| draft-ietf-i2nsf-applicability-11.txt | draft-ietf-i2nsf-applicability-12.txt | |||
|---|---|---|---|---|
| I2NSF Working Group J. Jeong | I2NSF Working Group J. Jeong | |||
| Internet-Draft Sungkyunkwan University | Internet-Draft Sungkyunkwan University | |||
| Intended status: Informational S. Hyun | Intended status: Informational S. Hyun | |||
| Expires: November 17, 2019 Chosun University | Expires: December 20, 2019 Chosun University | |||
| T. Ahn | T. Ahn | |||
| Korea Telecom | Korea Telecom | |||
| S. Hares | S. Hares | |||
| Huawei | Huawei | |||
| D. Lopez | D. Lopez | |||
| Telefonica I+D | Telefonica I+D | |||
| May 16, 2019 | June 18, 2019 | |||
| Applicability of Interfaces to Network Security Functions to Network- | Applicability of Interfaces to Network Security Functions to Network- | |||
| Based Security Services | Based Security Services | |||
| draft-ietf-i2nsf-applicability-11 | draft-ietf-i2nsf-applicability-12 | |||
| Abstract | Abstract | |||
| This document describes the applicability of Interface to Network | This document describes the applicability of Interface to Network | |||
| Security Functions (I2NSF) to network-based security services in | Security Functions (I2NSF) to network-based security services in | |||
| Network Functions Virtualization (NFV) environments, such as | Network Functions Virtualization (NFV) environments, such as | |||
| firewall, deep packet inspection, or attack mitigation engines. | firewall, deep packet inspection, or attack mitigation engines. | |||
| Status of This Memo | Status of This Memo | |||
| skipping to change at page 1, line 41 ¶ | skipping to change at page 1, line 41 ¶ | |||
| Internet-Drafts are working documents of the Internet Engineering | Internet-Drafts are working documents of the Internet Engineering | |||
| Task Force (IETF). Note that other groups may also distribute | Task Force (IETF). Note that other groups may also distribute | |||
| working documents as Internet-Drafts. The list of current Internet- | working documents as Internet-Drafts. The list of current Internet- | |||
| Drafts is at https://datatracker.ietf.org/drafts/current/. | Drafts is at https://datatracker.ietf.org/drafts/current/. | |||
| Internet-Drafts are draft documents valid for a maximum of six months | Internet-Drafts are draft documents valid for a maximum of six months | |||
| and may be updated, replaced, or obsoleted by other documents at any | and may be updated, replaced, or obsoleted by other documents at any | |||
| time. It is inappropriate to use Internet-Drafts as reference | time. It is inappropriate to use Internet-Drafts as reference | |||
| material or to cite them other than as "work in progress." | material or to cite them other than as "work in progress." | |||
| This Internet-Draft will expire on November 17, 2019. | This Internet-Draft will expire on December 20, 2019. | |||
| Copyright Notice | Copyright Notice | |||
| Copyright (c) 2019 IETF Trust and the persons identified as the | Copyright (c) 2019 IETF Trust and the persons identified as the | |||
| document authors. All rights reserved. | document authors. All rights reserved. | |||
| This document is subject to BCP 78 and the IETF Trust's Legal | This document is subject to BCP 78 and the IETF Trust's Legal | |||
| Provisions Relating to IETF Documents | Provisions Relating to IETF Documents | |||
| (https://trustee.ietf.org/license-info) in effect on the date of | (https://trustee.ietf.org/license-info) in effect on the date of | |||
| publication of this document. Please review these documents | publication of this document. Please review these documents | |||
| skipping to change at page 2, line 17 ¶ | skipping to change at page 2, line 17 ¶ | |||
| to this document. Code Components extracted from this document must | to this document. Code Components extracted from this document must | |||
| include Simplified BSD License text as described in Section 4.e of | include Simplified BSD License text as described in Section 4.e of | |||
| the Trust Legal Provisions and are provided without warranty as | the Trust Legal Provisions and are provided without warranty as | |||
| described in the Simplified BSD License. | described in the Simplified BSD License. | |||
| Table of Contents | Table of Contents | |||
| 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2 | 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2 | |||
| 2. Terminology . . . . . . . . . . . . . . . . . . . . . . . . . 3 | 2. Terminology . . . . . . . . . . . . . . . . . . . . . . . . . 3 | |||
| 3. I2NSF Framework . . . . . . . . . . . . . . . . . . . . . . . 5 | 3. I2NSF Framework . . . . . . . . . . . . . . . . . . . . . . . 5 | |||
| 4. Time-dependent Web Access Control Service . . . . . . . . . . 7 | 4. Time-dependent Web Access Control Service . . . . . . . . . . 6 | |||
| 5. I2NSF Framework with SFC . . . . . . . . . . . . . . . . . . 10 | 5. I2NSF Framework with SFC . . . . . . . . . . . . . . . . . . 9 | |||
| 6. I2NSF Framework with SDN . . . . . . . . . . . . . . . . . . 12 | 6. I2NSF Framework with SDN . . . . . . . . . . . . . . . . . . 11 | |||
| 6.1. Firewall: Centralized Firewall System . . . . . . . . . . 15 | 6.1. Firewall: Centralized Firewall System . . . . . . . . . . 13 | |||
| 6.2. Deep Packet Inspection: Centralized VoIP/VoLTE Security | 6.2. Deep Packet Inspection: Centralized VoIP/VoLTE Security | |||
| System . . . . . . . . . . . . . . . . . . . . . . . . . 15 | System . . . . . . . . . . . . . . . . . . . . . . . . . 14 | |||
| 6.3. Attack Mitigation: Centralized DDoS-attack Mitigation | 6.3. Attack Mitigation: Centralized DDoS-attack Mitigation | |||
| System . . . . . . . . . . . . . . . . . . . . . . . . . 15 | System . . . . . . . . . . . . . . . . . . . . . . . . . 14 | |||
| 7. I2NSF Framework with NFV . . . . . . . . . . . . . . . . . . 17 | 7. I2NSF Framework with NFV . . . . . . . . . . . . . . . . . . 15 | |||
| 8. Security Considerations . . . . . . . . . . . . . . . . . . . 19 | 8. Security Considerations . . . . . . . . . . . . . . . . . . . 17 | |||
| 9. Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . 19 | 9. Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . 18 | |||
| 10. Contributors . . . . . . . . . . . . . . . . . . . . . . . . 19 | 10. Contributors . . . . . . . . . . . . . . . . . . . . . . . . 18 | |||
| 11. References . . . . . . . . . . . . . . . . . . . . . . . . . 20 | 11. References . . . . . . . . . . . . . . . . . . . . . . . . . 19 | |||
| 11.1. Normative References . . . . . . . . . . . . . . . . . . 20 | 11.1. Normative References . . . . . . . . . . . . . . . . . . 19 | |||
