Internet Engineering Task Force (IETF) N. Finn
Request for Comments: 8557 Huawei Technologies Co. Ltd
Category: Informational P. Thubert
ISSN: 2070-1721 Cisco
May 2019
Internet Engineering Task Force (IETF) N. Finn
Request for Comments: 8557 Huawei Technologies Co. Ltd
Category: Informational P. Thubert
ISSN: 2070-1721 Cisco
May 2019
Deterministic Networking Problem Statement
确定性网络问题陈述
Abstract
摘要
This paper documents the needs in various industries to establish multi-hop paths for characterized flows with deterministic properties.
本文记录了不同行业中为具有确定性的特征流建立多跳路径的需求。
Status of This Memo
关于下段备忘
This document is not an Internet Standards Track specification; it is published for informational purposes.
本文件不是互联网标准跟踪规范;它是为了提供信息而发布的。
This document is a product of the Internet Engineering Task Force (IETF). It represents the consensus of the IETF community. It has received public review and has been approved for publication by the Internet Engineering Steering Group (IESG). Not all documents approved by the IESG are candidates for any level of Internet Standard; see Section 2 of RFC 7841.
本文件是互联网工程任务组(IETF)的产品。它代表了IETF社区的共识。它已经接受了公众审查,并已被互联网工程指导小组(IESG)批准出版。并非IESG批准的所有文件都适用于任何级别的互联网标准;见RFC 7841第2节。
Information about the current status of this document, any errata, and how to provide feedback on it may be obtained at https://www.rfc-editor.org/info/rfc8557.
有关本文件当前状态、任何勘误表以及如何提供反馈的信息,请访问https://www.rfc-editor.org/info/rfc8557.
Copyright Notice
版权公告
Copyright (c) 2019 IETF Trust and the persons identified as the document authors. All rights reserved.
版权(c)2019 IETF信托基金和被确定为文件作者的人员。版权所有。
This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (https://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Simplified BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Simplified BSD License.
本文件受BCP 78和IETF信托有关IETF文件的法律规定的约束(https://trustee.ietf.org/license-info)自本文件出版之日起生效。请仔细阅读这些文件,因为它们描述了您对本文件的权利和限制。从本文件中提取的代码组件必须包括信托法律条款第4.e节中所述的简化BSD许可证文本,并提供简化BSD许可证中所述的无担保。
Table of Contents
目录
1. Introduction ....................................................2
2. On Deterministic Networking .....................................4
3. Problem Statement ...............................................6
3.1. Supported Topologies .......................................6
3.2. Flow Characterization ......................................6
3.3. Centralized Path Computation and Installation ..............7
3.4. Distributed Path Setup .....................................8
3.5. Duplicated Data Format .....................................8
4. Security Considerations .........................................9
5. IANA Considerations .............................................9
6. Informative References .........................................10
Acknowledgments ...................................................11
Authors' Addresses ................................................11
1. Introduction ....................................................2
2. On Deterministic Networking .....................................4
3. Problem Statement ...............................................6
3.1. Supported Topologies .......................................6
3.2. Flow Characterization ......................................6
3.3. Centralized Path Computation and Installation ..............7
3.4. Distributed Path Setup .....................................8
3.5. Duplicated Data Format .....................................8
4. Security Considerations .........................................9
5. IANA Considerations .............................................9
6. Informative References .........................................10
Acknowledgments ...................................................11
Authors' Addresses ................................................11
"Deterministic Networking Use Cases" [RFC8578] illustrates that beyond the classical case of Industrial Automation and Control Systems (IACSs) there are in fact multiple industries with strong, and relatively similar, needs for deterministic network services with latency guarantees and ultra-low packet loss.
“确定性网络使用案例”[RFC8578]说明,除了工业自动化和控制系统(IACS)的经典案例外,事实上,多个行业对确定性网络服务的需求强烈且相对相似,具有延迟保证和超低数据包丢失。
The generalization of the needs for more deterministic networks has led to the IEEE 802.1 Audio Video Bridging (AVB) Task Group becoming the Time-Sensitive Networking (TSN) [IEEE-802.1TSNTG] Task Group (TG), with a much-expanded constituency from the industrial and vehicular markets.
