| Internet-Draft | Dynamic Trust Security Architecture for | January 2025 |
| Si | Expires 3 August 2025 | [Page] |
This document proposes a Service Mesh Dynamic-Trust Architecture (SM-DTA) to address security risks in dynamic service-to-service communication within distributed service mesh environments. The architecture is applicable to scenarios such as elastic service scaling and cross-domain service invocation. SM-DTA enforces end-to-end security governance through service identity authentication, dynamic context-aware policy engines, and data sovereignty proxies.¶
This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79.¶
Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet-Drafts is at https://datatracker.ietf.org/drafts/current/.¶
Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress."¶
This Internet-Draft will expire on 3 August 2025.¶
Copyright (c) 2025 IETF Trust and the persons identified as the document authors. All rights reserved.¶
This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (https://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Revised BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Revised BSD License.¶
1)Dynamic Service Instances Challenge Traditional Trust Models¶
In distributed systems based on service mesh, the ephemeral nature of service instances (e.g., minute-scale lifecycle of Kubernetes Pods) leads to frequent changes in network identifiers (e.g., IP addresses). Traditional static trust models relying on IP/port-based mechanisms (e.g., firewall rules, VPN allowlists) struggle to maintain effective policies during service scaling or failover events, resulting in over-privileged access or service disruptions. Perimeter-centric defenses fail to adapt to the dynamic topology of east-west traffic between services.¶
2)Lack of Unified Security Governance for East-West Traffic¶
In service mesh environments, inter-service communication (e.g., east-west traffic) typically bypasses traditional perimeter security devices (e.g., gateway firewalls), creating fragmented security controls. Existing solutions (e.g., static RBAC policies) lack awareness of real-time context (e.g., health status of source services, time sensitivity) and fail to enforce end-to-end encryption. Attackers may exploit unencrypted plaintext communications or outdated policies to laterally penetrate critical services.¶
3)Cross-Boundary Data Transmission Faces Sovereignty Risks¶
In hybrid cloud or multi-cluster scenarios, sensitive data (e.g., user credentials, transaction records) must flow across network boundaries, but current mechanisms lack granular protection capabilities. Plaintext transmission and static masking rules expose risks to man-in-the-middle attacks or data leakage, while centralized encryption gateways become performance bottlenecks and single points of failure. The absence of data lineage tracking capabilities further complicates compliance auditing.¶
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in [RFC2119] .¶
Assign unique cryptographic identities to service instances via automated certificate management, with strong binding to service characteristics (e.g., microservice name, container labels). The verification process eliminates dependencies on IP addresses/ports, enabling dynamic trust evaluation at the service-instance level to address trust anchor failures caused by ephemeral instances.¶
To address the challenges of ephemeral service instances, the architecture establishes a robust identity framework by strongly binding service identities to infrastructure metadata (e.g., microservice names, container labels). Automated certificate management ensures short-lived certificates (≤24-hour validity) are issued and rotated seamlessly, eliminating reliance on static IP/port-based trust models. Real-time cryptographic signature validation further secures service interactions, dynamically verifying identities even as instances scale or migrate, thereby mitigating risks of trust anchor failures.¶
Deploy a multi-dimensional policy engine to dynamically generate least-privilege rules. Access grants depend on real-time context (request time, service load, vulnerability status) rather than static role attributes, ensuring strict alignment between privileges and current risk posture.¶
The policy engine enforces granular access control by continuously aggregating contextual attributes such as service health metrics, request sensitivity tags, and environmental states. Leveraging a multi-dimensional risk assessment matrix, it dynamically generates least-privilege rules tailored to real-time conditions (e.g., service load, vulnerability status). This approach ensures privileges align strictly with current risk postures, automatically triggering actions like privilege degradation or circuit-breaking during anomalies (e.g., excessive request rates), thereby minimizing over-provisioned access.¶
