| Internet-Draft | IBN Network Management Automation | April 2023 |
| Jeong, et al. | Expires 26 October 2023 | [Page] |
This document describes Network Management Automation (NMA) of cellular network services in 5G networks. For NMA, it proposes a framework empowered with Intent-Based Networking (IBN). The NMA in this document deals with a closed-loop network control, network policy translation, and network management audit. To support these three features in NMA, it specifies an architectural framework with system components and interfaces. Also, this framework can support the use cases of NMA in 5G networks such as the data aggregation of Internet of Things (IoT) devices, network slicing, and the Quality of Service (QoS) in Vehicle-to-Everything (V2X).¶
This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79.¶
Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet-Drafts is at https://datatracker.ietf.org/drafts/current/.¶
Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress."¶
This Internet-Draft will expire on 26 October 2023.¶
Copyright (c) 2023 IETF Trust and the persons identified as the document authors. All rights reserved.¶
This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (https://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Revised BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Revised BSD License.¶
5G networks are evolutionary mobile networks over 4G networks in terms of high speed, wide bandwidth, high frequency bands, massive device connectivity, low energy consumption, and intelligence. Especially, the intelligence will be a key feature to understand the intents of users and automate network management fully. 5G networks are designed and implemented on the experience from 4G networks and new technologies which include Software-Defined Networking (SDN) [RFC7149] and Network Functions Virtualization (NFV) [ETSI-NFV][ETSI-NFV-Release-2] along with mmWave for low delivery delay, high data speed, and large network capacity [TS-23.501].¶
The support of network intelligence is one of the main goals of 5G networks. The network intelligence can provide the 5G networks with Network Management Automation (NMA) for a self-driving network that optimizes and adjusts itself by minimizing the interaction with humans (e.g., network administrators and users).¶
Intent-Based Networking (IBN) is a feasible approach that can provide the 5G networks with the NMA services [RFC9315] [TS-28.312][TR-28.812]. The concept of IBN enables a closed-loop network control architecture that can adapt to the current status of a target network by collecting and analyzing monitoring data from Network Service Functions (NSFs). NSFs can be either Virtual Network Functions (VNFs) or Physical Network Functions (PNFs) in cloud and edge computing environments. In the 3rd Generation Partnership Project (3GPP), Network Data Analytics Function (NWDAF) is defined to collect and analyze monitoring data from multiple VNFs and PNFs in cellular networks [TS-23.288][TS-29.520].¶
For the intelligent NMA services, this document proposes an architectural framework that combines the IBN and NWDAF to the 5G networks with Artificial Intelligence (AI) and Machine Learning (ML). The framework allows an intent from either a network operator or user to be translated into a high-level policy through a Natural Language Processing (NLP) technique such as Lumi [USENIX-ATC-Lumi]. The high-level policy is then translated into a low-level policy through a Policy Data Model Mapping and a Network Policy Translator (NPT) [I-D.yang-i2nsf-security-policy-translation]. This low-level policy is used to remotely configure a network policy into appropriate VNFs or PNFs in order to enforce the commanded intent in a target network (e.g., 5G Networks). Also, it also collects and analyzes the monitoring data from VNFs and PNFs such that the policy can be verified and optimized to satisfy the requests for the intent.¶
Therefore, the NMA in this document deals with closed-loop network control, network policy translation, and network management audit. To support these three features in NMA, it specifies an architectural framework with system components and interfaces. In addition, this framework can support the use cases of NMA in 5G networks such as the data aggregation of Internet of Things (IoT) devices, network slicing, and the Quality of Service (QoS) in Vehicle-to-Everything (V2X). Especially, this document shows a use case of IoT in 5G networks such as the data collection and analysis of IoT devices.¶
