One document matched: draft-hares-i2nsf-terminology-02.xml
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE rfc SYSTEM "rfc2629.dtd" [
<!ENTITY RFC2119 SYSTEM "http://xml.resource.org/public/rfc/bibxml/reference.RFC.2119.xml">
<!ENTITY RFC2975 SYSTEM "http://xml.resource.org/public/rfc/bibxml/reference.RFC.2975.xml">
<!ENTITY RFC3198 SYSTEM "http://xml.resource.org/public/rfc/bibxml/reference.RFC.3198.xml">
<!ENTITY RFC3234 SYSTEM "http://xml.resource.org/public/rfc/bibxml/reference.RFC.3234.xml">
<!ENTITY RFC3539 SYSTEM "http://xml.resource.org/public/rfc/bibxml/reference.RFC.3539.xml">
<!ENTITY RFC4949 SYSTEM "http://xml.resource.org/public/rfc/bibxml/reference.RFC.4949.xml">
<!ENTITY RFC7297 SYSTEM "http://xml.resource.org/public/rfc/bibxml/reference.RFC.7277.xml">
<!ENTITY I-D.ietf-netmod-acl-model SYSTEM "http://xml.resource.org/public/rfc/bibxml3/reference.I-D.draft-ietf-netmod-acl-model-06.xml">
<!ENTITY I-D.ietf-opsawg-firewalls SYSTEM "http://xml.resource.org/public/rfc/bibxml3/reference.I-D.draft-ietf-opsawg-firewalls-01.xml">
<!ENTITY I-D.ietf-i2nsf-gap-analysis SYSTEM "http://xml.resource.org/public/rfc/bibxml3/reference.I-D.draft-ietf-i2nsf-gap-analysis-00.xml">
<!ENTITY I-D.ietf-i2nsf-problem-and-use-cases SYSTEM "http://xml.resource.org/public/rfc/bibxml3/reference.I-D.draft-ietf-i2nsf-problem-and-use-cases-00.xml">
<!ENTITY I-D.strassner-supa-generic-policy-info-model SYSTEM "http://xml.resource.org/public/rfc/bibxml3/reference.I-D.draft-strassner-supa-generic-policy-info-model-04.xml">
]>
<?xml-stylesheet type='text/xsl' href='rfc2629.xslt' ?>
<?rfc toc="yes" ?>
<?rfc symrefs="yes" ?>
<?rfc sortrefs="yes"?>
<?rfc compact="yes" ?>
<?rfc subcompact="no" ?>
<?rfc iprnotified="no" ?>
<?rfc strict="no" ?>
<rfc category="info" docName="draft-hares-i2nsf-terminology-02.txt" ipr="trust200902">
<front>
<title abbrev="I2NSF Terminology">Interface to Network Security Functions (I2NSF) Terminology </title>
<author fullname="Susan Hares" initials="S" surname="Hares">
<organization>Huawei</organization>
<address>
<postal>
<street>7453 Hickory Hill</street>
<city>Saline</city>
<region>MI</region>
<code>48176</code>
<country>USA</country>
</postal>
<phone>+1-734-604-0332</phone>
<email>shares@ndzh.com</email>
</address>
</author>
<author fullname="John Strassner" initials="J." surname="Strassner">
<organization>Huawei</organization>
<address>
<postal>
<street> </street>
<city>Santa Clara</city>
<region>CA</region>
<code></code>
<country>USA</country>
</postal>
<phone> </phone>
<email>John.Strassner@huawei.com </email>
</address>
</author>
<author fullname="Diego R. Lopex" initials="D" surname="Lopez">
<organization>Telefonica I+D</organization>
<address>
<postal>
<street>Don Ramon de la Cruz, 82</street>
<city>Madrid</city>
<code>28006</code>
<country>Spain</country>
</postal>
<email>diego.r.lopez@telefonica.com</email>
</address>
</author>
<author fullname="Liang Xia (Frank)" initials="L." surname="Xia">
<organization>Huawei</organization>
<address>
<postal>
<street>101 Software Avenue, Yuhuatai District</street>
<city>Nanjing </city>
<region>Jiangsu </region>
<code>210012</code>
<country>China</country>
</postal>
<email>Frank.Xialiang@huawei.com</email>
</address>
</author>
<date year="2016" />
<area>Security Area</area>
<workgroup>I2NSF</workgroup>
<keyword>RFC</keyword>
<keyword>Request for Comments</keyword>
<keyword>I-D</keyword>
<keyword>Internet-Draft</keyword>
<keyword>I2NSF</keyword>
<abstract>
<t> This document defines a set of terms that
are used for the Interface to Network Security Functions (I2NSF) effort.
