| draft-ietf-i2nsf-applicability-17.txt | draft-ietf-i2nsf-applicability-18.txt | |||
|---|---|---|---|---|
| I2NSF Working Group J. Jeong | I2NSF Working Group J. Jeong | |||
| Internet-Draft Sungkyunkwan University | Internet-Draft Sungkyunkwan University | |||
| Intended status: Informational S. Hyun | Intended status: Informational S. Hyun | |||
| Expires: February 9, 2020 Chosun University | Expires: March 18, 2020 Myongji University | |||
| T. Ahn | T. Ahn | |||
| Korea Telecom | Korea Telecom | |||
| S. Hares | S. Hares | |||
| Huawei | Huawei | |||
| D. Lopez | D. Lopez | |||
| Telefonica I+D | Telefonica I+D | |||
| August 8, 2019 | September 15, 2019 | |||
| Applicability of Interfaces to Network Security Functions to Network- | Applicability of Interfaces to Network Security Functions to Network- | |||
| Based Security Services | Based Security Services | |||
| draft-ietf-i2nsf-applicability-17 | draft-ietf-i2nsf-applicability-18 | |||
| Abstract | Abstract | |||
| This document describes the applicability of Interface to Network | This document describes the applicability of Interface to Network | |||
| Security Functions (I2NSF) to network-based security services in | Security Functions (I2NSF) to network-based security services in | |||
| Network Functions Virtualization (NFV) environments, such as | Network Functions Virtualization (NFV) environments, such as | |||
| firewall, deep packet inspection, or attack mitigation engines. | firewall, deep packet inspection, or attack mitigation engines. | |||
| Status of This Memo | Status of This Memo | |||
| skipping to change at page 1, line 41 ¶ | skipping to change at page 1, line 41 ¶ | |||
| Internet-Drafts are working documents of the Internet Engineering | Internet-Drafts are working documents of the Internet Engineering | |||
| Task Force (IETF). Note that other groups may also distribute | Task Force (IETF). Note that other groups may also distribute | |||
| working documents as Internet-Drafts. The list of current Internet- | working documents as Internet-Drafts. The list of current Internet- | |||
| Drafts is at https://datatracker.ietf.org/drafts/current/. | Drafts is at https://datatracker.ietf.org/drafts/current/. | |||
| Internet-Drafts are draft documents valid for a maximum of six months | Internet-Drafts are draft documents valid for a maximum of six months | |||
| and may be updated, replaced, or obsoleted by other documents at any | and may be updated, replaced, or obsoleted by other documents at any | |||
| time. It is inappropriate to use Internet-Drafts as reference | time. It is inappropriate to use Internet-Drafts as reference | |||
| material or to cite them other than as "work in progress." | material or to cite them other than as "work in progress." | |||
| This Internet-Draft will expire on February 9, 2020. | This Internet-Draft will expire on March 18, 2020. | |||
| Copyright Notice | Copyright Notice | |||
| Copyright (c) 2019 IETF Trust and the persons identified as the | Copyright (c) 2019 IETF Trust and the persons identified as the | |||
| document authors. All rights reserved. | document authors. All rights reserved. | |||
| This document is subject to BCP 78 and the IETF Trust's Legal | This document is subject to BCP 78 and the IETF Trust's Legal | |||
| Provisions Relating to IETF Documents | Provisions Relating to IETF Documents | |||
| (https://trustee.ietf.org/license-info) in effect on the date of | (https://trustee.ietf.org/license-info) in effect on the date of | |||
| publication of this document. Please review these documents | publication of this document. Please review these documents | |||
| carefully, as they describe your rights and restrictions with respect | carefully, as they describe your rights and restrictions with respect | |||
| to this document. Code Components extracted from this document must | to this document. Code Components extracted from this document must | |||
| include Simplified BSD License text as described in Section 4.e of | include Simplified BSD License text as described in Section 4.e of | |||
| the Trust Legal Provisions and are provided without warranty as | the Trust Legal Provisions and are provided without warranty as | |||
| described in the Simplified BSD License. | described in the Simplified BSD License. | |||
| Table of Contents | Table of Contents | |||
| 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2 | 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2 | |||
| 2. Terminology . . . . . . . . . . . . . . . . . . . . . . . . . 3 | 2. Terminology . . . . . . . . . . . . . . . . . . . . . . . . . 4 | |||
| 3. I2NSF Framework . . . . . . . . . . . . . . . . . . . . . . . 5 | 3. I2NSF Framework . . . . . . . . . . . . . . . . . . . . . . . 5 | |||
| 4. Time-dependent Web Access Control Service . . . . . . . . . . 7 | 4. Time-dependent Web Access Control Service . . . . . . . . . . 8 | |||
| 5. I2NSF Framework with SFC . . . . . . . . . . . . . . . . . . 10 | 5. Intent-based Security Services . . . . . . . . . . . . . . . 13 | |||
| 6. I2NSF Framework with SDN . . . . . . . . . . . . . . . . . . 12 | 6. I2NSF Framework with SFC . . . . . . . . . . . . . . . . . . 15 | |||
| 6.1. Firewall: Centralized Firewall System . . . . . . . . . . 14 | 7. I2NSF Framework with SDN . . . . . . . . . . . . . . . . . . 17 | |||
| 6.2. Deep Packet Inspection: Centralized VoIP/VoLTE Security | 7.1. Firewall: Centralized Firewall System . . . . . . . . . . 19 | |||
| System . . . . . . . . . . . . . . . . . . . . . . . . . 15 | 7.2. Deep Packet Inspection: Centralized VoIP/VoLTE Security | |||
| 6.3. Attack Mitigation: Centralized DDoS-attack Mitigation | System . . . . . . . . . . . . . . . . . . . . . . . . . 20 | |||
| System . . . . . . . . . . . . . . . . . . . . . . . . . 15 | 7.3. Attack Mitigation: Centralized DDoS-attack Mitigation | |||
| 7. I2NSF Framework with NFV . . . . . . . . . . . . . . . . . . 16 | System . . . . . . . . . . . . . . . . . . . . . . . . . 20 | |||
| 8. Security Considerations . . . . . . . . . . . . . . . . . . . 18 | 8. I2NSF Framework with NFV . . . . . . . . . . . . . . . . . . 21 | |||
| 9. Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . 19 | 9. Security Considerations . . . . . . . . . . . . . . . . . . . 23 | |||
| 10. Contributors . . . . . . . . . . . . . . . . . . . . . . . . 19 | 10. Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . 24 | |||
| 11. References . . . . . . . . . . . . . . . . . . . . . . . . . 19 | 11. Contributors . . . . . . . . . . . . . . . . . . . . . . . . 24 | |||
| 11.1. Normative References . . . . . . . . . . . . . . . . . . 19 | 12. References . . . . . . . . . . . . . . . . . . . . . . . . . 24 | |||
| 11.2. Informative References . . . . . . . . . . . . . . . . . 21 | 12.1. Normative References . . . . . . . . . . . . . . . . . . 24 | |||
| Appendix A. Changes from draft-ietf-i2nsf-applicability-16 . . . 23 | 12.2. Informative References . . . . . . . . . . . . . . . . . 26 | |||
| Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 23 | Appendix A. Changes from draft-ietf-i2nsf-applicability-17 . . . 28 | |||
| Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 28 | ||||
| 1. Introduction | 1. Introduction | |||
| Interface to Network Security Functions (I2NSF) defines a framework | Interface to Network Security Functions (I2NSF) defines a framework | |||
| and interfaces for interacting with Network Security Functions | and interfaces for interacting with Network Security Functions | |||
| (NSFs). Note that an NSF is defined as software that provides a set | (NSFs). Note that an NSF is defined as software that provides a set | |||
| of security-related services, such as (i) detecting unwanted | of security-related services, such as (i) detecting unwanted | |||
| activity, (ii) blocking or mitigating the effect of such unwanted | activity, (ii) blocking or mitigating the effect of such unwanted | |||
| activity in order to fulfill service requirements, and (iii) | activity in order to fulfill service requirements, and (iii) | |||
| supporting communication stream integrity and confidentiality | supporting communication stream integrity and confidentiality | |||
| skipping to change at page 3, line 24 ¶ | skipping to change at page 3, line 26 ¶ | |||
| Registration Interface for a security service [RFC8329]. | Registration Interface for a security service [RFC8329]. | |||
| Security Controller maintains the mapping between a capability and an | Security Controller maintains the mapping between a capability and an | |||
| NSF, so it can perform to translate a high-level security policy | NSF, so it can perform to translate a high-level security policy | |||
| received from I2NSF User to a low-level security policy configured | received from I2NSF User to a low-level security policy configured | |||
| and enforced in an NSF [policy-translation]. Security Controller can | and enforced in an NSF [policy-translation]. Security Controller can | |||
| monitor the states and security attacks in NSFs through NSF | monitor the states and security attacks in NSFs through NSF | |||
| monitoring [nsf-monitoring-dm]. | monitoring [nsf-monitoring-dm]. | |||
| This document illustrates the applicability of the I2NSF framework | This document illustrates the applicability of the I2NSF framework | |||
| with four different scenarios: | with five different scenarios: | |||
| 1. The enforcement of time-dependent web access control. | 1. The enforcement of time-dependent web access control. | |||
| 2. The application of I2NSF to a Service Function Chaining (SFC) | 2. The support of intent-based security services through I2NSF and | |||
| Security Policy Translator [policy-translation]. | ||||
| 3. The application of I2NSF to a Service Function Chaining (SFC) | ||||
| environment [RFC7665]. | environment [RFC7665]. | |||
| 3. The integration of the I2NSF framework with Software-Defined | 4. The integration of the I2NSF framework with Software-Defined | |||
| Networking (SDN) [RFC7149] to provide different security | Networking (SDN) [RFC7149] to provide different security | |||
