I2NSF Registration Interface YANG Data Model for NSF Capability Registration
Department of Computer Engineering
Myongji University116 Myongji-ro, Cheoin-guYonginGyeonggi-do17058Republic of Koreashyun@mju.ac.kr
Department of Computer Science and Engineering
Sungkyunkwan University2066 Seobu-Ro, Jangan-GuSuwonGyeonggi-Do16419Republic of Korea+82 31 299 4957+82 31 290 7996pauljeong@skku.eduhttp://iotlab.skku.edu/people-jaehoon-jeong.php
Department of Electronic, Electrical and Computer Engineering
Sungkyunkwan University2066 Seobu-Ro, Jangan-GuSuwonGyeonggi-Do16419Republic of Korea+82 31 290 7222+82 31 299 6673tkroh0198@skku.edu
Department of Electronic, Electrical and Computer Engineering
Sungkyunkwan University2066 Seobu-Ro, Jangan-GuSuwonGyeonggi-Do16419Republic of Korea+82 31 290 7222+82 31 299 6673dnl9795@skku.edu
Electronics and Telecommunications Research Institute
218 Gajeong-Ro, Yuseong-GuDaejeon305-700Republic of Korea+82 42 860 6514pjs@etri.re.kr
Security
I2NSF Working GroupInternet-Draft
This document defines an information model and a YANG data
model for the Registration Interface between Security Controller
and Developer's Management System (DMS) in the Interface to
Network Security Functions (I2NSF) framework to register
Network Security Functions (NSF) of the DMS with the Security
Controller. The objective of these information and data models
is to support NSF capability registration and query via I2NSF
Registration Interface.
A number of Network Security Functions (NSF) may exist in the
Interface to Network Security Functions (I2NSF) framework
. Since each of these NSFs likely has
different security capabilities from each other, it is important
to register the security capabilities of the NSFs to the Security
Controller (i.e., Network Management Operator System). In addition, it is required to search NSFs of some
required security capabilities on demand. As an example, if
additional security capabilities are required to serve some
security service request(s) from an I2NSF User, the security
controller SHOULD be able to request the DMS for NSFs that have
the required security capabilities.
As the main focus of the YANG module defined in
is to define
the security capabilities of an NSF, it lacks in some information
(e.g., network access information to an NSF) needed by the Security
Controller. This information can be provided by the
DMS as it is the vendor system that provides and deploys the NSFs.
Hence, this document provides extended information for
the I2NSF Registration Interface.
This document describes an information model (see
) and an extended YANG
data model from I2NSF Capability YANG
data model
(see ) for the I2NSF
Registration Interface between the
Security Controller and the developer's management system (DMS)
to support NSF capability registration and query via the
registration interface. It also describes the operations which
SHOULD be performed by the Security Controller and the DMS via the
Registration Interface using the defined model.
Note that in either NETCONF or RESTCONF
parlance through the I2NSF Registration
Interface, the Security Controller is the client, and the DMS is
the server because the Security Controller and DMS run the client
and server for either NETCONF or RESTCONF, respectively.
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and
"OPTIONAL" in this document are to be interpreted as described in BCP 14
when, and only
when, they appear in all capitals, as shown here.
This document uses the following terms defined in ,
and .
Network Security Function (NSF): A function that is
responsible for a specific treatment of received packets.
A Network Security Function can act at various layers of a
protocol stack (e.g., at the network layer or other OSI layers).
Sample Network Security Service Functions are as follows:
Firewall, Intrusion Prevention/Detection System (IPS/IDS),
Deep Packet Inspection (DPI), Application Visibility and Control
(AVC), network virus and malware scanning, sandbox, Data Loss
Prevention (DLP), Distributed Denial of Service (DDoS)
mitigation and TLS proxy.
Data Model: Data Models define managed objects at a lower
level of abstraction, which include implementation- and
protocol-specific details, e.g., rules that explain how to
map managed objects onto lower-level protocol constructs
.
Information Model: Information Models are primarily useful
for designers to describe the managed environment, for
operators to understand the modeled objects, and for
implementers as a guide to the functionality that must be
described and coded in the Data Models .
YANG: This document follows the guidelines of , uses the common YANG types defined in , and adopts the Network Management Datastore
Architecture (NMDA) . The meaning of
the symbols in tree diagrams is defined in
.
