Re: [I2nsf] draft-kim-i2nsf-consumer-facing-interface-dm-00 and draft-kim-i2nsf-security-management-architecture-03

"Mr. Jaehoon Paul Jeong" <jaehoon.paul@gmail.com> Thu, 03 November 2016 01:53 UTC

From: "Mr. Jaehoon Paul Jeong" <jaehoon.paul@gmail.com>
Date: Thu, 03 Nov 2016 10:53:18 +0900
Message-ID: <CAPK2DewXVEosJsBQmtOG5w5mvZs+0f6yJVGhD9jCdpZuozMcBg@mail.gmail.com>
To: Rakesh Kumar <rkkumar@juniper.net>
Archived-At: <https://mailarchive.ietf.org/arch/msg/i2nsf/Y1HN5Ioh85Zu8AGTL2qSrJ4mpvo>
Cc: "i2nsf@ietf.org" <i2nsf@ietf.org>
Subject: Re: [I2nsf] draft-kim-i2nsf-consumer-facing-interface-dm-00 and draft-kim-i2nsf-security-management-architecture-03

Hi Rakesh,
Thanks for your analysis and suggestions.

Sure, we can discuss these issues in IETF-97 Seoul Meeting.

Thanks.

Best Regards,
Paul

On Thu, Nov 3, 2016 at 9:48 AM, Rakesh Kumar <rkkumar@juniper.net> wrote:

