Re: [I2nsf] Request for Comments on I2NSF Security Policy Translation

["Mr. Jaehoon Paul Jeong" <jaehoon.paul@gmail.com>]

Hi Linda and I2NSF WG,
I attach an example figure for Figure 2, which is Data Extractor's DFA.

Thanks.

Paul

On Thu, Aug 9, 2018 at 1:13 PM, Mr. Jaehoon Paul Jeong <
jaehoon.paul@gmail.com> wrote:

> Hi Linda,
> Thanks for your good comments and suggestions.
> Here are our answers.
>
> - Does it depend on the completion of https://datatracker.ietf.org/
> doc/draft-ietf-i2nsf-consumer-facing-interface-dm/ ?
>
> => I would say "No". Our Policy Translation Design can accommodate the
> revision of Consumer-Facing Interface Data Model (DM). That is, our draft
> proposes the design and implementation of a security policy translator that
> gets the revised Consumer-Facing Interface DM as input, so our document
> does not depend on the completion of Consumer-Facing Interface DM
> document.
>
> -----
> - Figure 2: What does the <tag m> mean in the figure? How it is relevant
> to Policy Translation?
>
> => Figure 2 describes the architecture of Extractor, extracting data in an
> input high-level policy.
> <tag m> represent a field in an XML file based on the Consumer-Facing
> Interface DM, such as rule name, condition, and action.
> For example, assume that a high-level policy is generated as follows:
>
> <I2NSF>
>     <rule-name>block_web</rule-name>
>     <condition>
>         <src>Son's_PC</src>
>         <dest>malicious</dest>
>     </condition>
>     <action>drop</action>
> </I2NSF>
>
> Then we can construct the Extractor for a high-level policy as follows:
>
> If you input a high-level policy, Deterministic Finite Automaton (DFA) can
> easily extract all of data by transitting between states.
> It starts from the Accepter state. For a given high-level policy, DFA
> reads the first tag called <I2NSF>, and it transits to the middle state.
> Next, it reads the second tag called <rule-name>, and then moves to the
> extractor state. When it arrives at the extractor state, it means that
> there are data to extract. In this way, DFA can easily extract the data of
> rule name called "block_web".
> Then, it reads the tag called </rule-name>, and then goes back to the
> previous middle state. By repeating this process, we can extract all of
> data from the high-level policy. Finally, DFA will come back to the
> accepter state.
>
> -----
> - Section 4.4: Context-free Grammar based policy generator. How to link
> the description in this section to the actual policy? Possible to give an
> example?
>
> => Here is an example for Section 4.4. Let's assume that we have data for
> generating a low-level policy as follows:
> block_web (rule-name), [10.0.0.1, 10.0.0.3] (IPv4 address list), [
> www.porno.com, www.malicious.com] (content list), drop (action).
>
> Then, we can construct the Generator by using a Context-Free Grammar
> (CFG). "[]" means the non-terminal factor.
>
> First, Structure Productions are used for grouping other tags:
>
>  [policy] -> <I2NSF>[rule-name][rules]</I2NSF>  ... (1)
>
>  [rules] -> <rules>[condition][payload][action]</rules> ... (2)
>
>  [condition] -> <condition>[packet-condition]</condition>  ... (3)
>
>  [packet-condition] -> <packet-condition>[ipv4]</packet-condition>  ...
> (4)
>
>  [payload] -> <payload>[content]</payload>  ... (5)
>
> Second, Content Productions are used for injecting data in tags:
>
>  [rule-name] -> <rule-name>[rule-name-data]</rule-name>  ... (6)
>
>  [rule-name-data] -> block_web  ... (7)
>
>  [ipv4] -> [ipv4][ipv4]      (to allow duplication)   ... (8)
>
>  [ipv4] -> <ipv4>[ipv4-data]</ipv4>   ... (9)
>
>  [ipv4-data] -> 10.0.0.1 | 10.0.0.3   ... (10)
>
>  [content] -> [content][content]    (to allow duplication)    ... (11)
>
>  [content] -> <content>[content-data]</content>    ... (12)
>
>  [content-data] -> www.porno.com | www.malicious.com    ... (13)
>
>  [action] -> <action>[action-data]<action>    ... (14)
>
>  [action-data] -> drop    ... (15)
>
> Let's follow the example of the CFG. We should derive [policy] into a
> detailed policy rule's description while there is no non-terminal factor
> as follows:
>
> [policy] -> <I2NSF>[rule-name][rules]</I2NSF>   ( by production (1) )
>
>  -> <I2NSF> <rule-name> [rule-name-data] </rule-name> [rules] </I2NSF>  (