| functionality such as firewalls [opsawg-firewalls], Deep Packet | functionality such as firewalls [opsawg-firewalls], Deep Packet | |||
| Inspection (DPI), and Distributed Denial of Service (DDoS) attack | Inspection (DPI), and Distributed Denial of Service (DDoS) attack | |||
| mitigation. | mitigation. | |||
| 4. The use of Network Functions Virtualization (NFV) [ETSI-NFV] as a | 5. The use of Network Functions Virtualization (NFV) [ETSI-NFV] as a | |||
| supporting technology. | supporting technology. | |||
| The implementation of I2NSF in these scenarios has allowed us to | The implementation of I2NSF in these scenarios has allowed us to | |||
| verify the applicability and effectiveness of the I2NSF framework for | verify the applicability and effectiveness of the I2NSF framework for | |||
| a variety of use cases. | a variety of use cases. | |||
| 2. Terminology | 2. Terminology | |||
| This document uses the terminology described in [RFC7665], [RFC7149], | This document uses the terminology described in [RFC7665], [RFC7149], | |||
| [ITU-T.Y.3300], [ONF-SDN-Architecture], [ITU-T.X.800], | [ITU-T.Y.3300], [ONF-SDN-Architecture], [ITU-T.X.800], | |||
| [NFV-Terminology], [RFC8329], and [i2nsf-terminology]. In addition, | [NFV-Terminology], [RFC8329], and [i2nsf-terminology]. In addition, | |||
| the following terms are defined below: | the following terms are defined below: | |||
| o Software-Defined Networking (SDN): A set of techniques that | o Centralized DDoS-attack Mitigation System: A centralized mitigator | |||
| enables to directly program, orchestrate, control, and manage | that can establish and distribute access control policy rules into | |||
| network resources, which facilitates the design, delivery and | network resources for efficient DDoS-attack mitigation. | |||
| operation of network services in a dynamic and scalable manner | ||||
| [ITU-T.Y.3300]. | o Centralized Firewall System: A centralized firewall that can | |||
| establish and distribute policy rules into network resources for | ||||
| efficient firewall management. | ||||
| o Centralized VoIP Security System: A centralized security system | ||||
| that handles the security functions required for VoIP and VoLTE | ||||
| services. | ||||
| o Firewall: A service function at the junction of two network | ||||
| segments that inspects some suspicious packets that attempt to | ||||
| cross the boundary. It also rejects any packet that does not | ||||
| satisfy certain criteria for, for example, disallowed port numbers | ||||
| or IP addresses. | ||||
| o Network Function: A functional block within a network | o Network Function: A functional block within a network | |||
| infrastructure that has well-defined external interfaces and well- | infrastructure that has well-defined external interfaces and well- | |||
| defined functional behavior [NFV-Terminology]. | defined functional behavior [NFV-Terminology]. | |||
| o Network Functions Virtualization (NFV): A principle of separating | ||||
| network functions (or network security functions) from the | ||||
| hardware they run on by using virtual hardware abstraction | ||||
| [NFV-Terminology]. | ||||
| o Network Security Function (NSF): Software that provides a set of | o Network Security Function (NSF): Software that provides a set of | |||
| security-related services. Examples include detecting unwanted | security-related services. Examples include detecting unwanted | |||
| activity and blocking or mitigating the effect of such unwanted | activity and blocking or mitigating the effect of such unwanted | |||
| activity in order to fulfill service requirements. The NSF can | activity in order to fulfill service requirements. The NSF can | |||
| also help in supporting communication stream integrity and | also help in supporting communication stream integrity and | |||
| confidentiality [i2nsf-terminology]. | confidentiality [i2nsf-terminology]. | |||
| o Network Functions Virtualization (NFV): A principle of separating | o Security Policy Translator (SPT): Software that translates a high- | |||
| network functions (or network security functions) from the | level security policy for the Consumer-Facing Interface into a | |||
| hardware they run on by using virtual hardware abstraction | low-level security policy for the NSF-Facing Interface | |||
| [NFV-Terminology]. | [policy-translation]. The SPT is a core part of the Security | |||
| Controller in the I2NSF system. | ||||
| o Service Function Chaining (SFC): The execution of an ordered set | o Service Function Chaining (SFC): The execution of an ordered set | |||
| of abstract service functions (i.e., network functions) according | of abstract service functions (i.e., network functions) according | |||
| to ordering constraints that must be applied to packets, frames, | to ordering constraints that must be applied to packets, frames, | |||
| and flows selected as a result of classification. The implied | and flows selected as a result of classification. The implied | |||
| order may not be a linear progression as the architecture allows | order may not be a linear progression as the architecture allows | |||
| for SFCs that copy to more than one branch, and also allows for | for SFCs that copy to more than one branch, and also allows for | |||
| cases where there is flexibility in the order in which service | cases where there is flexibility in the order in which service | |||
| functions need to be applied [RFC7665]. | functions need to be applied [RFC7665]. | |||
| o Firewall: A service function at the junction of two network | o Software-Defined Networking (SDN): A set of techniques that | |||
| segments that inspects some suspicious packets that attempt to | enables to directly program, orchestrate, control, and manage | |||
| cross the boundary. It also rejects any packet that does not | network resources, which facilitates the design, delivery and | |||
| satisfy certain criteria for, for example, disallowed port numbers | operation of network services in a dynamic and scalable manner | |||
| or IP addresses. | [ITU-T.Y.3300]. | |||
| o Centralized Firewall System: A centralized firewall that can | ||||
| establish and distribute policy rules into network resources for | ||||
| efficient firewall management. | ||||
| o Centralized VoIP Security System: A centralized security system | ||||
| that handles the security functions required for VoIP and VoLTE | ||||
| services. | ||||
| o Centralized DDoS-attack Mitigation System: A centralized mitigator | ||||
| that can establish and distribute access control policy rules into | ||||
| network resources for efficient DDoS-attack mitigation. | ||||
| +------------+ | +------------+ | |||
| | I2NSF User | | | I2NSF User | | |||
| +------------+ | +------------+ | |||
| ^ | ^ | |||
| | Consumer-Facing Interface | | Consumer-Facing Interface | |||
| v | v | |||
| +-------------------+ Registration +-----------------------+ | +-------------------+ Registration +-----------------------+ | |||
| |Security Controller|<-------------------->|Developer's Mgmt System| | |Security Controller|<-------------------->|Developer's Mgmt System| | |||
| +-------------------+ Interface +-----------------------+ | +-------------------+ Interface +-----------------------+ | |||
| skipping to change at page 5, line 30 ¶ | skipping to change at page 5, line 45 ¶ | |||
| +----------------+ +---------------+ +-----------------------+ | +----------------+ +---------------+ +-----------------------+ | |||
| Figure 1: I2NSF Framework | Figure 1: I2NSF Framework | |||
| 3. I2NSF Framework | 3. I2NSF Framework | |||
| This section summarizes the I2NSF framework as defined in [RFC8329]. | This section summarizes the I2NSF framework as defined in [RFC8329]. | |||
| As shown in Figure 1, an I2NSF User can use security functions by | As shown in Figure 1, an I2NSF User can use security functions by | |||
| delivering high-level security policies, which specify security | delivering high-level security policies, which specify security | |||
| requirements that the I2NSF user wants to enforce, to the Security | requirements that the I2NSF user wants to enforce, to the Security | |||
| Controller via the Consumer-Facing Interface | Controller via the Consumer-Facing Interface (CFI) | |||
| [consumer-facing-inf-dm]. | [consumer-facing-inf-dm]. | |||
| The Security Controller receives and analyzes the high-level security | The Security Controller receives and analyzes the high-level security | |||
| policies from an I2NSF User, and identifies what types of security | policies from an I2NSF User, and identifies what types of security | |||
| capabilities are required to meet these high-level security policies. | capabilities are required to meet these high-level security policies. | |||
| The Security Controller then identifies NSFs that have the required | The Security Controller then identifies NSFs that have the required | |||
| security capabilities, and generates low-level security policies for | security capabilities, and generates low-level security policies for | |||
| each of the NSFs so that the high-level security policies are | each of the NSFs so that the high-level security policies are | |||
| eventually enforced by those NSFs [policy-translation]. Finally, the | eventually enforced by those NSFs [policy-translation]. Finally, the | |||
| Security Controller sends the generated low-level security policies | Security Controller sends the generated low-level security policies | |||
| to the NSFs via the NSF-Facing Interface [nsf-facing-inf-dm]. | to the NSFs via the NSF-Facing Interface (NFI) [nsf-facing-inf-dm]. | |||
| As shown in Figure 1, with a Developer's Management System (called | As shown in Figure 1, with a Developer's Management System (called | |||
| DMS), developers (or vendors) inform the Security Controller of the | DMS), developers (or vendors) inform the Security Controller of the | |||
| capabilities of the NSFs through the Registration Interface | capabilities of the NSFs through the Registration Interface (RI) | |||