> Hi Paul,
>
>
>
> Regarding the two drafts draft-kim-i2nsf-consumer-facing-interface-dm-00
> and draft-kim-i2nsf-security-management-architecture-03 and merging these
> with other drafts as mentioned in other threads. I have responded to
> “draft-kim-i2nsf-security-management-architecture-03” earlier but here is
> the consolidated input on both.
>
>
>
> Here is my understanding based on reading the two candidate drafts for
> merge:
>
>
>
> 1. *draft-kim-i2nsf-security-management-architecture-03:* As per WG
> suggestion that we merge this draft with “draft-kumar-i2nsf-client-facing-interface-req-01”.
> I have responded earlier but now that draft has become WG draft
> “draft-ietf-i2nsf-client-facing-interface-req”. I see your draft has a few
> main themes:
>
> o *I2NSF user architecture:* As I stated earlier that
> “draft-ietf-i2nsf-client-facing-interface-req” does not focus on specifics
> of a client/user system. As far as I know, this is outside the scope of
> I2NSF charter since focus is on the client-interface; so I don’t see this
> as a candidate for merge. We can discuss if you think my understanding is
> incorrect.
>
> o *Security requirements for VoIP/VoLTE:* I see security
> requirements such as malware domains, URL/IP filtering which can be
> enforced dynamically based on time calendar. This definitely falls into
> the scope of “draft-ietf-i2nsf-client-facing-interface-req”. We have
> defined these requirements and scheduling methods already but in a more
> generic way like threat feeds (IP, URL) in section 4.8. The use-case could
> be as VoIP/VoLTE security as you mentioned but if you think it is not
> coming out clearly then we can modify the text. Let us work on it.
>
> o *Security management system architecture:* This is not in the scope
> of “draft-ietf-i2nsf-client-facing-interface-req”. As far as I know, this
> is outside the scope of I2NSF charter since focus is on the NSF-interface;
> so I don’t see this as a candidate for merge. We can discuss if you think
> my understanding is incorrect.
>
> 2. *draft-kim-i2nsf-consumer-facing-interface-dm-00:* This is a
> candidate for merge with draft-kumar-i2nsf-client-facing-interface-im as
> you and Linda pointed out but our draft is an information model, not a data
> model as yours. Anyway, I feel, we have defined these in section 5.1 and
> 5.3 but we can work with you to see whether you want to add or modify.
>
>
>
> I know, this is one of the agenda items in Seoul, we should hash this out
> while in Seoul. I look forward to working with you on this.
>
>
>
> Thanks & Regards,
>
> Rakesh
>
>
>
>
> ---------- Forwarded message ----------
> From: Rakesh Kumar <rkkumar@juniper.net>
> To: "Mr. Jaehoon Paul Jeong" <jaehoon.paul@gmail.com>, "Diego R. Lopez"
> <diego.r.lopez@telefonica.com>
> Cc: "i2nsf@ietf.org" <i2nsf@ietf.org>, "Prof. Hyoungshick Kim"
> <hyoung@skku.edu>, "Pauljeong@skku.edu" <Pauljeong@skku.edu>,
> "skku_secu-brain_all@googlegroups.com"
> <skku_secu-brain_all@googlegroups.com>, Linda Dunbar
> <linda.dunbar@huawei.com>, Rakesh Kumar <rkkumar@juniper.net>
> Date: Wed, 26 Oct 2016 21:56:54 +0000
> Subject: Re: [I2nsf] questions about
> draft-kim-i2nsf-security-management-architecture-01
>
> Hi Paul,
>
>
>
> Based on suggestion from Diego to see if we could merge
> draft-kim-i2nsf-security-management-architecture-01 with
> draft-kumar-i2nsf-client-facing-interface-req-01.
>
> Our draft deals with interfaces client would use to interact with the
> security controller/management system. We are discussing only the client
> interfaces and not the client structure itself.
>
>
>
> We should have a discussion to see what can be merged. I look forward to
> working with you.
>
>
>
> Thanks & Regards,
>
> Rakesh
>
> *From:* I2nsf <i2nsf-bounces@ietf.org> on behalf of "Mr. Jaehoon Paul
> Jeong" <jaehoon.paul@gmail.com>
> *Date:* Sunday, October 23, 2016 at 10:43 PM
> *To:* "Diego R. Lopez" <diego.r.lopez@telefonica.com>
> *Cc:* "i2nsf@ietf.org" <i2nsf@ietf.org>, "Prof. Hyoungshick Kim"
> <hyoung@skku.edu>, "Pauljeong@skku.edu" <Pauljeong@skku.edu>,
> "skku_secu-brain_all@googlegroups.com"
> <skku_secu-brain_all@googlegroups.com>, Linda Dunbar <linda.dunbar@huawei.com>
> *Subject:* Re: [I2nsf] questions about
> draft-kim-i2nsf-security-management-architecture-01
>
>
>
> Hi Diego,
>
> Thanks for your comments.
>
>
>
> Our draft can be aligned with draft-kumar-i2nsf-client-facing-interface-req-01
> in that ours deals with the interface between I2NSF Client and Security
> Controller. However, draft-kumar-i2nsf-client-facing-interface-req-01 does
> not clarify the structure of I2NSF Client in a detailed level, but our draft
> proposes such a detailed structure for I2NSF Client.
>
> In addition, our draft considers the policy update in I2NSF through the
> report from an NSF for a security attack (e.g., DDoS attack) or an event
> (e.g., the detection of a new malware) toward I2NSF Client. This updated
> policy is disseminated to the whole I2NSF systems for spontaneous reaction
> to the new security attack or event.
>