> by production (6) )
>
>  -> <I2NSF> <rule-name> block_web </rule-name> [rules] </I2NSF>  ( by
> production (7) )
>
>  -> <I2NSF> <rule-name> block_web </rule-name>  <rules> [condition]
> [payload] [action] </rules> </I2NSF>   ( by production (2) )
>
>  -> ...
>
> Finally, with our translator, we can generate a low-level policy
> corresponding to a given high-level policy as follows:
>
> <I2NSF>
>     <rule-name>block_web</rule-name>
>     <rules>
>         <condition>
>             <packet-condition>
>                 <ipv4>10.0.0.1</ipv4>
>                 <ipv4>10.0.0.3</ipv4>
>             </packet-condition>
>         </condition>
>         <payload>
>             <content>www.porno.com</content>
>             <content>www.malicious.com</content>
>         </payload>
>         <action>drop</action>
>     </rules>
> </I2NSF>
>
> Generator can easily be constructed based on NSF-Facing Interface Data
> Model. Also, Generator can easily make low-level policies, which are
> compatible with NSF-Facing Interface Data Model, from the converted data.
>
> -----
> Some minor issues will be resolved according to your comments:
>
> Section 3 last paragraph: Is it a typo? “programming languates”?
> -> "programming languages"
>
> Section 4: Please provide the full name for the acronym of XSLT
> (Extensible Stylesheet language Transformation?).
> -> XSLT stands for "Extensible Stylesheet Language Transformations".
>
> Section 4 first paragraph:  Do you mean “this document describes a policy
> translator based on Automata theory” for the following sentence?
> -> “this document proposes a policy translator based on Automata theory”
>
> -----
> We will revise our draft with the above comments and answers this month.
>
> Thanks.
>
> Best Regards,
> Paul and Jinhyuk
>
> On Wed, Aug 8, 2018 at 7:31 AM, Linda Dunbar <linda.dunbar@huawei.com>
> wrote:
>
>> Paul,
>>
>>
>>
>> I see the draft kind of like a reference design of the I2NSF Controller
>> “from Consumer Facing policy to  NSF facing policy”. I agree that “translator
>> design provides big benefits to I2NSF Framework”.
>>
>>
>>
>> Some Questions:
>>
>> -        Does it depend on the completion of
>> https://datatracker.ietf.org/doc/draft-ietf-i2nsf-consumer-f
>> acing-interface-dm/ ?
>>
>> -        Figure 2: What does the <tag m> mean in the figure? How it is
>> relevant to Policy Translation?
>>
>> -        Section 4.4: Context-free Grammar based policy generator. How
>> to link the description in this section to the actual policy? Possible to
>> give an example?
>>
>>
>>
>> Some minor issues:
>>
>> Section 3 last paragraph: Is it a typo? “programming languates”?
>>
>> Section 4: Please provide the full name for the acronym of XSLT
>> (Extensible Stylesheet language Transformation?).
>>
>>  Section 4 first paragraph:  Do you mean “this document describes a
>> policy translator based on Automata theory” for the following sentence?
>>
>> “this document a policy translator based on Automata theory”
>>
>>
>>
>>
>>
>> Thanks Linda Dunbar
>>
>> *From:* I2nsf [mailto:i2nsf-bounces@ietf.org] *On Behalf Of *Mr. Jaehoon
>> Paul Jeong
>> *Sent:* Friday, August 03, 2018 2:49 AM
>> *To:* i2nsf@ietf.org
>> *Cc:* Mr. Jaehoon Paul Jeong <jaehoon.paul@gmail.com>; Xialiang (Frank,
>> Network Integration Technology Research Dept) <frank.xialiang@huawei.com>;
>> DIEGO LOPEZ GARCIA <diego.r.lopez@telefonica.com>; SecCurator_Team <
>> skku_secu-brain_all@googlegroups.com>; Jinhyuk Yang <jin.hyuk@skku.edu>
>> *Subject:* Re: [I2nsf] Request for Comments on I2NSF Security Policy
>> Translation
>>
>>
>>
>> Hi I2NSF WG,
>>
>> I found a relevant RFC for implementation guidelines from CORE WG as
>> below:
>>
>>
>>
>> Guidelines for Mapping Implementations: HTTP to the Constrained
>> Application Protocol (CoAP)
>>
>> https://tools.ietf.org/html/rfc8075
>>
>>
>>
>> This RFC is Proposed Standard RFC.
>>
>>
>>
>> In our security policy translation draft, we can focus on the mapping
>> from high-level security policy into low-level security policy
>>
>> along with the architecture of an exemplary translator.
>>
>>
>>
>> Thanks.
>>
>>
>>
>> Paul
>>
>>
>>
>> On Mon, Jul 23, 2018 at 11:45 AM, Mr. Jaehoon Paul Jeong <
>> jaehoon.paul@gmail.com> wrote:
>>
>> Hi Frank,
>>
>> As you know, the open source is dominant these days.
