I2NSF Registration Interface YANG Data Model for NSF Capability Registration
Department of Computer Engineering
Myongji University116 Myongji-ro, Cheoin-guYonginGyeonggi-do17058Republic of Koreashyun@mju.ac.kr
Department of Computer Science and Engineering
Sungkyunkwan University2066 Seobu-Ro, Jangan-GuSuwonGyeonggi-Do16419Republic of Korea+82 31 299 4957+82 31 290 7996pauljeong@skku.eduhttp://iotlab.skku.edu/people-jaehoon-jeong.php
Department of Electronic, Electrical and Computer Engineering
Sungkyunkwan University2066 Seobu-Ro, Jangan-GuSuwonGyeonggi-Do16419Republic of Korea+82 31 290 7222+82 31 299 6673tkroh0198@skku.edu
Department of Electronic, Electrical and Computer Engineering
Sungkyunkwan University2066 Seobu-Ro, Jangan-GuSuwonGyeonggi-Do16419Republic of Korea+82 31 290 7222+82 31 299 6673dnl9795@skku.edu
Electronics and Telecommunications Research Institute
218 Gajeong-Ro, Yuseong-GuDaejeon34129Republic of Korea+82 42 860 6514pjs@etri.re.kr
Security
I2NSF Working GroupInternet-Draft
This document defines a YANG data model for the Registration
Interface between Security Controller and Developer's Management
System (DMS) in the Interface to Network Security Functions
(I2NSF) framework to register Network Security Functions (NSF)
of the DMS with the Security Controller. The objective of this
data model is to support NSF capability registration and query
via I2NSF Registration Interface.
A number of Network Security Functions (NSF) may exist in the
Interface to Network Security Functions (I2NSF) framework
. Since each of these NSFs likely has
different security capabilities from each other, it is important
to register the security capabilities of the NSFs to the Security
Controller (i.e., Network Operator Management System in ). In addition,
it is required to search NSFs of some required security
capabilities on demand. As an example, if additional security
capabilities are required to serve some security service request(s)
from an I2NSF User, the Security Controller should be able to
request the Developer's Management System (DMS) for NSFs that have
the required security capabilities.
As the main focus of the YANG module defined in
is to define
the security capabilities of an NSF, it lacks in some information
(e.g., network access information to an NSF) needed by the Security
Controller. This information can be provided by the
DMS as it is the vendor system that provides and deploys the NSFs.
Hence, this document provides the I2NSF Registration Interface
to let the DMS register the capabilities and network access
information of its NSFs with the Security Controller.
This document describes an information model (see
) and a YANG
data model
(see ), which is extended from
the I2NSF Capability YANG data model
, for the I2NSF
Registration Interface between the
Security Controller and the DMS to support NSF capability registration
and query via the registration interface. It also describes the
operations that can be performed by the Security Controller and the
DMS via the Registration Interface using the defined model.
Note that in either NETCONF or RESTCONF
parlance through the I2NSF Registration
Interface, the Security Controller is the client, and the DMS is
the server because the Security Controller and DMS run the client
and server for either NETCONF or RESTCONF, respectively.
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and
"OPTIONAL" in this document are to be interpreted as described in BCP 14
when, and only
when, they appear in all capitals, as shown here.
This document uses the following terms defined in ,
and .
Network Security Function (NSF): A function that is
responsible for a specific treatment of received packets.
A Network Security Function can act at various layers of a
protocol stack (e.g., at the network layer or other OSI layers).
Sample Network Security Service Functions are as follows:
Firewall, Intrusion Prevention/Detection System (IPS/IDS),
Deep Packet Inspection (DPI), Application Visibility and Control
(AVC), network virus and malware scanning, sandbox, Data Loss
Prevention (DLP), Distributed Denial of Service (DDoS)
mitigation and TLS proxy.
Data Model: Data Models define managed objects at a lower
level of abstraction, which include implementation- and
protocol-specific details, e.g., rules that explain how to
map managed objects onto lower-level protocol constructs
.
Information Model: Information Models are primarily useful
for designers to describe the managed environment, for
operators to understand the modeled objects, and for
implementers as a guide to the functionality that must be
described and coded in the Data Models .
YANG: This document follows the guidelines of , uses the common YANG types defined in , and adopts the Network Management Datastore
Architecture (NMDA) . The meaning of
the symbols in tree diagrams is defined in
.
