| draft-ietf-i2nsf-applicability-01.txt | draft-ietf-i2nsf-applicability-02.txt | |||
|---|---|---|---|---|
| Network Working Group J. Jeong | Network Working Group J. Jeong | |||
| Internet-Draft S. Hyun | Internet-Draft S. Hyun | |||
| Intended status: Informational Sungkyunkwan University | Intended status: Informational Sungkyunkwan University | |||
| Expires: May 18, 2018 T. Ahn | Expires: September 6, 2018 T. Ahn | |||
| Korea Telecom | Korea Telecom | |||
| S. Hares | S. Hares | |||
| Huawei | Huawei | |||
| D. Lopez | D. Lopez | |||
| Telefonica I+D | Telefonica I+D | |||
| November 14, 2017 | March 5, 2018 | |||
| Applicability of Interfaces to Network Security Functions to Network- | Applicability of Interfaces to Network Security Functions to Network- | |||
| Based Security Services | Based Security Services | |||
| draft-ietf-i2nsf-applicability-01 | draft-ietf-i2nsf-applicability-02 | |||
| Abstract | Abstract | |||
| This document describes the applicability of Interface to Network | This document describes the applicability of Interface to Network | |||
| Security Functions (I2NSF) to network-based security services in | Security Functions (I2NSF) to network-based security services in | |||
| Network Functions Virtualization (NFV) environments, such as | Network Functions Virtualization (NFV) environments, such as | |||
| firewall, deep packet inspection, or attack mitigation engines. | firewall, deep packet inspection, or attack mitigation engines. | |||
| Status of This Memo | Status of This Memo | |||
| skipping to change at page 1, line 40 ¶ | skipping to change at page 1, line 40 ¶ | |||
| Internet-Drafts are working documents of the Internet Engineering | Internet-Drafts are working documents of the Internet Engineering | |||
| Task Force (IETF). Note that other groups may also distribute | Task Force (IETF). Note that other groups may also distribute | |||
| working documents as Internet-Drafts. The list of current Internet- | working documents as Internet-Drafts. The list of current Internet- | |||
| Drafts is at https://datatracker.ietf.org/drafts/current/. | Drafts is at https://datatracker.ietf.org/drafts/current/. | |||
| Internet-Drafts are draft documents valid for a maximum of six months | Internet-Drafts are draft documents valid for a maximum of six months | |||
| and may be updated, replaced, or obsoleted by other documents at any | and may be updated, replaced, or obsoleted by other documents at any | |||
| time. It is inappropriate to use Internet-Drafts as reference | time. It is inappropriate to use Internet-Drafts as reference | |||
| material or to cite them other than as "work in progress." | material or to cite them other than as "work in progress." | |||
| This Internet-Draft will expire on May 18, 2018. | This Internet-Draft will expire on September 6, 2018. | |||
| Copyright Notice | Copyright Notice | |||
| Copyright (c) 2017 IETF Trust and the persons identified as the | Copyright (c) 2018 IETF Trust and the persons identified as the | |||
| document authors. All rights reserved. | document authors. All rights reserved. | |||
| This document is subject to BCP 78 and the IETF Trust's Legal | This document is subject to BCP 78 and the IETF Trust's Legal | |||
| Provisions Relating to IETF Documents | Provisions Relating to IETF Documents | |||
| (https://trustee.ietf.org/license-info) in effect on the date of | (https://trustee.ietf.org/license-info) in effect on the date of | |||
| publication of this document. Please review these documents | publication of this document. Please review these documents | |||
| carefully, as they describe your rights and restrictions with respect | carefully, as they describe your rights and restrictions with respect | |||