> Like this, our draft is closely related to the I2NSF framework. Let us
> prepare for the text for the I2NSF framework draft, and then discuss whether
> our text can fit the I2NSF framework.
>
>
>
> Thanks.
>
>
>
> Best Regards,
>
> Paul
>
> On Sat, Oct 22, 2016 at 7:49 PM, Diego R. Lopez <
> diego.r.lopez@telefonica.com> wrote:
>
> Hi Paul,
>
>
>
> While I find agreeable that your draft could be merged with another one
> (or other ones) in order to consolidate the documents to be produced by
> I2NSF, I am not 100% sure it should be the framework draft. Looking at the
> proposals you make in your draft I see it more aligned with what the drafts
> dealing with the client-facing interface are considering than with the
> general framework. In particular,
> draft-kumar-i2nsf-client-facing-interface-req-01
> <https://datatracker.ietf.org/doc/draft-kumar-i2nsf-client-facing-interface-req/>
> has a section (3.3) that discusses management deployment models, and I am
> under the impression this architecture you propose could be seen as a
> refinement of those models.
>
>
>
> Be goode,
>
>
>
> On 21 Oct 2016, at 02:54 , Mr. Jaehoon Paul Jeong <jaehoon.paul@gmail.com>
> wrote:
>
>
>
> Hi Linda,
>
> Are you agreeing to merging our draft
> (draft-kim-i2nsf-security-management-architecture-02)
> into draft-ietf-i2nsf-framework-03?
>
>
>
> Thanks.
>
>
>
> Best Regards,
>
> Paul
>
>
>
> On Fri, Oct 7, 2016 at 5:32 AM, Mr. Jaehoon Paul Jeong <
> jaehoon.paul@gmail.com> wrote:
>
> Hi Linda,
>
> As a coauthor of this draft, I will answer your questions inline below.
>
>
>
> On Wed, Oct 5, 2016 at 1:34 PM, Linda Dunbar <linda.dunbar@huawei.com>
> wrote:
>
> Hyoungshick, et al,
>
>
>
> How would you position your draft-kim-i2nsf-security-management-architecture-01
> with regard to the I2NSF framework draft? I find there is a lot of
> duplicated content with the I2nsf framework draft.
>
>
>
>  [Paul] We would like to merge our draft into the i2nsf framework draft
>  because our draft has one depth more detailed architecture. This detailed
>  architecture will be helpful to implement the i2nsf framework.
>
>
>
>
>
> There are some differences,  such as the following: Are you trying to
> define how “security policy” is structured?
>
>
>
> <image002.png>
>
>
>
>  [Paul] Our architecture allows an NSF to update a low-level policy and
>  apply it to the related high-level policy via the control path of Security
>  Controller and Policy Collector (renamed Event Collector in version 02) in
>  Figure 1 of our version 02:
>
>  https://tools.ietf.org/html/draft-kim-i2nsf-security-management-architecture-02
>
>  For example, if an NSF of firewall detects a new DoS-attack host, it reports
>  the updated blacklist having the IP address of such a host to Application
>  Logic in I2NSF Client via Security Controller and Event Collector.
>  Application Logic asks Policy Updater to disseminate the updated blacklist
>  to the security controllers under the administration of the same I2NSF
>  Client.
>
>
>
> Will the “High Level security management” eventually lead to Client Facing
> Policy data models?
>
>
>
>  [Paul] Yes, as explained above, the High-level security management leads
>  to update and handle Client facing policy data models.
>
>
>
> Do you plan to define interfaces between all those components depicted in
> Figure 1?  The interfaces between some of those components are not really
> in the I2NSF WG current charter, such as “Security Policy Manager” <-> “NSF
> Capability Manager”,  or the interface between “Application Logic” <->
> “Policy Updater”.
>
>
>
>  [Paul]  Yes, we have a plan to define such interfaces.
>
>
>
>
>
> Are those components in your current implementation? Is it like an
> “example of one implementation”?
>
>
>
>  [Paul] Though those components are not fully implemented yet in our
>  implementation, my team at SKKU will implement those components in a later
>  version.
>
>
>
>  Thanks for your clarification questions.
>
>
>
>  Best Regards,
>
>  Paul
>
> Thanks, Linda
>
>
> _______________________________________________
> I2nsf mailing list
> I2nsf@ietf.org
> https://www.ietf.org/mailman/listinfo/i2nsf
>
> --
>
> ===========================
> Mr. Jaehoon (Paul) Jeong, Ph.D.
> Assistant Professor
> Department of Software
> Sungkyunkwan University
> Office: +82-31-299-4957
> Email: jaehoon.paul@gmail.com, pauljeong@skku.edu
> Personal Homepage: http://iotlab.skku.edu/people-jaehoon-jeong.php
> <http://cpslab.skku.edu/people-jaehoon-jeong.php>
>
> --
> "Esta vez no fallaremos, Doctor Infierno"
>
> Dr Diego R. Lopez
> Telefonica I+D
> http://people.tid.es/diego.lopez/
>
> e-mail: diego.r.lopez@telefonica.com
> Tel:    +34 913 129 041
> Mobile: +34 682 051 091
> ----------------------------------


-- 
===========================
Mr. Jaehoon (Paul) Jeong, Ph.D.
Assistant Professor
Department of Software
Sungkyunkwan University
Office: +82-31-299-4957
Email: jaehoon.paul@gmail.com, pauljeong@skku.edu
Personal Homepage: http://iotlab.skku.edu/people-jaehoon-jeong.php
<http://cpslab.skku.edu/people-jaehoon-jeong.php>