Re: [I2nsf] Comments on draft-dunbar-i2nsf-problem-statement-05
Sumandra Majee <S.Majee@F5.com> Sat, 21 November 2015 19:09 UTC
Return-Path: <S.Majee@f5.com>
X-Original-To: i2nsf@ietfa.amsl.com
Delivered-To: i2nsf@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 3AE531B2A4C for <i2nsf@ietfa.amsl.com>; Sat, 21 Nov 2015 11:09:16 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -7.585
X-Spam-Level:
X-Spam-Status: No, score=-7.585 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_HI=-5, RP_MATCHES_RCVD=-0.585, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 3MLKBDpJU8i4 for <i2nsf@ietfa.amsl.com>; Sat, 21 Nov 2015 11:09:13 -0800 (PST)
Received: from mail.f5.com (mail.f5.com [208.85.209.139]) (using TLSv1 with cipher AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id EA66F1B2A3E for <i2nsf@ietf.org>; Sat, 21 Nov 2015 11:09:12 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=f5.com; i=@f5.com; q=dns/txt; s=seattle; t=1448132953; x=1479668953; h=from:to:cc:subject:date:message-id:references: in-reply-to:mime-version; bh=hWHKejT16ZeQlQRPpFIOHMQ5r4Bt/HuaSwh0mwE2ZeI=; b=ZLpStq4Z/qCymy/rakfU2Bl6PZYjJR3z61YbEDs8b/ddrZ3hin/Z0JDM pRSlx8A7RbQI8VhSOETcCnctOF7mQufiPDFv6CEaXUVC7uqbpZFY+yS+N 0P3m8r2eeeg/FiLgSJ4HBJX2P8wEMRT+1P0xo3H+mZ/tWPKs/XvKb6hgU o=;
X-IronPort-AV: E=Sophos;i="5.20,329,1444694400"; d="scan'208,217";a="189668900"
X-IPAS-Result: A2CmBAB2wFBW/+sKqMBeGQEBAQEPAQEBAYI+gSBvt2mJFwEDFwEJhW4CgXwBAQEBAQGBC4Q1AQEBAwEBAWsLEAIBCBImAQYHJwIJFAMOAQEEDgWIO789AQEBAQEBAQECAQEBAQEBAQEBAQEYhlSCEIJuhQiDHIEVBYdHAo8HhSSGMYM3SYN3gyWTCxGCYx2BVnIBhSoBAQE
Received: from oracle-apps.f5net.com (HELO exchmail.f5net.com) ([192.168.10.235]) by mail.f5.com with ESMTP/TLS/AES256-SHA; 21 Nov 2015 19:09:11 +0000
Received: from SEAEXCHMBX02.olympus.F5Net.com (192.168.15.224) by seaexchmbx03.olympus.F5Net.com (192.168.15.225) with Microsoft SMTP Server (TLS) id 15.0.1130.7; Sat, 21 Nov 2015 11:09:10 -0800
Received: from SEAEXCHMBX02.olympus.F5Net.com ([fe80::dd5e:c398:17d9:927f]) by seaexchmbx02.olympus.F5Net.com ([fe80::dd5e:c398:17d9:927f%13]) with mapi id 15.00.1130.005; Sat, 21 Nov 2015 11:09:10 -0800
From: Sumandra Majee <S.Majee@F5.com>
To: DIEGO LOPEZ GARCIA <diego.r.lopez@telefonica.com>
Thread-Topic: [I2nsf] Comments on draft-dunbar-i2nsf-problem-statement-05
Thread-Index: AdEioAyIQfd93omoRVuyqnHeGuMT8AAmR5vwAEe5yYAADgHZ+A==
Date: Sat, 21 Nov 2015 19:09:09 +0000
Message-ID: <A00862EF-35D2-4A8F-BE07-B54AE6046B50@F5.com>
References: <327562D94EA7BF428CD805F338C31EF06C07EC8B@nkgeml512-mbx.china.huawei.com>, <C9100DC8-1CD1-49A4-AB60-D5BCC60499F3@telefonica.com>
In-Reply-To: <C9100DC8-1CD1-49A4-AB60-D5BCC60499F3@telefonica.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-ms-exchange-transport-fromentityheader: Hosted
Content-Type: multipart/alternative; boundary="_000_A00862EF35D24A8FBE07B54AE6046B50F5com_"
MIME-Version: 1.0
Archived-At: <http://mailarchive.ietf.org/arch/msg/i2nsf/uZR3VFjODZ6KnV_wxAofOh-np4s>
Cc: Jayaraghavendran k <jayaraghavendran.k@huawei.com>, "Anil Kumar S N (VRP Network BL)" <anil.sn@huawei.com>, "i2nsf@ietf.org" <i2nsf@ietf.org>, "draft-dunbar-i2nsf-problem-statement-05@ietf.org" <draft-dunbar-i2nsf-problem-statement-05@ietf.org>, Linda Dunbar <linda.dunbar@huawei.com>
Subject: Re: [I2nsf] Comments on draft-dunbar-i2nsf-problem-statement-05
X-BeenThere: i2nsf@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "*I2NSF: Interface to Network Security Functions mailing list*" <i2nsf.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/i2nsf>, <mailto:i2nsf-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/i2nsf/>
List-Post: <mailto:i2nsf@ietf.org>
List-Help: <mailto:i2nsf-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/i2nsf>, <mailto:i2nsf-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 21 Nov 2015 19:09:16 -0000
Agree that FW IDS IPS etc are commonly understood network component and trying to define them here might lead to more confusion. Having a section for abbreviation is ok.