| to this document. Code Components extracted from this document must | to this document. Code Components extracted from this document must | |||
| include Simplified BSD License text as described in Section 4.e of | include Simplified BSD License text as described in Section 4.e of | |||
| the Trust Legal Provisions and are provided without warranty as | the Trust Legal Provisions and are provided without warranty as | |||
| described in the Simplified BSD License. | described in the Simplified BSD License. | |||
| Table of Contents | Table of Contents | |||
| 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2 | 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2 | |||
| 2. Terminology . . . . . . . . . . . . . . . . . . . . . . . . . 3 | 2. Terminology . . . . . . . . . . . . . . . . . . . . . . . . . 3 | |||
| 3. I2NSF Framework . . . . . . . . . . . . . . . . . . . . . . . 4 | 3. I2NSF Framework . . . . . . . . . . . . . . . . . . . . . . . 4 | |||
| 3.1. Time-dependent Web Access Control Service . . . . . . . . 5 | 3.1. Time-dependent Web Access Control Service . . . . . . . . 5 | |||
| 4. I2NSF Framework with SDN . . . . . . . . . . . . . . . . . . 7 | 4. I2NSF Framework with SDN . . . . . . . . . . . . . . . . . . 7 | |||
| 4.1. Firewall: Centralized Firewall System . . . . . . . . . . 9 | 4.1. Firewall: Centralized Firewall System . . . . . . . . . . 10 | |||
| 4.2. Deep Packet Inspection: Centralized VoIP/VoLTE Security | 4.2. Deep Packet Inspection: Centralized VoIP/VoLTE Security | |||
| System . . . . . . . . . . . . . . . . . . . . . . . . . 10 | System . . . . . . . . . . . . . . . . . . . . . . . . . 11 | |||
| 4.3. Attack Mitigation: Centralized DDoS-attack Mitigation | 4.3. Attack Mitigation: Centralized DDoS-attack Mitigation | |||
| System . . . . . . . . . . . . . . . . . . . . . . . . . 12 | System . . . . . . . . . . . . . . . . . . . . . . . . . 13 | |||
| 5. Security Considerations . . . . . . . . . . . . . . . . . . . 14 | 5. Security Considerations . . . . . . . . . . . . . . . . . . . 15 | |||
| 6. Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . 14 | 6. Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . 15 | |||
| 7. Contributors . . . . . . . . . . . . . . . . . . . . . . . . 14 | 7. Contributors . . . . . . . . . . . . . . . . . . . . . . . . 15 | |||
| 8. Informative References . . . . . . . . . . . . . . . . . . . 14 | 8. Informative References . . . . . . . . . . . . . . . . . . . 15 | |||
| Appendix A. Changes from draft-ietf-i2nsf-applicability-01 . . . 18 | Appendix A. Changes from draft-ietf-i2nsf-applicability-01 . . . 19 | |||
| Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 18 | Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 19 | |||
| 1. Introduction | 1. Introduction | |||
| Interface to Network Security Functions (I2NSF) defined a framework | Interface to Network Security Functions (I2NSF) defined a framework | |||
| and interfaces for interacting with Network Security Functions | and interfaces for interacting with Network Security Functions | |||
| (NSFs). The I2NSF framework allows heterogeneous NSFs developed by | (NSFs). The I2NSF framework allows heterogeneous NSFs developed by | |||
| different security solution vendors to be used in the NFV environment | different security solution vendors to be used in the NFV environment | |||
| by utilizing the capabilities of such products and the virtualization | by utilizing the capabilities of such products and the virtualization | |||
| of security functions in the NFV platform. In the I2NSF framework, | of security functions in the NFV platform. In the I2NSF framework, | |||
| each NSF initially registers the profile of its own capabilities into | each NSF initially registers the profile of its own capabilities into | |||
