John, Frank, Diego, and Aldo:

Thank you very much for the revision of the draft-xiabassnez-i2nsf-capability-01. I think the draft is structured really well, and describes a really good methodology for defining NSF capabilities. Very good work!

A few minor comments:

3.4.1 Network Security Capabilities

I think the section is mainly describing the Security Capabilities for traffic or flows traversing the network. I would think that "Network Security" is broader, which covers how to secure access to network elements as well, or encryption of links, management of secure keys, etc.

3.4.2 Content Security Capabilities

Your draft stated that "Content Security" is at the application layer. Can you give some examples? Is it about some specified content (such as a URL, video, or something else) that can't be accessed by some users? How is "content" represented? Is it by an "Address"? A specific URL? Or a special ID? It should also reference Section 4.3, which has more description.

Figure 3 (Page 19): Are all those types of Rule (AuthenticationECAPolicyRule, AccoutingECAPolicyRule, ...) matched with the categories of "capabilities" described in Section 3.4? Or are all the "capabilities" listed under Section 3.4 under the "SecurityECAPolicyRule"?

Figure 5 (Page 24): The "event" in Figure 4 (Page 22) is further classified as "user security event", "device security event", "system security event", and "Time security event". But the "Condition" in Figure 5 is classified differently. What are the correlations between them? Is "UserSecurityCondition" mapped to "UserSecurityEvent"? How about the rest? What is the difference between "Packet Security Condition" and "Packet Payload Security condition"?

Figure 6 (Page 25): Can "Apply Profile Action" apply to both "Ingress Action" and "Egress Action"?

Thank you very much for putting together a good document to describe such a complex subject very clearly.

Linda

_______________________________________________ I2nsf mailing list [email protected] https://www.ietf.org/mailman/listinfo/i2nsf
