Re: [I2nsf] Request for Comments on I2NSF Security Policy Translation
"Mr. Jaehoon Paul Jeong" <jaehoon.paul@gmail.com> Fri, 03 August 2018 07:49 UTC
From: "Mr. Jaehoon Paul Jeong" <jaehoon.paul@gmail.com>
Date: Fri, 03 Aug 2018 16:49:16 +0900
Message-ID: <CAPK2Deyde=P-4VLLPJOW1xq3WkkBw+rsAeqZ8Vhv3vB1hy9nBA@mail.gmail.com>
To: "i2nsf@ietf.org" <i2nsf@ietf.org>
Cc: DIEGO LOPEZ GARCIA <diego.r.lopez@telefonica.com>, "Xialiang (Frank)" <frank.xialiang@huawei.com>, Jinhyuk Yang <jin.hyuk@skku.edu>, SecCurator_Team <skku_secu-brain_all@googlegroups.com>, "Mr. Jaehoon Paul Jeong" <jaehoon.paul@gmail.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/i2nsf/J83RspkBWo8-L2GN-47On5WAZFY>
Subject: Re: [I2nsf] Request for Comments on I2NSF Security Policy Translation

Hi I2NSF WG,

I found a relevant RFC for implementation guidelines from CORE WG as below:

Guidelines for Mapping Implementations: HTTP to the Constrained Application Protocol (CoAP)
https://tools.ietf.org/html/rfc8075

This RFC is a Proposed Standard RFC.

In our security policy translation draft, we can focus on the mapping from high-level security policy into low-level security policy along with the architecture of an exemplary translator.

Thanks.

Paul

On Mon, Jul 23, 2018 at 11:45 AM, Mr. Jaehoon Paul Jeong <jaehoon.paul@gmail.com> wrote:

> Hi Frank,
> As you know, the open source is dominant these days.
> If IETF sticks to a general specification,
> its position will get narrower and narrower in future.
>
> To make I2NSF easily be used in the world, I believe the implementation
> guidelines of the security policy translation are important and useful.
> IMHO, without these guidelines, but with data models, I2NSF will not be
> hard to be accepted.
>
> As long as I understand, I2NSF Applicability draft should focus on how to
> leverage I2NSF with other important aspects (e.g., SDN, SFC, and NFV) for
> the deployment of I2NSF rather than the detailed specification of I2NSF
> components, such as security policy translator.
>
> I2NSF other people,
> Let us know your opinions.
>
> After collecting opinions and making consensus, let's move forward.
>
> Thanks.
>
> Paul
>
> On Sun, Jul 22, 2018 at 9:09 PM, Xialiang (Frank, Network Integration Technology
> Research Dept) <frank.xialiang@huawei.com> wrote:
>
>> Hi,
>>
>> I share the same concern with Diego. Although it’s a good example of how
>> to translate the YANG models, but it’s just one of the possible system
>> implementations, thus not suitable to be a specification.
>>
>> My suggestion is you can consider to include its key contents into the
>> I2NSF applicability draft.
>>
>> B.R.
>>
>> Frank
>>
>> *From:* I2nsf [mailto:i2nsf-bounces@ietf.org] *On Behalf Of* Diego R. Lopez
>> *Sent:* July 21, 2018 23:39
>> *To:* Mr. Jaehoon Paul Jeong <jaehoon.paul@gmail.com>; i2nsf@ietf.org
>> *Cc:* SecCurator_Team <skku_secu-brain_all@googlegroups.com>
>> *Subject:* Re: [I2nsf] Request for Comments on I2NSF Security Policy Translation
>>
>> Hi Paul,
>>
>> This is a rather interesting draft and I’d encourage you to continue and
>> report your work in policy translation, as it constitutes one of the
>> essential matters the I2NSF Controller has to deal with.
>>
>> But I am afraid I don’t see this document progressing in the standards
>> track (even as an experimental one), as the particular techniques for
>> implementing the translation do not seem a proper subject for
>> standardization. The only place I could see room for it in would be as part
>> of the applicability draft, and I am not sure about it… What do others
>> think?
>>
>> Be goode,
>>
>> --
>> "This time we will not fail, Doctor Infierno"
>>
>> Dr Diego R. Lopez
>> Telefonica I+D
>> https://www.linkedin.com/in/dr2lopez/
>>
>> e-mail: diego.r.lopez@telefonica.com
>> Tel: +34 913 129 041
>> Mobile: +34 682 051 091
>> ----------------------------------
>>
>> On 21/07/2018, 12:01, "I2nsf on behalf of Mr. Jaehoon Paul Jeong"
>> <i2nsf-bounces@ietf.org on behalf of jaehoon.paul@gmail.com> wrote:
>>
>> Hi I2NSF WG,
>>
>> I would like to introduce our draft on I2NSF Security Policy Translation:
>>
>> - Draft
>>   https://tools.ietf.org/html/draft-yang-i2nsf-security-policy-translation-01
>>
>> - Slides
>>   https://datatracker.ietf.org/meeting/102/materials/slides-102-i2nsf-security-policy-translation-00
>>
>> This draft gives I2NSF developers the guidelines for the design and implementation
>> of I2NSF Security Controller.
>> One important functionality of the Security Controller is to automatically translate
>> an I2NSF User's high-level policy to a low-level policy for NSFs.
>>
>> In the past of our I2NSF Hackathon projects, we made an XSLT-stylesheet-based translator.
>> But this translator has two limitations, such as static capability-and-NSF mapping construction
>> and inefficient maintenance on such a mapping.
>>
>> The first limitation is the difficult high-level policy construction.
>> By the XSLT-stylesheet approach, I2NSF User MUST manually select target NSFs to execute
>> the required security capabilities.
>> This means that I2NSF User needs to know each NSF's capabilities, so it is difficult for
>> I2NSF User to construct a high-level security policy without the detailed knowledge on NSFs.
>>
>> The second limitation is an inefficient maintenance on the policy translator.
>> If the data models on I2NSF NSF-facing Interface require some updates,
>> the XSLT stylesheet and XML files need to be updated.
>> On the other hand, our new approach provides I2NSF User with an efficient
>> maintenance.
>>
>> To solve these two limitations, our draft proposes an automata-based policy translator.
>> This translator consists of three components, such as Extractor, Data Converter, and Generator.
>>
>> First, when a high-level policy is delivered from I2NSF User to Security Controller,
>> Translator extracts data about the policy at Extractor, and then converts it at Data Converter
>> for NSF(s). Also, Data Converter can select proper NSFs automatically.
>> Finally, Generator generates low-level policies of target NSFs based on the data from Data Converter.
>>
>> I believe that this draft is valuable for I2NSF WG adoption
>> to facilitate the development and deployment of I2NSF in the real world.
>>
>> Please read this draft and give our authors your valuable comments.
>> We aim at making this proposal as an Informational RFC.
>>
>> Thanks.
>>
>> Best Regards,
>> Paul & Jinhyuk
>>
>> --
>> ===========================
>> Mr. Jaehoon (Paul) Jeong, Ph.D.
>> Assistant Professor
>> Department of Software
>> Sungkyunkwan University
>> Office: +82-31-299-4957
>> Email: jaehoon.paul@gmail.com, pauljeong@skku.edu
>> Personal Homepage: http://iotlab.skku.edu/people-jaehoon-jeong.php
>> <http://cpslab.skku.edu/people-jaehoon-jeong.php>

--
===========================
Mr. Jaehoon (Paul) Jeong, Ph.D.
Assistant Professor
Department of Software
Sungkyunkwan University
Office: +82-31-299-4957
Email: jaehoon.paul@gmail.com, pauljeong@skku.edu
Personal Homepage: http://iotlab.skku.edu/people-jaehoon-jeong.php
<http://cpslab.skku.edu/people-jaehoon-jeong.php>
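
The three-stage pipeline described in the quoted introduction (Extractor, Data Converter, Generator), sketched as an added example that is not code from the draft or its authors. The policy fields, the endpoint and capability tables, the NSF names and the output format are all constructed for illustration, and a plain XML walk stands in for the draft's automata-based extraction.

```python
import xml.etree.ElementTree as ET
# Constructed high-level policy: the user states intent and names no NSF.
HIGH_LEVEL = """<policy name="block_sns_for_staff">
  <source>staff</source><destination>sns-sites</destination>
  <time start="09:00" end="18:00"/><action>block</action>
</policy>"""

# Hypothetical controller tables (assumptions, not taken from the draft).
ENDPOINTS = {"staff": ["10.0.1.0/24"], "sns-sites": ["sns.example.com"]}
NSF_CAPABILITIES = {"firewall-1": {"ipv4-source", "time-range"},
                    "web-filter-1": {"url-match"}}

def extract(xml_text):
    """Extractor: pull the policy fields out of the high-level document."""
    root = ET.fromstring(xml_text)
    t = root.find("time")
    return {"name": root.get("name"), "src": root.findtext("source"),
            "dst": root.findtext("destination"), "action": root.findtext("action"),
            "time": [t.get("start"), t.get("end")]}

def convert(fields):
    """Data Converter: resolve names to values and select NSFs by capability."""
    for key in ("src", "dst"):
        if fields[key] not in ENDPOINTS:  # fail closed on unknown groups
            raise KeyError(f"unknown endpoint group: {fields[key]}")
    needed = {"ipv4-source": ENDPOINTS[fields["src"]],
              "time-range": fields["time"],
              "url-match": ENDPOINTS[fields["dst"]]}
    plan = {}
    for cap, values in needed.items():
        owners = sorted(n for n, caps in NSF_CAPABILITIES.items() if cap in caps)
        if not owners:  # never silently drop part of a policy
            raise LookupError(f"no NSF provides capability {cap}")
        plan.setdefault(owners[0], {})[cap] = values
    return fields["name"], fields["action"], plan

def generate(name, action, plan):
    """Generator: emit one low-level rule document per selected NSF."""
    out = {}
    for nsf, conds in plan.items():
        rule = ET.Element("rule", name=name, nsf=nsf)
        for cap, values in conds.items():
            ET.SubElement(rule, "condition", capability=cap).text = ",".join(values)
        # Unknown actions raise KeyError instead of defaulting to "pass".
        ET.SubElement(rule, "action").text = {"block": "drop", "allow": "pass"}[action]
        out[nsf] = ET.tostring(rule, encoding="unicode")
    return out

def translate(xml_text):
    return generate(*convert(extract(xml_text)))
```

Because NSF selection happens in `convert` from the capability table, registering a new NSF changes only that table, whereas the XSLT approach described above required the user to name target NSFs in the policy itself.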