[Nsi-wg] Question about NSA identifier

Jerry Sobieski jerry at nordu.net
Sun Mar 10 11:31:10 EDT 2013 

Hi John-

On 3/6/13 10:28 PM, John MacAuley wrote:
> Peoples,
>
> I was running through the bootstrap procedure with Chin when the 
> question of multiple NSA identifiers per software instance came up. 
>  Can someone please explain to me again why we need a one-to-one 
> mapping between NSA (NSA identifier) and Network (Network Identifier)? 
>  It seems to be a very arbitrary restriction.
> I have looked through the existing WSDL definitions and there are no 
> restrictions within it for this imposed rule.  In addition, the 
> topology schema could easily have multiple "managing" elements within 
> the NSA object to allow it to reference multiple Network Identifiers, 
> thereby creating a one-to-many relationship.
The WSDL does not define the framework or the protocol(s) - it simply 
defines the primitive interfaces.  It does not express their functional 
meaning or semantics.   You need to study the framework and/or protocols 
to make sure the protocol and framework continue to work properly in the 
face of the change you propose.
>
> We have a very real network requirement to support multiple network 
> services off of a single NSA software instance.  For example, off of 
> one NSA (urn:ogf:network:surfnet.nl <http://surfnet.nl>:2012:nsa) we 
> can support the ETS service (urn:ogf:network:surfnet.nl 
> <http://surfnet.nl>:2012:ets) and an EPL service 
> (urn:ogf:network:surfnet.nl:2012:epl).  At the moment, given the 
> current restriction, I would have to have two separate NSA.
>
Can you describe the "very real network requirements" that cannot use 
separate NSA IDs for each service instance?

You should state the specific issue that is problematic, explain why it 
causes problems with the exsiting framework and/or protocol as currently 
defined, or why it prevents or enables important future capability(s).  
Then explain why/how your solution resolves the issue.

Sudden changes to core framework principles are really REALLY dangerous 
and make real implementors (besides yourself:-) crazy. We need to 
observe the process of making a proposal, circulating it and presenting 
and discussing it, giving people time to consider it and the 
implications it carries with it.

> Does anyone have a reason why we can't remove this restriction?
I actually think it is viable...with some explicit caveats:

We initially asserted the one-to-one NSA-to-Service Domain relation so 
that we could identify to which agent we should send a request intended 
for a particular data plane domain.   Implicitly, this also identified 
the set of policies the RA would encounter to authenticate and authorize 
the request.    And similarly, each PA NSA would implement a set of 
policy corresponding to the one domain it covered.   Simple and easily 
understood by mortals.   And frankly quite easy to implement.

If we allow a single NSA to speak for multiple domains, _/we need a 
means to differentiate the policies associated with each domain covered 
by that single NSA./_  This is at least one aspect that breaks if we 
allow it.    This could be solved by the "Service identifier" (the 
service definition type) we adopted in Chicago as part of the 
Reservation Request.

This Service Identifier could be defined to identify local service 
specific administrative policies that the NSA is to consult for each 
service under its control - as well as the service specific parameters 
that are allowed by convention for that type of service.   e.g.   A 
request to the NetherLight NSA might allow one of two possible Service 
Identifiers: the "NetherLight.ets" service, or the "NetherLight.EPL" 
service.  Both service domains would be seen in the topology database 
and would point to the same NSA object.   Both service identifiers would 
map to the same service type (say, a "p2pcs" service definition) but 
each has a separate policy associated with it as to whom can use it, or 
how it chooses paths, who it will peer with on the control plane, etc.   
Indeed, your example is exactly why I wanted to see the service 
identifier in the reservation request (I expected we would have multiple 
services coverd by one NSA.)   This may be quite simple if the covered 
domains are all willing to assume the same policy constraints (begs the 
question of why have separate domains...but whatever.)

---> So I think the protocol can function appropriately with one NSA 
covering multiple domains *IF* we clearly define the Service Identifier 
to identify and differentiate policy by service domain. I.e. the Service 
Identifier specifies which service the request pertains to.

