IETF Logo Mail Archive

Re: [I2nsf] I2NSF Drafts for Independent Submission Stream

"Mr. Jaehoon Paul Jeong" <jaehoon.paul@gmail.com> Mon, 31 July 2023 16:49 UTC

Return-Path: <jaehoon.paul@gmail.com>
X-Original-To: i2nsf@ietfa.amsl.com
Delivered-To: i2nsf@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B2948C14CF09; Mon, 31 Jul 2023 09:49:22 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.095
X-Spam-Level:
X-Spam-Status: No, score=-1.095 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_HK_NAME_FM_MR_MRS=0.01, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001, URI_DOTEDU=1] autolearn=no autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 9h43JL1MvoCy; Mon, 31 Jul 2023 09:49:18 -0700 (PDT)
Received: from mail-vk1-xa31.google.com (mail-vk1-xa31.google.com [IPv6:2607:f8b0:4864:20::a31]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 941D8C15153D; Mon, 31 Jul 2023 09:49:18 -0700 (PDT)
Received: by mail-vk1-xa31.google.com with SMTP id 71dfb90a1353d-486198c70adso1550470e0c.0; Mon, 31 Jul 2023 09:49:18 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20221208; t=1690822157; x=1691426957; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc:subject:date:message-id:reply-to; bh=UFjLiIfPnoOXxKnzhKAfeEZ50vJsP/1KZ0eBKrHkrQA=; b=sf9RKaTm169DCaG5PJb+Ynwaft9vcBviG6R/aT4H642zuHaAApZc7ew1plpWcBvU+U ND8eDZgucYk2BQiOE3gEsuf/JopDLxToC2Q0WmLBEYOuSJUAY7MXOzmCFxCuJVaGu2SU ifIIWamLkEFrUXhzQojS6NgfGpgp5FPO6du/IJ3Q1k32AkkF8uiRzGEo3pPAF1n9Z/2g zg10lXwGHnRnZLPl/rjRWTMuXxuqLxmD3oZLvlgzh+qMOiucDWHmfbpkK9PDjLea/F3j fnp7+WFpnR0ODTpbtF4lyLooe5mmBK+cIL1/WBnq98U/4clFy/k7R38lOEeSWsQhwlh9 TNHw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20221208; t=1690822157; x=1691426957; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=UFjLiIfPnoOXxKnzhKAfeEZ50vJsP/1KZ0eBKrHkrQA=; b=DqN6A8DUTriCVdDMSIiMfAtC71C2gzrfjVbiOYKYZXmOr84lF7qkwIQY3cCcfeEdlz I3TlxVOquM+hK9RUsec+VBn8xFN/b3NHSlEu9alZOP0od3CpAJF2ibb1KLokKpoK04Bn ZP7VxafeYh+0m8TefWWBxPigUhLBZHYm8kwbm/8f1Qc5kt9BlgHjAnh8k7OfoUcafhN1 ihKSL1FfEssND6i2Z7Rwi6DeaD7MqzzeA3PDN/MOuAa0KKIwypDBA97KEMB0GVyKM3RP +mM5UP+5GZatfa7QJGMzgRouxpFEZCyJjtD2NMh2h0vliW9ESs+RBQYeUxkDkDPQH2/4 e+1g==
X-Gm-Message-State: ABy/qLZoCL7gJRkD9z5bwEAu91pAtQgDc7GEk19EKQBBoZWLjiyEwDAx JdLnnzcoV5BhFTCMVlm+5uy1w5RWH6OczwI5pBw=
X-Google-Smtp-Source: APBJJlFeeVhB4HJRudigi7hgLAivOvccxRhgFS9vYwt5yPQZ898I1u+frSvLtRWVYZc3BB9OCs9TArIXOhGgknnTNJI=
X-Received: by 2002:a1f:bf55:0:b0:471:24c3:6cd3 with SMTP id p82-20020a1fbf55000000b0047124c36cd3mr495274vkf.11.1690822155527; Mon, 31 Jul 2023 09:49:15 -0700 (PDT)
MIME-Version: 1.0
References: <CAPK2Dex37mLMNTcb6aqT-DMVCjRvfdnLxexQndJD7zhmzbKsmg@mail.gmail.com> <61B52D16-EDA4-486F-9899-FE611B18DFE2@cisco.com> <89ea1507-6c08-ffee-abd0-f2ac87fbe880@rfc-editor.org> <CAPK2DeyZftNKJ9ERGv8b=kdDVYew1g-g2VDV9Q5dxa3HP9=LZw@mail.gmail.com> <CADNypP_nnT8tO7yqtmvOU5ogpT5cYLoOAC4waJ8nPrHzNdicJA@mail.gmail.com> <CAPK2DezQsA4b76Uq9YCv0sERf3qKaDuMCs1=cmgrHHPj8M+Ziw@mail.gmail.com> <004401d9c27a$e9bac370$bd304a50$@olddog.co.uk>
In-Reply-To: <004401d9c27a$e9bac370$bd304a50$@olddog.co.uk>
From: "Mr. Jaehoon Paul Jeong" <jaehoon.paul@gmail.com>
Date: Tue, 01 Aug 2023 01:48:39 +0900
Message-ID: <CAPK2Dey4VYf7o3nAN5ow8RKgCz+G5c+V9kSFAh+D9gfpdYs8Xw@mail.gmail.com>
To: adrian@olddog.co.uk
Cc: "Independent Submissions Editor (Eliot Lear)" <rfc-ise@rfc-editor.org>, i2nsf@ietf.org, sec-ads@ietf.org, Rifaat Shekh-Yusef <rifaat.s.ietf@gmail.com>, Linda Dunbar <linda.dunbar@futurewei.com>, "Mr. Jaehoon Paul Jeong" <jaehoon.paul@gmail.com>
Content-Type: multipart/alternative; boundary="000000000000f56ce00601cb35c1"
Archived-At: <https://mailarchive.ietf.org/arch/msg/i2nsf/thFlN33bQ6N9ESbUSF-GZBexGJI>
Subject: Re: [I2nsf] I2NSF Drafts for Independent Submission Stream
X-BeenThere: i2nsf@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: "*I2NSF: Interface to Network Security Functions mailing list*" <i2nsf.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/i2nsf>, <mailto:i2nsf-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/i2nsf/>
List-Post: <mailto:i2nsf@ietf.org>
List-Help: <mailto:i2nsf-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/i2nsf>, <mailto:i2nsf-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 31 Jul 2023 16:49:22 -0000

