[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: FW: Request for BoF proposal.

To: Dinara Suleymanova <dinaras@ietf.org>
Subject: Re: FW: Request for BoF proposal.
From: Randy Bush <randy@psg.com>
Date: Thu, 27 Feb 2003 04:11:52 +0800
Cc: "Sahita, Ravi" <ravi.sahita@intel.com>, iesg@ietf.org
References: <65D5A07B5098D511BDDA0002A508E64F0B3495F7@orsmsx110.jf.intel.com><5.1.0.14.2.20030226103327.0267d860@odin>

put me as sponsoring area director, please.

avoid conflicts for me and for smb, please.

and i know you did not need this at the last minute, so i owe you
one.

randy

> You had to have the AD approval for this BOF. We can not schedule your 
> group without it.
> And actually, the request came after the cut-off.
> 
> At 06:32 PM 2/25/03 -0800, Sahita, Ravi wrote:
> >Hi,
> >I had sent this request for a BoF to the security AD
> >(Jeff Schiller) before the deadline, but have not
> >heard back from him yet. Just sending in this request
> >as a place holder.
> >
> >Ravi
> >
> >-----Original Message-----
> >From: Sahita, Ravi
> >Sent: Monday, February 24, 2003 11:05 PM
> >To: Sahita, Ravi; 'Reinaldo Penno'; 'Angelos D. Keromytis'; 'jis@mit.edu'
> >Cc: 'smb@research.att.com'; 'Sotiris Ioannidis'
> >Subject: Request for BoF proposal.
> >
> >Jeff,
> >
> >I wanted to make a request to get a slot for a BoF session
> >at the upcoming IETF meeting. The proposed charter is
> >listed below. We have 3 drafts in existence today, and a
> >public mailing list at disfi@lists.intel.com (the subscription
> >information is listed below).
> >
> >Regards,
> >Ravi
> >
> >Distributed/End-Point Firewall Control (DEFCon)
> >
> >Mailing Lists:
> >General Discussion: disfi@lists.intel.com
> >To Subscribe: send email to listserv@lists.intel.com
> >In Body: subscribe disfi
> >
> >DEFCon Charter:
> >
> >Perimeter firewalls (pfws) are predominant but do not
> >provide the protection against misuse or abuse from nodes
> >inside the network. Pfws are a potential bottleneck when
> >applying security rules for aggregated network traffic.
> >Stateful protocols cause additional complexity for pfws.
> >There is a need to open or partition parts of the network to
> >allow or avoid interaction between specific users. Wireless
> >infrastructures make every host vulnerable since here
> >access is not fundamentally restricted by infrastructure.
> >Traffic is increasingly being encrypted end-to-end hiding
> >viruses/worms/confidential information from pfws. This
> >either requires the pfw to become a proxy for secure
> >sessions causing performance and security problems, or be
> >rendered ineffective. The pfw approach breaks the e2e
> >principle and thus renders many protocols useless since
> >they are inevitably blocked network wide.
> >
> >Using end-point firewalls (epfws) network security rules
> >can be specified with a finer granularity and control, to
> >partition specific parts of the network. Rule specification
> >can be made simpler by targeting end-points instead of
> >aggregation points only at the perimeter. The epfw approach
> >does not preclude the perimeter approach instead it adds to
> >the security by introducing another perimeter at the
> >end-point. The epfw framework also enables interesting
> >network configurations without changes in the baseline
> >security rules. The epfw approach upholds the e2e theme and
> >can still try to keep the node (and the network) safe from
> >compromise and attack.
> >
> >Epfws also have the following additional advantages due to
> >being on the end-point instead of an intermediary:
> >
> >-       An epfw may have access to traffic in the clear
> >       (after decryption).
> >-       An epfw may have access to varying levels of
> >       state information.
> >-       Typically, an epfw will have to deal with a smaller
> >       number of security rules (as compared to a pfw)
> >-       Epfws by definition can provide a defense for wired
> >       and wireless nodes to attacks from inside or when
> >       roaming outside the network perimeter.
> >
> >The working group will tackle the following work items:
> >
> >-       A problem statement document for DEFCon.
> >-       An applicability statement for the DEFCon framework.
> >-       An architectural requirements document for the
> >       components in the framework. This document will cover
> >       the following topic regarding components, protocol
> >       and language:
> >       - Security (mutual authentication of
> >             control-points and end-points, integrity and
> >             confidentiality of rules and other
> >             pre-configuration issues)
> >       - Distributed versus Central control approaches
> >             and example deployment scenarios.
> >       - Scalability Considerations (potentially large
> >             number of epfws)
> >       - Co-ordination of epfw control-points and
> >             end-points with other security devices
> >       - Co-existence of non-DEFCon nodes in a DEFCon
> >             framework and co-existence of DEFCon nodes
> >             not-conforming to the DEFCon framework.
> >       - Using and leveraging trusted platforms
> >             when available.
> >       - Topology independent rule specification,
> >             translation and distribution. Handling rule
> >             conflicts.
> >       - Extensible Text Based Data Model requirements.
> >       - Interface and functionality compliance
> >             requirements of components.
> >       - DEFCon Protocol requirements.
> >       - Considerations for various end-point platforms
> >             with varying levels of firewalling capabilities,
> >             processing capabilities, virtual machine software
> >             support etc.
> >- Informational documents as necessary to describe current
> >   approaches for this area and examples of how the framework
> >   may be implemented.
> >- Extensible Text Based Data model for endpoint firewall
> >   rules language and associated semantics
> >- DEFCon Protocol and associated semantics.
> >
> >Security requirements are an important facet of all the
> >documents since the idea behind using epfws is to enhance
> >security. Also, Protocol and data model/language requirements
> >will ideally lead to choosing or extending if possible,
> >already existing work. A new protocol and/or data model/
> >language will be designed only if none is found suitable.
> >
> >The working group will not define:
> >
> >-Requirements that dictate how a particular function is
> >implemented. For example, a function may be implemented in
> >hardware or software as long as it meets the interface and
> >functional requirements as specified in the architecture
> >requirements documents.
> >
> >-Protocols to communicate requests between applications and
> >pfws and other middle boxes since that area is being
> >investigated by MidCom. The group will co-ordinate with other
> >relevant working groups to extend or reuse applicable work.
> >
> >Proposed Goals and Milestones for Working Group:
> >
> >April 03  - Submit I-D for DEFCon problem statement to IESG
> >             for Informational RFC publication.
> >May 03    - Submit I-D for DEFCon applicability statement for
> >             Informational RFC publication.
> >June 03   - Submit I-D DEFCon architecture requirements to
> >             IESG for Informational RFC publication.
> >August 03 - Submit I-D DEFCon Extensible Text Based Data Model.
> >             /Rule Language to IESG for Standard RFC publication.
> >August 03 - Submit I-D DEFCon Protocol specification to IESG
> >             for Standard RFC publication.
> 
> 
>

Follow-Ups:
- IPR on DISFI BoF
  - From: "Steven M. Bellovin" <smb@research.att.com>

References:
- Re: FW: Request for BoF proposal.
  - From: Dinara Suleymanova <dinaras@ietf.org>

Prev by Date: Re: SIGTRAN meeting
Next by Date: Please post MANET charter
Previous by thread: Re: FW: Request for BoF proposal.
Next by thread: IPR on DISFI BoF
Index(es):
- Date
- Thread