This document uses the terminology described in [RFC8329], [I-D.ietf-i2nsf-applicability], and [I-D.jeong-i2nsf-security-management-automation]. In addition, the following terms are defined below:¶
+------------+
| IBN User |
+------------+
^
| Consumer-Facing Interface
v
+-------------------+ Registration +-----------------------+
| IBN Controller |<-------------------->| Vendor's Mgmt System |
+-------------------+ Interface +-----------------------+
^ ^
| |
| | Analytics Interface +-----------------------+
| +------------------------>| IBN Analyzer (NWDAF) |
| +-----------------------+
| NSF-Facing Interface ^ ^ ^
| | | |
| | | |
| +------------------------------+ | |
| | +-----------------------+ |
| | | Monitoring Interface |
v v v v
+---------------+ +---------------+ +---------------+
| NSF-1 |--| NSF-2 |........| NSF-n |
|(Policy Control| | (Application | | (IoT Device) |
| Function, PCF)| | Function, AF)| | |
+---------------+ +---------------+ +---------------+
This section describes an IBN framework for 5G networks. Note that this IBN Framework is based on the Framework for Interface to Network Security Functions (I2NSF) [RFC8329][I-D.jeong-i2nsf-security-management-automation]. As shown in Figure 1, an IBN User can use network functions by delivering high-level network policies, which specify network requirements that the IBN User wants to enforce, to the IBN Controller via the Consumer-Facing Interface (CFI).¶
The following are the system components for the IBN framework for network management automation in 5G networks.¶
For IBN-based network services with Feedback-Based Network Management (FNM), IBN Analyzer is a key IBN component for the IBN framework [RFC9315] to collect monitoring data from NSFs and analyzing the monitoring data. The actual implementation of the analysis of monitoring data is out of the scope of this document.¶
The following are the interfaces for the IBN framework. Note that the interfaces can be modeled with YANG [RFC6020] and network policies are delivered through either RESTCONF [RFC8040] or NETCONF [RFC6241]. In addition, according to 3GPP specifications, REST API [REST] can be supported for those interfaces.¶
For IBN-based network services with FSM, Analytics Interface is a key interface in the IBN framework to deliver an analytics report of the augmentation or generation of network rules to IBN Controller through the analysis of the monitoring data from NSFs.¶
To facilitate Network Policy Translation (NPT), IBN Controller needs to have a network policy translator that performs the translation of a high-level network policy into the corresponding low-level network policy. For the automatic NPT services, the IBN framework needs to bridge a high-level YANG data model and a low-level YANG data model in an automatic manner [I-D.yang-i2nsf-security-policy-translation]. Note that a high-level YANG data model is for the IBN Consumer-Facing Interface, and a low-level YANG data model is for the IBN NSF-Facing Interface.¶
Figure 2 shows automatic mapping of high-level and low-level data models for network policies. Automatic Data Model Mapper takes a high-level YANG data module for the Consumer-Facing Inteface and a low-level YANG data module for the NSF-Facing Interface. It then constructs a mapping table associating the data attributes (or variables) of the high-level YANG data module with the corresponding data attributes (or variables) of the low-level YANG data module. Also, it generates a set of production rules of the grammar for the construction of an XML file of low-level network policy rules.¶
Figure 3 shows the procedure of high-to-low network policy translation. A network policy translator is a component of IBN Controller. The translator consists of three components such as Policy Data Model Mapper, Policy Data Extractor, Policy Data Converter, and Policy Generator.¶
High-level YANG Data Module Low-level YANG Data Model
| |
V V
+---------+------------------------------+---------+
| Policy Data Model Mapper |
+------------------------+-------------------------+
|
Mapping Model (Data Model Mapping Table)
|
V
+--------------------------------------------------+
| NSF Database |
+--------------------------------------------------+
