[I2nsf] "draft-dunbar-i2nsf-problem-statement-02.txt" - few comments.

Alexey Gorbunov <alexey.gorbunov82@gmail.com> Wed, 18 March 2015 01:20 UTC

Date: Tue, 17 Mar 2015 20:20:26 -0500
Message-ID: <CAJd_XJi5urj_0WYeeTOJnD-gyTB60JHQOCd-fZvtxo0y2fw4+g@mail.gmail.com>
From: Alexey Gorbunov <alexey.gorbunov82@gmail.com>
To: i2nsf@ietf.org
Archived-At: <http://mailarchive.ietf.org/arch/msg/i2nsf/at-MfLHErYVc4-wcK_AnN4lPK7w>
Subject: [I2nsf] "draft-dunbar-i2nsf-problem-statement-02.txt" - few comments.

Hi Folks


Just read "draft-dunbar-i2nsf-problem-statement-02.txt" and would like to
share my thoughts and concerns. From my point of view it’s better not to
focus on the specific names but on the functionality of the network security
function itself. Most probably the main use case for an NSF is a virtual
firewall with IPS/IDS and VPN capabilities. Openstack is the ideal
candidate for NSF.


We already have a virtual firewall, and it's good to look at its features and
functionality. I summarized most of the firewall features below:


*- Access-list.*  Defines which traffic is allowed to enter and pass the
firewall.

It's covered in https://tools.ietf.org/html/draft-ietf-netmod-acl-model-02

*- Policy.*  Defines which traffic is allowed to pass the firewall and in
which direction.

*- DoS protection:*  multicast and broadcast rate limiting; DHCP and ARP
protection and rate limiting; limitation of the number of MAC addresses.

*- “Screens”*  – Juniper calls it screens; Cisco doesn’t have a name for it.
Basically it’s protection against well-known network attacks.

*- “Intrusion prevention”* – Signatures of any malicious activity.

*- VPN PKI* – configuration of IPsec with PKI.

*- Control-plane protection of the firewall itself.*

*- L7 filtering and proxy.*

*- Application detection.*  Some applications use TCP port 80, and most
firewalls can detect it.

*- Monitoring and reporting traffic.*  Something similar to Openflow, Jflow,
etc.

What exactly is going to be covered by i2nsf? Is i2nsf going to meet in
Dallas at IETF 92?

Thanks everybody for your attention to this email.

Alexey Gorbunov

Telco Cloud and Security Architect at Nokia

CCIE R&S 41088