IETF
i2nsf@jabber.ietf.org
Friday, November 14, 2014

GMT+0
[02:23:52] Edward Lopez joins the room
[02:34:09] mahoney@nostrum.com joins the room
[02:35:36] Yoav Nir joins the room
[02:37:00] Yoav Nir has set the subject to: I2NSF BOF - IETF 91 - http://www.ietf.org/proceedings/91/agenda/agenda-91-i2nsf
[02:37:31] Meetecho joins the room
[02:37:37] Melinda joins the room
[02:39:24] Kathleen Moriarty joins the room
[02:39:57] Melinda Shore joins the room
[02:40:27] Melinda leaves the room
[02:40:46] Melinda Shore leaves the room
[02:41:01] rachel huang joins the room
[02:41:13] Melinda Shore joins the room
[02:41:20] hartmans joins the room
[02:41:37] Lars joins the room
[02:42:01] <Yoav Nir> I will be your Jabber scribe. If you want anything channeled to the room, prefix with "mic:"
[02:42:46] <Yoav Nir> This is a non-WG forming BoF, so no charter discussion
[02:43:48] <Yoav Nir> Problem Statement presso
[02:43:56] <Yoav Nir> Linda Dunbar presenting
[02:43:58] Melinda joins the room
[02:44:17] <Yoav Nir> slide #2
[02:44:44] <Yoav Nir> slide #3: challenges
[02:46:13] <Yoav Nir> slide #4: Common Functional components of FW
[02:48:18] <Yoav Nir> slide #5: Goal: a common interface for client to specify desired network security functions
[02:49:11] <Yoav Nir> slide #6: Security Functions under consideration
[02:50:11] satoru.kanno@jabber.org joins the room
[02:50:32] <Yoav Nir> slide #7: FW as a service: potential attributes
[02:50:36] Satoru Kanno joins the room
[02:51:36] kepeng_li joins the room
[02:51:54] <Yoav Nir> Reminder: I will be your Jabber scribe. If you want anything channeled to the room, prefix with "mic:"
[02:52:28] <Yoav Nir> slide #8: Security as a Service: Potential attributes
[02:53:06] <Yoav Nir> slide #9: Relevant Industry initiatives:
[02:54:31] <Melinda> What was his name, again?  I missed it.
[02:54:45] <Yoav Nir> Edward Lopez
[02:54:57] <Melinda> Thanks
[02:58:46] <Yoav Nir> Kathleen Moriarty @ mic
[02:58:57] Dan Wing joins the room
[02:59:49] <Yoav Nir> Ed Lopez (Fortinet) @ mic
[03:00:27] <Yoav Nir> Bob Briscoe (BT) @ mic
[03:00:48] <Yoav Nir> I'm not going to the mic right now, but +1 to what Ed said.
[03:02:05] <Yoav Nir> Nikolai (DT) @ mic
[03:02:09] <Melinda> mic: So far what's been discussed has not, for the most part, been peculiar to sdn or virtualized security services. We've done quite a bit of work in the IETF on firewall policy communication and it's seen virtually no uptake. It seems to me that what might be interesting here would be the virtualization aspect.
[03:02:40] <Melinda> Having worked on this in ETSI, there was considerable support from service providers and none from vendors.
[03:02:54] aaron joins the room
[03:03:07] Joe joins the room
[03:03:53] <Yoav Nir> Next Up: draft-qi-i2nsf-access-network-usecase-00
[03:04:28] <Yoav Nir> Sorry, that was wrong
[03:04:42] <Yoav Nir> I2NSF Use Cases in Access Networks
[03:04:54] <Yoav Nir> slide 2: Seeking an Open OAM Interface
[03:05:13] <Yoav Nir> slide #3
[03:05:38] <Yoav Nir> http://www.ietf.org/proceedings/91/slides/slides-91-i2nsf-2.pptx
[03:06:14] <Yoav Nir> slide #4
[03:06:26] <aaron> install a honeypot on my home gateway?  no thank you.
