| draft-ietf-i2nsf-applicability-04.txt | draft-ietf-i2nsf-applicability-05.txt | |||
|---|---|---|---|---|
| I2NSF Working Group J. Jeong | I2NSF Working Group J. Jeong | |||
| Internet-Draft Sungkyunkwan University | Internet-Draft Sungkyunkwan University | |||
| Intended status: Informational S. Hyun | Intended status: Informational S. Hyun | |||
| Expires: January 18, 2019 Chosun University | Expires: March 15, 2019 Chosun University | |||
| T. Ahn | T. Ahn | |||
| Korea Telecom | Korea Telecom | |||
| S. Hares | S. Hares | |||
| Huawei | Huawei | |||
| D. Lopez | D. Lopez | |||
| Telefonica I+D | Telefonica I+D | |||
| July 17, 2018 | September 11, 2018 | |||
| Applicability of Interfaces to Network Security Functions to Network- | Applicability of Interfaces to Network Security Functions to Network- | |||
| Based Security Services | Based Security Services | |||
| draft-ietf-i2nsf-applicability-04 | draft-ietf-i2nsf-applicability-05 | |||
| Abstract | Abstract | |||
| This document describes the applicability of Interface to Network | This document describes the applicability of Interface to Network | |||
| Security Functions (I2NSF) to network-based security services in | Security Functions (I2NSF) to network-based security services in | |||
| Network Functions Virtualization (NFV) environments, such as | Network Functions Virtualization (NFV) environments, such as | |||
| firewall, deep packet inspection, or attack mitigation engines. | firewall, deep packet inspection, or attack mitigation engines. | |||
| Status of This Memo | Status of This Memo | |||
| skipping to change at page 1, line 41 ¶ | skipping to change at page 1, line 41 ¶ | |||
| Internet-Drafts are working documents of the Internet Engineering | Internet-Drafts are working documents of the Internet Engineering | |||
| Task Force (IETF). Note that other groups may also distribute | Task Force (IETF). Note that other groups may also distribute | |||
| working documents as Internet-Drafts. The list of current Internet- | working documents as Internet-Drafts. The list of current Internet- | |||
| Drafts is at https://datatracker.ietf.org/drafts/current/. | Drafts is at https://datatracker.ietf.org/drafts/current/. | |||
| Internet-Drafts are draft documents valid for a maximum of six months | Internet-Drafts are draft documents valid for a maximum of six months | |||
| and may be updated, replaced, or obsoleted by other documents at any | and may be updated, replaced, or obsoleted by other documents at any | |||
| time. It is inappropriate to use Internet-Drafts as reference | time. It is inappropriate to use Internet-Drafts as reference | |||
| material or to cite them other than as "work in progress." | material or to cite them other than as "work in progress." | |||
| This Internet-Draft will expire on January 18, 2019. | This Internet-Draft will expire on March 15, 2019. | |||
| Copyright Notice | Copyright Notice | |||
| Copyright (c) 2018 IETF Trust and the persons identified as the | Copyright (c) 2018 IETF Trust and the persons identified as the | |||
| document authors. All rights reserved. | document authors. All rights reserved. | |||
| This document is subject to BCP 78 and the IETF Trust's Legal | This document is subject to BCP 78 and the IETF Trust's Legal | |||
| Provisions Relating to IETF Documents | Provisions Relating to IETF Documents | |||
| (https://trustee.ietf.org/license-info) in effect on the date of | (https://trustee.ietf.org/license-info) in effect on the date of | |||
| publication of this document. Please review these documents | publication of this document. Please review these documents | |||
| carefully, as they describe your rights and restrictions with respect | carefully, as they describe your rights and restrictions with respect | |||
| to this document. Code Components extracted from this document must | to this document. Code Components extracted from this document must | |||
| include Simplified BSD License text as described in Section 4.e of | include Simplified BSD License text as described in Section 4.e of | |||
| the Trust Legal Provisions and are provided without warranty as | the Trust Legal Provisions and are provided without warranty as | |||
| described in the Simplified BSD License. | described in the Simplified BSD License. | |||
| Table of Contents | Table of Contents | |||
| 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2 | 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2 | |||
| 2. Terminology . . . . . . . . . . . . . . . . . . . . . . . . . 3 | 2. Terminology . . . . . . . . . . . . . . . . . . . . . . . . . 3 | |||
| 3. I2NSF Framework . . . . . . . . . . . . . . . . . . . . . . . 4 | 3. I2NSF Framework . . . . . . . . . . . . . . . . . . . . . . . 3 | |||
| 3.1. Time-dependent Web Access Control Service . . . . . . . . 5 | 4. Time-dependent Web Access Control Service . . . . . . . . . . 5 | |||
| 4. I2NSF Framework with SFC . . . . . . . . . . . . . . . . . . 7 | 5. I2NSF Framework with SFC . . . . . . . . . . . . . . . . . . 6 | |||
| 5. I2NSF Framework with SDN . . . . . . . . . . . . . . . . . . 9 | 6. I2NSF Framework with SDN . . . . . . . . . . . . . . . . . . 9 | |||
| 5.1. Firewall: Centralized Firewall System . . . . . . . . . . 11 | 6.1. Firewall: Centralized Firewall System . . . . . . . . . . 11 | |||
| 5.2. Deep Packet Inspection: Centralized VoIP/VoLTE Security | 6.2. Deep Packet Inspection: Centralized VoIP/VoLTE Security | |||
| System . . . . . . . . . . . . . . . . . . . . . . . . . 12 | System . . . . . . . . . . . . . . . . . . . . . . . . . 12 | |||
| 5.3. Attack Mitigation: Centralized DDoS-attack Mitigation | 6.3. Attack Mitigation: Centralized DDoS-attack Mitigation | |||
| System . . . . . . . . . . . . . . . . . . . . . . . . . 14 | System . . . . . . . . . . . . . . . . . . . . . . . . . 14 | |||
| 6. I2NSF Framework with NFV . . . . . . . . . . . . . . . . . . 16 | 7. I2NSF Framework with NFV . . . . . . . . . . . . . . . . . . 16 | |||
| 7. Security Considerations . . . . . . . . . . . . . . . . . . . 19 | 8. Security Considerations . . . . . . . . . . . . . . . . . . . 18 | |||
| 8. Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . 19 | 9. Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . 18 | |||
| 9. Contributors . . . . . . . . . . . . . . . . . . . . . . . . 19 | 10. Contributors . . . . . . . . . . . . . . . . . . . . . . . . 18 | |||
| 10. Informative References . . . . . . . . . . . . . . . . . . . 20 | 11. Informative References . . . . . . . . . . . . . . . . . . . 19 | |||
| Appendix A. Changes from draft-ietf-i2nsf-applicability-03 . . . 23 | Appendix A. Changes from draft-ietf-i2nsf-applicability-04 . . . 22 | |||
| Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 23 | Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 22 | |||
| 1. Introduction | 1. Introduction | |||
| Interface to Network Security Functions (I2NSF) defined a framework | Interface to Network Security Functions (I2NSF) defines a framework | |||
| and interfaces for interacting with Network Security Functions | and interfaces for interacting with Network Security Functions | |||
| (NSFs). The I2NSF framework allows heterogeneous NSFs developed by | (NSFs). The I2NSF framework allows heterogeneous NSFs developed by | |||
| different security solution vendors to be used in the NFV environment | different security solution vendors to be used in the Network | |||
| by utilizing the capabilities of such products and the virtualization | Functions Virtualization (NFV) environment [ETSI-NFV] by utilizing | |||
| of security functions in the NFV platform. In the I2NSF framework, | the capabilities of such products and the virtualization of security | |||
| each NSF initially registers the profile of its own capabilities into | functions in the NFV platform. In the I2NSF framework, each NSF | |||
| the system in order for themselves to be available in the system. In | initially registers the profile of its own capabilities into the | |||
| addition, the Security Controller registers itself to the I2NSF user | system in order for themselves to be available in the system. In | |||
| so that the user can request security services to the Security | addition, the Security Controller is validated by the I2NSF Client | |||
| Controller. | (also called I2NSF User) that the user is employing, so that the user | |||
| can request security services through the Security Controller. | ||||
| This document describes the applicability of I2NSF framework to | ||||
| network-based security services with a use case of time-dependent web | ||||
| access control. This document also describes integrating I2NSF | ||||
| framework with Software-Defined Networking (SDN) technology for | ||||
| efficient security services and use cases, such as firewall | ||||
| [opsawg-firewalls], Deep Packet Inspection (DPI), and Distributed | This document illustrates the applicability of the I2NSF framework | |||
| Denial of Service (DDoS) attack mitigation. We implemented the I2NSF | with four different scenarios: (i) the enforcement of time-dependent | |||
