Re: [I2nsf] Comments/questions about draft-ietf-i2nsf-problem-and-use-cases
Gabriel Lopez <gabilm@um.es> Thu, 06 October 2016 10:55 UTC
Return-Path: <gabilm@um.es>
X-Original-To: i2nsf@ietfa.amsl.com
Delivered-To: i2nsf@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 3C5F6129510 for <i2nsf@ietfa.amsl.com>; Thu, 6 Oct 2016 03:55:48 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -7.216
X-Spam-Level:
X-Spam-Status: No, score=-7.216 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_MED=-2.3, RCVD_IN_MSPIKE_H4=-0.01, RCVD_IN_MSPIKE_WL=-0.01, RP_MATCHES_RCVD=-2.996, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 9IE-pgVkJbkN for <i2nsf@ietfa.amsl.com>; Thu, 6 Oct 2016 03:55:45 -0700 (PDT)
Received: from xenon21.um.es (xenon21.um.es [155.54.212.161]) by ietfa.amsl.com (Postfix) with ESMTP id 1C974129505 for <i2nsf@ietf.org>; Thu, 6 Oct 2016 03:55:45 -0700 (PDT)
Received: from localhost (localhost [127.0.0.1]) by xenon21.um.es (Postfix) with ESMTP id 02B583F997; Thu, 6 Oct 2016 12:55:44 +0200 (CEST)
X-Virus-Scanned: by antispam in UMU at xenon21.um.es
Received: from xenon21.um.es ([127.0.0.1]) by localhost (xenon21.um.es [127.0.0.1]) (amavisd-new, port 10024) with LMTP id FIJO5Pc1LD-D; Thu, 6 Oct 2016 12:55:43 +0200 (CEST)
Received: from [192.168.1.2] (156.red-83-39-194.dynamicip.rima-tde.net [83.39.194.156]) (using TLSv1 with cipher ECDHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) (Authenticated sender: gabilm) by xenon21.um.es (Postfix) with ESMTPSA id 3D20C3F8C1; Thu, 6 Oct 2016 12:55:40 +0200 (CEST)
Mime-Version: 1.0 (Mac OS X Mail 9.3 \(3124\))
Content-Type: multipart/signed; boundary="Apple-Mail=_FEB6B70D-2F0B-433F-87BE-BCF80D8B35E1"; protocol="application/pgp-signature"; micalg="pgp-sha256"
X-Pgp-Agent: GPGMail
From: Gabriel Lopez <gabilm@um.es>
In-Reply-To: <FD60E1DF-FF8A-4F3E-9C64-FF10089F5332@um.es>
Date: Thu, 06 Oct 2016 12:55:35 +0200
Message-Id: <D184C922-06F8-48FB-B3AB-C6550B85EFCA@um.es>
References: <FD60E1DF-FF8A-4F3E-9C64-FF10089F5332@um.es>
To: Rafa Marin Lopez <rafa@um.es>
X-Mailer: Apple Mail (2.3124)
Archived-At: <https://mailarchive.ietf.org/arch/msg/i2nsf/V1fdfzv4vPppuSQLzOMfWFnxYxk>
Cc: i2nsf@ietf.org
Subject: Re: [I2nsf] Comments/questions about draft-ietf-i2nsf-problem-and-use-cases
X-BeenThere: i2nsf@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: "*I2NSF: Interface to Network Security Functions mailing list*" <i2nsf.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/i2nsf>, <mailto:i2nsf-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/i2nsf/>
List-Post: <mailto:i2nsf@ietf.org>
List-Help: <mailto:i2nsf-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/i2nsf>, <mailto:i2nsf-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 06 Oct 2016 10:55:48 -0000
Dear all, please find some comments to the text • Section 3.1.1 • Security gateways or VPNs concentrators could also be add to the list. • “For example, from an I2NSF perspective, there is no need to standardize on how firewall filters are created or applied.”. It is not clear why ones need to be standardized and others no. • Does it means I2NSF aims to standardize the interface to control firewalls filters rather than the own firewalls filters? (just to clarify) • Section 3.1.9. • In addition to Rafa’s comments, I suggest this section should introduce first the security functions where key distribution is required. For example: securing routing protocols? IPsec flow protection channels? AAA protocols? Then, to discuss about the different approaches: a protocol-independent key table? a protocol-based approach?. It seems authors are proposing some kind of solution, but this is a problem-use-case document. • Section 3.2.2 • “No standard technical characterization and/or APIs” and “No standard interface”. • Both texts talks about “standard interfaces”. Could they be merger? (just suggesting) • Section 3.1.7 and section 3.4 both talks about IDS/IPS/etc. profiles. Could they be combined or referenced? • Should 3.3 be 3.2.4? and 3.4 be 3.2.5? and 3.5 be 3.2.6? Just my two cents. Best regards, Gabi. > El 3 oct 2016, a las 23:33, Rafa Marin Lopez <rafa@um.es> escribió: > > Dear all: > > I have