Re: [I2nsf] Further clarification and explanations to I2NSF charter has been added to the I2NSF Wiki Q&A (was RE: Consensus call on I2NSF Charter
Flemming Andreasen <fandreas@cisco.com> Thu, 27 August 2015 19:52 UTC
Return-Path: <fandreas@cisco.com>
X-Original-To: i2nsf@ietfa.amsl.com
Delivered-To: i2nsf@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 836BE1ACCEF for <i2nsf@ietfa.amsl.com>; Thu, 27 Aug 2015 12:52:28 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -12.21
X-Spam-Level:
X-Spam-Status: No, score=-12.21 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, MANGLED_NAIL=2.3, RCVD_IN_DNSWL_HI=-5, SPF_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01, USER_IN_DEF_DKIM_WL=-7.5] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id hSqtWTEULFQI for <i2nsf@ietfa.amsl.com>; Thu, 27 Aug 2015 12:52:22 -0700 (PDT)
Received: from rcdn-iport-1.cisco.com (rcdn-iport-1.cisco.com [173.37.86.72]) (using TLSv1 with cipher RC4-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id B14C61A8AEA for <i2nsf@ietf.org>; Thu, 27 Aug 2015 12:52:21 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cisco.com; i=@cisco.com; l=79793; q=dns/txt; s=iport; t=1440705141; x=1441914741; h=subject:to:references:cc:from:message-id:date: mime-version:in-reply-to; bh=LMH7o4GUB1lMJNhT2Ko9uY1alyzH32Xuq9JuaNTZGDs=; b=QoihJgRDF7le/BlIri08ZDGR/GpPddEnA0ZY17wV2XHkvtb/I84CSgAO +NsZ37DbFbsu50PcFkcOgdRv9KGhp2Ht0ldAShdDqTOsJrF8F+ezY02GQ f6LuHyWj1dWgBdRD061p92Dbh68EJrGUNYKuj9Yq/gRIy9ZvEtvS8gBbK 4=;
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: A0DQBQDCad9V/5RdJa1UCoJOTVRpqgIBAQEFAYEKkm+BVRkBCYIeJYM4AoE2ORMBAQEBAQEBgQqEIwEBAQMBAQEBFwECBgo6BAMEAgQBBQcECQIRBAEBAQkWAQECBAMCAgkDAgECARUfCQgGAQwGAgEBiCIIDZVTnR2UegEBAQEBAQEBAQEBAQEBAQEBAQEBARMEhieFOoQnBwVYBgEGgmOBQwEEhyqKe4MYhQaHbYFKhDKCe4k2hEmDayaCQYFaIjOBBoFHAQEB
X-IronPort-AV: E=Sophos; i="5.17,423,1437436800"; d="scan'208,217"; a="27895003"
Received: from rcdn-core-12.cisco.com ([173.37.93.148]) by rcdn-iport-1.cisco.com with ESMTP/TLS/DHE-RSA-AES256-SHA; 27 Aug 2015 19:52:18 +0000
Received: from [10.98.149.195] (bxb-fandreas-8812.cisco.com [10.98.149.195]) by rcdn-core-12.cisco.com (8.14.5/8.14.5) with ESMTP id t7RJqHVf002215; Thu, 27 Aug 2015 19:52:17 GMT
To: Linda Dunbar <linda.dunbar@huawei.com>, Kathleen Moriarty <kathleen.moriarty.ietf@gmail.com>, Joseph Salowey <joe@salowey.net>
References: <CAOgPGoAs_5aCckVfz_DY5+UO1hPo9sT9AoYqjD68SQy6i_DABw@mail.gmail.com> <CAHbuEH7Y-mEdWKfz5508eoUwrOrBHc=oLmLzYj2tzu2hp-+PVw@mail.gmail.com> <4A95BA014132FF49AE685FAB4B9F17F657D19A74@dfweml701-chm> <55DE41BB.3000801@cisco.com> <4A95BA014132FF49AE685FAB4B9F17F657D19B03@dfweml701-chm> <55DE6F40.3080604@cisco.com> <4A95BA014132FF49AE685FAB4B9F17F657D1A09B@dfweml701-chm>
From: Flemming Andreasen <fandreas@cisco.com>
Message-ID: <55DF6A8A.8090407@cisco.com>
Date: Thu, 27 Aug 2015 15:52:42 -0400
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:38.0) Gecko/20100101 Thunderbird/38.2.0
MIME-Version: 1.0
In-Reply-To: <4A95BA014132FF49AE685FAB4B9F17F657D1A09B@dfweml701-chm>
Content-Type: multipart/alternative; boundary="------------040202090901010209080409"
Archived-At: <http://mailarchive.ietf.org/arch/msg/i2nsf/-S8LpMRUFZtuC4ruQuioOdGadqU>
Cc: "i2nsf@ietf.org" <i2nsf@ietf.org>
Subject: Re: [I2nsf] Further clarification and explanations to I2NSF charter has been added to the I2NSF Wiki Q&A (was RE: Consensus call on I2NSF Charter
X-BeenThere: i2nsf@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "*I2NSF: Interface to Network Security Functions mailing list*" <i2nsf.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/i2nsf>, <mailto:i2nsf-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/i2nsf/>
List-Post: <mailto:i2nsf@ietf.org>
List-Help: <mailto:i2nsf-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/i2nsf>, <mailto:i2nsf-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 27 Aug 2015 19:52:28 -0000
Thanks Linda Taking a quick look at the Wiki: - I noticed that your definition of an NSF explicitly prohibits any packet modification such as NAT or MAC rewrite; this will exclude a large portion of current NSFs (e.g. it's commonly used by FWs and ADCs) - is that intentional ? - You mention that "logging" is out of scope, yet in other places you refer to reporting, analytics, etc., and the charter talks about monitoring. Can you clarify ? Also, a couple of my questions below still seem to be open, but there is a parallel exchange with Kathleen on some of those, so maybe we can resolve them there. Cheers -- Flemming On 8/27/15 12:29 PM, Linda Dunbar wrote: > > Flemming, > > I have updated the Q&A on the I2NSF Wiki to clarify the questions you > have: