[Search] [txt|pdfized|bibtex] [Tracker] [Email] [Nits]
Versions: 00 01 02 03 04 05                                             
Network Working Group                                           J. Jeong
Internet-Draft                                                    H. Kim
Intended status: Standards Track                 Sungkyunkwan University
Expires: April 30, 2015                                          J. Park
                                                                    ETRI
                                                        October 27, 2014


Requirements for Security Services based on Software-Defined Networking
               draft-jeong-i2nsf-sdn-security-services-00

Abstract

   This document provides requirements for security services based on
   Software-Defined Networking (SDN) with two representative use cases:
   (i) centralized firewall system for intra-domain networks and (ii)
   centralized DDoS-attack mitigation system between inter-domain
   networks.  For the centralized firewall system, this document raises
   challenging issues in existing firewalls and a use case of
   centralized firewall system based on SDN.  For the centralized DDoS-
   attack mitigation system, this document also raises challenging
   issues in existing DDoS-attack mitigation techniques and a use case
   of centralized DDoS-attack mitigation system based on SDN.

Status of This Memo

   This Internet-Draft is submitted to IETF in full conformance with the
   provisions of BCP 78 and BCP 79.

   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF), its areas, and its working groups.  Note that
   other groups may also distribute working documents as Internet-
   Drafts.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   The list of current Internet-Drafts can be accessed at
   http://www.ietf.org/ietf/1id-abstracts.txt.

   The list of Internet-Draft Shadow Directories can be accessed at
   http://www.ietf.org/shadow.html.

   This Internet-Draft will expire on April 30, 2015.

Copyright Notice



Jeong, et al.            Expires April 30, 2015                 [Page 1]


Internet-Draft      SDN Security Service Requirements       October 2014


   Copyright (c) 2014 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents
   (http://trustee.ietf.org/license-info) in effect on the date of
   publication of this document.  Please review these documents
   carefully, as they describe your rights and restrictions with respect
   to this document.  Code Components extracted from this document must
   include Simplified BSD License text as described in Section 4.e of
   the Trust Legal Provisions and are provided without warranty as
   described in the Simplified BSD License.

Table of Contents

   1.  Introduction  . . . . . . . . . . . . . . . . . . . . . . . . . 3
   2.  Requirements Language . . . . . . . . . . . . . . . . . . . . . 4
   3.  Terminology . . . . . . . . . . . . . . . . . . . . . . . . . . 4
   4.  Overview  . . . . . . . . . . . . . . . . . . . . . . . . . . . 5
   5.  Objectives  . . . . . . . . . . . . . . . . . . . . . . . . . . 6
   6.  Requirements  . . . . . . . . . . . . . . . . . . . . . . . . . 6
   7.  Use Cases . . . . . . . . . . . . . . . . . . . . . . . . . . . 6
   8.  Security Considerations . . . . . . . . . . . . . . . . . . . . 7
   9.  Acknowledgements  . . . . . . . . . . . . . . . . . . . . . . . 7
   10. References  . . . . . . . . . . . . . . . . . . . . . . . . . . 8
     10.1.  Normative References . . . . . . . . . . . . . . . . . . . 8
     10.2.  Informative References . . . . . . . . . . . . . . . . . . 8
























Jeong, et al.            Expires April 30, 2015                 [Page 2]


Internet-Draft      SDN Security Service Requirements       October 2014


1.  Introduction

   Software-Defined Networking (SDN) is a set of techniques that enables
   users to directly program, orchestrate, control and manage network
   resources through software (e.g., SDN applications).  It relocates
   the control of network resources to a dedicated network element,
   namely SDN controller.  The SDN controller uses the interface and
   arbitrates the control of network resources in a logically
   centralized manner.  It also manages and configures the distributed
   network resources and provides and abstracted view of the network
   resources to the SDN applications.  The SDN application can customize
   and automate the operations (including management) of the abstracted
   network resources in a programmable manner via this interface
   [RFC7149][ITU-T.Y.3300][ONF-SDN-Architecture][ONF-OpenFlow].

   Due to the increase of sophisticated network attacks, the legacy
   security services become difficult to cope with such network attacks
   in an autonomous manner.  SDN has been introduced to make networks
   more controllable and manageable, and this SDN technology will be
   promising to autonomously deal with such network attacks in a prompt
   manner.

   This document raises requirements to support the protection of
   network resources using security services based on SDN.  Also, this
   document proposes two use cases of the security services, such as
   centralized firewall system and centralized DDoS-attack mitigation
   system.

   For the centralized firewall system, this document raises limitations
   in legacy firewalls in terms of flexibility and administration costs.
   Since in many cases, access control management for firewall is
   manually performed, it is difficult to add the access control policy
   rules corresponding to new network attacks in a prompt and autonomous
   manner.  Thus, this situation requires expensive administration
   costs.  This document introduces a use case of SDN-based firewall
   system to overcome these limitations.