| [registration-inf-dm] for registering (or deregistering) the | [registration-inf-dm] for registering (or deregistering) the | |||
| corresponding NSFs. Note that the lifecycle management of NSF code | corresponding NSFs. Note that the lifecycle management of NSF code | |||
| from DMS (e.g., downloading of NSF modules and testing of NSF code) | from DMS (e.g., downloading of NSF modules and testing of NSF code) | |||
| is out of scope for I2NSF. | is out of scope for I2NSF. | |||
| The Consumer-Facing Interface can be implemented with the Consumer- | The Consumer-Facing Interface can be implemented with the Consumer- | |||
| Facing Interface YANG data model [consumer-facing-inf-dm] using | Facing Interface YANG data model [consumer-facing-inf-dm] using | |||
| RESTCONF [RFC8040] which befits a web-based user interface for an | RESTCONF [RFC8040] which befits a web-based user interface for an | |||
| I2NSF User to send a Security Controller a high-level security | I2NSF User to send a Security Controller a high-level security | |||
| policy. Data models specified by YANG [RFC6020] describe high-level | policy. Data models specified by YANG [RFC6020] describe high-level | |||
| skipping to change at page 7, line 6 ¶ | skipping to change at page 7, line 12 ¶ | |||
| data model defined in [registration-inf-dm] can be used for the I2NSF | data model defined in [registration-inf-dm] can be used for the I2NSF | |||
| Registration Interface. | Registration Interface. | |||
| The I2NSF framework can chain multiple NSFs to implement low-level | The I2NSF framework can chain multiple NSFs to implement low-level | |||
| security policies with the SFC architecture [RFC7665]. | security policies with the SFC architecture [RFC7665]. | |||
| The following sections describe different security service scenarios | The following sections describe different security service scenarios | |||
| illustrating the applicability of the I2NSF framework. | illustrating the applicability of the I2NSF framework. | |||
| <?xml version="1.0" encoding="UTF-8" ?> | <?xml version="1.0" encoding="UTF-8" ?> | |||
| <ietf-i2nsf-cfi-policy:policy> | <policy xmlns="urn:ietf:params:xml:ns:yang:ietf-i2nsf-cfi-policy"> | |||
| <policy-name>block_website</policy-name> | <policy-name>block_website</policy-name> | |||
| <rule> | <rule> | |||
| <rule-name>block_website_during_working_hours</rule-name> | <rule-name>block_website_during_working_hours</rule-name> | |||
| <event> | <event> | |||
| <time-information> | <time-information> | |||
| <begin-time>09:00</begin-time> | <begin-time>09:00</begin-time> | |||
| <end-time>18:00</end-time> | <end-time>18:00</end-time> | |||
| </time-information> | </time-information> | |||
| </event> | </event> | |||
| <condition> | <condition> | |||
| <firewall-condition> | <firewall-condition> | |||
| <source-target> | <source-target> | |||
| <src-target>Staff_Member's_PC</src-target> | <src-target>Staff_Members'_PCs</src-target> | |||
| </source-target> | </source-target> | |||
| </firewall-condition> | </firewall-condition> | |||
| <custom-condition> | <custom-condition> | |||
| <destination-target> | <destination-target> | |||
| <dest-target>example.com</dest-target> | <dest-target>SNS_Websites</dest-target> | |||
| </destination-target> | </destination-target> | |||
| </custom-condition> | </custom-condition> | |||
| </condition> | </condition> | |||
| <action> | <action> | |||
| <primary-action>drop</primary-action> | <primary-action>drop</primary-action> | |||
| </action> | </action> | |||
| </rule> | </rule> | |||
| </ietf-i2nsf-cfi-policy:policy> | </policy> | |||
| Figure 2: An XML Example for Time-based Web-filter | Figure 2: A High-level Security Policy XML File for Time-based Web | |||
| Filter | ||||
| <?xml version="1.0" encoding="UTF-8" ?> | ||||
| <i2nsf-security-policy | ||||
| xmlns="urn:ietf:params:xml:ns:yang:ietf-i2nsf-policy-rule-for-nsf"> | ||||
| <system-policy> | ||||
| <system-policy-name>block_website</system-policy-name> | ||||
| <rules> | ||||
| <rule-name>block_website_during_working_hours</rule-name> | ||||
| <time-intervals> | ||||
| <absolute-time-interval> | ||||
| <begin-time>09:00</begin-time> | ||||
| <end-time>18:00</end-time> | ||||
| </absolute-time-interval> | ||||
| </time-intervals> | ||||
| <condition-clause-container> | ||||
| <packet-security-ipv6-condition> | ||||
| <pkt-sec-ipv6-src> | ||||
| <ipv6-address> | ||||
| <ipv6>2001:DB8:10:1::10</ipv6> | ||||
| <ipv6>2001:DB8:10:1::20</ipv6> | ||||
| <ipv6>2001:DB8:10:1::30</ipv6> | ||||
| </ipv6-address> | ||||
| </pkt-sec-ipv6-src> | ||||
| </packet-security-ipv6-condition> | ||||
| <packet-security-url-category-condition> | ||||
| <user-defined-category>example1.com</user-defined-category> | ||||
| <user-defined-category>example2.com</user-defined-category> | ||||
| <user-defined-category>example3.com</user-defined-category> | ||||
| <user-defined-category>example4.com</user-defined-category> | ||||
| </packet-security-url-category-condition> | ||||
| </condition-clause-container> | ||||
| <action-clause-container> | ||||
| <packet-action> | ||||
| <egress-action>drop</egress-action> | ||||
| </packet-action> | ||||
| </action-clause-container> | ||||
| </rules> | ||||
| </system-policy> | ||||
| </i2nsf-security-policy> | ||||
| Figure 3: A Low-level Security Policy XML File for Time-based Web | ||||
| Filter | ||||
| 4. Time-dependent Web Access Control Service | 4. Time-dependent Web Access Control Service | |||
| This service scenario assumes that an enterprise network | This service scenario assumes that an enterprise network | |||
| administrator wants to control the staff members' access to a | administrator wants to control the staff members' access to a | |||
| particular Internet service (e.g., example.com) during business | particular Internet service (e.g., social networking service (SNS)) | |||
| hours. The following is an example high-level security policy rule | during business hours. The following is an example high-level | |||
| for a web filter that the administrator requests: Block the staff | security policy rule for a web filter that the administrator | |||
| members' access to example.com from 9 AM (i.e., 09:00) to 6 PM (i.e., | requests: Block the staff members' access to SNS websites from 9 AM | |||
| 18:00) by dropping their packets. Figure 2 is an example XML code | (i.e., 09:00) to 6 PM (i.e., 18:00) by dropping their packets. | |||
| for this web filter that is sent from the I2NSF User to the Security | Figure 2 is a high-level security policy XML code for the web filter | |||
| Controller via the Consumer-Facing Interface | that is sent from the I2NSF User to the Security Controller via the | |||
| [consumer-facing-inf-dm]. | Consumer-Facing Interface [consumer-facing-inf-dm]. | |||
| The security policy name is "block_website" with the tag "policy- | The security policy name is "block_website" with the tag "policy- | |||
| name", and the security policy rule name is | name", and the security policy rule name is | |||
| "block_website_during_working_hours" with the tag "rule-name". The | "block_website_during_working_hours" with the tag "rule-name". The | |||
| filtering event has the time span where the filtering begin time is | filtering event has the time span where the filtering begin time is | |||
| the time "09:00" (i.e., 9:00AM) with the tag "begin-time", and the | the time "09:00" (i.e., 9:00AM) with the tag "begin-time", and the | |||
| filtering end time is the time "18:00" (i.e., 6:00PM) with the tag | filtering end time is the time "18:00" (i.e., 6:00PM) with the tag | |||
| "end-time". The filtering condition has the source target of | "end-time". The filtering condition has the source target of | |||
| "Staff_Member's_PC" with the tag "src-target", and the destination | "Staff_Members'_PCs" with the tag "src-target", and the destination | |||
| target of a website "example.com" with the tag "dest-target". Note | target of "SNS_Websites" with the tag "dest-target". | |||
| that the destination target can be translated to IP address(es) | ||||
| corresponding to the website's URL, and then either the website's URL | Assume that "Staff_Members'_PCs" are 2001:DB8:10:1::10, | |||
| or the corresponding IP address(es) can be used by both firewall and | 2001:DB8:10:1::20, and 2001:DB8:10:1::30, and that "SNS_Websites" are | |||
| web filter. The action is to "drop" the packets satisfying the above | example1.com, example2.com, example3.com, and example4.com, as shown | |||
| event and condition with the tag "primary-action". | in Figure 3. Note that Figure 3 is a low-level security policy XML | |||
| code for the web filter that is sent from the Security Controller to | ||||
| an NSF via the NSF-Facing Interface [nsf-facing-inf-dm]. | ||||
| The source target can by translated by the Security Policy Translator | ||||
| (SPT) in the Security Controller to the IP addresses of computers (or | ||||
| mobile devices) used by the staff members. Refer to Section 5 for | ||||
| the detailed description of the SPT. The destination target can also | ||||
| be translated by the SPT to the actual websites corresponding to the | ||||
| symbolic website name "SNS_Websites", and then either each website's | ||||
| URL or the corresponding IP address(es) can be used by both firewall | ||||
| and web filter. The action is to "drop" the packets satisfying the | ||||
| above event and condition with the tag "primary-action". | ||||
| After receiving the high-level security policy, the Security | After receiving the high-level security policy, the Security | |||
| Controller identifies required security capabilities, e.g., IP | Controller identifies required security capabilities, e.g., IP | |||
| address and port number inspection capabilities and URL inspection | address and port number inspection capabilities and URL inspection | |||
| capability. In this scenario, it is assumed that the IP address and | capability. In this scenario, it is assumed that the IP address and | |||
| port number inspection capabilities are required to check whether a | port number inspection capabilities are required to check whether a | |||