对更具确定性的网络需求的普遍化导致IEEE 802.1音频视频桥接(AVB)任务组成为时间敏感网络(TSN)[IEEE-802.1TSNTG]任务组(TG),工业和车辆市场的用户范围大大扩大。
Along with this expansion, the networks considered here are becoming larger and structured, requiring deterministic forwarding beyond the LAN boundaries. For instance, an IACS segregates the network along the broad lines of the Purdue Enterprise Reference Architecture (PERA) [ISA95], typically using deterministic LANs for Purdue level 2 control systems, whereas public infrastructures such as electricity automation require deterministic properties over the wide area. Implementers have come to realize that the convergence of IT and Operation Technology (OT) networks requires Layer 3, as well as Layer 2, capabilities.
随着这种扩展,这里考虑的网络变得越来越大和结构化,需要超出LAN边界的确定性转发。例如,IACS沿着普渡企业参考体系结构(PERA)[ISA95]的广泛路线隔离网络,通常为普渡2级控制系统使用确定性局域网,而电力自动化等公共基础设施需要广域的确定性属性。实施者已经意识到,IT和运营技术(OT)网络的融合需要第3层和第2层的能力。
While the initial user base has focused almost entirely on Ethernet physical media and Ethernet-based bridging protocols from several Standards Development Organizations (SDOs), the need for Layer 3, as expressed above, must not be confined to Ethernet and Ethernet-like media. While such media must be encompassed by any useful Deterministic Networking (DetNet) architecture, cooperation between the IETF and other SDOs must not be limited to the IEEE or the
虽然最初的用户群几乎完全集中于来自多个标准开发组织(SDO)的以太网物理介质和基于以太网的桥接协议,但如上所述,对第3层的需求不能局限于以太网和类似以太网的介质。虽然此类媒体必须包含在任何有用的确定性网络(DetNet)架构中,但IETF和其他SDO之间的合作不得限于IEEE或
IEEE 802 organizations. Furthermore, while both completed and ongoing work in other SDOs, and in IEEE 802 in particular, provides an obvious starting point for a DetNet architecture, we must not assume that these other SDOs' work confines the space in which the DetNet architecture progresses.
IEEE 802组织。此外,虽然其他SDO(尤其是IEEE 802)中已完成和正在进行的工作为DetNet体系结构提供了一个明显的起点,但我们不能假设这些其他SDO的工作限制了DetNet体系结构的发展空间。
The properties of deterministic networks will have specific requirements for the use of routed networks to support these applications, and a new model must be proposed to integrate this determinism in IT implementations. The proposed model should enable a fully scheduled operation orchestrated by a central controller and may support a more distributed operation with (probably lesser) capabilities. At any rate, the model should not compromise the ability of a network to keep carrying the sorts of traffic that is already carried today in conjunction with new, more deterministic flows. Note: "Deterministic Networking Architecture" [DetNet-Arch] was produced by the DetNet Working Group to describe that model.
确定性网络的特性将对使用路由网络来支持这些应用有特定的要求,必须提出一种新的模型来将这种确定性集成到IT实现中。建议的模型应支持由中央控制器协调的完全计划的操作,并可支持具有(可能更小)功能的更分布式操作。无论如何,该模型不应损害网络的能力,使其能够继续承载当前已承载的各种流量,并与新的、更具确定性的流量相结合。注:“确定性网络架构”[DetNet Arch]由DetNet工作组制作,用于描述该模型。
At the time of this writing, it is expected that
在撰写本文时,预计
o once the abstract model is agreed upon, the IETF will specify (1) the signaling elements to be used to establish a path and (2) the tagging elements to be used to identify the flows that are to be forwarded along that path
o 一旦对抽象模型达成一致,IETF将指定(1)用于建立路径的信令元素和(2)用于识别沿该路径转发的流的标记元素
o the IETF will specify the necessary protocols or protocol additions, based on relevant IETF technologies, to implement the selected model
o IETF将根据相关IETF技术规定必要的协议或协议补充,以实现所选模型
A desirable outcome of the work is the ability to establish a multi-hop path over the IP or MPLS network for a particular flow with given timing and precise throughput requirements and to carry this particular flow along the multi-hop path with such characteristics as low latency and ultra-low jitter, reordering and/or replication and elimination of packets over non-congruent paths for a higher delivery ratio, and/or zero congestion loss, regardless of the amount of other flows in the network.
