[I2nsf] Capability Model - Yang Model Split and what it means for you
"Susan Hares" <shares@ndzh.com> Fri, 11 November 2016 07:07 UTC
Return-Path: <shares@ndzh.com>
X-Original-To: i2nsf@ietfa.amsl.com
Delivered-To: i2nsf@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 113251299F6 for <i2nsf@ietfa.amsl.com>; Thu, 10 Nov 2016 23:07:39 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 0.946
X-Spam-Level:
X-Spam-Status: No, score=0.946 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DOS_OUTLOOK_TO_MX=2.845, HTML_MESSAGE=0.001] autolearn=no autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 2Ei2tvaryJbn for <i2nsf@ietfa.amsl.com>; Thu, 10 Nov 2016 23:07:36 -0800 (PST)
Received: from hickoryhill-consulting.com (50-245-122-97-static.hfc.comcastbusiness.net [50.245.122.97]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id DA117129A09 for <i2nsf@ietf.org>; Thu, 10 Nov 2016 23:07:35 -0800 (PST)
X-Default-Received-SPF: pass (skip=loggedin (res=PASS)) x-ip-name=31.133.148.72;
From: Susan Hares <shares@ndzh.com>
To: i2nsf@ietf.org
Date: Fri, 11 Nov 2016 02:04:42 -0500
Message-ID: <026201d23be9$e35457e0$a9fd07a0$@ndzh.com>
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="----=_NextPart_000_0263_01D23BBF.FA8099D0"
X-Mailer: Microsoft Outlook 14.0
Thread-Index: AdI72WKAm/FIL1uVRaSXulkWi1UmwA==
Content-Language: en-us
X-Authenticated-User: skh@ndzh.com
Archived-At: <https://mailarchive.ietf.org/arch/msg/i2nsf/8S3KL63sZ2j_6cU1p1S933kJ7_k>
Cc: skoh21@skku.edu, pauljeong@skku.edu, 'Kathleen Moriarty' <kathleen.moriarty.ietf@gmail.com>, 'Linda Dunbar' <linda.dunbar@huawei.com>, mdaghmechi@skku.edu, hyoung@skku.edu, 'Adrian Farrel' <adrian@olddog.co.uk>, taejin.ahn@kt.com
Subject: [I2nsf] Capability Model - Yang Model Split and what it means for you
X-BeenThere: i2nsf@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: "*I2NSF: Interface to Network Security Functions mailing list*" <i2nsf.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/i2nsf>, <mailto:i2nsf-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/i2nsf/>
List-Post: <mailto:i2nsf@ietf.org>
List-Help: <mailto:i2nsf-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/i2nsf>, <mailto:i2nsf-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 11 Nov 2016 07:07:39 -0000
The capability model drafts have made a huge step forward between IETF 97 and IETF 98. I'd like to comment on this progress, and what it means to I2NSF WG. I will present this in terms of an American slang phrase - the good, the bad, and the ugly. A big thanks goes to the Korean "dream team" that implemented so much of the capability model. Sue ------ The Good: The capability drafts have been split into 3 types of drafts, and it has been partially implemented!!! 1) Capability draft -base model (Informational Model, Data Model) a. draft-xibassnez-i2nsf-capability-00 b. draft-hares-i2nsf-capability-data-model/ <https://datatracker.ietf.org/doc/draft-hares-i2nsf-capability-data-model/> 2) NSF facing interface - data model a. draft-kim-i2nsf-consumer-facing-interface-dm-00 3) Client facing interface information models draft-kumar-i2nsf-client-facing-interface-im/ draft-you-i2nsf-user-group-based-policy-02 draft-you-i2nsf-user-group-policy-capability-00 (beginnings of info model) draft-kim-i2nsf-consumer-facing-interface-dm/ (no yang yet, hopefully after hackathon) This break down allows the general capabilities to be common and supports the architecture below (this copy from draft-kim-i2nsf-security-management-architecture-03, but it has been part of our discussions for a while. One thing that has been added is the ability for the security controller to have registrations. Question: Does the client side have registrations as well? +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | I2NSF User | | +-+-+-+-+-+-+-+-+-+-+-+ | | ---| Application Logic |<-- | | | +-+-+-+-+-+-+-+-+-+-+-+ | | | | | | | | | | | +-+-+-+v+-+-+-+-+-+ +-+-+-+v+-+-+-+ | | | Policy Updater | | Event | | | +-+-+-+-+-+-+-+-+-+ | Collector | | | | +-+-+-+^+-+-+-+ | | | | | | | | | | | ------------------- | +-+-+-+-+-+-+-+-+-+-+-+-+-+|+-+-|-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | | Consumer-Facing Interface +-+-+-+-+-+-+-+-+-+-+-+-+-+|+-+-|-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ |Security Management