| received packet is an HTTP-session packet from a staff member, which | received packet is an HTTP-session packet from a staff member, which | |||
| is part of an HTTP session generated by the staff member. The URL | is part of an HTTP session generated by the staff member. The URL | |||
| inspection capability is required to check whether the target URL of | inspection capability is required to check whether the target URL of | |||
| a received packet is in the example.com domain or not. | a received packet is one of the target websites (i.e., example1.com, | |||
| example2.com, example3.com, and example4.com) or not. | ||||
| The Security Controller maintains the security capabilities of each | The Security Controller maintains the security capabilities of each | |||
| active NSF in the I2NSF system, which have been reported by the | active NSF in the I2NSF system, which have been reported by the | |||
| Developer's Management System via the Registration interface. Based | Developer's Management System via the Registration interface. Based | |||
| on this information, the Security Controller identifies NSFs that can | on this information, the Security Controller identifies NSFs that can | |||
| perform the IP address and port number inspection and URL inspection | perform the IP address and port number inspection and URL inspection | |||
| [policy-translation]. In this scenario, it is assumed that a | through the security policy translation in Section 5. In this | |||
| firewall NSF has the IP address and port number inspection | scenario, it is assumed that a firewall NSF has the IP address and | |||
| capabilities and a web filter NSF has URL inspection capability. | port number inspection capabilities and a web filter NSF has URL | |||
| inspection capability. | ||||
| The Security Controller generates low-level security rules for the | The Security Controller generates a low-level security policy for the | |||
| NSFs to perform IP address and port number inspection, URL | NSFs to perform IP address and port number inspection, URL | |||
| inspection, and time checking. Specifically, the Security Controller | inspection, and time checking, which is shown in Figure 3. | |||
| may interoperate with an access control server in the enterprise | Specifically, the Security Controller may interoperate with an access | |||
| network in order to retrieve the information (e.g., IP address in | control server in the enterprise network in order to retrieve the | |||
| use, company identifier (ID), and role) of each employee that is | information (e.g., IP address in use, company identifier (ID), and | |||
| currently using the network. Based on the retrieved information, the | role) of each employee that is currently using the network. Based on | |||
| Security Controller generates low-level security rules to check | the retrieved information, the Security Controller generates a low- | |||
| whether the source IP address of a received packet matches any one | level security policy to check whether the source IP address of a | |||
| being used by a staff member. | received packet matches any one being used by a staff member. | |||
| In addition, the low-level security rules should be able to determine | In addition, the low-level security policy's rule (shortly, low-level | |||
| that a received packet uses either the HTTP protocol without | security rule) should be able to determine that a received packet | |||
| Transport Layer Security (TLS) [RFC8446] or the HTTP protocol with | uses either the HTTP protocol without Transport Layer Security (TLS) | |||
| TLS as HTTPS. The low-level security rules for web filter check that | [RFC8446] or the HTTP protocol with TLS as HTTPS. The low-level | |||
| the target URL field of a received packet is equal to example.com, or | security rule for web filter checks that the target URL field of a | |||
| that the destination IP address of a received packet is an IP address | received packet is equal to one of the target SNS websites (i.e., | |||
| corresponding to example.com. Note that if HTTPS is used for an | example1.com, example2.com, example3.com, and example4.com), or that | |||
| HTTP-session packet, the HTTP protocol header is encrypted, so the | the destination IP address of a received packet is an IP address | |||
| URL information may not be seen from the packet for the web | corresponding to one of the SNS websites. Note that if HTTPS is used | |||
| for an HTTP-session packet, the HTTP protocol header is encrypted, so | ||||
| the URL information may not be seen from the packet for the web | ||||
| filtering. Thus, the IP address(es) corresponding to the target URL | filtering. Thus, the IP address(es) corresponding to the target URL | |||
| needs to be obtained from the certificate in TLS versions prior to | needs to be obtained from the certificate in TLS versions prior to | |||
| 1.3 [RFC8446] or the Server Name Indication (SNI) in a TCP-session | 1.3 [RFC8446] or the Server Name Indication (SNI) in a TCP-session | |||
| packet in TLS versions without the encrypted SNI [tls-esni]. Also, | packet in TLS versions without the encrypted SNI [tls-esni]. Also, | |||
| to obtain IP address(es) corresponding to a target URL, the DNS name | to obtain IP address(es) corresponding to a target URL, the DNS name | |||
| resolution process can be observed through a packet capturing tool | resolution process can be observed through a packet capturing tool | |||
| because the DNS name resolution will translate the target URL into IP | because the DNS name resolution will translate the target URL into IP | |||
| address(es). The IP addresses obtained through either TLS or DNS can | address(es). The IP addresses obtained through either TLS or DNS can | |||
| be used by both firewall and web filter for whitelisting or | be used by both firewall and web filter for whitelisting or | |||
| blacklisting the TCP five-tuples of HTTP sessions. | blacklisting the TCP five-tuples of HTTP sessions. | |||
| Finally, the Security Controller sends the low-level security rules | Finally, the Security Controller sends the low-level security policy | |||
| of the IP address and port number inspection to the firewall NSF and | of the IP address and port number inspection to the firewall NSF and | |||
| the low-level rules for URL inspection to the web filter NSF. | the low-level security policy for URL inspection to the web filter | |||
| NSF. | ||||
| The following describes how the time-dependent web access control | The following describes how the time-dependent web access control | |||
| service is enforced by the NSFs of firewall and web filter. | service is enforced by the NSFs of firewall and web filter. | |||
| 1. A staff member tries to access example.com during business hours, | 1. A staff member tries to access one of the target SNS websites | |||
| e.g., 10 AM. | (i.e., example1.com, example2.com, example3.com, and | |||
| example4.com) during business hours, e.g., 10 AM. | ||||
| 2. The packet is forwarded from the staff member's device to the | 2. The packet is forwarded from the staff member's device to the | |||
| firewall, and the firewall checks the source IP address and port | firewall, and the firewall checks the source IP address and port | |||
| number. Now the firewall identifies the received packet is an | number. Now the firewall identifies the received packet is an | |||
| HTTP-session packet from the staff member. | HTTP-session packet from the staff member. | |||
| 3. The firewall triggers the web filter to further inspect the | 3. The firewall triggers the web filter to further inspect the | |||
| packet, and the packet is forwarded from the firewall to the web | packet, and the packet is forwarded from the firewall to the web | |||
| filter. The SFC architecture [RFC7665] can be utilized to | filter. The SFC architecture [RFC7665] can be utilized to | |||
| support such packet forwarding in the I2NSF framework. | support such packet forwarding in the I2NSF framework. | |||
| 4. The web filter checks the received packet's target URL field or | 4. The web filter checks the received packet's target URL field or | |||
| its destination IP address corresponding to the target URL, and | its destination IP address corresponding to the target URL, and | |||
| detects that the packet is being sent to the server for | detects that the packet is being sent to the server for | |||
| example.com. The web filter then checks that the current time is | example1.com. The web filter then checks that the current time | |||
| within business hours. If so, the web filter drops the packet, | is within business hours. If so, the web filter drops the | |||
| and consequently the staff member's access to example.com during | packet, and consequently the staff member's access to one of the | |||
| business hours is blocked. | SNS websites (i.e., example1.com, example2.com, example3.com, and | |||
| example4.com) during business hours is blocked. | ||||
| +------------------------+-------------------------+ | ||||
| | | | ||||
| | I2NSF User | | ||||
| | | | ||||
| +------------------------+-------------------------+ | ||||
| | Consumer-Facing Interface | ||||
| | | ||||
| High-level Security Policy | ||||
| Security | | ||||
| Controller V | ||||
| +------------------------+-------------------------+ | ||||
| | Security Policy | | | ||||
| | Translator | | | ||||
| | +---------------------+----------------------+ | | ||||
| | | | | | | ||||
| | | +-------+--------+ | | | ||||
| | | | Data Extractor | | | | ||||
| | | +-------+--------+ | | | ||||
| | | | Extracted Data from | | | ||||
| | | V High-level Policy | | | ||||
| | | +-------+--------+ +------+ | | | ||||
| | | | Data Converter |<-->|NSF DB| | | | ||||
| | | +-------+--------+ +------+ | | | ||||
| | | | Required Data for | | | ||||
| | | V Target NSFs | | | ||||
| | | +-------+--------+ | | | ||||
| | | |Policy Generator| | | | ||||
| | | +-------+--------+ | | | ||||
| | | | | | | ||||
| | +---------------------+----------------------+ | | ||||
| | | | | ||||
