| draft-ietf-i2nsf-applicability-14.txt | draft-ietf-i2nsf-applicability-15.txt | |||
|---|---|---|---|---|
| I2NSF Working Group J. Jeong | I2NSF Working Group J. Jeong | |||
| Internet-Draft Sungkyunkwan University | Internet-Draft Sungkyunkwan University | |||
| Intended status: Informational S. Hyun | Intended status: Informational S. Hyun | |||
| Expires: January 21, 2020 Chosun University | Expires: January 25, 2020 Chosun University | |||
| T. Ahn | T. Ahn | |||
| Korea Telecom | Korea Telecom | |||
| S. Hares | S. Hares | |||
| Huawei | Huawei | |||
| D. Lopez | D. Lopez | |||
| Telefonica I+D | Telefonica I+D | |||
| July 20, 2019 | July 24, 2019 | |||
| Applicability of Interfaces to Network Security Functions to Network- | Applicability of Interfaces to Network Security Functions to Network- | |||
| Based Security Services | Based Security Services | |||
| draft-ietf-i2nsf-applicability-14 | draft-ietf-i2nsf-applicability-15 | |||
| Abstract | Abstract | |||
| This document describes the applicability of Interface to Network | This document describes the applicability of Interface to Network | |||
| Security Functions (I2NSF) to network-based security services in | Security Functions (I2NSF) to network-based security services in | |||
| Network Functions Virtualization (NFV) environments, such as | Network Functions Virtualization (NFV) environments, such as | |||
| firewall, deep packet inspection, or attack mitigation engines. | firewall, deep packet inspection, or attack mitigation engines. | |||
| Status of This Memo | Status of This Memo | |||
| skipping to change at page 1, line 41 ¶ | skipping to change at page 1, line 41 ¶ | |||
| Internet-Drafts are working documents of the Internet Engineering | Internet-Drafts are working documents of the Internet Engineering | |||
| Task Force (IETF). Note that other groups may also distribute | Task Force (IETF). Note that other groups may also distribute | |||
| working documents as Internet-Drafts. The list of current Internet- | working documents as Internet-Drafts. The list of current Internet- | |||
| Drafts is at https://datatracker.ietf.org/drafts/current/. | Drafts is at https://datatracker.ietf.org/drafts/current/. | |||
| Internet-Drafts are draft documents valid for a maximum of six months | Internet-Drafts are draft documents valid for a maximum of six months | |||
| and may be updated, replaced, or obsoleted by other documents at any | and may be updated, replaced, or obsoleted by other documents at any | |||
| time. It is inappropriate to use Internet-Drafts as reference | time. It is inappropriate to use Internet-Drafts as reference | |||
| material or to cite them other than as "work in progress." | material or to cite them other than as "work in progress." | |||
| This Internet-Draft will expire on January 21, 2020. | This Internet-Draft will expire on January 25, 2020. | |||
| Copyright Notice | Copyright Notice | |||
| Copyright (c) 2019 IETF Trust and the persons identified as the | Copyright (c) 2019 IETF Trust and the persons identified as the | |||
| document authors. All rights reserved. | document authors. All rights reserved. | |||
| This document is subject to BCP 78 and the IETF Trust's Legal | This document is subject to BCP 78 and the IETF Trust's Legal | |||
| Provisions Relating to IETF Documents | Provisions Relating to IETF Documents | |||
| (https://trustee.ietf.org/license-info) in effect on the date of | (https://trustee.ietf.org/license-info) in effect on the date of | |||
| publication of this document. Please review these documents | publication of this document. Please review these documents | |||
| skipping to change at page 2, line 32 ¶ | skipping to change at page 2, line 32 ¶ | |||
| System . . . . . . . . . . . . . . . . . . . . . . . . . 15 | System . . . . . . . . . . . . . . . . . . . . . . . . . 15 | |||
| 6.3. Attack Mitigation: Centralized DDoS-attack Mitigation | 6.3. Attack Mitigation: Centralized DDoS-attack Mitigation | |||
| System . . . . . . . . . . . . . . . . . . . . . . . . . 15 | System . . . . . . . . . . . . . . . . . . . . . . . . . 15 | |||
| 7. I2NSF Framework with NFV . . . . . . . . . . . . . . . . . . 16 | 7. I2NSF Framework with NFV . . . . . . . . . . . . . . . . . . 16 | |||
| 8. Security Considerations . . . . . . . . . . . . . . . . . . . 18 | 8. Security Considerations . . . . . . . . . . . . . . . . . . . 18 | |||
| 9. Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . 19 | 9. Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . 19 | |||