| framework based on SDN for these use cases, and the implementation | web access control; (ii) the application of I2NSF to a Service | |||
| successfully verified the effectiveness of the I2NSF framework. | Function Chaining (SFC) environment [RFC7665]; (iii) the integration | |||
| of the I2NSF framework with Software-Defined Networking (SDN) | ||||
| [RFC7149] to provide different security functionality such as | ||||
| firewalls [opsawg-firewalls], Deep Packet Inspection (DPI), and | ||||
| Distributed Denial of Service (DDoS) attack mitigation; (iv) the use | ||||
| of NFV as supporting technology. The implementation of I2NSF in | ||||
| these scenarios has allowed us to verify the applicability and | ||||
| effectiveness of the I2NSF framework for a variety of use cases. | ||||
| 2. Terminology | 2. Terminology | |||
| This document uses the terminology described in [RFC7149], | This document uses the terminology described in [RFC7149], | |||
| [ITU-T.Y.3300], [ONF-OpenFlow], [ONF-SDN-Architecture], | [ITU-T.Y.3300], [ONF-OpenFlow], [ONF-SDN-Architecture], | |||
| [ITU-T.X.1252], [ITU-T.X.800], [RFC8329], [i2nsf-terminology], | [ITU-T.X.1252], [ITU-T.X.800], [RFC8329], [i2nsf-terminology], | |||
| [consumer-facing-inf-im], [consumer-facing-inf-dm], | [consumer-facing-inf-im], [consumer-facing-inf-dm], | |||
| [i2nsf-nsf-cap-im], [nsf-facing-inf-dm], [registration-inf-im], | [i2nsf-nsf-cap-im], [nsf-facing-inf-dm], [registration-inf-dm], and | |||
| [registration-inf-dm], and [nsf-triggered-steering]. In addition, | [nsf-triggered-steering]. In addition, the following terms are | |||
| the following terms are defined below: | defined below: | |||
| o Software-Defined Networking (SDN): A set of techniques that | o Software-Defined Networking (SDN): A set of techniques that | |||
| enables to directly program, orchestrate, control, and manage | enables to directly program, orchestrate, control, and manage | |||
| network resources, which facilitates the design, delivery and | network resources, which facilitates the design, delivery and | |||
| operation of network services in a dynamic and scalable manner | operation of network services in a dynamic and scalable manner | |||
| [ITU-T.Y.3300]. | [ITU-T.Y.3300]. | |||
| o Firewall: A service function at the junction of two network | o Firewall: A service function at the junction of two network | |||
| segments that inspects every packet that attempts to cross the | segments that inspects every packet that attempts to cross the | |||
| boundary. It also rejects any packet that does not satisfy | boundary. It also rejects any packet that does not satisfy | |||
| certain criteria for, for example, disallowed port numbers or IP | certain criteria for, for example, disallowed port numbers or IP | |||
| addresses. | addresses. | |||
| o Centralized Firewall System: A centralized firewall that can | o Centralized Firewall System: A centralized firewall that can | |||
| establish and distribute policy rules into network resources for | establish and distribute policy rules into network resources for | |||
| efficient firewall management. These rules can be managed | efficient firewall management. | |||
| dynamically by a centralized server for firewall. SDN can work as | ||||
| a network-based firewall system through a standard interface | ||||
| between an SDN switch and a firewall function as a vitual network | ||||
| function (VNF). | ||||
| o Centralized VoIP Security System: A centralized security system | o Centralized VoIP Security System: A centralized security system | |||
| that handles the security functions required for VoIP and VoLTE | that handles the security functions required for VoIP and VoLTE | |||
| services. SDN can work as a network-based security system through | services. | |||
| a standard interface between an SDN switch and a VoIP/VoLTE | ||||
| security function as a VNF. | ||||
| o Centralized DDoS-attack Mitigation System: A centralized mitigator | o Centralized DDoS-attack Mitigation System: A centralized mitigator | |||
| that can establish and distribute access control policy rules into | that can establish and distribute access control policy rules into | |||
| network resources for efficient DDoS-attack mitigation. These | network resources for efficient DDoS-attack mitigation. | |||
| rules can be managed dynamically by a centralized server for DDoS- | ||||
| attack mitigation. The SDN controller and switches can | ||||
| cooperatively work as a network-based firewall system through a | ||||
| standard interface between an SDN switch and a firewall function | ||||
| as a VNF running in the SDN controller. | ||||
| 3. I2NSF Framework | 3. I2NSF Framework | |||
| This section describes an I2NSF framework and its use case. Figure 1 | This section summarizes the I2NSF framework as defined in [RFC8329]. | |||
| shows an I2NSF framework [RFC8329] to support network-based security | As shown in Figure 1, an I2NSF User can use security functions by | |||
| services. As shown in Figure 1, I2NSF User can use security | delivering high-level security policies, which specify security | |||
| functions by delivering high-level security policies, which specify | requirements that the I2NSF user wants to enforce, to the Security | |||
| security requirements the I2NSF user wants to enforce, to the | Controller via the Consumer-Facing Interface | |||
| Security Controller via the Consumer-Facing Interface | ||||
| [consumer-facing-inf-im][consumer-facing-inf-dm]. | [consumer-facing-inf-im][consumer-facing-inf-dm]. | |||
| The Security Controller receives and analyzes the high-level security | The Security Controller receives and analyzes the high-level security | |||
| policies from an I2NSF User, and identifies what types of security | policies from an I2NSF User, and identifies what types of security | |||
| capabilities are required to meet these high-level security policies. | capabilities are required to meet these high-level security policies. | |||
| The Security Controller then identifies NSFs that have the required | The Security Controller then identifies NSFs that have the required | |||
| security capabilities, and generates low-level security policies for | security capabilities, and generates low-level security policies for | |||
| each of the NSFs so that the high-level security policies are | each of the NSFs so that the high-level security policies are | |||
| eventually enforced by those NSFs. Finally, the Security Controller | eventually enforced by those NSFs [policy-translation]. Finally, the | |||
| sends the generated low-level security policies to the NSFs | Security Controller sends the generated low-level security policies | |||
| [i2nsf-nsf-cap-im][nsf-facing-inf-dm]. | to the NSFs [i2nsf-nsf-cap-im][nsf-facing-inf-dm]. | |||
| The Security Controller requests NSFs to perform low-level security | The Security Controller requests NSFs to perform low-level security | |||
| services via the NSF-Facing Interface. The NSFs are enabled as | services via the NSF-Facing Interface. The developers (or vendors) | |||
| Virtual Network Functions (VNFs) on top of virtual machines through | inform the Security Controller of the capabilities of the NSFs | |||
| Network Functions Virtualization (NFV) [ETSI-NFV]. In addition, the | through the I2NSF Registration Interface [registration-inf-dm] for | |||
| Security Controller uses the I2NSF Registration Interface | registering (or deregistering) the corresponding NSFs. | |||
| [registration-inf-im][registration-inf-dm] to communicate with | ||||
| Developer's Management System (called Developer's Mgmt System) for | ||||
| registering (or deregistering) the developer's NSFs into (or from) | ||||
| the NFV system using the I2NSF framework. | ||||
| The Consumer-Facing Interface between an I2NSF User and the Security | The Consumer-Facing Interface between an I2NSF User and the Security | |||
| Controller can be implemented using, for example, RESTCONF [RFC8040]. | Controller can be implemented using, for example, RESTCONF [RFC8040]. | |||
| Data models specified by YANG [RFC6020] describe high-level security | Data models specified by YANG [RFC6020] describe high-level security | |||
| policies to be specified by an I2NSF User. The data model defined in | policies to be specified by an I2NSF User. The data model defined in | |||
| [consumer-facing-inf-dm] can be used for the I2NSF Consumer-Facing | [consumer-facing-inf-dm] can be used for the I2NSF Consumer-Facing | |||
| Interface. | Interface. | |||
| +------------+ | +------------+ | |||
| | I2NSF User | | | I2NSF User | | |||
| +------------+ | +------------+ | |||
| ^ | ^ | |||
| | Consumer-Facing Interface | | Consumer-Facing Interface | |||
| v | v | |||
| +-------------------+ Registration +-----------------------+ | +-------------------+ Registration +-----------------------+ | |||
| |Security Controller|<-------------------->|Developer's Mgmt System| | |Security Controller|<-------------------->|Developer's Mgmt System| | |||
