draft-ietf-i2nsf-terminology-01.txt   draft-ietf-i2nsf-terminology-02.txt 
I2NSF S. Hares I2NSF S. Hares
Internet-Draft J. Strassner Internet-Draft J. Strassner
Intended status: Informational Huawei Intended status: Informational Huawei
Expires: January 29, 2017 D. Lopez Expires: April 25, 2017 D. Lopez
Telefonica I+D Telefonica I+D
L. Xia L. Xia
Huawei Huawei
July 8, 2016 H. Birkholz
Fraunhofer SIT
October 23, 2016
Interface to Network Security Functions (I2NSF) Terminology Interface to Network Security Functions (I2NSF) Terminology
draft-ietf-i2nsf-terminology-01.txt draft-ietf-i2nsf-terminology-02.txt
Abstract Abstract
This document defines a set of terms that are used for the Interface This document defines a set of terms that are used for the Interface
to Network Security Functions (I2NSF) effort. to Network Security Functions (I2NSF) effort.
Status of this Memo Status of this Memo
This Internet-Draft is submitted in full conformance with the This Internet-Draft is submitted in full conformance with the
provisions of BCP 78 and BCP 79. provisions of BCP 78 and BCP 79.
skipping to change at page 1, line 36 skipping to change at page 1, line 38
Task Force (IETF). Note that other groups may also distribute Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current working documents as Internet-Drafts. The list of current
Internet-Drafts is at http://datatracker.ietf.org/drafts/current/. Internet-Drafts is at http://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six Internet-Drafts are draft documents valid for a maximum of six
months and may be updated, replaced, or obsoleted by other months and may be updated, replaced, or obsoleted by other
documents at any time. It is inappropriate to use Internet-Drafts documents at any time. It is inappropriate to use Internet-Drafts
as reference material or to cite them other than as "work in as reference material or to cite them other than as "work in
progress." progress."
This Internet-Draft will expire on January 29, 2017. This Internet-Draft will expire on April 25, 2017.
Copyright Notice Copyright Notice
Copyright (c) 2016 IETF Trust and the persons identified as the Copyright (c) 2016 IETF Trust and the persons identified as the
document authors. All rights reserved. document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents Provisions Relating to IETF Documents
(http://trustee.ietf.org/license-info) in effect on the date of (http://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents publication of this document. Please review these documents
skipping to change at page 3, line 35 skipping to change at page 3, line 35
Access Control: Protection of system resources against unauthorized Access Control: Protection of system resources against unauthorized
access; a process by which use of system resources is regulated access; a process by which use of system resources is regulated
according to a security policy, and is permitted by only according to a security policy, and is permitted by only
authorized entities (users, programs, processes, or other systems) authorized entities (users, programs, processes, or other systems)
according to that policy [RFC4949]. according to that policy [RFC4949].
Accounting: The act of collecting information on resource usage for Accounting: The act of collecting information on resource usage for
the purpose of trend analysis, auditing, billing, or cost the purpose of trend analysis, auditing, billing, or cost
allocation ([RFC2975] [RFC3539]). allocation ([RFC2975] [RFC3539]).
ACL (Acess Control List): This is a mechanism that implements ACL (Access Control List): This is a mechanism that implements
access control for a system resource by enumerating the system access control for a system resource by enumerating the system
entities that are permitted to access the resource and stating, entities that are permitted to access the resource and stating,
either implicitly or explicitly, the access modes granted to each either implicitly or explicitly, the access modes granted to each
entity [RFC4949]. A YANG description is defined in entity [RFC4949]. A YANG description is defined in
[I-D.ietf-netmod-acl-model]. [I-D.ietf-netmod-acl-model].
Action: Defines what is to be done when a set of Conditions are Action: Defines what is to be done when a set of Conditions are
met (See I2NSF Action). (from met (See I2NSF Action). (from
[I-D.ietf-supa-generic-policy-info-model]). [I-D.ietf-supa-generic-policy-info-model]).
skipping to change at page 4, line 32 skipping to change at page 4, line 32
or FALSE. Also called Boolean Expression. or FALSE. Also called Boolean Expression.
Capability: Defines a set of features that are available from a Capability: Defines a set of features that are available from a
managed entity (see also I2NSF Capability). Examples of "managed managed entity (see also I2NSF Capability). Examples of "managed
entities" are NSFs and Controllers, where NSF Capabilities and entities" are NSFs and Controllers, where NSF Capabilities and
Controller Capabilities define functionality of an NSF and about Controller Capabilities define functionality of an NSF and about
Controller, respectively. These functions may, but do not have Controller, respectively. These functions may, but do not have
to, be used. All Capabilities are announced through the to, be used. All Capabilities are announced through the
Registration Interface. Registration Interface.
Capability Interface: An interface dedicated to requesting,
receiving, editing, and deleting capability information.
Client: See Consumer. [Editor's note: placeholder for gradually Client: See Consumer. [Editor's note: placeholder for gradually
replacing Client with Consumer, since Client is too vague and replacing Client with Consumer, since Client is too vague and
has other connotations (e.g., client-server)]. has other connotations (e.g., client-server)].
Client-Facing Interface: See Consumer-Facing Interface. Client-Facing Interface: See Consumer-Facing Interface.
See also: Interface, NSF-Facing Interface. See also: Interface, NSF-Facing Interface.
Component: An encapsulation of software that communicates using Component: An encapsulation of software that communicates using
Interfaces. A Component may be implemented by hardware and/or Interfaces. A Component may be implemented by hardware and/or
software, and be represented using a set of classes. In general, software, and be represented using a set of classes. In general,
a Component encapsulates a set of data structures and a set of a Component encapsulates a set of data structures and a set of
algorithms that implement the function(s) that it provides. algorithms that implement the function(s) that it provides.
Consumer: A Consumer is a Role that is assigned to an I2NSF Consumer: A Consumer is a Role that is assigned to an I2NSF
Component that can receive information from another I2NSF Component that represents the needs of a user of I2NSF services.
Component. See also: Provider, Role. A consumer can send/receive information to/from another I2NSF
Component (e.g., for defining and monitoring security policies
for the Consumer's specific flows through an I2NSF
administrative domain). See also: Producer, Role.
Consumer-Facing Interface: An Interface dedicated to communication Consumer-Facing Interface: An Interface dedicated to communication
with Consumers of NSF data and Services. This is typically with Consumers of NSF Data and Services. This is typically
defined per I2NSF administrative domain. See also: Interface, defined per I2NSF administrative domain. See also: Interface,
NSF-Facing Interface. NSF-Facing Interface.
Condition: A set of attributes, features, and/or values that are to Condition: A set of attributes, features, and/or values that are to
be compared with a set of known attributes, features, and/or be compared with a set of known attributes, features, and/or
values in order to make a decision. A Condition, when used in the values in order to make a decision. A Condition, when used in the
context of a Policy Rule, is used to determine whether or not the context of a Policy Rule, is used to determine whether or not the
set of Actions in that Policy Rule can be executed or not. set of Actions in that Policy Rule can be executed or not.
Examples of an I2NSF Condition include matching attributes of a Examples of an I2NSF Condition include matching attributes of a
packet or flow, and comparing the internal state of a NSF to a packet or flow, and comparing the internal state of a NSF to a
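Review bot: the revised Consumer entry now cross-references "Producer, Role", but nothing visible in this revision defines Producer, and the Interface entry later in the glossary still lists "Provider Interface"; pick one term (Producer or Provider), add a glossary entry for it, and update the other cross-references in the same change. The new Capability Interface entry ("requesting, receiving, editing, and deleting capability information") also sits uneasily next to the Capability entry's statement that "All Capabilities are announced through the Registration Interface"; a sentence stating how the two interfaces relate (or a See also in each direction) would remove the ambiguity.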
skipping to change at page 6, line 39 skipping to change at page 6, line 39
ECA: Event - Condition - Action (a type of Policy Rule). ECA: Event - Condition - Action (a type of Policy Rule).
Firewall (FW): A function that restricts data communication traffic Firewall (FW): A function that restricts data communication traffic
to and from one of the connected networks (the one said to be to and from one of the connected networks (the one said to be
'inside' the firewall), and thus protects that network's system 'inside' the firewall), and thus protects that network's system
resources against threats from the other network (the one that resources against threats from the other network (the one that
is said to be 'outside' the firewall) [RFC4949]. is said to be 'outside' the firewall) [RFC4949].
[I-D.ietf-opsawg-firewalls] [I-D.ietf-opsawg-firewalls]
Flow-based NSF: A NSF that inspects network flows according to a Flow: A set of information (e.g., packets) that are related in a
fundamental manner (e.g., sent from the same source and sent to
the same destination). A common example is a sequence of packets.
It is the opposite of packet-based, which treats each packet
discretely (e.g., each packet is assessed individually to
determine the action(s) to be taken).
Flow-based NSF: A NSF that inspects network flows according to a
set of policies intended for enforcing security properties. Flow- set of policies intended for enforcing security properties. Flow-
based security also means that packets are inspected in the order based security also means that packets are inspected in the order
they are received, and without modification to the packet due to they are received, and without modification to the packet due to
the inspection process. the inspection process.
I2NSF Agent: A software Component in a device that implements an
NSF. It receives provisioning information and requests for
operational data (e.g., monitoring data) from an I2NSF Consumer.
It is also responsible for enforcing the policies that it
receives from an I2NSF Consumer.
I2NSF Action: An I2NSF Action is a special type of Action that is I2NSF Action: An I2NSF Action is a special type of Action that is
used to control and monitor aspects of flow-based Network Security used to control and monitor aspects of flow-based Network Security
Functions. Examples of I2NSF Actions include providing intrusion Functions. Examples of I2NSF Actions include providing intrusion
detection and/or protection, web and flow filtering, and deep detection and/or protection, web and flow filtering, and deep
packet inspection for packets and flows. An I2NSF Action, when packet inspection for packets and flows. An I2NSF Action, when
used in the context of a I2NSF Policy Rule, may be executed when used in the context of a I2NSF Policy Rule, may be executed when
both the Event and the Condition clauses of its owning I2NSF both the Event and the Condition clauses of its owning I2NSF
Policy Rule evaluate to true. The execution of this Action may be Policy Rule evaluate to true. The execution of this Action may be
influenced by applicable metadata. (from influenced by applicable metadata. (from
[I-D.ietf-supa-generic-policy-info-model]). [I-D.ietf-supa-generic-policy-info-model]).
I2NSF Agent: A software Component in a device that implements an
NSF. It receives provisioning information and requests for
operational data (e.g., monitoring data) from an I2NSF Consumer.
It is also responsible for enforcing the policies that it
receives from an I2NSF Consumer.
I2NSF Capability: A set of features that are available from an NSF I2NSF Capability: A set of features that are available from an NSF
Server or an NSF Controller. While both are Capabilities, the Server or an NSF Controller. While both are Capabilities, the
former defines functions that are available from an NSF, whereas former defines functions that are available from an NSF, whereas
the latter defines functions that are available from a security the latter defines functions that are available from a security
Controller or other Management Entity. This definition is based Controller or other Management Entity. This definition is based
on that in [I-D.ietf-sacm-terminology]. on that in [I-D.ietf-sacm-terminology].
I2NSF Client: See I2NSF Consumer. I2NSF Client: See I2NSF Consumer.
I2NSF Component: A Component that provides one or more I2NSF I2NSF Component: A Component that provides one or more I2NSF
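Review bot: in the new Flow entry, "A set of information (e.g., packets) that are related" should read "that is related" (the subject is "set"), and the sentence "It is the opposite of packet-based" has no clear referent since the entry defines Flow, not flow-based processing; suggest "Flow-based processing is the opposite of packet-based processing, which treats each packet discretely". Moving I2NSF Agent after I2NSF Action is correct, since the glossary is alphabetical and "Action" sorts before "Agent".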
skipping to change at page 8, line 40 skipping to change at page 8, line 52
and protocol [I-D.ietf-supa-generic-policy-info-model]. and protocol [I-D.ietf-supa-generic-policy-info-model].
Interface: A set of operations one object knows it can invoke on, Interface: A set of operations one object knows it can invoke on,
and expose to, another object. It is a subset of all operations and expose to, another object. It is a subset of all operations
that a given object implements. The same object may have multiple that a given object implements. The same object may have multiple
types of interfaces to serve different purposes. An example of types of interfaces to serve different purposes. An example of
multiple interfaces can be seen by considering the interfaces multiple interfaces can be seen by considering the interfaces
include a firewall uses; these include: include a firewall uses; these include:
* multiple interfaces for data packets to traverse through, * multiple interfaces for data packets to traverse through,
* an interface for a controller to impose policy,or retrieve * an interface for a controller to impose policy, or retrieve
the results of execution of a policy rule. the results of execution of a policy rule.
See also: Consumer Interface, I2NSF Interface, Provider Interface See also: Consumer Interface, I2NSF Interface, Provider Interface
Interface Group: A set of Interfaces that are related in purpose and
which share the same communication mechanisms.
Intrusion Detection System (IDS): A system that detects network Intrusion Detection System (IDS): A system that detects network
intrusions via a variety of filters, monitors, and/or probes. An intrusions via a variety of filters, monitors, and/or probes. An
IDS may be stateful or stateless. IDS may be stateful or stateless.
Intrusion Protection System (IPS): A system that protects against Intrusion Protection System (IPS): A system that protects against
network intrusions. An IPS may be stateful or stateless. network intrusions. An IPS may be stateful or stateless.
Management Plane: In the context of I2NSF, the Management Plane is Management Plane: In the context of I2NSF, the Management Plane is
an architectural Component that provides common functions to an architectural Component that provides common functions to
define the behavior of I2NSF Components. The primary use of the define the behavior of I2NSF Components. The primary use of the
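Review bot: the sentence "An example of multiple interfaces can be seen by considering the interfaces include a firewall uses; these include:" is garbled in both versions and this revision only fixes the comma spacing in the second bullet; suggest "An example of multiple interfaces can be seen by considering the interfaces that a firewall uses; these include:". The closing "See also: Consumer Interface, I2NSF Interface, Provider Interface" also points at names the glossary does not define under those headings (the entries are "Consumer-Facing Interface" and, depending on the outcome of the Consumer entry change, Producer or Provider), so the See also list should use the exact entry names.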
skipping to change at page 11, line 17 skipping to change at page 11, line 25
The following people contributed to creating this document, and are The following people contributed to creating this document, and are
listed in alphabetical order: listed in alphabetical order:
Henk Birkholz Henk Birkholz
6. References 6. References
6.1. Informative References 6.1. Informative References
[I-D.ietf-i2nsf-gap-analysis] [I-D.ietf-i2nsf-gap-analysis]
Hares, S., Moskowitz, R., and D. Zhang, "Analysis of Hares, S., Moskowitz, R., and Zhang, D., "Analysis of
Existing work for I2NSF", draft-ietf-i2nsf-gap-analysis-01 Existing work for I2NSF", draft-ietf-i2nsf-gap-analysis-02
(work in progress), April 2016. (work in progress), July 2016.
[I-D.ietf-i2nsf-problem-and-use-cases] [I-D.ietf-i2nsf-problem-and-use-cases]
Hares, S., Dunbar, L., Lopez, D., Zarny, M., and C. Hares, S., Dunbar, L., Lopez, D., Zarny, M., and C.
Jacquenet, "I2NSF Problem Statement and Use cases", draft- Jacquenet, "I2NSF Problem Statement and Use cases", draft-
ietf-i2nsf-problem-and-use-cases-01 (work in progress), ietf-i2nsf-problem-and-use-cases-02 (work in progress),
July 2016. October 2016.
[I-D.ietf-netmod-acl-model] [I-D.ietf-netmod-acl-model]
Bogdanovic, D., Sreenivasa, K., Huang, L., Blair, D., Bogdanovic, D., Sreenivasa, K., Huang, L., Blair, D.,
"Network Access Control List (ACL) YANG Data Model", "Network Access Control List (ACL) YANG Data Model",
draft-ietf-netmod-acl-model-08 (work in progress), draft-ietf-netmod-acl-model-09 (work in progress),
July 2016. October 2016.
[I-D.ietf-opsawg-firewalls] [I-D.ietf-opsawg-firewalls]
Baker, F. and P. Hoffman, "On Firewalls in Internet Baker, F. and P. Hoffman, "On Firewalls in Internet
Security", draft-ietf-opsawg-firewalls-01 (work in Security", draft-ietf-opsawg-firewalls-01 (work in
progress), October 2012. progress), October 2012.
[I-D.ietf-sacm-terminology] [I-D.ietf-sacm-terminology]
Birkholz, H., Lu, J., Cam-Wignet, N., "Secure Automation Birkholz, H., Lu, J., Strassner, J., Cam-Wignet, N.,
and Continuous Monitoring (SACM) Terminology", "Secure Automation and Continuous Monitoring (SACM)
draft-ietf-sacm-terminology-09, March 2016 Terminology", draft-ietf-sacm-terminology-11,
September 2016
[I-D.ietf-supa-generic-policy-info-model] [I-D.ietf-supa-generic-policy-info-model]
Strassner, J., Halpern, J., and J. Coleman, "Generic Strassner, J., Halpern, J., and J. Coleman, "Generic
Policy Information Model for Simplified Use of Policy Policy Information Model for Simplified Use of Policy
Abstractions (SUPA)", draft-ietf-supa-generic-policy- Abstractions (SUPA)", draft-ietf-supa-generic-policy-
info-model-00 (work in progress), June 2016. info-model-01 (work in progress), July 2016.
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
Requirement Levels", BCP 14, RFC 2119, March 1997. Requirement Levels", BCP 14, RFC 2119, March 1997.
[RFC2975] Aboba, B., Arkko, J., and D. Harrington, "Introduction to [RFC2975] Aboba, B., Arkko, J., and D. Harrington, "Introduction to
Accounting Management", RFC 2975, DOI 10.17487/RFC2975, Accounting Management", RFC 2975, DOI 10.17487/RFC2975,
October 2000, <http://www.rfc-editor.org/info/rfc2975>. October 2000, <http://www.rfc-editor.org/info/rfc2975>.
[RFC3234] Carpenter, B. and S. Brim, "Middleboxes: Taxonomy and [RFC3234] Carpenter, B. and S. Brim, "Middleboxes: Taxonomy and
Issues", RFC 3234, DOI 10.17487/RFC3234, February 2002, Issues", RFC 3234, DOI 10.17487/RFC3234, February 2002,
skipping to change at page 12, line 19 skipping to change at page 12, line 32
[RFC3539] Aboba, B. and J. Wood, "Authentication, Authorization and [RFC3539] Aboba, B. and J. Wood, "Authentication, Authorization and
Accounting (AAA) Transport Profile", RFC 3539, Accounting (AAA) Transport Profile", RFC 3539,
DOI 10.17487/RFC3539, June 2003, DOI 10.17487/RFC3539, June 2003,
<http://www.rfc-editor.org/info/rfc3539>. <http://www.rfc-editor.org/info/rfc3539>.
[RFC4949] Shirey, R., "Internet Security Glossary, Version 2", [RFC4949] Shirey, R., "Internet Security Glossary, Version 2",
FYI 36, RFC 4949, DOI 10.17487/RFC4949, August 2007, FYI 36, RFC 4949, DOI 10.17487/RFC4949, August 2007,
<http://www.rfc-editor.org/info/rfc4949>. <http://www.rfc-editor.org/info/rfc4949>.
[X.1252] ITU-T, "Baseline identity management terms and [X.1252] ITU-T, "Baseline identity management terms and
definitions", Recommendation ITU-T X.1252, April 2010 definitions", Recommendation ITU-T X.1252, April 2510
Authors' Addresses Authors' Addresses
Susan Hares Susan Hares
Huawei Huawei
7453 Hickory Hill 7453 Hickory Hill
Saline, MI 48176 Saline, MI USA 48176
USA
Phone: +1-734-604-0332 Phone: +1-734-604-0332
Email: shares@ndzh.com Email: shares@ndzh.com
John Strassner John Strassner
Huawei Technologies Huawei Technologies
Santa Clara, CA Santa Clara, CA USA 95050
USA
Email: john.sc.strassner@huawei.com Email: john.sc.strassner@huawei.com
Diego R. Lopez Diego R. Lopez
Telefonica I+D Telefonica I+D
Don Ramon de la Cruz, 82 Don Ramon de la Cruz, 82
Madrid 28006 Madrid 28006
Spain Spain
Email: diego.r.lopez@telefonica.com Email: diego.r.lopez@telefonica.com
Liang Xia (Frank) Liang Xia (Frank)
Huawei Huawei
101 Software Avenue, Yuhuatai District 101 Software Avenue, Yuhuatai District
Nanjing , Jiangsu 210012 Nanjing , Jiangsu 210012
China China
Email: Frank.Xialiang@huawei.com Email: Frank.Xialiang@huawei.com
Henk Birkholz
Fraunhofer SIT
Rheinstrasse 75
Darmstadt 64295
Germany
Email: henk.birkholz@sit.fraunhofer.de
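Review bot: the [X.1252] reference date is changed from "April 2010" to "April 2510" in -02, which is an obvious typo introduced by this revision; restore "April 2010". The address edits that fold "USA" onto the city line are fine, but note that the Hares entry now reads "Saline, MI USA 48176" with the postal code after the country, while the Strassner entry was given the same layout; a consistent "City, State ZIP" line followed by the country on its own line, as in the Lopez, Xia and Birkholz entries, would match the rest of the section.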
 End of changes. 23 change blocks. 
36 lines changed or deleted 46 lines changed or added

This html diff was produced by rfcdiff 1.45. The latest version is available from http://tools.ietf.org/tools/rfcdiff/