Re: [I2nsf] Request for Comments on I2NSF Security Policy Translation

"Mr. Jaehoon Paul Jeong" <jaehoon.paul@gmail.com> Fri, 03 August 2018 07:49 UTC

In-Reply-To: <CAPK2Dex+tLq9pEUaN1HS6Tajvv+hcHpNDSbFoUweS=jR88cUPA@mail.gmail.com>
References: <CAPK2DewpB-ZJkD6THFAJOqZCa86kfW52m5xSg5iEbASf1WqPWA@mail.gmail.com> <E4E2E6B7-9935-450D-B6F9-B32ABCA5159A@telefonica.com> <C02846B1344F344EB4FAA6FA7AF481F12BE72DF2@DGGEML522-MBX.china.huawei.com> <CAPK2Dex+tLq9pEUaN1HS6Tajvv+hcHpNDSbFoUweS=jR88cUPA@mail.gmail.com>
From: "Mr. Jaehoon Paul Jeong" <jaehoon.paul@gmail.com>
Date: Fri, 03 Aug 2018 16:49:16 +0900
Message-ID: <CAPK2Deyde=P-4VLLPJOW1xq3WkkBw+rsAeqZ8Vhv3vB1hy9nBA@mail.gmail.com>
To: "i2nsf@ietf.org" <i2nsf@ietf.org>
Cc: DIEGO LOPEZ GARCIA <diego.r.lopez@telefonica.com>, "Xialiang (Frank)" <frank.xialiang@huawei.com>, Jinhyuk Yang <jin.hyuk@skku.edu>, SecCurator_Team <skku_secu-brain_all@googlegroups.com>, "Mr. Jaehoon Paul Jeong" <jaehoon.paul@gmail.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/i2nsf/J83RspkBWo8-L2GN-47On5WAZFY>
Subject: Re: [I2nsf] Request for Comments on I2NSF Security Policy Translation

Hi I2NSF WG,
I found a relevant RFC for implementation guidelines from CORE WG as below:

Guidelines for Mapping Implementations: HTTP to the Constrained Application
Protocol (CoAP)
https://tools.ietf.org/html/rfc8075

This RFC is a Proposed Standard RFC.

In our security policy translation draft, we can focus on the mapping from
high-level security policy into low-level security policy
along with the architecture of an exemplary translator.

Thanks.

Paul

On Mon, Jul 23, 2018 at 11:45 AM, Mr. Jaehoon Paul Jeong <
jaehoon.paul@gmail.com> wrote:

> Hi Frank,
> As you know, open source is dominant these days.
> If IETF sticks to a general specification,
> its position will get narrower and narrower in the future.
>
> To make I2NSF easily usable in the world, I believe the implementation
> guidelines for the security policy translation are important and useful.
> IMHO, without these guidelines, but with data models, I2NSF will not be
> hard to be accepted.
>
> As far as I understand, the I2NSF Applicability draft should focus on how to
> leverage I2NSF with other important aspects (e.g., SDN, SFC, and NFV) for
> the deployment of I2NSF rather than the detailed specification of I2NSF
> components, such as the security policy translator.
>
> Other I2NSF people,
> Let us know your opinions.
>
> After collecting opinions and reaching consensus, let's move forward.
>
> Thanks.
>
> Paul
>
> On Sun, Jul 22, 2018 at 9:09 PM, Xialiang (Frank, Network Integration Technology
> Research Dept) <frank.xialiang@huawei.com> wrote:
>
>> Hi,
>>
>> I share the same concern as Diego. Although it's a good example of how
>> to translate the YANG models, it's just one of the possible system
>> implementations, and thus not suitable to be a specification.
>>
>> My suggestion is that you consider including its key contents in the
>> I2NSF applicability draft.
>>
>> B.R.
>>
>> Frank
>>
>> *From:* I2nsf [mailto:i2nsf-bounces@ietf.org] *On Behalf Of* Diego R. Lopez
>> *Sent:* 21 July 2018 23:39
>> *To:* Mr. Jaehoon Paul Jeong <jaehoon.paul@gmail.com>; i2nsf@ietf.org
>> *Cc:* SecCurator_Team <skku_secu-brain_all@googlegroups.com>
>> *Subject:* Re: [I2nsf] Request for Comments on I2NSF Security Policy
>> Translation
>>
>> Hi Paul,
>>
>> This is a rather interesting draft and I'd encourage you to continue and
>> report your work in policy translation, as it constitutes one of the
>> essential matters the I2NSF Controller has to deal with.
>>
>> But I am afraid I don't see this document progressing in the standards
>> track (even as an experimental one), as the particular techniques for
>> implementing the translation do not seem a proper subject for
>> standardization. The only place I could see room for it would be as part
>> of the applicability draft, and I am not sure about it... What do others
>> think?
>>
>> Be goode,
>>
>> --
>>
>> "This time we will not fail, Doctor Infierno"
>>
>> Dr Diego R. Lopez
>> Telefonica I+D
>> https://www.linkedin.com/in/dr2lopez/
>>
>> e-mail: diego.r.lopez@telefonica.com
>> Tel:         +34 913 129 041
>> Mobile:  +34 682 051 091
>>
>> ----------------------------------
>>
>>
>>
>> On 21/07/2018, 12:01, "I2nsf on behalf of Mr. Jaehoon Paul Jeong" <
>> i2nsf-bounces@ietf.org on behalf of jaehoon.paul@gmail.com> wrote:
>>
>>
>> Hi I2NSF WG,
>>
>> I would like to introduce our draft on I2NSF Security Policy Translation:
>>
>> - Draft
>>   https://tools.ietf.org/html/draft-yang-i2nsf-security-policy-translation-01
>>
>> - Slides
>>   https://datatracker.ietf.org/meeting/102/materials/slides-102-i2nsf-security-policy-translation-00
>>
>> This draft gives I2NSF developers the guidelines for the design and
>> implementation of the I2NSF Security Controller.
>> One important functionality of the Security Controller is to
>> automatically translate an I2NSF User's high-level policy to a
>> low-level policy for NSFs.
>>
>> In our past I2NSF Hackathon projects, we made an XSLT-stylesheet-based
>> translator. But this translator has two limitations: static
>> capability-and-NSF mapping construction and inefficient maintenance of
>> such a mapping.
>>
>> The first limitation is the difficult high-level policy construction.
>> With the XSLT-stylesheet approach, the I2NSF User MUST manually select
>> target NSFs to execute the required security capabilities.
>> This means that the I2NSF User needs to know each NSF's capabilities, so
>> it is difficult for the I2NSF User to construct a high-level security
>> policy without detailed knowledge of NSFs.
>>
>> The second limitation is inefficient maintenance of the policy
>> translator. If the data models on the I2NSF NSF-facing Interface require
>> some updates, the XSLT stylesheet and XML files need to be updated.
>> On the other hand, our new approach provides the I2NSF User with
>> efficient maintenance.
>>
>> To solve these two limitations, our draft proposes an automata-based
>> policy translator. This translator consists of three components:
>> Extractor, Data Converter, and Generator.
>>
>> First, when a high-level policy is delivered from the I2NSF User to the
>> Security Controller, the Translator extracts data about the policy at
>> the Extractor, and then converts it at the Data Converter for the
>> NSF(s). Also, the Data Converter can select proper NSFs automatically.
>> Finally, the Generator generates low-level policies for the target NSFs
>> based on the data from the Data Converter.
>>
>> I believe that this draft is valuable for I2NSF WG adoption
>> to facilitate the development and deployment of I2NSF in the real world.
>>
>> Please read this draft and give our authors your valuable comments.
>> We aim to make this proposal an Informational RFC.
>>
>> Thanks.
>>
>> Best Regards,
>> Paul & Jinhyuk
>>
>> --
>>
>> ===========================
>> Mr. Jaehoon (Paul) Jeong, Ph.D.
>> Assistant Professor
>> Department of Software
>> Sungkyunkwan University
>> Office: +82-31-299-4957
>> Email: jaehoon.paul@gmail.com, pauljeong@skku.edu
>> Personal Homepage: http://iotlab.skku.edu/people-jaehoon-jeong.php
>> <http://cpslab.skku.edu/people-jaehoon-jeong.php>
>>
>> ------------------------------
>>
>> The information contained in this transmission is privileged and
>> confidential information intended only for the use of the individual or
>> entity named above. If the reader of this message is not the intended
>> recipient, you are hereby notified that any dissemination, distribution or
>> copying of this communication is strictly prohibited. If you have received
>> this transmission in error, do not read it. Please immediately reply to the
>> sender that you have received this communication in error and then delete
>> it.
>>
>


-- 
===========================
Mr. Jaehoon (Paul) Jeong, Ph.D.
Assistant Professor
Department of Software
Sungkyunkwan University
Office: +82-31-299-4957
Email: jaehoon.paul@gmail.com, pauljeong@skku.edu
Personal Homepage: http://iotlab.skku.edu/people-jaehoon-jeong.php
<http://cpslab.skku.edu/people-jaehoon-jeong.php>
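The quoted announcement describes a three-stage translator (Extractor, Data Converter, Generator) whose Data Converter picks target NSFs from their announced capabilities instead of making the user name them. The following Python sketch is an added illustration of that pipeline written for this page; it is not code from the security-policy-translation draft, from the hackathon XSLT translator, or from any I2NSF project. The high-level field names, the capability names, the NSF registry entries and the low-level rule layout are all constructed assumptions; real I2NSF interfaces carry YANG-modelled data, which is replaced here by plain dictionaries.

```python
"""Toy automata-style policy translator: Extractor -> Data Converter -> Generator.

Added illustration for this page; not the draft's code and not the hackathon
XSLT translator. Every field name, capability name and NSF entry below is
constructed for the example.
"""
from dataclasses import dataclass

# Constructed capability registry, standing in for what NSFs would announce to
# the Security Controller. It is data, so adding or changing an NSF does not
# touch the translator code (the maintenance point raised in the mail).
NSF_REGISTRY: dict[str, frozenset[str]] = {
    "firewall-1":   frozenset({"src-ip", "dst-ip", "dst-port", "drop", "pass"}),
    "url-filter-1": frozenset({"src-ip", "url", "drop", "pass"}),
    "dpi-1":        frozenset({"src-ip", "payload-pattern", "drop"}),
}

# Constructed mapping from high-level policy fields to the capability each needs.
FIELD_CAPABILITY = {"src": "src-ip", "dst": "dst-ip", "dst_port": "dst-port", "url": "url"}
ACTION_CAPABILITY = {"block": "drop", "allow": "pass"}


@dataclass(frozen=True)
class ExtractedPolicy:
    name: str
    conditions: dict      # high-level field -> value
    action: str           # "block" | "allow"


@dataclass(frozen=True)
class ConvertedPolicy:
    name: str
    match: dict           # capability -> value, in NSF vocabulary
    action: str           # NSF action capability ("drop" | "pass")
    target_nsfs: tuple    # NSFs able to enforce the whole rule


def register_nsf(name: str, capabilities: set[str]) -> None:
    """Add or update an NSF in the registry: a data change, not a code change."""
    NSF_REGISTRY[name] = frozenset(capabilities)


def extract(policy: dict) -> ExtractedPolicy:
    """Extractor: pull name, condition fields and action out of the high-level
    policy, rejecting anything the translator does not understand."""
    unknown = set(policy) - {"name", "action"} - set(FIELD_CAPABILITY)
    if unknown:
        raise ValueError(f"unknown high-level fields: {sorted(unknown)}")
    if policy.get("action") not in ACTION_CAPABILITY:
        raise ValueError("policy needs an action of 'block' or 'allow'")
    conditions = {k: v for k, v in policy.items() if k in FIELD_CAPABILITY}
    if not conditions:
        raise ValueError("policy needs at least one condition")
    return ExtractedPolicy(policy.get("name", "unnamed"), conditions, policy["action"])


def convert(ext: ExtractedPolicy) -> ConvertedPolicy:
    """Data Converter: rewrite conditions into capability terms and select every
    registered NSF whose capabilities cover the whole rule. The user never names
    an NSF, which removes the first limitation described in the mail."""
    match = {FIELD_CAPABILITY[f]: v for f, v in ext.conditions.items()}
    action = ACTION_CAPABILITY[ext.action]
    required = set(match) | {action}
    targets = tuple(sorted(n for n, caps in NSF_REGISTRY.items() if required <= caps))
    if not targets:
        raise LookupError(f"no registered NSF provides {sorted(required)}")
    return ConvertedPolicy(ext.name, match, action, targets)


def generate(conv: ConvertedPolicy) -> list[dict]:
    """Generator: emit one low-level rule per selected NSF. The rule layout is a
    constructed stand-in for an NSF-facing data model instance."""
    return [
        {"nsf": nsf, "rule-name": conv.name, "match": dict(conv.match), "action": conv.action}
        for nsf in conv.target_nsfs
    ]


def translate(policy: dict) -> list[dict]:
    """Run the three stages in order, as the Security Controller would."""
    return generate(convert(extract(policy)))


if __name__ == "__main__":
    # Constructed high-level policy: block FTP from the guest subnet.
    for rule in translate({"name": "no-ftp-from-guest", "src": "10.0.5.0/24",
                           "dst_port": 21, "action": "block"}):
        print(rule)
```

A policy that no registered NSF can enforce is refused at the Data Converter rather than silently half-applied, and registering a new NSF with a wider capability set makes the same policy translatable without editing the translator, which is the maintenance property the announcement contrasts with the stylesheet approach.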