Registering NSFs with the I2NSF framework: Developer's Management
System (DMS) in I2NSF framework is typically run by an NSF
vendor, and uses Registration Interface to provide NSFs information
(i.e., capability, specification, and access information)
developed by the NSF vendor to Security Controller. Since
there may be multiple vendors that provide NSFs for a target network,
the I2NSF Registration Interface can be used as a standard
interface for the DMSs to provide NSFs capability information
to the Security Controller. For the registered NSFs,
Security Controller maintains a catalog of the capabilities
of those NSFs to select appropriate NSFs for the requested
security services. Note that the I2NSF User and the vendor should
exchange information for the discovery of Security Controller and
DMS during the subscription of the security service. The I2NSF
User should provide the Security Controller information (e.g.,
access information) to the DMS for the NSFs registration, and the
vendor should provide the DMS information (e.g., access information
and the types of NSFs managed by the DMS) to the Security Controller
for allowing such connections. The method of exchanging this
information can be done either manually or dynamically (e.g.,
through the new options of I2NSF information in both DHCP
and DHCPv6 ).
This actual method is out of the scope of this document.
Updating the capabilities of registered NSFs: After an NSF
is registered with Security Controller, some modifications
on the capability of the NSF MAY be required later. In this
case, DMS uses Registration Interface to deliver the update
of the capability of the NSF to the Security Controller,
and this update MUST be reflected on the catalog of NSFs
existing in the Security Controller. That is, the Security Controller
should check for updates of the NSFs to the DMS periodically,
and the DMS sends the updated NSF capability information
to the Security Controller. The Security Controller updates
its catalog of NSFs with the updated NSF capability information.
Asking DMS about some required capabilities: In cases that
some security capabilities are required to serve the
security service request from an I2NSF User, the Security
Controller searches through the registered NSFs to find
ones that can provide the required capabilities. But
Security Controller might fail to find any NSFs having the
required capabilities among the registered NSFs. In this
case, Security Controller needs to request DMS for
additional NSF(s) information that can provide the required
security capabilities via Registration Interface.
The I2NSF registration interface is used by Security Controller
and Developer's Management System (DMS) in I2NSF framework.
shows the information model of the I2NSF registration interface,
which consists of two submodels: NSF capability registration and
NSF capability query. Each submodel is used for the operations
listed above. The remainder of this section will provide in-depth
explanation of each submodel. The consideration of the design
of the data model is based on the procedure and mechanism discussed
in Section 8 of ,
which discusses I2NSF Framework with Network Functions
Virtualization (NFV) .
This submodel is used by the DMS to register the capabilities of NSFs with the
request of the Security Controller.
shows how this submodel is constructed. The most important
part in is the NSF
capability, and this specifies the set of capabilities that
the NSF to be registered can offer. The NSF Name contains a
unique name of this NSF with the specified set of
capabilities. The NSF name MUST be unique within the registered
NSFs in the Security Controller to identify the NSF with the
capability. The name can be an arbitrary string including
Fully Qualified Domain Name (FQDN). To make sure each vendor
does not provide a duplicated name, the name should include
the vendor's name (e.g., firewall-cisco, firewall-huawei).
When registering the NSF, DMS additionally
includes the network access information of the NSF which is
required to enable network communications with the NSF.
The following sections will further explain the NSF capability
information and the NSF access information in more detail.
NSF Capability Information basically describes the
security capabilities of an NSF. In
, we show
capability objects of an NSF. Following the information
model of NSF capabilities defined in
,
we share the same I2NSF security capabilities: Directional
Capabilities, Event Capabilities, Condition Capabilities,
Action Capabilities, Resolution Strategy Capabilities,
Default Action Capabilities. Also, NSF Capability
Information additionally contains the specification
of an NSF as shown in
.
This information represents the specification information
(e.g., CPU, memory, disk, and bandwidth) of
an NSF. As illustrated in ,
this information consists of CPU, memory, disk, and
bandwidth. The CPU information describes the Central Processing
Unit (CPU) used by the NSF. The information consists of
model name, cores, clock speed, and threads.
The memory information describes the hardware that stores
information temporarily, i.e., Random Access Memory (RAM).
The information consists of RAM maximum capacity and RAM speed.
The disk information describes the storage information,
i.e., Hard Disk and Solid-State Drive. The information
given is the maximum capacity of the storage available
in the NSF.
Bandwidth describes the information about available network amount in two cases,
such as outbound and inbound. Assuming that the current throughput status of each
NSF is being collected through NSF monitoring
,
this capability information of the NSF can be used to
determine whether the NSF is in congestion or not by comparing
it with the current throughput of the NSF.
