Internet Draft                                                P. Urien
Intended status: Informational                           Telecom Paris
Expires: January 2024                                      July 7 2023


                            COIN Security
                      draft-urien-coin-sec-01.txt


Abstract

   This draft introduces some security issues for COIN systems.

Requirements Language

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
   document are to be interpreted as described in RFC 2119.

Status of this Memo

   This Internet-Draft is submitted in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF). Note that other groups may also distribute working
   documents as Internet-Drafts. The list of current Internet-Drafts is
   at http://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time. It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   This Internet-Draft will expire in January 2024.

Urien                   Expires January 2024                   [Page 1]

Copyright Notice

   Copyright (c) 2023 IETF Trust and the persons identified as the
   document authors. All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (http://trustee.ietf.org/license-info) in effect on the date of
   publication of this document. Please review these documents
   carefully, as they describe your rights and restrictions with respect
   to this document. Code Components extracted from this document must
   include Simplified BSD License text as described in Section 4.e of
   the Trust Legal Provisions and are provided without warranty as
   described in the Simplified BSD License.

Table of Contents

   Abstract
   Requirements Language
   Status of this Memo
   Copyright Notice
   1  Overview
   2  COIN Security
   3  Program Security
   4  Identity
   5  IANA Considerations
   6  Security Considerations
   7  References
      7.1  Normative References
      7.2  Informative References
   8  Authors' Addresses

1  Overview

   Computing in the Network (COIN) is a concept [COIN-TERMINOLOGY] that
   aims at deploying and using programs based on computing resources
   hosted in Programmable Network Devices (PNDs). Such infrastructures
   could be integrated in edge computing or 5G slicing [COIN-USECASES].

   A program works with several PNDs exchanging data over secure
   communications. In that context there is a need for security, either
   for intrinsic COIN needs or for programs running in COIN systems.

2  COIN Security

   COIN should rely on fully encrypted communications, which implies
   authentication and keying mechanisms based on symmetric or asymmetric
   secrets.

   Some research items for COIN security are the following:

   1) Security Architecture
   2) PND security model
   3) Key Management System (KMS)
   4) Identity Model
   5) Authentication Center

                        +-------+
                        |  PND  |
           +------------+  ID   +------------+
           |            |  KMS  |            |
           |            +---+---+            |
           |                |                |
           |            +---+---+            |
           |            | Auth. |            |
           |       +----+ Center+----+       |
           |      /     |  KMS  |     \      |
           |     /      +-------+      \     |
           |    /                       \    |
       +---+---+                     +---+---+
       |  PND  |                     |  PND  |
       |  ID   +---------------------+  ID   |
       |  KMS  |                     |  KMS  |
       +-------+                     +-------+

   A PND could include a Key Management System (KMS) in order to provide
   these security features. If COIN services rely on a centralized
   architecture, an Authentication Center (AC) should provide the KMS
   functions.

   PND processors can also include a physical entity providing isolated
   computing resources (for example a Trusted Execution Environment,
   TEE) or tamper-resistant computing resources (sometimes referred to
   as an integrated Secure Element, iSE). A classical approach in cloud
   computing relies on the deployment of Hardware Security Modules
   (HSMs) in data centers, typically performing offload or KMS
   operations, i.e. computing cryptographic procedures in a trusted
   environment.

3  Program Security

   Programs could have security requirements. For example, the
   generation of blockchain transactions implies secure key storage and
   trusted signature generation.

   Some research items for program security are the following:

   1) Secure program deployment
   2) Attestation and secure cryptographic provisioning
   3) Level of security & trust
   4) Scalability & performance

   The IoSE [IOSE] draft introduces on-demand secure computing
   resources, identified by a Uniform Resource Identifier (URI), and
   could be a use case for COIN.

       +-------+                     +-------+
       |  PND  |         URI         | IoSE  |
       |       +---------------------+       |
       |  KMS  |                     | Server|
       +-------+                     +-------+
            \                           /
             \                         / URI
              \      +-------+        /
               \     | COIN  |       /
                \    |       |      /
                 \   | Client|     /
                  +--+-------+----+

4  Identity

   Identity is used to identify and authenticate PNDs. Identity
   knowledge should provide information about computing resources and
   trust level.

   An entirely distributed architecture could use asymmetric
   cryptography and certificates to identify participating PNDs and
   their associated computing resources.
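   The following Python program is an added example and is not part of
   this draft; it illustrates the centralized case of Sections 2 and 4,
   in which an Authentication Center holding a long-term symmetric key
   K for each PND authenticates the PND, lets the PND authenticate the
   AC, and derives a fresh session key, in the style of the cellular
   AKA exchange the draft points to. The message layout, the sequence
   number handling and the HMAC-SHA256 stand-ins for the cellular f1/f2/f3
   functions are this example's own assumptions, not a design taken from
   the draft, from 3GPP, or from any COIN implementation. The keys and
   device identifiers are constructed sample values.

```python
import hashlib
import hmac
import secrets


def prf(key, label, *parts):
    """HMAC-SHA256 keyed by the long-term key K. The label gives domain
    separation (MAC, response and session key never collide) and each
    part is length-prefixed so concatenation is unambiguous."""
    h = hmac.new(key, label, hashlib.sha256)
    for part in parts:
        h.update(len(part).to_bytes(2, "big") + part)
    return h.digest()


class AuthCenter:
    """Centralized AC acting as KMS: holds one long-term key K per PND
    (assumed enrollment step; the draft does not specify one)."""

    def __init__(self):
        self.keys = {}   # pnd_id -> K
        self.sqn = {}    # pnd_id -> last sequence number issued

    def enroll(self, pnd_id, k):
        self.keys[pnd_id] = k
        self.sqn[pnd_id] = 0

    def challenge(self, pnd_id):
        """Build an authentication vector (RAND, SQN, AUTN, XRES, CK)."""
        k = self.keys[pnd_id]
        rand = secrets.token_bytes(16)
        self.sqn[pnd_id] += 1
        sqn = self.sqn[pnd_id]
        sqn_b = sqn.to_bytes(6, "big")
        autn = prf(k, b"f1-mac", rand, sqn_b)  # lets the PND authenticate the AC
        xres = prf(k, b"f2-res", rand)[:16]    # response expected from the PND
        ck = prf(k, b"f3-ck", rand, sqn_b)     # session key, never sent on the wire
        return rand, sqn, autn, xres, ck

    @staticmethod
    def verify(xres, res):
        return hmac.compare_digest(xres, res)


class PND:
    """Programmable Network Device holding K (assumed: provisioned into
    its iSE/TEE, which is where the draft places tamper-resistant state)."""

    def __init__(self, pnd_id, k):
        self.pnd_id = pnd_id
        self.k = k
        self.last_sqn = 0  # highest SQN accepted so far, for replay detection

    def respond(self, rand, sqn, autn):
        """Check AUTN (network authentication, then freshness); return (RES, CK)."""
        sqn_b = sqn.to_bytes(6, "big")
        expected = prf(self.k, b"f1-mac", rand, sqn_b)
        if not hmac.compare_digest(expected, autn):
            raise ValueError("AUTN check failed: sender lacks K or message tampered")
        if sqn <= self.last_sqn:
            raise ValueError("replayed or stale challenge")
        self.last_sqn = sqn
        res = prf(self.k, b"f2-res", rand)[:16]
        ck = prf(self.k, b"f3-ck", rand, sqn_b)
        return res, ck


def run_aka(ac, pnd):
    """One exchange: AC -> PND (RAND, SQN, AUTN); PND -> AC (RES).
    Returns the 32-byte session key both sides now share, or raises."""
    rand, sqn, autn, xres, ck_ac = ac.challenge(pnd.pnd_id)
    res, ck_pnd = pnd.respond(rand, sqn, autn)
    if not AuthCenter.verify(xres, res):
        raise ValueError("RES mismatch: PND does not hold the enrolled K")
    if ck_ac != ck_pnd:
        raise ValueError("session key derivation diverged")
    return ck_ac


def rejects_wrong_key():
    """A device claiming an enrolled identity with a different K fails."""
    ac = AuthCenter()
    ac.enroll("pnd-1", secrets.token_bytes(32))
    clone = PND("pnd-1", secrets.token_bytes(32))  # same ID, wrong K
    try:
        run_aka(ac, clone)
    except ValueError:
        return True
    return False


def rejects_replay():
    """Re-sending a captured (RAND, SQN, AUTN) is refused by the SQN check."""
    k = secrets.token_bytes(32)
    ac = AuthCenter()
    ac.enroll("pnd-2", k)
    pnd = PND("pnd-2", k)
    rand, sqn, autn, _, _ = ac.challenge("pnd-2")
    pnd.respond(rand, sqn, autn)  # first use succeeds
    try:
        pnd.respond(rand, sqn, autn)  # same vector again
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    k = secrets.token_bytes(32)
    ac = AuthCenter()
    ac.enroll("pnd-0", k)
    print("session key:", run_aka(ac, PND("pnd-0", k)).hex())
    print("wrong key rejected:", rejects_wrong_key())
    print("replay rejected:", rejects_replay())
```

   Two caveats a practitioner would attach to this model. First, the
   session key never crosses the network, but the single AC holds every
   PND's K, so its compromise exposes every PND at once; this is the
   reason a multi-tenant deployment, as Section 4 notes, wants several
   authentication centers rather than one. Second, the sequence number
   here travels in the clear, which is enough for replay detection but
   lets an observer track a PND across exchanges; cellular AKA conceals
   it with an anonymity key, and a distributed design would instead use
   the certificates and asymmetric keys described in Section 4.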
   Single-tenant architectures will likely use symmetric cryptographic
   algorithms and a single authentication center. Secure data exchanges
   could occur in a way similar to cellular network communications.

   Multi-tenant architectures should involve several authentication
   centers, with secure data exchanges organized in the same way.

5  IANA Considerations

   This draft does not require any action from IANA.

6  Security Considerations

   This entire document is about security.

7  References

7.1  Normative References

   [COIN-TERMINOLOGY]  draft-irtf-coinrg-coin-terminology-00,
                       "Terminology for Computing in the Network".

   [COIN-USECASES]     draft-irtf-coinrg-use-cases-04, "Use Cases for
                       In-Network Computing".

7.2  Informative References

   [IOSE]              draft-urien-coinrg-iose-07.txt, "Internet of
                       Secure Elements".

8  Authors' Addresses

   Pascal Urien
   Telecom Paris
   19 place Marguerite Perey
   91120 Palaiseau
   France

   Phone: NA
   Email: Pascal.Urien@telecom-paris.fr