[I2nsf] "draft-dunbar-i2nsf-problem-statement-02.txt" - few comments.

Alexey Gorbunov <alexey.gorbunov82@gmail.com> Wed, 18 March 2015 01:09 UTC

Date: Tue, 17 Mar 2015 20:09:32 -0500
Message-ID: <CAJd_XJh9rfJKAXziZzsvZqSnENGE+5sA3VvDc+P0=1Ua+wtWmQ@mail.gmail.com>
From: Alexey Gorbunov <alexey.gorbunov82@gmail.com>
To: i2nsf@ietf.org
Archived-At: <http://mailarchive.ietf.org/arch/msg/i2nsf/zJ5kvl30qN0bajDHQ8P2e8PNUHI>

Hi Folks,


I just read "draft-dunbar-i2nsf-problem-statement-02.txt" and would like to
share my thoughts and concerns. From my point of view it's better not to
focus on the specific names but on the functionality of the network security
function itself. Most probably the main use case for an NSF is a virtual
firewall with IPS/IDS and VPN capabilities. OpenStack is the ideal
candidate for an NSF.


We already have a virtual firewall, and it's good to look at its features and
functionality. I summarized most of the firewall features below:


- *Access-list.* Defines which traffic is allowed to enter and pass the
firewall.

It's covered in https://tools.ietf.org/html/draft-ietf-netmod-acl-model-02

- *Policy.* Defines which traffic is allowed to pass the firewall and in
which direction.

- *DoS protection:* multicast and broadcast rate limiting; DHCP and ARP
protection and rate limiting; limiting the number of MAC addresses.

- *"Screens"* - Juniper calls them screens; Cisco doesn't have a name for it.
Basically it's protection against well-known network attacks.

- *"Intrusion prevention"* - signatures of any malicious activity.

- *VPN PKI* - configuration of IPsec with PKI.

- *Control-plane protection of the firewall itself.*

- *L7 filtering and proxy.*

- *Application detection.* Some applications use TCP port 80, and most
firewalls can detect them.

- *Monitoring and reporting traffic.* Something similar to OpenFlow, Jflow,
etc.

What exactly is going to be covered by i2nsf? Is i2nsf going to meet in
Dallas at IETF 92?

Thanks everybody for your attention to this email.

Alexey Gorbunov

Telco Cloud and Security Architect at Nokia

CCIE R&S 41088
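The "Access-list" and "Policy" items in the message above, as an added example that is not part of Alexey's mail, of the I2NSF work, or of the cited netmod draft: a first-match ACL evaluator in Python whose rule dictionary approximates (an assumption, not an exact schema instance) the access-list-entries / matches / actions layout of draft-ietf-netmod-acl-model-02, bound per direction on an interface, with per-rule hit counters standing in for the "Monitoring" item. The ACL and the packets are constructed for illustration; rule order matters, as the third packet shows (the RFC 1918 deny is shadowed for web traffic by the earlier permit).

```python
"""
First-match ACL evaluator shaped after the ietf-access-control-list YANG model
referenced in the mail (draft-ietf-netmod-acl-model-02).  Added example, not
code from the draft or from I2NSF; the dict below is a constructed
approximation of the model's access-list-entries/matches/actions layout.
"""
import ipaddress
from collections import Counter

# Constructed sample ACL instance (assumption: key names approximate the draft's tree).
SAMPLE_ACL = {
    "acl-name": "edge-in",
    "access-list-entries": [
        {"rule-name": "allow-web",
         "matches": {"destination-ipv4-network": "10.0.1.0/24",
                     "protocol": 6,
                     "destination-port-range": {"lower-port": 80, "upper-port": 443}},
         "actions": {"permit": True}},
        {"rule-name": "deny-rfc1918-source",
         "matches": {"source-ipv4-network": "10.0.0.0/8"},
         "actions": {"deny": True}},
        {"rule-name": "allow-dns",
         "matches": {"protocol": 17,
                     "destination-port-range": {"lower-port": 53, "upper-port": 53}},
         "actions": {"permit": True}},
    ],
}


def ace_matches(matches, pkt):
    """All fields present in 'matches' must hold; an absent field is a wildcard."""
    if "source-ipv4-network" in matches and \
            ipaddress.ip_address(pkt["src"]) not in ipaddress.ip_network(matches["source-ipv4-network"]):
        return False
    if "destination-ipv4-network" in matches and \
            ipaddress.ip_address(pkt["dst"]) not in ipaddress.ip_network(matches["destination-ipv4-network"]):
        return False
    if "protocol" in matches and pkt["proto"] != matches["protocol"]:
        return False
    for side, key in (("sport", "source-port-range"), ("dport", "destination-port-range")):
        rng = matches.get(key)
        # A packet without that port (e.g. ICMP) cannot satisfy a port-range match.
        if rng and not (rng["lower-port"] <= pkt.get(side, -1) <= rng["upper-port"]):
            return False
    return True


def evaluate(acl, pkt, hits=None):
    """The first matching ACE decides; no match means implicit deny."""
    for ace in acl["access-list-entries"]:
        if ace_matches(ace["matches"], pkt):
            if hits is not None:
                hits[ace["rule-name"]] += 1
            return "permit" if ace["actions"].get("permit") else "deny"
    if hits is not None:
        hits["implicit-deny"] += 1
    return "deny"


class InterfacePolicy:
    """Binds an ACL per direction on an interface and counts rule hits."""

    def __init__(self):
        self.bound = {"ingress": None, "egress": None}
        self.hits = Counter()

    def bind(self, direction, acl):
        self.bound[direction] = acl

    def filter(self, direction, pkt):
        acl = self.bound[direction]
        if acl is None:
            return "permit"          # no ACL bound in this direction: nothing filtered
        return evaluate(acl, pkt, self.hits)


# Constructed sample packets (subset of the 5-tuple: src, dst, IP protocol, dst port).
SAMPLE_PACKETS = [
    ("ingress", {"src": "203.0.113.7", "dst": "10.0.1.20", "proto": 6, "dport": 443}),
    ("ingress", {"src": "10.9.9.9", "dst": "10.0.1.20", "proto": 6, "dport": 22}),
    ("ingress", {"src": "10.9.9.9", "dst": "10.0.1.20", "proto": 6, "dport": 443}),
    ("ingress", {"src": "198.51.100.2", "dst": "10.0.2.5", "proto": 17, "dport": 53}),
    ("ingress", {"src": "198.51.100.2", "dst": "10.0.2.5", "proto": 1}),
    ("egress", {"src": "10.0.1.20", "dst": "198.51.100.2", "proto": 6, "dport": 25}),
]


def run_sample():
    """Evaluate the sample packets; returns (verdicts, per-rule hit counts)."""
    policy = InterfacePolicy()
    policy.bind("ingress", SAMPLE_ACL)   # egress deliberately left unbound
    verdicts = [policy.filter(d, p) for d, p in SAMPLE_PACKETS]
    return verdicts, dict(policy.hits)


if __name__ == "__main__":
    verdicts, hits = run_sample()
    for (direction, pkt), verdict in zip(SAMPLE_PACKETS, verdicts):
        print(f"{direction:7} {pkt['src']:>13} -> {pkt['dst']:<12} proto={pkt['proto']:<3} {verdict}")
    print(hits)
```

The egress packet is permitted only because no ACL is bound in that direction, which is the point of keeping "Policy" (the per-direction binding) separate from "Access-list" (the rule set itself): a firewall that filters only ingress leaves exfiltration paths open.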