| 10. Contributors . . . . . . . . . . . . . . . . . . . . . . . . 19 | 10. Contributors . . . . . . . . . . . . . . . . . . . . . . . . 19 | |||
| 11. References . . . . . . . . . . . . . . . . . . . . . . . . . 19 | 11. References . . . . . . . . . . . . . . . . . . . . . . . . . 19 | |||
| 11.1. Normative References . . . . . . . . . . . . . . . . . . 19 | 11.1. Normative References . . . . . . . . . . . . . . . . . . 19 | |||
| 11.2. Informative References . . . . . . . . . . . . . . . . . 21 | 11.2. Informative References . . . . . . . . . . . . . . . . . 21 | |||
| Appendix A. Changes from draft-ietf-i2nsf-applicability-13 . . . 23 | Appendix A. Changes from draft-ietf-i2nsf-applicability-14 . . . 23 | |||
| Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 23 | Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 23 | |||
| 1. Introduction | 1. Introduction | |||
| Interface to Network Security Functions (I2NSF) defines a framework | Interface to Network Security Functions (I2NSF) defines a framework | |||
| and interfaces for interacting with Network Security Functions | and interfaces for interacting with Network Security Functions | |||
| (NSFs). Note that an NSF is defined as software that provides a set | (NSFs). Note that an NSF is defined as software that provides a set | |||
| of security-related services, such as (i) detecting unwanted | of security-related services, such as (i) detecting unwanted | |||
| activity, (ii) blocking or mitigating the effect of such unwanted | activity, (ii) blocking or mitigating the effect of such unwanted | |||
| activity in order to fulfil service requirements, and (iii) | activity in order to fulfil service requirements, and (iii) | |||
| skipping to change at page 9, line 9 ¶ | skipping to change at page 9, line 9 ¶ | |||
| Transport Layer Security (TLS) [RFC8446] or the HTTP protocol with | Transport Layer Security (TLS) [RFC8446] or the HTTP protocol with | |||
| TLS as HTTPS. The low-level security rules for web filter check that | TLS as HTTPS. The low-level security rules for web filter check that | |||
| the target URL field of a received packet is equal to example.com, or | the target URL field of a received packet is equal to example.com, or | |||
| that the destination IP address of a received packet is an IP address | that the destination IP address of a received packet is an IP address | |||
| corresponding to example.com. Note that if HTTPS is used for an | corresponding to example.com. Note that if HTTPS is used for an | |||
| HTTP-session packet, the HTTP protocol header is encrypted, so the | HTTP-session packet, the HTTP protocol header is encrypted, so the | |||
| URL information may not be seen from the packet for the web | URL information may not be seen from the packet for the web | |||
| filtering. Thus, the IP address(es) corresponding to the target URL | filtering. Thus, the IP address(es) corresponding to the target URL | |||
| needs to be obtained from the certificate in TLS versions prior to | needs to be obtained from the certificate in TLS versions prior to | |||
| 1.3 [RFC8446] or the Server Name Indication (SNI) in a TCP-session | 1.3 [RFC8446] or the Server Name Indication (SNI) in a TCP-session | |||
| packet in TLS. Also, to obtain IP address(es) corresponding to a | packet in TLS versions without the encrypted SNI [tls-esni]. Also, | |||
| target URL, the DNS name resolution process can be observed through a | to obtain IP address(es) corresponding to a target URL, the DNS name | |||
| packet capturing tool because the DNS name resolution will translate | resolution process can be observed through a packet capturing tool | |||
| the target URL into IP address(es). The IP addresses obtained | because the DNS name resolution will translate the target URL into IP | |||
| through either TLS or DNS can be used by both firewall and web filter | address(es). The IP addresses obtained through either TLS or DNS can | |||
| for whitelisting or blacklisting the TCP five-tuples of HTTP | be used by both firewall and web filter for whitelisting or | |||
| sessions. | blacklisting the TCP five-tuples of HTTP sessions. | |||
| Finally, the Security Controller sends the low-level security rules | Finally, the Security Controller sends the low-level security rules | |||
| of the IP address and port number inspection to the firewall NSF and | of the IP address and port number inspection to the firewall NSF and | |||
| the low-level rules for URL inspection to the web filter NSF. | the low-level rules for URL inspection to the web filter NSF. | |||
