--- 1/draft-ietf-i2nsf-applicability-10.txt 2019-05-16 03:13:14.301865910 -0700 +++ 2/draft-ietf-i2nsf-applicability-11.txt 2019-05-16 03:13:14.353867221 -0700 @@ -1,26 +1,26 @@ I2NSF Working Group J. Jeong Internet-Draft Sungkyunkwan University Intended status: Informational S. Hyun -Expires: November 3, 2019 Chosun University +Expires: November 17, 2019 Chosun University T. Ahn Korea Telecom S. Hares Huawei D. Lopez Telefonica I+D - May 2, 2019 + May 16, 2019 Applicability of Interfaces to Network Security Functions to Network- Based Security Services - draft-ietf-i2nsf-applicability-10 + draft-ietf-i2nsf-applicability-11 Abstract This document describes the applicability of Interface to Network Security Functions (I2NSF) to network-based security services in Network Functions Virtualization (NFV) environments, such as firewall, deep packet inspection, or attack mitigation engines. Status of This Memo @@ -30,21 +30,21 @@ Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet- Drafts is at https://datatracker.ietf.org/drafts/current/. Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress." - This Internet-Draft will expire on November 3, 2019. + This Internet-Draft will expire on November 17, 2019. Copyright Notice Copyright (c) 2019 IETF Trust and the persons identified as the document authors. All rights reserved. This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (https://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents 
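Review bot: the cover-page title still reads "Applicability of Interfaces to Network Security Functions", while the Abstract and Section 1 expand I2NSF as "Interface to Network Security Functions" (singular), which is also the working group name in the header; since this revision is already a terminology cleanup, align the title with the expansion used in the body. The date and expiry bumps in this hunk (May 16, 2019 and November 17, 2019) are consistent with each other and with the "-11" filename, so nothing else to change here.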
@@ -67,33 +67,33 @@ System . . . . . . . . . . . . . . . . . . . . . . . . . 15 6.3. Attack Mitigation: Centralized DDoS-attack Mitigation System . . . . . . . . . . . . . . . . . . . . . . . . . 15 7. I2NSF Framework with NFV . . . . . . . . . . . . . . . . . . 17 8. Security Considerations . . . . . . . . . . . . . . . . . . . 19 9. Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . 19 10. Contributors . . . . . . . . . . . . . . . . . . . . . . . . 19 11. References . . . . . . . . . . . . . . . . . . . . . . . . . 20 11.1. Normative References . . . . . . . . . . . . . . . . . . 20 11.2. Informative References . . . . . . . . . . . . . . . . . 21 - Appendix A. Changes from draft-ietf-i2nsf-applicability-09 . . . 23 + Appendix A. Changes from draft-ietf-i2nsf-applicability-10 . . . 23 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 23 1. Introduction Interface to Network Security Functions (I2NSF) defines a framework and interfaces for interacting with Network Security Functions - (NSFs). Note that Network Security Function (NSF) is defined as - software that provides a set of security-related services, such as - (i) detecting unwanted activity, (ii) blocking or mitigating the - effect of such unwanted activity in order to fulfil service - requirements, and (iii) supporting communication stream integrity and - confidentiality [i2nsf-terminology]. + (NSFs). Note that an NSF is defined as software that provides a set + of security-related services, such as (i) detecting unwanted + activity, (ii) blocking or mitigating the effect of such unwanted + activity in order to fulfil service requirements, and (iii) + supporting communication stream integrity and confidentiality + [i2nsf-terminology]. 
The I2NSF framework allows heterogeneous NSFs developed by different security solution vendors to be used in the Network Functions Virtualization (NFV) environment [ETSI-NFV] by utilizing the capabilities of such NSFs through I2NSF interfaces such as Customer- Facing Interface [consumer-facing-inf-dm] and NSF-Facing Interface [nsf-facing-inf-dm]. In the I2NSF framework, each NSF initially registers the profile of its own capabilities into the Security Controller (i.e., network operator management system [RFC8329]) in the I2NSF system via Registration Interface [registration-inf-dm] so @@ -144,21 +144,21 @@ [NFV-Terminology], [RFC8329], and [i2nsf-terminology]. In addition, the following terms are defined below: o Software-Defined Networking (SDN): A set of techniques that enables to directly program, orchestrate, control, and manage network resources, which facilitates the design, delivery and operation of network services in a dynamic and scalable manner [ITU-T.Y.3300]. - o Network Function: A funcional block within a network + o Network Function: A functional block within a network infrastructure that has well-defined external interfaces and well- defined functional behavior [NFV-Terminology]. o Network Security Function (NSF): Software that provides a set of security-related services. Examples include detecting unwanted activity and blocking or mitigating the effect of such unwanted activity in order to fulfil service requirements. The NSF can also help in supporting communication stream integrity and confidentiality [i2nsf-terminology]. 
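Review bot: after the Section 1 change, "an NSF is defined as software that provides a set of security-related services, such as (i) ... (iii) ..." still restates, nearly word for word, the definition given under "Network Security Function (NSF)" in Section 2, which differs only in splitting the same three items across two sentences; keep the single authoritative definition in Section 2 and have Section 1 refer to it (for example "as defined in Section 2"), so the two copies cannot drift apart in later revisions. In the same Section 2 block, "A set of techniques that enables to directly program, orchestrate, control, and manage network resources" is ungrammatical and was not fixed alongside "funcional"; "that enables direct programming, orchestration, control and management of network resources" reads correctly.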
@@ -915,22 +915,22 @@ 11.2. Informative References [AVANT-GUARD] Shin, S., Yegneswaran, V., Porras, P., and G. Gu, "AVANT- GUARD: Scalable and Vigilant Switch Flow Management in Software-Defined Networks", ACM CCS, November 2013. [consumer-facing-inf-dm] Jeong, J., Kim, E., Ahn, T., Kumar, R., and S. Hares, "I2NSF Consumer-Facing Interface YANG Data Model", draft- - ietf-i2nsf-consumer-facing-interface-dm-03 (work in - progress), March 2019. + ietf-i2nsf-consumer-facing-interface-dm-04 (work in + progress), April 2019. [ETSI-NFV-MANO] "Network Functions Virtualisation (NFV); Management and Orchestration", Available: https://www.etsi.org/deliver/etsi_gs/nfv- man/001_099/001/01.01.01_60/gs_nfv-man001v010101p.pdf, December 2014. [i2nsf-terminology] Hares, S., Strassner, J., Lopez, D., Xia, L., and H. 
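Review bot: the [consumer-facing-inf-dm] bump to -04, April 2019 is not recorded in Appendix A, which lists only the Section 1 wording change and the Section 2 typo; add a bullet such as "o In Section 11.2, the references to the I2NSF data model drafts are updated to their current revisions." so that the change list matches what the diff actually touches.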
@@ -938,84 +938,62 @@ Terminology", draft-ietf-i2nsf-terminology-07 (work in progress), January 2019. [ITU-T.X.800] "Security Architecture for Open Systems Interconnection for CCITT Applications", March 1991. [nsf-facing-inf-dm] Kim, J., Jeong, J., Park, J., Hares, S., and Q. Lin, "I2NSF Network Security Function-Facing Interface YANG - Data Model", draft-ietf-i2nsf-nsf-facing-interface-dm-03 + Data Model", draft-ietf-i2nsf-nsf-facing-interface-dm-05 (work in progress), March 2019. [nsf-monitoring-dm] Jeong, J., Chung, C., Hares, S., Xia, L., and H. Birkholz, - "A YANG Data Model for Monitoring I2NSF Network Security - Functions", draft-ietf-i2nsf-nsf-monitoring-data-model-00 - (work in progress), March 2019. + "I2NSF NSF Monitoring YANG Data Model", draft-ietf-i2nsf- + nsf-monitoring-data-model-00 (work in progress), March + 2019. [opsawg-firewalls] Baker, F. and P. Hoffman, "On Firewalls in Internet Security", draft-ietf-opsawg-firewalls-01 (work in progress), October 2012. [policy-translation] Yang, J., Jeong, J., and J. Kim, "Security Policy Translation in Interface to Network Security Functions", draft-yang-i2nsf-security-policy-translation-03 (work in progress), March 2019. [registration-inf-dm] Hyun, S., Jeong, J., Roh, T., Wi, S., and J. Park, "I2NSF Registration Interface YANG Data Model", draft-ietf-i2nsf- - registration-interface-dm-02 (work in progress), March + registration-interface-dm-03 (work in progress), March 2019. [VNF-ONBOARDING] "VNF Onboarding", Available: https://wiki.opnfv.org/display/mano/VNF+Onboarding, November 2016. -Appendix A. Changes from draft-ietf-i2nsf-applicability-09 +Appendix A. Changes from draft-ietf-i2nsf-applicability-10 The following changes have been made from draft-ietf-i2nsf- - applicability-09: - - o This version has reflected the questions and comments from Roman - Danyliw who is a Security Area Director as follows. 
- - o In Section 1, the description of I2NSF components and interfaces - is clarified with typo correction. - - o In Section 2, unnecessary references are deleted, and the - definition of a term "NSF" is clarified with the I2NSF terminology - draft [i2nsf-terminology]. - - o In Section 3, inside attacks at DMS or I2NSF User are described - clearly along with feasible counterattacks against those inside - attacks. Also, the usage of RESTCONF and NETCONF with YANG data - model language is clarified for three I2NSF interfaces such as the - Consumer-Facing Interface, NSF-Facing Interface, and Registration - Interface. - - o In Section 4, a real XML code for the time-dependent web access - control is added for the Consumer-Facing Interface as an example. + applicability-10: - o In Section 5, the network service header (NSH) as a reference is - added for the metadata format for I2NSF traffic steering based on - SFC. + o In Section 1, "Network Security Function (NSF)" is replaced with + "an NSF" because the abbreviation of "Network Security Function" + is defined as "NSF" in the previous sentence. - o In Section 6, the definitions of an SDN forwarding element and an - NSF are clarified. Also, the optimization of an SDN-and-NFV-based - firewall is explained clearly in terms of delay and network - bandwidth saving. + o In Section 2, a typo in "funcional block" is corrected as + "functional block". Authors' Addresses Jaehoon Paul Jeong Department of Software Sungkyunkwan University 2066 Seobu-Ro, Jangan-Gu Suwon, Gyeonggi-Do 16419 Republic of Korea
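Review bot: in the [nsf-facing-inf-dm] and [registration-inf-dm] entries the revision is bumped (-03 to -05 and -02 to -03) but the date stays "March 2019", and in [nsf-monitoring-dm] the title is rewritten while the revision stays at -00; a title normally changes only with a new revision, so verify each of these three entries against the datatracker and update the date or revision the way the consumer-facing entry was (-04, April 2019). Separately, this hunk deletes the whole "Changes from draft-ietf-i2nsf-applicability-09" list, including the record that -10 addressed the comments of the Security Area Director (Roman Danyliw); since that list documents the response to an AD review, keep it as a second subsection (for example "A.2. Changes from draft-ietf-i2nsf-applicability-09") under the new "Changes from draft-ietf-i2nsf-applicability-10" rather than dropping it.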