| draft-ietf-i2nsf-applicability-16.txt | draft-ietf-i2nsf-applicability-17.txt | |||
|---|---|---|---|---|
| I2NSF Working Group J. Jeong | I2NSF Working Group J. Jeong | |||
| Internet-Draft Sungkyunkwan University | Internet-Draft Sungkyunkwan University | |||
| Intended status: Informational S. Hyun | Intended status: Informational S. Hyun | |||
| Expires: January 26, 2020 Chosun University | Expires: February 9, 2020 Chosun University | |||
| T. Ahn | T. Ahn | |||
| Korea Telecom | Korea Telecom | |||
| S. Hares | S. Hares | |||
| Huawei | Huawei | |||
| D. Lopez | D. Lopez | |||
| Telefonica I+D | Telefonica I+D | |||
| July 25, 2019 | August 8, 2019 | |||
| Applicability of Interfaces to Network Security Functions to Network- | Applicability of Interfaces to Network Security Functions to Network- | |||
| Based Security Services | Based Security Services | |||
| draft-ietf-i2nsf-applicability-16 | draft-ietf-i2nsf-applicability-17 | |||
| Abstract | Abstract | |||
| This document describes the applicability of Interface to Network | This document describes the applicability of Interface to Network | |||
| Security Functions (I2NSF) to network-based security services in | Security Functions (I2NSF) to network-based security services in | |||
| Network Functions Virtualization (NFV) environments, such as | Network Functions Virtualization (NFV) environments, such as | |||
| firewall, deep packet inspection, or attack mitigation engines. | firewall, deep packet inspection, or attack mitigation engines. | |||
| Status of This Memo | Status of This Memo | |||
| skipping to change at page 1, line 41 ¶ | skipping to change at page 1, line 41 ¶ | |||
| Internet-Drafts are working documents of the Internet Engineering | Internet-Drafts are working documents of the Internet Engineering | |||
| Task Force (IETF). Note that other groups may also distribute | Task Force (IETF). Note that other groups may also distribute | |||
| working documents as Internet-Drafts. The list of current Internet- | working documents as Internet-Drafts. The list of current Internet- | |||
| Drafts is at https://datatracker.ietf.org/drafts/current/. | Drafts is at https://datatracker.ietf.org/drafts/current/. | |||
| Internet-Drafts are draft documents valid for a maximum of six months | Internet-Drafts are draft documents valid for a maximum of six months | |||
| and may be updated, replaced, or obsoleted by other documents at any | and may be updated, replaced, or obsoleted by other documents at any | |||
| time. It is inappropriate to use Internet-Drafts as reference | time. It is inappropriate to use Internet-Drafts as reference | |||
| material or to cite them other than as "work in progress." | material or to cite them other than as "work in progress." | |||
| This Internet-Draft will expire on January 26, 2020. | This Internet-Draft will expire on February 9, 2020. | |||
| Copyright Notice | Copyright Notice | |||
| Copyright (c) 2019 IETF Trust and the persons identified as the | Copyright (c) 2019 IETF Trust and the persons identified as the | |||
| document authors. All rights reserved. | document authors. All rights reserved. | |||
| This document is subject to BCP 78 and the IETF Trust's Legal | This document is subject to BCP 78 and the IETF Trust's Legal | |||
| Provisions Relating to IETF Documents | Provisions Relating to IETF Documents | |||
| (https://trustee.ietf.org/license-info) in effect on the date of | (https://trustee.ietf.org/license-info) in effect on the date of | |||
| publication of this document. Please review these documents | publication of this document. Please review these documents | |||
| skipping to change at page 2, line 32 ¶ | skipping to change at page 2, line 32 ¶ | |||
| System . . . . . . . . . . . . . . . . . . . . . . . . . 15 | System . . . . . . . . . . . . . . . . . . . . . . . . . 15 | |||
| 6.3. Attack Mitigation: Centralized DDoS-attack Mitigation | 6.3. Attack Mitigation: Centralized DDoS-attack Mitigation | |||
| System . . . . . . . . . . . . . . . . . . . . . . . . . 15 | System . . . . . . . . . . . . . . . . . . . . . . . . . 15 | |||
