idnits 2.17.1 draft-ietf-i2nsf-applicability-09.txt: Checking boilerplate required by RFC 5378 and the IETF Trust (see https://trustee.ietf.org/license-info): ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt: ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/checklist : ---------------------------------------------------------------------------- ** The document seems to lack an IANA Considerations section. (See Section 2.2 of https://www.ietf.org/id-info/checklist for how to handle the case when there are no actions for IANA.) Miscellaneous warnings: ---------------------------------------------------------------------------- == The copyright year in the IETF Trust and authors Copyright Line does not match the current year -- The document date (March 11, 2019) is 1863 days in the past. Is this intentional? Checking references for intended status: Informational ---------------------------------------------------------------------------- -- Obsolete informational reference (is this intentional?): RFC 4566 (Obsoleted by RFC 8866) Summary: 1 error (**), 0 flaws (~~), 1 warning (==), 2 comments (--). Run idnits with the --verbose option for more detailed information about the items above. -------------------------------------------------------------------------------- 2 I2NSF Working Group J. Jeong 3 Internet-Draft Sungkyunkwan University 4 Intended status: Informational S. Hyun 5 Expires: September 12, 2019 Chosun University 6 T. Ahn 7 Korea Telecom 8 S. Hares 9 Huawei 10 D. Lopez 11 Telefonica I+D 12 March 11, 2019 14 Applicability of Interfaces to Network Security Functions to Network- 15 Based Security Services 16 draft-ietf-i2nsf-applicability-09 18 Abstract 20 This document describes the applicability of Interface to Network 21 Security Functions (I2NSF) to network-based security services in 22 Network Functions Virtualization (NFV) environments, such as 23 firewall, deep packet inspection, or attack mitigation engines. 25 Status of This Memo 27 This Internet-Draft is submitted in full conformance with the 28 provisions of BCP 78 and BCP 79. 30 Internet-Drafts are working documents of the Internet Engineering 31 Task Force (IETF). Note that other groups may also distribute 32 working documents as Internet-Drafts. The list of current Internet- 33 Drafts is at https://datatracker.ietf.org/drafts/current/. 35 Internet-Drafts are draft documents valid for a maximum of six months 36 and may be updated, replaced, or obsoleted by other documents at any 37 time. It is inappropriate to use Internet-Drafts as reference 38 material or to cite them other than as "work in progress." 40 This Internet-Draft will expire on September 12, 2019. 42 Copyright Notice 44 Copyright (c) 2019 IETF Trust and the persons identified as the 45 document authors. All rights reserved. 47 This document is subject to BCP 78 and the IETF Trust's Legal 48 Provisions Relating to IETF Documents 49 (https://trustee.ietf.org/license-info) in effect on the date of 50 publication of this document. Please review these documents 51 carefully, as they describe your rights and restrictions with respect 52 to this document. Code Components extracted from this document must 53 include Simplified BSD License text as described in Section 4.e of 54 the Trust Legal Provisions and are provided without warranty as 55 described in the Simplified BSD License. 57 Table of Contents 59 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2 60 2. Terminology . . . . . . . . . . . . . . . . . . . . . . . . . 3 61 3. I2NSF Framework . . . . . . . . . . . . . . . . . . . . . . . 5 62 4. Time-dependent Web Access Control Service . . . . . . . . . . 6 63 5. I2NSF Framework with SFC . . . . . . . . . . . . . . . . . . 8 64 6. I2NSF Framework with SDN . . . . . . . . . . . . . . . . . . 10 65 6.1. Firewall: Centralized Firewall System . . . . . . . . . . 13 66 6.2. Deep Packet Inspection: Centralized VoIP/VoLTE Security 67 System . . . . . . . . . . . . . . . . . . . . . . . . . 14 68 6.3. Attack Mitigation: Centralized DDoS-attack Mitigation 69 System . . . . . . . . . . . . . . . . . . . . . . . . . 16 70 7. I2NSF Framework with NFV . . . . . . . . . . . . . . . . . . 19 71 8. Security Considerations . . . . . . . . . . . . . . . . . . . 20 72 9. Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . 20 73 10. Contributors . . . . . . . . . . . . . . . . . . . . . . . . 21 74 11. References . . . . . . . . . . . . . . . . . . . . . . . . . 21 75 11.1. Normative References . . . . . . . . . . . . . . . . . . 21 76 11.2. Informative References . . . . . . . . . . . . . . . . . 22 77 Appendix A. Changes from draft-ietf-i2nsf-applicability-08 . . . 25 78 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 25 80 1. Introduction 82 Interface to Network Security Functions (I2NSF) defines a framework 83 and interfaces for interacting with Network Security Functions 84 (NSFs). Note that Network Security Function (NSF) is defined as a 85 funcional block for a security service within an I2NSF framework that 86 has well-defined I2NSF NSF-facing interface and other external 87 interfaces and well-defined functional behavior [NFV-Terminology]. 89 The I2NSF framework allows heterogeneous NSFs developed by different 90 security solution vendors to be used in the Network Functions 91 Virtualization (NFV) environment [ETSI-NFV] by utilizing the 92 capabilities of such products and the virtualization of security 93 functions in the NFV platform. In the I2NSF framework, each NSF 94 initially registers the profile of its own capabilities into the 95 system in order for themselves to be available in the system. In 96 addition, the Security Controller is validated by the I2NSF User 97 (also called I2NSF Client) that a system administrator (as a user) is 98 employing, so that the system administrator can request security 99 services through the Security Controller. 101 This document illustrates the applicability of the I2NSF framework 102 with four different scenarios: 104 1. The enforcement of time-dependent web access control. 106 2. The application of I2NSF to a Service Function Chaining (SFC) 107 environment [RFC7665]. 109 3. The integration of the I2NSF framework with Software-Defined 110 Networking (SDN) [RFC7149] to provide different security 111 functionality such as firewalls [opsawg-firewalls], Deep Packet 112 Inspection (DPI), and Distributed Denial of Service (DDoS) attack 113 mitigation. 115 4. The use of Network Functions Virtualization (NFV) [ETSI-NFV] as a 116 supporting technology. 118 The implementation of I2NSF in these scenarios has allowed us to 119 verify the applicability and effectiveness of the I2NSF framework for 120 a variety of use cases. 