IETF Logo Mail Archive

Re: [I2nsf] I2NSF Drafts for Independent Submission Stream

Adrian Farrel <adrian@olddog.co.uk> Sun, 30 July 2023 00:15 UTC

Return-Path: <adrian@olddog.co.uk>
X-Original-To: i2nsf@ietfa.amsl.com
Delivered-To: i2nsf@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 0EB9FC14CE51; Sat, 29 Jul 2023 17:15:36 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.102
X-Spam-Level:
X-Spam-Status: No, score=-2.102 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_BLOCKED=0.001, RCVD_IN_MSPIKE_H3=0.001, RCVD_IN_MSPIKE_WL=0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=olddog.co.uk
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 2rg4iEHy9QVh; Sat, 29 Jul 2023 17:15:31 -0700 (PDT)
Received: from mta6.iomartmail.com (mta6.iomartmail.com [62.128.193.156]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 60AF8C14CE4A; Sat, 29 Jul 2023 17:15:22 -0700 (PDT)
Received: from vs4.iomartmail.com (vs4.iomartmail.com [10.12.10.122]) by mta6.iomartmail.com (8.14.7/8.14.7) with ESMTP id 36U0FGjO018175; Sun, 30 Jul 2023 01:15:16 +0100
Received: from vs4.iomartmail.com (unknown [127.0.0.1]) by IMSVA (Postfix) with ESMTP id D390B4604A; Sun, 30 Jul 2023 01:15:15 +0100 (BST)
Received: from vs4.iomartmail.com (unknown [127.0.0.1]) by IMSVA (Postfix) with ESMTP id B30DC46043; Sun, 30 Jul 2023 01:15:15 +0100 (BST)
Received: from asmtp3.iomartmail.com (unknown [10.12.10.224]) by vs4.iomartmail.com (Postfix) with ESMTPS; Sun, 30 Jul 2023 01:15:15 +0100 (BST)
Received: from LAPTOPK7AS653V (76-14-1-154.sf-cable.astound.net [76.14.1.154] (may be forged)) (authenticated bits=0) by asmtp3.iomartmail.com (8.14.7/8.14.7) with ESMTP id 36U0FCeE003785 (version=TLSv1/SSLv3 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NO); Sun, 30 Jul 2023 01:15:14 +0100
Reply-To: adrian@olddog.co.uk
From: Adrian Farrel <adrian@olddog.co.uk>
To: "'Independent Submissions Editor (Eliot Lear)'" <rfc-ise@rfc-editor.org>
Cc: i2nsf@ietf.org, sec-ads@ietf.org, "'Mr. Jaehoon Paul Jeong'" <jaehoon.paul@gmail.com>, 'Rifaat Shekh-Yusef' <rifaat.s.ietf@gmail.com>, 'Linda Dunbar' <linda.dunbar@futurewei.com>
References: <CAPK2Dex37mLMNTcb6aqT-DMVCjRvfdnLxexQndJD7zhmzbKsmg@mail.gmail.com> <61B52D16-EDA4-486F-9899-FE611B18DFE2@cisco.com> <89ea1507-6c08-ffee-abd0-f2ac87fbe880@rfc-editor.org> <CAPK2DeyZftNKJ9ERGv8b=kdDVYew1g-g2VDV9Q5dxa3HP9=LZw@mail.gmail.com> <CADNypP_nnT8tO7yqtmvOU5ogpT5cYLoOAC4waJ8nPrHzNdicJA@mail.gmail.com> <CAPK2DezQsA4b76Uq9YCv0sERf3qKaDuMCs1=cmgrHHPj8M+Ziw@mail.gmail.com>
In-Reply-To: <CAPK2DezQsA4b76Uq9YCv0sERf3qKaDuMCs1=cmgrHHPj8M+Ziw@mail.gmail.com>
Date: Sun, 30 Jul 2023 01:15:11 +0100
Organization: Old Dog Consulting
Message-ID: <004401d9c27a$e9bac370$bd304a50$@olddog.co.uk>
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="----=_NextPart_000_0045_01D9C283.4B87DE00"
X-Mailer: Microsoft Outlook 16.0
