Hi,

This review should count as WG chair review and also getting ahead on the
document shepherd review.

All of my comments are pretty minor.

Thanks for the work,
Adrian

---

idnits shows up some issues with references. At first glance, these all
seem to be real problems. Note that the reference cited in Section 10 is
not picked up by idnits, but still needs to be sorted out.

https://www.ietf.org/tools/idnits?url=https://www.ietf.org/archive/id/draft-ietf-i2nsf-problem-and-use-cases-06.txt

---

"DC" is used in the Introduction without expansion.
OTOH, once explained in section 2, it is not used again.

---

Section 2
I2NSF s/interface/Interface/

---

Section 2.
I think your definition is semantically equivalent to what we have in
our charter, but I would feel more comfortable if you matched the
wording. Is that OK?
  A Network Security Function (NSF) is a function used to ensure
  integrity, confidentiality, or availability of network communications,
  to detect unwanted network activity, or to block or at least mitigate
  the effects of unwanted activity.

---

Section 2 includes "VNFPool" but the term (and the concept) is not used
in the rest of the document.

---

Section 3

You have...
   There is currently no standard mechanism to capture
   those requirements.
This could be enhanced by saying whether it is the objective of the
I2NSF work to address this absence.

(similar in 3.1.6, 3.2.3, and 3.5)

By the way do you mean "address these requirements", or perhaps
"express those requirements for communication between the customer and
provider"?

---

3.1
You have used a number of terms without expansion.
DMZ
AAA

---

3.1.1
OLD
   What is needed is a standardized interface to control and monitor the
   rule sets that NSFs use to treat packets traversing through.
NEW
   What is needed is a standardized interface to control and monitor the
   rule sets that NSFs use to treat packets that traverse them.

---

3.1.2
   Since no widely accepted industry standard security interface exists
   today, management of NSFs (device and policy provisioning,
   monitoring, etc.) tends to be bespoke security management offered by
   product vendors.

The term "security interface" hasn't been introduced, and I think you
mean "interface to security NSFs".

---

3.1.3

   The European Telecommunications Standards Institute (ETSI) Network
   Function Virtualization (NFV) initiative

Do you have a reference for that?

---

3.1.3

OLD
   security policies to be enforced by distributed,
   virtual, and network security functions (vNSF).
NEW
   security policies to be enforced by distributed,
   virtual network security functions (vNSF).

---

3.1.3

   A vNSF has higher risk of failure, migrating, and state changes as
   their hosting VMs are being created, moved, or decommissioned.

I understand "migration", but I think it is a synonym for "moved".
"State change" seems to possibly be an effect of migration.
"Higher risk of failure" doesn't follow unless you are saying that a
VM infrastructure is fundamentally less stable than dedicated hardware.

In fact, I don't think I can get on board with this statement at all.

BTW, you need to expand "VM".

---

3.1.7 has "DOTS" without explanation or expansion

---

3.1.7 s/envelop/envelope/

---

3.1.9
s/uites/suites/

---

3.1.9 para 1 has an additional close parenthesis

---

3.2

Might be nice to indicate that DOTS, MILE, and SACM are working groups
responsible for documenting the guidelines you list.

---

3.2.2

   Customers may consume NSFs by multiple service providers.

"hosted by"? "provided by"?

---

3.2.2 Figure 1

It's not clear what "Picture:" means in the figure.

You should add an explicit reference to the figure from the text.

---

3.5

I think DDoS is not a security function. Maybe "DDoS mitigation"?

---

3.5

   Cyper Threat Alliance (CA, http://cyberthreatalliance.org/)

s/Cyper/Cyber/
Can you turn the URL into a reference?

---

3.6

s/events somethings happen/events sometimes happen/

---

4.1 introduces some unexplained abbreviations

NSP
BSS
OSS

---

4.1 Figure 2
Need one more "-" in the Interface 1 arrow.

---

4.1 Page 15 para 1
line 1 s/client/clients/
s/control/controller/

---

4.1

s/consolidate them,/consolidate it,/

---

4.1 says...

   In order to achieve this, the security controller may collect
   security measurements and share them with an independent and trusted
   third party (via interface 1) in order to allow for attestation of
   NSF functions using the third party added information.

Does this mean that there is a need for an additional standard interface
between the client and this third party?

---

4.2 uses some terms without expansion:

CPE
vCPE
vPE
vEPC (although maybe this is a typo?)

---

4.2 Figure 3

You need to make an explicit reference to the figure from the text.

I think the figure is trying to show a domain of influence for the
Management System. This component is not described in the text, and
the curvy line on the figure is also not described.

Maybe this could be tidied up as...


            Customer   |    Access     |   PoP/Datacenter
                       |               | 
                       |               |      +--------+
                       |    ..................|Network |
                       |   :           |      |Operator|
       +-------------+ |   :   +----+  |      |Mgmt Sys|
       | Residential |-+---:---+vCPE+-----+   +--------+
       +-------------+ |   :   +----+  |   \     |   : 
                       |   :           |    \    |   :
        +----------+   |   :   +----+  |     +----+  :
        |Enterprise|---+---:---+ vPE+--+-----+ NSF|  :
        +----------+   |   :   +----+  |     +----+  :
                       |   :           |    /        :
            +--------+ |   :   +----+  |   /         :
            | Mobile |-+---:---+vEPC+-----+          :
            +--------+ |   :   +----+  |      Mgmt   :
                       |   :           |      Domain :
                       |   :.........................:
                       |               |       
                       |               | 

However, your text describes four "different access clients" including
Residential, Enterprise, Mobile, and Service Provider, while the figure
only shows three of these.

---

4.2 under "Mobile:"

  removing malicious programs such as Botnet, DDoS, and Malware.

Is DDoS a program?

---

4.3

You need to reference Figure 4 from the text.

---

4.3.3

s/need not only to secure/not only need to secure/

---

4.4 uses "VoLTE" without expansion.

---

4.4

s/this kind of attacks/these kinds of attack/

---

4.5

Please capitalise the section header.

---

4.5

You should expand PCI-DSS and HIPPA. You should also probably include 
references.

_______________________________________________
I2nsf mailing list
I2nsf@ietf.org
https://www.ietf.org/mailman/listinfo/i2nsf