Diff of draft-ietf-i2nsf-applicability-06.txt against
draft-ietf-i2nsf-applicability-07.txt (where the two versions differ,
the -06 text is given first and the -07 text second)

[unchanged text skipped up to page 1, line 17 of both versions]

T. Ahn
Korea Telecom
S. Hares
Huawei
D. Lopez
Telefonica I+D
October 22, 2018

Applicability of Interfaces to Network Security Functions to
Network-Based Security Services

-06: draft-ietf-i2nsf-applicability-06
-07: draft-ietf-i2nsf-applicability-07
Abstract

This document describes the applicability of Interface to Network
Security Functions (I2NSF) to network-based security services in
Network Functions Virtualization (NFV) environments, such as
firewall, deep packet inspection, or attack mitigation engines.
Status of This Memo

This Internet-Draft is submitted in full conformance with the
provisions of BCP 78 and BCP 79.

Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet-
Drafts is at
-06: https://datatracker.ietf.org/drafts/current/.
-07: http://datatracker.ietf.org/drafts/current/.

Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress."

This Internet-Draft will expire on April 25, 2019.
Copyright Notice

Copyright (c) 2018 IETF Trust and the persons identified as the
document authors. All rights reserved.

This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents
-06: (https://trustee.ietf.org/license-info)
-07: (http://trustee.ietf.org/license-info)
in effect on the date of publication of this document. Please review
these documents carefully, as they describe your rights and
restrictions with respect to this document. Code Components extracted
from this document must include Simplified BSD License text as
described in Section 4.e of the Trust Legal Provisions and are
provided without warranty as described in the Simplified BSD License.
Table of Contents (page numbers given as -06 / -07)

1. Introduction ............................................ 2 / 3
2. Terminology ............................................. 3 / 3
3. I2NSF Framework ......................................... 4 / 4
4. Time-dependent Web Access Control Service ............... 5 / 5
5. I2NSF Framework with SFC ................................ 7 / 7
6. I2NSF Framework with SDN ................................ 8 / 8
   6.1. Firewall: Centralized Firewall System ............. 11 / 10
   6.2. Deep Packet Inspection: Centralized VoIP/VoLTE
        Security System ................................... 12 / 12
   6.3. Attack Mitigation: Centralized DDoS-attack Mitigation
        System ............................................ 14 / 14
7. I2NSF Framework with NFV ............................... 16 / 16
8. Security Considerations ................................ 18 / 18
9. Acknowledgments ........................................ 18 / 18
10. Contributors .......................................... 18 / 18
11. Informative References ................................ 19 / 19
Appendix A.
   -06: Changes from draft-ietf-i2nsf-applicability-05 ........ 22
   -07: Changes from draft-ietf-i2nsf-applicability-06 ........ 21
Authors' Addresses ............................................ 22
1. Introduction

Interface to Network Security Functions (I2NSF) defines a framework
and interfaces for interacting with Network Security Functions
(NSFs). The I2NSF framework allows heterogeneous NSFs developed by
different security solution vendors to be used in the Network
Functions Virtualization (NFV) environment [ETSI-NFV] by utilizing
the capabilities of such products and the virtualization of security
functions in the NFV platform. In the I2NSF framework, each NSF

[unchanged text skipped; -06 resumes at page 18, line 43 and -07 at
page 18, line 39]

specified in the "Security Considerations" section of [ITU-T.Y.3300].
9. Acknowledgments

This work was supported by Institute for Information & communications
Technology Promotion (IITP) grant funded by the Korea government
(MSIP) (No.R-20160222-002755, Cloud based Security Intelligence
Technology Development for the Customized Security Service
Provisioning).

