I2NSF Registration Interface YANG Data Model for NSF Capability Registration
Department of Computer Engineering
Myongji University116 Myongji-ro, Cheoin-guYonginGyeonggi-do17058Republic of Koreashyun@mju.ac.kr
Department of Computer Science and Engineering
Sungkyunkwan University2066 Seobu-Ro, Jangan-GuSuwonGyeonggi-Do16419Republic of Korea+82 31 299 4957+82 31 290 7996pauljeong@skku.eduhttp://iotlab.skku.edu/people-jaehoon-jeong.php
Department of Electronic, Electrical and Computer Engineering
Sungkyunkwan University2066 Seobu-Ro, Jangan-GuSuwonGyeonggi-Do16419Republic of Korea+82 31 290 7222+82 31 299 6673tkroh0198@skku.edu
Department of Electronic, Electrical and Computer Engineering
Sungkyunkwan University2066 Seobu-Ro, Jangan-GuSuwonGyeonggi-Do16419Republic of Korea+82 31 290 7222+82 31 299 6673dnl9795@skku.edu
Electronics and Telecommunications Research Institute
218 Gajeong-Ro, Yuseong-GuDaejeon305-700Republic of Korea+82 42 860 6514pjs@etri.re.kr
Security
I2NSF Working GroupInternet-Draft
This document defines an information model and a YANG data
model for Registration Interface between Security Controller
and Developer's Management System (DMS) in the Interface to
Network Security Functions (I2NSF) framework to register
Network Security Functions (NSF) of the DMS with the Security
Controller. The objective of these information and data models
is to support NSF capability registration and query via I2NSF
Registration Interface.
A number of Network Security Functions (NSF) may exist in the
Interface to Network Security Functions (I2NSF) framework
. Since each of these NSFs likely has
different security capabilities from each other, it is important
to register the security capabilities of the NSF with the security
controller. In addition, it is required to search NSFs of some
required security capabilities on demand. As an example, if
additional security capabilities are required to serve some
security service request(s) from an I2NSF user, the security
controller SHOULD be able to request the DMS for NSFs that have
the required security capabilities.
As the main focus of the YANG module defined in
is to define
the security capabilities of an NSF, it lacks in some information
(e.g., network access information to an NSF) needed by the Security
Controller. Hence, this document provides extended information for
the I2NSF Registration Interface.
This document describes an information model (see
) and an augmented YANG
data model from I2NSF Capability YANG
data model
(see ) for the I2NSF
Registration Interface between the
security controller and the developer's management system (DMS)
to support NSF capability registration and query via the
registration interface. It also describes the operations which
SHOULD be performed by the security controller and the DMS via the
Registration Interface using the defined model.
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and
"OPTIONAL" in this document are to be interpreted as described in BCP 14
when, and only
when, they appear in all capitals, as shown here.
This document uses the following terms defined in ,
and .
Network Security Function (NSF): A function that is
responsible for a specific treatment of received packets.
A Network Security Function can act at various layers of a
protocol stack (e.g., at the network layer or other OSI layers).
Sample Network Security Service Functions are as follows:
Firewall, Intrusion Prevention/Detection System (IPS/IDS),
Deep Packet Inspection (DPI), Application Visibility and Control
(AVC), network virus and malware scanning, sandbox, Data Loss
Prevention (DLP), Distributed Denial of Service (DDoS)
mitigation and TLS proxy.
Data Model: Data Models define managed objects at a lower
level of abstraction, which include implementation- and
protocol-specific details, e.g., rules that explain how to
map managed objects onto lower-level protocol constructs
.
Information Model: Information Models are primarily useful
for designers to describe the managed environment, for
operators to understand the modeled objects, and for
implementers as a guide to the functionality that must be
described and coded in the Data Models .
YANG: This document follows the guidelines of , uses the common YANG types defined in , and adopts the Network Management Datastore
Architecture (NMDA) . The meaning of
the symbols in tree diagrams is defined in
.
Registering NSFs with the I2NSF framework: Developer's Management
System (DMS) in I2NSF framework is typically run by an NSF
vendor, and uses Registration Interface to provide NSFs
developed by the NSF vendor to Security Controller. Since
there may be multiple vendors that provide NSFs for a target network,
the I2NSF Registration Interface can be used as a standard
interface for the DMSs to provide NSFs capability information
to the Security Controller. For the registered NSFs,
Security Controller maintains a catalog of the capabilities
of those NSFs to select appropriate NSFs for the requested
security services.