NSF Access Information contains the following that
are required to communicate with an NSF through NETCONF
or RESTCONF :
an IP address (i.e., IPv4 or IPv6 address) and a port number.
Note that TCP is used as a transport layer protocol due to either
NETCONF or RESTCONF. In this document, NSF Access Information is
used to identify a specific NSF instance. That is, NSF Access
Information is the signature (i.e., unique identifier) of an
NSF instance in the overall I2NSF system.
The deployed NSFs may require to be updated to improve the quality
of the security service. The Security Controller can request
for an update
Security Controller MAY require some additional capabilities
to serve the security service request from an I2NSF User, but
none of the registered NSFs has the required capabilities. In
this case, Security Controller makes a description of the
required capabilities by using the NSF capability information
submodel in , and
sends DMS a query about which NSF(s) can provide these
capabilities.
This section provides the YANG Tree diagram of the I2NSF registration interface.
A simplified graphical representation of the data model is
used in this section. The meaning of the symbols used in
the following diagrams is as
follows:
Brackets "[" and "]" enclose list keys.
Abbreviations before data node names: "rw" means
configuration (read-write) and "ro" state data
(read-only).
Symbols after data node names: "?" means an optional
node and "*" denotes a "list" and "leaf-list".
Parentheses enclose choice and case nodes, and case
nodes are also marked with a colon (":").
Ellipsis ("...") stands for contents of subtrees that
are not shown.
The I2NSF Registration Interface is used by the Developer's
Management System (DMS) to register NSFs and their capabilities
with the Security Controller. Also, in case that the Security Controller
fails to find any NSF among the registered NSFs which can
provide some required capabilities, Security Controller
uses the registration interface to query DMS about NSF(s)
having the required capabilities. The following sections
describe the YANG data models to support these operations.
This section describes the YANG tree for the NSF
capability registration and capability query.
When a Security Controller requests security services to
the DMS, DMS uses the I2NSF Capability YANG Data Model
to describe what capabilities the NSFs can offer.
Security Controller makes a description of the required
capabilities and then queries DMS about
which NSF(s) can provide these capabilities.
DMS includes the access information of the NSF
which is required to make a network connection with the
NSF as well as the specification of the NSFs.
The NSF access information consists of ip, port,
and management-protocol. The field of ip can have either
an IPv4 address or an IPv6 address. The port field is used
to get the transport protocol port number. As I2NSF uses a
YANG data model, the management protocol can be either
NETCONF or RESTCONF.
The credential management for accessing the NSFs is handled
by pre-negotiation with every DMS. This management is out
of the scope of this document.
The DMS can also include the resource information in
terms of CPU, memory, disk, and network
bandwidth of the NSF. Detailed overview of NSF specification
can be seen in .
This section describes the YANG tree for the NSF capability
update.
This YANG data model is used to update the registered NSFs.
The update operation started by the Security Controller
requesting an updated version of the existing NSFs. This
request can be done periodically to get a new update for the
NSFs.
To request for an update, the Security Controller can send
the registered NSF's name and its current version.
If an update is available, the DMS can update the NSF and
inform the Security Controller about the changes from the
update with positive response. If no such update, the DMS
can reply with a negative response (i.e., rpc-error).
This section provides a YANG module of the data model for
the registration interface between Security Controller and
Developer's Management System, as defined in
.
This YANG module imports from and
.
It makes references to
This document requests IANA to register the following URI in the
"IETF XML Registry" :
This document requests IANA to register the following YANG
module in the "YANG Module Names" registry
:
The YANG module specified in this document defines a data schema designed
to be accessed through network management protocols such as NETCONF
or RESTCONF . The lowest NETCONF layer is the
secure transport layer, and the required secure transport is Secure Shell (SSH)
. The lowest RESTCONF layer is HTTPS, and the
required secure transport is TLS .
The NETCONF access control model provides a
means of restricting access to specific NETCONF or RESTCONF users to a
preconfigured subset of all available NETCONF or RESTCONF protocol
operations and content.
The architecture of I2NSF Framework presents a risk to the
implementation of security detection and mitigation activities.
The risks of externally operated NSFs are discussed in Section 4
(Threats Associated with Externally Provided NSFs) of
.
It is important to have an authentication and authorization
method between the communication of the Security Controller and
the DMS. The following are threats that need to be considered and mitigated:
It can send falsified information to the Security Controller
to mislead existing detection or mitigation devices.
Currently, there is no in-framework mechanism to mitigate this,
and it is an issue for such infrastructures. It is important to keep
confidential information from unauthorized persons to mitigate
the possibility of compromising the DMS with this information.
