[I2nsf] I2NSF charter that removed specific device name (e.g. FW), but instead focusing on Flow Based Security Functions
Linda Dunbar <linda.dunbar@huawei.com> Wed, 11 February 2015 21:21 UTC
Return-Path: <linda.dunbar@huawei.com>
X-Original-To: i2nsf@ietfa.amsl.com
Delivered-To: i2nsf@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id EED5A1A6EDB for <i2nsf@ietfa.amsl.com>; Wed, 11 Feb 2015 13:21:04 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.21
X-Spam-Level:
X-Spam-Status: No, score=-4.21 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_MED=-2.3, SPF_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id kVPy5BaXvZIj for <i2nsf@ietfa.amsl.com>; Wed, 11 Feb 2015 13:20:59 -0800 (PST)
Received: from lhrrgout.huawei.com (lhrrgout.huawei.com [194.213.3.17]) (using TLSv1 with cipher RC4-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id EEC291A6EF0 for <i2nsf@ietf.org>; Wed, 11 Feb 2015 13:20:42 -0800 (PST)
Received: from 172.18.7.190 (EHLO lhreml404-hub.china.huawei.com) ([172.18.7.190]) by lhrrg02-dlp.huawei.com (MOS 4.3.7-GA FastPath queued) with ESMTP id BPE43838; Wed, 11 Feb 2015 21:20:41 +0000 (GMT)
Received: from DFWEML704-CHM.china.huawei.com (10.193.5.141) by lhreml404-hub.china.huawei.com (10.201.5.218) with Microsoft SMTP Server (TLS) id 14.3.158.1; Wed, 11 Feb 2015 21:20:40 +0000
Received: from DFWEML701-CHM.china.huawei.com ([10.193.5.50]) by dfweml704-chm ([10.193.5.141]) with mapi id 14.03.0158.001; Wed, 11 Feb 2015 13:20:35 -0800
From: Linda Dunbar <linda.dunbar@huawei.com>
To: "i2nsf@ietf.org" <i2nsf@ietf.org>, Kathleen Moriarty <kathleen.moriarty.ietf@gmail.com>, "Romascanu, Dan (Dan)" <dromasca@avaya.com>
Thread-Topic: I2NSF charter that removed specific device name (e.g. FW), but instead focusing on Flow Based Security Functions
Thread-Index: AQHQRkCS0Z74On2uCEmwmDFJAaGbhQ==
Date: Wed, 11 Feb 2015 21:20:35 +0000
Message-ID: <4A95BA014132FF49AE685FAB4B9F17F645EC36F6@dfweml701-chm>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [10.212.245.23]
Content-Type: multipart/alternative; boundary="_000_4A95BA014132FF49AE685FAB4B9F17F645EC36F6dfweml701chm_"
MIME-Version: 1.0
X-CFilter-Loop: Reflected
Archived-At: <http://mailarchive.ietf.org/arch/msg/i2nsf/6J-b7PReyQk4vLssOBMgXMdqA7Y>
Cc: Edward Lopez <elopez@fortinet.com>, Joseph Salowey <joe@salowey.net>
Subject: [I2nsf] I2NSF charter that removed specific device name (e.g. FW), but instead focusing on Flow Based Security Functions
X-BeenThere: i2nsf@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: "*I2NSF: Interface to Network Security Functions mailing list*" <i2nsf.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/i2nsf>, <mailto:i2nsf-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/i2nsf/>
List-Post: <mailto:i2nsf@ietf.org>
List-Help: <mailto:i2nsf-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/i2nsf>, <mailto:i2nsf-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 11 Feb 2015 21:21:05 -0000
Ed Lopez and I had a 1.5 hours long talk yesterday and discussed his concern of the current I2NSF charter, his thinking of SDN approach for NSF, as well as how to focus I2NSF to make it valuable for the industry. Here is what he thinks on what I2NSF should focus. Ultimate goal of I2NSF: - Establish how to communicate with (virtual & physical) Network Security Functions (i.e. develop a standard mechanism to express security service intent and information/data model to security functions), - How to get performance data out of vNSF and How to get report from (v)NSF To make the I2NSF charter more focused, Ed suggested that I2NSF can start with Flow Based Security Functions (instead of FW devices because different vendors have different features on FW). Flow Based Security Functions provide treatment to packets/flows, such as IPS/IDS, Web filter, and Stateless flow filter. (They are different from Application layer security functions, such as email filter, virus treatment, etc). After Flow Based Security functions, the I2NSF can start to look into Stateful Security functions. The purpose of the mentioned security functions is to make the I2NSF discussion more focused and to validate if the proposed mechanisms to communicate with NSF work properly. To address Ed Lopez's concern of different security vendors supporting different features & functions on their devices, we updated the I2NSF charter (removed specific device name (e.g. FW), but instead focusing on Flow Based Security Functions). Similar to I2RS focusing on the interface to RIB/FIB even though virtually all routers provide far more functions than RIB/FIB, the I2NSF focused functions can be a portion of features supported by vendors' specific devices. Based on this discussion, here is the revised charter. What do people think? Linda Enterprises, residential, and mobile customers are increasingly consuming network functions, especially