| 11.2. Informative References . . . . . . . . . . . . . . . . . 21 | 11.2. Informative References . . . . . . . . . . . . . . . . . 20 | |||
| Appendix A. Changes from draft-ietf-i2nsf-applicability-10 . . . 23 | Appendix A. Changes from draft-ietf-i2nsf-applicability-10 . . . 22 | |||
| Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 23 | Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 22 | |||
| 1. Introduction | 1. Introduction | |||
| Interface to Network Security Functions (I2NSF) defines a framework | Interface to Network Security Functions (I2NSF) defines a framework | |||
| and interfaces for interacting with Network Security Functions | and interfaces for interacting with Network Security Functions | |||
| (NSFs). Note that an NSF is defined as software that provides a set | (NSFs). Note that an NSF is defined as software that provides a set | |||
| of security-related services, such as (i) detecting unwanted | of security-related services, such as (i) detecting unwanted | |||
| activity, (ii) blocking or mitigating the effect of such unwanted | activity, (ii) blocking or mitigating the effect of such unwanted | |||
| activity in order to fulfil service requirements, and (iii) | activity in order to fulfil service requirements, and (iii) | |||
| supporting communication stream integrity and confidentiality | supporting communication stream integrity and confidentiality | |||
| [i2nsf-terminology]. | [i2nsf-terminology]. | |||
| The I2NSF framework allows heterogeneous NSFs developed by different | The I2NSF framework allows heterogeneous NSFs developed by different | |||
| security solution vendors to be used in the Network Functions | security solution vendors to be used in the Network Functions | |||
| Virtualization (NFV) environment [ETSI-NFV] by utilizing the | Virtualization (NFV) environment [ETSI-NFV] by utilizing the | |||
| capabilities of such NSFs through I2NSF interfaces such as Customer- | capabilities of such NSFs through I2NSF interfaces such as Customer- | |||
| Facing Interface [consumer-facing-inf-dm] and NSF-Facing Interface | Facing Interface [consumer-facing-inf-dm] and NSF-Facing Interface | |||
| [nsf-facing-inf-dm]. In the I2NSF framework, each NSF initially | [nsf-facing-inf-dm]. In the I2NSF framework, each NSF initially | |||
| registers the profile of its own capabilities into the Security | registers the profile of its own capabilities with the Security | |||
| Controller (i.e., network operator management system [RFC8329]) in | Controller (i.e., network operator management system [RFC8329]) of | |||
| the I2NSF system via Registration Interface [registration-inf-dm] so | the I2NSF system via the Registration Interface | |||
| that each NSF can be selected and used to enforce a given security | [registration-inf-dm]. This registration enables an I2NSF User | |||
| policy from I2NSF User (i.e., network security administrator). Note | (i.e., network security administrator) to select and use the NSF to | |||
| that Developer's Management System (DMS) is management software that | enforce a given security policy. Note that Developer's Management | |||
| provides a vendor's security service software as a Virtual Network | System (DMS) is management software that provides a vendor's security | |||
| Function (VNF) in an NFV environment (or middlebox in the legacy | service software as a Virtual Network Function (VNF) in an NFV | |||
| network) as an NSF, and registers the capabilities of an NSF into | environment (or middlebox in the legacy network) as an NSF, and | |||
| Security Controller via Registration Interface for a security service | registers the capabilities of an NSF into Security Controller via | |||
| [RFC8329]. | Registration Interface for a security service [RFC8329]. | |||
| Security Controller is defined as a management component that | Security Controller maintains the mapping between a capability and an | |||
| contains control plane functions to manage NSFs and facilitate | NSF, so it can perform to translate a high-level security policy | |||
| information sharing among other components (e.g., NSFs and I2NSF | received from I2NSF User to a low-level security policy configured | |||
| User) in an I2NSF system [i2nsf-terminology]. Security Controller | and enforced in an NSF [policy-translation]. Security Controller can | |||
| maintains the mapping between a capability and an NSF, so it can | monitor the states and security attacks in NSFs through NSF | |||
| perform to translate a high-level security policy received from I2NSF | monitoring [nsf-monitoring-dm]. | |||
| User to a low-level security policy configured and enforced in an NSF | ||||
| [policy-translation]. Security Controller can monitor the states and | ||||
| security attacks in NSFs through NSF monitoring [nsf-monitoring-dm]. | ||||
| This document illustrates the applicability of the I2NSF framework | This document illustrates the applicability of the I2NSF framework | |||
| with four different scenarios: | with four different scenarios: | |||
| 1. The enforcement of time-dependent web access control. | 1. The enforcement of time-dependent web access control. | |||
| 2. The application of I2NSF to a Service Function Chaining (SFC) | 2. The application of I2NSF to a Service Function Chaining (SFC) | |||
| environment [RFC7665]. | environment [RFC7665]. | |||
| 3. The integration of the I2NSF framework with Software-Defined | 3. The integration of the I2NSF framework with Software-Defined | |||
| skipping to change at page 5, line 51 ¶ | skipping to change at page 5, line 47 ¶ | |||
| security capabilities, and generates low-level security policies for | security capabilities, and generates low-level security policies for | |||
| each of the NSFs so that the high-level security policies are | each of the NSFs so that the high-level security policies are | |||
| eventually enforced by those NSFs [policy-translation]. Finally, the | eventually enforced by those NSFs [policy-translation]. Finally, the | |||
| Security Controller sends the generated low-level security policies | Security Controller sends the generated low-level security policies | |||
| to the NSFs via the NSF-Facing Interface [nsf-facing-inf-dm]. | to the NSFs via the NSF-Facing Interface [nsf-facing-inf-dm]. | |||
| As shown in Figure 1, with a Developer's Management System (called | As shown in Figure 1, with a Developer's Management System (called | |||
| DMS), developers (or vendors) inform the Security Controller of the | DMS), developers (or vendors) inform the Security Controller of the | |||
| capabilities of the NSFs through the Registration Interface | capabilities of the NSFs through the Registration Interface | |||