Registering NSFs with the I2NSF framework: Developer's Management
System (DMS) in I2NSF framework is typically run by an NSF
vendor, and uses Registration Interface to provide NSFs information
(i.e., capability, specification, and access information)
developed by the NSF vendor to Security Controller. Since
there may be multiple vendors that provide NSFs for a target network,
the I2NSF Registration Interface can be used as a standard
interface for the DMSs to provide NSFs capability information
to the Security Controller. For the registered NSFs,
Security Controller maintains a catalog of the capabilities
of those NSFs to select appropriate NSFs for the requested
security services. Note that the I2NSF User and the vendor should
exchange information for the discovery of Security Controller and
DMS during the subscription of the security service. The I2NSF
User should provide the Security Controller information (e.g.,
access information) to the DMS for the NSFs registration, and the
vendor should provide the DMS information (e.g., access information
and the types of NSFs managed by the DMS) to the Security Controller
for allowing such connections. The method of exchanging this
information can be done either manually or dynamically (e.g.,
through the new options of I2NSF information in both DHCP
and DHCPv6 ).
This actual method is out of the scope of this document.
Updating the capabilities of registered NSFs: After an NSF
is registered with Security Controller, some modifications
on the capability of the NSF may be required later. In this
case, DMS uses Registration Interface to deliver the update
of the capability of the NSF to the Security Controller,
and this update MUST be reflected on the catalog of NSFs
existing in the Security Controller. That is, the DMS sends
the updated NSF capability information to the Security Controller
through a notification mechanism. The Security Controller updates
its catalog of NSFs with the updated NSF capability information.
Asking DMS about some required capabilities: In cases that
some security capabilities are required to serve the
security service request from an I2NSF User, the Security
Controller searches through the registered NSFs to find
ones that can provide the required capabilities. But
Security Controller might fail to find any NSFs having the
required capabilities among the registered NSFs. In this
case, Security Controller needs to request DMS for
additional NSF(s) information that can provide the required
security capabilities via Registration Interface.
The I2NSF registration interface is used by Security Controller
and Developer's Management System (DMS) in I2NSF framework.
shows the information model of the I2NSF registration interface,
which consists of two submodels: NSF capability registration and
NSF capability update. Each submodel is used for the operations
listed above. The remainder of this section will provide in-depth
explanation of each submodel. The consideration of the design
of the data model is based on the procedure and mechanism discussed
in Section 8 of ,
which discusses I2NSF Framework with Network Functions
Virtualization (NFV) .
This submodel is used by the DMS to register the capabilities of NSFs with the
request of the Security Controller.
shows how this submodel is constructed. The most important
part in is the NSF
capability, and this specifies the set of capabilities that
the NSF to be registered can offer. The NSF Name contains a
unique name of this NSF with the specified set of
capabilities. The NSF name MUST be unique within the registered
NSFs in the Security Controller to identify the NSF with the
capability. The name can be an arbitrary string including
Fully Qualified Domain Name (FQDN). To make sure each vendor
does not provide a duplicated name, the name should include
the vendor's detail (e.g., firewall-vendor-series_name-series_number).
When registering the NSF, DMS additionally
includes the network access information of the NSF which is
required to enable network communications with the NSF.
The following sections will further explain the NSF capability
information and the NSF access information in more detail.
NSF Capability Information basically describes the
security capabilities of an NSF. In
, we show
capability objects of an NSF. Following the information
model of NSF capabilities defined in
,
we share the same I2NSF security capabilities: Directional
Capabilities, Event Capabilities, Condition Capabilities,
Action Capabilities, Resolution Strategy Capabilities,
Default Action Capabilities. Also, NSF Capability
Information additionally contains the specification
of an NSF as shown in
.
This information represents the specification information of
an NSF. As illustrated in ,
this information consists of packet processing and bandwidth
capabilities.
Packet processing is the overall capability of an NSF in
processing packets measured in packets per second (PPS).
Bandwidth describes the information about available network amount
in two cases, such as outbound and inbound. Assuming that the
current throughput and packet rate statuses of each NSF are being
collected through NSF monitoring
,
these capabilities of the NSF can be used to
determine whether the NSF is in congestion or not by comparing
it with the current throughput of the NSF.
NSF Access Information contains the following that
are required to communicate with an NSF through NETCONF
or RESTCONF :
an IP address (i.e., IPv4 or IPv6 address) and a port number.
