IETF Logo Mail Archive

[I2nsf] 答复: 答复: 转发: New Version Notification for draft-dong-i2nsf-asf-config-00.txt

"Xialiang (Frank, Network Integration Technology Research Dept)" <frank.xialiang@huawei.com> Tue, 17 July 2018 10:08 UTC

Return-Path: <frank.xialiang@huawei.com>
X-Original-To: i2nsf@ietfa.amsl.com
Delivered-To: i2nsf@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id ED9D3130DE0 for <i2nsf@ietfa.amsl.com>; Tue, 17 Jul 2018 03:08:08 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.891
X-Spam-Level:
X-Spam-Status: No, score=-1.891 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, SPF_PASS=-0.001, T_FILL_THIS_FORM_SHORT=0.01] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id DU5S4w3u0PyW for <i2nsf@ietfa.amsl.com>; Tue, 17 Jul 2018 03:08:05 -0700 (PDT)
Received: from huawei.com (lhrrgout.huawei.com [185.176.76.210]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 41160130DC1 for <i2nsf@ietf.org>; Tue, 17 Jul 2018 03:08:05 -0700 (PDT)
Received: from lhreml705-cah.china.huawei.com (unknown [172.18.7.106]) by Forcepoint Email with ESMTP id 9AF955CCD460D; Tue, 17 Jul 2018 11:07:58 +0100 (IST)
Received: from DGGEML403-HUB.china.huawei.com (10.3.17.33) by lhreml705-cah.china.huawei.com (10.201.108.46) with Microsoft SMTP Server (TLS) id 14.3.399.0; Tue, 17 Jul 2018 11:07:59 +0100
Received: from DGGEML522-MBX.china.huawei.com ([169.254.7.38]) by DGGEML403-HUB.china.huawei.com ([fe80::74d9:c659:fbec:21fa%31]) with mapi id 14.03.0382.000; Tue, 17 Jul 2018 18:07:51 +0800
From: "Xialiang (Frank, Network Integration Technology Research Dept)" <frank.xialiang@huawei.com>
To: "Diego R. Lopez" <diego.r.lopez@telefonica.com>, "Dongyue (Yue, Network Integration Technology Research Dept)" <dongyue6@huawei.com>, "i2nsf@ietf.org" <i2nsf@ietf.org>
Thread-Topic: 答复: [I2nsf] 转发: New Version Notification for draft-dong-i2nsf-asf-config-00.txt
Thread-Index: AQHUHQxoRbH2h0RmukS/8yvnXxiFTqSTMSlg
Date: Tue, 17 Jul 2018 10:07:51 +0000
Message-ID: <C02846B1344F344EB4FAA6FA7AF481F12BE6A471@DGGEML522-MBX.china.huawei.com>
References: <84269F33-45B3-4E85-8E75-27A535C706BC@telefonica.com>
In-Reply-To: <84269F33-45B3-4E85-8E75-27A535C706BC@telefonica.com>
Accept-Language: zh-CN, en-US
Content-Language: zh-CN
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [10.124.182.169]
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: base64
MIME-Version: 1.0
X-CFilter-Loop: Reflected
Archived-At: <https://mailarchive.ietf.org/arch/msg/i2nsf/nD1cU0l1R-Qrq0iLk1nV5HMFSjE>
Subject: [I2nsf] 答复: 答复: 转发: New Version Notification for draft-dong-i2nsf-asf-config-00.txt
X-BeenThere: i2nsf@ietf.org
X-Mailman-Version: 2.1.27
Precedence: list
List-Id: "*I2NSF: Interface to Network Security Functions mailing list*" <i2nsf.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/i2nsf>, <mailto:i2nsf-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/i2nsf/>
List-Post: <mailto:i2nsf@ietf.org>
List-Help: <mailto:i2nsf-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/i2nsf>, <mailto:i2nsf-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 17 Jul 2018 10:08:09 -0000

Hi Diego,
We got your point, which makes sense.
We will consider how to make the security capability to be abstract and general enough, and independent with any particular kind of device. Although it's not so straightforward to achieve, it is indeed the right direction.

Thanks!

B.R.
Frank

-----邮件原件-----
发件人: Diego R. Lopez [mailto:diego.r.lopez@telefonica.com] 
发送时间: 2018年7月16日 21:54
收件人: Xialiang (Frank, Network Integration Technology Research Dept) <frank.xialiang@huawei.com>; Dongyue (Yue, Network Integration Technology Research Dept) <dongyue6@huawei.com>; i2nsf@ietf.org
主题: Re: 答复: [I2nsf] 转发: New Version Notification for draft-dong-i2nsf-asf-config-00.txt

If you associate a capability action (let's say collect-attack-evidence-enable) with a particular kind of device (as part of the antivirus branch) I would not be able to declare or use that particular capability unless the provider has stated the function is an antivirus, and therefore consider all the other capabilities for the antivirus. What is more, this prevents to have a common semantics for something like collect-attack-evidence-enable if you have to declare it under other branches. My understanding is that we have to deal with flat enumeration of capabilities, but I might be completely mistaken from the beginning...