| +------------------------+-------------------------+ | ||||
| | NSF-Facing Interface | ||||
| | | ||||
| Low-level Security Policy | ||||
| | | ||||
| V | ||||
| +------------------------+-------------------------+ | ||||
| | | | ||||
| | NSF(s) | | ||||
| | | | ||||
| +------------------------+-------------------------+ | ||||
| Figure 4: Security Policy Translation and Enforcement in I2NSF System | ||||
| 5. Intent-based Security Services | ||||
| I2NSF aims at providing intent-based security services to configure | ||||
| specific security policies into NSFs with customer-friendly secuirty | ||||
| policies at a high level. For example, when an I2NSF User submits a | ||||
| high-level security policy (e.g., web filtering as shown in Figure 2) | ||||
| to the Security Controller, the Security Policy Tranlator (SPT) in | ||||
| the Security Controller will translate it into the correspondong low- | ||||
| level security policy as shown in Figure 3 [policy-translation]. A | ||||
| security administrator using the I2NSF User can describe a security | ||||
| policy without the knowledge of the detailed information about | ||||
| subjects (e.g., source and destination) and objects (e.g., web | ||||
| traffic) of the security policy's rule(s). | ||||
| Figure 4 shows the security policy translation and enforcement in the | ||||
| I2NSF system [policy-translation]. As shown in Figure 4, an I2NSF | ||||
| User delivers a high-level security policy to the Security Controller | ||||
| using the Consumer-Facing Interface (denoted as CFI). The high-level | ||||
| security policy is translated by the SPT in the Security Controller | ||||
| into the corresponding low-level security policy which is | ||||
| understandable by target NSF(s). The Security Controller delivers | ||||
| the low-level security policy to the appropriate NSF(s) to enforce | ||||
| the policy's rules. | ||||
| The SPT consists of three modules for security policy translations | ||||
| such as Data Extractor, Data Converter, and Policy Generator, as | ||||
| shown in Figure 4. The Data Extractor extracts data from a high- | ||||
| level security policy delivered by the I2NSF User. The data | ||||
| correspond to the leaf nodes in the YANG data model for the Consumer- | ||||
| Facing Interface. In the high-level policy in Figure 2, the data are | ||||
| the tag values of policy-name, rule-name, begin-time, end-time, src- | ||||
| target, dest-target, and primary-action. That is, the tag values are | ||||
| "block_website", "block_website_during_working_hours", "09:00", | ||||
| "18:00", "Staff_Members'_PCs", "SNS_Websites", and "drop." | ||||
| The Data Converter converts the extracted high-level policy data | ||||
| received from the Data Extractor into the corresponding low-level | ||||
| policy data. The low-level policy data have the capability | ||||
| information of NSFs to be selected as target NSFs for the required | ||||
| security service enforcement specified by the high-level security | ||||
| policy. The tag values in the extracted high-level policy data are | ||||
| replaced with the tag values in the low-level policy data, which are | ||||
| the leaf nodes of the YANG data model for the NSF-Facing Interface | ||||
| (denoted as NFI). The value of each leaf node in CFI is translated | ||||
| into the value of the corresponding leaf node in NFI. For example, | ||||
| "block_website" of policy-name in CFI (in Figure 2) is translated | ||||
| into "block_website" of system-policy-name in NFI (in Figure 3). The | ||||
| tag values of rule-name, begin-time, end-time, and primary-action in | ||||
| CFI are mapped into the same values of rule-name, begin-time, end- | ||||
| time, and egress-action in NFI. However, the tag values of src- | ||||
| target and dest-target in CFI are translated into IP addresses and | ||||
| URLs, respectively, for the sake of NFI. That is, | ||||
| "Staff_Members'_PCs" of CFI is translated into three IPv6 addresses | ||||
| such as "2001:DB8:10:1::10", "2001:DB8:10:1::20", and | ||||
| "2001:DB8:10:1::30" for the sake of NFI. Also, "SNS_Websites" of CFI | ||||
| is translated into four URLs such as "example1.com", "example2.com", | ||||
| "example3.com", and "example4.com" for the sake of NFI. In addition | ||||
| to the data conversion, the Data Converter searches for appropriate | ||||
| NSFs having capabilities corresponding to the leaf nodes of the YANG | ||||
| data model for NFI. For the data conversion and NSF search, an NSF | ||||
| database (denoted as NSF DB) can be consulted, as shown in Figure 4, | ||||
| because the NSF DB has the capability information of NSFs that the | ||||
| DMS(s) registered with the Security Controller using the Registration | ||||
| Interface. | ||||
| The Policy Generator generates a low-level security policy | ||||
| corresponding to the low-level policy data made by the Data Converter | ||||
| per a target NSF. That is, the Policy Generator can build such a | ||||
| low-level security policy XML file like Figure 3 with the NSF DB | ||||
| because the NSF DB has the mapping information between the CFI YANG | ||||
| data model and the NFI YANG data model. | ||||
| Therefore, by allowing the I2NSF User to express its security policy | ||||
| without knowing the detailed information of entities for security | ||||
| policies, the I2NSF can efficiently support the intent-based security | ||||
| services with the help of the security policy translator along with | ||||
| the NSF DB. | ||||
| +------------+ | +------------+ | |||
| | I2NSF User | | | I2NSF User | | |||
| +------------+ | +------------+ | |||
| ^ | ^ | |||
| | Consumer-Facing Interface | | Consumer-Facing Interface | |||
| v | v | |||
| +-------------------+ Registration +-----------------------+ | +-------------------+ Registration +-----------------------+ | |||
| |Security Controller|<-------------------->|Developer's Mgmt System| | |Security Controller|<-------------------->|Developer's Mgmt System| | |||
| +-------------------+ Interface +-----------------------+ | +-------------------+ Interface +-----------------------+ | |||
| skipping to change at page 10, line 35 ¶ | skipping to change at page 15, line 35 ¶ | |||
| | +-----+ | | | (DPI) | | | +-----+ | | | (DPI) | | |||
| +-----------------+ | +--------------+ | +-----------------+ | +--------------+ | |||
| | . | | . | |||
| | . | | . | |||
| | . | | . | |||
| | +-----------------------+ | | +-----------------------+ | |||
| ------>| NSF-n | | ------>| NSF-n | | |||
| |(DDoS-Attack Mitigator)| | |(DDoS-Attack Mitigator)| | |||
| +-----------------------+ | +-----------------------+ | |||
| Figure 3: An I2NSF Framework with SFC | Figure 5: An I2NSF Framework with SFC | |||
| 5. I2NSF Framework with SFC | 6. I2NSF Framework with SFC | |||
| In the I2NSF architecture, an NSF can trigger an advanced security | In the I2NSF architecture, an NSF can trigger an advanced security | |||
| action (e.g., DPI or DDoS attack mitigation) on a packet based on the | action (e.g., DPI or DDoS attack mitigation) on a packet based on the | |||
| result of its own security inspection of the packet. For example, a | result of its own security inspection of the packet. For example, a | |||
| firewall triggers further inspection of a suspicious packet with DPI. | firewall triggers further inspection of a suspicious packet with DPI. | |||
| For this advanced security action to be fulfilled, the suspicious | For this advanced security action to be fulfilled, the suspicious | |||
| packet should be forwarded from the current NSF to the successor NSF. | packet should be forwarded from the current NSF to the successor NSF. | |||
| SFC [RFC7665] is a technology that enables this advanced security | SFC [RFC7665] is a technology that enables this advanced security | |||
| action by steering a packet with multiple service functions (e.g., | action by steering a packet with multiple service functions (e.g., | |||
| NSFs), and this technology can be utilized by the I2NSF architecture | NSFs), and this technology can be utilized by the I2NSF architecture | |||
| to support the advanced security action. | to support the advanced security action. | |||
| Figure 3 shows an I2NSF framework with the support of SFC. As shown | Figure 5 shows an I2NSF framework with the support of SFC. As shown | |||
| in the figure, SFC generally requires classifiers and service | in the figure, SFC generally requires classifiers and service | |||
| function forwarders (SFFs); classifiers are responsible for | function forwarders (SFFs); classifiers are responsible for | |||
| determining which service function path (SFP) (i.e., an ordered | determining which service function path (SFP) (i.e., an ordered | |||
| sequence of service functions) a given packet should pass through, | sequence of service functions) a given packet should pass through, | |||
| according to pre-configured classification rules, and SFFs perform | according to pre-configured classification rules, and SFFs perform | |||
| forwarding the given packet to the next service function (e.g., NSF) | forwarding the given packet to the next service function (e.g., NSF) | |||
| on the SFP of the packet by referring to their forwarding tables. In | on the SFP of the packet by referring to their forwarding tables. In | |||
| the I2NSF architecture with SFC, the Security Controller can take | the I2NSF architecture with SFC, the Security Controller can take | |||
| responsibilities of generating classification rules for classifiers | responsibilities of generating classification rules for classifiers | |||
| and forwarding tables for SFFs. By analyzing high-level security | and forwarding tables for SFFs. By analyzing high-level security | |||
| skipping to change at page 12, line 38 ¶ | skipping to change at page 17, line 38 ¶ | |||
| | +----------------+ | | | +----------------+ | | |||
| | ^ | | | ^ | | |||
| | | SDN Southbound Interface | | | | SDN Southbound Interface | | |||
| | v | | | v | | |||
| | +--------+ +------------+ +--------+ +--------+ | | | +--------+ +------------+ +--------+ +--------+ | | |||
