Re: [I2nsf] "draft-dunbar-i2nsf-problem-statement-02.txt" - few comments.

Linda Dunbar <linda.dunbar@huawei.com> Wed, 18 March 2015 11:14 UTC

From: Linda Dunbar <linda.dunbar@huawei.com>
To: Alexey Gorbunov <alexey.gorbunov82@gmail.com>, "i2nsf@ietf.org" <i2nsf@ietf.org>
Date: Wed, 18 Mar 2015 11:13:56 +0000

Alexey,

Thank you very much for the comments and suggestions. Yes, we have agreed to focus on functionality instead of device name. I2NSF will start with Flow Based Security Functions.

https://tools.ietf.org/html/draft-ietf-netmod-acl-model-02 is a good start, but not comprehensive enough.
For example, for the Policy (that defines which traffic is allowed to pass the firewall and in which direction), it is necessary for the NSF to register which fields it can enforce on the traffic (SA? DA? VLAN? TCP/UDP ports? TCP flag? Direction? HTTP header? Size? Etc.), such as:
           Ingress Port & match
                            |
                            |
       +-------+---------+--+----+--------+-------+---------+-------+
       |       |         |       |        |       |         |       |
       |       |         |       |        |       |         |       |
      L3Header L2header  L4    VLAN      VN ID    size    event .. HTTP

The actions can vary as well: some NSFs only allow “Pass/Drop”, while other NSFs can support more sophisticated actions (e.g. steering to different functions, ..
Linda


From: I2nsf [mailto:i2nsf-bounces@ietf.org] On Behalf Of Alexey Gorbunov
Sent: Tuesday, March 17, 2015 8:20 PM
To: i2nsf@ietf.org
Subject: [I2nsf] "draft-dunbar-i2nsf-problem-statement-02.txt" - few comments.

Hi Folks

Just read "draft-dunbar-i2nsf-problem-statement-02.txt" and would like to share my thoughts and concerns. From my point of view it’s better not to focus on the specific names but on the functionality of the network security function itself. Most probably the main use case for an NSF is a virtual firewall with IPS/IDS and VPN capabilities. Openstack is the ideal candidate for NSF.

We already have virtual firewalls and it's good to look at their features and functionality. I summarized most of the firewall features below:

- Access-list. Defines which traffic is allowed to enter and pass the firewall.
  It's covered in https://tools.ietf.org/html/draft-ietf-netmod-acl-model-02
- Policy. Defines which traffic is allowed to pass the firewall and in which direction.
- DoS protection: multicast, broadcast rate limiting. DHCP, ARP protection and rate-limiting. Limitation of MAC address numbers.
- “Screens” – Juniper calls it screens, Cisco doesn’t have a name for it. Basically it’s protection against well-known network attacks.
- “Intrusion prevention” – Signatures of any malicious activity.
- VPN PKI – configuration of IPsec with PKI.
- Control-plane protection of the firewall itself.
- L7 filtering and proxy.
- Application detection. Some applications use TCP port 80 and most firewalls can detect it.
- Monitoring and reporting traffic. Something similar to OpenFlow, JFlow, etc.

What exactly is going to be covered by i2nsf? Is i2nsf going to meet in the Dallas at IETF 92?

Thanks everybody for attention to this email.

Alexey Gorbunov
Telco Cloud and Security Architect at Nokia
CCIE R&S 41088
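The point Linda makes above (an NSF has to register which match fields and which actions it can enforce before a policy can be pushed to it) and Alexey's feature list both come down to a capability check at the controller. Below is an added illustration of that check, not code from the thread or from any I2NSF draft; the NSF names, field names and action names are constructed for the example.

```python
"""Capability-aware policy validation for flow-based NSFs (added example)."""
from __future__ import annotations
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class NsfCapability:
    """What an NSF registers with the controller (constructed schema)."""
    name: str
    match_fields: frozenset   # fields it can match on, e.g. "l3.src", "vlan.id"
    actions: frozenset        # e.g. {"pass", "drop"} or also "steer"
    directions: frozenset = frozenset({"ingress", "egress"})


@dataclass
class PolicyRule:
    direction: str
    match: dict               # field name -> value
    action: str
    steer_to: Optional[str] = None   # target function for "steer"


def validate_rule(nsf: NsfCapability, rule: PolicyRule) -> list:
    """Return the reasons this NSF cannot enforce the rule (empty list = OK)."""
    problems = []
    if rule.direction not in nsf.directions:
        problems.append(f"direction {rule.direction!r} not supported")
    for f in sorted(rule.match):
        if f not in nsf.match_fields:
            problems.append(f"match field {f!r} not registered")
    if rule.action not in nsf.actions:
        problems.append(f"action {rule.action!r} not supported")
    if rule.action == "steer" and not rule.steer_to:
        problems.append("steer action requires a target function")
    return problems


def select_nsfs(nsfs, rule: PolicyRule) -> list:
    """Names of the registered NSFs able to enforce the rule, in order."""
    return [n.name for n in nsfs if not validate_rule(n, rule)]


# Constructed registrations: a pass/drop-only L3/L4 firewall and an L7-capable one.
FW_BASIC = NsfCapability("fw-basic",
                         frozenset({"l3.src", "l3.dst", "l4.proto", "l4.dport"}),
                         frozenset({"pass", "drop"}))
FW_L7 = NsfCapability("fw-l7",
                      frozenset({"l3.src", "l3.dst", "l4.proto", "l4.dport",
                                 "vlan.id", "http.host"}),
                      frozenset({"pass", "drop", "steer"}))
```

A rule that matches on an HTTP header and steers traffic is rejected by the basic firewall with an explicit reason list, and `select_nsfs` picks only the L7-capable NSF for it.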