Hi Diego and Aldo, Thanks for your comments. I think generally we have got your idea. But personally I still have a question:
In the I2NSF capability data model [draft-ietf-i2nsf-capability-data-model-01], the content security capability part contains the antiviurs, ips, ids, and etc. capabilities. But in your comment, such kind of functions (e.g. ips, ids, etc.) are repackaged group of security capabilities. So I confused with it. Regards, Yue -----邮件原件----- 发件人: Cataldo Basile [mailto:[email protected]] 发送时间: 2018年7月17日 17:34 收件人: Diego R. Lopez <[email protected]>; Xialiang (Frank, Network Integration Technology Research Dept) <[email protected]>; Dongyue (Yue, Network Integration Technology Research Dept) <[email protected]>; [email protected] 主题: Re: [I2nsf] 答复: 转发: New Version Notification for draft-dong-i2nsf-asf-config-00.txt I completely agree with Diego. The purpose of a capability model is to 'understand each other' with precise, thus more granular, information that allows avoiding any ambiguity. Hence, a controller could automatically decide how to use NSFs. It is pretty known that marketing units repackage NSFs with brand new names that are good for selling software and equipment, but increase confusion for technical people (and for automatic systems as well). Imagine a scenario where a company make an epsilon modification to an IDS and sells it as a Smart IDS (SIDS). An automatic system must understand what 'Smart' means and what a SIDS can do that an IDS cannot actually do already. And now think about a concrete case, the IPS... So, in my opinion, flat enumeration of capabilities is the only way to deal with issue (different fields, like the actions that enforce, the flows/traffic they can identify, the events they react to, etc., i.e., the capability model we are authoring). Regards, Aldo On 16/07/2018 15:53, Diego R. Lopez wrote: > If you associate a capability action (let's say > collect-attack-evidence-enable) with a particular kind of device (as part of > the antivirus branch) I would not be able to declare or use that particular > capability unless the provider has stated the function is an antivirus, and > therefore consider all the other capabilities for the antivirus. What is > more, this prevents to have a common semantics for something like > collect-attack-evidence-enable if you have to declare it under other > branches. My understanding is that we have to deal with flat enumeration of > capabilities, but I might be completely mistaken from the beginning... > > Be goode, > > -- > "Esta vez no fallaremos, Doctor Infierno" > > Dr Diego R. Lopez > Telefonica I+D > https://www.linkedin.com/in/dr2lopez/ > > e-mail: [email protected] > Tel: +34 913 129 041 > Mobile: +34 682 051 091 > ---------------------------------- > > On 16/07/2018, 08:55, "Xialiang (Frank, Network Integration Technology > Research Dept)" <[email protected]> wrote: > > Hi Diego, > Thanks for your quick comments. In general, we agree with you that they > should be as the various capabilities to be applied. > But could you please clarify more about what is the difference to be as > capability model vs yang grouping model definition? > > Thanks! > > B.R. > Frank > > -----邮件原件----- > 发件人: Diego R. Lopez [mailto:[email protected]] > 发送时间: 2018年7月16日 20:00 > 收件人: Dongyue (Yue, Network Integration Technology Research Dept) > <[email protected]>; [email protected] > 抄送: Xialiang (Frank, Network Integration Technology Research Dept) > <[email protected]> > 主题: Re: [I2nsf] 转发: New Version Notification for > draft-dong-i2nsf-asf-config-00.txt > > Hi, > > My general comment to these definitions (and others that may come) is > that we should try to deal with them in terms of capabilities, and not in > terms of groupings associated to current (virtual or physical) devices. As an > example, rather than thinking of "antivirus", I'd propose to think about > "content analysis" or "content scanning" capabilities. > > Be goode, > > -- > "Esta vez no fallaremos, Doctor Infierno" > > Dr Diego R. Lopez > Telefonica I+D > https://www.linkedin.com/in/dr2lopez/ > > e-mail: [email protected] > Tel: +34 913 129 041 > Mobile: +34 682 051 091 > ---------------------------------- > > On 16/07/2018, 07:02, "I2nsf on behalf of Dongyue (Yue, Network > Integration