[03:06:28] smemery joins the room
[03:06:58] <Kathleen Moriarty> @Aaron, he's talking about hosted environments
[03:06:59] Praveen Kumar joins the room
[03:07:32] <Yoav Nir> slide #5
[03:07:38] <aaron> I must have misheard
[03:08:18] <Yoav Nir> slide #6
[03:08:59] wilma joins the room
[03:09:48] <Yoav Nir> slide #7
[03:10:56] wilma leaves the room
[03:13:56] <Yoav Nir> slide #8
[03:14:41] sunseawq joins the room
[03:14:57] <Yoav Nir> slide #9
[03:15:23] <Yoav Nir> slide #10
[03:16:31] <Yoav Nir> Hannes @ mic
[03:16:46] <Yoav Nir> "Thank You" slide
[03:18:39] <Yoav Nir> You can open an IPsec tunnel to your secure environment and tunnel all your traffic through that IPsec gateway.
[03:21:25] <Yoav Nir> Ed Lopez @ mic
[03:21:39] Joe leaves the room
[03:21:46] Joe joins the room
[03:22:30] <Yoav Nir> Bob Briscoe @ mic
[03:25:33] <Yoav Nir> Next Up: http://www.ietf.org/proceedings/91/slides/slides-91-i2nsf-1.pptx
[03:25:57] <Yoav Nir> slide #2: Current Access Network Security
[03:27:40] <Yoav Nir> slide #3: Virtualized Security Function
[03:28:54] <Yoav Nir> slide #4: Use Case 1: security configuration
[03:28:55] sunseawq leaves the room
[03:30:28] <hartmans> Wait is this part a proposal for something in the cloud to push configuration to devices in the client network--CPE devices?
[03:30:43] <Yoav Nir> @hartmans: mic?
[03:30:56] <hartmans> I was hoping someone here understood.
[03:30:59] <hartmans> I'll get up if needed
[03:31:02] <Kathleen Moriarty> that would be good to raise at the mic
[03:31:02] Erik Nygren joins the room
[03:31:03] <Yoav Nir> slide #5: Use Case2: Optional security function Negotiation
[03:31:10] <hartmans> OK, I'll get in line
[03:31:11] <Kathleen Moriarty> Yes, he is proposing that
[03:31:27] <Kathleen Moriarty> but raising it would be good
[03:31:29] <hartmans> OK, then I don't see a reason to mic it because that was my reading of his slides
[03:31:46] <hartmans> I will get up and talk about privacy  and perpass concerns at some point in this.
[03:32:00] <Yoav Nir> slide #6: Use Case3: Security Request from user side
[03:33:24] <Yoav Nir> Hannes @ mic
[03:33:31] jeferson.nobre joins the room
[03:35:24] Dan Wing leaves the room
[03:35:27] sunseawq joins the room
[03:36:55] <Yoav Nir> Sam Hartman @ mic - gonna talk about privacy and pervasive monitoring
[03:37:04] Dan Wing joins the room
[03:38:43] <Yoav Nir> Lars Eggert @ mic
[03:39:50] <hartmans> no, I'll talk about privacy when we're in open discussion
[03:40:28] <Yoav Nir> @hartmans: hey, if you can't trust your ISP to take good care of your privacy, who can you trust?
[03:40:33] <Yoav Nir> Sam H @ mic
[03:42:25] <Yoav Nir> Kathleen M @ mic
[03:42:59] <hartmans> I think this is probably a good idea, but I want to see a lot of work discussing privacy and legal/political issues.
[03:43:46] <Yoav Nir> Ed Lopez @ mic
[03:44:16] <hartmans> Agreed. Use case 2 and 3 will merge in any protocol
[03:44:25] <Kathleen Moriarty> I think I prefer use case 2 as the user makes the final decision, has more control over their environment
[03:44:39] <Yoav Nir> From my standpoint, I'd rather make the ISP interchangeable than the security function
[03:44:48] <hartmans> But redundant use cases is so far down on the not care list.
[03:46:20] Dan Wing leaves the room
[03:46:43] <Yoav Nir> No idea what these slides are...
