Re: [I2nsf] Comments on draft-dunbar-i2nsf-problem-statement-05
DIEGO LOPEZ GARCIA <diego.r.lopez@telefonica.com> Sat, 21 November 2015 12:28 UTC
Return-Path: <diego.r.lopez@telefonica.com>
X-Original-To: i2nsf@ietfa.amsl.com
Delivered-To: i2nsf@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 4E1831A8930 for <i2nsf@ietfa.amsl.com>; Sat, 21 Nov 2015 04:28:17 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.185
X-Spam-Level:
X-Spam-Status: No, score=-3.185 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, RP_MATCHES_RCVD=-0.585, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id NdhxMPfw29sA for <i2nsf@ietfa.amsl.com>; Sat, 21 Nov 2015 04:28:12 -0800 (PST)
Received: from smtpjc.telefonica.com (smtpjc.telefonica.com [81.47.204.76]) (using TLSv1 with cipher ADH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id A79F61A892B for <i2nsf@ietf.org>; Sat, 21 Nov 2015 04:28:11 -0800 (PST)
Received: from smtpjc.telefonica.com (unknown [127.0.0.1]) by IMSVA (Postfix) with ESMTP id 1C9E82F013A; Sat, 21 Nov 2015 13:28:09 +0100 (CET)
Received: from ESTGVMSP113.EUROPE.telefonica.corp (unknown [10.92.4.9]) (using TLSv1 with cipher AES128-SHA (128/128 bits)) (No client certificate requested) by smtpjc.telefonica.com (Postfix) with ESMTPS id 0277E2F0136; Sat, 21 Nov 2015 13:28:09 +0100 (CET)
Received: from emea01-am1-obe.outbound.protection.outlook.com (10.92.5.139) by tls.telefonica.com (10.92.6.55) with Microsoft SMTP Server (TLS) id 14.3.235.1; Sat, 21 Nov 2015 13:28:07 +0100
Received: from DB4PR06MB0624.eurprd06.prod.outlook.com (10.161.13.142) by DB4PR06MB0621.eurprd06.prod.outlook.com (10.161.13.139) with Microsoft SMTP Server (TLS) id 15.1.325.17; Sat, 21 Nov 2015 12:28:06 +0000
Received: from DB4PR06MB0624.eurprd06.prod.outlook.com ([10.161.13.142]) by DB4PR06MB0624.eurprd06.prod.outlook.com ([10.161.13.142]) with mapi id 15.01.0325.019; Sat, 21 Nov 2015 12:28:06 +0000
From: DIEGO LOPEZ GARCIA <diego.r.lopez@telefonica.com>
To: "Anil Kumar S N (VRP Network BL)" <anil.sn@huawei.com>
Thread-Topic: [I2nsf] Comments on draft-dunbar-i2nsf-problem-statement-05
Thread-Index: AdEioAyIQfd93omoRVuyqnHeGuMT8AAmR5vwAEe5yYA=
Date: Sat, 21 Nov 2015 12:28:06 +0000
Message-ID: <C9100DC8-1CD1-49A4-AB60-D5BCC60499F3@telefonica.com>
References: <327562D94EA7BF428CD805F338C31EF06C07EC8B@nkgeml512-mbx.china.huawei.com>
In-Reply-To: <327562D94EA7BF428CD805F338C31EF06C07EC8B@nkgeml512-mbx.china.huawei.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
authentication-results: spf=none (sender IP is ) smtp.mailfrom=diego.r.lopez@telefonica.com;
x-ms-exchange-messagesentrepresentingtype: 1
x-originating-ip: [83.36.36.154]
x-microsoft-exchange-diagnostics: 1; DB4PR06MB0621; 5:pJjsj+dgj8h1YkKPI8VLm0IgCyeJTpSaPvyn1pUas4TPNy6U8aZ6qkUicOEoB94liBxJGBgxh8UbSraOp2NAPlkWlgCSWU1c+sHrYogb11RhBdELI5fqG0fP+dx5foahqeo1J6x/HNrj+6ijjaX0Yw==; 24:4Oacu4K6ADTk5RshWDU/BhIN4K8ho7EVNFuZHyWksM8bb82t13HT6bDlP8vWDefI9Z+kGot0PFqAC1tFFOpEenNnpqEJeh16MAjd5ol3pXY=; 20:rh3FbCIQsK3sHuwLpf7tVirOoLhDtgLHEXhWm2nAs0nMQswP8ZWz5eNSsaCCdpK0uqsMBdQpBUC+XqPLCSGb6Q==
x-microsoft-antispam: UriScan:;BCL:0;PCL:0;RULEID:;SRVR:DB4PR06MB0621;
x-microsoft-antispam-prvs: <DB4PR06MB06217B0275F1C23C497CA82ADF190@DB4PR06MB0621.eurprd06.prod.outlook.com>
x-exchange-antispam-report-test: UriScan:(40392960112811);
x-exchange-antispam-report-cfa-test: BCL:0; PCL:0; RULEID:(601004)(2401047)(520078)(8121501046)(5005006)(10201501046)(3002001); SRVR:DB4PR06MB0621; BCL:0; PCL:0; RULEID:; SRVR:DB4PR06MB0621;
x-forefront-prvs: 076777155F
x-forefront-antispam-report: SFV:NSPM; SFS:(10019020)(189002)(199003)(24454002)(252514010)(54356999)(11100500001)(92566002)(50986999)(2950100001)(40100003)(87936001)(83716003)(2900100001)(19617315012)(66066001)(76176999)(82746002)(16236675004)(33656002)(586003)(5001960100002)(19580395003)(106356001)(230783001)(5004730100002)(10400500002)(122556002)(5007970100001)(5002640100001)(6116002)(36756003)(110136002)(105586002)(102836003)(77096005)(189998001)(97736004)(86362001)(15975445007)(81156007)(101416001)(19580405001)(3846002)(5008740100001)(104396002); DIR:OUT; SFP:1102; SCL:1; SRVR:DB4PR06MB0621; H:DB4PR06MB0624.eurprd06.prod.outlook.com; FPR:; SPF:None; PTR:InfoNoRecords; MX:1; A:1; LANG:en;