Hi Adrian,
Thank you very much for your detailed review on the three drafts.

According to your comments, I will submit the following two drafts to the
ISE after polishing them up:
- draft-jeong-i2nsf-security-management-automation
- draft-lingga-i2nsf-analytics-interface-dm

Thanks.

Best Regards,
Paul

On Sun, Jul 30, 2023 at 9:15 AM Adrian Farrel <adrian@olddog.co.uk> wrote:

> Hi,
>
>
>
> [Reduced circulation a bit]
>
>
>
> This email is primarily for the ISE to help them understand how the
> documents may be positioned. The document authors may want to chime in, but
> I am not trying to have a discussion.
>
>
>
> I read all three of these documents on the plane today. I did not give as
> much review as they need, but I aimed to get enough of a view that we can
> work out the next steps.
>
>
>
> I note that none of the documents was adopted by I2NSF, although some of
> them have been around for a long time and revised often. From this, I
> deduce that either the work was judged out of scope of he working group or
> there was insufficient support from the working group.
>
>
>
> All three drafts need a lot of polish. This is the sort of assistance that
> working group review normally provides. Before they could be presented for
> publication they need work to make them more readable and clear: authors
> often look for an interested party who has good language skills and can
> help make the documents clear. Note that we cannot leave that sort of work
> to the late stage reviewers or the RFC Editor because:
>
>    1. It is unfair to ask people to give up their time to perform
>    technical reviews and then expect them to spend extra effort as language
>    editors.
>    2. The RFC Editor cannot perform technical edits and if the make a
>    large number of language edits, there is a high likelihood that they will
>    break some technical description
>
>
>
> *draft-yang-i2nsf-security-po**licy-translation* is not an easy ready. I
> think it is substantially “upside down” in that it discusses the details
> before presenting the architecture that gives the context for the details.
>
>
>
> The document advertises itself as providing “guidelines” but is positioned
> as Standards Track, which is inconsistent with a document that defines no
> on-wire behaviours.
>
>
>
> RFC 8329 shows the high level I2NSF architecture and names the main functional unit the Network Operator Management System. This document appears to name the same component as the Security Controller (a name introduced in draft-pastor-i2nsf-nsf-remote-attestation?). But the external interfaces are the same (CFI and NFI) so we can probably assume they are identical.
>
>
>
> The main thrust of this document is to describe how there is an important functional component within the Security Controller, and it describes how that component is broken into a number of subcomponents. The document goes on to define YANG models that are used on the interfaces between those subcomponents.
>
>
>
> It seems to me that the “guidelines” in this document are no more than advice to an implementer about how to build their software. The advice may be good or otherwise (I am not going to make an assessment), but I don’t think it has standardisation merit. This is because the document is essentially an implementation guide for people who need help working out the processing that should be done in an I2NSF system. I think, however, that the CFI and NFI are well-defined and that **any** implementation that maps between those interfaces would be acceptable. We do not need to show people how to make good implementations, and we should allow scope for them to make better or worse implementations as they choose.
>
>
>
> My conclusion, therefore, is that while this document falls into the category of “related to IETF work”:
>
> 1.       There is no value in bringing it to SecDispatch because it is not a document the IETF would publish
>
> 2.       The AD has already indicated that he would not AD-sponsor this document
>
