Re: [Nsaas] : A more accurate name....

Lisa Lorenzin <> Mon, 15 September 2014 19:17 UTC

From: Lisa Lorenzin <>
To: Linda Dunbar <>, Myo Zarny <>, "" <>, "" <>
Date: Mon, 15 Sep 2014 19:14:55 +0000
Cc: "Zarny, Myo" <>
List-Id: "*NSaaS: Network Security as a Service mailing list*" <>

Hi Linda,

I've been following this thread with great interest but no clear opinion up until now, but this framing, that I2NSF is a tool to enable NSaaS, really resonates with me.  I think it's a much more clear way of articulating - and differentiating between - the problem space in which we're having the conversation (which is clearly more broad than the space SACM has defined) vs. the work we're trying to scope to address that problem space.

FWIW, adding "open" feels unnecessary to me.  My personal perception is that anything standardized in the IETF is open by default, so it's implicit.


From: Nsaas On Behalf Of Linda Dunbar
Sent: Monday, September 15, 2014 2:51 PM
To: Myo Zarny
Cc: Zarny, Myo
Subject: Re: [Nsaas] : A more accurate name....

Agree with Myo that prioritization/scoping of NSaaS will be crucial.
IMHO, standard Interface to Virtual Network Security Functions (I2NSF, or I2VNSF)  is a tool to enable NSaaS.  NSaaS might have broader scope, which might touch upon services model, SLA, etc.

IETF has traditionally been good at building tools, rather than broad service models (not to say that IETF can’t do it).

Another important point: strictly speaking, API normally refers to function calls among different functions on one system; what we want to achieve is the interface between separate entities (boxes), as I2RS is doing.

Therefore, “Programmatic interfaces” might be more accurate.

Any thoughts?


From: Myo Zarny
Sent: Sunday, September 14, 2014 8:27 PM
Cc: Zarny, Myo; Linda Dunbar
Subject: Re: FW: A more accurate name....

Hi Brian,

I agree that the scopes of SACM and NSaaS aren't the same even though there is overlap. NSaaS is broader. Its domain/scope is more than just endpoints, consistent APIs, communication protocols between endpoints and network-based security services. It's all that plus--as you've pointed out--how security policies are translated and provisioned on the "southbound" side--regardless of their form-factor (hardware, software, hypervisor-based, container-based). And so on.

The challenge is in determining which ones should be prioritized. To me, as a user (not a vendor) of services, being able to dynamically reserve network (security) services and have appropriate (security) policies dynamically applied is the holy grail. (Especially if those policies can be defined in user friendly terms and the system be smart enough to translate them.) The question is how do we define and prioritize the steps towards achieving them.


From: Nsaas On Behalf Of Brian Ford (brford)
Sent: Wednesday, September 10, 2014 7:10 PM
Subject: [Nsaas] A more accurate name....


IMO someone can make the argument that just about any acronym is like a ‘Marketing program’.  Changing the name of the pre-WG effort for that reason alone doesn’t seem wise to me.  Changing it from something …’was’ to include ‘Open’ doesn’t seem like a big win.

When I first read your messages about Network Security as a Service I was interested.  I still am even though I know little more than the name.

I have been watching and involved in SACM, Security Automation and Continuous Monitoring.  One of the concerns that I have about SACM is its almost myopic endpoint focus.  I’m particularly interested in NSaaS because it could or might address the application of security policy in networks that protect all devices be they endpoints or VMs or intelligent lightbulbs in an IoT (or IoE).

I see ‘daylight’ between SACM and NSaaS.  But they could help each other.  Let’s start working on the real problem.



Via the offline discussion with Melinda, I learned that many people may think that NSaaS is more like a marketing slogan.

Since the goal is to define a common interface for network security functions (like what I2RS has done for routers), so that Service Providers or 3rd party operators can offer Network Security Functions that may not be physically present in the client premises.

Is "I2NSF" (Open Interface to Network Security functions) a more appropriate name? Any more suggestions?


  Brian Ford | OCTAO | Direct 212.714.4288 | Mobile: 516.769.5884