received-spf: None (protection.outlook.com: telefonica.com does not designate permitted sender hosts)
spamdiagnosticoutput: 1:23
spamdiagnosticmetadata: NSPM
Content-Type: multipart/alternative; boundary="_000_C9100DC81CD149A4AB60D5BCC60499F3telefonicacom_"
MIME-Version: 1.0
X-MS-Exchange-CrossTenant-originalarrivaltime: 21 Nov 2015 12:28:06.0500 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 9744600e-3e04-492e-baa1-25ec245c6f10
X-MS-Exchange-Transport-CrossTenantHeadersStamped: DB4PR06MB0621
X-OriginatorOrg: telefonica.com
X-TM-AS-MML: No
Archived-At: <http://mailarchive.ietf.org/arch/msg/i2nsf/Nn0H6-HSQWSE9kMbWw8nCZH3B8U>
Cc: Jayaraghavendran k <jayaraghavendran.k@huawei.com>, "i2nsf@ietf.org" <i2nsf@ietf.org>, "draft-dunbar-i2nsf-problem-statement-05@ietf.org" <draft-dunbar-i2nsf-problem-statement-05@ietf.org>, Linda Dunbar <linda.dunbar@huawei.com>
Subject: Re: [I2nsf] Comments on draft-dunbar-i2nsf-problem-statement-05
X-BeenThere: i2nsf@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "*I2NSF: Interface to Network Security Functions mailing list*" <i2nsf.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/i2nsf>, <mailto:i2nsf-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/i2nsf/>
List-Post: <mailto:i2nsf@ietf.org>
List-Help: <mailto:i2nsf-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/i2nsf>, <mailto:i2nsf-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 21 Nov 2015 12:28:17 -0000
Hi, A couple of comments in line below… On 20 Nov 2015, at 03:22 , Anil Kumar S N (VRP Network BL) <anil.sn@huawei.com<mailto:anil.sn@huawei.com>> wrote: • Requirements Language, terms and acronyms section : We need to describe following abbreviations which are used in the documents as it the first document to be referred by any newcomer into I2NSF WG IPS, IDS, ACL, FWs, AAA, CA, VNFpool, Etc… DRL> I disagree. Terms like IDS, AAA, ACL or CA are well defined elsewhere, have been of common usage for quite a while, and there is no advantage in redefining them in this document. For what is worth, we could need to define terms like “network” or “TCP”… There may be others like VNFpool that would need a definition because they are by no means widespread, though in those case we should first consider whether the term makes sense in the document, which I’d say it is not the case for “VNFpool” in particular. • Adding new section : 3.1.9 Lack of mechanism for Key Management/Deterministic Generation and Provisioning for communicating protocols There is a need for a framework/data model for a key management protocol that may be used to create and manage session keys for message authentication and integrity. As of now there is no much focus on an abstraction for keying information that describes the interface between protocols, operators, and automated key management. In March 2006, the Internet Architecture Board (IAB) held a workshop on the topic of "Unwanted Internet Traffic". The report from that workshop is documented in RFC 4948 [RFC4948]. Section 8.1 of that document states that "A simple risk analysis would suggest that an ideal attack target of minimal cost but maximal disruption is the core routing infrastructure". Section 8.2 calls for "Tightening the security of the core routing infrastructure". One of the four main steps were identified for that tightening the security for the protocol packets on the wire. It is concerned with guidelines for describing issues and techniques for protecting the messages between directly communicating peers. Conceptually, when routing protocols send or receive messages, they might need to look up the key to use in this abstract key table. Conceptually, there must be an interface defined for a protocols to make requests of automated key management when it is being used; when keys become available, they might be made available in the key table. There might not be any requirement that this abstraction be used for implementation: 1) I2NSF need to design the key table abstraction, the interface between key management protocols and routing/other protocols, and possibly security protocols at other layers. 