122 2. Terminology 124 This document uses the terminology described in [RFC7665], [RFC7149], 125 [ITU-T.Y.3300], [ONF-OpenFlow], [ONF-SDN-Architecture], 126 [ITU-T.X.1252], [ITU-T.X.800], [NFV-Terminology], [RFC8329], 127 [i2nsf-terminology], [consumer-facing-inf-dm], [i2nsf-nsf-cap-im], 128 [nsf-facing-inf-dm], [registration-inf-dm], and 129 [nsf-triggered-steering]. In addition, the following terms are 130 defined below: 132 o Software-Defined Networking (SDN): A set of techniques that 133 enables to directly program, orchestrate, control, and manage 134 network resources, which facilitates the design, delivery and 135 operation of network services in a dynamic and scalable manner 136 [ITU-T.Y.3300]. 138 o Network Function: A funcional block within a network 139 infrastructure that has well-defined external interfaces and well- 140 defined functional behavior [NFV-Terminology]. 142 o Network Security Function (NSF): A funcional block within a 143 security service within a network infrastructure that has well- 144 defined external interfaces and well-defined functional 145 behavior[NFV-Terminology]. 147 o Network Functions Virtualization (NFV): A principle of separating 148 network functions (or network security functions) from the 149 hardware they run on by using virtual hardware abstraction 150 [NFV-Terminology]. 152 o Service Function Chaining (SFC): The execution of an ordered set 153 of abstract service functions (i.e., network functions) according 154 to ordering constraints that must be applied to packets, frames, 155 and flows selected as a result of classification. The implied 156 order may not be a linear progression as the architecture allows 157 for SFCs that copy to more than one branch, and also allows for 158 cases where there is flexibility in the order in which service 159 functions need to be applied [RFC7665]. 161 o Firewall: A service function at the junction of two network 162 segments that inspects some suspicious packets that attempt to 163 cross the boundary. It also rejects any packet that does not 164 satisfy certain criteria for, for example, disallowed port numbers 165 or IP addresses. 167 o Centralized Firewall System: A centralized firewall that can 168 establish and distribute policy rules into network resources for 169 efficient firewall management. 171 o Centralized VoIP Security System: A centralized security system 172 that handles the security functions required for VoIP and VoLTE 173 services. 175 o Centralized DDoS-attack Mitigation System: A centralized mitigator 176 that can establish and distribute access control policy rules into 177 network resources for efficient DDoS-attack mitigation. 179 +------------+ 180 | I2NSF User | 181 +------------+ 182 ^ 183 | Consumer-Facing Interface 184 v 185 +-------------------+ Registration +-----------------------+ 186 |Security Controller|<-------------------->|Developer's Mgmt System| 187 +-------------------+ Interface +-----------------------+ 188 ^ 189 | NSF-Facing Interface 190 v 191 +----------------+ +---------------+ +-----------------------+ 192 | NSF-1 |-| NSF-2 |...| NSF-n | 193 | (Firewall) | | (Web Filter) | |(DDoS-Attack Mitigator)| 194 +----------------+ +---------------+ +-----------------------+ 196 Figure 1: I2NSF Framework 198 3. I2NSF Framework 200 This section summarizes the I2NSF framework as defined in [RFC8329]. 201 As shown in Figure 1, an I2NSF User can use security functions by 202 delivering high-level security policies, which specify security 203 requirements that the I2NSF user wants to enforce, to the Security 204 Controller via the Consumer-Facing Interface 205 [consumer-facing-inf-dm]. 207 The Security Controller receives and analyzes the high-level security 208 policies from an I2NSF User, and identifies what types of security 209 capabilities are required to meet these high-level security policies. 210 The Security Controller then identifies NSFs that have the required 211 security capabilities, and generates low-level security policies for 212 each of the NSFs so that the high-level security policies are 213 eventually enforced by those NSFs [policy-translation]. Finally, the 214 Security Controller sends the generated low-level security policies 215 to the NSFs [i2nsf-nsf-cap-im][nsf-facing-inf-dm]. 217 The Security Controller requests NSFs to perform low-level security 218 services via the NSF-Facing Interface. As shown in Figure 1, with a 219 Developer's Management System (DMS), developers (or vendors) inform 220 the Security Controller of the capabilities of the NSFs through the 221 I2NSF Registration Interface [registration-inf-dm] for registering 222 (or deregistering) the corresponding NSFs. Note that an inside 223 attacker at the DMS can seriously weaken the I2NSF system's security. 224 To deal with this type of threat, the role of the DMS should be 225 restricted to providing an I2NSF system with the software package/ 226 image for NSF execution, and the DMS should never be able to access 227 NSFs in online/activated status for the I2NSF system's security. On 228 the other hand, an access to running (online) NSFs should be allowed 229 only to the Security Controller, not the DMS. Also, the Security 230 Controller can detect and prevent inside attacks by monitoring the 231 activity of all the DMSs as well as the NSFs through the I2NSF NSF 232 monitoring functionality [nsf-monitoring-dm]. 234 The Consumer-Facing Interface between an I2NSF User and the Security 235 Controller can be implemented using, for example, RESTCONF [RFC8040]. 236 Data models specified by YANG [RFC6020] describe high-level security 237 policies to be specified by an I2NSF User. The data model defined in 238 [consumer-facing-inf-dm] can be used for the I2NSF Consumer-Facing 239 Interface. 241 The NSF-Facing Interface between the Security Controller and NSFs can 242 be implemented using NETCONF [RFC6241]. YANG data models describe 243 low-level security policies for the sake of NSFs, which are 244 translated from the high-level security policies by the Security 245 Controller. The data model defined in [nsf-facing-inf-dm] can be 246 used for the I2NSF NSF-Facing Interface. 248 The Registration Interface between the Security Controller and the 249 Developer's Management System can be implemented by RESTCONF 250 [RFC8040]. The data model defined in [registration-inf-dm] can be 251 used for the I2NSF Registration Interface. 253 Also, the I2NSF framework can enforce multiple chained NSFs for the 254 low-level security policies by means of SFC techniques for the I2NSF 255 architecture described in [nsf-triggered-steering]. 257 The following sections describe different security service scenarios 258 illustrating the applicability of the I2NSF framework. 