工作的理想结果是能够为具有给定定时和精确吞吐量要求的特定流在IP或MPLS网络上建立多跳路径,并沿着具有诸如低延迟和超低抖动等特征的多跳路径承载该特定流,在非一致路径上重新排序和/或复制和消除数据包,以获得更高的传递率和/或零拥塞损失,而不考虑网络中的其他流量。
Depending on the network capabilities and the current state, requests to establish a path by an end node or a network management entity may be granted or rejected, an existing path may be moved or removed, and DetNet flows exceeding their contract may face packet declassification and drop.
根据网络能力和当前状态,终端节点或网络管理实体建立路径的请求可以被授予或拒绝,现有路径可以被移动或移除,并且超过其契约的DetNet流可能面临分组解密和丢弃。
The Internet is not the only digital network that has grown dramatically over the last 30-40 years. Video and audio entertainment, as well as control systems for machinery, manufacturing processes, and vehicles, are also ubiquitous and are now based almost entirely on digital technologies. Over the past 10 years, engineers in these fields have come to realize that significant advantages in both cost and the ability to accelerate growth can be obtained by basing all of these disparate digital technologies on packet networks.
互联网并不是在过去30-40年中迅速发展的唯一数字网络。视频和音频娱乐以及机械、制造过程和车辆的控制系统也无处不在,现在几乎完全基于数字技术。在过去的10年中,这些领域的工程师们逐渐认识到,将所有这些不同的数字技术建立在分组网络上,可以在成本和加速增长能力方面获得显著优势。
The goals of Deterministic Networking are to (1) enable the migration of applications with critical timing and reliability issues that currently use special-purpose fieldbus technologies (High-Definition Multimedia Interface (HDMI), Controller Area Network (CAN bus), PROFIBUS [PROFIBUS], etc. ... even RS-232!) to packet technologies in general and to IP in particular and (2) support both these new applications and existing packet network applications over the same physical network. In other words, a deterministic network is backwards compatible with (capable of transporting) statistically multiplexed traffic while preserving the properties of the accepted deterministic flows.
确定性网络的目标是(1)实现当前使用专用现场总线技术(高清多媒体接口(HDMI)、控制器局域网(CAN总线)、PROFIBUS[PROFIBUS]等…甚至RS-232!)的具有关键时序和可靠性问题的应用程序的迁移(2)在同一物理网络上支持这些新的应用程序和现有的分组网络应用程序。换句话说,确定性网络向后兼容(能够传输)统计复用的业务,同时保持可接受的确定性流的属性。
[RFC8578] indicates that applications in multiple fields need some or all of a suite of features that includes:
[RFC8578]表示多个字段中的应用程序需要部分或全部功能套件,包括:
1. Time synchronization of all host and network nodes (routers and/or bridges), accurate to something between 10 nanoseconds and 10 microseconds, depending on the application.
1. 所有主机和网络节点(路由器和/或网桥)的时间同步,精确到10纳秒到10微秒之间,具体取决于应用程序。
2. Support for deterministic packet flows that:
2. 对确定性数据包流的支持:
* Can be unicast or multicast.
* 可以是单播或多播。
* Need absolute guarantees of minimum and maximum latency end to end across the network; sometimes a tight jitter is required as well.
* 需要绝对保证网络端到端的最小和最大延迟;有时还需要一个紧密的抖动。
* Need a packet loss ratio beyond the classical range for a particular medium, in the range of 10^-9 to 10^-12 or better on Ethernet and on the order of 10^-5 in wireless sensor mesh networks.
* 对于特定介质,需要超过经典范围的数据包丢失率,在以太网上为10^-9到10^-12或更好,在无线传感器网状网络中为10^-5。
* Can, in total, absorb more than half of the network's available bandwidth (that is, massive over-provisioning is ruled out as a solution).
* 总的来说,它可以吸收超过一半的网络可用带宽(也就是说,大规模的过度供应被排除在解决方案之外)。
* Cannot suffer throttling, congestion feedback, or any other network-imposed transmission delay, although the flows can be meaningfully characterized by either (1) a fixed, repeating transmission schedule or (2) a maximum bandwidth and packet size.
* 不能受到节流、拥塞反馈或任何其他网络施加的传输延迟的影响,尽管流可以通过(1)固定的重复传输时间表或(2)最大带宽和数据包大小来有意义地表征。
3. Multiple methods for scheduling, shaping, limiting, and otherwise controlling the transmission of critical packets at each hop through the network data plane.