| 7. I2NSF Framework with NFV . . . . . . . . . . . . . . . . . . 16 | 7. I2NSF Framework with NFV . . . . . . . . . . . . . . . . . . 16 | |||
| 8. Security Considerations . . . . . . . . . . . . . . . . . . . 18 | 8. Security Considerations . . . . . . . . . . . . . . . . . . . 18 | |||
| 9. Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . 19 | 9. Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . 19 | |||
| 10. Contributors . . . . . . . . . . . . . . . . . . . . . . . . 19 | 10. Contributors . . . . . . . . . . . . . . . . . . . . . . . . 19 | |||
| 11. References . . . . . . . . . . . . . . . . . . . . . . . . . 19 | 11. References . . . . . . . . . . . . . . . . . . . . . . . . . 19 | |||
| 11.1. Normative References . . . . . . . . . . . . . . . . . . 19 | 11.1. Normative References . . . . . . . . . . . . . . . . . . 19 | |||
| 11.2. Informative References . . . . . . . . . . . . . . . . . 21 | 11.2. Informative References . . . . . . . . . . . . . . . . . 21 | |||
| Appendix A. Changes from draft-ietf-i2nsf-applicability-15 . . . 23 | Appendix A. Changes from draft-ietf-i2nsf-applicability-16 . . . 23 | |||
| Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 23 | Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 23 | |||
| 1. Introduction | 1. Introduction | |||
| Interface to Network Security Functions (I2NSF) defines a framework | Interface to Network Security Functions (I2NSF) defines a framework | |||
| and interfaces for interacting with Network Security Functions | and interfaces for interacting with Network Security Functions | |||
| (NSFs). Note that an NSF is defined as software that provides a set | (NSFs). Note that an NSF is defined as software that provides a set | |||
| of security-related services, such as (i) detecting unwanted | of security-related services, such as (i) detecting unwanted | |||
| activity, (ii) blocking or mitigating the effect of such unwanted | activity, (ii) blocking or mitigating the effect of such unwanted | |||
| activity in order to fulfill service requirements, and (iii) | activity in order to fulfill service requirements, and (iii) | |||
| skipping to change at page 15, line 30 ¶ | skipping to change at page 15, line 30 ¶ | |||
| packet that exhibits some suspicious patterns, then it triggers the | packet that exhibits some suspicious patterns, then it triggers the | |||
| VoIP/VoLTE security system for more specialized security analysis of | VoIP/VoLTE security system for more specialized security analysis of | |||
| the suspicious VoIP call packet. | the suspicious VoIP call packet. | |||
| 6.3. Attack Mitigation: Centralized DDoS-attack Mitigation System | 6.3. Attack Mitigation: Centralized DDoS-attack Mitigation System | |||
| A centralized DDoS-attack mitigation can manage each network resource | A centralized DDoS-attack mitigation can manage each network resource | |||
| and configure rules to each switch for DDoS-attack mitigation (called | and configure rules to each switch for DDoS-attack mitigation (called | |||
| DDoS-attack Mitigator) on a common server. The centralized DDoS- | DDoS-attack Mitigator) on a common server. The centralized DDoS- | |||
| attack mitigation system defends servers against DDoS attacks outside | attack mitigation system defends servers against DDoS attacks outside | |||
| the private network, that is, from public networks. | the private network, that is, from public networks | |||
| [RFC8612][dots-architecture]. | ||||
| Servers are categorized into stateless servers (e.g., DNS servers) | Servers are categorized into stateless servers (e.g., DNS servers) | |||
| and stateful servers (e.g., web servers). For DDoS-attack | and stateful servers (e.g., web servers). For DDoS-attack | |||
| mitigation, the forwarding of traffic flows in switches can be | mitigation, the forwarding of traffic flows in switches can be | |||
| dynamically configured such that malicious traffic flows are handled | dynamically configured such that malicious traffic flows are handled | |||
| by the paths separated from normal traffic flows in order to minimize | by the paths separated from normal traffic flows in order to minimize | |||
