[Nsi-wg] Submission / Trust Issues in NSI
John Vollbrecht
jrv at internet2.edu
Thu Apr 15 11:34:00 CDT 2010
Hi Joe -
I agree that the way trust is implemented is out of scope. The intent
of this is to start a discussion on what the trust requirements for
NSI is. In particular, this is meant to identify three main issues
which I summarize here in case the PPT doesn't make this overview clear.
1) Trust between either end of the NSI is required. Identification of
NSAs at each end is also necessary. The protocol might support both
as a single operation, or might treat them independently.
2) Attributes of the original requestor of a circuit may need to be
down a chain of NSAs so the bottom NSA can use the attribute to
evaluate its policy to decide whether to grant the request for
resources it controls. Passing these attributes must be done in a way
that allows the bottom NSA to trust the attributes it gets. This
seems doable, but probably requires some special handling of these
attributes as they go from NSA to NSA. I describe a way that I think
will work to show that it seems possible, but this is not meant to
define the way that it will work.
3) Trust between the reservation/ scheduler and the control plane is
needed so that when a provisioning request is made the control plane
is sure the resource is reserved for the owner of this request. This
might be done in a number of ways, and I describe two approaches to
doing this.
In order for the standard to support interoperable implementations it
is necessary for it to define how trust will be supported between
implementations. This does not mean inventing the trust mechanisms
(in fact this is clearly out of scope), but it seems to me it does
mean defining which can or should or must be used.
Does this make sense?
John
On Apr 13, 2010, at 4:56 PM, Joe Mambretti wrote:
> Hello:
>
> All of these are important issues and should be addressed as part of
> using an NSI. However, in my opinion, all of these issues are out of
> scope for the basic definition of the NSI. All IT resources must be
> surrounded by various trust domains. However, there are thousand of
> activities developing these types of techniques. The basic
> architecture should be agnostic about trust techniques used.
>
> Thanks.
>
> At 02:55 PM 4/13/2010, John Vollbrecht wrote:
>> Attached is a ppt that describes 4 trust areas in NSI. It is meant
>> as
>> a way to help discussion. I think some trust discussion should be in
>> the eventual document.
>>
>> John
>>
>>
>>
>>
>>
>>
>>
>>
>> _______________________________________________
>> nsi-wg mailing list
>> nsi-wg at ogf.org
>> http://www.ogf.org/mailman/listinfo/nsi-wg
>
> Joe Mambretti, Director
> tel 312.503.0735
> International Center for Advanced Internet Research fax 312.503.0745
> 750 North Lake Shore Drive, Suite 600 www.icair.org
> Northwestern University, Chicago, Illinois 60611
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://www.ogf.org/pipermail/nsi-wg/attachments/20100415/589c9105/attachment.html
More information about the nsi-wg
mailing list