| [registration-inf-dm] for registering (or deregistering) the | [registration-inf-dm] for registering (or deregistering) the | |||
| corresponding NSFs. Note that an inside attacker at the DMS can | corresponding NSFs. | |||
| seriously weaken the I2NSF system's security. That is, DMS can be | ||||
| compromised to attack the Security Controller by providing the | ||||
| Security Controller with malicious NSFs, and controlling those NSFs | ||||
| in real time. To deal with this type of threat, the role of the DMS | ||||
| should be restricted to providing an I2NSF system with the software | ||||
| package/image for NSF execution, and the DMS should never be able to | ||||
| access NSFs in online/activated status for the I2NSF system's | ||||
| security. On the other hand, an access to active NSFs should be | ||||
| allowed only to the Security Controller, not the DMS during the | ||||
| provisioning time of those NSFs to the I2NSF system. However, note | ||||
| that an inside attacker can access the active NSFs, which are being | ||||
| executed as either VNFs or middleboxes in the I2NSF system, through a | ||||
| back door (i.e., an IP address and a port number that are known to | ||||
| the DMS to control an NSF). However, the Security Controller can | ||||
| detect and prevent inside attacks by monitoring the activities of all | ||||
| the DMSs as well as the NSFs through the I2NSF NSF monitoring | ||||
| functionality [nsf-monitoring-dm]. Through the NSF monitoring, the | ||||
| Security Controller can monitor the activities and states of NSFs, | ||||
| and then can make a diagnosis to see whether the NSFs are working in | ||||
| normal conditions or in abnormal conditions including the insider | ||||
| threat. Note that the monitoring of the DMSs is out of scope for | ||||
| I2NSF. | ||||
| The Consumer-Facing Interface can be implemented as an XML file based | The Consumer-Facing Interface can be implemented with the Consumer- | |||
| on the Consumer-Facing Interface data model [consumer-facing-inf-dm] | Facing Interface YANG data model [consumer-facing-inf-dm] using | |||
| along with RESTCONF [RFC8040], which befits a web-based user | RESTCONF [RFC8040] which befits a web-based user interface for an | |||
| interface for an I2NSF User to send a Security Controller a high- | I2NSF User to send a Security Controller a high-level security | |||
| level security policy. Data models specified by YANG [RFC6020] | policy. Data models specified by YANG [RFC6020] describe high-level | |||
| describe high-level security policies to be specified by an I2NSF | security policies to be specified by an I2NSF User. The data model | |||
| User. The data model defined in [consumer-facing-inf-dm] can be used | defined in [consumer-facing-inf-dm] can be used for the I2NSF | |||
| for the I2NSF Consumer-Facing Interface. Note that an inside | Consumer-Facing Interface. Note that an inside attacker at the I2NSF | |||
| attacker at the I2NSF User can misuse the I2NSF system so that the | User can misuse the I2NSF system so that the network system under the | |||
| network system under the I2NSF system is vulnerable to security | I2NSF system is vulnerable to security attacks. To handle this type | |||
| attacks. To handle this type of threat, the Security Controller | of threat, the Security Controller needs to monitor the activities of | |||
| needs to monitor the activities of all the I2NSF Users as well as the | all the I2NSF Users as well as the NSFs through the I2NSF NSF | |||
| NSFs through the I2NSF NSF monitoring functionality | monitoring functionality [nsf-monitoring-dm]. Note that the | |||
| [nsf-monitoring-dm]. Note that the monitoring of the I2NSF Users is | monitoring of the I2NSF Users is out of scope of I2NSF. | |||
| out of scope for I2NSF. | ||||
| The NSF-Facing Interface can be implemented as an XML file based on | The NSF-Facing Interface can be implemented with the NSF-Facing | |||
| the NSF-Facing Interface YANG data model [nsf-facing-inf-dm] along | Interface YANG data model [nsf-facing-inf-dm] using NETCONF [RFC6241] | |||
| with NETCONF [RFC6241], which befits a command-line-based remote- | which befits a command-line-based remote-procedure call for a | |||
| procedure call for a Security Controller to configure an NSF with a | Security Controller to configure an NSF with a low-level security | |||
| low-level security policy. Data models specified by YANG [RFC6020] | policy. Data models specified by YANG [RFC6020] describe low-level | |||
| describe low-level security policies for the sake of NSFs, which are | security policies for the sake of NSFs, which are translated from the | |||
| translated from the high-level security policies by the Security | high-level security policies by the Security Controller. The data | |||
| Controller. The data model defined in [nsf-facing-inf-dm] can be | model defined in [nsf-facing-inf-dm] can be used for the I2NSF NSF- | |||
| used for the I2NSF NSF-Facing Interface. | Facing Interface. | |||
| The Registration Interface can be implemented as an XML file based on | The Registration Interface can be implemented with the Registration | |||
| the Registration Interface YANG data model [registration-inf-dm] | Interface YANG data model [registration-inf-dm] using NETCONF | |||
| along with NETCONF [RFC6241], which befits a command-line-based | [RFC6241] which befits a command-line-based remote-procedure call for | |||
| remote-procedure call for a DMS to send a Security Controller an | a DMS to send a Security Controller an NSF's capability information. | |||
| NSF's capability information. Data models specified by YANG | Data models specified by YANG [RFC6020] describe the registration of | |||
| [RFC6020] describe the registration of an NSF's capabilities to | an NSF's capabilities to enforce security services at the NSF. The | |||
| enforce security services at the NSF. The data model defined in | data model defined in [registration-inf-dm] can be used for the I2NSF | |||
| [registration-inf-dm] can be used for the I2NSF Registration | Registration Interface. | |||
| Interface. | ||||
| Also, the I2NSF framework can enforce multiple chained NSFs for the | The I2NSF framework can chain multiple NSFs to implement low-level | |||
| low-level security policies by means of SFC techniques for the I2NSF | security policies with the SFC architecture [RFC7665]. | |||
| architecture [RFC7665]. | ||||
| The following sections describe different security service scenarios | The following sections describe different security service scenarios | |||
