Hi Linda,


I apology for the delay. Please find my response and additional questions –
mostly for Susan ;-). If you are find with the response, I can also send
them on the ML.



Q1: There is no difference between SSF and NSF. We will change that in the
next version. Thanks for raising it, this is a good reminder to update our
terminology.



Q2: Our protocol defines how the two domains interconnect to have NSF
working in different domains interacting properly. In our case, the
security controller of the cloud and the security controller of the
cloudlet agree on how the cloudlet and the cloud needs to interconnect
their data plane as well as how the cloud can configure or control the NSF
in the cloudlet. The configuration of the NSF itself is not part of the
collaboration protocol typically we expect that NETCONF/YANG be used.



My understanding of draft-kumar-i2nsf-controller-northbound-framework-00
[1] is that is provides some requirements for an API to be able to manage a
whole domain of NSF provided by multiple vendors. In our case if a cloud
were using such API, we would consider the security controller of the cloud
got control over a significant part of the resource of the cloudlet. In our
case, we would like that collaboration of the cloudlet can be performed
with a reduced footprint from the cloud. The foot print is limited by the
cloudlet by limiting the interaction from the cloud to the NSF
instantiating in the cloud.



BR,

Daniel

On Mon, Sep 12, 2016 at 5:59 PM, Linda Dunbar <linda.dun...@huawei.com>
wrote:

> Daniel and Alirezza,
>
>
>
> Is the “Security Service Function (SSF)” in your draft equivalent to the
> Network Security Function (NSF) defined in https://www.ietf.org/id/draft-
> ietf-i2nsf-problem-and-use-cases-01.pdf  ?
>
>
>
>
>
> NSF: Network Security Function. An NSF is a function that detects abnormal
> activity and blocks/mitigates the effect of such abnormal activity in order
> to preserve the availability of a network or a service. In addition, the
> NSF can help in supporting communication stream integrity and
> confidentiality.
>
>
>
> Flow-based NSF: An NSF which inspects network flows according to a
>
> security policy. Flow-based security also means that packets are
>
> inspected in the order they are received, and without altering
>
> packets due to the inspection process (e.g., MAC rewrites, TTL
>
> decrement action, or NAT inspection or changes).
>
>
>
>
>
> If they are the same, can you change the terminology? If they are
> different, can you elaborate the differences in your draft?
>
>
>
>
>
> Second question:
>
> When the “Cloud based services” need network provider to enforce certain
> flow rules for the traffic destined to (originated from) the “Cloud based
> services”, do you anticipate those flow rules to be applied to specific
> SSFs belonging to different administrators?  Or can those rules be to the
> “controller” of the SSFs belonging to network providers?  As described by
> https://datatracker.ietf.org/doc/draft-kumar-i2nsf-controller-northbound-
> framework/ ?
>
>
>
>
>
> Thanks,
>
> Linda
>
> _______________________________________________
> I2nsf mailing list
> I2nsf@ietf.org
> https://www.ietf.org/mailman/listinfo/i2nsf
>
>
_______________________________________________
I2nsf mailing list
I2nsf@ietf.org
https://www.ietf.org/mailman/listinfo/i2nsf

Reply via email to