</t>
</abstract>
</front>
<middle>
<section title="Introduction">
<t>
This document defines the terminology for the Interface to
Network Security Functions(I2NSF) effort. This section provides some background on
I2NSF; a detailed problem statement can be found in
<xref target="I-D.ietf-i2nsf-problem-and-use-cases"></xref>
</t>
<t>
Enterprises are now considering using network security functions
(NSFs) hosted by service providers due to the growing challenges and complexity in maintaining an
up to date secure infrastructure that complies with regulatory requirements, while controlling costs.
The hosted security service is especially attractive to small and medium size
enterprises who suffer from a lack of security experts to continuously monitor,
acquire new skills and propose immediate mitigations to ever increasing sets of security attacks.
Small and medium-sized businesses (SMBs) are increasingly adopting cloud-based security services
to replace on-premises security tools, while larger enterprises are deploying a
mix of traditional (hosted) and cloud-based security services.
</t>
<t>
To meet the demand, more and more service providers are providing hosted security
solutions to deliver cost-effective managed security services to enterprise customers.
The hosted security services are primarily targeted at enterprises, but
could also be provided to any kind of mass-market customers as well.
NSFs are provided and consumed in increasingly
diverse environments. Users of NSFs may consume network security services hosted by one
or more providers, which may be their own enterprise, service providers,
or a combination of both.
</t>
<t>It is out of scope in this document to define an exhaustive
list of terms that are used in the security field;
the reader is referred to other applicable documents, such as
<xref target="RFC4949"></xref>.
</t>
</section>
<section title="Terminology">
<t>
<list style="hanging">
<t hangText="AAA: Authentication, Authorization, and Accounting. See individual
definitions. "></t>
<t hangText="Abstraction: ">The definition of the salient characteristics and behavior of
an object that distinguish it from all other types of objects. It
manages complexity by exposing common properties between objects
and processes while hiding detail that is not relevant. </t>
<t hangText="Access Control: "> Protection of system resources
against unauthorized access; a process by which use of system resources
is regulated according to a security policy, and is permitted by
only authorized entities (users, programs, processes, or other systems)
according to that policy <xref target="RFC4949"></xref>.
</t>
<t hangText="Accounting: ">The act of collecting information on
resource usage for the purpose of trend analysis, auditing, billing, or cost
allocation (<xref target="RFC2975"></xref> <xref target="RFC3539"></xref>
</t>
<t hangText="ACL (Acess Control List): "> This is a mechanism
that implements access control for a system resource
by enumerating the system entities that are permitted
to access the resource and stating, either
implicitly or explicitly, the access modes granted to each entity
<xref target="RFC4949"></xref>.
</t>
<t hangText="Action: ">Defines what is to be done when a set of conditions are met
(See I2NSF Action).
(from <xref target="I-D.strassner-supa-generic-policy-info-model"></xref>)
</t>
<t hangText="Authentication: ">The act of verifying a claimed identity,
in the form of a pre-existing label from a mutually known name space, as the
originator of a message (message authentication) or as the
end-point of a channel (entity authentication) <xref target="RFC3539"></xref>.
