draft-ietf-i2nsf-applicability-12.txt   draft-ietf-i2nsf-applicability-13.txt 
I2NSF Working Group J. Jeong I2NSF Working Group J. Jeong
Internet-Draft Sungkyunkwan University Internet-Draft Sungkyunkwan University
Intended status: Informational S. Hyun Intended status: Informational S. Hyun
Expires: December 20, 2019 Chosun University Expires: December 24, 2019 Chosun University
T. Ahn T. Ahn
Korea Telecom Korea Telecom
S. Hares S. Hares
Huawei Huawei
D. Lopez D. Lopez
Telefonica I+D Telefonica I+D
June 18, 2019 June 22, 2019
Applicability of Interfaces to Network Security Functions to Network- Applicability of Interfaces to Network Security Functions to Network-
Based Security Services Based Security Services
draft-ietf-i2nsf-applicability-12 draft-ietf-i2nsf-applicability-13
Abstract Abstract
This document describes the applicability of Interface to Network This document describes the applicability of Interface to Network
Security Functions (I2NSF) to network-based security services in Security Functions (I2NSF) to network-based security services in
Network Functions Virtualization (NFV) environments, such as Network Functions Virtualization (NFV) environments, such as
firewall, deep packet inspection, or attack mitigation engines. firewall, deep packet inspection, or attack mitigation engines.
Status of This Memo Status of This Memo
skipping to change at page 1, line 41 skipping to change at page 1, line 41
Internet-Drafts are working documents of the Internet Engineering Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet- working documents as Internet-Drafts. The list of current Internet-
Drafts is at https://datatracker.ietf.org/drafts/current/. Drafts is at https://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress." material or to cite them other than as "work in progress."
This Internet-Draft will expire on December 20, 2019. This Internet-Draft will expire on December 24, 2019.
Copyright Notice Copyright Notice
Copyright (c) 2019 IETF Trust and the persons identified as the Copyright (c) 2019 IETF Trust and the persons identified as the
document authors. All rights reserved. document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents Provisions Relating to IETF Documents
(https://trustee.ietf.org/license-info) in effect on the date of (https://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents publication of this document. Please review these documents
skipping to change at page 2, line 29 skipping to change at page 2, line 29
6. I2NSF Framework with SDN . . . . . . . . . . . . . . . . . . 11 6. I2NSF Framework with SDN . . . . . . . . . . . . . . . . . . 11
6.1. Firewall: Centralized Firewall System . . . . . . . . . . 13 6.1. Firewall: Centralized Firewall System . . . . . . . . . . 13
6.2. Deep Packet Inspection: Centralized VoIP/VoLTE Security 6.2. Deep Packet Inspection: Centralized VoIP/VoLTE Security
System . . . . . . . . . . . . . . . . . . . . . . . . . 14 System . . . . . . . . . . . . . . . . . . . . . . . . . 14
6.3. Attack Mitigation: Centralized DDoS-attack Mitigation 6.3. Attack Mitigation: Centralized DDoS-attack Mitigation
System . . . . . . . . . . . . . . . . . . . . . . . . . 14 System . . . . . . . . . . . . . . . . . . . . . . . . . 14
7. I2NSF Framework with NFV . . . . . . . . . . . . . . . . . . 15 7. I2NSF Framework with NFV . . . . . . . . . . . . . . . . . . 15
8. Security Considerations . . . . . . . . . . . . . . . . . . . 17 8. Security Considerations . . . . . . . . . . . . . . . . . . . 17
9. Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . 18 9. Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . 18
10. Contributors . . . . . . . . . . . . . . . . . . . . . . . . 18 10. Contributors . . . . . . . . . . . . . . . . . . . . . . . . 18
11. References . . . . . . . . . . . . . . . . . . . . . . . . . 19 11. References . . . . . . . . . . . . . . . . . . . . . . . . . 18
11.1. Normative References . . . . . . . . . . . . . . . . . . 19 11.1. Normative References . . . . . . . . . . . . . . . . . . 18
11.2. Informative References . . . . . . . . . . . . . . . . . 20 11.2. Informative References . . . . . . . . . . . . . . . . . 20
Appendix A. Changes from draft-ietf-i2nsf-applicability-10 . . . 22 Appendix A. Changes from draft-ietf-i2nsf-applicability-12 . . . 22
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 22 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 22
1. Introduction 1. Introduction
Interface to Network Security Functions (I2NSF) defines a framework Interface to Network Security Functions (I2NSF) defines a framework
and interfaces for interacting with Network Security Functions and interfaces for interacting with Network Security Functions
(NSFs). Note that an NSF is defined as software that provides a set (NSFs). Note that an NSF is defined as software that provides a set
of security-related services, such as (i) detecting unwanted of security-related services, such as (i) detecting unwanted
activity, (ii) blocking or mitigating the effect of such unwanted activity, (ii) blocking or mitigating the effect of such unwanted
activity in order to fulfil service requirements, and (iii) activity in order to fulfil service requirements, and (iii)
skipping to change at page 5, line 47 skipping to change at page 5, line 47
security capabilities, and generates low-level security policies for security capabilities, and generates low-level security policies for
each of the NSFs so that the high-level security policies are each of the NSFs so that the high-level security policies are
eventually enforced by those NSFs [policy-translation]. Finally, the eventually enforced by those NSFs [policy-translation]. Finally, the
Security Controller sends the generated low-level security policies Security Controller sends the generated low-level security policies
to the NSFs via the NSF-Facing Interface [nsf-facing-inf-dm]. to the NSFs via the NSF-Facing Interface [nsf-facing-inf-dm].
