opsawg                                                      WJL. Wang, Ed.
Internet-Draft                                              MCC. Miao, Ed.
Intended status: Informational                                ACQ. An, Ed.
Expires: December 16, 2019                                ZSY. Zhuang, Ed.
                                                        Tsinghua University
                                                              June 14, 2019


                    Design of the native Cyberspace Map
                   draft-jilongwang-opsawg-cybersmap-00

Abstract

   This memo discusses the design of a native cyberspace map that is
   stable and flexible enough to describe cyberspace.  Although
   cyberspace has been accepted as a new, parallel world, its basic
   coordinate system has not yet been defined, which means that
   cyberspace still has no basic spatial dimensions of its own.  The
   objective of this draft is to illustrate the basic design
   methodology of a native coordinate system for cyberspace and to show
   how a cyberspace map can be designed on that basis.

Status of This Memo

   This Internet-Draft is submitted in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF).  Note that other groups may also distribute
   working documents as Internet-Drafts.  The list of current Internet-
   Drafts is at https://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   This Internet-Draft will expire on December 16, 2019.

Copyright Notice

   Copyright (c) 2019 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (https://trustee.ietf.org/license-info) in effect on the date of
   publication of this document.  Please review these documents
   carefully, as they describe your rights and restrictions with respect
   to this document.
   Code Components extracted from this document must include Simplified
   BSD License text as described in Section 4.e of the Trust Legal
   Provisions and are provided without warranty as described in the
   Simplified BSD License.

Table of Contents

   1. Introduction
     1.1. Requirements Language
   2. Terminology
   3. Use cases
     3.1. Network Management
     3.2. Network Security
   4. Selection on Basic Coordinate Vectors
     4.1. IP address
     4.2. Port
     4.3. AS number
     4.4. MAC Address
     4.5. Domain Name
     4.6. Conclusion
   5. Construction of native Cyberspace Map
     5.1. IP Map
     5.2. IP-Port Map
     5.3. AS Map
   6. Acknowledgements
   7. IANA Considerations
   8. Security Considerations
   9. Normative References
   Authors' Addresses

1. Introduction

   The Internet, together with computer networks and telecommunication
   networks, has created a new space, termed cyberspace.
   It is an interactive domain that includes users, software, processes,
   information in storage or in transit, applications, services, etc.
   Unfortunately, neither its basic coordinate system nor a native map
   of it has been defined.

   Two traditional, well-known coordinate systems appear feasible for
   visualizing and representing cyberspace, but both have drawbacks.
   Although a geographic coordinate system (GCS) vividly shows the
   geographic information of cyberspace on a geographic map, it
   visualizes only the tip of the iceberg and can hardly describe the
   characteristics of cyberspace (e.g. hosts and services) all at once
   from cyberspace's own point of view.  A network coordinate system
   (NCS) focuses on visualizing network topology, with nodes
   representing hosts (or IP addresses) and edges representing the
   network distance between two hosts.  NCS tries to represent and
   visualize cyberspace from the network perspective, and it is easy to
   represent different parts of cyberspace hierarchically in a network
   topology map.  However, an NCS changes frequently, because network
   distances and host connection status change, and it is difficult to
   visualize the whole of cyberspace with it.

   This memo discusses and defines a native cyberspace coordinate model
   based on AS numbers and IP addresses, following the principles of
   robustness, orthogonality and effectiveness.  It can present
   cyberspace in a concise and intuitive manner, and users can easily
   filter out the specific details of interest.  Based on this
   coordinate model, we also propose a prototype system of a native
   cyberspace map, which can be used as the basic tool for network
   management, network security, network resource search, etc.  This
   first proposal of an overall design methodology can help to establish
   the native cyberspace map as a unified backplane for visualization in
   the future.

1.1. Requirements Language

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
   document are to be interpreted as described in RFC 2119 [RFC2119].

2. Terminology

   This document does not describe standard requirements.  Therefore,
   key words from RFC 2119 [RFC2119] are not used in the document.

   Manager:  An entity that acts in a manager role, either a user or an
      application.  The counterpart to an agent.  A 'management client'
      in NETCONF terminology.

   IANA:  Internet Assigned Numbers Authority, an organization that
      oversees global IP address allocation, autonomous system number
      allocation, media types, and other IP-related code point
      allocations.

   Different granularities of cyberspace:  the degree of visual detail
      of cyberspace, such as an AS, a metropolitan area network, a local
      area network, an IP block, etc.

   Network resources:  physical resources such as traditional network
      facilities and access devices, as well as virtual resources such
      as application services and information resources, which can be
      detected using software or hardware tools based on certain
      methods, techniques and standards.

3. Use cases

   Our cyberspace map can provide a unified drawing backplane and
   express cyberspace in a multi-scale, multi-dimensional and multi-view
   way.  Drawing measured network data on the unified backplane can be
   applied to the expression of network resources, the monitoring and
   management of network elements [RFC1052], and the prevention of
   cyberspace security incidents, etc.  The following sections
   highlight some of the most common use case scenarios for a native
   cyberspace map and are in no way exhaustive.

3.1. Network Management

   Network resources management: The main concern of network managers
   is to have a direct, macroscopic visualization of network resources
   so that they can manage them efficiently.  In other words, depending
   on the size of the network they manage, network managers need to
   visualize network resources at different granularities.  For
   example, network carriers mainly focus on the AS-level network and
   consider resources in terms of IP blocks, while campus network
   administrators take care of a local area network and manage
   resources at specific IP addresses.  The cyberspace map described
   below provides the ability to show different granularities of
   cyberspace by setting the order n of the Hilbert curve mapping
   algorithm.

   Network traffic monitoring: Network traffic carries IP addresses
   [RFC791] and port numbers.  Therefore, representing network traffic
   in our cyberspace map helps network managers monitor the current
   traffic status and detect network anomalies concisely and
   intuitively.  At the large network level, monitoring the traffic
   exchanged between ISP networks helps to understand the traffic
   status, to perform quality-of-service analysis and congestion
   prediction, and to achieve reasonable bandwidth allocation between
   large networks.  At the LAN level, regional traffic analysis helps
   to extract the characteristics of user network behaviour.  For
   example, monitoring TCP port 135 traffic to a target IP address and
   discovering a potential Blaster worm infection pattern can prompt the
   administrator to close the abnormal port on the host and repair the
   vulnerability.

3.2. Network Security

   At present, network security problems emerge one after another
   [RFC3631], and how to detect and visualize these phenomena has always
   been the focus, and the difficulty, of the network security and
   management field.  Instead of physically attacking a host at a
   geographic location, security attacks usually involve virus infection
   of IP addresses through the vulnerabilities of the corresponding
   hosts, or DDoS attacks on specific IP addresses.  Therefore, the
   traditional geographic coordinate system has difficulty revealing
   the original form of a network attack.

   Our cyberspace map based on IP addresses can reveal security issues
   from a higher level.  In detail, it can intuitively express the
   distribution of DDoS attackers and attacked IP addresses, and further
   express the spread of infected IP addresses.  This assists security
   analysts in understanding and preventing attacks, effectively cutting
   off the infection transmission path, and implementing attack
   shielding and prevention.  In addition, by telescopically displaying
   more specific information such as the AS, network and organization
   to which an attacker IP belongs, it can help the corresponding
   network security administrators carry out effective vulnerability
   repair.

4. Selection on Basic Coordinate Vectors

   Constructing a native coordinate system is still a big challenge,
   given the large amount of network data and the need to represent a
   sufficient level of detail of interest to the different levels of
   administrators.  To tackle these problems, we look for the stable
   numbering systems (coordinates) in cyberspace to serve as the basic
   coordinate vectors of the cyberspace coordinate system.
   Looking at cyberspace in depth, we observe a number of alternative
   choices, such as the IP address space, the Autonomous System (AS)
   number space [RFC4983], the MAC address space, the domain name space
   [RFC1034] and the port number space [RFC6056].  These coordinates are
   stable and so widely adopted that almost all objects in cyberspace
   possess them as identifiers, so each of them is able to project
   cyberspace into its own space.  We discuss each coordinate in the
   following sections.

4.1. IP address

   An IP address is a unique fingerprint assigned to each host when it
   connects to the network.  It serves two primary functions: it
   identifies a network interface of the host, and it also provides the
   location of that host in cyberspace, similar to a physical address
   (longitude and latitude) in geographic space.  Because an IP address
   is unique, it is very suitable as a base vector in cyberspace.  It
   locates a host and allows the host to send and receive information
   and communicate with a specific other host in cyberspace.  An IP
   address is composed of a fixed number of bits, so the total number
   of IP addresses is constant.  Since this total does not change with
   network status, the IP address is a robust vector in cyberspace,
   defined here as the Address Space.

4.2. Port

   A port number is a 16-bit binary number, so the total number of port
   numbers is also fixed.  A port number usually accompanies an IP
   address when a connection is established, and it is orthogonal to
   the IP address.  An IP address is the network address of a host in
   the address space, while a port number is the logical address of a
   specific service on that host.  For instance, an address may be "IP
   address: 216.38.1.15, port number: 80", written as 216.38.1.15:80,
   which represents a web service on a specific host.  A port number
   combined with an IP address locates relevant information in
   cyberspace at a finer granularity.
   Since the total number of ports also does not change with network
   status, and the port space is orthogonal to the address space, the
   port number is a suitable and robust vector for representing and
   visualizing cyberspace, defined here as the Logic Space.

4.3. AS number

   An AS, defined for routing policy on the Internet, is a collection
   of connected IP prefixes under the control of network operators,
   identified by an AS number (ASN).  The AS number is composed of a
   16-bit binary number with a fixed total number of values, and the AS
   number is also a stable numbering system.  Each AS contains a set of
   IP addresses, and the relationship between IP addresses and ASes is
   operated by the RIRs.  Therefore, an AS is also regarded as the
   location of aggregated objects in cyberspace.  Projecting cyberspace
   into the AS space provides the aggregated characteristics of the IP
   address space.  It is also an effective way to demonstrate cyberspace
   when the viewer wants to visualize AS-level information such as the
   AS topology.

4.4. MAC Address

   A MAC address (Media Access Control address) is a unique identifier
   of a network interface within a physical network segment.  In other
   words, it is an identifier of hardware that uses Ethernet, and it is
   also referred to as the physical address or hardware address.  Since
   the MAC address is a stable numbering system composed of 12
   hexadecimal characters, it could be used as a coordinate of
   cyberspace.  Furthermore, cyberspace is created by physical network
   resources that carry MAC addresses, so we can project cyberspace into
   the MAC address space, which traces back to each physical host.

4.5. Domain Name

   A domain name is alphabetic, which makes it easier to remember.  For
   example, the domain name www.apple.com is formed as the
   identification of the Apple company.
   A domain name is a stable numbering system that does not change with
   network status; however, it is impossible to enumerate, because the
   length of a domain name is variable.  Projecting cyberspace into the
   domain name space only provides the detailed web information of
   cyberspace.

4.6. Conclusion

   We have discussed some alternatives that can be used as cyberspace
   coordinates.  Each coordinate is a candidate for constructing a
   cyberspace coordinate system.  Obviously, projecting cyberspace into
   the MAC address space and the domain name space is not very
   effective and may lead to poor visualization.  The former leads to a
   sparse visualization, because most MAC addresses are not connected to
   the Internet, while the latter only provides detailed web
   information, which is a small part of cyberspace.  The IP address
   space, the port space and the AS space, which can be regarded as the
   locations of objects in cyberspace, can be selected as the basic
   coordinate vectors to demonstrate cyberspace.

5. Construction of native Cyberspace Map

   Having determined the basic coordinate vectors, i.e. IP address,
   port and AS, the specifications for the design of cyberspace maps
   based on these coordinates are described in detail below.  Similar
   to ground military systems with 2-D horizontal coordinates or 3-D
   Cartesian coordinates, we define three types of map suitable for
   different scenarios.

5.1. IP Map

   Effectively presenting IP addresses in an IP map has been an
   extremely challenging problem for decades.  One of the primary
   causes is that there are about 4 billion unique IPv4 addresses, each
   of which needs to be visualized in the map.  We have to make
   creative use of various techniques, and it is also important to
   visualize IP addresses with meaningful aggregations where possible.
   A one-dimensional IP map expresses network elements as discrete
   lines and points, which is unintuitive.  Therefore, we introduce
   space-filling curves to design a unified drawing backplane and
   realize the mapping between the one-dimensional IP address space and
   a two-dimensional IP address plane.  That is, the network is gathered
   onto a two-dimensional plane whose length and width are both the
   n-th power of 2, where n is the order of the two-dimensional space.
   Space-filling curves include the Z curve, the C curve, the Gray
   curve and the Hilbert curve.

   The Hilbert curve is the best of these in terms of continuity and
   locality of the space filling.  It can show a two-dimensional
   visualization of the IP block 10.0.0.0/24 in which the IP sub-blocks
   10.0.0.0/26, 10.0.0.64/26, 10.0.0.128/26 and 10.0.0.192/26 are
   adjacent.  The Hilbert curve gives people the ability to view
   cyberspace elements in aggregated or non-aggregated mode.  For the
   non-aggregated mode, the order n of the IPv4 address space is
   REQUIRED to be 32, which is preferable when detailed IP addresses
   need to be examined.  For the aggregated mode, the order n is
   changed to visualize different granularities of cyberspace elements,
   which is beneficial when viewing data from an AS or a network
   backbone.  For example, the prefix 10.0.0.0/16 can be aggregated to a
   grid cell by setting the order equal to 8.  Based on the Hilbert
   curve, an IP address is therefore extrapolated from one dimension
   into two to generate the 2-D IP Map with coordinate (X, Y).

   The IP map can be used in various security-related applications,
   such as network resource management and the detection of Internet
   interruptions and of covert scanning for botnet coordination.
   Compared to the geographic coordinate system, it can realize the
   search, positioning and description of managed elements at different
   network levels (AS, network, organization, IP address) instead of
   continuously zooming in on geographic locations without a clear
   network hierarchy.  It can represent multi-aspect information of
   cyberspace all at once.  In addition, benefiting from the regionality
   and aggregation of our coordinate system, the administrator can
   perform unified management and configuration, and operate on the IP
   address blocks of key resources such as links and backbone networks.

5.2. IP-Port Map

   In order to represent more detailed information about cyberspace,
   the basic two-dimensional plane drawn by the Hilbert curve mapping
   algorithm can be extended into a three-dimensional map by adding the
   logical port, which is orthogonal to the IP address.  Although the
   basic coordinate system constructed from the IP address can locate
   cyberspace elements at the corresponding hosts and visualize their IP
   attributes well, it has difficulty describing cyberspace from other
   cognitive perspectives, such as services, which are of great interest
   to people.  Therefore, besides the IP address, the logical port is
   RECOMMENDED as an effective way to visualize cyberspace by
   constructing the 3-D IP-Port map.

   Specifically, the port numbers from 1 to 65536 can be represented on
   the z-axis, and the height of each item can be used to visualize the
   traffic data of that port.  In this three-dimensional IP-Port map,
   the traffic volume data that people care about can easily be
   represented in order to diagnose flow anomalies.  In addition,
   different network aggregations of the traffic data can simply be
   realized by zooming in and out.  The IP-Port map can reflect the
   cyberspace elements more accurately and comprehensively than the
   two-dimensional IP map.
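   The following Python program is an added, illustrative implementation
   of the Hilbert backplane of Section 5.1 and of the IP-Port map of
   Section 5.2; it is example code written for this page, not the
   authors' prototype system.  It assumes the side-length reading of the
   order given in Section 5.1 (a backplane of order n has side 2^n, so
   order 16 gives one cell per IPv4 address and order 8 one cell per
   /16 prefix), and the function names, the 10.0.0.0/8 sample prefixes
   and the flow records are all constructed for the example.  It checks
   that the four /26 sub-blocks of 10.0.0.0/24 become adjacent 8x8
   squares, that 10.0.0.0/16 collapses to a single cell at order 8, and
   then aggregates constructed flow records into (x, y, port) -> bytes
   cells so that an unusually busy port can be picked out for triage.

```python
import ipaddress
from collections import defaultdict

# Example implementation of the Hilbert backplane of Sections 5.1 and 5.2
# (illustrative code, not the authors' prototype).  Convention assumed
# here: the order n of the backplane is the exponent of its side length,
# so a square of side 2**n holds 4**n cells; order 16 gives one cell per
# IPv4 address and order 8 one cell per /16 prefix.


def hilbert_d2xy(order, d):
    """Map curve index d (0 <= d < 4**order) to an (x, y) cell.

    Standard iterative construction: two bits of d are consumed per
    level, least significant pair first, each pair selecting a quadrant
    and rotating or flipping the local frame as required.
    """
    side = 1 << order
    x = y = 0
    t = d
    s = 1
    while s < side:
        rx = 1 & (t // 2)
        ry = 1 & (t ^ rx)
        if ry == 0:
            if rx == 1:           # flip the sub-square
                x = s - 1 - x
                y = s - 1 - y
            x, y = y, x           # rotate the sub-square
        x += s * rx
        y += s * ry
        t //= 4
        s *= 2
    return x, y


def ip_to_xy(ip, order=16):
    """Place one IPv4 address on a backplane of the given order (1..16).

    Orders below 16 give the aggregated mode: every address sharing the
    top 2*order bits lands in the same cell.
    """
    if not 1 <= order <= 16:
        raise ValueError("IPv4 backplane order must be between 1 and 16")
    d = int(ipaddress.IPv4Address(ip)) >> (32 - 2 * order)
    return hilbert_d2xy(order, d)


def prefix_cells(cidr, order=16):
    """Set of backplane cells covered by an IPv4 prefix at the given order."""
    net = ipaddress.IPv4Network(cidr, strict=False)
    shift = 32 - 2 * order
    first, last = int(net[0]) >> shift, int(net[-1]) >> shift
    return {hilbert_d2xy(order, d) for d in range(first, last + 1)}


def bounding_box(cells):
    """(xmin, ymin, xmax, ymax) of a set of cells."""
    xs = [c[0] for c in cells]
    ys = [c[1] for c in cells]
    return min(xs), min(ys), max(xs), max(ys)


def boxes_touch(a, b):
    """True when two boxes share an edge, i.e. the blocks are adjacent."""
    ax0, ay0, ax1, ay1 = a
    bx0, by0, bx1, by1 = b
    x_overlap = ax0 <= bx1 and bx0 <= ax1
    y_overlap = ay0 <= by1 and by0 <= ay1
    x_touch = ax1 + 1 == bx0 or bx1 + 1 == ax0
    y_touch = ay1 + 1 == by0 or by1 + 1 == ay0
    return (x_touch and y_overlap) or (y_touch and x_overlap)


def port_traffic_grid(flows, order=8):
    """Build the 3-D IP-Port map from (dst_ip, dst_port, byte_count) flows.

    The result maps (x, y, port) to the summed byte count, which is the
    "height" drawn for that port above the aggregated IP cell.
    """
    grid = defaultdict(int)
    for dst_ip, dst_port, nbytes in flows:
        x, y = ip_to_xy(dst_ip, order)
        grid[(x, y, dst_port)] += nbytes
    return dict(grid)


def ports_over_threshold(grid, threshold):
    """(x, y, port) cells whose aggregated volume exceeds the threshold."""
    return sorted(k for k, v in grid.items() if v > threshold)


# Constructed flow records (destination address, destination port, bytes).
SAMPLE_FLOWS = [
    ("10.0.5.1", 80, 12000),
    ("10.0.200.7", 80, 8000),
    ("10.0.9.9", 135, 500),
    ("10.0.77.2", 135, 4100),
    ("10.1.3.4", 135, 700),
]

if __name__ == "__main__":
    # The four /26 sub-blocks of 10.0.0.0/24 are 8x8 squares that touch in order.
    boxes = [bounding_box(prefix_cells(f"10.0.0.{o}/26")) for o in (0, 64, 128, 192)]
    for a, b in zip(boxes, boxes[1:]):
        print(a, "touches", b, "->", boxes_touch(a, b))
    print("10.0.0.0/16 at order 8 ->", prefix_cells("10.0.0.0/16", order=8))
    grid = port_traffic_grid(SAMPLE_FLOWS, order=8)
    print("IP-Port cells above 4000 bytes:", ports_over_threshold(grid, 4000))
```

   Run directly, the program prints the four sub-block boxes, the single
   cell of 10.0.0.0/16 at order 8, and the (x, y, port) cells above the
   threshold.  In a deployment the flow tuples would come from flow
   export or packet captures, and the order would be chosen to match
   the administrator's granularity as described in Section 3.1: an
   operator looking at /16 blocks works at order 8, an analyst chasing
   one host at order 16.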
   The IP-Port map can also be used for application-layer management,
   such as abnormal application monitoring and application-layer traffic
   monitoring.

5.3. AS Map

   The IP map and IP-Port map above, constructed on the basis of the IP
   address, can express cyberspace well in most scenarios.  Compared to
   a geographic map, they visualize the essential characteristics of
   cyberspace (the IP dimension), retain the adjacency between IP
   addresses, and express different granularities of cyberspace (IP
   address prefixes, services, traffic, etc.) in aggregated or non-
   aggregated mode.  In addition, the inherent existence of the IP
   address makes them more stable than a topological map.  However, in
   some scenarios, such as representing the network traffic and attack
   characteristics of an AS in cyberspace, the IP address segments
   assigned to an AS MAY be discontinuous, resulting in poor
   visualization in the IP-address-based map, even though continuous IP
   addresses remain adjacent under the Hilbert curve.

   Here we define a native AS map model to represent cyberspace.
   Similar to the IP map, we use the Hilbert mapping algorithm to
   visualize the one-dimensional ASN space and construct a two-
   dimensional coordinate plane (the 2-D AS Map) to represent AS
   information, which is similar to the expression of national
   information by latitude and longitude in the geospatial model.

   Next, considering that the IP address is a critical element of
   cyberspace, we also construct the 3-D IP-AS map model.  The
   allocation time sequence of the IP addresses under an AS is
   RECOMMENDED as the third basic vector, orthogonal to the AS
   coordinates, with its positive direction indicating an increasing
   sequence; this realizes the analysis and mapping of IP addresses in
   cyberspace.
   Specifically, the Z-axis mapping algorithm is defined as follows:

   Input:  an IP address P

   Output: the Z-axis coordinate of P

   1.  Find the AS in which the address P is located, using the IP
       database.

   2.  Let IPs = [IP1, IP2, IP3, ..., IPn] be the n IP addresses under
       this AS and T = [T1, T2, T3, ..., Tn] their corresponding
       allocation times, accurate to the second.  The allocation time of
       an unallocated IP address is defined as MAXINT, which is greater
       than the largest allocated time in [T1, T2, T3, ..., Tm].

   3.  for i from 1 to n:

   4.      dict[IPs[i]] = T[i]

   5.  dictnew = sort(dict)      (sort the entries by allocation time)

   6.  z = dictnew.index(P)

   7.  return z

   A value of z = 10000 indicates that the IP address is at the 10000th
   position after sorting by allocation time.  Using the Hilbert
   algorithm and the Z-axis mapping algorithm, the positioning
   coordinate (X, Y, Z) is used to analyze and map an IP address, and
   many cyberspace resource elements can be located on the basis of the
   IP address as the key identifier of communication.

   Instead of representing topological relationships with abstract
   points and lines, the AS map provides the ability to describe and
   express cyberspace in a detailed and native manner compared to a map
   of the Internet topology.  At the same time, the AS backplane is
   fixed, so that changes in links do not affect the entire map, which
   also reflects the superiority of the AS Map.

6. Acknowledgements

   The authors would like to thank Tsinghua University and the National
   Key Research and Development Program of China for their support
   under Grant No. 2016YFB0801301 and 2016QY12Z2103.

7. IANA Considerations

   This memo includes no request to IANA.

8. Security Considerations

   This document only defines a framework for the categorization of
   network resources.  The document itself does not directly introduce
   security issues.
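   The following Python program is an added, illustrative implementation
   of the Z-axis mapping algorithm of Section 5.3; it is example code
   written for this page, not the authors' prototype, and it produces
   only the Z coordinate (the X and Y of the AS come from the Hilbert
   mapping of Section 5.1).  The IP-to-AS database (AS_PREFIXES), the
   allocation times (ALLOCATION_TIMES) and the function names are
   constructed for the example, using the ASNs and prefixes reserved
   for documentation.  Unallocated addresses receive the MAXINT
   sentinel so that they sort after every allocated address, and equal
   allocation timestamps are broken by numeric address, a tie-break the
   draft's sort(dict) step leaves unspecified and which is therefore an
   assumption here.

```python
import ipaddress

# Example implementation of the Z-axis mapping algorithm of Section 5.3
# (illustrative code, not the authors' prototype).  The IP database and
# the allocation times below are constructed sample data using the ASNs
# and prefixes reserved for documentation.

# Sentinel for unallocated addresses: larger than any real allocation
# time expressed in seconds since the Unix epoch, as the draft's MAXINT.
MAXINT = 2**63 - 1

# Constructed IP database: ASN -> prefixes belonging to that AS.
AS_PREFIXES = {
    64496: ["192.0.2.0/29"],
    64497: ["198.51.100.0/30"],
}

# Constructed allocation times (Unix seconds, accurate to the second) of
# the allocated addresses; an address missing here is unallocated.
ALLOCATION_TIMES = {
    "192.0.2.3": 1_600_000_000,
    "192.0.2.6": 1_600_000_000,   # same second as 192.0.2.3: a tie
    "192.0.2.1": 1_620_000_000,
    "198.51.100.1": 1_610_000_000,
}


def find_as(ip):
    """Step 1: the AS containing ip, by longest prefix match in AS_PREFIXES."""
    addr = ipaddress.IPv4Address(ip)
    best = None                       # (asn, prefix length)
    for asn, prefixes in AS_PREFIXES.items():
        for cidr in prefixes:
            net = ipaddress.IPv4Network(cidr)
            if addr in net and (best is None or net.prefixlen > best[1]):
                best = (asn, net.prefixlen)
    if best is None:
        raise LookupError(f"{ip} is not covered by any AS in the database")
    return best[0]


def allocation_sequence(asn):
    """Steps 2-5: all addresses of the AS ordered by allocation time.

    Unallocated addresses get MAXINT and so sort after every allocated
    one.  Equal timestamps are ordered by numeric address; the draft's
    sort(dict) leaves that tie-break unspecified, so it is an assumption
    made here to keep the ordering deterministic.
    """
    entries = []
    for cidr in AS_PREFIXES[asn]:
        for addr in ipaddress.IPv4Network(cidr):
            t = ALLOCATION_TIMES.get(str(addr), MAXINT)
            entries.append((t, int(addr), str(addr)))
    entries.sort()
    return [text for _, _, text in entries]


def z_coordinate(ip):
    """Steps 6-7: 0-based position of ip in its AS's allocation order."""
    canonical = str(ipaddress.IPv4Address(ip))
    return allocation_sequence(find_as(canonical)).index(canonical)


def allocated_first(asn):
    """Invariant check: no unallocated address precedes an allocated one."""
    seen_unallocated = False
    for addr in allocation_sequence(asn):
        if addr not in ALLOCATION_TIMES:
            seen_unallocated = True
        elif seen_unallocated:
            return False
    return True


if __name__ == "__main__":
    for ip in ("192.0.2.3", "192.0.2.6", "192.0.2.1", "192.0.2.0", "198.51.100.1"):
        print(f"{ip:>13}  AS{find_as(ip)}  z={z_coordinate(ip)}")
    print("allocated addresses come first:", allocated_first(64496))
```

   With the constructed data, 192.0.2.3 and 192.0.2.6 share a timestamp
   and take z = 0 and z = 1 in address order, 192.0.2.1 follows at
   z = 2, and the five unallocated addresses of the /29 fill z = 3 to 7;
   a real IP database would supply the prefixes and timestamps, and the
   z values of an AS would shift whenever an address is newly allocated,
   which is the behaviour the draft's MAXINT convention is designed to
   keep at the far end of the axis.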
9. Normative References

   [RFC1034]  Mockapetris, P., "Domain names - concepts and facilities",
              RFC 1034, November 1987.

   [RFC1052]  Cerf, V., "IAB recommendations for the development of
              Internet network management standards", RFC 1052, April
              1988.

   [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
              Requirement Levels", RFC 2119, March 1997.

   [RFC3631]  Bellovin, S., "Security Mechanisms for the Internet",
              RFC 3631, December 2003.

   [RFC4983]  Vohra, Q., "BGP Support for Four-octet AS Number Space",
              RFC 4983, May 2007.

   [RFC6056]  Larsen, M., "Recommendations for Transport-Protocol Port
              Randomization", RFC 6056, January 2011.

   [RFC791]   Postel, J., "Internet Protocol", RFC 791, September 1981.

Authors' Addresses

   Jilong Wang (editor)
   Tsinghua University
   Beijing 100084
   China

   Email: wjl@tsinghua.edu.cn

   Congcong Miao (editor)
   Tsinghua University
   Beijing 100084
   China

   Email: mccmiao@163.com

   Changqing An (editor)
   Tsinghua University
   Beijing 100084
   China

   Email: acq@tsinghua.edu.cn

   Shuying Zhuang (editor)
   Tsinghua University
   Beijing 100084
   China

   Email: 17751034616@163.com