| The following describes how the time-dependent web access control | The following describes how the time-dependent web access control | |||
| service is enforced by the NSFs of firewall and web filter. | service is enforced by the NSFs of firewall and web filter. | |||
| 1. A staff member tries to access example.com during business hours, | 1. A staff member tries to access example.com during business hours, | |||
| e.g., 10 AM. | e.g., 10 AM. | |||
| skipping to change at page 19, line 10 ¶ | skipping to change at page 19, line 10 ¶ | |||
| out of scope for I2NSF. | out of scope for I2NSF. | |||
| I2NSF system operators should audit and monitor interactions with | I2NSF system operators should audit and monitor interactions with | |||
| DMSs. Additionally, the operators should monitor the running NSFs | DMSs. Additionally, the operators should monitor the running NSFs | |||
| through the I2NSF NSF Monitoring Interface [nsf-monitoring-dm] as | through the I2NSF NSF Monitoring Interface [nsf-monitoring-dm] as | |||
| part of the I2NSF NSF-Facing Interface. Note that the mechanics for | part of the I2NSF NSF-Facing Interface. Note that the mechanics for | |||
| monitoring the DMSs are out of scope for I2NSF. | monitoring the DMSs are out of scope for I2NSF. | |||
| 9. Acknowledgments | 9. Acknowledgments | |||
| This work was supported by Institute for Information & communications | This work was supported by Institute of Information & Communications | |||
| Technology Promotion (IITP) grant funded by the Korea government | Technology Planning & Evaluation (IITP) grant funded by the Korea | |||
| (MSIP) (No.R-20160222-002755, Cloud based Security Intelligence | MSIT (Ministry of Science and ICT) (R-20160222-002755, Cloud based | |||
| Technology Development for the Customized Security Service | Security Intelligence Technology Development for the Customized | |||
| Provisioning). | Security Service Provisioning). | |||
| This work has been partially supported by the European Commission | This work has been partially supported by the European Commission | |||
| under Horizon 2020 grant agreement no. 700199 "Securing against | under Horizon 2020 grant agreement no. 700199 "Securing against | |||
| intruders and other threats through a NFV-enabled environment | intruders and other threats through a NFV-enabled environment | |||
| (SHIELD)". This support does not imply endorsement. | (SHIELD)". This support does not imply endorsement. | |||
| 10. Contributors | 10. Contributors | |||
| I2NSF is a group effort. I2NSF has had a number of contributing | I2NSF is a group effort. I2NSF has had a number of contributing | |||
| authors. The following are considered co-authors: | authors. The following are considered co-authors: | |||
| skipping to change at page 21, line 18 ¶ | skipping to change at page 21, line 18 ¶ | |||
| 11.2. Informative References | 11.2. Informative References | |||
| [AVANT-GUARD] | [AVANT-GUARD] | |||
| Shin, S., Yegneswaran, V., Porras, P., and G. Gu, "AVANT- | Shin, S., Yegneswaran, V., Porras, P., and G. Gu, "AVANT- | |||
| GUARD: Scalable and Vigilant Switch Flow Management in | GUARD: Scalable and Vigilant Switch Flow Management in | |||
| Software-Defined Networks", ACM CCS, November 2013. | Software-Defined Networks", ACM CCS, November 2013. | |||
| [consumer-facing-inf-dm] | [consumer-facing-inf-dm] | |||
| Jeong, J., Kim, E., Ahn, T., Kumar, R., and S. Hares, | Jeong, J., Kim, E., Ahn, T., Kumar, R., and S. Hares, | |||
| "I2NSF Consumer-Facing Interface YANG Data Model", draft- | "I2NSF Consumer-Facing Interface YANG Data Model", draft- | |||
| ietf-i2nsf-consumer-facing-interface-dm-05 (work in | ietf-i2nsf-consumer-facing-interface-dm-06 (work in | |||
| progress), June 2019. | progress), July 2019. | |||
| [ETSI-NFV-MANO] | [ETSI-NFV-MANO] | |||
| "Network Functions Virtualisation (NFV); Management and | "Network Functions Virtualisation (NFV); Management and | |||
| Orchestration", Available: | Orchestration", Available: | |||
| https://www.etsi.org/deliver/etsi_gs/nfv- | https://www.etsi.org/deliver/etsi_gs/nfv- | |||
| man/001_099/001/01.01.01_60/gs_nfv-man001v010101p.pdf, | man/001_099/001/01.01.01_60/gs_nfv-man001v010101p.pdf, | |||
| December 2014. | December 2014. | |||
| [i2nsf-terminology] | [i2nsf-terminology] | |||
| Hares, S., Strassner, J., Lopez, D., Xia, L., and H. | Hares, S., Strassner, J., Lopez, D., Xia, L., and H. | |||
| Birkholz, "Interface to Network Security Functions (I2NSF) | Birkholz, "Interface to Network Security Functions (I2NSF) | |||
