[secdir] [new-work] WG Review: Interface to Network Security Functions (i2nsf)

IESG Secretary <iesg-secretary@ietf.org> Wed, 09 September 2015 21:23 UTC

Return-Path: <new-work-bounces@ietf.org>
X-Original-To: secdir@ietf.org
Delivered-To: secdir@ietfa.amsl.com
Received: from ietfa.amsl.com (localhost [IPv6:::1]) by ietfa.amsl.com (Postfix) with ESMTP id 103551AD067; Wed, 9 Sep 2015 14:23:42 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=ietf.org; s=ietf1; t=1441833822; bh=CV2u6XkbjFY0IdsCntbdk4F+qdWGQ+PxATsHMvnidWc=; h=MIME-Version:From:To:Message-ID:Date:Subject:Reply-To:List-Id: List-Unsubscribe:List-Archive:List-Post:List-Help:List-Subscribe: Content-Type:Content-Transfer-Encoding:Sender; b=Uj/MI6q20MxAkaHBrhzwasjBcYWbHdhLxnPp3ktvl1YQJebB8pycgQfBhTiD4XJmc svzk1lxYm85/pzFXPR6YERVtzpTs78GglIqOhVjDth/GEkV7HyoDYgtHmy5VszR2W6 hHkBAg5q2MLMAcmgcV5zDeTopapR9QK2NIpYnX90=
X-Original-To: new-work@ietfa.amsl.com
Delivered-To: new-work@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com []) by ietfa.amsl.com (Postfix) with ESMTP id D886A1A7D84; Wed, 9 Sep 2015 14:23:39 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -101.9
X-Spam-Status: No, score=-101.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, USER_IN_WHITELIST=-100] autolearn=ham
Received: from mail.ietf.org ([]) by localhost (ietfa.amsl.com []) (amavisd-new, port 10024) with ESMTP id PZnKIarGwL1M; Wed, 9 Sep 2015 14:23:37 -0700 (PDT)
Received: from ietfa.amsl.com (localhost [IPv6:::1]) by ietfa.amsl.com (Postfix) with ESMTP id 80AC71A88EC; Wed, 9 Sep 2015 14:23:37 -0700 (PDT)
MIME-Version: 1.0
From: IESG Secretary <iesg-secretary@ietf.org>
To: new-work@ietf.org
X-Test-IDTracker: no
X-IETF-IDTracker: 6.4.1
Auto-Submitted: auto-generated
Precedence: bulk
Message-ID: <20150909212337.20507.3411.idtracker@ietfa.amsl.com>
Date: Wed, 09 Sep 2015 14:23:37 -0700
Archived-At: <http://mailarchive.ietf.org/arch/msg/new-work/iNjFGHRjwemT9Hy7RrTAYJallcw>
X-BeenThere: new-work@ietf.org
X-Mailman-Version: 2.1.15
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: new-work-bounces@ietf.org
Sender: new-work <new-work-bounces@ietf.org>
Archived-At: <http://mailarchive.ietf.org/arch/msg/secdir/cDJcPJ5GltvoPfOztFaPZwX6Rp4>
X-Mailman-Approved-At: Wed, 09 Sep 2015 14:30:50 -0700
Subject: [secdir] [new-work] WG Review: Interface to Network Security Functions (i2nsf)
X-BeenThere: secdir@ietf.org
Reply-To: iesg@ietf.org
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/secdir/>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 09 Sep 2015 21:23:42 -0000

A new IETF working group has been proposed in the Security Area. The IESG
has not made any determination yet. The following draft charter was
submitted, and is provided for informational purposes only. Please send
your comments to the IESG mailing list (iesg at ietf.org) by 2015-09-16.

Interface to Network Security Functions (i2nsf)
Current Status: Proposed WG


Assigned Area Director:
  Kathleen Moriarty <Kathleen.Moriarty.ietf@gmail.com>

Mailing list
  Address: i2nsf@ietf.org
  To Subscribe: https://www.ietf.org/mailman/listinfo/i2nsf 
  Archive: https://mailarchive.ietf.org/arch/browse/i2nsf/


A Network Security Function (NSF) is a function used to ensure integrity,
confidentiality, or availability of network communications, to detect
unwanted network activity, or to block or at least mitigate the effects
of unwanted activity. NSFs are provided and consumed in increasingly
diverse environments. Users could consume network security services
enforced by NSFs hosted by one or more providers, which may be their own
enterprise, service providers, or a combination of both.  Similarly,
service providers may offer their customers network security services
that are enforced by multiple security products, functions from different
vendors, or open source technologies. NSFs may be provided by physical
and/or virtualized infrastructure. Without standard interfaces to control
and monitor the behavior of NSFs, it has become virtually impossible for
providers of security services to automate service offerings that utilize
different security functions from multiple vendors.

The goal of I2NSF is to define a set of software interfaces and data
models for controlling and monitoring aspects of physical and virtual
NSFs, enabling clients to specify rulesets. If the working group finds it
necessary to work on an information model before the data models, to help
provide guidance and derive the data models, it may do so. The working
group will decide later whether the information model needs to be
published as an RFC. Other aspects of NSFs, such as device or network
provisioning and configuration, are out of scope.  As there are many
different security vendors or open source technologies supporting
different features and functions on their devices, I2NSF will focus on
flow-based NSFs that provide treatment to packets/flows, such as
Intrusion Protection/Detection System (IPS/IDS), web filtering, flow
filtering, deep packet inspection, or pattern matching and remediation.

