draft-ietf-i2nsf-applicability-15.txt vs. draft-ietf-i2nsf-applicability-16.txt
(rfcdiff rendering; lines that differ between the two versions are shown as
[-15] / [-16] pairs, all other lines are identical in both)

I2NSF Working Group                                            J. Jeong
Internet-Draft                                   Sungkyunkwan University
Intended status: Informational                                   S. Hyun
[-15] Expires: January 25, 2020                        Chosun University
[-16] Expires: January 26, 2020                        Chosun University
                                                                  T. Ahn
                                                            Korea Telecom
                                                                 S. Hares
                                                                   Huawei
                                                                 D. Lopez
                                                           Telefonica I+D
[-15] July 24, 2019
[-16] July 25, 2019

        Applicability of Interfaces to Network Security Functions to
                        Network-Based Security Services
[-15]               draft-ietf-i2nsf-applicability-15
[-16]               draft-ietf-i2nsf-applicability-16
Abstract

   This document describes the applicability of Interface to Network
   Security Functions (I2NSF) to network-based security services in
   Network Functions Virtualization (NFV) environments, such as
   firewall, deep packet inspection, or attack mitigation engines.

Status of This Memo

   [... skipping to change at page 1, line 41 ...]

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF).  Note that other groups may also distribute
   working documents as Internet-Drafts.  The list of current
   Internet-Drafts is at https://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   [-15] This Internet-Draft will expire on January 25, 2020.
   [-16] This Internet-Draft will expire on January 26, 2020.

Copyright Notice

   Copyright (c) 2019 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (https://trustee.ietf.org/license-info) in effect on the date of
   publication of this document.  Please review these documents
   [... skipping to change at page 2, line 32 ...]

           System . . . . . . . . . . . . . . . . . . . . . . . . . 15
     6.3.  Attack Mitigation: Centralized DDoS-attack Mitigation
           System . . . . . . . . . . . . . . . . . . . . . . . . . 15
   7.  I2NSF Framework with NFV . . . . . . . . . . . . . . . . . . 16
   8.  Security Considerations . . . . . . . . . . . . . . . . . . . 18
   9.  Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . 19
   10. Contributors . . . . . . . . . . . . . . . . . . . . . . . . 19
   11. References . . . . . . . . . . . . . . . . . . . . . . . . . 19
     11.1.  Normative References . . . . . . . . . . . . . . . . . . 19
     11.2.  Informative References . . . . . . . . . . . . . . . . . 21
   [-15] Appendix A.  Changes from draft-ietf-i2nsf-applicability-14 . . . 23
   [-16] Appendix A.  Changes from draft-ietf-i2nsf-applicability-15 . . . 23
   Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 23
1.  Introduction

   Interface to Network Security Functions (I2NSF) defines a framework
   and interfaces for interacting with Network Security Functions
   (NSFs).  Note that an NSF is defined as software that provides a set
   of security-related services, such as (i) detecting unwanted
   activity, (ii) blocking or mitigating the effect of such unwanted
   activity in order to [-15: fulfil | -16: fulfill] service
   requirements, and (iii) supporting communication stream integrity
   and confidentiality [i2nsf-terminology].

   The I2NSF framework allows heterogeneous NSFs developed by different
   security solution vendors to be used in the Network Functions
   Virtualization (NFV) environment [ETSI-NFV] by utilizing the
   capabilities of such NSFs through I2NSF interfaces such as the
   Customer-Facing Interface [consumer-facing-inf-dm] and the NSF-Facing
   Interface [nsf-facing-inf-dm].  In the I2NSF framework, each NSF
   initially registers the profile of its own capabilities with the
   Security
   [... skipping to change at page 4, line 18 ...]

      operation of network services in a dynamic and scalable manner
      [ITU-T.Y.3300].

   o  Network Function: A functional block within a network
      infrastructure that has well-defined external interfaces and
      well-defined functional behavior [NFV-Terminology].

   o  Network Security Function (NSF): Software that provides a set of
      security-related services.  Examples include detecting unwanted
      activity and blocking or mitigating the effect of such unwanted
      activity in order to [-15: fulfil | -16: fulfill] service
      requirements.  The NSF can also help in supporting communication
      stream integrity and confidentiality [i2nsf-terminology].

   o  Network Functions Virtualization (NFV): A principle of separating
      network functions (or network security functions) from the
      hardware they run on by using virtual hardware abstraction
      [NFV-Terminology].

   o  Service Function Chaining (SFC): The execution of an ordered set
      of abstract service functions (i.e., network functions) according
   [... skipping to change at page 23, line 5 ...]

   [tls-esni]
              Rescorla, E., Oku, K., Sullivan, N., and C. Wood,
              "Encrypted Server Name Indication for TLS 1.3",
              draft-ietf-tls-esni-04 (work in progress), July 2019.

   [VNF-ONBOARDING]
              "VNF Onboarding", Available:
              https://wiki.opnfv.org/display/mano/VNF+Onboarding,
              November 2016.
   [-15] Appendix A.  Changes from draft-ietf-i2nsf-applicability-14

      The following changes have been made from
      draft-ietf-i2nsf-applicability-14:

      o  In Section 4, to handle HTTP-session packets using TLS in web
         filtering, it is clarified that the Server Name Indication
         (SNI) can be used to identify the destination web site (its
         host name; the URL path stays inside the encrypted HTTP
         request) when the SNI field is not encrypted, i.e., in TLS
         versions without encrypted SNI.

   [-16] Appendix A.  Changes from draft-ietf-i2nsf-applicability-15

      The following changes have been made from
      draft-ietf-i2nsf-applicability-15:

      o  This version reflects the review comments from Francis Dupont,
         a member of the General Area Review Team (Gen-ART): the typo
         "fulfil" is corrected to "fulfill".
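The -15 change note above says a web filter can read the destination host name from the plaintext SNI extension of a TLS ClientHello, and that this no longer works once the SNI is encrypted. The following Python is an added example, not code from the draft or from any I2NSF implementation: it builds a constructed ClientHello (not captured traffic), extracts the plaintext server_name, and shows the policy fallback a filter needs when no plaintext SNI is present. The ESNI extension codepoint 0xffce is taken from the ESNI drafts of that period and is an assumption here; the deny-list and the default verdict are illustrative.

```python
"""Plaintext SNI extraction from a TLS ClientHello, for an SNI-based web filter.

Added example (not code from the I2NSF drafts).  The ClientHello is constructed
inline so the module runs offline; it is not captured traffic.
"""
import struct
from typing import Iterable, Optional, Tuple

SNI_EXT = 0x0000    # server_name extension type (RFC 6066)
ESNI_EXT = 0xFFCE   # encrypted_server_name codepoint used by the ESNI drafts (assumption)


def build_client_hello(server_name: Optional[str],
                       extra_exts: Iterable[Tuple[int, bytes]] = ()) -> bytes:
    """Construct a minimal TLS ClientHello record (sample input, not real traffic)."""
    exts = b""
    if server_name is not None:
        name = server_name.encode("ascii")
        entry = b"\x00" + struct.pack("!H", len(name)) + name        # host_name entry
        sni_body = struct.pack("!H", len(entry)) + entry              # server_name_list
        exts += struct.pack("!HH", SNI_EXT, len(sni_body)) + sni_body
    for ext_type, body in extra_exts:
        exts += struct.pack("!HH", ext_type, len(body)) + body
    hello = (b"\x03\x03"                            # client_version (TLS 1.2 on the wire)
             + b"\x11" * 32                         # random, fixed for the example
             + b"\x00"                              # empty session_id
             + struct.pack("!H", 2) + b"\x13\x01"   # one cipher suite
             + b"\x01\x00"                          # compression_methods: null only
             + struct.pack("!H", len(exts)) + exts)
    handshake = b"\x01" + len(hello).to_bytes(3, "big") + hello      # type = client_hello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def parse_client_hello(record: bytes) -> dict:
    """Return {"sni": host name or None, "extensions": [types]} for one ClientHello record."""
    if len(record) < 5 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if len(hs) < 4 or hs[0] != 0x01:
        raise ValueError("not a ClientHello")
    body_len = int.from_bytes(hs[1:4], "big")
    body = hs[4:4 + body_len]
    if len(body) != body_len:
        raise ValueError("truncated ClientHello")
    try:
        pos = 2 + 32                                          # skip version and random
        pos += 1 + body[pos]                                  # session_id
        pos += 2 + struct.unpack("!H", body[pos:pos + 2])[0]  # cipher_suites
        pos += 1 + body[pos]                                  # compression_methods
    except (IndexError, struct.error):
        raise ValueError("truncated ClientHello fields")

    result = {"sni": None, "extensions": []}
    if pos + 2 > len(body):
        return result                                         # no extensions block (legal)
    ext_len = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    end = pos + ext_len
    if end > len(body):
        raise ValueError("extensions block overruns ClientHello")
    while pos + 4 <= end:
        ext_type, elen = struct.unpack("!HH", body[pos:pos + 4])
        pos += 4
        data = body[pos:pos + elen]
        pos += elen
        if len(data) != elen:
            raise ValueError("extension overruns extensions block")
        result["extensions"].append(ext_type)
        if ext_type == SNI_EXT and len(data) >= 2:
            list_end = 2 + struct.unpack("!H", data[:2])[0]
            p = 2
            while p + 3 <= min(list_end, len(data)):
                name_type = data[p]
                name_len = struct.unpack("!H", data[p + 1:p + 3])[0]
                name = data[p + 3:p + 3 + name_len]
                p += 3 + name_len
                if name_type == 0 and len(name) == name_len and result["sni"] is None:
                    result["sni"] = name.decode("ascii", errors="replace")
    return result


def web_filter_verdict(record: bytes, denylist: Iterable[str], default: str = "deny") -> str:
    """Allow/deny on the plaintext SNI; with no plaintext SNI (e.g. ESNI) return `default`."""
    info = parse_client_hello(record)
    if info["sni"] is None:
        return default            # the filter cannot see the real destination: policy decision
    host = info["sni"].lower().rstrip(".")
    for blocked in denylist:
        blocked = blocked.lower()
        if host == blocked or host.endswith("." + blocked):
            return "deny"
    return "allow"


if __name__ == "__main__":
    plain = build_client_hello("www.example.com")
    print(parse_client_hello(plain)["sni"], web_filter_verdict(plain, ["example.com"]))
    esni = build_client_hello(None, [(ESNI_EXT, b"\x00" * 8)])   # real name only in the encrypted ext
    print(parse_client_hello(esni), web_filter_verdict(esni, ["example.com"], default="allow"))
```

Matching is on the host name only; the path and query of the URL travel inside the encrypted HTTP request and are never visible to this filter. Whether a ClientHello without a plaintext SNI is allowed or denied is a policy choice the operator has to make explicitly, which is why `web_filter_verdict` takes the default as a parameter rather than silently allowing.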
Authors' Addresses

   Jaehoon Paul Jeong
   Department of Computer Science and Engineering
   Sungkyunkwan University
   2066 Seobu-Ro, Jangan-Gu
   Suwon, Gyeonggi-Do 16419
   Republic of Korea

End of changes.  10 change blocks.  13 lines changed or deleted, 12 lines changed or added.

This html diff was produced by rfcdiff 1.47.  The latest version is
available from http://tools.ietf.org/tools/rfcdiff/