Re: [I2nsf] Narrowing down the scope of work for the I2NSF Re-Chartering

"Mr. Jaehoon Paul Jeong" <jaehoon.paul@gmail.com> Fri, 01 April 2022 07:51 UTC

Return-Path: <jaehoon.paul@gmail.com>
X-Original-To: i2nsf@ietfa.amsl.com
Delivered-To: i2nsf@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 279123A1883 for <i2nsf@ietfa.amsl.com>; Fri, 1 Apr 2022 00:51:54 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.097
X-Spam-Level:
X-Spam-Status: No, score=-2.097 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_HK_NAME_FM_MR_MRS=0.01, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 6YQulLlnKY1g for <i2nsf@ietfa.amsl.com>; Fri, 1 Apr 2022 00:51:49 -0700 (PDT)
Received: from mail-lf1-x12e.google.com (mail-lf1-x12e.google.com [IPv6:2a00:1450:4864:20::12e]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 95C663A1870 for <i2nsf@ietf.org>; Fri, 1 Apr 2022 00:51:48 -0700 (PDT)
Received: by mail-lf1-x12e.google.com with SMTP id bq24so3375904lfb.5 for <i2nsf@ietf.org>; Fri, 01 Apr 2022 00:51:48 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20210112; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=bsLbtR/P40wzHENBtZWXn1GVe9rqw98eg67+Ugws7cY=; b=eeWNRJwyXbdhQKfZEgpeRuCcOYFS2G25ANhTEwhVBgkaxVhheQ9K2CAFMphXQpRqGv aEG3faKPi3h8ayos9JVFjFLkqyx3WvK/1QJoCpvCiSR50kFYn8cDzDv3xy/dpfAN1Ups ub2qRoH5MTn+1xRErUCWqLE5py/lLy60TLn+X3ex8WOXfA76eVVPH7eB+9N7p3lSvexH jhb+/muTKsM2QXOz7GOSgTjVKYb0m0CqcXjtniTTjhVVE3au+Hmn5nl1KGRQkM4fzRyt MUREAQhHymPbdmAvn9Iii43T63Ky1Zb8GbSv+r0K6JfeTynepyO1cnY6Hft/R31aY+nv 1ONw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=bsLbtR/P40wzHENBtZWXn1GVe9rqw98eg67+Ugws7cY=; b=3tyhXrK6vX1XFyNarhqYC2dYLWuyy+QwxB8vBYNuhBkBi2Ve5Qioa6CZgSrxSB0o6G KLozYNkwgB8pCrscEQ2D1I0G0HViqlpSlxKzcsB6mZUpj5V4sDQcuzeMtNb2hb1HO9vX RESa3CCSSmtxiw3moRLYdkqZ1kp+hJl0UfGazgKC3DI1XuIk3QIskjUneeE/iNh2C6DS wMYvcF/hf4/hkHcIpVWAEwBOy3V9sxOq8hT+EWU7hEK8gMM0Yfgh0p2WFdm2hFitNC2u 5Jcgdt7QKv5d9IO5dj2et9VutVWuU2jNlRptEgY1Uduryfv6xka8Cv4Hz9cVtByEJ/9A M0Mg==
X-Gm-Message-State: AOAM533lDhxguiD+20wD8HhnJ+x+ZAK6n21QD6JEgj01PSKlY7VbUk+p UyjDsBPIkVRoyq1J3R/N4Ma4CyZgEtKhipkthLs=
X-Google-Smtp-Source: ABdhPJyapxPuinrrc+CrDSvyNzVemlCjKUGCygjpPsGCIrDTVjtCA9J1yoheAcB65Snh9HM8kf0+b8soCFMo8zxDzGA=
X-Received: by 2002:a19:650d:0:b0:448:6bf1:ab65 with SMTP id z13-20020a19650d000000b004486bf1ab65mr13318927lfb.668.1648799505972; Fri, 01 Apr 2022 00:51:45 -0700 (PDT)
MIME-Version: 1.0
References: <CO1PR13MB49205BF5D1A1519D98655AA2851F9@CO1PR13MB4920.namprd13.prod.outlook.com>
In-Reply-To: <CO1PR13MB49205BF5D1A1519D98655AA2851F9@CO1PR13MB4920.namprd13.prod.outlook.com>
From: "Mr. Jaehoon Paul Jeong" <jaehoon.paul@gmail.com>
Date: Fri, 01 Apr 2022 16:51:09 +0900
Message-ID: <CAPK2Dex2D9YTn+TVQG6GN6RwOuRVHNYQ8mmHRg64SLvd0=i92g@mail.gmail.com>
To: Linda Dunbar <linda.dunbar@futurewei.com>
Cc: "i2nsf@ietf.org" <i2nsf@ietf.org>, Roman Danyliw <rdd@cert.org>, Yoav Nir <ynir.ietf@gmail.com>, tom petch <daedulus@btconnect.com>, Susan Hares <shares@ndzh.com>, DIEGO LOPEZ GARCIA <diego.r.lopez@telefonica.com>, JungSoo Park <pjs@etri.re.kr>, Yunchul Choi <cyc79@etri.re.kr>, Patrick Lingga <patricklink888@gmail.com>, Jeong Hyeon Kim <jeonghyeonkim92@gmail.com>, Younghan Kim <younghak@ssu.ac.kr>, "Panwei (William)" <william.panwei@huawei.com>, Henk Birkholz <henk.birkholz@sit.fraunhofer.de>, yangpenglin <yangpenglin@chinamobile.com>, Kyoungjae Sun <gomjae@dcn.ssu.ac.kr>, Hyunsik Yang <yangun@dcn.ssu.ac.kr>, skku-iotlab-members <skku-iotlab-members@googlegroups.com>, "Mr. Jaehoon Paul Jeong" <jaehoon.paul@gmail.com>
Content-Type: multipart/alternative; boundary="000000000000dc00c605db930ccb"
Archived-At: <https://mailarchive.ietf.org/arch/msg/i2nsf/H1mEFoyEnaicfxOE1_LJ2Wl4qsc>
Subject: Re: [I2nsf] Narrowing down the scope of work for the I2NSF Re-Chartering
X-BeenThere: i2nsf@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "*I2NSF: Interface to Network Security Functions mailing list*" <i2nsf.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/i2nsf>, <mailto:i2nsf-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/i2nsf/>
List-Post: <mailto:i2nsf@ietf.org>
List-Help: <mailto:i2nsf-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/i2nsf>, <mailto:i2nsf-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 01 Apr 2022 07:51:55 -0000

Hi Linda and Yoav,

I would say that the theme of this I2NSF Re-Chartering is "Security
Management Automation".
This theme is based on seven years of I2NSF standardization and hackathon
projects with our I2NSF WG colleagues.

May I suggest three more work items in addition to your proposed work items?

The following three work items can be handled with focus, with the CCed
I2NSF WG colleagues as coauthors and contributors:
---------------------------------------------------------------------------------------------------------------------------------------------------------------
1. Security Service Management through Leveraging I2NSF Framework and
Interfaces
- Main Contents
 . An Extension of I2NSF Framework for Intelligent Security Management
Automation
 . Distributed Auditing Services for Supply Chain Attacks and Insider
Attacks by Distributed Ledger Technology (DLT) and Remote Attestation
 . Support of Containers for I2NSF in Cloud Native Systems
 . Support of Other Contemporary Technologies for I2NSF such as Quantum Key
Distribution (QKD) and Post Quantum Cryptography (PQC)

2. I2NSF Application Interface YANG Data Model
- Main Contents
 . A New I2NSF Interface for Feedback-control-loop-based Security
Management Automation
 . Support of Feedback Information Delivery from I2NSF (Data) Analyzer to
Security Controller for Security Policy Augmentation and Generation

3. Guidelines to Security Policy Translation for I2NSF-Based Security
Enforcement
- Main Contents
 . A Relation between the I2NSF Consumer-Facing Interface and the
NSF-Facing Interface
 . Handling of Default Actions for a High-level Security Policy to be
translated to a Low-level Security Policy
 . Population of Information for Security Policy Translation (e.g., mapping
of IP addresses for users and devices)
 . Implementation Guidelines for Security Policy Translator (will be put as
Appendix rather than main text)
---------------------------------------------------------------------------------------------------------------------------------------------------------------

As you know, my SKKU team with ETRI demonstrated the feasibility of those
three work items through the past I2NSF Projects.

The 1st work item provides autonomous security management services to
minimize human engagement in security services.
The I2NSF extension for this autonomous security management is explained in
my new I2NSF I-D:
https://datatracker.ietf.org/doc/html/draft-jeong-i2nsf-security-management-automation-03

As a use case, a new outside (or inside) security attack is detected and
blocked by an I2NSF system.
For this, an NSF reports monitoring data on a suspicious activity to an
I2NSF Analyzer (a new component, defined in the above I-D, which is a data
collector and a data analyzer with machine learning).

The I2NSF Analyzer analyzes the monitoring data and diagnoses the problem
or security attack.
The I2NSF Analyzer sends a feedback report to the Security Controller so
that the Security Controller can augment its existing security policy or
generate a new security policy to cope with the problem or security attack.

The involved security functions include the following steps:
1. The monitoring data delivery from an NSF to an I2NSF Analyzer,
2. The analysis of the monitoring data at the I2NSF Analyzer,
3. The construction of a feedback report by the I2NSF Analyzer,
4. The delivery of the feedback report from the I2NSF Analyzer to the
Security Controller,
5. The interpretation/translation of the feedback report at the Security
Controller, and
the augmentation of an existing security policy (or the generation of a new
security policy) by the Security Controller, and
6. The delivery of the augmented (or generated) security policy to an
appropriate NSF.

These steps are explained in the above I-D. I also explained them in the
I2NSF Re-chartering slides presented during the IETF-113 I2NSF WG Session.

For the support of containers for I2NSF NSFs, the interface to security
functions on a container will be the same as that to security functions on
a VM.
However, the operation and management of I2NSF in a container deployment
can be specified in the document.
Here is my I2NSF I-D on Cloud Native Systems for your reference:
https://datatracker.ietf.org/doc/html/draft-yang-i2nsf-nfv-architecture-07#page-11

I CC Dr. Kyoungjae Sun and Dr. Hyunsik Yang, the authors of this I-D on
Cloud Native Systems for I2NSF, since they are experts in this domain.

For the support of other contemporary technologies, a "Quantum Key" can be
distributed to NSFs through Security Controllers.
The work of RFC 9061 (A YANG Data Model for IPsec Flow Protection Based on
Software-Defined Networking (SDN))
can be extended for this key distribution.

For the 2nd work item, the I2NSF Application Interface delivers a feedback
report containing feedback information as a high-level policy that
describes a problem or security attack, rather than monitoring data.
The Application Interface is a newly defined interface from the I2NSF
Analyzer to the Security Controller, so it is different from the
Monitoring Interface.
You can refer to my I2NSF I-D for the Application Interface:
https://datatracker.ietf.org/doc/html/draft-lingga-i2nsf-application-interface-dm-02

For the 3rd work item, the guidelines for security policy translation are
specified in terms of the mapping of interfaces, default action handling,
the population of translation information (e.g., mapping of user groups
(or device groups) to their IP addresses), and the procedures of security
policy translation, rather than the translation algorithm itself.
You can refer to my I2NSF I-D for Security Policy Translation:
https://datatracker.ietf.org/doc/html/draft-yang-i2nsf-security-policy-translation-10

If you have questions or comments, let me know.

Thanks.

Best Regards,
Paul

On Thu, Mar 31, 2022 at 2:10 AM Linda Dunbar <linda.dunbar@futurewei.com>
wrote:

> I2NSF Rechartering Proponents,
>
>
>
> I re-read all the emails exchanged about I2NSF Re-Chartering plus the
> discussion minutes at IETF113, and I concluded there are 2 key points:
>
>    - The proposed Rechartered work is too broad; the scope of work is too
>    wide.
>    - We don't have enough people and expertise to cover all the proposed
>    work.
>
>
>
> Therefore I would like to suggest prioritizing the work items based on
> available expertise, and choosing the highest 3~4 work items for the I2NSF
> rechartering.
>
>
>
> With the current available expertise among the I2NSF participants, we can
> confidently tackle the following work items. Therefore I think they should
> be high on the priority list of the rechartering.
>
>
>
>    - Work around the remote attestation of NSF in I2NSF architecture,
>    including the YANG Data Model.
>    - Add support for recently developed protocols such as QUIC and HTTP/3.
>    - Develop the YANG module of IPsec policies to functions embedded in
>    nodes running BGP.
>
>
>
> For the proposed work item of the Interface to the Data Analysis Entities,
> I am wondering if the work is similar to
> draft-ietf-i2nsf-nsf-monitoring-data-model?
>
>
>
> For the proposed work item of "controlling container deployments in Cloud
> Native NFV architecture", I am not sure how different the "Interface to
> NSF" is from the "Interface to Container".
>
>
>
> Can you please chime in to express your opinion?
>
>
>
> Thank you
>
> Linda
>
>
>
> *From:* I2nsf <i2nsf-bounces@ietf.org> *On Behalf Of * Mr. Jaehoon Paul
> Jeong
> *Sent:* Thursday, March 24, 2022 2:38 AM
> *To:* i2nsf@ietf.org
> *Cc:* Roman Danyliw <rdd@cert.org>; Panwei (William) <
> william.panwei@huawei.com>; Henk Birkholz <henk.birkholz@sit.fraunhofer.de>;
> tom petch <daedulus@btconnect.com>; yangpenglin <
> yangpenglin@chinamobile.com>; Susan Hares <shares@ndzh.com>; DIEGO LOPEZ
> GARCIA <diego.r.lopez@telefonica.com>
> *Subject:* [I2nsf] Request for Comments, Interest and Support in I2NSF
> Re-Chartering
>
>
>
> Hi I2NSF WG,
>
> As you know, our I2NSF WG will discuss the I2NSF Re-Chartering
>
> at IETF-113 I2NSF WG Session today.
>
>
>
> I attach the text of the re-chartering as pdf and txt files.
>
>
>
> Our five core I2NSF YANG data model drafts are almost completed.
>
>
> ------------------------------------------------------------------------------------
>
> 1. Capability YANG Data Model
>
> https://datatracker.ietf.org/doc/html/draft-ietf-i2nsf-capability-data-model-27
>
> 2. NSF-Facing Interface YANG Data Model
>
> https://datatracker.ietf.org/doc/html/draft-ietf-i2nsf-nsf-facing-interface-dm-22
>
> 3. Monitoring Interface YANG Data Model
>
> https://datatracker.ietf.org/doc/html/draft-ietf-i2nsf-nsf-monitoring-data-model-16
>
> 4. Consumer-Facing Interface YANG Data Model
>
> https://datatracker.ietf.org/doc/html/draft-ietf-i2nsf-consumer-facing-interface-dm-17
>
> 5. Registration Interface YANG Data Model
>
> https://datatracker.ietf.org/doc/html/draft-ietf-i2nsf-registration-interface-dm-15
>
>
> ------------------------------------------------------------------------------------
>
>
>
> Three of them (i.e., 1, 2, and 3) have received feedback from the IESG, and
>
> the revisions have been sent to the IESG reviewers.
>
>
>
> The remaining two (i.e., 4, 5) are well-synchronized with the others.
>
> I will present their updates at today's I2NSF WG session.
>
> I attach the slides for them for your easy checking.
>
>
>
> Our AD Roman has concerns about the low energy of our I2NSF WG for the new
>
> work items in the I2NSF Re-chartering.
>
>
>
> Could you speak up about your comments, interest, and support
> for our I2NSF Re-Chartering?
>
>
>
> See you online at IETF-113 I2NSF WG Session today.
>
>
>
> Thanks.
>
>
>
> Best Regards,
>
> Paul
> --
>
> ===========================
> Mr. Jaehoon (Paul) Jeong, Ph.D.
> Associate Professor
>
> Department Head
> Department of Computer Science and Engineering
> Sungkyunkwan University
> Office: +82-31-299-4957
> Email: pauljeong@skku.edu, jaehoon.paul@gmail.com
> Personal Homepage: http://iotlab.skku.edu/people-jaehoon-jeong.php
>
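The closed loop that Paul's message sketches (monitoring data from an NSF, diagnosis and a feedback report at the Analyzer, policy generation at the Security Controller, translation of the high-level policy into low-level NSF rules with group-to-IP population and default-action handling) is easier to reason about when the steps are laid out as code. The following toy is an added example written for this page; it is not code from any I2NSF draft, from the SKKU/ETRI hackathon projects, or from anyone in the thread. The record shapes, the group and service mappings, the brute-force heuristic and the feedback-report fields are all assumptions for illustration and are not the Monitoring Interface or Application Interface YANG data models.

```python
"""Added example (not from the I2NSF drafts or the thread's authors).

Toy closed-loop security management automation in the shape the thread
describes: NSF -> Analyzer (diagnosis, feedback report) -> Security
Controller (new high-level policy) -> translation into low-level NSF rules.
All data shapes, mappings and the detection heuristic are assumptions.
"""
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed translation information (assumption): Consumer-Facing policies
# name groups and services; an NSF needs addresses, ports and protocols.
GROUP_TO_IPS: Dict[str, List[str]] = {
    "employees": ["10.0.1.10", "10.0.1.11"],
    "guests": ["10.0.2.20"],
}
SERVICE_TO_PORT: Dict[str, Tuple[int, str]] = {"ssh": (22, "tcp"), "web": (80, "tcp")}
ANY = "0.0.0.0/0"


@dataclass(frozen=True)
class HighLevelPolicy:
    """Consumer-Facing style: groups and services, no addresses."""
    name: str
    source_group: str
    service: str
    action: str            # "allow" or "block"
    default_action: str    # applied to traffic the explicit rules miss


@dataclass(frozen=True)
class LowLevelRule:
    """NSF-Facing style: concrete match fields plus an action."""
    src: str
    dst_port: int
    protocol: str
    action: str


def translate(policy: HighLevelPolicy,
              group_map: Dict[str, List[str]] = GROUP_TO_IPS,
              service_map: Dict[str, Tuple[int, str]] = SERVICE_TO_PORT) -> List[LowLevelRule]:
    """Expand one high-level policy into ordered NSF rules.

    Population: every member IP of the group gets its own rule. Default
    action: emitted last as a catch-all so a first-match NSF applies the
    explicit rules before falling through. Names that are not populated
    fail loudly instead of silently yielding an empty (permissive) policy.
    """
    if policy.source_group not in group_map:
        raise KeyError(f"group not populated: {policy.source_group}")
    if policy.service not in service_map:
        raise KeyError(f"service not populated: {policy.service}")
    port, proto = service_map[policy.service]
    rules = [LowLevelRule(ip, port, proto, policy.action) for ip in group_map[policy.source_group]]
    rules.append(LowLevelRule(ANY, port, proto, policy.default_action))
    return rules


# Constructed monitoring records (NSF -> Analyzer), step 1 of the loop.
MONITORING_DATA: List[dict] = [
    {"src_ip": "10.0.2.20", "dst_port": 22, "protocol": "tcp", "event": "auth-failure"}
] * 6 + [
    {"src_ip": "10.0.1.10", "dst_port": 80, "protocol": "tcp", "event": "session-start"},
    {"src_ip": "10.0.1.11", "dst_port": 22, "protocol": "tcp", "event": "auth-failure"},
]


def analyze(records: List[dict], threshold: int = 5) -> List[dict]:
    """Steps 2-3: diagnose and build feedback reports.

    Toy heuristic (assumption): at least `threshold` authentication failures
    from one source to one port/protocol is reported as a brute-force attempt.
    The report carries the problem, not the raw monitoring data.
    """
    failures = Counter((r["src_ip"], r["dst_port"], r["protocol"])
                       for r in records if r["event"] == "auth-failure")
    return [{"problem": "brute-force", "attacker": ip, "dst_port": port,
             "protocol": proto, "count": n}
            for (ip, port, proto), n in failures.items() if n >= threshold]


def service_for(port: int, proto: str,
                service_map: Dict[str, Tuple[int, str]] = SERVICE_TO_PORT) -> Optional[str]:
    """Reverse lookup so the Controller can phrase a policy in service terms."""
    for name, (p, pr) in service_map.items():
        if (p, pr) == (port, proto):
            return name
    return None


def controller_generate(report: dict, group_map: Dict[str, List[str]],
                        service_map: Dict[str, Tuple[int, str]] = SERVICE_TO_PORT) -> HighLevelPolicy:
    """Step 5: interpret the feedback report and generate a new policy.

    The attacker is a lone address with no existing group, so the Controller
    populates a dedicated group for it (the same translation information that
    `translate` consumes) and blocks the attacked service, leaving the default
    as "allow" so unrelated traffic is untouched.
    """
    service = service_for(report["dst_port"], report["protocol"], service_map)
    if service is None:
        raise ValueError("report names a service the translator cannot populate")
    group = f"quarantine-{report['attacker']}"
    group_map[group] = [report["attacker"]]
    return HighLevelPolicy(name=f"block-{report['problem']}-{report['attacker']}",
                           source_group=group, service=service,
                           action="block", default_action="allow")


def run_loop(records: List[dict], group_map: Dict[str, List[str]]) -> List[LowLevelRule]:
    """Steps 1-6 end to end: the rules that would be delivered to the NSF."""
    rules: List[LowLevelRule] = []
    for report in analyze(records):                        # steps 2-4
        policy = controller_generate(report, group_map)    # step 5
        rules.extend(translate(policy, group_map))         # step 6
    return rules


if __name__ == "__main__":
    for rule in run_loop(MONITORING_DATA, dict(GROUP_TO_IPS)):
        print(rule)
```

Two details matter more than the toy heuristic. First, the default-action rule must be emitted after the explicit rules, or a first-match NSF will never reach them; that ordering is part of what a translation guideline has to pin down. Second, the Controller changes the translation information (it adds a group) before translating, which is why the "population of information" item in the 3rd work item and the feedback loop in the 1st and 2nd cannot be specified independently of each other.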