IETF Logo Mail Archive

Re: [I2nsf] Comments on draft-dunbar-i2nsf-problem-statement-05

DIEGO LOPEZ GARCIA <diego.r.lopez@telefonica.com> Sat, 21 November 2015 12:28 UTC

Return-Path: <diego.r.lopez@telefonica.com>
X-Original-To: i2nsf@ietfa.amsl.com
Delivered-To: i2nsf@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 4E1831A8930 for <i2nsf@ietfa.amsl.com>; Sat, 21 Nov 2015 04:28:17 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.185
X-Spam-Level:
X-Spam-Status: No, score=-3.185 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, RP_MATCHES_RCVD=-0.585, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id NdhxMPfw29sA for <i2nsf@ietfa.amsl.com>; Sat, 21 Nov 2015 04:28:12 -0800 (PST)
Received: from smtpjc.telefonica.com (smtpjc.telefonica.com [81.47.204.76]) (using TLSv1 with cipher ADH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id A79F61A892B for <i2nsf@ietf.org>; Sat, 21 Nov 2015 04:28:11 -0800 (PST)
Received: from smtpjc.telefonica.com (unknown [127.0.0.1]) by IMSVA (Postfix) with ESMTP id 1C9E82F013A; Sat, 21 Nov 2015 13:28:09 +0100 (CET)
Received: from ESTGVMSP113.EUROPE.telefonica.corp (unknown [10.92.4.9]) (using TLSv1 with cipher AES128-SHA (128/128 bits)) (No client certificate requested) by smtpjc.telefonica.com (Postfix) with ESMTPS id 0277E2F0136; Sat, 21 Nov 2015 13:28:09 +0100 (CET)
Received: from emea01-am1-obe.outbound.protection.outlook.com (10.92.5.139) by tls.telefonica.com (10.92.6.55) with Microsoft SMTP Server (TLS) id 14.3.235.1; Sat, 21 Nov 2015 13:28:07 +0100
Received: from DB4PR06MB0624.eurprd06.prod.outlook.com (10.161.13.142) by DB4PR06MB0621.eurprd06.prod.outlook.com (10.161.13.139) with Microsoft SMTP Server (TLS) id 15.1.325.17; Sat, 21 Nov 2015 12:28:06 +0000
Received: from DB4PR06MB0624.eurprd06.prod.outlook.com ([10.161.13.142]) by DB4PR06MB0624.eurprd06.prod.outlook.com ([10.161.13.142]) with mapi id 15.01.0325.019; Sat, 21 Nov 2015 12:28:06 +0000
From: DIEGO LOPEZ GARCIA <diego.r.lopez@telefonica.com>
To: "Anil Kumar S N (VRP Network BL)" <anil.sn@huawei.com>
Thread-Topic: [I2nsf] Comments on draft-dunbar-i2nsf-problem-statement-05
Thread-Index: AdEioAyIQfd93omoRVuyqnHeGuMT8AAmR5vwAEe5yYA=
Date: Sat, 21 Nov 2015 12:28:06 +0000
Message-ID: <C9100DC8-1CD1-49A4-AB60-D5BCC60499F3@telefonica.com>
References: <327562D94EA7BF428CD805F338C31EF06C07EC8B@nkgeml512-mbx.china.huawei.com>
In-Reply-To: <327562D94EA7BF428CD805F338C31EF06C07EC8B@nkgeml512-mbx.china.huawei.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
authentication-results: spf=none (sender IP is ) smtp.mailfrom=diego.r.lopez@telefonica.com;
x-ms-exchange-messagesentrepresentingtype: 1
x-originating-ip: [83.36.36.154]
