Hi I2NSF WG,

I have the schedule to submit our I2NSF YANG Data Model Drafts to the IESG as follows.

o I2NSF Capability YANG Data Model Draft
  (https://datatracker.ietf.org/doc/draft-ietf-i2nsf-capability-data-model/)
  - The revised draft for the IESG's and Tsvart's reviews will be submitted on December 18, 2020.

o I2NSF NSF-Facing Interface YANG Data Model Draft
  (https://datatracker.ietf.org/doc/draft-ietf-i2nsf-nsf-facing-interface-dm/)
  - The revised draft for our AD Roman's review will be submitted on January 18, 2021.

o I2NSF Consumer-Facing Interface YANG Data Model Draft
  (https://datatracker.ietf.org/doc/draft-ietf-i2nsf-consumer-facing-interface-dm/)
  - The draft will be submitted to the IESG for our AD's review on January 25, 2021.

o I2NSF NSF Monitoring Interface YANG Data Model Draft
  (https://datatracker.ietf.org/doc/draft-ietf-i2nsf-nsf-monitoring-data-model/)
  - The revised draft for the 1st YANG Doctor review will be submitted to the YANG Doctor on January 31, 2021.

o I2NSF Registration Interface YANG Data Model Draft
  (https://datatracker.ietf.org/doc/draft-ietf-i2nsf-registration-interface-dm/)
  - The draft will be submitted to the IESG for our AD's review on February 15, 2021.

Thanks.

Best Regards,
Paul

On Thu, Dec 10, 2020 at 11:16 AM Mr. Jaehoon Paul Jeong <[email protected]> wrote:

> Hi I2NSF WG,
>
> I2NSF WG chairs (Linda and Yoav) and members including Susan, Diego, and me had an online meeting for I2NSF WG Re-chartering Text on December 3, 2020.
>
> Could you read the following text and give us your comments on it?
>
> -------------------------------------------------------------------------------------------------------------------------------
> <I2NSF WG Re-chartering Text>
>
> Interface to Network Security Functions (I2NSF) provides security function vendors, users, and operators with a standard framework and interfaces for cloud-based security services. I2NSF enables the enforcement of a high-level security policy, which is expressed according to a user's perspective of the target network. This security policy enforcement in I2NSF is a data-driven approach using NETCONF/YANG or RESTCONF/YANG, where a security policy is constructed based on a YANG data model.
>
> The I2NSF framework consists of four components such as I2NSF User, Security Controller, Network Security Function (NSF), and Developer's Management System (DMS). The I2NSF User specifies a high-level security policy for a target network. The Security Controller is aware of the capabilities of the attached NSFs, using them to build the security service(s) satisfying the policy expressed by the I2NSF User. An NSF provides a set of specific security capabilities (e.g., firewalling, web filtering, packet inspection, and DDoS-attack mitigation), applying security policy rules. The DMS registers the capabilities of an NSF with the Security Controller.
>
> The I2NSF framework has four interfaces such as Consumer-Facing Interface, NSF-Facing Interface, Registration Interface, and Monitoring Interface. Consumer-Facing Interface is used to deliver high-level security policies from the I2NSF User to the Security Controller. NSF-Facing Interface is used to deliver low-level security policies from the Security Controller to an NSF. The Registration Interface is used to register the capabilities of an NSF with the Security Controller. The Monitoring Interface is used to collect monitoring data from an NSF.
>
> The goal of I2NSF is to define a set of software interfaces and data models of such interfaces for configuring, maintaining, and monitoring NSFs in cloud environments, including NFV and edge deployments. For security management automation in an autonomous security system, I2NSF needs to have a feedback control loop consisting of security policy configuration in an NSF, monitoring for an NSF, data analysis for NSF monitoring data, feedback delivery, and security policy augmentation/generation. For this security management automation, the I2NSF framework requires a new component to collect NSF monitoring data and analyze them, which is called I2NSF Analyzer. Also, the I2NSF framework needs a new interface to deliver feedback messages for security policy adjustment from I2NSF Analyzer to Security Controller. A proper translation of the planned actions onto NSF capabilities requires a well-defined model for representing these actions.
>
> I2NSF is vulnerable to inside and supply chain attacks since it trusts NSF capability declarations as provided by DMS, assuming that NSFs work appropriately in all circumstances, as well as I2NSF User's policy declarations and the actions of the Security Controller. The registration of NSF capabilities, the declaration of a security policy from either the I2NSF User or its enforcement by the Security Controller, and the monitoring data from an NSF are assumed to be genuine and non-malicious. If one of such activities is malicious, the security system based on I2NSF may collapse. To prevent this malicious activity from happening in the I2NSF framework or detect the root of a security attack, all the activities in the I2NSF framework should be logged in either a centralized or decentralized (e.g., blockchain) way. Also, the provenance and status of the I2NSF components (i.e., I2NSF User, Security Controller, NSF, DMS, and I2NSF Analyzer) need to be verified by remote attestation, leveraging the current results mostly focused on IT environments.
>
> Finally, the current YANG data models for the I2NSF interfaces are designed on the basis of NSFs implemented as virtual machines, and therefore they need to be redesigned for the case where I2NSF components are instantiated by containers.
>
> The I2NSF working group's deliverables include:
>
> o A single document for an extension of I2NSF framework for security management automation. This document will initially be produced for reference as a living list to track and record discussions: the working group may decide to not publish this document as an RFC.
> o A YANG data model document for I2NSF Application Interface to deliver feedback from I2NSF Analyzer to Security Controller.
> o A single document for applicability and use cases in I2NSF-based security management automation.
> o A single document for a framework for security policy translation to support the mapping between a high-level YANG module and a low-level YANG module: the working group may decide to not publish this document as an RFC. This document will apply the recommendations under discussion in NETMOD and OPSAWG on event modeling.
> o A single document for remote attestation for I2NSF components, based on the work of the RATS WG.
> o A single document for I2NSF on container deployments in a cloud native NFV architecture.
>
> --------------
> Milestones
>
> o July 2022: Adopt applicability and use cases in I2NSF-based security management automation as WG document
> o March 2022: Adopt I2NSF on container deployments in a cloud native NFV architecture as WG document
> o November 2021: Adopt a framework for security policy translation as WG document
> o July 2021: Adopt remote attestation for I2NSF components as WG document
> o July 2021: Adopt a YANG data model for I2NSF Application Interface as WG document
> o March 2021: Adopt an extension of I2NSF framework for security management automation as WG document
>
> -------------------------------------------------------------------------------------------------------------------------------
>
> After submitting all the I2NSF YANG data model drafts, we will be able to work on the I2NSF WG re-chartering in earnest.
>
> Thanks.
>
> Best Regards,
> Paul
> --
> ===========================
> Mr. Jaehoon (Paul) Jeong, Ph.D.
> Associate Professor
> Department of Computer Science and Engineering
> Sungkyunkwan University
> Office: +82-31-299-4957
> Email: [email protected], [email protected]
> Personal Homepage: http://iotlab.skku.edu/people-jaehoon-jeong.php
> <http://cpslab.skku.edu/people-jaehoon-jeong.php>

--
===========================
Mr. Jaehoon (Paul) Jeong, Ph.D.
Associate Professor
Department of Computer Science and Engineering
Sungkyunkwan University
Office: +82-31-299-4957
Email: [email protected], [email protected]
Personal Homepage: http://iotlab.skku.edu/people-jaehoon-jeong.php
<http://cpslab.skku.edu/people-jaehoon-jeong.php>
_______________________________________________
I2nsf mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/i2nsf
