Thomas, Comments inserted below:
-----Original Message-----
From: I2nsf [mailto:[email protected]] On Behalf Of Thomas D. Nadeau
Sent: Wednesday, February 04, 2015 10:37 AM
To: Linda Dunbar
Cc: Russ White; [email protected]; [email protected]; Susan Hares; [email protected]
Subject: Re: [I2nsf] [i2rs] revised charter for I2NSF

> On Feb 4, 2015, at 11:25 AM, Linda Dunbar <[email protected]> wrote:
>
> Russ,
>
> Thank you very much for the suggestion of framing in terms of services. What
> do you think of the following changes to the I2NSF charter with your
> suggestions added?
>
> In a nutshell, the Interface to vNSF (I2NSF) allows clients to communicate
> their specific security policies (request/monitor/report) to security
> functions. I2NSF will specify a vNSF framework, requirements for a
> programmatic interface to vNSF devices (configuration and dynamic
> programmatic), and information and data models for security functions'
> Operation, Administration, Maintenance and Provisioning (OAM). The
> information models will include the following security functions:

Why wouldn't you do the models for those OAM functions where those functions
are modeled already? I don't see the need for a special WG that creates a
subset of models that can be done elsewhere, like in LIME, or the Routing Area
groups that are already chartered to do this stuff.

[Linda] LIME addresses OAM for the network layer: connectivity (link/port)
failures and end-to-end performance measurement, whereas I2NSF is for security
policies to be enforced by distributed (virtual) network security functions
(vNSF). I2NSF provides a standard interface to express, monitor, and manage
the security policies across distributed security functions that may be
running on different premises.

This leaves just doing requirements and a framework for this proposed group,
which, without clear goals to build things from, is a WG looking for a reason
to exist rather than the other way around.

--Tom

>
> * Firewall
> including various services associated with FW, such as stateful or deep
> packet inspection, packet/flow/stream filtering and redirect (remote and
> local), etc.
>
> * Intrusion Detection System/Intrusion Prevention System (IDS/IPS)
> Including intrusion detection (flow/stream pattern matching)
>
>
> Linda
>
> -----Original Message-----
> From: i2rs [mailto:[email protected]] On Behalf Of Russ White
> Sent: Tuesday, February 03, 2015 7:35 AM
> To: 'Susan Hares'; Linda Dunbar; [email protected]
> Cc: [email protected]; [email protected]
> Subject: Re: [i2rs] revised charter for I2NSF
>
>
> Interesting concept. One thought that might be helpful --
>
>> * Firewall
>> * DDOS/Anti-DOS
>> * Intrusion Detection System/ Intrusion Prevention System
>> (IDS/IPS)
>> * Access control/Authorization/Authentication
>
> I think I would try to frame things in terms of services, rather than
> devices, or a mix of the two. For instance -- what does a "firewall" really
> do? Stateful packet inspection, deep packet inspection, and... ?? So maybe a
> list something like this might make sense -- (and remember, this is
> brainstorming, nothing more) --
>
> - Stateful packet inspection
> - Deep packet inspection
> - Packet/flow/stream filtering (remote and local)
> - Packet/flow/stream redirect (remote and local)
> - Intrusion detection (or perhaps flow/stream pattern matching?)
> - AAA
>
> Don't know if this is a useful line of thought or not.
>
> :-)
>
> Russ
>
> _______________________________________________
> i2rs mailing list
> [email protected]
> https://www.ietf.org/mailman/listinfo/i2rs
>
_______________________________________________
I2nsf mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/i2nsf