Sent from my iPhone
On Nov 21, 2015, at 4:28 AM, DIEGO LOPEZ GARCIA <diego.r.lopez@telefonica.com<mailto:diego.r.lopez@telefonica.com>> wrote:
Hi,
A couple of comments in line below…
On 20 Nov 2015, at 03:22 , Anil Kumar S N (VRP Network BL) <anil.sn@huawei.com<mailto:anil.sn@huawei.com>> wrote:
• Requirements Language, terms and acronyms section : We need to describe following abbreviations which are used in the documents as it the first document
to be referred by any newcomer into I2NSF WG
IPS, IDS, ACL, FWs, AAA, CA, VNFpool, Etc…
DRL> I disagree. Terms like IDS, AAA, ACL or CA are well defined elsewhere, have been of common usage for quite a while, and there is no advantage in redefining them in this document. For what is worth, we could need to define terms like “network” or “TCP”… There may be others like VNFpool that would need a definition because they are by no means widespread, though in those case we should first consider whether the term makes sense in the document, which I’d say it is not the case for “VNFpool” in particular.
• Adding new section :
3.1.9 Lack of mechanism for Key Management/Deterministic Generation and Provisioning for communicating protocols
There is a need for a framework/data model for a key management protocol that may be used to create and manage session
keys for message authentication and integrity. As of now there is no much focus on an abstraction for keying information that describes the interface
between protocols, operators, and automated key management.
In March 2006, the Internet Architecture Board (IAB) held a workshop
on the topic of "Unwanted Internet Traffic". The report from that workshop is documented in RFC 4948 [RFC4948].
Section 8.1 of that document states that "A simple risk analysis would suggest that an ideal attack target of minimal
cost but maximal disruption is the core routing infrastructure". Section 8.2 calls for "Tightening the security of
the core routing infrastructure".
One of the four main steps were identified for that tightening the security for the protocol packets on the wire.
It is concerned with guidelines for describing issues and techniques for protecting the messages between directly communicating peers.
Conceptually, when routing protocols send or receive messages, they
might need to look up the key to use in this abstract key table.
Conceptually, there must be an interface defined for a protocols to
make requests of automated key management when it is being used; when
keys become available, they might be made available in the key table.
There might not be any requirement that this abstraction be used for
implementation:
1) I2NSF need to design the key table abstraction, the interface between
key management protocols and routing/other protocols, and possibly
security protocols at other layers.
2) For each routing/other protocol, I2NSF need to define the mapping between
how the protocol represents key material and the protocol-
independent key table abstraction. When routing/other protocols share a
common mechanism for authentication, such as the TCP
Authentication Option, the same mapping is likely to be reused
between protocols. An implementation may be able to move much of
the keying logic into code related to this shared authentication
primitive rather than code specific to routing/other protocols.
3) When designing automated key management for both symmetric keys
and group keys, we will only need to use the abstractions designed based on
point 1 above to communicate between automated key management and
routing/other protocols.
DRL> As Linda said, you should clarify what is the purpose for this. The intent of I2NSF is not to define new security functions, but to define an interface to them. And I’d say you are proposing the definition of a new key management service to be used by routing and other protocols.
Be goode,
--
"Esta vez no fallaremos, Doctor Infierno"
Dr Diego R. Lopez
Telefonica I+D
http://people.tid.es/diego.lopez/
e-mail: diego.r.lopez@telefonica.com<mailto:diego.r.lopez@telefonica.com>
Tel: +34 913 129 041
Mobile: +34 682 051 091
----------------------------------
________________________________
Este mensaje y sus adjuntos se dirigen exclusivamente a su destinatario, puede contener información privilegiada o confidencial y es para uso exclusivo de la persona o entidad de destino. Si no es usted. el destinatario indicado, queda notificado de que la lectura, utilización, divulgación y/o copia sin autorización puede estar prohibida en virtud de la legislación vigente. Si ha recibido este mensaje por error, le rogamos que nos lo comunique inmediatamente por esta misma vía y proceda a su destrucción.
The information contained in this transmission is privileged and confidential information intended only for the use of the individual or entity named above. If the reader of this message is not the intended recipient, you are hereby notified that any dissemination, distribution or copying of this communication is strictly prohibited. If you have received this transmission in error, do not read it. Please immediately reply to the sender that you have received this communication in error and then delete it.
Esta mensagem e seus anexos se dirigem exclusivamente ao seu destinatário, pode conter informação privilegiada ou confidencial e é para uso exclusivo da pessoa ou entidade de destino. Se não é vossa senhoria o destinatário indicado, fica notificado de que a leitura, utilização, divulgação e/ou cópia sem autorização pode estar proibida em virtude da legislação vigente. Se recebeu esta mensagem por erro, rogamos-lhe que nos o comunique imediatamente por esta mesma via e proceda a sua destruição
_______________________________________________
I2nsf mailing list
I2nsf@ietf.org<mailto:I2nsf@ietf.org>
https://www.ietf.org/mailman/listinfo/i2nsf
- [I2nsf] Comments on draft-dunbar-i2nsf-problem-st… Anil Kumar S N (VRP Network BL)
- Re: [I2nsf] Comments on draft-dunbar-i2nsf-proble… Linda Dunbar
- Re: [I2nsf] Comments on draft-dunbar-i2nsf-proble… DIEGO LOPEZ GARCIA
- Re: [I2nsf] Comments on draft-dunbar-i2nsf-proble… Sumandra Majee
- Re: [I2nsf] Comments on draft-dunbar-i2nsf-proble… Anil Kumar S N (VRP Network BL)
- Re: [I2nsf] Comments on draft-dunbar-i2nsf-proble… Anil Kumar S N (VRP Network BL)
- Re: [I2nsf] Comments on draft-dunbar-i2nsf-proble… Susan Hares