draft-ietf-i2nsf-applicability-16.txt   draft-ietf-i2nsf-applicability-17.txt 
I2NSF Working Group J. Jeong I2NSF Working Group J. Jeong
Internet-Draft Sungkyunkwan University Internet-Draft Sungkyunkwan University
Intended status: Informational S. Hyun Intended status: Informational S. Hyun
Expires: January 26, 2020 Chosun University Expires: February 9, 2020 Chosun University
T. Ahn T. Ahn
Korea Telecom Korea Telecom
S. Hares S. Hares
Huawei Huawei
D. Lopez D. Lopez
Telefonica I+D Telefonica I+D
July 25, 2019 August 8, 2019
Applicability of Interfaces to Network Security Functions to Network- Applicability of Interfaces to Network Security Functions to Network-
Based Security Services Based Security Services
draft-ietf-i2nsf-applicability-16 draft-ietf-i2nsf-applicability-17
Abstract Abstract
This document describes the applicability of Interface to Network This document describes the applicability of Interface to Network
Security Functions (I2NSF) to network-based security services in Security Functions (I2NSF) to network-based security services in
Network Functions Virtualization (NFV) environments, such as Network Functions Virtualization (NFV) environments, such as
firewall, deep packet inspection, or attack mitigation engines. firewall, deep packet inspection, or attack mitigation engines.
Status of This Memo Status of This Memo
skipping to change at page 1, line 41 skipping to change at page 1, line 41
Internet-Drafts are working documents of the Internet Engineering Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet- working documents as Internet-Drafts. The list of current Internet-
Drafts is at https://datatracker.ietf.org/drafts/current/. Drafts is at https://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress." material or to cite them other than as "work in progress."
This Internet-Draft will expire on January 26, 2020. This Internet-Draft will expire on February 9, 2020.
Copyright Notice Copyright Notice
Copyright (c) 2019 IETF Trust and the persons identified as the Copyright (c) 2019 IETF Trust and the persons identified as the
document authors. All rights reserved. document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents Provisions Relating to IETF Documents
(https://trustee.ietf.org/license-info) in effect on the date of (https://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents publication of this document. Please review these documents
skipping to change at page 2, line 32 skipping to change at page 2, line 32
System . . . . . . . . . . . . . . . . . . . . . . . . . 15 System . . . . . . . . . . . . . . . . . . . . . . . . . 15
6.3. Attack Mitigation: Centralized DDoS-attack Mitigation 6.3. Attack Mitigation: Centralized DDoS-attack Mitigation
System . . . . . . . . . . . . . . . . . . . . . . . . . 15 System . . . . . . . . . . . . . . . . . . . . . . . . . 15
7. I2NSF Framework with NFV . . . . . . . . . . . . . . . . . . 16 7. I2NSF Framework with NFV . . . . . . . . . . . . . . . . . . 16
8. Security Considerations . . . . . . . . . . . . . . . . . . . 18 8. Security Considerations . . . . . . . . . . . . . . . . . . . 18
9. Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . 19 9. Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . 19
10. Contributors . . . . . . . . . . . . . . . . . . . . . . . . 19 10. Contributors . . . . . . . . . . . . . . . . . . . . . . . . 19
11. References . . . . . . . . . . . . . . . . . . . . . . . . . 19 11. References . . . . . . . . . . . . . . . . . . . . . . . . . 19
11.1. Normative References . . . . . . . . . . . . . . . . . . 19 11.1. Normative References . . . . . . . . . . . . . . . . . . 19
11.2. Informative References . . . . . . . . . . . . . . . . . 21 11.2. Informative References . . . . . . . . . . . . . . . . . 21
Appendix A. Changes from draft-ietf-i2nsf-applicability-15 . . . 23 Appendix A. Changes from draft-ietf-i2nsf-applicability-16 . . . 23
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 23 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 23
1. Introduction 1. Introduction
Interface to Network Security Functions (I2NSF) defines a framework Interface to Network Security Functions (I2NSF) defines a framework
and interfaces for interacting with Network Security Functions and interfaces for interacting with Network Security Functions
(NSFs). Note that an NSF is defined as software that provides a set (NSFs). Note that an NSF is defined as software that provides a set
of security-related services, such as (i) detecting unwanted of security-related services, such as (i) detecting unwanted
activity, (ii) blocking or mitigating the effect of such unwanted activity, (ii) blocking or mitigating the effect of such unwanted
activity in order to fulfill service requirements, and (iii) activity in order to fulfill service requirements, and (iii)
skipping to change at page 15, line 30 skipping to change at page 15, line 30
packet that exhibits some suspicious patterns, then it triggers the packet that exhibits some suspicious patterns, then it triggers the
VoIP/VoLTE security system for more specialized security analysis of VoIP/VoLTE security system for more specialized security analysis of
the suspicious VoIP call packet. the suspicious VoIP call packet.
6.3. Attack Mitigation: Centralized DDoS-attack Mitigation System 6.3. Attack Mitigation: Centralized DDoS-attack Mitigation System
A centralized DDoS-attack mitigation can manage each network resource A centralized DDoS-attack mitigation can manage each network resource
and configure rules to each switch for DDoS-attack mitigation (called and configure rules to each switch for DDoS-attack mitigation (called
DDoS-attack Mitigator) on a common server. The centralized DDoS- DDoS-attack Mitigator) on a common server. The centralized DDoS-
attack mitigation system defends servers against DDoS attacks outside attack mitigation system defends servers against DDoS attacks outside
the private network, that is, from public networks. the private network, that is, from public networks
[RFC8612][dots-architecture].
Servers are categorized into stateless servers (e.g., DNS servers) Servers are categorized into stateless servers (e.g., DNS servers)
and stateful servers (e.g., web servers). For DDoS-attack and stateful servers (e.g., web servers). For DDoS-attack
mitigation, the forwarding of traffic flows in switches can be mitigation, the forwarding of traffic flows in switches can be
dynamically configured such that malicious traffic flows are handled dynamically configured such that malicious traffic flows are handled
by the paths separated from normal traffic flows in order to minimize by the paths separated from normal traffic flows in order to minimize
the impact of those malicious traffic on the servers. This flow path the impact of those malicious traffic on the servers. This flow path
separation can be done by a flow forwarding path management scheme separation can be done by a flow forwarding path management scheme
based on [AVANT-GUARD]. This management should consider the load [dots-architecture][AVANT-GUARD]. This management should consider
balance among the switches for the defense against DDoS attacks. the load balance among the switches for the defense against DDoS
attacks.
So far this section has described the three use cases for network- So far this section has described the three use cases for network-
based security services using the I2NSF framework with SDN networks. based security services using the I2NSF framework with SDN networks.
To support these use cases in the proposed data-driven security To support these use cases in the proposed data-driven security
service framework, YANG data models described in service framework, YANG data models described in
[consumer-facing-inf-dm], [nsf-facing-inf-dm], and [consumer-facing-inf-dm], [nsf-facing-inf-dm], and
[registration-inf-dm] can be used as Consumer-Facing Interface, NSF- [registration-inf-dm] can be used as Consumer-Facing Interface, NSF-
Facing Interface, and Registration Interface, respectively, along Facing Interface, and Registration Interface, respectively, along
with RESTCONF [RFC8040] and NETCONF [RFC6241]. with RESTCONF [RFC8040] and NETCONF [RFC6241].
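Review bot: in the new text at the end of the flow-path sentence, [dots-architecture] is cited together with [AVANT-GUARD] as the basis for "a flow forwarding path management scheme", but by its title in Section 11.1 ("Distributed-Denial-of-Service Open Threat Signaling (DOTS) Architecture") that draft describes threat signaling between mitigation parties, not switch flow-path management, so the citation reads as misplaced there. Suggest keeping only [AVANT-GUARD] on that sentence and leaving the DOTS citations on the preceding sentence about defending against attacks from public networks, where "[RFC8612][dots-architecture]" is already added. While this paragraph is open, "the impact of those malicious traffic" should read "the impact of that malicious traffic".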
skipping to change at page 19, line 44 skipping to change at page 19, line 44
o Jung-Soo Park (ETRI) o Jung-Soo Park (ETRI)
o Se-Hui Lee (Korea Telecom) o Se-Hui Lee (Korea Telecom)
o Mohamed Boucadair (Orange) o Mohamed Boucadair (Orange)
11. References 11. References
11.1. Normative References 11.1. Normative References
[AVANT-GUARD]
Shin, S., Yegneswaran, V., Porras, P., and G. Gu, "AVANT-
GUARD: Scalable and Vigilant Switch Flow Management in
Software-Defined Networks", ACM CCS, November 2013.
[consumer-facing-inf-dm]
Jeong, J., Kim, E., Ahn, T., Kumar, R., and S. Hares,
"I2NSF Consumer-Facing Interface YANG Data Model", draft-
ietf-i2nsf-consumer-facing-interface-dm-06 (work in
progress), July 2019.
[dots-architecture]
Mortensen, A., Reddy, T., Andreasen, F., Teague, N., and
R. Compton, "Distributed-Denial-of-Service Open Threat
Signaling (DOTS) Architecture", draft-ietf-dots-
architecture-14 (work in progress), May 2019.
[ETSI-NFV] [ETSI-NFV]
"Network Functions Virtualisation (NFV); Architectural "Network Functions Virtualisation (NFV); Architectural
Framework", Available: Framework", Available:
https://www.etsi.org/deliver/etsi_gs/ https://www.etsi.org/deliver/etsi_gs/
nfv/001_099/002/01.01.01_60/gs_nfv002v010101p.pdf, October nfv/001_099/002/01.01.01_60/gs_nfv002v010101p.pdf, October
2013. 2013.
[ITU-T.Y.3300] [ITU-T.Y.3300]
"Framework of Software-Defined Networking", "Framework of Software-Defined Networking",
Available: https://www.itu.int/rec/T-REC-Y.3300-201406-I, Available: https://www.itu.int/rec/T-REC-Y.3300-201406-I,
June 2014. June 2014.
[NFV-Terminology] [NFV-Terminology]
"Network Functions Virtualisation (NFV); Terminology for "Network Functions Virtualisation (NFV); Terminology for
Main Concepts in NFV", Available: Main Concepts in NFV", Available:
https://www.etsi.org/deliver/etsi_gs/ https://www.etsi.org/deliver/etsi_gs/
NFV/001_099/003/01.02.01_60/gs_nfv003v010201p.pdf, NFV/001_099/003/01.02.01_60/gs_nfv003v010201p.pdf,
December 2014. December 2014.
[nsf-facing-inf-dm]
Kim, J., Jeong, J., Park, J., Hares, S., and Q. Lin,
"I2NSF Network Security Function-Facing Interface YANG
Data Model", draft-ietf-i2nsf-nsf-facing-interface-dm-07
(work in progress), July 2019.
[nsf-monitoring-dm]
Jeong, J., Chung, C., Hares, S., Xia, L., and H. Birkholz,
"I2NSF NSF Monitoring YANG Data Model", draft-ietf-i2nsf-
nsf-monitoring-data-model-01 (work in progress), July
2019.
[ONF-SDN-Architecture] [ONF-SDN-Architecture]
"SDN Architecture (Issue 1.1)", Available: "SDN Architecture (Issue 1.1)", Available:
https://www.opennetworking.org/wp- https://www.opennetworking.org/wp-
content/uploads/2014/10/TR- content/uploads/2014/10/TR-
521_SDN_Architecture_issue_1.1.pdf, June 2016. 521_SDN_Architecture_issue_1.1.pdf, June 2016.
[registration-inf-dm]
Hyun, S., Jeong, J., Roh, T., Wi, S., and J. Park, "I2NSF
Registration Interface YANG Data Model", draft-ietf-i2nsf-
registration-interface-dm-05 (work in progress), July
2019.
[RFC6020] Bjorklund, M., "YANG - A Data Modeling Language for the [RFC6020] Bjorklund, M., "YANG - A Data Modeling Language for the
Network Configuration Protocol (NETCONF)", RFC 6020, Network Configuration Protocol (NETCONF)", RFC 6020,
October 2010. October 2010.
[RFC6241] Enns, R., Bjorklund, M., Schoenwaelder, J., and A. [RFC6241] Enns, R., Bjorklund, M., Schoenwaelder, J., and A.
Bierman, "Network Configuration Protocol (NETCONF)", Bierman, "Network Configuration Protocol (NETCONF)",
RFC 6241, June 2011. RFC 6241, June 2011.
[RFC7149] Boucadair, M. and C. Jacquenet, "Software-Defined [RFC7149] Boucadair, M. and C. Jacquenet, "Software-Defined
Networking: A Perspective from within a Service Provider Networking: A Perspective from within a Service Provider
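Review bot: every entry moved into Section 11.1 here ([consumer-facing-inf-dm], [nsf-facing-inf-dm], [nsf-monitoring-dm], [registration-inf-dm]) and the newly added [dots-architecture] is marked "(work in progress)", so listing them as Normative makes publication of this document wait until each of those drafts is published as an RFC, and the citations are pinned to specific revisions (-06, -07, -01, -05, -14) that will be stale by then. Suggest the WG confirm it wants that dependency; the text in Section 6 only says these YANG models "can be used" over the three interfaces, which reads as an informative relationship. [AVANT-GUARD], an ACM CCS paper, is also now Normative although Section 6.3 cites it only as one possible scheme for flow path separation.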
skipping to change at page 21, line 8 skipping to change at page 21, line 44
[RFC8300] Quinn, P., Elzur, U., and C. Pignataro, "Network Service [RFC8300] Quinn, P., Elzur, U., and C. Pignataro, "Network Service
Header (NSH)", RFC 8300, January 2018. Header (NSH)", RFC 8300, January 2018.
[RFC8329] Lopez, D., Lopez, E., Dunbar, L., Strassner, J., and R. [RFC8329] Lopez, D., Lopez, E., Dunbar, L., Strassner, J., and R.
Kumar, "Framework for Interface to Network Security Kumar, "Framework for Interface to Network Security
Functions", RFC 8329, February 2018. Functions", RFC 8329, February 2018.
[RFC8446] Rescorla, E., "The Transport Layer Security (TLS) Protocol [RFC8446] Rescorla, E., "The Transport Layer Security (TLS) Protocol
Version 1.3", RFC 8446, August 2018. Version 1.3", RFC 8446, August 2018.
11.2. Informative References [RFC8612] Mortensen, A., Reddy, T., and R. Moskowitz, "DDoS Open
Threat Signaling (DOTS) Requirements", RFC 8612, May 2019.
[AVANT-GUARD]
Shin, S., Yegneswaran, V., Porras, P., and G. Gu, "AVANT-
GUARD: Scalable and Vigilant Switch Flow Management in
Software-Defined Networks", ACM CCS, November 2013.
[consumer-facing-inf-dm] 11.2. Informative References
Jeong, J., Kim, E., Ahn, T., Kumar, R., and S. Hares,
"I2NSF Consumer-Facing Interface YANG Data Model", draft-
ietf-i2nsf-consumer-facing-interface-dm-06 (work in
progress), July 2019.
[ETSI-NFV-MANO] [ETSI-NFV-MANO]
"Network Functions Virtualisation (NFV); Management and "Network Functions Virtualisation (NFV); Management and
Orchestration", Available: Orchestration", Available:
https://www.etsi.org/deliver/etsi_gs/nfv- https://www.etsi.org/deliver/etsi_gs/nfv-
man/001_099/001/01.01.01_60/gs_nfv-man001v010101p.pdf, man/001_099/001/01.01.01_60/gs_nfv-man001v010101p.pdf,
December 2014. December 2014.
[i2nsf-terminology] [i2nsf-terminology]
Hares, S., Strassner, J., Lopez, D., Xia, L., and H. Hares, S., Strassner, J., Lopez, D., Xia, L., and H.
Birkholz, "Interface to Network Security Functions (I2NSF) Birkholz, "Interface to Network Security Functions (I2NSF)
Terminology", draft-ietf-i2nsf-terminology-08 (work in Terminology", draft-ietf-i2nsf-terminology-08 (work in
progress), July 2019. progress), July 2019.
[ITU-T.X.800] [ITU-T.X.800]
"Security Architecture for Open Systems Interconnection "Security Architecture for Open Systems Interconnection
for CCITT Applications", March 1991. for CCITT Applications", March 1991.
[nsf-facing-inf-dm]
Kim, J., Jeong, J., Park, J., Hares, S., and Q. Lin,
"I2NSF Network Security Function-Facing Interface YANG
Data Model", draft-ietf-i2nsf-nsf-facing-interface-dm-07
(work in progress), July 2019.
[nsf-monitoring-dm]
Jeong, J., Chung, C., Hares, S., Xia, L., and H. Birkholz,
"I2NSF NSF Monitoring YANG Data Model", draft-ietf-i2nsf-
nsf-monitoring-data-model-01 (work in progress), July
2019.
[opsawg-firewalls] [opsawg-firewalls]
Baker, F. and P. Hoffman, "On Firewalls in Internet Baker, F. and P. Hoffman, "On Firewalls in Internet
Security", draft-ietf-opsawg-firewalls-01 (work in Security", draft-ietf-opsawg-firewalls-01 (work in
progress), October 2012. progress), October 2012.
[policy-translation] [policy-translation]
Jeong, J., Yang, J., Chung, C., and J. Kim, "Security Jeong, J., Yang, J., Chung, C., and J. Kim, "Security
Policy Translation in Interface to Network Security Policy Translation in Interface to Network Security
Functions", draft-yang-i2nsf-security-policy- Functions", draft-yang-i2nsf-security-policy-
translation-04 (work in progress), July 2019. translation-04 (work in progress), July 2019.
[registration-inf-dm]
Hyun, S., Jeong, J., Roh, T., Wi, S., and J. Park, "I2NSF
Registration Interface YANG Data Model", draft-ietf-i2nsf-
registration-interface-dm-05 (work in progress), July
2019.
[tls-esni] [tls-esni]
Rescorla, E., Oku, K., Sullivan, N., and C. Wood, Rescorla, E., Oku, K., Sullivan, N., and C. Wood,
"Encrypted Server Name Indication for TLS 1.3", draft- "Encrypted Server Name Indication for TLS 1.3", draft-
ietf-tls-esni-04 (work in progress), July 2019. ietf-tls-esni-04 (work in progress), July 2019.
[VNF-ONBOARDING] [VNF-ONBOARDING]
"VNF Onboarding", Available: "VNF Onboarding", Available:
https://wiki.opnfv.org/display/mano/VNF+Onboarding, https://wiki.opnfv.org/display/mano/VNF+Onboarding,
November 2016. November 2016.
Appendix A. Changes from draft-ietf-i2nsf-applicability-15 Appendix A. Changes from draft-ietf-i2nsf-applicability-16
The following changes have been made from draft-ietf-i2nsf- The following changes have been made from draft-ietf-i2nsf-
applicability-15: applicability-16:
o This version reflects the comments from Francis Dupont who is a o The data model drafts for I2NSF are referenced as Normative
member of the General Area Review Team (Gen-ART) for review. That references rather than Informative references.
is, a typo of "fulfil" is corrected as "fulfill".
o An RFC and a draft for Distributed-Denial-of-Service Open Threat
Signaling (DOTS) are referenced for attack mitigation.
Authors' Addresses Authors' Addresses
Jaehoon Paul Jeong Jaehoon Paul Jeong
Department of Computer Science and Engineering Department of Computer Science and Engineering
Sungkyunkwan University Sungkyunkwan University
2066 Seobu-Ro, Jangan-Gu 2066 Seobu-Ro, Jangan-Gu
Suwon, Gyeonggi-Do 16419 Suwon, Gyeonggi-Do 16419
Republic of Korea Republic of Korea
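Review bot: the first bullet of Appendix A says only the data model drafts were made Normative, but the Section 11 diff also moves [AVANT-GUARD] from Informative to Normative and adds [dots-architecture] (a draft, not an RFC) under Normative; suggest the change list name every reference whose category changed, and that the second bullet say where the DOTS citations were added (Section 6.3).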