From YouTube: IETF100-I2NSF-20171114-1550
Description
I2NSF meeting session at IETF100
2017/11/14 1550
https://datatracker.ietf.org/meeting/100/proceedings/
C: So this working group's primary deliverables are the information models and data models, and here are the current drafts. We have the capability draft, the working group draft now, and along with that there will be some others, like the client-facing one, the client-facing information model and the registration information model, and we also have the monitoring information model.
C: So we decided that the first thing is to work with the NSF-facing data model, make sure the data model is consistent with our capability draft information model, and then the next one is going to work with the client-facing one, and so tomorrow afternoon is the one. We're gonna discuss the NSF-facing data model with the capability information model. Okay, and.
D: Yeah, so as you know, I2NSF uses the NETCONF and YANG data model to provide a standard interface to manage many heterogeneous network security functions. So in this project we try to verify that this concept of the I2NSF framework is feasible using various open source software. So this work is a student project which involves seven graduate students at Sungkyunkwan University.
D: So this is a hackathon poster. I just want to show you for reference, and in this hackathon we tried to extend I2NSF, or the existing I2NSF framework implementation, with the followings. So first, we implemented the consumer-facing interface based on RESTCONF and YANG. Second, we implemented the registration interface using NETCONF and YANG, and third, we implemented SFC-based service function chaining based on the network service header and a tunneling protocol.
D: So to implement our consumer-facing interface, we used the RESTCONF protocol and YANG, and to implement the RESTCONF protocol we used JetConf. So basically, in our implementation, the I2NSF user specifies a high-level security policy in XML like this, and then the I2NSF user sends the high-level policy in XML to the security controller using the RESTCONF protocol through this RESTCONF server, and then we implemented our registration interface. So we implemented this registration interface based on NETCONF and YANG.
D: This developer management system is responsible for registering each NSF. So, for example, to register a firewall, this developer's management system sends the capability YANG data of this firewall in XML. So, for example, this capability YANG data may specify IP address inspection and port number inspection, something like this, and for this capability YANG data we reused this capability data model. And as a second example, to register this web filter, similarly this developer's management system delivers the capability YANG data.
D: In this case, URL inspection capability, and this YANG data is also described in XML based on this data model. And to implement our service function chaining, we used the network service header, so we attach this NSH header to the original packet, and to support forwarding the packet to this NSF of firewall or web filter we used a tunneling protocol, which is Generic Routing Encapsulation, so this additional header is attached in addition to this NSH. So this packet is forwarded to the NSF.
D: First it arrives in this SFC proxy. So SFC proxy, an SFC proxy, is required to support some legacy network security functions. So this SFC proxy detaches this yellow header field and forwards this original packet to an NSF for security inspection. So to forward the packet to another NSF, the similar procedure is repeated, so this SFC proxy attaches back this yellow header field and forwards to the SFF, and the SFF forwards to the next NSF. So we implemented all such functionality for chaining multiple types of network security function.
D: So we uploaded our code at GitHub, so you can download our code from this URL, and so through this I2NSF project we keep trying to verify the feasibility of the I2NSF project using open source. So with these types of open source we keep trying to verify the concept of the I2NSF framework.
C: I have a question: I noticed that you have this client-facing data model. Is that to the controller, or is that to the SFF function, like a.
F: I should have let you speak. I wanted to simply underscore how impressed I am that you're pressing the technology forward on the registration. That's usually a very key point in a network for making it manageable and deployable, and I want to thank you for that leading-edge work. Thank you.
D: This is someone again. This presentation is about the applicability of I2NSF, so in this draft we explain the general security service procedure in the I2NSF framework, and we also explain several use cases of the I2NSF framework. So in this presentation I will first explain the general security service procedure in the I2NSF framework, and as an example I will introduce the time-dependent web access control security service scenario, which involves firewall and web filter.
D: So this slide is about the general security procedure in the I2NSF framework. So in the first step, the I2NSF user specifies a high-level security policy, which is about the security requirement they want, and delivers this high-level security policy to the security controller. Then the security controller analyzes the received high-level security policy and identifies what kinds of security capability are required to enforce this high-level security policy, and then the security controller identifies specific NSFs for the required security capabilities.