| skipping to change at page 3, line 11 ¶ | skipping to change at page 3, line 11 ¶ | |||
| efficient security services and use cases, such as firewall | efficient security services and use cases, such as firewall | |||
| [opsawg-firewalls], Deep Packet Inspection (DPI), and Distributed | [opsawg-firewalls], Deep Packet Inspection (DPI), and Distributed | |||
| Denial of Service (DDoS) attack mitigation. We implemented the I2NSF | Denial of Service (DDoS) attack mitigation. We implemented the I2NSF | |||
| framework based on SDN for these use cases, and the implementation | framework based on SDN for these use cases, and the implementation | |||
| successfully verified the effectiveness of the I2NSF framework. | successfully verified the effectiveness of the I2NSF framework. | |||
| 2. Terminology | 2. Terminology | |||
| This document uses the terminology described in [RFC7149], | This document uses the terminology described in [RFC7149], | |||
| [ITU-T.Y.3300], [ONF-OpenFlow], [ONF-SDN-Architecture], | [ITU-T.Y.3300], [ONF-OpenFlow], [ONF-SDN-Architecture], | |||
| [ITU-T.X.1252], [ITU-T.X.800], [i2nsf-framework], | [ITU-T.X.1252], [ITU-T.X.800], [RFC8329], [i2nsf-terminology], | |||
| [i2nsf-terminology], [consumer-facing-inf-im], | [consumer-facing-inf-im], [consumer-facing-inf-dm], | |||
| [consumer-facing-inf-dm], [i2nsf-nsf-cap-im], [nsf-facing-inf-dm], | [i2nsf-nsf-cap-im], [nsf-facing-inf-dm], [registration-inf-im], | |||
| [registration-inf-im], [registration-inf-dm], and | [registration-inf-dm], and [nsf-triggered-steering]. In addition, | |||
| [nsf-triggered-steering]. In addition, the following terms are | the following terms are defined below: | |||
| defined below: | ||||
| o Software-Defined Networking (SDN): A set of techniques that | o Software-Defined Networking (SDN): A set of techniques that | |||
| enables to directly program, orchestrate, control, and manage | enables to directly program, orchestrate, control, and manage | |||
| network resources, which facilitates the design, delivery and | network resources, which facilitates the design, delivery and | |||
| operation of network services in a dynamic and scalable manner | operation of network services in a dynamic and scalable manner | |||
| [ITU-T.Y.3300]. | [ITU-T.Y.3300]. | |||
| o Firewall: A service function at the junction of two network | o Firewall: A service function at the junction of two network | |||
| segments that inspects every packet that attempts to cross the | segments that inspects every packet that attempts to cross the | |||
| boundary. It also rejects any packet that does not satisfy | boundary. It also rejects any packet that does not satisfy | |||
| skipping to change at page 4, line 8 ¶ | skipping to change at page 4, line 8 ¶ | |||
| network resources for efficient DDoS-attack mitigation. These | network resources for efficient DDoS-attack mitigation. These | |||
| rules can be managed dynamically by a centralized server for DDoS- | rules can be managed dynamically by a centralized server for DDoS- | |||
| attack mitigation. The SDN controller and switches can | attack mitigation. The SDN controller and switches can | |||
| cooperatively work as a network-based firewall system through a | cooperatively work as a network-based firewall system through a | |||
| standard interface between an SDN switch and a firewall function | standard interface between an SDN switch and a firewall function | |||
| as a VNF running in the SDN controller. | as a VNF running in the SDN controller. | |||
| 3. I2NSF Framework | 3. I2NSF Framework | |||
| This section describes an I2NSF framework and its use case. Figure 1 | This section describes an I2NSF framework and its use case. Figure 1 | |||
