opsawg                                                     WJL. Wang, Ed.
Internet-Draft                                             MCC. Miao, Ed.
Intended status: Informational                              ACQ. An, Ed.
Expires: June 13, 2020                                  ZSY. Zhuang, Ed.
                                                     Tsinghua University
                                                       December 11, 2019

                   Design of the native Cyberspace Map
                   draft-jilongwang-opsawg-cybersmap-01

Abstract

   This memo discusses the design of a native cyberspace map: a map
   whose coordinate system is stable and flexible enough to describe
   cyberspace.  Although cyberspace is widely accepted as a parallel
   new world, its basic coordinate system has never been defined, so
   cyberspace still has no basic spatial dimension of its own.  The
   objective of this draft is to illustrate the basic design
   methodology of a native coordinate system for cyberspace and to
   show how a cyberspace map can be designed on that basis.

Status of This Memo

   This Internet-Draft is submitted in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF).  Note that other groups may also distribute
   working documents as Internet-Drafts.  The list of current Internet-
   Drafts is at https://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   This Internet-Draft will expire on June 13, 2020.

Copyright Notice

   Copyright (c) 2019 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (https://trustee.ietf.org/license-info) in effect on the date of
   publication of this document.  Please review these documents
   carefully, as they describe your rights and restrictions with respect
   to this document.  Code Components extracted from this document must
   include Simplified BSD License text as described in Section 4.e of
   the Trust Legal Provisions and are provided without warranty as
   described in the Simplified BSD License.

Table of Contents

   1.  Introduction
     1.1.  Requirements Language
   2.  Terminology
   3.  Use cases
     3.1.  Network Management
     3.2.  Network Security
   4.  Selection of Basic Coordinate Vectors
     4.1.  IP address
     4.2.  Port
     4.3.  AS number
     4.4.  MAC Address
     4.5.  Domain Name
     4.6.  Conclusion
   5.  Construction of the native Cyberspace Map
     5.1.  IP Map
     5.2.  IP-Port Map
     5.3.  AS Map
   6.  Acknowledgements
   7.  IANA Considerations
   8.  Security Considerations
   9.  Normative References
   Authors' Addresses

1.  Introduction

   The Internet, together with computer networks and telecommunication
   networks, has created a new space, termed cyberspace.
   It is an interactive domain that includes users, software,
   processes, information in storage or in transit, applications,
   services, etc.  Unfortunately, neither its basic coordinate system
   nor a native map has been defined.

   Traditional, well-known coordinate systems seem feasible for
   visualizing and representing cyberspace, but both of the usual
   candidates have drawbacks.  The geographic coordinate system (GCS)
   vividly shows the geographic side of cyberspace on a geographic
   map, but that is only the tip of the iceberg: it can hardly describe
   the characteristics of cyberspace (e.g. hosts, services) all at
   once from cyberspace's own point of view.  A network coordinate
   system (NCS) focuses on visualizing network topology, with nodes
   representing hosts (or IP addresses) and edges representing the
   network distance between two hosts; it represents cyberspace from
   the network perspective and makes it easy to represent different
   parts of cyberspace hierarchically in a topology map.  However, an
   NCS changes frequently, because network distances and host
   connectivity change, which makes it difficult to visualize the
   whole of cyberspace.

   This memo discusses and defines a native cyberspace coordinate
   model based on AS number and IP address, following the principles
   of robustness, orthogonality and effectiveness.  It presents
   cyberspace in a concise and intuitive manner, and the user can
   easily filter out the specific details of interest.  Based on this
   coordinate model, we also propose a prototype native cyberspace map
   that can be used as a basic tool for network management, network
   security, network resource search, etc.  The overall design
   methodology proposed here can help establish the native cyberspace
   map as a unified backplane for visualization in the future.

1.1.  Requirements Language

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
   document are to be interpreted as described in RFC 2119 [RFC2119].

2.  Terminology

   This document does not specify protocol requirements; the RFC 2119
   [RFC2119] key words are therefore not used normatively in this
   document.

   Manager: An entity that acts in a manager role, either a user or an
   application.  The counterpart to an agent; a 'management client' in
   NETCONF terminology.

   IANA: Internet Assigned Numbers Authority, the organization that
   oversees global IP address allocation, autonomous system number
   allocation, media types, and other IP-related code point
   allocations.

   Different granularities of cyberspace: the levels at which
   cyberspace is viewed, such as AS, metropolitan area network, local
   area network, IP block, etc.

   Network resources: physical resources such as traditional network
   facilities and access devices, as well as virtual resources such as
   application services and information resources, which can be
   detected with software or hardware tools based on certain methods,
   techniques and standards.

3.  Use cases

   Our cyberspace map can provide a unified drawing backplane and
   express cyberspace in a multi-scale, multi-dimensional and multi-
   view way.  Drawing measured network data on the unified backplane
   can be applied to the expression of network resources, the
   monitoring and management of network elements [RFC1052], and the
   prevention of cyberspace security incidents, etc.  The following
   sections highlight some of the most common use case scenarios for
   the native cyberspace map and are in no way exhaustive.

3.1.  Network Management

   Network resource management: The main concern of network managers
   is to have a direct, macroscopic visualization of network resources
   so that they can manage them efficiently.  In other words, depending
   on the size of the network they manage, network managers need to
   visualize network resources at different granularities.  For
   example, network carriers mainly focus on the AS-level network and
   consider resources as IP blocks, while campus network
   administrators take care of a local area network and manage
   resources at specific IP addresses.  The cyberspace map described
   below provides the ability to show different granularities of
   cyberspace by setting the order n of the Hilbert curve mapping
   algorithm.

   Network traffic monitoring: Network traffic carries IP addresses
   [RFC791] and ports.  Representing network traffic on the cyberspace
   map therefore helps network managers monitor the current traffic
   status and perform network anomaly detection concisely and
   intuitively.  At the large-network level, monitoring traffic
   exchanged between ISP networks helps to understand traffic status,
   to perform quality of service analysis and congestion prediction,
   and to allocate bandwidth reasonably between large networks.  At
   the LAN level, regional traffic analysis helps to extract the
   characteristics of user network behaviour.  For example, monitoring
   traffic to TCP port 135 on target IPs and discovering the infection
   pattern of the Blaster worm can prompt the administrator to close
   the abnormal host's port and patch the vulnerability.

3.2.  Network Security

   Network security problems keep emerging [RFC3631], and how to
   detect and visualize them has always been a focus and a difficulty
   of the network security and management field.  Rather than
   physically attacking a host at a geographic location, security
   attacks usually take the form of malware infection aimed at IP
   addresses and the vulnerabilities of the corresponding hosts, or of
   DDoS attacks on specific IPs.  The traditional geographic
   coordinate system therefore has difficulty revealing the native
   form of a network attack.

   Our IP-address-based cyberspace map can reveal security issues from
   a higher level.  In detail, it can intuitively express the
   distribution of DDoS attackers and attacked IP addresses, and
   further express the spread of infected IP addresses, to help
   security analysts understand and prevent attacks, cut off the
   infection path effectively, and implement attack shielding and
   prevention.  (Source addresses in DDoS traffic may be spoofed, so
   the "attacker" distribution is the distribution of the addresses
   observed, which need not be the true sources.)  In addition, by
   telescopically displaying more specific information, such as the
   AS, network and organization to which an attacker IP belongs, it
   can help the corresponding network security administrators carry
   out effective vulnerability repair.

4.  Selection of Basic Coordinate Vectors

   Constructing a native coordinate system is still a big challenge,
   given the large amount of network data and the need to represent a
   sufficient level of detail for administrators at different levels.
   To tackle these problems, we look for stable numbering systems
   (coordinates) in cyberspace to serve as the basic coordinate
   vectors of the cyberspace coordinate system.
   Surveying cyberspace, we observe a number of candidate spaces: IP
   address space, Autonomous System (AS) number space [RFC4893], MAC
   address space, domain name space [RFC1034] and port number space
   [RFC6056].  These numbering systems are stable and so widely
   adopted that almost every object in cyberspace carries them as
   identifiers, so each of them can serve as a space onto which
   cyberspace is projected.  We discuss each of them in turn:

4.1.  IP address

   An IP address [RFC791] is assigned to each network interface of a
   host that connects to the network.  It serves two primary
   functions: it identifies the interface, and it locates the host in
   cyberspace, much as a physical address (longitude and latitude)
   locates a point in geographic space.  This makes the IP address
   very suitable as a base vector of cyberspace: it locates the host
   and allows the host to send and receive information and to
   communicate with a specific other host.  An IP address has a fixed
   number of bits, so the total number of addresses is constant (2^32
   for IPv4) and does not change with network status; it is therefore
   a robust vector in cyberspace, defined here as Address Space.  Note
   that what is stable is the address space, not the binding of an
   address to a host: addresses are reassigned (e.g. by DHCP) and
   shared (behind NAT), so an address identifies a host only at a
   point in time.

4.2.  Port

   A port number is a 16-bit number, so the total number of ports is
   fixed.  A port number accompanies an IP address when a connection
   is established and is orthogonal to the IP address: the IP address
   is the network address of a host in Address Space, while the port
   number is the logical address of a specific service on that host.
   For instance, "IP address 192.0.2.15, port number 80", written
   192.0.2.15:80, denotes a web service on a specific host.
   A port number combined with an IP address locates information in
   cyberspace at a finer granularity.  Since the total number of ports
   also does not change with network status, and the port space is
   orthogonal to Address Space, it is a suitable and robust vector for
   representing and visualizing cyberspace, defined here as Logic
   Space.

4.3.  AS number

   An Autonomous System (AS) is a collection of connected IP prefixes
   under the control of one or more network operators with a single,
   clearly defined routing policy on the Internet; the AS number (ASN)
   identifies it.  AS numbers were originally 16 bits and were
   extended to 32 bits [RFC4893]; either way the AS number space has
   a fixed size and is a stable numbering system.  Each AS contains a
   set of IP prefixes, and the relationship between IP address and AS
   is administered through the RIRs (and is observable in the routing
   system).  An AS can therefore be regarded as the location of
   aggregated objects in cyberspace.  Projecting cyberspace onto AS
   space gives the aggregated characteristics of IP address space, and
   it is also an effective way to show cyberspace when the viewer
   wants AS-level information such as the AS topology.

4.4.  MAC Address

   A MAC (Media Access Control) address is the unique identifier of a
   network interface on a physical network segment, i.e. an identifier
   of Ethernet hardware, also referred to as a physical or hardware
   address.  It is a stable numbering system of 48 bits (written as 12
   hexadecimal digits), so it could serve as a coordinate of
   cyberspace.  Furthermore, cyberspace is built from physical network
   resources that carry MAC addresses, so projecting cyberspace onto
   MAC address space traces it down to each physical host.

4.5.  Domain Name

   A domain name is alphabetic and therefore easier to remember; for
   example, the domain name www.apple.com identifies the Apple
   company.
   Domain name space is a stable naming system that does not change
   with network status; however, because domain names are of variable
   length, the space cannot be enumerated.  Projecting cyberspace onto
   domain name space shows only the web-facing part of cyberspace in
   detail.

4.6.  Conclusion

   We have discussed several alternatives that can be used as
   cyberspace coordinates, each a candidate for constructing a
   cyberspace coordinate system.  Projecting cyberspace onto MAC
   address space or domain name space is clearly not very effective
   and may lead to poor visualizations: the former is sparse, because
   most MAC addresses are not visible on the Internet, while the
   latter provides detailed information on only a small part of
   cyberspace.  IP address space, port space and AS space, on the
   other hand, can be regarded as the location of objects in
   cyberspace and are selected as the basic coordinate vectors for
   presenting it.

5.  Construction of the native Cyberspace Map

   Having determined the basic coordinate vectors, i.e. IP address,
   port and AS, we now describe in detail the design of cyberspace
   maps based on these coordinates.  As ground military systems use
   2-D horizontal coordinates or 3-D Cartesian coordinates, we define
   three types of map suitable for different scenarios.

5.1.  IP Map

   Presenting the IP address space effectively on a map has been a
   challenging problem for decades.  One primary cause is that there
   are about 4 billion (2^32) unique IPv4 addresses, each of which
   needs a place on the map.  Creative use of various techniques is
   needed, and it is important to visualize IP addresses with
   meaningful aggregation where possible.
   A one-dimensional IP map expresses network elements as lines and
   points, discretely and unintuitively.  We therefore introduce space-
   filling curves to design a unified drawing backplane that maps the
   one-dimensional IP address space onto a two-dimensional plane.  That
   is, the network is gathered onto a two-dimensional square whose
   length and width are both 2^n, where n is the order of the
   two-dimensional space.  Space-filling curves include the Z curve,
   the C curve, the Gray curve and the Hilbert curve.

   The Hilbert curve is optimal for the continuity and locality of the
   space filling: consecutive addresses map to neighbouring cells, and
   an aligned prefix maps to a compact square.  A two-dimensional
   visualization of the IP block 10.0.0.0/24, for example, shows the
   sub-blocks 10.0.0.0/26, 10.0.0.64/26, 10.0.0.128/26 and
   10.0.0.192/26 as adjacent squares.  The Hilbert curve lets people
   view cyberspace elements in aggregated or non-aggregated mode.  In
   non-aggregated mode the IPv4 address space requires order n = 16: a
   2^16 x 2^16 grid has exactly 2^32 cells, one per address, which is
   preferable when individual IP addresses need to be examined.  In
   aggregated mode the order n is lowered to visualize coarser
   granularities of cyberspace elements, which is beneficial when
   viewing data from an AS or a network backbone; in general, one cell
   of an order-n grid covers a prefix of length 2n, so with n = 8 every
   /16 prefix, e.g. 10.0.0.0/16, is aggregated into a single cell.
   Based on the Hilbert curve, an IP address is thus extrapolated from
   one dimension into two to give the 2-D IP Map with coordinate (X,
   Y).

   The IP map can be used in various security-related applications,
   such as network resource management and the detection of Internet
   outages, stealthy scanning and botnet coordination.  Compared to the
   geographic coordinate system, it can search, position and describe
   managed elements at different network levels (AS, network,
   organization, IP address) instead of continuously zooming in on
   geographic locations that have no clear network hierarchy.  It can
   represent multi-aspect information of cyberspace all at once.  In
   addition, thanks to the locality and aggregation of the coordinate
   system, an administrator can perform unified management and
   configuration, operating on IP address blocks of key resources such
   as links and backbone networks.

5.2.  IP-Port Map

   To represent more detailed information about cyberspace, the basic
   two-dimensional plane drawn by the Hilbert curve mapping algorithm
   can be extended into a three-dimensional map by adding the logical
   port, which is orthogonal to the IP address.  Although the basic
   coordinate system constructed from IP addresses locates cyberspace
   elements at their hosts and visualizes their IP attributes well, it
   has difficulty describing cyberspace from other cognitive
   perspectives, such as services, which are of great interest to
   people.  Therefore, besides the IP address, the logical port is
   recommended as a second vector for visualizing cyberspace, giving
   the 3-D IP-Port map.

   Specifically, the port numbers 0 to 65535 are represented on the
   z-axis, and the height of each item can be used to visualize the
   traffic data of that port.  In this three-dimensional IP-Port map,
   the traffic volume data that people care about can easily be
   represented in order to diagnose flow anomalies.  In addition,
   different network aggregations of the traffic data can be obtained
   simply by zooming in and out.  It reflects cyberspace elements more
   accurately and comprehensively than the two-dimensional IP map.
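   The Hilbert-curve projection of Sections 5.1 and 5.2 in working
   form, as an added example that is not the draft's own code: an IPv4
   address is mapped to a cell of a 2^n x 2^n grid using the draft's
   convention that n is the order (side length 2^n); lowering n
   aggregates neighbouring prefixes into one cell (n = 8 folds each
   /16 into a cell, n = 13 makes the four /26 blocks of 10.0.0.0/24
   adjacent cells); and the port axis of the IP-Port map is stacked on
   top by summing traffic per (cell, port).  The flow records are
   constructed sample data, and the function names are the example's
   own.

```python
"""Added example (not code from draft-jilongwang-opsawg-cybersmap-01):
Hilbert-curve IP map (Section 5.1) with a port axis on top (Section 5.2).
The flow records below are constructed sample data."""
import ipaddress
from collections import defaultdict


def hilbert_d2xy(order, d):
    """Map index d on a Hilbert curve of the given order (side 2**order)
    to grid coordinates (x, y).  Standard iterative construction:
    consecutive d values always land on neighbouring cells."""
    x = y = 0
    side = 1 << order
    s = 1
    t = d
    while s < side:
        rx = 1 & (t // 2)
        ry = 1 & (t ^ rx)
        if ry == 0:                      # rotate/flip the quadrant
            if rx == 1:
                x, y = s - 1 - x, s - 1 - y
            x, y = y, x
        x += s * rx
        y += s * ry
        t //= 4
        s *= 2
    return x, y


def ip_to_xy(ip, order):
    """Project an IPv4 address onto a 2**order x 2**order grid.
    order=16 gives one cell per address (the non-aggregated mode);
    order=8 gives one cell per /16.  A cell of an order-n grid is the
    prefix of length 2n that the address falls in."""
    if not 0 <= order <= 16:
        raise ValueError("order must be in 0..16 for IPv4")
    addr = int(ipaddress.IPv4Address(ip))
    d = addr >> (32 - 2 * order)         # keep the 2*order top bits
    return hilbert_d2xy(order, d)


def blocks_are_adjacent(prefixes, order):
    """True if each listed prefix maps to a cell next to the previous one
    (Manhattan distance 1) at an order where one cell is one prefix."""
    cells = [ip_to_xy(str(ipaddress.ip_network(p).network_address), order)
             for p in prefixes]
    return all(abs(x1 - x2) + abs(y1 - y2) == 1
               for (x1, y1), (x2, y2) in zip(cells, cells[1:]))


# Constructed sample flow records: (src_ip, dst_ip, dst_port, bytes).
# Two sources fan out to TCP/135 across one /24, the pattern Section 3.1
# associates with a Blaster-style infection; the last record is web traffic.
FLOWS = [
    ("10.1.2.3", "10.0.0.5", 135, 1200),
    ("10.1.2.3", "10.0.0.6", 135, 1200),
    ("10.1.2.3", "10.0.0.7", 135, 1200),
    ("10.1.2.9", "10.0.0.5", 135, 800),
    ("10.1.2.9", "10.0.0.40", 135, 800),
    ("10.5.5.5", "10.0.0.5", 80, 5000),
]


def ip_port_map(flows, order):
    """Build the 3-D IP-Port map: key (x, y, port) of the destination cell
    at the given order, value = bytes seen.  Lowering the order is the
    'zoom out' of Section 5.2: traffic of neighbouring addresses folds
    into the same column, one per port."""
    cube = defaultdict(int)
    for _src, dst, port, nbytes in flows:
        x, y = ip_to_xy(dst, order)
        cube[(x, y, port)] += nbytes
    return dict(cube)


if __name__ == "__main__":
    blocks = ["10.0.0.0/26", "10.0.0.64/26", "10.0.0.128/26", "10.0.0.192/26"]
    print("sub-blocks adjacent at order 13:", blocks_are_adjacent(blocks, 13))
    for order in (16, 12):
        print(f"order {order}:", ip_port_map(FLOWS, order))
```

   Run as a script it prints the adjacency check and the aggregated
   cube at two orders: at order 16 every destination address is its own
   column, while at order 12 (one cell per /24) all traffic into
   10.0.0.0/24 collapses into two columns, one for port 135 and one for
   port 80, which is the per-prefix, per-service view an operator zooms
   out to.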
   It can also be used for application-layer management, such as
   abnormal application monitoring and application-layer traffic
   monitoring.

5.3.  AS Map

   The IP map and IP-Port map above, constructed from the IP address,
   express cyberspace well in most scenarios.  Compared to the
   geographic map, they visualize the essential characteristics of
   cyberspace (the IP dimension), retain the adjacency between IP
   addresses, and express different granularities of cyberspace (IP
   prefixes, services, traffic, etc.) in aggregated or non-aggregated
   mode.  In addition, the inherent existence of the IP address makes
   them more stable than a topological map.  However, in some
   scenarios, such as representing the network traffic and attack
   characteristics of an AS, the IP address segments assigned to an AS
   may be discontinuous, which results in a poor visualization on the
   IP-address-based map even though continuous IP addresses remain
   adjacent along the Hilbert curve.

   Here we define a native AS map model to represent cyberspace.
   Similar to the IP map, we use the Hilbert mapping algorithm to
   visualize the one-dimensional ASN space and construct a two-
   dimensional coordinate plane (the 2-D AS Map) to represent AS
   information, much as national information is expressed by latitude
   and longitude in the geospatial model.

   Next, considering that the IP address is a critical element of
   cyberspace, we also construct the 3-D IP-AS map model.  The
   allocation-time sequence of the IP addresses under an AS is
   recommended as the third basic vector, orthogonal to the AS
   coordinates, with the positive direction indicating increasing
   sequence; this realizes the analysis and mapping of IP addresses in
   cyberspace.
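   The Z-axis mapping of the 3-D IP-AS map (the rank of an address
   among all addresses of its AS when sorted by allocation time, with
   unallocated addresses sorted last) in working form, as an added
   example that is not the draft's own code.  The IP-to-AS table, the
   allocation timestamps and the MAXINT sentinel are constructed for
   the example; a real deployment would load the first two from routing
   data or RIR delegation files.  Documentation prefixes (RFC 5737) and
   private-use ASNs are used so that nothing here refers to a real
   network.

```python
"""Added example (not code from draft-jilongwang-opsawg-cybersmap-01):
the Z-axis of the 3-D IP-AS map in Section 5.3, i.e. the rank of an
address among all addresses of its AS when sorted by allocation time.
The IP-to-AS table and the allocation timestamps are constructed."""
import ipaddress

# Constructed IP-to-AS database: (prefix, ASN).  A real deployment would
# load this from routing data or an RIR delegation file.
IP_TO_AS = [
    ("192.0.2.0/24", 64500),
    ("198.51.100.0/24", 64500),
    ("203.0.113.0/24", 64501),
]

# Constructed allocation times (Unix seconds) for the addresses that have
# been allocated.  Anything not listed is unallocated.
ALLOCATED_AT = {
    "192.0.2.10": 1_500_000_000,
    "192.0.2.11": 1_500_000_000,   # same second as .10: tie broken by address
    "198.51.100.7": 1_400_000_000,
    "192.0.2.1": 1_450_000_000,
}

# Sentinel "allocation time" for unallocated addresses: larger than any
# real timestamp, so they sort after every allocated address (step 2).
MAXINT = 2**63 - 1


def lookup_as(ip):
    """Longest-prefix match of ip in the IP-to-AS table (step 1);
    None if no prefix covers it."""
    addr = ipaddress.ip_address(ip)
    best = None
    for prefix, asn in IP_TO_AS:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0]):
            best = (net.prefixlen, asn)
    return None if best is None else best[1]


def z_coordinate(ip):
    """Section 5.3 Z-axis: collect every address of the AS that holds ip,
    sort by (allocation time, address) with unallocated ones at MAXINT,
    and return ip's 0-based position in that order (steps 2 to 7).
    Raises ValueError if ip maps to no AS, rather than placing it on
    the map at a meaningless position."""
    asn = lookup_as(ip)
    if asn is None:
        raise ValueError(f"{ip} is not covered by the IP-to-AS database")
    members = [a for prefix, a_asn in IP_TO_AS if a_asn == asn
               for a in ipaddress.ip_network(prefix)]
    # Sorting on (time, address) rather than time alone makes the rank
    # deterministic when two addresses share an allocation second.
    ordered = sorted(members,
                     key=lambda a: (ALLOCATED_AT.get(str(a), MAXINT), int(a)))
    return ordered.index(ipaddress.ip_address(ip))


if __name__ == "__main__":
    for ip in ("198.51.100.7", "192.0.2.1", "192.0.2.11", "192.0.2.0",
               "203.0.113.5"):
        print(ip, "AS", lookup_as(ip), "z =", z_coordinate(ip))
```

   The ranked list is rebuilt on every call, which is fine for an
   example; a deployment would compute the ordering once per AS (and
   recompute it when allocation data changes) and look ranks up.  Note
   that z is only meaningful relative to the AS the address belongs
   to: two addresses in different ASes with the same z share nothing
   but their rank.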
   Specifically, the Z-axis mapping algorithm is defined as follows:

   Input: an IP address P

   Output: the coordinate of P on the Z-axis

   1.  Look up the AS in which the address P is located, using the
       IP-to-AS database.

   2.  Let IPs = [IP1, IP2, ..., IPn] be the n IP addresses under this
       AS and T = [T1, T2, ..., Tn] their allocation times, accurate to
       the second.  The allocation time of an unallocated IP address
       is defined as MAXINT, a value greater than the largest
       allocation time max(T1, ..., Tm) of the m allocated addresses,
       so that unallocated addresses sort after all allocated ones.

   3.  for i from 1 to n:

   4.      dict[IPs[i]] = T[i]

   5.  dictnew = sort(dict)    (sort the addresses by allocation time)

   6.  z = dictnew.index(P)

   7.  return z

   z = 10000 indicates that the IP address is at the 10000th position
   when the addresses of its AS are sorted by allocation time.  Using
   the Hilbert algorithm for (X, Y) and the Z-axis mapping algorithm
   for Z, the coordinate (X, Y, Z) locates an IP address, and many
   cyberspace resource elements can be located through the IP address,
   the key identifier of communication.

   Instead of representing topological relationships with abstract
   points and lines, the AS map describes and expresses cyberspace in
   a detailed and native manner compared to a map of the Internet
   topology.  At the same time, the AS backplane is fixed, so changes
   in links do not affect the entire map, which is another advantage
   of the AS Map.

6.  Acknowledgements

   The authors would like to thank Tsinghua University and the
   National Key Research and Development Program of China for their
   support under Grant No. 2016YFB0801301 and 2016QY12Z2103.

7.  IANA Considerations

   This memo includes no request to IANA.

8.  Security Considerations

   This document only defines a framework for categorizing and
   visualizing network resources and does not itself introduce new
   protocol mechanisms.  Two caveats apply to a map built on it.
   First, the map is only as trustworthy as its inputs: the IP-to-AS
   database, allocation timestamps and measured traffic may be stale
   or wrong, and source addresses in attack traffic, in particular
   DDoS, may be spoofed, so the map shows where attack traffic claims
   to come from rather than where the attacker is.  Second, a
   populated map is itself an inventory of an organization's
   addresses, services and allocation history, and access to it should
   be controlled accordingly.
9.  Normative References

   [RFC1034]  Mockapetris, P., "Domain names - concepts and
              facilities", STD 13, RFC 1034, November 1987.

   [RFC1052]  Cerf, V., "IAB recommendations for the development of
              Internet network management standards", RFC 1052, April
              1988.

   [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
              Requirement Levels", BCP 14, RFC 2119, March 1997.

   [RFC3631]  Bellovin, S., Ed., Schiller, J., Ed., and C. Kaufman,
              Ed., "Security Mechanisms for the Internet", RFC 3631,
              December 2003.

   [RFC4893]  Vohra, Q. and E. Chen, "BGP Support for Four-octet AS
              Number Space", RFC 4893, May 2007.

   [RFC6056]  Larsen, M. and F. Gont, "Recommendations for Transport-
              Protocol Port Randomization", BCP 156, RFC 6056, January
              2011.

   [RFC791]   Postel, J., "Internet Protocol", STD 5, RFC 791,
              September 1981.

Authors' Addresses

   Jilong Wang (editor)
   Tsinghua University
   Beijing 100084
   China

   Email: wjl@tsinghua.edu.cn


   Congcong Miao (editor)
   Tsinghua University
   Beijing 100084
   China

   Email: 1010988944@qq.com


   Changqing An (editor)
   Tsinghua University
   Beijing 100084
   China

   Email: acq@tsinghua.edu.cn


   Shuying Zhuang (editor)
   Tsinghua University
   Beijing 100084
   China

   Email: 17751034616@163.com