Hi I2NSF WG,
There will be a side meeting for I2NSF WG's next steps from 6PM to 7PM
today at Bras Basah.
https://datatracker.ietf.org/meeting/106/floor-plan?room=bras-basah#raffles-city-convention-center
* Agenda for I2NSF Side Meeting
- I2NSF Hackathon Project Report (Jaehoon Paul Jeong, 5 min)
- I2NSF Data Model Drafts Update (Jaehoon Paul Jeong, 10 min)
. I2NSF Capability YANG Data Model
. I2NSF Consumer-Facing Interface YANG Data Model
. I2NSF Network Security Function-Facing Interface YANG Data Model
. I2NSF Registration Interface YANG Data Model
. I2NSF NSF Monitoring YANG Data Model
- Security Policy Translator Draft Update (Chaehong Chung, 5 min)
- Open Discussion: Possible Work Items for I2NSF Rechartering (30 min)
I will report the progress of data model drafts.
I would like to discuss the rechartering of I2NSF WG with you.
I suggest four work items as the 2nd phase I2NSF.
1. YANG data model of the interface between I2NSF Security Controller and
SDN Switch Controller
2. YANG data model of the interface between I2NSF Security Controller and
SFC Classifier
3. Configuration of Advanced Security Functions with I2NSF Security
Controller
4. Policy Object for Interface to Network Security Functions (I2NSF)
Let me explain why each of them is important for I2NSF.
1. YANG data model of the interface between I2NSF Security Controller and
SDN Switch Controller
According to the I2NSF Applicability Draft and I2NSF Hackathon Project,
the SDN switches can perform simple packet filtering and the firewall NSF
can perform complicated packet filtering.
For this two separated packet filtering, the security policy about a
traffic flow should be delivered to an SDN Switch Controller.
For the delivery of a security policy to the SDN network, the interface
between the I2NSF Security Controller and
the SDN Switch Controller is needed.
2. YANG data model of the interface between I2NSF Security Controller and
SFC Classifier
According to the I2NSF Applicability Draft and I2NSF Hackathon Project,
a security policy (e.g., time-based web filtering) requires a Service
Function Chaining (SFC) such as
firewall and web filter.
For this SFC path specification of a security policy, a security about a
traffic flow should be delivered to an SFC Classifier.
For the delivery of a security policy to specify the service function path
in the SFC Classifier, the interface between
the I2NSF Security Controller and the SFC Classifier is needed.
3. Configuration of Advanced Security Functions with I2NSF Security
Controller
(https://tools.ietf.org/html/draft-dong-i2nsf-asf-config-01)
With the current NSF-Facing Interface, we can configure basic security
functions, such as firewall, deep packet inspection, and
DDoS attack mitigator. For rich network security functions, the YANG data
model of advanced security services needs to be
developed.
4. Policy Object for Interface to Network Security Functions (I2NSF)
(https://tools.ietf.org/html/draft-xia-i2nsf-security-policy-object-01)
Policy objects for I2NSF security policy rules can provide the I2NSF system
with reusability for security policy construction
by defining essential attributes for each policy object. This will be
useful for security policy rule generation in the I2NSF system.
Welcome your feedback.
Thanks.
Best Regards,
Paul
_______________________________________________
I2nsf mailing list
I2nsf@ietf.org
https://www.ietf.org/mailman/listinfo/i2nsf
