Re: [I2nsf] Request for Comments on I2NSF Security Policy Translation

"Mr. Jaehoon Paul Jeong" <jaehoon.paul@gmail.com> Sat, 21 July 2018 16:42 UTC

In-Reply-To: <E4E2E6B7-9935-450D-B6F9-B32ABCA5159A@telefonica.com>
References: <CAPK2DewpB-ZJkD6THFAJOqZCa86kfW52m5xSg5iEbASf1WqPWA@mail.gmail.com> <E4E2E6B7-9935-450D-B6F9-B32ABCA5159A@telefonica.com>
From: "Mr. Jaehoon Paul Jeong" <jaehoon.paul@gmail.com>
Date: Sat, 21 Jul 2018 12:42:01 -0400
Message-ID: <CAPK2DeyMHBGeAVBDFDR4xboxE7T3EgMT-+KfiWa477HWmzXaKQ@mail.gmail.com>
To: "Diego R. Lopez" <diego.r.lopez@telefonica.com>
Cc: "i2nsf@ietf.org" <i2nsf@ietf.org>, SecCurator_Team <skku_secu-brain_all@googlegroups.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/i2nsf/Ei-0yAAFmbINhWo5y8NwH4x7te0>

Hi Diego,

This draft is about the design and implementation of the I2NSF Security Policy Controller, translating from a high-level YANG to a low-level YANG.

In my previous RFC on "IPv6 Router Advertisement Options for DNS Configuration", implementation considerations are included to facilitate an easy implementation for developers:
https://tools.ietf.org/html/rfc8106

As I mentioned in the previous email, we aim at an Informational RFC rather than a Standards-track or Experimental RFC.
IMHO, this policy translation is a key technology for I2NSF, so it will be beneficial to have an Informational RFC on the security policy translation.

Thanks.

Paul


On Sat, Jul 21, 2018 at 11:39 AM, Diego R. Lopez <
diego.r.lopez@telefonica.com> wrote:

> Hi Paul,
>
> This is a rather interesting draft and I'd encourage you to continue and
> report your work in policy translation, as it constitutes one of the
> essential matters the I2NSF Controller has to deal with.
>
> But I am afraid I don't see this document progressing in the standards
> track (even as an experimental one), as the particular techniques for
> implementing the translation do not seem a proper subject for
> standardization. The only place I could see room for it in would be as part
> of the applicability draft, and I am not sure about it... What do others
> think?
>
> Be good,
>
> --
>
> "Esta vez no fallaremos, Doctor Infierno"
>
> Dr Diego R. Lopez
> Telefonica I+D
> https://www.linkedin.com/in/dr2lopez/
>
> e-mail: diego.r.lopez@telefonica.com
> Tel:         +34 913 129 041
> Mobile:  +34 682 051 091
>
> ----------------------------------
>
> On 21/07/2018, 12:01, "I2nsf on behalf of Mr. Jaehoon Paul Jeong" <
> i2nsf-bounces@ietf.org on behalf of jaehoon.paul@gmail.com> wrote:
>
>
>
> Hi I2NSF WG,
>
> I would like to introduce our draft on I2NSF Security Policy Translation:
>
> - Draft
>   https://tools.ietf.org/html/draft-yang-i2nsf-security-policy-translation-01
>
> - Slides
>   https://datatracker.ietf.org/meeting/102/materials/slides-102-i2nsf-security-policy-translation-00
>
> This draft gives I2NSF developers the guidelines for the design and
> implementation of the I2NSF Security Controller.
> One important functionality of the Security Controller is to automatically
> translate an I2NSF User's high-level policy to a low-level policy for NSFs.
>
> In our past I2NSF Hackathon projects, we made an XSLT-stylesheet-based
> translator.
> But this translator has two limitations, such as static capability-and-NSF
> mapping construction and inefficient maintenance of such a mapping.
>
> The first limitation is the difficult high-level policy construction.
> With the XSLT-stylesheet approach, the I2NSF User MUST manually select
> target NSFs to execute the required security capabilities.
> This means that the I2NSF User needs to know each NSF's capabilities, so it
> is difficult for the I2NSF User to construct a high-level security policy
> without detailed knowledge of NSFs.
>
> The second limitation is inefficient maintenance of the policy translator.
> If the data models on the I2NSF NSF-facing Interface require some updates,
> the XSLT stylesheet and XML files need to be updated.
> On the other hand, our new approach provides the I2NSF User with efficient
> maintenance.
>
> To solve these two limitations, our draft proposes an automata-based
> policy translator.
> This translator consists of three components, such as Extractor, Data
> Converter, and Generator.
>
> First, when a high-level policy is delivered from the I2NSF User to the
> Security Controller, the Translator extracts data about the policy in the
> Extractor, and then converts it in the Data Converter for the NSF(s). Also,
> the Data Converter can select proper NSFs automatically.
> Finally, the Generator generates low-level policies of target NSFs based on
> the data from the Data Converter.
>
> I believe that this draft is valuable for I2NSF WG adoption
> to facilitate the development and deployment of I2NSF in the real world.
>
> Please read this draft and give our authors your valuable comments.
> We aim at making this proposal an Informational RFC.
>
> Thanks.
>
> Best Regards,
> Paul & Jinhyuk
> --
>
> ===========================
> Mr. Jaehoon (Paul) Jeong, Ph.D.
> Assistant Professor
> Department of Software
> Sungkyunkwan University
> Office: +82-31-299-4957
> Email: jaehoon.paul@gmail.com, pauljeong@skku.edu
> Personal Homepage: http://iotlab.skku.edu/people-jaehoon-jeong.php
> <http://cpslab.skku.edu/people-jaehoon-jeong.php>
>
> ------------------------------
>
> The information contained in this transmission is privileged and
> confidential information intended only for the use of the individual or
> entity named above. If the reader of this message is not the intended
> recipient, you are hereby notified that any dissemination, distribution or
> copying of this communication is strictly prohibited. If you have received
> this transmission in error, do not read it. Please immediately reply to the
> sender that you have received this communication in error and then delete
> it.
>
>



-- 
===========================
Mr. Jaehoon (Paul) Jeong, Ph.D.
Assistant Professor
Department of Software
Sungkyunkwan University
Office: +82-31-299-4957
Email: jaehoon.paul@gmail.com, pauljeong@skku.edu
Personal Homepage: http://iotlab.skku.edu/people-jaehoon-jeong.php
<http://cpslab.skku.edu/people-jaehoon-jeong.php>
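The three-stage translator described in the quoted message (Extractor, Data Converter, Generator), as an added illustration that is not code from the draft, from the authors' hackathon translator, or from any I2NSF implementation. The automata of the draft are simplified here to a linear pipeline; the high-level XML shape, the endpoint groups, the action-to-capability vocabulary and the NSF registry are all constructed assumptions. The point it shows is the one the message makes about the first limitation: the user names only endpoints and actions, and NSF selection happens in the Data Converter from a capability table, so the user needs no knowledge of individual NSFs and updating the mapping means editing data, not a stylesheet.

```python
"""Toy I2NSF-style policy translator: Extractor -> Data Converter -> Generator.

Added example; not the draft's or the hackathon project's code. Every name,
format and table below is an assumption constructed for illustration.
"""
import json
import xml.etree.ElementTree as ET
from typing import Dict, List, Set

# Constructed high-level policy as an I2NSF User might write it (assumed shape).
HIGH_LEVEL_POLICY = """<policy name="block-malware-sites">
  <source>employees</source>
  <destination>malicious-sites</destination>
  <action>block</action>
  <action>log</action>
</policy>"""

# Constructed endpoint groups (private and documentation address ranges).
ENDPOINT_GROUPS: Dict[str, List[str]] = {
    "employees": ["10.0.1.0/24"],
    "malicious-sites": ["203.0.113.0/24", "198.51.100.7/32"],
}

# Assumed vocabulary: which capability each high-level action needs.
ACTION_CAPABILITY: Dict[str, str] = {
    "block": "packet-drop",
    "log": "logging",
    "alert": "alerting",
    "rate-limit": "rate-limiting",
}

# Constructed NSF registry: capabilities each registered NSF advertises.
# This table is the only place NSF knowledge lives; the user never names an NSF.
NSF_REGISTRY: Dict[str, Set[str]] = {
    "firewall": {"packet-drop", "logging"},
    "web-filter": {"packet-drop", "url-filtering"},
    "ids": {"logging", "alerting"},
}


def extract(policy_xml: str) -> dict:
    """Extractor: pull name, endpoints and actions out of the high-level XML."""
    root = ET.fromstring(policy_xml)
    if root.tag != "policy":
        raise ValueError(f"unexpected root element {root.tag!r}")

    def one(tag: str) -> str:
        node = root.find(tag)
        if node is None or not (node.text or "").strip():
            raise ValueError(f"missing <{tag}> in policy")
        return node.text.strip()

    actions = [a.text.strip() for a in root.findall("action") if a.text]
    if not actions:
        raise ValueError("policy has no <action>")
    return {"name": root.get("name", "unnamed"), "source": one("source"),
            "destination": one("destination"), "actions": actions}


def select_nsfs(required: Set[str]) -> Dict[str, Set[str]]:
    """Greedy set cover over the registry: repeatedly take the NSF covering
    the most still-uncovered capabilities. Fails loudly if some capability
    is provided by no NSF, rather than silently dropping the action."""
    uncovered, chosen = set(required), {}
    while uncovered:
        best = max(NSF_REGISTRY, key=lambda n: len(NSF_REGISTRY[n] & uncovered))
        gained = NSF_REGISTRY[best] & uncovered
        if not gained:
            raise ValueError(f"no registered NSF provides {sorted(uncovered)}")
        chosen[best] = gained
        uncovered -= gained
    return chosen


def convert(extracted: dict) -> dict:
    """Data Converter: resolve groups to addresses, map actions to
    capabilities, and choose target NSFs automatically."""
    try:
        src, dst = (ENDPOINT_GROUPS[extracted[k]] for k in ("source", "destination"))
    except KeyError as e:
        raise ValueError(f"unknown endpoint group {e}") from None
    unknown = [a for a in extracted["actions"] if a not in ACTION_CAPABILITY]
    if unknown:
        raise ValueError(f"unknown action(s) {unknown}")
    needed = {ACTION_CAPABILITY[a] for a in extracted["actions"]}
    return {"name": extracted["name"], "src": src, "dst": dst,
            "actions": extracted["actions"], "nsfs": select_nsfs(needed)}


def generate(converted: dict) -> Dict[str, dict]:
    """Generator: one low-level rule per selected NSF, carrying only the
    actions that NSF was chosen to enforce (policy order preserved)."""
    return {
        nsf: {"rule-name": converted["name"], "src": converted["src"],
              "dst": converted["dst"],
              "actions": [a for a in converted["actions"] if ACTION_CAPABILITY[a] in caps]}
        for nsf, caps in converted["nsfs"].items()
    }


def translate(policy_xml: str) -> Dict[str, dict]:
    """Full pipeline from high-level XML to per-NSF low-level rules."""
    return generate(convert(extract(policy_xml)))


if __name__ == "__main__":
    print(json.dumps(translate(HIGH_LEVEL_POLICY), indent=2))
```

Adding an NSF or changing which capability an action needs is an edit to NSF_REGISTRY or ACTION_CAPABILITY only; the extraction and generation code does not change, which is the maintenance property the message contrasts with the XSLT approach. The greedy cover is deterministic (ties go to the earlier registry entry) so the same policy always yields the same NSF assignment, which matters when auditing what a controller actually pushed.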