Re: SDNAuth - Secure SDN authentication and authorization - Interested?

Kathleen Moriarty <kathleen.moriarty.ietf@gmail.com> Tue, 03 February 2015 23:04 UTC

Return-Path: <kathleen.moriarty.ietf@gmail.com>
X-Original-To: ietf@ietfa.amsl.com
Delivered-To: ietf@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 036431A1B1E for <ietf@ietfa.amsl.com>; Tue, 3 Feb 2015 15:04:59 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2
X-Spam-Level:
X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id iB9-OiB_aYhK for <ietf@ietfa.amsl.com>; Tue, 3 Feb 2015 15:04:56 -0800 (PST)
Received: from mail-la0-x231.google.com (mail-la0-x231.google.com [IPv6:2a00:1450:4010:c03::231]) (using TLSv1 with cipher ECDHE-RSA-RC4-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id EA9ED1A1B11 for <ietf@ietf.org>; Tue, 3 Feb 2015 15:04:55 -0800 (PST)
Received: by mail-la0-f49.google.com with SMTP id gf13so54960493lab.8 for <ietf@ietf.org>; Tue, 03 Feb 2015 15:04:54 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type; bh=DuIyIv0qk3AF11bxbD8dGOhlEI9DRDj5N28o5oa5Kzs=; b=lub99LzR+XuQqKVsqqDy0x4vACGim6ogQjVkN5ywgbQ8wQfHjrivarv1yu0ajaOQhR 35DEAGZgSFpYw7te53lGKN/pQrPE8pkszTNgRQM+FkbCoUTeEUFhrAQhSSNbO7p7Umb7 7lOYoic5ZPMVoqHFiexjS7wpWxx80tnwY5+LWhmBpidr9Lciyan360p1JpopQOYbdtD+ GF0A44G0w5ZlCHkw3xXqoIXy+3WtPSDT4H2AnXYMIyq2wAO5w2v5uwyqIjtL8MMUbkba qy5Q78RZ4GGy+SWelRItJHF9/OwqgkWmEgyojBIR1lVq8DGZ4N5NHkRzAvGFQ8akDY8s UDNg==
MIME-Version: 1.0
X-Received: by 10.112.151.228 with SMTP id ut4mr27379413lbb.77.1423004694323; Tue, 03 Feb 2015 15:04:54 -0800 (PST)
Received: by 10.112.167.134 with HTTP; Tue, 3 Feb 2015 15:04:54 -0800 (PST)
In-Reply-To: <12995.1422027874@sandelman.ca>
References: <012901d03692$cdc46630$694d3290$@rozanak.com> <12995.1422027874@sandelman.ca>
Date: Tue, 03 Feb 2015 18:04:54 -0500
Message-ID: <CAHbuEH6Y6BkP00hENS_KYhYVv84egAgRUBQEC+NScfbnmNFkFg@mail.gmail.com>
Subject: Re: SDNAuth - Secure SDN authentication and authorization - Interested?
From: Kathleen Moriarty <kathleen.moriarty.ietf@gmail.com>
To: Michael Richardson <mcr+ietf@sandelman.ca>
Content-Type: text/plain; charset="UTF-8"
Archived-At: <http://mailarchive.ietf.org/arch/msg/ietf/j46XwybElMRvfrjX3VsHxjfsKYk>
Cc: IETF <ietf@ietf.org>
X-BeenThere: ietf@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: IETF-Discussion <ietf.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ietf>, <mailto:ietf-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/ietf/>
List-Post: <mailto:ietf@ietf.org>
List-Help: <mailto:ietf-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ietf>, <mailto:ietf-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 03 Feb 2015 23:04:59 -0000

Hello Hosnieh,

I don't see any responses to the points/questions raised by Ted and
Michael.  When SecAuth was closed, I and others provided feedback to
help you narrow the scope of work so that this could turn into
something successful. If you are working to reduce the number of
problems you solve at one time, that should help. Your plan to
implement code along with OpenStack could help a lot to solidify your
ideas and that is a good next step.  To Ted's point on the
NoteWell and your plan to progress to a BoF and eventual working
group, I'd like to suggest a set of steps that should help you to be
successful:

