With encouragement from customers, Cisco has submitted the TrustSec protocol that we use to exchange role and context information between network devices to the IETF. Chris Young, Senior Vice President of Cisco Security, shared the news during his keynote address at Cisco Live! Milan.
The Source-group tag eXchange Protocol (SXP) has been submitted to the IETF as an informational draft, in order to open up TrustSec capabilities to other vendors. In our experience, defining access controls and segmentation functions using logical policy groups, instead of IP addresses and subnets, removes operational complexity for customers. When we authorize a user device or a server as a member of a policy group, SXP allows us to propagate that information to devices that reuse that intelligent classification and apply security policies based upon it.
We have published SXP to enable interoperability with TrustSec functions in widely deployed Cisco products, so customers can not only simplify security policy management in diverse networking environments, but also use the classification for other purposes beyond security. For that reason, we have used the term source-group, instead of the more familiar security group designation, in the draft.
For more information please refer to http://tools.ietf.org/html/draft-smith-kandula-sxp-00
If you're at Cisco Live! Milan this week, please do come to the Cisco campus, we will be pleased to talk more about TrustSec and show examples of TrustSec in action.