| the impact of those malicious traffic on the servers. This flow path | the impact of those malicious traffic on the servers. This flow path | |||
| separation can be done by a flow forwarding path management scheme | separation can be done by a flow forwarding path management scheme | |||
| based on [AVANT-GUARD]. This management should consider the load | [dots-architecture][AVANT-GUARD]. This management should consider | |||
| balance among the switches for the defense against DDoS attacks. | the load balance among the switches for the defense against DDoS | |||
| attacks. | ||||
| So far this section has described the three use cases for network- | So far this section has described the three use cases for network- | |||
| based security services using the I2NSF framework with SDN networks. | based security services using the I2NSF framework with SDN networks. | |||
| To support these use cases in the proposed data-driven security | To support these use cases in the proposed data-driven security | |||
| service framework, YANG data models described in | service framework, YANG data models described in | |||
| [consumer-facing-inf-dm], [nsf-facing-inf-dm], and | [consumer-facing-inf-dm], [nsf-facing-inf-dm], and | |||
| [registration-inf-dm] can be used as Consumer-Facing Interface, NSF- | [registration-inf-dm] can be used as Consumer-Facing Interface, NSF- | |||
| Facing Interface, and Registration Interface, respectively, along | Facing Interface, and Registration Interface, respectively, along | |||
| with RESTCONF [RFC8040] and NETCONF [RFC6241]. | with RESTCONF [RFC8040] and NETCONF [RFC6241]. | |||
| skipping to change at page 19, line 44 ¶ | skipping to change at page 19, line 44 ¶ | |||
| o Jung-Soo Park (ETRI) | o Jung-Soo Park (ETRI) | |||
| o Se-Hui Lee (Korea Telecom) | o Se-Hui Lee (Korea Telecom) | |||
| o Mohamed Boucadair (Orange) | o Mohamed Boucadair (Orange) | |||
| 11. References | 11. References | |||
| 11.1. Normative References | 11.1. Normative References | |||
| [AVANT-GUARD] | ||||
| Shin, S., Yegneswaran, V., Porras, P., and G. Gu, "AVANT- | ||||
| GUARD: Scalable and Vigilant Switch Flow Management in | ||||
| Software-Defined Networks", ACM CCS, November 2013. | ||||
| [consumer-facing-inf-dm] | ||||
| Jeong, J., Kim, E., Ahn, T., Kumar, R., and S. Hares, | ||||
| "I2NSF Consumer-Facing Interface YANG Data Model", draft- | ||||
| ietf-i2nsf-consumer-facing-interface-dm-06 (work in | ||||
| progress), July 2019. | ||||
| [dots-architecture] | ||||
| Mortensen, A., Reddy, T., Andreasen, F., Teague, N., and | ||||
| R. Compton, "Distributed-Denial-of-Service Open Threat | ||||
| Signaling (DOTS) Architecture", draft-ietf-dots- | ||||
| architecture-14 (work in progress), May 2019. | ||||
| [ETSI-NFV] | [ETSI-NFV] | |||
| "Network Functions Virtualisation (NFV); Architectural | "Network Functions Virtualisation (NFV); Architectural | |||
| Framework", Available: | Framework", Available: | |||
| https://www.etsi.org/deliver/etsi_gs/ | https://www.etsi.org/deliver/etsi_gs/ | |||
| nfv/001_099/002/01.01.01_60/gs_nfv002v010101p.pdf, October | nfv/001_099/002/01.01.01_60/gs_nfv002v010101p.pdf, October | |||
| 2013. | 2013. | |||
| [ITU-T.Y.3300] | [ITU-T.Y.3300] | |||
| "Framework of Software-Defined Networking", | "Framework of Software-Defined Networking", | |||
| Available: https://www.itu.int/rec/T-REC-Y.3300-201406-I, | Available: https://www.itu.int/rec/T-REC-Y.3300-201406-I, | |||
| June 2014. | June 2014. | |||
| [NFV-Terminology] | [NFV-Terminology] | |||
| "Network Functions Virtualisation (NFV); Terminology for | "Network Functions Virtualisation (NFV); Terminology for | |||
| Main Concepts in NFV", Available: | Main Concepts in NFV", Available: | |||
| https://www.etsi.org/deliver/etsi_gs/ | https://www.etsi.org/deliver/etsi_gs/ | |||
| NFV/001_099/003/01.02.01_60/gs_nfv003v010201p.pdf, | NFV/001_099/003/01.02.01_60/gs_nfv003v010201p.pdf, | |||
| December 2014. | December 2014. | |||
| [nsf-facing-inf-dm] | ||||
| Kim, J., Jeong, J., Park, J., Hares, S., and Q. Lin, | ||||