3. 用于调度、成形、限制和以其他方式控制通过网络数据平面在每个跃点处的关键数据包的传输的多种方法。
4. Robust defenses against misbehaving hosts, routers, or bridges, in both the data plane and the control plane, with guarantees that a critical flow within its guaranteed resources cannot be affected by other flows, whatever the pressures on the network. For more on the specific threats against DetNet, see "Deterministic Networking (DetNet) Security Considerations" [DetNet-Security].
4. 在数据平面和控制平面上对行为不端的主机、路由器或网桥进行强大防御,保证其保证资源内的关键流不会受到其他流的影响,无论网络上的压力如何。有关针对DetNet的特定威胁的更多信息,请参阅“确定性网络(DetNet)安全注意事项”[DetNet Security]。
5. One or more methods for reserving resources in bridges and routers to carry these flows.
5. 用于在网桥和路由器中保留资源以承载这些流的一种或多种方法。
Time-synchronization techniques need not be addressed by an IETF working group; there are a number of standards available for this purpose, including IEEE 1588 [IEEE-1588], IEEE 802.1AS [IEEE-8021AS], and more.
时间同步技术无需由IETF工作组解决;有许多标准可用于此目的,包括IEEE 1588[IEEE-1588]、IEEE 802.1AS[IEEE-8021AS]等。
The needs related to multicast, latency, loss ratio, and throttling avoidance exist because the algorithms employed by the applications demand it. They are not simply the transliteration of fieldbus needs to a packet-based fieldbus simulation; they also reflect fundamental mathematics of the control of a physical system.
存在与多播、延迟、丢失率和节流避免相关的需求,因为应用程序使用的算法需要它。它们不仅仅是现场总线的音译,还需要基于数据包的现场总线仿真;它们还反映了物理系统控制的基本数学。
With classical forwarding of latency-sensitive and loss-sensitive packets across a network, interactions among different critical flows introduce fundamental uncertainties in delivery schedules. The details of the queuing, shaping, and scheduling algorithms employed by each bridge or router to control the output sequence on a given port affect the detailed makeup of the output stream, e.g., how finely a given flow's packets are mixed among those of other flows.
随着延迟敏感和丢失敏感数据包在网络中的经典转发,不同关键流之间的交互在交付计划中引入了基本的不确定性。每个网桥或路由器用于控制给定端口上的输出序列的排队、成形和调度算法的细节影响输出流的详细组成,例如,给定流的数据包在其他流的数据包之间的混合程度。
This, in turn, has a strong effect on the buffer requirements, and hence the latency guarantees deliverable, by the next bridge or router along the path. For this reason, the IEEE 802.1 TSN TG has defined a new set of queuing, shaping, and scheduling algorithms that enable each bridge or router to compute the exact number of buffers to be allocated for each flow or class of flows.
这反过来对缓冲区需求有很大影响,因此延迟保证了路径上的下一个网桥或路由器可以交付。因此,IEEE 802.1 TSN TG定义了一组新的排队、成形和调度算法,使每个网桥或路由器能够计算为每个流或流类分配的确切缓冲区数量。
Networking protocols commonly need robustness. Note that robustness plays a particularly important part in real-time control networks, where expensive equipment, and even lives, can be lost due to misbehaving equipment.
网络协议通常需要健壮性。请注意,鲁棒性在实时控制网络中起着特别重要的作用,在实时控制网络中,昂贵的设备甚至生命都可能因设备的不当行为而损失。
Reserving resources before packet transmission is the one fundamental shift in the behavior of network applications that is impossible to avoid. In the first place, a network cannot deliver finite latency and practically zero packet loss to an arbitrarily high offered load. Secondly, achieving practically zero packet loss for unthrottled (though bandwidth-limited) flows means that bridges and routers have to dedicate buffer resources to specific flows or classes of flows. The requirements of each reservation have to be translated into the parameters that control each host's, bridge's, and router's queuing, shaping, and scheduling functions and delivered to the hosts, bridges, and routers.
