Re: [I2nsf] I-D Action: draft-ietf-i2nsf-registration-interface-dm-00.txt

"Mr. Jaehoon Paul Jeong" <jaehoon.paul@gmail.com> Tue, 23 October 2018 03:50 UTC

References: <154006619405.13838.11436642111446191940@ietfa.amsl.com> <1167C929-704F-49AC-9E8C-86652EABFAD9@telefonica.com> <CAPK2DezrguGg-mmBq6RzexWzxDz=8NdC=DeXr63PALwYHtJr3A@mail.gmail.com> <BED17F36-347B-48BE-8699-600A4D7F1942@telefonica.com>
In-Reply-To: <BED17F36-347B-48BE-8699-600A4D7F1942@telefonica.com>
From: "Mr. Jaehoon Paul Jeong" <jaehoon.paul@gmail.com>
Date: Tue, 23 Oct 2018 12:50:45 +0900
Message-ID: <CAPK2Dewf0Y6cX-REY6hDK86y8LN-5=m6FmVriFPSbxKua2WuOA@mail.gmail.com>
To: DIEGO LOPEZ GARCIA <diego.r.lopez@telefonica.com>
Cc: "i2nsf@ietf.org" <i2nsf@ietf.org>, skku_secu-brain_all@googlegroups.com, "Mr. Jaehoon Paul Jeong" <jaehoon.paul@gmail.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/i2nsf/ha55ve3i8l3-XIR1nvSeb5OI7LU>
Subject: Re: [I2nsf] I-D Action: draft-ietf-i2nsf-registration-interface-dm-00.txt

Diego,
Thanks for your clarification comments.

My team will review your comments for the construction of the I2NSF framework
in an NFV environment, and then polish up the description of the registration
interface between SC and DMS along with the MANO stack in the revision of the
Registration Interface Data Model document.

Thanks.

Best Regards,
Paul



On Tue, Oct 23, 2018 at 12:39 PM Diego R. Lopez <
diego.r.lopez@telefonica.com> wrote:

> Hi Paul,
>
>
>
> I think we agree in all aspects, but on the DMS concept and its connection
> with the Security Controller. In my view, a DMS will never be associated to
> VNFM (or anything else in the MANO stack). Let me try to illustrate this by
> means of the organizational roles involved: a SC would be typically run by
> a network provider or its customer (Telefonica or, say, a bank Telefonica
> is providing network services), and a DMS would be typically run by a
> network equipment vendor (Huawei, Ericsson, F5…), and therefore it is quite
> unlikely the VNFM instances running in the network service providers are
> run by network equipment vendors.
>
>
>
> In an NFV environment, the DMS requests through the registration interface
> will translate into events related with NSF onboarding. And the SC will use
> the registration interface to query the catalog of available NSFs and
> translate its decisions into requests to the MANO stack. So we could
> conclude the registration interface is the way for both the DMS and the SC
> to interact with the NFV MANO stack, but by no means in an interactive,
> direct way. The shortcut you describe may be acceptable for demonstration
> purposes in a hackathon, but I do not see how this can match a real
> operational environment.
>
>
>
> Be goode,
>
>
>
> --
>
> "Esta vez no fallaremos, Doctor Infierno"
>
>
>
> Dr Diego R. Lopez
>
> Telefonica I+D
>
> https://www.linkedin.com/in/dr2lopez/
>
>
>
> e-mail: diego.r.lopez@telefonica.com
>
> Tel:         +34 913 129 041
>
> Mobile:  +34 682 051 091
>
> ----------------------------------
>
>
>
> On 21/10/2018, 23:01, "Mr. Jaehoon Paul Jeong" <jaehoon.paul@gmail.com>
> wrote:
>
>
>
> Hi Diego,
>
> Here are my answers inline.
>
>
>
> On Sun, Oct 21, 2018 at 2:58 PM Diego R. Lopez <
> diego.r.lopez@telefonica.com> wrote:
>
> Hi,
>
> I've gone through the new version of the Registration Interface model
> draft, that does look much better and integrated to me now, and I have a
> few comments, most of them on the procedures described for using the
> interface and the connection of Controller and the DMS:
>
> 1) First of all, related to terminology: Why do you define the term "NSF
> Profile"? Why not refer to the "Profile" definition in the terminology
> document? By referring just to "Profile" I think you can freely use "NSF
> Profile" later on...
>
>  => That's a good suggestion. We will refer to the definition of "Profile"
> of the object of an NSF for the sake of "NSF Profile" in the revision -01.
>
>
> 2) The actions described in section 4 seem to imply a direct and dynamic
> communication between Controller and DMS, when what I foresee is something
> similar to the onboarding mechanisms in current software-based networks:
> The DMS uses the registration interface to provide and update the
> capabilities of those NSFs provided to the Controller, and the Controller
> makes the appropriate selection once it receives a request from a client,
> instantiating them from the repository. But by no means a direct dialog
> between Controller and DMS should be assumed, nor do I think we should
> specify a dynamic instantiation mechanism in this document.
>
>  => In the IETF-103 Hackathon project for I2NSF in OpenStack-Based NFV,
> DMS is implemented as an EM that has an interface (i.e., Ve-Vnfm Interface)
> with VNF Manager. That is, the instantiation request from Security
> Controller to DMS will be delivered to VNF Manager by DMS. We will clarify
> this text based on our implementation in the revision.
>
>
>
> 3) The same happens with the process described in section 5. We should
> change this into a decoupled register-select-instantiate operation
> sequence. And, BTW, what do you mean by "a specific NSF required or
> *wasted* in the current system"? Wasted by whom and how?
>
>  => The wasted NSF is an NSF that is not used by any traffic flows, yet is
> running as a VNF in the NFV environment. For the efficient resource
> management, we need to deinstantiate such an NSF.
>
>      The appendix of Registration Interface Information Model Draft below
> clarifies my answers above.
>
>      Appendix A.  Lifecycle Management Mechanism in
> draft-hyun-i2nsf-registration-interface-im-06
> https://tools.ietf.org/html/draft-hyun-i2nsf-registration-interface-im-06#page-12
>
>      According to your comments, the instantiation and deinstantiation
> of an NSF will be clarified in an Appendix rather than in a main section.
>
>
> 4) Following this, the instantiation and deinstantiation operations
> described in 5.1 should not be used. What is more, I'd say they are out of
> the scope of this document, and while mechanisms for instance management
> could be generally mentioned, they should not be described in detail here.
>
>
>
>  => Yes, as mentioned above, the instantiation and deinstantiation
> operations will be described in an Appendix in the revision.
>
>
> 5) And a question on the access information described in section 5.3:
> should it not include a reference to the mechanisms to secure the access,
> like encryption, reference to certificates or key repositories, etc. I am
> not asking for storing credentials, but at least to let the Controller know
> that IPsec using certificates approved by a particular CA should be used,
> for example.
>
>  => As explained in I2NSF-IPsec draft (
> https://tools.ietf.org/html/draft-hyun-i2nsf-registration-interface-im-06#page-6
> ), NSF Access Information contains the information to access an NSF in
> the I2NSF network, such as the following: IPv4 address, IPv6 address, port
> number, and supported transport protocol(s), rather than security
> information such as IPsec session information. For secure access, we can
> use IPsec for I2NSF in
> https://tools.ietf.org/html/draft-ietf-i2nsf-sdn-ipsec-flow-protection-02
>
>       We will add the text about secure access using IPsec along with the
> above I2NSF-IPsec draft in the revision.
>
>
>
>       Thanks.
>
>
>
>       Paul
>
>
>
>
>
> Be goode,
>
>  --
> "Esta vez no fallaremos, Doctor Infierno"
>
> Dr Diego R. Lopez
> Telefonica I+D
> https://www.linkedin.com/in/dr2lopez/
>
> e-mail: diego.r.lopez@telefonica.com
> Tel:         +34 913 129 041
> Mobile:  +34 682 051 091
> ----------------------------------
>
> On 20/10/2018, 22:10, "I2nsf on behalf of internet-drafts@ietf.org" <
> i2nsf-bounces@ietf.org on behalf of internet-drafts@ietf.org> wrote:
>
>
>     A New Internet-Draft is available from the on-line Internet-Drafts
> directories.
>     This draft is a work item of the Interface to Network Security
> Functions WG of the IETF.
>
>             Title           : I2NSF Registration Interface Data Model
>             Authors         : Sangwon Hyun
>                               Jaehoon Paul Jeong
>                               Taekyun Roh
>                               Sarang Wi
>                               Jung-Soo Park
>     Filename        : draft-ietf-i2nsf-registration-interface-dm-00.txt
>     Pages           : 23
>     Date            : 2018-10-20
>
>     Abstract:
>        This document defines an information model and a YANG data model for
>        Interface to Network Security Functions (I2NSF) Registration
>        Interface between Security Controller and Developer's Management
>        System (DMS).  The objective of these information and data models is
>        to support NSF search, instantiation and registration according to
>        required security capabilities via I2NSF Registration Interface.
>
>
>     The IETF datatracker status page for this draft is:
>
> https://datatracker.ietf.org/doc/draft-ietf-i2nsf-registration-interface-dm/
>
>     There are also htmlized versions available at:
>
> https://tools.ietf.org/html/draft-ietf-i2nsf-registration-interface-dm-00
>
> https://datatracker.ietf.org/doc/html/draft-ietf-i2nsf-registration-interface-dm-00
>
>
>     Please note that it may take a couple of minutes from the time of
> submission
>     until the htmlized version and diff are available at tools.ietf.org.
>
>     Internet-Drafts are also available by anonymous FTP at:
>     ftp://ftp.ietf.org/internet-drafts/
>
>     _______________________________________________
>     I2nsf mailing list
>     I2nsf@ietf.org
>     https://www.ietf.org/mailman/listinfo/i2nsf
>
>
>
> ________________________________
>
> The information contained in this transmission is privileged and
> confidential information intended only for the use of the individual or
> entity named above. If the reader of this message is not the intended
> recipient, you are hereby notified that any dissemination, distribution or
> copying of this communication is strictly prohibited. If you have received
> this transmission in error, do not read it. Please immediately reply to the
> sender that you have received this communication in error and then delete
> it.
>
>
>
>
>
> --
>
> ===========================
> Mr. Jaehoon (Paul) Jeong, Ph.D.
> Associate Professor
> Department of Software
> Sungkyunkwan University
> Office: +82-31-299-4957
> Email: jaehoon.paul@gmail.com, pauljeong@skku.edu
> Personal Homepage: http://iotlab.skku.edu/people-jaehoon-jeong.php
> <http://cpslab.skku.edu/people-jaehoon-jeong.php>
>
>


-- 
===========================
Mr. Jaehoon (Paul) Jeong, Ph.D.
Associate Professor
Department of Software
Sungkyunkwan University
Office: +82-31-299-4957
Email: jaehoon.paul@gmail.com, pauljeong@skku.edu
Personal Homepage: http://iotlab.skku.edu/people-jaehoon-jeong.php
<http://cpslab.skku.edu/people-jaehoon-jeong.php>
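The decoupled register-select-instantiate sequence Diego asks for in points 2 and 3, and the NSF Access Information fields Paul lists in point 5 (addresses, port, transports, plus a reference to the secure-access mechanism rather than credentials), as an added Python example that is not code from the draft or from either author. The field names, the `secure_access` reference with its `trust_anchor`, the forbidden-key list and the sample records are assumptions constructed for illustration, not identifiers from the data model:

```python
"""Toy model of an I2NSF registration catalog (added example, not draft code).

DMS side: register() validates an NSF profile and adds it to the catalog.
SC side: select() picks registered NSFs by required capability, and
instantiation_request() builds the separate request the SC would hand to the
MANO stack. There is no direct SC <-> DMS dialogue in the flow.
Access information carries a *reference* to the secure-access mechanism and
its CA; any credential material in a registration record is rejected.
"""
from dataclasses import dataclass
from ipaddress import ip_address
from typing import Dict, FrozenSet, List, Optional

# Keys that must never travel in a registration record (assumed list).
FORBIDDEN_KEYS = {"password", "psk", "private_key", "secret"}


@dataclass(frozen=True)
class SecureAccess:
    mechanism: str      # e.g. "ipsec"; assumed value for the example
    trust_anchor: str   # name of the CA whose certificates are accepted (assumed field)


@dataclass(frozen=True)
class AccessInfo:
    ipv4: Optional[str]
    ipv6: Optional[str]
    port: int
    transports: FrozenSet[str]
    secure_access: Optional[SecureAccess]


@dataclass(frozen=True)
class NSFProfile:
    name: str
    capabilities: FrozenSet[str]
    access: AccessInfo


def validate_access(info: AccessInfo) -> List[str]:
    """Return the list of problems found; an empty list means acceptable."""
    problems: List[str] = []
    if info.ipv4 is None and info.ipv6 is None:
        problems.append("no address given")
    for addr, ver in ((info.ipv4, 4), (info.ipv6, 6)):
        if addr is None:
            continue
        try:
            ok = ip_address(addr).version == ver
        except ValueError:
            ok = False
        if not ok:
            problems.append(f"invalid IPv{ver} address: {addr}")
    if not 0 < info.port < 65536:
        problems.append(f"port out of range: {info.port}")
    if not info.transports:
        problems.append("no transport protocol listed")
    if info.secure_access is None:
        problems.append("no secure-access reference")
    elif not (info.secure_access.mechanism and info.secure_access.trust_anchor):
        problems.append("secure-access reference incomplete")
    return problems


def register(catalog: Dict[str, NSFProfile], record: dict) -> List[str]:
    """DMS side: parse one registration record into the catalog; returns problems."""
    access = record.get("access", {})
    leaked = FORBIDDEN_KEYS & set(access)
    if leaked:
        # Refuse outright: the interface points at a mechanism, it does not carry secrets.
        return [f"credential material in registration record: {sorted(leaked)}"]
    sa = access.get("secure_access")
    info = AccessInfo(
        ipv4=access.get("ipv4"), ipv6=access.get("ipv6"), port=access["port"],
        transports=frozenset(access.get("transports", [])),
        secure_access=SecureAccess(**sa) if sa else None,
    )
    problems = validate_access(info)
    if not problems:
        catalog[record["name"]] = NSFProfile(
            record["name"], frozenset(record["capabilities"]), info)
    return problems


def select(catalog: Dict[str, NSFProfile], required: FrozenSet[str]) -> List[str]:
    """SC side: names of registered NSFs whose capabilities cover the request."""
    return sorted(n for n, p in catalog.items() if required <= p.capabilities)


def instantiation_request(catalog: Dict[str, NSFProfile], name: str) -> dict:
    """SC side: the request handed to the MANO stack for the chosen profile."""
    p = catalog[name]
    return {"nsf": name, "capabilities": sorted(p.capabilities),
            "reach_via": p.access.secure_access.mechanism,
            "trust_anchor": p.access.secure_access.trust_anchor}


# Constructed sample registrations (not real NSFs or real addresses).
SAMPLE_RECORDS = [
    {"name": "fw-a", "capabilities": ["firewall", "ipv4"],
     "access": {"ipv4": "192.0.2.10", "port": 830, "transports": ["tcp"],
                "secure_access": {"mechanism": "ipsec",
                                  "trust_anchor": "Example-Operator-CA"}}},
    {"name": "fw-b", "capabilities": ["firewall"],        # lacks a secure-access reference
     "access": {"ipv6": "2001:db8::10", "port": 830, "transports": ["tcp"]}},
    {"name": "ids-c", "capabilities": ["ids"],            # carries a shared secret: rejected
     "access": {"ipv4": "192.0.2.11", "port": 830, "transports": ["tcp"],
                "psk": "hunter2",
                "secure_access": {"mechanism": "ipsec",
                                  "trust_anchor": "Example-Operator-CA"}}},
]


def run_demo() -> dict:
    catalog: Dict[str, NSFProfile] = {}
    outcomes = {r["name"]: register(catalog, r) for r in SAMPLE_RECORDS}
    chosen = select(catalog, frozenset({"firewall"}))
    return {"outcomes": outcomes, "registered": sorted(catalog), "chosen": chosen,
            "request": instantiation_request(catalog, chosen[0]) if chosen else None}


if __name__ == "__main__":
    from pprint import pprint
    pprint(run_demo())
```

Only `fw-a` ends up in the catalog: `fw-b` is refused for lacking the secure-access reference Diego asks for, and `ids-c` is refused because its record carries a pre-shared key. Selection and the instantiation request are separate steps operating on the catalog, which is the decoupling the thread describes.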