reviewed draft-ietf-i2nsf-problem-and-use-cases and I have a few comments/questions (my apologies if these have been already discussed in the past). > > ----------------------- > > Section 3.1.1 > > -Security Functions in a DMZ. You refer to authentication and authorization but also AAA. Is this not redundant? > > -At first sight, there is no example of NSFs with flow based protection. That is, those that participate in the establishment of a security association to protect data traffic. > > Section 3.1.10 > > - A general comment about this section is that the text seems to pay attention to routing. In our case, for example, we have an I-D to manage IPSec SAs based on SDNs (https://tools.ietf.org/html/draft-abad-i2nsf-sdn-ipsec-flow-protection-00). I guess this use case we present in our I-D is somehow included in the text “Conceptually, there must be an interface defined for routing/signaling protocols…” but I am not sure. Could you clarify? > > - A suggestion I have is to revise this paragraph: > > “While there are many key management methods and > key derivation functions (KDF), there is a lack of standard interface > to provision and manage keys.” > > There is a lack not only to provision and manage keys but also to specify additional information (e.g. low level policies) or to fill certain information to manage, in the end, a security association. Additionally, I am not sure about the initial sentence "While there are many key management methods and key derivation functions (KDF)”… what do you mean with this? > > Perhaps a possible modification would say: > > —-> While there are many key management methods and > cryptographic suites (e.g. encryption algorithms, key derivation functions, etc…), there is a lack of standard interface > to provision and manage security associations. > > > Regarding this paragraph: > > “The ability to utilize keys when routing protocols send or receive > messages will be enhanced by having an abstract key table maintained > by a security service. Conceptually, there must be an interface > defined for routing/signaling protocols to make requests for > automated key management when it is being used, to notify the > protocols when keys become available in the key table.” > > In my opinion, it seems going into a solution space: “an abstract key table” and a mechanism to “pull” the keys, is this correct?. Why using this key table? Why using pull method so that the protocols know when the keys are available in the table?. Also, the text refers to routing protocols at the beginning. I would say that there must be an interface to configure security associations of any nature, no?. > > Section 4. In the use cases, there is no explicit text where key distribution is required. One may think that section 4.3.2 and, most probably, 4.3.3 may be related with key management (section 3.1.10). I mention this because our I-D focused on key management for IPSec SAs and VPNs is a term that may be associated to this. > > Section 7. > > When you mention AAA, are you referring to https://tools.ietf.org/html/rfc2904 ? > > --------- > > Best Regards. > > > ------------------------------------------------------- > Rafael Marin Lopez, PhD > Dept. Information and Communications Engineering (DIIC) > Faculty of Computer Science-University of Murcia > 30100 Murcia - Spain > Telf: +34868888501 Fax: +34868884151 e-mail: rafa@um.es > ------------------------------------------------------- > > > > > _______________________________________________ > I2nsf mailing list > I2nsf@ietf.org > https://www.ietf.org/mailman/listinfo/i2nsf ----------------------------------------------------------- Gabriel López Millán Departamento de Ingeniería de la Información y las Comunicaciones University of Murcia Spain Tel: +34 868888504 Fax: +34 868884151 email: gabilm@um.es <mailto:gabilm@um.es>
- [I2nsf] Comments/questions about draft-ietf-i2nsf… Rafa Marin Lopez
- Re: [I2nsf] Comments/questions about draft-ietf-i… Gabriel Lopez
- Re: [I2nsf] Comments/questions about draft-ietf-i… Daniel Migault
- Re: [I2nsf] Comments/questions about draft-ietf-i… Susan Hares
- Re: [I2nsf] Comments/questions about draft-ietf-i… Susan Hares