D: Then the security controller generates low-level security policy rules for each of the required network security functions, and then the security controller sends the low-level security policy to each of the network security functions through this NSF-facing interface, and then the network security function enforces the low-level security rules on incoming packets to eventually enforce this high-level security policy requirement.
D: So in this slide I'd like to introduce a general use case of time-dependent web access control. Actually this scenario is the security service scenario we implemented in our hackathon. So in this scenario we assume that an enterprise network administrator wants to block every staff member's access to Facebook during business hours. So in this case a hypothetical example of a high-level security policy is something like this: block the access of staff members to Facebook from 9 a.m. to 6 p.m. So the I2NSF user...
D: ...sends this high-level policy to the security controller, and the security controller analyzes and identifies the required security capability. In this case, IP address and port number inspection capability is required, and for this capability now we assume that this capability is provided by the firewall network security function, and the other required capabilities are URL inspection and time checking.
D: So we assume that these capabilities are provided by the web filter network security function, and then the security controller generates low-level security policy rules for each of firewall and web filter. Then our security controller sends the low-level policy to the firewall and web filter. So if a staff member tries to access facebook.com/, then the traffic is first forwarded to the firewall for basic inspection.
D: So if the two conditions match this packet, this firewall triggers the web filter for more inspection, in this case target URL inspection. So if this packet is forwarded to the web filter, then the web filter checks whether the target URL is facebook.com or not. So if this condition is satisfied, then the web filter drops the packet.
D: So this is the scenario of time-dependent web access control, and another thing we explained in this draft is integrating the I2NSF framework with software-defined networking technology, and this integration can optimize the security service procedure by dividing the security policy enforcement into SDN switch and NSF. So specifically, SDN switches can be utilized to enforce simple packet filtering rules, whereas our NSFs are used to enforce more complicated security inspection. So this figure illustrates this dividing of the security policy enforcement into SDN switch and network security function.
D: So in this newer version we have revised section 3 to explain the time-dependent web access control scenario, and in section 4 we explained the motivation of integrating the I2NSF framework with SDN, and we also revised section 4.2 to explain the security service chaining using SFC for this VoIP priority security service scenario.
J: I understand that, but I don't see how, and even worse, in the future you're going to access the URL? It could be encrypted, so you are not going to be able to implement your feature to say: I want to block this URL from 8 a.m. to 6 p.m., because you will not be able to access this. You have perhaps the domain, but not the URL.
C: Just one comment: we didn't capture your name; maybe you can go to the notes. It's a pad, it's an Etherpad! You can enter your name there. Oh my.
E: Cataldo Basile. I have a few questions on the way the policy refinement works, because I want to know what part of the refinement of the high-level policy into low-level policies is coded in static information, like Facebook, time, and what is the part that is intelligently, mostly made by your policy refinement system. And then another question about the capabilities: how can you tell the actual difference between a firewall, from a packet filter, from the Cisco firewall or from another brand?
D: So actually, this is an example of a high-level policy, so in this case the I2NSF user doesn't have to worry about the specific IP address being used by staff members, something like that, yeah. So this is how this is all a general high-level security policy, so, but from this policy we cannot directly apply what we want. So in this case the security controller needs to identify the IP address that has been used by the staff member, something like that, yeah.
E: How is the inside of the security controller made? Okay, you map the high-level policy into the low-level security policies. So how do you actually do this? Because we are also working on a similar thing and we are using different methods, you know, with the inference logic and some mapping with ontologies, and it's a lot of work we are doing on this, and I want to ask you: did you actually implement...
E: Then for the security controller, so when reading the other drafts from the I2NSF documents, the security controller makes different functionalities, but there is no explicit request of, I mean, a policy refinement engine inside the security controller. So this is an open question, probably for the group, for the future discussion: is the security refinement engine a part that must be inside the security controller or an external component? Because in my understanding, at the network layer, the policy refinement is outside.
E: While you incorporated it in a single box, security controller, and then there is all the management of the load in the network, security functions, pushing the configurations, and this is everything up to the security controller as intended by this working group, and the policy refinement has never been explicitly indicated. So that's my doubt at this point. I just...
C: Want to add some comment to that: your questioning about the internal brain, how does a controller translate from the user level to the NSF-facing, right? There is an open source project on that by Linux Foundation called Open Security Controller, and their goal is to, actually started by Intel, and so that is where they would have open source code translating from user intent policies to more specific function-level policies, so something we can look into. Okay.