+-------------------------------------------------+
| |
| IBN User |
| |
+------------------------+------------------------+
| Consumer-Facing Interface
|
High-level Network Policy
|
IBN Controller V
+--------------------------+-----------------------------------------------+
| Network Policy | |
| Translator V |
| +-----------------------+--------------------------------------------+ |
| | | | |
| | V | |
| | +---------------+-------+ +--------------------------+ | |
| | | Policy Data Extractor | | Policy Data Model Mapper | | |
| | +---------------+-------+ +--------+-----------------+ | |
| | | | Mapping | |
| | V V Model | |
| | +---------------+-------+ +--------------------+ | |
| | | Policy Data Converter |<---->| NSF Database | | |
| | +---------------+-------+ +--------------------+ | |
| | | | |
| | V | |
| | +---------------+-------+ | |
| | | Policy Generator | | |
| | +---------------+-------+ | |
| | | | |
| | V | |
| +-----------------------+--------------------------------------------+ |
| | |
| V |
+--------------------------+-----------------------------------------------+
| NSF-Facing Interface
|
Low-level Network Policy
|
V
+------------------------+-------------------------+
| |
| NSF(s) |
| |
+--------------------------------------------------+
Policy Data Model Mapper maps the attributes and their values of a high-level network policy to the corresponding attributes and their values of a low-level network policy. Note that the values of a high-level network policy may involve a human language and must be converted to an appropriate value for a low-level network policy (e.g., employees -> 192.0.1.0/24).¶
Policy Data Extractor extracts the values of the attributes related to a network policy from a high-level network policy that was delivered by an IBN User to an IBN Controller through the Consumer-Facing Interface [I-D.ietf-i2nsf-consumer-facing-interface-dm].¶
Policy Data Converter converts the values of the high-level policy's attributes into the values of the corresponding low-level policy's attributes to generate the low-level network policy [I-D.ietf-i2nsf-nsf-facing-interface-dm].¶
Policy Generator generates the corresponding low-level network policy that is delivered by the IBN Controller to an appropriate NSF through NSF-Facing Interface [I-D.ietf-i2nsf-nsf-facing-interface-dm].¶
The IBN framework is weak to both an insider attack and a supply chain attack since it trusts in NSFs provided by VMS and assumes that NSFs work for their network services appropriately [I-D.ietf-i2nsf-applicability].¶
To detect the malicious activity of either an insider attack by a malicious VMS or a supply chain attack by a compromised VMS, a network audit system is required by the IBN framework. This network audit system can facilitate the non-repudiation of configuration commands and monitoring data generated in the IBN framework.¶
A network audit system has the following four main objectives:¶
+-----------------------------+ +----------------+
| IBN User | | Vendor's Mgmt |
| +------------+ | System |
+--------------+--------------+ | +--------+-------+
| Consumer-Facing Interface | |
| | Remote |
High-level Security Policy | Attestation |
| | Interface |
| | |
V | V
+--------------+--------------+ | +---------+--------+
| | V | Network |
| IBN Controller +------------+---->| Audit |
| | ^ | System |
+--------------+--------------+ | +---------+--------+
| NSF-Facing Interface | ^
| | Remote |
Low-level Security Policy | Attestation |
| | Interface |
V | |
+--------------+--------------+ | +--------+-------+
| NSF(s) +------------+ | IBN Analyzer |
| +------------------>| |
+-----------------------------+ Monitoring +----------------+
Interface
Figure 4 shows activity auditing with a network audit system in the IBN framework. All the components in the IBN framwork report its activities (such as configuration commands and monitoring data) to Network Audit System as transactions through Remote Attestation Interface [I-D.yang-i2nsf-remote-attestation-interface-dm]. The network audit system can analyze the reported activities from the IBN components to detect malicious activities such as an insider attack and a supply chain attack. Note that such a network audit system can be implemented by remote attestation [I-D.ietf-rats-architecture][I-D.yang-i2nsf-remote-attestation-interface-dm] or Blockchain [Bitcoin]. The details of the implementation of the network audit system are out of the scope of this document.¶