>>
>> If IETF sticks to a general specification,
>>
>> its position will get narrower and narrower in future.
>>
>>
>>
>> To make I2NSF easily be used in the world, I believe the implementation
>> guidelines of the security policy translation is important and useful.
>>
>> IMHO, without these guidelines, but with data models, I2NSF will not be
>> hard to be accepted.
>>
>>
>>
>> As long as I understand, I2NSF Applicability draft should focus on how to
>> leverage I2NSF with other important aspects (e.g., SDN, SFC, and NFV) for
>> the deployment of I2NSF rather than the detailed specification of I2NSF
>> components, such as security policy translator.
>>
>>
>>
>> I2NSF other people,
>>
>> Let us know your opinions.
>>
>>
>>
>> After collecting opinions and making consensus, let's move forward.
>>
>>
>>
>> Thanks.
>>
>>
>>
>> Paul
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>>
>> 2018년 7월 22일 (일) 오후 9:09, Xialiang (Frank, Network Integration
>> Technology Research Dept) <frank.xialiang@huawei.com>님이 작성:
>>
>> Hi,
>>
>> I share the same concern with Diego. Although it’s a good example of how
>> to translate the YANG models, but it’s just one of the possible system
>> implementations, thus not suitable to be a specification.
>>
>>
>>
>> My suggestion is you can consider to include its key contents into the
>> I2NSF applicability draft.
>>
>>
>>
>> B.R.
>>
>> Frank
>>
>>
>>
>> *发件人**:* I2nsf [mailto:i2nsf-bounces@ietf.org] *代表* Diego R. Lopez
>> *发送时间**:* 2018年7月21日 23:39
>> *收件人**:* Mr. Jaehoon Paul Jeong <jaehoon.paul@gmail.com>; i2nsf@ietf.org
>> *抄送**:* SecCurator_Team <skku_secu-brain_all@googlegroups.com>
>> *主题**:* Re: [I2nsf] Request for Comments on I2NSF Security Policy
>> Translation
>>
>>
>>
>> Hi Paul,
>>
>>
>>
>> This is a rather interesting draft and I’d encourage you to continue and
>> report your work in policy translation, as it constitutes one of the
>> essential matters the I2NSF Controller has to deal with.
>>
>>
>>
>> But I am afraid I don’t see this document progressing in the standards
>> track (even as an experimental one), as the particular techniques for
>> implementing the translation do not seem a proper subject for
>> standardization. The only place I could see room for it in would be as part
>> of the applicability draft, and I am not sure about it… What do others
>> think?
>>
>>
>>
>> Be goode,
>>
>>
>>
>> --
>>
>> "Esta vez no fallaremos, Doctor Infierno"
>>
>>
>>
>> Dr Diego R. Lopez
>>
>> Telefonica I+D
>>
>> https://www.linkedin.com/in/dr2lopez/
>> <https://www.linkedin..com/in/dr2lopez/>
>>
>>
>>
>> e-mail: diego.r.lopez@telefonica.com
>>
>> Tel:         +34 913 129 041
>>
>> Mobile:  +34 682 051 091
>>
>> ----------------------------------
>>
>>
>>
>> On 21/07/2018, 12:01, "I2nsf on behalf of Mr. Jaehoon Paul Jeong" <
>> i2nsf-bounces@ietf.org on behalf of jaehoon.paul@gmail.com> wrote:
>>
>>
>>
>> Hi I2NSF WG,
>>
>>
>>
>> I would like to introduce our draft on I2NSF Security Policy Translation:
>>
>> - Draft
>>
>>   https://tools.ietf.org/html/draft-yang-i2nsf-security-policy
>> -translation-01
>>
>>
>>
>> - Slides
>>
>>   https://datatracker.ietf.org/meeting/102/materials/slides-
>> 102-i2nsf-security-policy-translation-00
>>
>>
>>
>> This draft gives I2NSF developers the guidelines for the design and
>> implementation
>>
>> of I2NSF Security Controller.
>>
>> One important functionality of the Security Controller is to
>> automatically translate
>>
>> an I2NSF User's high-level policy to a low-level policy for NSFs.
>>
>>
>>
>> In the past of our I2NSF Hackathon projects, we made an
>> XSLT-stylesheet-based translator.
>>
>> But this translator has two limitations, such as static
>> capability-and-NSF mapping construction
>>
>> and inefficient maintenance on such a mapping.
>>
>>
>>
>> The first limitation is the difficult high-level policy construction.
>>
>> By the XSLT-stylesheet approach, I2NSF User MUST manually selects target
>> NSFs to execute
>>
>> the required security capabilities.
>>
>> This means that I2NSF User needs to know each NSF's capabilities, so it
>> is difficult for
>>
>> I2NSF User to construct a high-level security policy without the detailed
>> knowledge on NSFs.
>>
>>
>>
>> The second limitation is an inefficient maintenance on the policy