</t>
<t hangText="Authorization: ">The act of determining if a
particular right, such as access to some resource,
can be granted to the presenter of a particular credential
<xref target="RFC3539"></xref>.
</t>
<t hangText="B2B: ">Business-to-Business. </t>
<t hangText="Bespoke: ">Something made to fit a particular person,
customer, or company. </t>
<t hangText="Bespoke security management: ">Security management systems that are make to
fit a particular customer. </t>
<t hangText="Boolean Clause: ">A logical statement that evaluates to either TRUE
or FALSE. Also called Boolean Expression.</t>
<t hangText="Capability: ">Defines a set of features that are available
from a managed entity (see also I2NSF Capability). </t>
<t hangText="Capability Layer: "> Defines an abstraction layer that
exposes a set of capabilities of the I2NSF system.
</t>
<t hangText="Condition: ">A set of attributes, features, and/or values that are to be compared
with a set of known attributes, features, and/or values in order to
make a decision. A Condition, when used in the context of a Policy Rule, is used to
determine whether or not the set of Actions in that Policy Rule can
be executed or not. Examples of an I2NSF Condition include matching
attributes of a packet or flow, and comparing the internal state of a NSF to a
desired state.
<xref target="I-D.strassner-supa-generic-policy-info-model"></xref> </t>
<t hangText="Constraint: ">A constraint is a limitation or restriction. Constraints may be
associated with any type of object (e.g., events, conditions, and
actions in Policy Rules). </t>
<t hangText="Constraint Programming: ">A type of programming that uses constraints
to define relations between variables in order to find a feasible (and
not necessarily optimal) solution.
</t>
<t hangText="Context: ">The Context of an Entity is a collection of measured and/or inferred
knowledge that describe the state and the environment in which an
Entity exists or has existed.
(from http://www.ietf.org/mail-archive/web/i2nsf/current/msg00762.html)
</t>
<t hangText="Controller: "> TBD
[Editorial: The definition is lacking content ("used interchangeably with
Service Provider Security Controller or management system
throughout this document") and overloaded - the two terms should
be split into two separate definitions in documents.] </t>
<t hangText="Customer: ">A business role of an entity that is involved
in the definition and/or consumption of services, and the possible
negotiation of a contract to use services from a Provider.
</t>
<t hangText="DC: ">Data Center
</t>
<t hangText="Data Model: ">A representation of concepts of interest to an
environment in a form that is dependent on data repository, data
definition language, query language, implementation language, and
protocol (typically one or more of these )
<xref target="I-D.strassner-supa-generic-policy-info-model"></xref>.
</t>
<t hangText="Event: ">An important occurrence in time of a
change in the system being managed, and/or in the environment of
the system being managed. Examples of an I2NSF Event include
time and user actions (e.g. logon, logoff,
and actions that violate an ACL). An Event, when used in the
context of a Policy Rule, is used to
determine whether the condition clause of an imperative Policy Rule
can be evaluated or not
<xref target="I-D.strassner-supa-generic-policy-info-model"></xref>.
</t>
<t hangText="ECA: ">Event - Condition - Action policy (a type of Policy Rule).
</t>
<t hangText="Firewall (FW): ">A function that restricts data communication
traffic to and from one of the connected networks (the one said to
be 'inside' the firewall), and thus protects that network's system
resources against threats from the other network (the one that is
said to be 'outside' the firewall) <xref target="RFC4949"></xref>.
<xref target="I-D.ietf-opsawg-firewalls"></xref>
</t>
<t hangText="Flow-based NSF: ">A NSF that inspects network flows according to
a set of policies intended for enforcing security properties. Flow-based
security also means that packets are inspected in the order they
are received, and without modification to the packet due to the
inspection process. </t>
<t hangText="I2NSF Action: ">An I2NSF Action is a special type of Action that is
used to control and monitor aspects of flow-based Network Security Functions. Examples of I2NSF Actions include
providing intrusion detection and/or protection, web and flow
filtering, and deep packet inspection for packets and flows.