260 4. Time-dependent Web Access Control Service 262 This service scenario assumes that an enterprise network 263 administrator wants to control the staff members' access to a 264 particular Internet service (e.g., Example.com) during business 265 hours. The following is an example high-level security policy rule 266 for a web filter that the administrator requests: Block the staff 267 members' access to Example.com from 9 AM to 6 PM. Figure 2 is an 268 example XML code for this web filter: 270 271 block_website 272 273 Staff_Member's_PC 274 Example.com 275 9:00AM 276 -6:00PM 277 278 block 279 281 Figure 2: An XML Example for Time-based Web-filter 283 The security policy name is "block_website" with the tag "name". The 284 filtering condition has the source group "Staff_Member's_PC" with the 285 tag "src", the destination website "Example.com" with the tag "dest", 286 the filtering start time is the time "9:00AM" with the tag " time- 287 span-start", and the filtering end time is the time "6:00PM" with the 288 tag "time-span-end". The action is to "block" the packets satisfying 289 the above condition, that is, to drop those packets. 291 After receiving the high-level security policy, the Security 292 Controller identifies required security capabilities, e.g., IP 293 address and port number inspection capabilities and URL inspection 294 capability. In this scenario, it is assumed that the IP address and 295 port number inspection capabilities are required to check whether a 296 received packet is an HTTP packet from a staff member. The URL 297 inspection capability is required to check whether the target URL of 298 a received packet is in the Example.com domain or not. 300 The Security Controller maintains the security capabilities of each 301 NSF running in the I2NSF system, which have been reported by the 302 Developer's Management System via the Registration interface. Based 303 on this information, the Security Controller identifies NSFs that can 304 perform the IP address and port number inspection and URL inspection 305 [policy-translation]. In this scenario, it is assumed that an NSF of 306 firewall has the IP address and port number inspection capabilities 307 and an NSF of web filter has URL inspection capability. 309 The Security Controller generates low-level security rules for the 310 NSFs to perform IP address and port number inspection, URL 311 inspection, and time checking. Specifically, the Security Controller 312 may interoperate with an access control server in the enterprise 313 network in order to retrieve the information (e.g., IP address in 314 use, company identifier (ID), and role) of each employee that is 315 currently using the network. Based on the retrieved information, the 316 Security Controller generates low-level security rules to check 317 whether the source IP address of a received packet matches any one 318 being used by a staff member. In addition, the low-level security 319 rules should be able to determine that a received packet is of HTTP 320 protocol. The low-level security rules for web filter check that the 321 target URL field of a received packet is equal to Example.com. 322 Finally, the Security Controller sends the low-level security rules 323 of the IP address and port number inspection to the NSF of firewall 324 and the low-level rules for URL inspection to the NSF of web filter. 326 The following describes how the time-dependent web access control 327 service is enforced by the NSFs of firewall and web filter. 329 1. A staff member tries to access Example.com during business hours, 330 e.g., 10 AM. 332 2. The packet is forwarded from the staff member's device to the 333 firewall, and the firewall checks the source IP address and port 334 number. Now the firewall identifies the received packet is an 335 HTTP packet from the staff member. 337 3. The firewall triggers the web filter to further inspect the 338 packet, and the packet is forwarded from the firewall to the web 339 filter. SFC technology can be utilized to support such packet 340 forwarding in the I2NSF framework [nsf-triggered-steering]. 342 4. The web filter checks the target URL field of the received 343 packet, and realizes the packet is toward Example.com. The web 344 filter then checks that the current time is in business hours. 345 If so, the web filter drops the packet, and consequently the 346 staff member's access to Example.com during business hours is 347 blocked. 349 5. I2NSF Framework with SFC 351 In the I2NSF architecture, an NSF can trigger an advanced security 352 action (e.g., DPI or DDoS attack mitigation) on a packet based on the 353 result of its own security inspection of the packet. For example, a 354 firewall triggers further inspection of a suspicious packet with DPI. 355 For this advanced security action to be fulfilled, the suspicious 356 packet should be forwarded from the current NSF to the successor NSF. 357 SFC [RFC7665] is a technology that enables this advanced security 358 action by steering a packet with multiple service functions (e.g., 359 NSFs), and this technology can be utilized by the I2NSF architecture 360 to support the advanced security action. 362 +------------+ 363 | I2NSF User | 364 +------------+ 365 ^ 366 | Consumer-Facing Interface 367 v 368 +-------------------+ Registration +-----------------------+ 369 |Security Controller|<-------------------->|Developer's Mgmt System| 370 +-------------------+ Interface +-----------------------+ 371 ^ ^ 372 | | NSF-Facing Interface 373 | |------------------------- 374 | | 375 | NSF-Facing Interface | 376 +-----v-----------+ +------v-------+ 377 | +-----------+ | ------>| NSF-1 | 378 | |Classifier | | | | (Firewall) | 379 | +-----------+ | | +--------------+ 380 | +-----+ |<-----| +--------------+ 381 | | SFF | | |----->| NSF-2 | 382 | +-----+ | | | (DPI) | 383 +-----------------+ | +--------------+ 384 | . 385 | . 386 | . 387 | +-----------------------+ 388 ------>| NSF-n | 389 |(DDoS-Attack Mitigator)| 390 +-----------------------+ 392 Figure 3: An I2NSF Framework with SFC 394 Figure 3 shows an I2NSF framework with the support of SFC. As shown 395 in the figure, SFC generally requires classifiers and service 396 function forwarders (SFFs); classifiers are responsible for 397 determining which service function path (SFP) (i.e., an ordered 398 sequence of service functions) a given packet should pass through, 399 according to pre-configured classification rules, and SFFs perform 400 forwarding the given packet to the next service function (e.g., NSF) 401 on the SFP of the packet by referring to their forwarding tables. In 402 the I2NSF architecture with SFC, the Security Controller can take 403 responsibilities of generating classification rules for classifiers 404 and forwarding tables for SFFs. By analyzing high-level security 405 policies from I2NSF users, the Security Controller can construct SFPs 406 that are required to meet the high-level security policies, generates 407 classification rules of the SFPs, and then configures classifiers 408 with the classification rules over NSF-Facing Interface so that 409 relevant traffic packets can follow the SFPs. Also, based on the 410 global view of NSF instances available in the system, the Security 411 Controller constructs forwarding tables, which are required for SFFs 412 to forward a given packet to the next NSF over the SFP, and 413 configures SFFs with those forwarding tables over NSF-Facing 414 Interface. 