| +-------------------+ Interface +-----------------------+ | +-------------------+ Interface +-----------------------+ | |||
| ^ | ^ | |||
| | NSF-Facing Interface | | NSF-Facing Interface | |||
| v | v | |||
| +----------------+ +---------------+ +-----------------------+ | +----------------+ +---------------+ +-----------------------+ | |||
| | NSF-1 |-| NSF-2 |...| NSF-n | | | NSF-1 |-| NSF-2 |...| NSF-n | | |||
| | (Firewall) | | (Web Filter) | |(DDoS-Attack Mitigator)| | | (Firewall) | | (Web Filter) | |(DDoS-Attack Mitigator)| | |||
| +----------------+ +---------------+ +-----------------------+ | +----------------+ +---------------+ +-----------------------+ | |||
| Figure 1: I2NSF Framework | Figure 1: I2NSF Framework | |||
| The NSF-Facing Interface between the Security Controller and NSFs can | The NSF-Facing Interface between the Security Controller and NSFs can | |||
| be implemented using NETCONF [RFC6241]. YANG data models describe | be implemented using NETCONF [RFC6241]. YANG data models describe | |||
| low-level security policies for the sake of NSFs, which are | low-level security policies for the sake of NSFs, which are | |||
| translated from the high-level security policies by the Security | translated from the high-level security policies by the Security | |||
| Controller. The data model defined in [nsf-facing-inf-dm] can be | Controller. The data model defined in [nsf-facing-inf-dm] can be | |||
| used for the I2NSF NSF-Facing Interface. | used for the I2NSF NSF-Facing Interface. | |||
| The Registration Interface between the Security Controller and the | The Registration Interface between the Security Controller and the | |||
| Developer's Mgmt System can be implemented by RESTCONF [RFC8040]. | Developer's Management System can be implemented by RESTCONF | |||
| The data model defined in [registration-inf-dm] can be used for the | [RFC8040]. The data model defined in [registration-inf-dm] can be | |||
| I2NSF Registration Interface. | used for the I2NSF Registration Interface. | |||
| Also, the I2NSF framework can enforce multiple chained NSFs for the | Also, the I2NSF framework can enforce multiple chained NSFs for the | |||
| low-level security policies by means of service function chaining | low-level security policies by means of SFC techniques for the I2NSF | |||
| (SFC) techniques for the I2NSF architecture described in | architecture described in [nsf-triggered-steering]. | |||
| [nsf-triggered-steering]. | ||||
| The following describes a security service scenario using the I2NSF | The following sections describe different security service scenarios | |||
| framework. | illustrating the applicability of the I2NSF framework. | |||
| 3.1. Time-dependent Web Access Control Service | 4. Time-dependent Web Access Control Service | |||
| This service scenario assumes that an enterprise network | This service scenario assumes that an enterprise network | |||
| administrator wants to control the staff members' access to Facebook | administrator wants to control the staff members' access to a | |||
| during business hours. The following is an example high-level | particular Interner service (e.g., Example.com) during business | |||
| security policy rule that the administrator requests: Block the staff | hours. The following is an example high-level security policy rule | |||
| members' access to Facebook from 9 am to 6 pm. The administrator | that the administrator requests: Block the staff members' access to | |||
| sends this high-level security policy to the security controller, | Example.com from 9 AM to 6 PM. The administrator sends this high- | |||
| then the security controller identifies required secuity | level security policy to the Security Controller, then the Security | |||
| capabilities, e.g., IP address and port number inspection | Controller identifies required security capabilities, e.g., IP | |||
| capabilities and URL inspection capability. In this scenario, it is | address and port number inspection capabilities and URL inspection | |||
| assumed that the IP address and port number inspection capabilities | capability. In this scenario, it is assumed that the IP address and | |||
| are required to check whether a received packet is an HTTP packet | port number inspection capabilities are required to check whether a | |||
| from a staff member. The URL inspection capability is required to | received packet is an HTTP packet from a staff member. The URL | |||
| check whether the target URL of a received packet is facebook.com or | inspection capability is required to check whether the target URL of | |||
| not. | a received packet is in the Example.com domain or not. | |||
| The Security Controller maintains the security capabilities of each | The Security Controller maintains the security capabilities of each | |||
| NSF running in the I2NSF system, which have been reported by the | NSF running in the I2NSF system, which have been reported by the | |||
| Developer's Management System via the Registation interface. Based | Developer's Management System via the Registation interface. Based | |||
| on this information, the Security Controller identifies NSFs that can | on this information, the Security Controller identifies NSFs that can | |||
| perform the IP address and port number inspection and URL inspection. | perform the IP address and port number inspection and URL inspection | |||
| In this scenario, it is assumed that an NSF of firewall has the IP | [policy-translation]. In this scenario, it is assumed that an NSF of | |||
| address and port number inspection capabilities and an NSF of web | firewall has the IP address and port number inspection capabilities | |||
| filter has URL inspection capability. | and an NSF of web filter has URL inspection capability. | |||
| The Security Controller generates low-level security rules for the | The Security Controller generates low-level security rules for the | |||
| NSFs to perform IP address and port number inspection, URL | NSFs to perform IP address and port number inspection, URL | |||
| inspection, and time checking. Specifically, the Security Controller | inspection, and time checking. Specifically, the Security Controller | |||
| may interoperate with an access control server in the enterprise | may interoperate with an access control server in the enterprise | |||
| network in order to retrieve the information (e.g., IP address in | network in order to retrieve the information (e.g., IP address in | |||
| use, company identifier (ID), and role) of each employee that is | use, company identifier (ID), and role) of each employee that is | |||
| currently using the network. Based on the retrieved information, the | currently using the network. Based on the retrieved information, the | |||
| Security Controller generates low-level security rules to check | Security Controller generates low-level security rules to check | |||
| whether the source IP address of a received packet matches any one | whether the source IP address of a received packet matches any one | |||
| being used by a staff member. In addition, the low-level security | being used by a staff member. In addition, the low-level security | |||
| rules should be able to determine that a received packet is of HTTP | rules should be able to determine that a received packet is of HTTP | |||
| protocol. The low-level security rules for web filter checks that | protocol. The low-level security rules for web filter checks that | |||
| the target URL field of a received packet is equal to facebook.com. | the target URL field of a received packet is equal to Example.com. | |||
| Finally, the Security Controller sends the low-level security rules | Finally, the Security Controller sends the low-level security rules | |||
| of the IP address and port number inspection to the NSF of firewall | of the IP address and port number inspection to the NSF of firewall | |||
| and the low-level rules for URL inspection to the NSF of web filter. | and the low-level rules for URL inspection to the NSF of web filter. | |||
| The following describes how the time-dependent web access control | The following describes how the time-dependent web access control | |||
| service is enforced by the NSFs of firewall and web filter. | service is enforced by the NSFs of firewall and web filter. | |||
| 1. A staff member tries to access Fackbook.com during business | 1. A staff member tries to access Example.com during business hours, | |||
| hours, e.g., 10 am. | e.g., 10 AM. | |||
| 2. The packet is forwarded from the staff member's device to the | 2. The packet is forwarded from the staff member's device to the | |||
| firewall, and the firewall checks the source IP address and port | firewall, and the firewall checks the source IP address and port | |||
| number. Now the firewall identifies the received packet is an | number. Now the firewall identifies the received packet is an | |||