[paragraph added in -07:]
This work has been partially supported by the European Commission
under Horizon 2020 grant agreement no. 700199 "Securing against
intruders and other threats through a NFV-enabled environment
(SHIELD)". This support does not imply endorsement.
10. Contributors

I2NSF is a group effort. I2NSF has had a number of contributing
authors. The following are considered co-authors:

o Hyoungshick Kim (Sungkyunkwan University)
o Jinyong Tim Kim (Sungkyunkwan University)
o Hyunsik Yang (Soongsil University)
o Younghan Kim (Soongsil University)
o Jung-Soo Park (ETRI)
o Se-Hui Lee (Korea Telecom)
o Mohamed Boucadair (Orange)

11. Informative References
[AVANT-GUARD]
   Shin, S., Yegneswaran, V., Porras, P., and G. Gu, "AVANT-GUARD:
   Scalable and Vigilant Switch Flow Management in Software-Defined
   Networks", ACM CCS, November 2013.

[consumer-facing-inf-dm]
   Jeong, J., Kim, E., Ahn, T., Kumar, R., and S. Hares, "I2NSF
   Consumer-Facing Interface YANG Data Model",
   draft-ietf-i2nsf-consumer-facing-interface-dm-01 (work in
   progress), July 2018.

[consumer-facing-inf-im]
   Kumar, R., Lohiya, A., Qi, D., Bitar, N., Palislamovic, S., Xia,
   L., and J. Jeong, "Information Model for Consumer-Facing Interface
   to Security Controller",
   draft-kumar-i2nsf-client-facing-interface-im-07 (work in
   progress), July 2018.

[ETSI-NFV]
   ETSI GS NFV 002 V1.1.1, "Network Functions Virtualization (NFV);
   Architectural Framework", October 2013.

[i2nsf-nfv-architecture]
   Yang, H. and Y. Kim, "I2NSF on the NFV Reference Architecture",
   draft-yang-i2nsf-nfv-architecture-02 (work in progress), June 2018.

[i2nsf-nsf-cap-im]
   Xia, L., Strassner, J., Basile, C., and D. Lopez, "Information
   Model of NSFs Capabilities", draft-ietf-i2nsf-capability-02 (work
   in progress), July 2018.

[i2nsf-terminology]
   Hares, S., Strassner, J., Lopez, D., Xia, L., and H. Birkholz,
   "Interface to Network Security Functions (I2NSF) Terminology",
   draft-ietf-i2nsf-terminology-06 (work in progress), July 2018.

[ITU-T.X.1252]
   Recommendation ITU-T X.1252, "Baseline Identity Management Terms
   and Definitions", April 2010.

[ITU-T.X.800]
   Recommendation ITU-T X.800, "Security Architecture for Open Systems
   Interconnection for CCITT Applications", March 1991.

[ITU-T.Y.3300]
   Recommendation ITU-T Y.3300, "Framework of Software-Defined
   Networking", June 2014.

[nsf-facing-inf-dm]
   Kim, J., Jeong, J., Park, J., Hares, S., and Q. Lin, "I2NSF Network
   Security Function-Facing Interface YANG Data Model",
   draft-ietf-i2nsf-nsf-facing-interface-data-model-01 (work in
   progress), July 2018.

[nsf-triggered-steering]
   Hyun, S., Jeong, J., Park, J., and S. Hares, "Service Function
   Chaining-Enabled I2NSF Architecture",
   draft-hyun-i2nsf-nsf-triggered-steering-06 (work in progress),
   July 2018.

[ONF-OpenFlow]
   ONF, "OpenFlow Switch Specification (Version 1.4.0)", October 2013.

[ONF-SDN-Architecture]
   ONF, "SDN Architecture", June 2014.

[opsawg-firewalls]
   Baker, F. and P. Hoffman, "On Firewalls in Internet Security",
   draft-ietf-opsawg-firewalls-01 (work in progress), October 2012.

[policy-translation]
   Yang, J., Jeong, J., and J. Kim, "Security Policy Translation in
   Interface to Network Security Functions",
   draft-yang-i2nsf-security-policy-translation-01 (work in
   progress), July 2018.

[registration-inf-dm]
   Hyun, S., Jeong, J., Roh, T., Wi, S., and J. Park, "I2NSF
   Registration Interface YANG Data Model",
   draft-hyun-i2nsf-registration-dm-06 (work in progress), July 2018.

