Internet Engineering Task Force                             B. Wang, Ed.
Internet-Draft                                               K. Lin, Ed.
Intended status: Standards Track                               Hikvision
Expires: 17 October 2022                                    C. Wang, Ed.
                                                                IIE, CAS
                                                            X. Wang, Ed.
                                                               Hikvision
                                                           15 April 2022


Data Transmission Security of Identity Resolution in Industrial Internet
             draft-wang-data-transmission-security-irii-02

Abstract

   This draft provides an overview of the security of data transmission
   in the identity resolution system for the Industrial Internet.
   Identity resolution systems play a vital role in the Industrial
   Internet by providing secure sharing and intelligent association of
   heterogeneous information among different organizations.  This draft
   focuses on the security services that identity resolution systems
   should provide for resolution data transmission.

Status of This Memo

   This Internet-Draft is submitted in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF).  Note that other groups may also distribute
   working documents as Internet-Drafts.  The list of current Internet-
   Drafts is at https://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   This Internet-Draft will expire on 17 October 2022.

Copyright Notice

   Copyright (c) 2022 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents (https://trustee.ietf.org/
   license-info) in effect on the date of publication of this document.
   Please review these documents carefully, as they describe your rights
   and restrictions with respect to this document.  Code Components
   extracted from this document must include Revised BSD License text as
   described in Section 4.e of the Trust Legal Provisions and are
   provided without warranty as described in the Revised BSD License.

Table of Contents

   1.  Introduction
   2.  Scope
   3.  Terms and Definitions
     3.1.  International Root Node
     3.2.  National Root Node
     3.3.  Secondary Node
     3.4.  Enterprise Node
     3.5.  Recursive Node
     3.6.  Transmission Security
     3.7.  Privacy
     3.8.  Personal Data
   4.  Abbreviation
   5.  Overview
   6.  Security Protection Scope
   7.  Safety Technical Requirements
     7.1.  Data Transmission Integrity
     7.2.  Data Transmission Availability
     7.3.  Data Transmission Confidentiality
     7.4.  Data Transmission Authentication
     7.5.  Data Transmission Strategy
     7.6.  Data Transmission Protocol
     7.7.  Maintenance and Update of Transmission Protocol
     7.8.  Log and Audit
   8.  Security Considerations
   9.  IANA Considerations
   10. Informative References
   Authors' Addresses

1.  Introduction

   The identity resolution system is an important piece of network
   infrastructure for the Industrial Internet.
   It provides codes, registration and resolution services for
   industrial equipment, machines, materials, parts and products to
   achieve interoperability, secure sharing and intelligent association
   of heterogeneous information, and is an important cornerstone for the
   rapid development of the Industrial Internet.  Typical global
   identity resolution systems include the Handle system [RFC3650]
   [RFC3651] and the Object Identifier (OID) resolution system [OID].
   In order to ensure the security of the data transmission involved in
   the Industrial Internet identity resolution system, security
   technical requirements are formulated to enhance the security of the
   entire Industrial Internet identity resolution system and to reduce
   the security risk caused by data leakage.  These security technical
   requirements can be applied to the planning, construction, operation
   and management of data transmission security for Industrial Internet
   identity resolution.

2.  Scope

   This draft specifies the security technical requirements for the
   transmission of Industrial Internet identity resolution data.

   This draft applies to the planning, construction, operation and
   management of Industrial Internet identity resolution data
   transmission security by the relevant parties.

3.  Terms and Definitions

3.1.  International Root Node

   International root nodes are the top-level service nodes of the
   identity resolution system.  They are not limited to specific
   countries or regions: on the one hand they provide public root-level
   identity services for the global scope, and on the other hand they
   provide services such as data synchronization and registration
   resolution for the different levels of nodes within each country.

3.2.  National Root Node

   The top-level node within a country or region.  It is connected to
   the international root node and to secondary nodes, and provides
   top-level identity resolution services for the whole country.

3.3.  Secondary Node

   A public node providing identity services for a specific industry or
   for multiple industries.  It is responsible for allocating identities
   and for providing identity registration, identity resolution and
   identity data services to industrial enterprises.  Secondary nodes
   are divided into two types: industry secondary nodes and
   comprehensive secondary nodes.

3.4.  Enterprise Node

   An intra-enterprise identity service node that provides identity
   registration, identity resolution, identity data services, etc., for
   a specific enterprise and connects with secondary nodes.

3.5.  Recursive Node

   The key entrance facility of the identity resolution system.  It is
   responsible for caching and other operations on the resolution data
   during identity resolution, reducing the amount of resolution data
   processing and improving the efficiency of resolution services.

3.6.  Transmission Security

   The protection of the confidentiality, integrity, availability and
   timeliness of information transmitted over the network.

3.7.  Privacy

   Privacy refers to the authority that individuals have to control
   their information, including who collects and stores it and who
   discloses it.

3.8.  Personal Data

   Personal data refers to information through which a natural person
   can be identified, either directly from the data or indirectly from
   the data combined with other information.

4.  Abbreviation

          +==============+====================================+
          | Abbreviation | Full Name                          |
          +==============+====================================+
          | TLS          | Transport Layer Security           |
          +--------------+------------------------------------+
          | IPSec        | Internet Protocol Security         |
          +--------------+------------------------------------+
          | HTTPS        | Hypertext Transfer Protocol Secure |
          +--------------+------------------------------------+
          | OID          | Object Identifier                  |
          +--------------+------------------------------------+
          | DNS          | Domain Name System                 |
          +--------------+------------------------------------+
          | ENODE        | Enterprise Node                    |
          +--------------+------------------------------------+
          | IIP          | Industrial Internet Platform       |
          +--------------+------------------------------------+
          | HandleID     | Unique Identification of Equipment |
          +--------------+------------------------------------+

                        Table 1: Abbreviation

5.  Overview

   The Industrial Internet identity resolution and management service
   system is a system that supports the global traceability management
   of industrial IoT product data and the dynamic sharing of data
   throughout the product life cycle, using the capabilities of the
   secure identity management and resolution platform.  Industrial
   Internet identity resolution data transmission refers to the
   collection of data technologies used by Industrial Internet terminals
   to obtain and transmit information.  Its transmission security covers
   the network security part of the basic security protection measures
   dimension, all inter-domain and intra-domain data transmission in the
   functional domain dimension of the Industrial Internet of Things
   identity resolution and management service system, and the whole
   process of the system life cycle dimension.

                            +---------------+
              +-------------+ DNS Root Node +----------------+
              |             +---------------+                |
        +-----+-------+                             +--------+------+
        |OID Root Node|   International Root Node   |Ecode Root Node|
        +-----+-------+                             +--------+------+
              |                                              |
              |         +---------------------+              |
              +---------+                     +--------------+
                        |   Handle Root Node  |
            +----------->                     <-----------------+
            |           +---------------------+                 |
            |                                                   |
            |                                          +--------v-----+
            |                                          |Secondary Node|
      +-----+--------+        +---------+              +--------+-----+
      |Recursive Node+----+-->|National |                       |
      +-----^--------+    |   |Top Level|              +--------+--------+
            |             |   |Node     |              |                 |
            |             |   +---------+        +-----+-----+    +------+---+
            |             |                      |Enterprise |    |Enterprise|
            |             |                      |Node       |    |Node      |
            |             |                      +-----------+    +----------+
            |             |
+-----------+---------+   |    +--------------+
|Identity Resolution  |   +---->Secondary Node|
|Data and Application |   |    +------+-------+
| +------------+      |   |           |
| |Industry App|      |   |   +-------+-------+
| +------------+      |   |   |               |
| +-----------+       |  +v---+------+ +------+---+
| |Enterprise |       |  |Enterprise | |Enterprise|
| |Information|       |  |Node       | |Node      |
| |System     |       |  +-----------+ +----------+
| +-----------+       |
| +-----------+       |
| |Industrial |       |
| |Internet   |       |
| |Platform   |       |
| +-----------+       |
+---------------------+

      Figure 1: Industrial Internet Identity Resolution and Management
                              Service System

6.  Security Protection Scope

   The security protection scope of the Industrial Internet identity
   resolution and management service system proposed in this draft
   covers the following process: the identity is written into the
   device, which is responsible for collecting product information
   including device model, device type, generation batch, generation
   date, generation site, device production information link, device
   description data link, etc.; this information is integrated into
   identity data and then published to the data exchange system for
   access by identity resolution enterprise nodes.  The collection of
   data transmission technologies used for data synchronization among
   the identity resolution enterprise node, the identity resolution
   secondary node and the identity resolution root node, in each
   application scenario, provides security assurance and security
   support for Industrial Internet identity data transmission.

   The scope of Industrial Internet identity data transmission security
   protection specifically includes the security, and the security
   support, of the data transmission interfaces within and between the
   functional domains of the Industrial Internet identity resolution
   system.  It applies to the whole life cycle of the system (planning
   and design, development and construction, operation and maintenance,
   abandonment and exit).

           +--------------------------------------------------------+
           |              Identity Resolution Root Node              |
           +-------------------------^------------------------------+
                                     |
           +-------------------------v------------------------------+
           |           Identity Resolution Secondary Node           |
           +-------------------------^------------------------------+
+------------------------------------|--------------------------------+
|                                    |                                |
|          +-------------------------v------------------------------+ |
|          |          Identity Resolution Enterprise Node           | |
|          +-------------------------^------------------------------+ |
|Demilitarized                       |                                |
| Zone      +-------------------------v------------------------------+ |
|          |                  Data Exchange System                  | |
|          +-------------------------^------------------------------+ |
|                                    |                                |
+------------------------------------|--------------------------------+
|          +-------------------------|------------------------------+ |
|          |       Identity Generation and Management System        | |
|          +------^------------------------------------------^------+ |
|Enterprise       |                                          |        |
| Intranet +------v-------+  + Enterprise Products ----------v------+ |
|          |              |  | +-----------------+ +--------------+ | |
|          |              |  | |Network Hard Disk| |Access Control| | |
|          |  Enterprise  |  | |Video Recorder   | |    Device    | | |
|          | Information  |  | +-----------------+ +--------------+ | |
|          |    System    |  | +------------+ +---+                 | |
|          |              |  | |Video Camera| |...|                 | |
|          |              |  | +------------+ +---+                 | |
|          +--------------+  +--------------------------------------+ |
+---------------------------------------------------------------------+

      Figure 2: Industrial Internet Identity Resolution and Management
                              Service System

7.  Safety Technical Requirements

7.1.  Data Transmission Integrity

   Data transmission should comply with the following common
   requirements:

   1)  Support an information integrity check mechanism during
       transmission (such as a check code, message digest or digital
       signature) to protect the transmission integrity of management
       data, authentication information, sensitive information,
       important business data and other data.

   2)  Provide communication delay and interruption handling functions
       to ensure the integrity of the data.

   3)  For important data, use the relevant cryptographic algorithms of
       the National Cryptography Administration to ensure the integrity
       of data transmission.

   4)  Take measures to restore or re-obtain the data when it is
       detected that its integrity has been compromised.

7.2.  Data Transmission Availability

   The timeliness and accuracy of the data shall be guaranteed during
   data transmission.  Specifically:

   1)  Timeliness: the ability to identify received data that is
       historical or beyond the time limit.  Specifically, the data
       comes from a system using a unified time allocation/correction
       mechanism, and the data should carry time stamps, etc.

   2)  Accuracy: when the data carries an error within the acceptable
       range, a redundancy mechanism ensures that the data can still be
       obtained normally and in time.

7.3.  Data Transmission Confidentiality

   When transferring data, it is necessary to ensure the confidentiality
   of the data, including:

   1)  For important data, authentication information and important
       business data, such as user passwords, biometrics, private keys,
       symmetric keys, product order information, device unique
       identity (Handle ID), etc., an encryption algorithm of adequate
       strength or other effective measures should be used to ensure
       confidentiality.

   2)  Choose appropriate security protocols (such as HTTPS, SSH, IPSec,
       TLS, etc.) to protect the transmitted data.

7.4.  Data Transmission Authentication

   Ensure the legitimacy of the identities of both parties in the data
   transmission; that is, the subject's identity is authenticated to
   the object before the interaction, and a trusted transmission path
   is established.

7.5.  Data Transmission Strategy

   Establish a formal transmission strategy to protect the security of
   all types of information transmitted through communication
   facilities, which shall:

   1)  Clarify the type and scope of information that may be
       transmitted in plain text.

   2)  Require an encrypted transmission strategy for sensitive data,
       such as user passwords, biometrics, private keys, symmetric
       keys, etc.

7.6.  Data Transmission Protocol

   The protocol should address the safe transmission of internal and
   external business, and shall meet the following:

   Cryptographic operations such as message digest, signature and
   authentication shall use the cryptographic algorithms, and the
   combinations of digest, signature and authentication, required by
   national regulations or national mandatory standards.

7.7.  Maintenance and Update of Transmission Protocol

   The confidentiality protocol for data transmission should be
   regularly maintained and updated so that the protocol reflects the
   requirements for data transmission security protection, and shall
   meet the following:

   1)  The transmission security protocol needs to be reviewed every
       year to ensure that it reflects the requirements for data
       transmission security protection.

   2)  When new services are launched or existing services are changed,
       the transmission security protocol needs to be audited and, if
       necessary, updated.

7.8.  Log and Audit

   The transmission system shall log and audit the following security
   failure events.
   The content of the log shall at least contain date/time, event type,
   event subject, event description and success/failure information,
   and shall meet the following requirements:

   1)  Data transmission establishment success and failure.

   2)  Transmission device online monitoring abnormalities and alarm
       events.

   3)  Malicious program intrusion alert events.

   4)  Configuration modification operations performed by
       administrators/non-administrators.

8.  Security Considerations

   This entire memo deals with security issues.

9.  IANA Considerations

   This document has no IANA actions.

10.  Informative References

   [OID]      "Introduction to OIDs and the OID Resolution System
              (ORS)", May 2020.

   [RFC3650]  Sun, S., Lannom, L., and B. Boesch, "Handle System
              Overview", DOI 10.17487/RFC3650, November 2003.

   [RFC3651]  Sun, S., Reilly, S., and L. Lannom, "Handle System
              Namespace and Service Definition", DOI 10.17487/RFC3651,
              November 2003.

Authors' Addresses

   Bin Wang (editor)
   Hikvision
   555 Qianmo Road, Binjiang District
   Hangzhou
   310051
   China
   Phone: +86 571 8847 3644
   Email: wbin2006@gmail.com

   Kezhang Lin (editor)
   Hikvision
   555 Qianmo Road, Binjiang District
   Hangzhou
   310051
   China
   Phone: +86 571 8847 3644
   Email: lkz_wz98@163.com

   Chonghua Wang (editor)
   IIE, CAS
   Beijing
   100093
   China
   Phone: +86 185 1894 5987
   Email: chonghuaw@live.com

   Xing Wang (editor)
   Hikvision
   555 Qianmo Road, Binjiang District
   Hangzhou
   310051
   China
   Phone: +86 571 8847 3644
   Email: xing.wang.email@gmail.com
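Worked example for the requirements of Sections 7.1, 7.2 and 7.8 above (added here; it is not part of this draft and is not code from any of the identity resolution systems it cites). It assumes a symmetric key shared between two nodes out of band, a JSON record carrying the product fields listed in Section 6, and uses HMAC-SHA256 from the Python standard library in place of the national cryptographic algorithms the draft calls for; the integrity-then-timeliness structure and the log fields do not depend on the algorithm.

```python
"""Added example (not from the draft): one identity resolution record
protected in transit per Sections 7.1 (integrity), 7.2 (timeliness)
and 7.8 (log content).  HMAC-SHA256 stands in for the national
cryptographic algorithms the draft requires, so the code runs offline."""
import hashlib
import hmac
import json

# Acceptance window for the timeliness check (Section 7.2); assumed value.
MAX_AGE_SECONDS = 300

def canonical(record: dict) -> bytes:
    """Stable serialization so sender and receiver digest identical bytes."""
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()

def protect(record: dict, key: bytes, sent_at: int) -> dict:
    """Sender side: bind a timestamp to the record and append an integrity tag."""
    body = dict(record, timestamp=sent_at)
    tag = hmac.new(key, canonical(body), hashlib.sha256).hexdigest()
    return {"body": body, "tag": tag}

def verify(message: dict, key: bytes, now: int, log: list) -> bool:
    """Receiver side: integrity first, then timeliness.  Every outcome is
    logged with the fields Section 7.8 requires (date/time, event type,
    event subject, event description, success/failure)."""
    body = message.get("body", {})
    subject = body.get("handle_id", "<unknown>")

    def audit(ok: bool, reason: str) -> bool:
        log.append({"time": now, "event_type": "resolution_data_transfer",
                    "subject": subject, "description": reason, "success": ok})
        return ok

    expected = hmac.new(key, canonical(body), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, message.get("tag", "")):
        return audit(False, "integrity check failed")
    ts = body.get("timestamp")
    if not isinstance(ts, int) or ts > now or now - ts > MAX_AGE_SECONDS:
        return audit(False, "timestamp missing, in the future or beyond the time limit")
    return audit(True, "integrity and timeliness verified")

# Constructed sample carrying the product fields of Section 6; every value,
# including the Handle ID, is a placeholder.
SAMPLE_RECORD = {
    "handle_id": "PLACEHOLDER-PREFIX/DEVICE-0001",
    "device_model": "MODEL-PLACEHOLDER",
    "device_type": "video camera",
    "generation_batch": "B-0001",
    "generation_date": "2022-04-01",
    "generation_site": "SITE-PLACEHOLDER",
}
KEY = b"constructed-demo-key-provisioned-out-of-band"

def demo() -> tuple:
    """Fresh record is accepted; a stale copy and a tampered copy are rejected."""
    log = []
    sent = 1_650_000_000
    msg = protect(SAMPLE_RECORD, KEY, sent_at=sent)
    fresh = verify(msg, KEY, now=sent + 60, log=log)
    stale = verify(msg, KEY, now=sent + MAX_AGE_SECONDS + 1, log=log)
    tampered = json.loads(json.dumps(msg))  # deep copy, then alter one field
    tampered["body"]["generation_batch"] = "B-9999"
    forged = verify(tampered, KEY, now=sent + 60, log=log)
    return fresh, stale, forged, log
```

A replayed old message fails the timeliness check even though its tag is valid, and a message whose timestamp was rewritten to look fresh fails the integrity check first, because the timestamp is inside the tagged body.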