416 To trigger an advanced security action in the I2NSF architecture, the 417 current NSF appends a metadata describing the security capability 418 required for the advanced action to the suspicious packet and sends 419 the packet to the classifier. Based on the metadata information, the 420 classifier searches an SFP which includes an NSF with the required 421 security capability, changes the SFP-related information (e.g., 422 service path identifier and service index [RFC8300]) of the packet 423 with the new SFP that has been found, and then forwards the packet to 424 the SFF. When receiving the packet, the SFF checks the SFP-related 425 information such as the service path identifier and service index 426 contained in the packet and forwards the packet to the next NSF on 427 the SFP of the packet, according to its forwarding table. 429 6. I2NSF Framework with SDN 431 This section describes an I2NSF framework with SDN for I2NSF 432 applicability and use cases, such as firewall, deep packet 433 inspection, and DDoS-attack mitigation functions. SDN enables some 434 packet filtering rules to be enforced in network forwarding elements 435 (e.g., switch) by controlling their packet forwarding rules. By 436 taking advantage of this capability of SDN, it is possible to 437 optimize the process of security service enforcement in the I2NSF 438 system. 440 Figure 4 shows an I2NSF framework [RFC8329] with SDN networks to 441 support network-based security services. In this system, the 442 enforcement of security policy rules is divided into the SDN 443 forwarding elements (e.g., switch running as either a hardware middle 444 box or a software virtual switch) and NSFs (e.g., firewall running in 445 a form of a virtual network function [ETSI-NFV]). Especially, SDN 446 forwarding elements enforce simple packet filtering rules that can be 447 translated into their packet forwarding rules, whereas NSFs enforce 448 NSF-related security rules requiring the security capabilities of the 449 NSFs. For this purpose, the Security Controller instructs the SDN 450 Controller via NSF-Facing Interface so that SDN forwarding elements 451 can perform the required security services with flow tables under the 452 supervision of the SDN Controller. 454 +------------+ 455 | I2NSF User | 456 +------------+ 457 ^ 458 | Consumer-Facing Interface 459 v 460 +-------------------+ Registration +-----------------------+ 461 |Security Controller|<-------------------->|Developer's Mgmt System| 462 +-------------------+ Interface +-----------------------+ 463 ^ ^ 464 | | NSF-Facing Interface 465 | v 466 | +----------------+ +---------------+ +-----------------------+ 467 | | NSF-1 |-| NSF-2 |...| NSF-n | 468 | | (Firewall) | | (DPI) | |(DDoS-Attack Mitigator)| 469 | +----------------+ +---------------+ +-----------------------+ 470 | 471 | 472 | SDN Network 473 +--|----------------------------------------------------------------+ 474 | V NSF-Facing Interface | 475 | +----------------+ | 476 | | SDN Controller | | 477 | +----------------+ | 478 | ^ | 479 | | SDN Southbound Interface | 480 | v | 481 | +--------+ +------------+ +--------+ +--------+ | 482 | |Switch-1|-| Switch-2 |-|Switch-3|.......|Switch-m| | 483 | | | |(Classifier)| | (SFF) | | | | 484 | +--------+ +------------+ +--------+ +--------+ | 485 +-------------------------------------------------------------------+ 487 Figure 4: An I2NSF Framework with SDN Network 489 As an example, let us consider two different types of security rules: 490 Rule A is a simple packet filtering rule that checks only the IP 491 address and port number of a given packet, whereas rule B is a time- 492 consuming packet inspection rule for analyzing whether an attached 493 file being transmitted over a flow of packets contains malware. Rule 494 A can be translated into packet forwarding rules of SDN forwarding 495 elements and thus be enforced by these elements. In contrast, rule B 496 cannot be enforced by forwarding elements, but it has to be enforced 497 by NSFs with anti-malware capability. Specifically, a flow of 498 packets is forwarded to and reassembled by an NSF to reconstruct the 499 attached file stored in the flow of packets. The NSF then analyzes 500 the file to check the existence of malware. If the file contains 501 malware, the NSF drops the packets. 503 In an I2NSF framework with SDN, the Security Controller can analyze 504 given security policy rules and automatically determine which of the 505 given security policy rules should be enforced by SDN forwarding 506 elements and which should be enforced by NSFs. If some of the given 507 rules requires security capabilities that can be provided by SDN 508 forwarding elements, then the Security Controller instructs the SDN 509 Controller via NSF-Facing Interface so that SDN forwarding elements 510 can enforce those security policy rules with flow tables under the 511 supervision of the SDN Controller. Or if some rules require security 512 capabilities that cannot be provided by SDN forwarding elements but 513 by NSFs, then the Security Controller instructs relevant NSFs to 514 enforce those rules. 516 The distinction between software-based SDN forwarding elements and 517 NSFs, which can both run as virtual network functions, may be 518 necessary for some management purposes in this system. For this, we 519 can take advantage of the NFV MANO where there is a subsystem that 520 maintains the descriptions of the capabilities each VNF can offer 521 [ETSI-NFV-MANO]. This subsystem can determine whether a given 522 software element (VNF instance) is an NSF or a virtualized SDN 523 switch. For example, if a VNF instance has anti-malware capability 524 according to the description of the VNF, it could be considered as an 525 NSF. A VNF onboarding system [VNF-ONBOARDING] can be used as such a 526 subsystem that maintains the descriptions of each VNF to tell whether 527 a VNF instance is for an NSF or for a virtualized SDN switch. 529 For the support of SFC in the I2NSF framework with SDN, as shown in 530 Figure 4, network forwarding elements (e.g., switch) can play the 531 role of either SFC Classifier or SFF, which are explained in 532 Section 5. Classifier and SFF have an NSF-Facing Interface with 533 Security Controller. This interface is used to update security 534 service function chaining information for traffic flows. For 535 example, when it needs to update an SFP for a traffic flow in an SDN 536 network, as shown in Figure 4, SFF (denoted as Switch-3) asks 537 Security Controller to update the SFP for the traffic flow (needing 538 another security service as an NSF) via NSF-Facing Interface. This 539 update lets Security Controller ask Classifier (denoted as Switch-2) 540 to update the mapping between the traffic flow and SFP in Classifier 541 via NSF-Facing Interface. 