[RFC4566]
   Handley, M., Jacobson, V., and C. Perkins, "SDP: Session
   Description Protocol", RFC 4566, July 2006.

[RFC6020]
   Bjorklund, M., "YANG - A Data Modeling Language for the Network
   Configuration Protocol (NETCONF)", RFC 6020, October 2010.

[RFC6241]
   Enns, R., Bjorklund, M., Schoenwaelder, J., and A. Bierman,
   "Network Configuration Protocol (NETCONF)", RFC 6241, June 2011.

[RFC7149]
   Boucadair, M. and C. Jacquenet, "Software-Defined Networking: A
   Perspective from within a Service Provider Environment", RFC 7149,
   March 2014.

[RFC7665]
   Halpern, J. and C. Pignataro, "Service Function Chaining (SFC)
   Architecture", RFC 7665, October 2015.

[RFC8040]
   Bierman, A., Bjorklund, M., and K. Watsen, "RESTCONF Protocol",
   RFC 8040, January 2017.

[RFC8192]
   Hares, S., Lopez, D., Zarny, M., Jacquenet, C., Kumar, R., and J.
   Jeong, "Interface to Network Security Functions (I2NSF): Problem
   Statement and Use Cases", RFC 8192, July 2017.

[RFC8300]
   Quinn, P., Elzur, U., and C. Pignataro, "Network Service Header
   (NSH)", RFC 8300, January 2018.

[RFC8329]
   Lopez, D., Lopez, E., Dunbar, L., Strassner, J., and R. Kumar,
   "Framework for Interface to Network Security Functions", RFC 8329,
   February 2018.

The reference entries are identical in -06 and -07; the list above is
in the -06 order. -07 lists the same entries in this order: RFC8329,
RFC6020, RFC6241, RFC8040, consumer-facing-inf-im,
consumer-facing-inf-dm, i2nsf-nsf-cap-im, policy-translation,
nsf-facing-inf-dm, registration-inf-dm, nsf-triggered-steering,
i2nsf-nfv-architecture, RFC7149, ITU-T.Y.3300, ONF-OpenFlow,
ONF-SDN-Architecture, ITU-T.X.1252, ITU-T.X.800, AVANT-GUARD,
ETSI-NFV, RFC4566, i2nsf-terminology, opsawg-firewalls, RFC8192,
RFC7665, RFC8300.
Appendix A.

-06: Changes from draft-ietf-i2nsf-applicability-05

   The following change has been made from
   draft-ietf-i2nsf-applicability-05:

   o In Figure 3, a separate box of SFF and the relevant interfaces
     have been omitted to avoid misleading. Instead, SDN switches may
     play the role of SFF and Classifier in an SDN network.

-07: Changes from draft-ietf-i2nsf-applicability-06

   The following change has been made from
   draft-ietf-i2nsf-applicability-06:

   o Add the acknowledgment to the EU H2020 project SHIELD.
Authors' Addresses

Jaehoon Paul Jeong
Department of Software
Sungkyunkwan University
2066 Seobu-Ro, Jangan-Gu
Suwon, Gyeonggi-Do 16419
Republic of Korea

[unchanged text skipped; -06 resumes at page 23, line 4 and -07 at
page 22, line 39]

EMail: shyun@chosun.ac.kr

Tae-Jin Ahn
Korea Telecom
70 Yuseong-Ro, Yuseong-Gu
Daejeon 305-811
Republic of Korea
Phone: +82 42 870 8409
EMail: taejin.ahn@kt.com

Susan Hares
Huawei
7453 Hickory Hill
Saline, MI 48176
USA
Phone: +1-734-604-0332
EMail: shares@ndzh.com

Diego R. Lopez
Telefonica I+D
Jose Manuel Lara, 9
-06: Seville 41013
-07: Seville, 41013
Spain
Phone: +34 682 051 091
EMail: diego.r.lopez@telefonica.com

End of changes. 40 change blocks. 122 lines changed or deleted,
131 lines changed or added.

This html diff was produced by rfcdiff 1.47. The latest version is
available from http://tools.ietf.org/tools/rfcdiff/