[03:46:52] <Yoav Nir> I'll just type in the titles
[03:46:58] <Yoav Nir> "Role of I2NSF"
[03:47:49] <Yoav Nir> Got it. http://www.ietf.org/proceedings/91/slides/slides-91-i2nsf-10.pptx
[03:47:57] <Yoav Nir> Presso link "Data Center"
[03:48:07] Leif Johansson joins the room
[03:48:16] <Yoav Nir> slide #5
[03:48:50] Melinda Shore leaves the room
[03:49:11] <Yoav Nir> slide #6
[03:49:16] Melinda Shore joins the room
[03:50:06] Dan Wing joins the room
[03:51:31] <Yoav Nir> ed lopez @ mic
[03:52:43] <Yoav Nir> SDN presso
[03:52:52] <Yoav Nir> http://www.ietf.org/proceedings/91/slides/slides-91-i2nsf-0.pptx
[03:52:52] <Lars> on the topic of firewall config protocols, hannes, me and some others did an old survey that already had too many options :-)
[03:52:53] <Lars> https://eggert.org/papers/draft-eggert-middlebox-control-survey-01.txt
[03:52:56] <Yoav Nir> slide #3
[03:53:39] <hartmans> I've never bought "we've done it before," as an option to not try again if you can get the right interest.
[03:53:57] <hartmans> In that sometimes a different mix of approach and market conditions can cause something to take that previously failed.
[03:53:59] <Yoav Nir> slide #4
[03:54:16] <Yoav Nir> slide #5
[03:54:19] <Lars> @hartmans: sure. i meant that we might have the building blocks ready already.
[03:54:20] <hartmans> But I agree done it before means you should be more skeptical of success and look more closely into whether you have the right stakeholders
[03:54:34] <Yoav Nir> slide #6
[03:55:10] <Melinda> I think the main issue is that previous middlebox protocols have generally not been successful.  That may mean that there's still a need out there but I do think someone needs to make the case for why they'd be successful where various other ones have not.
[03:55:16] <Yoav Nir> slide #7
[03:55:47] <hartmans> melinda: agree completely
[03:56:25] <Kathleen Moriarty> @Melinda: If this is for hosted environments, then it would be firewall configuration to protect your hosted services.  It's a bit different than middleboxes
[03:56:39] <Yoav Nir> slide #8
[03:57:08] <Yoav Nir> slide #9
[03:57:33] <Yoav Nir> I think the firewall vendors are not on board
[03:57:38] <Yoav Nir> slide #10
[03:58:38] wilma joins the room
[03:58:45] <Yoav Nir> Yes, it sometimes works to have the customers "gang up" on vendors and force them into a standard, but service providers are not the main customers of the vendors, so I don't think that would work
[03:58:48] <Yoav Nir> slide #13
[03:58:50] <Kathleen Moriarty> That would be a good question to ask and may be specific to FWs in hosted virtual environments
[03:59:11] <Melinda> I'm not completely clear on what they've got in mind.  If it's static configuration, there may be some differences (although I'd take  very close look at the midcom MIB).
[03:59:19] <Kathleen Moriarty> not sure if any are in the room or on board… would be good to know
[03:59:57] <Melinda> My experience at Cisco was that the PIX team were absolutely opposed to externalizing firewall "control", but they (or their successors) may feel differently about static configuration).  
[04:00:15] <Yoav Nir> There are some firewall vendors in the room. At least Ed and me, and there are some Cisco people here, I'm sure
[04:00:45] <Melinda> But, the situation in which midcom came to the IETF was that there were a lot of very large European service providers who were asking for firewall control.  BT, Telekom Austria, Deutsche Telekom, etc.  
[04:00:46] <Kathleen Moriarty> I can find out what VMWare's take would be for their firewall service for these types of environments, but would like to get info on others
[04:00:55] <Melinda> They wanted it, but the vendors wouldn't do it.
[04:01:38] wilma leaves the room
[04:02:27] Karen O'Donoghue joins the room
[04:02:46] <Kathleen Moriarty> Does PIX and Checkpoint integrate into an OpenStack environment?  Or would this be the virtual VMWare firewall and other virtual ones, not sure if Microsoft has one?
[04:02:55] <Yoav Nir> I don't know, because I'm not on the firewall side of Check Point, but our firewall does run in virtualized environments and given special access to the network to help in filtering. I'm sure other software-based firewalls can get similar access, but I don't know.
[04:04:18] <Kathleen Moriarty> OK, so I can ask them to show the support from vendors
[04:04:42] <hartmans> Kathleen: openstack can control a number of network entities including routers and firewalls for certain functions.
[04:04:48] <hartmans> It has a fairly complex networking layer.
