Hi Linda and Yoav,

Here is the proposed structure with four categories for the I2NSF Rechartering based on our discussion.
---------------------------------------------------------------------------------------------------------------
1. The Augmentation of Architecture and Interfaces for Security Management Automation in I2NSF
   - An Extension of I2NSF Framework for Security Management Automation
   - Support of Security Policy/Feedback Translation
   - Support of Cloud Native Systems for I2NSF
   - Support of Security Audit System
   - Support of Remote Attestation
2. YANG Data Models for Security Management Automation in I2NSF
   - Application Interface YANG Data Model
   - Remote Attestation Interface YANG Data Model
   - Enhancement of five I2NSF YANG Data Models to support New Protocols such as QUIC and HTTP/3
   - A Common YANG Data Model for I2NSF YANG Data Models (including common identities)
3. Guidelines of Security Policy Translation for Security Management Automation in I2NSF
   - Policy Translation between Consumer-Facing Interface and NSF-Facing Interface
   - Policy/Feedback Translation between Application Interface and NSF-Facing Interface (or Consumer-Facing Interface)
4. Use Cases of I2NSF for Secured Networks
   - I2NSF for BGP Security Parameter Exchange (i.e., IPsec policies to functions embedded in nodes running BGP)
   - I2NSF for Security Management in Internet of Things Devices
   - I2NSF for Security Management in Autonomous Vehicles
---------------------------------------------------------------------------------------------------------------

How about it?

Thanks.

Best Regards,
Paul

On Wed, Apr 6, 2022 at 12:47 AM Mr. Jaehoon Paul Jeong <[email protected]> wrote:
> Hi Linda,
>
> On Tue, Apr 5, 2022 at 3:22 AM Linda Dunbar <[email protected]> wrote:
>
>> Paul,
>>
>> IESG doesn’t like fancy acronyms, mentioning Block chain without describing the additional features won’t go very far.
>>
>> Suggest to have a narrower scoped work proposal, so that it is more likely to get IESG approval.
>>
>> Comments to your suggested work items for I2NSF Rechartering are inserted below:
>>
>> *From:* Mr. Jaehoon Paul Jeong <[email protected]>
>> *Sent:* Friday, April 1, 2022 2:51 AM
>> *To:* Linda Dunbar <[email protected]>
>> *Cc:* [email protected]; Roman Danyliw <[email protected]>; Yoav Nir <[email protected]>; tom petch <[email protected]>; Susan Hares <[email protected]>; DIEGO LOPEZ GARCIA <[email protected]>; JungSoo Park <[email protected]>; Yunchul Choi <[email protected]>; Patrick Lingga <[email protected]>; Jeong Hyeon Kim <[email protected]>; Younghan Kim <[email protected]>; Panwei (William) <[email protected]>; Henk Birkholz <[email protected]>; yangpenglin <[email protected]>; Kyoungjae Sun <[email protected]>; Hyunsik Yang <[email protected]>; skku-iotlab-members <[email protected]>; Mr. Jaehoon Paul Jeong <[email protected]>
>> *Subject:* Re: Narrowing down the scope of work for the I2NSF Re-Chartering
>>
>> Hi Linda and Yoav,
>>
>> I would say that the theme of this I2NSF Re-Chartering is "Security Management Automation".
>> This theme is based on 7-year I2NSF standardization and hackathon projects with our I2NSF WG colleagues.
>>
>> May I suggest three more work items in addition to your proposed work items?
>>
>> The following three work items can be handled with focus along with the CCed I2NSF WG colleagues as coauthors and contributors:
>>
>> ---------------------------------------------------------------------------------------------------------------------------------------------------------------
>> 1. Security Service Management through Leveraging I2NSF Framework and Interfaces
>> - Main Contents
>>   . An Extension of I2NSF Framework for Intelligent Security Management Automation
>>   . Distributed Auditing Services for Supply Chain Attacks and Insider Attacks by Distributed Ledger Technology (DLT) and Remote Attestation
>>   . Support of Containers for I2NSF in Cloud Native Systems
>>   . Support of Other Contemporary Technologies for I2NSF such as Quantum Key Distribution (QKD) and Post Quantum Cryptography (PQC)
>>
>> [Linda] The above items should be already covered by the existing I2NSF Charter, except I don’t know what additional features are required by QKD and PQC to NSF or Consumer facing interfaces.
>>
> => [Paul] A certain level of security management automation (e.g., enforcement of a high-level security policy from I2NSF User to an NSF) is mentioned in the current I2NSF charter, and is fulfilled by the five I2NSF YANG data models.
> However, the full level of security management automation can be completed by adding the feedback-control-loop to augment security policies through NSF monitoring data collection, the analysis of those monitoring data, and the delivery of feedback information to Security Controller.
> Refer to Figure 1 and Section 3 in https://datatracker.ietf.org/doc/html/draft-jeong-i2nsf-security-management-automation-03 for the detailed explanation of the extension of the I2NSF framework.
>
> => [Paul] For QKD and PQC, we need to extend the NSF-Facing Interface for the exchange of parameters for quantum computing-based security rather than the Consumer-Facing Interface. This is because the I2NSF User just specifies a high-level security policy to the Security Controller, and the Security Controller needs to translate it into a low-level security policy along with the detailed handling of QKD and PQC.
>
>> 2. I2NSF Application Interface YANG Data Model
>> - Main Contents
>>   . A New I2NSF Interface for Feedback-control-loop-based Security Management Automation
>>   . Support of Feedback Information Delivery from I2NSF (Data) Analyzer to Security Controller for Security Policy Augmentation and Generation
>>
> => [Paul] In Figure 1 in the above I-D, the feedback-loop-based security management requires a new interface called Application Interface.
> This interface delivers feedback information (or policy reconfiguration) with an NSF name, a problem description and a possible solution to either Security Controller or I2NSF User rather than a high-level security policy delivered from the I2NSF User to the Security Controller via the Consumer-Facing Interface.
> Either the Security Controller or the I2NSF User needs to evaluate whether the suggested solution in the feedback information is good for the reported problem or not. After this evaluation, one of them can update the current high-level security policy or generate a high-level security policy for a low-level security policy.
>
>> 3. Guidelines to Security Policy Translation for I2NSF-Based Security Enforcement
>> - Main Contents
>>   . A Relation between I2NSF Consumer-Facing Interface and NSF-Facing Interface
>>   . Handling of Default Actions for a High-level Security Policy to be translated to a Low-level Security Policy
>>   . Population of Information for Security Policy Translation (e.g., mapping of IP addresses for users and devices)
>>   . Implementation Guidelines for Security Policy Translator (will be put as Appendix rather than main text)
>>
>> [Linda] I can see this being the potential work item for the rechartering.
>>
> => [Paul] Thanks. Actually, this security policy translation needs to include the following translations:
> - Policy Translation between the Consumer-Facing Interface and the NSF-Facing Interface
> - Policy Translation between the Application Interface and the Consumer-Facing Interface (or NSF-Facing Interface)
>
> Thanks.
>
> Best Regards,
> Paul
>
>> Linda
>>
>> ---------------------------------------------------------------------------------------------------------------------------------------------------------------
>>
>> As you know, my SKKU team with ETRI demonstrated the feasibility of those three work items through the past I2NSF Projects.
>>
>> For the 1st work item, this provides autonomous security management services to minimize human engagement for security services.
>>
>> The I2NSF extension for this autonomous security management is explained by my new I2NSF I-D:
>> https://datatracker.ietf.org/doc/html/draft-jeong-i2nsf-security-management-automation-03
>>
>> As a use case, a new outside (or inside) security attack is detected and blocked by an I2NSF system.
>> For this, an NSF reports monitoring data of a suspicious activity to an I2NSF Analyzer (as a new component which is a data collector and a data analyzer with machine learning), which is defined in the above I-D.
>> The I2NSF Analyzer analyzes the monitoring data and diagnoses what is a problem or security attack.
>> The I2NSF Analyzer makes a feedback report to a Security Controller so that the Security Controller can augment its existing security policy or generate a new security policy to cope with the problem or security attack.
>>
>> The involved security functions include the following steps:
>> 1. The monitoring data delivery from an NSF to an I2NSF Analyzer,
>> 2. The analysis of the monitoring data at the I2NSF Analyzer,
>> 3. The construction of a feedback report by the I2NSF Analyzer,
>> 4. The delivery of the feedback report from the I2NSF Analyzer to the Security Controller,
>> 5. The interpretation/translation of the feedback report at the Security Controller, and the augmentation of an existing security policy (or the generation of a new security policy) by the Security Controller, and
>> 6. The delivery of the augmented (or generated) security policy to an appropriate NSF.
>>
>> These steps are explained in the above I-D. I have explained them in the presentation of I2NSF Re-chartering slides during the IETF-113 I2NSF WG Session.
>>
>> For the support of the containers for I2NSF NSFs, the interface to security functions on Container will be the same with that to the security functions on VM.
>> However, the operation and management of I2NSF in container deployment can be specified in the document.
>> Here is my I2NSF I-D for Cloud Native Systems for your reference:
>> https://datatracker.ietf.org/doc/html/draft-yang-i2nsf-nfv-architecture-07#page-11
>>
>> I CC Dr. Kyoungjae Sun and Dr. Hyunsik Yang as the authors of this I-D for the Cloud Native Systems for I2NSF since they are experts in this domain.
>>
>> For the support of Other Contemporary Technologies, "Quantum Key" can be distributed to NSFs through Security Controllers.
>> The work of RFC 9061 (A YANG Data Model for IPsec Flow Protection Based on Software-Defined Networking (SDN)) can be extended for this key distribution.
>>
>> For the 2nd work item, I2NSF Application Interface delivers a feedback report containing feedback information as a high-level policy to describe a problem or security attack rather than monitoring data.
>> The Application Interface is a newly defined interface from I2NSF Analyzer to Security Controller, so it is different from the Monitoring Interface.
>> You can refer to my I2NSF I-D for the Application Interface:
>> https://datatracker.ietf.org/doc/html/draft-lingga-i2nsf-application-interface-dm-02
>>
>> For the 3rd work item, the guidelines for security policy translation are specified in terms of the mapping of interfaces, default action handling, the population of translation information (e.g., mapping of user group (or device group) and their IP addresses), and the procedures of the security policy translation rather than the translation algorithm itself.
>>
>> You can refer to my I2NSF I-D for the Security Policy Translation:
>> https://datatracker.ietf.org/doc/html/draft-yang-i2nsf-security-policy-translation-10
>>
>> If you have questions and comments, let me know.
>>
>> Thanks.
>>
>> Best Regards,
>> Paul
>>
>> On Thu, Mar 31, 2022 at 2:10 AM Linda Dunbar <[email protected]> wrote:
>>
>> I2NSF Rechartering Proponents,
>>
>> I re-read all the emails exchanged about I2NSF Re-Chartering plus the discussion minutes at IETF113, and I concluded the 2 key points:
>>
>> - The proposed Rechartered work is too broad, the scope of work is too wide,
>> - We don’t have enough people and expertise to cover all the proposed work.
>>
>> Therefore I would like to suggest prioritizing the work items based on available expertise, and choose the highest 3~4 work items for the I2NSF rechartering.
>>
>> With the current available expertise among the I2NSF participants, we can confidently tackle the following work items. Therefore I think they should be high on the priority list of the rechartering.
>>
>> - Work around the remote attestation of NSF in I2NSF architecture, including the YANG Data Model.
>> - Add the support of recently developed protocols such as QUIC and HTTP/3.
>> - Develop the YANG module of IPsec policies to functions embedded in nodes running BGP.
>>
>> For the proposed work item of the Interface to the Data Analysis Entities, I am wondering if the work is similar to the draft-ietf-i2nsf-nsf-monitoring-data-model?
>>
>> For the proposed work item of “controlling container deployments in Cloud Native NFV architecture”, I am not sure how different the “Interface to NSF” is from the “interface to Container”.
>>
>> Can you please chime in to express your opinion?
>>
>> Thank you
>>
>> Linda
>>
>> *From:* I2nsf <[email protected]> *On Behalf Of *Mr. Jaehoon Paul Jeong
>> *Sent:* Thursday, March 24, 2022 2:38 AM
>> *To:* [email protected]
>> *Cc:* Roman Danyliw <[email protected]>; Panwei (William) <[email protected]>; Henk Birkholz <[email protected]>; tom petch <[email protected]>; yangpenglin <[email protected]>; Susan Hares <[email protected]>; DIEGO LOPEZ GARCIA <[email protected]>
>> *Subject:* [I2nsf] Request for Comments, Interest and Support in I2NSF Re-Chartering
>>
>> Hi I2NSF WG,
>>
>> As you know, our I2NSF WG will discuss the I2NSF Re-Chartering at IETF-113 I2NSF WG Session today.
>>
>> I attach the text of the re-chartering as pdf and txt files.
>>
>> Our five core I2NSF YANG data model drafts are almost completed.
>>
>> ------------------------------------------------------------------------------------
>> 1. Capability YANG Data Model
>>    https://datatracker.ietf.org/doc/html/draft-ietf-i2nsf-capability-data-model-27
>> 2. NSF-Facing Interface YANG Data Model
>>    https://datatracker.ietf.org/doc/html/draft-ietf-i2nsf-nsf-facing-interface-dm-22
>> 3. Monitoring Interface YANG Data Model
>>    https://datatracker.ietf.org/doc/html/draft-ietf-i2nsf-nsf-monitoring-data-model-16
>> 4. Consumer-Facing Interface YANG Data Model
>>    https://datatracker.ietf.org/doc/html/draft-ietf-i2nsf-consumer-facing-interface-dm-17
>> 5. Registration Interface YANG Data Model
>>    https://datatracker.ietf.org/doc/html/draft-ietf-i2nsf-registration-interface-dm-15
>> ------------------------------------------------------------------------------------
>>
>> The three of them (i.e., 1, 2, and 3) got the feedback of the IESG and the revisions have been sent to the IESG reviewers.
>>
>> The remaining two (i.e., 4, 5) are well-synchronized with the others.
>> I will present the updates of them at today's I2NSF WG.
>> I attach the slides for them for your easy checking.
>>
>> Our AD Roman has concerns about the low energy of our I2NSF WG for the new work items in the I2NSF Re-chartering.
>>
>> Could you speak up your voice about your comments, interest, and support of our I2NSF Re-Chartering?
>>
>> See you online at IETF-113 I2NSF WG Session today.
>>
>> Thanks.
>>
>> Best Regards,
>> Paul
>> --
>>
>> ===========================
>> Mr. Jaehoon (Paul) Jeong, Ph.D.
>> Associate Professor
>> Department Head
>> Department of Computer Science and Engineering
>> Sungkyunkwan University
>> Office: +82-31-299-4957
>> Email: [email protected], [email protected]
>> Personal Homepage: http://iotlab.skku.edu/people-jaehoon-jeong.php
_______________________________________________
I2nsf mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/i2nsf
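The six-step feedback-control loop that Paul's quoted message walks through (NSF monitoring data to the I2NSF Analyzer, a feedback report carrying an NSF name, a problem description and a possible solution to the Security Controller, evaluation and policy augmentation there, and delivery of the resulting low-level rule to the NSF), as an added Python model. This is illustration written for this page, not code from the I-Ds or from the SKKU/ETRI implementation; the record layouts, the NSF name fw-1, the deny-count threshold and the protected-network check that makes the Controller reject a suggested solution are all assumptions.

```python
# Added illustration of the I2NSF feedback-control loop described in the thread:
# NSF -> I2NSF Analyzer -> feedback report -> Security Controller -> augmented policy -> NSF.
# Not code from the I-Ds; every record layout below is an assumption for the demo.
from collections import Counter
from dataclasses import dataclass, field
import ipaddress

# Step 1: constructed monitoring records reported by an NSF named "fw-1" (assumed layout).
MONITORING_DATA = (
    [{"nsf": "fw-1", "src": "203.0.113.7", "dst-port": 22, "action": "deny"}] * 6
    + [{"nsf": "fw-1", "src": "198.51.100.9", "dst-port": 443, "action": "deny"}] * 2
    + [{"nsf": "fw-1", "src": "10.0.0.5", "dst-port": 22, "action": "deny"}] * 5
    + [{"nsf": "fw-1", "src": "203.0.113.7", "dst-port": 80, "action": "allow"}]
)


@dataclass
class FeedbackReport:
    """Steps 3-4: what the Application Interface carries to the Security Controller."""
    nsf_name: str
    problem: str
    solution: dict  # assumed shape, e.g. {"block-src": "203.0.113.7"}


def analyze(records, threshold=5):
    """Step 2: the Analyzer diagnoses a source that keeps being denied on one NSF."""
    denied = {}
    for r in records:
        if r["action"] == "deny":
            denied.setdefault(r["nsf"], Counter())[r["src"]] += 1
    return [FeedbackReport(nsf, f"{n} denied connections from {src}", {"block-src": src})
            for nsf, counts in denied.items()
            for src, n in counts.items() if n >= threshold]


@dataclass
class SecurityController:
    high_level_policy: list = field(default_factory=list)
    protected_nets: list = field(default_factory=list)  # sources that must never be blocked

    def evaluate(self, report):
        """Step 5: decide whether the suggested solution is acceptable for the reported problem."""
        src = ipaddress.ip_address(report.solution["block-src"])
        return not any(src in ipaddress.ip_network(net) for net in self.protected_nets)

    def augment(self, report):
        """Step 5: augment the high-level policy; step 6: translate it to a low-level NSF rule."""
        if not self.evaluate(report):
            return None  # rejected feedback leaves the policy untouched
        src = report.solution["block-src"]
        rule = {"name": f"block-{src}", "source": src, "action": "drop"}
        if rule not in self.high_level_policy:
            self.high_level_policy.append(rule)
        # assumed low-level (NSF-facing style) representation of the same rule
        return {"nsf": report.nsf_name, "rule": {"ipv4-src": f"{src}/32", "action": "drop"}}


def run_loop(records, controller):
    """Drive one pass of the loop; returns the low-level rules delivered to NSFs."""
    delivered = []
    for report in analyze(records):
        low_level = controller.augment(report)
        if low_level is not None:
            delivered.append(low_level)
    return delivered


if __name__ == "__main__":
    ctrl = SecurityController(protected_nets=["10.0.0.0/8"])
    for rule in run_loop(MONITORING_DATA, ctrl):
        print(rule)
    print(ctrl.high_level_policy)
```

With the protected network set, the Analyzer still reports both noisy sources but only the external one becomes a policy rule; rerunning the loop does not duplicate rules already in the high-level policy.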
