Re: [Nsaas] Existing work, other things

Melinda Shore <> Thu, 11 September 2014 03:08 UTC

Return-Path: <>
Received: from localhost ( []) by (Postfix) with ESMTP id 5860C1A03C5 for <>; Wed, 10 Sep 2014 20:08:48 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -2
X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, SPF_PASS=-0.001] autolearn=ham
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id G9T6oOKseKWP for <>; Wed, 10 Sep 2014 20:08:46 -0700 (PDT)
Received: from ( [IPv6:2607:f8b0:400e:c02::22d]) (using TLSv1 with cipher ECDHE-RSA-RC4-SHA (128/128 bits)) (No client certificate requested) by (Postfix) with ESMTPS id 414EA1A0314 for <>; Wed, 10 Sep 2014 20:08:46 -0700 (PDT)
Received: by with SMTP id ft15so10416624pdb.32 for <>; Wed, 10 Sep 2014 20:08:46 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20120113; h=message-id:date:from:user-agent:mime-version:to:cc:subject :references:in-reply-to:content-type:content-transfer-encoding; bh=o/hXHprDmz7RU+jNtDlkXs8Tf6yrnLj7I/9h9e67COo=; b=HLnZbPhzaYPKdEob62jQjJOpPYIj49xU/PsLZQlTpytz+Rol1S2BPiTjHiQZ9rPjZB LzZKjGOZqrt5O+Ha5c5UlX1pmZWsGOLAMWTb8zC6VNSf2/eIiKy3Rbqy2YML67d1QDGF Drlzedn6eWG78tjWZVGee6sf1yZ4XLjcElSTbna/gCXZgjTXB4TCNO/dVMDCjxauJQED G4crEWqr5YIWwm1J11kY/1fnuzh5GSwGdhv1iHedZTS2yC0LO79cvKZiFmea/SoT8cev k5JsWBGIYwC4We6KnArxrcqhAPsqkp0S8pSaF5/xWlGkk85GJsZAyyetUZRx1zbJO8Es HXYg==
X-Received: by with SMTP id ez10mr69725666pab.12.1410404925921; Wed, 10 Sep 2014 20:08:45 -0700 (PDT)
Received: from spandex.local ( []) by with ESMTPSA id hz1sm15731222pbb.75.2014. for <multiple recipients> (version=TLSv1 cipher=ECDHE-RSA-RC4-SHA bits=128/128); Wed, 10 Sep 2014 20:08:45 -0700 (PDT)
Message-ID: <>
Date: Wed, 10 Sep 2014 19:08:43 -0800
From: Melinda Shore <>
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.7; rv:24.0) Gecko/20100101 Thunderbird/24.4.0
MIME-Version: 1.0
References: <> <> <> <> <> <> <> <> <> <> <> <> <>
In-Reply-To: <>
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 7bit
Cc: "" <>, Linda Dunbar <>
Subject: Re: [Nsaas] Existing work, other things
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "*NSaaS: Network Security as a Service mailing list*" <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Thu, 11 Sep 2014 03:08:48 -0000

On 9/10/14 12:13 PM, DIEGO LOPEZ GARCIA wrote:
> I fully agree with your statement of trying to narrow the scope and
> identify the piece(s) of technical work to be solved. With that in
> mind I suggested the three aspects to be considered, intended as a
> first step to concrete the goals for a future group. For sure we need
> to refine them but I can tell you that we are seriously considering
> the provision of this kind of security services to our customers. So
> I guess we can consider the request to bring our "product managers"
> to the process fulfilled from our side...

Well, yes and no.

To back up a little bit, the IETF has not historically hewn to the
problem statement->framework->whatever process.  Work used to be
brought in more fully considered, and I think it does not represent
progress that we're now seeing a lot of problem statements.  To me,
it suggests that the work that's being proposed isn't really work
per se - someone's got some ideas about an interesting problem but
hasn't really worked out the details, whether the problem can (or
should) be solved in the IETF at all, and so on.  It seems to me that
from an organizational perspective, the problem statements have
turned into an unproductive time sink.  Work really needs to be
more mature before a BOF is approved.

On the other hand, people who are writing drafts and advocating
for particular pieces of work should not be in a particular hurry
to have a BOF.  It is not in the interest of people advocating a
piece of work to have an unsuccessful BOF.  It hurts your case.
Second, it's also important to keep in mind that the work of the
IETF is done primarily on mailing lists and through the document
process, not at meetings.  It's possible (and has been done a
number of times) to form a working group without ever having held
a BOF.

This is not ETSI and it's not the ITU-T.  The best way to move
work along is to have a technically credible proposal that's
reasonably mature, and to have some people who want to build it
and some other people who want to deploy it.  Support from other
people who write standards is shallow if there's no institutional
commitment to the technology on the parts of their employers.

I don't know where this cloud security stuff is going to go.  It
looks like there are a few specific technical problems that need
to be solved.  I think the best way forward it to tease out
some specific problems, and try to develop technical proposals
around those problems.  Don't rush towards a BOF but rather have
some solid, credible technical work done first.  Demonstrate that
it's a problem that needs to be solved, that the participants are
capable of solving it, that somebody's going to actually build it,
and someone else is going to actually deploy it, and your chances of
the work going forward in the IETF have just skyrocketed.