| HTTP packet from the staff member. | HTTP packet from the staff member. | |||
| 3. The firewall triggers the web filter to further inspect the | 3. The firewall triggers the web filter to further inspect the | |||
| packet, and the packet is forwarded from the firewall to the web | packet, and the packet is forwarded from the firewall to the web | |||
| filter. Service Function Chaining (SFC) technology can be | filter. SFC technology can be utilized to support such packet | |||
| utilized to support such packet forwarding in the I2NSF framework | forwarding in the I2NSF framework [nsf-triggered-steering]. | |||
| [nsf-triggered-steering]. | ||||
| 4. The web filter checks the target URL field of the received | 4. The web filter checks the target URL field of the received | |||
| packet, and realizes the packet is toward Facebook.com. The web | packet, and realizes the packet is toward Example.com. The web | |||
| filter then checks that the current time is in business hours. | filter then checks that the current time is in business hours. | |||
| If so, the web filter drops the packet, and consequently the | If so, the web filter drops the packet, and consequently the | |||
| staff member's access to Facebook during business hours is | staff member's access to Example.com during business hours is | |||
| blocked. | blocked. | |||
| 4. I2NSF Framework with SFC | 5. I2NSF Framework with SFC | |||
| In the I2NSF architecture, an NSF can trigger an advanced security | In the I2NSF architecture, an NSF can trigger an advanced security | |||
| action (e.g., DPI and DDoS attack mitigation) on a packet based on | action (e.g., DPI or DDoS attack mitigation) on a packet based on the | |||
| the result of its own security inspection of the packet. For | result of its own security inspection of the packet. For example, a | |||
| example, a firewall triggers further inspection of a suspicious | firewall triggers further inspection of a suspicious packet with DPI. | |||
| packet with DPI. For this advanced security action to be fulfilled, | For this advanced security action to be fulfilled, the suspicious | |||
| the suspicious packet should be forwarded from the current NSF to the | packet should be forwarded from the current NSF to the successor NSF. | |||
| successor NSF. Service Function Chaining (SFC) [RFC7665] is a | SFC [RFC7665] is a technology that enables this advanced security | |||
| technology that enables this advanced security action by steering a | action by steering a packet with multiple service functions (e.g., | |||
| packet with multiple service functions (e.g., NSFs), and this | NSFs), and this technology can be utilized by the I2NSF architecture | |||
| technology can be utilized by the I2NSF architecture to support the | to support the advanced security action. | |||
| advanced security action. | ||||
| SFC generally requires classifiers and service function forwarders | SFC generally requires classifiers and service function forwarders | |||
| (SFFs); classifiers are responsible for determining which service | (SFFs); classifiers are responsible for determining which service | |||
| function path (SFP) (i.e., an ordered sequence of service functions) | function path (SFP) (i.e., an ordered sequence of service functions) | |||
| a given packet should pass through, according to pre-configured | a given packet should pass through, according to pre-configured | |||
| classification rules, and SFFs perform forwarding the given packet to | classification rules, and SFFs perform forwarding the given packet to | |||
| the next service function (e.g., NSF) on the SFP of the packet by | the next service function (e.g., NSF) on the SFP of the packet by | |||
| referring to their forwarding tables. In the I2NSF architecture with | referring to their forwarding tables. In the I2NSF architecture with | |||
| SFC, the Security Controller can take responsibilities of generating | SFC, the Security Controller can take responsibilities of generating | |||
| classification rules for classifiers and forwarding tables for SFFs. | classification rules for classifiers and forwarding tables for SFFs. | |||
| skipping to change at page 9, line 5 ¶ | skipping to change at page 9, line 5 ¶ | |||
| the packet to the classifier. Based on the metadata information, the | the packet to the classifier. Based on the metadata information, the | |||
| classifier searches an SFP which includes an NSF with the required | classifier searches an SFP which includes an NSF with the required | |||
| security capability, changes the SFP-related information (e.g., | security capability, changes the SFP-related information (e.g., | |||
| service path identifier and service index [RFC8300]) of the packet | service path identifier and service index [RFC8300]) of the packet | |||
| with the new SFP that has been found, and then forwards the packet to | with the new SFP that has been found, and then forwards the packet to | |||
| the SFF. When receiving the packet, the SFF checks the SFP-related | the SFF. When receiving the packet, the SFF checks the SFP-related | |||
| information such as the service path identifier and service index | information such as the service path identifier and service index | |||
| contained in the packet and forwards the packet to the next NSF on | contained in the packet and forwards the packet to the next NSF on | |||
| the SFP of the packet, according to its forwarding table. | the SFP of the packet, according to its forwarding table. | |||
| 5. I2NSF Framework with SDN | 6. I2NSF Framework with SDN | |||
| This section describes an I2NSF framework with SDN for I2NSF | This section describes an I2NSF framework with SDN for I2NSF | |||
| applicability and use cases, such as firewall, deep packet | applicability and use cases, such as firewall, deep packet | |||
| inspection, and DDoS-attack mitigation functions. SDN enables some | inspection, and DDoS-attack mitigation functions. SDN enables some | |||
| packet filtering rules to be enforced in the network switches by | packet filtering rules to be enforced in network forwarding elements | |||
| controlling their packet forwarding rules. By taking advantage of | (e.g., switch) by controlling their packet forwarding rules. By | |||
| this capability of SDN, it is possible to optimize the process of | taking advantage of this capability of SDN, it is possible to | |||
| security service enforcement in the I2NSF system. | optimize the process of security service enforcement in the I2NSF | |||
| system. | ||||
| Figure 3 shows an I2NSF framework [RFC8329] with SDN networks to | Figure 3 shows an I2NSF framework [RFC8329] with SDN networks to | |||
| support network-based security services. In this system, the | support network-based security services. In this system, the | |||
| enforcement of security policy rules is divided into the SDN switches | enforcement of security policy rules is divided into the SDN | |||
| and NSFs. Especially, SDN switches enforce simple packet filtering | forwarding elements (e.g., switch) and NSFs. Especially, SDN | |||
| rules that can be translated into their packet forwarding rules, | forwarding elements enforce simple packet filtering rules that can be | |||
| whereas NSFs enforce NSF-related security rules requiring the | translated into their packet forwarding rules, whereas NSFs enforce | |||
| security capabilities of the NSFs. For this purpose, the Security | NSF-related security rules requiring the security capabilities of the | |||
| Controller instructs the Switch Controller via NSF-Facing Interface | NSFs. For this purpose, the Security Controller instructs the SDN | |||
| so that SDN switches can perform the required security services with | Controller via NSF-Facing Interface so that SDN forwarding elements | |||
| flow tables under the supervision of the Switch Controller (i.e., SDN | can perform the required security services with flow tables under the | |||
| Controller). | supervision of the SDN Controller. | |||
| As an example, let us consider two different types of security rules: | As an example, let us consider two different types of security rules: | |||
| Rule A is a simple packet fltering rule that checks only the IP | Rule A is a simple packet fltering rule that checks only the IP | |||
| address and port number of a given packet, whereas rule B is a time- | address and port number of a given packet, whereas rule B is a time- | |||
| consuming packet inspection rule for analyzing whether an attached | consuming packet inspection rule for analyzing whether an attached | |||
| file being transmitted over a flow of packets contains malware. Rule | file being transmitted over a flow of packets contains malware. Rule | |||
| A can be translated into packet forwarding rules of SDN switches and | A can be translated into packet forwarding rules of SDN forwarding | |||
| thus be enforced by the switches. In contrast, rule B cannot be | elements and thus be enforced by these elements. In contrast, rule B | |||
