IETF Logo Mail Archive

[I2nsf] Requests for Comments on I2NSF WG Re-chartering Text

"Mr. Jaehoon Paul Jeong" <jaehoon.paul@gmail.com> Thu, 10 December 2020 02:16 UTC

Return-Path: <jaehoon.paul@gmail.com>
X-Original-To: i2nsf@ietfa.amsl.com
Delivered-To: i2nsf@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 9CA433A0475 for <i2nsf@ietfa.amsl.com>; Wed, 9 Dec 2020 18:16:54 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.088
X-Spam-Level:
X-Spam-Status: No, score=-0.088 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_HK_NAME_FM_MR_MRS=0.01, URIBL_BLOCKED=0.001, URI_DOTEDU=1.999] autolearn=no autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id LThVgyaFQWBI for <i2nsf@ietfa.amsl.com>; Wed, 9 Dec 2020 18:16:52 -0800 (PST)
Received: from mail-lf1-x12c.google.com (mail-lf1-x12c.google.com [IPv6:2a00:1450:4864:20::12c]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 243293A044E for <i2nsf@ietf.org>; Wed, 9 Dec 2020 18:16:52 -0800 (PST)
Received: by mail-lf1-x12c.google.com with SMTP id y19so5933030lfa.13 for <i2nsf@ietf.org>; Wed, 09 Dec 2020 18:16:51 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:from:date:message-id:subject:to:cc; bh=5+n1j9ibgYmVhId4fbHm6i6A/yfsBvIO5lkGdAVrLkM=; b=DC7oTnqce/DeN+KSSzhBxmpqkntOgLNWlDEYIV6rqjvqPU14lXxViN0h8fOijt2jOf IM0SYiRTO7EO2W+CRWtYUM/PYtYWhPNioFg5wcvPVtD2k1NsjPHgigIDWu6eO9AVn1rs 20j0y0OVEYeUqiknMl/EFYC519acciOqvLkuD/cq5n9ijXRpTviNi6yxekKhbRFgIKcX Wn6WcRRlbOvPL2lrV8dxuh9airtP4xZptzn0EXlIZDAGH2UGsybUXyy5cOaCHds3SFEl k5/W5ywg61/nt1XfgzafapFXiSlSLf3FfJWGFOFdcXc8ZTKOkM3MBjf72kdfwqriTP/z 2VIg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:from:date:message-id:subject:to:cc; bh=5+n1j9ibgYmVhId4fbHm6i6A/yfsBvIO5lkGdAVrLkM=; b=MkSqFIMYinAXL7DYx7o5ad3d3PdDeuFYNkHXWBYizQwUcNkl3x1TB4YoIy8JGMrZ0/ kBz2BwJ0APX75xj6BT/vexrW4DZpTpQCtCJ7in0mbksyxsj0V6mAoU7ggPW88OF05VFd MniPnTVkcSWh9M/QUPsxvuedd0CSANUH83P1YPepok8/ESnYS76znkZf1msxJ/X4mda5 Uaeo81hT+c4j1X+R4KmdV45Tva17zQKLuLXApXH6LKfYmdqxKi8znfZNn1q9IOFYza9e HfkxYCGuYiGnGEJxw3kqkCudn7XY/Q9tnxhAUZiqtIn6Cm+JMUmd9yMO/x7pv6qi6Um0 0aAQ==
X-Gm-Message-State: AOAM531+2uudBQlbpk/78+Af6uP6U3F2ZxcQDZpN/s3IsOFy0GIpX2ge cLY4IQIajlrg0gUq+IWTU5Ul4apFxGc0JxSV/TAPVfjQZds=
X-Google-Smtp-Source: ABdhPJycs0E1wpC4mkJZy1/sbNuKd2lF48lpacFHXt126xL+fR+6pJxHaecEwwv+h/E23COEbkHgTDFwOLqWaM2vMUE=
X-Received: by 2002:a05:6512:210c:: with SMTP id q12mr1789671lfr.601.1607566609969; Wed, 09 Dec 2020 18:16:49 -0800 (PST)
MIME-Version: 1.0
From: "Mr. Jaehoon Paul Jeong" <jaehoon.paul@gmail.com>
Date: Thu, 10 Dec 2020 11:16:14 +0900
Message-ID: <CAPK2DezSjGQxCTm+ZzLPT5bD62N8+=_vEurZLVmyQqP+q-6eKA@mail.gmail.com>
To: "i2nsf@ietf.org" <i2nsf@ietf.org>
Cc: Roman Danyliw <rdd@cert.org>, Linda Dunbar <linda.dunbar@futurewei.com>, Yoav Nir <ynir.ietf@gmail.com>, skku-iotlab-members <skku-iotlab-members@googlegroups.com>, "Mr. Jaehoon Paul Jeong" <jaehoon.paul@gmail.com>
Content-Type: multipart/alternative; boundary="000000000000bd77e005b612c442"
Archived-At: <https://mailarchive.ietf.org/arch/msg/i2nsf/emK5lGoG2PdBwMoVMB2ewlgYyTI>
Subject: [I2nsf] Requests for Comments on I2NSF WG Re-chartering Text
X-BeenThere: i2nsf@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "*I2NSF: Interface to Network Security Functions mailing list*" <i2nsf.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/i2nsf>, <mailto:i2nsf-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/i2nsf/>
List-Post: <mailto:i2nsf@ietf.org>
List-Help: <mailto:i2nsf-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/i2nsf>, <mailto:i2nsf-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 10 Dec 2020 02:16:55 -0000

Hi I2NSF WG,
I2NSF WG chairs (Linda and Yoav) and members including Susan, Diego, and me
had an online meeting for I2NSF WG Re-chartering Text on December 3, 2020.