Thread-Index: AQH0FWrEreAtRhjKwEmAo5FcNIFaKQJB9Y1qAR+ekmACM7kVMwIxF4FgAs0qx1mvSB9X4A==
Content-Language: en-gb
X-Originating-IP: 76.14.1.154
X-Thinkmail-Auth: adrian@olddog.co.uk
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed; d=olddog.co.uk; h=reply-to :from:to:cc:references:in-reply-to:subject:date:message-id :mime-version:content-type; s=20221128; bh=3v8BSQm8IWMyYySurfMyr gFj9CQho2q7JJchRl9msgs=; b=jgapfvPlgHt/dwY9y7b1j4SF/73obKOEwtWIM y+8FvVBCpXmbH/4CLIidgEP7wUiD8ESIggV/ERlno0zKmYl2gITeq1pZu2ORaZOG vKBz3jYgWWhM1u4ZKQ4yzsdqw2Hp99Nuw4QfRLPLxP6KoP4Vq2O4riHdk/24MYcj QZaC9TXrTCatBd1X9hby98HIJ0MM4hgpzPUovbkHGtyosXxndszHIX3P4dXJElFy p3nOUelpxN2rIecFBgY6LMPH9RkUfDdStHwXU2wdyUwxmJaHmJc4/D3QfreUApYF tEsuWuot+TTrh59U3rbpmdLaagQK4roSssS4BuKAkV8zn+yxA==
X-TM-AS-GCONF: 00
X-TM-AS-Product-Ver: IMSVA-9.1.0.2090-9.0.0.1002-27782.003
X-TM-AS-Result: No--24.943-10.0-31-10
X-imss-scan-details: No--24.943-10.0-31-10
X-TMASE-Version: IMSVA-9.1.0.2090-9.0.1002-27782.003
X-TMASE-Result: 10--24.942500-10.000000
X-TMASE-MatchedRID: JQSF04SbSlQ7iuZ/mdYYtjtLuRAlPTkkWOUUKH0w1VssnkzzcI2cygVg f1XK2LQGS27AvgeJoNAsZAW16UOXiyKpn/iCVxz8MHPU4TB96leW15qLoPtbfi0mw44Qr35AjYb QU0iVlK8T3Cigx7DwIbPx3rO+jk2Q4ZWsG0MX2o9Abza1VIHIZWJjg9GXn3itTbpHHrS0p1XY0A 1PeQz/wKVNvIPifqQOymEwDzlvBiAzNsXWBvGVBoLYB7vZAK2TCBMD3DbxrsIPBAVprXRZnDliO bQKcTXEmwtmI3gWPW99v8t4yaa1EDK1/qdbjc7QnqTMYg6eO4ZjsekmL+iIKREKIPmfz1a4KChw 4KFw1hajeyfNFhJjaiQWufwDJ4K9iIB5natU4m3W2YYHslT0IwmKO6hjqvEArT7fVziRzfdSe3B BwR1DvB5ML9JcGh94Yy6AtAy7YZeoxfDhgVWbCMpQAYkQUlntS48IjXi9YDloBTbHAuitAUrF/m VEVKMJpANxWw95dxOTeuX4xo2DEOl782vYr/kH2xyHbnN4LdW6kJXVPDRM6W8/gKi82BLgbCkj4 6gswJKf6QCEa2YeNgXGi/7cli9j41DodRHs609qrsOvUFEKy4fraCyyl8ER5XVGnJhQpIF3ZVcb Jy0H7jIKYrmj3Q85RZfQN+FVqbDxVnSvYzRCxBdHX2eZFfZft6R3YtfQOkiaelW7arxTNM6NVDm +I33q4I8ILZkAKoAK3Ma88LL+bktHbXad8oK6MANM61uAKW/wHJWUN2E6gTkQWxJTKOXImwz1Wk Q0omxdInhzedP5BxoUWyc0/3ajgcrZCG1wmwdCb9sS4MpIz6PFjJEFr+ol6AvlZUR4Tsiypq0eC 3FVtj/cZn50ezHqi2QFaYS1v23pP8tMOyYmaA==
X-TMASE-SNAP-Result: 1.821001.0001-0-1-22:0,33:0,34:0-0
Archived-At: <https://mailarchive.ietf.org/arch/msg/i2nsf/m-CSrAKtChed1asdk-T2yEUE1Ag>
Subject: Re: [I2nsf] I2NSF Drafts for Independent Submission Stream
X-BeenThere: i2nsf@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: "*I2NSF: Interface to Network Security Functions mailing list*" <i2nsf.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/i2nsf>, <mailto:i2nsf-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/i2nsf/>
List-Post: <mailto:i2nsf@ietf.org>
List-Help: <mailto:i2nsf-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/i2nsf>, <mailto:i2nsf-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 30 Jul 2023 00:15:36 -0000

Hi,

 

[Reduced circulation a bit]

 

This email is primarily for the ISE to help them understand how the documents may be positioned. The document authors may want to chime in, but I am not trying to have a discussion.