>> translator.
>>
>> If the data models on I2NSF NSF-facing Interface requires some updates,
>>
>> the XSLT stylesheet and XML files need to be updated.
>>
>> On the other hand, our new approach  provides I2NSF User with an
>> efficient
>>
>> maintenance.
>>
>>
>>
>> To solve these two limitations, our draft proposes an automata-based
>> policy translator.
>>
>> This translator consists of three components, such as Extractor, Data
>> Converter, and Generator.
>>
>>
>>
>> First, when a high-level policy is delivered from I2NSF User to Security
>> Controller,
>>
>> Translator extracts data about the policy at Extractor, and then converts
>> it at Data Converter
>>
>> for NSF(s). Also, Data Converter can select proper NSFs automatically.
>>
>> Finally, Generator generates low-level policies of target NSFs based on
>> the data from Data Converter.
>>
>>
>>
>> I believe that this draft is valuable for IP2NSF WG adoption
>>
>> to facilitate the development and deployment of I2NSF in the real world.
>>
>>
>>
>> Please read this draft and give our authors your valuable comments.
>>
>> We aim at making this proposal as an Informational RFC.
>>
>>
>>
>> Thanks.
>>
>>
>>
>> Best Regards,
>>
>> Paul & Jinhyuk
>>
>> --
>>
>> ===========================
>> Mr. Jaehoon (Paul) Jeong, Ph.D.
>> Assistant Professor
>> Department of Software
>> Sungkyunkwan University
>> Office: +82-31-299-4957
>> Email: jaehoon.paul@gmail..com <jaehoon.paul@gmail.com>, paulj
>> eong@skku.edu
>> Personal Homepage: http://iotlab.skku.edu/people-jaehoon-jeong.php
>> <http://cpslab.skku.edu/people-jaehoon-jeong.php>
>>
>>
>> ------------------------------
>>
>>
>> Este mensaje y sus adjuntos se dirigen exclusivamente a su destinatario,
>> puede contener información privilegiada o confidencial y es para uso
>> exclusivo de la persona o entidad de destino. Si no es usted. el
>> destinatario indicado, queda notificado de que la lectura, utilización,
>> divulgación y/o copia sin autorización puede estar prohibida en virtud de
>> la legislación vigente. Si ha recibido este mensaje por error, le rogamos
>> que nos lo comunique inmediatamente por esta misma vía y proceda a su
>> destrucción.
>>
>> The information contained in this transmission is privileged and
>> confidential information intended only for the use of the individual or
>> entity named above. If the reader of this message is not the intended
>> recipient, you are hereby notified that any dissemination, distribution or
>> copying of this communication is strictly prohibited. If you have received
>> this transmission in error, do not read it. Please immediately reply to the
>> sender that you have received this communication in error and then delete
>> it.
>>
>> Esta mensagem e seus anexos se dirigem exclusivamente ao seu
>> destinatário, pode conter informação privilegiada ou confidencial e é para
>> uso exclusivo da pessoa ou entidade de destino. Se não é vossa senhoria o
>> destinatário indicado, fica notificado de que a leitura, utilização,
>> divulgação e/ou cópia sem autorização pode estar proibida em virtude da
>> legislação vigente. Se recebeu esta mensagem por erro, rogamos-lhe que nos
>> o comunique imediatamente por esta mesma via e proceda a sua destruição
>>
>>
>>
>>
>>
>> --
>>
>> ===========================
>> Mr. Jaehoon (Paul) Jeong, Ph.D.
>> Assistant Professor
>> Department of Software
>> Sungkyunkwan University
>> Office: +82-31-299-4957
>> Email: jaehoon.paul@gmail.com, pauljeong@skku.edu
>> Personal Homepage: http://iotlab.skku.edu/people-jaehoon-jeong.php
>> <http://cpslab.skku.edu/people-jaehoon-jeong.php>
>>
>
>
>
> --
> ===========================
> Mr. Jaehoon (Paul) Jeong, Ph.D.
> Assistant Professor
> Department of Software
> Sungkyunkwan University
> Office: +82-31-299-4957
> Email: jaehoon.paul@gmail.com, pauljeong@skku.edu
> Personal Homepage: http://iotlab.skku.edu/people-jaehoon-jeong.php
> <http://cpslab.skku.edu/people-jaehoon-jeong.php>
>



-- 
===========================
Mr. Jaehoon (Paul) Jeong, Ph.D.
Assistant Professor
Department of Software
Sungkyunkwan University
Office: +82-31-299-4957
Email: jaehoon.paul@gmail.com, pauljeong@skku.edu
Personal Homepage: http://iotlab.skku.edu/people-jaehoon-jeong.php
<http://cpslab.skku.edu/people-jaehoon-jeong.php>