RE: SDNAuth - Secure SDN authentication and authorization - Interested?
"Hosnieh Rafiee" <ietf@rozanak.com> Wed, 04 February 2015 07:30 UTC
From: Hosnieh Rafiee <ietf@rozanak.com>
To: 'Kathleen Moriarty' <kathleen.moriarty.ietf@gmail.com>
Date: Wed, 04 Feb 2015 08:30:07 +0100
Archived-At: <http://mailarchive.ietf.org/arch/msg/ietf/YxqEUl4vTP0jKZmyazqEUGsKxpU>
Cc: 'IETF' <ietf@ietf.org>

Thanks Kathleen for your useful advice. I am following your steps with a
group of people who are interested in contributing to this work, and
progressing. I will contact you after finalizing our work and being ready
to submit the BoF.

Best,
Hosnieh

> -----Original Message-----
> From: Kathleen Moriarty [mailto:kathleen.moriarty.ietf@gmail.com]
> Sent: Wednesday, February 04, 2015 12:05 AM
> To: Michael Richardson
> Cc: Hosnieh Rafiee; IETF
> Subject: Re: SDNAuth - Secure SDN authentication and authorization -
> Interested?
>
> Hello Hosnieh,
>
> I don't see any responses to the points/questions raised by Ted and
> Michael. When SecAuth was closed, I and others provided feedback to help
> you narrow the scope of work so that this could turn into something
> successful. If you are working to reduce the number of problems you solve
> at one time, that should help. Your plan to implement code along with
> OpenStack could help a lot to solidify your ideas and that is a good next
> step. To Ted's point on the NoteWell and your plan to progress to a BoF
> and eventual working group, I'd like to suggest a set of steps that
> should help you to be successful:
>
> 1. Pick a few people that were helpful in the SecAuth list to collaborate
>    with directly. Email is fine, a list is not necessary.
> 2. The team should understand the goal is to develop work that will get
>    moved to the IETF. This means they understand that the NoteWell will
>    apply once that work is contributed.
> 3. Choose one of the 3 problems that were in discussion on SecAuth and
>    only focus on that one problem.
> 4. Document the focused problem statement.
> 5. Document one or more use cases that directly align with the problem
>    statement.
> 6. Document any requirements, especially unique ones to the problem.
> 7. Determine if existing protocols can be used for that solution.
>    Document why related protocols may or may not be a fit for the problem
>    space.
> 8. Identify overlap with existing working groups. Document why or why not
>    there is a connection between this proposed work and each of the
>    related working groups.
> 9. Define a narrow scope of work that might evolve to a charter.
> 10. Begin to collaborate on a draft.
> 11. Develop the draft enough to ensure the problem statement,
>     requirements, and use case are clearly articulated. Perhaps have the
>     draft reviewed by another peer.
> 12. Develop open source code to demonstrate your proposal. This would be
>     extremely helpful.
> 13. Contact Sec ADs again to discuss progress and next steps.
>
> I wish you lots of luck in your work and ask that you consider these
> steps to guide your work.
>
> Best regards,
> Kathleen
>
> On Fri, Jan 23, 2015 at 10:44 AM, Michael Richardson
> <mcr+ietf@sandelman.ca> wrote:
> >
> > Hosnieh Rafiee <ietf@rozanak.com> wrote:
> > > The name of this group is: SDNAuth
> > >
> > > This group focuses on the following scope:
> > > - Authentication and authorization of application to the network
> > >   control - SDNAuth only provides the place where a network control
> > >   can find policy but applying policy is out of the scope of SDN auth
> > > - Authentication and authorization of two controllers (exchanging
> > >   policy is out of the scope)
> > > - Optimization of authentication and authorization of network
> > >   elements + user at the same time
> >
> > All of this seems very much internal-to-Autonomous-System. There are
> > a bunch of solutions which exist already, many of which are aimed at
> > tty/CLI-style logins. (Radius, tacacs and kerberos come to mind).
> > Some may be inappropriate for the m2m-type communication you envision;
> > or may require some profiling to make work.
> >
> > > - Authentication and authorization of an app to a security function
> > >   service such as a firewall (applying any rules on the firewall is
> > >   out of scope but authentication and showing the place of policies
> > >   are in scope) : SDN/NFV authentication
> >
> > I don't know what the scope of "app" here is, but I think that perhaps
> > it means that my mobile phone can ask some firewall that is (perhaps)
> > not within my enterprise for access. Such as when I'm roaming at your
> > office. But, even if it turns out that I'm at my office, the firewall
> > is not *my* firewall (I'm not the admin), it's my enterprise's
> > firewall. As such, this relates to such things as the
> > "authenticated-firewall-traversal (AFT)" problem (and WG) of 2 decades
> > ago <http://datatracker.ietf.org/wg/aft/charter/>, and also to much
> > more modern things like PCP, RSVP, UPnP and the like. It would be
> > wonderful if we could solve the problems of being able to scalably
> > authenticate to network elements for the purpose of either reserving
> > bandwidth (in a positive, I care about this traffic way), and also for
> > deflecting traffic (in a negative, please filter this DDoS traffic out
> > further away from my constrained pipe).
> >
> > On this, you seem to have a totally different set of requirements
> > different from the SDN space, and I don't see how it matters that SDN
> > is involved at all.
> >
> > I think that you should remove this item from your SDNauth scope;
> > we've been through this discussion multiple times now. It's not that
> > it isn't important; it's really really really important, but it has a
> > very different set of constraints.
> >
> > > You can find more information about this group on the info page.
> > >
> > > If you are interested in the scope of this group, please feel free
> > > to join by clicking on the following address:
> > >
> > > < https://mail.rozanak.com/mailman/listinfo/sdnauth >
> > >
> > > ---------------------------------------------------------------
> > >
> > > We had some discussions on "secauth" at IETF and would like to
> > > continue the discussion with interested folks in an external group.
> > > The goal is to prepare the final draft of the charter for a possible
> > > BoF.
> > >
> > > This group also plans to have an implementation by using OpenStack
> > > as a base. Later, I will update the info page of the group with the
> > > link to a project repository.
> > >
> > > Thanks,
> > > Best,
> > > Hosnieh
> > >
> > > P.S. Please note that the group is public including its archive.
> >
> > --
> > Michael Richardson <mcr+IETF@sandelman.ca>, Sandelman Software Works
> > -= IPv6 IoT consulting =-
>
> --
>
> Best regards,
> Kathleen