Could you read the following text and give us your comments on it?

-------------------------------------------------------------------------------------------------------------------------------
<I2NSF WG Re-chartering Text>

Interface to Network Security Functions (I2NSF) provides security function
vendors, users, and
operators with a standard framework and interfaces for cloud-based security
services. I2NSF
enables the enforcement of a high-level security policy, which is expressed
according to a user's
perspective of the target network. This security policy enforcement in
I2NSF is a data-driven
approach using NETCONF/YANG or RESTCONF/YANG, where a security policy is
constructed
based on a YANG data model.

The I2NSF framework consists of four components such as I2NSF User,
Security Controller,
Network Security Function (NSF), and Developer's Management System (DMS).
The I2NSF
User specifies a high-level security policy for a target network. The
Security Controller is aware
of the capabilities of the attached NSFs, using them to build the security
service(s) satisfying
the policy expressed by the I2NSF User. An NSF provides a set of specific
security capabilities
(e.g., firewalling, web filtering, packet inspection, and DDoS-attack
mitigation), applying security
policy rules. The DMS registers the capabilities of an NSF with the
Security Controller.

The I2NSF framework has four interfaces such as Consumer-Facing Interface,
NSF-Facing
Interface, Registration Interface, and Monitoring Interface.
Consumer-Facing Interface is used
to deliver high-level security policies from the I2NSF User to the Security
Controller. NSF-Facing
Interface is used to deliver low-level security policies from the Security
Controller to an NSF.
The Registration Interface is used to register the capabilities of an NSF
with the Security
Controller. The Monitoring Interface is used to collect monitoring data
from an NSF.

The goal of I2NSF is to define a set of software interfaces and data models
of such interfaces
for configuring, maintaining, and monitoring NSFs in cloud environments,
including NFV and
edge deployments. For security management automation in an autonomous
security system,
I2NSF needs to have a feedback control loop consisting of security policy
configuration in an
NSF, monitoring for an NSF, data analysis for NSF monitoring data, feedback
delivery, and
security policy augmentation/generation. For this security management
automation, the I2NSF
framework requires a new component to collect NSF monitoring data and
analyze them, which
is called I2NSF Analyzer. Also, the I2NSF framework needs a new interface
to deliver feedback
messages for security policy adjustment from I2NSF Analyzer to Security
Controller. A proper
translation of the planned actions onto NSF capabilities requires a
well-defined model for
representing these actions.

I2NSF is vulnerable to inside and supply chain attacks since it trusts NSF
capability declarations
as provided by DMS, assuming that NSFs work appropriately in all
circumstances, as well as
I2NSF User’s policy declarations and the actions of the Security
Controller. The registration of
NSF capabilities, the declaration of a security policy from either the
I2NSF User or its
enforcement by the Security Controller, and the monitoring data from an NSF
are assumed to be
genuine and non-malicious. If one of such activities is malicious, the
security system based on
I2NSF may collapse. To prevent this malicious activity from happening in
the I2NSF framework
or detect the root of a security attack, all the activities in the I2NSF
framework should be logged
in either a centralized or decentralized (e.g., blockchain) way. Also, the
provenance and status
of the I2NSF components (i.e., I2NSF User, Security Controller, NSF, DMS,
and I2NSF Analyzer)
need to be verified by remote attestation, leveraging the current results
mostly focused on IT
environments.

Finally, the current YANG data models for the I2NSF interfaces are designed
on the basis of NSFs
implemented as virtual machines, and therefore they need to be redesigned
for the case where
I2NSF components are instantiated by containers.

The I2NSF working group's deliverables include:

o A single document for an extension of I2NSF framework for security
management automation.
This document will initially be produced for reference as a living list to
track and record discussions:
the working group may decide to not publish this document as an RFC.
o A YANG data model document for I2NSF Application Interface to deliver
feedback from I2NSF
Analyzer to Security Controller.
o A single document for applicability and use cases in I2NSF-based security
management
automation.
o A single document for a framework for security policy translation to
support the mapping
between a high-level YANG module and a low-level YANG module: the working
group may decide
to not publish this document as an RFC. This document will apply the
recommendations under
discussion in NETMOD and OPSAWG on event modeling.
o A single document for remote attestation for I2NSF components, based on
the work of the
RATS WG.
o A single document for I2NSF on container deployments in a cloud native
NFV architecture.

--------------
Milestones

o July 2022: Adopt applicability and use cases in I2NSF-based security
management automation
as WG document
o March 2022: Adopt I2NSF on container deployments in a cloud native NFV
architecture as WG
document
o November 2021: Adopt a framework for security policy translation as WG
document
o July 2021: Adopt remote attestation for I2NSF components as WG document
o July 2021: Adopt a YANG data model for I2NSF Application Interface as WG
document
o March 2021: Adopt an extension of I2NSF framework for security management
automation as
WG document
-------------------------------------------------------------------------------------------------------------------------------

After submitting all the I2NSF YANG data model drafts, we will be able to
work on
the I2NSF WG re-chartering in earnest.

Thanks.

Best Regards,
Paul
-- 
===========================
Mr. Jaehoon (Paul) Jeong, Ph.D.
Associate Professor
Department of Computer Science and Engineering
Sungkyunkwan University
Office: +82-31-299-4957
Email: jaehoon.paul@gmail.com, pauljeong@skku.edu
Personal Homepage: http://iotlab.skku.edu/people-jaehoon-jeong.php
<http://cpslab.skku.edu/people-jaehoon-jeong.php>

v2.23.0 | Report a Bug | By Email