Internet DRAFT - draft-xia-i2nsf-capability-interface-im

draft-xia-i2nsf-capability-interface-im



I2NSF                                                          L. Xia
Internet Draft                                                 Huawei
Intended status: Standard Track                              D. Zhang
                                                              Alibaba
                                                             E. Lopez
                                                             Fortinet
                                                          N. BOUTHORS
                                                               Qosmos
                                                          Luyuan Fang
                                                            Microsoft

Expires: September 2016                                 March 21, 2016


        Information Model of Interface to Network Security Functions
                           Capability Interface
              draft-xia-i2nsf-capability-interface-im-05.txt


Status of this Memo

   This Internet-Draft is submitted in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF), its areas, and its working groups.  Note that
   other groups may also distribute working documents as Internet-
   Drafts.

   Internet-Drafts are draft documents valid for a maximum of six
   months and may be updated, replaced, or obsoleted by other documents
   at any time.  It is inappropriate to use Internet-Drafts as
   reference material or to cite them other than as "work in progress."

   The list of current Internet-Drafts can be accessed at
   http://www.ietf.org/ietf/1id-abstracts.txt

   The list of Internet-Draft Shadow Directories can be accessed at
   http://www.ietf.org/shadow.html

   This Internet-Draft will expire on September 21,2016.

Copyright Notice

   Copyright (c) 2015 IETF Trust and the persons identified as the
   document authors. All rights reserved.





Xia, et al.          Expires September 21, 2016               [Page 1]

Internet-Draft      I2NSF Capability Interface IM           March 2016


   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (http://trustee.ietf.org/license-info) in effect on the date of
   publication of this document. Please review these documents
   carefully, as they describe your rights and restrictions with
   respect to this document. Code Components extracted from this
   document must include Simplified BSD License text as described in
   Section 4.e of the Trust Legal Provisions and are provided without
   warranty as described in the Simplified BSD License.

Abstract

   This draft is focused on the capability interface of NSFs (Network
   Security Functions) and proposes its information model for
   controlling the various network security functions.

Table of Contents


   1. Introduction ................................................ 2
   2. Conventions used in this document ........................... 3
      2.1. Terminology ............................................ 4
   3. Overall Analysis of Security Capability ..................... 5
      3.1. Network Security Control ............................... 5
      3.2. Content Security Control ............................... 7
      3.3. Attack Mitigation Control .............................. 9
   4. Information Model Design .................................... 9
      4.1. Overall Structure ...................................... 9
      4.2. Information Model for Network Security Control ........ 10
      4.3. Information Model for Content Security Control ........ 17
      4.4. Information Model for Attack Mitigation Control ....... 18
   5. IM Grammar of Security Policy .............................. 19
   6. Security Considerations .................................... 22
   7. IANA Considerations ........................................ 22
   8. References ................................................. 23
      8.1. Normative References .................................. 23
      8.2. Informative References ................................ 23
   9. Acknowledgments ............................................ 23

 1. Introduction

   As with the rapid development and the more deployment of cloud
   computing, the demand of cloud-based security services is also
   rapidly growing. Such services can provide security protection in
   various scenarios, e.g., network devices in an enterprise network,
   User Equipments (UE) of mobile network, Internet of Things (IoT), or



Xia, et al.          Expires September 21, 2016               [Page 2]

Internet-Draft      I2NSF Capability Interface IM           March 2016


   residential access users [I-D.draft-ietf-i2nsf-problem-and-use-
   cases].

   According to [I-D.draft-merged-i2nsf-framework], there are two types
   of I2NSF interfaces for security rules provisioning:

   o Interface between I2NSF clients with security controller: [I-
      D.xia-i2nsf-service-interface-DM] describes the information model
      used by this type of interface. This is a service-oriented
      interface, the main objective is to unify the communication
      channel and the security service request information model
      between various high-level application (e.g., openstack, or
      various BSS/OSS) with various security controllers. The design
      goal of the service interface is to decouple the security service
      in the application layer from various kinds of security devices
      and their device-level security functions. A feasible model may
      be the intent-based information model approach derived from RBAC;

   o Interface between NSFs (e.g., FW, AAA, IPS, Anti-DDOS, WAF, or
      Anti-Virus) with security controller, no matter whether the NSFs
      are run in Virtual Machines (VMs) or physical appliances. In this
      document, this type of interface is also referred to as
      "capability interface". Any network entities (e.g., I2NSF client,
      or network/security controller) control and monitor the NSFs via
      this interface. Nowadays, different NSF vendors have different
      interfaces and information models for the security functions
      management.

   In principle, the capability interface is used to decouple the up-
   layer security management scheme and the NSFs, and through the
   interface, a NSF can show its security functions to its controller.
   The information model proposed in this draft is only about of
   controlling part of the capability interface, and the monitoring
   part is out of scope.