F: Our management and routing and some of the other internal pieces are actually per implementation, so it won't be found in the data models that you're seeing. That compressed come... it's truly important. I just wanted to say you won't find it in the data models. He may have it, the open source may have it, but it's specifically not there.
A: So, between, if you remember in previous meetings, we always had some people from Murcia University (I'm not pronouncing that right) coming in, having their draft for controlling IPsec, and we've always had the IPsec mafia (I was part of that) coming in to say no, that's a terrible idea, we shouldn't do that because they don't understand how VPN works.
A: So in between these two IETFs, in between the last IETF and now, we had a virtual interim meeting where we discussed this, and as it turns out, the scope of what they're doing is really separate from the traditional VPN, traditional IPsec VPN, that we were also concerned about. So we reached agreement and we adopted their draft, and now Gabriel was...
M: The idea is to define the framework to centralize the establishment of security associations from the security controller, and also to define the NSF-facing interface required to manage and monitor the security association, in this case the IPsec security associations, in the network security function element from the security controller. In the draft we propose two cases. In case one, we suppose the network security function implements all the traditional IPsec stack, including the kernel elements like SPD, SAD and PAD, but also the key management protocol, in this case IKE.
M: Also, we define a case two, in which we suppose the network element implements only the IPsec databases, that is, the SPD and SAD, but no IKE in the network elements. So in this case the security controller should provide the network security function with the entries for the policies in the security policy database, but also the required information for the security association database.
M: Okay, next please. Well, from the last version of the draft we have done a little update in section 5.3, in the case one versus case two discussion. We have included some text about what happens, what could happen, just to introduce the problems of what happens when the network security function restarts, the behavior of the network security function, because it may lose a part of the IPsec state. So, well, it's just a way to introduce the discussion, and we by default...
M: We suppose that the state in the network security function is lost and therefore all the information has to be configured again from the security controller, depending on case one or case two, but we can also think of other, more optimized options, like it can be considered that the configuration is permanent in the network security function between reboots, following the traditional way of running config and startup config in the network security function.
M: The comment, and you are right, the idea is that the security controller has to recreate the information, mainly in the more problematic cases, as you say in this case, because we have to... The security controller has to recreate again the security policies and also the security association database.
M: The main changes were in the SAD model. We have aligned the description of the AH and ESP description, just to be coherent with the description of the elements we have introduced. We have, in this case, modified the combined encryption element in order to improve the description of how to represent the combined encryption algorithm by means of the authentication and encryption previous elements.
M: Next, please. Well, regarding the YANG configuration data model, we have also, following the recommendation from Paul, updated the autostart of the startup element, which was previously a boolean element. Now it represents states of always on, on demand and respond only. We need here some text describing the states, the different states.
M: As commented before, we have added a new security considerations section 16, in which we assume that, of course, the security controller is the key point here, like in every SDN scenario. We assume that in this case the security controller has to follow the security requirements specified in the ideal d3300 + RFC 8192 document, and we have also introduced some text about the problematic of how to avoid, in this case, the impersonation of the IKE element. This text also needs to be improved. It's just a first version for discussion.
M: ...that the network security function must not allow the reading of these values once they have applied them. That's, it's just to configure read-only operation in the network security function, and well, just some ideas of how to avoid impersonation, in this case in the IKE element. If we are using the PSK scheme, then immediately after distributing the PSK, the security controller shall remove it. If we assume that it is using raw keys, the security controller should remove the associated private key immediately...
M: ...after distributing them to the network security function, and in the case the IKE element makes use of public key certificates, one option could be that the network security function may generate the private key and export the public key for certification in the security controller. As said before, these are just some first ideas to solve the problem of impersonation.
M: Next, please. Well, just to finish, some next steps that we have in mind. The first one is to continue with the revision of the configuration data model based on comments from the working group, but also to start another important point, that is, the state data model, in order to allow the security controller to monitor the behavior of the network security function in both cases, case 1 and case 2. And next please, that's all. Thank you very much for your time. Sorry again for the delay.
N: Wish, there we go: okay, click.
