Re: [I2nsf] draft-zhang-gap-analysis-00
John Strassner <John.sc.Strassner@huawei.com> Wed, 04 February 2015 21:12 UTC
Return-Path: <John.sc.Strassner@huawei.com>
X-Original-To: i2nsf@ietfa.amsl.com
Delivered-To: i2nsf@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id CD4D21A8862 for <i2nsf@ietfa.amsl.com>; Wed, 4 Feb 2015 13:12:34 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.61
X-Spam-Level:
X-Spam-Status: No, score=-3.61 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, J_CHICKENPOX_81=0.6, RCVD_IN_DNSWL_MED=-2.3, SPF_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id naXJjvoSNWSj for <i2nsf@ietfa.amsl.com>; Wed, 4 Feb 2015 13:12:32 -0800 (PST)
Received: from lhrrgout.huawei.com (lhrrgout.huawei.com [194.213.3.17]) (using TLSv1 with cipher RC4-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id EE9FC1A8905 for <i2nsf@ietf.org>; Wed, 4 Feb 2015 13:11:49 -0800 (PST)
Received: from 172.18.7.190 (EHLO lhreml405-hub.china.huawei.com) ([172.18.7.190]) by lhrrg01-dlp.huawei.com (MOS 4.3.7-GA FastPath queued) with ESMTP id BSC81543; Wed, 04 Feb 2015 21:11:48 +0000 (GMT)
Received: from SJCEML702-CHM.china.huawei.com (10.212.94.48) by lhreml405-hub.china.huawei.com (10.201.5.242) with Microsoft SMTP Server (TLS) id 14.3.158.1; Wed, 4 Feb 2015 21:11:47 +0000
Received: from SJCEML701-CHM.china.huawei.com ([169.254.3.133]) by SJCEML702-CHM.china.huawei.com ([169.254.4.133]) with mapi id 14.03.0158.001; Wed, 4 Feb 2015 13:11:37 -0800
From: John Strassner <John.sc.Strassner@huawei.com>
To: Susan Hares <shares@ndzh.com>, 'Dacheng Zhang' <dacheng.zdc@alibaba-inc.com>, John Strassner <John.sc.Strassner@huawei.com>, "i2nsf@ietf.org" <i2nsf@ietf.org>
Thread-Topic: [I2nsf] draft-zhang-gap-analysis-00
Thread-Index: AdA/mUi18foS0hrcRki1BYDx0IhQZwAwN0kAAAAgyAAAGPeSsA==
Date: Wed, 04 Feb 2015 21:11:36 +0000
Message-ID: <B818037A70EDCC4A86113DA25EC020981FFC6EBB@SJCEML701-CHM.china.huawei.com>
References: <02c701d03f9a$48b96f10$da2c4d30$@ndzh.com> <D0F791C3.4912%dacheng.zdc@alibaba-inc.com> <064501d04017$9cd5b0e0$d68112a0$@ndzh.com>
In-Reply-To: <064501d04017$9cd5b0e0$d68112a0$@ndzh.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: yes
X-MS-TNEF-Correlator:
x-originating-ip: [10.47.130.147]
Content-Type: multipart/related; boundary="_004_B818037A70EDCC4A86113DA25EC020981FFC6EBBSJCEML701CHMchi_"; type="multipart/alternative"
MIME-Version: 1.0
X-CFilter-Loop: Reflected
Archived-At: <http://mailarchive.ietf.org/arch/msg/i2nsf/nx6ErK2fmSrkGBoQZhmXuiO0HrQ>
Cc: Linda Dunbar <linda.dunbar@huawei.com>
Subject: Re: [I2nsf] draft-zhang-gap-analysis-00
X-BeenThere: i2nsf@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "*I2NSF: Interface to Network Security Functions mailing list*" <i2nsf.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/i2nsf>, <mailto:i2nsf-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/i2nsf/>
List-Post: <mailto:i2nsf@ietf.org>
List-Help: <mailto:i2nsf-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/i2nsf>, <mailto:i2nsf-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 04 Feb 2015 21:12:35 -0000
Sue: Correction: I did NOT say that you “do not understand ACL, RBAC, ABAC, PBAC”. In fact, I didn’t even mention ACL in my reply. The point is that in RBAC, a role is a first-class object. Your draft did not mention Role, and in your reply, you say that “Role is a logical network role for a node and not a security role”. This does not meet the needs of RBAC, since RBAC requires that roles are managed objects, not concepts. regards, John Dr. John Strassner, Ph.D. CTO, Software Laboratory, CRD [logo.gif] Futurewei Technologies US R&D Center 2330 Central Expressway Building A, office A2-2143 Santa Clara, California 95050 Office: +1.408.330.4923 Email: john.sc.strassner@huawei.com From: I2nsf [mailto:i2nsf-bounces@ietf.org] On Behalf Of Susan Hares Sent: Tuesday, February 03, 2015 5:12 PM To: 'Dacheng Zhang'; i2nsf@ietf.org Cc: Linda Dunbar Subject: Re: [I2nsf] draft-zhang-gap-analysis-00 