543 The following subsections introduce three use cases for cloud-based 544 security services: (i) firewall system, (ii) deep packet inspection 545 system, and (iii) attack mitigation system. [RFC8192] 547 6.1. Firewall: Centralized Firewall System 549 A centralized network firewall can manage each network resource and 550 apply common rules to individual network elements (e.g., switch). 551 The centralized network firewall controls each forwarding element, 552 and firewall rules can be added or deleted dynamically. 554 The procedure of firewall operations in this system is as follows: 556 1. A switch forwards an unknown flow's packet to one of the SDN 557 Controllers. 559 2. The SDN Controller forwards the unknown flow's packet to an 560 appropriate security service application, such as the Firewall. 562 3. The Firewall analyzes, typically, the headers and contents of the 563 packet. 565 4. If the Firewall regards the packet as a malicious one with a 566 suspicious pattern, it reports the malicious packet to the SDN 567 Controller. 569 5. The SDN Controller installs new rules (e.g., drop packets with 570 the suspicious pattern) into underlying switches. 572 6. The suspected packets are dropped by these switches. 574 Existing SDN protocols can be used through standard interfaces 575 between the firewall application and switches 576 [RFC7149][ITU-T.Y.3300][ONF-OpenFlow] [ONF-SDN-Architecture]. 578 Legacy firewalls have some challenges such as the expensive cost, 579 performance, management of access control, establishment of policy, 580 and packet-based access mechanism. The proposed framework can 581 resolve the challenges through the above centralized firewall system 582 based on SDN as follows: 584 o Cost: The cost of adding firewalls to network resources such as 585 routers, gateways, and switches is substantial due to the reason 586 that we need to add firewall on each network resource. To solve 587 this, each network resource can be managed centrally such that a 588 single firewall is manipulated by a centralized server. 590 o Performance: The performance of firewalls is often slower than the 591 link speed of network interfaces. Every network resource for 592 firewall needs to check firewall rules according to network 593 conditions. Firewalls can be adaptively deployed among network 594 switches, depending on network conditions in the framework. 596 o The management of access control: Since there may be hundreds of 597 network resources in a network, the dynamic management of access 598 control for security services like firewall is a challenge. In 599 the framework, firewall rules can be dynamically added for new 600 malware. 602 o The establishment of policy: Policy should be established for each 603 network resource. However, it is difficult to describe what flows 604 are permitted or denied for firewall within a specific 605 organization network under management. Thus, a centralized view 606 is helpful to determine security policies for such a network. 608 o Packet-based access mechanism: Packet-based access mechanism is 609 not enough for firewall in practice since the basic unit of access 610 control is usually users or applications. Therefore, application 611 level rules can be defined and added to the firewall system 612 through the centralized server. 614 6.2. Deep Packet Inspection: Centralized VoIP/VoLTE Security System 616 A centralized VoIP/VoLTE security system can monitor each VoIP/VoLTE 617 flow and manage VoIP/VoLTE security rules, according to the 618 configuration of a VoIP/VoLTE security service called VoIP Intrusion 619 Prevention System (IPS). This centralized VoIP/VoLTE security system 620 controls each switch for the VoIP/VoLTE call flow management by 621 manipulating the rules that can be added, deleted or modified 622 dynamically. 624 The centralized VoIP/VoLTE security system can cooperate with a 625 network firewall to realize VoIP/VoLTE security service. 626 Specifically, a network firewall performs the basic security check of 627 an unknown flow's packet observed by a switch. If the network 628 firewall detects that the packet is an unknown VoIP call flow's 629 packet that exhibits some suspicious patterns, then it triggers the 630 VoIP/VoLTE security system for more specialized security analysis of 631 the suspicious VoIP call packet. 633 The procedure of VoIP/VoLTE security operations in this system is as 634 follows: 636 1. A switch forwards an unknown flow's packet to the SDN Controller, 637 and the SDN Controller further forwards the unknown flow's packet 638 to the Firewall for basic security inspection. 640 2. The Firewall analyzes the header fields of the packet, and 641 figures out that this is an unknown VoIP call flow's signal 642 packet (e.g., SIP packet) of a suspicious pattern. 644 3. The Firewall triggers an appropriate security service function, 645 such as VoIP IPS, for detailed security analysis of the 646 suspicious signal packet. In order for this triggering of VoIP 647 IPS to be served, the suspicious packet is sent to the Service 648 Function Forwarder (SFF) that is usually a switch in an SDN 649 network, as shown in Figure 4. The SFF forwards the suspicious 650 signal packet to the VoIP IPS. 652 4. The VoIP IPS analyzes the headers and contents of the signal 653 packet, such as calling number and session description headers 654 [RFC4566]. 656 5. If, for example, the VoIP IPS regards the packet as a spoofed 657 packet by hackers or a scanning packet searching for VoIP/VoLTE 658 devices, it drops the packet. In addition, the VoIP IPS requests 659 the SDN Controller to block that packet and the subsequent 660 packets that have the same call-id. 662 6. The SDN Controller installs new rules (e.g., drop packets) into 663 underlying switches. 665 7. The malicious packets are dropped by these switches. 667 Existing SDN protocols can be used through standard interfaces 668 between the VoIP IPS application and switches [RFC7149][ITU-T.Y.3300] 669 [ONF-OpenFlow][ONF-SDN-Architecture]. 671 Legacy hardware based VoIP IPS has some challenges, such as 672 provisioning time, the granularity of security, expensive cost, and 673 the establishment of policy. The I2NSF framework can resolve the 674 challenges through the above centralized VoIP/VoLTE security system 675 based on SDN as follows: 677 o Provisioning: The provisioning time of setting up a legacy VoIP 678 IPS to network is substantial because it takes from some hours to 679 some days. By managing the network resources centrally, VoIP IPS 680 can provide more agility in provisioning both virtual and physical 681 network resources from a central location. 