   This document is organized as follows: Section 3 is an analysis of
   security capability for I2NSF interface. Section 4 presents the
   detailed structure and content of the information model. Section 4
   specifies the information model of security policy in Routing
   Backus-Naur Form [RFC5511].

 2. Conventions used in this document

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
   document are to be interpreted as described in RFC-2119 [RFC2119].



Xia, et al.          Expires September 21, 2016               [Page 3]

Internet-Draft      I2NSF Capability Interface IM           March 2016


   This document references to [I-D.draft-hares-i2nsf-terminology] for
   more specific security related and I2NSF scoped terminology
   definitions.

  2.1. Terminology

  AAA -Access control, Authorization, Authentication

  ACL - Access Control List

  AD - Active Directory

  ANSI - American National Standards Institute

  DDoS - Distributed Deny of Services

  FW - Firewall

  I2NSF - Interface to Network Security Functions

  INCITS - International Committee for Information Technology
Standards

  IoT - Internet of Things

  IPS - Intrusion Prevention System

  LDAP - Lightweight Directory Access Protocol

  NAT - Network Address Translation

  NBI - North-bound Interface

  NIST - National Institute of Standard Technology

  NSF - Network Security Function

  RBAC - Role Based Access Control

  UE - User Equipment

  URL - Uniform/Universal Resource Locator

  VM - Virtual Machine

  WAF - Web Application Firewall



Xia, et al.          Expires September 21, 2016               [Page 4]

Internet-Draft      I2NSF Capability Interface IM           March 2016


 3. Overall Analysis of Security Capability

   At present, a variety of NSFs produced by multiple security vendors
   provide various security capabilities to customers. Logically, no
   matter these security capabilities are carried out in VMs or in
   physical appliance, multiple NSFs can be combined together as a
   whole to provide security services over the given network traffic.

   Most of today's security capabilities can fall into several
   categories according to their basic functionalities: network
   security control, content security control, attack mitigation
   control. Each category further covers more specific security
   capabilities, which are described below.

  3.1. Network Security Control

   Network security control is a category with only one security
   capability which has the security function very similar as network
   firewall. Its main function is inspecting and processing the network
   traffic traversing network based on predefined security policies.

   With respect to the inspecting part, this security capability is
   abstractly a packet-processing engine that inspects packets
   traversing networks, either directly or in context to flows to which
   the packet is associated. Considering from the perspective of
   packet-processing, the implementations of it differ in the depths of
   packet headers and/or payloads they can inspect, the various flow
   and context states they can maintain, and the actions they can apply.
   Therefore, it can be characterized by the level of packet-processing
   and context that it can support, and the actions that it can apply,
   so does its policy design paradigm.

   By referencing to [I-D.draft-merged-i2nsf-framework], the "Event-
   Condition-Action" (ECA) policy ruleset is used here as the basis for
   the security rule design as follows:

   o Event: An Event is defined as any important occurrence in time of
      a change in the system being managed, and/or in the environment
      of the system being managed. When used in the context of policy
      rules for a flow-based NSF, it is used to determine whether the
      Condition clause of the Policy Rule can be evaluated or not.
      Examples of an I2NSF Event include time and user actions (e.g.
      logon, logoff, and actions that violate any ACL.);






Xia, et al.          Expires September 21, 2016               [Page 5]

Internet-Draft      I2NSF Capability Interface IM           March 2016


   o Condition: A set of attributes, features, and/or values that are
      to be compared with a set of known attributes, features, and/or
      values in order to make a decision. When used in the context of
      policy rules for flow-based NSFs, it is used to determine whether
      or not the set of Actions in that Policy Rule can be executed or
      not. The following contents (which are not exhausted) of the
      received packets can be used in the Condition:

        - Packet content values: Refer to the kind of information or
          attributes acquired directly from the packet headers or
          payloads that can be used in the security policy directly. It
          can be any fields or attributes in the packet L2/L3/L4 header,
          or special segment of bytes in the packet payload;

        - Context values: Refer to the context information for the
          received packets. It can be (and not limited to):

             * User: The user (or user group) information to which
               network flow is associated: User has many attributes
               such as name, id, password, type, authentication mode
               and so on. Name/id is often used in the security policy
               to identify the user. Besides, NSF is aware of the IP
               address of the user provided by unified user management
               system via network. Based on name-address association,
               NSF is able to enforce the security functions over the
               given user (or user group);

             * Schedule: Time or time range when network flow happens;

             * Region: The location where network traffic is associated
               with. The region can be the geographic location such as
               country, province, and city as well, as well as the
               logical network location such as IP address, network
               section and network domain;

             * Target: Under the circumstances of network, it mainly
               refers to the service, application and device. A service
               is an application identified by a protocol type and port
               number, such as TCP, UDP, ICMP and IP. An application is
               a computer program for a specific task or purpose. It
               provides a finer granularity than service in matching
               traffic. The attributes that can identify a device
               include type (i.e., router, switch, pc, ios, or android)
               and the device's owner as well;