| illustrating the applicability of the I2NSF framework. | illustrating the applicability of the I2NSF framework. | |||
| 4. Time-dependent Web Access Control Service | 4. Time-dependent Web Access Control Service | |||
| This service scenario assumes that an enterprise network | This service scenario assumes that an enterprise network | |||
| administrator wants to control the staff members' access to a | administrator wants to control the staff members' access to a | |||
| particular Internet service (e.g., Example.com) during business | particular Internet service (e.g., Example.com) during business | |||
| hours. The following is an example high-level security policy rule | hours. The following is an example high-level security policy rule | |||
| skipping to change at page 9, line 9 ¶ | skipping to change at page 8, line 9 ¶ | |||
| After receiving the high-level security policy, the Security | After receiving the high-level security policy, the Security | |||
| Controller identifies required security capabilities, e.g., IP | Controller identifies required security capabilities, e.g., IP | |||
| address and port number inspection capabilities and URL inspection | address and port number inspection capabilities and URL inspection | |||
| capability. In this scenario, it is assumed that the IP address and | capability. In this scenario, it is assumed that the IP address and | |||
| port number inspection capabilities are required to check whether a | port number inspection capabilities are required to check whether a | |||
| received packet is an HTTP packet from a staff member. The URL | received packet is an HTTP packet from a staff member. The URL | |||
| inspection capability is required to check whether the target URL of | inspection capability is required to check whether the target URL of | |||
| a received packet is in the Example.com domain or not. | a received packet is in the Example.com domain or not. | |||
| The Security Controller maintains the security capabilities of each | The Security Controller maintains the security capabilities of each | |||
| NSF running in the I2NSF system, which have been reported by the | active NSF in the I2NSF system, which have been reported by the | |||
| Developer's Management System via the Registration interface. Based | Developer's Management System via the Registration interface. Based | |||
| on this information, the Security Controller identifies NSFs that can | on this information, the Security Controller identifies NSFs that can | |||
| perform the IP address and port number inspection and URL inspection | perform the IP address and port number inspection and URL inspection | |||
| [policy-translation]. In this scenario, it is assumed that a | [policy-translation]. In this scenario, it is assumed that a | |||
| firewall NSF has the IP address and port number inspection | firewall NSF has the IP address and port number inspection | |||
| capabilities and a web filter NSF has URL inspection capability. | capabilities and a web filter NSF has URL inspection capability. | |||
| The Security Controller generates low-level security rules for the | The Security Controller generates low-level security rules for the | |||
| NSFs to perform IP address and port number inspection, URL | NSFs to perform IP address and port number inspection, URL | |||
| inspection, and time checking. Specifically, the Security Controller | inspection, and time checking. Specifically, the Security Controller | |||
| skipping to change at page 9, line 47 ¶ | skipping to change at page 8, line 47 ¶ | |||
| 1. A staff member tries to access Example.com during business hours, | 1. A staff member tries to access Example.com during business hours, | |||
| e.g., 10 AM. | e.g., 10 AM. | |||
| 2. The packet is forwarded from the staff member's device to the | 2. The packet is forwarded from the staff member's device to the | |||
| firewall, and the firewall checks the source IP address and port | firewall, and the firewall checks the source IP address and port | |||
| number. Now the firewall identifies the received packet is an | number. Now the firewall identifies the received packet is an | |||
| HTTP packet from the staff member. | HTTP packet from the staff member. | |||
| 3. The firewall triggers the web filter to further inspect the | 3. The firewall triggers the web filter to further inspect the | |||
| packet, and the packet is forwarded from the firewall to the web | packet, and the packet is forwarded from the firewall to the web | |||
| filter. SFC technology can be utilized to support such packet | filter. The SFC architecture [RFC7665] can be utilized to | |||
| forwarding in the I2NSF framework [RFC7665]. | support such packet forwarding in the I2NSF framework. | |||
| 4. The web filter checks the target URL field of the received | 4. The web filter checks the target URL field of the received | |||
| packet, and realizes the packet is toward Example.com. The web | packet, and realizes the packet is toward Example.com. The web | |||
| filter then checks that the current time is in business hours. | filter then checks that the current time is in business hours. | |||
| If so, the web filter drops the packet, and consequently the | If so, the web filter drops the packet, and consequently the | |||
| staff member's access to Example.com during business hours is | staff member's access to Example.com during business hours is | |||
| blocked. | blocked. | |||
| +------------+ | +------------+ | |||
| | I2NSF User | | | I2NSF User | | |||
| skipping to change at page 11, line 31 ¶ | skipping to change at page 10, line 31 ¶ | |||
| with the classification rules over NSF-Facing Interface so that | with the classification rules over NSF-Facing Interface so that | |||
| relevant traffic packets can follow the SFPs. Also, based on the | relevant traffic packets can follow the SFPs. Also, based on the | |||
| global view of NSF instances available in the system, the Security | global view of NSF instances available in the system, the Security | |||
| Controller constructs forwarding tables, which are required for SFFs | Controller constructs forwarding tables, which are required for SFFs | |||
| to forward a given packet to the next NSF over the SFP, and | to forward a given packet to the next NSF over the SFP, and | |||
| configures SFFs with those forwarding tables over NSF-Facing | configures SFFs with those forwarding tables over NSF-Facing | |||
| Interface. | Interface. | |||
| To trigger an advanced security action in the I2NSF architecture, the | To trigger an advanced security action in the I2NSF architecture, the | |||
| current NSF appends metadata describing the security capability | current NSF appends metadata describing the security capability | |||
