 435 [I-D.ietf-detnet-dp-sol] aim to support flows with extremely low 436 data loss rates and bounded latency, but only within a part of 437 the network that is "DetNet aware". Thus, as for differentiated 438 services above, the concept of a domain is fundamental. 440 12. Provisioning Domains (PvDs). An architecture for Multiple 441 Provisioning Domains has been defined [RFC7556] to allow hosts 442 attached to multiple networks to learn explicit details about 443 the services provided by each of those networks. 445 5. Taxonomy of Limited Domains 447 This section develops a taxonomy for describing limited domains. 448 Several major aspects are considered in this taxonomy: 450 o The domain as a whole. 452 o The individual nodes. 454 o The domain boundary. 456 o The domain's topology. 458 o The domain's technology. 460 o How the domain connects to the Internet. 462 o The security, trust and privacy model. 464 o Operations. 466 The following sub-sections analyse each of these aspects. 468 5.1. The Domain as a Whole 470 o Why does the domain exist? (e.g., human choice, administrative 471 policy, orchestration requirements, technical requirements) 473 o If there are special requirements, are they at Layer 2, Layer 3 or 474 an upper layer? 476 o Is the domain managed by humans or fully autonomic? 478 o If managed, what style of management applies? (Manual 479 configuration, automated configuration, orchestration?) 481 o Is there a policy model? (Intent, configuration policies?) 483 o Does the domain provide controlled or paid service or open access? 485 5.2. Individual Nodes 487 o Is a domain member a complete node, or only one interface of a 488 node? 490 o Are nodes permanent members of a given domain, or are join and 491 leave operations possible? 493 o Are nodes physical or virtual devices? 495 o Are virtual nodes general-purpose, or limited to specific 496 functions, applications or users? 498 o Are nodes constrained (by battery etc)? 500 o Are devices installed "out of the box" or pre-configured? 502 5.3. The Domain Boundary 504 o How is the domain boundary identified or defined? 506 o Is the domain boundary fixed or dynamic? 508 o Are boundary nodes special? Or can any node be at the boundary? 510 5.4. Topology 512 o Is the domain a subset of a layer 2 or 3 connectivity domain? 514 o In IP addressing terms, is the domain Link-local, Site-local, or 515 Global? 517 o Does the domain overlap other domains? (In other words, a node 518 may or may not be allowed to be a member of multiple domains.) 520 o Does the domain match physical topology, or does it have a virtual 521 (overlay) topology? 523 o Is the domain in a single building, vehicle or campus? Or is it 524 distributed? 526 o If distributed, are the interconnections private or over the 527 Internet? 529 o In IP addressing terms, is the domain Link-local, Site-local, or 530 Global? 532 5.5. Technology 534 o In routing terms, what routing protocol(s) are used, or even 535 different forwarding mechanisms (MPLS or other non-IP mechanism)? 537 o In an overlay domain, what overlay technique is used (L2VPN, 538 L3VPN,...)? 540 o Are there specific QoS requirements? 542 o Link latency - normal or long latency links? 544 o Mobility - are nodes mobile? Is the whole network mobile? 546 o Which specific technologies, such as those in Section 4, are 547 applicable? 549 5.6. Connection to the Internet 551 o Is the Internet connection permanent or intermittent? (Never 552 connected is out of scope.) 554 o What traffic is blocked, in and out? 556 o What traffic is allowed, in and out? 558 o What traffic is transformed, in and out? 560 o Is secure and privileged remote access needed? 562 o Does the domain allow unprivileged remote sessions? 564 5.7. Security, Trust and Privacy Model 566 o Must domain members be authorized? 568 o Are all nodes in the domain at the same trust level? 570 o Is traffic authenticated? 572 o Is traffic encrypted? 574 o What is hidden from the outside? 576 5.8. Operations 578 o Safety level - does the domain have a critical (human) safety 579 role? 581 o Reliability requirement - normal or 99.999% ? 