

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE rfc SYSTEM "rfc2629.dtd" [
<!ENTITY RFC2119 SYSTEM "http://xml.resource.org/public/rfc/bibxml/reference.RFC.2119.xml">
<!ENTITY RFC4948 SYSTEM "http://xml.resource.org/public/rfc/bibxml/reference.RFC.4948.xml">
<!ENTITY RFC7297 SYSTEM "http://xml.resource.org/public/rfc/bibxml/reference.RFC.7297.xml">
<!ENTITY I-D.ietf-netmod-acl-model SYSTEM "http://xml.resource.org/public/rfc/bibxml3/reference.I-D.draft-ietf-netmod-acl-model-06.xml">
<!ENTITY I-D.ietf-opsawg-firewalls SYSTEM "http://xml.resource.org/public/rfc/bibxml3/reference.I-D.draft-ietf-opsawg-firewalls-01.xml">
<!ENTITY I-D.ietf-i2nsf-gap-analysis SYSTEM "http://xml.resource.org/public/rfc/bibxml3/reference.I-D.draft-ietf-i2nsf-gap-analysis-00.xml">
<!ENTITY I-D.ietf-i2nsf-problem-and-use-cases SYSTEM "http://xml.resource.org/public/rfc/bibxml3/reference.I-D.draft-ietf-i2nsf-problem-and-use-cases-00.xml"> 
<!ENTITY I-D.strassner-supa-generic-policy-info-model SYSTEM "http://xml.resource.org/public/rfc/bibxml3/reference.I-D.draft-strassner-supa-generic-policy-info-model-04.xml"> 
]>
 
<?xml-stylesheet type='text/xsl' href='rfc2629.xslt' ?>
 <?rfc toc="yes" ?>
 <?rfc symrefs="yes" ?>
 <?rfc sortrefs="yes"?> 
 <?rfc compact="yes" ?>
 <?rfc subcompact="no" ?>  
 <?rfc iprnotified="no" ?>
  <?rfc strict="no" ?>

<rfc category="std" docName="draft-hares-i2nsf-terminology-00.txt" ipr="trust200902">
<front>
<title abbrev="I2NSF Terminology">I2NSF Terminology</title>
	  <author fullname="Susan Hares" initials="S" surname="Hares">
      <organization>Huawei</organization>
      <address>
        <postal> 
          <street>7453 Hickory Hill</street>
          <city>Saline</city>
          <region>MI</region>
          <code>48176</code>
          <country>USA</country>
        </postal>
		<phone>+1-734-604-0332</phone>
        <email>shares@ndzh.com</email>
		</address>
	  </author>
	 <author fullname="John Strassner" initials="J." surname="Strassner">
      <organization>Huawei</organization>
      <address>
        <postal> 
          <street> </street>
          <city>Santa Clara</city>
          <region>CA</region>
          <code></code>
          <country>USA</country>
        </postal>
	  	<phone> </phone>
        <email>John.Strassner@huawei.com </email>
	    </address>
	  </author>
	 <author fullname="Diego R. Lopez" initials="D" surname="Lopez">
      <organization>Telefonica I+D</organization>
      <address>
	    <postal> 
		<street>Don Ramon de la Cruz, 82</street>
		<city>Madrid</city>
		<code>28006</code> 
		<country>Spain</country>
		</postal>
        <email>diego.r.lopez@telefonica.com</email>
      </address>
    </author>
	<author fullname="Liang Xia (Frank)" initials="L." surname="Xia">
      <organization>Huawei</organization>
      <address>
	      <postal> 
          <street>101 Software Avenue, Yuhuatai District</street>
          <city>Nanjing </city>
          <region>Jiangsu </region>
          <code>210012</code>
          <country>China</country>
        </postal>
        <email>Frank.Xialiang@huawei.com</email>
      </address>
    </author>

<date year="2016" />
   <area>Security Area</area>
   <workgroup>I2NSF</workgroup>
    <keyword>RFC</keyword>
     <keyword>Request for Comments</keyword>
     <keyword>I-D</keyword>
     <keyword>Internet-Draft</keyword>
     <keyword>I2NSF</keyword>
<abstract>
	 <t>This document describes the terminology for I2NSF.     
   </t>
</abstract>
</front>
<middle>   
<section title="Introduction">
<t> 
 This document describes the terminology for the work on the Interface to
 Security Functions (I2NSF).  This section provides some background on 
 I2NSF, but a problem statement can be found in 
 <xref target="I-D.ietf-i2nsf-problem-and-use-cases"></xref>
</t> 
<t>
  The growing challenges and complexity in maintaining a secure infrastructure, 
  complying with regulatory requirements, and controlling costs are enticing 
  enterprises into consuming network security functions hosted by service providers. 
  The hosted security service is especially attractive to small and medium-sized
  enterprises, which often lack the security experts needed to continuously monitor,
  acquire new skills, and propose immediate mitigations to an ever-increasing set of security attacks.
  Small and medium-sized businesses (SMBs) are increasingly adopting cloud-based security services 
 to replace on-premises security tools, while larger enterprises are deploying a
 mix of traditional and cloud-based security services. 
</t>
<t>
To meet the demand, more and more service providers are providing hosted security 
solutions to deliver cost-effective managed security services to enterprise customers. 
The hosted security services are primarily targeted at enterprises 
(especially small/medium ones), but could also be provided to any kind of mass-market customer. 
As a result, network security functions (NSFs) are provided and consumed in increasingly 
diverse environments. Users of NSFs may consume network security services hosted by one 
or more providers, which may be their own enterprise, service providers, or a combination of both. 
 
</t>
</section>
<section title="Terminology">
<t>
<list style="hanging">
<t hangText="AAA: ">Authentication, Authorization, and Accounting. See individual
   definitions.</t>
   
<t hangText="Abstraction: ">   An abstraction defines the salient characteristics and behavior of
   an object that distinguish it from all other types of objects. It
   manages complexity by exposing common properties between objects
   and processes while hiding detail that is not relevant. </t> 
 
<t hangText="Accounting: ">TBD </t> 
<t hangText="ACL: ">Access Control List.
This is a mechanism for defining a set of permissions that are attached to an object.</t>
<t hangText="Action:  "> is a set of purposeful activities 
   that have a set of associated behavior. (see I2NSF Action below.)
   (from <xref target="I-D.strassner-supa-generic-policy-info-model"></xref>) </t>  
<t hangText="Authentication: ">TBD </t> 
<t hangText="Authorization: ">TBD </t> 
<t hangText="B2B: ">Business-to-Business </t>
<t hangText="Bespoke: ">Something made to fit a particular person, client or company. </t>
<t hangText="Bespoke security management: ">Security management systems which are made to 
   fit a particular customer. </t>
<t hangText="Boolean Clause:  ">A logical statement that evaluates to either TRUE
or FALSE. Also called Boolean Expression.</t>

<t hangText="Capability: "> TBD  </t>   
<t hangText="Capability Layer: "> TBD 
 [Editorial comment from Strassner: the existing definition in use in documents
 is descriptive, not prescriptive.]
  </t>    
  
<t hangText="Condition: "> a set of attributes, features, and/or values that are to be compared
   with a set of known attributes, features, and/or values in order to
   make a decision. Examples of an I2NSF Condition include matching attributes of a
   packet or flow, and comparing the internal state of a NSF to a
   desired state. A Condition, when used in the context of a Policy Rule, is used to
   determine whether or not the set of Actions in that Policy Rule can
   be executed or not.
   (from <xref target="I-D.strassner-supa-generic-policy-info-model"></xref>) </t>
   
<t hangText="Constraint:  ">
   A constraint is a limitation or restriction. Constraints may be
   added to any type of object (e.g., events, conditions, and
   actions in Policy Rules). </t>
<t hangText="Constraint Programming:  "> a type of programming that uses constraints
	to define relations between variables in order to find a feasible (and
	not necessarily optimal) solution.
</t>

<t hangText="Context:  ">  The Context of an Entity is a collection of measured and/or inferred
   knowledge that describe the state and the environment in which an
   Entity exists or has existed.
   (from http://www.ietf.org/mail-archive/web/i2nsf/current/msg00762.html)
   </t>
 
 <t hangText="Controller: "> TBD 
  [Editorial: The definition is lacking content ("used interchangeably with
   Service Provider Security Controller or management system
   throughout this document") and overloaded - the two terms should
   be split into two separate definitions in documents.]  </t>  

<t hangText="DC:  ">Data Center </t>
   
 <t hangText="Data Model: ">
   A data model is a representation of concepts of interest to an 
   environment in a form that is dependent on data repository, data 
   definition language, query language, implementation language, and 
   protocol (typically one or more of these ).
   (from <xref target="I-D.strassner-supa-generic-policy-info-model"></xref>).
   </t>
   
 <t hangText="Event:  ">
   An Event is defined as any important occurrence in time of a
   change in the system being managed, and/or in the environment of
   the system being managed. Examples of an I2NSF Event include 
   time and user actions (e.g., logon, logoff, and actions that violate an ACL).
   An Event, when used in the context of a Policy Rule, is used to
   determine whether the condition clause of an imperative Policy Rule
   can be evaluated or not.
   (from <xref target="I-D.strassner-supa-generic-policy-info-model"></xref>).
   </t>
   
<t hangText="ECA:  "> Event - Condition - Action policy. 
</t> 

<t hangText="FW:  "> Firewall </t>

<t hangText="Flow-based NSF:  ">A NSF that inspects network flows according to a
      policy intended for enforcing security properties.  Flow based
      security also means that packets are inspected in the order they
      are received, and without modification to the packet due to the
      inspection process (MAC rewrites, TTL decrement action, or NAT
      inspection or changes). </t>
	  

<t hangText="I2NSF Action:  ">An I2NSF Action is a special type of Action that is
      used to control and monitor aspects of physical and virtual flow-
      based Network Security Functions. Examples of I2NSF Actions include 
      providing intrusion detection and/or protection, web and flow
      filtering, and deep packet inspection for packets and flows. 
	  An I2NSF Action, when used in the context of a
      I2NSF Policy Rule, may be executed when both the event and the condition
      clauses of its owning I2NSF Policy Rule evaluate to true.  The execution
      of this action may be influenced by applicable metadata.
       (see <xref target="I-D.strassner-supa-generic-policy-info-model"></xref>).
	  </t>


<t hangText="I2NSF agent:  ">A piece of software in a device that implements a
      network security function that receives provisioning information
      and requests for operational data (monitoring data) across the
      I2NSF protocol from an I2NSF client. </t>

<t hangText="I2NSF client:  ">A security client software component that utilizes the I2NSF
      protocol to read, write or change provisioning and operational aspects 
      for the NSFs it attaches to by using the I2NSF protocol
      </t>

<t hangText="I2NSF Management System: ">An I2NSF client operates within a network
      management system, which serves as a collection and distribution
      point for security provisioning and filter data.  This management
      system is denoted as an I2NSF management system in this document. </t> 
	  
	  
<t hangText="I2NSF Policy:  ">is a set of rules that are used to manage and control the
   changing or maintaining of the state of a security device. 
   </t> 

<t hangText="I2NSF Policy Rule:  "> is a policy rule that is adapted for
 I2NSF.  The I2NSF Policy Rule is assumed to be in ECA form (i.e., an
  imperative structure). Other types of programming paradigms
  (e.g., declarative and functional) are currently out of scope.
  An example of an I2NSF Policy Rule is, in pseudo-code:
  <list>
  <t>IF &lt;event-clause&gt; is TRUE
  <list>
    <t>IF &lt;condition-clause&gt; is TRUE 
    <list>
        <t>THEN execute &lt;action-clause&gt;</t>
    </list>
    </t>
    <t>END-IF</t>
  </list>
  </t>
  <t>END-IF</t>
  </list>
 In the above example, the Event, Condition, and Action portions
  of a Policy Rule are all Boolean Clauses. 
 </t>
 
 <t hangText="I2NSF Registry:  "> a registry  
  which contains I2NSF capability
   information that can be controlled by the controller. 
 (An expansion of Registry definition below.)   </t>
   
<t hangText="IDS:  ">Intrusion Detection System (see below).
 </t>
<t hangText="IPS:  ">Intrusion Protection System (see below).
 </t> 
	  
<t hangText="Information Model:  "> An information model is a 
representation of concepts of interest 
to an environment in a form that is independent of data repository, 
data definition language, query language, implementation language, and protocol.    
   (from <xref target="I-D.strassner-supa-generic-policy-info-model"></xref>).
   </t> 
<t hangText="Interface:  "> is the set of operations one object knows it can
   invoke on another object. It is a subset of all operations that
   a given object implements. An example of multiple interfaces can be seen by 
   considering the interfaces a firewall uses.   A firewall 
   can have: a) multiple interfaces for data packets to traverse through and 
   b) an interface for a controller to impose policy, or 
   retrieve the results of execution of a policy rule.
   This illustrates that the same object may have multiple types
    of interfaces to serve different purposes.   
  </t>
 
 
<t hangText="Intrusion Detection System (IDS):  "> a system which detects
    network intrusions via a variety of filters, monitors, and/or probes. 
	An IDS may be stateful or stateless.   
</t>
	 
<t hangText="Intrusion Protection System (IPS):  "> a system that 
    protects against network intrusions.  An IPS may be stateful or 
	stateless. 
</t>

<t hangText="Metadata:  "> is data that provides information about other data. 
   IETF network management protocols (e.g., NETCONF/RESTCONF/IPFIX), 
   IETF routing interfaces (I2RS), and the I2NSF security interface 
   may each utilize Metadata regarding the YANG data models. 
</t>
   
<t hangText=" Middlebox:  "> TBD  </t>

<t hangText="NSF:  "> Network security function.  An NSF is a function that
      detects unwanted activity and blocks/mitigates the effect of such
      unwanted activity in order to support availability of a network.
      In addition, the NSF can help in supporting communication stream
      integrity and confidentiality. 
</t>

	  
<t hangText="OCL (the Object Constraint Language) "> is used to
 specify constraints in UML.
 (from http://www.ietf.org/mail-archive/web/i2nsf/current/msg00762.html)
</t>
	  
<t hangText="OPNFV (Open Network Function Virtualization)">
TBD </t> 


<t hangText="Policy Rule:  "> A Policy Rule is a set of rules that are used to
manage and control the changing or maintaining of the state of one or
more managed objects. Often this is shortened to Rule or Policy.
(from <xref target="I-D.strassner-supa-generic-policy-info-model"></xref>).
 An I2NSF Policy Rule is assumed to be in ECA form (i.e., an
  imperative structure). Other types of programming paradigms
  (e.g., declarative and functional) are currently out of scope.
  For the complete definition of an I2NSF Policy Rule, see the I2NSF Policy Rule entry above.
</t>

<t hangText="Profile:  ">  A structured representation of information 
   that characterizes the capabilities of an object. This may be used to simplify how this
   object interacts with other objects in its environment.
   [Editors note: John Strassner suggests this is a simplified 
   definition from a variety of sources (UAProf and CC/PP).
   It does not mention the concept of preference, therefore
   John wonders if we need a different definition here.] 
    </t>

<t hangText="Registry: "> is a logically centralized location containing data of a
   particular type; it may optionally contain metadata, relationships,
   and other aspects of the registered data in order to use those data
   effectively. An I2NSF registry is used to contain capability
   information that can be controlled by the controller.   </t>

<t hangText="Registration Interface:  "> is an interface dedicated to requesting, receiving, editing, and
   deleting information in a Registry. </t>
   
<t hangText="Security Management System:  ">  TBD
(Editorial: placeholder for a split of the definition between
controller (see above) and service provider security controller (see below),
which existing I2NSF documents merge.)
</t>   
   
<t hangText="Server Layer: ">  The Service Layer is called the Server 
   Layer Interface in the I2NSF context. 
</t>
   
   
<t hangText="Service Layer:  ">
   The Service Layer (also called Client-Facing Interface) enables 
   clients to manage security policies for their specific flows.
</t>

<t hangText="Service Provider Security Controller:  "> TBD
(Editorial: placeholder for a split between the controller and security 
controller definitions.)
</t>
 
  
<t hangText="Tenant:  "> a tenant is a group of users that share common 
access privileges to the same software.  An I2NSF tenant may be physical 
or virtual, and may run on a variety of systems or servers. 
</t>

<t hangText="Vendor Facing Interface: ">
   The Vendor Facing Interface enables vendors to register their NSFs,
   along with the capabilities of their NSFs, with a logically
   centralized authority. 
</t>

 <t hangText="Virtual NSF:  "> A NSF that is deployed as a distributed 
virtual device. 
</t>

<t hangText="Virtual Network Function (VNF):  "> A virtualized network component
 such as a router, switch, security box, or AAA server. 
</t>

<t hangText=" VNFM (VNF Manager):  ">Manager of virtual network functions
that creates, deletes, manages, and moves VNFs.</t>

<t hangText="VNFPool:  "> a collection of interchangeable VNFs 
(i.e., each VNF has the same set of capabilities).</t>


<t hangText="Virtualization:  "> Virtualization is a type of software
that creates a non-physical version of an object.  Examples include 
virtualized operating systems, storage devices, and networking elements.
[Editors notes:  Questions from John:  Do we want or need to differentiate
between different types of virtualization? For example: full vs. partial vs. 
para-virtualization (all types of "hardware virtualization")?  Do we need to introduce
OS virtualization? What about application virtualization?]
</t>
</list>
</t>
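<t>
The following is an added example, not part of this draft or of any I2NSF
implementation, showing the Event, Condition, and Action definitions above
as executable Boolean Clauses in an imperative ECA policy rule: the
condition clause is evaluated only when the event clause is TRUE, and the
action runs only when both hold. It also shows ACL-style ordered (first-match)
evaluation by a flow-based NSF, which processes events in arrival order
without modifying them. The rule names, action names, event field names, and
sample events are constructed for illustration.
</t>

```python
"""Added example (not from the draft): evaluating an ECA-form I2NSF Policy
Rule.  Each of the Event, Condition and Action portions is modelled as a
Boolean Clause; the action runs only when the event clause AND the condition
clause both evaluate to TRUE, as in the pseudo-code of the definition.
Rule names, field names and sample events are constructed."""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

# A Boolean Clause: a predicate over a dict that evaluates to True or False.
Clause = Callable[[Dict], bool]


@dataclass
class PolicyRule:
    name: str
    event: Clause        # evaluated against the whole event record
    condition: Clause    # evaluated against the event's payload ("data")
    action: str          # constructed action names: "deny", "alert", ...


def evaluate_rule(rule: PolicyRule, event: Dict) -> Optional[str]:
    """Return the rule's action if it fires, otherwise None.

    The event clause gates the condition clause: the condition is only
    evaluated once the event clause is TRUE (imperative ECA semantics).
    This also keeps a packet-matching condition from ever seeing a logon
    event that lacks packet fields.
    """
    if not rule.event(event):
        return None
    if not rule.condition(event["data"]):
        return None
    return rule.action


def first_match(rules: List[PolicyRule], event: Dict,
                default: str = "permit") -> Tuple[str, Optional[str]]:
    """ACL-style ordered evaluation: the first rule that fires decides.

    Returns (action, rule_name); rule_name is None when no rule fired and
    the implicit default applied.
    """
    for rule in rules:
        action = evaluate_rule(rule, event)
        if action is not None:
            return action, rule.name
    return default, None


def run_policy(rules: List[PolicyRule],
               events: List[Dict]) -> List[Tuple[str, Optional[str]]]:
    """Apply the rule set to each event in arrival order; the flow-based
    evaluation never modifies the events it inspects."""
    return [first_match(rules, ev) for ev in events]


# Constructed rule set.  Rule 1 is a flow-based NSF rule over packet
# attributes; rule 2 is a user-action rule over logon events.
RULES = [
    PolicyRule(
        name="block-telnet",
        event=lambda e: e["type"] == "packet-in",
        condition=lambda d: d["proto"] == "tcp" and d["dport"] == 23,
        action="deny",
    ),
    PolicyRule(
        name="alert-repeated-logon-failure",
        event=lambda e: e["type"] == "logon",
        condition=lambda d: d["failures"] >= 5,
        action="alert",
    ),
]

# Constructed sample events (addresses from the RFC 5737 documentation ranges).
SAMPLE_EVENTS = [
    {"type": "packet-in",
     "data": {"src": "198.51.100.7", "dst": "192.0.2.10", "proto": "tcp", "dport": 23}},
    {"type": "packet-in",
     "data": {"src": "198.51.100.7", "dst": "192.0.2.10", "proto": "tcp", "dport": 443}},
    {"type": "logon", "data": {"user": "alice", "failures": 6}},
    {"type": "logon", "data": {"user": "bob", "failures": 0}},
]


if __name__ == "__main__":
    for event, (action, rule_name) in zip(SAMPLE_EVENTS, run_policy(RULES, SAMPLE_EVENTS)):
        print(event["type"], "->", action, "(rule: %s)" % rule_name)
```

<t>
Running the block prints one decision per event: the telnet packet is denied
by "block-telnet", the HTTPS packet falls through to the implicit "permit"
default, the logon with six failures raises an alert, and the clean logon is
permitted. Note that the logon events never reach the packet condition of
"block-telnet", because its event clause is FALSE for them; that gating is
what the ECA structure provides.
</t>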
</section>
<section anchor="IANA" title="IANA Considerations">
      <t>No IANA considerations exist for this document. </t>
    </section>
 <section title="Security Considerations">
<t>
This is a terminology document with no security considerations. 
</t>
</section>
</middle>
<back>
   <references title="Normative References">
      &RFC2119;
    </references>
 <references title="Informative References">
      &RFC4948;
      &RFC7297;   
	  &I-D.ietf-netmod-acl-model;
	  &I-D.ietf-opsawg-firewalls;
	  &I-D.ietf-i2nsf-gap-analysis;
      &I-D.ietf-i2nsf-problem-and-use-cases;
	  &I-D.strassner-supa-generic-policy-info-model;
 
 	  </references>
</back>
</rfc>