| required for the advanced action to the suspicious packet to the | required to the suspicious packet via a network service header (NSH) | |||
| network service header (NSH) of the packet [RFC8300]. It then sends | [RFC8300]. It then sends the packet to the classifier. Based on the | |||
| the packet to the classifier. Based on the metadata information, the | metadata information, the classifier searches an SFP which includes | |||
| classifier searches an SFP which includes an NSF with the required | an NSF with the required security capability, changes the SFP-related | |||
| security capability, changes the SFP-related information (e.g., | information (e.g., service path identifier and service index | |||
| service path identifier and service index [RFC8300]) of the packet | [RFC8300]) of the packet with the new SFP that has been found, and | |||
| with the new SFP that has been found, and then forwards the packet to | then forwards the packet to the SFF. When receiving the packet, the | |||
| the SFF. When receiving the packet, the SFF checks the SFP-related | SFF checks the SFP-related information such as the service path | |||
| information such as the service path identifier and service index | identifier and service index contained in the packet and forwards the | |||
| contained in the packet and forwards the packet to the next NSF on | packet to the next NSF on the SFP of the packet, according to its | |||
| the SFP of the packet, according to its forwarding table. | forwarding table. | |||
| +------------+ | +------------+ | |||
| | I2NSF User | | | I2NSF User | | |||
| +------------+ | +------------+ | |||
| ^ | ^ | |||
| | Consumer-Facing Interface | | Consumer-Facing Interface | |||
| v | v | |||
| +-------------------+ Registration +-----------------------+ | +-------------------+ Registration +-----------------------+ | |||
| |Security Controller|<-------------------->|Developer's Mgmt System| | |Security Controller|<-------------------->|Developer's Mgmt System| | |||
| +-------------------+ Interface +-----------------------+ | +-------------------+ Interface +-----------------------+ | |||
| skipping to change at page 13, line 14 ¶ | skipping to change at page 12, line 14 ¶ | |||
| both SDN forwarding elements and a firewall NSF is more efficient | both SDN forwarding elements and a firewall NSF is more efficient | |||
| than a firewall where SDN forwarding elements forward all the packets | than a firewall where SDN forwarding elements forward all the packets | |||
| to a firewall NSF for packet filtering. This is because packets to | to a firewall NSF for packet filtering. This is because packets to | |||
| be filtered out can be early dropped by SDN forwarding elements | be filtered out can be early dropped by SDN forwarding elements | |||
| without consuming further network bandwidth due to the forwarding of | without consuming further network bandwidth due to the forwarding of | |||
| the packets to the firewall NSF. | the packets to the firewall NSF. | |||
| Figure 4 shows an I2NSF framework [RFC8329] with SDN networks to | Figure 4 shows an I2NSF framework [RFC8329] with SDN networks to | |||
| support network-based security services. In this system, the | support network-based security services. In this system, the | |||
| enforcement of security policy rules is divided into the SDN | enforcement of security policy rules is divided into the SDN | |||
| forwarding elements (e.g., switch running as either a hardware middle | forwarding elements (e.g., a switch running as either a hardware | |||
| box or a software virtual switch) and NSFs (e.g., firewall running in | middle box or a software virtual switch) and NSFs (e.g., a firewall | |||
| a form of a virtual network function (VNF) [ETSI-NFV]). Note that | running in a form of a VNF [ETSI-NFV]). Note that NSFs are created | |||
| NSFs are created or removed by the NFV Management and Orchestration | or removed by the NFV Management and Orchestration (MANO) | |||
| (MANO) [ETSI-NFV-MANO], performing the life-cycle management of NSFs | [ETSI-NFV-MANO], performing the lifecycle management of NSFs as VNFs. | |||
| as VNFs. Refer to Section 7 for the detailed discussion of the NSF | Refer to Section 7 for the detailed discussion of the NSF lifecycle | |||
| life-cycle management in the NFV MANO for I2NSF. SDN forwarding | management in the NFV MANO for I2NSF. For security policy | |||
| elements enforce simple packet filtering rules that can be translated | enforcement (e.g., packet filtering), the Security Controller | |||
| into their packet forwarding rules, whereas NSFs enforce complicated | instructs the SDN Controller via NSF-Facing Interface so that SDN | |||
| NSF-related security rules requiring the security capabilities of the | forwarding elements can perform the required security services with | |||
| NSFs. Note that SDN packet forwarding rules are for packet | flow tables under the supervision of the SDN Controller. | |||
| forwarding or filtering by flow table entries at SDN forwarding | ||||
| elements, and NSF rules are for security enforcement at NSFs (e.g., | ||||
| firewall). Thus, simple firewall rules can be enforced by SDN packet | ||||
| forwarding rules at SDN forwarding elements (e.g., switches). For | ||||
| the tasks for security enforcement (e.g., packet filtering), the | ||||
| Security Controller instructs the SDN Controller via NSF-Facing | ||||
| Interface so that SDN forwarding elements can perform the required | ||||
| security services with flow tables under the supervision of the SDN | ||||
| Controller. | ||||
| As an example, let us consider two different types of security rules: | As an example, let us consider two different types of security rules: | |||
| Rule A is a simple packet filtering rule that checks only the IP | Rule A is a simple packet filtering rule that checks only the IP | |||
| address and port number of a given packet, whereas rule B is a time- | address and port number of a given packet, whereas rule B is a time- | |||
| consuming packet inspection rule for analyzing whether an attached | consuming packet inspection rule for analyzing whether an attached | |||
| file being transmitted over a flow of packets contains malware. Rule | file being transmitted over a flow of packets contains malware. Rule | |||
| A can be translated into packet forwarding rules of SDN forwarding | A can be translated into packet forwarding rules of SDN forwarding | |||
| elements and thus be enforced by these elements. In contrast, rule B | elements and thus be enforced by these elements. In contrast, rule B | |||