583 o Environment - hazardous conditions? 585 o Installation - are specialists needed? 587 o Service visits - easy, difficult, impossible? 589 o Software/firmware updates - possible or impossible? 591 5.9. Making use of this taxonomy 593 This taxonomy could be used to design or analyse a specific type of 594 limited domain. For the present document, it is intended to form a 595 background to the following two sections, concerning the scope of 596 protocols used in limited domains, and mechanisms reuqired to 597 securely define domain membership and properties. 599 6. The Scope of Protocols in Limited Domains 601 One consequence of the deployment of limited domains in the Internet 602 is that some protocols will be designed, extended or configured so 603 that they only work correctly between end systems in such domains. 604 This is to some extent encouraged by some existing standards and by 605 the assignment of code points for local or experimental use. In any 606 case it cannot be prevented. Also, by endorsing efforts such as 607 Service Function Chaining, Segment Routing and Deterministic 608 Networking, the IETF is in effect encouraging such deployments. 609 Furthermore, it seems inevitable, if the "Internet of Things" becomes 610 reality, that millions of edge networks containing completely novel 611 types of node will be connected to the Internet; each one of these 612 edge networks will be a limited domain. 614 It is therefore appropriate to discuss whether protocols or protocol 615 extensions should sometimes be standardised to interoperate only 616 within a Limited Domain Boundary. Such protocols would not be 617 required to interoperate across the Internet as a whole. Several 618 possibly overlapping scenarios could then arise: 620 A. If a limited domain is split into two parts connected over the 621 Internet directly at the IP layer (i.e. with no tunnel 622 encapsulating the packets), a limited-domain protocol could be 623 operated between those two parts regardless of its special nature, 624 as long as it respects standard IP formats and is not arbitrarily 625 blocked by firewalls. A simple example is any protocol using a 626 port number assigned to a specific non-IETF protocol. 628 Such a protocol could reasonably be described as an "inter-domain" 629 protocol because the Internet is transparent to it, even if it is 630 meaningless except in the two parts of the limited domain. This 631 is of course nothing new in the Internet architecture. 633 B. If a limited-domain protocol does not respect standard IP 634 formats (for example, if it includes a non-standard IPv6 extension 635 header), it could not be operated between two parts of a domain 636 split at the IP layer. 638 Such a protocol could reasonably be described as an "intra-domain" 639 protocol, and the Internet is opaque to it. 641 C. If a limited-domain protocol is clearly specified to be 642 invalid outside its domain of origin, neither scenario A nor B 643 applies. The two domains need to be unified as a single virtual 644 domain. For example, an encapsulating tunnel between the parts of 645 the split domain could be used. Also, nodes at the domain 646 boundary must drop all packets using the limited-domain protocol. 648 D. If a limited-domain protocol has domain-specific variants, 649 such that implementations in different domains could not 650 interoperate if those domains were unified by some mechanism, the 651 protocol is not interoperable in the normal sense. If two domains 652 using it were merged, the protocol might fail unpredictably. A 653 simple example is any protocol using a port number assigned for 654 experimental use. Such a protocol usually also falls into 655 scenario C. 657 To provide an existing example, consider Differentiated Services 658 [RFC2474]. A packet containing any value whatever in the 6 bits of 659 the Differentiated Service Code Point (DSCP) is well-formed and falls 660 into scenario A. However, because the semantics of DSCP values are 661 locally significant, the packet also falls into scenario D. In fact, 662 differentiated services are only interoperable across domain 663 boundaries if there is a corresponding agreement between the 664 operators; otherwise a specific gateway function is required for 665 meaningful interoperability. Much more detailed discussion is to be 666 found in [RFC2474] and [RFC8100]. 