> 3.       There is no working group into which this work falls
>
> 4.       This document would be better published as a journal article describing the architecture of Sungkyunkwan University implementation, and should not be published on the Independent Stream (the ISE can, of course, make their own decision)
>
>
>
> *draft-jeong-i2nsf-security-management-automation *is in much better shape both technically and with its use of language.
>
>
>
> Sections 1, 2, and 3 seem reasonable, although the material is presented across the three sections in a strange way, and would benefit from re-ordering so that related pieces are kept together (for example, Figure 1 is in section 2 – the terminology section – but the explanation of the terms used in the figure are found in section 3).
>
>
>
> The components shown in Figure 1 seem reasonable potential distinct components that could be implemented by different people and so would need standard interfaces.
>
>
>
> Section 4 seems to be a repeat of the internal functional architecture of the Security Controller as defined in draft-yang-i2nsf-security-policy-translation. I don’t see why this section is present in this document as it describes internals that do not need to be exposed in the architecture.
>
>
>
> If slimmed down with the removal of section 4, this document is a candidate for publication (it would be <8 pages of content). It falls into the category of “related to IETF work” and is sufficiently general to avoid being associated with any individual implementation.
>
>
>
> My conclusion, therefore, is that this document could be published as an RFC:
>
> 1.       Showing this document to SecDispatch might bring additional reviews, but I do not believe they have anywhere to which to dispatch it:
>
> a.       The AD has already indicated that he would not AD-sponsor this document
>
> b.       There is no working group into which this work falls
>
> 2.       This document could be published on the Independent Stream (the ISE can, of course, make their own decision), but would need to include some explanation of why it is not IETF work and how it is of value to the reader
>
>
>
> *draft-lingga-i2nsf-analytics-interface-dm* describes an interface introduced in draft-jeong-i2nsf-security-management-automation. Its publication, therefore, is entirely dependent on the publication of draft-jeong-i2nsf-security-management-automation.
>
>
>
> In defining a YANG model, the document requests codepoint assignments from registries governed as “Specification Required” with review by Designated Experts. The registries talk about being for things “used within IETF protocols” and it is not clear to me whether assignments may be made for non-IETF documents if the involved protocols **are** IETF protocols. The Designated Expert should be consulted.
>
>
>
> The model defined is intended to work on an external interface between components that may be separately located and might be implemented by different sources. This is a valid reason to define a model, but the question must arise as to whether anyone intends to implement this model (and the architecture in draft-jeong-i2nsf-security-management-automation) for actual deployment. This makes a difference between the document being a general definition of a YANG model, and “Sungkyunkwan University and ETRI’s YANG model”.
>
>
>
> I have not reviewed the YANG and I believe that detailed and careful YANG review is needed before the publication of any new model.
>
>
>
> My conclusion, therefore, is that this document could be published as an RFC:
>
> 1.       It is related to IETF work, although only if draft-jeong-i2nsf-security-management-automation is published
>
> 2.       Showing this document to SecDispatch might bring additional reviews, but I do not believe they have anywhere to which to dispatch it:
>
> a.       The AD has already indicated that he would not AD-sponsor this document
>
> b.       There is no working group into which this work falls
>
> 3.       Significant review of the YANG is needed
>