| cannot be enforced by forwarding elements, but it has to be enforced | cannot be enforced by forwarding elements, but it has to be enforced | |||
| by NSFs with anti-malware capability. Specifically, a flow of | by NSFs with anti-malware capability. Specifically, a flow of | |||
| skipping to change at page 14, line 15 ¶ | skipping to change at page 13, line 6 ¶ | |||
| rules requires security capabilities that can be provided by SDN | rules requires security capabilities that can be provided by SDN | |||
| forwarding elements, then the Security Controller instructs the SDN | forwarding elements, then the Security Controller instructs the SDN | |||
| Controller via NSF-Facing Interface so that SDN forwarding elements | Controller via NSF-Facing Interface so that SDN forwarding elements | |||
| can enforce those security policy rules with flow tables under the | can enforce those security policy rules with flow tables under the | |||
| supervision of the SDN Controller. Or if some rules require security | supervision of the SDN Controller. Or if some rules require security | |||
| capabilities that cannot be provided by SDN forwarding elements but | capabilities that cannot be provided by SDN forwarding elements but | |||
| by NSFs, then the Security Controller instructs relevant NSFs to | by NSFs, then the Security Controller instructs relevant NSFs to | |||
| enforce those rules. | enforce those rules. | |||
| The distinction between software-based SDN forwarding elements and | The distinction between software-based SDN forwarding elements and | |||
| NSFs, which can both run as virtual network functions (VNFs), may be | NSFs, which can both run as VNFs, may be necessary for some | |||
| necessary for some management purposes in this system. Note that an | management purposes in this system. Note that an SDN forwarding | |||
| SDN forwarding element (i.e., switch) is a specific type of VNF | element (i.e., switch) is a specific type of VNF rather than an NSF | |||
| rather than an NSF because an NSF is for security services rather | because an NSF is for security services rather than for packet | |||
| than for packet forwarding. For this distinction, we can take | forwarding. For this distinction, we can take advantage of the NFV | |||
| advantage of the NFV MANO where there is a subsystem that maintains | MANO where there is a subsystem that maintains the descriptions of | |||
| the descriptions of the capabilities each VNF can offer | the capabilities each VNF can offer [ETSI-NFV-MANO]. This subsystem | |||
| [ETSI-NFV-MANO]. This subsystem can determine whether a given | can determine whether a given software element (VNF instance) is an | |||
| software element (VNF instance) is an NSF or a virtualized SDN | NSF or a virtualized SDN switch. For example, if a VNF instance has | |||
| switch. For example, if a VNF instance has anti-malware capability | anti-malware capability according to the description of the VNF, it | |||
| according to the description of the VNF, it could be considered as an | could be considered as an NSF. A VNF onboarding system | |||
| NSF. A VNF onboarding system [VNF-ONBOARDING] can be used as such a | [VNF-ONBOARDING] can be used as such a subsystem that maintains the | |||
| subsystem that maintains the descriptions of each VNF to tell whether | descriptions of each VNF to tell whether a VNF instance is for an NSF | |||
| a VNF instance is for an NSF or for a virtualized SDN switch. | or for a virtualized SDN switch. | |||
| For the support of SFC in the I2NSF framework with SDN, as shown in | For the support of SFC in the I2NSF framework with SDN, as shown in | |||
| Figure 4, network forwarding elements (e.g., switch) can play the | Figure 4, network forwarding elements (e.g., switch) can play the | |||
| role of either SFC Classifier or SFF, which are explained in | role of either SFC Classifier or SFF, which are explained in | |||
| Section 5. Classifier and SFF have an NSF-Facing Interface with | Section 5. Classifier and SFF have an NSF-Facing Interface with | |||
| Security Controller. This interface is used to update security | Security Controller. This interface is used to update security | |||
| service function chaining information for traffic flows. For | service function chaining information for traffic flows. For | |||
| example, when it needs to update an SFP for a traffic flow in an SDN | example, when it needs to update an SFP for a traffic flow in an SDN | |||
| network, as shown in Figure 4, SFF (denoted as Switch-3) asks | network, as shown in Figure 4, SFF (denoted as Switch-3) asks | |||
| Security Controller to update the SFP for the traffic flow (needing | Security Controller to update the SFP for the traffic flow (needing | |||
| skipping to change at page 18, line 16 ¶ | skipping to change at page 16, line 16 ¶ | |||
| to rapidly and flexibly respond to the amount of service requests by | to rapidly and flexibly respond to the amount of service requests by | |||
| dynamically increasing or decreasing the number of NSF instances. | dynamically increasing or decreasing the number of NSF instances. | |||
| Moreover, NFV technology facilitates flexibly including or excluding | Moreover, NFV technology facilitates flexibly including or excluding | |||
| NSFs from multiple security solution vendors according to the changes | NSFs from multiple security solution vendors according to the changes | |||
| on security requirements. In order to take advantages of the NFV | on security requirements. In order to take advantages of the NFV | |||
| technology, the I2NSF framework can be implemented on top of an NFV | technology, the I2NSF framework can be implemented on top of an NFV | |||
| infrastructure as show in Figure 5. | infrastructure as show in Figure 5. | |||
| Figure 5 shows an I2NSF framework implementation based on the NFV | Figure 5 shows an I2NSF framework implementation based on the NFV | |||
| reference architecture that the European Telecommunications Standards | reference architecture that the European Telecommunications Standards | |||
| Institute (ETSI) defines [ETSI-NFV]. The NSFs are deployed as | Institute (ETSI) defines [ETSI-NFV]. The NSFs are deployed as VNFs | |||
| virtual network functions (VNFs) in Figure 5. The Developer's | in Figure 5. The Developer's Management System (DMS) in the I2NSF | |||
| Management System (DMS) in the I2NSF framework is responsible for | framework is responsible for registering capability information of | |||
| registering capability information of NSFs into the Security | NSFs into the Security Controller. However, those NSFs are created | |||