https://sites.google.com/site/interface2nsf/i2nsf-q-a/i2nsfqa > > Hope it helps. Please let me know if you have more questions or > suggestions for I2NSF charter. > > Thanks, > > Linda > > *From:*Flemming Andreasen [mailto:fandreas@cisco.com] > *Sent:* Wednesday, August 26, 2015 9:01 PM > *To:* Linda Dunbar; Kathleen Moriarty; Joseph Salowey > *Cc:* i2nsf@ietf.org > *Subject:* Re: [I2nsf] Consensus call on I2NSF Charter > > On 8/26/15 7:31 PM, Linda Dunbar wrote: > > Flemming, > > Thank you very much for the detailed comments. Thank you for > catching those typos (corrected on the I2NSF wiki now). We really > need the fresh set of eyes to look at it. > > You stated: > > - The third paragraph says that "The NSFs can be monitored by > multiple entities..."; does this imply a 1:N (direct) monitoring > relationship ? > > If so, that seems to get to a design decision that may be premature. > > [Linda] The intent is to describe a scenario that a NSF may send > different outputs to different entities. For example, some > statistics report to “Analytics system”, “rule query” to > management entity. Can you suggest a better wording for this? > > I see. I'm not sure I would get into that level of detail in the > charter, but since you introduce the notion of "features and > functions", you could for example say > > "The NSFs may contain a multitude of features and functions, each of > which can be monitored by a different entity" > > or something like that. > > > > Other Replies are inserted below: > > -----Original Message----- > From: Flemming Andreasen [mailto:fandreas@cisco.com] > Sent: Wednesday, August 26, 2015 5:46 PM > To: Linda Dunbar; Kathleen Moriarty; Joseph Salowey > Cc: i2nsf@ietf.org <mailto:i2nsf@ietf.org> > Subject: Re: [I2nsf] Consensus call on I2NSF Charter > > Apologies for joining the discussion late - just got back from PTO. In > any case, please find some additional comments on the proposed charter > below (some more substantial than others): > > - The first paragraph starts out by defining what an NSF is, and we > can argue about some of the points in there for various security > functions (e.g. I may want to detect normal network behavior to > establish a baseline, which does not seem to be covered by the current > definition). > > [Linda] Over the course of I2NSF (about a year), we have gone through > a long debate on what NSFs should be considered by IETF I2NSF. As the > result of the long debate, we use the definition to classify a set of > functions to be considered for IETF I2NSF (then further narrowing down > to Flow-based NSFs). > > The function you described, i.e. detecting normal network behavior to > establish a baseline is not in the scope of I2NSF, even though this > function can also be "provided and consumed in increasingly diverse > environments". > > Ok - the part about "detect unwanted network activity" is fairly broad > though, and I'm not sure how you detect unwanted activity without > looking at all activity (which is what triggered my original question). > > > I don't think that will be a productive discussion though, nor is it > necessary. Instead, I'd suggest we are not overly prescriptive, but > rather view these as possible NSF features, and supplement them with > some actual product examples (e.g. FW, NGFW, IPS, etc.). Similarly, > since we limit our scope to "flow-based NSFs", we may want to make > that clear here. An example of a security function that would *not* be > in scope may be helpful too. > > [Linda] All the NSFs in I2NSF context are “features”, whose form > factor can be provided physical box or virtualized format. Some form > factors, i.e. devices or VM, can provide multiple “functions”. Do you > think the sentences in the third paragraph is good enough to describe > what you want? > > /“I2NSF will focus on flow-based NSFs that provide treatment to > packets/flows, such as Intrusion Protection/Detection System > (IPS/IDS), Web filtering, flow filtering, deep packet inspection, or > pattern matching and remediation.” / > > The examples here are clear; I'm less clear on what else might be in > scope. For example, would a DDoS detection and mitigation system be in > scope (keeping in mind it may use a combination of packet inspection > and telemetry-based detection and mitigation and that establishing a > "normal" baseline is often part of the operation) ? > > > - The charter seems to operate with the notion of a "security > controller" that interacts with the "NSF". If I understand correctly, > the security controller implements the "Service Layer" and the NSF > implements the "Capability Layer". Furthermore, we have "clients" that > interact with the security