Note that the transport layer protocol can be any transport
protocol that provides the required set of functionalities for
either NETCONF or RESTCONF .
In this document, NSF Access Information is used to identify a
specific NSF instance. That is, NSF Access Information is the
signature (i.e., unique identifier) of an NSF instance in the
overall I2NSF system.
The deployed NSFs may require to be updated to improve the quality
of the security service. The Security Controller can request
update information to the DMS by subscribing to the
NSF capability update notification. The DMS can send the
notification of NSF capability update using the NSF capability
information submodel in
for updating the capabilities of the NSF.
This section provides the YANG Tree Diagram of the I2NSF
registration interface.
The I2NSF Registration Interface is used by the Developer's
Management System (DMS) to register NSFs and their capabilities
with the Security Controller. Also, in case that the Security Controller
fails to find any NSF among the registered NSFs which can
provide some required capabilities, Security Controller
uses the registration interface to query DMS about NSF(s)
having the required capabilities. The following sections
describe the YANG data models to support these operations.
Note that the YANG module in this document relies on the YANG
module defined in ,
hence QUIC protocol and HTTP/3 are
excluded in the data model. The QUIC traffic should not be
treated as UDP traffic, and HTTP/3 should neither be interpreted
as either HTTP/1.1 nor HTTP/2. Thus, the data model should be
extended or augmented appropriately to support the handling of
the QUIC protocol and HTTP/3 traffic according to the needs of
the implementer.
This section describes the YANG tree diagram for the NSF
capability registration and capability query.
When a Security Controller requests security services to
the DMS, DMS uses the I2NSF Capability YANG Data Model
to describe what capabilities the NSFs can offer.
Security Controller makes a description of the required
capabilities and then queries DMS about
which NSF(s) can provide these capabilities.
The DMS can apply a selection mechanism to select the NSFs
that cover all requested capabilities effectively. This selection
mechanism is out of the scope of this document.
DMS includes the access information of the NSF
which is required to make a network connection with the
NSF as well as the specification of the NSFs.
The NSF access information consists of ip, port,
and management-protocol. The field of ip can have either
an IPv4 address or an IPv6 address. The port field is used
to get the transport protocol port number. As I2NSF uses a
YANG data model, the management protocol can be either
NETCONF or RESTCONF.
The credential management for accessing the NSFs is handled
by pre-negotiation with every DMS. This management is out
of the scope of this document.
The DMS can also include the resource information in
terms of packet processing and bandwidth capabilities
of the NSF. Detailed overview of NSF specification
can be seen in .
This section describes the YANG tree diagram for the NSF capability
update.
This YANG data model is used to update the registered NSFs.
The update operation started by the Security Controller
subscribing to the notification of NSFs capability updates.
See for the subscription mechanism.
explains the event stream
for the subscription of this YANG module.
The DMS should only send the NSF(s) with updated
capabilities. If an update is available, the DMS can deliver
the NSF capability update notification to the Security
Controller. This YANG module allows multiple NSF capability
updates in a single notification. Note that the capabilities
given in the update represent the full capabilities of
each NSF.
This section provides a YANG module of the data model for
the registration interface between Security Controller and
Developer's Management System, as defined in
.
This YANG module imports from and
.
It makes references to
This document requests IANA to register the following URI in the
"IETF XML Registry" :
This document requests IANA to register the following YANG
module in the "YANG Module Names" registry
:
The YANG module specified in this document defines a data schema designed
to be accessed through network management protocols such as NETCONF
or RESTCONF . The lowest NETCONF layer is the
secure transport layer, and the required secure transport is Secure Shell (SSH)
. The lowest RESTCONF layer is HTTPS, and the
required secure transport is TLS .
The NETCONF access control model provides a
means of restricting access to specific NETCONF or RESTCONF users to a
preconfigured subset of all available NETCONF or RESTCONF protocol
operations and content.
The architecture of I2NSF Framework presents a risk to the
implementation of security detection and mitigation activities.
The risks of externally operated NSFs are discussed in Section 4
(Threats Associated with Externally Provided NSFs) of
.
It is important to have an authentication and authorization
method between the communication of the Security Controller and
the DMS. The following are threats that need to be considered and mitigated:
It can send falsified information to the Security Controller
to mislead existing detection or mitigation devices.