Updating the capabilities of registered NSFs: After an NSF
is registered with Security Controller, some modifications
on the capability of the NSF MAY be required later. In this
case, DMS uses Registration Interface to update the
capability of the NSF, and this update SHOULD be reflected
in the catalog of NSFs.
Asking DMS about some required capabilities: In cases that
some security capabilities are required to serve the
security service request from an I2NSF user, Security
Controller searches through the registered NSFs to find
ones that can provide the required capabilities. But
Security Controller might fail to find any NSFs having the
required capabilities among the registered NSFs. In this
case, Security Controller needs to request DMS for
additional NSF(s) that can provide the required security
capabilities via Registration Interface.
The I2NSF registration interface is used by Security Controller
and Developer's Management System (DMS) in I2NSF framework. The
following summarizes the operations done through the
registration interface:
DMS registers NSFs and their capabilities with Security
Controller via the registration interface. DMS also uses
the registration interface to update the capabilities of
the NSFs registered previously.
In case that an I2NSF user requests a certain security service,
and the Security Controller fails to find some of the
required security capabilities from any registered NSFs,
the Security Controller queries DMS about an additional NSF(s)
having the required security capabilities via the registration
interface.
shows the information model of the I2NSF registration interface,
which consists of two submodels: NSF capability registration and
NSF capability query. Each submodel is used for the operations
listed above. The remainder of this section will provide in-depth
explanations of each submodel.
This submodel is used by DMS to register an NSF with
Security Controller.
shows how this submodel is constructed. The most important
part in is the NSF
capability, and this specifies the set of capabilities that
the NSF to be registered can offer. The NSF Name contains a
unique name of this NSF with the specified set of
capabilities. When registering the NSF, DMS additionally
includes the network access information of the NSF which is
required to enable network communications with the NSF.
The following will further explain the NSF capability
information and the NSF access information in more detail.
NSF Capability Information basically describes the
security capabilities of an NSF. In
, we show
capability objects of an NSF. Following the information
model of NSF capabilities defined in
,
we share the same I2NSF security capabilities: Directional
Capabilities, Event Capabilities, Condition Capabilities,
Action Capabilities, Resolution Strategy Capabilities,
Default Action Capabilities. Also, NSF Capability
Information additionally contains the specification
of an NSF as shown in
.
This information represents the processing capability of
an NSF. Assuming that the current workload status of each
NSF is being collected through NSF monitoring
,
this capability information of the NSF can be used to
determine whether the NSF is in congestion by comparing
it with the current workload of the NSF. Moreover, this
information can specify an available amount of each type
of resource, such as processing power which are available
on the NSF. (The registration interface can control the
usages and limitations of the created instance and make
the appropriate request according to the status.) As
illustrated in ,
this information consists of two items: Processing and
Bandwidth. Processing information describes the NSF's
available processing power. Bandwidth describes the
information about available network amount in two cases,
outbound, inbound. These two information can be used for
the NSF's instance request.
NSF Access Information contains the following that
are required to communicate with an NSF through NETCONF
or RESTCONF :
an IP address (i.e., IPv4 or IPv6 address) and a port number.
Note that TCP is used as a transport layer protocol due to either
NETCONF or RESTCONF. In this document, NSF Access Information is
used to identify a specific NSF instance. That is, NSF Access
Information is the signature (i.e., unique identifier) of an
NSF instance in the overall I2NSF system.
Security Controller MAY require some additional capabilities
to serve the security service request from an I2NSF user, but
none of the registered NSFs has the required capabilities. In
this case, Security Controller makes a description of the
required capabilities by using the NSF capability information
submodel in , and sends
DMS a query about which NSF(s) can provide these
capabilities.
This section provides the YANG Tree diagram of the I2NSF registration interface.
A simplified graphical representation of the data model is
used in this section. The meaning of the symbols used in
the following diagrams is as
follows:
Brackets "[" and "]" enclose list keys.
Abbreviations before data node names: "rw" means
configuration (read-write) and "ro" state data
(read-only).
Symbols after data node names: "?" means an optional
node and "*" denotes a "list" and "leaf-list".
Parentheses enclose choice and case nodes, and case
nodes are also marked with a colon (":").
Ellipsis ("...") stands for contents of subtrees that
are not shown.
The I2NSF registration interface is used by the Developer's
Management System (DMS) to register NSFs and their capabilities
with the Security Controller. In case that the Security Controller
fails to find any NSF among the registered NSFs which can
provide some required capabilities, Security Controller
uses the registration interface to query DMS about NSF(s)
having the required capabilities.