668 To provide a provocative example, consider the proposal in 669 [I-D.voyer-6man-extension-header-insertion] that the restrictions in 670 [RFC8200] should be relaxed to allow IPv6 extension headers to be 671 inserted on the fly in IPv6 packets. If this is done in such a way 672 that the affected packets can never leave the specific limited domain 673 in which they were modified, scenario C applies. If the semantic 674 content of the inserted headers is locally defined, scenario D also 675 applies. In neither case is the Internet disturbed. 677 We conclude that it is reasonable to explicitly define limited-domain 678 protocols, either as standards or as proprietary mechanisms, as long 679 as they describe which of the above scenarios apply and they clarify 680 how the domain is defined. As long as all relevant standards are 681 respected outside the domain boundary, a well-specified limited- 682 domain protocol is not harmful to the Internet. However, as 683 described in the next section, mechanisms are needed to support 684 domain membership operations. 686 7. Functional Requirements of Limited Domains 688 As the preceding taxonomy shows, there are very numerous aspects to a 689 domain, so the common features are not immediately obvious. It would 690 be possible, but tedious, to apply the taxonomy to each of the domain 691 types described in Section 3. However, we can deduce some generally 692 required features and functions without doing so. 694 A basic assumption is that domains should be created and managed as 695 automatically as possible, with minimal human configuration required. 696 We therefore investigate protocol requirements for automating domain 697 creation and management. 699 Firstly, if we drew a topology map, any domain -- virtual or physical 700 -- will have a well defined boundary between "inside" and "outside". 701 However, that boundary in itself has no technical meaning. What 702 matters in reality is whether a node is a member of the domain, and 703 whether it is at the boundary between the domain and the rest of the 704 Internet. Thus the boundary in itself does not need to be 705 identified. However, a sending node needs to know whether it is 706 sending to an inside or outside destination; a receiving node needs 707 to know whether a packet originated inside or outside; and a boundary 708 node needs to know which of its interfaces are inward-facing or 709 outward-facing. It is irrelevant whether the interfaces involved are 710 physical or virtual. 712 With this perspective, we can list some general functional 713 requirements. An underlying assumption here is that domain 714 membership operations should be cryptographically secured; a domain 715 without such security cannot be reliably protected from attack. 717 1. Domain Identity. A domain must have a unique and verifiable 718 identifier; effectively this should be a public key for the 719 domain. Without this, there is no way to secure domain 720 operations and domain membership. The holder of the 721 corresponding private key becomes the trust anchor for the 722 domain. 724 2. Node Eligibility. It must be possible for a node to determine 725 which domain(s) it can potentially join, and on which 726 interface(s). 728 3. Secure Enrolment. A node must be able to enrol in a given domain 729 via secure node identfication and to acquire relevant security 730 credentials (authorization) for operations within the domain. If 731 a node has multiple physical or virtual interfaces, they may 732 require to be individually enrolled. 734 4. Withdrawal. A node must be able to cancel enrolment in a given 735 domain. 737 5. Dynamic Membership. Optionally, a node should be able 738 temporarily leave or rejoin a domain (i.e. enrolment is 739 persistent but membership is intermittent). 741 6. Role, implying authorization to perform a certain set of actions. 