N: Okay, there's something that I can figure out how to use this, okay. So the capabilities draft was recently adopted by the working group. This is just a quick reminder of what capabilities is, and the purpose of this slide is to remind the data model authors that there's a difference between capabilities and events, conditions and actions. Events, conditions and actions are not capabilities.
N: There's a duality, however, between capabilities and policies. Capabilities describe functionality. Policies can be used to manage that functionality. They can be used to define a new capability. They can be used to combine different capabilities, so this network device consists of this set of capabilities.
N: The purpose of this draft is to ensure that capabilities are independent of the packaging, the deployment and other characteristics of both physical or virtual NSFs. We used an object-oriented information model to maximize interoperability. Even though the IETF is very interested in YANG, there are plenty of other applications, like cloud, that don't use YANG, so in the future...
N: If we want I2NSF adopted, we need to keep that in mind and be able to produce other types of data models that have a common definition and a common semantics with the YANG models that this group is producing. So just to be clear, I'm not saying that we should produce, for example, a relational calculus model; I'm just saying that other people might want to. The current ECA model and capabilities actually have two different parents.
N: So capabilities are a type of metadata. Policy rules are a type of object in the system that metadata can describe. Not only can metadata describe the policy rule as a whole, but metadata can be used to describe the component parts of that policy. I can have metadata for events that is very different than metadata for conditions that is very different than metadata for actions.
N: The behavior that we have right now is what we'd call simplistic, but still powerful. So if an event fires, it is represented as a boolean clause. So if time is greater than 8:00 in the morning and user is not authenticated, that would be two terms in a boolean clause that gets evaluated. If the boolean clause evaluates to false, next rule, we're done. If the boolean clause evaluates to true, then we evaluate the condition, so the event can be viewed as setting the context.
N: The condition is now what you would call the selection of the applicability of the actions in that policy. So now we've got: it's 8:01, John hasn't been authenticated yet. Yes, the event boolean clause returns true, we now evaluate the condition, and that condition can have any number of things from any of the packet headers, as well as other data. We could have IPFIX data, we could have other types of data, and if all of that is true, now we are ready to execute an action.
N: Note that I didn't say we will execute an action; that depends upon metadata and a resolution strategy. So if I had five rules, my metadata might, for example, say execute the first rule you come to and then return; it might say execute the last one, because we all know from ACLs the order is kind of important; it might say execute every rule until something fails and then do something else, etc., etc.
N: So this metadata, this is an example of what we call prescriptive metadata that applies to the rule as a whole. You can also, of course, have descriptive metadata like, for example, best current practices. The resolution strategy is defined by a formal algebra. We all find it fascinating reading; we'd like some comments from the working group. That's a hint, by the way. We're going to enhance this, but you'll have to read the next draft to see how we enhance it. The biggest contribution of this algebra is that detecting conflicting policies is really hard.
N: I've graduated three PhD students whose theses were about policy conflict detection and remediation, and it's still not solved in the general case, I promise. So this capability algebra is a very simple and, hopefully, not computationally complex (at least we don't think it is) way to determine if two or more policy rules conflict, i.e. their event and condition clauses are both satisfied, but their actions do two different things to the same object. That's a bad thing!
N: ...control points such as priorities that allow for a deterministic solution. So, for example, if I have two rules, one says authenticate, the other one says don't authenticate. If the priority of the first is higher, it wins. There's some other mechanisms, but we could talk offline, or, although, if you want to add anything, Mike.
E: The model is about what a network security function can do, so we don't fix the resolution strategy or the way the conflicts are managed. We just need to describe, in order for the security controller to understand how to manage the network security functions, what are the strategies available at the current function. So there is nothing fixed; there are several ways, as expressed.
E: John, but in general, the capability model must just allow the vendors or the people using this system to understand what I can do with the network security function. Then, if you support, you can enable; if you support more, you can select; if you don't have an internal resolution or a conflict resolution internally, you don't use.
N: Yeah, and in fact, to generalize what Aldo just said, what we're trying to give you is Lego building blocks, so we're giving you a bunch of building blocks to put together your policy the way you want to, because who are we to tell you how to build a policy, right? So do take a look at the resolution strategy part in the draft, and let us know if it meets your needs. So, next steps for the capabilities ID.
N: This is actually going to be a fairly large rewrite. It's going to be a large rewrite, because we are going to move towards a more academically precise information model, with guidelines on how to translate that back into English. So don't be scared, and so you can look at these and others as being implemented using UML, using wherever possible design patterns. And if we have time at the end, we'll talk a little bit about what a software design pattern is.