在数据包传输之前保留资源是网络应用程序行为中无法避免的一个根本转变。首先,网络不能向任意高的负载提供有限的延迟和几乎零的数据包丢失。其次,实现无阻塞(尽管带宽有限)流的几乎零数据包丢失意味着网桥和路由器必须将缓冲资源专用于特定流或流类。每个预约的要求必须转化为控制每个主机、网桥和路由器的排队、成形和调度功能的参数,并传递给主机、网桥和路由器。
In some use cases, the end point that runs the application is involved in the Deterministic Networking operation -- for instance, by controlling certain aspects of its throughput, such as rate or precise time of emission. In such a case, the deterministic path is end to end from application host to application host.
在某些用例中,运行应用程序的端点涉及确定性网络操作——例如,通过控制其吞吐量的某些方面,例如速率或精确的发射时间。在这种情况下,确定性路径是从应用程序主机到应用程序主机的端到端路径。
On the other end, the deterministic portion of a path may be a tunnel between an ingress point and an egress router. In any case, routers and switches in between should not need to be aware of whether the path is end to end or a tunnel.
在另一端,路径的确定性部分可以是入口点和出口路由器之间的隧道。在任何情况下,路由器和交换机之间不需要知道路径是端到端还是隧道。
While it is clear that DetNet does not aim to set up deterministic paths over the global Internet, there is still a lack of clarity regarding the limits of a domain where a deterministic path can be set up. These limits may depend on the technology that is used to set the path up, whether it is centralized or distributed.
虽然DetNet的目标显然不是在全球互联网上建立确定性路径,但对于可以建立确定性路径的域的限制仍然缺乏明确性。这些限制可能取决于用于设置路径的技术,无论是集中式的还是分布式的。
Deterministic forwarding can only apply to flows with such well-defined characteristics as periodicity and burstiness. Before a path can be established to serve them, the expression of those characteristics, and how the network can serve them (for instance, in shaping and forwarding operations), must be specified.
确定性转发只能应用于具有周期性和突发性等明确特征的流。在建立为其服务的路径之前,必须指定这些特征的表达,以及网络如何为其服务(例如,在成形和转发操作中)。
A centralized routing model, such as that provided with a Path Computation Element (PCE) (see [RFC4655]), enables global and per-flow optimizations. This type of model is attractive, but a number of issues remain to be solved -- in particular:
集中式路由模型(如路径计算元素(PCE)(参见[RFC4655])提供的模型)支持全局和逐流优化。这种模式很有吸引力,但仍有许多问题有待解决,特别是:
o whether and how the path computation can be installed by
o 是否以及如何通过安装路径计算
* an end device or
* 终端设备或终端设备
* a network management entity
* 网络管理实体
and
和
o how the path is set up -- either
o 路径是如何设置的--或者
* by installing state at each hop with a direct interaction between the forwarding device and the PCE or
* 通过在转发设备和PCE之间直接交互的每个跃点处安装状态,或
* along a path by injecting a source-routed request at one end of the path, following classical Traffic Engineering (TE) models
* 按照经典流量工程(TE)模型,通过在路径的一端注入源路由请求沿着路径
To enable a centralized model, DetNet should produce a description of the high-level interaction and data models to:
为了实现集中式模型,DetNet应提供高级交互和数据模型的描述,以:
o report the topology and device capabilities to the central controller
o 向中央控制器报告拓扑和设备功能
o establish a direct interface between the centralized PCE and each device under its control in order to enable vertical signaling
o 在集中式PCE与其控制下的每个设备之间建立直接接口,以启用垂直信令
o request a path setup for a new flow with particular characteristics over the service interface and control it through its life cycle
o 通过服务接口请求具有特定特征的新流的路径设置,并在其整个生命周期中对其进行控制
o provide support for life-cycle management for a path (instantiate/modify/update/delete)
o 为路径的生命周期管理提供支持(实例化/修改/更新/删除)
o provide support for adaptability to cope with such various events as loss of a link
o 提供适应性支持,以应对链路丢失等各种事件
o expose the status of the path to the end devices (User-Network Interfaces (UNIs))
o 向终端设备(用户网络接口(UNIs))公开路径的状态
o provide additional reliability through redundancy, particularly with Packet Replication, Elimination, and Ordering Functions (PREOF), where redundant paths may deliver packets out of order and PREOF may need to correct the ordering
o 通过冗余提供额外的可靠性,特别是使用数据包复制、消除和排序功能(PREOF),其中冗余路径可能会无序交付数据包,而PREOF可能需要纠正排序
o indicate the flows and packet sequences in-band with the flows. This is needed for flows that require PREOF in order to isolate duplicates and reorder packets at the end of the sequence
o 用流指示带中的流和数据包序列。这对于需要PREOF的流是必需的,以便在序列的末尾隔离重复的数据包并重新排序数据包
Whether a distributed alternative without a PCE can be valuable could be studied as well. Such an alternative could, for instance, build upon Resource Reservation Protocol - TE (RSVP-TE) flows [RFC3209]. But the focus of the work should be to deliver the centralized approach first.
