--- 1/draft-ietf-i2nsf-applicability-06.txt 2018-10-22 09:14:46.346883793 -0700 +++ 2/draft-ietf-i2nsf-applicability-07.txt 2018-10-22 09:14:46.394884929 -0700 
@@ -6,81 +6,80 @@ T. Ahn Korea Telecom S. Hares Huawei D. Lopez Telefonica I+D October 22, 2018 Applicability of Interfaces to Network Security Functions to Network- Based Security Services - draft-ietf-i2nsf-applicability-06 + draft-ietf-i2nsf-applicability-07 Abstract This document describes the applicability of Interface to Network Security Functions (I2NSF) to network-based security services in Network Functions Virtualization (NFV) environments, such as firewall, deep packet inspection, or attack mitigation engines. Status of This Memo This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79. Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet- - Drafts is at https://datatracker.ietf.org/drafts/current/. + Drafts is at http://datatracker.ietf.org/drafts/current/. Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress." This Internet-Draft will expire on April 25, 2019. Copyright Notice Copyright (c) 2018 IETF Trust and the persons identified as the document authors. All rights reserved. This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents - (https://trustee.ietf.org/license-info) in effect on the date of + (http://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Simplified BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Simplified BSD License. 
Table of Contents - 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2 + 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 3 2. Terminology . . . . . . . . . . . . . . . . . . . . . . . . . 3 3. I2NSF Framework . . . . . . . . . . . . . . . . . . . . . . . 4 4. Time-dependent Web Access Control Service . . . . . . . . . . 5 - 5. I2NSF Framework with SFC . . . . . . . . . . . . . . . . . . 7 - 6. I2NSF Framework with SDN . . . . . . . . . . . . . . . . . . 8 - 6.1. Firewall: Centralized Firewall System . . . . . . . . . . 11 - 6.2. Deep Packet Inspection: Centralized VoIP/VoLTE Security - System . . . . . . . . . . . . . . . . . . . . . . . . . 12 + 5. I2NSF Framework with SFC . . . . . . . . . . . . . . . . . . . 7 + 6. I2NSF Framework with SDN . . . . . . . . . . . . . . . . . . . 8 + 6.1. Firewall: Centralized Firewall System . . . . . . . . . . 10 + 6.2. Deep Packet Inspection: Centralized VoIP/VoLTE + Security System . . . . . . . . . . . . . . . . . . . . . 12 6.3. Attack Mitigation: Centralized DDoS-attack Mitigation - System . . . . . . . . . . . . . . . . . . . . . . . . . 14 - 7. I2NSF Framework with NFV . . . . . . . . . . . . . . . . . . 16 + System . . . . . . . . . . . . . . . . . . . . . . . . . . 14 + 7. I2NSF Framework with NFV . . . . . . . . . . . . . . . . . . . 16 8. Security Considerations . . . . . . . . . . . . . . . . . . . 18 9. Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . 18 - 10. Contributors . . . . . . . . . . . . . . . . . . . . . . . . 18 - 11. Informative References . . . . . . . . . . . . . . . . . . . 19 - Appendix A. Changes from draft-ietf-i2nsf-applicability-05 . . . 22 - Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 22 + 10. Contributors . . . . . . . . . . . . . . . . . . . . . . . . . 18 + 11. Informative References . . . . . . . . . . . . . . . . . . . . 19 + Appendix A. Changes from draft-ietf-i2nsf-applicability-06 . . . 21 1. 
Introduction Interface to Network Security Functions (I2NSF) defines a framework and interfaces for interacting with Network Security Functions (NSFs). The I2NSF framework allows heterogeneous NSFs developed by different security solution vendors to be used in the Network Functions Virtualization (NFV) environment [ETSI-NFV] by utilizing the capabilities of such products and the virtualization of security functions in the NFV platform. In the I2NSF framework, each NSF @@ -824,30 +824,35 @@ specified in the "Security Considerations" section of [ITU-T.Y.3300]. 9. Acknowledgments This work was supported by Institute for Information & communications Technology Promotion (IITP) grant funded by the Korea government (MSIP) (No.R-20160222-002755, Cloud based Security Intelligence Technology Development for the Customized Security Service Provisioning). + This work has been partially supported by the European Commission + under Horizon 2020 grant agreement no. 700199 "Securing against + intruders and other threats through a NFV-enabled environment + (SHIELD)". This support does not imply endorsement. + 10. Contributors I2NSF is a group effort. I2NSF has had a number of contributing authors. The following are considered co-authors: o Hyoungshick Kim (Sungkyunkwan University) - o Jinyong Tim Kim (Sungkyunkwan University) o Hyunsik Yang (Soongsil University) + o Younghan Kim (Soongsil University) o Jung-Soo Park (ETRI) o Se-Hui Lee (Korea Telecom) o Mohamed Boucadair (Orange) 11. Informative References 
@@ -844,147 +849,152 @@ o Younghan Kim (Soongsil University) o Jung-Soo Park (ETRI) o Se-Hui Lee (Korea Telecom) o Mohamed Boucadair (Orange) 11. Informative References - [AVANT-GUARD] - Shin, S., Yegneswaran, V., Porras, P., and G. Gu, "AVANT- - GUARD: Scalable and Vigilant Switch Flow Management in - Software-Defined Networks", ACM CCS, November 2013. + [RFC8329] Lopez, D., Lopez, E., Dunbar, L., + Strassner, J., and R. Kumar, "Framework for + Interface to Network Security Functions", + RFC 8329, February 2018. - [consumer-facing-inf-dm] - Jeong, J., Kim, E., Ahn, T., Kumar, R., and S. Hares, - "I2NSF Consumer-Facing Interface YANG Data Model", draft- - ietf-i2nsf-consumer-facing-interface-dm-01 (work in - progress), July 2018. + [RFC6020] Bjorklund, M., "YANG - A Data Modeling + Language for the Network Configuration + Protocol (NETCONF)", RFC 6020, + October 2010. - [consumer-facing-inf-im] - Kumar, R., Lohiya, A., Qi, D., Bitar, N., Palislamovic, - S., Xia, L., and J. Jeong, "Information Model for - Consumer-Facing Interface to Security Controller", draft- - kumar-i2nsf-client-facing-interface-im-07 (work in - progress), July 2018. + [RFC6241] Enns, R., Bjorklund, M., Schoenwaelder, J., + and A. Bierman, "Network Configuration + Protocol (NETCONF)", RFC 6241, June 2011. - [ETSI-NFV] - ETSI GS NFV 002 V1.1.1, "Network Functions Virtualization - (NFV); Architectural Framework", October 2013. + [RFC8040] Bierman, A., Bjorklund, M., and K. Watsen, + "RESTCONF Protocol", RFC 8040, + January 2017. - [i2nsf-nfv-architecture] - Yang, H. and Y. Kim, "I2NSF on the NFV Reference - Architecture", draft-yang-i2nsf-nfv-architecture-02 (work - in progress), June 2018. + [consumer-facing-inf-im] Kumar, R., Lohiya, A., Qi, D., Bitar, N., + Palislamovic, S., Xia, L., and J. Jeong, + "Information Model for Consumer-Facing + Interface to Security Controller", draft- + kumar-i2nsf-client-facing-interface-im-07 + (work in progress), July 2018. 
- [i2nsf-nsf-cap-im] - Xia, L., Strassner, J., Basile, C., and D. Lopez, - "Information Model of NSFs Capabilities", draft-ietf- - i2nsf-capability-02 (work in progress), July 2018. + [consumer-facing-inf-dm] Jeong, J., Kim, E., Ahn, T., Kumar, R., and + S. Hares, "I2NSF Consumer-Facing Interface + YANG Data Model", draft-ietf-i2nsf- + consumer-facing-interface-dm-01 (work in + progress), July 2018. - [i2nsf-terminology] - Hares, S., Strassner, J., Lopez, D., Xia, L., and H. - Birkholz, "Interface to Network Security Functions (I2NSF) - Terminology", draft-ietf-i2nsf-terminology-06 (work in + [i2nsf-nsf-cap-im] Xia, L., Strassner, J., Basile, C., and D. + Lopez, "Information Model of NSFs + Capabilities", + draft-ietf-i2nsf-capability-02 (work in progress), July 2018. - [ITU-T.X.1252] - Recommendation ITU-T X.1252, "Baseline Identity Management - Terms and Definitions", April 2010. + [policy-translation] Yang, J., Jeong, J., and J. Kim, "Security + Policy Translation in Interface to Network + Security Functions", draft-yang-i2nsf- + security-policy-translation-01 (work in + progress), July 2018. - [ITU-T.X.800] - Recommendation ITU-T X.800, "Security Architecture for - Open Systems Interconnection for CCITT Applications", - March 1991. + [nsf-facing-inf-dm] Kim, J., Jeong, J., Park, J., Hares, S., + and Q. Lin, "I2NSF Network Security + Function-Facing Interface YANG Data Model", + draft-ietf-i2nsf-nsf-facing-interface-data- + model-01 (work in progress), July 2018. - [ITU-T.Y.3300] - Recommendation ITU-T Y.3300, "Framework of Software- - Defined Networking", June 2014. + [registration-inf-dm] Hyun, S., Jeong, J., Roh, T., Wi, S., and + J. Park, "I2NSF Registration Interface YANG + Data Model", + draft-hyun-i2nsf-registration-dm-06 (work + in progress), July 2018. - [nsf-facing-inf-dm] - Kim, J., Jeong, J., Park, J., Hares, S., and Q. 
Lin, - "I2NSF Network Security Function-Facing Interface YANG - Data Model", draft-ietf-i2nsf-nsf-facing-interface-data- - model-01 (work in progress), July 2018. + [nsf-triggered-steering] Hyun, S., Jeong, J., Park, J., and S. + Hares, "Service Function Chaining-Enabled + I2NSF Architecture", + draft-hyun-i2nsf-nsf-triggered-steering-06 + (work in progress), July 2018. - [nsf-triggered-steering] - Hyun, S., Jeong, J., Park, J., and S. Hares, "Service - Function Chaining-Enabled I2NSF Architecture", draft-hyun- - i2nsf-nsf-triggered-steering-06 (work in progress), July - 2018. + [i2nsf-nfv-architecture] Yang, H. and Y. Kim, "I2NSF on the NFV + Reference Architecture", + draft-yang-i2nsf-nfv-architecture-02 (work + in progress), June 2018. - [ONF-OpenFlow] - ONF, "OpenFlow Switch Specification (Version 1.4.0)", - October 2013. + [RFC7149] Boucadair, M. and C. Jacquenet, "Software- + Defined Networking: A Perspective from + within a Service Provider Environment", + RFC 7149, March 2014. - [ONF-SDN-Architecture] - ONF, "SDN Architecture", June 2014. + [ITU-T.Y.3300] Recommendation ITU-T Y.3300, "Framework of + Software-Defined Networking", June 2014. - [opsawg-firewalls] - Baker, F. and P. Hoffman, "On Firewalls in Internet - Security", draft-ietf-opsawg-firewalls-01 (work in - progress), October 2012. + [ONF-OpenFlow] ONF, "OpenFlow Switch Specification + (Version 1.4.0)", October 2013. - [policy-translation] - Yang, J., Jeong, J., and J. Kim, "Security Policy - Translation in Interface to Network Security Functions", - draft-yang-i2nsf-security-policy-translation-01 (work in - progress), July 2018. + [ONF-SDN-Architecture] ONF, "SDN Architecture", June 2014. - [registration-inf-dm] - Hyun, S., Jeong, J., Roh, T., Wi, S., and J. Park, "I2NSF - Registration Interface YANG Data Model", draft-hyun-i2nsf- - registration-dm-06 (work in progress), July 2018. + [ITU-T.X.1252] Recommendation ITU-T X.1252, "Baseline + Identity Management Terms and Definitions", + April 2010. 
- [RFC4566] Handley, M., Jacobson, V., and C. Perkins, "SDP: Session - Description Protocol", RFC 4566, July 2006. + [ITU-T.X.800] Recommendation ITU-T X.800, "Security + Architecture for Open Systems + Interconnection for CCITT Applications", + March 1991. - [RFC6020] Bjorklund, M., "YANG - A Data Modeling Language for the - Network Configuration Protocol (NETCONF)", RFC 6020, - October 2010. + [AVANT-GUARD] Shin, S., Yegneswaran, V., Porras, P., and + G. Gu, "AVANT-GUARD: Scalable and Vigilant + Switch Flow Management in Software-Defined + Networks", ACM CCS, November 2013. - [RFC6241] Enns, R., Bjorklund, M., Schoenwaelder, J., and A. - Bierman, "Network Configuration Protocol (NETCONF)", - RFC 6241, June 2011. + [ETSI-NFV] ETSI GS NFV 002 V1.1.1, "Network Functions + Virtualization (NFV); Architectural + Framework", October 2013. - [RFC7149] Boucadair, M. and C. Jacquenet, "Software-Defined - Networking: A Perspective from within a Service Provider - Environment", RFC 7149, March 2014. + [RFC4566] Handley, M., Jacobson, V., and C. Perkins, + "SDP: Session Description Protocol", + RFC 4566, July 2006. - [RFC7665] Halpern, J. and C. Pignataro, "Service Function Chaining - (SFC) Architecture", RFC 7665, October 2015. + [i2nsf-terminology] Hares, S., Strassner, J., Lopez, D., Xia, + L., and H. Birkholz, "Interface to Network + Security Functions (I2NSF) Terminology", + draft-ietf-i2nsf-terminology-06 (work in + progress), July 2018. - [RFC8040] Bierman, A., Bjorklund, M., and K. Watsen, "RESTCONF - Protocol", RFC 8040, January 2017. + [opsawg-firewalls] Baker, F. and P. Hoffman, "On Firewalls in + Internet Security", + draft-ietf-opsawg-firewalls-01 (work in + progress), October 2012. - [RFC8192] Hares, S., Lopez, D., Zarny, M., Jacquenet, C., Kumar, R., - and J. Jeong, "Interface to Network Security Functions - (I2NSF): Problem Statement and Use Cases", RFC 8192, July - 2017. + [RFC8192] Hares, S., Lopez, D., Zarny, M., Jacquenet, + C., Kumar, R., and J. 
Jeong, "Interface to + Network Security Functions (I2NSF): Problem + Statement and Use Cases", RFC 8192, + July 2017. - [RFC8300] Quinn, P., Elzur, U., and C. Pignataro, "Network Service - Header (NSH)", RFC 8300, January 2018. + [RFC7665] Halpern, J. and C. Pignataro, "Service + Function Chaining (SFC) Architecture", + RFC 7665, October 2015. - [RFC8329] Lopez, D., Lopez, E., Dunbar, L., Strassner, J., and R. - Kumar, "Framework for Interface to Network Security - Functions", RFC 8329, February 2018. + [RFC8300] Quinn, P., Elzur, U., and C. Pignataro, + "Network Service Header (NSH)", RFC 8300, + January 2018. -Appendix A. Changes from draft-ietf-i2nsf-applicability-05 +Appendix A. Changes from draft-ietf-i2nsf-applicability-06 - The following change has been made from draft-ietf-i2nsf- - applicability-05: + The following change has been made from + draft-ietf-i2nsf-applicability-06: - o In Figure 3, a separate box of SFF and the relevant interfaces - have been omitted to avoid misleading. Instead, SDN switches may - play the role of SFF and Classifier in an SDN network. + o Add the acknowledgment to the EU H2020 project SHIELD. Authors' Addresses Jaehoon Paul Jeong Department of Software Sungkyunkwan University 2066 Seobu-Ro, Jangan-Gu Suwon, Gyeonggi-Do 16419 Republic of Korea @@ -1004,27 +1014,27 @@ EMail: shyun@chosun.ac.kr Tae-Jin Ahn Korea Telecom 70 Yuseong-Ro, Yuseong-Gu Daejeon 305-811 Republic of Korea Phone: +82 42 870 8409 EMail: taejin.ahn@kt.com + Susan Hares Huawei 7453 Hickory Hill Saline, MI 48176 USA Phone: +1-734-604-0332 EMail: shares@ndzh.com - Diego R. Lopez Telefonica I+D Jose Manuel Lara, 9 - Seville 41013 + Seville, 41013 Spain Phone: +34 682 051 091 EMail: diego.r.lopez@telefonica.com
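Review bot: the boilerplate hunk (@@ -6,81 +6,80 @@) downgrades two links from https to http, `Drafts is at http://datatracker.ietf.org/drafts/current/.` and `(http://trustee.ietf.org/license-info)`, where -06 used https for both; nothing in the change log motivates this, so it looks like the draft was rendered with an older boilerplate template rather than an intentional edit, and the https forms should be restored before the next revision. The same hunk also drops the `Authors' Addresses . . . 22` entry from the Table of Contents with no replacement line, although the section itself still appears at the end of the diff; check the rendering settings so the TOC entry comes back.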
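Review bot: the Acknowledgments/Contributors hunk (@@ -824,30 +824,35 @@) changes the contributor list without documenting it. Besides adding the SHIELD paragraph, it removes `o Jinyong Tim Kim (Sungkyunkwan University)` and adds `o Younghan Kim (Soongsil University)`, yet the new Appendix A lists only `o Add the acknowledgment to the EU H2020 project SHIELD.`; either add the contributor changes to Appendix A or confirm the removal was intended.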
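Review bot: the references hunk (@@ -844,147 +849,152 @@) replaces the alphabetically sorted list of -06 with an unsorted one (it now opens with [RFC8329], [RFC6020], [RFC6241], [RFC8040], then the I2NSF drafts, with [AVANT-GUARD] and [ETSI-NFV] near the end) and switches every entry to a hanging-indent layout with the anchor in its own column. None of the citation content changes in the hunk, so this is a rendering difference, but it makes the diff large and hides the substantive edits; re-enabling sorted references in the source (the sortrefs processing instruction, if the draft is produced with xml2rfc) and keeping the previous layout would shrink the diff to the real changes. If the reordering is deliberate, `The following change has been made from draft-ietf-i2nsf-applicability-06:` in Appendix A should say so, since it currently lists only the acknowledgment.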