[04:04:51] <Yoav Nir> Check Point firewalls get some special APIs from VMWare. Nothing that I know of about OpenStack. Definitely don't know about PIX, but AFAIK PIX is a hardware device, so it won't run on VMWare
[04:04:55] <Kathleen Moriarty> Thanks, Sam
[04:05:07] <Kathleen Moriarty> That's what I thought, Lars said the same
[04:05:08] <hartmans> So, yes, openstack and similar can build virtualized services out of things that aren't expecting to be used that way.
[04:05:23] <hartmans> Put another way, something like this can be useful in certain situations even without the Firewall vendors.
[04:05:27] <Kathleen Moriarty> OpenStack and NFV changes the game a bit
[04:05:37] <hartmans> For example if Amazon and Rackspace said they wanted this I wouldn't care what Checkpoint and Cisco said.
[04:05:47] <Kathleen Moriarty> Exactly
[04:06:01] <Kathleen Moriarty> We care about the vendors integrating with OpenStack
[04:06:19] <Kathleen Moriarty> and other SDN environments
[04:06:26] <Yoav Nir> @hartmans: True, but so far they haven't said that.
[04:06:48] <hartmans> But for example given Cisco Nexus or whatever their virtualized thing is, some firewall virtualized appliances and a few coders I could put together some services that could be packaged as a cloud offering.
[04:07:05] <hartmans> I don't need Cisco's help except for a license plan that makes my business possible.
[04:07:27] <hartmans> Right.  for this to work you need:
[04:07:41] <hartmans> 1) cloud service providers or firewall or ids vendors
[04:07:43] <hartmans> 2) customers.
[04:08:12] <Lars> so soft switches are turing complete. i don't understand how some physical security box is still being thought of as required.
[04:08:37] <Kathleen Moriarty> +! Lars
[04:08:40] <Kathleen Moriarty> 1
[04:09:20] <Yoav Nir> Next Up: http://www.ietf.org/proceedings/91/slides/slides-91-i2nsf-5.ppt
[04:09:29] <hartmans> Physical security boxes are very much not required
[04:09:36] <Yoav Nir> slide #3
[04:09:51] <hartmans> They may be faster at some things but that's mostly  solvable with horizontal scaling.
[04:09:55] <hartmans> map reduce your firewall:-)
[04:10:09] <Lars> i guess if you are a vendor of such boxes speaking at the microphone, you might disagree…
[04:10:09] <Yoav Nir> slide #4
[04:10:30] <Yoav Nir> I'm a vendor, not at the mic, and I completely agree
[04:10:46] <hartmans> I was pricing firewalls for a US state a few years ago.  It didn't seem like the hardware in the physical boxes was all that special.
[04:10:51] <hartmans> Ah, see this speaker:-)
[04:11:16] <Lars> right, this presentation looks promising
[04:11:20] <Yoav Nir> slide #5
[04:11:26] <Edward Lopez> I'm not disagreeing, my company provides security VMs as well as physical appliances. However, most security vendors have strongly invested in merchant silicon (ASIC, FPGAs, speciality processors) that simply don't exist in a white-box hypervisor environment. It's really A PERFORMANCE ISSUE
[04:11:41] <Edward Lopez> sorry about caps, didn't mean
[04:11:53] <Edward Lopez> just hit caps-lock on the a
[04:12:17] <hartmans> Edward Lopez: Right, but the numbers I was seeing a few years ago suggest that it's a performance issue whose time is going even for moderately large networks
[04:12:35] <Yoav Nir> slide #6
[04:12:53] <Lars> regarding performance, why is scale-out not possible?
[04:13:23] <hartmans> Note that my numbers didn't consider hypervisor overhead, just whether you could run a security appliance for multiple gig-ethernets on stock hardware with tuning but no security-specific silicon
[04:13:26] <Lars> how much cross-correlation between e.g. flows is done?
[04:13:30] <Kathleen Moriarty> There are trends for customers moving data and applications that have higher security requirements into hosted environments, so it makes sense that security service management would be needed
[04:13:40] <hartmans> I don't know how bad the virtualization impacts what work loads.