| Terminology", draft-ietf-i2nsf-terminology-07 (work in | Terminology", draft-ietf-i2nsf-terminology-08 (work in | |||
| progress), January 2019. | progress), July 2019. | |||
| [ITU-T.X.800] | [ITU-T.X.800] | |||
| "Security Architecture for Open Systems Interconnection | "Security Architecture for Open Systems Interconnection | |||
| for CCITT Applications", March 1991. | for CCITT Applications", March 1991. | |||
| [nsf-facing-inf-dm] | [nsf-facing-inf-dm] | |||
| Kim, J., Jeong, J., Park, J., Hares, S., and Q. Lin, | Kim, J., Jeong, J., Park, J., Hares, S., and Q. Lin, | |||
| "I2NSF Network Security Function-Facing Interface YANG | "I2NSF Network Security Function-Facing Interface YANG | |||
| Data Model", draft-ietf-i2nsf-nsf-facing-interface-dm-06 | Data Model", draft-ietf-i2nsf-nsf-facing-interface-dm-07 | |||
| (work in progress), June 2019. | (work in progress), July 2019. | |||
| [nsf-monitoring-dm] | [nsf-monitoring-dm] | |||
| Jeong, J., Chung, C., Hares, S., Xia, L., and H. Birkholz, | Jeong, J., Chung, C., Hares, S., Xia, L., and H. Birkholz, | |||
| "I2NSF NSF Monitoring YANG Data Model", draft-ietf-i2nsf- | "I2NSF NSF Monitoring YANG Data Model", draft-ietf-i2nsf- | |||
| nsf-monitoring-data-model-00 (work in progress), March | nsf-monitoring-data-model-01 (work in progress), July | |||
| 2019. | 2019. | |||
| [opsawg-firewalls] | [opsawg-firewalls] | |||
| Baker, F. and P. Hoffman, "On Firewalls in Internet | Baker, F. and P. Hoffman, "On Firewalls in Internet | |||
| Security", draft-ietf-opsawg-firewalls-01 (work in | Security", draft-ietf-opsawg-firewalls-01 (work in | |||
| progress), October 2012. | progress), October 2012. | |||
| [policy-translation] | [policy-translation] | |||
| Yang, J., Jeong, J., and J. Kim, "Security Policy | Jeong, J., Yang, J., Chung, C., and J. Kim, "Security | |||
| Translation in Interface to Network Security Functions", | Policy Translation in Interface to Network Security | |||
| draft-yang-i2nsf-security-policy-translation-03 (work in | Functions", draft-yang-i2nsf-security-policy- | |||
| progress), March 2019. | translation-04 (work in progress), July 2019. | |||
| [registration-inf-dm] | [registration-inf-dm] | |||
| Hyun, S., Jeong, J., Roh, T., Wi, S., and J. Park, "I2NSF | Hyun, S., Jeong, J., Roh, T., Wi, S., and J. Park, "I2NSF | |||
| Registration Interface YANG Data Model", draft-ietf-i2nsf- | Registration Interface YANG Data Model", draft-ietf-i2nsf- | |||
| registration-interface-dm-04 (work in progress), June | registration-interface-dm-05 (work in progress), July | |||
| 2019. | 2019. | |||
| [tls-esni] | ||||
| Rescorla, E., Oku, K., Sullivan, N., and C. Wood, | ||||
| "Encrypted Server Name Indication for TLS 1.3", draft- | ||||
| ietf-tls-esni-04 (work in progress), July 2019. | ||||
| [VNF-ONBOARDING] | [VNF-ONBOARDING] | |||
| "VNF Onboarding", Available: | "VNF Onboarding", Available: | |||
| https://wiki.opnfv.org/display/mano/VNF+Onboarding, | https://wiki.opnfv.org/display/mano/VNF+Onboarding, | |||
| November 2016. | November 2016. | |||
| Appendix A. Changes from draft-ietf-i2nsf-applicability-13 | Appendix A. Changes from draft-ietf-i2nsf-applicability-14 | |||
| The following changes have been made from draft-ietf-i2nsf- | The following changes have been made from draft-ietf-i2nsf- | |||
| applicability-13: | applicability-14: | |||
| o This version has reflected comments from Tommy Pauly who is a | ||||
| member of the Transport Area Review Team (TSVART). | ||||
| o In Section 4, the discussion is added to explain how to handle | ||||
| HTTP-session packets using TLS in web filtering. | ||||
| o Some editorial comments are reflected. | o In Section 4, to handle HTTP-session packets using TLS in web | |||
| filtering, it is clarified that the Server Name Indication (SNI) | ||||
| can be used to detect a website's URL if the SNI field is not | ||||
| encryped in TLS versions without the encrypted SNI. | ||||
| Authors' Addresses | Authors' Addresses | |||
| Jaehoon Paul Jeong | Jaehoon Paul Jeong | |||
| Department of Computer Science and Engineering | Department of Computer Science and Engineering | |||
| Sungkyunkwan University | Sungkyunkwan University | |||
| 2066 Seobu-Ro, Jangan-Gu | 2066 Seobu-Ro, Jangan-Gu | |||
| Suwon, Gyeonggi-Do 16419 | Suwon, Gyeonggi-Do 16419 | |||
| Republic of Korea | Republic of Korea | |||
| End of changes. 17 change blocks. | ||||
| 38 lines changed or deleted | 40 lines changed or added | |||
This html diff was produced by rfcdiff 1.47. The latest version is available from http://tools.ietf.org/tools/rfcdiff/ | ||||