This involves a system trying to send false information
while imitating as a DMS; client authentication would help
the Security Controller to identify this invalid DMS.
The YANG module defined in this document extends the YANG module
described in .
Hence, this document shares all the security issues
that are specified in Section 9 of
.
There are a number of extended data nodes defined in this YANG module that are
writable/creatable/deletable (i.e., config true, which is the default).
These data nodes MAY be considered sensitive or vulnerable in some
network environments. Write operations (e.g., edit-config) to these data
nodes without proper protection can have a negative effect on network
operations. These are the subtrees and data nodes and their
sensitivity/vulnerability:
nsf-specification: The attacker may provide
incorrect information of the specification of
any target NSF by modifying this.
nsf-access-info: The attacker may provide incorrect network
access information of any target NSF by modifying
this.
Some of the readable extended data nodes in this YANG module MAY be
considered sensitive or vulnerable in some network
environments. It is thus important to control read access
(e.g., via get, get-config, or notification) to these data
nodes. These are the subtrees and data nodes and their
sensitivity/vulnerability:
nsf-specification: The attacker may gather the
specification information of any target NSF and
misuse the information for subsequent attacks.
nsf-access-info: The attacker may gather the network
access information of any target NSF and misuse the
information for subsequent attacks.
The RPC operation in this YANG module MAY be considered
sensitive or vulnerable in some network environments. It is
thus important to control access to this operation. The
following is the operation and its sensitivity/vulnerability:
nsf-capability-query: The attacker may exploit this RPC
operation to deteriorate the availability of the DMS
and/or gather the information of some interested NSFs
from the DMS. Some of the product capabilities provided
by a vendor may be publicly known, the DMS should provide
an authentication and authorization method to make sure
this node cannot be used for exploitation.
Network Functions Virtualisation (NFV); Architectureal Framework
This section shows XML examples of the I2NSF Registration
Interface data model for registering the capabilities in
either IPv4 networks or IPv6
networks with Security Controller.
shows the query for NSF(s) that can inspect
IPv4 source address, destination address, and URL.
shows the reply for the
configuration XML for registering a general firewall and a web filter
in an IPv4 network and their capabilities.
The general firewall registered is as follows.
The first instance name of the NSF is ipv4_general_firewall.
The version used is 1.2.0.
The NSF can inspect IPv4 protocol header field, source
address(es), and destination address(es).
The NSF can inspect the port number(s) for the transport
layer protocol, i.e., TCP.
The NSF can determine whether the packets are allowed to
pass, drop, or mirror.
The NSF's CPU model is Intel(R) Core(TM) i7-10510U.
The clock speed is 1800 MHz, with 4 cores and 8 total threads.
The NSF's memory capacity is 8192 MB with the speed 2667 MHz.
The NSF's storage can hold maximum 239000 MB.
The network bandwidth available on the NSF is 1 GBps for
both the outbound traffic and inbound traffic.
The IPv4 address of the NSF is 192.0.2.11.
The port of the NSF is 49152 using the NETCONF protocol.
The web filter registered is as follows.
The first instance name of the NSF is ipv4_web_filter.
The version used is 1.1.0.
The NSF can inspect a URL matched from a user-defined URL.
User can specify their own URL.
The NSF can determine whether the packets are allowed to
pass, drop, or mirror.
The NSF's CPU model is Intel(R) Core(TM) i7-10510U.
The clock speed is 1800 MHz, with 4 cores and 8 total threads.
The NSF's memory capacity is 8192 MB with the speed 2667 MHz.
The NSF's storage can hold maximum 239000 MB.
The network bandwidth available on the NSF is 1 GBps for
both the outbound traffic and inbound traffic.
The IPv4 address of the NSF is 192.0.2.12.
The port of the NSF is 49152 using the NETCONF protocol.
In addition, and shows
the query and reply message for the configuration XML for registering a general firewall in
an IPv6 network and webfilter with their
capabilities.
The instance name of the NSF is ipv6_general_firewall.
The version used is 1.2.0.
The NSF can inspect IPv6 next header, flow direction,
source address(es), and destination address(es)
The NSF can inspect the port number(s) and flow direction
for the transport layer protocol, i.e., TCP.
The NSF can determine whether the packets are allowed to
pass, drop, or mirror.
The NSF's CPU model is Intel(R) Core(TM) i7-10510U.
The clock speed is 1800 MHz, with 4 cores and 8 total threads.