Currently, there is no in-framework mechanism to mitigate this,
and it is an issue for such infrastructures. It is important to keep
confidential information from unauthorized persons to mitigate
the possibility of compromising the DMS with this information.
This involves a system trying to send false information
while imitating as a DMS; client authentication would help
the Security Controller to identify this invalid DMS.
The YANG module defined in this document extends the YANG module
described in .
Hence, this document shares all the security issues
that are specified in Section 9 of
.
There are a number of extended data nodes defined in this YANG module that are
writable/creatable/deletable (i.e., config true, which is the default).
These data nodes MAY be considered sensitive or vulnerable in some
network environments. Write operations (e.g., edit-config) to these data
nodes without proper protection can have a negative effect on network
operations. These are the subtrees and data nodes and their
sensitivity/vulnerability:
nsf-specification: The attacker may provide
incorrect information of the specification of
any target NSF by modifying this.
nsf-access-info: The attacker may provide incorrect network
access information of any target NSF by modifying
this.
Some of the readable extended data nodes in this YANG module MAY be
considered sensitive or vulnerable in some network
environments. It is thus important to control read access
(e.g., via get, get-config, or notification) to these data
nodes. These are the subtrees and data nodes and their
sensitivity/vulnerability:
nsf-specification: The attacker may gather the
specification information of any target NSF and
misuse the information for subsequent attacks.
nsf-access-info: The attacker may gather the network
access information of any target NSF and misuse the
information for subsequent attacks.
The RPC operation in this YANG module MAY be considered
sensitive or vulnerable in some network environments. It is
thus important to control access to this operation. The
following is the operation and its sensitivity/vulnerability:
nsf-capability-query: The attacker may exploit this RPC
operation to deteriorate the availability of the DMS
and/or gather the information of some interested NSFs
from the DMS. Some of the product capabilities provided
by a vendor may be publicly known, the DMS should provide
an authentication and authorization method to make sure
this node cannot be used for exploitation.
Network Functions Virtualisation (NFV); Architectureal Framework
This section discusses the NETCONF event stream for an I2NSF
Registration subscription.
The YANG module in this document supports "ietf-subscribed-notifications"
YANG module for subscription.
The reserved event stream name for this document is "I2NSF-Registration".
The NETCONF Server (e.g., DMS) MUST support "I2NSF-Registration"
event stream for the NETCONF Client (e.g., Security Controller).
The "I2NSF-Registration" event stream contains all notifications
described in this document.
The following XML example shows the capabilities of the event
streams generated by the DMS (e.g., "NETCONF" and "I2NSF-Registration" event
streams) for the subscription of NSF capability update. Refer to
for a more detailed explanation of Event
Streams. The XML examples in this document follow the line breaks as per
.
This section shows XML examples of the I2NSF Registration
Interface data model for registering the capabilities in
either IPv4 networks or IPv6
networks with Security Controller.
shows the query for NSF(s) that can inspect
IPv4 source address, destination address, and URL.
shows the reply for the
configuration XML for registering a general firewall and a web filter
in an IPv4 network and their capabilities.
The general firewall registered is as follows.
The first instance name of the NSF is ipv4_general_firewall.
The version used is 1.2.0.
The NSF can inspect IPv4 protocol header field, source
address(es), and destination address(es).
The NSF can inspect the port number(s) for the transport
layer protocol, i.e., TCP.
The NSF can determine whether the packets are allowed to
pass, drop, or mirror.
The NSF is able to process 14,000,000 packets per second.
The network bandwidth available on the NSF is 1 GBps for
both the outbound traffic and inbound traffic.
The IPv4 address of the NSF is 192.0.2.11.
The port of the NSF is 49152 using the NETCONF protocol.
The web filter registered is as follows.
The first instance name of the NSF is ipv4_web_filter.
The version used is 1.1.0.
The NSF can inspect a URL matched from a user-defined URL.
User can specify their own URL.
The NSF can determine whether the packets are allowed to
pass, drop, or mirror.
The NSF is able to process 14,000,000 packets per second.
The network bandwidth available on the NSF is 1 GBps for
both the outbound traffic and inbound traffic.
The IPv4 address of the NSF is 192.0.2.12.
The port of the NSF is 49152 using the NETCONF protocol.
In addition, and shows
the query and reply message for the configuration XML for registering a general firewall in
an IPv6 network and webfilter with their
capabilities.
The instance name of the NSF is ipv6_general_firewall.
The version used is 1.2.0.