| shows an I2NSF framework [i2nsf-framework] to support network-based | shows an I2NSF framework [RFC8329] to support network-based security | |||
| security services. As shown in Figure 1, I2NSF User can use security | services. As shown in Figure 1, I2NSF User can use security | |||
| functions by delivering high-level security policies, which specify | functions by delivering high-level security policies, which specify | |||
| security requirements the I2NSF user wants to enforce, to the | security requirements the I2NSF user wants to enforce, to the | |||
| Security Controller via the Consumer-Facing Interface | Security Controller via the Consumer-Facing Interface | |||
| [consumer-facing-inf-im][consumer-facing-inf-dm]. | [consumer-facing-inf-im][consumer-facing-inf-dm]. | |||
| The Security Controller receives and analyzes the high-level security | The Security Controller receives and analyzes the high-level security | |||
| policies from an I2NSF User, and identifies what types of security | policies from an I2NSF User, and identifies what types of security | |||
| capabilities are required to meet these high-level security policies. | capabilities are required to meet these high-level security policies. | |||
| The Security Controller then identifies NSFs that have the required | The Security Controller then identifies NSFs that have the required | |||
| security capabilities, and generates low-level security policies for | security capabilities, and generates low-level security policies for | |||
| skipping to change at page 7, line 24 ¶ | skipping to change at page 7, line 24 ¶ | |||
| 4. I2NSF Framework with SDN | 4. I2NSF Framework with SDN | |||
| This section describes an I2NSF framework with SDN for I2NSF | This section describes an I2NSF framework with SDN for I2NSF | |||
| applicability and use cases, such as firewall, deep packet | applicability and use cases, such as firewall, deep packet | |||
| inspection, and DDoS-attack mitigation functions. SDN enables some | inspection, and DDoS-attack mitigation functions. SDN enables some | |||
| packet filtering rules to be enforced in the network switches by | packet filtering rules to be enforced in the network switches by | |||
| controlling their packet forwarding rules. By taking advantage of | controlling their packet forwarding rules. By taking advantage of | |||
| this capability of SDN, it is possible to optimize the process of | this capability of SDN, it is possible to optimize the process of | |||
| security service enforcement in the I2NSF system. | security service enforcement in the I2NSF system. | |||
| Figure 2 shows an I2NSF framework [i2nsf-framework] with SDN networks | Figure 2 shows an I2NSF framework [RFC8329] with SDN networks to | |||
| to support network-based security services. In this system, the | support network-based security services. In this system, the | |||
| enforcement of security policy rules is divided into the SDN switches | enforcement of security policy rules is divided into the SDN switches | |||
| and NSFs. Especially, SDN switches enforce simple packet filtering | and NSFs. Especially, SDN switches enforce simple packet filtering | |||
| rules that can be translated into their packet forwarding rules, | rules that can be translated into their packet forwarding rules, | |||
| whereas NSFs enforce NSF-related security rules requiring the | whereas NSFs enforce NSF-related security rules requiring the | |||
| security capabilities of the NSFs. For this purpose, the Security | security capabilities of the NSFs. For this purpose, the Security | |||
| Controller instructs the Switch Controller via NSF-Facing Interface | Controller instructs the Switch Controller via NSF-Facing Interface | |||