683 o The granularity of security: The security rules of a legacy VoIP 684 IPS are compounded considering the granularity of security. The 685 proposed framework can provide more granular security by 686 centralizing security control into a switch controller. The VoIP 687 IPS can effectively manage security rules throughout the network. 689 o Cost: The cost of adding VoIP IPS to network resources, such as 690 routers, gateways, and switches is substantial due to the reason 691 that we need to add VoIP IPS on each network resource. To solve 692 this, each network resource can be managed centrally such that a 693 single VoIP IPS is manipulated by a centralized server. 695 o The establishment of policy: Policy should be established for each 696 network resource. However, it is difficult to describe what flows 697 are permitted or denied for VoIP IPS within a specific 698 organization network under management. Thus, a centralized view 699 is helpful to determine security policies for such a network. 701 6.3. Attack Mitigation: Centralized DDoS-attack Mitigation System 703 A centralized DDoS-attack mitigation can manage each network resource 704 and configure rules to each switch for DDoS-attack mitigation (called 705 DDoS-attack Mitigator) on a common server. The centralized DDoS- 706 attack mitigation system defends servers against DDoS attacks outside 707 the private network, that is, from public networks. 709 Servers are categorized into stateless servers (e.g., DNS servers) 710 and stateful servers (e.g., web servers). For DDoS-attack 711 mitigation, the forwarding of traffic flows in switches can be 712 dynamically configured such that malicious traffic flows are handled 713 by the paths separated from normal traffic flows in order to minimize 714 the impact of those malicious traffic on the the servers. This flow 715 path separation can be done by a flow forwarding path management 716 scheme based on [AVANT-GUARD]. This management should consider the 717 load balance among the switches for the defense against DDoS attacks. 719 The procedure of DDoS-attack mitigation in this system is as follows: 721 1. A Switch periodically reports an inter-arrival pattern of a 722 flow's packets to one of the SDN Controllers. 724 2. The SDN Controller forwards the flow's inter-arrival pattern to 725 an appropriate security service application, such as DDoS-attack 726 Mitigator. 728 3. The DDoS-attack Mitigator analyzes the reported pattern for the 729 flow. 731 4. If the DDoS-attack Mitigator regards the pattern as a DDoS 732 attack, it computes a packet dropping probability corresponding 733 to suspiciousness level and reports this DDoS-attack flow to the 734 SDN Controller. 736 5. The SDN Controller installs new rules into switches (e.g., 737 forward packets with the suspicious inter-arrival pattern with a 738 dropping probability). 740 6. The suspicious flow's packets are randomly dropped by switches 741 with the dropping probability. 743 For the above centralized DDoS-attack mitigation system, the existing 744 SDN protocols can be used through standard interfaces between the 745 DDoS-attack mitigator application and switches [RFC7149] 746 [ITU-T.Y.3300][ONF-OpenFlow][ONF-SDN-Architecture]. 748 The centralized DDoS-attack mitigation system has challenges similar 749 to the centralized firewall system. The proposed framework can 750 resolve the challenges through the above centralized DDoS-attack 751 mitigation system based on SDN as follows: 753 o Cost: The cost of adding DDoS-attack mitigators to network 754 resources such as routers, gateways, and switches is substantial 755 due to the reason that we need to add DDoS-attack mitigator on 756 each network resource. To solve this, each network resource can 757 be managed centrally such that a single DDoS-attack mitigator is 758 manipulated by a centralized server. 760 o Performance: The performance of DDoS-attack mitigators is often 761 slower than the link speed of network interfaces. The checking of 762 DDoS attacks may reduce the performance of the network interfaces. 763 DDoS-attack mitigators can be adaptively deployed among network 764 switches, depending on network conditions in the framework. 766 o The management of network resources: Since there may be hundreds 767 of network resources in an administered network, the dynamic 768 management of network resources for performance (e.g., load 769 balancing) is a challenge for DDoS-attack mitigation. In the 770 framework, for dynamic network resource management, a flow 771 forwarding path management scheme can handle the load balancing of 772 network switches [AVANT-GUARD]. With this management scheme, the 773 current and near-future workload can be spread among the network 774 switches for DDoS-attack mitigation. In addition, DDoS-attack 775 mitigation rules can be dynamically added for new DDoS attacks. 777 o The establishment of policy: Policy should be established for each 778 network resource. However, it is difficult to describe what flows 779 are permitted or denied for new DDoS-attacks (e.g., DNS reflection 780 attack) within a specific organization network under management. 781 Thus, a centralized view is helpful to determine security policies 782 for such a network. 784 So far this section has described the procedure and impact of the 785 three use cases for network-based security services using the I2NSF 786 framework with SDN networks. To support these use cases in the 787 proposed data-driven security service framework, YANG data models 788 described in [consumer-facing-inf-dm], [nsf-facing-inf-dm], and 789 [registration-inf-dm] can be used as Consumer-Facing Interface, NSF- 790 Facing Interface, and Registration Interface, respectively, along 791 with RESTCONF [RFC8040] and NETCONF [RFC6241]. 