Re: [Nsaas] Comparing NSIS and the work to be done by NSaaS

[Linda Dunbar <linda.dunbar@huawei.com>]

Melinda, 

Thanks for the additional analysis of NSIS. 

You said " NSIS provides a signaling *model*" that the industry didn't find it useful. 

Let's look at the recent strong industry initiative: NFV (with 38 operators participating and wanting the service). In order for NFV to be deployed in network, it is very essential to have common protocols for "Controller (or Orchestrator)" to 

- create client specific Virtual Firewall with the needed rules & policies over physical appliances from different vendors, very much how routers being partitioned for VPNs.

- Specify concrete rules (or attributes) for instantiating VMs for virtual security functions (NFV initiative), and

- Define the mechanisms for clients (applications) to request/negotiate/validate security functions that are not physically located on the local premises.

Take Firewall as an example, the rules for a specific client vFW can include:
- a 5-tuple and an action such as allow or deny. The information contained in the tuple
includes source/destination IP addresses, transport protocol, and source/destination port numbers (RFC5973).

- The policy rules also require order context. Since firewalls operate in a top-down first-match order, a set of policy rules without order context is insufficient (new).

- The RFC5973’s definition implicitly assumes that the firewall has the intelligence to recognize related traffic that may not match the original 5-tuple. The perfect example is FTP, which consists of control and data connections. The firewall needs to recognize and permit the data connection which isn’t defined in the original rule, which covers only the control channel. (The actual process is a bit more complicated—depending on whether it’s active or passive mode FTP).

Most, if not all, firewalls today have protocol-specific ALGs (app layer gateways) that support more complicated protocols like FTP and SIP. NSIS is to remove the need of ALG (RFC5973). NSaaS is to develop a protocol to ALG. 

The protocol semantics should at least include "request from client to provider", "negotiation of the supported rules between provider and clients", and "verify". 

It is also necessary to have common representation for vFW. Very much like VPN Identifier. 

Linda

-----Original Message-----
From: Melinda Shore [mailto:melinda.shore@gmail.com] 
Sent: Friday, August 15, 2014 10:44 PM
To: Linda Dunbar; nsaas@ietf.org
Subject: Re: Comparing NSIS and the work to be done by NSaaS

On 8/15/14 1:19 PM, Linda Dunbar wrote:
> - Differences between NSIS and NSaaS:

I think the most salient issue is that because NSIS is path-coupled, it's possible to message every participating device along a path without having to know its location, or its location relative to other devices (this is particularly a pressing issue when you've got one or more NATs present in the network, or when trying to locate appropriate tunnel endpoints).  NSIS provides a signaling *model* that may or may not be useful.  I'd say that industry did not find it useful except that other security device signaling models haven't been implemented and deployed, either, so the issue appears to be with the general class of solution rather than with this individual, particular solution.


Getting these questions answered is not a hoop to jump through, but rather, I think, a very serious issue with the work going forward.

Melinda