Re: [I2nsf] Request for Comments on I2NSF Security Policy Translation

Linda Dunbar <linda.dunbar@huawei.com> Thu, 09 August 2018 20:05 UTC

From: Linda Dunbar <linda.dunbar@huawei.com>
To: "Mr. Jaehoon Paul Jeong" <jaehoon.paul@gmail.com>
CC: DIEGO LOPEZ GARCIA <diego.r.lopez@telefonica.com>, Jinhyuk Yang <jin.hyuk@skku.edu>, "i2nsf@ietf.org" <i2nsf@ietf.org>, SecCurator_Team <skku_secu-brain_all@googlegroups.com>, "Xialiang (Frank, Network Integration Technology Research Dept)" <frank.xialiang@huawei.com>
Date: Thu, 09 Aug 2018 20:05:11 +0000
Message-ID: <4A95BA014132FF49AE685FAB4B9F17F66B0DA3E3@sjceml521-mbx.china.huawei.com>
References: <CAPK2DewpB-ZJkD6THFAJOqZCa86kfW52m5xSg5iEbASf1WqPWA@mail.gmail.com> <E4E2E6B7-9935-450D-B6F9-B32ABCA5159A@telefonica.com> <C02846B1344F344EB4FAA6FA7AF481F12BE72DF2@DGGEML522-MBX.china.huawei.com> <CAPK2Dex+tLq9pEUaN1HS6Tajvv+hcHpNDSbFoUweS=jR88cUPA@mail.gmail.com> <CAPK2Deyde=P-4VLLPJOW1xq3WkkBw+rsAeqZ8Vhv3vB1hy9nBA@mail.gmail.com> <4A95BA014132FF49AE685FAB4B9F17F66B0D96EB@sjceml521-mbx.china.huawei.com> <CAPK2Deyz64GPdxytnN=ZGcL2P=E4wjyTqC1ZUMacaWuOubRs=Q@mail.gmail.com>
In-Reply-To: <CAPK2Deyz64GPdxytnN=ZGcL2P=E4wjyTqC1ZUMacaWuOubRs=Q@mail.gmail.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/i2nsf/fLVH0JXurHMAltJxKANpXGz2vEM>
Subject: Re: [I2nsf] Request for Comments on I2NSF Security Policy Translation

Paul,

Thank you very much for the detailed explanation and the examples. Some comments are inserted below

From: I2nsf [mailto:i2nsf-bounces@ietf.org] On Behalf Of Mr. Jaehoon Paul Jeong
Sent: Wednesday, August 08, 2018 11:13 PM
To: Linda Dunbar <linda.dunbar@huawei.com>
Cc: DIEGO LOPEZ GARCIA <diego.r.lopez@telefonica.com>; Jinhyuk Yang <jin.hyuk@skku.edu>; i2nsf@ietf.org; SecCurator_Team <skku_secu-brain_all@googlegroups.com>; Xialiang (Frank, Network Integration Technology Research Dept) <frank.xialiang@huawei.com>; Mr. Jaehoon Paul Jeong <jaehoon.paul@gmail.com>
Subject: Re: [I2nsf] Request for Comments on I2NSF Security Policy Translation

Hi Linda,
Thanks for your good comments and suggestions.
Here are our answers.

-----
- Figure 2: What does the <tag m> mean in the figure? How is it relevant to Policy Translation?

=> Figure 2 describes the architecture of the Extractor, which extracts data from an input high-level policy.
<tag m> represents a field in an XML file based on the Consumer-Facing Interface DM, such as rule name, condition, and action.
For example, assume that a high-level policy is generated as follows:

<I2NSF>
    <rule-name>block_web</rule-name>
    <condition>
        <src>Son's_PC</src>
        <dest>malicious</dest>
    </condition>
    <action>drop</action>
</I2NSF>

Then we can construct the Extractor for a high-level policy as follows:

If you input a high-level policy, the Deterministic Finite Automaton (DFA) can easily extract all of the data by transiting between states.
It starts from the Accepter state. For a given high-level policy, the DFA reads the first tag, <I2NSF>, and transits to the middle state. Next, it reads the second tag, <rule-name>, and moves to the extractor state. Arriving at the extractor state means that there is data to extract. In this way, the DFA can easily extract the rule-name data "block_web".
Then, it reads the tag </rule-name> and goes back to the previous middle state. By repeating this process, we can extract all of the data from the high-level policy. Finally, the DFA comes back to the accepter state.

[Linda] Can you add those explanation to the Section?
-----
- Section 4.4: Context-free Grammar based policy generator. How to link the description in this section to the actual policy? Possible to give an example?

=> Here is an example for Section 4.4. Let's assume that we have data for generating a low-level policy as follows:
block_web (rule-name), [10.0.0.1, 10.0.0.3] (IPv4 address list), [www.porno.com, www.malicious.com] (content list), drop (action).

Then, we can construct the Generator by using a Context-Free Grammar (CFG). "[]" denotes a non-terminal.

First, Structure Productions are used for grouping other tags:

 [policy] -> <I2NSF>[rule-name][rules]</I2NSF>  ... (1)

 [rules] -> <rules>[condition][payload][action]</rules> ... (2)

 [condition] -> <condition>[packet-condition]</condition>  ... (3)

 [packet-condition] -> <packet-condition>[ipv4]</packet-condition>  ... (4)

 [payload] -> <payload>[content]</payload>  ... (5)

[Linda] the [packet-condition] has [ipv4] as the actual value, are you supposed to have [ipv4] instead of “[payload]”? Are all the items above part of one policy (say [policy:1])?


Second, Content Productions are used for injecting data in tags:

 [rule-name] -> <rule-name>[rule-name-data]</rule-name>  ... (6)

 [rule-name-data] -> block_web  ... (7)

 [ipv4] -> [ipv4][ipv4]      (to allow duplication)   ... (8)

 [ipv4] -> <ipv4>[ipv4-data]</ipv4>   ... (9)

 [ipv4-data] -> 10.0.0.1 | 10.0.0.3   .... (10)

[Linda] I can follow you to this step, i.e. the [rule-name] is from the first [policy]. But what do the [content] below come from?


 [content] -> [content][content]    (to allow duplication)    ... (11)

 [content] -> <content>[content-data]</content>    ... (12)

 [content-data] -> www.porno.com | www.malicious.com    ... (13)

 [action] -> <action>[action-data]</action>    ... (14)

 [action-data] -> drop    ... (15)

Let's follow the example of the CFG. We derive [policy] into a detailed policy rule description until no non-terminal remains,
as follows:

[policy] -> <I2NSF>[rule-name][rules]</I2NSF>   ( by production (1) )

 -> <I2NSF> <rule-name> [rule-name-data] </rule-name> [rules] </I2NSF>  ( by production (6) )

 -> <I2NSF> <rule-name> block_web </rule-name> [rules] </I2NSF>  ( by production (7) )

 -> <I2NSF> <rule-name> block_web </rule-name>  <rules> [condition] [payload] [action] </rules> </I2NSF>   ( by production (2) )

 -> ...

Finally, with our translator, we can generate a low-level policy corresponding to a given high-level policy as follows:

<I2NSF>
    <rule-name>block_web</rule-name>
    <rules>
        <condition>
            <packet-condition>
                <ipv4>10.0.0.1</ipv4>
                <ipv4>10.0.0.3</ipv4>
            </packet-condition>
        </condition>
        <payload>
            <content>www.porno.com</content>
            <content>www.malicious.com</content>
        </payload>
        <action>drop</action>
    </rules>
</I2NSF>

The Generator can easily be constructed based on the NSF-Facing Interface Data Model. Also, the Generator can easily produce low-level policies, compatible with the NSF-Facing Interface Data Model, from the converted data.

-----
Some minor issues will be resolved according to your comments:

Section 3 last paragraph: Is it a typo? “programming languates”?
-> "programming languages"

Section 4: Please provide the full name for the acronym of XSLT (Extensible Stylesheet language Transformation?).
-> XSLT stands for "Extensible Stylesheet Language Transformations".

Section 4 first paragraph:  Do you mean “this document describes a policy translator based on Automata theory” for the following sentence?
-> “this document proposes a policy translator based on Automata theory”

-----
We will revise our draft with the above comments and answers this month.

Thanks.

Best Regards,
Paul and Jinhyuk

Thank you.

Linda
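The Extractor (Figure 2 discussion above) and the CFG Generator (Section 4.4 discussion above) carried through in working code, as an added example: this is editor-written Python, not code from the draft, the hackathon project, or the authors, and it assumes hypothetical `ENDPOINT_GROUPS` and `CONTENT_LISTS` lookup tables for the Data Converter that the draft does not define. `extract()` is the DFA walk described above (accepter -> middle -> extractor and back), `generate()` is the leftmost derivation from `[policy]` with the productions listed above, and two checks a practitioner would want are included: malformed high-level input is rejected rather than producing a partial policy, and every extracted string is XML-escaped before it is spliced into the low-level policy.

```python
import re
from collections import defaultdict
from xml.sax.saxutils import escape

# Constructed input: the high-level policy quoted in the thread.
HIGH_LEVEL_POLICY = """<I2NSF>
    <rule-name>block_web</rule-name>
    <condition>
        <src>Son's_PC</src>
        <dest>malicious</dest>
    </condition>
    <action>drop</action>
</I2NSF>"""

# Hypothetical lookup tables (assumed, not defined by the draft) standing in for the
# endpoint and threat-feed databases a Security Controller consults when converting.
ENDPOINT_GROUPS = {"Son's_PC": ["10.0.0.1", "10.0.0.3"]}
CONTENT_LISTS = {"malicious": ["www.porno.com", "www.malicious.com"]}

TOKEN = re.compile(r"<(/?)([A-Za-z0-9_-]+)\s*>|([^<]+)")


def extract(policy_xml):
    """Extractor: a DFA over the tag stream with states accepter -> middle -> extractor.
    An opening tag enters 'middle', text inside a tag is the 'extractor' state (collected
    under the enclosing tag name), and closing the root returns to 'accepter'."""
    state, stack, data, pos = "accepter", [], defaultdict(list), 0
    for m in TOKEN.finditer(policy_xml):
        if m.start() != pos:                         # bytes the tokenizer could not read
            raise ValueError(f"unreadable input at offset {pos}")
        pos = m.end()
        closing, tag, text = m.groups()
        if tag and not closing:                      # <tag>: accepter/middle -> middle
            stack.append(tag)
            state = "middle"
        elif tag:                                    # </tag>: back to middle (or accepter)
            if not stack or stack[-1] != tag:
                raise ValueError(f"unbalanced </{tag}>")
            stack.pop()
            state = "middle" if stack else "accepter"
        elif text.strip():                           # data: middle -> extractor
            if state != "middle":
                raise ValueError("data outside of a tag")
            state = "extractor"
            data[stack[-1]].append(text.strip())
    if pos != len(policy_xml) or state != "accepter":
        raise ValueError("policy not terminated")
    return dict(data)


def convert(extracted):
    """Data Converter: map user-level names to NSF-level values and escape every string."""
    [src], [dest] = extracted["src"], extracted["dest"]
    ipv4 = ENDPOINT_GROUPS[src]                      # KeyError on an unknown group: refuse
    return {"rule-name-data": [escape(n) for n in extracted["rule-name"]],
            "ipv4-data": ipv4,
            "content-data": [escape(c) for c in CONTENT_LISTS[dest]],
            "action-data": [escape(a) for a in extracted["action"]]}


# Productions (1)-(6), (9), (12), (14) from the thread; "[x]" is a non-terminal. "[x-data]" is
# filled from the converted data; duplication (8)/(11) is applied once per data value.
GRAMMAR = {
    "[policy]": ["<I2NSF>", "[rule-name]", "[rules]", "</I2NSF>"],
    "[rules]": ["<rules>", "[condition]", "[payload]", "[action]", "</rules>"],
    "[condition]": ["<condition>", "[packet-condition]", "</condition>"],
    "[packet-condition]": ["<packet-condition>", "[ipv4]", "</packet-condition>"],
    "[payload]": ["<payload>", "[content]", "</payload>"],
    "[rule-name]": ["<rule-name>", "[rule-name-data]", "</rule-name>"],
    "[ipv4]": ["<ipv4>", "[ipv4-data]", "</ipv4>"],
    "[content]": ["<content>", "[content-data]", "</content>"],
    "[action]": ["<action>", "[action-data]", "</action>"],
}


def generate(data, start="[policy]"):
    """Generator: leftmost derivation from [policy] until no non-terminal remains."""
    out, stack, consumed = [], [start], defaultdict(int)
    while stack:
        sym = stack.pop()
        if not (sym.startswith("[") and sym.endswith("]")):
            out.append(sym)                          # terminal: emit as-is
            continue
        name = sym[1:-1]
        if name.endswith("-data"):                   # content production: inject a value
            out.append(data[name][consumed[name]])
            consumed[name] += 1
            continue
        copies = len(data.get(name + "-data", [None]))
        if copies == 0:                              # never emit an empty match list
            raise ValueError(f"no data for {sym}")
        for _ in range(copies):
            stack.extend(reversed(GRAMMAR[sym]))
    return "".join(out)


def translate(policy_xml):
    return generate(convert(extract(policy_xml)))


def is_accepted(policy_xml):
    try:
        extract(policy_xml)
        return True
    except ValueError:
        return False
```

`translate(HIGH_LEVEL_POLICY)` returns the low-level policy shown in the thread as a single line (no pretty-printing). The converter escapes every extracted string because the translator runs inside the Security Controller on input supplied by the I2NSF User; without that step a rule name containing `>` or `&` would land verbatim in the NSF-facing XML.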

On Wed, Aug 8, 2018 at 7:31 AM, Linda Dunbar <linda.dunbar@huawei.com> wrote:
Paul,

I see the draft kind of like a reference design of the I2NSF Controller “from Consumer Facing policy to  NSF facing policy”. I agree that “translator design provides big benefits to I2NSF Framework”.

Some Questions:

- Does it depend on the completion of https://datatracker.ietf.org/doc/draft-ietf-i2nsf-consumer-facing-interface-dm/ ?

- Figure 2: What does the <tag m> mean in the figure? How is it relevant to Policy Translation?

- Section 4.4: Context-free Grammar based policy generator. How to link the description in this section to the actual policy? Possible to give an example?

Some minor issues:
Section 3 last paragraph: Is it a typo? “programming languates”?
Section 4: Please provide the full name for the acronym of XSLT (Extensible Stylesheet language Transformation?).
Section 4 first paragraph:  Do you mean “this document describes a policy translator based on Automata theory” for the following sentence?
“this document a policy translator based on Automata theory”


Thanks Linda Dunbar
From: I2nsf [mailto:i2nsf-bounces@ietf.org] On Behalf Of Mr. Jaehoon Paul Jeong
Sent: Friday, August 03, 2018 2:49 AM
To: i2nsf@ietf.org
Cc: Mr. Jaehoon Paul Jeong <jaehoon.paul@gmail.com>; Xialiang (Frank, Network Integration Technology Research Dept) <frank.xialiang@huawei.com>; DIEGO LOPEZ GARCIA <diego.r.lopez@telefonica.com>; SecCurator_Team <skku_secu-brain_all@googlegroups.com>; Jinhyuk Yang <jin.hyuk@skku.edu>
Subject: Re: [I2nsf] Request for Comments on I2NSF Security Policy Translation

Hi I2NSF WG,
I found a relevant RFC for implementation guidelines from CORE WG as below:

Guidelines for Mapping Implementations: HTTP to the Constrained Application Protocol (CoAP)
https://tools.ietf.org/html/rfc8075

This RFC is a Proposed Standard.

In our security policy translation draft, we can focus on the mapping from high-level security policy into low-level security policy
along with the architecture of an exemplary translator.

Thanks.

Paul

On Mon, Jul 23, 2018 at 11:45 AM, Mr. Jaehoon Paul Jeong <jaehoon.paul@gmail.com> wrote:
Hi Frank,
As you know, open source is dominant these days.
If IETF sticks to a general specification,
its position will get narrower and narrower in the future.

To make I2NSF easy to use in the world, I believe the implementation guidelines for security policy translation are important and useful.
IMHO, without these guidelines, but with data models, I2NSF will not be hard to be accepted.

As far as I understand, the I2NSF Applicability draft should focus on how to leverage I2NSF with other important aspects (e.g., SDN, SFC, and NFV) for the deployment of I2NSF rather than the detailed specification of I2NSF components, such as the security policy translator.

Other I2NSF people,
Let us know your opinions.

After collecting opinions and making consensus, let's move forward.

Thanks.

Paul





On Sun, Jul 22, 2018 at 9:09 PM, Xialiang (Frank, Network Integration Technology Research Dept) <frank.xialiang@huawei.com> wrote:
Hi,
I share the same concern as Diego. Although it’s a good example of how to translate the YANG models, it’s just one of the possible system implementations, and thus not suitable to be a specification.

My suggestion is that you could consider including its key contents in the I2NSF applicability draft.

B.R.
Frank

From: I2nsf [mailto:i2nsf-bounces@ietf.org] On Behalf Of Diego R. Lopez
Sent: 21 July 2018 23:39
To: Mr. Jaehoon Paul Jeong <jaehoon.paul@gmail.com>; i2nsf@ietf.org
Cc: SecCurator_Team <skku_secu-brain_all@googlegroups.com>
Subject: Re: [I2nsf] Request for Comments on I2NSF Security Policy Translation

Hi Paul,

This is a rather interesting draft and I’d encourage you to continue and report your work in policy translation, as it constitutes one of the essential matters the I2NSF Controller has to deal with.

But I am afraid I don’t see this document progressing in the standards track (even as an experimental one), as the particular techniques for implementing the translation do not seem a proper subject for standardization. The only place I could see room for it in would be as part of the applicability draft, and I am not sure about it… What do others think?

Be goode,

--
"Esta vez no fallaremos, Doctor Infierno"

Dr Diego R. Lopez
Telefonica I+D
https://www.linkedin.com/in/dr2lopez/

e-mail: diego.r.lopez@telefonica.com
Tel:         +34 913 129 041
Mobile:  +34 682 051 091
----------------------------------

On 21/07/2018, 12:01, "I2nsf on behalf of Mr. Jaehoon Paul Jeong" <i2nsf-bounces@ietf.org on behalf of jaehoon.paul@gmail.com> wrote:

Hi I2NSF WG,

I would like to introduce our draft on I2NSF Security Policy Translation:
- Draft
  https://tools.ietf.org/html/draft-yang-i2nsf-security-policy-translation-01

- Slides
  https://datatracker.ietf.org/meeting/102/materials/slides-102-i2nsf-security-policy-translation-00

This draft gives I2NSF developers the guidelines for the design and implementation
of I2NSF Security Controller.
One important functionality of the Security Controller is to automatically translate
an I2NSF User's high-level policy to a low-level policy for NSFs.

In our past I2NSF Hackathon projects, we made an XSLT-stylesheet-based translator.
But this translator has two limitations: static capability-and-NSF mapping construction
and inefficient maintenance of such a mapping.

The first limitation is the difficult high-level policy construction.
With the XSLT-stylesheet approach, the I2NSF User MUST manually select target NSFs to execute
the required security capabilities.
This means that the I2NSF User needs to know each NSF's capabilities, so it is difficult for
the I2NSF User to construct a high-level security policy without detailed knowledge of NSFs.

The second limitation is inefficient maintenance of the policy translator.
If the data models of the I2NSF NSF-Facing Interface require updates,
the XSLT stylesheet and XML files need to be updated.
On the other hand, our new approach provides the I2NSF User with efficient
maintenance.

To solve these two limitations, our draft proposes an automata-based policy translator.
This translator consists of three components: Extractor, Data Converter, and Generator.

First, when a high-level policy is delivered from the I2NSF User to the Security Controller,
the Translator extracts data about the policy at the Extractor, and then converts it at the Data Converter
for the NSF(s). Also, the Data Converter can select proper NSFs automatically.
Finally, the Generator generates low-level policies for the target NSFs based on the data from the Data Converter.

I believe that this draft is valuable for I2NSF WG adoption
to facilitate the development and deployment of I2NSF in the real world.

Please read this draft and give our authors your valuable comments.
We aim at making this proposal as an Informational RFC.

Thanks.

Best Regards,
Paul & Jinhyuk
--
===========================
Mr. Jaehoon (Paul) Jeong, Ph.D.
Assistant Professor
Department of Software
Sungkyunkwan University
Office: +82-31-299-4957
Email: jaehoon.paul@gmail.com, pauljeong@skku.edu
Personal Homepage: http://iotlab.skku.edu/people-jaehoon-jeong.php