N: So an example of one of the patterns is the decorator pattern. Decorator pattern is one of the most underappreciated, underused patterns I know of. It was actually defined in 1995 in the Gang of Four seminal book Design Patterns. That's 22 years ago. It's used in the Java IO library and other parts of Java, in lots of other places. It is an alternative to inheritance. In inheritance, I start with an object foo, and I say if I need new functionality, I create a subclass of foo called bar. Well, that's fine.
N: As long as a number of principles are followed. It can also lead to class explosion. The simplest example I can think of is if I'm building a windowing toolkit and I start with the base object called a window, and I have a horizontal scrollbar and maybe a vertical scrollbar and the title bar and a bunch of icons, on and on and on. If all of these are objects and I want to represent every possible permutation of them using inheritance, I take the permutation of all of those; that's a big number.
N: There's also another set of patterns that will introduce... The question that we'd like the working group to ponder is: do you want one ID which is going to be well over a hundred pages? That's a hint. Or should we split these things out into a separate ID? Don't have to answer now, and that's it. Questions? Seems.
J: So apologies, I'm new to this work, so I don't have the background on everything. So first question is: how are you approaching the access controls? Is it something you go down to that level when you want to specify certain functions to do something, single access controls, so...
N: That's not currently in the scope of this document. If you're interested, I built an RBAC and ABAC UML model before, so I could point you at that work. So those are... RBAC and ABAC and other types of access control are really design philosophies, right? And so they're not really a capability, although you could define a capability that says here are the access control models that I support on a contextual basis or even a per-object basis.
J: Second question is actually the language approach of the policy aspects. So I mean I looked at two products, one on proxy on the web and one on SMTP MTAs, that are too good to pass up, describing a full language to actually explain the policies and then get them to implementation. So have you looked at specific implementations like this? Because the concern I would have is: are you sure that you're carrying all what we're going to need with this capability?
Q: This draft is an updated version from the previous version. This draft defines the YANG data model corresponding to the information model for the network security function NSF-facing interface. This YANG data model was verified through a prototype implemented at the IETF 100 Hackathon. This slide shows the major changes over the previous version.
Q: The left figure shows the capability information model and the right figure shows the NSF-facing interface data model. In the right figure, some classes of the ECA policy rule can be inherited and used to type the network security policy rule extensively, so that other policy rules can be added.
N: John Strassner. So in general, looking at this latest version, I think you've done a very good job. There's a meta question for the working group: there's two very different ways of building YANG models. The first is what I'll call a traditional way, where it's basically just a hierarchical model, much like what you've done.
N: The second is making YANG more object-oriented in spite of itself, and for example, even though YANG is not object-oriented, you can use YANG tools like a grouping and an identity to define an ID for an object that corresponds to the information model class, and this, in my humble opinion, solves a number of deployment problems that you'll have with YANG. So I think that we should discuss this at some future point, not now, and come to a consensus in the working group. Thanks. Thank you.
F: Yes, you may be shocked and fall over because they're stopped now, but yes, I know, but they're actually moving in that direction. So I strongly think that in doing our YANG models to work with the IETF we will be... I would suggest that this working group would go in the direction of the YANG guidelines that align with John.
Q: We have made it possible for vendors to expand this YANG data model according to the specific capabilities of their network security functions. We added examples in Appendix A. It shows an extended YANG data model for a specific network security function, for such an extended pure IP purity security function capabilities; in Appendix B, it shows configuration XML for chaining the network security function capabilities and the extended pure IP purity security function capabilities.
Q: Vendors can extend the capability YANG data model through inheritance. People talk about the YANG data model does not provide the dodging of flow by the capabilities for the network security function. Specify the network security function of vendors in the bigger addition; in this speaker, a vendor can extend the capability YANG data model through inheritance.
C: A question: so what's the major difference between the capability data model and the NSF-facing data model, because you also, for both of them, what's the major difference, I think.
Q: In the case of the capability YANG data model, we can use the YANG capability data model in order to register to the security controller, and in the case of the NSF-facing interface YANG data model, we can use the YANG data model to configure the network security function. We implemented the prototype at the IETF 100 Hackathon.
