]> Huawei Technologies

China gengnan@huawei.com

Huawei Technologies

Beijing China lizhenbin@huawei.com

Bell Canada

Canada daniel.voyer@bell.ca

China Telecom

China licong@chinatelecom.cn

China Mobile

China liupengyjy@chinamobile.com

China Unicom

China caoc15@chinaunicom.cn

Application-aware Networking (APN) aims to convey Application-aware Information (APN attribute) including APN ID and APN parameters indicating application group-level and user group-level requirements along with the data packets into the network and enable the network to provide corresponding fine-granular network services. There have been challenges of the privacy and security issues that could potentially be introduced by conveying the APN attribute into the network. This document describes the security and privacy considerations of APN in various possible scenarios wherein APN will be deployed. Requirements Language The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in RFC 2119 .

Introduction Application-aware Networking (APN) is introduced in and . APN conveys Application-aware Information (APN attribute) along with data packets into network and make the network aware of applications' requirements in order to provide corresponding network services. The ever-emerging network services such as network slicing and iOAM can be further enhanced with the application awareness in the network enabled by APN. Since APN conveys an APN attribute along with the data packets into network, APN has been challenged that it may potentially impose privacy and security issues. This document describes the privacy and security considerations of APN.

Terminologies AI: Artificial Intelligence APN: Application-aware Networking BNG: Broadband Network Gateway CPE: Customer Premise Equipment DPI: Deep Packet Inspection OS: Operating System RG: Residential Gateway UPF: User Plane Function 5GC: 5G Core

APN Framework The APN framework is introduced in , as shown in the Figure 1.

APN6 Framework | +-----+ ]]>

With APN, the APN attribute is acquired based on the existing information in the packet header such as 5-tuple and/or QinQ (S-VLAN and C-VLAN) at the edge devices of the APN domain (i.e. APN-Edge in the Figure 1), added to the data packets in the tunnel encapsulation, and delivered to the network, wherein, according to the carried APN attribute, the fine-granular network services are provisioned. The APN attribute is added by the edge device of an APN domain according to the local policy at the network edge device (i.e. APN- Edge), which is under the control of the network operator.

Privacy Considerations The APN attribute is only used within the network operator's controlled limited domain. A limited domain is intended as a portion of the operator infrastructure where APN is deployed. When a packet reaches the boundary of the limited domain, an APN attribute is added to the packet, used in order to steer the packet within the limited domain and then removed when the packet leaves the limited domain. Within the APN network domain, the APN attribute is added at the ingress node and removed from the egress node. In the APN network domain, the APN attribute only serves for the fine-granular network service provisioning, and there is no harm for the outside of the APN network domain.

Security Considerations There are two typical scenarios besides the SD-WAN scenario described in the draft : the home broadband scenario and the mobile broadband scenario. In the home broadband scenario, generally a home broadband user is authorized by the BNG. If the validation is passed and the access control is released, so the user group can start enjoying the value- added service. With APN, when the traffic traverses the metro network, the traffic flow can be indicated by the APN attribute that is added/removed at the edge devices of the Metro Network (APN domain) based on the mapping from the existing information (e.g. the QinQ which is composed of C-VLAN and S-VLAN) in the packet header and then carried in the tunnel encapsulation header. The APN attribute will facilitate the fine-granular service in the APN domain. Once the packets leave the APN domain, the APN attribute will be removed together with the tunnel encapsulation header.

Home Broadband Scenario +-----+ /+----+ +----+ ( ) +-------+ +-----+ /--/ '--( )--' |Phone|/ ( ) +-----+ '-----' QinQ QinQ |----|---- Tunnel ----|----| ]]>

In the mobile broadband scenario, a UE is authorized by the 5GC function, and the traffic steering and QoS policy are enforced by the UPF (User Plane Function) node. If the validation is passed and the access control is released, so the user can start enjoying the value- added service. With APN, when the traffic traverses the mobile transport network, the traffic flow can be indicated by the APN attribute that is added at the edge devices of the mobile transport network (APN domain) based on mapping from the existing information (e.g. GTP-u tunnel encapsulation information) in the packet header and then carried in the tunnel encapsulation header. The APN attribute will facilitate the fine-granular service in the APN domain. Once the packets leave the APN domain, the APN attribute will be removed together with the tunnel encapsulation header. In fact, the APN attribute can also be acquired at the gNB based on the mapping of the existing information of the packet header (e.g. 5-tuple information) and carried along with the GTP-u tunnel encapsulation. The mobile transport network can provide the corresponding service according to the APN attribute. When the packet leaves the UPF, the APN attribute can be removed together with the GTP-u tunnel encapsulation.

