draft-ietf-i2nsf-applicability-14.txt   draft-ietf-i2nsf-applicability-15.txt 
I2NSF Working Group J. Jeong I2NSF Working Group J. Jeong
Internet-Draft Sungkyunkwan University Internet-Draft Sungkyunkwan University
Intended status: Informational S. Hyun Intended status: Informational S. Hyun
Expires: January 21, 2020 Chosun University Expires: January 25, 2020 Chosun University
T. Ahn T. Ahn
Korea Telecom Korea Telecom
S. Hares S. Hares
Huawei Huawei
D. Lopez D. Lopez
Telefonica I+D Telefonica I+D
July 20, 2019 July 24, 2019
Applicability of Interfaces to Network Security Functions to Network- Applicability of Interfaces to Network Security Functions to Network-
Based Security Services Based Security Services
draft-ietf-i2nsf-applicability-14 draft-ietf-i2nsf-applicability-15
Abstract Abstract
This document describes the applicability of Interface to Network This document describes the applicability of Interface to Network
Security Functions (I2NSF) to network-based security services in Security Functions (I2NSF) to network-based security services in
Network Functions Virtualization (NFV) environments, such as Network Functions Virtualization (NFV) environments, such as
firewall, deep packet inspection, or attack mitigation engines. firewall, deep packet inspection, or attack mitigation engines.
Status of This Memo Status of This Memo
skipping to change at page 1, line 41 skipping to change at page 1, line 41
Internet-Drafts are working documents of the Internet Engineering Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet- working documents as Internet-Drafts. The list of current Internet-
Drafts is at https://datatracker.ietf.org/drafts/current/. Drafts is at https://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress." material or to cite them other than as "work in progress."
This Internet-Draft will expire on January 21, 2020. This Internet-Draft will expire on January 25, 2020.
Copyright Notice Copyright Notice
Copyright (c) 2019 IETF Trust and the persons identified as the Copyright (c) 2019 IETF Trust and the persons identified as the
document authors. All rights reserved. document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents Provisions Relating to IETF Documents
(https://trustee.ietf.org/license-info) in effect on the date of (https://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents publication of this document. Please review these documents
skipping to change at page 2, line 32 skipping to change at page 2, line 32
System . . . . . . . . . . . . . . . . . . . . . . . . . 15 System . . . . . . . . . . . . . . . . . . . . . . . . . 15
6.3. Attack Mitigation: Centralized DDoS-attack Mitigation 6.3. Attack Mitigation: Centralized DDoS-attack Mitigation
System . . . . . . . . . . . . . . . . . . . . . . . . . 15 System . . . . . . . . . . . . . . . . . . . . . . . . . 15
7. I2NSF Framework with NFV . . . . . . . . . . . . . . . . . . 16 7. I2NSF Framework with NFV . . . . . . . . . . . . . . . . . . 16
8. Security Considerations . . . . . . . . . . . . . . . . . . . 18 8. Security Considerations . . . . . . . . . . . . . . . . . . . 18
9. Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . 19 9. Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . 19
10. Contributors . . . . . . . . . . . . . . . . . . . . . . . . 19 10. Contributors . . . . . . . . . . . . . . . . . . . . . . . . 19
11. References . . . . . . . . . . . . . . . . . . . . . . . . . 19 11. References . . . . . . . . . . . . . . . . . . . . . . . . . 19
11.1. Normative References . . . . . . . . . . . . . . . . . . 19 11.1. Normative References . . . . . . . . . . . . . . . . . . 19
11.2. Informative References . . . . . . . . . . . . . . . . . 21 11.2. Informative References . . . . . . . . . . . . . . . . . 21
Appendix A. Changes from draft-ietf-i2nsf-applicability-13 . . . 23 Appendix A. Changes from draft-ietf-i2nsf-applicability-14 . . . 23
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 23 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 23
1. Introduction 1. Introduction
Interface to Network Security Functions (I2NSF) defines a framework Interface to Network Security Functions (I2NSF) defines a framework
and interfaces for interacting with Network Security Functions and interfaces for interacting with Network Security Functions
(NSFs). Note that an NSF is defined as software that provides a set (NSFs). Note that an NSF is defined as software that provides a set
of security-related services, such as (i) detecting unwanted of security-related services, such as (i) detecting unwanted
activity, (ii) blocking or mitigating the effect of such unwanted activity, (ii) blocking or mitigating the effect of such unwanted
activity in order to fulfil service requirements, and (iii) activity in order to fulfil service requirements, and (iii)
skipping to change at page 9, line 9 skipping to change at page 9, line 9
Transport Layer Security (TLS) [RFC8446] or the HTTP protocol with Transport Layer Security (TLS) [RFC8446] or the HTTP protocol with
TLS as HTTPS. The low-level security rules for web filter check that TLS as HTTPS. The low-level security rules for web filter check that
the target URL field of a received packet is equal to example.com, or the target URL field of a received packet is equal to example.com, or
that the destination IP address of a received packet is an IP address that the destination IP address of a received packet is an IP address
corresponding to example.com. Note that if HTTPS is used for an corresponding to example.com. Note that if HTTPS is used for an
HTTP-session packet, the HTTP protocol header is encrypted, so the HTTP-session packet, the HTTP protocol header is encrypted, so the
URL information may not be seen from the packet for the web URL information may not be seen from the packet for the web
filtering. Thus, the IP address(es) corresponding to the target URL filtering. Thus, the IP address(es) corresponding to the target URL
needs to be obtained from the certificate in TLS versions prior to needs to be obtained from the certificate in TLS versions prior to
1.3 [RFC8446] or the Server Name Indication (SNI) in a TCP-session 1.3 [RFC8446] or the Server Name Indication (SNI) in a TCP-session
packet in TLS. Also, to obtain IP address(es) corresponding to a packet in TLS versions without the encrypted SNI [tls-esni]. Also,
target URL, the DNS name resolution process can be observed through a to obtain IP address(es) corresponding to a target URL, the DNS name
packet capturing tool because the DNS name resolution will translate resolution process can be observed through a packet capturing tool
the target URL into IP address(es). The IP addresses obtained because the DNS name resolution will translate the target URL into IP
through either TLS or DNS can be used by both firewall and web filter address(es). The IP addresses obtained through either TLS or DNS can
for whitelisting or blacklisting the TCP five-tuples of HTTP be used by both firewall and web filter for whitelisting or
sessions. blacklisting the TCP five-tuples of HTTP sessions.
Finally, the Security Controller sends the low-level security rules Finally, the Security Controller sends the low-level security rules
of the IP address and port number inspection to the firewall NSF and of the IP address and port number inspection to the firewall NSF and
the low-level rules for URL inspection to the web filter NSF. the low-level rules for URL inspection to the web filter NSF.
The following describes how the time-dependent web access control The following describes how the time-dependent web access control
service is enforced by the NSFs of firewall and web filter. service is enforced by the NSFs of firewall and web filter.
1. A staff member tries to access example.com during business hours, 1. A staff member tries to access example.com during business hours,
e.g., 10 AM. e.g., 10 AM.
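Review bot: The revised sentence "the IP address(es) corresponding to the target URL needs to be obtained from the certificate ... or the Server Name Indication (SNI)" conflates two different things: neither the server certificate nor the SNI carries an IP address; both carry the server's host name, while the IP address is simply the destination address of the packets in that session. Suggest rewording to "the host name corresponding to the target URL needs to be obtained from the server certificate (visible only in TLS versions prior to 1.3 [RFC8446]) or from the SNI in the TLS ClientHello (visible only in TLS versions without the encrypted SNI [tls-esni]); the destination IP address of that session then gives the TCP five-tuple for the firewall and web filter." Two related caveats the paragraph should state: the SNI appears once, in the ClientHello at the start of the handshake, not in every "TCP-session packet," so the web filter has to track the session from the handshake onward to classify later packets; and the DNS-observation alternative presumes the name resolution is visible to the capture point, i.e. not carried over an encrypted resolver transport.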
skipping to change at page 19, line 10 skipping to change at page 19, line 10
out of scope for I2NSF. out of scope for I2NSF.
I2NSF system operators should audit and monitor interactions with I2NSF system operators should audit and monitor interactions with
DMSs. Additionally, the operators should monitor the running NSFs DMSs. Additionally, the operators should monitor the running NSFs
through the I2NSF NSF Monitoring Interface [nsf-monitoring-dm] as through the I2NSF NSF Monitoring Interface [nsf-monitoring-dm] as
part of the I2NSF NSF-Facing Interface. Note that the mechanics for part of the I2NSF NSF-Facing Interface. Note that the mechanics for
monitoring the DMSs are out of scope for I2NSF. monitoring the DMSs are out of scope for I2NSF.
9. Acknowledgments 9. Acknowledgments
This work was supported by Institute for Information & communications This work was supported by Institute of Information & Communications
Technology Promotion (IITP) grant funded by the Korea government Technology Planning & Evaluation (IITP) grant funded by the Korea
(MSIP) (No.R-20160222-002755, Cloud based Security Intelligence MSIT (Ministry of Science and ICT) (R-20160222-002755, Cloud based
Technology Development for the Customized Security Service Security Intelligence Technology Development for the Customized
Provisioning). Security Service Provisioning).
This work has been partially supported by the European Commission This work has been partially supported by the European Commission
under Horizon 2020 grant agreement no. 700199 "Securing against under Horizon 2020 grant agreement no. 700199 "Securing against
intruders and other threats through a NFV-enabled environment intruders and other threats through a NFV-enabled environment
(SHIELD)". This support does not imply endorsement. (SHIELD)". This support does not imply endorsement.
10. Contributors 10. Contributors
I2NSF is a group effort. I2NSF has had a number of contributing I2NSF is a group effort. I2NSF has had a number of contributing
authors. The following are considered co-authors: authors. The following are considered co-authors:
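Review bot: In the revised acknowledgment, "grant funded by the Korea MSIT (Ministry of Science and ICT) (R-20160222-002755, ..." stacks two parentheticals and reads awkwardly; suggest "grant funded by the Korean government (MSIT, Ministry of Science and ICT) (No. R-20160222-002755, Cloud based Security Intelligence Technology Development for the Customized Security Service Provisioning)", which also keeps the "No." prefix the previous version used for the grant number.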
skipping to change at page 21, line 18 skipping to change at page 21, line 18
11.2. Informative References 11.2. Informative References
[AVANT-GUARD] [AVANT-GUARD]
Shin, S., Yegneswaran, V., Porras, P., and G. Gu, "AVANT- Shin, S., Yegneswaran, V., Porras, P., and G. Gu, "AVANT-
GUARD: Scalable and Vigilant Switch Flow Management in GUARD: Scalable and Vigilant Switch Flow Management in
Software-Defined Networks", ACM CCS, November 2013. Software-Defined Networks", ACM CCS, November 2013.
[consumer-facing-inf-dm] [consumer-facing-inf-dm]
Jeong, J., Kim, E., Ahn, T., Kumar, R., and S. Hares, Jeong, J., Kim, E., Ahn, T., Kumar, R., and S. Hares,
"I2NSF Consumer-Facing Interface YANG Data Model", draft- "I2NSF Consumer-Facing Interface YANG Data Model", draft-
ietf-i2nsf-consumer-facing-interface-dm-05 (work in ietf-i2nsf-consumer-facing-interface-dm-06 (work in
progress), June 2019. progress), July 2019.
[ETSI-NFV-MANO] [ETSI-NFV-MANO]
"Network Functions Virtualisation (NFV); Management and "Network Functions Virtualisation (NFV); Management and
Orchestration", Available: Orchestration", Available:
https://www.etsi.org/deliver/etsi_gs/nfv- https://www.etsi.org/deliver/etsi_gs/nfv-
man/001_099/001/01.01.01_60/gs_nfv-man001v010101p.pdf, man/001_099/001/01.01.01_60/gs_nfv-man001v010101p.pdf,
December 2014. December 2014.
[i2nsf-terminology] [i2nsf-terminology]
Hares, S., Strassner, J., Lopez, D., Xia, L., and H. Hares, S., Strassner, J., Lopez, D., Xia, L., and H.
Birkholz, "Interface to Network Security Functions (I2NSF) Birkholz, "Interface to Network Security Functions (I2NSF)
Terminology", draft-ietf-i2nsf-terminology-07 (work in Terminology", draft-ietf-i2nsf-terminology-08 (work in
progress), January 2019. progress), July 2019.
[ITU-T.X.800] [ITU-T.X.800]
"Security Architecture for Open Systems Interconnection "Security Architecture for Open Systems Interconnection
for CCITT Applications", March 1991. for CCITT Applications", March 1991.
[nsf-facing-inf-dm] [nsf-facing-inf-dm]
Kim, J., Jeong, J., Park, J., Hares, S., and Q. Lin, Kim, J., Jeong, J., Park, J., Hares, S., and Q. Lin,
"I2NSF Network Security Function-Facing Interface YANG "I2NSF Network Security Function-Facing Interface YANG
Data Model", draft-ietf-i2nsf-nsf-facing-interface-dm-06 Data Model", draft-ietf-i2nsf-nsf-facing-interface-dm-07
(work in progress), June 2019. (work in progress), July 2019.
[nsf-monitoring-dm] [nsf-monitoring-dm]
Jeong, J., Chung, C., Hares, S., Xia, L., and H. Birkholz, Jeong, J., Chung, C., Hares, S., Xia, L., and H. Birkholz,
"I2NSF NSF Monitoring YANG Data Model", draft-ietf-i2nsf- "I2NSF NSF Monitoring YANG Data Model", draft-ietf-i2nsf-
nsf-monitoring-data-model-00 (work in progress), March nsf-monitoring-data-model-01 (work in progress), July
2019. 2019.
[opsawg-firewalls] [opsawg-firewalls]
Baker, F. and P. Hoffman, "On Firewalls in Internet Baker, F. and P. Hoffman, "On Firewalls in Internet
Security", draft-ietf-opsawg-firewalls-01 (work in Security", draft-ietf-opsawg-firewalls-01 (work in
progress), October 2012. progress), October 2012.
[policy-translation] [policy-translation]
Yang, J., Jeong, J., and J. Kim, "Security Policy Jeong, J., Yang, J., Chung, C., and J. Kim, "Security
Translation in Interface to Network Security Functions", Policy Translation in Interface to Network Security
draft-yang-i2nsf-security-policy-translation-03 (work in Functions", draft-yang-i2nsf-security-policy-
progress), March 2019. translation-04 (work in progress), July 2019.
[registration-inf-dm] [registration-inf-dm]
Hyun, S., Jeong, J., Roh, T., Wi, S., and J. Park, "I2NSF Hyun, S., Jeong, J., Roh, T., Wi, S., and J. Park, "I2NSF
Registration Interface YANG Data Model", draft-ietf-i2nsf- Registration Interface YANG Data Model", draft-ietf-i2nsf-
registration-interface-dm-04 (work in progress), June registration-interface-dm-05 (work in progress), July
2019. 2019.
[tls-esni]
Rescorla, E., Oku, K., Sullivan, N., and C. Wood,
"Encrypted Server Name Indication for TLS 1.3", draft-
ietf-tls-esni-04 (work in progress), July 2019.
[VNF-ONBOARDING] [VNF-ONBOARDING]
"VNF Onboarding", Available: "VNF Onboarding", Available:
https://wiki.opnfv.org/display/mano/VNF+Onboarding, https://wiki.opnfv.org/display/mano/VNF+Onboarding,
November 2016. November 2016.
Appendix A. Changes from draft-ietf-i2nsf-applicability-13 Appendix A. Changes from draft-ietf-i2nsf-applicability-14
The following changes have been made from draft-ietf-i2nsf- The following changes have been made from draft-ietf-i2nsf-
applicability-13: applicability-14:
o This version has reflected comments from Tommy Pauly who is a
member of the Transport Area Review Team (TSVART).
o In Section 4, the discussion is added to explain how to handle
HTTP-session packets using TLS in web filtering.
o Some editorial comments are reflected. o In Section 4, to handle HTTP-session packets using TLS in web
filtering, it is clarified that the Server Name Indication (SNI)
can be used to detect a website's URL if the SNI field is not
encryped in TLS versions without the encrypted SNI.
Authors' Addresses Authors' Addresses
Jaehoon Paul Jeong Jaehoon Paul Jeong
Department of Computer Science and Engineering Department of Computer Science and Engineering
Sungkyunkwan University Sungkyunkwan University
2066 Seobu-Ro, Jangan-Gu 2066 Seobu-Ro, Jangan-Gu
Suwon, Gyeonggi-Do 16419 Suwon, Gyeonggi-Do 16419
Republic of Korea Republic of Korea
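Review bot: Typo in the new Appendix A bullet: "encryped" should be "encrypted". The same bullet says the SNI "can be used to detect a website's URL"; the SNI carries only the server host name, so "detect the host name of a website" would be accurate and consistent with the Section 4 text this revision changes. Since Appendix A now records only the changes from -14, it should also list the newly added informative reference [tls-esni] (draft-ietf-tls-esni-04) and the version bumps of the [consumer-facing-inf-dm], [i2nsf-terminology], [nsf-facing-inf-dm], [nsf-monitoring-dm], [policy-translation] and [registration-inf-dm] references, which are part of this revision but not mentioned in the change log.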
End of changes. 17 change blocks. 38 lines changed or deleted, 40 lines changed or added.

This html diff was produced by rfcdiff 1.47. The latest version is available from http://tools.ietf.org/tools/rfcdiff/