 

I read all three of these documents on the plane today. I did not give as much review as they need, but I aimed to get enough of a view that we can work out the next steps.

 

I note that none of the documents was adopted by I2NSF, although some of them have been around for a long time and revised often. From this, I deduce that either the work was judged out of scope of he working group or there was insufficient support from the working group. 

 

All three drafts need a lot of polish. This is the sort of assistance that working group review normally provides. Before they could be presented for publication they need work to make them more readable and clear: authors often look for an interested party who has good language skills and can help make the documents clear. Note that we cannot leave that sort of work to the late stage reviewers or the RFC Editor because:

1.	It is unfair to ask people to give up their time to perform technical reviews and then expect them to spend extra effort as language editors.
2.	The RFC Editor cannot perform technical edits and if the make a large number of language edits, there is a high likelihood that they will break some technical description

 

draft-yang-i2nsf-security-policy-translation is not an easy ready. I think it is substantially “upside down” in that it discusses the details before presenting the architecture that gives the context for the details.

 

The document advertises itself as providing “guidelines” but is positioned as Standards Track, which is inconsistent with a document that defines no on-wire behaviours. 

 

RFC 8329 shows the high level I2NSF architecture and names the main functional unit the Network Operator Management System. This document appears to name the same component as the Security Controller (a name introduced in draft-pastor-i2nsf-nsf-remote-attestation?). But the external interfaces are the same (CFI and NFI) so we can probably assume they are identical.
 
The main thrust of this document is to describe how there is an important functional component within the Security Controller, and it describes how that component is broken into a number of subcomponents. The document goes on to define YANG models that are used on the interfaces between those subcomponents.
 
It seems to me that the “guidelines” in this document are no more than advice to an implementer about how to build their software. The advice may be good or otherwise (I am not going to make an assessment), but I don’t think it has standardisation merit. This is because the document is essentially an implementation guide for people who need help working out the processing that should be done in an I2NSF system. I think, however, that the CFI and NFI are well-defined and that *any* implementation that maps between those interfaces would be acceptable. We do not need to show people how to make good implementations, and we should allow scope for them to make better or worse implementations as they choose.
 
My conclusion, therefore, is that while this document falls into the category of “related to IETF work”:
1.       There is no value in bringing it to SecDispatch because it is not a document the IETF would publish
2.       The AD has already indicated that he would not AD-sponsor this document
3.       There is no working group into which this work falls
4.       This document would be better published as a journal article describing the architecture of Sungkyunkwan University implementation, and should not be published on the Independent Stream (the ISE can, of course, make their own decision)
 
draft-jeong-i2nsf-security-management-automation is in much better shape both technically and with its use of language.
 
Sections 1, 2, and 3 seem reasonable, although the material is presented across the three sections in a strange way, and would benefit from re-ordering so that related pieces are kept together (for example, Figure 1 is in section 2 – the terminology section – but the explanation of the terms used in the figure are found in section 3).
 
The components shown in Figure 1 seem reasonable potential distinct components that could be implemented by different people and so would need standard interfaces.
 
Section 4 seems to be a repeat of the internal functional architecture of the Security Controller as defined in draft-yang-i2nsf-security-policy-translation. I don’t see why this section is present in this document as it describes internals that do not need to be exposed in the architecture.
 
If slimmed down with the removal of section 4, this document is a candidate for publication (it would be <8 pages of content). It falls into the category of “related to IETF work” and is sufficiently general to avoid being associated with any individual implementation. 
 
My conclusion, therefore, is that this document could be published as an RFC:
1.       Showing this document to SecDispatch might bring additional reviews, but I do not believe they have anywhere to which to dispatch it:
a.       The AD has already indicated that he would not AD-sponsor this document
b.       There is no working group into which this work falls
2.       This document could be published on the Independent Stream (the ISE can, of course, make their own decision), but would need to include some explanation of why it is not IETF work and how it is of value to the reader
 
draft-lingga-i2nsf-analytics-interface-dm describes an interface introduced in draft-jeong-i2nsf-security-management-automation. Its publication, therefore, is entirely dependent on the publication of draft-jeong-i2nsf-security-management-automation.
 
In defining a YANG model, the document requests codepoint assignments from registries governed as “Specification Required” with review by Designated Experts. The registries talk about being for things “used within IETF protocols” and it is not clear to me whether assignments may be made for non-IETF documents if the involved protocols *are* IETF protocols. The Designated Expert should be consulted.
 