Xia, et al.          Expires September 21, 2016               [Page 6]

Internet-Draft      I2NSF Capability Interface IM           March 2016


             * State: It refers to various states to which the network
               flow is associated. It can be either the TCP session
               state (i.e., new, established, related, invalid, or
               untracked), the session AAA state or the access mode of
               the devices (i.e., wire, wireless, or vpn);

             * Direction: the direction of the network flow.

   o Action: The flow-based NSFs realize the security functions by
      executing various Actions, which at least includes:

        - Ingress actions, such as pass, drop, mirroring, etc;

        - Egress actions, such as invoke signaling, tunnel
          encapsulation, packet forwarding and/or transformation;

        - Applying a specific Functional Profile or signature - e.g.,
          an IPS Profile, a signature file, an anti-virus file, or a
          URL filtering file. The functional profile or signature file
          corresponds to the security capability for the content
          security control and attack mitigation control which will be
          described afterwards. It is one of the key properties that
          determine the effectiveness of the NSF, and is mostly vendor-
          specific today. One goal of I2NSF is to standardize the form
          and functional interface of those security capabilities while
          supporting vendor-specific implementations of each.

   The above ECA ruleset is very general and easily extensible, thus
   can avoid any potential constraints which could limit the
   implementation of the network security control capability.

  3.2. Content Security Control

   Content security control is another category of security
   capabilities applied to application layer. Through detecting the
   contents carried over the traffic in application layer, these
   capabilities can realize various security purposes, such as
   defending against intrusion, inspecting virus, filtering malicious
   URL or junk email, blocking illegal web access or data retrieve.

   Generally, each type of threat in application layer has its unique
   characteristic and requires to be handled with the unique method
   accordingly, which can be a logically independent security
   capability. Since there are a large number of types of threats in
   the application layer, as well as the new type of threat occurs
   quickly, there will also be a large number of security capabilities.



Xia, et al.          Expires September 21, 2016               [Page 7]

Internet-Draft      I2NSF Capability Interface IM           March 2016


   Therefore, some basic principles for security capabilities'
   management and utilization need to be considered:

   o Flexibility: each security capability should be an independent
      function, with minimum overlap or dependency to other
      capabilities. By this atomic style design, the security
      capabilities can be utilized and assembled together freely, and
      changes of one capability will not influence others;

   o High abstraction: through the high level of abstraction and
      consolidation, each capability should have a unified interface to
      make it programmable, or report its processing result and the
      statistics information. Furthermore, it facilitates the
      intercommunication between multi-vendors;

   o Scalability: The system must have the capability of scale up/down
      or scale in/out. Thus it can meet various performance
      requirements derived from the rapid changeable network traffic or
      service request. In addition, the security capability must
      support the statistics reporting to the security controller to
      assist its decision on whether it needs to be scale up or not;

   o Automation: it includes the features of auto-discovery, auto-
      negotiation, and automatic update. These features are especially
      useful for the management of a large number of NSFs.

   Based on the above principles, a set of abstract and vendor-neutral
   capabilities with standard interface is needed. The security
   controller can have a common capabilities base to choose the
   appropriate NSFs (by different vendors), as well as customize each
   NSF's detailed function by setting the interface parameters, to meet
   the requirements requested by clients. The security controller does
   not need to be aware of any detailed implementation of each
   capability which each vendor differs. This category of security
   capability is more like a black box compared with the network
   security control.

   Furthermore, when an unknown threat (e.g., zero-day exploits,
   unknown malwares, and APTs) is reported by a network security device,
   new capability may be created, or existing capability may need to
   update its intelligence (e.g., signature, and algorithm), to enable
   the NSF to acquire the new capability to handle the threat. The new
   capability and intelligence are provided from different vendors
   after their analysis on the new threats, and may be sent and stored
   in a centralized repository or stored separately in their local
   repository. In any case, a standard interface is needed during this
   automated update process.


Xia, et al.          Expires September 21, 2016               [Page 8]

Internet-Draft      I2NSF Capability Interface IM           March 2016


  3.3. Attack Mitigation Control

   This category of security capabilities is specially used to detect
   and mitigate various types of network attacks. Today's common
   network attacks are mainly classified into the following sets, and
   each set further consists of a number of specific attacks:

   o DDoS attacks:

        - Network layer DDoS attacks: SYN flood, UDP flood, ICMP flood,
          IP fragment flood, IPv6 Routing header attack, and IPv6
          duplicate address detection attack, etc

        - Application layer DDoS attacks: http flood, https flood, dns
          flood, dns amplification, ssl DDoS, etc

   o Single-packet attack:

        - Scanning and sniffing attacks: IP sweep, port scanning, etc

        - malformed packet attacks: Ping of Death, Teardrop, etc

        - special packet attacks: Oversized ICMP, Tracert, IP timestamp
          option packets, etc

   Each type of network attack has its own network behaviors and
   packet/flow characteristics. It therefore needs a special security
   capability for detection and mitigation.

