Frank: 

 

I just took your capability information model and made it concrete for a very 
simple firewall (iptables/netfilter in Linux).   As we iterate on these 
models, I’m sure we’ll learn from each other.   I just wanted to get it started 
so that we could give vendors an idea of where the info-models would plug into a 
vendor-specific model.  It also helps me understand what in the I2RS FB-FIB can 
be reused and what must be changed. 

 

I suspect iteration will be helpful here on the list. 

 

Sue 

 

From: I2nsf [mailto:[email protected]] On Behalf Of Xialiang (Frank)
Sent: Wednesday, June 15, 2016 11:42 PM
To: DIEGO LOPEZ GARCIA
Cc: [email protected]; [email protected]; Susan Hares; Linda Dunbar
Subject: [I2nsf] Re: Help on turning I2NSF Information Models to Data Models

 

Ok, Diego. I get your point.

In general, I agree with you. More concrete approaches are always easier than 
the general classification.

The information model draft is going to and will continue this direction.

 

Thanks!

 

From: DIEGO LOPEZ GARCIA [mailto:[email protected]] 
Sent: June 16, 2016 11:09
To: Xialiang (Frank)
Cc: [email protected]; [email protected]; Linda Dunbar; Susan Hares
Subject: Re: [I2nsf] Help on turning I2NSF Information Models to Data Models

 

Hi Frank, 

 

Maybe it is my personal preference to avoid general classifications (which is what 
I was concerned the information model could fall into), or the fact that concrete 
approaches are easier to understand (and that’s why I tend to look for data 
models whenever I see an information model), but I saw this document as a clear 
step towards a precise understanding of what the capability layer is.

 

Be goode,

 

On 16 Jun 2016, at 10:50 , Xialiang (Frank) <[email protected]> wrote:

 

Hi all,

Firstly, I really like Sue’s design of the I2NSF capability interface data model, 
even though it’s in the very beginning stage now. I think it’s very promising.

My Comments to Diego:

 

From: I2nsf [mailto:[email protected]] On Behalf Of DIEGO LOPEZ GARCIA
Sent: June 9, 2016 5:41
To: Susan Hares
Cc: [email protected]; [email protected]; Linda Dunbar
Subject: Re: [I2nsf] Help on turning I2NSF Information Models to Data Models

 

Hi, 

 

Just a quick reply from a not too deep reading and a few minutes of thinking 
about it. I see this approach promising, and better structured than previous 
proposals on how to work at the Capability interface.

[Frank]: Could you please remind me what the “previous proposals” are? Do you 
mean the current information model design? Any more details?

 

It is my impression that this is well aligned with the model we have been 
applying in the SECURED project.

 

Be goode,

 

On 8 Jun 2016, at 19:23 , Susan Hares <[email protected]> wrote:

 

I’m working on some data models for I2NSF that intersect with I2RS Filter-Based 
RIB Models and BGP Flow Specification Data models.  I could use some advice 
from the authors of the following information models. 

 

My focus is to be able to use the flow filter Yang models (I2NSF 
packet-filters, Filter-Based RIB (config, I2RS, BGP input), and BGP Flow 
Specification transmission of filters) to drive the simple firewall rules found 
in the Linux iptables user program (netfilter kernel module).  I am trying to 
get a set of Yang data models that can interact with a process (e.g. an iptable++ 
user program named flow-filters) that communicates with a confd (Cisco NETCONF 
daemon set) that handles NETCONF/RESTCONF and uses Yang to create the 
database.   I am creating prototype Data models that mirror the following drafts: 

 

·         Capability model for South Bound interface (I2NSF manager to NSF 
device): 
https://datatracker.ietf.org/doc/draft-xia-i2nsf-capability-interface-im/

·         Inter-Cloud DDoS Mitigation API: 
https://datatracker.ietf.org/doc/draft-fang-i2nsf-inter-cloud-ddos-mitigation-api/

·         An Information Model for the Monitoring of Network Security Functions: 
https://tools.ietf.org/html/draft-zhang-i2nsf-info-model-monitoring-00

 

My understanding is that the I2NSF capability interface focuses on the south-bound 
interface to the NSF.  To start out a Yang data model, I have created 
high-level Yang structures for these three models.  I’ll be asking questions 
about each model in a separate email thread, but answer me in any email thread. 

 

First on the capability model,  network security control is a list of ECA 
policies, network security content capability is a list of security content 
capabilities, and attack mitigation is a list of attack mitigation 
capabilities.   A suggested Yang high-level model structure is below.  My 
question is how does an I2NSF manager engage the packet security policies?  
Does putting a policy in the network security control mean it gets transmitted 
to the NSF device and installed?  Does the capability model provide both the 
way to list the functions (security content and mitigation) and a way to engage 
these functions? 

 

Sue Hares

 

 

Initial Yang models 

----------

ietf-i2nsf-capability-SBI

+--rw i2nsf-policy-list
    +--rw policy-list-name string         // name of policy list
    +--rw i2nsf-policy-rule* [name]
        +--rw name string                 // name of policy rule
        +--rw net-sec-ctl-rules
              uses ietf-pkt-eca-sec-policy   // packet ECA security policy
        +--rw net-sec-content             // list of content security capabilities
              uses i2nsf-sec-content         // grouping of security capabilities
        +--rw net-attack-mitigate         // list of mitigation capabilities
              uses i2nsf-mitigate-rules      // grouping of mitigation capabilities

 

Is this a good way to start the capabilities structure?  I have definitions for 
each of the “uses” statements in different models, but I need help 
understanding if this structure is correct. 

 

ietf-pkt-eca-sec-policy can be an extension of the I2RS/Configuration filters 
for packet Filter-Based RIBs.   For the i2nsf-sec-content-capability, does this 
form make sense: 

 

+--i2nsf-sec-content
  +--rw i2nsf-sec-content-cap* [order-id function-set-name]
     +--rw order-id                          // order # if in ordered list
     +--rw function-set-name string          // name for function
     +--rw anti-virus                        // basic security content action
     |  +--rw public-anti-virus [name]       // anti-virus capability from public sources
     |  |  ...                               // (yang structure details)
     |  +--rw vendor-anti-virus [vendor]     // anti-virus capability from vendor
     |  |  ...
     ...

 

The mitigation has a similar structure to the i2nsf-sec-content.   

 

+--i2nsf-attack-mitigation
  +--rw i2nsf-attack-mitigate-fcn* [order-id fcn-name]
     +--rw order-id
     +--rw fcn-name
     +--rw syn-flood
     |  +--rw public-syn-flood* [name]
     |  |  ...
     |  +--rw vendor-syn-flood* [vendor]
     |  |  ...
     +--rw udp-flood

 

 

 

_______________________________________________
I2nsf mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/i2nsf

 

--
"Esta vez no fallaremos, Doctor Infierno"

Dr Diego R. Lopez
Telefonica I+D
http://people.tid.es/diego.lopez/

e-mail: [email protected]
Tel:    +34 913 129 041
Mobile: +34 682 051 091
----------------------------------

 

 



 

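As an added example that is not part of the thread (and not code from any I2NSF draft or from Sue's prototype), the following Python takes an instance of the i2nsf-policy-list / i2nsf-policy-rule structure sketched above, with each net-sec-ctl-rules entry reduced to a packet-match condition plus a permit/deny action, and renders it into the iptables command lines a "flow-filters" user program would hand to netfilter. The field names, the action vocabulary and the sample policy are all assumptions; every condition field is validated before it reaches a command line, so a malformed prefix, port or action raises ValueError instead of installing a rule that matches the wrong traffic.

```python
# Added example (not from the thread or any I2NSF draft): render an instance of
# the i2nsf-policy-list sketched in Sue's mail as iptables commands, the way a
# "flow-filters" user program might. Every field name below is an assumption.
import ipaddress
import shlex

ACTIONS = {"permit": "ACCEPT", "deny": "DROP"}  # assumed ECA action vocabulary
PROTOCOLS = {"tcp", "udp", "icmp"}


def render_rule(rule, chain="FORWARD"):
    """Return one 'iptables -A <chain> ...' line; bad fields raise ValueError."""
    cond = rule["condition"]
    parts = ["iptables", "-A", chain, "-m", "comment", "--comment", rule["name"]]
    proto = cond.get("protocol")
    if proto is not None:
        if proto not in PROTOCOLS:
            raise ValueError(f"unsupported protocol: {proto}")
        parts += ["-p", proto]  # must precede --sport/--dport for iptables
    for key, flag in (("src", "-s"), ("dst", "-d")):
        if key in cond:  # ip_network rejects anything that is not a prefix
            parts += [flag, str(ipaddress.ip_network(cond[key], strict=False))]
    for key, flag in (("sport", "--sport"), ("dport", "--dport")):
        if key in cond:
            if proto not in ("tcp", "udp"):
                raise ValueError(f"{key} needs protocol tcp or udp")
            port = int(cond[key])
            if not 0 < port <= 65535:
                raise ValueError(f"port out of range: {port}")
            parts += [flag, str(port)]
    if rule["action"] not in ACTIONS:
        raise ValueError(f"unknown action: {rule['action']}")
    parts += ["-j", ACTIONS[rule["action"]]]
    return shlex.join(parts)  # shell-quoted, so a rule name cannot inject flags


def render_policy_list(policy, chain="FORWARD"):
    """Render every rule of an i2nsf-policy-list, preserving list order."""
    return [render_rule(r, chain) for r in policy["i2nsf-policy-rule"]]


# Constructed sample instance using documentation-range addresses.
SAMPLE_POLICY = {
    "policy-list-name": "edge-fw",
    "i2nsf-policy-rule": [
        {"name": "allow-web", "action": "permit",
         "condition": {"protocol": "tcp", "dst": "192.0.2.10/32", "dport": 443}},
        {"name": "block-net", "action": "deny", "condition": {"src": "198.51.100.0/24"}},
    ],
}
```

Rule order in the list is preserved as append order, which is what makes the ordered-list question above matter: a later permit never overrides an earlier deny once both are installed.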