Internet Engineering Task Force                            B. Wang, Ed.
Internet-Draft                                              K. Lin, Ed.
Intended status: Standards Track                              Hikvision
Expires: 18 October 2021                                   C. Wang, Ed.
                                                               IIE, CAS
                                                           X. Wang, Ed.
                                                              Hikvision
                                                          16 April 2021

 Data Transmission Security of Identity Resolution in Industrial Internet
            draft-wang-data-transmission-security-irii-00

Abstract

   This draft provides an overview of the security of data transmission
   in the identity resolution system for the Industrial Internet.
   Identity resolution systems play a vital role in the Industrial
   Internet by providing secure sharing and intelligent association of
   heterogeneous information among different organizations.  This draft
   focuses on the security services that identity resolution systems
   should provide for resolution data transmission.

Status of This Memo

   This Internet-Draft is submitted in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF).  Note that other groups may also distribute
   working documents as Internet-Drafts.  The list of current Internet-
   Drafts is at https://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   This Internet-Draft will expire on 18 October 2021.

Copyright Notice

   Copyright (c) 2021 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents (https://trustee.ietf.org/
   license-info) in effect on the date of publication of this document.
   Please review these documents carefully, as they describe your rights
   and restrictions with respect to this document.  Code Components
   extracted from this document must include Simplified BSD License text
   as described in Section 4.e of the Trust Legal Provisions and are
   provided without warranty as described in the Simplified BSD License.

Table of Contents

   1.  Introduction
   2.  Scope
   3.  Terms and Definitions
     3.1.  International Root Node
     3.2.  National Root Node
     3.3.  Secondary Node
     3.4.  Enterprise Node
     3.5.  Recursive Node
     3.6.  Transmission Security
     3.7.  Privacy
   4.  Abbreviation
   5.  Overview
   6.  Security Protection Scope
   7.  Safety Technical Requirements
     7.1.  Data Transmission Integrity
     7.2.  Data Transmission Availability
     7.3.  Data Transmission Confidentiality
     7.4.  Data Transmission Authentication
     7.5.  Data Transmission Strategy
     7.6.  Data Transmission Protocol
     7.7.  Maintenance and Update of Transmission Protocol
     7.8.  Log and Audit
   8.  Security Considerations
   9.  IANA Considerations
   10. Informative References
   Authors' Addresses

1.  Introduction

   An identity resolution system is an important network infrastructure
   for the Industrial Internet.
   It provides coding, registration and resolution services for
   industrial equipment, machines, materials, parts and products, so that
   heterogeneous information can be interoperable, securely shared and
   intelligently associated; this is an important cornerstone for the
   rapid development of the Industrial Internet.  Typical global identity
   resolution systems include the Handle system [RFC3650] [RFC3651], the
   Object Identifier (OID) resolution system [OID], etc.  In order to
   ensure the security of the data transmission involved in the
   Industrial Internet identity resolution system, this draft formulates
   security technical requirements that enhance the security of the
   entire Industrial Internet identity resolution system and reduce the
   security risk caused by data leakage.  These requirements can be
   applied to the planning, construction, operation and management of
   data transmission security for Industrial Internet identity
   resolution.

2.  Scope

   This draft specifies the security technical requirements for the
   transmission of Industrial Internet identity resolution data.

   This draft applies to the planning, construction, operation and
   management of Industrial Internet identity resolution data
   transmission security by the relevant parties.

3.  Terms and Definitions

3.1.  International Root Node

   International root nodes are the top-level service nodes of the
   identity resolution system.  They are not limited to specific
   countries or regions: on the one hand they provide public root-level
   identity services worldwide, and on the other hand they provide
   services such as data synchronization and registration resolution for
   nodes at different levels within a country.

3.2.  National Root Node

   The top-level node within a country or region.  It is connected to
   the international root node and to secondary nodes, and provides
   top-level identity resolution services for the whole country.

3.3.  Secondary Node

   A public node providing identity services for a specific industry or
   for multiple industries.  It is responsible for allocating identities
   and providing identity registration, identity resolution and identity
   data services for industrial enterprises.  Secondary nodes are
   divided into two types: industry secondary nodes and comprehensive
   secondary nodes.

3.4.  Enterprise Node

   An intra-enterprise identity service node that provides identity
   registration, identity resolution, identity data services, etc. for a
   specific enterprise and connects to secondary nodes.

3.5.  Recursive Node

   The key entrance facility of the identity resolution system.  It is
   responsible for caching and other operations on resolution data
   during identity resolution, reducing the amount of resolution data to
   be processed and improving the efficiency of resolution services.

3.6.  Transmission Security

   Protection of the confidentiality, integrity, availability and
   timeliness of information transmitted over the network.

3.7.  Privacy

   Privacy refers to the authority that individuals have to control
   their information, including who collects and stores it and who
   discloses it.

4.  Abbreviation

   +==============+====================================+
   | Abbreviation | Full Name                          |
   +==============+====================================+
   | TLS          | Transport Layer Security           |
   +--------------+------------------------------------+
   | IPSec        | Internet Protocol Security         |
   +--------------+------------------------------------+
   | HTTPS        | Hypertext Transfer Protocol Secure |
   +--------------+------------------------------------+
   | OID          | Object Identifier                  |
   +--------------+------------------------------------+
   | DNS          | Domain Name System                 |
   +--------------+------------------------------------+

                        Table 1: Abbreviation

5.  Overview

   The Industrial Internet identity resolution and management service
   system supports global traceability management of industrial IoT
   product data and dynamic sharing of data throughout the product life
   cycle, using the capabilities of the secure identity management and
   resolution platform.  Industrial Internet identity resolution data
   transmission refers to the set of data technologies that Industrial
   Internet terminals use to obtain and transmit information.  Its
   transmission security spans the network security part of the basic
   security protection measures dimension, all inter-domain and
   intra-domain data transmission in the functional domain dimension of
   the Industrial Internet of Things identity resolution and management
   service system, and the whole process in the system life cycle
   dimension.
                             +---------------+
             +---------------+ DNS Root Node +--------------+
             |               +---------------+              |
       +-----+-------+                             +--------+------+
       |OID Root Node|    International Root Node  |Ecode Root Node|
       +-----+-------+                             +--------+------+
             |                                              |
             |         +---------------------+              |
             +---------+                     +--------------+
                       |  Handle Root Node   |
             +--------->                     <----------------+
             |         +---------------------+                |
             |                                                |
             |                                      +----------v---+
             |                                      |Secondary Node|
       +-----+--------+         +---------+         +------+-------+
       |Recursive Node+----+---->National |                |
       +-----^--------+    |    |Top Level|       +-------+--------+
             |             |    |Node     |       |                |
             |             |    +---------+  +----+------+ +-------+--+
             |             |                 | Enterprise| |Enterprise|
             |             |                 | Node      | |Node      |
             |             |                 +----------+  +----------+
             |             |
 +-----------+---------+   |    +--------------+
 |Identity Resolution  |   +---->Secondary Node|
 |Data and Application |   |    +------+-------+
 | +------------+      |   |           |
 | |Industry App|      |   |   +-------+---------+
 | +------------+      |   |   |                |
 | +-----------+       |   +v--+------+ +-------+--+
 | |Enterprise |       |   | Enterprise| |Enterprise|
 | |Information|       |   | Node      | |Node      |
 | |System     |       |   +----------+ +----------+
 | +-----------+       |
 | +-----------+       |
 | |Industrial |       |
 | |Internet   |       |
 | |Platform   |       |
 | +-----------+       |
 +---------------------+

      Figure 1: Industrial Internet Identity Resolution and Management
                              Service System

6.  Security Protection Scope

   The security protection scope of the Industrial Internet identity
   resolution and management service system proposed in this draft
   mainly covers the following process: an identity is written into the
   device; product information is collected, including device model,
   device type, production batch, production date, production site, a
   link to device production information, a link to device description
   data, etc.; this information is integrated into identity data; and
   the identity data is then published to the data exchange system,
   where identity resolution enterprise nodes can access it.  The data
   synchronization among the identity resolution enterprise node, the
   identity resolution secondary node and the identity resolution root
   node in these application scenarios, together with the set of data
   transmission technologies used, is what provides security assurance
   and security support for Industrial Internet identity data
   transmission.

   The scope of Industrial Internet identity data transmission security
   protection specifically includes the security of, and the security
   support for, the data transmission interfaces within and between the
   functional domains of the Industrial Internet identity resolution
   system.  It applies across the whole life cycle of the system
   (planning and design, development and construction, operation and
   maintenance, abandonment and exit).
                +--------------------------------------------------------+
                |             Identity Resolution Root Node              |
                +-------------------------^------------------------------+
                                          |
                +-------------------------v------------------------------+
                |           Identity Resolution Secondary Node           |
                +-------------------------^------------------------------+
 +----------------------------------------|----------------------------------+
 |                                        |                                  |
 |              +-------------------------v------------------------------+   |
 |              |          Identity Resolution Enterprise Node           |   |
 |              +-------------------------^------------------------------+   |
 |Demilitarized                           |                                  |
 | Zone         +-------------------------v------------------------------+   |
 |              |                  Data Exchange System                  |   |
 |              +-------------------------^------------------------------+   |
 |                                        |                                  |
 +----------------------------------------|----------------------------------+
 |              +-------------------------|------------------------------+   |
 |              |       Identity Generation and Management System        |   |
 |              +------^------------------------------------------^------+   |
 |Enterprise           |                                          |          |
 | Intranet     +------v-------+ + Enterprise Products -----------v-------+  |
 |              |              | | +-----------------+ +--------------+   |  |
 |              |              | | |Network Hard Disk| |Access Control|   |  |
 |              | Enterprise   | | |Video Recorder   | |    Device    |   |  |
 |              | Information  | | +-----------------+ +--------------+   |  |
 |              | System       | | +------------+ +---+                   |  |
 |              |              | | |Video Camera| |...|                   |  |
 |              |              | | +------------+ +---+                   |  |
 |              +--------------+ +----------------------------------------+  |
 +---------------------------------------------------------------------------+

      Figure 2: Industrial Internet Identity Resolution and Management
                              Service System

7.  Safety Technical Requirements

7.1.  Data Transmission Integrity

   Data transmission should comply with the following common
   requirements:

   1) Support an information integrity check mechanism during
   transmission (such as a check code, message digest or digital
   signature) to protect the transmission integrity of management data,
   authentication information, sensitive information, important business
   data and other data.

   2) Provide communication delay and interruption handling so that the
   integrity of the data is preserved.

   3) For important data, use cryptographic algorithms approved by the
   National Cryptography Administration to ensure the integrity of data
   transmission.

   4) Take measures to restore or re-obtain the data when it is detected
   that its integrity has been compromised.

7.2.  Data Transmission Availability

   The timeliness and accuracy of the data shall be guaranteed during
   data transmission.  Specifically:

   1) Timeliness: the ability to identify received data that is
   historical or beyond its time limit.  Specifically, the data shall
   come from systems using a unified time distribution/correction
   mechanism, and the data shall carry time stamps, etc.

   2) Accuracy: when the data carries an acceptable level of error,
   provision shall be made so that the data can still be acquired
   normally and in time.

7.3.  Data Transmission Confidentiality

   When transferring data, it is necessary to ensure the confidentiality
   of the data, including:

   1) For important data, authentication information and important
   business data, such as user passwords, biometrics, private keys,
   symmetric keys, product order information, device unique identities
   (Handle IDs), etc., an encryption algorithm of adequate strength or
   other effective measures shall be used to ensure confidentiality.

   2) Choose appropriate security protocols (such as HTTPS, SSH, IPSec,
   TLS, etc.) to protect the transmitted data.

7.4.  Data Transmission Authentication

   Ensure the legitimacy of the identities of both parties to the data
   transmission; that is, the subject shall be authenticated to the
   object before the interaction, and a trusted transmission path shall
   be established.

7.5.  Data Transmission Strategy

   Establish a formal transmission strategy to protect the security of
   all types of information transmitted through communication
   facilities, and meet:

   1) Clarify the type and scope of information that can be transmitted
   in plain text.

   2) For sensitive data, such as user passwords, biometrics, private
   keys, symmetric keys, etc., an encrypted transmission strategy is
   required.

7.6.  Data Transmission Protocol

   The protocol should address the safe transmission of internal and
   external business, and meet:

   Cryptographic algorithms for message digest, signature and
   authentication shall use the algorithms, and the combinations of
   digest, signature and authentication algorithms, required by national
   regulations or national mandatory standards.

7.7.  Maintenance and Update of Transmission Protocol

   The confidentiality protocol for data transmission should be
   regularly maintained and updated so that the protocol reflects the
   requirements for data transmission security protection, and meet:

   1) The transmission security protocol needs to be reviewed every year
   to ensure that it reflects the requirements for data transmission
   security protection.

   2) When new services are launched or existing services are changed,
   the transmission security protocol needs to be audited and updated if
   necessary.

7.8.  Log and Audit

   The transmission system shall log and audit the following security
   failure events.
   The content of the log shall at least contain date/time, event type,
   event subject, event description and success/failure information, and
   the following events shall be covered:

   1) Data transmission establishment success and failure

   2) Transmission device online monitoring abnormalities and alarm
   events

   3) Malicious program intrusion alert events

   4) Configuration modification operations performed by administrators
   or non-administrators

8.  Security Considerations

   This entire memo deals with security issues.

9.  IANA Considerations

   This document has no IANA actions.

10.  Informative References

   [OID]      "Introduction to OIDs and the OID Resolution System
              (ORS)", May 2020.

   [RFC3650]  Sun, S., Lannom, L., and B. Boesch, "Handle System
              Overview", DOI 10.17487/RFC3650, November 2003.

   [RFC3651]  Sun, S., Reilly, S., and L. Lannom, "Handle System
              Namespace and Service Definition", DOI 10.17487/RFC3651,
              November 2003.

Authors' Addresses

   Bin Wang (editor)
   Hikvision
   555 Qianmo Road, Binjiang District
   Hangzhou
   310051
   China

   Phone: +86 571 8847 3644
   Email: wbin2006@gmail.com

   Kezhang Lin (editor)
   Hikvision
   555 Qianmo Road, Binjiang District
   Hangzhou
   310051
   China

   Phone: +86 571 8847 3644
   Email: lkz_wz98@163.com

   Chonghua Wang (editor)
   IIE, CAS
   Beijing
   100093
   China

   Phone: +86 185 1894 5987
   Email: chonghuaw@live.com

   Xing Wang (editor)
   Hikvision
   555 Qianmo Road, Binjiang District
   Hangzhou
   310051
   China

   Phone: +86 571 8847 3644
   Email: xing.wang.email@gmail.com
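As an added illustration that is not part of this draft (nor code of the Handle or OID systems), the following Python sketch shows how a receiving node could apply the integrity requirement of Section 7.1, the timeliness requirement of Section 7.2 and the log content requirement of Section 7.8 to a single identity resolution record: an HMAC-SHA256 check value stands in for the check code, digest or signature the draft calls for, the record's time stamp is checked against an acceptance window, and each outcome is written to an audit entry carrying the required fields. The shared key, the Handle ID, the device fields and the clock value are constructed sample values.

```python
import hashlib
import hmac
import json
import time

# Constructed shared key for the demo; a deployment would use keys from its
# own key management and the nationally mandated algorithms of Section 7.6.
SHARED_KEY = b"constructed-demo-key-not-for-production"
MAX_AGE_SECONDS = 300  # acceptance window enforcing Section 7.2 timeliness

def canonical(record: dict) -> bytes:
    """Deterministic encoding so sender and receiver hash identical bytes."""
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()

def seal(record: dict, now: float, key: bytes = SHARED_KEY) -> dict:
    """Sender side: add a time stamp, then a check value over body+stamp."""
    sealed = dict(record, timestamp=int(now))
    sealed["check"] = hmac.new(key, canonical(sealed), hashlib.sha256).hexdigest()
    return sealed

def audit(log: list, now: float, event_type: str, subject: str,
          description: str, success: bool) -> None:
    """Append an audit entry carrying the fields Section 7.8 requires."""
    log.append({
        "datetime": time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime(now)),
        "event_type": event_type,
        "event_subject": subject,
        "event_description": description,
        "result": "success" if success else "failure",
    })

def verify(sealed: dict, now: float, log: list, key: bytes = SHARED_KEY) -> bool:
    """Receiver side: check integrity first, then timeliness; log the outcome."""
    subject = sealed.get("handle", "<unknown>")
    body = {k: v for k, v in sealed.items() if k != "check"}
    expected = hmac.new(key, canonical(body), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, sealed.get("check", "")):
        audit(log, now, "INTEGRITY_CHECK", subject, "check value mismatch", False)
        return False
    age = now - sealed["timestamp"]
    if age < 0 or age > MAX_AGE_SECONDS:
        audit(log, now, "TIMELINESS_CHECK", subject,
              f"record age {age:.0f}s outside window", False)
        return False
    audit(log, now, "TRANSMISSION_ACCEPTED", subject, "record accepted", True)
    return True

# Constructed sample identity data using the fields listed in Section 6.
SAMPLE = {"handle": "86.1000/example-device-0001",  # constructed Handle ID
          "device_model": "DEMO-NVR", "device_type": "network video recorder",
          "production_batch": "B2021-04", "production_date": "2021-04-16"}

def demo():
    """Exercise an intact, a tampered and a stale record; return (results, log)."""
    log = []
    t0 = 1618531200.0  # constructed fixed clock: 2021-04-16T00:00:00Z
    good = seal(SAMPLE, t0)
    tampered = dict(good, production_batch="B2021-99")  # altered in transit
    stale = seal(SAMPLE, t0 - 3600)                     # sealed an hour ago
    results = (verify(good, t0 + 5, log), verify(tampered, t0 + 5, log),
               verify(stale, t0 + 5, log))
    return results, log
```

Integrity is checked before timeliness so that an unauthenticated time stamp never influences the decision; the audit list returned by `demo()` shows one entry per outcome.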