   Overall, the implementation and management of this category of
   security capabilities of attack mitigation control is very similar
   to content security control. A standard interface is essential here
   through which the security controller can choose and customize the
   given security capabilities according to specific requirements.

 4. Information Model Design

  4.1. Overall Structure

   The I2NSF capability interface is in charge of controlling and
   monitoring the NSFs. Based on the analysis above, the controlling
   part of its information model should at least consist of three
   blocks: network security control, content security control and
   attack mitigation control. It's noted that the capability interface
   only cares about the specific security capabilities rather than to
   which type of device that the NSF belongs. That is, it is assume
   that the user of the capability interface does not care about


Xia, et al.          Expires September 21, 2016               [Page 9]

Internet-Draft      I2NSF Capability Interface IM           March 2016


   whether the network entity it is communicating with is a firewall or
   an IPS. Instead, the user cares about the capability that it has,
   such as packet filtering or deep packet inspection. The Overall
   structure is illustrated in the figure below:

    +---------------------------------------------------------------+
    |                                                               |
    |                                                               |
    |  +-------------+       +-------------+       +-------------+  |
    |  |             |       |             |       |             |  |
    |  | Content     | call  | Network     | call  | Attack      |  |
    |  | security    <-------+ security    +-------> mitigation  |  |
    |  | control     |       | control     |       | control     |  |
    |  |             |       |             |       |             |  |
    |  |             |       |             |       |             |  |
    |  +-------------+       +-------------+       +-------------+  |
    |                                                               |
    |                                                               |
    |                                                               |
    |             Information model for I2NSF capability interface  |
    +---------------------------------------------------------------+
       Figure 1. The overall structure of information model for I2NSF
                           Capability Interface

   As illustrated in Figure 1, the network security control is the key
   block of the whole system. It usually runs at the first step to
   handle traffic (i.e., packet/flow detection and filtering, etc) over
   the network layer. In the extreme condition, the system can still
   work without this block, which means network security control is not
   needed under that condition.

   The other two blocks are both composed of a number of specific
   security capabilities, which are enforced either statically
   according to fixed configuration or dynamically over some given
   traffic based on the detecting results of network security control.
   The two enforcement ways have difference in the information model.

   The more detailed descriptions of information model for each block
   are given in the following sections.

  4.2. Information Model for Network Security Control

   The information model for network security control specifies the
   content and structure of a rule. A rule is complied with by the NSFs
   when they handle the network traffic over network layer. Its basic
   structure is shown in the following figure:



Xia, et al.          Expires September 21, 2016              [Page 10]

Internet-Draft      I2NSF Capability Interface IM           March 2016



                                         +--------+
                                      +-->Time    |
                          +---------+ |  |events  |
                        +->  Event  +-+  +--------+
                        | +---------+ |  +-------+
                        |             |  |User   |
                        |             +-->actions|
                        |             |  +-------+  +-----------+
                                      |   *         |L2/L3/L4   |
                                      +-->*       +->packet     |
                        |                 *       | |header     |
                        |               +-------+ | +-----------+
                        |               |Packet | | +---------+
                        |             +->content|-+-> Packet  |
                        |             | |values |   | payload |
                        |             | +-------+   +---------+
                        |             |
                        |             |             +----------+
                        |             |           +->  User    |
                        |             |           | +----------+
                        | +---------+ |           | +----------+
                +----+  +->Condition|-+           +-> Schedule |
                |    |  | +---------+ |           | +----------+
             +-->Rule|  |             |           | +---------+
             |  |    |  |             | +-------+ +-> Region  |
             |  +----+  |             | |Context| | +---------+
             |          |             +->values +-+ +---------+
             |    *     |               |       | +-> Target  |
             |    *     |               +-------+ | +---------+
             |    *     |                         | +---------+
             |          |                         +-> State   |
             |          |                         | +---------+
   +------+  |  +----+  |                         | +-----------+
   |      |  |  |    |  |                         +-> Direction |
   |Policy+--+-->Rule+--+                           +-----------+
   |      |  |  |    |  |
   +------+  |  +----+  |                            +-------+
             |          |                          +->Permit |
             |    *     |                          | +-------+
             |    *     |               +--------+ | +-------+
             |    *     |             +->Ingress +-+-> Deny  |
             |          |             | |actions | | +-------+
             |          |             | +--------+ | +-------+
             |          |             |            +-> Mirror|
             |          |             |            | +-------+
             |          |             |            |   *


Xia, et al.          Expires September 21, 2016              [Page 11]