• |--

  APN Domain ---|

Mobile Broadband Scenario +----+ +------+ ( Network ) +-------+ +-----+ '--( )--' | CPE | ( ) +-----+ '-----' |---- Tunnel ----| |--------- GTP-u Tunnel --------| ]]>

In the typical APN scenarios like the home broadband scenario and the mobile broadband scenario, before the traffic is delivered to the network domain, the end user must be authenticated and authorized firstly to guarantee the security of the network domain. When the traffic traverses the APN domain, the APN attribute is added and removed at the edge of the APN domain along with the tunnel encapsulation. That is, the APN attribute is only used locally in the APN domain and will not introduce the extra security issues.

IANA Considerations There are no IANA considerations in this document.

Contributors

Normative References Huawei Technologies Huawei Technologies China Telecom China Telecom Bell Canada Tsinghua University China Mobile China Unicom Toyota Motor Corporation Application-aware IPv6 Networking (APN6) framework makes use of IPv6 encapsulation in order to convey the application-aware information along with the data packet to the network so to facilitate the service deployment and SLA guarantee. This document defines the encodings of the application characteristic information, for the APN6 framework, that can be exchanged between an application or a network edge device such as CPE (Customer-Premises Equipment) and the network infrastructure through the use of IPv6 extension headers. Huawei Technologies Huawei Technologies Bell Canada China Telecom China Mobile China Unicom Verizon Inc. A multitude of applications are carried over the network, which have varying needs for network bandwidth, latency, jitter, and packet loss, etc. Some new emerging applications have very demanding performance requirements. However, in current networks, the network and applications are decoupled, that is, the network is not aware of the applications' requirements in a fine granularity. Therefore, it is difficult to provide truly fine-granularity traffic operations for the applications and guarantee their SLA requirements. This document proposes a new framework, named Application-aware Networking (APN), where application-aware information (i.e. APN attribute) including APN identification (ID) and/or APN parameters (e.g. network performance requirements) is encapsulated at network edge devices and carried in packets traversing an APN domain in order to facilitate service provisioning, perform fine-granularity traffic steering and network resource adjustment. Huawei Technologies Huawei Technologies Bell Canada China Telecom China Mobile China Unicom Verizon Inc. Network operators are facing the challenge of providing better network services for users. As the ever-developing 5G and industrial verticals evolve, more and more services that have diverse network requirements such as ultra-low latency and high reliability are emerging, and therefore differentiated service treatment is desired by users. On the other hand, as network technologies such as Hierarchical QoS (H-QoS), SR Policy, and Network Slicing keep evolving, the network has the capability to provide more fine- granularity differentiated services. However, network operators are typically unaware of the applications that are traversing their network infrastructure, which means that not very effective differentiated service treatment can be provided to the traffic flows. As network technologies evolve including deployments of IPv6, SRv6, Segment Routing over MPLS dataplane, the programmability provided by IPv6 and Segment Routing can be augmented by conveying application related information into the network satisfying the fine- granularity requirements. This document analyzes the existing problems caused by lack of service awareness, and outlines various use cases that could benefit from an Application-aware Networking (APN) framework. China Mobile China Mobile Huawei Huawei This document describes the usage of Application-aware Networking (APN) in SD-WAN scenarios. In these scenarios, APN is able to identify a particular application, steer its traffic flows along explicit path across the network, and provide SLA guaranteed network services such as low latency and high reliability. In many standards track documents several words are used to signify the requirements in the specification. These words are often capitalized. This document defines these words as they should be interpreted in IETF documents. This document specifies an Internet Best Current Practices for the Internet Community, and requests discussion and suggestions for improvements.