Re: [I2nsf] "draft-dunbar-i2nsf-problem-statement-02.txt" - few comments.
Alexey Gorbunov <alexey.gorbunov82@gmail.com> Thu, 19 March 2015 00:24 UTC
Return-Path: <alexey.gorbunov82@gmail.com>
X-Original-To: i2nsf@ietfa.amsl.com
Delivered-To: i2nsf@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 15ED41AC39C for <i2nsf@ietfa.amsl.com>; Wed, 18 Mar 2015 17:24:31 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.149
X-Spam-Level:
X-Spam-Status: No, score=-1.149 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_ENVFROM_END_DIGIT=0.25, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, J_CHICKENPOX_16=0.6, SPF_PASS=-0.001] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id xopPB68Z1DNm for <i2nsf@ietfa.amsl.com>; Wed, 18 Mar 2015 17:24:29 -0700 (PDT)
Received: from mail-wi0-x232.google.com (mail-wi0-x232.google.com [IPv6:2a00:1450:400c:c05::232]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 8E9481AC3B5 for <i2nsf@ietf.org>; Wed, 18 Mar 2015 17:24:28 -0700 (PDT)
Received: by wixw10 with SMTP id w10so955424wix.0 for <i2nsf@ietf.org>; Wed, 18 Mar 2015 17:24:27 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type; bh=Md8ojTPXgMAQo57EJR4JE1Ntio/amBROCam6/5SvLLU=; b=ZEOi2AbJyu/eiyajRWR7sgY549eX3OPuzd5V3Q4zwlIUJyzSezDz1zscCrIOFdT5Hj HS8MDhO6583elQrqo7RGOk37uoMpxByWYJYiXpduW+hFMu2/c6Bdp3jOyA+ozqtmpTXm 6sJPvQQ0Otj9GcIo8/ojsKpakaOOOprkISO8f2sEOORqmGe77/jyga9bNLD4fpksvrUW hEU8v+dQAXNgO4vYKoKsDrZPaIFRHrcBgQS1QOnw3OEtmtgHcQnAUihkfisvjj9beFKA dGYMiw2NZQM7i1vxgpPXFzndaCWpOPGqhqMrM06N6C+7wLsmmOJ8aRh6vCWOxyE72Kq8 5m4Q==
MIME-Version: 1.0
X-Received: by 10.180.103.40 with SMTP id ft8mr11805260wib.68.1426724667317; Wed, 18 Mar 2015 17:24:27 -0700 (PDT)
Received: by 10.28.227.194 with HTTP; Wed, 18 Mar 2015 17:24:27 -0700 (PDT)
In-Reply-To: <4A95BA014132FF49AE685FAB4B9F17F657BF5B13@dfweml701-chm>
References: <CAJd_XJi5urj_0WYeeTOJnD-gyTB60JHQOCd-fZvtxo0y2fw4+g@mail.gmail.com> <4A95BA014132FF49AE685FAB4B9F17F657BF5B13@dfweml701-chm>
Date: Wed, 18 Mar 2015 19:24:27 -0500
Message-ID: <CAJd_XJiHmc_7FfMvTZ0tuANFMhia8jHM_0_E7ZGVW7RjEutizg@mail.gmail.com>
From: Alexey Gorbunov <alexey.gorbunov82@gmail.com>
To: Linda Dunbar <linda.dunbar@huawei.com>
Content-Type: multipart/alternative; boundary="f46d044282acfce6540511993837"
Archived-At: <http://mailarchive.ietf.org/arch/msg/i2nsf/hyz5kFwcX-DvCIkaspXYI76GFRQ>
Cc: "i2nsf@ietf.org" <i2nsf@ietf.org>
Subject: Re: [I2nsf] "draft-dunbar-i2nsf-problem-statement-02.txt" - few comments.