An I2NSF Action, when used in the context of a
I2NSF Policy Rule, may be executed when both the event and the condition
clauses of its owning I2NSF Policy Rule evaluate to true. The execution
of this action may be influenced by applicable metadata
<xref target="I-D.strassner-supa-generic-policy-info-model"></xref>.
</t>
<t hangText="I2NSF Agent: ">A software component in a device that implements an
NSF. It receives provisioning information and requests for
operational data (e.g., monitoring data) from an I2NSF client.
It is also responsible for enforcing the policies that it
receives from an I2NSF client.
</t>
<t hangText="I2NSF Capability: ">A set of features
that are available from an NSF server.
</t>
<t hangText="I2NSF client: ">A software component that uses
the I2NSF framework to read, write, and/or change provisioning
and operational aspects of the NSFs that it attaches to.
</t>
<t hangText="I2NSF Management System: ">I2NSF clients operate within a network
management system, which serves as a collection and distribution
point for I2NSF security provisioning and filters data. </t>
<t hangText="I2NSF Policy: ">A set of rules that are used to manage and
control the changing or maintaining of the state of an NSF instance.
</t>
<t hangText="I2NSF Policy Rule: ">A policy rule that is adapted for
I2NSF usage. The I2NSF Policy Rule is assumed to be in ECA form (i.e., an
imperative structure). Other types of programming paradigms
(e.g., declarative and functional) are currently out of scope.
An example of an I2NSF Policy Rule is, in pseudo-code:
<list>
<t>IF <event-clause> is TRUE
<list>
<t>IF <condition-clause> is TRUE
<list>
<t>THEN execute <action-clause></t>
</list>
</t>
<t>END-IF</t>
</list>
</t>
<t> END-IF </t>
</list>
In the above example, the Event, Condition, and Action portions
of a Policy Rule are all **Boolean Clauses**.
</t>
<t hangText="I2NSF Registry: ">A registry
that contains I2NSF capability
information, which can be controlled by the I2NSF Management
System. </t>
<t hangText="IDS: ">Intrusion Detection System (see below).
</t>
<t hangText="IPS: ">Intrusion Protection System (see below).
</t>
<t hangText="Information Model: ">Is a representation of concepts of interest
to an environment in a form that is independent of data repository,
data definition language, query language, implementation language, and protocol
<xref target="I-D.strassner-supa-generic-policy-info-model"></xref>.
</t>
<t hangText="Interface: ">A set of operations one object knows it can
invoke on, and expose to, another object. It is a subset of all
operations that a given object implements. The same object may have multiple
types of interfaces to serve different purposes. An example of multiple
interfaces can be seen by considering the interfaces include a firewall
uses; these include:
<list style="symbols">
<t>multiple interfaces for data packets to traverse through,</t>
<t>an interface for a controller to impose policy,or
retrieve the results of execution of a policy rule.
</t>
</list>
</t>
<t hangText="Intrusion Detection System (IDS): ">A system that detects
network intrusions via a variety of filters, monitors, and/or probes.
An IDS may be stateful or stateless.
</t>
<t hangText="Intrusion Protection System (IPS): ">A system that
protects against network intrusions. An IPS may be stateful or
stateless.
</t>
<t hangText="Metadata: ">Data that provides information about other data.
Examples include IETF network management protocols (e.g. NETCONF,
RESTCONF, IPFix) or IETF routing interfaces (I2RS). The I2NSF security interface
may utilize Metadata to describe and/or prescribe characteristics
and behavior of the YANG data models.
</t>
<t hangText=" Middlebox: ">Any intermediary device performing functions other than
the normal, standard functions of an IP router on the datagram path
between a source host and destination host <xref target="RFC3234"></xref>.