793 +--------------------+ 794 +-------------------------------------------+ | ---------------- | 795 | I2NSF User (OSS/BSS) | | | NFV | | 796 +------+------------------------------------+ | | Orchestrator +-+ | 797 | Consumer-Facing Interface | -----+---------- | | 798 +------|------------------------------------+ | | | | 799 | -----+---------- (a) ----------------- | | ----+----- | | 800 | | Security +-------+ Developer's | | | | | | | 801 | |Controller(EM)| |Mgmt System(EM)| +-(b)-+ VNFM(s)| | | 802 | -----+---------- ----------------- | | | | | | 803 | | NSF-Facing Interface | | ----+----- | | 804 | ----+----- ----+----- ----+----- | | | | | 805 | |NSF(VNF)| |NSF(VNF)| |NSF(VNF)| | | | | | 806 | ----+----- ----+----- ----+----- | | | | | 807 | | | | | | | | | 808 +------|-------------|-------------|--------+ | | | | 809 | | | | | | | 810 +------+-------------+-------------+--------+ | | | | 811 | NFV Infrastructure (NFVI) | | | | | 812 | ----------- ----------- ----------- | | | | | 813 | | Virtual | | Virtual | | Virtual | | | | | | 814 | | Compute | | Storage | | Network | | | | | | 815 | ----------- ----------- ----------- | | ----+----- | | 816 | +---------------------------------------+ | | | | | | 817 | | Virtualization Layer | +-----+ VIM(s) +------+ | 818 | +---------------------------------------+ | | | | | 819 | +---------------------------------------+ | | ---------- | 820 | | ----------- ----------- ----------- | | | | 821 | | | Compute | | Storage | | Network | | | | | 822 | | | Hardware| | Hardware| | Hardware| | | | | 823 | | ----------- ----------- ----------- | | | | 824 | | Hardware Resources | | | NFV Management | 825 | +---------------------------------------+ | | and Orchestration | 826 | | | (MANO) | 827 +-------------------------------------------+ +--------------------+ 828 (a) = Registration Interface 829 (b) = Ve-Vnfm Interface 831 Figure 5: I2NSF Framework Implementation with respect to the NFV 832 Reference Architectural Framework 834 7. I2NSF Framework with NFV 836 This section discusses the implementation of the I2NSF framework 837 using Network Functions Virtualization (NFV). 839 NFV is a promising technology for improving the elasticity and 840 efficiency of network resource utilization. In NFV environments, 841 NSFs can be deployed in the forms of software-based virtual instances 842 rather than physical appliances. Virtualizing NSFs makes it possible 843 to rapidly and flexibly respond to the amount of service requests by 844 dynamically increasing or decreasing the number of NSF instances. 845 Moreover, NFV technology facilitates flexibly including or excluding 846 NSFs from multiple security solution vendors according to the changes 847 on security requirements. In order to take advantages of the NFV 848 technology, the I2NSF framework can be implemented on top of an NFV 849 infrastructure as show in Figure 5. 851 Figure 5 shows an I2NSF framework implementation based on the NFV 852 reference architecture that the European Telecommunications Standards 853 Institute (ETSI) defines [ETSI-NFV]. The NSFs are deployed as 854 virtual network functions (VNFs) in Figure 5. The Developer's 855 Management System (DMS) in the I2NSF framework is responsible for 856 registering capability information of NSFs into the Security 857 Controller. Those NSFs are created or removed by a virtual network 858 functions manager (VNFM) in the NFV architecture that performs the 859 life-cycle management of VNFs. The Security Controller controls and 860 monitors the configurations (e.g., function parameters and security 861 policy rules) of VNFs. Both the DMS and Security Controller can be 862 implemented as the Element Managements (EMs) in the NFV architecture. 863 Finally, the I2NSF User can be implemented as OSS/BSS (Operational 864 Support Systems/Business Support Systems) in the NFV architecture 865 that provides interfaces for users in the NFV system. 867 The operation procedure in the I2NSF framework based on the NFV 868 architecture is as follows: 870 1. The VNFM has a set of virtual machine (VM) images of NSFs, and 871 each VM image can be used to create an NSF instance that provides 872 a set of security capabilities. The DMS initially registers a 873 mapping table of the ID of each VM image and the set of 874 capabilities that can be provided by an NSF instance created from 875 the VM image into the Security Controller. 877 2. If the Security Controller does not have any instantiated NSF 878 that has the set of capabilities required to meet the security 879 requirements from users, it searches the mapping table 880 (registered by the DMS) for the VM image ID corresponding to the 881 required set of capabilities. 883 3. The Security Controller requests the DMS to instantiate an NSF 884 with the VM image ID via VNFM. 886 4. When receiving the instantiation request, the VNFM first asks the 887 NFV orchestrator for the permission required to create the NSF 888 instance, requests the VIM to allocate resources for the NSF 889 instance, and finally creates the NSF instance based on the 890 allocated resources. 892 5. Once the NSF instance has been created by the VNFM, the DMS 893 performs the initial configurations of the NSF instance and then 894 notifies the Security Controller of the NSF instance. 896 6. After being notified of the created NSF instance, the Security 897 Controller delivers low-level security policy rules to the NSF 898 instance for policy enforcement. 900 We can conclude that the I2NSF framework can be implemented based on 901 the NFV architecture framework. Note that the registration of the 902 capabilities of NSFs is performed through the Registration Interface 903 and the lifecycle management for NSFs (VNFs) is performed through the 904 Ve-Vnfm interface between the DMS and VNFM, as shown in Figure 5. 905 More details about the I2NSF framework based on the NFV reference 906 architecture are described in [i2nsf-nfv-architecture]. 908 8. Security Considerations 910 The same security considerations for the I2NSF framework [RFC8329] 911 are applicable to this document. 913 This document shares all the security issues of SDN that are 914 specified in the "Security Considerations" section of [ITU-T.Y.3300]. 916 9. Acknowledgments 918 This work was supported by Institute for Information & communications 919 Technology Promotion (IITP) grant funded by the Korea government 920 (MSIP) (No.R-20160222-002755, Cloud based Security Intelligence 921 Technology Development for the Customized Security Service 922 Provisioning). 924 This work has been partially supported by the European Commission 925 under Horizon 2020 grant agreement no. 700199 "Securing against 926 intruders and other threats through a NFV-enabled environment 927 (SHIELD)". This support does not imply endorsement. 929 10. Contributors 931 I2NSF is a group effort. I2NSF has had a number of contributing 932 authors. The following are considered co-authors: 934 o Hyoungshick Kim (Sungkyunkwan University) 936 o Jinyong Tim Kim (Sungkyunkwan University) 938 o Hyunsik Yang (Soongsil University) 940 o Younghan Kim (Soongsil University) 942 o Jung-Soo Park (ETRI) 944 o Se-Hui Lee (Korea Telecom) 946 o Mohamed Boucadair (Orange) 948 11. References 950 11.1. Normative References 952 [ETSI-NFV] 953 "Network Functions Virtualisation (NFV); Architectural 954 Framework", Available: 955 https://www.etsi.org/deliver/etsi_gs/ 956 nfv/001_099/002/01.01.01_60/gs_nfv002v010101p.pdf, October 957 2013. 959 [ITU-T.Y.3300] 960 "Framework of Software-Defined Networking", 961 Available: https://www.itu.int/rec/T-REC-Y.3300-201406-I, 962 June 2014. 964 [NFV-Terminology] 965 "Network Functions Virtualisation (NFV); Terminology for 966 Main Concepts in NFV", Available: 967 https://www.etsi.org/deliver/etsi_gs/ 968 NFV/001_099/003/01.02.01_60/gs_nfv003v010201p.pdf, 969 December 2014. 