Re: SDNAuth - Secure SDN authentication and authorization - Interested?
Michael Richardson <mcr+ietf@sandelman.ca> Fri, 23 January 2015 15:44 UTC
From: Michael Richardson <mcr+ietf@sandelman.ca>
To: Hosnieh Rafiee <ietf@rozanak.com>
Subject: Re: SDNAuth - Secure SDN authentication and authorization - Interested?
Date: Fri, 23 Jan 2015 10:44:34 -0500
Message-ID: <12995.1422027874@sandelman.ca>
Archived-At: <http://mailarchive.ietf.org/arch/msg/ietf/iFqBceRi0nLlpGcvSDlPPUw8gBI>
Cc: ietf@ietf.org
Hosnieh Rafiee <ietf@rozanak.com> wrote:
> The name of this group is: SDNAuth
> This group focuses on the following scope:
> - Authentication and authorization of application to the network
> control - SDNAuth only provides the place where a network control can find
> policy but applying policy is out of the scope of SDN auth
> - Authentication and authorization of two controllers (exchanging
> policy is out of the scope)
> - Optimization of authentication and authorization of network elements
> + user at the same time

All of this seems very much internal-to-Autonomous-System. There are a bunch of solutions which exist already, many of which are aimed at tty/CLI-style logins (RADIUS, TACACS and Kerberos come to mind). Some may be inappropriate for the m2m-type communication you envision, or may require some profiling to make work.

> - Authentication and authorization of an app to a security function
> service such as a firewall (applying any rules on the firewall is out of
> scope but authentication and showing the place of policies are in scope):
> SDN/NFV authentication

I don't know what the scope of "app" here is, but I think that perhaps it means that my mobile phone can ask some firewall that is (perhaps) not within my enterprise for access. Such as when I'm roaming at your office. But, even if it turns out that I'm at my office, the firewall is not *my* firewall (I'm not the admin), it's my enterprise's firewall. As such, this relates to such things as the "authenticated-firewall-traversal (AFT)" problem (and WG) of 2 decades ago <http://datatracker.ietf.org/wg/aft/charter/>, and also to much more modern things like PCP, RSVP, uPNP and the like.

It would be wonderful if we could solve the problems of being able to scalably authenticate to network elements for the purpose of either reserving bandwidth (in a positive, "I care about this traffic" way), and also for deflecting traffic (in a negative, "please filter this DDoS traffic out further away from my constrained pipe" way). On this, you seem to have a totally different set of requirements from the SDN space, and I don't see how it matters that SDN is involved at all. I think that you should remove this item from your SDNauth scope; we've been through this discussion multiple times now. It's not that it isn't important; it's really really really important, but it has a very different set of constraints.

> You can find more information about this group on the info page.
> If you are interested in the scope of this group, please feel free to join
> by clicking on the following address:
> <https://mail.rozanak.com/mailman/listinfo/sdnauth>
> ---------------------------------------------------------------
> We had some discussions on "secauth" at IETF and would like to continue the
> discussion with interested folks in an external group. The goal is to
> prepare the final draft of charter for possible BoF.
> This group also plans to have an implementation by using Openstack as a
> base. Later, I will update the info page of the group with the link to a
> project repository.
> Thanks,
> Best,
> Hosnieh
> P.S. Please note that the group is public including its archive.

--
Michael Richardson <mcr+IETF@sandelman.ca>, Sandelman Software Works
 -= IPv6 IoT consulting =-