network security related functions that are not running on their premises. In addition, the ETSI Network Function Virtualization (NFV) initiative creates new management challenges for security policies to be enforced by distributed, virtual, network security functions (vNSF). These trends require a standard interface to express, monitor, and manage security policies for physical and virtual distributed security functions that may be running on different premises. In order to address the above challenges, vNSF devices may include two layers: - Security Service and Policy Layer - Functional Layer The Security Policy Layer is for clients to express and monitor security policies for their specific flows, which is security service oriented. This layer will leverage existing protocols, such as those defined in RESTconf, Netconf, AAA, and SACM, to carry security policies that can be expressed by Discretionary Access Control, Mandatory Access Control, Role Based Access Control, Attribute-Based Access Control, Policy-Based Access Control, or combinations of these. The Functional layer specifies the informational and data models for security functions. This layer will leverage the existing protocols and data models defined by I2RS, Netconf, and NETMOD. The ultimate goal of I2NSF is to establish how to communicate with vNSF and how to get performance data or report out of vNSF. I2NSF enables clients to communicate their specific security policies (request/monitor/report) to a system, and map these security policies to the security functions present in security devices in that system. I2NSF will specify a set of standardized mechanisms for clients and applications to request, negotiate, manage, and validate security functions using a declarative programmatic interface to physical and virtual devices. In order to support this programmatic interface, an Information Model will be defined to serve as a common vocabulary of security policy concepts and security function capability; associated Data Models will be derived from this Information Model to support Operation, Administration, Maintenance and Provisioning (OAMP) functions for security policies and security functions. Since different security vendors support different features & functions on their devices, I2NSF will focus on a few specific functions. I2NSF will start with Flow Based Security functions. Flow Based Security Functions provide treatment to packets/flows, such as IPS/IDS, Web filter, and Stateless flow filter. (They are different from Application layer security functions, such as email filter, virus treatment, etc). Exemplar services associated with Flow Based Security functions include deep packet inspection, packet/flow/stream filtering, and redirection (remote and local). Exemplar IDS/IDP functions includes flow/stream pattern matching and remediation, respectively. The purpose of the focused security functions is to make the I2NSF discussion more focused and to validate if the proposed mechanisms to communicate with NSF work properly. Similar to I2RS focusing on the interface to RIB/FIB even though most routers provide far more functions than RIB/FIB, the I2NSF focused functions can be a portion of features supported by vendors' specific devices. It is a non-goal to create new protocols or data modeling languages for I2NSF interfaces. I2NSF WG Deliverables include: - Use Case document. - Framework Document. - Requirement for extensions (if there are any) to existing protocols used by the WG. - Gap analysis of existing protocols and modeling languages - A single, unified, Information Model for expressing policies to the Flow Based Security Functions described above. - Corresponding Data Models (e.g. YANG models) derived from the above Information Model. - (Optionally) Applicability Statements on how to use I2RS, Netconf, and NETMOD to carry the content of the specified information/data models. [The WG may decide that the Use cases, Framework, and Requirement are Informational documents or simply reference documents during the lifetime of the WG. The framework, that describes the reference points and functional components, is to make the discussion more focused.] Suggested Milestones - Use Case Document: Charter time + 1 month to WG Document - Framework: Charter time + 4 months to WG Document - Requirements for extensions to protocols: Charter time + 6 months to WG document - Info model: Charter time + 7 months to WG Document - All Early Drafts to IESG: 10 months [decision point - +10 months] - Data Models: Charter + 9 Months to WG Document - Applicability Statements: 10 months to WG Document - Data Models and Applicability Statements to IESG - 16 months The WG will work closely with I2RS, Netconf and Netmod WGs.
- [I2nsf] I2NSF charter that removed specific devic… Linda Dunbar
- Re: [I2nsf] I2NSF charter that removed specific d… John Strassner