1. Pick a few people that were helpful in the SecAuth list to
collaborate with directly. Email is fine, a list is not necessary.
2. The team should understand the goal is to develop work that will
get moved to the IETF.  This means they understand that the NoteWell
will apply once that work is contributed.
3. Choose one of the 3 problems that were in discussion on SecAuth and
only focus on that one problem.
4. Document the focused problem statement.
5. Document one or more use cases that directly align with the problem
statement.
6. Document any requirements, especially unique ones to the problem.
7. Determine if existing protocols can be used for that solution.
Document why related protocols may or may not be a fit for the problem
space.
8. Identify overlap with existing working groups. Document why or why
not there is a connection between this proposed work and each of the
related working groups.
9. Define a narrow scope of work that might evolve to a charter.
10. Begin to collaborate on a draft.
11. Develop the draft enough to ensure the problem statement,
requirements, and use cases are clearly articulated.  Perhaps have the
draft reviewed by another peer.
12. Develop open source code to demonstrate your proposal.  This would
be extremely helpful.
13. Contact Sec ADs again to discuss progress and next steps.

I wish you lots of luck in your work and ask that you consider these
steps to guide your work.

Best regards,
Kathleen

On Fri, Jan 23, 2015 at 10:44 AM, Michael Richardson
<mcr+ietf@sandelman.ca> wrote:
>
> Hosnieh Rafiee <ietf@rozanak.com> wrote:
>     > The name of this group is: SDNAuth
>
>     > This group focuses on the following scope:
>     > - Authentication and authorization of application to the network
>     > control - SDNAuth only provides the place where a network control can find
>     > policy but applying policy is out of the scope of SDN auth
>     > - Authentication and authorization of two controllers (exchanging
>     > policy is out of the scope)
>     > - Optimization of authentication and authorization of network elements
>     > + user at the same time
>
> All of this seems very much internal-to-Autonomous-System.  There are a bunch
> of solutions which exist already, many of which are aimed at tty/CLI-style
> logins.  (RADIUS, TACACS and Kerberos come to mind). Some may be inappropriate
> for the m2m-type communication you envision; or may require some profiling to
> make work.
>
>
>     > - Authentication and authorization of an app to a security function
>     > service such as a firewall (applying any rules on the firewall is out of
>     > scope but authentication and showing the place of policies are in scope) :
>     > SDN/NFV authentication
>
> I don't know what the scope of "app" here is, but I think that perhaps it
> means that my mobile phone can ask some firewall that is (perhaps) not within
> my enterprise for access.  Such as when I'm roaming at your office.
> But, even if it turns out that I'm at my office, the firewall is not *my*
> firewall (I'm not the admin), it's my enterprise's firewall.
> As such, this relates to such things as the "authenticated-firewall-traversal
> (AFT)" problem (and WG) of 2 decades ago
> <http://datatracker.ietf.org/wg/aft/charter/>, and also to much more modern
> things like PCP, RSVP, uPNP and the like. It would be wonderful if we could
> solve the problems of being able to scalably authenticate to network elements
> for the purpose of either reserving bandwidth (in a positive, I care about
> this traffic way), and also for deflecting traffic (in a negative, please
> filter this DDoS traffic out further away from my constrained pipe).
>
> On this, you seem to have a totally different set of requirements, different
> from the SDN space, and I don't see how it matters that SDN is involved at
> all.
>
> I think that you should remove this item from your SDNauth scope; we've been
> through this discussion multiple times now.  It's not that it isn't important;
> it's really really really important, but it has a very different set of
> constraints.
>
>
>     > You can find more information about this group on the info page.
>
>     > If you are interested in the scope of this group, please feel free to join by
>     > clicking on the following address:
>
>     > < https://mail.rozanak.com/mailman/listinfo/sdnauth >
>
>     > ---------------------------------------------------------------
>
>     > We had some discussions on "secauth" at IETF and would like to continue the
>     > discussion with interested folks in an external group. The goal is to
>     > prepare the final draft of charter for possible BoF.
>
>     > This group also plans to have an implementation by using OpenStack as a
>     > base. Later, I will update the info page of the group with the link to a
>     > project repository.
>
>     > Thanks,
>     > Best,
>     > Hosnieh
>
>     > P.S. Please note that the group is public including its archive.
>
>
>
> --
> Michael Richardson <mcr+IETF@sandelman.ca>, Sandelman Software Works
>  -= IPv6 IoT consulting =-