Be goode,

--
"Esta vez no fallaremos, Doctor Infierno"

Dr Diego R. Lopez
Telefonica I+D
https://www.linkedin.com/in/dr2lopez/

e-mail: diego.r.lopez@telefonica.com
Tel:         +34 913 129 041
Mobile:  +34 682 051 091
----------------------------------

On 16/07/2018, 08:55, "Xialiang (Frank, Network Integration Technology Research Dept)" <frank.xialiang@huawei.com> wrote:

    Hi Diego,
    Thanks for your quick comments. In general, we agree with you that they should be as the various capabilities to be applied.
    But could you please clarify more about what is the difference to be as capability model vs yang grouping model definition?

    Thanks!

    B.R.
    Frank

    -----邮件原件-----
    发件人: Diego R. Lopez [mailto:diego.r.lopez@telefonica.com]
    发送时间: 2018年7月16日 20:00
    收件人: Dongyue (Yue, Network Integration Technology Research Dept) <dongyue6@huawei.com>; i2nsf@ietf.org
    抄送: Xialiang (Frank, Network Integration Technology Research Dept) <frank.xialiang@huawei.com>
    主题: Re: [I2nsf] 转发: New Version Notification for draft-dong-i2nsf-asf-config-00.txt

    Hi,

    My general comment to these definitions (and others that may come) is that we should try to deal with them in terms of capabilities, and not in terms of groupings associated to current (virtual or physical) devices. As an example, rather than thinking of "antivirus", I'd propose to think about "content analysis" or "content scanning" capabilities.

    Be goode,

    --
    "Esta vez no fallaremos, Doctor Infierno"

    Dr Diego R. Lopez
    Telefonica I+D
    https://www.linkedin.com/in/dr2lopez/

    e-mail: diego.r.lopez@telefonica.com
    Tel:         +34 913 129 041
    Mobile:  +34 682 051 091
    ----------------------------------

    On 16/07/2018, 07:02, "I2nsf on behalf of Dongyue (Yue, Network Integration Technology Research Dept)" <i2nsf-bounces@ietf.org on behalf of dongyue6@huawei.com> wrote:

        Dear all,

        The action part of the NSF-facing data model listed many security function actions, such as antivirus, ips, ids, and etc, that will be applid on traffic flow when the event and condition clauses are satisfied. However, I think it only list the corresponding names. And each type of the secuity function action (i.e. ips, antivirus, etc.) should have many selective profiles that could be executed. Therefore, we proposed a draft, draf-dong-i2nsf-asf-config-00, that specifies the configuration detail for each of the security function profile settings. And the NSF-facing data model is able to reference these profiles.

        This -00 version of draft only contains the antivirus, ips, and anti-ddos profiles.

        * Antivirus: The following figure shows the top-level tree diagram for antivirus profile settings. Each profile contains the configuration data for detection methods, detection configurations, signature exceptions, application exceptions, and the white lists configruations.

            +--rw antivirus
               +--rw antivirus-enable
               +--rw profiles
                  +--rw profile *  [name]
                  +--rw name
                  +--rw description
                  +--rw collect-attack-evidence-enable
                  +--rw sandbox-detection-enable
                  +--rw heuristic-detection-enable
                  +--rw detect*  [protocol]
                  |  . . .
                  +--rw exception-application* [application-name]
                  |  . . .
                  +--rw exception-signature*  [signature-id]
                  |  . . .
                  +--rw white-list
                     . . .

        * IPS: The following figure shows the top-level tree diagram for IPS profile settings. Each profile contains the configuration data for signature sets, signature exceptions, and protocol control.

            +--rw ips-config
               +--rw ips-enable
               +--rw profiles
                  +--rw profile*  [name]
                  +  . . .
                  +--rw domain-filter
                  |  . . .
                  +--rw signature-sets
                  |  . . .
                  +--rw exception-signatures
                  |  . . .
                  +--rw protocol-control
                     +--rw dns-check
                     | . . .
                     +--rw http-check
                       . . .

        * Anti-ddos: The anti-ddos part contains the configruation of the alter rate and/or maximum speed/bandwidth to trigger the prevention functions for each type of DDoS attacks.

        For more details, please review the draft: https://tools.ietf.org/html/draft-dong-i2nsf-asf-config-00

        We would like to obatain comments from i2nsf WG. Is this draft valuable as an individual draft and will the NSF-facing data model reference these profiles?
        We will appreciate all the comments from I2NSF WG.

        Best Regards,
        Yue

        -----邮件原件-----
        发件人: I2nsf [mailto:i2nsf-bounces@ietf.org] 代表 Dongyue (Yue, Network Integration Technology Research Dept)
        发送时间: 2018年6月30日 15:11
        收件人: i2nsf@ietf.org
        抄送: Xialiang (Frank, Network Integration Technology Research Dept) <frank.xialiang@huawei.com>
        主题: [I2nsf] 转发: New Version Notification for draft-dong-i2nsf-asf-config-00.txt

        Dear All,

        We have submitted a new draft about the nsf-facing interface data model for configuration of some advanced security functions including antivirus, antiddos, and ips. We will appreciate all comments.