As shown in Figure 1, with a Developer's Management System (called As shown in Figure 1, with a Developer's Management System (called
DMS), developers (or vendors) inform the Security Controller of the DMS), developers (or vendors) inform the Security Controller of the
capabilities of the NSFs through the Registration Interface capabilities of the NSFs through the Registration Interface
[registration-inf-dm] for registering (or deregistering) the [registration-inf-dm] for registering (or deregistering) the
corresponding NSFs. corresponding NSFs. Note that the lifecycle management of NSF code
from DMS (e.g., downloading of NSF modules and testing of NSF code)
is out of scope for I2NSF.
The Consumer-Facing Interface can be implemented with the Consumer- The Consumer-Facing Interface can be implemented with the Consumer-
Facing Interface YANG data model [consumer-facing-inf-dm] using Facing Interface YANG data model [consumer-facing-inf-dm] using
RESTCONF [RFC8040] which befits a web-based user interface for an RESTCONF [RFC8040] which befits a web-based user interface for an
I2NSF User to send a Security Controller a high-level security I2NSF User to send a Security Controller a high-level security
policy. Data models specified by YANG [RFC6020] describe high-level policy. Data models specified by YANG [RFC6020] describe high-level
security policies to be specified by an I2NSF User. The data model security policies to be specified by an I2NSF User. The data model
defined in [consumer-facing-inf-dm] can be used for the I2NSF defined in [consumer-facing-inf-dm] can be used for the I2NSF
Consumer-Facing Interface. Note that an inside attacker at the I2NSF Consumer-Facing Interface. Note that an inside attacker at the I2NSF
User can misuse the I2NSF system so that the network system under the User can misuse the I2NSF system so that the network system under the
I2NSF system is vulnerable to security attacks. To handle this type I2NSF system is vulnerable to security attacks. To handle this type
of threat, the Security Controller needs to monitor the activities of of threat, the Security Controller needs to monitor the activities of
all the I2NSF Users as well as the NSFs through the I2NSF NSF all the I2NSF Users as well as the NSFs through the I2NSF NSF
monitoring functionality [nsf-monitoring-dm]. Note that the monitoring functionality [nsf-monitoring-dm]. Note that the
monitoring of the I2NSF Users is out of scope of I2NSF. monitoring of the I2NSF Users is out of scope for I2NSF.
The NSF-Facing Interface can be implemented with the NSF-Facing The NSF-Facing Interface can be implemented with the NSF-Facing
Interface YANG data model [nsf-facing-inf-dm] using NETCONF [RFC6241] Interface YANG data model [nsf-facing-inf-dm] using NETCONF [RFC6241]
which befits a command-line-based remote-procedure call for a which befits a command-line-based remote-procedure call for a
Security Controller to configure an NSF with a low-level security Security Controller to configure an NSF with a low-level security
policy. Data models specified by YANG [RFC6020] describe low-level policy. Data models specified by YANG [RFC6020] describe low-level
security policies for the sake of NSFs, which are translated from the security policies for the sake of NSFs, which are translated from the
high-level security policies by the Security Controller. The data high-level security policies by the Security Controller. The data
model defined in [nsf-facing-inf-dm] can be used for the I2NSF NSF- model defined in [nsf-facing-inf-dm] can be used for the I2NSF NSF-
Facing Interface. Facing Interface.
skipping to change at page 16, line 22 skipping to change at page 16, line 22
infrastructure as show in Figure 5. infrastructure as show in Figure 5.
