Markdown Version | Session Recording
Session Date/Time: 26 Jul 2022 17:30
i2nsf
Summary
The i2nsf working group session focused on the status of existing drafts, particularly two YANG models nearing Working Group Last Call (WGLC), and proposals for new work items. A significant portion of the discussion revolved around the need for demonstrable working group consensus through reviews for the mature YANG models. New drafts were presented covering a security policy translator guideline and an analytics interface for closed-loop security control. Finally, a request for guidance on integrating secure sessions for BGP using IPsec raised questions about the appropriate working group scope and rechartering needs.
Key Discussion Points
- Working Group Draft Status:
  - Three drafts have completed IESG review and are awaiting RFC publication due to normative references.
  - Several other drafts require discussion to determine if they should proceed to WGLC or be abandoned.
- Consumer-Facing Interface and Registration Interface YANG Data Models (draft-ietf-i2nsf-consumer-interface-data-model, draft-ietf-i2nsf-registration-interface-data-model):
  - The authors reported that both drafts have been updated based on reviews from China Mobile, the Security Directorate, and others. IPR has been declared royalty-free.
  - The drafts are synchronized with the other approved i2nsf YANG models (NSF-Facing, Capability, Monitoring).
  - Roman (AD) emphasized that while hackathon participation and directorate reviews are valuable, they do not substitute for explicit working group consensus. He requested 3-5 independent reviews from non-authors within the working group, clearly documented on the mailing list, to signal readiness for WGLC.
  - The chairs acknowledged the difficulty of reviewing YANG models but agreed on the necessity for greater working group engagement to confirm consensus.
- Guideline for Security Policy Translator (draft-young-i2nsf-security-policy-translation):
  - Presented as version -11, this draft aims to provide guidelines for translating high-level security policies (from the Consumer-Facing Interface, CFI) to low-level policies (for the NSF-Facing Interface, NFI).
  - It highlights the almost one-to-one mapping relationship and similar YANG tree structures between CFI and NFI, based on the i2nsf capability YANG data model.
  - An exemplary architecture for a security policy translator was presented, comprising components such as an NSF database, a data model mapper, and a policy generator.
  - Discussion included the potential for dynamic extensions and mapping instances of models, with an offer to connect with related work in the ops group.
  - The authors clarified that the draft aims to fill the gap in understanding how to link CFI and NFI for implementers, including handling details such as user groups and IP addresses via an NSF database.
  - Proposed as a new working group item as part of the rechartering effort.
- Analytics Information and Analytics Interface (draft-linga-i2nsf-analytics-interface):
  - The draft, previously named "Application Interface," was renamed for clarity.
  - Introduced an i2nsf-analyzer component and an analytics-interface between the security controller and the analyzer.
  - The analyzer collects and processes monitoring data from NSFs to provide useful information and configurations back to the security controller.
  - The goal is to enable closed-loop security control and management automation through policy configuration and feedback information (e.g., hardware failures).
  - The interface operates asynchronously (event-driven notification) and includes fields for nsf-name, problem (e.g., DDoS attack source IP), and solution (e.g., reconfiguration to block an IP).
  - Proposed as a new working group item as part of the rechartering effort.
- BGP Secure Session YANG Model Integration:
  - Sue Hares (remote) presented a need from the Routing Area to integrate security for BGP sessions, including options such as TCP-AO, MD5, and IPsec.
  - The request was for guidance on where to find expertise for modeling security-association-name and whether this work fits within i2nsf or ipsecme.
  - Discussion covered the complexities of trust models for BGP peers in different administrative domains using a common controller.
  - Rafa (ipsecme co-chair) suggested that RFC 9061 could potentially be used as-is for establishing security associations between two endpoints, but noted that if different security controllers are involved, an East-West interface between them would be required for cohesive policy.
  - Roman (AD) expressed significant concern, stating that additional IPsec modeling is likely outside the current i2nsf charter, and that the ipsecme WG had previously rejected similar policy work, which led to the earlier i2nsf IPsec document. Rafa concurred that ipsecme typically focuses on configuration, not policy definition or East-West controller negotiation.
Decisions and Action Items
- Action Item: The WG Chairs will actively solicit additional independent reviews for draft-ietf-i2nsf-consumer-interface-data-model and draft-ietf-i2nsf-registration-interface-data-model on the i2nsf mailing list, explicitly requesting 3-5 non-author reviewers to signal working group consensus.
- Action Item: Sue Hares will prepare examples related to the BGP secure session model integration and circulate them on the i2nsf mailing list, copying Rafa (ipsecme co-chair) for further discussion and guidance on the appropriate venue.
- Decision: New IPsec modeling for BGP secure sessions is likely out of scope for the current i2nsf charter. Further discussion is needed to determine whether this work could be pursued in collaboration with ipsecme, particularly regarding East-West controller interfaces for cohesive policy, or whether a recharter would be required.
Next Steps
- Working group members are encouraged to review and provide feedback on draft-ietf-i2nsf-consumer-interface-data-model and draft-ietf-i2nsf-registration-interface-data-model on the mailing list to establish consensus for WGLC.
- Continue the discussion regarding the BGP secure session model integration on the i2nsf mailing list to determine the best path forward and identify relevant expertise.
- Discussions regarding the working group's rechartering, which would potentially include draft-young-i2nsf-security-policy-translation and draft-linga-i2nsf-analytics-interface as new work items, will continue on the mailing list.