F: To help you out, John, one of our discussions needs to be looking at the grouping you just discussed and see if we can have common grouping to reduce the complexity, and we started with implementation and now we need to look at that factor. Okay, I think that's what you were trying to help us do earlier, right?
O: This is a new version of this draft about the customer-facing interface information model for I2NSF, and here the customer-facing means the northbound interfaces for the security controller, so the applications request their requirement, that is, the end-to-end security service requirement, to the security controller, and how we define this kind of service requirement in information model style, okay. So next page, okay, so, firstly, I will give an introduction of the major changes in this version and then...
O: Some more details about how the current information model is designed and the next planned steps. OK, next page, OK. And before I give the major changes of this draft, I want to say that actually the original idea of this customer, or this client-facing interface information model, is from some enterprise users, from the Europe and United States enterprise users. So we got a lot of information input from them, so that helped us to get enough content for this...
O: For this information model, and then we have the customer-facing requirement draft, which is our working group draft now, and then, based on that requirement draft, we have written this information model draft. But from my personal view, I think that the current information model is not so formal. You know, it's more like some content that we need, and we listed it here and we organized it into some single structure. But I think later, after the work we compile this customer-facing model to the capability information model, agreed by our working group to be the basic information model, we need to reorganize the information model to make it more consistent and more formal. So I think we already did this work in this version, and we need to do this work later. Okay.
R
Has
their
customer
information
facing
information
model?
You
probably
know
where
I'm
going
with
this?
Has
there
been
any
discussions
or
thought
about
allowing
subscription
to
the
customer
facing
model
on
change
so
that
a
customer
can
subscribe
to
this
model
and
get
the
changes
pushed
to
them
and
are
there
any
I
to
NSF
requirements
for
yank
push
yeah.
O
I
think
that
make
sense.
Actually
we
we
have.
We
have
some
content,
indeed
carnage
after
talking
about
the
telemetry
data,
because
just
like
what
you
said,
the
the
user
needed
the
security
controller
to
send
the
some
of
the
telemetry
information
from
the
network
or
from
the
security
devices
and
to
his
application.
So
but
right
now,
I
think
it's
not.
Maybe
it's
not
complete,
or
it's
not
consider
so
well
yet
I
think
later
we
can
discuss
and
add
more
good
work
based
on
the
yam
push
subscribe.
We
can
you
then.
Yes,.
R
O
G
E
G
Saying
that
the
document
has
no
value,
and
probably
precisely
these
alignment
with
there,
it
was
mentioning
on
this
Netcom
push
for
to
from
from
the
user
point
of
view.
Probably
both
help
is
nothing
understanding
that
here,
probably
what
we're
talking
about
this
is
about
the
operations
and
this
and
the
operational
semantics
of
the
interface,
which
is
not
necessarily
an
information
model.
We
are
I,
mean
I
know.
G
O
I
understand
your
concerns:
yeah
I,
don't
and
yeah
in
principle,
in
our
advanced
networking
group
that
we
we
have
a
consensus
that
we
we
should
have
the
basically
information
motor
and
we
should
follow
those
those
die
and
those
way
to
define
our
us
syntax
and
our
you
know
the
attributes
anything
so
anyway.
Let
me
finish
my
presentation
and
we
can
get
calculator
and
how
to
organize
all
this
document.
O
Okay,
I
from
this
picture,
you
can
see
that
we
we
got
a
requirement
and
what
is
the
information
we
need
from
the
requirement
draft?
And
then
we
in
this
version
we
organize
the
information,
the
the
structure
of
the
customer
facing
the
faces,
a
motor
and
to
follow
the
the
if
a
motor
and,
if
and
have
ability,
algebra,
so
I
think
that's
more
consistent
and
now.
Okay,
that's
the
maintainer
of
the
this
this
this
document
dissolution
next
page,
okay,
so
that
that
is
the
current
kind
of
structure
of
the
customer
facing
the
faces
motor.
O
E
O
And
the
drawer
is
constructed
about
the
event
condition
action,
so
I
don't
modify
any
concrete
content
of
every
every
object,
adjusted.
We
we
we
organize
there,
the
whole
architecture,
okay,
so
that's
the
current,
a
new
architecture
of
this
motor.