        Best Regards,
        Yue

        -----邮件原件-----
        发件人: internet-drafts@ietf.org [mailto:internet-drafts@ietf.org]
        发送时间: 2018年6月30日 15:06
        收件人: Dongyue (Yue, Network Integration Technology Research Dept) <dongyue6@huawei.com>; Xialiang (Frank, Network Integration Technology Research Dept) <frank.xialiang@huawei.com>
        主题: New Version Notification for draft-dong-i2nsf-asf-config-00.txt


        A new version of I-D, draft-dong-i2nsf-asf-config-00.txt
        has been successfully submitted by Yue Dong and posted to the IETF repository.

        Name:draft-dong-i2nsf-asf-config
        Revision:00
        Title:Configuration of Advanced Security Functions with I2NSF Security Controller
        Document date:2018-06-30
        Group:Individual Submission
        Pages:29
        URL:            https://www.ietf.org/internet-drafts/draft-dong-i2nsf-asf-config-00.txt
        Status:         https://datatracker.ietf.org/doc/draft-dong-i2nsf-asf-config/
        Htmlized:       https://tools.ietf.org/html/draft-dong-i2nsf-asf-config-00
        Htmlized:       https://datatracker.ietf.org/doc/html/draft-dong-i2nsf-asf-config


        Abstract:
           This draft defines a network security function (NSF-) facing
           interface of the security controller for the purpose of configuring
           some advanced security functions.  These advanced security functions
           include antivirus, anti-ddos, and intrusion prevention system (IPS).
           The interface is presented in a YANG data model fashion and can be
           used to deploy a large amount of NSF blocks that all support above
           mentioned functions in the software defined network (SDN) based
           paradigm.




        Please note that it may take a couple of minutes from the time of submission until the htmlized version and diff are available at tools.ietf.org.

        The IETF Secretariat

        _______________________________________________
        I2nsf mailing list
        I2nsf@ietf.org
        https://www.ietf.org/mailman/listinfo/i2nsf
        _______________________________________________
        I2nsf mailing list
        I2nsf@ietf.org
        https://www.ietf.org/mailman/listinfo/i2nsf



    ________________________________

    Este mensaje y sus adjuntos se dirigen exclusivamente a su destinatario, puede contener información privilegiada o confidencial y es para uso exclusivo de la persona o entidad de destino. Si no es usted. el destinatario indicado, queda notificado de que la lectura, utilización, divulgación y/o copia sin autorización puede estar prohibida en virtud de la legislación vigente. Si ha recibido este mensaje por error, le rogamos que nos lo comunique inmediatamente por esta misma vía y proceda a su destrucción.

    The information contained in this transmission is privileged and confidential information intended only for the use of the individual or entity named above. If the reader of this message is not the intended recipient, you are hereby notified that any dissemination, distribution or copying of this communication is strictly prohibited. If you have received this transmission in error, do not read it. Please immediately reply to the sender that you have received this communication in error and then delete it.

    Esta mensagem e seus anexos se dirigem exclusivamente ao seu destinatário, pode conter informação privilegiada ou confidencial e é para uso exclusivo da pessoa ou entidade de destino. Se não é vossa senhoria o destinatário indicado, fica notificado de que a leitura, utilização, divulgação e/ou cópia sem autorização pode estar proibida em virtude da legislação vigente. Se recebeu esta mensagem por erro, rogamos-lhe que nos o comunique imediatamente por esta mesma via e proceda a sua destruição



________________________________

Este mensaje y sus adjuntos se dirigen exclusivamente a su destinatario, puede contener información privilegiada o confidencial y es para uso exclusivo de la persona o entidad de destino. Si no es usted. el destinatario indicado, queda notificado de que la lectura, utilización, divulgación y/o copia sin autorización puede estar prohibida en virtud de la legislación vigente. Si ha recibido este mensaje por error, le rogamos que nos lo comunique inmediatamente por esta misma vía y proceda a su destrucción.

The information contained in this transmission is privileged and confidential information intended only for the use of the individual or entity named above. If the reader of this message is not the intended recipient, you are hereby notified that any dissemination, distribution or copying of this communication is strictly prohibited. If you have received this transmission in error, do not read it. Please immediately reply to the sender that you have received this communication in error and then delete it.

Esta mensagem e seus anexos se dirigem exclusivamente ao seu destinatário, pode conter informação privilegiada ou confidencial e é para uso exclusivo da pessoa ou entidade de destino. Se não é vossa senhoria o destinatário indicado, fica notificado de que a leitura, utilização, divulgação e/ou cópia sem autorização pode estar proibida em virtude da legislação vigente. Se recebeu esta mensagem por erro, rogamos-lhe que nos o comunique imediatamente por esta mesma via e proceda a sua destruição

v2.23.0 | Report a Bug | By Email