[04:13:42] <Edward Lopez> Generally, many security functions are either vulnerable to asymmetric flows, or suffer functional degradation when load-balanced
[04:14:14] <Yoav Nir> slide #7
[04:14:45] <Edward Lopez> This is why integration with orchestration is important.  The need to distribute traffic based on user/device/organization, rather than just purely on header information
[04:14:46] <hartmans> lars: scaleout is possible if you can manage to handle your nat state somehow. There is some cross-flow correlation for some things. For example think ftp algs and similar.
[04:15:32] <Dan Wing> Lars: there is not much high-speed correlation between flows.  But each flow is, by definition, being created by an Intel chip and if going through a white-box hardware, is being firewalled by another Intel chip.
[04:15:37] <hartmans> But for example Checkpoint's documented language allowed you to set up state at a number of different levels and I think in theory you could generate rules where flow correlation was important.
[04:16:55] <hartmans> There are various state synchronization approaches of course implemented by various products.  Some of them increase performance; many decrease performance at the advantage of better reliability in case of failure
[04:17:03] <Yoav Nir> Linda Dunbar @ mic
[04:18:22] <hartmans> If you have access to Gartner reports I recommend looking at the appropriate magic quadrant for this sector over the past few releases.
[04:19:02] <hartmans> I think this meeting is balanced too presentation-heavy.
[04:19:39] <hartmans> In that for example the problem statement draft did a reasonable job of covering the ietf activities and that could have just been folded in as a single slide there.
[04:22:52] Karen O'Donoghue leaves the room
[04:23:54] smemery leaves the room
[04:24:53] <Erik Nygren> The draft NFVSEC doc from ETSI is interesting on a quick skim that I did a few weeks back.  The thing that really worries me here is the lack of primitives within NFV for managing private keys in a way that allows for sane transport security, especially as there is a desire to be able to deploy services in environments not fully trusted by the service operators (whether that is possible or not.  ;)
[04:26:08] Satoru Kanno leaves the room
[04:26:22] Tero Kivinen joins the room
[04:27:03] <hartmans> What are we doing now?
[04:27:18] <Erik Nygren> I think waiting to pull up more slides.
[04:27:22] <Edward Lopez> Shifting presentations
[04:27:26] <Yoav Nir> sitting quietly pondering the mostly blank screen
[04:27:51] <Yoav Nir> "analysis of existing work for I2NSF"
[04:27:53] <Edward Lopez> draft-zhang-gap-analysis prezo
[04:28:08] <Yoav Nir> slide #2: NSIS
[04:28:33] Tero Kivinen leaves the room
[04:28:50] Karen O'Donoghue joins the room
[04:29:43] <Yoav Nir> slide #3: NSIS (2)
[04:30:30] Karen O'Donoghue leaves the room
[04:30:41] <Yoav Nir> slide #4: how NSaaS is different from SACM
[04:31:04] <Kathleen Moriarty> It's clear this is different - sorry, this was a question much earlier in their work
[04:33:53] <Yoav Nir> "PCP"
[04:34:03] <hartmans> O, hmm, I never would have considered this overlapped with PCP.
[04:34:16] <Yoav Nir> "SFC"
[04:34:28] Karen O'Donoghue joins the room
[04:34:31] <hartmans> Although... for simple cases adding an AVP to PCP to request a firewall service might be kind of cool, but would solve very different use cases.
[04:34:44] <hartmans> O, thanks.
[04:34:47] <hartmans> oops
[04:35:01] <Yoav Nir> "ANIMA"
[04:35:41] satoru.kanno@jabber.org leaves the room
[04:35:55] <Lars> can we recover some discussion time here?
[04:36:15] Dan Wing leaves the room
[04:36:18] <Yoav Nir> Hannes @ mic
[04:40:29] <Yoav Nir> Sam H @ mic
[04:41:00] satoru.kanno@jabber.org joins the room
[04:41:30] <Lars> +1 to sam
[04:42:29] Satoru Kanno joins the room
[04:43:05] <hartmans> That time I talked about privacy:-)
[04:43:27] <Yoav Nir> That's good
[04:43:53] Erik Nygren leaves the room
[04:44:10] <Yoav Nir> Bob Briscoe @ mic
[04:46:50] Yoav Nir leaves the room
[04:47:12] Yoav Nir joins the room
[04:47:36] Karen O'Donoghue leaves the room
[04:48:58] <Melinda> I think that would be incredibly valuable but I don't think that's what these folks are asking to do.