| "I2NSF Network Security Function-Facing Interface YANG | ||||
| Data Model", draft-ietf-i2nsf-nsf-facing-interface-dm-07 | ||||
| (work in progress), July 2019. | ||||
| [nsf-monitoring-dm] | ||||
| Jeong, J., Chung, C., Hares, S., Xia, L., and H. Birkholz, | ||||
| "I2NSF NSF Monitoring YANG Data Model", draft-ietf-i2nsf- | ||||
| nsf-monitoring-data-model-01 (work in progress), July | ||||
| 2019. | ||||
| [ONF-SDN-Architecture] | [ONF-SDN-Architecture] | |||
| "SDN Architecture (Issue 1.1)", Available: | "SDN Architecture (Issue 1.1)", Available: | |||
| https://www.opennetworking.org/wp- | https://www.opennetworking.org/wp- | |||
| content/uploads/2014/10/TR- | content/uploads/2014/10/TR- | |||
| 521_SDN_Architecture_issue_1.1.pdf, June 2016. | 521_SDN_Architecture_issue_1.1.pdf, June 2016. | |||
| [registration-inf-dm] | ||||
| Hyun, S., Jeong, J., Roh, T., Wi, S., and J. Park, "I2NSF | ||||
| Registration Interface YANG Data Model", draft-ietf-i2nsf- | ||||
| registration-interface-dm-05 (work in progress), July | ||||
| 2019. | ||||
| [RFC6020] Bjorklund, M., "YANG - A Data Modeling Language for the | [RFC6020] Bjorklund, M., "YANG - A Data Modeling Language for the | |||
| Network Configuration Protocol (NETCONF)", RFC 6020, | Network Configuration Protocol (NETCONF)", RFC 6020, | |||
| October 2010. | October 2010. | |||
| [RFC6241] Enns, R., Bjorklund, M., Schoenwaelder, J., and A. | [RFC6241] Enns, R., Bjorklund, M., Schoenwaelder, J., and A. | |||
| Bierman, "Network Configuration Protocol (NETCONF)", | Bierman, "Network Configuration Protocol (NETCONF)", | |||
| RFC 6241, June 2011. | RFC 6241, June 2011. | |||
| [RFC7149] Boucadair, M. and C. Jacquenet, "Software-Defined | [RFC7149] Boucadair, M. and C. Jacquenet, "Software-Defined | |||
| Networking: A Perspective from within a Service Provider | Networking: A Perspective from within a Service Provider | |||
| skipping to change at page 21, line 8 ¶ | skipping to change at page 21, line 44 ¶ | |||
| [RFC8300] Quinn, P., Elzur, U., and C. Pignataro, "Network Service | [RFC8300] Quinn, P., Elzur, U., and C. Pignataro, "Network Service | |||
| Header (NSH)", RFC 8300, January 2018. | Header (NSH)", RFC 8300, January 2018. | |||
| [RFC8329] Lopez, D., Lopez, E., Dunbar, L., Strassner, J., and R. | [RFC8329] Lopez, D., Lopez, E., Dunbar, L., Strassner, J., and R. | |||
| Kumar, "Framework for Interface to Network Security | Kumar, "Framework for Interface to Network Security | |||
| Functions", RFC 8329, February 2018. | Functions", RFC 8329, February 2018. | |||
| [RFC8446] Rescorla, E., "The Transport Layer Security (TLS) Protocol | [RFC8446] Rescorla, E., "The Transport Layer Security (TLS) Protocol | |||
| Version 1.3", RFC 8446, August 2018. | Version 1.3", RFC 8446, August 2018. | |||
| 11.2. Informative References | [RFC8612] Mortensen, A., Reddy, T., and R. Moskowitz, "DDoS Open | |||
| Threat Signaling (DOTS) Requirements", RFC 8612, May 2019. | ||||
| [AVANT-GUARD] | ||||
| Shin, S., Yegneswaran, V., Porras, P., and G. Gu, "AVANT- | ||||
| GUARD: Scalable and Vigilant Switch Flow Management in | ||||
| Software-Defined Networks", ACM CCS, November 2013. | ||||
| [consumer-facing-inf-dm] | 11.2. Informative References | |||
| Jeong, J., Kim, E., Ahn, T., Kumar, R., and S. Hares, | ||||
| "I2NSF Consumer-Facing Interface YANG Data Model", draft- | ||||
| ietf-i2nsf-consumer-facing-interface-dm-06 (work in | ||||
| progress), July 2019. | ||||
| [ETSI-NFV-MANO] | [ETSI-NFV-MANO] | |||
| "Network Functions Virtualisation (NFV); Management and | "Network Functions Virtualisation (NFV); Management and | |||
| Orchestration", Available: | Orchestration", Available: | |||
| https://www.etsi.org/deliver/etsi_gs/nfv- | https://www.etsi.org/deliver/etsi_gs/nfv- | |||
| man/001_099/001/01.01.01_60/gs_nfv-man001v010101p.pdf, | man/001_099/001/01.01.01_60/gs_nfv-man001v010101p.pdf, | |||
| December 2014. | December 2014. | |||
| [i2nsf-terminology] | [i2nsf-terminology] | |||
| Hares, S., Strassner, J., Lopez, D., Xia, L., and H. | Hares, S., Strassner, J., Lopez, D., Xia, L., and H. | |||
