[Nsi-wg] Authorization in NSI
John MacAuley
macauley at es.net
Mon Mar 9 11:35:49 EDT 2015
I am not sure of the procedure for something like this, but if you want to propose the removal of the architectural principle of transitive trust in the control plane, I think you may need a formal contribution.
Guy, Tomohiro, Chin? What is the process for requesting a change to one of the NSI fundamental principles?
John
On 2015-03-09, at 6:11 AM, Henrik Thostrup Jensen <htj at nordu.net> wrote:
> Hi
>
> On Wed, 4 Feb 2015, John MacAuley wrote:
>
>> Before Christmas I pulled together an NSI security omnibus capturing content from Han's AAI document and discussions we had been having on the mechanisms needed to convey security information in the NSI protocol.
>
> Slide 8:
>
>> A suggestion was made that we need to introduce a way for downstream NSA to systematically block misbehaving NSA from sending messages into the control plane.
>>
>> This would change our principle of a control plane of trust, and if we make this step, where do we stop?
>
> How about we stop when we have a good security design? This should include straightforward revocation.
>
> The idea that everyone can make requests to everyone might not be a good idea. Especially since we don't have a good security model for transit networks.
>
>> Do we believe this is a discrete item that needs to be addressed in the protocol?
>
> Slide 10-12: (add URA to security attributes)
>
> While I think this might be a good idea to add to the security attributes, it is inadequate to use for a revocation mechanism. It introduces a layer between TLS/OAuth identity that must be mapped carefully between the X.509 and the nsa id. If this mapping is not 100% correct, it means that revocation will not work properly.
>
> Revocation for an NSA should not rely on the correctness of other NSAs to work. This is bad security design.
>
> Request forwarding is extremely tricky to get right from a security point-of-view.
>
>
> Best regards, Henrik
>
> Henrik Thostrup Jensen <htj at nordu.net>
> Software Developer, NORDUnet
>
> _______________________________________________
> nsi-wg mailing list
> nsi-wg at ogf.org
> https://www.ogf.org/mailman/listinfo/nsi-wg
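Added example, not part of the nsi-wg thread or of any NSI implementation: the distinction Henrik draws between revoking on an NSA id carried inside the message (which depends on an X.509-to-nsa-id mapping being exact) and revoking on the identity the TLS layer actually authenticated. All subject names, NSA ids and the mapping table are constructed; the shape of the request and the check functions are assumptions made for the illustration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class InboundRequest:
    """What the receiving NSA knows about one control-plane message."""
    tls_subject: str    # subject DN of the client certificate, verified by the TLS layer
    header_nsa_id: str  # requester NSA id asserted inside the message (assumed field)


# Constructed sample data; none of it comes from a real NSI deployment.
# Revocation list keyed on NSA ids: the layer that needs a subject-to-id mapping.
REVOKED_NSA_IDS = {"urn:ogf:network:example.net:2015:nsa:blocked"}
# Revocation list keyed directly on the TLS-verified certificate identity.
REVOKED_SUBJECTS = {"CN=nsa.blocked.example.net"}
# Operator-maintained mapping from certificate subject to NSA id.
SUBJECT_TO_NSA_ID = {
    "CN=nsa.good.example.org": "urn:ogf:network:good.example.org:2015:nsa",
    "CN=nsa.blocked.example.net": "urn:ogf:network:example.net:2015:nsa:blocked",
}


def check_by_header(req):
    """Revocation decided on the NSA id asserted in the message.

    Correct only while every peer fills the header honestly and the operator
    revoked exactly the id the peer uses; nothing here is tied to the TLS identity,
    so a mapping gap lets a revoked peer through."""
    return req.header_nsa_id not in REVOKED_NSA_IDS


def check_by_tls_identity(req):
    """Revocation decided on the identity TLS actually authenticated.

    Does not depend on the message content or on any other NSA's correctness."""
    return req.tls_subject not in REVOKED_SUBJECTS


def check_consistent(req):
    """TLS-keyed revocation plus a consistency check on the asserted id.

    Returns (allowed, reason). A header id that disagrees with the mapping for
    the authenticated subject is rejected and reported instead of being trusted,
    which makes mapping errors visible in logs rather than silently fatal."""
    if req.tls_subject in REVOKED_SUBJECTS:
        return False, "certificate subject is revoked"
    expected = SUBJECT_TO_NSA_ID.get(req.tls_subject)
    if expected is None:
        return False, "unknown certificate subject"
    if expected != req.header_nsa_id:
        return False, f"header nsa id {req.header_nsa_id!r} does not match subject mapping"
    return True, "ok"


def evaluate(req):
    """Run all three policies on one request so the outcomes can be compared."""
    return {
        "header": check_by_header(req),
        "tls": check_by_tls_identity(req),
        "consistent": check_consistent(req),
    }


if __name__ == "__main__":
    # Constructed case: the revoked peer authenticates with its own certificate,
    # but the message carries an id that was never put on the id-keyed list.
    gap = InboundRequest("CN=nsa.blocked.example.net",
                         "urn:ogf:network:example.net:2015:nsa:other-id")
    good = InboundRequest("CN=nsa.good.example.org",
                          "urn:ogf:network:good.example.org:2015:nsa")
    for name, req in (("mapping gap", gap), ("healthy peer", good)):
        print(name, evaluate(req))
```

For the "mapping gap" request only the header-keyed policy admits the message; the TLS-keyed policy blocks it without consulting any mapping, and the combined policy blocks it and names the reason. The combined check also refuses a message from a known subject whose asserted id does not match the operator's mapping, which is the condition an operator would want surfaced rather than guessed around.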