Technology Research Dept)" <[email protected] on behalf of > [email protected]> wrote: > > Dear all, > > The action part of the NSF-facing data model listed many security > function actions, such as antivirus, ips, ids, and etc, that will be applid > on traffic flow when the event and condition clauses are satisfied. However, > I think it only list the corresponding names. And each type of the secuity > function action (i.e. ips, antivirus, etc.) should have many selective > profiles that could be executed. Therefore, we proposed a draft, > draf-dong-i2nsf-asf-config-00, that specifies the configuration detail for > each of the security function profile settings. And the NSF-facing data model > is able to reference these profiles. > > This -00 version of draft only contains the antivirus, ips, and > anti-ddos profiles. > > * Antivirus: The following figure shows the top-level tree diagram > for antivirus profile settings. Each profile contains the configuration data > for detection methods, detection configurations, signature exceptions, > application exceptions, and the white lists configruations. > > +--rw antivirus > +--rw antivirus-enable > +--rw profiles > +--rw profile * [name] > +--rw name > +--rw description > +--rw collect-attack-evidence-enable > +--rw sandbox-detection-enable > +--rw heuristic-detection-enable > +--rw detect* [protocol] > | . . . > +--rw exception-application* [application-name] > | . . . > +--rw exception-signature* [signature-id] > | . . . > +--rw white-list > . . . > > * IPS: The following figure shows the top-level tree diagram for IPS > profile settings. Each profile contains the configuration data for signature > sets, signature exceptions, and protocol control. > > +--rw ips-config > +--rw ips-enable > +--rw profiles > +--rw profile* [name] > + . . . > +--rw domain-filter > | . . . > +--rw signature-sets > | . . . > +--rw exception-signatures > | . . . > +--rw protocol-control > +--rw dns-check > | . . . > +--rw http-check > . . . > > * Anti-ddos: The anti-ddos part contains the configruation of the > alter rate and/or maximum speed/bandwidth to trigger the prevention functions > for each type of DDoS attacks. > > For more details, please review the draft: > https://tools.ietf.org/html/draft-dong-i2nsf-asf-config-00 > > We would like to obatain comments from i2nsf WG. Is this draft > valuable as an individual draft and will the NSF-facing data model reference > these profiles? > We will appreciate all the comments from I2NSF WG. > > Best Regards, > Yue > > -----邮件原件----- > 发件人: I2nsf [mailto:[email protected]] 代表 Dongyue (Yue, Network > Integration Technology Research Dept) > 发送时间: 2018年6月30日 15:11 > 收件人: [email protected] > 抄送: Xialiang (Frank, Network Integration Technology Research Dept) > <[email protected]> > 主题: [I2nsf] 转发: New Version Notification for > draft-dong-i2nsf-asf-config-00.txt > > Dear All, > > We have submitted a new draft about the nsf-facing interface data > model for configuration of some advanced security functions including > antivirus, antiddos, and ips. We will appreciate all comments. > > Best Regards, > Yue > > -----邮件原件----- > 发件人: [email protected] [mailto:[email protected]] > 发送时间: 2018年6月30日 15:06 > 收件人: Dongyue (Yue, Network Integration Technology Research Dept) > <[email protected]>; Xialiang (Frank, Network Integration Technology > Research Dept) <[email protected]> > 主题: New Version Notification for draft-dong-i2nsf-asf-config-00.txt > > > A new version of I-D, draft-dong-i2nsf-asf-config-00.txt > has been successfully submitted by Yue Dong and posted to the IETF > repository. > > Name:draft-dong-i2nsf-asf-config > Revision:00 > Title:Configuration of Advanced Security Functions with I2NSF > Security Controller > Document date:2018-06-30 > Group:Individual Submission > Pages:29 > URL: > https://www.ietf.org/internet-drafts/draft-dong-i2nsf-asf-config-00.txt > Status: > https://datatracker.ietf.org/doc/draft-dong-i2nsf-asf-config/ > Htmlized: > https://tools.ietf.org/html/draft-dong-i2nsf-asf-config-00 > Htmlized: > https://datatracker.ietf.org/doc/html/draft-dong-i2nsf-asf-config > > > Abstract: > This draft defines a network security function (NSF-) facing > interface of the security controller for the purpose of > configuring > some