| Birkholz, "Interface to Network Security Functions (I2NSF) | Birkholz, "Interface to Network Security Functions (I2NSF) | |||
| Terminology", draft-ietf-i2nsf-terminology-08 (work in | Terminology", draft-ietf-i2nsf-terminology-08 (work in | |||
| progress), July 2019. | progress), July 2019. | |||
| [ITU-T.X.800] | [ITU-T.X.800] | |||
| "Security Architecture for Open Systems Interconnection | "Security Architecture for Open Systems Interconnection | |||
| for CCITT Applications", March 1991. | for CCITT Applications", March 1991. | |||
| [nsf-facing-inf-dm] | ||||
| Kim, J., Jeong, J., Park, J., Hares, S., and Q. Lin, | ||||
| "I2NSF Network Security Function-Facing Interface YANG | ||||
| Data Model", draft-ietf-i2nsf-nsf-facing-interface-dm-07 | ||||
| (work in progress), July 2019. | ||||
| [nsf-monitoring-dm] | ||||
| Jeong, J., Chung, C., Hares, S., Xia, L., and H. Birkholz, | ||||
| "I2NSF NSF Monitoring YANG Data Model", draft-ietf-i2nsf- | ||||
| nsf-monitoring-data-model-01 (work in progress), July | ||||
| 2019. | ||||
| [opsawg-firewalls] | [opsawg-firewalls] | |||
| Baker, F. and P. Hoffman, "On Firewalls in Internet | Baker, F. and P. Hoffman, "On Firewalls in Internet | |||
| Security", draft-ietf-opsawg-firewalls-01 (work in | Security", draft-ietf-opsawg-firewalls-01 (work in | |||
| progress), October 2012. | progress), October 2012. | |||
| [policy-translation] | [policy-translation] | |||
| Jeong, J., Yang, J., Chung, C., and J. Kim, "Security | Jeong, J., Yang, J., Chung, C., and J. Kim, "Security | |||
| Policy Translation in Interface to Network Security | Policy Translation in Interface to Network Security | |||
| Functions", draft-yang-i2nsf-security-policy- | Functions", draft-yang-i2nsf-security-policy- | |||
| translation-04 (work in progress), July 2019. | translation-04 (work in progress), July 2019. | |||
| [registration-inf-dm] | ||||
| Hyun, S., Jeong, J., Roh, T., Wi, S., and J. Park, "I2NSF | ||||
| Registration Interface YANG Data Model", draft-ietf-i2nsf- | ||||
| registration-interface-dm-05 (work in progress), July | ||||
| 2019. | ||||
| [tls-esni] | [tls-esni] | |||
| Rescorla, E., Oku, K., Sullivan, N., and C. Wood, | Rescorla, E., Oku, K., Sullivan, N., and C. Wood, | |||
| "Encrypted Server Name Indication for TLS 1.3", draft- | "Encrypted Server Name Indication for TLS 1.3", draft- | |||
| ietf-tls-esni-04 (work in progress), July 2019. | ietf-tls-esni-04 (work in progress), July 2019. | |||
| [VNF-ONBOARDING] | [VNF-ONBOARDING] | |||
| "VNF Onboarding", Available: | "VNF Onboarding", Available: | |||
| https://wiki.opnfv.org/display/mano/VNF+Onboarding, | https://wiki.opnfv.org/display/mano/VNF+Onboarding, | |||
| November 2016. | November 2016. | |||
| Appendix A. Changes from draft-ietf-i2nsf-applicability-15 | Appendix A. Changes from draft-ietf-i2nsf-applicability-16 | |||
| The following changes have been made from draft-ietf-i2nsf- | The following changes have been made from draft-ietf-i2nsf- | |||
| applicability-15: | applicability-16: | |||
| o This version reflects the comments from Francis Dupont who is a | o The data model drafts for I2NSF are referenced as Normative | |||
| member of the General Area Review Team (Gen-ART) for review. That | references rather than Informative references. | |||
| is, a typo of "fulfil" is corrected as "fulfill". | ||||
| o An RFC and a draft for Distributed-Denial-of-Service Open Threat | ||||
| Signaling (DOTS) are referenced for attack mitigation. | ||||
| Authors' Addresses | Authors' Addresses | |||
| Jaehoon Paul Jeong | Jaehoon Paul Jeong | |||
| Department of Computer Science and Engineering | Department of Computer Science and Engineering | |||
| Sungkyunkwan University | Sungkyunkwan University | |||
| 2066 Seobu-Ro, Jangan-Gu | 2066 Seobu-Ro, Jangan-Gu | |||
| Suwon, Gyeonggi-Do 16419 | Suwon, Gyeonggi-Do 16419 | |||
| Republic of Korea | Republic of Korea | |||
| End of changes. 17 change blocks. | ||||
| 42 lines changed or deleted | 55 lines changed or added | |||
This html diff was produced by rfcdiff 1.47. The latest version is available from http://tools.ietf.org/tools/rfcdiff/ | ||||