> 4.       Approval by the IANA Designated Experts should be gained before spending any reviewer time
>
> 5.       This document could be published on the Independent Stream (the ISE can, of course, make their own decision), but would need to include some explanation of whether it is specific to known implementations or more generally applicable.
>
>
>
> Cheers,
>
> Adrian
>
>
>
> *From:* Mr. Jaehoon Paul Jeong <jaehoon.paul@gmail.com>
> *Sent:* 27 July 2023 06:05
> *To:* Rifaat Shekh-Yusef <rifaat.s.ietf@gmail.com>; Adrian Farrel <
> adrian@olddog.co.uk>; Linda Dunbar <linda.dunbar@futurewei.com>
> *Cc:* Independent Submissions Editor (Eliot Lear) <rfc-ise@rfc-editor.org>;
> Roman Danyliw <rdd@cert.org>; i2nsf@ietf.org; opsawg-chairs@ietf.org;
> sec-ads@ietf.org; Secdispatch@ietf.org; Mr. Jaehoon Paul Jeong <
> jaehoon.paul@gmail.com>
> *Subject:* Re: I2NSF Drafts for Independent Submission Stream
>
>
>
> Hi Rifaat,
>
> Okay, SecDispatch WG seems like a good place.
>
> How can I take action to let the following three I2NSF drafts be reviewed
> by SecDispatch WG?
>
>
>
> ---
> - Security Management Automation of Cloud-Based Security Services in I2NSF
> Framework
> . URL:
> https://datatracker.ietf.org/doc/draft-jeong-i2nsf-security-management-automation/
> . Summary: This draft proposes an extension of the I2NSF framework for
> closed-loop
>   security control in Intent-Based Networking (IBN). It suggests a new
> component called
>   I2NSF Analyzer and a new interface called Analytics Interface.
> . Purpose: Informational RFC
>
> - I2NSF Analytics Interface YANG Data Model
> . URL:
> https://datatracker.ietf.org/doc/draft-lingga-i2nsf-analytics-interface-dm/
> . Summary: This draft proposes an Analytics Interface YANG Data Model to
> deliver either
>   policy reconfiguration or feedback information from I2NSF Analyzer to
> Security
>   Controller.
> . Purpose: Experimental RFC
>
> - Guidelines for Security Policy Translation in Interface to Network
> Security Functions
> . URL:
> https://datatracker.ietf.org/doc/draft-yang-i2nsf-security-policy-translation/
> . Summary: This draft proposes the guidelines for security policy
> translation
>    in the I2NSF framework, that is, the translation from a high-level
> security policy
>    to the corresponding low-level security policy. It focuses on the
> mapping between
>    Consumer-Facing Interface and Network Security Function (NSF)-Facing
> Interface.
>
> . Purpose:  Standards Track RFC
> ---
>
>
>
> Adrian and Linda,
>
> If you have another opinion, please let us know.
>
>
>
> Thanks.
>
>
>
> Best Regards,
>
> Paul
>
>
>
> 2023년 7월 26일 (수) 오전 3:22, Rifaat Shekh-Yusef <rifaat.s.ietf@gmail.com>님이
> 작성:
>
>
>
>
>
> On Tue, Jul 25, 2023 at 11:45 PM Mr. Jaehoon Paul Jeong <
> jaehoon.paul@gmail.com> wrote:
>
> Hi Eliot,
>
> I answer your comments and questions inline below.
>
>
>
> On Tue, Jul 25, 2023 at 1:35 AM Independent Submissions Editor (Eliot
> Lear) <rfc-ise@rfc-editor.org> wrote:
>
> Hi Paul and thanks for contacting me, and thanks Adrian.  Before we
> proceed further, it may be desirable to either SECDISPATCH
>
> or present to OPSAREA these works back into the IETF.
>
> Has that been discussed?
>
>  => These three I2NSF drafts were discussed in the I2NSF WG in the past.
>
>    However, since their topics were out of scope of the I2NSF WG, they
> could not
>    be adopted by the I2NSF WG.
>    Even though I tried to proceed with the standardization of those drafts
>    through the rechartering of the I2NSF WG, the rechartering was declined
> by
>    Roman Danyliw, who is a SEC AD, due to the low energy of the I2NSF WG.
>    Roman also declined to shepherd them as an AD sponsor in the case of
>    Independent Submission Stream due to some reasons announced to the
> I2NSF WG.
>    By this background, I think that the discussion in SECDISPATCH may not
> be
>    appropriable for these drafts.
>
>
>
>
> I do not think that these are reasons for not to go to SecDispatch.
>
> That's the role of SecDispatch WG; to discuss and suggest a way forward