| Controller. However, those NSFs are created or removed by a virtual | or removed by a virtual network function manager (VNFM) in the NFV | |||
| network functions manager (VNFM) in the NFV MANO that performs the | MANO that performs the lifecycle management of VNFs. Note that the | |||
| life-cycle management of VNFs. Note that the life-cycle management | lifecycle management of VNFs is out of scope of I2NSF. The Security | |||
| of VNFs are out of scope for I2NSF. The Security Controller controls | Controller controls and monitors the configurations (e.g., function | |||
| and monitors the configurations (e.g., function parameters and | parameters and security policy rules) of VNFs via the NSF-Facing | |||
| security policy rules) of VNFs via NSF-Facing Interface along with | Interface along with the NSF monitoring capability | |||
| NSF monitoring capability [nsf-facing-inf-dm][nsf-monitoring-dm]. | [nsf-facing-inf-dm][nsf-monitoring-dm]. Both the DMS and Security | |||
| Both the DMS and Security Controller can be implemented as the | Controller can be implemented as the Element Managements (EMs) in the | |||
| Element Managements (EMs) in the NFV architecture. Finally, the | NFV architecture. Finally, the I2NSF User can be implemented as OSS/ | |||
| I2NSF User can be implemented as OSS/BSS (Operational Support | BSS (Operational Support Systems/Business Support Systems) in the NFV | |||
| Systems/Business Support Systems) in the NFV architecture that | architecture that provides interfaces for users in the NFV system. | |||
| provides interfaces for users in the NFV system. | ||||
| The operation procedure in the I2NSF framework based on the NFV | The operation procedure in the I2NSF framework based on the NFV | |||
| architecture is as follows: | architecture is as follows: | |||
| 1. The VNFM has a set of virtual machine (VM) images of NSFs, and | 1. The VNFM has a set of virtual machine (VM) images of NSFs, and | |||
| each VM image can be used to create an NSF instance that provides | each VM image can be used to create an NSF instance that provides | |||
| a set of security capabilities. The DMS initially registers a | a set of security capabilities. The DMS initially registers a | |||
| mapping table of the ID of each VM image and the set of | mapping table of the ID of each VM image and the set of | |||
| capabilities that can be provided by an NSF instance created from | capabilities that can be provided by an NSF instance created from | |||
| the VM image into the Security Controller. | the VM image into the Security Controller. | |||
| skipping to change at page 19, line 33 ¶ | skipping to change at page 17, line 33 ¶ | |||
| Ve-Vnfm interface between the DMS and VNFM, as shown in Figure 5. | Ve-Vnfm interface between the DMS and VNFM, as shown in Figure 5. | |||
| 8. Security Considerations | 8. Security Considerations | |||
| The same security considerations for the I2NSF framework [RFC8329] | The same security considerations for the I2NSF framework [RFC8329] | |||
| are applicable to this document. | are applicable to this document. | |||
| This document shares all the security issues of SDN that are | This document shares all the security issues of SDN that are | |||
| specified in the "Security Considerations" section of [ITU-T.Y.3300]. | specified in the "Security Considerations" section of [ITU-T.Y.3300]. | |||
| Note that an inside attacker (or supply chain attacker) at the DMS | ||||
| can seriously weaken the I2NSF system's security. Note that a | ||||
| malicious NSF provider (as a DMS) is relevant to an insider attack, | ||||
| and a compromised NSF provider is relevant to a supply chain attack. | ||||
| Also, note that a malicious (or compromised) DMS sending the wrong | ||||
| NSF may not modify the original code of the NSF but may alter the | ||||
| sent NSF as an instant. As a result, a malicious (or compromised) | ||||
| DMS can attack the Security Controller by providing the Security | ||||
| Controller with malicious (or compromised) NSFs, and controlling | ||||
| those NSFs in real time. Also, an unwitting DMS vendor could be | ||||
| compromised and their infrastructure could be coerced into | ||||
| distributing modified NSFs. To deal with these types of threats, the | ||||
| role of the DMS should be restricted to providing an I2NSF system | ||||
| with the software package/image for NSF execution, and the DMS should | ||||
| never be able to access NSFs in activated status for the I2NSF | ||||
| system's security. On the other hand, an access to active NSFs | ||||
| should be allowed only to the Security Controller, not the DMS during | ||||
| the provisioning time of those NSFs to the I2NSF system. However, | ||||
| note that an inside attacker (or supply chain attacker) can access | ||||
| the active NSFs, which are being executed as either VNFs or | ||||
| middleboxes in the I2NSF system, through a back door (i.e., an IP | ||||
| address and a port number that are known to the DMS to control an | ||||
| NSF). However, the Security Controller may detect and prevent those | ||||
| inside attacks (or supply chain attacks) by monitoring the activities | ||||
| of all the DMSs as well as the NSFs through the I2NSF NSF Monitoring | ||||
| Interface [nsf-monitoring-dm] as part of the I2NSF NSF-Facing | ||||
| Interface. Through the NSF Monitoring Interface, the Security | ||||
| Controller can monitor the activities and states of NSFs, and then | ||||
| can make a diagnosis to see whether the NSFs are working in normal | ||||
| conditions or in abnormal conditions including the insider threats | ||||
| (or supply chain threats). Note that the monitoring of the DMSs is | ||||
| out of scope of I2NSF. However, as a general caution, a mitigation | ||||
| strategy for insider attacks and supply chain attacks is not to use | ||||
| an NSF without prior testing for an automated security action in the | ||||
| I2NSF system. | ||||
| 9. Acknowledgments | 9. Acknowledgments | |||
| This work was supported by Institute for Information & communications | This work was supported by Institute for Information & communications | |||
| Technology Promotion (IITP) grant funded by the Korea government | Technology Promotion (IITP) grant funded by the Korea government | |||
| (MSIP) (No.R-20160222-002755, Cloud based Security Intelligence | (MSIP) (No.R-20160222-002755, Cloud based Security Intelligence | |||
| Technology Development for the Customized Security Service | Technology Development for the Customized Security Service | |||
| Provisioning). | Provisioning). | |||
| This work has been partially supported by the European Commission | This work has been partially supported by the European Commission | |||