Internet-Draft      I2NSF Capability Interface IM           March 2016


             |          |             |            +-> *
             |  +----+  |             |                *
             |  |    |  | +---------+ |              +---------+
             +-->Rule|  +-> Action  +-+            +->Invoke   |
                |    |    +---------+ |            | |signaling|
                +----+                | +--------+   +---------+
                                      | |Egress  | | +-------------+
                                      +->actions +-+->Tunnel       |
                                      | +--------+ | |encapsulation|
                                      |            | +-------------+
                                      |            | +----------+
                                      |            +->Forwarding|
                                      |            | +----------+
                                      |            |   *
                                      |            +-> *
                                      |                *
                                      |                  +----------+
                                      |                +->Antivirus:|
                                      |                | |profile   |
                                      |                | +----------+
                                      |                | +---------+
                                      |                +->  IPS:   |
                                      |                | |signature|
                                      |                | +---------+
                                      |                | +----------+
                                      | +------------+ | | URL      |
                                      +->Other       +-+->Filtering:|
                                        |security    | | |data base |
                                        |capabilities| | +----------+
                                        +------------+ | +----------+
                                                       | |  File    |
                                                       +->Blocking: |
                                                       | |profile   |
                                                       | +----------+
                                                       | +----------+
                                                       | |  Data    |
                                                       +->Filtering:|
                                                       | |profile   |
                                                       | +----------+
                                                       |   *
                                                       +-> *
                                                           *
       Figure 2. The basic structure of information model for network
                             security control

   As illustrated in Figure 2, at the top level, policy is a container
   including a set of security rules according to certain logic, i.e.,


Xia, et al.          Expires September 21, 2016              [Page 12]

Internet-Draft      I2NSF Capability Interface IM           March 2016


   their similarity or mutual relations, etc. The network security
   policy is able to apply over both the unidirectional and
   bidirectional traffic across the NSF.

   Each rule represents some specific security requirements or actions
   with the ECA model.

   An example of an I2NSF Policy Rule is, in pseudo-code:

            IF <event-clause> is TRUE

               IF <condition-clause> is TRUE

                  THEN execute <action-clause>

               END-IF

            END-IF

   In the above example, the Event, Condition, and Action portions of a
   Policy Rule are all **Boolean Clauses**.

   In summary, the detailed variable definitions of all event clauses
   and condition clauses are as follows:

   o Time event: TBD;

   o User actions event: user related actions such as login, logoff,
      etc;

   o L2/L3/L4 Packet header: all meaningful and useful attributes in
      L2/L3/L4 packet header, for example: src/dest address, or
      src/dest port;

   o Packet payload: any segment of bytes in the packet payload;

   o User: The user is a person who is authorized to access network
      resources. A user can be an internet access user who accesses
      Internet resources or intranet resources from inside the intranet
      through a FW, or a remote access user who connects to a FW in VPN,
      or PPPoE mode to access intranet resources. The NSFs need to know
      the IP address or other information (i.e., user's tenant or VN-ID)
      of the user to identify the user's traffic and perform the pre-
      defined actions. It can also define a group of users to match and
      perform actions to them together;




Xia, et al.          Expires September 21, 2016              [Page 13]

Internet-Draft      I2NSF Capability Interface IM           March 2016


   o Schedule: A schedule defines time range. A rule can reference a
      schedule to filter traffic that passes through the NSF within the
      schedule. A schedule can be a periodic schedule, or a one-time
      schedule;

   o Region: The location information of the user traffic. The logical
      definition of the location can be pre-defined in the location
      signature database by the geographical information, or be
      manually defined by the user's IP information.

   o Target:

        - Service: A service is an application identified by a protocol
          type and port number. It can be a service or a group of
          services. The network security control matches the service
          traffics based on the protocol types and port numbers and
          applies the security actions to them;

        - Application: An application is a computer program for a
          specific task or purpose, and multiple applications
          constitute an application group. It provides a finer
          granularity than service in matching traffic. Even if
          different applications have the same service, they still can
          be distinguished by analyzing the data packets and comparing
          the signatures of each application. The hierarchy category
          method is appropriate for identifying applications. For
          example, the application of Gmail belongs to the category of
          business systems, and the subcategory of Email. Other key
          attributes that belongs to and can be used to identify an
          application are data transmission model (e.g., client-server,
          browser-based, networking, or peer-to-peer), risk level (e.g.,
          Exploitable, Evasive, Data-loss, or Bandwidth-consuming);

        - Device: The attributes that can identify a device include type
          (i.e., router, switch, pc, ios, or android) and the device's
          owner as well;

   o State:

        - Session state: any one specific state related to the
          user/operation sessions, such as authentication state,
          TCP/UDP session state, or bidirectional state;

        - Session AAA state: includes authentication state,
          authorization state, accounting state;

        - Access mode: the access mode of user or device.


Xia, et al.          Expires September 21, 2016              [Page 14]

Internet-Draft      I2NSF Capability Interface IM           March 2016


   o Direction: the direction of the network flow.