| enforced by switches, but it can be enforced by NSFs with anti- | cannot be enforced by forwarding elements, but it has to be enforced | |||
| malware capability. Specifically, a flow of packets is forwarded to | by NSFs with anti-malware capability. Specifically, a flow of | |||
| and reassembled by an NSF to reconstruct the attached file stored in | packets is forwarded to and reassembled by an NSF to reconstruct the | |||
| the flow of packets. The NSF then analyzes the file to check the | attached file stored in the flow of packets. The NSF then analyzes | |||
| existence of malware. If the file contains malware, the NSF drops | the file to check the existence of malware. If the file contains | |||
| the packets. | malware, the NSF drops the packets. | |||
| In an I2NSF framework with SDN, the Security Controller can analyze | In an I2NSF framework with SDN, the Security Controller can analyze | |||
| given security policy rules and automatically determine which of the | given security policy rules and automatically determine which of the | |||
| given security policy rules should be enforced by SDN switches and | given security policy rules should be enforced by SDN forwarding | |||
| which should be enforced by NSFs. If some of the given rules | elements and which should be enforced by NSFs. If some of the given | |||
| requires security capabilities that can be provided by SDN switches, | rules requires security capabilities that can be provided by SDN | |||
| then the Security Controller instructs the Switch Controller via NSF- | forwarding elements, then the Security Controller instructs the SDN | |||
| Facing Interface so that SDN switches can enforce those security | Controller via NSF-Facing Interface so that SDN forwarding elements | |||
| policy rules with flow tables under the supervision of the Switch | can enforce those security policy rules with flow tables under the | |||
| Controller (i.e., SDN Controller). Or if some rules require security | supervision of the SDN Controller. Or if some rules require security | |||
| capabilities that can be provided by not SDN switches but NSFs, then | capabilities that cannot be provided by SDN forwarding elements but | |||
| the Security Controller instructs relevant NSFs to enforce those | by NSFs, then the Security Controller instructs relevant NSFs to | |||
| rules. | enforce those rules. | |||
| +------------+ | +------------+ | |||
| | I2NSF User | | | I2NSF User | | |||
| +------------+ | +------------+ | |||
| ^ | ^ | |||
| | Consumer-Facing Interface | | Consumer-Facing Interface | |||
| v | v | |||
| +-------------------+ Registration +-----------------------+ | +-------------------+ Registration +-----------------------+ | |||
| |Security Controller|<-------------------->|Developer's Mgmt System| | |Security Controller|<-------------------->|Developer's Mgmt System| | |||
| +-------------------+ Interface +-----------------------+ | +-------------------+ Interface +-----------------------+ | |||
| ^ ^ | ^ ^ | |||
| | | NSF-Facing Interface | | | NSF-Facing Interface | |||
| | v | | v | |||
| | +----------------+ +---------------+ +-----------------------+ | | +----------------+ +---------------+ +-----------------------+ | |||
| | | NSF-1 |-| NSF-2 |...| NSF-n | | | | NSF-1 |-| NSF-2 |...| NSF-n | | |||
| | | (Firewall) | | (DPI) | |(DDoS-Attack Mitigator)| | | | (Firewall) | | (DPI) | |(DDoS-Attack Mitigator)| | |||
| | +----------------+ +---------------+ +-----------------------+ | | +----------------+ +---------------+ +-----------------------+ | |||
| | ^ | | ^ | |||
| | | | | | | |||
| | v | | v | |||
| | +--------+ | | +--------+ | |||
| | | SFF | | | | SFF | | |||
| | +--------+ | | +--------+ | |||
| | ^ | | ^ | |||
| | | | | | | |||
| | V SDN Network | | V SDN Network | |||
| +--|----------------------------------------------------------------+ | +--|----------------------------------------------------------------+ | |||
| | V NSF-Facing Interface | | | V NSF-Facing Interface | | |||
| | +-----------------+ | | | +----------------+ | | |||
| | |Switch Controller| | | | | SDN Controller | | | |||
| | +-----------------+ | | | +----------------+ | | |||
| | ^ | | | ^ | | |||
| | | SDN Southbound Interface | | | | SDN Southbound Interface | | |||
| | v | | | v | | |||
| | +--------+ +--------+ +--------+ +--------+ | | | +--------+ +--------+ +--------+ +--------+ | | |||
| | |Switch 1|-|Switch 2|-|Switch 3|......|Switch m| | | | |Switch 1|-|Switch 2|-|Switch 3|......|Switch m| | | |||
| | +--------+ +--------+ +--------+ +--------+ | | | +--------+ +--------+ +--------+ +--------+ | | |||
| +-------------------------------------------------------------------+ | +-------------------------------------------------------------------+ | |||
| Figure 3: An I2NSF Framework with SDN Network | Figure 3: An I2NSF Framework with SDN Network | |||
| The following subsections introduce three use cases for cloud-based | The following subsections introduce three use cases for cloud-based | |||
| security services: (i) firewall system, (ii) deep packet inspection | security services: (i) firewall system, (ii) deep packet inspection | |||
| system, and (iii) attack mitigation system. [RFC8192] | system, and (iii) attack mitigation system. [RFC8192] | |||
| 5.1. Firewall: Centralized Firewall System | 6.1. Firewall: Centralized Firewall System | |||
| A centralized network firewall can manage each network resource and | A centralized network firewall can manage each network resource and | |||
| firewall rules can be managed flexibly by a centralized server for | apply common rules to individual network elements (e.g., switch). | |||
| firewall (called Firewall). The centralized network firewall | The centralized network firewall controls each forwarding element, | |||
| controls each switch for the network resource management and the | and firewall rules can be added or deleted dynamically. | |||
| firewall rules can be added or deleted dynamically. | ||||
| The procedure of firewall operations in this system is as follows: | The procedure of firewall operations in this system is as follows: | |||
| 1. A switch forwards an unknown flow's packet to one of the Switch | 1. A switch forwards an unknown flow's packet to one of the SDN | |||
| Controllers. | Controllers. | |||
| 2. The Switch Controller forwards the unknown flow's packet to an | 2. The SDN Controller forwards the unknown flow's packet to an | |||
| appropriate security service application, such as the Firewall. | appropriate security service application, such as the Firewall. | |||
| 3. The Firewall analyzes, typically, the headers and contents of the | 3. The Firewall analyzes, typically, the headers and contents of the | |||
| packet. | packet. | |||
| 4. If the Firewall regards the packet as a malicious one with a | 4. If the Firewall regards the packet as a malicious one with a | |||
| suspicious pattern, it reports the malicious packet to the Switch | suspicious pattern, it reports the malicious packet to the SDN | |||
| Controller. | Controller. | |||
| 5. The Switch Controller installs new rules (e.g., drop packets with | 5. The SDN Controller installs new rules (e.g., drop packets with | |||
| the suspicious pattern) into underlying switches. | the suspicious pattern) into underlying switches. | |||
| 6. The suspected packets are dropped by these switches. | 6. The suspected packets are dropped by these switches. | |||
| Existing SDN protocols can be used through standard interfaces | Existing SDN protocols can be used through standard interfaces | |||
| between the firewall application and switches | between the firewall application and switches | |||
| [RFC7149][ITU-T.Y.3300][ONF-OpenFlow] [ONF-SDN-Architecture]. | [RFC7149][ITU-T.Y.3300][ONF-OpenFlow] [ONF-SDN-Architecture]. | |||
| Legacy firewalls have some challenges such as the expensive cost, | Legacy firewalls have some challenges such as the expensive cost, | |||
| performance, management of access control, establishment of policy, | performance, management of access control, establishment of policy, | |||
| skipping to change at page 12, line 25 ¶ | skipping to change at page 12, line 23 ¶ | |||
| are permitted or denied for firewall within a specific | are permitted or denied for firewall within a specific | |||
| organization network under management. Thus, a centralized view | organization network under management. Thus, a centralized view | |||
| is helpful to determine security policies for such a network. | is helpful to determine security policies for such a network. | |||
| o Packet-based access mechanism: Packet-based access mechanism is | o Packet-based access mechanism: Packet-based access mechanism is | |||
| not enough for firewall in practice since the basic unit of access | not enough for firewall in practice since the basic unit of access | |||
| control is usually users or applications. Therefore, application | control is usually users or applications. Therefore, application | |||