| so that SDN switches can perform the required security services with | so that SDN switches can perform the required security services with | |||
| flow tables under the supervision of the Switch Controller (i.e., SDN | flow tables under the supervision of the Switch Controller (i.e., SDN | |||
| Controller). | Controller). | |||
| As an example, let us consider two different types of security rules: | ||||
| Rule A is a simple packet fltering rule that checks only the IP | ||||
| address and port number of a given packet, whereas rule B is a time- | ||||
| consuming packet inspection rule for analyzing whether an attached | ||||
| file being transmitted over a flow of packets contains malware. Rule | ||||
| A can be translated into packet forwarding rules of SDN switches and | ||||
| thus be enforced by the switches. In contrast, rule B cannot be | ||||
| enforced by switches, but it can be enforced by NSFs with anti- | ||||
| malware capability. Specifically, a flow of packets is forwarded to | ||||
| and reassembled by an NSF to reconstruct the attached file stored in | ||||
| the flow of packets. The NSF then analyzes the file to check the | ||||
| existence of malware. If the file contains malware, the NSF drops | ||||
| the packets. | ||||
| In an I2NSF framework with SDN, the Security Controller can analyze | ||||
| given security policy rules and automatically determine which of the | ||||
| given security policy rules should be enforced by SDN switches and | ||||
| which should be enforced by NSFs. If some of the given rules | ||||
| requires security capabilities that can be provided by SDN switches, | ||||
| then the Security Controller instructs the Switch Controller via NSF- | ||||
| Facing Interface so that SDN switches can enforce those security | ||||
| policy rules with flow tables under the supervision of the Switch | ||||
| Controller (i.e., SDN Controller). Or if some rules require security | ||||
| capabilities that can be provided by not SDN switches but NSFs, then | ||||
| the Security Controller instructs relevant NSFs to enforce those | ||||
| rules. | ||||
| +------------+ | +------------+ | |||
| | I2NSF User | | | I2NSF User | | |||
| +------------+ | +------------+ | |||
| ^ | ^ | |||
| | Consumer-Facing Interface | | Consumer-Facing Interface | |||
| v | v | |||
| +-------------------+ Registration +-----------------------+ | +-------------------+ Registration +-----------------------+ | |||
| |Security Controller|<-------------------->|Developer's Mgmt System| | |Security Controller|<-------------------->|Developer's Mgmt System| | |||
| +-------------------+ Interface +-----------------------+ | +-------------------+ Interface +-----------------------+ | |||
| ^ ^ | ^ ^ | |||
| skipping to change at page 14, line 12 ¶ | skipping to change at page 15, line 12 ¶ | |||
| framework with SDN networks. To support these use cases in the | framework with SDN networks. To support these use cases in the | |||
| proposed data-driven security service framework, YANG data models | proposed data-driven security service framework, YANG data models | |||
| described in [consumer-facing-inf-dm], [nsf-facing-inf-dm], and | described in [consumer-facing-inf-dm], [nsf-facing-inf-dm], and | |||
| [registration-inf-dm] can be used as Consumer-Facing Interface, NSF- | [registration-inf-dm] can be used as Consumer-Facing Interface, NSF- | |||
| Facing Interface, and Registration Interface, respectively, along | Facing Interface, and Registration Interface, respectively, along | |||
| with RESTCONF [RFC8040] and NETCONF [RFC6241]. | with RESTCONF [RFC8040] and NETCONF [RFC6241]. | |||
| 5. Security Considerations | 5. Security Considerations | |||
| The I2NSF framework with SDN networks in this document is derived | The I2NSF framework with SDN networks in this document is derived | |||
