Re: [I2nsf] Key problems to reflect the narrower scoped I2NSF charter

Sumandra Majee <S.Majee@F5.com> Wed, 03 June 2015 17:45 UTC

From: Sumandra Majee <S.Majee@F5.com>
To: Linda Dunbar <linda.dunbar@huawei.com>, DIEGO LOPEZ GARCIA <diego.r.lopez@telefonica.com>
Date: Wed, 03 Jun 2015 17:45:20 +0000
Archived-At: <http://mailarchive.ietf.org/arch/msg/i2nsf/U4EcQjnLXrRpTxyPSM4Vg81mqXM>
Cc: "i2nsf@ietf.org" <i2nsf@ietf.org>
Subject: Re: [I2nsf] Key problems to reflect the narrower scoped I2NSF charter

Linda,

My personal opinion is that the issue at hand is diversity of security functionality and lack of enabling those functions.
I am not sure if this WG should need to differentiate if enforcing NSF is distributed, local or remote, or virtual or physical (section 3.1.3). It is in fact desirable that the interface is consistent and leave the job of optimal placement to the scheduling layer.


 The security functions that are invoked to enforce a security
     policy can be located in different equipment and network
     locations.

From: Linda Dunbar <linda.dunbar@huawei.com>
Date: Tuesday, May 26, 2015 at 10:31 AM
To: DIEGO LOPEZ GARCIA <diego.r.lopez@telefonica.com>
Cc: "i2nsf@ietf.org" <i2nsf@ietf.org>
Subject: [I2nsf] Key problems to reflect the narrower scoped I2NSF charter

Diego,

Thank you very much for the suggestion (and the time taken yesterday for the conference call).

How about the following description of the key problems for I2NSF?

3.1. Challenges Facing Security Service Providers

-   Diverse types of Security Functions
         No Standard Characterization of NSFs
-   Diverse Interfaces to Control NSFs
-   Diverse mechanisms to monitor the behavior of NSFs
-   More Distributed NSFs and vNSFs
-   Demand to Control NSFs Dynamically
-   Demand for multi-tenancy of the interfaces to control and monitor NSFs.

Service providers may well require having several operational units to make this control and monitoring, especially when they become distributed and virtualized.

3.2. Challenges Facing Customers

-   Need consistent integration of NSFs over heterogeneous administrative domains
         - Today's Policy Expressions are Vendors Specific
         - Difficulty to Monitor the Execution of Desired Policies


Cheers,
Linda
From: DIEGO LOPEZ GARCIA [mailto:diego.r.lopez@telefonica.com]
Sent: Monday, May 25, 2015 2:04 PM
To: Linda Dunbar
Cc: i2nsf@ietf.org
Subject: Re: [I2nsf] updated I2NSF problem statement to reflect the narrower scoped charter

Hi,

As we discussed recently, I'd say that:

1.- It is important to address multi-tenancy of the interfaces to control and monitor NSFs. First, because service providers may well require to have several operational units to make this control and monitoring, especially when they become distributed and virtualized. Second, service providers may find a value in offering a (mediated) interface to control and monitor NSFs to their customers. This could certainly be part of 3.1.5...

2.- In what relates to 3.2.1, rather than distinguishing between "on-premises" and "remote", I'd talk about a consistent integration of NSFs, independently of their location and their implementation mechanisms.

Be goode,

On 22 May 2015, at 24:42, Linda Dunbar <linda.dunbar@huawei.com> wrote:


We updated the I2NSF problem statement to reflect the narrower scoped charter.

The primary issues and challenges facing NSFs hosted by different domains are:

     3.1. Challenges Facing Security Service Providers
        3.1.1. Diverse types of Security Functions
        3.1.2. No Standard Characterization of NSFs
        3.1.3. More Distributed NSFs and vNSFs
        3.1.4. More Demand to Control NSFs Dynamically
        3.1.5. Diverse Interfaces to Control and Monitor NSFs
        3.1.6. Lack of mechanism to monitor the behavior of NSFs
     3.2. Challenges Facing Customers
        3.2.1. Need to integrate on-premises NSFs with Remote NSFs
        3.2.2. Today's Policy Expressions are Vendors Specific
        3.2.3. Difficulty to Monitor the Execution of Desired Policies
     3.3. Difficulty to Validate Policies across Multiple Domains
     3.4. Lack of Standard Interface to Inject Feedback to NSF

Your comments and suggestions are highly appreciated.

Linda

-----Original Message-----
From: internet-drafts@ietf.org
Sent: Thursday, May 21, 2015 5:37 PM
To: Mohamed Boucadair; Shaibal Chakrabarty; Linda Dunbar; Christian Jacquenet; Myo Zarny; Christian Jacquenet; Myo Zarny; Shaibal Chakrabarty; Linda Dunbar; Mohamed Boucadair
Subject: New Version Notification for draft-dunbar-i2nsf-problem-statement-04.txt


A new version of I-D, draft-dunbar-i2nsf-problem-statement-04.txt
has been successfully submitted by Linda Dunbar and posted to the IETF repository.

Name: draft-dunbar-i2nsf-problem-statement
Revision: 04
Title: Interface to Network Security Functions (I2NSF) Problem Statement
Document date: 2015-05-21
Group: Individual Submission
Pages: 20
URL:            https://www.ietf.org/internet-drafts/draft-dunbar-i2nsf-problem-statement-04.txt
Status:         https://datatracker.ietf.org/doc/draft-dunbar-i2nsf-problem-statement/
Htmlized:       https://tools.ietf.org/html/draft-dunbar-i2nsf-problem-statement-04
Diff:           https://www.ietf.org/rfcdiff?url2=draft-dunbar-i2nsf-problem-statement-04

Abstract:
  This document describes the motivation and the problem statement for
  Interface to Network Security Functions (I2NSF).




Please note that it may take a couple of minutes from the time of submission until the htmlized version and diff are available at tools.ietf.org.

The IETF Secretariat


--
"This time we will not fail, Doctor Infierno"

Dr Diego R. Lopez
Telefonica I+D
http://people.tid.es/diego.lopez/

e-mail: diego.r.lopez@telefonica.com
Tel:    +34 913 129 041
Mobile: +34 682 051 091
----------------------------------