   For the centralized DDoS-attack mitigation system, this document
   raises limitations in legacy DDoS-attack mitigation techniques in
   terms of flexibility and administration costs.  Since in many cases,
   network configuration for the mitigation is manually performed, it is
   difficult to dynamically configure network devices to limit and
   control suspicious network traffic for DDoS attacks.  This document
   introduces a use case of SDN-based DDoS-attack mitigation system to
   provide an autonomous and prompt configuration for suspicious network
   traffic.





Jeong, et al.            Expires April 30, 2015                 [Page 3]


Internet-Draft      SDN Security Service Requirements       October 2014


2.  Requirements Language

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
   document are to be interpreted as described in RFC 2119 [RFC2119].

3.  Terminology

   This document uses the terminology described in [RFC7149],
   [ITU-T.Y.3300], [ONF-SDN-Architecture], [ONF-OpenFlow],
   [ITU-T.X.1252], and [ITU-T.X.800].  In addition, the following terms
   are defined below:

   o  Software-Defined Networking: A set of techniques that enables to
      directly program, orchestrate, control and manage network
      resources, which facilitates the design, delivery and operation of
      network services in a dynamic and scalable manner [ITU-T.Y.3300].

   o  Access Control: A procedure used to determine if an entity should
      be granted access to resources, facilities, services, or
      information based on pre-established rules and specific rights or
      authority associated with the requesting party [ITU-T.X.1252].

   o  Access Control Policy: The set of rules that define the conditions
      under which and access may take place [ITU-T.X.800].

   o  Access Control Policy Rules: Security policy rules concerning the
      provision of the access control service [ITU-T.X.800].

   o  Network Resources: Network devices that can perform packet
      forwarding in a network system.  The network resources include
      network switch, router, gateway, WiFi access points, and similar
      devices.

   o  Firewall: A firewall that is a device or service at the junction
      of two network segments that inspects every packet that attempts
      to cross the boundary.  It also rejects any packet that does not
      satisfy certain criteria for disallowed port numbers or IP
      addresses.

   o  Centralized Firewall System: A centralized firewall that can
      establish and distribute access control policy rules into network
      resources for the efficient firewall management.  These rules can
      be managed dynamically by a centralized server.  SDN can work as a
      network-based firewall system through a standard interface between
      firewall applications and network resources.





Jeong, et al.            Expires April 30, 2015                 [Page 4]


Internet-Draft      SDN Security Service Requirements       October 2014


   o  Centralized DDoS-attack Mitigation System: A centralized mitigator
      that can establish and distribute access control policy rules into
      network resources for the efficient DDoS-attack mitigation.  These
      rules can be managed dynamically by a centralized server.  SDN can
      work as a network-based mitigation system through a standard
      interface between DDoS-attack mitigation applications and network
      resources.

4.  Overview

   This section describes the referenced architecture to support SDN-
   based security services, such as centralized firewall system and
   centralized DDoS-attack mitigation system.

        |
        | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
        | |             Security Application            | Application
        | |   (e.g., Firewall, DDoS-attack mitigation)  | Layer
        | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
        |------------------------------------------------------------
        | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
        | |              Application Support            |
        | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ SDN
        | |                 Orchestration               | Controller
        | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ Layer
        | |                  Abstraction                |
        | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
        |-------------------------------------------------------------
        | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
        | |                Control Support              |
        | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ Resource
        | |         Data Transport and Processing       | Layer
        | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
        |


     Figure 1: High-level Architecture for SDN-based Security Services

   As shown in Figure 1, applications for security services (e.g.,
   firewall and DDoS-attack mitigation) run on the top of SDN controller
   [ITU-T.Y.3300][ONF-SDN-Architecture].  When an administrator enforces
   security policies for the security services through an application
   interface, SDN controller generates the corresponding access control
   policy rules to meet such security policies in an autonomous and
   prompt manner.  According to the generated access control policy
   rules, the network resources such as switches take an action to
   mitigate network attacks, for example, dropping packets with
   suspicious patterns.



Jeong, et al.            Expires April 30, 2015                 [Page 5]


Internet-Draft      SDN Security Service Requirements       October 2014


5.  Objectives

   o  Prompt reaction to new network attacks: SDN-based security
      services allow private networks to defend themselves against new
      sophisticated network attacks.

   o  Automatic defense from network attacks: SDN-based security
      services identify the category of network attack (e.g., worms and
      DDoS attacks) and take counteraction for the defense without the
      intervention of network administrators.

   o  Network-load-aware resource allocation: SDN-based security
      services measure the overhead of resources for security services
      and dynamically select resources considering load balance for the
      maximum network performance.

6.  Requirements

   SDN-based security services provide dynamic and flexible network
   resource management to mitigate network attacks, such as malicious
   traffic and DDoS attacks.  In order to support this capability, the
   requirements for SDN-based security services are described as
   follows:

   o  SDN-based security services are required to support the
      programmability of network resources to mitigate network attacks.

   o  SDN-based security services are required to support the
      orchestration of network resources and SDN applications to
      mitigate network attacks.

   o  SDN-based security services are required to provide an application
      interface allowing the management of access control policies in an
      autonomous and prompt manner.

   o  SDN-based security services are required to provide a resource-
      control interface for control of network resources to mitigate
      network attacks.

   o  SDN-based security services are required to provide logically
      centralized control of network resources to mitigate network
      attacks.

