Re: [I2nsf] Will you provide more details on the Rules' Information model in draft-kumar-i2nsf-client-facing-interface-im-00.txt?
"Diego R. Lopez" <diego.r.lopez@telefonica.com> Fri, 11 November 2016 11:29 UTC
From: "Diego R. Lopez" <diego.r.lopez@telefonica.com>
To: Rakesh Kumar <rkkumar@juniper.net>
Date: Fri, 11 Nov 2016 11:28:11 +0000
Archived-At: <https://mailarchive.ietf.org/arch/msg/i2nsf/He7wNnm4pW6ypnVj77pM6NN7ehw>
Cc: "i2nsf@ietf.org" <i2nsf@ietf.org>, Adrian Farrel <afarrel@juniper.net>, Linda Dunbar <linda.dunbar@huawei.com>
Subject: Re: [I2nsf] Will you provide more details on the Rules' Information model in draft-kumar-i2nsf-client-facing-interface-im-00.txt?
Hi,

I am afraid we have a language gap here, Rakesh. In my view, you are talking of two kinds of rules that can be expressed with an ECA model, only that those in the first class would have an empty (or wildcard or default) condition expression that will make them applicable whenever a certain event happens.

As you said, we need some brainstorming to bridge these language gaps.

Be goode,

On 2 Nov 2016, at 17:15, Rakesh Kumar <rkkumar@juniper.net> wrote:

Hi Linda,

One more thing regarding how a policy/rule is to be enforced. We see two distinct requirements:

1. Static security posture --> The security admin determines what security policies need to be enforced in their network based on their business needs (access policies such as who can access what) and/or regulatory compliance (HIPAA, FISA). These policies usually stay in the network unless manually removed. In my experience, the majority of security policies fall under this category.

2. Dynamic security posture --> Some of the policies may be created but not always enforced. A security admin may want to increase or decrease its security posture based on an event. The event could be time-based or threat-based. For example, a policy is enforced only during the weekend, or a policy is enforced only when a DDoS event is detected.

I don't have any name for the first one, but the second one is ECA (Event Condition Action). We wanted to take both of them for the interfaces to be meaningful in the real security world.

I hope this clarifies our thinking. We can add a section in our draft to put similar text there if you think that would be helpful.

Thanks & Regards,
Rakesh

From: I2nsf <i2nsf-bounces@ietf.org> on behalf of Rakesh Kumar <rkkumar@juniper.net>
Date: Tuesday, November 1, 2016 at 11:56 AM
To: Linda Dunbar <linda.dunbar@huawei.com>, "i2nsf@ietf.org" <i2nsf@ietf.org>
Cc: Adrian Farrel <afarrel@juniper.net>
Subject: Re: [I2nsf] Will you provide more details on the Rules' Information model in draft-kumar-i2nsf-client-facing-interface-im-00.txt?

Hi Linda,

Thanks a lot for the review. One of the biggest challenges in the security world today is that it is too complex, with each vendor having their own set of features and functionality exposed in a very proprietary manner. We have to simplify this with the I2NSF client-facing interface so that a security admin can express their business needs without having to worry about the complexity. It is very important that security requirements be expressed by the security admin with simple rules. But it is easier said than done; this is one of the most complex problems: how to make rules simple but at the same time able to capture a wide variety of use-cases in different environments.

The work done so far in this draft is just the beginning, and we should brainstorm and see how to make it more complete. I will look at the link you have sent and see how to leverage from there. Even if we develop very generic rules, we still need to define some basic constructs which would be used to build a policy. We have taken a step in that direction, but this is just a start and work will continue with ideas from folks in this WG.

Regards,
Rakesh

From: Linda Dunbar <linda.dunbar@huawei.com>
Date: Tuesday, November 1, 2016 at 10:55 AM
To: Rakesh Kumar <rkkumar@juniper.net>, "i2nsf@ietf.org" <i2nsf@ietf.org>
Cc: Adrian Farrel <afarrel@juniper.net>
Subject: RE: [I2nsf] Will you provide more details on the Rules' Information model in draft-kumar-i2nsf-client-facing-interface-im-00.txt?

Rakesh,

By the way, the I2NSF framework has specified to use ECA (Event Condition Action) to describe "Rules". https://datatracker.ietf.org/doc/draft-xibassnez-i2nsf-capability/ has the detailed description of the "Rules" information model. Is there any issue to utilize that information model?

Thanks,
Linda

From: I2nsf [mailto:i2nsf-bounces@ietf.org] On Behalf Of Linda Dunbar
Sent: November 1, 2016 12:10
To: Rakesh Kumar <rkkumar@juniper.net>; i2nsf@ietf.org
Cc: Adrian Farrel <afarrel@juniper.net>
Subject: [I2nsf] Will you provide more details on the Rules' Information model in draft-kumar-i2nsf-client-facing-interface-im-00.txt?

Rakesh,

Thank you very much for contributing the draft. Just curious, the current IM for Rules doesn't have much detail:

<image001.jpg>

Will you add more in a future revision?

Linda Dunbar

-----Original Message-----
From: I2nsf [mailto:i2nsf-bounces@ietf.org] On Behalf Of Rakesh Kumar
Sent: October 31, 2016 12:14
To: i2nsf@ietf.org
Cc: Adrian Farrel <afarrel@juniper.net>; Linda Dunbar <linda.dunbar@huawei.com>
Subject: [I2nsf] FW: New Version Notification for draft-kumar-i2nsf-client-facing-interface-im-00.txt

We posted a new draft that captures an information model for the client-facing interfaces based on "draft-ietf-i2nsf-client-facing-interface-req".

This is an initial version; we plan to update this as we evolve based on new requirements and information.

Thanks & Regards,
Rakesh and other co-authors.

On 10/31/16, 10:08 AM, "internet-drafts@ietf.org" <internet-drafts@ietf.org> wrote:

A new version of I-D, draft-kumar-i2nsf-client-facing-interface-im-00.txt has been successfully submitted by Rakesh Kumar and posted to the IETF repository.

Name: draft-kumar-i2nsf-client-facing-interface-im
Revision: 00
Title: Information model for Client-Facing Interface to Security Controller
Document date: 2016-10-31
Group: Individual Submission
Pages: 17
URL: https://www.ietf.org/internet-drafts/draft-kumar-i2nsf-client-facing-interface-im-00.txt
Status: https://datatracker.ietf.org/doc/draft-kumar-i2nsf-client-facing-interface-im/
Htmlized: https://tools.ietf.org/html/draft-kumar-i2nsf-client-facing-interface-im-00

Abstract:
This document defines an information model for the client-facing interface to security controller based on the requirements identified in the [I-D.kumar-i2nsf-client-facing-interface-req]. The information model defines various managed objects and the relationship among these objects needed to build the client interfaces.

Please note that it may take a couple of minutes from the time of submission until the htmlized version and diff are available at tools.ietf.org.

The IETF Secretariat

_______________________________________________
I2nsf mailing list
I2nsf@ietf.org
https://www.ietf.org/mailman/listinfo/i2nsf

--
"Esta vez no fallaremos, Doctor Infierno"

Dr Diego R. Lopez
Telefonica I+D
http://people.tid.es/diego.lopez/

e-mail: diego.r.lopez@telefonica.com
Tel: +34 913 129 041
Mobile: +34 682 051 091
----------------------------------
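An added illustration of the point argued in this thread (not code from the thread, the draft, or the I2NSF project): a Python sketch in which a "static" policy is simply an ECA rule whose condition is empty, so it applies on every occurrence of its event, beside Rakesh's two dynamic examples (weekend-only and DDoS-triggered). The event shape, rule names and the `RULES` list are constructed for the example and are not the draft's managed objects.

```python
from dataclasses import dataclass
from datetime import datetime
from typing import Callable, Dict, List, Optional

# Constructed event shape: a dict with a "type" plus the context
# (time, threat) the controller attaches. Not the draft's objects.
Event = Dict[str, object]
Condition = Callable[[Event], bool]


@dataclass
class EcaRule:
    name: str
    event: str                             # event type the rule reacts to
    action: str
    condition: Optional[Condition] = None  # None = empty/wildcard condition

    def matches(self, ev: Event) -> bool:
        if ev.get("type") != self.event:
            return False
        # Empty condition: the rule applies whenever its event happens,
        # which is how a "static" policy fits the ECA model.
        return True if self.condition is None else self.condition(ev)


def is_weekend(ev: Event) -> bool:
    """Time-based condition: enforce only during the weekend."""
    return ev["time"].weekday() >= 5


def ddos_detected(ev: Event) -> bool:
    """Threat-based condition: enforce only while a DDoS is reported."""
    return ev.get("threat") == "ddos"


RULES: List[EcaRule] = [
    # Static posture: an access policy that is always in force.
    EcaRule("deny-guest-to-records", "packet", "deny"),
    # Dynamic posture: tighter egress filtering on weekends only.
    EcaRule("weekend-lockdown", "packet", "block-outbound", is_weekend),
    # Dynamic posture: rate limiting only when a DDoS event is detected.
    EcaRule("ddos-mitigation", "threat-alert", "rate-limit", ddos_detected),
]


def packet_at(year: int, month: int, day: int) -> Event:
    """Build a packet event at noon on the given date (sample input)."""
    return {"type": "packet", "time": datetime(year, month, day, 12, 0)}


def applicable_rules(ev: Event, rules: List[EcaRule] = RULES) -> List[str]:
    """Names of the rules whose event and condition both match ev."""
    return [r.name for r in rules if r.matches(ev)]
```

On a weekday packet only the static rule fires; on a Saturday the weekend rule joins it, and a DDoS alert selects only the mitigation rule.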