</t>
<t hangText="Network Security Function (NSF): ">Software that
provides a set of security-related services. Examples include
detecting unwanted activity and blocking or mitigating the effect of such
unwanted activity in order to fulfil service requirements.
The NSF can also help in supporting communication stream
integrity and confidentiality.
</t>
<t hangText="OCL (Object Constraint Language): ">A constraint
programming language that is used to specify constraints (e.g., in UML)
(from http://www.ietf.org/mail-archive/web/i2nsf/current/msg00762.html)
</t>
<t hangText="Policy Rule: ">A set of rules that are used to
manage and control the changing or maintaining of the state of one or
more managed objects. Often this is shorterned to Rule or Policy (see I2NSF
policy rule) <xref target="I-D.strassner-supa-generic-policy-info-model"></xref>.
</t>
<t hangText="Profile: "> A structured representation of information
that characterizes the capabilities of an object, typically
in a specific context.
This may be used to simplify how this
object interacts with other objects in its environment.
[Editors note: John Strassner suggests this is a simplified
definition from a variety of sources (UAProf and CC/PP).
It does not mention the concept of preference, therefore
John wonders if we need a different definition here.]
</t>
<t hangText="Registry: ">is a logically centralized location containing data of a
particular type; it may optionally contain metadata, relationships,
and other aspects of the registered data in order to use those data
effectively. An I2NSF registry is used to contain capability
information that can be controlled by the controller. </t>
<t hangText="Registration Interface: ">An interface dedicated to requesting, receiving, editing, and
deleting information in a Registry. </t>
<t hangText="Service Layer: ">Software that enables
clients to manage security policies for their specific flows.
This is also called the Client-Facing Interface.
</t>
<t hangText="Service Provider Security Controller: ">TBD
(Editorial: Place holder for a split between controller and security
controller definitions.)
</t>
<t hangText="Tenant: ">A group of users that share common
access privileges to the same software. An I2NSF tenant may be physical
or virtual, and may run on a variety of systems or servers.
</t>
<t hangText="Vendor Facing Interface: "> This enables vendors to register their NSFs,
along with the capabilities of their NSFs, with a logically
centralized authority.
</t>
<t hangText="Virtual NSF: ">An NSF that is deployed as a distributed
virtual device.
</t>
<t hangText="Virtual Network Function (VNF): ">A virtualized network component,
such as a router, switch, security box, or AAA Servier.
</t>
<t hangText=" VNFM (VNF Manager): ">Manager of virtual network functions
that creates, deletes, manages, and moves VNFs.</t>
<t hangText="VNFPool: ">A collection of interchangeable VNFs
(i.e., each VNF has the same set of capabilities).</t>
<t hangText="Virtualization: ">Virtualization is a type of software
that creates a non-physical version of an object. Examples include
virtualized operating systems, storagte devices, and networking elements.
[Editor's notes: Questions from John: Do we want or need to differentiate
between different tyeps of virtualization? For example: full vs. partial vs.
para-virtualization (all types of "hardware virtualization")? Do we need to introduce
OS virtualization? What about application virtualization?]
</t>
</list>
</t>
</section>
<section anchor="IANA" title="IANA Considerations">
<t>No IANA considerations exist for this document. </t>
</section>
<section title="Security Considerations">
<t>
This is a terminology document with no security considerations.
</t>
</section>
</middle>
<back>
<references title="Normative References">
&RFC2119;
</references>
<references title="Informative References">
&RFC2975;
&RFC3198;
&RFC3234;
&RFC3539;
&RFC4949;
&RFC7297;
&I-D.ietf-netmod-acl-model;
&I-D.ietf-opsawg-firewalls;
&I-D.ietf-i2nsf-problem-and-use-cases;
&I-D.ietf-i2nsf-gap-analysis;
&I-D.strassner-supa-generic-policy-info-model;
</references>
</back>
</rfc>| PAFTECH AB 2003-2026 | 2026-04-24 04:26:03 |