Internet DRAFT - draft-qi-i2nsf-access-network-usecase

draft-qi-i2nsf-access-network-usecase



 



Internet Engineering Task Force                                  K. Wang
Internet-Draft                                                 X. Zhuang
Intended status: Informational                              China Mobile
Expires: September 7, 2015                                 March 6, 2015


            Integrated Security with Access Network Use Case
                draft-qi-i2nsf-access-network-usecase-02

Abstract

   In traditional telecommunication system, operators usually provide
   general and limited security protection service for users during
   access (e.g. AKA in 3G/4G network). Now, with the development of
   network virtualization technology and data center, physical network
   devices can be replaced by network function softwares which are
   running on virtual machines and the network function can be flexible
   and elastic. Operators can provide users with more security services.
   So this interfaces between operator's network and users are highly
   desired.  These interfaces will be used to request/achieve (Virtual)
   Network Security Functions from operator's network. This draft
   describes use cases for using the interface in operator's network
   environment.

Status of This Memo

   This Internet-Draft is submitted in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF).  Note that other groups may also distribute
   working documents as Internet-Drafts.  The list of current Internet-
   Drafts is at http://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   This Internet-Draft will expire on August 31, 2015.

Copyright Notice

   Copyright (c) 2014 IETF Trust and the persons identified as the
   document authors.  All rights reserved.



 


Wang &Zhuang &Qi       Expires September 7, 2015                [Page 1]

Internet-Draft          Access Network Use Case            February 2015


   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (http://trustee.ietf.org/license-info) in effect on the date of
   publication of this document.  Please review these documents
   carefully, as they describe your rights and restrictions with respect
   to this document.  Code Components extracted from this document must
   include Simplified BSD License text as described in Section 4.e of
   the Trust Legal Provisions and are provided without warranty as
   described in the Simplified BSD License.



Table of Contents

   1.  Introduction . . . . . . . . . . . . . . . . . . . . . . . . .  2
   2.  Conventions used in this document  . . . . . . . . . . . . . .  3
   3.  Use case summary . . . . . . . . . . . . . . . . . . . . . . .  3
   4.  Use case for Instantiation and Configuration of Security
       Service Function . . . . . . . . . . . . . . . . . . . . . . .  5
   5.  Use case for Updating Security Service Function  . . . . . . .  5
   6.  Use case for Collecting and Feedback of Status of Security
       Service Function . . . . . . . . . . . . . . . . . . . . . . .  5
   7.  The Benefits . . . . . . . . . . . . . . . . . . . . . . . . .  6
   8.  IANA Considerations  . . . . . . . . . . . . . . . . . . . . .  6
   9.  Informative References . . . . . . . . . . . . . . . . . . . .  6
   Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . .  6




1.  Introduction

   This draft is a revised version of draft-qi-i2nsf-access-network-
   usecase and refines the original use cases. In draft-qi-i2nsf-access-
   network-usecase, an interface between UE and network was described
   while this draft describes two interfaces.Users can use client to
   achieve security service of operator via these interfaces. The user
   can be an enterprise, an enterprise user, administrator of operator
   and so on. The revisions details as below: 1.For original use case-
   Interface about sending security configuration information from
   network to UE: All examples have been deleted and network did not
   send configuration information to UE via interface. Instead Users
   will send security service requests to security controller to
   configure NSF(s). 2.For original use case-Interface about optional
   security function negotiation between    Network and UE: All examples
   have been deleted and there is no security function negotiation
   between network and UE. Instead Users will send security service
   request to security controller to configure NSF(s). 3.For original
 


Wang &Zhuang &Qi       Expires September 7, 2015                [Page 2]

Internet-Draft          Access Network Use Case            February 2015


   use case-UE proposed security request to the network: The original
   interactions between user and network will be more concrete. For
   example, the original interaction between user and specific network
   element will be revised into interaction between user's client and
   security controller. The interaction between specific network element
   and security function settings will be described in detail. 4.For
   original section of Abstraction and The Benefits: Corresponding
   modifications have been made to match revised use cases better.

2.  Conventions used in this document

   The section clarifies the intended meaning of specific terms used
   within this document.

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
   document are to be interpreted as described in [RFC2119].

