[I2nsf] Fwd: AD Review of draft-ietf-i2nsf-applicability-07

Eric Rescorla <ekr@rtfm.com> Sat, 22 December 2018 14:42 UTC


CCing the WG because I was wrong about the aliases.

---------- Forwarded message ---------
From: Eric Rescorla <ekr@rtfm.com>
Date: Fri, Dec 21, 2018 at 6:32 AM
Subject: AD Review of draft-ietf-i2nsf-applicability-07
To: <draft-ietf-i2nsf-applicability@ietf.org>


Rich version of this review at:
https://mozphab-ietf.devsvcdev.mozaws.net/D3181


I found a number of typographical and grammar errors. Please give this
document a thorough read.

IMPORTANT
S 1.
>
>      Interface to Network Security Functions (I2NSF) defines a framework
>      and interfaces for interacting with Network Security Functions
>      (NSFs).  The I2NSF framework allows heterogeneous NSFs developed by
>      different security solution vendors to be used in the Network
>      Functions Virtualization (NFV) environment [ETSI-NFV] by utilizing

Much of this document cannot be understood without reading ETSI-NFV,
so it has to be a normative reference. It also would be helpful to
provide a link.


S 2.
>      This document uses the terminology described in [RFC7149],
>      [ITU-T.Y.3300], [ONF-OpenFlow], [ONF-SDN-Architecture],
>      [ITU-T.X.1252], [ITU-T.X.800], [RFC8329], [i2nsf-terminology],
>      [consumer-facing-inf-im], [consumer-facing-inf-dm],
>      [i2nsf-nsf-cap-im], [nsf-facing-inf-dm], [registration-inf-dm], and
>      [nsf-triggered-steering].  In addition, the following terms are

Every term in this document needs to be understandable without
reference to closed specifications or internally defined. Please
ensure that this is so.


S 3.
>      used for the I2NSF NSF-Facing Interface.
>
>      The Registration Interface between the Security Controller and the
>      Developer's Management System can be implemented by RESTCONF
>      [RFC8040].  The data model defined in [registration-inf-dm] can be
>      used for the I2NSF Registration Interface.

What role does the Developer's Management System play in this? I think
this refers to the text above starting with "The developers (or
vendors)...". Is that correct?

Assuming I am correct, this seems like a potentially serious security
vulnerability in this design in that it potentially allows an inside
attacker at the developer to seriously weaken a system's security.
What protections exist to prevent this?


S 4.
>      administrator wants to control the staff members' access to a
>      particular Interner service (e.g., Example.com) during business
>      hours.  The following is an example high-level security policy rule
>      that the administrator requests: Block the staff members' access to
>      Example.com from 9 AM to 6 PM.  The administrator sends this high-
>      level security policy to the Security Controller, then the Security

The text above suggests that high-level policies are via
RESTCONF/YANG, but this is clearly freeform text.

COMMENTS
S 1.
>
>   1.  Introduction
>
>      Interface to Network Security Functions (I2NSF) defines a framework
>      and interfaces for interacting with Network Security Functions
>      (NSFs).  The I2NSF framework allows heterogeneous NSFs developed by

Please define "Network Security Functions" here.


S 1.
>      functions in the NFV platform.  In the I2NSF framework, each NSF
>      initially registers the profile of its own capabilities into the
>      system in order for themselves to be available in the system.  In
>      addition, the Security Controller is validated by the I2NSF Client
>      (also called I2NSF User) that the user is employing, so that the user
>      can request security services through the Security Controller.

In this case the user is the system administrator.


S 1.
>      [RFC7149] to provide different security functionality such as
>      firewalls [opsawg-firewalls], Deep Packet Inspection (DPI), and
>      Distributed Denial of Service (DDoS) attack mitigation; (iv) the use
>      of NFV as supporting technology.  The implementation of I2NSF in
>      these scenarios has allowed us to verify the applicability and
>      effectiveness of the I2NSF framework for a variety of use cases.

This would be easier to read with a standard bulleted list.


S 2.
>         network resources, which facilitates the design, delivery and
>         operation of network services in a dynamic and scalable manner
>         [ITU-T.Y.3300].
>
>      o  Firewall: A service function at the junction of two network
>         segments that inspects every packet that attempts to cross the

Nit: It might not inspect *every* packet.


S 4.
>
>   4.  Time-dependent Web Access Control Service
>
>      This service scenario assumes that an enterprise network
>      administrator wants to control the staff members' access to a
>      particular Interner service (e.g., Example.com) during business

Nit: "Internet"


S 4.
>      inspection capability is required to check whether the target URL of
>      a received packet is in the Example.com domain or not.
>
>      The Security Controller maintains the security capabilities of each
>      NSF running in the I2NSF system, which have been reported by the
>      Developer's Management System via the Registation interface.  Based

Nit: "Registration"


S 4.
>      currently using the network.  Based on the retrieved information, the
>      Security Controller generates low-level security rules to check
>      whether the source IP address of a received packet matches any one
>      being used by a staff member.  In addition, the low-level security
>      rules should be able to determine that a received packet is of HTTP
>      protocol.  The low-level security rules for web filter checks that

Nit: "rules"... "checks" disagree.


S 6.
>      translated into their packet forwarding rules, whereas NSFs enforce
>      NSF-related security rules requiring the security capabilities of the
>      NSFs.  For this purpose, the Security Controller instructs the SDN
>      Controller via NSF-Facing Interface so that SDN forwarding elements
>      can perform the required security services with flow tables under the
>      supervision of the SDN Controller.

I'm having some trouble understanding the difference here between NSFs
and SDN elements. They both seem to be software controlled network
elements. Is this just some continuum about CPU power?


S 6.
>      can perform the required security services with flow tables under the
>      supervision of the SDN Controller.
>
>      As an example, let us consider two different types of security rules:
>
>      Rule A is a simple packet fltering rule that checks only the IP

Nit: "filtering"


S 6.2.
>          packets that have the same call-id.
>
>      6.  The SDN Controller installs new rules (e.g., drop packets) into
>          underlying switches.
>
>      7.  The illegal packets are dropped by these switches.

"Illegal" is probably the wrong word here.


S 6.3.
>         is helpful to determine security policies for such a network.
>
>   6.3.  Attack Mitigation: Centralized DDoS-attack Mitigation System
>
>      A centralized DDoS-attack mitigation can manage each network resource
>      and manipulate rules to each switch through a common server for DDoS-

"manipulate rules to" is not grammatical.


S 6.3.
>
>      Servers are categorized into stateless servers (e.g., DNS servers)
>      and stateful servers (e.g., web servers).  For DDoS-attack
>      mitigation, traffic flows in switches are dynamically configured by
>      traffic flow forwarding path management according to the category of
>      servers [AVANT-GUARD].  Such a managenent should consider the load

1. This seems hard to understand without this reference, which is not
public.
2. "management"


S 6.3.
>      mitigation, traffic flows in switches are dynamically configured by
>      traffic flow forwarding path management according to the category of
>      servers [AVANT-GUARD].  Such a managenent should consider the load
>      balance among the switches for the defense against DDoS attacks.
>
>      The procedure of DDoS-attack mitigation operations in this system is

"procedure of... operations" is ungrammatical.
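The S 4 excerpts describe the Security Controller turning the administrator's high-level policy ("block staff access to Example.com from 9 AM to 6 PM") into low-level rules that match staff source addresses, detect HTTP, and check the target domain, and the review notes that the high-level policy should be structured rather than free text. The following is an added illustration of that translation, not code from the draft or any I2NSF implementation; the policy field names, the staff directory lookup, and the simplification that the HTTP Host header stands in for URL inspection are all assumptions.

```python
from dataclasses import dataclass
from datetime import time
from ipaddress import ip_address, ip_network

# Constructed high-level policy, shaped as a structured (RESTCONF/YANG-style)
# record instead of free text. Field names are assumptions, not taken from
# any I2NSF data model.
HIGH_LEVEL_POLICY = {
    "name": "block-staff-example-com-business-hours",
    "subject-group": "staff",
    "target-domain": "example.com",
    "action": "drop",
    "time-window": {"start": "09:00", "end": "18:00"},
}

# Constructed directory standing in for the Security Controller's lookup of
# the IP addresses staff members are currently using.
STAFF_NETWORKS = {"staff": ["10.1.0.0/24", "10.1.1.7/32"]}


@dataclass(frozen=True)
class LowLevelRule:
    src_networks: tuple   # source-IP match against staff addresses
    dst_port: int         # protocol check: treat TCP/80 as HTTP (assumption)
    host_suffix: str      # web-filter check on the HTTP Host header
    start: time
    end: time
    action: str


def translate(policy, directory):
    """Security-Controller-style translation of one high-level policy."""
    nets = tuple(ip_network(n) for n in directory[policy["subject-group"]])
    tw = policy["time-window"]
    return LowLevelRule(
        src_networks=nets,
        dst_port=80,
        host_suffix=policy["target-domain"].lower(),
        start=time.fromisoformat(tw["start"]),
        end=time.fromisoformat(tw["end"]),
        action=policy["action"],
    )


def decide(rule, src_ip, dst_port, host, now):
    """Return the rule's action if a packet matches all checks, else 'pass'."""
    src = ip_address(src_ip)
    in_window = rule.start <= now < rule.end          # 09:00 inclusive, 18:00 exclusive
    from_staff = any(src in n for n in rule.src_networks)
    host = host.lower().rstrip(".")
    is_target = host == rule.host_suffix or host.endswith("." + rule.host_suffix)
    if in_window and from_staff and dst_port == rule.dst_port and is_target:
        return rule.action
    return "pass"
```

A real deployment would need DPI or TLS-aware URL inspection rather than a plain Host-header comparison, and would re-run `translate` whenever the staff address set changes.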