Hi Linda,

Thanks for your good comments here. As one of the co-authors, I give my replies inline; more comments are anticipated from the other co-authors.
From: Linda Dunbar
Sent: Saturday, March 25, 2017 4:46 PM
To: John Strassner; Xialiang (Frank); Diego R. Lopez; [email protected]; Aldo Basile
Subject: comments to draft-xiabassnez-i2nsf-capability-01

John, Frank, Diego, and Aldo:

Thank you very much for the revision of draft-xiabassnez-i2nsf-capability-01. I think the draft is structured really well, and describes a really good methodology for defining NSF capabilities. Very good work!

A few minor comments:

3.4.1 Network Security Capabilities
I think the section is mainly describing the Security Capabilities for traffic or flows traversing the network. I would think that "Network Security" is broader, which also covers how to secure access to network elements, encryption of links, management of secure keys, etc.

[Frank]: the line we draw between Network Security Capability and Content Security Capability is the network layer: the former is used for layers 1~4, the latter is used for layers 5~7, although there is some minor co-existence between them in layer 4. But basically, these two types of security capability can be clearly divided by this means. So, my question is whether we need a formal definition for them in the terminology draft?

3.4.2 Content Security Capabilities
Your draft states that "Content Security" is at the application layer. Can you give some examples? Is it about some specified content (such as a URL, video, or something else) that can't be accessed by some users? How is "content" represented? Is it by an "Address"? A specific URL? Or a special ID? It should also reference Section 4.3, which has more description.

[Frank]: see my above clarification. In layers 4~7, the content is no longer represented by an "Address", but by application-layer metadata, such as: URL, file name, regular expressions over the content, etc.

Figure 3 (Page 19): are all those types of Rule (AuthenticationECAPolicyRule, AccountingECAPolicyRule, ..) matched with the categories of "capabilities" described in Section 3.4? Or are all the "capabilities" listed under Section 3.4 under the "SecurityECAPolicyRule"?

Figure 5 (Page 24): The "event" in Figure 4 (Page 22) is further classified as "user security event", "device security event", "system security event", and "time security event". But the "Condition" in Figure 5 is classified differently. What are the correlations between them? Is "UserSecurityCondition" mapped to "UserSecurityEvent"? How about the rest?

[Frank]: they are different and orthogonal. An Event is defined as "significant occurrences the NSF is able to react to", i.e. something that happened to trigger the security policy's execution. A Condition, by contrast, is used during the execution of the security policy to determine which actions will be applied.

What is the difference between "Packet Security Condition" and "Packet Payload Security Condition"?

[Frank]: the former is for packet header matching, the latter is for packet payload matching.

Figure 6 (page 25): Can "Apply Profile Action" apply to both "Ingress Action" and "Egress Action"?

[Frank]: both, for each direction and for both directions.

Thank you very much for putting together a good document that describes such a complex subject very clearly.

Linda
_______________________________________________ I2nsf mailing list [email protected] https://www.ietf.org/mailman/listinfo/i2nsf
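The Event/Condition split that Frank describes above (an event triggers a rule's execution, conditions are only consulted during that execution, and a Packet Security Condition matches header fields while a Packet Payload Security Condition matches payload content such as a URL or regular expression) is easy to show as a small evaluator. The following is an added illustrative example written for this page; it is not taken from the draft or from any I2NSF implementation, and the class names, field names, sample rules and sample packets are assumptions chosen to mirror the terms used in the thread.

```python
"""Toy ECA (Event-Condition-Action) evaluator modelled on the thread's terms.
Illustrative only: not the draft's information model or YANG module."""

import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


@dataclass
class Packet:
    """Constructed sample packet; 'direction' is 'ingress' or 'egress'."""
    direction: str
    src_ip: str
    dst_ip: str
    dst_port: int
    payload: bytes


@dataclass
class Event:
    """A 'significant occurrence the NSF is able to react to' (assumed kinds:
    'user', 'device', 'system', 'time', following the thread)."""
    kind: str
    detail: str


@dataclass
class PacketSecurityCondition:
    """Header match (layers 3/4, Network Security Capability side).
    A field left as None is a wildcard."""
    dst_port: Optional[int] = None
    dst_ip: Optional[str] = None

    def matches(self, pkt: Packet) -> bool:
        return ((self.dst_port is None or pkt.dst_port == self.dst_port) and
                (self.dst_ip is None or pkt.dst_ip == self.dst_ip))


@dataclass
class PacketPayloadSecurityCondition:
    """Payload match (layers 5-7, Content Security Capability side):
    a regular expression applied to the raw payload bytes."""
    pattern: str

    def matches(self, pkt: Packet) -> bool:
        return re.search(self.pattern.encode(), pkt.payload) is not None


@dataclass
class ECAPolicyRule:
    name: str
    trigger: str                      # event kind that causes this rule to run
    conditions: List[object] = field(default_factory=list)
    action: str = "permit"            # e.g. 'drop' or 'apply-profile:antivirus'
    direction: str = "both"           # 'ingress', 'egress' or 'both'

    def evaluate(self, event: Event, pkt: Packet) -> Optional[str]:
        """Return the action if the event fires this rule and all conditions
        hold for the packet; otherwise None. Conditions are never consulted
        unless the event matched, which is the orthogonality Frank describes."""
        if event.kind != self.trigger:
            return None
        if self.direction != "both" and pkt.direction != self.direction:
            return None
        if all(c.matches(pkt) for c in self.conditions):
            return self.action
        return None


def apply_policy(rules: List[ECAPolicyRule], event: Event,
                 pkt: Packet) -> Tuple[Optional[str], str]:
    """First-match semantics (assumed): returns (rule name, action), or
    (None, 'permit') when no rule applies."""
    for rule in rules:
        action = rule.evaluate(event, pkt)
        if action is not None:
            return rule.name, action
    return None, "permit"


# Constructed sample rules: one header-only rule restricted to ingress, and
# one header-plus-payload rule that applies a profile in either direction.
RULES = [
    ECAPolicyRule("block-telnet", trigger="device",
                  conditions=[PacketSecurityCondition(dst_port=23)],
                  action="drop", direction="ingress"),
    ECAPolicyRule("scan-uploads", trigger="user",
                  conditions=[PacketSecurityCondition(dst_port=80),
                              PacketPayloadSecurityCondition(r"^POST /upload")],
                  action="apply-profile:antivirus", direction="both"),
]

# Constructed sample packets.
TELNET_IN = Packet("ingress", "198.51.100.7", "192.0.2.10", 23, b"")
TELNET_OUT = Packet("egress", "192.0.2.10", "198.51.100.7", 23, b"")
UPLOAD_OUT = Packet("egress", "192.0.2.10", "203.0.113.5", 80,
                    b"POST /upload HTTP/1.1\r\nHost: files.example\r\n\r\n")
BROWSE_OUT = Packet("egress", "192.0.2.10", "203.0.113.5", 80,
                    b"GET /index.html HTTP/1.1\r\n\r\n")

if __name__ == "__main__":
    for ev, pkt in [(Event("device", "link up"), TELNET_IN),
                    (Event("user", "login"), TELNET_IN),
                    (Event("device", "link up"), TELNET_OUT),
                    (Event("user", "login"), UPLOAD_OUT),
                    (Event("user", "login"), BROWSE_OUT)]:
        print(ev.kind, pkt.direction, pkt.dst_port, "->", apply_policy(RULES, ev, pkt))
```

The second case (a "user" event against the telnet packet) is the point of the example: the header condition would match, but the rule is never evaluated because the event did not fire it, so event classification and condition classification stay independent of each other.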
