I2NSF Use Cases in Access Networks Diego Lopez Telefónica I+D IETF91, Honolulu, 9-14 Nov.
Seeking an Open OAM Interface n What?: Open OAM interface for virtualized network security services (vNSF) n Who?: Actors: n Network operator n Customer(s) n Where?: Access network n Residential (and SME) landline network access: xDSL, FTTH n Mobile network Access: 2G, 3G, 4G, 5G… 2 Project SECURED (
A Few Examples of vNSFs n Traffic inspection n All services that copy/analize traffic n E.g.: IDS,DPI,DLP n Traffic Manipulation n Alteration of the original traffic n E.g.: IPS,ACL,FW,VPN n Traffic Impersonation n Impersonate a customer device or service n E.g.: Honeypot 3 Project SECURED ( vNSF Online traffic User access Online traffic Internet side Offline: Alerts vNSF Online traffic User access vNSF Offline: Alerts Online traffic Internet side
4 Project SECURED ( OAM Environments vNSF OSS/BSS vNSF OSS/BSS Closed Open Over a secure channel Over open channel Customer
Operator-Managed n Network Operator interactions n vNSF deployment n instantiating a vNSF on a NFVI n vNSF Customer provisioning n List vNSF functionalities n enroll/cancel subscriptions n vNSF configuration –By policy language. –By configuration templates/files 5 Project SECURED (
Customer-Managed n Customer direct interactions n vNSF self-provisioning n enroll/cancel subscriptions n Probably also need a vNSF configuration n vNSF validation n Customer could require a proof of correct vNSF execution: –Integrity –Isolation & privacy –Confidentiality? 6 Project SECURED (
Example: The NFV #7 Use Case for vCPE 7 Project SECURED ( Network Operator Mgmt Sys OAM Interface VNSF
Bringing This into Reality: The SECURED Architecture 8 Project SECURED ( PSAM PSAR PSA Manifest PSA Storage PSA Storage M2L Plugin User Portal Onboarding Process Back End API Manager (index, DB) Manager (index, DB) Web Portal End User PSA Portal Service PSA Portal Service Developer API Developer API PSA Provision Service PSA Provision Service User Profile Repository User Profile Repository SPM NED Developer OSS/BSS/ Orchestrator Authentication
n Programmatic interfaces n PSAM API n User provisioning n Load PSA in the system n PSAR API n Service support (information manager) n Deployment of PSA n User Portal n Public eye area Specifying PSAM and PSAR in SECURED 9 Project SECURED (
Expressing Policies n vNSF configuration language n Set by Operator or by Customer itself [... ] n the subject of the policy n (e.g., employee, family member) n subject may be implicit (e.g., all devices of a customer) n the action of the policy n (e.g., block, allow, protect… ) n the object of the policy that undergoes the action n (e.g., , web traffic, DNS request) n [ condition that characterize actions n (e.g., time, type of traffic...) n Examples: enable basic parental control enable ”school protection control” allow Internet traffic from 8:30 to 20:00 [time = 8:30-20:00] scan for malware detection [check type = malware] protect traffic to corporate network with integrity and confidentiality [protection type = integrity AND confidentiality] remove tracking data from Facebook [website = *.facebook.com] my son is allowed to access facebook from 18:30 to 20:00 10 Project SECURED (
THANK YOU ! Project SECURED (
EU disclaimer SECURED (project no ) is co-funded by the European Union (EU) via the European Commission (EC), under the Information and Communication Technologies (ICT) theme of the 7th Framework Programme for R&D (FP7). This document does not represent the opinion of the EC and the EC is not responsible for any use that might be made of its content. SECURED disclaimer The information in this document is provided "as is", and no guarantee or warranty is given that the information is fit for any particular purpose. The user thereof uses the information at its sole risk and liability. Disclaimer 12 Project SECURED (