Hosnieh, 

Since the Flow Based Security Functions (FW/IPS/IDS/Webfilter) examine packets 
(deeper into the layers) and take actions, which is similar to routers, the gap 
analysis needs to document the key differences in matching criteria and actions. 

For example, the matching criteria for Flow Based Security Functions can be 
deeper in the data packets, and can also be vendor-specific service flavors 
registered by the security functions: 
- TCP port, 
- UDP port, 
- HTTP header, 
- QoS field, 
- packet size, etc., 
- special events, 
- time of the day, time span, 
- service flavors (vendor specific), 
- combination of any fields above.


I2RS/BGP primarily deal with L2/L3 header. Most forward based on destination 
addresses, some may forward based on source address:
- Ingress port, 
- destination MAC, 
- source MAC, 
- MPLS, 
- VN_id, 
- destination IP, 
- source IP, or


In addition to the actions that are commonly supported by routers 
(pass/drop/mirror), there may be more actions by the Security Functions: 
statistics (report to a destination) or function call (IPS/IDS/AV/URL 
filter/authentication/...).

Cheers, 

Linda 
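A toy policy evaluator illustrating the split Linda describes above: rules that mix L2/L3 header fields with deeper security-function criteria, the extra actions, and a "function call" action that hands the packet to another security function. This is an added example, not code from the thread or from any I2RS/I2NSF draft; every field name, rule and packet is constructed.

```python
"""Toy model of the I2NSF vs. I2RS policy split discussed above (constructed example)."""
from dataclasses import dataclass

# Header fields an I2RS/BGP-style router policy matches on (L2/L3), versus the
# deeper or vendor-specific criteria a flow-based security function may add.
L2L3_FIELDS = {"ingress_port", "dst_mac", "src_mac", "mpls", "vn_id", "dst_ip", "src_ip"}

@dataclass
class Rule:
    match: dict   # field name -> required value; any mix of L2/L3 and deeper fields
    action: str   # "pass", "drop", "mirror", or "call:<function name>"

@dataclass
class Function:
    name: str
    rules: list
    default: str = "pass"

def matches(rule, pkt):
    return all(pkt.get(k) == v for k, v in rule.match.items())

def evaluate(fn, pkt, functions, depth=0):
    """First-match evaluation; a 'call:' action hands the packet to another
    security function (the recursive action the [bnpModel] extension would need)."""
    if depth > len(functions):  # a cycle of call: actions would otherwise recurse forever
        raise RuntimeError("security function call loop")
    for rule in fn.rules:
        if matches(rule, pkt):
            if rule.action.startswith("call:"):
                return evaluate(functions[rule.action[5:]], pkt, functions, depth + 1)
            return rule.action
    return fn.default

def gap_fields(fn):
    """Match fields this function uses that an L2/L3-only (I2RS) policy cannot express."""
    return sorted({k for r in fn.rules for k in r.match} - L2L3_FIELDS)

# Constructed functions: the firewall hands port-80 flows to a web filter that
# matches on an HTTP header, something no L2/L3 forwarding policy can express.
WEBFILTER = Function("webfilter", [Rule({"http_host": "blocked.example"}, "drop")])
FIREWALL = Function("fw", [
    Rule({"src_ip": "10.0.0.9"}, "drop"),                            # pure L3 rule
    Rule({"dst_ip": "10.0.0.5", "tcp_dport": 80}, "call:webfilter"),  # L3 + L4 -> function call
    Rule({"pkt_len": 1500, "hour": 3}, "mirror"),                    # packet size + time of day
])
FUNCTIONS = {f.name: f for f in (WEBFILTER, FIREWALL)}

def classify(pkt):
    """Run a constructed packet (a dict of header/deep fields) through the firewall policy."""
    return evaluate(FIREWALL, pkt, FUNCTIONS)
```

`gap_fields(FIREWALL)` lists exactly the criteria that would be missing from an I2RS-only information model, which is the kind of difference the gap analysis needs to record.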

-----Original Message-----
From: I2nsf [mailto:[email protected]] On Behalf Of Hosnieh Rafiee
Sent: Tuesday, February 24, 2015 2:20 PM
To: '[email protected]'
Cc: [email protected]
Subject: [I2nsf] gap analysis - I2NSF vs. I2RS

Hello,

We are working on a new version of the gap analysis document for I2NSF. Since it is 
important for us to identify the exact scope of each WG that might have
any overlap with the work we are doing in I2NSF, we invite you to provide
us with your inputs on our work.


The following is our current context about your group. 

------

I2NSF should leverage the protocols developed by I2RS. I2NSF is only 
to develop the additional information models and data models for 
distributed security functions, like FW and IPS/IDS. 
The Policy structure specified by [bnpModel] can be used by I2NSF to 
be extended to include recursive actions to other security functions.


[bnpModel] Hares, S., Wu, Q., "An Information Model for Basic Network Policy", 
           http://tools.ietf.org/html/draft-hares-i2rs-bnp-info-model-01, 
           October 2014
-----

Thanks,
Best,
Hosnieh


_______________________________________________
I2nsf mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/i2nsf