   Following table lists the possible attributes with their possible
   values for all the match conditions:

     +-----------------------------------------------------------+
     |Match Condition|      Attributes: Values                   |
     +---------------+-------------------------------------------+
     | Time          |                                           |
     | Event         | TBD                                       |
     |---------------+-------------------------------------------+
     | User Actions  |                                           |
     | Event         | login, logout, violate ACL ...            |
     |---------------+-------------------------------------------+
     | Ethernet      |                                           |
     | Frame         | Source/Destination address                |
     | Header        | s-VID/c-VID/EtherType                     |
     |---------------+-------------------------------------------+
     |               |            src/dest address               |
     | IPv4          |            protocol                       |
     | Packet        |            src/dest port                  |
     | Header        |            length                         |
     |               |            flags                          |
     |               |            ttl                            |
     +---------------+-------------------------------------------+
     |               |            src/dest address               |
     |  IPv6         |            protocol/nh                    |
     |  Packet       |            src/dest port                  |
     |  Header       |            length                         |
     |               |            traffic class                  |
     |               |            hop limit                      |
     |               |            flow label                     |
     +---------------+-------------------------------------------+
     | TCP           |            Port                           |
     | SCTP          |            syn                            |
     | DCCP          |            ack                            |
     |               |            fin                            |
     |               |            rst                            |
     |               |            psh                            |
     |               |            urg                            |
     |               |            window                         |
     |               |            sockstress                     |


Xia, et al.          Expires September 21, 2016              [Page 15]

Internet-Draft      I2NSF Capability Interface IM           March 2016


     +---------------+-------------------------------------------+
     | User          |                                           |
     +---------------+-------------------------------------------+
     | Schedule      |   time span                               |
     |               |   days, minutes, seconds,                 |
     +---------------+-------------------------------------------+
     | Region        |   country, province, city                 |
     |               |   IP address, network section,            |
     |               |   network domain                          |
     +---------------+-------------------------------------------+
     |               |   service: TCP, UDP, ICMP, HTTP...        |
     | Target        |   application: Gmail, QQ, MySQL...        |
     |               |   device: mobile phone, tablet, PC...     |
     +---------------+-------------------------------------------+
     |               |   session state: new, established, related|
     | State         |   invalid, untracked                      |
     |               |   access mode: WIFI, 802.1x, PPPOE, SSL...|
     +---------------+-------------------------------------------+
     |               |   Direction: from_client, from_server,    |
     | Direction     |   bidirection, reversed                   |
     |               |                                           |
     +---------------+-------------------------------------------+
                   Table 1. Match conditions details

   Note that match conditions are extensible, new one can be created
   any time according to the requirements.

   Network security control policy consists of a number of rules
   complying with the information model described above. Then it
   enforces the rules in turn to process the passing traffic. Following
   is the basic operation process:

   1. The NSF compares the attributes in the event and condition
      clauses defined in the first rule. If all the results are TRUE,
      the traffic matches the rule. If one or more clauses are FALSE,
      the NSF compares the attributes with in event and condition
      clauses defined in the next rule. If all rules are not met, the
      NSF denies the traffic by default;







Xia, et al.          Expires September 21, 2016              [Page 16]

Internet-Draft      I2NSF Capability Interface IM           March 2016


   2. If the traffic matches a rule, the NSF performs the defined
      actions over the traffic. If the action is "deny", the NSF blocks
      the traffic. If the basic action is permit/mirror, the NSF
      resumes checking whether certain other security capabilities are
      referenced in the rule. If yes, go to step 3. If no, the traffic
      is permitted;

   3. If other security capabilities (e.g., Antivirus or IPS) are
      referenced in the rule and the action defined in the rule is
      permit/mirror, the NSF performs the called security capabilities.

   One policy or rule can be applied multiple times on different places,
   i.e., links, devices, networks, vpns, etc. It not only guarantees
   the consistent policy enforcement in the whole network, but also
   decreases the configuration workload.

  4.3. Information Model for Content Security Control

   The block for content security control is composed of a number of
   security capabilities, while each one aims for protecting against a
   specific type of threat in the application layer.

   Following figure shows a basic structure of the information model:

                   +----------------------------------+
                   |                                  |
                   |                                  |
                   |     Anti-Virus                   |
                   |     Intrusion Prevention         |
                   |     URL Filtering                |
                   |     File Blocking                |
                   |     Data Filtering               |
                   |     Application Behavior Control |
                   |     Mail Filtering               |
                   |     Packet Capturing             |
                   |     File Isolation               |
                   |     ...                          |
                   |                                  |
                   |                                  |
                   |                                  |
                   |                                  |
                   |              Information model   |
                   |              for content security|
                   |              control             |
                   +----------------------------------+
       Figure 3. The basic structure of information model for content
                             security control


Xia, et al.          Expires September 21, 2016              [Page 17]

Internet-Draft      I2NSF Capability Interface IM           March 2016


   The detailed description about the standard interface and the
   parameters for all the security capabilities of this category are
   TBD.