The NSF's memory capacity is 8192 MB with the speed 2667 MHz.
The NSF's storage can hold maximum 239 GB.
The network bandwidth available on the NSF is 1 GBps for
both the outbound and inbound traffics.
The IPv6 address of the NSF is 2001:db8:0:1::11.
The port of the NSF is 49153 using the NETCONF protocol.
The web filter registered is as follows.
The first instance name of the NSF is ipv6_web_filter.
The version used is 1.1.0.
The NSF can inspect a URL matched from a user-defined URL.
User can specify their own URL.
The NSF can determine whether the packets are allowed to
pass, drop, or mirror.
The NSF's CPU model is Intel(R) Core(TM) i7-10510U.
The clock speed is 1800 MHz, with 4 cores and 8 total threads.
The NSF's memory capacity is 8192 MB with the speed 2667 MHz.
The NSF's storage can hold maximum 239000 MB.
The network bandwidth available on the NSF is 1 GBps for
both the outbound traffic and inbound traffic.
The IPv4 address of the NSF is 2001:db8:0:1::12.
The port of the NSF is 49153 using the NETCONF protocol.
This section shows an XML example of the Security Controller
requesting an update for an NSF. In this example, the Security
Controller requests an update for the registered General Firewall
for the IPv4 network. To do so, it makes a query as follows:
After receiving a query given in ,
the DMS can reply with following XML:
shows
the XML for requesting an update for the NSF named ipv4_general_firewall.
In the reply shown in ,
the NSF has been updated with a new version (i.e., 2.0.0) and extended capabilities
(i.e., inspect the port number(s) for UDP packets).
Network Functions Virtualization (called NFV) can be used to implement
I2NSF framework. In NFV environments, NSFs are deployed as
virtual network functions (VNFs). Security Controller can be
implemented as an Element Management (EM) of the NFV
architecture, and is connected with the VNF Manager (VNFM) via
the Ve-Vnfm interface . Security
Controller can use this interface for the purpose of the
lifecycle management of NSFs. If some NSFs need to be
instantiated to enforce security policies in the I2NSF
framework, Security Controller could request the VNFM to
instantiate them through the DMS having the Ve-Vnfm interface
with the VNFM. Refer to Section 8 of
for the detailed description on I2NSF Framework with NFV.
Or if an NSF, running as a VNF, is not used by any flows
for a time period, Security Controller may request
deinstantiating it through the DMS having the Ve-Vnfm
interface with the VNFM for efficient resource utilization.
This document is a product by the I2NSF Working Group (WG) including
WG Chairs (i.e., Linda Dunbar and Yoav Nir) and Diego Lopez.
This document took advantage of the review and comments from the following people:
Roman Danyliw, Reshad Rahman (YANG doctor), and Tom Petch.
We authors sincerely appreciate their sincere efforts and kind help.
This work was supported by Institute of Information &
Communications Technology Planning & Evaluation (IITP) grant funded by
the Korea MSIT (Ministry of Science and ICT) (No. 2016-0-00078, Cloud Based
Security Intelligence Technology Development for the Customized
Security Service Provisioning).
This work was supported in part by the IITP (2020-0-00395-003, Standard
Development of Blockchain based Network Management Automation Technology).
The following are co-authors of this document:
Patrick Lingga -
Department of Electrical and Computer Engineering,
Sungkyunkwan University,
2066 Seo-ro Jangan-gu,
Suwon, Gyeonggi-do 16419,
Republic of Korea.
EMail: patricklink@skku.edu
Jinyong (Tim) Kim -
Department of Electronic, Electrical and Computer Engineering,
Sungkyunkwan University,
2066 Seo-ro Jangan-gu,
Suwon, Gyeonggi-do 16419,
Republic of Korea.
EMail: timkim@skku.edu
Chaehong Chung -
Department of Electronic, Electrical and Computer Engineering,
Sungkyunkwan University,
2066 Seo-ro Jangan-gu,
Suwon, Gyeonggi-do 16419,
Republic of Korea.
EMail: darkhong@skku.edu
Susan Hares -
Huawei,
7453 Hickory Hill,
Saline, MI 48176,
USA.
EMail: shares@ndzh.com
Diego R. Lopez -
Telefonica I+D,
Jose Manuel Lara, 9,
Seville, 41013,
Spain.
EMail: diego.r.lopez@telefonica.com
The following changes are made from draft-ietf-i2nsf-registration-interface-dm-22:
This version has reflected the 2nd AD Review of Roman Danyliw.