In order to determine a minimum set of controls required to reduce the risks from either an insider attack or a supply chain attack, the network audit system should analyze the activities of all the components in the IBN framework periodically, evaluate possible risks, and take an action to such risks since vulnerabilities and threats may change in different environments over time.¶
This section describes a use case where a policy of IoT device data aggregation is set up in the IBN framework for 5G networks.¶
Figure 5 shows the procedure of the enforcement for an IoT device data aggregation policy in the IBN Framework as follows:¶
IBN IBN Vendor's Cloud NSF1 User Controller Mgmt System (or Edge Server) (IoT Device) | | | | | |-High-level--->| | | | | Policy Request| | | | | | | | | | Translation: | | | | Data Extraction & | | | | Data Conversion | | | | | | | | |*** Case 1: NSFs available: Go to Policy Generation *** | | | | | | |*** Case 2: NSFs unavailable (START) *** | | | | | | | | |-NSF Query------>| | | | | Request |-NSF Initiation->| | | | | Request | | | | | |-NSF Initiation->| | | | | Request | | | | | | | | | | NSF | | | | Initialization | | | | | | | | |<-NSF Initiation-| | | |<-NSF Initiation-| Response | | |<-NSF Query------| Response | | | | Response | | | | | | | | |*** Case 2: NSFs unavailable (END) *** | | | | | | | | Translation: | | | | Policy Generation | | | | | | | | | |--Low-level Policy Request-------------------------->| | | | | | | | | | NSF | | | | Configuration | | | | | | |<-Low-level Policy Response--------------------------| | | | | |
Figure 6 shows the procedure of the reporting for IoT device data aggregation in the IBN Framework as follows:¶
IBN IBN IBN NSF1 NSF2 User Controller Analyzer (IoT Device) (IoT Device) | | | | | | | |<----Sensing-----| | | | | Data | | | | | | | | | |<----Sending-----------------------| | | | Data | | | | | | | | | Sensing | | | | Data | | | | Aggregation | | | | | | | | |<---Sensing------| | | | | Report | | | | | | | | | Policy | | | | Update | | | | (or Generation) | | | | | | | | |<---Report-----| | | | | |--Updated/New Low-level Policy Request-------------->| | | | | | | | | | NSF | | | | (Re)Configuration | | | | | | |<-Updated/New Low-level Policy Response--------------| | | | | |
This document does not require any IANA actions.¶
The same security considerations for the IBN framework [RFC8329] are applicable to this document.¶
The development and introduction of IBN Analyzer and Network Audit System in the IBN Framework may create new security concerns that have to be anticipated at the design and specification time. The usage of machine learning to analyze monitoring data of malicious NSFs may add a risk to its model to be attacked (e.g., adversarial attack) and can result in a bad security policy that is deployed into the IBN system.¶
This work was supported by Institute of Information & Communications Technology Planning & Evaluation (IITP) grant funded by the Korea Ministry of Science and ICT (MSIT)(No. 2022-0-01015, Development of Candidate Element Technology for Intelligent 6G Mobile Core Network).¶
This work was supported in part by Institute of Information & Communications Technology Planning & Evaluation (IITP) grant funded by the Korea Ministry of Science and ICT (MSIT) (No. 2022-0-01199, Regional strategic industry convergence security core talent training business).¶
This document is made by the group effort of NMRG. Many people actively contributed to this document, such as Linda Dunbar, Yoav Nir, Susan Hares, and Qin Wu. The authors sincerely appreciate their contributions.¶
The following are co-authors of this document:¶
Patrick Lingga - Department of Electronic, Electrical and Computer Engineering, Sungkyunkwan University, 2066 Seobu-Ro Jangan-Gu, Suwon, Gyeonggi-do 16419, Republic of Korea. EMail: patricklink@skku.edu¶
Jung-Soo Park - Electronics and Telecommunications Research Institute, 218 Gajeong-Ro, Yuseong-Gu, Daejeon, 34129, Republic of Korea. EMail: pjs@etri.re.kr¶
Yunchul Choi - Electronics and Telecommunications Research Institute, 218 Gajeong-Ro, Yuseong-Gu, Daejeon, 34129, Republic of Korea. EMail: cyc79@etri.re.kr¶
The following changes are made from draft-jeong-nmrg-ibn-network-management-automation-00:¶