Dacheng: Read John Strasser’s email before adding things. He things I do not understand ACL, RBAC, ABAC, PBAC… I admit you-all are better at security than I am. Sue From: Dacheng Zhang [mailto:dacheng.zdc@alibaba-inc.com] Sent: Tuesday, February 03, 2015 8:09 PM To: Susan Hares; i2nsf@ietf.org Cc: linda.dunbar@huawei.com Subject: Re: [I2nsf] draft-zhang-gap-analysis-00 Hi, Sue: Sure. Hosnieh and I will include the work you mentioned into the new version. Thank you for the comments. Dacheng 发件人: Susan Hares <shares@ndzh.com<mailto:shares@ndzh.com>> 日期: 2015年2月3日 星期二 下午6:15 至: <i2nsf@ietf.org<mailto:i2nsf@ietf.org>> 抄送: <linda.dunbar@huawei.com<mailto:linda.dunbar@huawei.com>> 主题: [I2nsf] draft-zhang-gap-analysis-00 Hosnieh and Dacheng: Do you have an update for the gap analysis for the I2NSF? You did not include the work in I2RS, rtgwg, and netmod/ netconf in your analysis. It would be good to update it to include these features Just a few things to include to review for policy is the current · http://datatracker.ietf.org/doc/draft-ietf-netmod-acl-model/ - approved ACL policy · http://tools.ietf.org/html/draft-shaikh-rtgwg-policy-model-00 - Operators model · draft-yan-rtgwg-routing-policy-yang-00 – Proposed for routing policy · http://datatracker.ietf.org/doc/draft-ietf-netmod-acl-model/ - approved ACL policy · http://datatracker.ietf.org/doc/draft-hares-i2rs-bnp-info-model/ - an I2RS policy (Sue’s personal draft) . And there are probably others in the I2RS, RTWG, netmod, and netconf that I have missed. I2RS has both a broker /proxy functionality it is architecture and approved use cases for the firewall, DDoS/Anti-DoS, IDS/IPS policy. I hope this helps you complete your gap analysis. Sue Hares ------------------ Sections from the I2RS architecture: I2RS architecture document(p. 11-12) An I2RS Client is not automatically trustworthy. It has identity information and applications using that I2RS Client should be aware of the scope limitations of that I2RS Client. If the I2RS Client is acting as a broker for multiple applications, managing the security, authentication and authorization for that communication is out of scope; nothing prevents I2RS and a separate authentication and authorization channel from being used. Regardless of mechanism, an I2RS Client that is acting as a broker is responsible for determining that applications using it are trusted and permitted to make the particular requests. Use Case Document (search for the identifying strings) o Topo-REQ-06 (OC): I2RS should enable a orchestration manager attached to an I2RS client to communicate with I2RS agents into order to stitch together End-to-end services for network bandwidth optimization, load balancing, and Class-of-Service with point services (Firewall or NAT) within the end-to-end service). The orchestration manager should also be able to immediately schedule any of these resources via the I2RS-Client I2RS agent exchange. (from section 3.4) o SFC-Use-REQ02 (IC):Supported Service Types SHOULD include: NAT, IP Firewall, Load balancer, DPI, and others o L-Flow-REQ-06 (IC): Once a large flow has been detected, I2RS must be used to modify the forwarding tables in the router to: * In the case of large flow load balancing, be able to redirecting the large flow to a particular member with the LAG or ECMP group and readjusting the weights of the other members to account for the large flow * In the case of DDoS mitigation, the action involves rate limiting, remarking or potentially discarding the large flow in question _______________________________________________ I2nsf mailing list I2nsf@ietf.org<mailto:I2nsf@ietf.org> https://www.ietf.org/mailman/listinfo/i2nsf
- Re: [I2nsf] draft-zhang-gap-analysis-00 Susan Hares
- [I2nsf] draft-zhang-gap-analysis-00 Susan Hares
- Re: [I2nsf] draft-zhang-gap-analysis-00 Dacheng Zhang
- Re: [I2nsf] draft-zhang-gap-analysis-00 Susan Hares
- Re: [I2nsf] draft-zhang-gap-analysis-00 John Strassner