opsawg                                                       WJL. Wang, Ed.
Internet-Draft                                               MCC. Miao, Ed.
Intended status: Informational                                ACQ. An, Ed.
Expires: 8 June 2022                                       ZSY. Zhuang, Ed.
                                                        Tsinghua University
                                                            5 December 2021

                    Design of the native Cyberspace Map
                    draft-jilongwang-opsawg-cybersmap-05

Abstract

   This memo discusses the design of a native cyberspace map that is
   stable and flexible enough to describe cyberspace. Although cyberspace
   is now accepted as a parallel new world, its basic coordinate system
   has not yet been defined, which means that cyberspace still has no
   basic spatial dimension. The objective of this draft is to illustrate
   the basic design methodology of a native coordinate system for
   cyberspace and to show how a cyberspace map can be designed on that
   basis.

Status of This Memo

   This Internet-Draft is submitted in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF). Note that other groups may also distribute
   working documents as Internet-Drafts. The list of current Internet-
   Drafts is at https://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time. It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   This Internet-Draft will expire on 8 June 2022.

Copyright Notice

   Copyright (c) 2021 IETF Trust and the persons identified as the
   document authors. All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents (https://trustee.ietf.org/
   license-info) in effect on the date of publication of this document.
   Please review these documents carefully, as they describe your rights
   and restrictions with respect to this document.
   Code Components extracted from this document must include Revised BSD
   License text as described in Section 4.e of the Trust Legal Provisions
   and are provided without warranty as described in the Revised BSD
   License.

Table of Contents

   1.  Introduction
     1.1.  Requirements Language
   2.  Terminology
   3.  Use cases
     3.1.  Network Management
     3.2.  Network Security
   4.  Selection on Basic Coordinate Vectors
     4.1.  IP address
     4.2.  Port
     4.3.  AS number
     4.4.  MAC Address
     4.5.  Domain Name
     4.6.  Conclusion
   5.  Construction of native Cyberspace Map
     5.1.  IP Map
     5.2.  IP-Port Map
     5.3.  AS Map
   6.  Acknowledgements
   7.  IANA Considerations
   8.  Security Considerations
   9.  Normative References
   Authors' Addresses

1.  Introduction

   There is a new space created by the Internet, together with computer
   networks and telecommunication networks, termed cyberspace.
   It is an interactive domain that includes users, software, processes,
   information in storage or in communication, applications, services,
   etc. Unfortunately, neither its basic coordinate system nor a native
   map has been defined so far.

   Traditional, well-known coordinate systems seem feasible for
   visualizing and representing cyberspace, but both have drawbacks.
   Although a geographic coordinate system (GCS) vividly shows the
   geographic information of cyberspace on a geographic map, it
   visualizes only the tip of the iceberg and can hardly describe the
   characteristics of cyberspace (e.g. hosts, services) all at once from
   a cyberspace point of view. A network coordinate system (NCS) focuses
   on visualizing network topology, with nodes representing hosts (or IP
   addresses) and edges representing the network distance between two
   hosts. An NCS tries to represent and visualize cyberspace from the
   network perspective, and it is easy to represent different parts of
   cyberspace hierarchically in a network topology map. However, an NCS
   changes frequently, because distances and host connection status
   change, and it is difficult to visualize the whole cyberspace with it.

   This memo discusses and defines a native cyberspace coordinate model
   based on AS number and IP address, following the principles of
   robustness, orthogonality and effectiveness. It can present
   cyberspace in a concise and intuitive manner, and users can easily
   filter out the specific details of interest. Based on this coordinate
   model, we also propose a prototype system for a native cyberspace
   map, which can be used as a basic tool for network management,
   network security, network resource search, etc. The overall design
   methodology proposed here for the first time can help establish the
   native cyberspace map as a unified backplane for visualization in the
   future.

1.1.
Requirements Language

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
   document are to be interpreted as described in RFC 2119 [RFC2119].

2.  Terminology

   This document does not describe standard requirements. Therefore,
   key words from RFC 2119 [RFC2119] are not used in the document.

   Manager: An entity that acts in a manager role, either a user or an
   application. The counterpart to an agent. A 'management client' in
   NETCONF terminology.

   IANA: Internet Assigned Numbers Authority, an organization that
   oversees global IP address allocation, autonomous system number
   allocation, media types, and other IP-related code point allocations.

   Different granularities of cyberspace: the level of detail at which
   cyberspace is visualized, such as an AS, a metropolitan area network,
   a local area network, IP blocks, etc.

   Network resources: physical resources such as traditional network
   facilities and access devices, as well as virtual resources such as
   application services and information resources, which can be
   detected using software or hardware tools based on certain methods,
   techniques and standards.

3.  Use cases

   Our cyberspace map can provide a unified drawing backplane and
   express cyberspace in a multi-scale, multi-dimensional and multi-view
   way. Drawing measured network data on the unified backplane can be
   applied to the expression of network resources, the monitoring and
   management of network elements (RFC 1052 [RFC1052]) and the
   prevention of cyberspace security incidents, etc. The following
   sections highlight some of the most common use case scenarios for the
   native cyberspace map and are in no way exhaustive.

3.1.
Network Management

   Network resource management: The main concern of network managers is
   to have a direct and macroscopic visualization of network resources,
   so that they can manage those resources efficiently. In other words,
   depending on the size of the network they manage, network managers
   need to visualize network resources at different granularities. For
   example, network carriers mainly focus on the AS-level network and
   consider resources in terms of IP blocks, while campus network
   administrators take care of the local area network and manage
   resources at specific IP addresses. Our cyberspace map provides the
   ability to show different granularities of cyberspace by setting the
   order n of the Hilbert curve mapping algorithm.

   Network traffic monitoring: Network traffic carries IP address (RFC
   791 [RFC791]) and port information. Therefore, representing network
   traffic in our cyberspace map helps network managers monitor the
   current traffic status and perform network anomaly detection concisely
   and intuitively. At the large-network level, monitoring the traffic
   exchanged between ISP networks helps to understand the traffic
   status, to carry out quality of service analysis and congestion
   prediction, and to achieve reasonable bandwidth allocation between
   large networks. At the LAN level, regional traffic analysis helps to
   extract the characteristics of user network behaviour. For example,
   monitoring TCP port 135 traffic activity of a target IP and
   discovering a potential Blaster worm infection pattern can prompt the
   closing of the abnormal host port and repair of the vulnerability as
   part of security management.

3.2.
Network Security

   At present, network security problems emerge one after another (RFC
   3631 [RFC3631]), and how to detect and visualize these phenomena has
   always been a focus and a difficulty of the network security and
   management field. Instead of physically attacking a host at a
   geographic location, security attacks usually involve virus infection
   targeting IP addresses and the vulnerabilities of the corresponding
   hosts, or DDoS attacks on specific IPs. Therefore, the traditional
   geographic coordinate system has difficulty revealing the original
   form of a network attack.

   Our cyberspace map based on IP addresses can reveal security issues
   from a higher level. In detail, it can intuitively express the
   distribution of DDoS attackers and attacked IP addresses, and further
   express the spread of infected IP addresses. This assists security
   analysts in understanding and preventing attacks, effectively cutting
   off the infection transmission path, and implementing attack
   shielding and prevention. In addition, by telescopically displaying
   more specific information such as the AS, network and organization to
   which an attacker IP belongs, it can help the corresponding network
   security administrators carry out effective vulnerability repair.

4.  Selection on Basic Coordinate Vectors

   Constructing a native coordinate system is still a big challenge,
   given the large amounts of network data and the need to represent a
   sufficient level of detail of interest to the different levels of
   administrators. To tackle these problems, we look for stable
   numbering systems (coordinates) in cyberspace to serve as the basic
   coordinate vectors from which the cyberspace coordinate system is
   constructed.
   With a deep understanding of cyberspace, we observe a number of
   alternative choices, such as the IP address space, the Autonomous
   System (AS) number space (RFC 4983 [RFC4983]), the MAC address space,
   the domain name space (RFC 1034 [RFC1034]) and the port number space
   (RFC 6056 [RFC6056]). These coordinates are stable and so widely
   adopted that almost all objects in cyberspace possess them as
   identifiers, so each is able to project cyberspace into its own
   space. We discuss each coordinate in the following sections.

4.1.  IP address

   An IP address is a unique fingerprint assigned to each host when it
   connects to a network. It serves two primary functions: it identifies
   the network interface of a host, and it also provides the location of
   that host in cyberspace, similar to a physical address (longitude and
   latitude) in geographic space. Because an IP address is unique, it is
   very suitable as a base vector in cyberspace. It locates a host and
   allows that host to send and receive information and communicate with
   a specific host in cyberspace. An IP address is composed of a fixed
   number of bits, so the total number of IP addresses is constant.
   Since the total number of IP addresses does not change with network
   status, it is a robust vector in cyberspace, defined as the Address
   Space.

4.2.  Port

   A port number is a 16-bit binary number, so the total number of ports
   is fixed. A port number often accompanies an IP address when a
   connection is established and is orthogonal to the IP address. An IP
   address is the network address of a host in the address space, while
   a port number is the logical address of a specific service on that
   host. For instance, an address may be "IP address: 216.38.1.15, port
   number: 80", written as 216.38.1.15:80, which represents a web
   service on a specific host. A port number combined with an IP address
   locates relevant information in cyberspace at a finer granularity.
   Since the total number of ports also does not change with network
   status, and the port space is orthogonal to the address space, the
   port is a suitable and robust vector for representing and
   visualizing cyberspace, defined as the Logic Space.

4.3.  AS number

   An AS, identified by its AS number (ASN) and defined for routing
   policy on the Internet, is a collection of connected IP addresses
   under the control of network operators. The AS number is composed of
   a 16-bit binary number with a fixed total count, and the AS number
   is also a stable numbering system. Each AS contains a set of IP
   addresses, and the relationship between IP addresses and ASes is
   operated by the RIRs. Therefore, an AS is also regarded as the
   location of aggregated objects in cyberspace. Projecting cyberspace
   into the AS space provides the aggregated characteristics of the IP
   address space. It is also an effective way to demonstrate cyberspace
   when the viewer wants to visualize AS-level information such as the
   AS topology.

4.4.  MAC Address

   A MAC address (Media Access Control address) is a unique identifier
   of a network interface on a physical network segment. In other words,
   it is an identifier of hardware that uses Ethernet, also referred to
   as the physical address or hardware address. Since the MAC address is
   a stable numbering system composed of 12 characters, it could be used
   as a coordinate of cyberspace. Furthermore, cyberspace is created by
   physical network resources that carry MAC addresses, so cyberspace
   can be projected into the MAC address space, which traces back to
   each physical host.

4.5.  Domain Name

   A domain name is alphabetic, which makes it easier to remember. For
   example, the domain name www.apple.com identifies the Apple company.
   A domain name is a stable naming system that does not change with
   network status; however, it is impossible to enumerate, because the
   length of a domain name is variable. Projecting cyberspace into the
   domain name space provides only the detailed web information of
   cyberspace.

4.6.  Conclusion

   We have discussed several alternatives that can be used as
   cyberspace coordinates. Each is a candidate for constructing a
   cyberspace coordinate system. Obviously, projecting cyberspace into
   the MAC address space or the domain name space is not very effective
   and may lead to poor visualization. The former leads to sparse
   visualization, because most MAC addresses are not connected to the
   Internet, while the latter provides only detailed web information,
   which is a small part of cyberspace. The IP address space, port space
   and AS space, which can be regarded as the location of objects in
   cyberspace, are selected as the basic coordinate vectors to
   demonstrate cyberspace.

5.  Construction of native Cyberspace Map

   After determining the basic coordinate vectors, i.e. IP address, port
   and AS, the specifications for the design of cyberspace maps based on
   these coordinates are described in detail. Similar to ground military
   systems with 2-D horizontal coordinates or 3-D Cartesian coordinates,
   we define three types of map suitable for different scenarios.

5.1.  IP Map

   Effectively presenting IP addresses in an IP map has been an
   extremely challenging problem for decades. One of the primary causes
   is that there are about 4 billion unique IPv4 addresses, each of
   which needs to be visualized in the map. We have to make creative use
   of various techniques, and it is also important to visualize IP
   addresses with meaningful aggregations where possible.
   A one-dimensional IP map expresses network elements as discrete lines
   and points, which is unintuitive. Therefore, we introduce space
   filling curves to design a unified drawing backplane and realize a
   mapping between the one-dimensional IP address space and a
   two-dimensional IP address plane.

   That is, the network is gathered onto a two-dimensional plane whose
   length and width are both the n-th power of 2, where n is the order
   of the two-dimensional space. Space filling curves include the Z
   curve, the C curve, the Gray curve and the Hilbert curve.

   The Hilbert curve is optimal for the continuity and locality of the
   space filling. It can show a two-dimensional visualization of the IP
   block 10.0.0.0/24 in which the sub-blocks 10.0.0.0/26, 10.0.0.64/26,
   10.0.0.128/26 and 10.0.0.192/26 are adjacent. The Hilbert curve
   gives people the ability to view cyberspace elements in aggregated or
   non-aggregated mode. For non-aggregated mode, the IPv4 address space
   is REQUIRED to use order n equal to 32, which is preferable when
   individual IP addresses need to be examined. For aggregated mode, the
   order n is changed to visualize different granularities of cyberspace
   elements, which is beneficial when viewing data from an AS or a
   network backbone. For example, the prefix 10.0.0.0/16 can be
   aggregated to one grid cell by setting the order equal to 8. Based on
   the Hilbert curve, an IP address is extrapolated from one dimension
   into two to generate the 2-D IP Map with coordinate (X, Y).

   It can be used in various security-related applications, such as
   network resource management, Internet interruptions and stealthy
   scanning by coordinated botnets.
   Compared to the geographic coordinate system, it can realize the
   search, positioning and description of managed elements at different
   network levels (AS, network, organization, IP address) instead of
   continuously zooming in on geographic locations without a clear
   network hierarchy. It can represent multi-aspect information of
   cyberspace all at once. In addition, benefiting from the regionality
   and aggregation of our coordinate system, the administrator can
   perform unified management and configuration and operate on IP
   address blocks of key resources such as links and backbone networks.

5.2.  IP-Port Map

   In order to represent detailed information about cyberspace, the
   basic two-dimensional plane drawn by the Hilbert curve mapping
   algorithm can be extended into a three-dimensional map by adding the
   logical port, which is orthogonal to the IP address. Although the
   basic coordinate system constructed from IP addresses can locate
   cyberspace elements at their corresponding hosts and visualize their
   IP attributes, it is difficult to describe cyberspace from other
   cognitive perspectives, such as services, which are of great interest
   to people. Therefore, besides the IP address, the logical port is
   RECOMMENDED to be used to visualize cyberspace by constructing the
   3-D IP-Port map.

   Specifically, the port numbers from 1 to 65536 can be represented on
   the z-axis, and the height of each item can be used to visualize the
   traffic data of that port. In this three-dimensional IP-Port map, the
   traffic volume data that people care about can be easily represented
   in order to diagnose flow anomalies. In addition, different network
   aggregations of the traffic data can be realized simply by zooming in
   or out. It can reflect cyberspace elements more accurately and
   comprehensively than the two-dimensional IP map.
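The following is an added example, not code from the draft or its authors, covering both the IP Map of Section 5.1 and the IP-Port Map of Section 5.2. It implements the standard Hilbert d-to-(x,y) mapping, places IPv4 addresses on a backplane of a chosen order, and then stacks constructed flow records on the port axis so that the effect of zooming (lowering the order) on traffic aggregation can be checked. One assumption differs from the draft's numbering of the order n: here a grid of order k has 4**k cells, so each cell covers a /(2k) prefix, order 16 is one cell per address and order 8 is one cell per /16. The flow records, the `FLOWS`, `ip_to_xy`, `block_bbox`, `ip_port_map` and `port_slice` names are all constructed for this example.

```python
import ipaddress
from collections import Counter


def _rot(n, x, y, rx, ry):
    """Rotate/flip a quadrant so that consecutive sub-curves join end to end."""
    if ry == 0:
        if rx == 1:
            x = n - 1 - x
            y = n - 1 - y
        x, y = y, x
    return x, y


def hilbert_d2xy(order, d):
    """Map curve index d (0 <= d < 4**order) to (x, y) on a 2**order by 2**order grid."""
    n = 1 << order
    x = y = 0
    s = 1
    while s < n:
        rx = 1 & (d // 2)
        ry = 1 & (d ^ rx)
        x, y = _rot(s, x, y, rx, ry)
        x += s * rx
        y += s * ry
        d //= 4
        s *= 2
    return x, y


def ip_to_xy(ip, order):
    """Place an IPv4 address on the Hilbert backplane of the given order.

    Assumption (our convention, not the draft's numbering): the grid has
    4**order cells, so one cell covers a /(2*order) prefix. Order 16 gives
    one cell per address, order 8 one cell per /16.
    """
    if not 1 <= order <= 16:
        raise ValueError("order must be between 1 and 16 for IPv4")
    cell = int(ipaddress.IPv4Address(ip)) >> (32 - 2 * order)
    return hilbert_d2xy(order, cell)


def block_bbox(prefix, order):
    """Bounding box (xmin, ymin, xmax, ymax) covered by every address of a prefix."""
    xs, ys = zip(*(ip_to_xy(a, order) for a in ipaddress.IPv4Network(prefix)))
    return min(xs), min(ys), max(xs), max(ys)


# Constructed flow records (destination IP, destination port, bytes); not real traffic.
FLOWS = [
    ("10.0.0.5", 80, 1200),
    ("10.0.0.5", 443, 900),
    ("10.0.0.70", 135, 50),
    ("10.0.0.71", 135, 50),
    ("10.0.1.9", 135, 50),
    ("10.0.1.9", 22, 400),
    ("10.1.0.1", 80, 300),
]


def ip_port_map(flows, order):
    """Build the 3-D IP-Port map: (x, y, port) -> total bytes.

    The port is the z-axis and the byte count is the 'height' of the item.
    Lowering the order zooms out: addresses fall into the same cell and
    their volumes add up.
    """
    volume = Counter()
    for ip, port, nbytes in flows:
        x, y = ip_to_xy(ip, order)
        volume[(x, y, port)] += nbytes
    return volume


def port_slice(volume, port):
    """Slice the IP-Port map at one port: sorted list of ((x, y), bytes).

    This is the view a manager would watch for a single service, e.g. TCP
    135 as in Section 3.1, to spot cells with unexpected activity.
    """
    return sorted(((x, y), b) for (x, y, p), b in volume.items() if p == port)


if __name__ == "__main__":
    for sub in ("10.0.0.0/26", "10.0.0.64/26", "10.0.0.128/26", "10.0.0.192/26"):
        print(sub, "occupies", block_bbox(sub, 16))
    print("10.0.0.0/24 occupies", block_bbox("10.0.0.0/24", 16))
    print("10.0.0.0/16 at order 8 is cell", ip_to_xy("10.0.0.0", 8))
    for cell, nbytes in port_slice(ip_port_map(FLOWS, 8), 135):
        print("port 135 at order 8:", cell, nbytes, "bytes")
```

Running it shows the locality property the draft relies on: at order 16 each /26 of 10.0.0.0/24 occupies an 8 by 8 square and the four squares tile the 16 by 16 square of the /24, consecutive addresses land in neighbouring cells, and at order 8 the whole of 10.0.0.0/16 collapses into one cell, so the three port-135 flows that were three separate items at full resolution become a single item of 150 bytes.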
   It can also be used for application layer management, such as
   abnormal application monitoring and application layer traffic
   monitoring.

5.3.  AS Map

   The IP map and IP-Port map above, constructed from the IP address,
   express cyberspace well in most scenarios. Compared to the geographic
   map, they visualize the essential characteristics of cyberspace (the
   IP dimension), retain the adjacency between IP addresses, and express
   different granularities of cyberspace (IP address prefixes, services,
   traffic, etc.) in aggregated or non-aggregated mode. In addition, the
   inherent existence of the IP address makes them more stable than a
   topological map. However, in some scenarios, such as representing the
   network traffic and attack characteristics of an AS, the IP address
   segments assigned to an AS MAY be discontinuous, resulting in poor
   visualization in the IP address-based map, even though continuous IP
   addresses remain adjacent under the Hilbert curve.

   Here we define a native AS map model to represent cyberspace. Similar
   to the IP map, we use the Hilbert mapping algorithm to visualize the
   one-dimensional ASN and construct a two-dimensional coordinate plane
   (the 2-D AS Map) to represent AS information, similar to the
   expression of national information by latitude and longitude in the
   geospatial model.

   Next, considering that the IP address is a critical element of
   cyberspace, we also construct the 3-D IP-AS map model. The allocation
   time sequence of the IP addresses under an AS is RECOMMENDED as the
   third basic vector, which is orthogonal to the AS coordinates and
   whose positive direction indicates an increasing sequence, realizing
   the analysis and mapping of IP addresses in cyberspace.
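As an added example that is not code from the draft, the Z-axis mapping procedure the draft defines step by step below (look up the AS of an address in an IP database, collect every address of that AS with its allocation time, treat unallocated addresses as MAXINT, sort, and return the position of the address) implemented in Python. The IP database `IP_DB`, the allocation times `ALLOC_TIME`, the private-use ASNs and the RFC 5737 documentation prefixes are all constructed here; the draft does not say how equal allocation times are ordered, so ties are broken by numeric address, and `z` is reported as a 0-based position. The AS in the sample owns two non-contiguous blocks, which is exactly the case Section 5.3 says the IP map handles poorly.

```python
import ipaddress
import sys

# Sentinel for "not yet allocated": larger than any real allocation timestamp (step 2).
MAXINT = sys.maxsize

# Constructed IP database (prefix -> origin AS) and allocation times in Unix
# seconds; RFC 5737 documentation prefixes and private-use ASNs, not real data.
IP_DB = {
    "198.51.100.0/29": 64496,
    "203.0.113.0/29": 64496,   # a second, non-contiguous block of the same AS
    "192.0.2.0/29": 64497,
}
ALLOC_TIME = {
    "198.51.100.1": 1_600_000_000,
    "198.51.100.2": 1_590_000_000,
    "203.0.113.3": 1_595_000_000,
    "203.0.113.4": 1_595_000_000,   # same second as .3: tie broken by address order
    "192.0.2.1": 1_610_000_000,
}


def lookup_as(ip):
    """Step 1: longest-prefix match of the address against the IP database."""
    addr = ipaddress.IPv4Address(ip)
    best = None
    for prefix, asn in IP_DB.items():
        net = ipaddress.IPv4Network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, asn)
    if best is None:
        raise LookupError(f"{ip} is not covered by the IP database")
    return best[1]


def as_allocation_order(asn):
    """Steps 2-5: every address of the AS keyed by allocation time, then sorted.

    Unallocated addresses get MAXINT so they sort after all allocated ones.
    The draft leaves the order of equal times unspecified; here ties are
    broken by numeric address so the result is deterministic (our assumption).
    """
    times = {}
    for prefix, owner in IP_DB.items():
        if owner != asn:
            continue
        for addr in ipaddress.IPv4Network(prefix):
            times[str(addr)] = ALLOC_TIME.get(str(addr), MAXINT)
    return sorted(times, key=lambda a: (times[a], int(ipaddress.IPv4Address(a))))


def z_coordinate(ip):
    """Steps 6-7: z is the 0-based position of P in its AS's allocation order."""
    ordered = as_allocation_order(lookup_as(ip))
    return ordered.index(ip)


if __name__ == "__main__":
    for ip in ("198.51.100.2", "203.0.113.4", "198.51.100.1", "198.51.100.7"):
        print(ip, "-> AS", lookup_as(ip), "z =", z_coordinate(ip))
```

With the sample data the earliest allocated address 198.51.100.2 gets z = 0, the two addresses allocated in the same second follow in address order, and the unallocated addresses of the AS are pushed to the end of the axis, so a never-allocated address such as 198.51.100.7 sits behind every allocated one regardless of its numeric value.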
   Specifically, the Z-axis mapping algorithm is defined as follows:

   Input: an IP address P

   Output: the coordinate on the Z-axis

   1. Get the AS in which the address P is located, based on the IP
      database.

   2. There are n IP addresses IPs=[IP1,IP2,IP3,IP4,IP5,IP6,...,IPn]
      under this AS, and their corresponding allocation times are
      T=[T1,T2,T3,T4,T5,T6,...,Tn], where the allocation time of an
      unallocated IP address is defined as MAXINT > max(allocated
      times [T1,T2,T3,T4,T5,T6,...,Tm]), accurate to the second.

   3. for i from 1 to n:

   4.     dict[IPs[i]] = T[i]

   5. dictnew = sort(dict by allocation time)

   6. z = dictnew.index(P)

   7. return z

   z=10000 indicates that the IP address is located at the 10000th
   position after sorting by allocation time. Using the Hilbert
   algorithm and the Z-axis mapping algorithm, the positioning
   coordinates (X, Y, Z) are used to analyze and map an IP address, and
   many cyberspace resource elements can be located based on the IP
   address, the key identifier of communication.

   Instead of representing topological relationships with abstract
   points and lines, the AS map provides the ability to describe and
   express cyberspace in a detailed and native manner compared to a map
   of the Internet topology. At the same time, the AS backplane is
   fixed, so that changes in links will not affect the entire map, which
   also reflects the superiority of the AS Map.

6.  Acknowledgements

   The authors would like to thank the support of Tsinghua University
   and the National Key Research and Development Program of China under
   Grant No. 2016YFB0801301 and 2016QY12Z2103.

7.  IANA Considerations

   This memo includes no request to IANA.

8.  Security Considerations

   This document only defines a framework for network resource
   categorization. This document itself does not directly introduce
   security issues.

9.
Normative References

   [RFC1034]  Mockapetris, P., "DOMAIN NAMES - CONCEPTS AND FACILITIES",
              RFC 1034, November 1987.

   [RFC1052]  Cerf, V., "IAB Recommendations for the Development of
              Internet Network Management Standards", RFC 1052, April
              1988.

   [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
              Requirement Levels", RFC 2119, March 1997.

   [RFC3631]  Bellovin, S., "Security Mechanisms for the Internet",
              RFC 3631, December 2003.

   [RFC4983]  Vohra, Q., "BGP Support for Four-octet AS Number Space",
              RFC 4983, May 2007.

   [RFC6056]  Larsen, M., "Recommendations for Transport-Protocol Port
              Randomization", RFC 6056, January 2011.

   [RFC791]   Postel, J., "Internet Protocol", RFC 791, September 1981.

Authors' Addresses

   Jilong Wang (editor)
   Tsinghua University
   Beijing
   100084
   China

   Email: wjl@tsinghua.edu.cn

   Congcong Miao (editor)
   Tsinghua University
   Beijing
   100084
   China

   Email: 1010988944@qq.com

   Changqing An (editor)
   Tsinghua University
   Beijing
   100084
   China

   Email: acq@tsinghua.edu.cn

   Shuying Zhuang (editor)
   Tsinghua University
   Beijing
   100084
   China

   Email: 17751034616@163.com