971 [ONF-OpenFlow] 972 "OpenFlow Switch Specification (Version 1.4.0)", 973 Available: https://www.opennetworking.org/wp- 974 content/uploads/2014/10/openflow-spec-v1.4.0.pdf, October 975 2013. 977 [ONF-SDN-Architecture] 978 "SDN Architecture (Issue 1.1)", Available: 979 https://www.opennetworking.org/wp- 980 content/uploads/2014/10/TR- 981 521_SDN_Architecture_issue_1.1.pdf, June 2016. 983 [RFC6020] Bjorklund, M., "YANG - A Data Modeling Language for the 984 Network Configuration Protocol (NETCONF)", RFC 6020, 985 October 2010. 987 [RFC6241] Enns, R., Bjorklund, M., Schoenwaelder, J., and A. 988 Bierman, "Network Configuration Protocol (NETCONF)", 989 RFC 6241, June 2011. 991 [RFC7149] Boucadair, M. and C. Jacquenet, "Software-Defined 992 Networking: A Perspective from within a Service Provider 993 Environment", RFC 7149, March 2014. 995 [RFC7665] Halpern, J. and C. Pignataro, "Service Function Chaining 996 (SFC) Architecture", RFC 7665, October 2015. 998 [RFC8040] Bierman, A., Bjorklund, M., and K. Watsen, "RESTCONF 999 Protocol", RFC 8040, January 2017. 1001 [RFC8192] Hares, S., Lopez, D., Zarny, M., Jacquenet, C., Kumar, R., 1002 and J. Jeong, "Interface to Network Security Functions 1003 (I2NSF): Problem Statement and Use Cases", RFC 8192, July 1004 2017. 1006 [RFC8300] Quinn, P., Elzur, U., and C. Pignataro, "Network Service 1007 Header (NSH)", RFC 8300, January 2018. 1009 [RFC8329] Lopez, D., Lopez, E., Dunbar, L., Strassner, J., and R. 1010 Kumar, "Framework for Interface to Network Security 1011 Functions", RFC 8329, February 2018. 1013 11.2. Informative References 1015 [AVANT-GUARD] 1016 Shin, S., Yegneswaran, V., Porras, P., and G. Gu, "AVANT- 1017 GUARD: Scalable and Vigilant Switch Flow Management in 1018 Software-Defined Networks", ACM CCS, November 2013. 1020 [consumer-facing-inf-dm] 1021 Jeong, J., Kim, E., Ahn, T., Kumar, R., and S. Hares, 1022 "I2NSF Consumer-Facing Interface YANG Data Model", draft- 1023 ietf-i2nsf-consumer-facing-interface-dm-03 (work in 1024 progress), March 2019. 1026 [ETSI-NFV-MANO] 1027 "Network Functions Virtualisation (NFV); Management and 1028 Orchestration", Available: 1029 https://www.etsi.org/deliver/etsi_gs/nfv- 1030 man/001_099/001/01.01.01_60/gs_nfv-man001v010101p.pdf, 1031 December 2014. 1033 [i2nsf-nfv-architecture] 1034 Yang, H., Kim, Y., Jeong, J., and J. Kim, "I2NSF on the 1035 NFV Reference Architecture", draft-yang-i2nsf-nfv- 1036 architecture-04 (work in progress), November 2018. 1038 [i2nsf-nsf-cap-im] 1039 Xia, L., Strassner, J., Basile, C., and D. Lopez, 1040 "Information Model of NSFs Capabilities", draft-ietf- 1041 i2nsf-capability-04 (work in progress), October 2018. 1043 [i2nsf-terminology] 1044 Hares, S., Strassner, J., Lopez, D., Xia, L., and H. 1045 Birkholz, "Interface to Network Security Functions (I2NSF) 1046 Terminology", draft-ietf-i2nsf-terminology-07 (work in 1047 progress), January 2019. 1049 [ITU-T.X.1252] 1050 "Baseline Identity Management Terms and Definitions", 1051 April 2010. 1053 [ITU-T.X.800] 1054 "Security Architecture for Open Systems Interconnection 1055 for CCITT Applications", March 1991. 1057 [nsf-facing-inf-dm] 1058 Kim, J., Jeong, J., Park, J., Hares, S., and Q. Lin, 1059 "I2NSF Network Security Function-Facing Interface YANG 1060 Data Model", draft-ietf-i2nsf-nsf-facing-interface-dm-03 1061 (work in progress), March 2019. 1063 [nsf-monitoring-dm] 1064 Jeong, J., Chung, C., Hares, S., Xia, L., and H. Birkholz, 1065 "A YANG Data Model for Monitoring I2NSF Network Security 1066 Functions", draft-ietf-i2nsf-nsf-monitoring-data-model-00 1067 (work in progress), March 2019. 1069 [nsf-triggered-steering] 1070 Hyun, S., Jeong, J., Park, J., and S. Hares, "Service 1071 Function Chaining-Enabled I2NSF Architecture", draft-hyun- 1072 i2nsf-nsf-triggered-steering-06 (work in progress), July 1073 2018. 1075 [opsawg-firewalls] 1076 Baker, F. and P. Hoffman, "On Firewalls in Internet 1077 Security", draft-ietf-opsawg-firewalls-01 (work in 1078 progress), October 2012. 1080 [policy-translation] 1081 Yang, J., Jeong, J., and J. Kim, "Security Policy 1082 Translation in Interface to Network Security Functions", 1083 draft-yang-i2nsf-security-policy-translation-03 (work in 1084 progress), March 2019. 1086 [registration-inf-dm] 1087 Hyun, S., Jeong, J., Roh, T., Wi, S., and J. Park, "I2NSF 1088 Registration Interface YANG Data Model", draft-ietf-i2nsf- 1089 registration-interface-dm-02 (work in progress), March 1090 2019. 1092 [RFC4566] Handley, M., Jacobson, V., and C. Perkins, "SDP: Session 1093 Description Protocol", RFC 4566, July 2006. 1095 [VNF-ONBOARDING] 1096 "VNF Onboarding", Available: 1097 https://wiki.opnfv.org/display/mano/VNF+Onboarding, 1098 November 2016. 1100 Appendix A. Changes from draft-ietf-i2nsf-applicability-08 1102 The following changes have been made from draft-ietf-i2nsf- 1103 applicability-08: 1105 o This version has reflected the additional comments from Eric 1106 Rescorla who is a Security Area Director as follows. 1108 o In Section 3, for a Developer's Management System, the problem of 1109 an inside attacker is addressed, and a possible solution for the 1110 inside attacks is suggested through I2NSF NSF monitoring 1111 functionality. Also, some restrictions on the role of the DMS are 1112 required to deal with the inside attacks. 1114 o In Section 4, an XML code for the time-dependent web access 1115 control is explained as an example. 1117 o In Section 6, the definitions of an SDN forwarding element and an 1118 NSF are clarified such that an SDN forwarding element is a switch 1119 running as either a hardware middle box or a software virtual 1120 switch, and an NSF is a virtual network function for a security 1121 service. It also discusses about how to determine whether a given 1122 software element in virtualized environments is an NSF or a 1123 virtualized switch. 1125 Authors' Addresses 1127 Jaehoon Paul Jeong 1128 Department of Software 1129 Sungkyunkwan University 1130 2066 Seobu-Ro, Jangan-Gu 1131 Suwon, Gyeonggi-Do 16419 1132 Republic of Korea 1134 Phone: +82 31 299 4957 1135 Fax: +82 31 290 7996 1136 EMail: pauljeong@skku.edu 1137 URI: http://iotlab.skku.edu/people-jaehoon-jeong.php 1138 Sangwon Hyun 1139 Department of Computer Engineering 1140 Chosun University 1141 309 Pilmun-daero, Dong-Gu 1142 Gwangju 61452 1143 Republic of Korea 1145 Phone: +82 62 230 7473 1146 EMail: shyun@chosun.ac.kr 1148 Tae-Jin Ahn 1149 Korea Telecom 1150 70 Yuseong-Ro, Yuseong-Gu 1151 Daejeon 305-811 1152 Republic of Korea 1154 Phone: +82 42 870 8409 1155 EMail: taejin.ahn@kt.com 1157 Susan Hares 1158 Huawei 1159 7453 Hickory Hill 1160 Saline, MI 48176 1161 USA 1163 Phone: +1-734-604-0332 1164 EMail: shares@ndzh.com 1166 Diego R. Lopez 1167 Telefonica I+D 1168 Jose Manuel Lara, 9 1169 Seville 41013 1170 Spain 1172 Phone: +34 682 051 091 1173 EMail: diego.r.lopez@telefonica.com