advanced security functions. These advanced security > functions > include antivirus, anti-ddos, and intrusion prevention system > (IPS). > The interface is presented in a YANG data model fashion and can be > used to deploy a large amount of NSF blocks that all support above > mentioned functions in the software defined network (SDN) based > paradigm. > > > > > Please note that it may take a couple of minutes from the time of > submission until the htmlized version and diff are available at > tools.ietf.org. > > The IETF Secretariat > > _______________________________________________ > I2nsf mailing list > [email protected] > https://www.ietf.org/mailman/listinfo/i2nsf > _______________________________________________ > I2nsf mailing list > [email protected] > https://www.ietf.org/mailman/listinfo/i2nsf > > > > ________________________________ > > Este mensaje y sus adjuntos se dirigen exclusivamente a su destinatario, > puede contener información privilegiada o confidencial y es para uso > exclusivo de la persona o entidad de destino. Si no es usted. el destinatario > indicado, queda notificado de que la lectura, utilización, divulgación y/o > copia sin autorización puede estar prohibida en virtud de la legislación > vigente. Si ha recibido este mensaje por error, le rogamos que nos lo > comunique inmediatamente por esta misma vía y proceda a su destrucción. > > The information contained in this transmission is privileged and > confidential information intended only for the use of the individual or > entity named above. If the reader of this message is not the intended > recipient, you are hereby notified that any dissemination, distribution or > copying of this communication is strictly prohibited. If you have received > this transmission in error, do not read it. Please immediately reply to the > sender that you have received this communication in error and then delete it. > > Esta mensagem e seus anexos se dirigem exclusivamente ao seu > destinatário, pode conter informação privilegiada ou confidencial e é para > uso exclusivo da pessoa ou entidade de destino. Se não é vossa senhoria o > destinatário indicado, fica notificado de que a leitura, utilização, > divulgação e/ou cópia sem autorização pode estar proibida em virtude da > legislação vigente. Se recebeu esta mensagem por erro, rogamos-lhe que nos o > comunique imediatamente por esta mesma via e proceda a sua destruição > > > > ________________________________ > > Este mensaje y sus adjuntos se dirigen exclusivamente a su destinatario, > puede contener información privilegiada o confidencial y es para uso > exclusivo de la persona o entidad de destino. Si no es usted. el destinatario > indicado, queda notificado de que la lectura, utilización, divulgación y/o > copia sin autorización puede estar prohibida en virtud de la legislación > vigente. Si ha recibido este mensaje por error, le rogamos que nos lo > comunique inmediatamente por esta misma vía y proceda a su destrucción. > > The information contained in this transmission is privileged and confidential > information intended only for the use of the individual or entity named > above. If the reader of this message is not the intended recipient, you are > hereby notified that any dissemination, distribution or copying of this > communication is strictly prohibited. If you have received this transmission > in error, do not read it. Please immediately reply to the sender that you > have received this communication in error and then delete it. > > Esta mensagem e seus anexos se dirigem exclusivamente ao seu destinatário, > pode conter informação privilegiada ou confidencial e é para uso exclusivo da > pessoa ou entidade de destino. Se não é vossa senhoria o destinatário > indicado, fica notificado de que a leitura, utilização, divulgação e/ou cópia > sem autorização pode estar proibida em virtude da legislação vigente. Se > recebeu esta mensagem por erro, rogamos-lhe que nos o comunique imediatamente > por esta mesma via e proceda a sua destruição > _______________________________________________ > I2nsf mailing list > [email protected] > https://www.ietf.org/mailman/listinfo/i2nsf > _______________________________________________ I2nsf mailing list [email protected] https://www.ietf.org/mailman/listinfo/i2nsf