| from the I2NSF framework [i2nsf-framework], so the security | from the I2NSF framework [RFC8329], so the security considerations of | |||
| considerations of the I2NSF framework should be included in this | the I2NSF framework should be included in this document. Therefore, | |||
| document. Therefore, proper secure communication channels should be | proper secure communication channels should be used the delivery of | |||
| used the delivery of control or management messages among the | control or management messages among the components in the proposed | |||
| components in the proposed framework. | framework. | |||
| This document shares all the security issues of SDN that are | This document shares all the security issues of SDN that are | |||
| specified in the "Security Considerations" section of [ITU-T.Y.3300]. | specified in the "Security Considerations" section of [ITU-T.Y.3300]. | |||
| 6. Acknowledgments | 6. Acknowledgments | |||
| This work was supported by Institute for Information & communications | This work was supported by Institute for Information & communications | |||
| Technology Promotion (IITP) grant funded by the Korea government | Technology Promotion (IITP) grant funded by the Korea government | |||
| (MSIP) (No.R-20160222-002755, Cloud based Security Intelligence | (MSIP) (No.R-20160222-002755, Cloud based Security Intelligence | |||
| Technology Development for the Customized Security Service | Technology Development for the Customized Security Service | |||
| skipping to change at page 15, line 8 ¶ | skipping to change at page 16, line 8 ¶ | |||
| 8. Informative References | 8. Informative References | |||
| [AVANT-GUARD] | [AVANT-GUARD] | |||
| Shin, S., Yegneswaran, V., Porras, P., and G. Gu, "AVANT- | Shin, S., Yegneswaran, V., Porras, P., and G. Gu, "AVANT- | |||
| GUARD: Scalable and Vigilant Switch Flow Management in | GUARD: Scalable and Vigilant Switch Flow Management in | |||
| Software-Defined Networks", ACM CCS, November 2013. | Software-Defined Networks", ACM CCS, November 2013. | |||
| [consumer-facing-inf-dm] | [consumer-facing-inf-dm] | |||
| Jeong, J., Kim, E., Ahn, T., Kumar, R., and S. Hares, | Jeong, J., Kim, E., Ahn, T., Kumar, R., and S. Hares, | |||
| "I2NSF Consumer-Facing Interface YANG Data Model", draft- | "I2NSF Consumer-Facing Interface YANG Data Model", draft- | |||
| jeong-i2nsf-consumer-facing-interface-dm-05 (work in | ietf-i2nsf-consumer-facing-interface-dm-00 (work in | |||
| progress), November 2017. | progress), March 2018. | |||
| [consumer-facing-inf-im] | [consumer-facing-inf-im] | |||
| Kumar, R., Lohiya, A., Qi, D., Bitar, N., Palislamovic, | Kumar, R., Lohiya, A., Qi, D., Bitar, N., Palislamovic, | |||
| S., and L. Xia, "Information model for Client-Facing | S., Xia, L., and J. Jeong, "Information Model for | |||
| Interface to Security Controller", draft-kumar-i2nsf- | Consumer-Facing Interface to Security Controller", draft- | |||
| client-facing-interface-im-04 (work in progress), October | kumar-i2nsf-client-facing-interface-im-04 (work in | |||
| 2017. | progress), October 2017. | |||
| [ETSI-NFV] | [ETSI-NFV] | |||
| ETSI GS NFV 002 V1.1.1, "Network Functions Virtualisation | ETSI GS NFV 002 V1.1.1, "Network Functions Virtualisation | |||
| (NFV); Architectural Framework", October 2013. | (NFV); Architectural Framework", October 2013. | |||
| [i2nsf-framework] | ||||
| Lopez, D., Lopez, E., Dunbar, L., Strassner, J., and R. | ||||
| Kumar, "Framework for Interface to Network Security | ||||
| Functions", draft-ietf-i2nsf-framework-08 (work in | ||||
| progress), October 2017. | ||||
| [i2nsf-nsf-cap-im] | [i2nsf-nsf-cap-im] | |||
| Xia, L., Strassner, J., Basile, C., and D. Lopez, | Xia, L., Strassner, J., Basile, C., and D. Lopez, | |||
