Re: [I2nsf] AD review of draft-ietf-i2nsf-problem-and-use-cases
Kathleen Moriarty <kathleen.moriarty.ietf@gmail.com> Tue, 07 March 2017 18:58 UTC
Return-Path: <kathleen.moriarty.ietf@gmail.com>
X-Original-To: i2nsf@ietfa.amsl.com
Delivered-To: i2nsf@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E46C11295C1 for <i2nsf@ietfa.amsl.com>; Tue, 7 Mar 2017 10:58:29 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.699
X-Spam-Level:
X-Spam-Status: No, score=-2.699 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id cWK8SLtJIw8j for <i2nsf@ietfa.amsl.com>; Tue, 7 Mar 2017 10:58:27 -0800 (PST)
Received: from mail-pf0-x236.google.com (mail-pf0-x236.google.com [IPv6:2607:f8b0:400e:c00::236]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id C03AA1294A4 for <I2nsf@ietf.org>; Tue, 7 Mar 2017 10:58:27 -0800 (PST)
Received: by mail-pf0-x236.google.com with SMTP id j5so3971103pfb.2 for <I2nsf@ietf.org>; Tue, 07 Mar 2017 10:58:27 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc; bh=a3Y9ykxJE4kik08r0wgkyj8SFheMYlNfPIjt9LJB4aI=; b=Z08bXrWUF2nR8TzflzUE4cNLQCKOcke+5ZdIz+7aqkRtU0jXCPHI1PuF16mp11XOwr zvLjK5RRhvxmCKntAWplemOR3LZSXahGl29gqiEfFDrCkESmO6W0NP4ITjMGkTcC7/Zq yJV2VL+P9lRb6FxUD+o6eI/xWcYrWsG2siJPhOUso78YwwIRMI9R+W+QG/1NmW5c9h2b 5502VRw8JR5hTlwYcS6370UEu0bZIjWYkDk6D11o6CUeqCzCm4QDbej23iFJntNlawH5 JZuB2KEFQ5++iDMFswi8vWb3IDTaKF8ZdJ7QZMHduQoeJ6oLBUkoUBIDD2cdbGiBuu6O WCDA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:in-reply-to:references:from:date :message-id:subject:to:cc; bh=a3Y9ykxJE4kik08r0wgkyj8SFheMYlNfPIjt9LJB4aI=; b=Gc7carE98MHx/C01m/H2UEjO2IK3XJA7/L+1F7vtFoqOgeix/bTbRzD6dOgfYFoX4t t4A8XgqDUeSIiMMDG0Fv3MZoVFzMNwbVcmMosW5nVMQwQ8z0o1q4/bItB4AHtLiEQiUG 2zP2JBz7Sbw3cHx3Z4dNwBnUkdKKWSzjdqdiHGMd0+sVoWuWRwvpD6DBln6TldL6+nuc Sz8cQ0IkNdwq3y1NDc+GtN4Wvmvh81dLKZR/EayPdbQ8asPZFcFv+MIVecm5xKfZ8a7E hDewJaq8wVV51mRuW0F2Vd79EA1Uu/ETdY8cz+q10JZkwLf7T0zU9wEmFULPnDhKrDBH E+yg==
X-Gm-Message-State: AMke39k6H/LJNS5AzAvq2YXlz8Hl7PTBlr7fZd53uda9FQjF2MSZ/vz1Cy38TOSZIn9eU38iiZQF8tG8VbmTGw==
X-Received: by 10.98.32.24 with SMTP id g24mr2014815pfg.115.1488913107330; Tue, 07 Mar 2017 10:58:27 -0800 (PST)
MIME-Version: 1.0
Received: by 10.100.177.199 with HTTP; Tue, 7 Mar 2017 10:58:26 -0800 (PST)
In-Reply-To: <006701d29760$bba67a70$32f36f50$@ndzh.com>
References: <CAHbuEH6VXiN6CssTLu836MrKh9_+YbT92ix=4M+4VVE2HB0qcA@mail.gmail.com> <002901d29540$d2240ff0$766c2fd0$@ndzh.com> <006701d29760$bba67a70$32f36f50$@ndzh.com>
From: Kathleen Moriarty <kathleen.moriarty.ietf@gmail.com>
Date: Tue, 07 Mar 2017 13:58:26 -0500
Message-ID: <CAHbuEH5q01W437bGCV2hfrYsGkPgTfkyRtu4wArXgUdP8JMjyw@mail.gmail.com>
To: Susan Hares <shares@ndzh.com>
Content-Type: text/plain; charset="UTF-8"
Archived-At: <https://mailarchive.ietf.org/arch/msg/i2nsf/aaovWLL97KrQEtg-CCkqr-1YJmM>
Cc: "i2nsf@ietf.org" <I2nsf@ietf.org>
Subject: Re: [I2nsf] AD review of draft-ietf-i2nsf-problem-and-use-cases
X-BeenThere: i2nsf@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: "*I2NSF: Interface to Network Security Functions mailing list*" <i2nsf.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/i2nsf>, <mailto:i2nsf-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/i2nsf/>
List-Post: <mailto:i2nsf@ietf.org>
List-Help: <mailto:i2nsf-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/i2nsf>, <mailto:i2nsf-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 07 Mar 2017 18:58:30 -0000
Hi Sue, Thanks for your work updating the draft. I'll respond inline just where I have a comment. Most updates look great, so thanks for that. On Tue, Mar 7, 2017 at 11:34 AM, Susan Hares <shares@ndzh.com> wrote: > Kathleen: > > Time is moving toward the deadline. I will check the abbreviations and > grammar and submit this draft as a response. > > Sue > > -----Original Message----- > From: I2nsf [mailto:i2nsf-bounces@ietf.org] On Behalf Of Susan Hares > Sent: Saturday, March 4, 2017 6:41 PM > To: 'Kathleen Moriarty'; 'i2nsf@ietf.org' > Subject: Re: [I2nsf] AD review of draft-ietf-i2nsf-problem-and-use-cases > > Kathleen: > > Would you let me know if this is on the right track. I will go through and > check all abbreviations and grammar - but I wanted to make sure this works > for you. I've attached a diff as well between 9 and 10. > > Sue > > -----Original Message----- > From: I2nsf [mailto:i2nsf-bounces@ietf.org] On Behalf Of Kathleen Moriarty > Sent: Friday, February 17, 2017 10:08 PM > To: i2nsf@ietf.org > Subject: [I2nsf] AD review of draft-ietf-i2nsf-problem-and-use-cases > > Hello, > > Thank you for your work on this draft. I can see that a lot effort has gone > into it from the beginning of the I2 NSF work. I have some recommendations > for changes before starting IETF last call. I hope you find these comments > helpful to improve