没有PCE的分布式替代方案是否有价值也可以研究。例如,这种替代方案可以基于资源预留协议-TE(RSVP-TE)流[RFC3209]。但工作的重点应该是首先提供集中的方法。
To enable functionality similar to that of RSVP-TE, the following steps would take place:
要启用与RSVP-TE类似的功能,将执行以下步骤:
1. Neighbors and their capabilities would be discovered and exposed to compute a path that would fit the DetNet constraints -- typically those of latency, time precision, and resource availability.
1. 邻居及其功能将被发现并公开,以计算出符合DetNet约束的路径——通常是延迟、时间精度和资源可用性约束。
2. A constrained path would be calculated with an improved version of Constrained Shortest Path First (CSPF) that is aware of DetNet.
2. 受约束路径将使用受约束最短路径优先(CSPF)的改进版本进行计算,该版本可感知DetNet。
3. The path may be installed using a control protocol such as RSVP-TE, extended to enable flow identification and install new per-hop behavior such as Packet Replication, Elimination, and Ordering, and to reserve physical resources for the flow. In that case, traffic flows could be transported through an MPLS-TE tunnel, using the reserved resources for this flow at each hop.
3. 可以使用诸如RSVP-TE的控制协议来安装路径,该控制协议被扩展以启用流识别并安装新的每跳行为,例如分组复制、消除和排序,并且为流保留物理资源。在这种情况下,可以通过MPLS-TE隧道传输流量,在每个跃点使用该流量的保留资源。
In some cases, the duplication and elimination of packets over non-congruent paths are required to achieve a sufficiently high delivery ratio to meet application needs. In these cases, a small number of packet formats and supporting protocols are required (preferably just one of each) to serialize the packets of a DetNet stream at one point in the network, replicate them at one or more points in the network, and discard duplicates at one or more other points in the network, including perhaps the destination host. Using an existing solution would be preferable to inventing a new one.
在某些情况下,需要在非一致路径上复制和消除数据包,以实现足够高的传递率,以满足应用需求。在这些情况下,需要少量的分组格式和支持协议(优选每种格式和支持协议中的一种),以在网络中的一个点处序列化DetNet流的分组,在网络中的一个或多个点处复制它们,并在网络中的一个或多个其他点处丢弃重复的数据,可能包括目标主机。使用现有解决方案比发明新解决方案更可取。
Security in the context of Deterministic Networking has an added dimension; the time of delivery of a packet can be just as important as the contents of the packet itself. A man-in-the-middle attack, for example, can impose and then systematically adjust additional delays into a link, and thus disrupt or subvert a real-time application without having to crack any encryption methods employed. See [RFC7384] for an exploration of this issue in a related context.
确定性网络环境下的安全性增加了一个维度;数据包的交付时间与数据包本身的内容一样重要。例如,中间人攻击可以在链路中施加并系统地调整额外延迟,从而中断或破坏实时应用程序,而无需破解所使用的任何加密方法。请参阅[RFC7384]了解相关背景下对该问题的探讨。
Typical control networks today rely on complete physical isolation to prevent rogue access to network resources. DetNet enables the virtualization of those networks over a converged IT/OT infrastructure. Doing so, DetNet introduces an additional risk of flows interacting and interfering with one another as they share physical resources such as Ethernet trunks and the radio spectrum. The requirement is that there is no possible data leak from and into a deterministic flow. Stated more generally, there is no possible influence whatsoever from the outside on a deterministic flow. The expectation is that physical resources are effectively associated with a given flow at a given point in time. In that model, the time-sharing of physical resources becomes transparent to the individual flows, as these flows have no clue regarding whether or not the resources are used by other flows at other times.