| level rules can be defined and added to the firewall system | level rules can be defined and added to the firewall system | |||
| through the centralized server. | through the centralized server. | |||
| 5.2. Deep Packet Inspection: Centralized VoIP/VoLTE Security System | 6.2. Deep Packet Inspection: Centralized VoIP/VoLTE Security System | |||
| A centralized VoIP/VoLTE security system can monitor each VoIP/VoLTE | A centralized VoIP/VoLTE security system can monitor each VoIP/VoLTE | |||
| flow and manage VoIP/VoLTE security rules controlled by a centralized | flow and manage VoIP/VoLTE security rules, according to the | |||
| server for VoIP/VoLTE security service called VoIP Intrusion | configuration of a VoIP/VoLTE security service called VoIP Intrusion | |||
| Prevention System (IPS). The VoIP/VoLTE security system controls | Prevention System (IPS). This centralized VoIP/VoLTE security system | |||
| each switch for the VoIP/VoLTE call flow management by manipulating | controls each switch for the VoIP/VoLTE call flow management by | |||
| the rules that can be added, deleted or modified dynamically. | manipulating the rules that can be added, deleted or modified | |||
| dynamically. | ||||
| A centralized VoIP/VoLTE security system can cooperate with a network | The centralized VoIP/VoLTE security system can cooperate with a | |||
| firewall to realize VoIP/VoLTE security service. Specifically, a | network firewall to realize VoIP/VoLTE security service. | |||
| network firewall performs basic security checks of an unknown flow's | Specifically, a network firewall performs basic security checks of an | |||
| packet observed by a switch. If the network firewall detects that | unknown flow's packet observed by a switch. If the network firewall | |||
| the packet is an unknown VoIP call flow's packet that exhibits some | detects that the packet is an unknown VoIP call flow's packet that | |||
| suspicious patterns, then it triggers the VoIP/VoLTE security system | exhibits some suspicious patterns, then it triggers the VoIP/VoLTE | |||
| for more specialized security analysis of the suspicious VoIP call | security system for more specialized security analysis of the | |||
| packet. | suspicious VoIP call packet. | |||
| The procedure of VoIP/VoLTE security operations in this system is as | The procedure of VoIP/VoLTE security operations in this system is as | |||
| follows: | follows: | |||
| 1. A switch forwards an unknown flow's packet to the Switch | 1. A switch forwards an unknown flow's packet to the SDN Controller, | |||
| Controller, and the Switch Controller further forwards the | and the SDN Controller further forwards the unknown flow's packet | |||
| unknown flow's packet to the Firewall for basic security | to the Firewall for basic security inspection. | |||
| inspection. | ||||
| 2. The Firewall analyzes the header fields of the packet, and | 2. The Firewall analyzes the header fields of the packet, and | |||
| figures out that this is an unknown VoIP call flow's signal | figures out that this is an unknown VoIP call flow's signal | |||
| packet (e.g., SIP packet) of a suspicious pattern. | packet (e.g., SIP packet) of a suspicious pattern. | |||
| 3. The Firewall triggers an appropriate security service function, | 3. The Firewall triggers an appropriate security service function, | |||
| such as VoIP IPS, for detailed security analysis of the | such as VoIP IPS, for detailed security analysis of the | |||
| suspicious signal packet. That is, the firewall sends the packet | suspicious signal packet. That is, the firewall sends the packet | |||
| to the Service Function Forwarder (SFF) in the I2NSF framework | to the Service Function Forwarder (SFF) in the I2NSF framework | |||
| [nsf-triggered-steering], as shown in Figure 3. The SFF forwards | [nsf-triggered-steering], as shown in Figure 3. The SFF forwards | |||
| the suspicious signal packet to the VoIP IPS. | the suspicious signal packet to the VoIP IPS. | |||
| 4. The VoIP IPS analyzes the headers and contents of the signal | 4. The VoIP IPS analyzes the headers and contents of the signal | |||
| packet, such as calling number and session description headers | packet, such as calling number and session description headers | |||
| [RFC4566]. | [RFC4566]. | |||
| 5. If, for example, the VoIP IPS regards the packet as a spoofed | 5. If, for example, the VoIP IPS regards the packet as a spoofed | |||
| packet by hackers or a scanning packet searching for VoIP/VoLTE | packet by hackers or a scanning packet searching for VoIP/VoLTE | |||
| devices, it drops the packet. In addition, the VoIP IPS requests | devices, it drops the packet. In addition, the VoIP IPS requests | |||
| the Switch Controller to block that packet and the subsequent | the SDN Controller to block that packet and the subsequent | |||
| packets that have the same call-id. | packets that have the same call-id. | |||
| 6. The Switch Controller installs new rules (e.g., drop packets) | 6. The SDN Controller installs new rules (e.g., drop packets) into | |||
| into underlying switches. | underlying switches. | |||
| 7. The illegal packets are dropped by these switches. | 7. The illegal packets are dropped by these switches. | |||
| Existing SDN protocols can be used through standard interfaces | Existing SDN protocols can be used through standard interfaces | |||
| between the VoIP IPS application and switches [RFC7149][ITU-T.Y.3300] | between the VoIP IPS application and switches [RFC7149][ITU-T.Y.3300] | |||
| [ONF-OpenFlow][ONF-SDN-Architecture]. | [ONF-OpenFlow][ONF-SDN-Architecture]. | |||
| Legacy hardware based VoIP IPS has some challenges, such as | Legacy hardware based VoIP IPS has some challenges, such as | |||
| provisioning time, the granularity of security, expensive cost, and | provisioning time, the granularity of security, expensive cost, and | |||
| the establishment of policy. The I2NSF framework can resolve the | the establishment of policy. The I2NSF framework can resolve the | |||
| skipping to change at page 14, line 17 ¶ | skipping to change at page 14, line 13 ¶ | |||
| that we need to add VoIP IPS on each network resource. To solve | that we need to add VoIP IPS on each network resource. To solve | |||
| this, each network resource can be managed centrally such that a | this, each network resource can be managed centrally such that a | |||
| single VoIP IPS is manipulated by a centralized server. | single VoIP IPS is manipulated by a centralized server. | |||
| o The establishment of policy: Policy should be established for each | o The establishment of policy: Policy should be established for each | |||
| network resource. However, it is difficult to describe what flows | network resource. However, it is difficult to describe what flows | |||
| are permitted or denied for VoIP IPS within a specific | are permitted or denied for VoIP IPS within a specific | |||
| organization network under management. Thus, a centralized view | organization network under management. Thus, a centralized view | |||
| is helpful to determine security policies for such a network. | is helpful to determine security policies for such a network. | |||
| 5.3. Attack Mitigation: Centralized DDoS-attack Mitigation System | 6.3. Attack Mitigation: Centralized DDoS-attack Mitigation System | |||
| A centralized DDoS-attack mitigation can manage each network resource | A centralized DDoS-attack mitigation can manage each network resource | |||
| and manipulate rules to each switch through a centralized server for | and manipulate rules to each switch through a common server for DDoS- | |||
| DDoS-attack mitigation (called DDoS-attack Mitigator). The | attack mitigation (called DDoS-attack Mitigator). The centralized | |||
| centralized DDoS-attack mitigation system defends servers against | DDoS-attack mitigation system defends servers against DDoS attacks | |||
| DDoS attacks outside private network, that is, from public network. | outside the private network, that is, from public networks. | |||
| Servers are categorized into stateless servers (e.g., DNS servers) | Servers are categorized into stateless servers (e.g., DNS servers) | |||
| and stateful servers (e.g., web servers). For DDoS-attack | and stateful servers (e.g., web servers). For DDoS-attack | |||
| mitigation, traffic flows in switches are dynamically configured by | mitigation, traffic flows in switches are dynamically configured by | |||
| traffic flow forwarding path management according to the category of | traffic flow forwarding path management according to the category of | |||
| servers [AVANT-GUARD]. Such a managenent should consider the load | servers [AVANT-GUARD]. Such a managenent should consider the load | |||
| balance among the switches for the defense against DDoS attacks. | balance among the switches for the defense against DDoS attacks. | |||
| The procedure of DDoS-attack mitigation operations in this system is | The procedure of DDoS-attack mitigation operations in this system is | |||
| as follows: | as follows: | |||