Enforce sovereignty controls throughout the data lifecycle (transit, processing, storage) to prevent cross-domain leakage of sensitive information via granular data governance.¶
To safeguard sensitive data across hybrid or multi-cluster environments, the architecture integrates lightweight tagging with dynamic masking rules that adapt to data classification labels (e.g., PII, Confidential). Privacy-preserving techniques, such as partially homomorphic encryption, enable secure processing of encrypted data in transit and at rest. Distributed audit logs and lineage tracking systems ensure compliance with sovereignty regulations (e.g., GDPR), providing end-to-end visibility into data flows while preventing unauthorized cross-domain leakage.¶
In this draft, we defined a Dynamic Trust Security Architecture for Distributed Service Mesh. The architecture consists of three core components (Figure 1):¶
+---------------------------------------------------------------+
| Control Plane |
| |
| +---------------------+ +---------------------+ |
| | Identity Provider |<--(1)---| Certificate Issuance| |
| | (Issuance/Rotation) |-------->| & Rotation | |
| +---------------------+ +----------+----------+ |
| | |
| +---------------------+ +----------v----------+ |
| | Policy Rules |<--(2)---| Policy Engine | |
| | (Static Definitions)| | (Dynamic Evaluation)| |
| +---------------------+ +----------+----------+ |
| | |
| +---------------------+ +----------v----------+ |
| | Audit Logs |<--(3)---| Audit & Compliance | |
| | (Raw Event Storage) | |(Aggregation/Reports)| |
| +---------------------+ +---------------------+ |
+---------------------------------------------------------------+
| (4) Policy Distribution
| (5) Revocation Sync
v
+---------------------------------------------------------------+
| Data Plane |
| |
| +---------------------+ +---------------------+ |
| | Sidecar Proxy |<--(4)---| Crypto Module | |
| | (Traffic Intercept) | | (mTLS Handshake) | |
| +----------+----------+ +-----------+---------+ |
| | | |
| +----------v----------+ +-----------v---------+ |
| | Encrypted Traffic | | Context Collector | |
| | (Data Transmission) |---(6)-->|(Metadata Extraction)| |
| +---------------------+ +-----------+---------+ |
| | |
| +---------------------+ +------------v--------+ |
| | Dynamic Masking |<--(7)---| Data Classification | |
| | (Sensitive Fields) | | (Tagging & Analysis)| |
| +---------------------+ +---------------------+ |
+---------------------------------------------------------------+
Figure 1: Architecture Overview¶
SM-DTA establishes a cryptographically verifiable identity framework for ephemeral service instances. Each service instance is assigned a globally unique UUID, while critical metadata (e.g., owning team, deployment environment, domain affiliation) is embedded in a certificate. A centralized certificate authority (CA) automates the issuance and rotation of short-lived certificates, ensuring credentials remain time-bound and minimizing exposure from compromised keys. Revoked certificates are propagated in real-time across the service mesh control plane, enabling immediate enforcement of trust boundaries.¶
Dynamic Access Control leverages a context-aware policy engine to enforce least-privilege access. The engine evaluates requests against a multi-dimensional risk matrix, incorporating attributes such as:¶
+--------------------------+---------------------+ | Context Attribute | Example Values | +--------------------------+---------------------+ | Request time | 09:00-18:00 | | Source service health | CPU < 80%, no CVE | | Data sensitivity level | PII, Confidential | +--------------------------+---------------------+¶
Access decisions dynamically adapt to real-time conditions - for instance, granting access only if the service identity is valid, the request occurs within an authorized time window, and the source environment matches the destination. Policy violations trigger automated responses such as privilege degradation or service isolation.¶
Data Protection ensures end-to-end security for sensitive information. Inbound plaintext requests undergo dynamic masking (e.g., replacing credit card numbers with ****-****-****-1234) based on predefined classification labels. The data is then encrypted using mTLS for full-path protection, preventing eavesdropping or tampering during transit. The workflow is illustrated below:¶
The east-west traffic of service mesh lacks end-to-end encryption, making it vulnerable to man-in-the-middle attacks or traffic eavesdropping. This exposes service-to-service communications in plaintext, allowing attackers to intercept sensitive data or inject malicious payloads. Additionally, sidecar proxies may become single points of attack; if the proxy components contain vulnerabilities or misconfigurations, attackers could hijack traffic, steal cryptographic keys, or even bypass the control of the policy engine.¶