The following sections describe the YANG data models to support these operations.
This section describe the YANG tree for the NSF capability registration.
When registering an NSF with Security Controller, DMS uses
the augmented I2NSF Capability YANG Data Model
to describe what capabilities the NSF can offer.
DMS includes the access information of the NSF
which is required to make a network connection with the
NSF as well as the specification of the NSFs.
The NSF access information consists of ip, port,
and management-protocol. The field of ip can have either
an IPv4 address or an IPv6 address. The port field is used
to get the transport protocol port number. As I2NSF uses a
YANG data model, the management protocol can be either
NETCONF or RESTCONF.
The DMS can also include the resource capacity
information in terms of processing power and network
bandwidth of the NSF. Detailed overview of NSF specification
can be seen in .
This section describe the YANG tree for the NSF capability
query.
Security Controller MAY require some additional
capabilities to provide the security service requested
by an I2NSF user, but none of the registered NSFs has
the required capabilities. In this case, Security
Controller makes a description of the required
capabilities using this module and then queries DMS about
which NSF(s) can provide these capabilities. Use NETCONF
RPCs to send a NSF capability query. Input data is
query-i2nsf-capability-info and output data is
nsf-access-info. In ,
the ietf-i2nsf-capability refers to the module defined in
.
This section provides a YANG module of the data model for
the registration interface between Security Controller and
Developer's Management System, as defined in
.
This YANG module imports from and
.
It makes references to
This document requests IANA to register the following URI in the
"IETF XML Registry" :
This document requests IANA to register the following YANG
module in the "YANG Module Names" registry
:
The YANG module specified in this document defines a data schema designed
to be accessed through network management protocols such as NETCONF
or RESTCONF . The lowest NETCONF layer is the
secure transport layer, and the required secure transport is Secure Shell (SSH)
. The lowest RESTCONF layer is HTTPS, and the
required secure transport is TLS .
The NETCONF access control model provides a
means of restricting access to specific NETCONF or RESTCONF users to a
preconfigured subset of all available NETCONF or RESTCONF protocol
operations and content.
There are a number of data nodes defined in this YANG module that are
writable/creatable/deletable (i.e., config true, which is the default).
These data nodes MAY be considered sensitive or vulnerable in some
network environments. Write operations (e.g., edit-config) to these data
nodes without proper protection can have a negative effect on network
operations. These are the subtrees and data nodes and their
sensitivity/vulnerability:
nsf-registration: The attacker MAY exploit this to
register a compromised or malicious NSF instead of a
legitimate NSF with the Security Controller.
nsf-specification: The attacker MAY provide
incorrect information of the specification of
any target NSF by illegally modifying this.
nsf-capability-info: The attacker MAY provide incorrect
information of the security capability of any target NSF
by illegally modifying this.
nsf-access-info: The attacker MAY provide incorrect network
access information of any target NSF by illegally modifying
this.
Some of the readable data nodes in this YANG module MAY be
considered sensitive or vulnerable in some network
environments. It is thus important to control read access
(e.g., via get, get-config, or notification) to these data
nodes. These are the subtrees and data nodes and their
sensitivity/vulnerability:
nsf-registration: The attacker MAY try to gather some
sensitive information of a registered NSF by sniffing
this.
nsf-specification: The attacker MAY gather the
specification information of any target NSF and
misuse the information for subsequent attacks.
nsf-capability-info: The attacker MAY gather the security
capability information of any target NSF and misuse the
information for subsequent attacks.
nsf-access-info: The attacker MAY gather the network
access information of any target NSF and misuse the
information for subsequent attacks.
The RPC operation in this YANG module MAY be considered
sensitive or vulnerable in some network environments. It is
thus important to control access to this operation. The
following is the operation and its sensitivity/vulnerability:
nsf-capability-query: The attacker MAY exploit this RPC operation to deteriorate the availability of the DMS and/or gather the information of some interested NSFs from the DMS.
Network Functions Virtualisation (NFV); Architectureal Framework
This section shows XML examples of the I2NSF Registration
Interface data model for registering the capabilities in
either IPv4 networks or IPv6
networks with Security Controller.
shows the
configuration XML for registering a general firewall in an
IPv4 network and its capabilities
as follows.
The instance name of the NSF is ipv4_general_firewall.
The NSF can inspect IPv4 protocol header field, source
address(es), and destination address(es).
The NSF can inspect the port number(s) for the transport
layer protocol, i.e., TCP.
The NSF can determine whether the packets are allowed to
pass, drop, or mirror.
The NSF can have processing power and bandwidth.
