[Nsi-wg] Query types
Jerry Sobieski
jerry at nordu.net
Fri May 18 11:19:03 EDT 2012
Actually, I think the form John proposed is good. I don't think some
redundant state returned is an issue if it simplifies the protocol, and
it could be very useful for debugging things like state machine problems
or for possible recovery processes when an NSA has been offline.

My only concern is that we preserve the authorization aspects.
Specifically, as I see it, there are/should be only two levels of
information regarding any connection instance: a) "summary
information" that reflects user-specified constraints and which the
user/requester is entitled to know, and b) "detail information" that the
provider defines and the provider is entitled to control or limit.
The PA should have the option to keep detail info private - or to expose
those details selectively to agents it trusts (for example authorized
monitor agents). I think the detail information is a superset of the
summary information. Thus an authorized detail query should be able to
include summary information.

So, Detailed query processing would check authorization as follows at
each NSA: If the request presents authorized high level credentials
and depth is greater than or equal to zero, the local detail info is
released and formatted. If depth is non-zero, the depth is
decremented and a detailed query is sent to the children, and the
children's responses are formatted for release. The request returns
upward. If the credentials fail high level auth, they are checked
against low level authorization; if they pass low level authorization,
then only summary info is released and formatted, no additional
recursion occurs, and the request returns up the tree. If the
credentials fail both high and low authorization, the request is
rejected and no information is released.

A Summary request is different from a Detailed request in that only
summary information is *ever* returned, thus only a low level
authorization check is ever made. There is no recursion for a summary
request.

Thoughts?
J
On 5/18/12 9:29 AM, Henrik Thostrup Jensen wrote:
> On Fri, 18 May 2012, John MacAuley wrote:
>
>> Forgot to answer this question. Yes they could if we are now
>> including the local information. The
>> question is does each NSA put in its full connection map, then let
>> the child NSA do the same thing
>> which will result in duplicate information?
>
> Interesting point. However is this really duplicate information? Each
> state represents what an NSA thinks about the state, making this
> useful for detecting state skew between NSAs.
>
>
> Best regards, Henrik
>
> Henrik Thostrup Jensen <htj at nordu.net>
> Software Developer, NORDUnet
>
>
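A worked illustration of the two-level authorization and depth-limited recursion Jerry describes above, added here as an example; it is not code from this thread or from any NSI implementation. The credential model (a bare identity string, with each NSA keeping its own set of trusted monitor agents for the high level check and a set of requesters for the low level check), the field names in the summary and detail records, and the sample topology are all assumptions constructed for the example, and NSI's actual message formats are not reproduced.

```python
import json
from dataclasses import dataclass, field


@dataclass
class Credentials:
    """Credentials presented with a query. Modelled as a bare identity string
    (an assumption for this example; a real NSA would see a certificate or token)."""
    identity: str


@dataclass
class NSA:
    name: str
    summary: dict   # user-specified constraints: the requester is entitled to these
    detail: dict    # provider-defined internals: the provider controls their release
    trusted_monitors: set = field(default_factory=set)  # high level auth: may see detail
    requesters: set = field(default_factory=set)        # low level auth: may see summary
    children: list = field(default_factory=list)

    def high_auth(self, creds: Credentials) -> bool:
        return creds.identity in self.trusted_monitors

    def low_auth(self, creds: Credentials) -> bool:
        return creds.identity in self.requesters


def query_detailed(nsa: NSA, creds: Credentials, depth: int) -> dict:
    """Detailed query, evaluated independently at every NSA in the tree:
    high level credentials get the local detail (a superset of the summary)
    and, while depth allows, the children's responses; credentials that only
    pass the low level check get the summary and the recursion stops here;
    anything else is rejected and nothing is released."""
    if depth < 0:
        raise ValueError("depth must be >= 0")
    if nsa.high_auth(creds):
        record = {"nsa": nsa.name, "level": "detail", **nsa.summary, **nsa.detail,
                  "children": []}
        if depth > 0:
            # Each child applies its own trust decisions to the same credentials.
            record["children"] = [query_detailed(c, creds, depth - 1)
                                  for c in nsa.children]
        return record
    if nsa.low_auth(creds):
        return {"nsa": nsa.name, "level": "summary", **nsa.summary}
    raise PermissionError(f"{nsa.name}: query rejected, no information released")


def query_summary(nsa: NSA, creds: Credentials) -> dict:
    """Summary query: only the low level check, only summary data, no recursion."""
    if nsa.low_auth(creds):
        return {"nsa": nsa.name, "level": "summary", **nsa.summary}
    raise PermissionError(f"{nsa.name}: query rejected, no information released")


def state_views(record: dict) -> dict:
    """Collect each NSA's own view of the connection state from a detailed
    response, so state skew between NSAs is visible at a glance. Summary-only
    entries carry no state, so an NSA that withheld its detail does not appear."""
    views = {record["nsa"]: record["state"]} if "state" in record else {}
    for child in record.get("children", []):
        views.update(state_views(child))
    return views


def build_sample_tree() -> NSA:
    """Constructed sample topology (not real NSAs or real connection data):
    aggregator nsa-a with children nsa-b and nsa-c; nsa-c delegates to nsa-d.
    "monitor" is trusted for detail by nsa-a, nsa-b and nsa-d, but nsa-c treats
    it as an ordinary requester. "alice" is an ordinary requester everywhere."""
    everyone = {"alice", "monitor"}
    d = NSA("nsa-d", {"bandwidth": 1000, "dest_stp": "d:port1"},
            {"vlan": 1201, "state": "PROVISIONED"},
            trusted_monitors={"monitor"}, requesters=set(everyone))
    c = NSA("nsa-c", {"bandwidth": 1000, "dest_stp": "d:port1"},
            {"vlan": 1105, "state": "PROVISIONING"},
            trusted_monitors=set(), requesters=set(everyone), children=[d])
    b = NSA("nsa-b", {"bandwidth": 1000, "src_stp": "b:port7"},
            {"vlan": 1001, "state": "PROVISIONED"},
            trusted_monitors={"monitor"}, requesters=set(everyone))
    return NSA("nsa-a", {"bandwidth": 1000, "src_stp": "b:port7", "dest_stp": "d:port1"},
               {"state": "PROVISIONED", "path": ["nsa-b", "nsa-c"]},
               trusted_monitors={"monitor"}, requesters=set(everyone), children=[b, c])


if __name__ == "__main__":
    tree = build_sample_tree()
    print(json.dumps(query_detailed(tree, Credentials("monitor"), depth=2), indent=2))
    print(json.dumps(query_detailed(tree, Credentials("alice"), depth=2), indent=2))
```

Running the detailed query as "monitor" with depth 2 shows the two points of the message in one response: nsa-a and nsa-b release their detail, while nsa-c, which does not trust the monitor, answers with summary only and the recursion stops there, so nsa-d is never asked even though it would have released its detail. The state_views walk shows what Henrik's state-skew point looks like in practice; nsa-c's PROVISIONING state is simply absent because nsa-c withheld it. A child that rejects the credentials outright raises PermissionError up through the parent, since the thread does not say how an aggregator should treat a rejection below it.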