Re: [I2nsf] Will you provide more details on the Rules' Information model in draft-kumar-i2nsf-client-facing-interface-im-00.txt?

Rakesh Kumar <rkkumar@juniper.net> Wed, 02 November 2016 16:16 UTC

From: Rakesh Kumar <rkkumar@juniper.net>
To: Linda Dunbar <linda.dunbar@huawei.com>, "i2nsf@ietf.org" <i2nsf@ietf.org>
Date: Wed, 02 Nov 2016 16:15:49 +0000
Archived-At: <https://mailarchive.ietf.org/arch/msg/i2nsf/gQ5tskT4opBZGYog3wAsN8dIe-g>
Cc: Adrian Farrel <afarrel@juniper.net>
Subject: Re: [I2nsf] Will you provide more details on the Rules' Information model in draft-kumar-i2nsf-client-facing-interface-im-00.txt?

Hi Linda,

One more thing regarding how a policy/rule is to be enforced. We see two distinct requirements:


1. Static security posture --> The security admin determines what security policies need to be enforced in their network based on their business needs (access policies such as who can access what) and/or regulatory compliance (HIPAA, FISA). These policies usually stay in the network unless manually removed. In my experience, the majority of security policies fall under this category.

2. Dynamic security posture --> Some of the policies may be created but not always enforced. A security admin may want to increase or decrease its security posture based on an event. The event could be time-based or threat-based. For example, a policy is enforced only during the weekend or a policy is enforced only when a DDoS event is detected.

I don’t have any name for the first one, but the second one is ECA (Event Condition Action). We wanted to take both of them for interfaces to be meaningful in the real security world. I hope this clarifies our thinking. We can add a section in our draft to put similar text there if you think that would be helpful.

Thanks & Regards,
Rakesh
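
The two enforcement modes described in this message, as an added example that is not part of the original e-mail or of the draft: a static rule has no event and is always active, while an ECA rule is evaluated only while its event holds. All rule names, fields and the default-permit fallback are hypothetical choices made for illustration.

```python
from dataclasses import dataclass
from datetime import datetime
from typing import Callable, Optional

@dataclass(frozen=True)
class Rule:
    name: str
    condition: Callable[[dict], bool]                # does the flow match?
    action: str                                      # "permit" or "deny"
    event: Optional[Callable[[dict], bool]] = None   # None => static rule

# Events read the controller's context (hypothetical keys: "now", "alerts").
def is_weekend(ctx: dict) -> bool:
    return ctx["now"].weekday() >= 5                 # Saturday=5, Sunday=6

def ddos_detected(ctx: dict) -> bool:
    return "ddos" in ctx["alerts"]

RULES = [
    # Static posture: stays enforced until an admin removes it.
    Rule("block-telnet", lambda f: f["dport"] == 23, "deny"),
    # Dynamic posture, time-based event.
    Rule("weekend-no-ssh", lambda f: f["dport"] == 22, "deny", event=is_weekend),
    # Dynamic posture, threat-based event.
    Rule("ddos-drop-udp", lambda f: f["proto"] == "udp", "deny", event=ddos_detected),
]

def active_rules(rules, ctx):
    """Rules currently in force: all static rules plus ECA rules whose event holds."""
    return [r for r in rules if r.event is None or r.event(ctx)]

def decide(rules, ctx, flow, default="permit"):
    """First matching active rule wins; returns (action, rule name or None)."""
    for rule in active_rules(rules, ctx):
        if rule.condition(flow):
            return rule.action, rule.name
    return default, None                             # assumed fallback

if __name__ == "__main__":
    # Constructed sample context and flow.
    saturday = {"now": datetime(2016, 11, 5, 10, 0), "alerts": set()}
    ssh = {"proto": "tcp", "dport": 22}
    print([r.name for r in active_rules(RULES, saturday)])
    print(decide(RULES, saturday, ssh))
```
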


From: I2nsf <i2nsf-bounces@ietf.org> on behalf of Rakesh Kumar <rkkumar@juniper.net>
Date: Tuesday, November 1, 2016 at 11:56 AM
To: Linda Dunbar <linda.dunbar@huawei.com>, "i2nsf@ietf.org" <i2nsf@ietf.org>
Cc: Adrian Farrel <afarrel@juniper.net>
Subject: Re: [I2nsf] Will you provide more details on the Rules' Information model in draft-kumar-i2nsf-client-facing-interface-im-00.txt?

Hi Linda,

Thanks a lot for the review.

One of the biggest challenges in the security world today is that it is too complex, with each vendor having their own set of features and functionality exposed in a very proprietary manner. We have to simplify this with the I2NSF client-facing interface so that a security admin can express their business needs without having to worry about the complexity.

It is very important that security requirements be expressed by the security admin with simple rules. But it is easier said than done; this is one of the most complex problems: how to make rules simple but at the same time able to capture a wide variety of use-cases in different environments.

The work done so far in this draft is just the beginning and we should brainstorm and see how to make it more complete. I will look at the link you have sent and see how to leverage from there. Even if we develop very generic rules, we still need to define some basic constructs which would be used to build a policy. We have taken a step in that direction, but this is just a start and work will continue with ideas from folks in this WG.


Regards,
Rakesh

From: Linda Dunbar <linda.dunbar@huawei.com>
Date: Tuesday, November 1, 2016 at 10:55 AM
To: Rakesh Kumar <rkkumar@juniper.net>, "i2nsf@ietf.org" <i2nsf@ietf.org>
Cc: Adrian Farrel <afarrel@juniper.net>
Subject: RE: [I2nsf] Will you provide more details on the Rules' Information model in draft-kumar-i2nsf-client-facing-interface-im-00.txt?

Rakesh,

By the way, the I2NSF framework has specified the use of ECA (Event Condition Action) to describe “Rules”.
https://datatracker.ietf.org/doc/draft-xibassnez-i2nsf-capability/ has the detailed description of the “Rules” information model.

Is there any issue with utilizing that information model?

Thanks,
Linda

From: I2nsf [mailto:i2nsf-bounces@ietf.org] On Behalf Of Linda Dunbar
Sent: November 1, 2016 12:10
To: Rakesh Kumar <rkkumar@juniper.net>; i2nsf@ietf.org
Cc: Adrian Farrel <afarrel@juniper.net>
Subject: [I2nsf] Will you provide more details on the Rules' Information model in draft-kumar-i2nsf-client-facing-interface-im-00.txt?

Rakesh,

Thank you very much for contributing the draft. Just curious, the current IM for Rules doesn't have much detail:


[cid:image001.jpg@01D234E9.B3807410]

Will you add more in a future revision?

Linda Dunbar

-----Original Message-----
From: I2nsf [mailto:i2nsf-bounces@ietf.org] On Behalf Of Rakesh Kumar
Sent: October 31, 2016 12:14
To: i2nsf@ietf.org
Cc: Adrian Farrel <afarrel@juniper.net>; Linda Dunbar <linda.dunbar@huawei.com>
Subject: [I2nsf] FW: New Version Notification for draft-kumar-i2nsf-client-facing-interface-im-00.txt

We posted a new draft that captures an information model for the client-facing interfaces based on “draft-ietf-i2nsf-client-facing-interface-req”.
This is an initial version; we plan to update this as we evolve based on new requirements and information.


Thanks & Regards,
Rakesh and other co-authors.


On 10/31/16, 10:08 AM, "internet-drafts@ietf.org" <internet-drafts@ietf.org> wrote:


    A new version of I-D, draft-kumar-i2nsf-client-facing-interface-im-00.txt
    has been successfully submitted by Rakesh Kumar and posted to the
    IETF repository.

    Name:               draft-kumar-i2nsf-client-facing-interface-im
    Revision:   00
    Title:              Information model for Client-Facing Interface to Security Controller
    Document date:      2016-10-31
    Group:              Individual Submission
    Pages:              17
    URL:            https://www.ietf.org/internet-drafts/draft-kumar-i2nsf-client-facing-interface-im-00.txt
    Status:         https://datatracker.ietf.org/doc/draft-kumar-i2nsf-client-facing-interface-im/
    Htmlized:       https://tools.ietf.org/html/draft-kumar-i2nsf-client-facing-interface-im-00


    Abstract:
       This document defines information model for the client-facing
       interface to security controller based on the requirements identified
       in the [I-D.kumar-i2nsf-client-facing-interface-req].  The
       information model defines various managed objects and the
       relationship among these objects needed to build the client
       interfaces.




    Please note that it may take a couple of minutes from the time of submission
    until the htmlized version and diff are available at tools.ietf.org.

    The IETF Secretariat