如今,典型的控制网络依靠完全的物理隔离来防止恶意访问网络资源。DetNet通过融合的IT/OT基础设施实现这些网络的虚拟化。这样做,DetNet带来了额外的流交互和相互干扰的风险,因为它们共享物理资源,如以太网中继和无线电频谱。要求是不存在来自或进入确定性流的可能数据泄漏。更一般地说,外部对确定性流没有任何可能的影响。期望物理资源在给定时间点与给定流有效关联。在该模型中,物理资源的分时对各个流是透明的,因为这些流不知道资源是否在其他时间被其他流使用。
The overall security of a deterministic system must cover:
确定性系统的总体安全性必须包括:
o the protection of the signaling protocol
o 信令协议的保护
o the authentication and authorization of the controlling nodes, including plug-and-play participating end systems
o 控制节点的身份验证和授权,包括即插即用参与终端系统
o the identification and shaping of the flows
o 流动的识别和塑造
o the isolation of flows from leakage and other influences from any activity sharing physical resources
o 将流量与任何共享物理资源的活动的泄漏和其他影响隔离
The specific threats against DetNet are further discussed in [DetNet-Security].
[DetNet Security]中进一步讨论了针对DetNet的具体威胁。
This document has no IANA actions.
本文档没有IANA操作。
[DetNet-Arch] Finn, N., Thubert, P., Varga, B., and J. Farkas, "Deterministic Networking Architecture", Work in Progress, draft-ietf-detnet-architecture-13, May 2019.
[DetNet Arch]Finn,N.,Thubert,P.,Varga,B.,和J.Farkas,“确定性网络架构”,正在进行的工作,草案-ietf-DetNet-Architecture-13,2019年5月。
[DetNet-Security] Mizrahi, T., Grossman, E., Ed., Hacker, A., Das, S., Dowdell, J., Austad, H., Stanton, K., and N. Finn, "Deterministic Networking (DetNet) Security Considerations", Work in Progress, draft-ietf-detnet-security-04, March 2019.
[DetNet Security]Mizrahi,T.,Grossman,E.,Ed.,Hacker,A.,Das,S.,Dowdell,J.,Austad,H.,Stanton,K.,和N.Finn,“确定性网络(DetNet)安全注意事项”,正在进行中,草案-ietf-DetNet-Security-042019年3月。
[IEEE-1588] IEEE, "IEEE Standard for a Precision Clock Synchronization Protocol for Networked Measurement and Control Systems", IEEE Standard 1588-2008, <https://standards.ieee.org/ findstds/standard/1588-2008.html>.
[IEEE-1588]IEEE,“网络测量和控制系统精确时钟同步协议的IEEE标准”,IEEE标准1588-2008<https://standards.ieee.org/ findstds/standard/1588-2008.html>。
[IEEE-802.1TSNTG] IEEE Standards Association, "IEEE 802.1 Time-Sensitive Networking Task Group", <http://www.ieee802.org/1/pages/avbridges.html>.
[IEEE-802.1TSNTG]IEEE标准协会,“IEEE 802.1时间敏感网络任务组”<http://www.ieee802.org/1/pages/avbridges.html>.
[IEEE-8021AS] IEEE, "IEEE Standard for Local and Metropolitan Area Networks - Timing and Synchronization for Time-Sensitive Applications in Bridged Local Area Networks", IEEE 802.1AS-2011, <http://www.ieee802.org/1/pages/802.1as.html>.
[IEEE-8021AS]IEEE,“局域网和城域网的IEEE标准-桥接局域网中时间敏感应用的定时和同步”,IEEE 802.1AS-2011<http://www.ieee802.org/1/pages/802.1as.html>.
[ISA95] ANSI/ISA, "Enterprise-Control System Integration - Part 1: Models and Terminology", <https://www.isa.org/isa95/>.
[ISA95]ANSI/ISA,“企业控制系统集成-第1部分:模型和术语”<https://www.isa.org/isa95/>.
[PROFIBUS] IEC, "PROFIBUS Standard - DP Specification (IEC 61158 Type 3)", <https://www.profibus.com/>.
[PROFIBUS]IEC,“PROFIBUS标准-DP规范(IEC 61158第3类)”<https://www.profibus.com/>.
[RFC3209] Awduche, D., Berger, L., Gan, D., Li, T., Srinivasan, V., and G. Swallow, "RSVP-TE: Extensions to RSVP for LSP Tunnels", RFC 3209, DOI 10.17487/RFC3209, December 2001, <https://www.rfc-editor.org/info/rfc3209>.