> for work that has no obvious home.
>
>
>
> Regards,
>
>  Rifaat
>
>
>
>
>
>
>
>
>
>    OPSAWG may be appropriable for these drafts since they are related to
>    operations and management for the closed-loop security control by the
> I2NSF
>    framework.
>    However, many active WG documents are handled and overloaded by OPSAWG,
>    I am afraid that these drafts cannot be discussed and handled by
> OPSAWG.
>
> A working group closure on its own should not preclude further IETF work.
>
> Also, you may wish to present this work to iotops if you have not already
> done so.
>
> => Thanks for your encouragement on these drafts.
>    IOTOPS handles the issues related to IoT devices, so these drafts
>    may not be interesting to IOTOPS because these I2NSF drafts are related
> to
>    the virtualized security functions for cloud-based security service
> systems.
>
>
>
>    I believe that Adrian will be able to suggest a good way for these
> drafts after his review on
>    these drafts after this IETF 117.
>
>
>
>    I CC Roman Danyliw who was the responsible AD of the I2NSF WG since he
> may give
>
>    us his more opinions.
>
>    Thanks.
>
>    Best Regards,
>    Paul
>
>
>
>
>
> Eliot (ISE)
>
> On 25 Jul 2023, at 09:33, Mr. Jaehoon Paul Jeong <jaehoon.paul@gmail.com>
> <jaehoon.paul@gmail.com> wrote:
>
>
>
> Hi Adrian,
>
> As I told you yesterday,
>
> I2NSF WG has finished all the chartered work items including the five YANG
> data model drafts recently,
>
> and it is concluded now:
>
> https://datatracker.ietf.org/wg/i2nsf/about/
>
>
>
> However, to deploy the I2NSF framework and interfaces in the industry,
>
> the following three drafts will be quite useful:
>
>
>
> - Security Management Automation of Cloud-Based Security Services in I2NSF
> Framework
> . URL:
> https://datatracker.ietf.org/doc/draft-jeong-i2nsf-security-management-automation/
> . Summary: This draft proposes an extension of the I2NSF framework for
> closed-loop
>   security control in Intent-Based Networking (IBN). It suggests a new
> component called
>   I2NSF Analyzer and a new interface called Analytics Interface.
> . Purpose: Informational RFC
>
> - I2NSF Analytics Interface YANG Data Model
> . URL:
> https://datatracker.ietf.org/doc/draft-lingga-i2nsf-analytics-interface-dm/
> . Summary: This draft proposes an Analytics Interface YANG Data Model to
> deliver either
>   policy reconfiguration or feedback information from I2NSF Analyzer to
> Security
>   Controller.
> . Purpose: Experimental RFC
>
> - Guidelines for Security Policy Translation in Interface to Network
> Security Functions
> . URL:
> https://datatracker.ietf.org/doc/draft-yang-i2nsf-security-policy-translation/
> . Summary: This draft proposes the guidelines for security policy
> translation
>    in the I2NSF framework, that is, the translation from a high-level
> security policy
>    to the corresponding low-level security policy. It focuses on the
> mapping between
>    Consumer-Facing Interface and Network Security Function (NSF)-Facing
> Interface.
>
> The basic concepts of these works are proved through the I2NSF Hackathon
> Projects.
> The open-source I2NSF hackathon project is located at the Github:
> https://github.com/jaehoonpaul/i2nsf-framework
>
> I would like to submit those three drafts to the IETF independent
> submission stream this week:
>
> https://www.rfc-editor.org/about/independent/
>
> If you have comments on this matter, please let us know.
>
>
>
> I CC Eliot Lear who is the Independent Submissions Editor (ISE) in the
> IETF.
>
>
> Thanks for your support.
>
> Best Regards,
> Paul
>
> --
>
> ===========================
> Mr. Jaehoon (Paul) Jeong, Ph.D.
> Associate Professor
>
> Department of Computer Science and Engineering
>
> Sungkyunkwan University
> Office: +82-31-299-4957
> Email: pauljeong@skku.edu, jaehoon.paul@gmail.com
> Personal Homepage: http://iotlab.skku.edu/people-jaehoon-jeong.php
> <http://cpslab.skku.edu/people-jaehoon-jeong.php>
>
>
>
>

v2.23.0 | Report a Bug | By Email