The model defined is intended to work on an external interface between components that may be separately located and might be implemented by different sources. This is a valid reason to define a model, but the question must arise as to whether anyone intends to implement this model (and the architecture in draft-jeong-i2nsf-security-management-automation) for actual deployment. This makes a difference between the document being a general definition of a YANG model, and “Sungkyunkwan University and ETRI’s YANG model”.
 
I have not reviewed the YANG and I believe that detailed and careful YANG review is needed before the publication of any new model.
 
My conclusion, therefore, is that this document could be published as an RFC:
1.       It is related to IETF work, although only if draft-jeong-i2nsf-security-management-automation is published
2.       Showing this document to SecDispatch might bring additional reviews, but I do not believe they have anywhere to which to dispatch it:
a.       The AD has already indicated that he would not AD-sponsor this document
b.       There is no working group into which this work falls
3.       Significant review of the YANG is needed
4.       Approval by the IANA Designated Experts should be gained before spending any reviewer time
5.       This document could be published on the Independent Stream (the ISE can, of course, make their own decision), but would need to include some explanation of whether it is specific to known implementations or more generally applicable.
 
Cheers,
Adrian

 

From: Mr. Jaehoon Paul Jeong <jaehoon.paul@gmail.com> 
Sent: 27 July 2023 06:05
To: Rifaat Shekh-Yusef <rifaat.s.ietf@gmail.com>; Adrian Farrel <adrian@olddog.co.uk>; Linda Dunbar <linda.dunbar@futurewei.com>
Cc: Independent Submissions Editor (Eliot Lear) <rfc-ise@rfc-editor.org>; Roman Danyliw <rdd@cert.org>; i2nsf@ietf.org; opsawg-chairs@ietf.org; sec-ads@ietf.org; Secdispatch@ietf.org; Mr. Jaehoon Paul Jeong <jaehoon.paul@gmail.com>
Subject: Re: I2NSF Drafts for Independent Submission Stream

 

Hi Rifaat,

Okay, SecDispatch WG seems like a good place.

How can I take action to let the following three I2NSF drafts be reviewed by SecDispatch WG?

 

---
- Security Management Automation of Cloud-Based Security Services in I2NSF Framework
. URL: https://datatracker.ietf.org/doc/draft-jeong-i2nsf-security-management-automation/
. Summary: This draft proposes an extension of the I2NSF framework for closed-loop
  security control in Intent-Based Networking (IBN). It suggests a new component called
  I2NSF Analyzer and a new interface called Analytics Interface.
. Purpose: Informational RFC

- I2NSF Analytics Interface YANG Data Model
. URL: https://datatracker.ietf.org/doc/draft-lingga-i2nsf-analytics-interface-dm/
. Summary: This draft proposes an Analytics Interface YANG Data Model to deliver either 
  policy reconfiguration or feedback information from I2NSF Analyzer to Security
  Controller.
. Purpose: Experimental RFC

- Guidelines for Security Policy Translation in Interface to Network Security Functions
. URL: https://datatracker.ietf.org/doc/draft-yang-i2nsf-security-policy-translation/
. Summary: This draft proposes the guidelines for security policy translation
   in the I2NSF framework, that is, the translation from a high-level security policy
   to the corresponding low-level security policy. It focuses on the mapping between
   Consumer-Facing Interface and Network Security Function (NSF)-Facing Interface.

. Purpose:  Standards Track RFC
---

 

Adrian and Linda,

If you have another opinion, please let us know.

 

Thanks.

 

Best Regards,

Paul

 

2023년 7월 26일 (수) 오전 3:22, Rifaat Shekh-Yusef <rifaat.s.ietf@gmail.com <mailto:rifaat.s.ietf@gmail.com> >님이 작성:

 

 

On Tue, Jul 25, 2023 at 11:45 PM Mr. Jaehoon Paul Jeong <jaehoon.paul@gmail.com <mailto:jaehoon.paul@gmail.com> > wrote:

Hi Eliot,

I answer your comments and questions inline below.

 

On Tue, Jul 25, 2023 at 1:35 AM Independent Submissions Editor (Eliot Lear) <rfc-ise@rfc-editor.org <mailto:rfc-ise@rfc-editor.org> > wrote:

Hi Paul and thanks for contacting me, and thanks Adrian.  Before we proceed further, it may be desirable to either SECDISPATCH

or present to OPSAREA these works back into the IETF.  

Has that been discussed?  

 => These three I2NSF drafts were discussed in the I2NSF WG in the past.