  4.4. Information Model for Attack Mitigation Control

   The block for attack mitigation control is composed of a number of
   security capabilities, while each one aims for mitigating a specific
   type of network attack.

   Following figure shows a basic structure of the information model:

             Please view in a fixed-width font such as Courier.

            +-------------------------------------------------+
            |                                                 |
            | +---------------------+    +---------------+    |
            | |Attack mitigation    |    | General Shared|    |
            | |capabilites:         |    | Parameters:   |    |
            | | SYN flood,          |    |               |    |
            | | UDP flood,          |    |               |    |
            | | ICMP flood,         |    |               |    |
            | | IP fragment flood,  |    |               |    |
            | | IPv6 related attacks|    |               |    |
            | | HTTP flood,         |    |               |    |
            | | HTTPS flood,        |    |               |    |
            | | DNS flood,          |    |               |    |
            | | DNS amplification,  |    |               |    |
            | | SSL DDoS,           |    |               |    |
            | | IP sweep,           |    |               |    |
            | | Port scanning,      |    |               |    |
            | | Ping of Death,      |    |               |    |
            | | Oversized ICMP      |    |               |    |
            | |                     |    |               |    |
            | | ...                 |    |               |    |
            | |                     |    |               |    |
            | +---------------------+    +---------------+    |
            |                                                 |
            |                            Information model    |
            |                            for attack mitigation|
            |                            control              |
            +-------------------------------------------------+
       Figure 4. The basic structure of information model for attack
                            mitigation control





Xia, et al.          Expires September 21, 2016              [Page 18]

Internet-Draft      I2NSF Capability Interface IM           March 2016


   The detailed description about the standard interface and the
   general shared parameters for all the security capabilities of this
   category are TBD.

 5. IM Grammar of Security Policy

   This section specifies the information model of security policy in
   Routing Backus-Naur Form [RFC5511].  This grammar is intended to
   help the reader better understand the english text description in
   order to derive a data model.

   Firstly, several types of route are specified as follows:

   o IPv4: Match on destination IP address in the IPv4 header

   o IPv6: Match on destination IP address in the IPv6 header

   o MPLS: Match on a MPLS label at the top of the MPLS label stack

   o MAC: Match on MAC destination addresses in the ethernet header

   o Interface: Match on incoming/outcoming interface of the packet



   Then, the I2NSF information model grammar of security policy is
   specified as follows:

   <Policy> ::= <policy-name> <policy-id> (<Rule> ...)

   <Rule> ::= <rule-name> <rule-id> <Match> <Action>



   <Match> ::= [<subject-based-match>] [<object-based-match>]

   <subject-based-match> ::= [<L234-packet-header> ...]

                            [<packet-payload> ...]

   <L234-packet-header> ::= [<address-scope>] [<layer-2-header>]

                              [<layer-3-header>] [<layer-4-header>]

   <address-scope> ::= <route-type> (<ipv4-route> | <ipv6-route> |

                       <mpls-route> | <mac-route> | <interface-route>)


Xia, et al.          Expires September 21, 2016              [Page 19]

Internet-Draft      I2NSF Capability Interface IM           March 2016


   <route-type> ::= <IPV4> | <IPV6> | <MPLS> | <IEEE_MAC> | <INTERFACE>

   <ipv4-route> ::= <ip-route-type> (<destination-ipv4-address> |

                    <source-ipv4-address> | (<destination-ipv4-address>

                    <source-ipv4-address>))

   <destination-ipv4-address> ::= <ipv4-prefix>

   <source-ipv4-address> ::= <ipv4-prefix>

   <ipv4-prefix> ::= <IPV4_ADDRESS> <IPV4_PREFIX_LENGTH>



   <ipv6-route> ::= <ip-route-type> (<destination-ipv6-address> |

                    <source-ipv6-address> | (<destination-ipv6-address>

                    <source-ipv6-address>))

   <destination-ipv6-address> ::= <ipv6-prefix>

   <source-ipv6-address> ::= <ipv6-prefix>

   <ipv6-prefix> ::= <IPV6_ADDRESS> <IPV6_PREFIX_LENGTH>

   <ip-route-type> ::= <SRC> | <DEST> | <DEST_SRC>



   <layer-3-header> ::= <ipv4-header> | <ipv6-header>

   <ipv4-header> ::= <SOURCE_IPv4_ADDRESS> <DESTINATION_IPv4_ADDRESS>

                     <PROTOCOL> [<TTL>] [<DSCP>]

   <ipv6-header> ::= <SOURCE_IPV6_ADDRESS> <DESTINATION_IPV6_ADDRESS>

                     <NEXT_HEADER> [<TRAFFIC_CLASS>]

                     [<FLOW_LABEL>] [<HOP_LIMIT>]



   <object-based-match> ::= [<user> ...] [<schedule>] [<region>]


Xia, et al.          Expires September 21, 2016              [Page 20]

Internet-Draft      I2NSF Capability Interface IM           March 2016


                            [<target>] [<state>]