| under Horizon 2020 grant agreement no. 700199 "Securing against | under Horizon 2020 grant agreement no. 700199 "Securing against | |||
| skipping to change at page 21, line 37 ¶ | skipping to change at page 20, line 27 ¶ | |||
| 11.2. Informative References | 11.2. Informative References | |||
| [AVANT-GUARD] | [AVANT-GUARD] | |||
| Shin, S., Yegneswaran, V., Porras, P., and G. Gu, "AVANT- | Shin, S., Yegneswaran, V., Porras, P., and G. Gu, "AVANT- | |||
| GUARD: Scalable and Vigilant Switch Flow Management in | GUARD: Scalable and Vigilant Switch Flow Management in | |||
| Software-Defined Networks", ACM CCS, November 2013. | Software-Defined Networks", ACM CCS, November 2013. | |||
| [consumer-facing-inf-dm] | [consumer-facing-inf-dm] | |||
| Jeong, J., Kim, E., Ahn, T., Kumar, R., and S. Hares, | Jeong, J., Kim, E., Ahn, T., Kumar, R., and S. Hares, | |||
| "I2NSF Consumer-Facing Interface YANG Data Model", draft- | "I2NSF Consumer-Facing Interface YANG Data Model", draft- | |||
| ietf-i2nsf-consumer-facing-interface-dm-04 (work in | ietf-i2nsf-consumer-facing-interface-dm-05 (work in | |||
| progress), April 2019. | progress), June 2019. | |||
| [ETSI-NFV-MANO] | [ETSI-NFV-MANO] | |||
| "Network Functions Virtualisation (NFV); Management and | "Network Functions Virtualisation (NFV); Management and | |||
| Orchestration", Available: | Orchestration", Available: | |||
| https://www.etsi.org/deliver/etsi_gs/nfv- | https://www.etsi.org/deliver/etsi_gs/nfv- | |||
| man/001_099/001/01.01.01_60/gs_nfv-man001v010101p.pdf, | man/001_099/001/01.01.01_60/gs_nfv-man001v010101p.pdf, | |||
| December 2014. | December 2014. | |||
| [i2nsf-terminology] | [i2nsf-terminology] | |||
| Hares, S., Strassner, J., Lopez, D., Xia, L., and H. | Hares, S., Strassner, J., Lopez, D., Xia, L., and H. | |||
| skipping to change at page 22, line 12 ¶ | skipping to change at page 20, line 50 ¶ | |||
| Terminology", draft-ietf-i2nsf-terminology-07 (work in | Terminology", draft-ietf-i2nsf-terminology-07 (work in | |||
| progress), January 2019. | progress), January 2019. | |||
| [ITU-T.X.800] | [ITU-T.X.800] | |||
| "Security Architecture for Open Systems Interconnection | "Security Architecture for Open Systems Interconnection | |||
| for CCITT Applications", March 1991. | for CCITT Applications", March 1991. | |||
| [nsf-facing-inf-dm] | [nsf-facing-inf-dm] | |||
| Kim, J., Jeong, J., Park, J., Hares, S., and Q. Lin, | Kim, J., Jeong, J., Park, J., Hares, S., and Q. Lin, | |||
| "I2NSF Network Security Function-Facing Interface YANG | "I2NSF Network Security Function-Facing Interface YANG | |||
| Data Model", draft-ietf-i2nsf-nsf-facing-interface-dm-05 | Data Model", draft-ietf-i2nsf-nsf-facing-interface-dm-06 | |||
| (work in progress), March 2019. | (work in progress), June 2019. | |||
| [nsf-monitoring-dm] | [nsf-monitoring-dm] | |||
| Jeong, J., Chung, C., Hares, S., Xia, L., and H. Birkholz, | Jeong, J., Chung, C., Hares, S., Xia, L., and H. Birkholz, | |||
| "I2NSF NSF Monitoring YANG Data Model", draft-ietf-i2nsf- | "I2NSF NSF Monitoring YANG Data Model", draft-ietf-i2nsf- | |||
| nsf-monitoring-data-model-00 (work in progress), March | nsf-monitoring-data-model-00 (work in progress), March | |||
| 2019. | 2019. | |||
| [opsawg-firewalls] | [opsawg-firewalls] | |||
| Baker, F. and P. Hoffman, "On Firewalls in Internet | Baker, F. and P. Hoffman, "On Firewalls in Internet | |||
| Security", draft-ietf-opsawg-firewalls-01 (work in | Security", draft-ietf-opsawg-firewalls-01 (work in | |||
| skipping to change at page 22, line 35 ¶ | skipping to change at page 21, line 25 ¶ | |||
| [policy-translation] | [policy-translation] | |||
| Yang, J., Jeong, J., and J. Kim, "Security Policy | Yang, J., Jeong, J., and J. Kim, "Security Policy | |||
| Translation in Interface to Network Security Functions", | Translation in Interface to Network Security Functions", | |||
| draft-yang-i2nsf-security-policy-translation-03 (work in | draft-yang-i2nsf-security-policy-translation-03 (work in | |||
| progress), March 2019. | progress), March 2019. | |||
| [registration-inf-dm] | [registration-inf-dm] | |||
| Hyun, S., Jeong, J., Roh, T., Wi, S., and J. Park, "I2NSF | Hyun, S., Jeong, J., Roh, T., Wi, S., and J. Park, "I2NSF | |||
| Registration Interface YANG Data Model", draft-ietf-i2nsf- | Registration Interface YANG Data Model", draft-ietf-i2nsf- | |||
| registration-interface-dm-03 (work in progress), March | registration-interface-dm-04 (work in progress), June | |||
| 2019. | 2019. | |||
| [VNF-ONBOARDING] | [VNF-ONBOARDING] | |||
| "VNF Onboarding", Available: | "VNF Onboarding", Available: | |||
| https://wiki.opnfv.org/display/mano/VNF+Onboarding, | https://wiki.opnfv.org/display/mano/VNF+Onboarding, | |||
| November 2016. | November 2016. | |||
| Appendix A. Changes from draft-ietf-i2nsf-applicability-10 | Appendix A. Changes from draft-ietf-i2nsf-applicability-10 | |||
| The following changes have been made from draft-ietf-i2nsf- | The following changes have been made from draft-ietf-i2nsf- | |||
| applicability-10: | applicability-11: | |||
| o In Section 1, "Network Security Function (NSF)" is replaced with | o This version has reflected further questions and comments from | |||
| "an NSF" because the abbreviation of "Network Security Function" | Roman Danyliw who is a Security Area Director. | |||
| is defined as "NSF" in the previous sentence. | ||||
| o In Section 2, a typo in "funcional block" is corrected as | o The security issues and discussion related to Developer's | |||
| "functional block". | Management System (DMS) are moved to Section 8. The monitoring of | |||
| DMSs is out of scope of I2NSF. | ||||
| o Some typos are corrected. | ||||
| Authors' Addresses | Authors' Addresses | |||
| Jaehoon Paul Jeong | Jaehoon Paul Jeong | |||
| Department of Software | Department of Computer Science and Engineering | |||
| Sungkyunkwan University | Sungkyunkwan University | |||
| 2066 Seobu-Ro, Jangan-Gu | 2066 Seobu-Ro, Jangan-Gu | |||
| Suwon, Gyeonggi-Do 16419 | Suwon, Gyeonggi-Do 16419 | |||
| Republic of Korea | Republic of Korea | |||
| Phone: +82 31 299 4957 | Phone: +82 31 299 4957 | |||
| Fax: +82 31 290 7996 | Fax: +82 31 290 7996 | |||
| EMail: pauljeong@skku.edu | EMail: pauljeong@skku.edu | |||
| URI: http://iotlab.skku.edu/people-jaehoon-jeong.php | URI: http://iotlab.skku.edu/people-jaehoon-jeong.php | |||
| End of changes. 28 change blocks. | ||||
| 174 lines changed or deleted | 174 lines changed or added | |||
This html diff was produced by rfcdiff 1.47. The latest version is available from http://tools.ietf.org/tools/rfcdiff/ | ||||