| 1. A Switch periodically reports an inter-arrival pattern of a | 1. A Switch periodically reports an inter-arrival pattern of a | |||
| flow's packets to one of the Switch Controllers. | flow's packets to one of the SDN Controllers. | |||
| 2. The Switch Controller forwards the flow's inter-arrival pattern | 2. The SDN Controller forwards the flow's inter-arrival pattern to | |||
| to an appropriate security service application, such as DDoS- | an appropriate security service application, such as DDoS-attack | |||
| attack Mitigator. | Mitigator. | |||
| 3. The DDoS-attack Mitigator analyzes the reported pattern for the | 3. The DDoS-attack Mitigator analyzes the reported pattern for the | |||
| flow. | flow. | |||
| 4. If the DDoS-attack Mitigator regards the pattern as a DDoS | 4. If the DDoS-attack Mitigator regards the pattern as a DDoS | |||
| attack, it computes a packet dropping probability corresponding | attack, it computes a packet dropping probability corresponding | |||
| to suspiciousness level and reports this DDoS-attack flow to | to suspiciousness level and reports this DDoS-attack flow to the | |||
| Switch Controller. | SDN Controller. | |||
| 5. The Switch Controller installs new rules into switches (e.g., | 5. The SDN Controller installs new rules into switches (e.g., | |||
| forward packets with the suspicious inter-arrival pattern with a | forward packets with the suspicious inter-arrival pattern with a | |||
| dropping probability). | dropping probability). | |||
| 6. The suspicious flow's packets are randomly dropped by switches | 6. The suspicious flow's packets are randomly dropped by switches | |||
| with the dropping probability. | with the dropping probability. | |||
| For the above centralized DDoS-attack mitigation system, the existing | For the above centralized DDoS-attack mitigation system, the existing | |||
| SDN protocols can be used through standard interfaces between the | SDN protocols can be used through standard interfaces between the | |||
| DDoS-attack mitigator application and switches [RFC7149] | DDoS-attack mitigator application and switches [RFC7149] | |||
| [ITU-T.Y.3300][ONF-OpenFlow][ONF-SDN-Architecture]. | [ITU-T.Y.3300][ONF-OpenFlow][ONF-SDN-Architecture]. | |||
| skipping to change at page 15, line 49 ¶ | skipping to change at page 15, line 46 ¶ | |||
| for DDoS-attack mitigation. In addition, DDoS-attack mitigation | for DDoS-attack mitigation. In addition, DDoS-attack mitigation | |||
| rules can be dynamically added for new DDoS attacks. | rules can be dynamically added for new DDoS attacks. | |||
| o The establishment of policy: Policy should be established for each | o The establishment of policy: Policy should be established for each | |||
| network resource. However, it is difficult to describe what flows | network resource. However, it is difficult to describe what flows | |||
| are permitted or denied for new DDoS-attacks (e.g., DNS reflection | are permitted or denied for new DDoS-attacks (e.g., DNS reflection | |||
| attack) within a specific organization network under management. | attack) within a specific organization network under management. | |||
| Thus, a centralized view is helpful to determine security policies | Thus, a centralized view is helpful to determine security policies | |||
| for such a network. | for such a network. | |||
| So far this document has described the procedure and impact of the | So far this section has described the procedure and impact of the | |||
| three use cases for network-based security services using the I2NSF | three use cases for network-based security services using the I2NSF | |||
| framework with SDN networks. To support these use cases in the | framework with SDN networks. To support these use cases in the | |||
| proposed data-driven security service framework, YANG data models | proposed data-driven security service framework, YANG data models | |||
| described in [consumer-facing-inf-dm], [nsf-facing-inf-dm], and | described in [consumer-facing-inf-dm], [nsf-facing-inf-dm], and | |||
| [registration-inf-dm] can be used as Consumer-Facing Interface, NSF- | [registration-inf-dm] can be used as Consumer-Facing Interface, NSF- | |||
| Facing Interface, and Registration Interface, respectively, along | Facing Interface, and Registration Interface, respectively, along | |||
| with RESTCONF [RFC8040] and NETCONF [RFC6241]. | with RESTCONF [RFC8040] and NETCONF [RFC6241]. | |||
| 6. I2NSF Framework with NFV | 7. I2NSF Framework with NFV | |||
| This section discusses the implementation of the I2NSF framework with | This section discusses the implementation of the I2NSF framework | |||
| Network Functions Virtualization (called NFV). | using Network Functions Virtualization (NFV). | |||
| +--------------------+ | +--------------------+ | |||
| +-------------------------------------------+ | ---------------- | | +-------------------------------------------+ | ---------------- | | |||
| | I2NSF User (OSS/BSS) | | | NFV | | | | I2NSF User (OSS/BSS) | | | NFV | | | |||
| +------+------------------------------------+ | | Orchestrator +-+ | | +------+------------------------------------+ | | Orchestrator +-+ | | |||
| | Consumer-Facing Interface | -----+---------- | | | | Consumer-Facing Interface | -----+---------- | | | |||
| +------|------------------------------------+ | | | | | +------|------------------------------------+ | | | | | |||
| | -----+---------- (a) ----------------- | | | | | | | -----+---------- (a) ----------------- | | | | | | |||
| | | Security |-------| Developer's | | | | | | | | | Security |-------| Developer's | | | | | | | |||
| | |Controller(EM)| |Mgmt System(EM)| | | | | | | | |Controller(EM)| |Mgmt System(EM)| | | | | | | |||
| skipping to change at page 17, line 42 ¶ | skipping to change at page 16, line 49 ¶ | |||
| | | ----------- ----------- ----------- | | | | | | | ----------- ----------- ----------- | | | | | |||
| | | | Compute | | Storage | | Network | | | | | | | | | Compute | | Storage | | Network | | | | | | |||
| | | | Hardware| | Hardware| | Hardware| | | | | | | | | Hardware| | Hardware| | Hardware| | | | | | |||
| | | ----------- ----------- ----------- | | | | | | | ----------- ----------- ----------- | | | | | |||
| | | Hardware Resources | | | NFV Management | | | | Hardware Resources | | | NFV Management | | |||
| | +---------------------------------------+ | | and Orchestration | | | +---------------------------------------+ | | and Orchestration | | |||
| +-------------------------------------------+ +--------------------+ | +-------------------------------------------+ +--------------------+ | |||
| (a) = Registration Interface | (a) = Registration Interface | |||
| (b) = Ve-Vnfm Interface | (b) = Ve-Vnfm Interface | |||
| Figure 4: I2NSF Framework Implementation in NFV Reference | Figure 4: I2NSF Framework Implementation with respect to the NFV | |||
| Architectural Framework | Reference Architectural Framework | |||
| NFV is a promising technology for improving the elasticity and | NFV is a promising technology for improving the elasticity and | |||
| efficiency of network resource utilization. In NFV environments, | efficiency of network resource utilization. In NFV environments, | |||
| NSFs can be deployed in the forms of software-based virtual instances | NSFs can be deployed in the forms of software-based virtual instances | |||
| rather than physical appliances. Virtualizing NSFs makes it possible | rather than physical appliances. Virtualizing NSFs makes it possible | |||
| to rapidly and flexibly respond to the amount of service requests by | to rapidly and flexibly respond to the amount of service requests by | |||
| dynamically increasing or decreasing the number of NSF instances. | dynamically increasing or decreasing the number of NSF instances. | |||
| Moreover, NFV technology facilitates flexibly including or excluding | Moreover, NFV technology facilitates flexibly including or excluding | |||
| NSFs from multiple security solution vendors according to the changes | NSFs from multiple security solution vendors according to the changes | |||
| on security requirements. In order to take advantages of the NFV | on security requirements. In order to take advantages of the NFV | |||
| skipping to change at page 19, line 9 ¶ | skipping to change at page 18, line 19 ¶ | |||
| allocated resources. | allocated resources. | |||
| 5. Once the NSF instance has been created by the VNFM, the DMS | 5. Once the NSF instance has been created by the VNFM, the DMS | |||
| performs the initial configurations of the NSF instance and then | performs the initial configurations of the NSF instance and then | |||
| notifies the Security Controller of the NSF instance. | notifies the Security Controller of the NSF instance. | |||
| 6. After being notified of the created NSF instance, the Security | 6. After being notified of the created NSF instance, the Security | |||
| Controller delivers low-level security policy rules to the NSF | Controller delivers low-level security policy rules to the NSF | |||
