[Nsaas] Proposed charter for Interface to Network Security Functions (I2NSF)

Linda Dunbar <linda.dunbar@huawei.com> Tue, 23 September 2014 17:32 UTC

Return-Path: <linda.dunbar@huawei.com>
X-Original-To: nsaas@ietfa.amsl.com
Delivered-To: nsaas@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com []) by ietfa.amsl.com (Postfix) with ESMTP id 720DF1A1B47 for <nsaas@ietfa.amsl.com>; Tue, 23 Sep 2014 10:32:34 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.986
X-Spam-Status: No, score=-4.986 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_MED=-2.3, RP_MATCHES_RCVD=-0.786, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([]) by localhost (ietfa.amsl.com []) (amavisd-new, port 10024) with ESMTP id EXuZTvH1hr2g for <nsaas@ietfa.amsl.com>; Tue, 23 Sep 2014 10:32:31 -0700 (PDT)
Received: from lhrrgout.huawei.com (lhrrgout.huawei.com []) (using TLSv1 with cipher RC4-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 8D5821A8739 for <nsaas@ietf.org>; Tue, 23 Sep 2014 10:32:30 -0700 (PDT)
Received: from (EHLO lhreml405-hub.china.huawei.com) ([]) by lhrrg02-dlp.huawei.com (MOS 4.3.7-GA FastPath queued) with ESMTP id BJU26556; Tue, 23 Sep 2014 17:32:29 +0000 (GMT)
Received: from DFWEML703-CHM.china.huawei.com ( by lhreml405-hub.china.huawei.com ( with Microsoft SMTP Server (TLS) id; Tue, 23 Sep 2014 18:32:28 +0100
Received: from DFWEML701-CHM.china.huawei.com ([]) by dfweml703-chm ([]) with mapi id 14.03.0158.001; Tue, 23 Sep 2014 10:32:26 -0700
From: Linda Dunbar <linda.dunbar@huawei.com>
To: "nsaas@ietf.org" <nsaas@ietf.org>
Thread-Topic: Proposed charter for Interface to Network Security Functions (I2NSF)
Thread-Index: Ac/XVFao4LMn+51eTWeTdLHKfAGLCQ==
Date: Tue, 23 Sep 2014 17:32:25 +0000
Message-ID: <4A95BA014132FF49AE685FAB4B9F17F645E07F05@dfweml701-chm>
Accept-Language: en-US
Content-Language: en-US
x-originating-ip: []
Content-Type: multipart/alternative; boundary="_000_4A95BA014132FF49AE685FAB4B9F17F645E07F05dfweml701chm_"
MIME-Version: 1.0
X-CFilter-Loop: Reflected
Archived-At: http://mailarchive.ietf.org/arch/msg/nsaas/_HxLsAZMwVoMm_iZ9c2OMyGNR9w
Subject: [Nsaas] Proposed charter for Interface to Network Security Functions (I2NSF)
X-BeenThere: nsaas@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "*NSaaS: Network Security as a Service mailing list*" <nsaas.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/nsaas>, <mailto:nsaas-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/nsaas/>
List-Post: <mailto:nsaas@ietf.org>
List-Help: <mailto:nsaas-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/nsaas>, <mailto:nsaas-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 23 Sep 2014 17:32:34 -0000

Based on the feedback that we've received on that list, we are leaning towards Interface to Network Security Function (I2NSF) for the proposed work. We're informally thinking of modeling work going forward as the I2RS working group. We will ask our Security AD to change the mailing list. We believe that the standard Interface to (Virtual) Network Security Functions (I2NSF)  is a tool to enable NSaaS.  NSaaS will have broader scope, which will touch upon services model, SLA, etc. we are thinking of requesting a non-WG forming BOF at the Honolulu IETF. The deadline is this Friday.

Here is the proposed charter. Please comment and suggest changes.

Interface to Network Security Functions (I2NSF)

Enterprises are increasingly consuming network functions, especially the network security related functions that are not running on their premises.  This shift has occurred for a variety of reasons including greater economies of scale, streamlined delivery mechanisms, and the demand of business and applications for more sophisticated security functions that they do not have. Numerous security vendors are now leveraging cloud based models to deliver security solutions. In particular, the virtualization of network  functions, is meant to facilitate the management of various resources for the benefit of enterprises, who may not own or physically host those network functions. Here are some examples of network security functions under consideration:

*       Firewall

*       DDOS/Anti-DOS

*       Access control/Authorization/Authentication

*       Remote identity management

*       Secure Key management

*       Intrusion Detection System/ Intrusion Prevention System (IDS/IPS)

The Interface to (Virtual) Network Security Functions (I2NSF) initiative aims at improving the dynamic allocation and operation of  network security functions by documenting a global framework that would include protocol-based control and management interfaces, along with adequate data models. The information required for the provisioning, the configuration and the operation of network security functions will be exchanged through the said interfaces and protocols.  . The I2NSF initiative will also take into account the need for co-existing with legacy configuration and management systems used to allocate and operate network security functions, whether they are embedded in network devices or virtualized in data center environments, for example. The standard Interface to request/negotiate/allocate/operate (Virtual) Network Security Functions (I2VNSF) should help operators and service providers offer network security functions as a service to their corporate clients.
It is envisioned that clients of the I2NSF interfaces include management applications, service orchestration systems, network controllers, or user applications that may solicit network security resources.
The I2NSF working group aims at documenting a high-level architecture that will describe the functional building blocks for the dynamic negotiation of security service parameters, the dynamic and subsequent allocation of network security resources and the operation of such resources, including means to assess that what has been allocated complies with what has been negotiated. The work to be conducted by the I2NSF WG also includes the documentation of use cases as well as the specification of information and data models that will provide the adequate level of abstraction. In addition, the I2NSF WG will analyze candidate protocols that may carry the information to be exchanged through the various interfaces (e.g., between a customer and a service provider, between the control plane and the data plane, etc.) for the purpose of network security resource negotiation, allocation and operation.. Small and well-scoped use cases are critical to constrain the scope of the work and achieve sufficient focus for the working group to deliver successful outcomes.

The intended deliverables will include:

*       Tightly scoped key use cases for operational use of I2VNSF

*       Problem statement

*       High-level architecture for I2VNSF security policy request/negotiation/validation

*       Abstract information models consistent with the use cases.

*       An analysis of existing IETF and other protocols and encoding
languages against the requirements derived from the problem statement and use case documents.

Thanks, Linda