X-BeenThere: i2nsf@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "*I2NSF: Interface to Network Security Functions mailing list*" <i2nsf.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/i2nsf>, <mailto:i2nsf-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/i2nsf/>
List-Post: <mailto:i2nsf@ietf.org>
List-Help: <mailto:i2nsf-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/i2nsf>, <mailto:i2nsf-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 19 Mar 2015 00:24:31 -0000
Hi Linda Thanks for your reply and clarification of my questions. I agree that mentioned rfc draft isn't comprehensive enough. Have you already started "Flow Based Security Functions"? Do you have link to this draft? Linda, is I2NSF participants are going to meet in Dallas at IETF 92? I think it would be quite efficient to discuss ideas during IETF. “Screens” - are basic attack and settings. Like allowing or denying ip fragments. Regarding your question "Is there any run time policy (based on some events) that can be sent to the “Screen” feature?". These settings aren't changed frequently based on some events. They are discussed, defined, configured and just stay in the running configuration. I just mention that it should be possible somehow to specify these settings. Probably with the same approach like ALC with Netconf. Anyway, that should be different topic. Br, Alexey Gorbunov Br, Alexey Gorbunov 2015-03-18 6:13 GMT-05:00 Linda Dunbar <linda.dunbar@huawei.com>: > Alexey, > > > > Thank you very much for the comments and suggestions. Yes, we have agreed > to focus on functionality instead of device name. I2NSF will start with > Flow Based Security Functions. > > > > https://tools.ietf.org/html/draft-ietf-netmod-acl-model-02 is a good > start, but not comprehensive enough. > > For example, for the Policy (that defines which traffic are allowed to > pass firewall and in which direction), it is necessary for NSF to register > which field the NSF can enforce the traffic (SA? DA? VLAN? TCP/UDP ports? > TCP flag? Direction? HTTP header? Size? Etc). such as: > > Ingress Port & match > > | > > | > > +-------+---------+--+----+--------+-------+---------+-------+ > > | | | | | | | | > > | | | | | | | | > > L3Header L2header L4 VLAN VN ID size event .. HTTP > > > > The actions can be more, some NSF only allows “Pass/Drop”, other NSFs can > support more sophisticated actions (e.g. steering to different functions, .. > > Linda > > > > > > *From:* I2nsf [mailto:i2nsf-bounces@ietf.org] *On Behalf Of *Alexey > Gorbunov > *Sent:* Tuesday, March 17, 2015 8:20 PM > *To:* i2nsf@ietf.org > *Subject:* [I2nsf] "draft-dunbar-i2nsf-problem-statement-02.txt" - few > comments. > > > > Hi Folks > > > > Just read "draft-dunbar-i2nsf-problem-statement-02.txt" and would like to > share my thoughts and concerns. From my point of view it’s better to not > focus on the specific names but on the functionality of network security > function itself. Most probably the main use case for NSF is virtual > firewall with IPS/IDS and VPN capabilities. Openstack is the ideal > candidate for NSF. > > > > We have already virtual firewall and it's good to look at it's features > and functionality. I summarized most of the firewall features below: > > > > *-Access-list*. Defines which traffic are allowed to enter and pass > firewall. > > It's covered in https://tools.ietf.org/html/draft-ietf-netmod-acl-model-02 > > *- Policy.* Defines which traffic are allowed to pass firewall and in > which direction. > > *- Dos protection:* multicast, broadcast rate limiting. DHCP, ARP > protection and rate-limiting. Limitation of mac-address numbers. > > *-“Screens”* – Juniper calls it screens, cisco doesn’t have name for it. > Basically it’s protection against well-know network attacks. > > *- “Intrusion prevention” *– Signatures of any malicious activity. > > *- VPN PKI*- configuration of IPSEC with PKI. > > *- Control-plane protection of firewall itself.* > > *- L7 filtering and proxy.* > > - *Application detection.* Some applications uses tcp port 80 and most > of the firewall can detect it. > > -* Monitoring and reporting traffic.* Something similar to Openflow, > Jflow and etc. > > What exactly is going to be covered by i2nsf? Is i2nsf going to meet in > the Dallas at IETF 92? > > Thanks everybody for attention to this email. > > Alexey Gorbunov > > Telco Cloud and Security Architect at Nokia > > CCIE R&S 41088 >
- [I2nsf] "draft-dunbar-i2nsf-problem-statement-02.… Alexey Gorbunov
- [I2nsf] "draft-dunbar-i2nsf-problem-statement-02.… Alexey Gorbunov
- [I2nsf] What kind of policy that can be dynamical… Linda Dunbar
- Re: [I2nsf] "draft-dunbar-i2nsf-problem-statement… Linda Dunbar
- Re: [I2nsf] "draft-dunbar-i2nsf-problem-statement… Alexey Gorbunov