[04:49:27] <aaron> I think Sam's proposal falls into the category of 'broccoli'
[04:50:16] <hartmans> Yeah, I'm saying that if they want to do work here they should be required to sign up to writing their privacy considerations.
[04:50:21] <hartmans> I understand that's not their focus.
[04:50:35] <hartmans> But the real question we need to answer is are there customers and vendors for this.
[04:50:47] <Leif Johansson> +1 on api's for key mgmt
[04:53:13] Erik Nygren joins the room
[04:58:52] <Kathleen Moriarty> @Sam: The IESG is looking at privacy with every draft where there may be concerns  Hopefully they get caught by WGs and the SecDir review, but we look for that too just in case it wasn't covered in the list of considerations for drafts
[04:59:35] <Yoav Nir> I see virtualization of the firewalls, but this virtualization is happening at virtualization providers (like Amazon) and security service providers (where you tunnel traffic to the service provider for firewalling). Some of this is even run by the vendors. I don't see any of that happening at the ISPs
[04:59:57] <Melinda> http://nutss.gforge.cis.cornell.edu/publications.php
[05:00:37] <aaron> @Melinda: yup.  I was thinking of the very short lived end-middle-end RG
[05:00:43] jeferson.nobre leaves the room
[05:01:28] <Melinda> I don't think any two people in the room agree on what's under discussion.
[05:01:38] Leif Johansson leaves the room
[05:01:57] <Yoav Nir> @Melinda: they want to configure my box. Get off my lawn!
[05:02:01] Edward Lopez leaves the room
[05:02:53] aaron leaves the room
[05:02:57] Melinda Shore leaves the room
[05:03:00] Joe leaves the room
[05:03:02] Erik Nygren leaves the room
[05:03:05] Kathleen Moriarty leaves the room
[05:03:24] Lars leaves the room: Disconnected: session closed
[05:03:29] kepeng_li leaves the room
[05:04:09] Melinda leaves the room
[05:04:22] Yoav Nir leaves the room
[05:04:47] Praveen Kumar leaves the room
[05:07:31] rachel huang leaves the room
[05:09:21] Meetecho leaves the room
[05:17:25] sunseawq leaves the room
[05:19:51] hartmans leaves the room: Disconnected: connection closed
[05:22:28] mahoney@nostrum.com leaves the room
[06:01:10] kepeng_li joins the room
[06:01:16] kepeng_li leaves the room
[06:12:12] satoru.kanno@jabber.org leaves the room
[06:12:25] Satoru Kanno leaves the room
[06:56:05] hartmans joins the room
[06:57:09] hartmans leaves the room: Disconnected: connection closed
[06:57:12] hartmans joins the room
[07:09:19] Kathleen Moriarty joins the room
[07:10:17] Kathleen Moriarty leaves the room
[07:26:32] hartmans leaves the room: Disconnected: connection closed
[08:02:49] hartmans joins the room
[08:03:09] hartmans leaves the room
[08:54:00] Karen O'Donoghue joins the room
[08:59:18] Karen O'Donoghue leaves the room: Replaced by new connection
[10:23:16] Erik Nygren joins the room
[10:24:35] Erik Nygren leaves the room
[11:37:15] satoru.kanno@jabber.org joins the room
[12:25:17] satoru.kanno@jabber.org leaves the room
[17:43:08] Karen O'Donoghue joins the room
[17:51:05] Karen O'Donoghue leaves the room
[18:06:34] satoru.kanno@jabber.org joins the room
[18:14:48] satoru.kanno@jabber.org leaves the room
[19:01:58] Kathleen Moriarty joins the room
[19:02:57] Kathleen Moriarty leaves the room
[19:07:33] satoru.kanno@jabber.org joins the room
[19:16:32] satoru.kanno@jabber.org leaves the room
[19:19:32] Dan Wing joins the room
[19:24:23] Dan Wing leaves the room
[20:01:24] Karen O'Donoghue joins the room
[20:07:34] Karen O'Donoghue leaves the room
[20:07:49] Karen O'Donoghue joins the room
[20:19:03] Karen O'Donoghue leaves the room
[20:23:19] Karen O'Donoghue joins the room
[20:23:31] Karen O'Donoghue leaves the room