Re: [I2nsf] Does it make sense to say: using Packet based approach for Flow-Based NSF provisioning? (was RE: comments on draft-merged-i2nsf-framework-01

"Romascanu, Dan (Dan)" <dromasca@avaya.com> Tue, 09 June 2015 10:05 UTC

From: "Romascanu, Dan (Dan)" <dromasca@avaya.com>
To: Linda Dunbar <linda.dunbar@huawei.com>, "i2nsf@ietf.org" <i2nsf@ietf.org>
Thread-Topic: Does it make sense to say: using Packet based approach for Flow-Based NSF provisioning? (was RE: comments on draft-merged-i2nsf-framework-01
Date: Tue, 09 Jun 2015 09:58:09 +0000
Message-ID: <9904FB1B0159DA42B0B887B7FA8119CA5CA53C12@AZ-FFEXMB04.global.avaya.com>
References: <9904FB1B0159DA42B0B887B7FA8119CA5CA52A81@AZ-FFEXMB04.global.avaya.com> <4A95BA014132FF49AE685FAB4B9F17F657C55239@dfweml701-chm> <9904FB1B0159DA42B0B887B7FA8119CA5CA52F9B@AZ-FFEXMB04.global.avaya.com> <4A95BA014132FF49AE685FAB4B9F17F657C5544D@dfweml701-chm>
In-Reply-To: <4A95BA014132FF49AE685FAB4B9F17F657C5544D@dfweml701-chm>
Archived-At: <http://mailarchive.ietf.org/arch/msg/i2nsf/A4BGc2yFQpOX9dsTFmOdNBcAvSw>
Subject: Re: [I2nsf] Does it make sense to say: using Packet based approach for Flow-Based NSF provisioning? (was RE: comments on draft-merged-i2nsf-framework-01
List-Id: "*I2NSF: Interface to Network Security Functions mailing list*" <i2nsf.ietf.org>
X-List-Received-Date: Tue, 09 Jun 2015 10:05:50 -0000

Hi Linda,

I did not say that there is a conflict, I said that the terminology is not consistent. In draft-lopez-i2nsf-packet the word 'flow' appears only in the context of 'Open-flow', however draft-merged-i2nsf-framework-00 makes the claim (in 3.1) that

     [Packet-based-NSF] advocates that the
     flow based security functions can be categorized by

This is not accurate. [Packet-based-NSF], a.k.a. draft-lopez-i2nsf-packet, makes no statement about flow-based security functions; it does not even use the term.

If flow-based NSF is defined in draft-dunbar-i2nsf-problem-statement, then this reference should be used.

Thanks and Regards,

Dan


From: I2nsf [mailto:i2nsf-bounces@ietf.org] On Behalf Of Linda Dunbar
Sent: Monday, June 08, 2015 11:33 PM
To: Romascanu, Dan (Dan); i2nsf@ietf.org
Subject: [I2nsf] Does it make sense to say: using Packet based approach for Flow-Based NSF provisioning? (was RE: comments on draft-merged-i2nsf-framework-01

Dan,

Reading through the draft-lopez-i2nsf-packet draft again, I feel the proposed "Packet-Based" approach doesn't really conflict with the "Flow-based NSF".

The draft is advocating "using Packet-Based approach to provision Flow-Based NSFs".
I2nsf Problem Statement has this definition for Flow-based NSF:
 "Flow-based Network Security Function: A NSF that inspects network flows according to a policy intended for enforcing security properties.  Flow-based security also means that packets are inspected in the order they are received, and without modification to the packet due to the inspection process (MAC rewrites, TTL decrement action; even NAT would be outside the inspection process)."

What do you think?

Linda

From: Romascanu, Dan (Dan) [mailto:dromasca@avaya.com]
Sent: Monday, June 08, 2015 12:22 PM
To: Linda Dunbar; i2nsf@ietf.org
Subject: RE: comments on draft-merged-i2nsf-framework-01

Hi Linda,

Thanks for the answer. See below.

Regards,

Dan



2. We have an inconsistency in terminology between this I-D and draft-lopez-i2nsf-packet-00. In section 3.3 we refer to it for the definition of the flow-based NSF, but actually that I-D speaks only about packet-based NSFs. This needs to be resolved. I would even copy the definition of 'flow-based' here for clarity, and with the assumed risk of duplication.