   However, since their topics were out of scope of the I2NSF WG, they could not
   be adopted by the I2NSF WG.
   Even though I tried to proceed with the standardization of those drafts
   through the rechartering of the I2NSF WG, the rechartering was declined by
   Roman Danyliw, who is a SEC AD, due to the low energy of the I2NSF WG.
   Roman also declined to shepherd them as an AD sponsor in the case of 
   Independent Submission Stream due to some reasons announced to the I2NSF WG.
   By this background, I think that the discussion in SECDISPATCH may not be
   appropriable for these drafts.
   

 

I do not think that these are reasons for not to go to SecDispatch.

That's the role of SecDispatch WG; to discuss and suggest a way forward for work that has no obvious home.

 

Regards,

 Rifaat

 

 

 

 

   OPSAWG may be appropriable for these drafts since they are related to
   operations and management for the closed-loop security control by the I2NSF
   framework.
   However, many active WG documents are handled and overloaded by OPSAWG,
   I am afraid that these drafts cannot be discussed and handled by OPSAWG. 

A working group closure on its own should not preclude further IETF work. 

Also, you may wish to present this work to iotops if you have not already done so.

=> Thanks for your encouragement on these drafts.
   IOTOPS handles the issues related to IoT devices, so these drafts 
   may not be interesting to IOTOPS because these I2NSF drafts are related to
   the virtualized security functions for cloud-based security service systems.

 

   I believe that Adrian will be able to suggest a good way for these drafts after his review on
   these drafts after this IETF 117.

 

   I CC Roman Danyliw who was the responsible AD of the I2NSF WG since he may give

   us his more opinions.

   Thanks.

   Best Regards,
   Paul

 

 

Eliot (ISE)



On 25 Jul 2023, at 09:33, Mr. Jaehoon Paul Jeong  <mailto:jaehoon.paul@gmail.com> <jaehoon.paul@gmail.com> wrote:

 

Hi Adrian, 

As I told you yesterday,

I2NSF WG has finished all the chartered work items including the five YANG data model drafts recently, 

and it is concluded now:

https://datatracker.ietf.org/wg/i2nsf/about/

 

However, to deploy the I2NSF framework and interfaces in the industry, 

the following three drafts will be quite useful:

 

- Security Management Automation of Cloud-Based Security Services in I2NSF Framework
. URL: https://datatracker.ietf.org/doc/draft-jeong-i2nsf-security-management-automation/
. Summary: This draft proposes an extension of the I2NSF framework for closed-loop
  security control in Intent-Based Networking (IBN). It suggests a new component called
  I2NSF Analyzer and a new interface called Analytics Interface.
. Purpose: Informational RFC

- I2NSF Analytics Interface YANG Data Model
. URL: https://datatracker.ietf.org/doc/draft-lingga-i2nsf-analytics-interface-dm/
. Summary: This draft proposes an Analytics Interface YANG Data Model to deliver either 
  policy reconfiguration or feedback information from I2NSF Analyzer to Security
  Controller.
. Purpose: Experimental RFC

- Guidelines for Security Policy Translation in Interface to Network Security Functions
. URL: https://datatracker.ietf.org/doc/draft-yang-i2nsf-security-policy-translation/
. Summary: This draft proposes the guidelines for security policy translation
   in the I2NSF framework, that is, the translation from a high-level security policy
   to the corresponding low-level security policy. It focuses on the mapping between
   Consumer-Facing Interface and Network Security Function (NSF)-Facing Interface.
   
The basic concepts of these works are proved through the I2NSF Hackathon Projects.
The open-source I2NSF hackathon project is located at the Github:
https://github.com/jaehoonpaul/i2nsf-framework

I would like to submit those three drafts to the IETF independent submission stream this week:

https://www.rfc-editor.org/about/independent/

If you have comments on this matter, please let us know.

 

I CC Eliot Lear who is the Independent Submissions Editor (ISE) in the IETF.


Thanks for your support.

Best Regards,
Paul

-- 

===========================
Mr. Jaehoon (Paul) Jeong, Ph.D.
Associate Professor

Department of Computer Science and Engineering

Sungkyunkwan University
Office: +82-31-299-4957
Email:  <mailto:pauljeong@skku.edu> pauljeong@skku.edu, jaehoon.paul@gmail.com <mailto:jaehoon.paul@gmail.com> 
Personal Homepage: http://iotlab.skku.edu/people-jaehoon-jeong.php <http://cpslab.skku.edu/people-jaehoon-jeong.php>

v2.23.0 | Report a Bug | By Email