x-microsoft-exchange-diagnostics: 1; DB4PR06MB0621; 5:pJjsj+dgj8h1YkKPI8VLm0IgCyeJTpSaPvyn1pUas4TPNy6U8aZ6qkUicOEoB94liBxJGBgxh8UbSraOp2NAPlkWlgCSWU1c+sHrYogb11RhBdELI5fqG0fP+dx5foahqeo1J6x/HNrj+6ijjaX0Yw==; 24:4Oacu4K6ADTk5RshWDU/BhIN4K8ho7EVNFuZHyWksM8bb82t13HT6bDlP8vWDefI9Z+kGot0PFqAC1tFFOpEenNnpqEJeh16MAjd5ol3pXY=; 20:rh3FbCIQsK3sHuwLpf7tVirOoLhDtgLHEXhWm2nAs0nMQswP8ZWz5eNSsaCCdpK0uqsMBdQpBUC+XqPLCSGb6Q==
x-microsoft-antispam: UriScan:;BCL:0;PCL:0;RULEID:;SRVR:DB4PR06MB0621;
x-microsoft-antispam-prvs: <DB4PR06MB06217B0275F1C23C497CA82ADF190@DB4PR06MB0621.eurprd06.prod.outlook.com>
x-exchange-antispam-report-test: UriScan:(40392960112811);
x-exchange-antispam-report-cfa-test: BCL:0; PCL:0; RULEID:(601004)(2401047)(520078)(8121501046)(5005006)(10201501046)(3002001); SRVR:DB4PR06MB0621; BCL:0; PCL:0; RULEID:; SRVR:DB4PR06MB0621;
x-forefront-prvs: 076777155F
x-forefront-antispam-report: SFV:NSPM; SFS:(10019020)(189002)(199003)(24454002)(252514010)(54356999)(11100500001)(92566002)(50986999)(2950100001)(40100003)(87936001)(83716003)(2900100001)(19617315012)(66066001)(76176999)(82746002)(16236675004)(33656002)(586003)(5001960100002)(19580395003)(106356001)(230783001)(5004730100002)(10400500002)(122556002)(5007970100001)(5002640100001)(6116002)(36756003)(110136002)(105586002)(102836003)(77096005)(189998001)(97736004)(86362001)(15975445007)(81156007)(101416001)(19580405001)(3846002)(5008740100001)(104396002); DIR:OUT; SFP:1102; SCL:1; SRVR:DB4PR06MB0621; H:DB4PR06MB0624.eurprd06.prod.outlook.com; FPR:; SPF:None; PTR:InfoNoRecords; MX:1; A:1; LANG:en;
received-spf: None (protection.outlook.com: telefonica.com does not designate permitted sender hosts)
spamdiagnosticoutput: 1:23
spamdiagnosticmetadata: NSPM
Content-Type: multipart/alternative; boundary="_000_C9100DC81CD149A4AB60D5BCC60499F3telefonicacom_"
MIME-Version: 1.0
X-MS-Exchange-CrossTenant-originalarrivaltime: 21 Nov 2015 12:28:06.0500 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 9744600e-3e04-492e-baa1-25ec245c6f10
X-MS-Exchange-Transport-CrossTenantHeadersStamped: DB4PR06MB0621
X-OriginatorOrg: telefonica.com
X-TM-AS-MML: No
Archived-At: <http://mailarchive.ietf.org/arch/msg/i2nsf/Nn0H6-HSQWSE9kMbWw8nCZH3B8U>
Cc: Jayaraghavendran k <jayaraghavendran.k@huawei.com>, "i2nsf@ietf.org" <i2nsf@ietf.org>, "draft-dunbar-i2nsf-problem-statement-05@ietf.org" <draft-dunbar-i2nsf-problem-statement-05@ietf.org>, Linda Dunbar <linda.dunbar@huawei.com>
Subject: Re: [I2nsf] Comments on draft-dunbar-i2nsf-problem-statement-05
X-BeenThere: i2nsf@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "*I2NSF: Interface to Network Security Functions mailing list*" <i2nsf.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/i2nsf>, <mailto:i2nsf-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/i2nsf/>
List-Post: <mailto:i2nsf@ietf.org>
List-Help: <mailto:i2nsf-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/i2nsf>, <mailto:i2nsf-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 21 Nov 2015 12:28:17 -0000