System| | | | +-+-+-+-+-+-+-+-+-+v+-+-+-+-+ | | |Security Controller | | | | +-+-+-+-+-+ +-+-+-+-+-+-+ | Registration | | | |Security | |NSF | | Interface +-+-+-+-+-+-+-+ | | | |Policy | |Capability | |<----------->| controllers | | | | |Manager | |Manager | | | Mgnt System | | | | +-+-+-+-+-+ +-+-+-+-+-+-+ | +-+-+-+-+-+-+-+ | | +-+-+-+-+-+-^-+-+-+-+-+-+-+-+ | +-+-+-+-+-+-+-|-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ |--------------------------------- NSF-Facing Interface +-+-+-+-+-+-+-|-+-+-+-+-+-+|+-+-+-+-+-+-+-+-+-+|+-+-+-+-+-+-+-+-+-+-+ |NSF Instances| | | | | +-+-+v+-+-+ +-+-+v+-+-+ +-+-+v+-+-+ | | | NSF | | NSF | . . . | NSF | | | +-+-+-+-+-+ +-+-+-+-+-+ +-+-+-+-+-+ | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ Figure 1: Security Management Architecture in I2NSF This architecture is capable of differentiating between trusted sources and non-trusted source. This is a good step forward. Thanks to Sangwon Hyun, SangUk Woo, YunSuk Yeo, Paul ( Jaehoon) Jeong, and Jung-Soo Park for this advance. There is a good chance this has been implemented!! +-+-+-+-+-+ +-+-+-+-+-+ +-+-+-+-+-+-+-+ | Source |----------->| Firewall|------------>| Destination | +-+-+-+-+-+ +-+-+-+-+-+ +-+-+-+-+-+-+-+ (a) Traffic flow of trusted source +-+-+-+-+-+ +-+-+-+-+-+ +-+-+-+-+-+ +-+-+-+-+-+-+-+ | Source |---->|Firewall |---->| DPI |---->| Destination | +-+-+-+-+-+ +-+-+-+-+-+ +-+-+-+-+-+ +-+-+-+-+-+-+-+ (b) Traffic flow of untrusted source Drawing is in: draft-hyun-i2nsf-sfc-enabled-i2nsf-01 and draft-hyun-i2nsf-sfc-enabled-i2nsf-01. ======== The BAD: . The link between I2NSF Capabilities and Flow Policy has been broken Operators use Flow Filter policy (aka policy based routing) in routers, simple switches, and security devices. We've lost the link to the NETCONF ACLs, I2RS Filter-based policy, and the BGP Flow Specification filter policy. This policy has been replaced by a simple policy for flow filters in the capability. Possible fixes: o go back to I2RS FB-RIB policy link (draft-hares-pkt-eca-policy) o Allow a configuration parameter to choose between simple policy, I2RS Filter-based Policy, extended policy. Cost: 1 parameter that specifies what model is being used, and Choice statement in model . Group policy is not in the aligned capability model IM/DM Group policy allows users to design policy based on the role of a group. Grouping policy allows users to be able to think according to human groups. The two models of group policy do not intermix, and overlap in concepts. Both models have useful pieces that should be intermixed. However, both models do not link well to the routing and OPS area work on group policy. It would be really useful if our chairs could organize a side-meeting on this topic this week. The side-meetings were very helpful at IETF 96. . Attestations are not represented Attestations are a key component of the I2NSF architecture. Is the WG assuming that all Security devices must do Attestations? How are we getting a trusted channel? If the channel is not trusted, do we need to send a small signal "I'm getting queried by a non-trusted node" - just like the DOTS sends the "I'm being DOS attacked). . Monitoring capabilities not list included in the capabilities draft-zhang-i2nsf-info-model-monitoring-02 suggest some monitoring in terms of alarms, events, system log, system counters, network events, and NSF logs. This draft only presents some of the logical types, and does not link them to the NETCONF/RESTCONF management work. Three levels of things are needed: o Critical events (Tell me Now) Some Alarms + some events + some network events are critical for the NSF controller to get. o Need to know (Tell me Soon): Some events, some network events, some counters exceeded o Record (I'll process later): some alarms, some network events, most system counters, system log, and NSF log o Telemetry - things which you want to know to decide on how flows are going to work. Telemetry is not setting configurations. Telemetry is deep reporting of status. IPFix was built for telemetry work, but it lacks some of the application layer management that the NETCONF pub/sub work does. I2RS spawn the work in NETCONF to support multiple event streams (push/pull) with from a NETCONF server (aka NSF device) to NETCOFN client (NSF controller). Traceability