742 A node must have a verifiable role. In the simplest case, the 743 choices of role are "interior node" and "boundary node". In a 744 boundary node, individual interfaces may have different roles, 745 e.g. "inward facing" and "outward facing". 747 7. Verify Peer. A node must be able to verify whether another node 748 is a member of the domain. 750 8. Verify Role. A node must be able to learn the verified role of 751 another node. In particular, it must be possible for a node to 752 find boundary nodes (interfacing to the Internet). 754 9. Domain Data. In a domain with management requirements, it must 755 be possible for a node to acquire domain policy and/or domain 756 configuration data. This would include, for example, filtering 757 policy to ensure that inappropriate packets do not leave the 758 domain. 760 These requirements could form the basis for further analysis and 761 solution design. 763 Another aspect is whether individual packets within a limited domain 764 need to carry any sort of indicator that they belong to that domain, 765 or whether this information will be implicit in the IP addresses of 766 the packet. A related question is whether individual packets need 767 cryptographic authentication. This topic is for further study. 769 8. Security Considerations 771 Clearly, the boundary of a limited domain will almost always also act 772 as a security boundary. In particular, it will serve as a trust 773 boundary, and as a boundary of authority for defining capabilities. 774 Within the boundary, limited-domain protocols or protocol features 775 will be useful, but they will be meaningless if they enter or leave 776 the domain. 778 The security model for a limited-scope protocol must allow for the 779 boundary, and in particular for a trust model that changes at the 780 boundary. Typically, credentials will need to be signed by a domain- 781 specific authority. 783 9. IANA Considerations 785 This document makes no request of the IANA. 787 10. Contributors 789 Sheng Jiang made important contributions to this document. 791 11. Acknowledgements 793 Useful comments were received from Amelia Andersdotter, Edward 794 Birrane, David Black, Ron Bonica, Tim Chown, Darren Dukes, Tom 795 Herbert, John Klensin, Michael Richardson, Rick Taylor, Niels ten 796 Oever, and other members of the ANIMA and INTAREA WGs. 798 12. Informative References 800 [BIGIP] Li, R., "HUAWEI - Big IP Initiative.", 2018, 801 . 803 [I-D.andrews-tcp-and-ipv6-use-minmtu] 804 Andrews, M., "TCP Fails To Respect IPV6_USE_MIN_MTU", 805 draft-andrews-tcp-and-ipv6-use-minmtu-04 (work in 806 progress), October 2015. 808 [I-D.dolson-plus-middlebox-benefits] 809 Dolson, D., Snellman, J., Boucadair, M., and C. Jacquenet, 810 "Beneficial Functions of Middleboxes", draft-dolson-plus- 811 middlebox-benefits-03 (work in progress), March 2017. 813 [I-D.fioccola-v6ops-ipv6-alt-mark] 814 Fioccola, G., Velde, G., Cociglio, M., and P. Muley, "IPv6 815 Performance Measurement with Alternate Marking Method", 816 draft-fioccola-v6ops-ipv6-alt-mark-01 (work in progress), 817 June 2018. 819 [I-D.geng-netslices-architecture] 820 67, 4., Dong, J., Bryant, S., kiran.makhijani@huawei.com, 821 k., Galis, A., Foy, X., and S. Kuklinski, "Network Slicing 822 Architecture", draft-geng-netslices-architecture-02 (work 823 in progress), July 2017. 825 [I-D.herbert-fast] 826 Herbert, T., "Firewall and Service Tickets", draft- 827 herbert-fast-03 (work in progress), September 2018. 829 [I-D.ietf-6man-segment-routing-header] 830 Filsfils, C., Previdi, S., Leddy, J., Matsushima, S., and 831 d. daniel.voyer@bell.ca, "IPv6 Segment Routing Header 832 (SRH)", draft-ietf-6man-segment-routing-header-15 (work in 833 progress), October 2018. 835 [I-D.ietf-anima-autonomic-control-plane] 836 Eckert, T., Behringer, M., and S. Bjarnason, "An Autonomic 837 Control Plane (ACP)", draft-ietf-anima-autonomic-control- 838 plane-18 (work in progress), August 2018. 840 [I-D.ietf-anima-reference-model] 841 Behringer, M., Carpenter, B., Eckert, T., Ciavaglia, L., 842 and J. Nobre, "A Reference Model for Autonomic 843 Networking", draft-ietf-anima-reference-model-10 (work in 844 progress), November 2018. 