2) For each routing/other protocol, I2NSF need to define the mapping between how the protocol represents key material and the protocol- independent key table abstraction. When routing/other protocols share a common mechanism for authentication, such as the TCP Authentication Option, the same mapping is likely to be reused between protocols. An implementation may be able to move much of the keying logic into code related to this shared authentication primitive rather than code specific to routing/other protocols. 3) When designing automated key management for both symmetric keys and group keys, we will only need to use the abstractions designed based on point 1 above to communicate between automated key management and routing/other protocols. DRL> As Linda said, you should clarify what is the purpose for this. The intent of I2NSF is not to define new security functions, but to define an interface to them. And I’d say you are proposing the definition of a new key management service to be used by routing and other protocols. Be goode, -- "Esta vez no fallaremos, Doctor Infierno" Dr Diego R. Lopez Telefonica I+D http://people.tid.es/diego.lopez/ e-mail: diego.r.lopez@telefonica.com Tel: +34 913 129 041 Mobile: +34 682 051 091 ---------------------------------- ________________________________ Este mensaje y sus adjuntos se dirigen exclusivamente a su destinatario, puede contener información privilegiada o confidencial y es para uso exclusivo de la persona o entidad de destino. Si no es usted. el destinatario indicado, queda notificado de que la lectura, utilización, divulgación y/o copia sin autorización puede estar prohibida en virtud de la legislación vigente. Si ha recibido este mensaje por error, le rogamos que nos lo comunique inmediatamente por esta misma vía y proceda a su destrucción. The information contained in this transmission is privileged and confidential information intended only for the use of the individual or entity named above. If the reader of this message is not the intended recipient, you are hereby notified that any dissemination, distribution or copying of this communication is strictly prohibited. If you have received this transmission in error, do not read it. Please immediately reply to the sender that you have received this communication in error and then delete it. Esta mensagem e seus anexos se dirigem exclusivamente ao seu destinatário, pode conter informação privilegiada ou confidencial e é para uso exclusivo da pessoa ou entidade de destino. Se não é vossa senhoria o destinatário indicado, fica notificado de que a leitura, utilização, divulgação e/ou cópia sem autorização pode estar proibida em virtude da legislação vigente. Se recebeu esta mensagem por erro, rogamos-lhe que nos o comunique imediatamente por esta mesma via e proceda a sua destruição
- [I2nsf] Comments on draft-dunbar-i2nsf-problem-st… Anil Kumar S N (VRP Network BL)
- Re: [I2nsf] Comments on draft-dunbar-i2nsf-proble… Linda Dunbar
- Re: [I2nsf] Comments on draft-dunbar-i2nsf-proble… DIEGO LOPEZ GARCIA
- Re: [I2nsf] Comments on draft-dunbar-i2nsf-proble… Sumandra Majee
- Re: [I2nsf] Comments on draft-dunbar-i2nsf-proble… Anil Kumar S N (VRP Network BL)
- Re: [I2nsf] Comments on draft-dunbar-i2nsf-proble… Anil Kumar S N (VRP Network BL)
- Re: [I2nsf] Comments on draft-dunbar-i2nsf-proble… Susan Hares