[Nsi-wg] Topology comments

[Jeroen van der Ham]

Hi,

Thank you for you comments, I've taken most of them and have updated the document. A newer version is located at: https://redmine.ogf.org/dmsf_files/12981?download=

On 13 Feb 2013, at 15:54, Jerry Sobieski <jerry at nordu.net> wrote:
> objection:  For _/NSI/_ the local ID need not be globally unique.  For NSI the local id only needs to be unique within the scope of the network to which it belongs.
> 
> The global uniqueness for local id object is an _/NML/_ requirement - not an NSI requirement.   We should not impose this on NSI as it as it fundamentally changes the NSI framwork.
> 
> We can state that the NML expects objects to have globally unique URNs, and that this is compatible with NSI topology.   But that NSI does not impose the globally unique requirement onto the local ID portion.

The NSI imposes a globally unique identifier for the Topology.
Indeed the Port(Group) identifiers are not necessarily unique, but should be locally unique, and the combination of Topology and Port must be globally unique.


> note:  there is no way to verify that either the topology object or the localid object (ports) names are in fact globally unique.  We simply use them.  If we require ("must be") something in NSI, there must also be an agreed upon or specified means of determining if an identifier meets those requiremetns before it is used.   Use without validation can create security holes that are easily exploited.

If we require this, then we should state this as a security concern.
Ensuring or verifying that something is globally unique is not possible.

> comment:  THis section should define what the source/dest identifiers are meant to do with respect to NSI:  They indicate where a connection terminates (or originates), and thus must specifiy the NSI network domain in which the endpoint exists, and provide further resolution to identify the end point within that domain.   Then map those functional requirements to the mechanisms for identifying each of those elemtns of the STP.

No. This document specifies syntax and minimal context, nothing more.

> 
> *2.3  THis seems convoluted.*    Is this necessary?    Why can't we have a simple list of TV pairs?

What do you mean simple list of TV pairs?

> 
> Further, how would one specify a list of Ports - any of which are valid termination points?    Or a list of VLANS that extend across a disjoint set of ports that may be on different switches?

Not possible in the current syntax.

> 
> I am concerend that this syntax is I think too rooted in an ethenret VLAN service expectation.   We need a more comprehensive and generalized means of identifying the set of terminals that can be used for an endpoint (or we will regress back to the exhaistive search problem.)   The TVP pairs can do this if we eleboprate on how they build constraints that identify the candidate endpoints.

No. It is rooted in the basic assumption that a group of ports is distinguished by a single labelset, whatever that labelset is. We have been only been able to define this deterministically with a single labelset (type-value pair).

> *3.1.2 What is difference between "defined" relation and "allowed" relation?*

an "allowed" relation is syntactically valid, but does not currently have any meaning associated to it. This means that a parser should at least accept it, and can then ignore it, but it can't throw an error.

> 3.2.3  WHy do we have peersWith?  While it makes sense for persistent NSAs managing networks or federations, plain old users "peerWith" other NSAs to make requests.    So perhaps we should be clearer about what the peerswith relation really means or ought to mean.

We want to be able to express control plane connections right?
I welcome a better description here.

> 
> *Sect 4. *  Personal subjective thought:  I understand the N3 syntax.  But it seems rather convoluted just the same.   The NSI concepts are very simple - why can't we find an expression of these simple concepts in a simple syntactic structure?   While experts in this field may be able to sort thru this - it will be very difficult for network engineers to construct this who are not knowledgable of NDL or programmers or computer scientists.
> 
> It seems to me there must be an easier more intuitive means of defining the NSI service environment.  I think the Port/PortGroup/STP Group approach as defined is confusing as there is no underlying consistentcy to what a "Group" inherits from the base object.   A group is not a grouping of another object - it seems to be a defined object in itself...which is confusing.

An "intuitive definition" does not have a place in a standard.

A Group is a special kind of object, which groups together other kinds of objects. You do not want to have a Group behaving like any other kind of object, except in very specific cases.
This is why it is constructed like that.

> Grouping is an important concept and I support it - but it needs to be generalized as a functional element.

Grouping *is* a general concept.

> Sect 4 page 8:  The Location element is indeed useful, but I think we need to scope it better - i.e. it makes sense if the object associated with it is an object whose physical/geogrphic dimension is "small", e.g. a switch.  It is less clear how it would apply to an entire Topology if that topology spanned a whole continent.   If it is present for say NORDUnet.ets, what should we infer by that given that ports may be present in two different continents?

The NML standard allows you to relate a Location object to any Network Object, so you can scope it any way you want.


> Sect 5:   If you assert an idenitifier must be globally unique - you must define how that is determined or validated.   Otherwise, you put each NSA at risk of accepting a non-globally unique object name (for instance).   If the NSI protocols require uniqueness, then it should be clearly stated why, and how that can be verified.   Else, using a fake ID can cause protocl malfunction - a serious security problem.

It is not determined or validated, and specifically stated as such in the URN, NML and NSI Topology standards security considerations.

I am not aware of any feasible way of determining or validating globally uniqueness, nor does there seem much incentive in the NSI group to create something like that.

Jeroen.