controller to implement policies (by > leveraging the service layer). If so, it would be good to clarify this > taxonomy earlier in the charter. If not, then I probably need some > clarifications in the text. > > [Linda] “Security controller” is a conceptual entity, meaning an > entity to send implementable rules (capability layer) to the NSFs. > There could be multiple of them, each responsible for one type of NSF > (i.e. managing the instances of the NSFs). > > I2NSF includes “Simple Service Layer” that models closely to the > “Capability Layer”. For example: client can specify the rules without > specify which instances of the NSF. The “Controller” manage the > instances, as described by The figure in I2NSF Framework document: > > + - - - - - - - - - - - - - - - + + - - - - - - - - - - - - - - - + > > | NSF-A +--------------+ | | NSF-B +--------------+ | > > | | Controller| | | | Controller| | > > | +--------------+ | | +--------------+ | > > | + - - - - - - - - - - - - - + | | + - - - - - - - - - - - - - + | > > | |+---------+ +---------+| | | |+---------+ +---------+| | > > | || NSF-A#1 | ... | NSF-A#n|| | | || NSF-B#1| ... | NSF-B#m|| | > > | |+---------+ +---------+| | | |+---------+ +---------+| | > > | | NSF-A cluster | | | | NSF-B cluster | | > > | + - - - - - - - - - - - - - + | | + - - - - - - - - - - - - - + | > > + - - - - - - - - - - - - - - - + + - - - - - - - - - - - - - - - + > > Ok - this basic framework seems to be foundational to the structure of > the work the group is doing. If so, I think it would be helpful to > outline it (verbally) in the charter. > > > - In the definition of the "Capability Layer", there is a statement > about "rules...of NSFs have to be implementable by most NSFs". Do you > mean all NSFs or NSFs of a given type (I assume we have different > types of NSFs) ? > > [Linda] yes. > > - Policies are labeled as "simple" or "abstract or sophisticated" > > without further definition; I'm not sure where we draw that line or > how to do that in the charter; maybe clarifying that part needs to be > a deliverable ? > > [Linda] “simple” means that they can be directly translated to > capability layer rules with simple mapping, e.g. without explicit > stating which instantiation, may have customer ID that can be > translated to some tags carried by packets > > Ok - if that's the definition we want to use, can we clarify it in the > charter ? > > > - A number of deliverables may not be published as an RFC; why not > (they seem to set the stage for several other deliverables and hence > are relevant for consumers of the information and data models later on) ? > > [Linda] The WG group may decide to publish them as RFC or not later. > But the charter doesn’t specify which way. That is how IESG wanted. > > Ok. > > - The part about I2NSF providing a "discussion forum for Informational > drafts on.....[more complex Service Layer policies]..." is confusing > to me. The work seems to be pursued outside the WG, so there are no > deliverables and presumably no agenda time will be allocated either. > > [Linda] this is to address the information documents that describe the > I2NSF demo, open source or interoperability initiatives that are > conducted outside the WG. E.g > https://datatracker.ietf.org/doc/draft-xie-i2nsf-demo-outline-design/ > > Ok - thanks for the pointer, however from a WG point of view, I'm not > clear on what it means to have a discussion forum and what, if > anything, the WG will do with it (e.g. discuss such drafts as part of > meetings, etc) ? > > > It's also not clear to me that we can/should state that such documents > would be Informational. We may decide that we need some procedures for > how to define such documents, have designated experts, a directorate, > etc. to review them etc. I'm guessing this is all a bit premature > though, but again, we may want to note that as an issue in the charter > that the WG needs to resolve at some point. > > [Linda] Agree with you. I will see how AD wants to address this > suggestion . > > Ok > > Nits: > > - first paragraph: > > s/the mitigate/mitigate the/ > > - second last paragraph: > > s/RFCs of/RFCs or > > [Linda] Thank you for the catch. They are corrected on the I2NSF wiki > now. > > Thanks for the quick response and updates. > > -- Flemming > > > Thanks > > -- Flemming > > On 8/26/15 5:38 PM, Linda Dunbar wrote: > > > Kathleen, > > > > > > Thank you very much for the editorial changes. The charter description > > > on the I2NSF Wiki has been updated to reflect your suggested changes: > > >https://sites.google.com/site/interface2nsf/home > <https://sites.google.com/site/interface2nsf/home> > > > > > > > > > Linda > > > > > > > > > -----Original Message----- > > > From: I2nsf [mailto:i2nsf-bounces@ietf.org] On Behalf Of Kathleen > > > Moriarty > > > Sent: Wednesday, August 26, 2015 2:29 PM > > > To: Joseph Salowey > > > Cc:i2nsf@ietf.org <mailto:i2nsf@ietf.org> > > > Subject: Re: [I2nsf] Consensus call on I2NSF Charter > > > > > > I have a few editorial changes in the following text that does not change > the meaning of the charter text: > > > > > > A Network Security Function (NSF) is a function used to ensure > integrity, confidentiality, and availability of network > communications, to detect unwanted network activity, and to block or > at least the mitigate effects of unwanted activity. NSFs are provided > and consumed in increasingly diverse environments. Users of NSFs could > consume network security services hosted by one or more providers, > which may be their own enterprise, service providers, or a combination > of both. Similarly, service providers may offer their customers > network security services that are enforced by multiple security > products and/or functions from different vendors. NSFs may be provided > by physical and/or virtualized infrastructure. Without standard > interfaces to control and monitor the behavior of NSFs, it has become > virtually impossible for providers of security services to automate > service offerings that utilize different security functions from > multiple vendors. > > > > > > The goal of I2NSF is to define a set of software interfaces and data > models for controlling and monitoring aspects of physical and virtual > NSFs. If the working group finds it necessary to work on an > information model before the data models, to help provide guidance and > derive the data models, it may do so. The working group will decide > later whether the information model needs to be published as an RFC. > > > Other aspects of NSFs, such as device or network provisioning and > configuration, are out of scope. > > > > > > Controlling and monitoring aspects of NSFs include the ability to > specify rules (by a single controller at the first phase), query, and > monitor NSFs by one or more management entities. The initial phase of > I2NSF will only consider one single controller that can specify or > change rules to NSFs because multi-headed control requires the > coordination to avoid potential conflict of rules. The NSFs can be > monitored by multiple entities, but the database update and > synchronization among multiple management entities are out of scope > for I2NSF. As there are many different security vendors supporting > different features and functions on their devices, I2NSF will focus on > flow-based NSFs that provide treatment to packets/flows, such as > Intrusion Protection/Detection System (IPS/IDS), Web filtering, flow > filtering, deep packet inspection, or pattern matching and remediation. > > > > > > I2NSF will specify interfaces at two functional levels for the control and > monitoring of network security functions: > > > > > > The I2NSF Capability Layer specifies how to control and monitor NSFs > > > at a functional implementation level. The term “Functional > > > Implementation” is used to emphasize that the rules (for control and > > > monitor) of NSFs have to be implementable by most NSFs. I2NSF will > standardize a set of interfaces by which a security controller can > invoke, operate, and monitor NSFs. > > > > > > The I2NSF Service Layer defines how clients’ security policies may be > expressed to a security controller. The controller implements its > policies according to the various capabilities provided by the I2NSF > capability Layer. The I2NSF Service Layer also allows the client to > monitor the client specific policies. > > > > > > Since there could be many depths or types of Service Layer policies, the > following bullets further clarify the scope of I2NSF: > > > o Only the Simple Service Layer policies that are modeled as closely as > possible on the Capability Layer are within the scope. > > > Such a Simple Service Layer will enable a security controller to handle > issues like multi-tenancy and the choice between available NSFs for a > given policy. > > > o I2NSF will not specify abstract or sophisticated policies from > clients. Expressing policies in ways other than the model used by the > Capability Layer is out of scope. > > > o The translation mechanism/methods from Service Layer policies to > Capability layer comments are out of scope for I2NSF. > > > However, I2NSF will provide a discussion forum for Informational > drafts on data models, APIs, etc. that demonstrate how more complex > Service Layer policies and formats may be translated to Capability > Layer functions. Such documents would be pursued outside the WG. > > > > > > Standard interfaces for monitoring and controlling the behavior of > NSFs are essential building blocks for providers of security service > to automate the use of different NSFs from multiple vendors. This work > will leverage the existing protocols and data models defined by the > I2RS, NETCONF, and NETMOD working groups. If extensions to these > protocols or data models are needed, requirements will be developed by > this WG, and the extensions will be developed in cooperation with the > WGs responsible for the protocols. > > > > > > The I2NSF WG’s deliverables include: > > > > > > o A single document covering use cases, problem statement, and gap > analysis document. This document will initially be produced for > reference as a living list to track and record discussions: the WG may > decide to not publish this document as an RFC. > > > o A framework document, presenting an overview of the use of NSFs and > the purpose of the models developed by the WG. This document will also > be a reference text to guide the main work and the WG may decide to > not publish this document as an RFC. > > > o If the working group considers it necessary, a single, unified, > Information Model to describe the control and monitoring of flow-based > NSFs. > > > o YANG data models for the control and monitoring of NSFs. > > > o Requests to the IANA for the creation of a registry that enables the > characteristics and behavior of NSFs to be specified using a > vendor-neutral vocabulary without requiring the NSFs themselves to be > standardized. The registry enables various mechanisms, including > policy rules, to be used to match monitor and control functions to the > needs of an application and/or environment. > > > An examination of existing secure communication mechanisms to identify > the appropriate ones for carrying the controlling and monitoring > information between the NSFs and their management entities. This > document may also be produced as a working document that is not > published as an RFC. > > > > > > The WG may additionally choose to develop documents to describe requirements > for extensions (if any) to existing protocols used by the WG, to > explain how the data models are used to monitor and control flow-based > NSFs, and to describe how to use I2RS and NETCONF to carry the content > of the data models. These documents may be published as Informational > RFCs of may be working documents that are discarded once they have > triggered the necessary work. > > > > > > The WG will work closely with the I2RS, NETCONF, and NETMOD WGs. The WG will > communicate with external SDOs like ETSI NFV and will encourage open > source code development related to the WG scope in organizations like > ONF, OpenStack, ODL, and OPNFV. > > > > > > > > > On Wed, Aug 26, 2015 at 1:44 AM, Joseph Salowey <joe@salowey.net > <mailto:joe@salowey.net>> wrote: > > >> Thanks to everyone who has contributed towards developing the charter. > > >> I believe we are close to consensus so this is a consensus call for the > I2NSF > > >> charter. The charter text is located at > > >>https://sites.google.com/site/interface2nsf/home > <https://sites.google.com/site/interface2nsf/home>. Please send > > >> comments on this charter to the I2NSF list by September 2, 2015. > > >> > > >> Thank you, > > >> > > >> Joe > > >> > > >> _______________________________________________ > > >> I2nsf mailing list > > >>I2nsf@ietf.org <mailto:I2nsf@ietf.org> > > >>https://www.ietf.org/mailman/listinfo/i2nsf > <https://www.ietf.org/mailman/listinfo/i2nsf> > > >> > > > > > > >
- [I2nsf] Consensus call on I2NSF Charter Joseph Salowey
- Re: [I2nsf] Consensus call on I2NSF Charter Kathleen Moriarty
- Re: [I2nsf] Consensus call on I2NSF Charter Linda Dunbar
- Re: [I2nsf] Consensus call on I2NSF Charter Flemming Andreasen
- Re: [I2nsf] Consensus call on I2NSF Charter Linda Dunbar
- Re: [I2nsf] Consensus call on I2NSF Charter Kathleen Moriarty
- Re: [I2nsf] Consensus call on I2NSF Charter Flemming Andreasen
- Re: [I2nsf] Consensus call on I2NSF Charter Flemming Andreasen
- Re: [I2nsf] Consensus call on I2NSF Charter Kathleen Moriarty
- Re: [I2nsf] Consensus call on I2NSF Charter Flemming Andreasen
- [I2nsf] Further clarification and explanations to… Linda Dunbar
- Re: [I2nsf] Further clarification and explanation… Flemming Andreasen
- Re: [I2nsf] Further clarification and explanation… Linda Dunbar
- [I2nsf] Question about the wording used in I2NSF … Linda Dunbar
- Re: [I2nsf] Further clarification and explanation… Flemming Andreasen
- Re: [I2nsf] Consensus call on I2NSF Charter Tobias Gondrom