846 [I-D.ietf-detnet-architecture] 847 Finn, N., Thubert, P., Varga, B., and J. Farkas, 848 "Deterministic Networking Architecture", draft-ietf- 849 detnet-architecture-09 (work in progress), October 2018. 851 [I-D.ietf-detnet-dp-sol] 852 Korhonen, J., Andersson, L., Jiang, Y., Finn, N., Varga, 853 B., Farkas, J., Bernardos, C., Mizrahi, T., and L. Berger, 854 "DetNet Data Plane Encapsulation", draft-ietf-detnet-dp- 855 sol-04 (work in progress), March 2018. 857 [I-D.ietf-detnet-use-cases] 858 Grossman, E., "Deterministic Networking Use Cases", draft- 859 ietf-detnet-use-cases-19 (work in progress), October 2018. 861 [I-D.ietf-homenet-simple-naming] 862 Lemon, T., Migault, D., and S. Cheshire, "Homenet Naming 863 and Service Discovery Architecture", draft-ietf-homenet- 864 simple-naming-03 (work in progress), October 2018. 866 [I-D.ietf-intarea-frag-fragile] 867 Bonica, R., Baker, F., Huston, G., Hinden, R., Troan, O., 868 and F. Gont, "IP Fragmentation Considered Fragile", draft- 869 ietf-intarea-frag-fragile-04 (work in progress), November 870 2018. 872 [I-D.ietf-ipwave-vehicular-networking] 873 Jeong, J., "IP Wireless Access in Vehicular Environments 874 (IPWAVE): Problem Statement and Use Cases", draft-ietf- 875 ipwave-vehicular-networking-07 (work in progress), 876 November 2018. 878 [I-D.ietf-opsec-ipv6-eh-filtering] 879 Gont, F. and W. LIU, "Recommendations on the Filtering of 880 IPv6 Packets Containing IPv6 Extension Headers", draft- 881 ietf-opsec-ipv6-eh-filtering-06 (work in progress), July 882 2018. 884 [I-D.ietf-spring-segment-routing] 885 Filsfils, C., Previdi, S., Ginsberg, L., Decraene, B., 886 Litkowski, S., and R. Shakir, "Segment Routing 887 Architecture", draft-ietf-spring-segment-routing-15 (work 888 in progress), January 2018. 890 [I-D.irtf-nfvrg-gaps-network-virtualization] 891 Bernardos, C., Rahman, A., Zuniga, J., Contreras, L., 892 Aranda, P., and P. Lynch, "Network Virtualization Research 893 Challenges", draft-irtf-nfvrg-gaps-network- 894 virtualization-10 (work in progress), September 2018. 896 [I-D.jiang-semantic-prefix] 897 Jiang, S., Qiong, Q., Farrer, I., Bo, Y., and T. Yang, 898 "Analysis of Semantic Embedded IPv6 Address Schemas", 899 draft-jiang-semantic-prefix-06 (work in progress), July 900 2013. 902 [I-D.moulchan-nmrg-network-intent-concepts] 903 Sivakumar, K. and M. Chandramouli, "Concepts of Network 904 Intent", draft-moulchan-nmrg-network-intent-concepts-00 905 (work in progress), October 2017. 907 [I-D.voyer-6man-extension-header-insertion] 908 daniel.voyer@bell.ca, d., Leddy, J., Filsfils, C., Dukes, 909 D., Previdi, S., and S. Matsushima, "Insertion of IPv6 910 Segment Routing Headers in a Controlled Domain", draft- 911 voyer-6man-extension-header-insertion-04 (work in 912 progress), June 2018. 914 [RFC2205] Braden, R., Ed., Zhang, L., Berson, S., Herzog, S., and S. 915 Jamin, "Resource ReSerVation Protocol (RSVP) -- Version 1 916 Functional Specification", RFC 2205, DOI 10.17487/RFC2205, 917 September 1997, . 919 [RFC2474] Nichols, K., Blake, S., Baker, F., and D. Black, 920 "Definition of the Differentiated Services Field (DS 921 Field) in the IPv4 and IPv6 Headers", RFC 2474, 922 DOI 10.17487/RFC2474, December 1998, 923 . 925 [RFC2775] Carpenter, B., "Internet Transparency", RFC 2775, 926 DOI 10.17487/RFC2775, February 2000, 927 . 929 [RFC2923] Lahey, K., "TCP Problems with Path MTU Discovery", 930 RFC 2923, DOI 10.17487/RFC2923, September 2000, 931 . 933 [RFC3234] Carpenter, B. and S. Brim, "Middleboxes: Taxonomy and 934 Issues", RFC 3234, DOI 10.17487/RFC3234, February 2002, 935 . 937 [RFC4821] Mathis, M. and J. Heffner, "Packetization Layer Path MTU 938 Discovery", RFC 4821, DOI 10.17487/RFC4821, March 2007, 939 . 941 [RFC4838] Cerf, V., Burleigh, S., Hooke, A., Torgerson, L., Durst, 942 R., Scott, K., Fall, K., and H. Weiss, "Delay-Tolerant 943 Networking Architecture", RFC 4838, DOI 10.17487/RFC4838, 944 April 2007, . 946 [RFC4924] Aboba, B., Ed. and E. Davies, "Reflections on Internet 947 Transparency", RFC 4924, DOI 10.17487/RFC4924, July 2007, 948 . 