[RFC3209]Awduche,D.,Berger,L.,Gan,D.,Li,T.,Srinivasan,V.,和G.Swallow,“RSVP-TE:LSP隧道RSVP的扩展”,RFC 3209,DOI 10.17487/RFC3209,2001年12月<https://www.rfc-editor.org/info/rfc3209>.
[RFC4655] Farrel, A., Vasseur, J.-P., and J. Ash, "A Path Computation Element (PCE)-Based Architecture", RFC 4655, DOI 10.17487/RFC4655, August 2006, <https://www.rfc-editor.org/info/rfc4655>.
[RFC4655]Farrel,A.,Vasseur,J.-P.,和J.Ash,“基于路径计算元素(PCE)的体系结构”,RFC 4655,DOI 10.17487/RFC4655,2006年8月<https://www.rfc-editor.org/info/rfc4655>.
[RFC7384] Mizrahi, T., "Security Requirements of Time Protocols in Packet Switched Networks", RFC 7384, DOI 10.17487/RFC7384, October 2014, <https://www.rfc-editor.org/info/rfc7384>.
[RFC7384]Mizrahi,T.,“分组交换网络中时间协议的安全要求”,RFC 7384,DOI 10.17487/RFC7384,2014年10月<https://www.rfc-editor.org/info/rfc7384>.
[RFC8578] Grossman, E., Ed., "Deterministic Networking Use Cases", RFC 8578, DOI 10.17487/RFC8578, May 2019, <https://www.rfc-editor.org/info/rfc8578>.
[RFC8578]格罗斯曼,E.,编辑,“确定性网络用例”,RFC 8578,DOI 10.17487/RFC8578,2019年5月<https://www.rfc-editor.org/info/rfc8578>.
Acknowledgments
致谢
The authors wish to thank Lou Berger, Pat Thaler, Jouni Korhonen, Janos Farkas, Stewart Bryant, Andrew Malis, Ethan Grossman, Patrick Wetterwald, Subha Dhesikan, Matthew Miller, Erik Nordmark, George Swallow, Rodney Cummings, Ines Robles, Shwetha Bhandari, Rudy Klecka, Anca Zamfir, David Black, Thomas Watteyne, Shitanshu Shah, Kiran Makhijani, Craig Gunther, Warren Kumari, Wilfried Steiner, Marcel Kiessling, Karl Weber, Alissa Cooper, and Benjamin Kaduk for their various contributions to this work.
作者希望感谢卢·伯杰、帕特·泰勒、朱尼·科霍宁、雅诺斯·法卡斯、斯图尔特·布莱恩特、安德鲁·马里、伊桑·格罗斯曼、帕特里克·韦特瓦尔德、苏巴·德西坎、马修·米勒、埃里克·诺德马克、乔治·斯沃夫、罗德尼·卡明斯、伊内斯·罗伯斯、什维塔·班达里、鲁迪·克莱卡、安卡·赞菲尔、大卫·布莱克、托马斯·沃特因、什坦舒·沙阿、基兰·马基贾尼、,Craig Gunther、Warren Kumari、Wilfried Steiner、Marcel Kiessling、Karl Weber、Alissa Cooper和Benjamin Kaduk为这项工作做出了各种贡献。
Authors' Addresses
作者地址
Norman Finn Huawei Technologies Co. Ltd 3755 Avocado Blvd. PMB 436 La Mesa, California 91941 United States of America
诺曼·芬恩华为技术有限公司鳄梨大道3755号。美国加利福尼亚州拉梅萨市PMB 436邮编:91941
Phone: +1 925 980 6430
Email: norman.finn@mail01.huawei.com
Phone: +1 925 980 6430
Email: norman.finn@mail01.huawei.com
Pascal Thubert Cisco Systems, Inc. Building D, 45 Allee des Ormes - BP1200 Mougins - Sophia Antipolis 06254 France
Pascal Thubert Cisco Systems,Inc.D栋,45 Allee des Ormes-BP1200 Mougins-Sophia Antipolis 06254法国
Phone: +33 4 97 23 26 34
Email: pthubert@cisco.com
Phone: +33 4 97 23 26 34
Email: pthubert@cisco.com