--- 1/draft-ietf-i2nsf-applicability-14.txt 2019-07-24 07:13:49.613917436 -0700 +++ 2/draft-ietf-i2nsf-applicability-15.txt 2019-07-24 07:13:49.701919667 -0700 @@ -1,26 +1,26 @@ I2NSF Working Group J. Jeong Internet-Draft Sungkyunkwan University Intended status: Informational S. Hyun -Expires: January 21, 2020 Chosun University +Expires: January 25, 2020 Chosun University T. Ahn Korea Telecom S. Hares Huawei D. Lopez Telefonica I+D - July 20, 2019 + July 24, 2019 Applicability of Interfaces to Network Security Functions to Network- Based Security Services - draft-ietf-i2nsf-applicability-14 + draft-ietf-i2nsf-applicability-15 Abstract This document describes the applicability of Interface to Network Security Functions (I2NSF) to network-based security services in Network Functions Virtualization (NFV) environments, such as firewall, deep packet inspection, or attack mitigation engines. Status of This Memo @@ -30,21 +30,21 @@ Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet- Drafts is at https://datatracker.ietf.org/drafts/current/. Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress." - This Internet-Draft will expire on January 21, 2020. + This Internet-Draft will expire on January 25, 2020. Copyright Notice Copyright (c) 2019 IETF Trust and the persons identified as the document authors. All rights reserved. This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (https://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents 
@@ -67,21 +67,21 @@ System . . . . . . . . . . . . . . . . . . . . . . . . . 15 6.3. Attack Mitigation: Centralized DDoS-attack Mitigation System . . . . . . . . . . . . . . . . . . . . . . . . . 15 7. I2NSF Framework with NFV . . . . . . . . . . . . . . . . . . 16 8. Security Considerations . . . . . . . . . . . . . . . . . . . 18 9. Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . 19 10. Contributors . . . . . . . . . . . . . . . . . . . . . . . . 19 11. References . . . . . . . . . . . . . . . . . . . . . . . . . 19 11.1. Normative References . . . . . . . . . . . . . . . . . . 19 11.2. Informative References . . . . . . . . . . . . . . . . . 21 - Appendix A. Changes from draft-ietf-i2nsf-applicability-13 . . . 23 + Appendix A. Changes from draft-ietf-i2nsf-applicability-14 . . . 23 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 23 1. Introduction Interface to Network Security Functions (I2NSF) defines a framework and interfaces for interacting with Network Security Functions (NSFs). Note that an NSF is defined as software that provides a set of security-related services, such as (i) detecting unwanted activity, (ii) blocking or mitigating the effect of such unwanted activity in order to fulfil service requirements, and (iii) 
@@ -370,27 +370,27 @@ Transport Layer Security (TLS) [RFC8446] or the HTTP protocol with TLS as HTTPS. The low-level security rules for web filter check that the target URL field of a received packet is equal to example.com, or that the destination IP address of a received packet is an IP address corresponding to example.com. Note that if HTTPS is used for an HTTP-session packet, the HTTP protocol header is encrypted, so the URL information may not be seen from the packet for the web filtering. Thus, the IP address(es) corresponding to the target URL needs to be obtained from the certificate in TLS versions prior to 1.3 [RFC8446] or the Server Name Indication (SNI) in a TCP-session - packet in TLS. Also, to obtain IP address(es) corresponding to a - target URL, the DNS name resolution process can be observed through a - packet capturing tool because the DNS name resolution will translate - the target URL into IP address(es). The IP addresses obtained - through either TLS or DNS can be used by both firewall and web filter - for whitelisting or blacklisting the TCP five-tuples of HTTP - sessions. + packet in TLS versions without the encrypted SNI [tls-esni]. Also, + to obtain IP address(es) corresponding to a target URL, the DNS name + resolution process can be observed through a packet capturing tool + because the DNS name resolution will translate the target URL into IP + address(es). The IP addresses obtained through either TLS or DNS can + be used by both firewall and web filter for whitelisting or + blacklisting the TCP five-tuples of HTTP sessions. Finally, the Security Controller sends the low-level security rules of the IP address and port number inspection to the firewall NSF and the low-level rules for URL inspection to the web filter NSF. The following describes how the time-dependent web access control service is enforced by the NSFs of firewall and web filter. 1. A staff member tries to access example.com during business hours, e.g., 10 AM. 
@@ -827,25 +827,25 @@ out of scope for I2NSF. I2NSF system operators should audit and monitor interactions with DMSs. Additionally, the operators should monitor the running NSFs through the I2NSF NSF Monitoring Interface [nsf-monitoring-dm] as part of the I2NSF NSF-Facing Interface. Note that the mechanics for monitoring the DMSs are out of scope for I2NSF. 9. Acknowledgments - This work was supported by Institute for Information & communications - Technology Promotion (IITP) grant funded by the Korea government - (MSIP) (No.R-20160222-002755, Cloud based Security Intelligence - Technology Development for the Customized Security Service - Provisioning). + This work was supported by Institute of Information & Communications + Technology Planning & Evaluation (IITP) grant funded by the Korea + MSIT (Ministry of Science and ICT) (R-20160222-002755, Cloud based + Security Intelligence Technology Development for the Customized + Security Service Provisioning). This work has been partially supported by the European Commission under Horizon 2020 grant agreement no. 700199 "Securing against intruders and other threats through a NFV-enabled environment (SHIELD)". This support does not imply endorsement. 10. Contributors I2NSF is a group effort. I2NSF has had a number of contributing authors. The following are considered co-authors: 
@@ -929,86 +929,88 @@ 11.2. Informative References [AVANT-GUARD] Shin, S., Yegneswaran, V., Porras, P., and G. Gu, "AVANT- GUARD: Scalable and Vigilant Switch Flow Management in Software-Defined Networks", ACM CCS, November 2013. [consumer-facing-inf-dm] Jeong, J., Kim, E., Ahn, T., Kumar, R., and S. Hares, "I2NSF Consumer-Facing Interface YANG Data Model", draft- - ietf-i2nsf-consumer-facing-interface-dm-05 (work in - progress), June 2019. + ietf-i2nsf-consumer-facing-interface-dm-06 (work in + progress), July 2019. [ETSI-NFV-MANO] "Network Functions Virtualisation (NFV); Management and Orchestration", Available: https://www.etsi.org/deliver/etsi_gs/nfv- man/001_099/001/01.01.01_60/gs_nfv-man001v010101p.pdf, December 2014. [i2nsf-terminology] Hares, S., Strassner, J., Lopez, D., Xia, L., and H. Birkholz, "Interface to Network Security Functions (I2NSF) - Terminology", draft-ietf-i2nsf-terminology-07 (work in - progress), January 2019. + Terminology", draft-ietf-i2nsf-terminology-08 (work in + progress), July 2019. [ITU-T.X.800] "Security Architecture for Open Systems Interconnection for CCITT Applications", March 1991. [nsf-facing-inf-dm] Kim, J., Jeong, J., Park, J., Hares, S., and Q. Lin, "I2NSF Network Security Function-Facing Interface YANG - Data Model", draft-ietf-i2nsf-nsf-facing-interface-dm-06 - (work in progress), June 2019. + Data Model", draft-ietf-i2nsf-nsf-facing-interface-dm-07 + (work in progress), July 2019. [nsf-monitoring-dm] Jeong, J., Chung, C., Hares, S., Xia, L., and H. Birkholz, "I2NSF NSF Monitoring YANG Data Model", draft-ietf-i2nsf- - nsf-monitoring-data-model-00 (work in progress), March + nsf-monitoring-data-model-01 (work in progress), July 2019. [opsawg-firewalls] Baker, F. and P. Hoffman, "On Firewalls in Internet Security", draft-ietf-opsawg-firewalls-01 (work in progress), October 2012. [policy-translation] - Yang, J., Jeong, J., and J. 
Kim, "Security Policy - Translation in Interface to Network Security Functions", - draft-yang-i2nsf-security-policy-translation-03 (work in - progress), March 2019. + Jeong, J., Yang, J., Chung, C., and J. Kim, "Security + Policy Translation in Interface to Network Security + Functions", draft-yang-i2nsf-security-policy- + translation-04 (work in progress), July 2019. [registration-inf-dm] Hyun, S., Jeong, J., Roh, T., Wi, S., and J. Park, "I2NSF Registration Interface YANG Data Model", draft-ietf-i2nsf- - registration-interface-dm-04 (work in progress), June + registration-interface-dm-05 (work in progress), July 2019. + [tls-esni] + Rescorla, E., Oku, K., Sullivan, N., and C. Wood, + "Encrypted Server Name Indication for TLS 1.3", draft- + ietf-tls-esni-04 (work in progress), July 2019. + [VNF-ONBOARDING] "VNF Onboarding", Available: https://wiki.opnfv.org/display/mano/VNF+Onboarding, November 2016. -Appendix A. Changes from draft-ietf-i2nsf-applicability-13 +Appendix A. Changes from draft-ietf-i2nsf-applicability-14 The following changes have been made from draft-ietf-i2nsf- - applicability-13: - - o This version has reflected comments from Tommy Pauly who is a - member of the Transport Area Review Team (TSVART). - - o In Section 4, the discussion is added to explain how to handle - HTTP-session packets using TLS in web filtering. + applicability-14: - o Some editorial comments are reflected. + o In Section 4, to handle HTTP-session packets using TLS in web + filtering, it is clarified that the Server Name Indication (SNI) + can be used to detect a website's URL if the SNI field is not + encryped in TLS versions without the encrypted SNI. Authors' Addresses Jaehoon Paul Jeong Department of Computer Science and Engineering Sungkyunkwan University 2066 Seobu-Ro, Jangan-Gu Suwon, Gyeonggi-Do 16419 Republic of Korea
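Review bot: In the @@ -370 hunk, the rewritten sentence still says the "IP address(es) corresponding to the target URL needs to be obtained from the certificate ... or the Server Name Indication (SNI)", but neither the server certificate nor the SNI extension carries IP addresses; both carry the server's host name, which then has to be resolved to addresses (the DNS observation in the following sentence) or matched directly by the web filter. The new phrase "TLS versions without the encrypted SNI [tls-esni]" also treats encrypted SNI as a TLS version, whereas [tls-esni] is an extension to TLS 1.3; in TLS 1.3 the certificate is itself encrypted, so the ClientHello SNI is the only name visible there unless ESNI is used. Suggested wording: "the host name needs to be obtained from the server certificate (TLS versions prior to 1.3 [RFC8446]) or from the SNI extension in the ClientHello (unless Encrypted SNI [tls-esni] is in use), and then mapped to IP address(es)." The DNS-observation step should likewise say it assumes DNS resolution is visible on the wire.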
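Review bot: The new Appendix A bullet in the @@ -929 hunk has a typo, "encryped" for "encrypted", and says SNI "can be used to detect a website's URL" although the SNI extension carries only the host name, not a URL; "domain name" would be accurate. It also repeats the "TLS versions without the encrypted SNI" phrasing, which should be "if Encrypted SNI [tls-esni] is not in use" to match the title of the newly added [tls-esni] reference ("Encrypted Server Name Indication for TLS 1.3"). The reference list changes themselves (version bumps to -06, -08, -07, -01, -04, -05 and the new [tls-esni] entry) look consistent with the citations in the body.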