| | |Switch-1|-| Switch-2 |-|Switch-3|.......|Switch-m| | | | |Switch-1|-| Switch-2 |-|Switch-3|.......|Switch-m| | | |||
| | | | |(Classifier)| | (SFF) | | | | | | | | |(Classifier)| | (SFF) | | | | | |||
| | +--------+ +------------+ +--------+ +--------+ | | | +--------+ +------------+ +--------+ +--------+ | | |||
| +-------------------------------------------------------------------+ | +-------------------------------------------------------------------+ | |||
| Figure 4: An I2NSF Framework with SDN Network | Figure 6: An I2NSF Framework with SDN Network | |||
| 6. I2NSF Framework with SDN | 7. I2NSF Framework with SDN | |||
| This section describes an I2NSF framework with SDN for I2NSF | This section describes an I2NSF framework with SDN for I2NSF | |||
| applicability and use cases, such as firewall, deep packet | applicability and use cases, such as firewall, deep packet | |||
| inspection, and DDoS-attack mitigation functions. SDN enables some | inspection, and DDoS-attack mitigation functions. SDN enables some | |||
| packet filtering rules to be enforced in network forwarding elements | packet filtering rules to be enforced in network forwarding elements | |||
| (e.g., switch) by controlling their packet forwarding rules. By | (e.g., switch) by controlling their packet forwarding rules. By | |||
| taking advantage of this capability of SDN, it is possible to | taking advantage of this capability of SDN, it is possible to | |||
| optimize the process of security service enforcement in the I2NSF | optimize the process of security service enforcement in the I2NSF | |||
| system. For example, for efficient firewall services, simple packet | system. For example, for efficient firewall services, simple packet | |||
| filtering can be performed by SDN forwarding elements (e.g., | filtering can be performed by SDN forwarding elements (e.g., | |||
| switches), and complicated packet filtering based on packet payloads | switches), and complicated packet filtering based on packet payloads | |||
| can be performed by a firewall NSF. This optimized firewall using | can be performed by a firewall NSF. This optimized firewall using | |||
| both SDN forwarding elements and a firewall NSF is more efficient | both SDN forwarding elements and a firewall NSF is more efficient | |||
| than a firewall where SDN forwarding elements forward all the packets | than a firewall where SDN forwarding elements forward all the packets | |||
| to a firewall NSF for packet filtering. This is because packets to | to a firewall NSF for packet filtering. This is because packets to | |||
| be filtered out can be early dropped by SDN forwarding elements | be filtered out can be early dropped by SDN forwarding elements | |||
| without consuming further network bandwidth due to the forwarding of | without consuming further network bandwidth due to the forwarding of | |||
| the packets to the firewall NSF. | the packets to the firewall NSF. | |||
| Figure 4 shows an I2NSF framework [RFC8329] with SDN networks to | Figure 6 shows an I2NSF framework [RFC8329] with SDN networks to | |||
| support network-based security services. In this system, the | support network-based security services. In this system, the | |||
| enforcement of security policy rules is divided into the SDN | enforcement of security policy rules is divided into the SDN | |||
| forwarding elements (e.g., a switch running as either a hardware | forwarding elements (e.g., a switch running as either a hardware | |||
| middle box or a software virtual switch) and NSFs (e.g., a firewall | middle box or a software virtual switch) and NSFs (e.g., a firewall | |||
| running in a form of a VNF [ETSI-NFV]). Note that NSFs are created | running in a form of a VNF [ETSI-NFV]). Note that NSFs are created | |||
| or removed by the NFV Management and Orchestration (MANO) | or removed by the NFV Management and Orchestration (MANO) | |||
| [ETSI-NFV-MANO], performing the lifecycle management of NSFs as VNFs. | [ETSI-NFV-MANO], performing the lifecycle management of NSFs as VNFs. | |||
| Refer to Section 7 for the detailed discussion of the NSF lifecycle | Refer to Section 8 for the detailed discussion of the NSF lifecycle | |||
| management in the NFV MANO for I2NSF. For security policy | management in the NFV MANO for I2NSF. For security policy | |||
| enforcement (e.g., packet filtering), the Security Controller | enforcement (e.g., packet filtering), the Security Controller | |||
| instructs the SDN Controller via NSF-Facing Interface so that SDN | instructs the SDN Controller via NSF-Facing Interface so that SDN | |||
| forwarding elements can perform the required security services with | forwarding elements can perform the required security services with | |||
| flow tables under the supervision of the SDN Controller. | flow tables under the supervision of the SDN Controller. | |||
| As an example, let us consider two different types of security rules: | As an example, let us consider two different types of security rules: | |||
| Rule A is a simple packet filtering rule that checks only the IP | Rule A is a simple packet filtering rule that checks only the IP | |||
| address and port number of a given packet, whereas rule B is a time- | address and port number of a given packet, whereas rule B is a time- | |||
| consuming packet inspection rule for analyzing whether an attached | consuming packet inspection rule for analyzing whether an attached | |||
| skipping to change at page 14, line 22 ¶ | skipping to change at page 19, line 22 ¶ | |||
| the capabilities each VNF can offer [ETSI-NFV-MANO]. This subsystem | the capabilities each VNF can offer [ETSI-NFV-MANO]. This subsystem | |||
| can determine whether a given software element (VNF instance) is an | can determine whether a given software element (VNF instance) is an | |||
| NSF or a virtualized SDN switch. For example, if a VNF instance has | NSF or a virtualized SDN switch. For example, if a VNF instance has | |||
| anti-malware capability according to the description of the VNF, it | anti-malware capability according to the description of the VNF, it | |||
| could be considered as an NSF. A VNF onboarding system | could be considered as an NSF. A VNF onboarding system | |||
| [VNF-ONBOARDING] can be used as such a subsystem that maintains the | [VNF-ONBOARDING] can be used as such a subsystem that maintains the | |||
| descriptions of each VNF to tell whether a VNF instance is for an NSF | descriptions of each VNF to tell whether a VNF instance is for an NSF | |||
| or for a virtualized SDN switch. | or for a virtualized SDN switch. | |||
| For the support of SFC in the I2NSF framework with SDN, as shown in | For the support of SFC in the I2NSF framework with SDN, as shown in | |||
| Figure 4, network forwarding elements (e.g., switch) can play the | Figure 6, network forwarding elements (e.g., switch) can play the | |||
| role of either SFC Classifier or SFF, which are explained in | role of either SFC Classifier or SFF, which are explained in | |||
| Section 5. Classifier and SFF have an NSF-Facing Interface with | Section 6. Classifier and SFF have an NSF-Facing Interface with | |||
| Security Controller. This interface is used to update security | Security Controller. This interface is used to update security | |||
| service function chaining information for traffic flows. For | service function chaining information for traffic flows. For | |||
| example, when it needs to update an SFP for a traffic flow in an SDN | example, when it needs to update an SFP for a traffic flow in an SDN | |||
| network, as shown in Figure 4, SFF (denoted as Switch-3) asks | network, as shown in Figure 6, SFF (denoted as Switch-3) asks | |||
| Security Controller to update the SFP for the traffic flow (needing | Security Controller to update the SFP for the traffic flow (needing | |||
| another security service as an NSF) via NSF-Facing Interface. This | another security service as an NSF) via NSF-Facing Interface. This | |||
| update lets Security Controller ask Classifier (denoted as Switch-2) | update lets Security Controller ask Classifier (denoted as Switch-2) | |||
| to update the mapping between the traffic flow and SFP in Classifier | to update the mapping between the traffic flow and SFP in Classifier | |||
| via NSF-Facing Interface. | via NSF-Facing Interface. | |||
| The following subsections introduce three use cases from [RFC8192] | The following subsections introduce three use cases from [RFC8192] | |||
| for cloud-based security services: (i) firewall system, (ii) deep | for cloud-based security services: (i) firewall system, (ii) deep | |||
| packet inspection system, and (iii) attack mitigation system. | packet inspection system, and (iii) attack mitigation system. | |||
| 6.1. Firewall: Centralized Firewall System | 7.1. Firewall: Centralized Firewall System | |||
| A centralized network firewall can manage each network resource and | A centralized network firewall can manage each network resource and | |||
| apply common rules to individual network elements (e.g., switch). | apply common rules to individual network elements (e.g., switch). | |||
| The centralized network firewall controls each forwarding element, | The centralized network firewall controls each forwarding element, | |||
| and firewall rules can be added or deleted dynamically. | and firewall rules can be added or deleted dynamically. | |||
| A time-based firewall can be enforced with packet filtering rules and | A time-based firewall can be enforced with packet filtering rules and | |||
| a time span (e.g., work hours). With this time-based firewall, a | a time span (e.g., work hours). With this time-based firewall, a | |||
| time-based security policy can be enforced, as explained in | time-based security policy can be enforced, as explained in | |||
| Section 4. For example, employees at a company are allowed to access | Section 4. For example, employees at a company are allowed to access | |||
| social networking service websites during lunch time or after work | social networking service websites during lunch time or after work | |||