   <user> ::= (<login-name> <group-name> <parent-group> <password>

               <expired-date> <allow-multi-account-login>

               <address-binding>) | <tenant> | <VN-id>

   <schedule> ::= <name> <type> <start-time> <end-time>

                  <weekly-validity-time>

   <type> ::= <once> | <periodic>

   <target> ::= [<service>] [<application>] [<device>]

   <service> ::= <name> <id> <protocol> [<protocol-num>] [<src-port>]

                [<dest-port>]

   <protocol> ::= <TCP> | <UDP> | <ICMP> | <ICMPv6> | <IP>



   <application> ::= <name> <id> <category> <subcategory>

                    <data-transmission-model> <risk-level>

                    <signature>

   <category> ::= <business-system> | <Entertainment> | <internet>

                  <network> | <general>

   <subcategory> ::= <Finance> | <Email> | <Game> | <media-sharing> |

                    <social-network> | <web-posting> | <proxy> | ...

   <data-transmission-model> ::= <client-server> | <browser-based> |

                                <networking> | <peer-to-peer> |

                                <unassigned>

   <risk-level> ::= <Exploitable> | <Productivity-loss> | <Evasive> |

                    <Data-loss> | <Malware-vehicle> |


Xia, et al.          Expires September 21, 2016              [Page 21]

Internet-Draft      I2NSF Capability Interface IM           March 2016


                    <Bandwidth-consuming> | <Tunneling>



   <signature> ::= <server-address> <protocol> <dest-port-num>

                   <flow-direction> <object> <keyword>

   <flow-direction> ::= <request> | <response> | <bidirection>

   <object> ::= <packet> | <flow>

   <device> ::= <pc> | <mobile-phone> | <tablet>

   <session-state> ::= <new> | <established> | <related> | <invalid> |

                       <untracked>



   <action> ::= <basic-action> [<advanced-action>]

   <basic-action> ::= <pass> | <deny> | <mirror> | <call-function> |

                     <encapsulation>

   <advanced-action> ::= [<profile-antivirus>] [<profile-IPS>]

                         [<profile-url-filtering>]

                        [<profile-file-blocking>]

                        [<profile-data-filtering>]

                        [<profile-application-control>]

 6. Security Considerations

   TBD

 7. IANA Considerations








Xia, et al.          Expires September 21, 2016              [Page 22]

Internet-Draft      I2NSF Capability Interface IM           March 2016


 8. References

  8.1. Normative References

   [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
             Requirement Levels", BCP 14, RFC 2119, March 1997.

   [RFC2234] Crocker, D. and Overell, P.(Editors), "Augmented BNF for
             Syntax Specifications: ABNF", RFC 2234, Internet Mail
             Consortium and Demon Internet Ltd., November 1997.

   [RFC6020] Bjorklund, M., "YANG - A Data Modeling Language for the
             Network Configuration Protocol (NETCONF)", RFC 6020,
             October 2010.

   [RFC5511] Farrel, A., "Routing Backus-Naur Form (RBNF): A Syntax
             Used to Form Encoding Rules in Various Routing Protocol
             Specifications", RFC 5511, April 2009.

  8.2. Informative References

   [INCITS359 RBAC]   NIST/INCITS, "American National Standard for
             Information Technology - Role Based Access Control",
             INCITS 359, April, 2003

    [I-D.draft-ietf-i2nsf-problem-and-use-cases] Hares, S., et.al.,
             "I2NSF Problem Statement and Use cases", Work in Progress,
             February, 2016.

   [I-D.draft-merged-i2nsf-framework] Lopez, E., et.al., "Framework for
             Interface to Network Security Functions", Work in Progress,
             March, 2016.

   [I-D.xia-i2nsf-service-interface-DM] Xia, L., et.al., "Data Model of
             Interface to Network Security Functions Service Interface",
             February, 2015.

 9. Acknowledgments



   This document was prepared using 2-Word-v2.0.template.dot.







Xia, et al.          Expires September 21, 2016              [Page 23]

Internet-Draft      I2NSF Capability Interface IM           March 2016


Authors' Addresses

   Liang Xia (Frank)
   Huawei

   101 Software Avenue, Yuhuatai District
   Nanjing, Jiangsu  210012
   China

   Email: Frank.xialiang@huawei.com


   DaCheng Zhang
   Alibaba

   Email: Dacheng.zdc@alibaba-inc.com



   Edward Lopez
   Fortinet
   899 Kifer Road
   Sunnyvale, CA 94086
   Phone: +1 703 220 0988

   EMail: elopez@fortinet.com


   Nicolas BOUTHORS
   Qosmos

   Email: Nicolas.BOUTHORS@qosmos.com

   Luyuan Fang
   Microsoft
   15590 NE 31st St
   Redmond, WA 98052
   Email: lufang@microsoft.com










Xia, et al.          Expires September 21, 2016              [Page 24]