The IPv4 address of the NSF is 192.0.2.11.
The port of the NSF is 49152.
In addition, shows
the configuration XML for registering a general firewall in
an IPv6 network and its
capabilities as follows.
The instance name of the NSF is ipv6_general_firewall.
The NSF can inspect IPv6 next header, flow direction,
source address(es), and destination address(es)
The NSF can inspect the port number(s) and flow direction
for the transport layer protocol, i.e., TCP and UDP.
The NSF can determine whether the packets are allowed to
pass, drop, or mirror.
The NSF can have processing power and bandwidth.
The IPv6 address of the NSF is 2001:db8:0:1::11.
The port of the NSF is 49152.
This section shows an XML example of the Security Controller
requesting an additional NSF with a certain capability. In this
example, an I2NSF user requests a security service that is able
to block the specified websites. When the Security Controller checks
that no registered NSF can provide such a service, it makes a query
to the DMS with the following XML:
shows
the XML for requesting an unregistered web filter with its
capabilities as follows.
The NSF can inspect a URL matched from a user-defined URL
where the user can specify their own URL.
The NSF can control the network by dropping the packets that
match the condition. It can drop packets that are entering
or leaving the target network.
After receiving a query given in ,
the DMS can reply with following XML:
In the reply shown in ,
the additional NSF called web_filter can be used by accessing
the NSF with the IPv4 address of 192.0.2.13 and the port number
of 49152, using the NETCONF management protocol.
Network Functions Virtualization (NFV) can be used to implement
I2NSF framework. In NFV environments, NSFs are deployed as
virtual network functions (VNFs). Security Controller can be
implemented as an Element Management (EM) of the NFV
architecture, and is connected with the VNF Manager (VNFM) via
the Ve-Vnfm interface . Security
Controller can use this interface for the purpose of the
lifecycle management of NSFs. If some NSFs need to be
instantiated to enforce security policies in the I2NSF
framework, Security Controller could request the VNFM to
instantiate them through the Ve-Vnfm interface. Or if an NSF,
running as a VNF, is not used by any traffic flows for a time
period, Security Controller MAY request deinstantiating it
through the interface for efficient resource utilization.
This document is a product by the I2NSF Working Group (WG) including
WG Chairs (i.e., Linda Dunbar and Yoav Nir) and Diego Lopez.
This document took advantage of the review and comments from the following people:
Roman Danyliw, Reshad Rahman (YANG doctor), and Tom Petch.
We authors sincerely appreciate their sincere efforts and kind help.
This work was supported by Institute of Information &
Communications Technology Planning & Evaluation (IITP) grant funded by
the Korea MSIT (Ministry of Science and ICT) (No. 2016-0-00078, Cloud Based
Security Intelligence Technology Development for the Customized
Security Service Provisioning).
This work was supported in part by the IITP (2020-0-00395-003, Standard
Development of Blockchain based Network Management Automation Technology).
The following are co-authors of this document:
Patrick Lingga -
Department of Electrical and Computer Engineering,
Sungkyunkwan University,
2066 Seo-ro Jangan-gu,
Suwon, Gyeonggi-do 16419,
Republic of Korea.
EMail: patricklink@skku.edu
Jinyong (Tim) Kim -
Department of Electronic, Electrical and Computer Engineering,
Sungkyunkwan University,
2066 Seo-ro Jangan-gu,
Suwon, Gyeonggi-do 16419,
Republic of Korea.
EMail: timkim@skku.edu
Chaehong Chung -
Department of Electronic, Electrical and Computer Engineering,
Sungkyunkwan University,
2066 Seo-ro Jangan-gu,
Suwon, Gyeonggi-do 16419,
Republic of Korea.
EMail: darkhong@skku.edu
Susan Hares -
Huawei,
7453 Hickory Hill,
Saline, MI 48176,
USA.
EMail: shares@ndzh.com
Diego R. Lopez -
Telefonica I+D,
Jose Manuel Lara, 9,
Seville, 41013,
Spain.
EMail: diego.r.lopez@telefonica.com
The following changes are made from draft-ietf-i2nsf-registration-interface-dm-20:
The updates are made following Qin Wu's comments. The important updates are as follows:
This version clarifies the third objective (i.e., an query
to an NSF for a given security capability) discussed in
.
This version provides a new XML example for requesting
additional NSF via the I2NSF Registration Interface, that is,
an query to an NSF for a given security capability in
.
This version updates the information model and data model
for NSF registration by using the "augment" statement instead of reusing
the "grouping" from the .