rfcdiff: draft-yang-i2nsf-nfv-architecture-04.txt (November 6, 2018) vs draft-yang-i2nsf-nfv-architecture-05.txt (July 8, 2019). The text that follows is the -05 version.

Network Working Group                                           H. Yang
Internet-Draft                                                   Y. Kim
Intended status: Informational                      Soongsil University
Expires: January 9, 2020                                       J. Jeong
                                                                 J. Kim
                                                Sungkyunkwan University
                                                           July 8, 2019

                I2NSF on the NFV Reference Architecture
                draft-yang-i2nsf-nfv-architecture-05
Abstract

   This document describes the integration of Interface to Network
   Security Functions (I2NSF) Framework into the Network Functions
   Virtualization (NFV) Reference Model. This document explains how the
   components and interfaces in the I2NSF Framework can be placed in the
   NFV reference architecture, and also explains the procedures of the
   lifecycle management of Network Security Functions (NSFs) according
   to a user's security policy specification in the I2NSF framework on
   skipping to change at page 1, line 40
   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF). Note that other groups may also distribute
   working documents as Internet-Drafts. The list of current Internet-
   Drafts is at https://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time. It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   This Internet-Draft will expire on January 9, 2020.
Copyright Notice

   Copyright (c) 2019 IETF Trust and the persons identified as the
   document authors. All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (https://trustee.ietf.org/license-info) in effect on the date of
   publication of this document. Please review these documents
   carefully, as they describe your rights and restrictions with respect
   to this document. Code Components extracted from this document must
   include Simplified BSD License text as described in Section 4.e of
   the Trust Legal Provisions and are provided without warranty as
   skipping to change at page 2, line 31
      3.4.2. NSF-Facing Interface
      3.4.3. Registration Interface
      3.4.4. Interface for NSF Management
   4. Initial Configuration Procedure in NFV Architecture
   5. Multi-site Consideration
   6. Use Case of SFC-Enabled I2NSF Framework
      6.1. SFC Policy Manager
      6.2. SFC Catalog Manager
      6.3. Developer's Management System in SFC-Enabled I2NSF Framework
      6.4. The consideration of SFC-enabled architecture in I2NSF
           Framework
   7. Security Considerations
   8. Informative References
   Appendix A. Changes from draft-yang-i2nsf-nfv-architecture-04
   Appendix B. Acknowledgements
   Authors' Addresses
1. Introduction

   The goal of Interface to Network Security Functions (I2NSF) is to
   define a set of software interfaces and components for controlling
   and monitoring aspects of physical and virtual Network Security
   Functions (NSFs), with which a user can specify high-level security
   policy. To achieve this goal, the I2NSF framework not only considers
   skipping to change at page 12, line 21
   As mentioned above, if the DMS manages the NSF's lifecycle indirectly
   through a VNFM, it plays the role of a VNFM. VNF lifecycle management
   includes the instantiation, creation, provisioning, scaling,
   monitoring, and termination of a VM as a VNF instance. Therefore,
   the DMS corresponds to a specific VNFM.

   However, to support scaling at the network service level (across NSF
   instances rather than within a single VNF), the role of the DMS can
   instead be placed inside the NFV MANO.
6.4. The consideration of SFC-enabled architecture in I2NSF Framework

   As mentioned above, when I2NSF is provided in an NFV environment,
   various use cases can be supported through SFC technology.

   From the NFV point of view, SFC can be provided in two ways. The
   first is to configure the SFC between NSFs through a dedicated SDN
   controller; the second is to configure the SFC through the network
   management function of the cloud platform itself.

   How traffic steering is provided may vary with the cloud environment,
   but in either case the Security Controller must request traffic
   steering from the SDN controller or the network management function
   via the VNFM, using the Ve-Vnfm reference point [ETSI-GS-IFA-008].
   The steering itself can be realized on physical switches or on a
   virtual switch.
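   The following Python model, added here as an illustration and not
   code from this draft or from any I2NSF implementation, ties Section
   6.3 and Section 6.4 together: a DMS acting as VNFM holds an NSF
   catalog and the running NSF instances, and the Security Controller
   logic resolves a chain of required capabilities against it (reusing a
   running NSF in the "NSF Available" case, instantiating one in the "No
   NSF Existing" case), then renders the resulting service function path
   as hop-by-hop steering rules for a single virtual switch. The class
   and method names, the port-chaining scheme (match the classified flow
   on its input port and output it to the next NSF's port), the
   catalog contents, the port numbers and the ovs-ofctl-style rendering
   are all assumptions made for the example.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class NSFInstance:
    name: str
    capability: str
    port: int  # virtual-switch port the NSF's interface is attached to


@dataclass
class DeveloperMgmtSystem:
    """Hypothetical DMS acting as a VNFM: it knows which NSF images it can
    provide (catalog) and which NSF instances are currently running."""
    catalog: Dict[str, str]                       # capability -> NSF image name
    instances: List[NSFInstance] = field(default_factory=list)
    next_port: int = 10                           # constructed port numbering

    def running(self, capability: str) -> Optional[NSFInstance]:
        """'NSF Available' case: an instance with this capability exists."""
        return next((i for i in self.instances if i.capability == capability), None)

    def instantiate(self, capability: str) -> NSFInstance:
        """'No NSF Existing' case: the DMS, as VNFM, instantiates a VNF."""
        if capability not in self.catalog:
            raise LookupError(f"no NSF image in the catalog provides {capability!r}")
        inst = NSFInstance(f"{self.catalog[capability]}-{len(self.instances) + 1}",
                           capability, self.next_port)
        self.next_port += 1
        self.instances.append(inst)
        return inst


@dataclass
class SteeringRule:
    """One hop of a port-chained SFC on a single switch."""
    switch: str
    match: Dict[str, str]
    in_port: int
    out_port: int

    def ovs_flow(self) -> str:
        """Render in ovs-ofctl add-flow syntax (one possible steering target)."""
        parts = [f"in_port={self.in_port}"] + [f"{k}={v}" for k, v in self.match.items()]
        return ",".join(parts) + f",actions=output:{self.out_port}"


def render_sfc(dms: DeveloperMgmtSystem, chain: List[str], classifier: Dict[str, str],
               ingress_port: int, egress_port: int, switch: str = "vsw0"
               ) -> Tuple[List[NSFInstance], List[str], List[SteeringRule]]:
    """Security Controller logic: resolve each capability in the chain to a
    running NSF (instantiating via the DMS when none exists), then emit the
    rules that steer the classified flow through them in chain order."""
    path: List[NSFInstance] = []
    created: List[str] = []
    for cap in chain:
        inst = dms.running(cap)
        if inst is None:
            inst = dms.instantiate(cap)
            created.append(inst.name)
        path.append(inst)

    rules: List[SteeringRule] = []
    prev_port = ingress_port
    for inst in path:
        # Traffic arriving on prev_port (ingress, or the previous NSF) goes to this NSF.
        rules.append(SteeringRule(switch, dict(classifier), prev_port, inst.port))
        prev_port = inst.port
    # Last hop: from the final NSF back out of the chain.
    rules.append(SteeringRule(switch, dict(classifier), prev_port, egress_port))
    return path, created, rules


if __name__ == "__main__":
    dms = DeveloperMgmtSystem(catalog={"firewall": "fw", "dpi": "dpi"})
    dms.instantiate("firewall")  # constructed: a firewall NSF is already running
    path, created, rules = render_sfc(dms, ["firewall", "dpi"],
                                      {"dl_type": "0x0800", "nw_dst": "10.0.1.0/24"}, 1, 2)
    print("newly instantiated:", created)
    for r in rules:
        print(r.ovs_flow())
```

   Run stand-alone, the example reuses the existing firewall, has the
   DMS instantiate a DPI NSF, and prints three rules: ingress to the
   firewall port, firewall port to the DPI port, DPI port to egress.
   Whether those rules go to an SDN controller or to the cloud's own
   network management function is exactly the choice Section 6.4
   leaves to the environment; the request path in both cases is the
   Security Controller asking via the VNFM.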
7. Security Considerations

   This document specifies the implementation of the I2NSF framework in
   the NFV system, so the same security considerations for the I2NSF
   framework [RFC8329] can be applied to this document.

   This document shares all the security issues of NFV that are
   specified in the "Potential Areas of Concern" section of
   [ETSI-GS-NFV-SEC-001].
8. Informative References

   [ETSI-GS-IFA-008]
              ETSI GS NFV-IFA 008 V2.1.1, "Network Functions
              Virtualisation (NFV); Management and Orchestration; Ve-Vnfm
              reference point - Interface and Information Model
              Specification", October 2016.

   [ETSI-GS-NFV-003]
              ETSI GS NFV 002 V1.1.1, "Network Functions Virtualization
              (NFV); Architectural Framework", October 2013.

   [ETSI-GS-NFV-SEC-001]
              ETSI GS NFV-SEC 001 V1.1.1, "Network Functions
              Virtualisation (NFV); NFV Security; Problem Statement",
              October 2014.

   [I2NSF-Applicability]
              Jeong, J., Hyun, S., Ahn, T., Hares, S., and D. Lopez,
              "Applicability of Interfaces to Network Security Functions
              to Network-Based Security Services", draft-ietf-i2nsf-
              applicability-13 (work in progress), June 2019.

   [I2NSF-Terminology]
              Hares, S., Strassner, J., Lopez, D., Xia, L., and H.
              Birkholz, "Interface to Network Security Functions (I2NSF)
              Terminology", draft-ietf-i2nsf-terminology-06 (work in
              progress), July 2018.

   [NSF-Triggered-Steering]
              Hyun, S., Jeong, J., Park, J., and S. Hares, "Service
              Function Chaining-Enabled I2NSF Architecture", draft-hyun-

   skipping to change at page 14, line 5

              registration-interface-dm-01 (work in progress), November
              2018.

   [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
              Requirement Levels", RFC 2119, March 1997.

   [RFC8329]  Lopez, D., Lopez, E., Dunbar, L., Strassner, J., and R.
              Kumar, "Framework for Interface to Network Security
              Functions", RFC 8329, February 2018.
Appendix A. Changes from draft-yang-i2nsf-nfv-architecture-04

   The following changes have been made from draft-yang-i2nsf-nfv-
   architecture-04:

   o In this version, Section 6.4 is added.
Appendix B. Acknowledgements

   This work was supported in part by the Ministry of Science and ICT
   (MSIT) under the ITRC (Information Technology Research Center)
   support program (IITP-2019-2017-0-01633) supervised by the Institute
   for Information & communications Technology Promotion (IITP).
Authors' Addresses

   Hyunsik Yang
   School of Electronic Engineering
   Soongsil University
   369, Sangdo-ro, Dongjak-gu
   Seoul, Seoul 06978
   Republic of Korea

End of changes. 16 change blocks. 28 lines changed or deleted, 36 lines changed or added.

This html diff was produced by rfcdiff 1.47. The latest version is available from http://tools.ietf.org/tools/rfcdiff/