[Nsi-wg] Query types

Jerry Sobieski jerry at nordu.net
Fri May 18 11:19:03 EDT 2012


Actually, I think the form John proposed is good.  I don't think some 
redundant state returned is an issue if it simplifies the protocol, and 
it could be very useful for debugging things like state machine problems 
or for possible recovery processes when an NSA has been offline.

My only concern is that we preserve the authorization aspects.   
Specifically, as I see it, there are/should be only two levels of 
information regarding any connection instance:    a) "summary 
information" that reflects user specified constraints and which the 
user/requester is entitled to know, and b) "detail information" that the 
provider defines and the provider is entitled to control or limit.

The PA should have the option to keep detail info private - or to expose 
those details selectively to agents it trusts (for example authorized 
monitor agents)    I think the detail information is a super set of the 
summary information.   Thus an authorized detail query should be able to 
include summary information.

So, a Detailed query processing would check authorization as follows at 
each NSA:   If the request presents authorized high level credentials 
and depth is greater or equal to zero, the local detail info is 
released and formatted.   If depth is non-zero, the depth is 
decremented and a detailed query is sent to the children and the 
children's responses are formatted for release.   The request returns 
upward.     If the credentials fail high level auth, they are checked 
against low level authorization,  if they pass low level authorization 
then only summary info is released and formatted, no additional 
recursion occurs, and the request returns up the tree.    If the 
credentials fail both high and low authorization, the request is 
rejected and no information is released.

A Summary request is different than a Detailed request in that only 
summary information is *ever* returned, thus only a low level 
authorization check is ever made.  There is no recursion for a summary 
request.

Thoughts?
J

On 5/18/12 9:29 AM, Henrik Thostrup Jensen wrote:
> On Fri, 18 May 2012, John MacAuley wrote:
>
>> Forgot to answer this question.  Yes they could if we are now 
>> including the local information.  The
>> question is does each NSA put in its full connection map, then let 
>> the child NSA do the same thing
>> which will result in duplicate information?
>
> Interesting point. However is this really duplicate information? Each 
> state represents what an NSA thinks about the state, making this 
> useful for detecting state skew between NSAs.
>
>
>     Best regards, Henrik
>
>  Henrik Thostrup Jensen <htj at nordu.net>
>  Software Developer, NORDUnet
>
>
> _______________________________________________
> nsi-wg mailing list
> nsi-wg at ogf.org
> https://www.ogf.org/mailman/listinfo/nsi-wg
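The per-NSA authorization walk Jerry lays out above (high-level credentials get local detail plus a depth-limited recursion into children; low-level credentials get summary only with no recursion; anything else is rejected; a Summary request only ever does the low-level check), as an added example in Python that is not part of the original message and not code from any NSI implementation. The three-NSA tree, the credential names, the connection fields and the "detail"/"summary"/"rejected" status values are all constructed for illustration, and treating a negative depth as a malformed request is an assumption of the example, not something the message specifies.

```python
from dataclasses import dataclass, field

# Added example: toy model of the per-NSA authorization walk described in the
# message above. NSA names, credentials and connection fields are constructed.


@dataclass
class NSA:
    name: str
    summary: dict            # user-specified constraints the requester may see
    provider_detail: dict    # provider-defined state, released only to trusted agents
    high_auth: frozenset     # credentials this provider trusts with detail info
    low_auth: frozenset      # credentials entitled to summary info
    children: list = field(default_factory=list)

    def detail_info(self) -> dict:
        # detail is a superset of summary, so a detail release carries both
        return {**self.summary, **self.provider_detail}


def summary_query(nsa: NSA, credential: str) -> dict:
    """Summary request: low-level check only, summary info only, no recursion."""
    if credential not in nsa.low_auth:
        return {"nsa": nsa.name, "status": "rejected"}
    return {"nsa": nsa.name, "status": "summary", "info": dict(nsa.summary)}


def detailed_query(nsa: NSA, credential: str, depth: int) -> dict:
    """Detailed request: high-level check first, low-level fallback second.

    depth is how many levels below this NSA may still be queried. Rejecting a
    negative depth as malformed is an assumption of this example.
    """
    if depth < 0:
        raise ValueError("depth must be >= 0")
    if credential in nsa.high_auth:
        # local detail released; recurse into children only while depth remains
        result = {"nsa": nsa.name, "status": "detail",
                  "info": nsa.detail_info(), "children": []}
        if depth > 0:
            for child in nsa.children:
                result["children"].append(detailed_query(child, credential, depth - 1))
        return result
    if credential in nsa.low_auth:
        # low-level auth: summary only, and no recursion into children
        return {"nsa": nsa.name, "status": "summary",
                "info": dict(nsa.summary), "children": []}
    # neither level authorized: nothing released
    return {"nsa": nsa.name, "status": "rejected", "children": []}


def released_keys(result: dict) -> set:
    """Every (nsa, field) pair a response exposes, for checking leakage."""
    keys = {(result["nsa"], k) for k in result.get("info", {})}
    for child in result.get("children", []):
        keys |= released_keys(child)
    return keys


def build_sample_tree() -> NSA:
    """Constructed tree: aggregator A with children B and C.

    'monitor' is trusted with detail at A and C but not at B; 'user-alice'
    holds only summary entitlement everywhere; 'stranger' holds nothing.
    """
    low = frozenset({"user-alice", "monitor"})
    b = NSA("B", {"connection_id": "conn-1", "bandwidth": 100, "state": "RESERVED"},
            {"internal_path": "b-port1->b-port2"}, frozenset(), low)
    c = NSA("C", {"connection_id": "conn-1", "bandwidth": 100, "state": "RESERVED"},
            {"internal_path": "c-port3->c-port4"}, frozenset({"monitor"}), low)
    return NSA("A", {"connection_id": "conn-1", "bandwidth": 100, "state": "RESERVED"},
               {"child_connection_ids": ["B:conn-1", "C:conn-1"]},
               frozenset({"monitor"}), low, [b, c])


if __name__ == "__main__":
    root = build_sample_tree()
    print(detailed_query(root, "monitor", 1))
    print(detailed_query(root, "user-alice", 1))
```

The point the `released_keys` helper lets you check is the one Jerry cares about: because every NSA re-runs the authorization decision with its own trust sets, a monitor the aggregator trusts still gets only B's summary when B does not trust it, and a summary-only requester never triggers a query below the NSA it asked, whatever depth it put in the request.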