RE: SDNAuth - Secure SDN authentication and authorization - Interested?

"Hosnieh Rafiee" <ietf@rozanak.com> Wed, 04 February 2015 07:30 UTC

From: Hosnieh Rafiee <ietf@rozanak.com>
To: 'Kathleen Moriarty' <kathleen.moriarty.ietf@gmail.com>
References: <012901d03692$cdc46630$694d3290$@rozanak.com> <12995.1422027874@sandelman.ca> <CAHbuEH6Y6BkP00hENS_KYhYVv84egAgRUBQEC+NScfbnmNFkFg@mail.gmail.com>
In-Reply-To: <CAHbuEH6Y6BkP00hENS_KYhYVv84egAgRUBQEC+NScfbnmNFkFg@mail.gmail.com>
Subject: RE: SDNAuth - Secure SDN authentication and authorization - Interested?
Date: Wed, 04 Feb 2015 08:30:07 +0100
Message-ID: <014f01d0404c$66e35110$34a9f330$@rozanak.com>
Archived-At: <http://mailarchive.ietf.org/arch/msg/ietf/YxqEUl4vTP0jKZmyazqEUGsKxpU>
Cc: 'IETF' <ietf@ietf.org>

Thanks Kathleen for your useful advice. I am following your steps with a group of people who are interested in contributing to this work, and we are progressing. I will contact you once our work is finalized and we are ready to submit the BoF.

Best,
Hosnieh

> -----Original Message-----
> From: Kathleen Moriarty [mailto:kathleen.moriarty.ietf@gmail.com]
> Sent: Wednesday, February 04, 2015 12:05 AM
> To: Michael Richardson
> Cc: Hosnieh Rafiee; IETF
> Subject: Re: SDNAuth - Secure SDN authentication and authorization -
> Interested?
> 
> Hello Hosnieh,
> 
> I don't see any responses to the points/questions raised by Ted and Michael.
> When SecAuth was closed, I and others provided feedback to help you
> narrow the scope of work so that this could turn into something successful. If
> you are working to reduce the number of problems you solve at one time, that
> should help. Your plan to implement code along with OpenStack could help a
> lot to solidify your ideas and that is a good next step.  To Ted's point on
> the NoteWell and your plan to progress to a BoF and eventual working group,
> I'd like to suggest a set of steps that should help you to be
> successful:
> 
> 1. Pick a few people that were helpful in the SecAuth list to collaborate with
> directly. Email is fine, a list is not necessary.
> 2. The team should understand the goal is to develop work that will get moved
> to the IETF.  This means they understand that the NoteWell will apply once
> that work is contributed.
> 3. Choose one of the 3 problems that were in discussion on SecAuth and only
> focus on that one problem.
> 4. Document the focused problem statement.
> 5. Document one or more use cases that directly align with the problem
> statement.
> 6. Document any requirements, especially unique ones to the problem.
> 7. Determine if existing protocols can be used for that solution.
> Document why related protocols may or may not be a fit for the problem
> space.
> 8. Identify overlap with existing working groups. Document why or why not
> there is a connection between this proposed work and each of the related
> working groups.
> 9. Define a narrow scope of work that might evolve to a charter.
> 10. Begin to collaborate on a draft.
> 11. Develop the draft enough to ensure the problem statement,
> requirements, and use cases are clearly articulated.  Perhaps have the draft
> reviewed by another peer.
> 12. Develop open source code to demonstrate your proposal.  This would be
> extremely helpful.
> 13. Contact Sec ADs again to discuss progress and next steps.
> 
> I wish you lots of luck in your work and ask that you consider these steps to
> guide your work.
> 
> Best regards,
> Kathleen
> 
> On Fri, Jan 23, 2015 at 10:44 AM, Michael Richardson
> <mcr+ietf@sandelman.ca> wrote:
> >
> > Hosnieh Rafiee <ietf@rozanak.com> wrote:
> >     > The name of this group is: SDNAuth
> >
> >     > This group focuses on the following scope:
> >     > - Authentication and authorization of application to the network
> >     > control - SDNAuth only provides the place where a network control can
> >     > find policy but applying policy is out of the scope of SDN auth
> >     > - Authentication and authorization of two controllers (exchanging
> >     > policy is out of the scope)
> >     > - Optimization of authentication and authorization of network elements
> >     > + user at the same time
> >
> > All of this seems very much internal-to-Autonomous-System.  There are
> > a bunch of solutions which exist already, many of which are aimed at
> > tty/CLI-style logins.  (Radius, tacacs and kerberos come to mind).
> > Some may be inappropriate for the m2m-type communication you envision;
> > or may require some profiling to make work.
> >
> >
> >     > - Authentication and authorization of an app to a security function
> >     > service such as a firewall (applying any rules on the firewall is out of
> >     > scope but authentication and showing the place of policies are in scope):
> >     > SDN/NFV authentication
> >
> > I don't know what the scope of "app" here is, but I think that perhaps
> > it means that my mobile phone can ask some firewall that is (perhaps)
> > not within my enterprise for access.  Such as when I'm roaming at your
> > office.
> > But, even if it turns out that I'm at my office, the firewall is not
> > *my* firewall (I'm not the admin), it's my enterprise's firewall.
> > As such, this relates to such things as the
> > "authenticated-firewall-traversal (AFT)" problem (and WG) of 2 decades
> > ago <http://datatracker.ietf.org/wg/aft/charter/>, and also to much
> > more modern things like PCP, RSVP, uPNP and the like. It would be
> > wonderful if we could solve the problems of being able to scalably
> > authenticate to network elements for the purpose of either reserving
> > bandwidth (in a positive, I care about this traffic way), and also for
> > deflecting traffic (in a negative, please filter this DDoS traffic out further
> > away from my constrained pipe).
> >
> > On this, you seem to have a totally different set of requirements
> > different from the SDN space, and I don't see how it matters that SDN
> > is involved at all.
> >
> > I think that you should remove this item from your SDNauth scope;
> > we've been through this discussion multiple times now.  It's not that
> > it isn't important; it's really really really important, but it has a
> > very different set of constraints.
> >
> >
> >     > You can find more information about this group on the info page.
> >
> >     > If you are interested in the scope of this group, please feel free to join
> >     > by clicking on the following address:
> >
> >     > < https://mail.rozanak.com/mailman/listinfo/sdnauth >
> >
> >     > ---------------------------------------------------------------
> >
> >     > We had some discussions on "secauth" at IETF and would like to
> >     > continue the discussion with interested folks in an external group.
> >     > The goal is to prepare the final draft of the charter for a possible BoF.
> >
> >     > This group also plans to have an implementation by using Openstack as a
> >     > base. Later, I will update the info page of the group with the link to a
> >     > project repository.
> >
> >     > Thanks,
> >     > Best,
> >     > Hosnieh
> >
> >     > P.S. Please note that the group is public including its archive.
> >
> >
> >
> > --
> > Michael Richardson <mcr+IETF@sandelman.ca>, Sandelman Software Works
> > -= IPv6 IoT consulting =-
> >
> >
> >
> 
> 
> 
> --
> 
> Best regards,
> Kathleen