Re: [Supa] We need some good examples of what SUPA can do !

"Joel M. Halpern" <jmh@joelhalpern.com> Fri, 16 December 2016 16:59 UTC

To: Benoit Claise <bclaise@cisco.com>, "Joel M. Halpern" <jmh@joelhalpern.com>, "Bert Wijnen (IETF)" <bwietf@bwijnen.net>, Georgios Karagiannis <georgios.karagiannis@huawei.com>, Nevil Brownlee <n.brownlee@auckland.ac.nz>, "draft-cheng-supa-applicability@ietf.org" <draft-cheng-supa-applicability@ietf.org>
References: <faad1f30-1af9-5b97-2cd5-0b157b94ed45@auckland.ac.nz> <c4e41200-845d-ef28-42cd-cb9c77c50927@bwijnen.net> <ecce02d9-f3b1-e1c6-86a5-5fc7b641937d@joelhalpern.com> <C5034E44CD620A44971BAAEB372655DC2DC4C0E2@lhreml502-mbs> <f5e04195-b007-d99c-21fe-548dcaf635ee@bwijnen.net> <7daae66b-1a6b-5591-8818-75ae1d7139a3@joelhalpern.com> <19955746-00cd-7965-b44e-b65c8601df2f@cisco.com>
From: "Joel M. Halpern" <jmh@joelhalpern.com>
Message-ID: <4fa6f4ec-4489-07b7-3b98-8216c5da0ea7@joelhalpern.com>
Date: Fri, 16 Dec 2016 11:59:44 -0500
In-Reply-To: <19955746-00cd-7965-b44e-b65c8601df2f@cisco.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/supa/ah5m-mIl6Nznv6qDK9-1NSBsPoc>
Cc: SUPA list <supa@ietf.org>
Subject: Re: [Supa] We need some good examples of what SUPA can do !

Thanks Benoit.  I do not think that (block vs send syslog) is the hard 
part of the case.

I think we can address the proposed case.  In discussing it with John, 
we found that there were actually two different use cases in there.  We 
are putting together enough explanation to send to the WG on the 
approach we think works, building on the SUPA model, to address these 
cases.  We will send an email out soon.

Yours,
Joel

On 12/16/16 10:18 AM, Benoit Claise wrote:
> On 11/23/2016 3:33 PM, Joel M. Halpern wrote:
>> To some degree Bert, you are demonstrating the limitations of the
>> directive from the AD that SUPA is to use only ECA policies, not
>> declarative.  Modeling the policy goal would be much easier.
> Ok.
>
> OLD:
>      ensures that SNMP is blocked on ports at the edge
>      of the administrative domain to prevent SNMP going
>      out or coming in from outside the enterprise.
>
> NEW:
>     send a (syslog/whatever) message if SNMP traffic is going out or
> coming in from outside the enterprise
>
> Let's walk before we run.
>
> Regards, B.
>>
>> I do believe that with a few extra definitions, we can create a set of
>> meaningful events to trigger.  Mostly the insertion of ports at the
>> edge of the domain.  And then the actions will be to create the filter
>> rules to block SNMP in both directions.
>>
>> I will be working with John to work out the exact modeling.
>>
>> Yours,
>> Joel
>>
>> On 11/23/16 5:54 AM, Bert Wijnen (IETF) wrote:
>>> On 23/11/2016 10:56, Georgios Karagiannis wrote:
>>>> Hi Bert,
>>>>
>>>> Thanks for your input.
>>>> Please note that I agree with Joel that the input is useful.
>>>> Can you please provide more details on what will be the Event
>>>> Condition Action?
>>> well, is that not my exact question?
>>>
>>> I am asking what ECA policies need to be setup/defined in order to
>>> achieve/effectuate a policy that
>>>
>>>      ensures that SNMP is blocked on ports at the edge
>>>      of the administrative domain to prevent SNMP going
>>>      out or coming in from outside the enterprise.
>>>
>>> Bert
>>>> Best regards,
>>>> Georgios
>>>>
>>>>
>>>> -----Original Message-----
>>>> From: Supa [mailto:supa-bounces@ietf.org] On Behalf Of Joel M. Halpern
>>>> Sent: Friday, November 18, 2016 2:45 AM
>>>> To: Bert Wijnen (IETF); Nevil Brownlee;
>>>> draft-cheng-supa-applicability@ietf.org
>>>> Cc: SUPA list
>>>> Subject: Re: [Supa] We need some good examples of what SUPA can do !
>>>>
>>>> Thank you Bert.  That is exactly the kind of request I am looking for.
>>>>
>>>> No, I do not think it will be simple to answer your question. But I
>>>> do think that showing how to do so will show both what we have and
>>>> what more we need.
>>>>
>>>> Yours,
>>>> Joel
>>>>
>>>> On 11/17/16 8:28 PM, Bert Wijnen (IETF) wrote:
>>>>> Could the proponents of the current (in my view still complex) IM and
>>>>> DM work out how one would define/configure/populate the policies for:
>>>>>
>>>>>       ensure that SNMP is blocked on ports at the edge
>>>>>       of the administrative domain to prevent SNMP going
>>>>>       out or coming in from outside the enterprise.
>>>>>
>>>>> This should be simple, no?
>>>>>
>>>>> Thanks, Bert
>>>>>
>>>>> On 17/11/2016 18:31, Nevil Brownlee wrote:
>>>>>> Hi all:
>>>>>>
>>>>>> Your SUPA chairs met this morning with some of the SUPA I-D authors
>>>>>> to consider "how can we get people working on some simple examples to
>>>>>> demonstrate how SUPA could be used."
>>>>>>
>>>>>> One idea we considered was "we need a few good example uses, with
>>>>>> clear specs written for each - we could start with the examples in
>>>>>> our (draft) Applicability Statement.  That considers five examples -
>>>>>>
>>>>>>    4.1.  Use Case 1: Switched Ethernet services (SES)
>>>>>>    4.2.  Use Case 2: Virtualized Private Clouds (VPC)
>>>>>>    4.3.  Use Case 3: Traffic Manipulation cross DCs
>>>>>>    4.4.  Use Case 4: Virtual SP
>>>>>>    4.5.  Use Case 5: Instant VPN
>>>>>>    4.6.  Use Case 6: traffic optimization and QoS assurance on ISP DC
>>>>>>
>>>>>> It would help SUPA a lot to have input, especially from network
>>>>>> operators, telling us "what do you actually want (SUPA to) do?"
>>>>>>
>>>>>> Do please give this some thought, and send your 'wishes' text to the
>>>>>> SUPA list!
>>>>>>
>>>>>> Cheers, Nevil
>>>>>>
>>>>> _______________________________________________
>>>>> Supa mailing list
>>>>> Supa@ietf.org
>>>>> https://www.ietf.org/mailman/listinfo/supa
>>>>>
>>>
>>
>
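The ECA modeling sketched in the thread (event: a port is inserted at the edge of the administrative domain; condition: the port really is an edge port; action: install SNMP filter rules in both directions, with Benoit's log-only "walk before we run" variant as an alternative action), as an added example that is not part of the thread or of any SUPA information or data model. The Port, FilterRule and ECAPolicy classes and the port names are constructed for illustration; only the SNMP UDP ports 161/162 are real assignments.

```python
from dataclasses import dataclass, field

# SNMP agent and trap ports (IANA assignments); everything else is constructed.
SNMP_PORTS = (161, 162)


@dataclass
class Port:
    name: str
    edge: bool  # True when the port faces outside the administrative domain


@dataclass
class FilterRule:
    port: str
    direction: str  # "in" or "out"
    proto: str
    dst_port: int
    action: str     # "drop" (Bert's blocking goal) or "log" (Benoit's syslog variant)


@dataclass
class ECAPolicy:
    """Event: port inserted. Condition: port is at the domain edge.
    Action: SNMP filter rules for both directions, using the configured action."""
    mode: str = "drop"
    rules: list = field(default_factory=list)

    def on_port_inserted(self, port: Port) -> list:
        # Condition: ports internal to the domain are out of scope for this policy.
        if not port.edge:
            return []
        new = [FilterRule(port.name, d, "udp", p, self.mode)
               for d in ("in", "out") for p in SNMP_PORTS]
        self.rules.extend(new)
        return new


def lookup(rules: list, port: str, direction: str, proto: str, dst_port: int) -> str:
    """Return the action the installed rules apply to a flow, or 'permit' if none match."""
    for r in rules:
        if (r.port, r.direction, r.proto, r.dst_port) == (port, direction, proto, dst_port):
            return r.action
    return "permit"


if __name__ == "__main__":
    policy = ECAPolicy(mode="drop")
    policy.on_port_inserted(Port("ge-0/0/1", edge=True))   # constructed edge port
    policy.on_port_inserted(Port("ge-0/0/2", edge=False))  # constructed internal port
    print(lookup(policy.rules, "ge-0/0/1", "in", "udp", 161))   # drop
    print(lookup(policy.rules, "ge-0/0/2", "in", "udp", 161))   # permit
```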