950 [RFC6294] Hu, Q. and B. Carpenter, "Survey of Proposed Use Cases for 951 the IPv6 Flow Label", RFC 6294, DOI 10.17487/RFC6294, June 952 2011, . 954 [RFC6398] Le Faucheur, F., Ed., "IP Router Alert Considerations and 955 Usage", BCP 168, RFC 6398, DOI 10.17487/RFC6398, October 956 2011, . 958 [RFC6455] Fette, I. and A. Melnikov, "The WebSocket Protocol", 959 RFC 6455, DOI 10.17487/RFC6455, December 2011, 960 . 962 [RFC7045] Carpenter, B. and S. Jiang, "Transmission and Processing 963 of IPv6 Extension Headers", RFC 7045, 964 DOI 10.17487/RFC7045, December 2013, 965 . 967 [RFC7228] Bormann, C., Ersue, M., and A. Keranen, "Terminology for 968 Constrained-Node Networks", RFC 7228, 969 DOI 10.17487/RFC7228, May 2014, 970 . 972 [RFC7368] Chown, T., Ed., Arkko, J., Brandt, A., Troan, O., and J. 973 Weil, "IPv6 Home Networking Architecture Principles", 974 RFC 7368, DOI 10.17487/RFC7368, October 2014, 975 . 977 [RFC7381] Chittimaneni, K., Chown, T., Howard, L., Kuarsingh, V., 978 Pouffary, Y., and E. Vyncke, "Enterprise IPv6 Deployment 979 Guidelines", RFC 7381, DOI 10.17487/RFC7381, October 2014, 980 . 982 [RFC7556] Anipko, D., Ed., "Multiple Provisioning Domain 983 Architecture", RFC 7556, DOI 10.17487/RFC7556, June 2015, 984 . 986 [RFC7663] Trammell, B., Ed. and M. Kuehlewind, Ed., "Report from the 987 IAB Workshop on Stack Evolution in a Middlebox Internet 988 (SEMI)", RFC 7663, DOI 10.17487/RFC7663, October 2015, 989 . 991 [RFC7665] Halpern, J., Ed. and C. Pignataro, Ed., "Service Function 992 Chaining (SFC) Architecture", RFC 7665, 993 DOI 10.17487/RFC7665, October 2015, 994 . 996 [RFC7788] Stenberg, M., Barth, S., and P. Pfister, "Home Networking 997 Control Protocol", RFC 7788, DOI 10.17487/RFC7788, April 998 2016, . 1000 [RFC7872] Gont, F., Linkova, J., Chown, T., and W. Liu, 1001 "Observations on the Dropping of Packets with IPv6 1002 Extension Headers in the Real World", RFC 7872, 1003 DOI 10.17487/RFC7872, June 2016, 1004 . 1006 [RFC8085] Eggert, L., Fairhurst, G., and G. Shepherd, "UDP Usage 1007 Guidelines", BCP 145, RFC 8085, DOI 10.17487/RFC8085, 1008 March 2017, . 1010 [RFC8086] Yong, L., Ed., Crabbe, E., Xu, X., and T. Herbert, "GRE- 1011 in-UDP Encapsulation", RFC 8086, DOI 10.17487/RFC8086, 1012 March 2017, . 1014 [RFC8100] Geib, R., Ed. and D. Black, "Diffserv-Interconnection 1015 Classes and Practice", RFC 8100, DOI 10.17487/RFC8100, 1016 March 2017, . 1018 [RFC8151] Yong, L., Dunbar, L., Toy, M., Isaac, A., and V. Manral, 1019 "Use Cases for Data Center Network Virtualization Overlay 1020 Networks", RFC 8151, DOI 10.17487/RFC8151, May 2017, 1021 . 1023 [RFC8200] Deering, S. and R. Hinden, "Internet Protocol, Version 6 1024 (IPv6) Specification", STD 86, RFC 8200, 1025 DOI 10.17487/RFC8200, July 2017, 1026 . 1028 [RFC8300] Quinn, P., Ed., Elzur, U., Ed., and C. Pignataro, Ed., 1029 "Network Service Header (NSH)", RFC 8300, 1030 DOI 10.17487/RFC8300, January 2018, 1031 . 1033 Appendix A. Change log [RFC Editor: Please remove] 1035 draft-carpenter-limited-domains-00, 2018-06-11: 1037 Initial version 1039 draft-carpenter-limited-domains-01, 2018-07-01: 1041 Minor terminology clarifications 1043 draft-carpenter-limited-domains-02, 2018-08-03: 1045 Additions following IETF102 discussions 1047 Updated authorship/contributors 1048 draft-carpenter-limited-domains-03, 2018-09-12: 1050 First draft of taxonomy 1052 Editorial improvements 1054 draft-carpenter-limited-domains-04, 2018-10-14: 1056 Reorganized section 3 1058 Newly written sections 6 and 7 1060 Editorial improvements 1062 draft-carpenter-limited-domains-05, 2018-12-12: 1064 Added discussion of transparency/filtering debates 1066 Added discussion of "controlled environment" 1068 Modified assertion about localized standards 1070 Editorial improvements 1072 Authors' Addresses 1074 Brian Carpenter 1075 Department of Computer Science 1076 University of Auckland 1077 PB 92019 1078 Auckland 1142 1079 New Zealand 1081 Email: brian.e.carpenter@gmail.com 1083 Bing Liu 1084 Huawei Technologies 1085 Q14, Huawei Campus 1086 No.156 Beiqing Road 1087 Hai-Dian District, Beijing 100095 1088 P.R. China 1090 Email: leo.liubing@huawei.com