Figure 5 shows an I2NSF framework implementation based on the NFV Figure 5 shows an I2NSF framework implementation based on the NFV
reference architecture that the European Telecommunications Standards reference architecture that the European Telecommunications Standards
Institute (ETSI) defines [ETSI-NFV]. The NSFs are deployed as VNFs Institute (ETSI) defines [ETSI-NFV]. The NSFs are deployed as VNFs
in Figure 5. The Developer's Management System (DMS) in the I2NSF in Figure 5. The Developer's Management System (DMS) in the I2NSF
framework is responsible for registering capability information of framework is responsible for registering capability information of
NSFs into the Security Controller. However, those NSFs are created NSFs into the Security Controller. However, those NSFs are created
or removed by a virtual network function manager (VNFM) in the NFV or removed by a virtual network function manager (VNFM) in the NFV
MANO that performs the lifecycle management of VNFs. Note that the MANO that performs the lifecycle management of VNFs. Note that the
lifecycle management of VNFs is out of scope of I2NSF. The Security lifecycle management of VNFs is out of scope for I2NSF. The Security
Controller controls and monitors the configurations (e.g., function Controller controls and monitors the configurations (e.g., function
parameters and security policy rules) of VNFs via the NSF-Facing parameters and security policy rules) of VNFs via the NSF-Facing
Interface along with the NSF monitoring capability Interface along with the NSF monitoring capability
[nsf-facing-inf-dm][nsf-monitoring-dm]. Both the DMS and Security [nsf-facing-inf-dm][nsf-monitoring-dm]. Both the DMS and Security
Controller can be implemented as the Element Managements (EMs) in the Controller can be implemented as the Element Managements (EMs) in the
NFV architecture. Finally, the I2NSF User can be implemented as OSS/ NFV architecture. Finally, the I2NSF User can be implemented as OSS/
BSS (Operational Support Systems/Business Support Systems) in the NFV BSS (Operational Support Systems/Business Support Systems) in the NFV
architecture that provides interfaces for users in the NFV system. architecture that provides interfaces for users in the NFV system.
The operation procedure in the I2NSF framework based on the NFV The operation procedure in the I2NSF framework based on the NFV
skipping to change at page 17, line 33 skipping to change at page 17, line 33
Ve-Vnfm interface between the DMS and VNFM, as shown in Figure 5. Ve-Vnfm interface between the DMS and VNFM, as shown in Figure 5.
8. Security Considerations 8. Security Considerations
The same security considerations for the I2NSF framework [RFC8329] The same security considerations for the I2NSF framework [RFC8329]
are applicable to this document. are applicable to this document.
This document shares all the security issues of SDN that are This document shares all the security issues of SDN that are
specified in the "Security Considerations" section of [ITU-T.Y.3300]. specified in the "Security Considerations" section of [ITU-T.Y.3300].
Note that an inside attacker (or supply chain attacker) at the DMS The role of the DMS is to provide an I2NSF system with the software
can seriously weaken the I2NSF system's security. Note that a packages or images for NSF execution. The DMS must not access NSFs
malicious NSF provider (as a DMS) is relevant to an insider attack, in activated status. An inside attacker or a supply chain attacker
and a compromised NSF provider is relevant to a supply chain attack. at the DMS can seriously weaken the I2NSF system's security. A
Also, note that a malicious (or compromised) DMS sending the wrong malicious DMS is relevant to an insider attack, and a compromised DMS
NSF may not modify the original code of the NSF but may alter the is relevant to a supply chain attack. A malicious (or compromised)
sent NSF as an instant. As a result, a malicious (or compromised) DMS could register an NSF of its choice in response to a capability
DMS can attack the Security Controller by providing the Security request by the Security Controller. As a result, a malicious DMS can
Controller with malicious (or compromised) NSFs, and controlling attack the I2NSF system by providing malicious NSFs with arbitrary
those NSFs in real time. Also, an unwitting DMS vendor could be capabilities to include potentially controlling those NSFs in real
compromised and their infrastructure could be coerced into time. An unwitting DMS could be compromised and the infrastructure
distributing modified NSFs. To deal with these types of threats, the of the DMS could be coerced into distributing modified NSFs as well.