the document. > > #1 - section 3.1.9 > >>Section 3.1.9: >>Are there more details on the security requirements around #3: >> >> 3. Automated Key management must support both symmetric keys and > > group keys via the service provided by items 1 and 2. > > Replacement: > 3 Automated Key management MUST support both symmetric keys and > group keys via the abstract key service provided by items 1 > and 2. > I2NSF controllers within the NSF required to exchange data > with NSFs > may exchange data with individual NSFs using individual > symmetric keys or > with a group of NSFs simultaneously using an IP group address > secured by a group security key(s). > > > Section 3.2 top >>Section 3.2: The work in DOTS is limited to DDoS and not all attack >>types > and the following text reads as if it were all attack types: >> >> "o Which critical communications are to be preserved during critical >> events (DOTS working group is standardizing), >> >> o Which hosts are to continue service even during severe security >> attacks (DOTS working group is standardizing)," > > Replaced with: > Which critical communications are to be preserved during > critical events and which hosts are continue service,< Can you fix the grammar at the end of this phrase (are continue service)? > > What signaling information is passed to a controller that > during a Distributed Denial of Service in order to ask for > mitigation services (within the scope DOTS working group), > > > #3 - section 3.2.2 > >>Once I reached section 3.2.2, the bulleted section felt redundant. I >>don't > think the text was explicitly stated elsewhere, but the positive direction > of the same material is >> expressed and that should be enough IMO. This is just an opinion to > consider if you'd like to tighten up the document a bit. > > > #4 - section 3.2.2. > >>The last paragraph of 3.2.2 could be argued as a selling point to > differentiate between another firewall vendor. Object oriented > configuration tools were my personal favorite. This >was provided through > an interface that would generate the configs to push out to multiple > firewalls. It can be a selling point to be different. You may be better > off dropping this >claim. > > New Paragraph - at end of 3.2.2 > New:/In contrast, as figure 1 shows, if a firewall/IPS interface standard > exists the customer would be able to send the request to a security > management system and the security management would send it via a I2NSF > standard interface. > Service providers could now utilize the same standard interface interface to > represent firewall/IPS services implemented using products from many > vendors. > / > > #5 Section 3.2: Is efficiency the word you intended in the following > sentence or was it some other property? > > Old/ The customer also > lacks the ability to perform "what-if" scenarios to assess the > efficiency of the delivered security service. > / > New/ The customer also lacks the ability to perform > "what-if" scenarios to assess the efficacy of the delivered security > service. > / Thanks! > > Comment: Efficacy - indicates both efficiency and ability to correctly > perform the work. > > > #6 - Section 3.2.3: Could you break the last sentence into 2? And do you > mean efficiency or something else? > I've re-written this section: > > /New: > 3.3 Difficult to Monitor the Execution of Desired Policies > > How a policy is translated into technology-specific actions is > hidden from the customers. However, customers still need ways to > monitor the delivered security service that results from the > execution of their desired security requirements, guidelines and > expectations. Customers want to monitor existing policies to > determine > such things as: which policies are in effect, how many security > attacks are being > prevented, and how much bandwidth efficiency does security > enforcement cost. > > Today, there is no standard way for customers to get these details > from the security service which assure the customer that their > specified security policies properly enforced by the security > functions > in the provider domain. > > Getting this monitoring information from the security system also > helps > the customer to plan for the future using "what-if" scenarios > with real data. A tight loop between the data gathered from > security > systems and the "what-if" scenario planning can reduce the > time to design and deploy workable security policies that deal > with new threats. > > It is the objective of the I2NSF work to provide a standard way > to get the information that security service assurance systems need > to > provide customers an evaluation about the current security systems, > and > to quickly plan for future security policies using "what-if" > scenarios > based on today's information > / > > Sue: Could you provide me feedback on this text? Looks good, thank you! > > #7 - Section 3.3 also feels repetitive. Reducing text in the earlier > section will help to resolve this issue. > > Sue: I've re-ordered section 3 to try to address your concerns. > > > ------------------- > #8 - Section 4.2: The beginning of this screams of censorship. Although > your intended use case is innocent enough with parental controls, there is > lots of opportunity for abuse expanding to other types of censorship we > don't typically support in protocols. I recommend reducing this to the > threat management descriptions. > > OLD: > > /Residential: service requests for parental control, content > management, and threat management. > > Parental control requests may include identity based filters for > web content or usage. Content management may include identifying > and blocking malicious activities from web contents, mail, or > files downloaded. Threat management may include identifying and > blocking botnets or malware. > / > > NEW: > > /Residential: service requests for threat management. > > Threat content management may include identifying > and blocking malicious activities from web contents, mail, or > files downloaded. Threat management may also include identifying and > blocking botnets or malware. > / > Sue: I've changed to your text. Thanks, I think you'll need to add in mention of the "enterprise" as even this type of filtering on the Internet and outside of Enterprise restrictions wouldn't be acceptable. Even then, we may have a hard time in last call and IESG review. > > > #9 - Enterprise section: I recommend that you also tighten up this language > so it is not about content censorship in any way. > > access to (or isolation from) > various web sites or social media applications > > Enterprise: "service requests for enterprise flow security policies and > managed security services > > Flow security policies identify and block malicious activities > during access to (or isolation from) web sites or social media > applications. > Managed security services for an enterprise may include detection > and mitigation of external and internal threats. > External threats can include application or phishing attacks, > malware, > botnet, DDoS, and others. This is better, thanks. > > #10 Section 4.3.2: >>I'm having a little trouble with the following sentence and think the >>point > is made in the previous 2 sentences, so I think it is safe to >>drop: >> > > Without automation, it is virtually >> impossible for clients to dynamically specify their desired rules for > > their traffic. > >> Then the following sentence is more of a requirement, but is in the >> use > case section, so should it be written a little differently? > >Another feature that aids automation of firewalls that must be > > covered in automation is dynamic key management. > > Sue: Merged last 2 paragraphs to: > > Even though most vendors support similar firewall features, the > actual rule configuration keywords are different from vendors to > vendors, making it difficult for automation. Automation works best > when it can leverage a common set of standards that will work > across > NSFs by multiple vendors and utilize dynamic key management. Looks good, thanks. > > #11 - Section 4.3.4: I wouldn't refer to DLP as a 'new' class of service. > Removed > > > Nits: > General - check acronyms to just expand on first use. I think there are a > few cases where acronyms are redefined multiple times in the document. > > Section 3.1.1 > > s/IP-sec gateways/ IPsec gateways/ > > Last sentence in this section could be written more clearly, I get what it > is saying, but it could be improved: > 'There exist various network security monitoring > vendor-specific interfaces for forensics and troubleshooting.' > > Section 3.1.9 > s/IPSec/IPsec/ > > Section 3.4: Last line > s/raise raise/raise/ > > Section 3.5: > s/standrd/standard/ > > Section 4.3.2 > I think this is the first place I saw FWs in the docuemnt. It's easy enough > to just spell it out, so please do! > -- > > Best regards, > Kathleen > > _______________________________________________ > I2nsf mailing list > I2nsf@ietf.org > https://www.ietf.org/mailman/listinfo/i2nsf > Thanks, Sue! I didn't have time to look at the draft, just the text provided and we are close, thanks! -- Best regards, Kathleen
- [I2nsf] AD review of draft-ietf-i2nsf-problem-and… Kathleen Moriarty
- Re: [I2nsf] AD review of draft-ietf-i2nsf-problem… Susan Hares
- Re: [I2nsf] AD review of draft-ietf-i2nsf-problem… Susan Hares
- Re: [I2nsf] AD review of draft-ietf-i2nsf-problem… Susan Hares
- Re: [I2nsf] AD review of draft-ietf-i2nsf-problem… Kathleen Moriarty