Ok
next
page,
so
the
the
the
the
the
the
the
Sarah
the
later
pages
several
pages
are
all
about.
Each
issue
object
of
this
motor.
O
Because
for
security
devices
there
are
a
lot
of
actions
begin
to,
in
addition
to
the
ACR
or
just
some
Fiat,
or
something
okay,
and
now
you
can
see
that
the
priority
primary
section
and
the
secondary
section
second
section
is
mainly
for
some
unlock,
some
two
more
two
more
things
than
just
a
controller
traffic.
We
need
to
some
lock.
We
need
to
do
some
syslog
something
Joe
I.
N
N
There's
these
there
are
some
of
these
are
objects.
Some
of
these
are
attributes
and
I,
don't
think
that
all
of
them
are
generically
applicable.
So,
okay,
so
the
problem
with
the
information
model,
if
you
do
it
this
way,
is
that
you
end
up
with
large
heavyweight
objects
that
people
won't
use
because
they
don't
contain
just
that
information
that
they
want.
This
is
actually
a
case.
We're
using
some
of
the
new
patterns
would
actually
be
superior
than
making
heavy
weight
classes.
O
Hundreds,
it's
not.
We
don't
say
that
we
must
define
this
in
the
any
motors.
It's
just
a
sum,
so
information
that
we
need
in
somewhere
to
do
the
are
to
the
security
service
control.
It
may
be
in
the
basic
motor
or
it
may
be
in
the
inherited
in
the
some
subclass
right.
So
so
it
depends
on
the
arm,
our
overall
information
motorway.
So
we
have
one
completed
information
model
and
then
how
we,
how
we
construct
more
specifically
motor
based
on
this
those
information
model,
so
I
think
that's
a
further
work
we
need
to.
O
So
I
think
people
can,
if
you
are
enjoy
yo
you
can
you
can
take
a
look,
these
slides,
so
other
objects
included
autos
upon
to
the
multi-tenancy
hottest
upon
the
how
to
defined
at
the
end,
the
point
yeah.
Okay,
we
have
your
support,
your
subgroup
and
a
device
group
amplication
group
location
group-
that's
all
the
in
the
high
level
in
the
user
friendly
level
to
define
the
to
define
the
service.
Okay
and
next
page
is
okay.
It's
read
the
previous
right,
the
prevention.
O
It
means
that
we
can
get
some
security
feeds
from
this
object
and
the
to
help
our
network
security
function
to
decide
what
happened
and
what
you
do
and
the
telemetry
data
is
about
the
we
need
to
selector
all
kinds
of
security,
really
the
telemetry
or
log
informations,
and
how
to
organize
them
to
to
report
to
the
user,
to
the
application.
Ok
and
a
next
page,
ok,
I,
think
I
think
in
future.
O
H
E
H
Model
for
the
conservation
interface
between
the
I-20
futures
and
the
secret
controller,
as
shown
in
the
figure.
The
main
objective
of
the
console
phase
interface
is
to
deliver
high-level
security
policy
to
the
security
controller
for
security
enforcement
in
NSF.
So
the
data
model
is
required
for
enabling
different
users
to
vanish
vanish
security
policy
and
to
deliver
the
secret
policy.
H
The
data
model
is
derived
from
the
console
phase
interface
information
model.
In
this
information
model,
the
policy
is
a
container
of
the
rules
and
in
order
to
express
a
loop,
the
rule
subject
must
contain
the
complete
information
such
as
on
where
and
when
the
policy
is
to
be
applied.
So
this
information
model
define
the
set
of
banished,
manage
it
object
and
their
relationships
for
complete
information
about
a
policy.
H
H
The
data
model
for
the
consume
facing
interface
consists
of
five
object:
Bart
Allen,
C
and
groups,
repeater
metadata
and
the
policy
of
the
rest
of
the
data
model,
except
the
policy
policy
object,
have
the
content
of
some
additional
function
or
write
the
feedbag
of
NSF
or
some
reference
data
for
the
policy
object,
wherein
this
updated
version
of
our
main
objective
is
to
only
practice
is
the
a
paradigm.
So
we
could
modify
the
policy
object
to
align
the
semantics
of
data
model
within
in
information
model,
a.
H
Policy
object
is
sorry.