| hours. | hours. | |||
| 6.2. Deep Packet Inspection: Centralized VoIP/VoLTE Security System | 7.2. Deep Packet Inspection: Centralized VoIP/VoLTE Security System | |||
| A centralized VoIP/VoLTE security system can monitor each VoIP/VoLTE | A centralized VoIP/VoLTE security system can monitor each VoIP/VoLTE | |||
| flow and manage VoIP/VoLTE security rules, according to the | flow and manage VoIP/VoLTE security rules, according to the | |||
| configuration of a VoIP/VoLTE security service called VoIP Intrusion | configuration of a VoIP/VoLTE security service called VoIP Intrusion | |||
| Prevention System (IPS). This centralized VoIP/VoLTE security system | Prevention System (IPS). This centralized VoIP/VoLTE security system | |||
| controls each switch for the VoIP/VoLTE call flow management by | controls each switch for the VoIP/VoLTE call flow management by | |||
| manipulating the rules that can be added, deleted or modified | manipulating the rules that can be added, deleted or modified | |||
| dynamically. | dynamically. | |||
| The centralized VoIP/VoLTE security system can cooperate with a | The centralized VoIP/VoLTE security system can cooperate with a | |||
| network firewall to realize VoIP/VoLTE security service. | network firewall to realize VoIP/VoLTE security service. | |||
| Specifically, a network firewall performs the basic security check of | Specifically, a network firewall performs the basic security check of | |||
| an unknown flow's packet observed by a switch. If the network | an unknown flow's packet observed by a switch. If the network | |||
| firewall detects that the packet is an unknown VoIP call flow's | firewall detects that the packet is an unknown VoIP call flow's | |||
| packet that exhibits some suspicious patterns, then it triggers the | packet that exhibits some suspicious patterns, then it triggers the | |||
| VoIP/VoLTE security system for more specialized security analysis of | VoIP/VoLTE security system for more specialized security analysis of | |||
| the suspicious VoIP call packet. | the suspicious VoIP call packet. | |||
| 6.3. Attack Mitigation: Centralized DDoS-attack Mitigation System | 7.3. Attack Mitigation: Centralized DDoS-attack Mitigation System | |||
| A centralized DDoS-attack mitigation can manage each network resource | A centralized DDoS-attack mitigation can manage each network resource | |||
| and configure rules to each switch for DDoS-attack mitigation (called | and configure rules to each switch for DDoS-attack mitigation (called | |||
| DDoS-attack Mitigator) on a common server. The centralized DDoS- | DDoS-attack Mitigator) on a common server. The centralized DDoS- | |||
| attack mitigation system defends servers against DDoS attacks outside | attack mitigation system defends servers against DDoS attacks outside | |||
| the private network, that is, from public networks | the private network, that is, from public networks | |||
| [RFC8612][dots-architecture]. | [RFC8612][dots-architecture]. | |||
| Servers are categorized into stateless servers (e.g., DNS servers) | Servers are categorized into stateless servers (e.g., DNS servers) | |||
| and stateful servers (e.g., web servers). For DDoS-attack | and stateful servers (e.g., web servers). For DDoS-attack | |||
| skipping to change at page 16, line 43 ¶ | skipping to change at page 21, line 43 ¶ | |||
| | | | Compute | | Storage | | Network | | | | | | | | | Compute | | Storage | | Network | | | | | | |||
| | | | Hardware| | Hardware| | Hardware| | | | | | | | | Hardware| | Hardware| | Hardware| | | | | | |||
| | | ----------- ----------- ----------- | | | | | | | ----------- ----------- ----------- | | | | | |||
| | | Hardware Resources | | | NFV Management | | | | Hardware Resources | | | NFV Management | | |||
| | +---------------------------------------+ | | and Orchestration | | | +---------------------------------------+ | | and Orchestration | | |||
| | | | (MANO) | | | | | (MANO) | | |||
| +-------------------------------------------+ +--------------------+ | +-------------------------------------------+ +--------------------+ | |||
| (a) = Registration Interface | (a) = Registration Interface | |||
| (b) = Ve-Vnfm Interface | (b) = Ve-Vnfm Interface | |||
| Figure 5: I2NSF Framework Implementation with respect to the NFV | Figure 7: I2NSF Framework Implementation with respect to the NFV | |||
| Reference Architectural Framework | Reference Architectural Framework | |||
| 7. I2NSF Framework with NFV | 8. I2NSF Framework with NFV | |||
| This section discusses the implementation of the I2NSF framework | This section discusses the implementation of the I2NSF framework | |||
| using Network Functions Virtualization (NFV). | using Network Functions Virtualization (NFV). | |||
| NFV is a promising technology for improving the elasticity and | NFV is a promising technology for improving the elasticity and | |||
| efficiency of network resource utilization. In NFV environments, | efficiency of network resource utilization. In NFV environments, | |||
| NSFs can be deployed in the forms of software-based virtual instances | NSFs can be deployed in the forms of software-based virtual instances | |||
| rather than physical appliances. Virtualizing NSFs makes it possible | rather than physical appliances. Virtualizing NSFs makes it possible | |||
| to rapidly and flexibly respond to the amount of service requests by | to rapidly and flexibly respond to the amount of service requests by | |||
| dynamically increasing or decreasing the number of NSF instances. | dynamically increasing or decreasing the number of NSF instances. | |||
| Moreover, NFV technology facilitates flexibly including or excluding | Moreover, NFV technology facilitates flexibly including or excluding | |||
| NSFs from multiple security solution vendors according to the changes | NSFs from multiple security solution vendors according to the changes | |||
| on security requirements. In order to take advantages of the NFV | on security requirements. In order to take advantages of the NFV | |||
| technology, the I2NSF framework can be implemented on top of an NFV | technology, the I2NSF framework can be implemented on top of an NFV | |||
| infrastructure as show in Figure 5. | infrastructure as show in Figure 7. | |||
| Figure 5 shows an I2NSF framework implementation based on the NFV | Figure 7 shows an I2NSF framework implementation based on the NFV | |||
| reference architecture that the European Telecommunications Standards | reference architecture that the European Telecommunications Standards | |||
| Institute (ETSI) defines [ETSI-NFV]. The NSFs are deployed as VNFs | Institute (ETSI) defines [ETSI-NFV]. The NSFs are deployed as VNFs | |||
| in Figure 5. The Developer's Management System (DMS) in the I2NSF | in Figure 7. The Developer's Management System (DMS) in the I2NSF | |||
| framework is responsible for registering capability information of | framework is responsible for registering capability information of | |||
| NSFs into the Security Controller. However, those NSFs are created | NSFs into the Security Controller. However, those NSFs are created | |||
| or removed by a virtual network function manager (VNFM) in the NFV | or removed by a virtual network function manager (VNFM) in the NFV | |||
| MANO that performs the lifecycle management of VNFs. Note that the | MANO that performs the lifecycle management of VNFs. Note that the | |||
| lifecycle management of VNFs is out of scope for I2NSF. The Security | lifecycle management of VNFs is out of scope for I2NSF. The Security | |||
| Controller controls and monitors the configurations (e.g., function | Controller controls and monitors the configurations (e.g., function | |||
| parameters and security policy rules) of VNFs via the NSF-Facing | parameters and security policy rules) of VNFs via the NSF-Facing | |||
| Interface along with the NSF monitoring capability | Interface along with the NSF monitoring capability | |||
| [nsf-facing-inf-dm][nsf-monitoring-dm]. Both the DMS and Security | [nsf-facing-inf-dm][nsf-monitoring-dm]. Both the DMS and Security | |||
| Controller can be implemented as the Element Managements (EMs) in the | Controller can be implemented as the Element Managements (EMs) in the | |||
| skipping to change at page 18, line 23 ¶ | skipping to change at page 23, line 23 ¶ | |||
| notifies the Security Controller of the NSF instance. | notifies the Security Controller of the NSF instance. | |||
| 6. After being notified of the created NSF instance, the Security | 6. After being notified of the created NSF instance, the Security | |||
| Controller delivers low-level security policy rules to the NSF | Controller delivers low-level security policy rules to the NSF | |||
| instance for policy enforcement. | instance for policy enforcement. | |||
| We can conclude that the I2NSF framework can be implemented based on | We can conclude that the I2NSF framework can be implemented based on | |||
| the NFV architecture framework. Note that the registration of the | the NFV architecture framework. Note that the registration of the | |||
| capabilities of NSFs is performed through the Registration Interface | capabilities of NSFs is performed through the Registration Interface | |||
| and the lifecycle management for NSFs (VNFs) is performed through the | and the lifecycle management for NSFs (VNFs) is performed through the | |||
| Ve-Vnfm interface between the DMS and VNFM, as shown in Figure 5. | Ve-Vnfm interface between the DMS and VNFM, as shown in Figure 7. | |||
| 8. Security Considerations | 9. Security Considerations | |||
| The same security considerations for the I2NSF framework [RFC8329] | The same security considerations for the I2NSF framework [RFC8329] | |||
| are applicable to this document. | are applicable to this document. | |||
| This document shares all the security issues of SDN that are | This document shares all the security issues of SDN that are | |||
| specified in the "Security Considerations" section of [ITU-T.Y.3300]. | specified in the "Security Considerations" section of [ITU-T.Y.3300]. | |||