in I2RS handles the System log and NSF log. You should really look up these types of events. Another ugliness related to monitoring is the early work in the SECEVENT WG which ignores the pub/sub work done in NETCONF/RESTCONF. Rather than create another protocol, it would be useful to simply create a data model out of this security information and a new . No document seems to global security design exists for the security associations so that a network with multi-vendor deployments has a common security association Choices: (see draft-moskowitz-dots-identities-00) o web PKI model (fraught with leakage challenges), o IEEE 802.1AR device identity certificate model - LDevID (used by Netconf-zerotouch) o Raw public keys (some unauthenticated data will be necessary which presents a risk) DANE [RFC6698] provides the necessary details to validate a TLS Raw key o Hierarchical HIT (based on HIP work) =========== The Ugly . draft-mglt-i2nsf-ssf-collaboration and draft-hares-i2nsf-ddos-yang-dm - are working on higher level Inter-Cloud DDOS work. Daniel did not look at [draft- fang-i2nsf-inter-cloud-ddos-mitigation-api-01] to see what Microsoft cloud wanted. Luyuan Fang let the draft expire - so this may be Daniel's confusion. Daniel apologized for not checking this draft . Since we've been co-authors on other I2RS drafts, we'll work this out as implementers. A second ugliness is I2NSF lacks a second Cloud provider for the API. The third ugliness is that I used the capability model at inter-domain level so that the providers could explain their capability. Luyuan suggested this concept, and I think it is a good one. My understanding is that the inter-domain relationship would have a unique security domain. [cloud provider-1] -----inter-domain exchange ---------- [cloud provider 2] Security domain 1 --- security domain 2 ------ security domain 3 . Another ugly factor is that we really do not know how some of the other Cloud providers want to handle DDoS API. If the SECEVENT people are trying to inform security events using JSON web tokens, I wonder why they are standardizing half the solution (token + data) without standardizing how to do the management streams (stream, stream-id, transport, rates of transaction). . DOTS devices are NSF devices, and should be part of the management of the whole network DOTS devices are NSF devices focused on handling DOS attacks. Having DOTS disconnected from the rest of the I2NSF management creates a silo. Linking the I2NSF mgr with the DOTS mgr makes sense. Client -- I2NSF mgr --- NSF \ DOTS client --- DOTS-mgr . MILE disconnect from I2NSF (draft-mile-rolie-05.txt) states that "This document defines a resource-oriented approach for security automation information publication, discovery, and sharing. Using this approach, producers may publish, share, and exchange representations of security incidents, attack indicators, software vulnerabilities, configuration checklists, and other security automation information as Web-addressable resources." If a node is utilizing MILE to share configuration check-list, attack indicators and I2NSF is monitoring the same information - one has to ask "why both are being done"? It seems like two hands - the left handed security protocol is not talking to the right handed security protocols. . SACM - records security postures (RFC7632) - using the IPFIX telemetry to support Target endpoint discover, characterization, classification plus collection of information and evaluation. There is also a portion of the data model to handle how the SACM Manager does SACM component discovery, component authentication, and component authorization, and component registration. What's ugly in the I2NSF/SACM/DOTS work? - DOTS is doing telemetry about DOS, I2NSF needs to do telemetry in addition to events, notifications, logs, and alarms. SACM has mgr/client relationship and is doing component registration. Sound familiar? It should since you've read it within this message. Is the security building lots of YAP (yet another protocol) rather than looking at the component parts? That's what it seems to me, but perhaps I'm missing something about the security association. I hope this has stirred up a bit of conversation on the open issues for I2NSF. I'm looking forward to IETF 97's hackathon and I2NSF on Monday. Sue