Hi I2NSF WG, I would like to introduce our draft on I2NSF Security Policy Translation: - Draft
https://tools.ietf.org/html/draft-yang-i2nsf-security-policy-translation-01 - Slides https://datatracker.ietf.org/meeting/102/materials/slides-102-i2nsf-security-policy-translation-00 This draft gives I2NSF developers the guidelines for the design and implementation of I2NSF Security Controller. One important functionality of the Security Controller is to automatically translate an I2NSF User's high-level policy to a low-level policy for NSFs. In the past of our I2NSF Hackathon projects, we made an XSLT-stylesheet-based translator. But this translator has two limitations, such as static capability-and-NSF mapping construction and inefficient maintenance on such a mapping. The first limitation is the difficult high-level policy construction. By the XSLT-stylesheet approach, I2NSF User MUST manually selects target NSFs to execute the required security capabilities. This means that I2NSF User needs to know each NSF's capabilities, so it is difficult for I2NSF User to construct a high-level security policy without the detailed knowledge on NSFs. The second limitation is an inefficient maintenance on the policy translator. If the data models on I2NSF NSF-facing Interface requires some updates, the XSLT stylesheet and XML files need to be updated. On the other hand, our new approach provides I2NSF User with an efficient maintenance. To solve these two limitations, our draft proposes an automata-based policy translator. This translator consists of three components, such as Extractor, Data Converter, and Generator. First, when a high-level policy is delivered from I2NSF User to Security Controller, Translator extracts data about the policy at Extractor, and then converts it at Data Converter for NSF(s). Also, Data Converter can select proper NSFs automatically. Finally, Generator generates low-level policies of target NSFs based on the data from Data Converter. I believe that this draft is valuable for IP2NSF WG adoption to facilitate the development and deployment of I2NSF in the real world. Please read this draft and give our authors your valuable comments. We aim at making this proposal as an Informational RFC. Thanks. Best Regards, Paul & Jinhyuk -- =========================== Mr. Jaehoon (Paul) Jeong, Ph.D. Assistant Professor Department of Software Sungkyunkwan University Office: +82-31-299-4957 Email: [email protected], [email protected] Personal Homepage: http://iotlab.skku.edu/people-jaehoon-jeong.php <http://cpslab.skku.edu/people-jaehoon-jeong.php>
_______________________________________________ I2nsf mailing list [email protected] https://www.ietf.org/mailman/listinfo/i2nsf