| "Information Model of NSFs Capabilities", draft-ietf- | "Information Model of NSFs Capabilities", draft-ietf- | |||
| i2nsf-capability-00 (work in progress), September 2017. | i2nsf-capability-00 (work in progress), September 2017. | |||
| [i2nsf-terminology] | [i2nsf-terminology] | |||
| Hares, S., Strassner, J., Lopez, D., Xia, L., and H. | Hares, S., Strassner, J., Lopez, D., Xia, L., and H. | |||
| Birkholz, "Interface to Network Security Functions (I2NSF) | Birkholz, "Interface to Network Security Functions (I2NSF) | |||
| Terminology", draft-ietf-i2nsf-terminology-04 (work in | Terminology", draft-ietf-i2nsf-terminology-05 (work in | |||
| progress), July 2017. | progress), January 2018. | |||
| [ITU-T.X.1252] | [ITU-T.X.1252] | |||
| Recommendation ITU-T X.1252, "Baseline Identity Management | Recommendation ITU-T X.1252, "Baseline Identity Management | |||
| Terms and Definitions", April 2010. | Terms and Definitions", April 2010. | |||
| [ITU-T.X.800] | [ITU-T.X.800] | |||
| Recommendation ITU-T X.800, "Security Architecture for | Recommendation ITU-T X.800, "Security Architecture for | |||
| Open Systems Interconnection for CCITT Applications", | Open Systems Interconnection for CCITT Applications", | |||
| March 1991. | March 1991. | |||
| [ITU-T.Y.3300] | [ITU-T.Y.3300] | |||
| Recommendation ITU-T Y.3300, "Framework of Software- | Recommendation ITU-T Y.3300, "Framework of Software- | |||
| Defined Networking", June 2014. | Defined Networking", June 2014. | |||
| [nsf-facing-inf-dm] | [nsf-facing-inf-dm] | |||
| Kim, J., Jeong, J., Park, J., Hares, S., and L. Xia, | Kim, J., Jeong, J., Park, J., Hares, S., and Q. Lin, | |||
| "I2NSF Network Security Functions-Facing Interface YANG | "I2NSF Network Security Function-Facing Interface YANG | |||
| Data Model", draft-kim-i2nsf-nsf-facing-interface-data- | Data Model", draft-ietf-i2nsf-nsf-facing-interface-data- | |||
| model-04 (work in progress), October 2017. | model-00 (work in progress), March 2018. | |||
| [nsf-triggered-steering] | [nsf-triggered-steering] | |||
| Hyun, S., Jeong, J., Park, J., and S. Hares, "Service | Hyun, S., Jeong, J., Park, J., and S. Hares, "Service | |||
| Function Chaining-Enabled I2NSF Architecture", draft-hyun- | Function Chaining-Enabled I2NSF Architecture", draft-hyun- | |||
| i2nsf-nsf-triggered-steering-04 (work in progress), | i2nsf-nsf-triggered-steering-05 (work in progress), March | |||
| October 2017. | 2018. | |||
| [ONF-OpenFlow] | [ONF-OpenFlow] | |||
| ONF, "OpenFlow Switch Specification (Version 1.4.0)", | ONF, "OpenFlow Switch Specification (Version 1.4.0)", | |||
| October 2013. | October 2013. | |||
| [ONF-SDN-Architecture] | [ONF-SDN-Architecture] | |||
| ONF, "SDN Architecture", June 2014. | ONF, "SDN Architecture", June 2014. | |||
| [opsawg-firewalls] | [opsawg-firewalls] | |||
| Baker, F. and P. Hoffman, "On Firewalls in Internet | Baker, F. and P. Hoffman, "On Firewalls in Internet | |||
| Security", draft-ietf-opsawg-firewalls-01 (work in | Security", draft-ietf-opsawg-firewalls-01 (work in | |||
| progress), October 2012. | progress), October 2012. | |||
| [registration-inf-dm] | [registration-inf-dm] | |||
| Hyun, S., Jeong, J., Yeo, Y., Woo, S., and J. Park, "I2NSF | Hyun, S., Jeong, J., Roh, T., Wi, S., and J. Park, "I2NSF | |||
| Registration Interface YANG Data Model", draft-hyun-i2nsf- | Registration Interface YANG Data Model", draft-hyun-i2nsf- | |||
| registration-dm-02 (work in progress), October 2017. | registration-dm-03 (work in progress), March 2018. | |||
| [registration-inf-im] | [registration-inf-im] | |||
| Hyun, S., Jeong, J., Woo, S., Yeo, Y., and J. Park, "I2NSF | Hyun, S., Jeong, J., Roh, T., Wi, S., and J. Park, "I2NSF | |||