Controlling and monitoring aspects of NSFs include the ability to specify
rules (by a single controller at the first phase), query, and monitor
NSFs by one or more management entities.  The initial phase of I2NSF will
only consider one single controller that can specify or change rules to
NSFs because multi-headed control requires the coordination to avoid
potential conflict of rules. The NSFs can be monitored by multiple
entities, but the database update and synchronization among multiple
management entities are out of scope for I2NSF. 

I2NSF will specify interfaces at two functional levels for the control
and monitoring of network security functions:

The I2NSF Capability Layer specifies how to control and monitor NSFs at a
functional implementation level.  The term "Functional Implementation" is
used to emphasize that the rules (for control and monitor) of NSFs have
to be implementable by most NSFs. I2NSF will standardize a set of
interfaces by which a security controller can invoke, operate, and
monitor NSFs.
The I2NSF Service Layer defines how clients' security policies may be
expressed to a security controller. The controller implements its
policies according to the various capabilities provided by the I2NSF
Capability Layer.  The I2NSF Service Layer also allows the client to
monitor the client specific policies.

A client may leverage the I2NSF Service Layer interface to express
security policies to a security controller, which in turn interacts with
one or more NSFs through the I2NSF Capability Layer interface. 
Alternatively, a client may interact with one or more NSFs directly
through the I2NSF Capability Layer interface.
Since there could be many depths or types of Service Layer policies, the
following bullets further clarify the scope of I2NSF:
    o Only the simple Service Layer policies that are modeled as closely
as possible on the Capability Layer are within the scope.
Simple Service Layer policies can be directly translated to capability
layer rules with a direct mapping that might include a customer ID to be
translated to tags carried by packets, but might not specify the NSF. 
This flexibility in the simple Service Layer enables a security
controller to handle issues like multi-tenancy and the choice between
available NSFs for a given policy.
    o I2NSF will not specify abstract or sophisticated policies from
clients. Expressing policies in ways other than the model used by the
Capability Layer is out of scope.
    o The translation mechanism/methods from Service Layer policies to
Capability layer commands are out of scope for I2NSF.
However, I2NSF will provide a discussion forum for Informational drafts
on data models, APIs, etc. that demonstrate how more complex Service
Layer policies and formats may be translated to Capability Layer
functions.  Such documents would be pursued outside the WG.

Standard interfaces for monitoring and controlling the behavior of NSFs
are essential building blocks for providers of security service to
automate the use of different NSFs from multiple vendors. This work will
leverage the existing protocols and data models defined by the I2RS,
NETCONF, and NETMOD working groups. If extensions to these protocols or
data models are needed, requirements will be developed by this WG, and
the extensions will be developed in cooperation with the working groups
responsible for the protocols.
The I2NSF working group's deliverables include:
    o A single document covering use cases, problem statement, and gap
analysis document. This document will initially be produced for reference
as a living list to track and record discussions: the working group may
decide to not publish this document as an RFC.
    o A framework document, presenting an overview of the use of NSFs and
the purpose of the models developed by the working group. This document
will also be a reference text to guide the main work and the working
group may decide to not publish this document as an RFC.
    o If the working group considers it necessary, a single, unified,
Information Model to describe the control and monitoring of flow-based
    o YANG data models for the control and monitoring of NSFs.
    o A vendor-neutral vocabulary  to enable the characteristics and
behavior of NSFs to be specified without requiring the NSFs themselves to
be standardized, so that "security controller" or "manager" have a common
base to choose the appropriate NSFs (by different vendors) that can
fulfill the requests requested by clients.
    o An examination of existing secure communication mechanisms to
identify the appropriate ones for carrying the controlling and monitoring
information between the NSFs and their management entities. This document
may also be produced as a working document that is not published as an
The working group may additionally choose to develop documents to
describe requirements for extensions (if any) to existing protocols used
by the working group, to explain how the data models are used to monitor
and control flow-based NSFs, and to describe how to use I2RS and NETCONF
to carry the content of the data models. These documents may be published
as Informational RFCs or may be working documents that are discarded once
they have triggered the necessary work.
The working group will work closely with the I2RS, NETCONF, and NETMOD
WGs. The working group will communicate with external SDOs like ETSI NFV
and will encourage open source code development related to the working
group scope in organizations like ONF, OpenStack, ODL, and OPNFV.

The working group must have the above deliverables completed within 24
months.  The responsible AD will close the working group at that time if
they are not completed or close to completion.  The working group may be
closed earlier if substantial progress is not being made.

  Nov 2015 - Adopt use Cases, problem statement, and gap analysis as WG
  Feb 2016 - Adopt framework as WG document
  Jun 2016 - Adopt requirements for extensions to protocols as WG
  Jun 2016 - Adopt examination of existing secure communication
mechanisms as WG document
  Jun 2016 - Adopt info model as WG document (if desired)
  Jul 2016 - Adopt data models as WG document
  Aug 2016 - WG decides whether to progress adopted drafts for
publication as RFCs (use cases, framework, information model, and
examination of existing secure communication mechanisms) 
  Aug 2016 - Adopt applicability statements as WG Document
  Oct 2016 - Adopt IANA registry consideration as WG document
  Apr 2017 - All early drafts to IESG for publication (if WG decided to
proceed): use cases, problem statement, and gap analysis document;
framework document; information model requirements for extensions to
protocols document; examination of existing secure communication
mechanisms document
  Apr 2017 - Data Models and Applicability Statements to IESG for
  Oct 2017 -  Working group re-charter or close

new-work mailing list