[I2nsf] draft-dunbar-i2nsf-problem-statement
Kathleen Moriarty <kathleen.moriarty.ietf@gmail.com> Thu, 12 February 2015 14:53 UTC
Return-Path: <kathleen.moriarty.ietf@gmail.com>
X-Original-To: i2nsf@ietfa.amsl.com
Delivered-To: i2nsf@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 3BA981A8A92 for <i2nsf@ietfa.amsl.com>; Thu, 12 Feb 2015 06:53:11 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.999
X-Spam-Level:
X-Spam-Status: No, score=-1.999 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id iK4coic8Gsz5 for <i2nsf@ietfa.amsl.com>; Thu, 12 Feb 2015 06:53:07 -0800 (PST)
Received: from mail-lb0-x22d.google.com (mail-lb0-x22d.google.com [IPv6:2a00:1450:4010:c04::22d]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 1896A1A901C for <I2nsf@ietf.org>; Thu, 12 Feb 2015 06:52:14 -0800 (PST)
Received: by mail-lb0-f173.google.com with SMTP id n10so10037271lbv.4 for <I2nsf@ietf.org>; Thu, 12 Feb 2015 06:52:12 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:date:message-id:subject:from:to:content-type; bh=8XKaah89YeMNVe/KheQstGpFi++BBPNd102c9tipT6A=; b=vwSV8d58eYZRIfF0BCP6g+S3Af8E2i22fpb7gGex8d0Mk9XSFhdxoOw2wXa/NwQThA Dg1C4+YL1TqdbhZloVTZf5gJ5wVTErMnxTNKzjIiGeCdOyTc8+RpM575qGwPeU+U+j18 nGUNtKnM/kt9uPnKXG4wupnPjWdSSbhBkHqadISGLwLmSEhyYWjf0nwq1BpW75hkIgwU 8ILC7vLjDxHDeJK5jkh494dufC5W5A9qNVXpu+MPeAWhAilMFa5tvdoWOqbwX1IxyA7U SbWlo2SoisXieLnUghmkIhPT98dB5px9RaajiOXsnL2INZdlto17egz3NKtRTk3xNt6T buVA==
MIME-Version: 1.0
X-Received: by 10.112.61.228 with SMTP id t4mr3895853lbr.0.1423752732357; Thu, 12 Feb 2015 06:52:12 -0800 (PST)
Received: by 10.112.167.101 with HTTP; Thu, 12 Feb 2015 06:52:12 -0800 (PST)
Date: Thu, 12 Feb 2015 09:52:12 -0500
Message-ID: <CAHbuEH5RmLTk3X0_-zdXgiH6xZap_feBdF_z4q-Mj+OSRGEVVg@mail.gmail.com>
From: Kathleen Moriarty <kathleen.moriarty.ietf@gmail.com>
To: "i2nsf@ietf.org" <I2nsf@ietf.org>
Content-Type: multipart/alternative; boundary="001a11c3e9c8dc3813050ee54337"
Archived-At: <http://mailarchive.ietf.org/arch/msg/i2nsf/g68yrpXQx_ooTzmpzpyziTEbk6o>
Subject: [I2nsf] draft-dunbar-i2nsf-problem-statement
X-BeenThere: i2nsf@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "*I2NSF: Interface to Network Security Functions mailing list*" <i2nsf.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/i2nsf>, <mailto:i2nsf-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/i2nsf/>
List-Post: <mailto:i2nsf@ietf.org>
List-Help: <mailto:i2nsf-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/i2nsf>, <mailto:i2nsf-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 12 Feb 2015 14:53:11 -0000
Hello, In reviewing draft-dunbar-i2nsf-problem-statement, I see that this draft also covers use cases. Having 4 different drafts with use cases is problematic as the scope seems unwieldy. There is plenty of overlap between drafts, but I recommend the group narrows down the number of drafts to better focus the efforts. Having them within the framework may make sense. It's also fine to have use cases in either a separate draft that may not get published or on a wiki to maintain as the work definition evolves. In many cases, the use cases don't need to be published, so the wiki model could work to consolidate the numerous efforts put forth by list members. This draft also uses the word "cloud", it would be more clear if the draft instead stated the scope so the reader would understand if it's a managed data center or the data center crosses administrative domains, etc. The scope stated in the following section is quite broad: There are two aspects of the I2NSF work: - Service Layer, which is for clients to express, monitor, or manage their desired security policies for their designated traffic. This layer will leverage the existing protocols in RESTconf, AAA, SACM, and security policy expression using Role Based Access Control (RBAC), Mandatory Access Control (MAC), or Attribute based access control (ABAC). - Functional layer, which is to specify the proper interface to the individual security functions or function instances when overall policies are enforced by a collection of security functions located in multiple premises. Although it is good to leverage existing work, how much of this work could be done in the mentioned working groups? SACM is starting to look at information models, could some of that be proposed in drafts to that WG? I'd like to understand more on the access control statements as it is not clear where that fits in from the current materials and if it changes with the flow-based discussions (I'm not sure if that was agreed upon or not yet). If that doesn't meet the need of the BoF proponents, we need to hear that on list as well. Section 3, for the pinhole example, I think you can fit this into service definitions where the ports would already be defined and it may get opened for a user or set of to/from addresses. I think this would help you get around the vendor agnostic issues as your service definitions might reside at the service provider and include specific requirements for the particular firewall in question. I need to dig into PCP and Midcom a bit more, so if what I am describing has been done, the existing work should be leveraged. Discussion of VPN clients in this section needs to be further distinguished from SUPA, which should be easy enough to do as this applies to tenants, or it should be removed if it is now out-of-scope. Summary: I think this work is progressing and will be valuable once the scope is clear not only in a charter, but also in the supporting drafts. I'll need to know if that scope is agreed to by those on list: is the scope allowing for policy configuration of a few devices such as firewall and IPS or will it switch to flow-based? Could the team continue to work on the scope, then update and consolidate the drafts to reflect the more clearly defined scope (once it is agreed upon)? Understanding how you might achieve the vendor agnostic policy management in either scope will be important to understating if this effort can be successful. I did provide an option that I think could work in my feedback if the WG chooses the firewall/IPS direction or maybe others on list have thought through this more and have methods that would be better. Thank you. -- Best regards, Kathleen
- [I2nsf] draft-dunbar-i2nsf-problem-statement Kathleen Moriarty