| instance for policy enforcement. | instance for policy enforcement. | |||
| The I2NSF framework can be implemented based on the NFV architecture. | We can conclude that the I2NSF framework can be implemented based on | |||
| Note that the registration of the capabilities of NSFs is performed | the NFV architecture framework. Note that the registration of the | |||
| through the Registration Interface and the life-cycle management for | capabilities of NSFs is performed through the Registration Interface | |||
| NSFs (VNFs) is performed through the Ve-Vnfm interface between the | and the lifecycle management for NSFs (VNFs) is performed through the | |||
| DMS and VNFM, as shown in Figure 4. More details about the I2NSF | Ve-Vnfm interface between the DMS and VNFM, as shown in Figure 4. | |||
| framework based on the NFV reference architecture are described in | More details about the I2NSF framework based on the NFV reference | |||
| [i2nsf-nfv-architecture]. | architecture are described in [i2nsf-nfv-architecture]. | |||
| 7. Security Considerations | 8. Security Considerations | |||
| The I2NSF framework with SDN networks in this document is derived | The same security considerations for the I2NSF framework [RFC8329] | |||
| from the I2NSF framework [RFC8329], so the security considerations of | are applicable to this document. | |||
| the I2NSF framework should be included in this document. Therefore, | ||||
| proper secure communication channels should be used the delivery of | ||||
| control or management messages among the components in the proposed | ||||
| framework. | ||||
| This document shares all the security issues of SDN that are | This document shares all the security issues of SDN that are | |||
| specified in the "Security Considerations" section of [ITU-T.Y.3300]. | specified in the "Security Considerations" section of [ITU-T.Y.3300]. | |||
| 8. Acknowledgments | 9. Acknowledgments | |||
| This work was supported by Institute for Information & communications | This work was supported by Institute for Information & communications | |||
| Technology Promotion (IITP) grant funded by the Korea government | Technology Promotion (IITP) grant funded by the Korea government | |||
| (MSIP) (No.R-20160222-002755, Cloud based Security Intelligence | (MSIP) (No.R-20160222-002755, Cloud based Security Intelligence | |||
| Technology Development for the Customized Security Service | Technology Development for the Customized Security Service | |||
| Provisioning). | Provisioning). | |||
| 9. Contributors | 10. Contributors | |||
| I2NSF is a group effort. I2NSF has had a number of contributing | I2NSF is a group effort. I2NSF has had a number of contributing | |||
| authors. The following are considered co-authors: | authors. The following are considered co-authors: | |||
| o Hyoungshick Kim (Sungkyunkwan University) | o Hyoungshick Kim (Sungkyunkwan University) | |||
| o Jinyong Tim Kim (Sungkyunkwan University) | o Jinyong Tim Kim (Sungkyunkwan University) | |||
| o Hyunsik Yang (Soongsil University) | o Hyunsik Yang (Soongsil University) | |||
| o Younghan Kim (Soongsil University) | o Younghan Kim (Soongsil University) | |||
| o Jung-Soo Park (ETRI) | o Jung-Soo Park (ETRI) | |||
| o Se-Hui Lee (Korea Telecom) | o Se-Hui Lee (Korea Telecom) | |||
| o Mohamed Boucadair (Orange) | o Mohamed Boucadair (Orange) | |||
| 10. Informative References | 11. Informative References | |||
| [AVANT-GUARD] | [AVANT-GUARD] | |||
| Shin, S., Yegneswaran, V., Porras, P., and G. Gu, "AVANT- | Shin, S., Yegneswaran, V., Porras, P., and G. Gu, "AVANT- | |||
| GUARD: Scalable and Vigilant Switch Flow Management in | GUARD: Scalable and Vigilant Switch Flow Management in | |||
| Software-Defined Networks", ACM CCS, November 2013. | Software-Defined Networks", ACM CCS, November 2013. | |||
| [consumer-facing-inf-dm] | [consumer-facing-inf-dm] | |||
| Jeong, J., Kim, E., Ahn, T., Kumar, R., and S. Hares, | Jeong, J., Kim, E., Ahn, T., Kumar, R., and S. Hares, | |||
| "I2NSF Consumer-Facing Interface YANG Data Model", draft- | "I2NSF Consumer-Facing Interface YANG Data Model", draft- | |||
| ietf-i2nsf-consumer-facing-interface-dm-01 (work in | ietf-i2nsf-consumer-facing-interface-dm-01 (work in | |||
| skipping to change at page 21, line 38 ¶ | skipping to change at page 20, line 42 ¶ | |||
| October 2013. | October 2013. | |||
| [ONF-SDN-Architecture] | [ONF-SDN-Architecture] | |||
| ONF, "SDN Architecture", June 2014. | ONF, "SDN Architecture", June 2014. | |||
| [opsawg-firewalls] | [opsawg-firewalls] | |||
| Baker, F. and P. Hoffman, "On Firewalls in Internet | Baker, F. and P. Hoffman, "On Firewalls in Internet | |||
| Security", draft-ietf-opsawg-firewalls-01 (work in | Security", draft-ietf-opsawg-firewalls-01 (work in | |||
| progress), October 2012. | progress), October 2012. | |||
| [policy-translation] | ||||
| Yang, J., Jeong, J., and J. Kim, "Security Policy | ||||
| Translation in Interface to Network Security Functions", | ||||
| draft-yang-i2nsf-security-policy-translation-01 (work in | ||||
| progress), July 2018. | ||||
| [registration-inf-dm] | [registration-inf-dm] | |||
| Hyun, S., Jeong, J., Roh, T., Wi, S., and J. Park, "I2NSF | Hyun, S., Jeong, J., Roh, T., Wi, S., and J. Park, "I2NSF | |||
| Registration Interface YANG Data Model", draft-hyun-i2nsf- | Registration Interface YANG Data Model", draft-hyun-i2nsf- | |||
| registration-dm-05 (work in progress), July 2018. | registration-dm-06 (work in progress), July 2018. | |||
| [registration-inf-im] | ||||
| Hyun, S., Jeong, J., Roh, T., Wi, S., and J. Park, "I2NSF | ||||
| Registration Interface Information Model", draft-hyun- | ||||
| i2nsf-registration-interface-im-06 (work in progress), | ||||
| July 2018. | ||||
| [RFC4566] Handley, M., Jacobson, V., and C. Perkins, "SDP: Session | [RFC4566] Handley, M., Jacobson, V., and C. Perkins, "SDP: Session | |||
| Description Protocol", RFC 4566, July 2006. | Description Protocol", RFC 4566, July 2006. | |||
| [RFC6020] Bjorklund, M., "YANG - A Data Modeling Language for the | [RFC6020] Bjorklund, M., "YANG - A Data Modeling Language for the | |||
| Network Configuration Protocol (NETCONF)", RFC 6020, | Network Configuration Protocol (NETCONF)", RFC 6020, | |||
| October 2010. | October 2010. | |||
| [RFC6241] Enns, R., Bjorklund, M., Schoenwaelder, J., and A. | [RFC6241] Enns, R., Bjorklund, M., Schoenwaelder, J., and A. | |||
| Bierman, "Network Configuration Protocol (NETCONF)", | Bierman, "Network Configuration Protocol (NETCONF)", | |||
| skipping to change at page 23, line 5 ¶ | skipping to change at page 22, line 5 ¶ | |||
| (I2NSF): Problem Statement and Use Cases", RFC 8192, July | (I2NSF): Problem Statement and Use Cases", RFC 8192, July | |||
| 2017. | 2017. | |||
| [RFC8300] Quinn, P., Elzur, U., and C. Pignataro, "Network Service | [RFC8300] Quinn, P., Elzur, U., and C. Pignataro, "Network Service | |||
| Header (NSH)", RFC 8300, January 2018. | Header (NSH)", RFC 8300, January 2018. | |||
| [RFC8329] Lopez, D., Lopez, E., Dunbar, L., Strassner, J., and R. | [RFC8329] Lopez, D., Lopez, E., Dunbar, L., Strassner, J., and R. | |||
| Kumar, "Framework for Interface to Network Security | Kumar, "Framework for Interface to Network Security | |||
| Functions", RFC 8329, February 2018. | Functions", RFC 8329, February 2018. | |||
| Appendix A. Changes from draft-ietf-i2nsf-applicability-03 | Appendix A. Changes from draft-ietf-i2nsf-applicability-04 | |||
| The following changes have been made from draft-ietf-i2nsf- | The following changes have been made from draft-ietf-i2nsf- | |||
| applicability-03: | applicability-04: | |||
| o In Section 4, NSF-Facing Interface is used between Security | o A more precise description of the basic I2NSF flows is provided. | |||
| Controller and Classifier (or SFF) in order to configure | ||||
| Classifier (or SFF) for SFC-based NSF chaining. | ||||
| o In Section 6, Developer's Management System is implemented as EM | o The structure of the document makes each discussed use case be an | |||
| rather than VNFM in the NFV reference architecture. | applicability statement according to the applied technology, such | |||
| as SFC, SDN, and NFV. | ||||
| o In Section 6, Switch Controller is replaced by SDN Controller for | ||||
| the terminology consistency in SDN standards. Switch is replaced | ||||
| by forwarding element as a general term. | ||||
| Authors' Addresses | Authors' Addresses | |||
| Jaehoon Paul Jeong | Jaehoon Paul Jeong | |||
| Department of Software | Department of Software | |||
| Sungkyunkwan University | Sungkyunkwan University | |||
| 2066 Seobu-Ro, Jangan-Gu | 2066 Seobu-Ro, Jangan-Gu | |||
| Suwon, Gyeonggi-Do 16419 | Suwon, Gyeonggi-Do 16419 | |||
| Republic of Korea | Republic of Korea | |||
| End of changes. 74 change blocks. | ||||
| 233 lines changed or deleted | 215 lines changed or added | |||
This html diff was produced by rfcdiff 1.47. The latest version is available from http://tools.ietf.org/tools/rfcdiff/ | ||||