   In this document, these words will appear with that interpretation
   only when in ALL CAPS.  Lower case uses of these words are not to be
   interpreted as carrying [RFC2119] significance.

3.  Use case summary

   This draft describes use cases of users (e.g. enterprise user,
   operator's administrator and so on) using operators' flexible
   security services. For example, a user can request a security service
   through a client (e.g. APP, BSS/OSS, OAM etc.).An operator's network
   entity(e.g. gateway) can invoke (v)NSF(s) according to user's service
   request. In order to make the description more clear, we call
   operator's network entity as security controller. The interaction
   between entities above(i.e. client, security controller, NSF) can be
   showed as below: 

                       +----------+
+-------+              |          |                  +-------+
|       |  Interface 1 |Security  |   Interface 2    | NSF(s)|
|Client <-------------->          <------------------>       |
|       |              |Controller|                  |       |
+-------+              |          |                  +-------+
                       +----------+
            Figure 1. Interaction between Entities

   Interface 1 is used for receiving security requirements from client
   and translating them into commands that NSF(s) can understand and
   execute. Moreover, it is also responsible for giving feedback of
   NSFs' security statistics to client.Interface 2 is used for
   interacting with NSFs according to commands. Moreover, it is also
 


Wang &Zhuang &Qi       Expires September 7, 2015                [Page 3]

Internet-Draft          Access Network Use Case            February 2015


   responsible for receiving the results of commands from NSFs.NSF
   mentioned in this draft includes virtualized NSF and physical NSF.

4.  Use case for Instantiation and Configuration of Security Service
   Function

   Client sends collected security requirements through interface 1 to
   the security controller in operator's network which then translates
   them into a security function or a set of security functions then the
   corresponding NSFs are instantiated and configured through interface
   2.For example, an enterprise user A is a tenant of operator data
   center and wants to filter all TCP data packets flowing to A's
   network. Such a requirement is sent from client to security
   controller through interface 1. The security controller translates
   the requirement into a firewall function and then instantiates a
   firewall NSF through interface 2. The corresponding filter rule is
   also configured onto this firewall NSF.

5.  Use case for Updating Security Service Function

   User can use client to update security service function, including
   adding/deleting a security service function and updating
   configurations at former security service function. For example,a
   user who has instantiated a security service before wants to enable
   an IDS service additionally, this requirement will be sent to
   security controller through interface 1 and be translated and then
   security controller instantiates and configures an IDS NSF through
   interface 2. Another example is that if the user A mentioned in use
   case 1 wants to filter all UDP packets besides TCP packets, client
   sends this requirement to security controller through interface 1 and
   then security controller configures translated requirement onto the
   former firewall NSF.

6.  Use case for Collecting and Feedback of Status of Security Service
   Function

   When users want to get the executing status of security service, they
   can request the status statistics information of NSF(s) from client.
   Security controller can collect NSFs' status statistics information
   through interface 2 and give feedback to client through interface 1,
   which is helpful for user analyzing or updating security
   requirements. Users can collect status statistics information of
   NSF(s) related to their security service and can also be authorized
   to collect all NSFs' status statistics information for the analysis
   of big data for network security like the overall security status of
   the network in operator's data center.

7.  The Benefits
 


Wang &Zhuang &Qi       Expires September 7, 2015                [Page 4]

Internet-Draft          Access Network Use Case            February 2015


   There are numerous benefits by defining such interfaces. Operators
   could provide more flexible and customized security services for
   specific users and this would provide more efficient and secure
   protection to each user.

8.  IANA Considerations

   TBD

9.  Informative References

   [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
              Requirement Levels", BCP 14, RFC 2119, March 1997.

Authors' Addresses

   Ke Wang
   China Mobile
   32 Xuanwumenxi Ave,Xicheng District
   Beijing  100053
   China

   Email: wangkeyj@chinamobile.com


   Xiaojun Zhuang
   China Mobile
   32 Xuanwumenxi Ave, Xicheng District
   Beijing  100053
   China

   Email: zhuangxiaojun@chinamobile.com

   Minpeng Qi
   China Mobile
   32 Xuanwumenxi Ave,Xicheng District
   Beijing  100053
   China

   Email: qiminpeng@chinamobile.com











Wang &Zhuang &Qi       Expires September 7, 2015                [Page 5]