| Registration Interface Information Model", draft-hyun- | Registration Interface Information Model", draft-hyun- | |||
| i2nsf-registration-interface-im-03 (work in progress), | i2nsf-registration-interface-im-04 (work in progress), | |||
| October 2017. | March 2018. | |||
| [RFC4566] Handley, M., Jacobson, V., and C. Perkins, "SDP: Session | [RFC4566] Handley, M., Jacobson, V., and C. Perkins, "SDP: Session | |||
| Description Protocol", RFC 4566, July 2006. | Description Protocol", RFC 4566, July 2006. | |||
| [RFC6020] Bjorklund, M., "YANG - A Data Modeling Language for the | [RFC6020] Bjorklund, M., "YANG - A Data Modeling Language for the | |||
| Network Configuration Protocol (NETCONF)", RFC 6020, | Network Configuration Protocol (NETCONF)", RFC 6020, | |||
| October 2010. | October 2010. | |||
| [RFC6241] Enns, R., Bjorklund, M., Schoenwaelder, J., and A. | [RFC6241] Enns, R., Bjorklund, M., Schoenwaelder, J., and A. | |||
| Bierman, "Network Configuration Protocol (NETCONF)", | Bierman, "Network Configuration Protocol (NETCONF)", | |||
| skipping to change at page 18, line 5 ¶ | skipping to change at page 18, line 10 ¶ | |||
| Environment", RFC 7149, March 2014. | Environment", RFC 7149, March 2014. | |||
| [RFC8040] Bierman, A., Bjorklund, M., and K. Watsen, "RESTCONF | [RFC8040] Bierman, A., Bjorklund, M., and K. Watsen, "RESTCONF | |||
| Protocol", RFC 8040, January 2017. | Protocol", RFC 8040, January 2017. | |||
| [RFC8192] Hares, S., Lopez, D., Zarny, M., Jacquenet, C., Kumar, R., | [RFC8192] Hares, S., Lopez, D., Zarny, M., Jacquenet, C., Kumar, R., | |||
| and J. Jeong, "Interface to Network Security Functions | and J. Jeong, "Interface to Network Security Functions | |||
| (I2NSF): Problem Statement and Use Cases", RFC 8192, July | (I2NSF): Problem Statement and Use Cases", RFC 8192, July | |||
| 2017. | 2017. | |||
| [RFC8329] Lopez, D., Lopez, E., Dunbar, L., Strassner, J., and R. | ||||
| Kumar, "Framework for Interface to Network Security | ||||
| Functions", RFC 8329, February 2018. | ||||
| Appendix A. Changes from draft-ietf-i2nsf-applicability-01 | Appendix A. Changes from draft-ietf-i2nsf-applicability-01 | |||
| The following changes have been made from draft-ietf-i2nsf- | The following changes have been made from draft-ietf-i2nsf- | |||
| applicability-01: | applicability-01: | |||
| o In Section 3, a time-based web access control service is added as | o In Section 4, it is clarified what types of security policy rules | |||
| a general use case in the I2NSF framework. | can be enforced by SDN switches or NSFs in the environment of | |||
| I2NSF framework with SDN. | ||||
| o In Section 4, the movitation of the I2NSF framework with SDN is | ||||
| explained, that is, supporting the divided security policy | ||||
| enforcement for efficient security service. | ||||
| o In Section 4.2, the centralized VoIP/VoLTE security system is | o In Section 4, it is explained what should be done by the Security | |||
| clarified as a use case to explain the security service chaining | Controller in order to divide the enforcement of security policy | |||
| using SFC technology. | rules into the SDN switches and NSFs in the I2NSF framework with | |||
| SDN. | ||||
| Authors' Addresses | Authors' Addresses | |||
| Jaehoon Paul Jeong | Jaehoon Paul Jeong | |||
| Department of Software | Department of Software | |||
| Sungkyunkwan University | Sungkyunkwan University | |||
| 2066 Seobu-Ro, Jangan-Gu | 2066 Seobu-Ro, Jangan-Gu | |||
| Suwon, Gyeonggi-Do 16419 | Suwon, Gyeonggi-Do 16419 | |||
| Republic of Korea | Republic of Korea | |||
| End of changes. 26 change blocks. | ||||
| 63 lines changed or deleted | 85 lines changed or added | |||
This html diff was produced by rfcdiff 1.46. The latest version is available from http://tools.ietf.org/tools/rfcdiff/ | ||||