7.  Use Cases

   This section introduces two use cases for security services based on
   SDN: (i) centralized firewall system for intra-domain networks and
   (ii) centralized DDoS-attack mitigation system between inter-domain



Jeong, et al.            Expires April 30, 2015                 [Page 6]


Internet-Draft      SDN Security Service Requirements       October 2014


   networks.

   For the centralized firewall system, a centralized network firewall
   can manage each network resources and firewall rules can be managed
   flexibly by centralized server.  The centralized network firewall
   manages each switches and firewall rules can be added or deleted.
   Legacy firewalls have some challenges such as the expensive cost,
   performance, management of access control, establishment of policy,
   and packet-based access mechanism.  To address these challenges, this
   document will investigate the framework of a centralized firewall
   system based on SDN.  Firewall rules can be managed flexibly by a
   centralized server.  Existing SDN protocols can be used through
   standard interfaces between firewall applications and switches
   [RFC7149][ITU-T.Y.3300][ONF-SDN-Architecture][ONF-OpenFlow].

   For the centralized DDoS-attack mitigation system, a DDoS-attack
   mitigation system add, delete or modify rules to each switch.  The
   centralized DDoS-attack mitigation system defends servers against
   DDoS attacks outside private network, that is, from public network.
   The servers are categorized into stateless servers (e.g., DNS
   servers) and stateful servers (e.g., web servers).  In a DDoS-attack
   mitigation system in a private network, switches are configured in
   multi-levels to provide the dynamic defense lines against a variety
   of DDoS attacks.  The centralized DDoS-attack mitigation system has
   some challenges such as the expensive cost, performance, management
   of access control, establishment of policy, and packet-based access
   mechanism.  To address these challenges, this document will
   investigate the framework of a centralized DDoS-attack mitigation
   system based on SDN.  DDoS-attack mitigation rules can be managed
   flexibly by a centralized server.  Existing SDN protocols can be used
   through standard interfaces between DDoS-attack mitigator
   applications and switches [RFC7149][ITU-T.Y.3300]
   [ONF-SDN-Architecture][ONF-OpenFlow].

8.  Security Considerations

   This document shares all the security issues of SDN that are
   specified in the "Security Considerations" section of [ITU-T.Y.3300].

9.  Acknowledgements

   This work was partly supported by the ICT R&D program of MSIP/IITP
   [10041244, SmartTV 2.0 Software Platform] and ETRI.

   This document has greatly benefited from inputs by Geumhwan Cho and
   Jihyeok Seo.

10.  References



Jeong, et al.            Expires April 30, 2015                 [Page 7]


Internet-Draft      SDN Security Service Requirements       October 2014


10.1.  Normative References

   [RFC2119]               Bradner, S., "Key words for use in RFCs to
                           Indicate Requirement Levels", BCP 14,
                           RFC 2119, March 1997.

10.2.  Informative References

   [RFC7149]               Boucadair, M. and C. Jacquenet, "Software-
                           Defined Networking: A Perspective from within
                           a Service Provider Environment", RFC 7149,
                           March 2014.

   [ITU-T.Y.3300]          Recommendation ITU-T Y.3300, "Framework of
                           Software-Defined Networking", June 2014.

   [ONF-SDN-Architecture]  ONF, "SDN Architecture", June 2014.

   [ONF-OpenFlow]          ONF, "OpenFlow Switch Specification (Version
                           1.4.0)", October 2013.

   [ITU-T.X.1252]          Recommendation ITU-T X.1252, "Baseline
                           Identity Management Terms and Definitions",
                           April 2010.

   [ITU-T.X.800]           Recommendation ITU-T X.800, "Security
                           Architecture for Open Systems Interconnection
                           for  CCITT Applications", March 1991.

Authors' Addresses

   Jaehoon Paul Jeong
   Sungkyunkwan University
   2066 Seobu-Ro, Jangan-Gu
   Suwon, Gyeonggi-Do  440-746
   Republic of Korea

   Phone: +82 31 299 4957
   Fax:   +82 31 290 5119
   EMail: pauljeong@skku.edu
   URI:   http://cpslab.skku.edu/people-jaehoon-jeong.php










Jeong, et al.            Expires April 30, 2015                 [Page 8]


Internet-Draft      SDN Security Service Requirements       October 2014


   Hyoungshick Kim
   Sungkyunkwan University
   2066 Seobu-Ro, Jangan-Gu
   Suwon, Gyeonggi-Do  440-746
   Republic of Korea

   Phone: +82 31 299 4324
   EMail: hyoung@skku.edu
   URI:   http://seclab.skku.edu/people/hyoungshick-kim/


   Jung-Soo Park
   Electronics and Telecommunications Research Institute
   218 Gajeong-Ro, Yuseong-Gu
   Daejeon,   305-700
   Republic of Korea

   Phone: +82 42 860 6514
   EMail: pjs@etri.re.kr
































Jeong, et al.            Expires April 30, 2015                 [Page 9]