draft-ietf-i2nsf-applicability-06.txt | draft-ietf-i2nsf-applicability-07.txt | |||
---|---|---|---|---|
skipping to change at page 1, line 17 ¶ | skipping to change at page 1, line 17 ¶ | |||
T. Ahn | T. Ahn | |||
Korea Telecom | Korea Telecom | |||
S. Hares | S. Hares | |||
Huawei | Huawei | |||
D. Lopez | D. Lopez | |||
Telefonica I+D | Telefonica I+D | |||
October 22, 2018 | October 22, 2018 | |||
Applicability of Interfaces to Network Security Functions to Network- | Applicability of Interfaces to Network Security Functions to Network- | |||
Based Security Services | Based Security Services | |||
draft-ietf-i2nsf-applicability-06 | draft-ietf-i2nsf-applicability-07 | |||
Abstract | Abstract | |||
This document describes the applicability of Interface to Network | This document describes the applicability of Interface to Network | |||
Security Functions (I2NSF) to network-based security services in | Security Functions (I2NSF) to network-based security services in | |||
Network Functions Virtualization (NFV) environments, such as | Network Functions Virtualization (NFV) environments, such as | |||
firewall, deep packet inspection, or attack mitigation engines. | firewall, deep packet inspection, or attack mitigation engines. | |||
Status of This Memo | Status of This Memo | |||
This Internet-Draft is submitted in full conformance with the | This Internet-Draft is submitted in full conformance with the | |||
provisions of BCP 78 and BCP 79. | provisions of BCP 78 and BCP 79. | |||
Internet-Drafts are working documents of the Internet Engineering | Internet-Drafts are working documents of the Internet Engineering | |||
Task Force (IETF). Note that other groups may also distribute | Task Force (IETF). Note that other groups may also distribute | |||
working documents as Internet-Drafts. The list of current Internet- | working documents as Internet-Drafts. The list of current Internet- | |||
Drafts is at https://datatracker.ietf.org/drafts/current/. | Drafts is at http://datatracker.ietf.org/drafts/current/. | |||
Internet-Drafts are draft documents valid for a maximum of six months | Internet-Drafts are draft documents valid for a maximum of six months | |||
and may be updated, replaced, or obsoleted by other documents at any | and may be updated, replaced, or obsoleted by other documents at any | |||
time. It is inappropriate to use Internet-Drafts as reference | time. It is inappropriate to use Internet-Drafts as reference | |||
material or to cite them other than as "work in progress." | material or to cite them other than as "work in progress." | |||
This Internet-Draft will expire on April 25, 2019. | This Internet-Draft will expire on April 25, 2019. | |||
Copyright Notice | Copyright Notice | |||
Copyright (c) 2018 IETF Trust and the persons identified as the | Copyright (c) 2018 IETF Trust and the persons identified as the | |||
document authors. All rights reserved. | document authors. All rights reserved. | |||
This document is subject to BCP 78 and the IETF Trust's Legal | This document is subject to BCP 78 and the IETF Trust's Legal | |||
Provisions Relating to IETF Documents | Provisions Relating to IETF Documents | |||
(https://trustee.ietf.org/license-info) in effect on the date of | (http://trustee.ietf.org/license-info) in effect on the date of | |||
publication of this document. Please review these documents | publication of this document. Please review these documents | |||
carefully, as they describe your rights and restrictions with respect | carefully, as they describe your rights and restrictions with respect | |||
to this document. Code Components extracted from this document must | to this document. Code Components extracted from this document must | |||
include Simplified BSD License text as described in Section 4.e of | include Simplified BSD License text as described in Section 4.e of | |||
the Trust Legal Provisions and are provided without warranty as | the Trust Legal Provisions and are provided without warranty as | |||
described in the Simplified BSD License. | described in the Simplified BSD License. | |||
Table of Contents | Table of Contents | |||
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2 | 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 3 | |||
2. Terminology . . . . . . . . . . . . . . . . . . . . . . . . . 3 | 2. Terminology . . . . . . . . . . . . . . . . . . . . . . . . . 3 | |||
3. I2NSF Framework . . . . . . . . . . . . . . . . . . . . . . . 4 | 3. I2NSF Framework . . . . . . . . . . . . . . . . . . . . . . . 4 | |||
4. Time-dependent Web Access Control Service . . . . . . . . . . 5 | 4. Time-dependent Web Access Control Service . . . . . . . . . . 5 | |||
5. I2NSF Framework with SFC . . . . . . . . . . . . . . . . . . 7 | 5. I2NSF Framework with SFC . . . . . . . . . . . . . . . . . . . 7 | |||
6. I2NSF Framework with SDN . . . . . . . . . . . . . . . . . . 8 | 6. I2NSF Framework with SDN . . . . . . . . . . . . . . . . . . . 8 | |||
6.1. Firewall: Centralized Firewall System . . . . . . . . . . 11 | 6.1. Firewall: Centralized Firewall System . . . . . . . . . . 10 | |||
6.2. Deep Packet Inspection: Centralized VoIP/VoLTE Security | 6.2. Deep Packet Inspection: Centralized VoIP/VoLTE | |||
System . . . . . . . . . . . . . . . . . . . . . . . . . 12 | Security System . . . . . . . . . . . . . . . . . . . . . 12 | |||
6.3. Attack Mitigation: Centralized DDoS-attack Mitigation | 6.3. Attack Mitigation: Centralized DDoS-attack Mitigation | |||
System . . . . . . . . . . . . . . . . . . . . . . . . . 14 | System . . . . . . . . . . . . . . . . . . . . . . . . . . 14 | |||
7. I2NSF Framework with NFV . . . . . . . . . . . . . . . . . . 16 | 7. I2NSF Framework with NFV . . . . . . . . . . . . . . . . . . . 16 | |||
8. Security Considerations . . . . . . . . . . . . . . . . . . . 18 | 8. Security Considerations . . . . . . . . . . . . . . . . . . . 18 | |||
9. Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . 18 | 9. Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . 18 | |||
10. Contributors . . . . . . . . . . . . . . . . . . . . . . . . 18 | 10. Contributors . . . . . . . . . . . . . . . . . . . . . . . . . 18 | |||
11. Informative References . . . . . . . . . . . . . . . . . . . 19 | 11. Informative References . . . . . . . . . . . . . . . . . . . . 19 | |||
Appendix A. Changes from draft-ietf-i2nsf-applicability-05 . . . 22 | Appendix A. Changes from draft-ietf-i2nsf-applicability-06 . . . 21 | |||
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 22 | ||||
1. Introduction | 1. Introduction | |||
Interface to Network Security Functions (I2NSF) defines a framework | Interface to Network Security Functions (I2NSF) defines a framework | |||
and interfaces for interacting with Network Security Functions | and interfaces for interacting with Network Security Functions | |||
(NSFs). The I2NSF framework allows heterogeneous NSFs developed by | (NSFs). The I2NSF framework allows heterogeneous NSFs developed by | |||
different security solution vendors to be used in the Network | different security solution vendors to be used in the Network | |||
Functions Virtualization (NFV) environment [ETSI-NFV] by utilizing | Functions Virtualization (NFV) environment [ETSI-NFV] by utilizing | |||
the capabilities of such products and the virtualization of security | the capabilities of such products and the virtualization of security | |||
functions in the NFV platform. In the I2NSF framework, each NSF | functions in the NFV platform. In the I2NSF framework, each NSF | |||
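Review bot: the -07 side downgrades two boilerplate links from https to http (the "Drafts is at ..." datatracker URL and the "license-info" trustee URL in the Copyright Notice) while -06 had https, and the "Authors' Addresses" entry present in the -06 Table of Contents no longer appears in the -07 Table of Contents; neither change is recorded in Appendix A. If these come from regenerating the draft with a different tool rather than from an intentional edit, restore the https URLs and the ToC entry before the next revision, otherwise list them in the change log.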
skipping to change at page 18, line 43 ¶ | skipping to change at page 18, line 39 ¶ | |||
specified in the "Security Considerations" section of [ITU-T.Y.3300]. | specified in the "Security Considerations" section of [ITU-T.Y.3300]. | |||
9. Acknowledgments | 9. Acknowledgments | |||
This work was supported by Institute for Information & communications | This work was supported by Institute for Information & communications | |||
Technology Promotion (IITP) grant funded by the Korea government | Technology Promotion (IITP) grant funded by the Korea government | |||
(MSIP) (No.R-20160222-002755, Cloud based Security Intelligence | (MSIP) (No.R-20160222-002755, Cloud based Security Intelligence | |||
Technology Development for the Customized Security Service | Technology Development for the Customized Security Service | |||
Provisioning). | Provisioning). | |||
This work has been partially supported by the European Commission | ||||
under Horizon 2020 grant agreement no. 700199 "Securing against | ||||
intruders and other threats through a NFV-enabled environment | ||||
(SHIELD)". This support does not imply endorsement. | ||||
10. Contributors | 10. Contributors | |||
I2NSF is a group effort. I2NSF has had a number of contributing | I2NSF is a group effort. I2NSF has had a number of contributing | |||
authors. The following are considered co-authors: | authors. The following are considered co-authors: | |||
o Hyoungshick Kim (Sungkyunkwan University) | o Hyoungshick Kim (Sungkyunkwan University) | |||
o Jinyong Tim Kim (Sungkyunkwan University) | o Jinyong Tim Kim (Sungkyunkwan University) | |||
o Hyunsik Yang (Soongsil University) | o Hyunsik Yang (Soongsil University) | |||
o Younghan Kim (Soongsil University) | o Younghan Kim (Soongsil University) | |||
o Jung-Soo Park (ETRI) | o Jung-Soo Park (ETRI) | |||
o Se-Hui Lee (Korea Telecom) | o Se-Hui Lee (Korea Telecom) | |||
o Mohamed Boucadair (Orange) | o Mohamed Boucadair (Orange) | |||
11. Informative References | 11. Informative References | |||
skipping to change at page 19, line 14 ¶ | skipping to change at page 19, line 18 ¶ | |||
o Younghan Kim (Soongsil University) | o Younghan Kim (Soongsil University) | |||
o Jung-Soo Park (ETRI) | o Jung-Soo Park (ETRI) | |||
o Se-Hui Lee (Korea Telecom) | o Se-Hui Lee (Korea Telecom) | |||
o Mohamed Boucadair (Orange) | o Mohamed Boucadair (Orange) | |||
11. Informative References | 11. Informative References | |||
[AVANT-GUARD] | [RFC8329] Lopez, D., Lopez, E., Dunbar, L., | |||
Shin, S., Yegneswaran, V., Porras, P., and G. Gu, "AVANT- | Strassner, J., and R. Kumar, "Framework for | |||
GUARD: Scalable and Vigilant Switch Flow Management in | Interface to Network Security Functions", | |||
Software-Defined Networks", ACM CCS, November 2013. | RFC 8329, February 2018. | |||
[consumer-facing-inf-dm] | [RFC6020] Bjorklund, M., "YANG - A Data Modeling | |||
Jeong, J., Kim, E., Ahn, T., Kumar, R., and S. Hares, | Language for the Network Configuration | |||
"I2NSF Consumer-Facing Interface YANG Data Model", draft- | Protocol (NETCONF)", RFC 6020, | |||
ietf-i2nsf-consumer-facing-interface-dm-01 (work in | October 2010. | |||
progress), July 2018. | ||||
[consumer-facing-inf-im] | [RFC6241] Enns, R., Bjorklund, M., Schoenwaelder, J., | |||
Kumar, R., Lohiya, A., Qi, D., Bitar, N., Palislamovic, | and A. Bierman, "Network Configuration | |||
S., Xia, L., and J. Jeong, "Information Model for | Protocol (NETCONF)", RFC 6241, June 2011. | |||
Consumer-Facing Interface to Security Controller", draft- | ||||
kumar-i2nsf-client-facing-interface-im-07 (work in | ||||
progress), July 2018. | ||||
[ETSI-NFV] | [RFC8040] Bierman, A., Bjorklund, M., and K. Watsen, | |||
ETSI GS NFV 002 V1.1.1, "Network Functions Virtualization | "RESTCONF Protocol", RFC 8040, | |||
(NFV); Architectural Framework", October 2013. | January 2017. | |||
[i2nsf-nfv-architecture] | [consumer-facing-inf-im] Kumar, R., Lohiya, A., Qi, D., Bitar, N., | |||
Yang, H. and Y. Kim, "I2NSF on the NFV Reference | Palislamovic, S., Xia, L., and J. Jeong, | |||
Architecture", draft-yang-i2nsf-nfv-architecture-02 (work | "Information Model for Consumer-Facing | |||
in progress), June 2018. | Interface to Security Controller", draft- | |||
kumar-i2nsf-client-facing-interface-im-07 | ||||
(work in progress), July 2018. | ||||
[i2nsf-nsf-cap-im] | [consumer-facing-inf-dm] Jeong, J., Kim, E., Ahn, T., Kumar, R., and | |||
Xia, L., Strassner, J., Basile, C., and D. Lopez, | S. Hares, "I2NSF Consumer-Facing Interface | |||
"Information Model of NSFs Capabilities", draft-ietf- | YANG Data Model", draft-ietf-i2nsf- | |||
i2nsf-capability-02 (work in progress), July 2018. | consumer-facing-interface-dm-01 (work in | |||
progress), July 2018. | ||||
[i2nsf-terminology] | [i2nsf-nsf-cap-im] Xia, L., Strassner, J., Basile, C., and D. | |||
Hares, S., Strassner, J., Lopez, D., Xia, L., and H. | Lopez, "Information Model of NSFs | |||
Birkholz, "Interface to Network Security Functions (I2NSF) | Capabilities", | |||
Terminology", draft-ietf-i2nsf-terminology-06 (work in | draft-ietf-i2nsf-capability-02 (work in | |||
progress), July 2018. | progress), July 2018. | |||
[ITU-T.X.1252] | [policy-translation] Yang, J., Jeong, J., and J. Kim, "Security | |||
Recommendation ITU-T X.1252, "Baseline Identity Management | Policy Translation in Interface to Network | |||
Terms and Definitions", April 2010. | Security Functions", draft-yang-i2nsf- | |||
security-policy-translation-01 (work in | ||||
progress), July 2018. | ||||
[ITU-T.X.800] | [nsf-facing-inf-dm] Kim, J., Jeong, J., Park, J., Hares, S., | |||
Recommendation ITU-T X.800, "Security Architecture for | and Q. Lin, "I2NSF Network Security | |||
Open Systems Interconnection for CCITT Applications", | Function-Facing Interface YANG Data Model", | |||
March 1991. | draft-ietf-i2nsf-nsf-facing-interface-data- | |||
model-01 (work in progress), July 2018. | ||||
[ITU-T.Y.3300] | [registration-inf-dm] Hyun, S., Jeong, J., Roh, T., Wi, S., and | |||
Recommendation ITU-T Y.3300, "Framework of Software- | J. Park, "I2NSF Registration Interface YANG | |||
Defined Networking", June 2014. | Data Model", | |||
draft-hyun-i2nsf-registration-dm-06 (work | ||||
in progress), July 2018. | ||||
[nsf-facing-inf-dm] | [nsf-triggered-steering] Hyun, S., Jeong, J., Park, J., and S. | |||
Kim, J., Jeong, J., Park, J., Hares, S., and Q. Lin, | Hares, "Service Function Chaining-Enabled | |||
"I2NSF Network Security Function-Facing Interface YANG | I2NSF Architecture", | |||
Data Model", draft-ietf-i2nsf-nsf-facing-interface-data- | draft-hyun-i2nsf-nsf-triggered-steering-06 | |||
model-01 (work in progress), July 2018. | (work in progress), July 2018. | |||
[nsf-triggered-steering] | [i2nsf-nfv-architecture] Yang, H. and Y. Kim, "I2NSF on the NFV | |||
Hyun, S., Jeong, J., Park, J., and S. Hares, "Service | Reference Architecture", | |||
Function Chaining-Enabled I2NSF Architecture", draft-hyun- | draft-yang-i2nsf-nfv-architecture-02 (work | |||
i2nsf-nsf-triggered-steering-06 (work in progress), July | in progress), June 2018. | |||
2018. | ||||
[ONF-OpenFlow] | [RFC7149] Boucadair, M. and C. Jacquenet, "Software- | |||
ONF, "OpenFlow Switch Specification (Version 1.4.0)", | Defined Networking: A Perspective from | |||
October 2013. | within a Service Provider Environment", | |||
RFC 7149, March 2014. | ||||
[ONF-SDN-Architecture] | [ITU-T.Y.3300] Recommendation ITU-T Y.3300, "Framework of | |||
ONF, "SDN Architecture", June 2014. | Software-Defined Networking", June 2014. | |||
[opsawg-firewalls] | [ONF-OpenFlow] ONF, "OpenFlow Switch Specification | |||
Baker, F. and P. Hoffman, "On Firewalls in Internet | (Version 1.4.0)", October 2013. | |||
Security", draft-ietf-opsawg-firewalls-01 (work in | ||||
progress), October 2012. | ||||
[policy-translation] | [ONF-SDN-Architecture] ONF, "SDN Architecture", June 2014. | |||
Yang, J., Jeong, J., and J. Kim, "Security Policy | ||||
Translation in Interface to Network Security Functions", | ||||
draft-yang-i2nsf-security-policy-translation-01 (work in | ||||
progress), July 2018. | ||||
[registration-inf-dm] | [ITU-T.X.1252] Recommendation ITU-T X.1252, "Baseline | |||
Hyun, S., Jeong, J., Roh, T., Wi, S., and J. Park, "I2NSF | Identity Management Terms and Definitions", | |||
Registration Interface YANG Data Model", draft-hyun-i2nsf- | April 2010. | |||
registration-dm-06 (work in progress), July 2018. | ||||
[RFC4566] Handley, M., Jacobson, V., and C. Perkins, "SDP: Session | [ITU-T.X.800] Recommendation ITU-T X.800, "Security | |||
Description Protocol", RFC 4566, July 2006. | Architecture for Open Systems | |||
Interconnection for CCITT Applications", | ||||
March 1991. | ||||
[RFC6020] Bjorklund, M., "YANG - A Data Modeling Language for the | [AVANT-GUARD] Shin, S., Yegneswaran, V., Porras, P., and | |||
Network Configuration Protocol (NETCONF)", RFC 6020, | G. Gu, "AVANT-GUARD: Scalable and Vigilant | |||
October 2010. | Switch Flow Management in Software-Defined | |||
Networks", ACM CCS, November 2013. | ||||
[RFC6241] Enns, R., Bjorklund, M., Schoenwaelder, J., and A. | [ETSI-NFV] ETSI GS NFV 002 V1.1.1, "Network Functions | |||
Bierman, "Network Configuration Protocol (NETCONF)", | Virtualization (NFV); Architectural | |||
RFC 6241, June 2011. | Framework", October 2013. | |||
[RFC7149] Boucadair, M. and C. Jacquenet, "Software-Defined | [RFC4566] Handley, M., Jacobson, V., and C. Perkins, | |||
Networking: A Perspective from within a Service Provider | "SDP: Session Description Protocol", | |||
Environment", RFC 7149, March 2014. | RFC 4566, July 2006. | |||
[RFC7665] Halpern, J. and C. Pignataro, "Service Function Chaining | [i2nsf-terminology] Hares, S., Strassner, J., Lopez, D., Xia, | |||
(SFC) Architecture", RFC 7665, October 2015. | L., and H. Birkholz, "Interface to Network | |||
Security Functions (I2NSF) Terminology", | ||||
draft-ietf-i2nsf-terminology-06 (work in | ||||
progress), July 2018. | ||||
[RFC8040] Bierman, A., Bjorklund, M., and K. Watsen, "RESTCONF | [opsawg-firewalls] Baker, F. and P. Hoffman, "On Firewalls in | |||
Protocol", RFC 8040, January 2017. | Internet Security", | |||
draft-ietf-opsawg-firewalls-01 (work in | ||||
progress), October 2012. | ||||
[RFC8192] Hares, S., Lopez, D., Zarny, M., Jacquenet, C., Kumar, R., | [RFC8192] Hares, S., Lopez, D., Zarny, M., Jacquenet, | |||
and J. Jeong, "Interface to Network Security Functions | C., Kumar, R., and J. Jeong, "Interface to | |||
(I2NSF): Problem Statement and Use Cases", RFC 8192, July | Network Security Functions (I2NSF): Problem | |||
2017. | Statement and Use Cases", RFC 8192, | |||
July 2017. | ||||
[RFC8300] Quinn, P., Elzur, U., and C. Pignataro, "Network Service | [RFC7665] Halpern, J. and C. Pignataro, "Service | |||
Header (NSH)", RFC 8300, January 2018. | Function Chaining (SFC) Architecture", | |||
RFC 7665, October 2015. | ||||
[RFC8329] Lopez, D., Lopez, E., Dunbar, L., Strassner, J., and R. | [RFC8300] Quinn, P., Elzur, U., and C. Pignataro, | |||
Kumar, "Framework for Interface to Network Security | "Network Service Header (NSH)", RFC 8300, | |||
Functions", RFC 8329, February 2018. | January 2018. | |||
Appendix A. Changes from draft-ietf-i2nsf-applicability-05 | Appendix A. Changes from draft-ietf-i2nsf-applicability-06 | |||
The following change has been made from draft-ietf-i2nsf- | The following change has been made from | |||
applicability-05: | draft-ietf-i2nsf-applicability-06: | |||
o In Figure 3, a separate box of SFF and the relevant interfaces | o Add the acknowledgment to the EU H2020 project SHIELD. | |||
have been omitted to avoid misleading. Instead, SDN switches may | ||||
play the role of SFF and Classifier in an SDN network. | ||||
Authors' Addresses | Authors' Addresses | |||
Jaehoon Paul Jeong | Jaehoon Paul Jeong | |||
Department of Software | Department of Software | |||
Sungkyunkwan University | Sungkyunkwan University | |||
2066 Seobu-Ro, Jangan-Gu | 2066 Seobu-Ro, Jangan-Gu | |||
Suwon, Gyeonggi-Do 16419 | Suwon, Gyeonggi-Do 16419 | |||
Republic of Korea | Republic of Korea | |||
skipping to change at page 23, line 4 ¶ | skipping to change at page 22, line 39 ¶ | |||
EMail: shyun@chosun.ac.kr | EMail: shyun@chosun.ac.kr | |||
Tae-Jin Ahn | Tae-Jin Ahn | |||
Korea Telecom | Korea Telecom | |||
70 Yuseong-Ro, Yuseong-Gu | 70 Yuseong-Ro, Yuseong-Gu | |||
Daejeon 305-811 | Daejeon 305-811 | |||
Republic of Korea | Republic of Korea | |||
Phone: +82 42 870 8409 | Phone: +82 42 870 8409 | |||
EMail: taejin.ahn@kt.com | EMail: taejin.ahn@kt.com | |||
Susan Hares | Susan Hares | |||
Huawei | Huawei | |||
7453 Hickory Hill | 7453 Hickory Hill | |||
Saline, MI 48176 | Saline, MI 48176 | |||
USA | USA | |||
Phone: +1-734-604-0332 | Phone: +1-734-604-0332 | |||
EMail: shares@ndzh.com | EMail: shares@ndzh.com | |||
Diego R. Lopez | Diego R. Lopez | |||
Telefonica I+D | Telefonica I+D | |||
Jose Manuel Lara, 9 | Jose Manuel Lara, 9 | |||
Seville 41013 | Seville, 41013 | |||
Spain | Spain | |||
Phone: +34 682 051 091 | Phone: +34 682 051 091 | |||
EMail: diego.r.lopez@telefonica.com | EMail: diego.r.lopez@telefonica.com | |||
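Review bot: the Informative References on the -07 side are no longer sorted by anchor (RFC8329, RFC6020, RFC6241 and RFC8040 come first, the I2NSF drafts follow, and RFC7149, the ITU-T and ONF entries and the remaining RFCs are interleaved after them), whereas -06 listed them alphabetically; Appendix A nonetheless states that the only change from -06 is the added SHIELD acknowledgment. Either restore the alphabetical ordering so that the reference list diff collapses to the formatting change, or extend Appendix A to mention the reordering, since a reader checking the change log against this diff will otherwise find it incomplete.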
End of changes. 40 change blocks. | ||||
122 lines changed or deleted | 131 lines changed or added | |||
This html diff was produced by rfcdiff 1.47. The latest version is available from http://tools.ietf.org/tools/rfcdiff/ |