Hi,

A couple of comments in line below…

On 20 Nov 2015, at 03:22 , Anil Kumar S N (VRP Network BL) <anil.sn@huawei.com<mailto:anil.sn@huawei.com>> wrote:
•         Requirements Language, terms and acronyms section : We need to describe following abbreviations which are used in the documents as it the first document
to be referred by any newcomer into I2NSF WG

IPS, IDS, ACL, FWs, AAA, CA, VNFpool, Etc…

DRL> I disagree. Terms like IDS, AAA, ACL or CA are well defined elsewhere, have been of common usage for quite a while, and there is no advantage in redefining them in this document. For what is worth, we could need to define terms like “network” or “TCP”… There may be others like VNFpool that would need a definition because they are by no means widespread, though in those case we should first consider whether the term makes sense in the document, which I’d say it is not the case for “VNFpool” in particular.


•         Adding new section :

3.1.9 Lack of mechanism for Key Management/Deterministic Generation and Provisioning for communicating protocols



There is a need for a framework/data model for a key management protocol that may be used to create and manage session

keys for message authentication and integrity. As of now there is no much focus on an abstraction for keying information that describes the interface

between protocols, operators, and automated key management.



In March 2006, the Internet Architecture Board (IAB) held a workshop

on the topic of "Unwanted Internet Traffic".  The report from that workshop is documented in RFC 4948 [RFC4948].

Section 8.1 of that document states that "A simple risk analysis would suggest that an ideal attack target of minimal

cost but maximal disruption is the core routing infrastructure".  Section 8.2 calls for "Tightening the security of

the core routing infrastructure".



One of the four main steps were identified for that tightening the security for the protocol packets on the wire.

It is concerned with guidelines for describing issues and techniques for protecting the messages between directly communicating peers.



Conceptually, when routing protocols send or receive messages, they

   might need to look up the key to use in this abstract key table.

   Conceptually, there must be an interface defined for a protocols to

   make requests of automated key management when it is being used; when

   keys become available, they might be made available in the key table.

   There might not be any requirement that this abstraction be used for

   implementation:



   1) I2NSF need to design the key table abstraction, the interface between

      key management protocols and routing/other protocols, and possibly

      security protocols at other layers.



   2) For each routing/other protocol, I2NSF need to define the mapping between

      how the protocol represents key material and the protocol-

      independent key table abstraction.  When routing/other protocols share a

      common mechanism for authentication, such as the TCP

      Authentication Option, the same mapping is likely to be reused

      between protocols.  An implementation may be able to move much of

      the keying logic into code related to this shared authentication

      primitive rather than code specific to routing/other protocols.



   3) When designing automated key management for both symmetric keys

      and group keys, we will only need to use the abstractions designed based on

      point 1 above to communicate between automated key management and

      routing/other protocols.

DRL> As Linda said, you should clarify what is the purpose for this. The intent of I2NSF is not to define new security functions, but to define an interface to them. And I’d say you are proposing the definition of a new key management service to be used by routing and other protocols.

Be goode,

--
"Esta vez no fallaremos, Doctor Infierno"

Dr Diego R. Lopez
Telefonica I+D
http://people.tid.es/diego.lopez/

e-mail: diego.r.lopez@telefonica.com
Tel:    +34 913 129 041
Mobile: +34 682 051 091
----------------------------------


________________________________

Este mensaje y sus adjuntos se dirigen exclusivamente a su destinatario, puede contener información privilegiada o confidencial y es para uso exclusivo de la persona o entidad de destino. Si no es usted. el destinatario indicado, queda notificado de que la lectura, utilización, divulgación y/o copia sin autorización puede estar prohibida en virtud de la legislación vigente. Si ha recibido este mensaje por error, le rogamos que nos lo comunique inmediatamente por esta misma vía y proceda a su destrucción.

The information contained in this transmission is privileged and confidential information intended only for the use of the individual or entity named above. If the reader of this message is not the intended recipient, you are hereby notified that any dissemination, distribution or copying of this communication is strictly prohibited. If you have received this transmission in error, do not read it. Please immediately reply to the sender that you have received this communication in error and then delete it.

Esta mensagem e seus anexos se dirigem exclusivamente ao seu destinatário, pode conter informação privilegiada ou confidencial e é para uso exclusivo da pessoa ou entidade de destino. Se não é vossa senhoria o destinatário indicado, fica notificado de que a leitura, utilização, divulgação e/ou cópia sem autorização pode estar proibida em virtude da legislação vigente. Se recebeu esta mensagem por erro, rogamos-lhe que nos o comunique imediatamente por esta mesma via e proceda a sua destruição

v2.23.0 | Report a Bug | By Email