Policy
object,
represent
our
mechanism
to
express
the
security
policy,
so
the
policy
has
a
wrister
blue
and
for
the
EC
a
paradigm,
the
rule
object,
consists
of
event,
condition
and
action.
The
event
is
the
security
event
deciding
the
evaluation
of
condition.
So
the
event
field
contains
the
data
for
the
data
to
make
a
decision.
The
occurrence
of
security
and
the
condition
is
about
how
to
decide
the
action
is.
H
Action
will
be
executed
a
lot,
so
the
condition
field
contains
the
data
for
the
decision
of
action
enforcement
and,
finally,
the
action
is
an
action,
unlike
permit
a
lot
or
drop
executed
when
the
condition
is
match
it.
So,
in
the
same,
in
the
same
context,
we
also
could
apply
the
t-state
model
to
our
use
case
in
the
document.
So
next
step,
we
need
some
discussions
for
the
constancy
between
the
information
model
and
data
model
and
the
generalization
of
the
data
model
for
world
use
cases.
F
This
is
a
comment
or
suggestion.
Thank
you.
First
of
all
for
your
good
presentation.
It
allows
me
to
ask
these
very
to
make
a
simple
suggestion
for
your
combination.
With
the
information
model.
The
telemetry
information
that
you
see
there
may
want
it
to
be
harmonized
with
Erics
existing
telemetry
information,
because
it
contains
some
of
the
same
information
and
since
we
are
harmonizing
ITF,
hang
models
across
the
network,
it
will
be
something
we
will
discuss
in
our
information
model.
F
J
Okay
I'll
go
today:
I
have
a
question
regarding
one
of
the
form
of
slides
I
think
is
the
at
the
beginning.
Okay,
stop
stop
here
the
one
here!
So
yes
on
this
one,
you
you
speak
about
I,
see
the
leg
on
multi-tenancy.
Sorry,
so
I
see
that
the
box,
multi-tenancy
and
I
don't
know.
If
the
group
thought
about
the
meaty
tearing
aspect
and
the
delegation
of
administration
aspects,
because
if
I
read
correctly,
the
Charter
of
that
group.
J
You
are
going
to
create
something
which
is
good
for
SMB
customers
and
so
on,
and
so
you
need
with
it
Anansi,
but
in
effect
it
will
be
managed
by
many
tiers
of
people
will
have
various
steering
and
it's
not
the
same.
Therefore,
why
has
the
question
about
the
accessorize,
ation
and
excess
control
as
well
before?
So
is
this
something
that
we
that
is
covered
by
this
group
or
not.
J
E
I
have
another
question
for
the
for
the
chairs,
because
what
I
see
is
that
we
have
several
data
models.
This
is
okay
with
my
model
in
religion,
but
the
certain
point
in
into
a
data
model
like
the
example
the
previous
example.
There
is
a
definition
of
attributes,
primary
action
and
secondary
action.
This
is
a
just
an
example,
but
primary
action
and
secondary
action
is
not
just
a
data
model
is
change
in
high
level.
Information
is
a
sort
of
sub
classing.
This
is
not
exactly
okay
with
my
modern
religion,
but
the
certain
point.
E
There
are
several
information
model.
This
is
a
seem
fundamental
sin
and
then
we
have
a
certain
point.
These
data
models
are
derived
from
different
information
models
and
the
information
model
draft
kumar
is
derived
and
made
compatible
with
another
information
model.
This
is
a
bit
confusing
from
my
perspective,
so
again
to
the
chairs.
What
is
the
strategy
to
reduce
the
proliferation
of
information
models,
data
models
and
the
strange
inheritance
between
the
models
and
conflicts
so
that
we
don't
have
to
every
time
discuss
about
the
small
details
and
what
it
so
we
already
discussed
this,
but
really?
C
Yes,
just
want
to
comment
on
this.
I
have
observed
that
people
in
this
working
group
have
different
definitions
on
information
models
right.
I
TM
had
a
draft
RFC
on
what
information
model
is,
but
obviously
many
people
disagree.
That's
okay,
we
don't
have
a
debate
here.
So
maybe
we
just
create
a
terminology
set
in
formation
model
in
academic
world
is
different
than
like.
Diego
has
a
really
good
term,
like
semantics
of
the
attributes
to
configure
but,
for
example,
operational
semantics.
So
we
can.
We
can
define
something
like
that.