Re: [I2nsf] Request for Comments on I2NSF Security Policy Translation

"Mr. Jaehoon Paul Jeong" <jaehoon.paul@gmail.com> Sun, 22 July 2018 05:07 UTC

From: "Mr. Jaehoon Paul Jeong" <jaehoon.paul@gmail.com>
Date: Sun, 22 Jul 2018 01:06:57 -0400
To: DIEGO LOPEZ GARCIA <diego.r.lopez@telefonica.com>
Cc: i2nsf@ietf.org, SecCurator_Team <skku_secu-brain_all@googlegroups.com>, "Mr. Jaehoon Paul Jeong" <jaehoonpaul@gmail.com>
Message-ID: <CAPK2DeyvU9EOWW6mmD=gZSuLGXuocfSmLc54xUQkRB9OPUz5UQ@mail.gmail.com>
In-Reply-To: <CD40837C-EB77-4ABF-BEB9-FCD5FB3AC5B0@telefonica.com>
Subject: Re: [I2nsf] Request for Comments on I2NSF Security Policy Translation
Archived-At: <https://mailarchive.ietf.org/arch/msg/i2nsf/ki0JMwGVIIcWoIcCFE4AxlGZvo4>
List-Archive: <https://mailarchive.ietf.org/arch/browse/i2nsf/>

Hi Diego,
In our I2NSF security policy translator, a RESTCONF XML file based on a
high-level policy YANG is translated into a NETCONF XML file based on a
low-level policy YANG.

RFC 8106 is an example to show that the implementation considerations are
useful to developers though RFC 8106 is about IPv6 DNS autoconfiguration.

Without our I2NSF security translation draft, it is hard for developers to
figure out the implementation of Security Controller that bridges
Consumer-Facing Interface and NSF-Facing Interface.

Thanks.

Paul

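To make the translation step concrete, here is an added Python sketch of the Extractor, Data Converter and Generator stages described in the draft announcement quoted further down in this thread. It is not code from the draft, from the Hackathon translator or from the I2NSF project. The high-level policy XML, the element names, the capability labels, the endpoint groups and the NSF capability table are all constructed assumptions for illustration and are not the I2NSF Consumer-Facing or NSF-Facing YANG models. What it shows beyond the prose: the capability-to-NSF mapping is a data table the Data Converter consults, so registering a new NSF edits the table rather than the translator, and a rule that no registered NSF can enforce is rejected instead of being silently emitted to nobody.

```python
import xml.etree.ElementTree as ET

# Constructed high-level policy (Consumer-Facing Interface style, assumed
# element names): the I2NSF User names endpoint groups and an outcome;
# no NSF is named and no address appears.
HIGH_LEVEL_POLICY_XML = """<policy>
  <name>protect-employees</name>
  <rule>
    <name>r1</name>
    <condition>
      <source>employees</source>
      <destination>known-bad-hosts</destination>
    </condition>
    <action>drop</action>
  </rule>
  <rule>
    <name>r2</name>
    <condition>
      <source>employees</source>
      <url-category>malware</url-category>
    </condition>
    <action>drop</action>
  </rule>
</policy>"""

# Constructed registries (assumed). They are data consulted at translation
# time: registering a new NSF or endpoint group edits these tables, not the code.
ENDPOINT_GROUPS = {
    "employees": ["10.1.0.0/16"],
    "known-bad-hosts": ["203.0.113.7", "203.0.113.9"],
}
NSF_CAPABILITIES = {
    "firewall-1": {"ipv4-src", "ipv4-dst", "drop"},
    "url-filter-1": {"ipv4-src", "url-category", "drop"},
    "ids-1": {"ipv4-src", "ipv4-dst", "alert"},
}
# Capability each high-level condition element needs (assumed labels), and
# which elements carry an endpoint-group name that must be resolved.
CONDITION_CAPABILITY = {"source": "ipv4-src", "destination": "ipv4-dst",
                        "url-category": "url-category"}
GROUP_VALUED = {"source", "destination"}


def extract(policy_xml):
    """Extractor: pull policy name, rule name, condition and action per rule."""
    root = ET.fromstring(policy_xml)
    return [{
        "policy": root.findtext("name").strip(),
        "rule": rule.findtext("name").strip(),
        "condition": {c.tag: c.text.strip() for c in rule.find("condition")},
        "action": rule.findtext("action").strip(),
    } for rule in root.findall("rule")]


def convert(rule):
    """Data Converter: resolve names to data and pick every NSF whose capabilities cover the rule."""
    required = {CONDITION_CAPABILITY[t] for t in rule["condition"]} | {rule["action"]}
    nsfs = sorted(n for n, caps in NSF_CAPABILITIES.items() if required <= caps)
    if not nsfs:
        # Fail closed: an unenforceable rule is an error, not a silent no-op.
        raise ValueError(f"rule {rule['rule']}: no NSF provides {sorted(required)}")
    fields = {}
    for tag, value in rule["condition"].items():
        if tag in GROUP_VALUED:
            if value not in ENDPOINT_GROUPS:
                raise ValueError(f"rule {rule['rule']}: unknown group {value!r}")
            fields[CONDITION_CAPABILITY[tag]] = ENDPOINT_GROUPS[value]
        else:
            fields[CONDITION_CAPABILITY[tag]] = [value]
    return {"policy": rule["policy"], "rule": rule["rule"], "nsfs": nsfs,
            "fields": fields, "action": rule["action"]}


def generate(converted):
    """Generator: one NETCONF-style <edit-config> payload per selected NSF."""
    payloads = {}
    for nsf in converted["nsfs"]:
        rpc = ET.Element("rpc")
        edit = ET.SubElement(rpc, "edit-config")
        ET.SubElement(ET.SubElement(edit, "target"), "running")
        policy = ET.SubElement(ET.SubElement(edit, "config"), "nsf-policy", nsf=nsf)
        rule_el = ET.SubElement(policy, "rule")
        ET.SubElement(rule_el, "name").text = f"{converted['policy']}:{converted['rule']}"
        for cap, values in sorted(converted["fields"].items()):
            for value in values:
                ET.SubElement(rule_el, cap).text = value
        ET.SubElement(rule_el, "action").text = converted["action"]
        payloads[nsf] = ET.tostring(rpc, encoding="unicode")
    return payloads


def translate(policy_xml):
    """Whole pipeline: high-level XML in, {nsf: [low-level XML, ...]} out."""
    result = {}
    for rule in extract(policy_xml):
        for nsf, payload in generate(convert(rule)).items():
            result.setdefault(nsf, []).append(payload)
    return result


if __name__ == "__main__":
    for nsf, payloads in translate(HIGH_LEVEL_POLICY_XML).items():
        print(nsf, *payloads, sep="\n  ")
```

Run as a script it prints the per-NSF payloads: rule r1 lands only on firewall-1 (the only NSF offering source, destination and drop together) and rule r2 only on url-filter-1. In a real Security Controller the generated documents would follow the NSF-Facing Interface YANG and be pushed over a NETCONF session; the structure of the three stages, and the fail-closed check in the converter, is what carries over.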

On Sat, Jul 21, 2018 at 1:45 PM, Diego R. Lopez <diego.r.lopez@telefonica.com>
wrote:

> Hi Paul,
>
> Where are the high-level YANG and low-level YANG defined? Probably, as you
> suggest in the case of RFC8106, this could become implementation
> considerations on one of the YANG definitions.
>
> Be goode,
>
> --
> "Esta vez no fallaremos, Doctor Infierno"
>
> Dr Diego R. Lopez
> Telefonica I+D
> https://www.linkedin.com/in/dr2lopez/
>
> e-mail: diego.r.lopez@telefonica.com
> Tel:         +34 913 129 041
> Mobile:  +34 682 051 091
> ----------------------------------
>
> On 21/07/2018, 18:42, "Mr. Jaehoon Paul Jeong" <jaehoon.paul@gmail.com>
> wrote:
>
>
>
> Hi Diego,
>
> This draft is about the design and implementation of I2NSF Security Policy
> Controller from a high-level YANG to a low-level YANG.
>
> In my previous RFC about "IPv6 Router Advertisement Options for DNS
> Configuration", the implementation considerations are included for
> facilitating developers for an easy implementation:
> https://tools.ietf.org/html/rfc8106
>
> As I mentioned in the previous email, we aim at an Informational RFC rather
> than a Standards-track or experimental RFC.
> IMHO, this policy translation is a key technology for I2NSF, so it will be
> beneficial to have an Informational RFC on the security policy translation.
>
> Thanks.
>
> Paul
>
>
> On Sat, Jul 21, 2018 at 11:39 AM, Diego R. Lopez <
> diego.r.lopez@telefonica.com> wrote:
>
> Hi Paul,
>
> This is a rather interesting draft and I’d encourage you to continue and
> report your work in policy translation, as it constitutes one of the
> essential matters the I2NSF Controller has to deal with.
>
> But I am afraid I don’t see this document progressing in the standards
> track (even as an experimental one), as the particular techniques for
> implementing the translation do not seem a proper subject for
> standardization. The only place I could see room for it in would be as part
> of the applicability draft, and I am not sure about it… What do others
> think?
>
> Be goode,
>
> --
> "Esta vez no fallaremos, Doctor Infierno"
>
> Dr Diego R. Lopez
> Telefonica I+D
> https://www.linkedin.com/in/dr2lopez/
>
> e-mail: diego.r.lopez@telefonica.com
> Tel:         +34 913 129 041
> Mobile:  +34 682 051 091
> ----------------------------------
>
> On 21/07/2018, 12:01, "I2nsf on behalf of Mr. Jaehoon Paul Jeong" <
> i2nsf-bounces@ietf.org on behalf of jaehoon.paul@gmail.com> wrote:
>
>
> Hi I2NSF WG,
>
> I would like to introduce our draft on I2NSF Security Policy Translation:
>
> - Draft
>   https://tools.ietf.org/html/draft-yang-i2nsf-security-policy-translation-01
>
> - Slides
>   https://datatracker.ietf.org/meeting/102/materials/slides-102-i2nsf-security-policy-translation-00
>
> This draft gives I2NSF developers the guidelines for the design and
> implementation of I2NSF Security Controller.
> One important functionality of the Security Controller is to automatically
> translate an I2NSF User's high-level policy to a low-level policy for NSFs.
>
> In our past I2NSF Hackathon projects, we made an XSLT-stylesheet-based
> translator.
> But this translator has two limitations, such as static capability-and-NSF
> mapping construction and inefficient maintenance on such a mapping.
>
> The first limitation is the difficult high-level policy construction.
> By the XSLT-stylesheet approach, I2NSF User MUST manually select target
> NSFs to execute the required security capabilities.
> This means that I2NSF User needs to know each NSF's capabilities, so it is
> difficult for I2NSF User to construct a high-level security policy without
> the detailed knowledge on NSFs.
>
> The second limitation is an inefficient maintenance on the policy
> translator.
> If the data models on I2NSF NSF-facing Interface require some updates,
> the XSLT stylesheet and XML files need to be updated.
> On the other hand, our new approach provides I2NSF User with an efficient
> maintenance.
>
> To solve these two limitations, our draft proposes an automata-based
> policy translator.
> This translator consists of three components, such as Extractor, Data
> Converter, and Generator.
>
> First, when a high-level policy is delivered from I2NSF User to Security
> Controller, Translator extracts data about the policy at Extractor, and
> then converts it at Data Converter for NSF(s). Also, Data Converter can
> select proper NSFs automatically.
> Finally, Generator generates low-level policies of target NSFs based on
> the data from Data Converter.
>
> I believe that this draft is valuable for I2NSF WG adoption
> to facilitate the development and deployment of I2NSF in the real world.
>
> Please read this draft and give our authors your valuable comments.
> We aim at making this proposal as an Informational RFC.
>
> Thanks.
>
> Best Regards,
>
> Paul & Jinhyuk
>
> --
>
> ===========================
> Mr. Jaehoon (Paul) Jeong, Ph.D.
> Assistant Professor
> Department of Software
> Sungkyunkwan University
> Office: +82-31-299-4957
> Email: jaehoon.paul@gmail.com, pauljeong@skku.edu
> Personal Homepage: http://iotlab.skku.edu/people-jaehoon-jeong.php
> <http://cpslab.skku.edu/people-jaehoon-jeong.php>
>
>
> ------------------------------
>
>
> The information contained in this transmission is privileged and
> confidential information intended only for the use of the individual or
> entity named above. If the reader of this message is not the intended
> recipient, you are hereby notified that any dissemination, distribution or
> copying of this communication is strictly prohibited. If you have received
> this transmission in error, do not read it. Please immediately reply to the
> sender that you have received this communication in error and then delete
> it.