role of the DMS should be restricted to providing an I2NSF system
with the software package/image for NSF execution, and the DMS should To deal with these types of threats, an I2NSF system should not use
never be able to access NSFs in activated status for the I2NSF NSFs from an untrusted DMS or without prior testing. The practices
system's security. On the other hand, an access to active NSFs by which these packages are downloaded and loaded into the system are
should be allowed only to the Security Controller, not the DMS during out of scope for I2NSF.
the provisioning time of those NSFs to the I2NSF system. However,
note that an inside attacker (or supply chain attacker) can access I2NSF system operators should audit and monitor interactions with
the active NSFs, which are being executed as either VNFs or DMSs. Additionally, the operators should monitor the running NSFs
middleboxes in the I2NSF system, through a back door (i.e., an IP through the I2NSF NSF Monitoring Interface [nsf-monitoring-dm] as
address and a port number that are known to the DMS to control an part of the I2NSF NSF-Facing Interface. Note that the mechanics for
NSF). However, the Security Controller may detect and prevent those monitoring the DMSs are out of scope for I2NSF.
inside attacks (or supply chain attacks) by monitoring the activities
of all the DMSs as well as the NSFs through the I2NSF NSF Monitoring
Interface [nsf-monitoring-dm] as part of the I2NSF NSF-Facing
Interface. Through the NSF Monitoring Interface, the Security
Controller can monitor the activities and states of NSFs, and then
can make a diagnosis to see whether the NSFs are working in normal
conditions or in abnormal conditions including the insider threats
(or supply chain threats). Note that the monitoring of the DMSs is
out of scope of I2NSF. However, as a general caution, a mitigation
strategy for insider attacks and supply chain attacks is not to use
an NSF without prior testing for an automated security action in the
I2NSF system.
9. Acknowledgments 9. Acknowledgments
This work was supported by Institute for Information & communications This work was supported by Institute for Information & communications
Technology Promotion (IITP) grant funded by the Korea government Technology Promotion (IITP) grant funded by the Korea government
(MSIP) (No.R-20160222-002755, Cloud based Security Intelligence (MSIP) (No.R-20160222-002755, Cloud based Security Intelligence
Technology Development for the Customized Security Service Technology Development for the Customized Security Service
Provisioning). Provisioning).
This work has been partially supported by the European Commission This work has been partially supported by the European Commission
skipping to change at page 22, line 5 skipping to change at page 22, line 5
Hyun, S., Jeong, J., Roh, T., Wi, S., and J. Park, "I2NSF Hyun, S., Jeong, J., Roh, T., Wi, S., and J. Park, "I2NSF
Registration Interface YANG Data Model", draft-ietf-i2nsf- Registration Interface YANG Data Model", draft-ietf-i2nsf-
registration-interface-dm-04 (work in progress), June registration-interface-dm-04 (work in progress), June
2019. 2019.
[VNF-ONBOARDING] [VNF-ONBOARDING]
"VNF Onboarding", Available: "VNF Onboarding", Available:
https://wiki.opnfv.org/display/mano/VNF+Onboarding, https://wiki.opnfv.org/display/mano/VNF+Onboarding,
November 2016. November 2016.
Appendix A. Changes from draft-ietf-i2nsf-applicability-10 Appendix A. Changes from draft-ietf-i2nsf-applicability-12
The following changes have been made from draft-ietf-i2nsf- The following changes have been made from draft-ietf-i2nsf-
applicability-11: applicability-12:
o This version has reflected further questions and comments from o This version has reflected further questions and comments from
Roman Danyliw who is a Security Area Director. Roman Danyliw who is a Security Area Director.
o The security issues and discussion related to Developer's o In Section 3, it is mentioned that the lifecycle management of NSF
Management System (DMS) are moved to Section 8. The monitoring of code from Developer's Management System (DMS) is out of scope for
DMSs is out of scope of I2NSF. I2NSF.
o Some typos are corrected. o In Section 8, the security issues and discussion related to DMS
are refined.
Authors' Addresses Authors' Addresses
Jaehoon Paul Jeong Jaehoon Paul Jeong
Department of Computer Science and Engineering Department of Computer Science and Engineering
Sungkyunkwan University Sungkyunkwan University
2066 Seobu-Ro, Jangan-Gu 2066 Seobu-Ro, Jangan-Gu
Suwon, Gyeonggi-Do 16419 Suwon, Gyeonggi-Do 16419
Republic of Korea Republic of Korea
 End of changes. 14 change blocks. 
51 lines changed or deleted 42 lines changed or added

This html diff was produced by rfcdiff 1.47. The latest version is available from http://tools.ietf.org/tools/rfcdiff/