The NSF can inspect IPv6 next header, flow direction,
source address(es), and destination address(es)
The NSF can inspect the port number(s) and flow direction
for the transport layer protocol, i.e., TCP.
The NSF can determine whether the packets are allowed to
pass, drop, or mirror.
The NSF is able to process 14,000,000 packets per second.
The network bandwidth available on the NSF is 1 GBps for
both the outbound and inbound traffics.
The IPv6 address of the NSF is 2001:db8:0:1::11.
The port of the NSF is 49153 using the NETCONF protocol.
The web filter registered is as follows.
The first instance name of the NSF is ipv6_web_filter.
The version used is 1.1.0.
The NSF can inspect a URL matched from a user-defined URL.
User can specify their own URL.
The NSF can determine whether the packets are allowed to
pass, drop, or mirror.
The NSF is able to process 14,000,000 packets per second.
The network bandwidth available on the NSF is 1 GBps for
both the outbound traffic and inbound traffic.
The IPv4 address of the NSF is 2001:db8:0:1::12.
The port of the NSF is 49153 using the NETCONF protocol.
This section shows an XML example of a capability update for an NSF.
In this example, the registered General Firewall for the IPv4
network shown in is updated.
The DMS can send a notification for capability update with the following XML:
shows
the XML of an NSF capability update for the NSF named ipv4_general_firewall.
In this example, the NSF has been updated with a new version
(i.e., 2.0.0) and extended capabilities (i.e., inspect the port
number(s) for UDP packets).
Network Functions Virtualization (called NFV) can be used to implement
I2NSF framework. In NFV environments, NSFs are deployed as
virtual network functions (VNFs). Security Controller can be
implemented as an Element Management (EM) of the NFV
architecture, and is connected with the VNF Manager (VNFM) via
the Ve-Vnfm interface . Security
Controller can use this interface for the purpose of the
lifecycle management of NSFs. If some NSFs need to be
instantiated to enforce security policies in the I2NSF
framework, Security Controller could request the VNFM to
instantiate them through the DMS having the Ve-Vnfm interface
with the VNFM. Refer to Section 8 of
for the detailed description on I2NSF Framework with NFV.
Or if an NSF, running as a VNF, is not used by any flows
for a time period, Security Controller may request
deinstantiating it through the DMS having the Ve-Vnfm
interface with the VNFM for efficient resource utilization.
This document is a product by the I2NSF Working Group (WG) including
WG Chairs (i.e., Linda Dunbar and Yoav Nir) and Diego Lopez.
This document took advantage of the review and comments from the following people:
Roman Danyliw, Reshad Rahman (YANG doctor), and Tom Petch.
We authors sincerely appreciate their sincere efforts and kind help.
This work was supported by Institute of Information &
Communications Technology Planning & Evaluation (IITP) grant funded by
the Korea MSIT (Ministry of Science and ICT) (No. 2016-0-00078, Cloud Based
Security Intelligence Technology Development for the Customized
Security Service Provisioning).
This work was supported in part by the IITP (2020-0-00395-003, Standard
Development of Blockchain based Network Management Automation Technology).
The following are co-authors of this document:
Patrick Lingga -
Department of Electrical and Computer Engineering,
Sungkyunkwan University,
2066 Seo-ro Jangan-gu,
Suwon, Gyeonggi-do 16419,
Republic of Korea.
EMail: patricklink@skku.edu
Jinyong (Tim) Kim -
Department of Electronic, Electrical and Computer Engineering,
Sungkyunkwan University,
2066 Seo-ro Jangan-gu,
Suwon, Gyeonggi-do 16419,
Republic of Korea.
EMail: timkim@skku.edu
Chaehong Chung -
Department of Electronic, Electrical and Computer Engineering,
Sungkyunkwan University,
2066 Seo-ro Jangan-gu,
Suwon, Gyeonggi-do 16419,
Republic of Korea.
EMail: darkhong@skku.edu
Susan Hares -
Huawei,
7453 Hickory Hill,
Saline, MI 48176,
USA.
EMail: shares@ndzh.com
Diego R. Lopez -
Telefonica I+D,
Jose Manuel Lara, 9,
Seville, 41013,
Spain.
EMail: diego.r.lopez@telefonica.com
The following changes are made from draft-ietf-i2nsf-registration-interface-dm-25:
This version replaces Network Management Operator System with Network
Operator Management System according to