| The role of the DMS is to provide an I2NSF system with the software | The role of the DMS is to provide an I2NSF system with the software | |||
| packages or images for NSF execution. The DMS must not access NSFs | packages or images for NSF execution. The DMS must not access NSFs | |||
| in activated status. An inside attacker or a supply chain attacker | in activated status. An inside attacker or a supply chain attacker | |||
| skipping to change at page 19, line 8 ¶ | skipping to change at page 24, line 8 ¶ | |||
| NSFs from an untrusted DMS or without prior testing. The practices | NSFs from an untrusted DMS or without prior testing. The practices | |||
| by which these packages are downloaded and loaded into the system are | by which these packages are downloaded and loaded into the system are | |||
| out of scope for I2NSF. | out of scope for I2NSF. | |||
| I2NSF system operators should audit and monitor interactions with | I2NSF system operators should audit and monitor interactions with | |||
| DMSs. Additionally, the operators should monitor the running NSFs | DMSs. Additionally, the operators should monitor the running NSFs | |||
| through the I2NSF NSF Monitoring Interface [nsf-monitoring-dm] as | through the I2NSF NSF Monitoring Interface [nsf-monitoring-dm] as | |||
| part of the I2NSF NSF-Facing Interface. Note that the mechanics for | part of the I2NSF NSF-Facing Interface. Note that the mechanics for | |||
| monitoring the DMSs are out of scope for I2NSF. | monitoring the DMSs are out of scope for I2NSF. | |||
| 9. Acknowledgments | 10. Acknowledgments | |||
| This work was supported by Institute of Information & Communications | This work was supported by Institute of Information & Communications | |||
| Technology Planning & Evaluation (IITP) grant funded by the Korea | Technology Planning & Evaluation (IITP) grant funded by the Korea | |||
| MSIT (Ministry of Science and ICT) (R-20160222-002755, Cloud based | MSIT (Ministry of Science and ICT) (R-20160222-002755, Cloud based | |||
| Security Intelligence Technology Development for the Customized | Security Intelligence Technology Development for the Customized | |||
| Security Service Provisioning). | Security Service Provisioning). | |||
| This work has been partially supported by the European Commission | This work has been partially supported by the European Commission | |||
| under Horizon 2020 grant agreement no. 700199 "Securing against | under Horizon 2020 grant agreement no. 700199 "Securing against | |||
| intruders and other threats through a NFV-enabled environment | intruders and other threats through a NFV-enabled environment | |||
| (SHIELD)". This support does not imply endorsement. | (SHIELD)". This support does not imply endorsement. | |||
| 10. Contributors | 11. Contributors | |||
| I2NSF is a group effort. I2NSF has had a number of contributing | I2NSF is a group effort. I2NSF has had a number of contributing | |||
| authors. The following are considered co-authors: | authors. The following are considered co-authors: | |||
| o Hyoungshick Kim (Sungkyunkwan University) | o Hyoungshick Kim (Sungkyunkwan University) | |||
| o Jinyong Tim Kim (Sungkyunkwan University) | o Jinyong Tim Kim (Sungkyunkwan University) | |||
| o Hyunsik Yang (Soongsil University) | o Hyunsik Yang (Soongsil University) | |||
| o Younghan Kim (Soongsil University) | o Younghan Kim (Soongsil University) | |||
| o Jung-Soo Park (ETRI) | o Jung-Soo Park (ETRI) | |||
| o Se-Hui Lee (Korea Telecom) | o Se-Hui Lee (Korea Telecom) | |||
| o Mohamed Boucadair (Orange) | o Mohamed Boucadair (Orange) | |||
| 11. References | 12. References | |||
| 11.1. Normative References | 12.1. Normative References | |||
| [AVANT-GUARD] | [AVANT-GUARD] | |||
| Shin, S., Yegneswaran, V., Porras, P., and G. Gu, "AVANT- | Shin, S., Yegneswaran, V., Porras, P., and G. Gu, "AVANT- | |||
| GUARD: Scalable and Vigilant Switch Flow Management in | GUARD: Scalable and Vigilant Switch Flow Management in | |||
| Software-Defined Networks", ACM CCS, November 2013. | Software-Defined Networks", ACM CCS, November 2013. | |||
| [consumer-facing-inf-dm] | [consumer-facing-inf-dm] | |||
| Jeong, J., Kim, E., Ahn, T., Kumar, R., and S. Hares, | Jeong, J., Kim, E., Ahn, T., Kumar, R., and S. Hares, | |||
| "I2NSF Consumer-Facing Interface YANG Data Model", draft- | "I2NSF Consumer-Facing Interface YANG Data Model", draft- | |||
| ietf-i2nsf-consumer-facing-interface-dm-06 (work in | ietf-i2nsf-consumer-facing-interface-dm-06 (work in | |||
| skipping to change at page 21, line 47 ¶ | skipping to change at page 26, line 47 ¶ | |||
| [RFC8329] Lopez, D., Lopez, E., Dunbar, L., Strassner, J., and R. | [RFC8329] Lopez, D., Lopez, E., Dunbar, L., Strassner, J., and R. | |||
| Kumar, "Framework for Interface to Network Security | Kumar, "Framework for Interface to Network Security | |||
| Functions", RFC 8329, February 2018. | Functions", RFC 8329, February 2018. | |||
| [RFC8446] Rescorla, E., "The Transport Layer Security (TLS) Protocol | [RFC8446] Rescorla, E., "The Transport Layer Security (TLS) Protocol | |||
| Version 1.3", RFC 8446, August 2018. | Version 1.3", RFC 8446, August 2018. | |||
| [RFC8612] Mortensen, A., Reddy, T., and R. Moskowitz, "DDoS Open | [RFC8612] Mortensen, A., Reddy, T., and R. Moskowitz, "DDoS Open | |||
| Threat Signaling (DOTS) Requirements", RFC 8612, May 2019. | Threat Signaling (DOTS) Requirements", RFC 8612, May 2019. | |||
| 11.2. Informative References | 12.2. Informative References | |||
| [ETSI-NFV-MANO] | [ETSI-NFV-MANO] | |||
| "Network Functions Virtualisation (NFV); Management and | "Network Functions Virtualisation (NFV); Management and | |||
| Orchestration", Available: | Orchestration", Available: | |||
| https://www.etsi.org/deliver/etsi_gs/nfv- | https://www.etsi.org/deliver/etsi_gs/nfv- | |||
| man/001_099/001/01.01.01_60/gs_nfv-man001v010101p.pdf, | man/001_099/001/01.01.01_60/gs_nfv-man001v010101p.pdf, | |||
| December 2014. | December 2014. | |||
| [i2nsf-terminology] | [i2nsf-terminology] | |||
| Hares, S., Strassner, J., Lopez, D., Xia, L., and H. | Hares, S., Strassner, J., Lopez, D., Xia, L., and H. | |||
| skipping to change at page 23, line 5 ¶ | skipping to change at page 28, line 5 ¶ | |||
| [tls-esni] | [tls-esni] | |||
| Rescorla, E., Oku, K., Sullivan, N., and C. Wood, | Rescorla, E., Oku, K., Sullivan, N., and C. Wood, | |||
| "Encrypted Server Name Indication for TLS 1.3", draft- | "Encrypted Server Name Indication for TLS 1.3", draft- | |||
| ietf-tls-esni-04 (work in progress), July 2019. | ietf-tls-esni-04 (work in progress), July 2019. | |||
| [VNF-ONBOARDING] | [VNF-ONBOARDING] | |||
| "VNF Onboarding", Available: | "VNF Onboarding", Available: | |||
| https://wiki.opnfv.org/display/mano/VNF+Onboarding, | https://wiki.opnfv.org/display/mano/VNF+Onboarding, | |||
| November 2016. | November 2016. | |||
| Appendix A. Changes from draft-ietf-i2nsf-applicability-16 | Appendix A. Changes from draft-ietf-i2nsf-applicability-17 | |||
| The following changes have been made from draft-ietf-i2nsf- | The following changes have been made from draft-ietf-i2nsf- | |||
| applicability-16: | applicability-17: | |||
| o The data model drafts for I2NSF are referenced as Normative | o In Section 4, a high-level security policy XML file in Figure 2 | |||
| references rather than Informative references. | and the corresponding low-level security policy XML file Figure 3 | |||
| are constructed using the Consumer-Facing Interface data model and | ||||
| the NSF-Facing data model, respectively. | ||||
| o An RFC and a draft for Distributed-Denial-of-Service Open Threat | o For the applicability of I2NSF to the real world, Section 5 is | |||
| Signaling (DOTS) are referenced for attack mitigation. | added to support the Intent-based Security Services using I2NSF. | |||
| This section explains the security policy translation based on an | ||||
| I2NSF User's intents on the required security services. Figure 4 | ||||
| shows the archiecture and procedure of the I2NSF security policy | ||||
| translator. | ||||
| Authors' Addresses | Authors' Addresses | |||
| Jaehoon Paul Jeong | Jaehoon Paul Jeong | |||
| Department of Computer Science and Engineering | Department of Computer Science and Engineering | |||
| Sungkyunkwan University | Sungkyunkwan University | |||
| 2066 Seobu-Ro, Jangan-Gu | 2066 Seobu-Ro, Jangan-Gu | |||
| Suwon, Gyeonggi-Do 16419 | Suwon, Gyeonggi-Do 16419 | |||
| Republic of Korea | Republic of Korea | |||
| Phone: +82 31 299 4957 | Phone: +82 31 299 4957 | |||
| Fax: +82 31 290 7996 | Fax: +82 31 290 7996 | |||
| EMail: pauljeong@skku.edu | EMail: pauljeong@skku.edu | |||
| URI: http://iotlab.skku.edu/people-jaehoon-jeong.php | URI: http://iotlab.skku.edu/people-jaehoon-jeong.php | |||
| Sangwon Hyun | Sangwon Hyun | |||
| Department of Computer Engineering | Department of Computer Engineering | |||
| Chosun University | Myongji University | |||
| 309 Pilmun-daero, Dong-Gu | 116 Myongji-ro, Cheoin-gu | |||
| Gwangju 61452 | Yongin 17058 | |||
| Republic of Korea | Republic of Korea | |||
| Phone: +82 62 230 7473 | Phone: +82 62 230 7473 | |||
| EMail: shyun@chosun.ac.kr | EMail: shyun@chosun.ac.kr | |||
| Tae-Jin Ahn | Tae-Jin Ahn | |||
| Korea Telecom | Korea Telecom | |||
| 70 Yuseong-Ro, Yuseong-Gu | 70 Yuseong-Ro, Yuseong-Gu | |||
| Daejeon 305-811 | Daejeon 305-811 | |||
| Republic of Korea | Republic of Korea | |||
| Phone: +82 42 870 8409 | Phone: +82 42 870 8409 | |||
| EMail: taejin.ahn@kt.com | EMail: taejin.ahn@kt.com | |||
| Susan Hares | Susan Hares | |||
| Huawei | Huawei | |||
| 7453 Hickory Hill | 7453 Hickory Hill | |||
| Saline, MI 48176 | Saline, MI 48176 | |||
| USA | USA | |||
| Phone: +1-734-604-0332 | Phone: +1-734-604-0332 | |||
| EMail: shares@ndzh.com | EMail: shares@ndzh.com | |||
| Diego R. Lopez | Diego R. Lopez | |||
| End of changes. 65 change blocks. | ||||
| 140 lines changed or deleted | 341 lines changed or added | |||
This html diff was produced by rfcdiff 1.47. The latest version is available from http://tools.ietf.org/tools/rfcdiff/ | ||||