Another concern is the resulting service tree... Allowing a single NSA 
to serve multiple domains does not imply that these domains are disjoint 
or of different types or that they comprise a single uber-domain.    A 
single NSA may cover a set of NSI service domains [data planes] that may 
or may not be interconnected at the data plane.   We need to make sure 
that a request received by the "megaNSA" and which is segmented across 
any of those covered domains, that the megaNSA strictly adheres to NSI 
protocol and constructs a service tree reflecting each individual NSI 
domain segment.    I.e. if the megaNSA gets a request that it segments 
to transit multiple of its own covered domains - this request must be 
treated as if each domain had its own separate NSA. _/The result is an 
/__/inter-domain multi-segment NSI service tree,/__/and not a single 
intra-domain segment./_   The resulting service tree will point to the 
same NSA at different nodes, but the associated children requests will 
have differing service constraints and are subject to different policies 
for each child segment.    As each domain is thus able to maintain 
separate policy, these children segments and any subsequent operations 
upon them must be individually authorized according to the NSI rules for 
inter-domain primitives and policies at each domain boundary- regardless 
that a single NSA is performing these function(s).   To do otherwise 
abrogates inter-domain security architecture and will pose a deployment 
issue and will confuse many aspects of service tree processing.     
(Note - if the various domains agree to a single covering policy, this 
is ok, but the megaNSA breaks protocol if NSI transit domains are not 
authorized appropriately and reflected in the construction of the 
service tree.)

---> If a "mega NSA" _/rigorously /_follows NSI protocol for 
inter-domain path segmentation/tree construction/primitive 
authorization, even and especially when the path transits one or more 
covered domains, then, IMO, I think it is fine for an NSA to cover 
multiple domains.   THis is essentially saying as long as the advertised 
NSI domains continue to be treated as separate NSI domains, one NSA may 
be allowed to act as the protocol entity for service requests.

What is the implication of a NSA which covers multiple domains treating 
transit requests across those domains as a single intra-domain 
segment?   First, one would ask if this is treated as intra-domain, then 
why differentiate the domains in the first place?   If the domains are 
disjoint without any data plane peering between the covered domains, 
then all transit segments will necessarilly be single domain segments 
and the tree will build in conformance with existing NSI practice.   If 
a single segment is created that crosses multiple interconnected covered 
NSI domains, then the megaNSA is in fact an aggregator - and so strictly 
speaking, each covered domain should have its own PA-Only NSA...at least 
logically ... but how do we indicate this if both the aggregator and the 
leaf node NSA are the same NSA object in the topology?    This implies 
then that a megaNSA can not be an aggregator, that it must be PA Only 
for each/every domain it covers.   (THis is a softer issue - the 
delineation of Agg from PA-Only may not be really necessary...)   THis 
is an issue that needs some group discussion and resolution - but I 
don't think is structural or would prevent a megaNSA.

--->  So we should discuss the implications further of how a megaNSA is 
expected to function within the NSI framework.  This is not simply a 
WSDL issue but deals with the protocol and framework semantics.   It 
seems that if we [for v2] allow megaNSA's, but require that multi-domain 
transit segmentations are reflected in the service tree in the existing 
manner, then we can go with it.   We need to discuss federations and 
such for v3 and this issue will again come up in that discussion - so in 
v3 we may be able to ease some aspects further.



I want to make sure we clearly understand that a single NSI 
implementation (e.g. DRAC, or OpenNSA or OSCARs etc) may be coded so 
that a single implementation instance - say the Nordunet OpenNSA 
instance or the StarLight OpenNSA instance - could be acting as multiple 
NSAs.  If an implementation can do this is solely an implementation 
issue.   The NSI spec does not prevent this.   For example, if OpenNSA 
was coded to support it, the Nordunet OpenNSA instance could be 
configured to act as the NorthernLight NSA *and* the SUnet NSA, and 
possibly many other NSAs as well.    Each "NSA" would have its own 
object in the global Topology database and its own separate NSA 
identifier...but would end up mapping to a single OpenNSA instance 
running on a server in Copenhagen.   (This would be indicated by the 
csProviderEndpoint(s) found in the topology database.)  This one OpenNSA 
instance would recognize protocol messages intended for any of the 
configured NSAs and process them as if they were separate NSI protocol 
entities.   How this is accomplished internally is an implementation 
issue.  But the global NSI framework still sees two separate [logical] 
NSAs.

Likewise, an NSA covering multiple domains would be very similar. Only 
difference would be that an NSI software implementation and each NSA 
instance running one of those implementations must be configurable to 
recognize their respective domains and NSA ids, and treat the NSI 
protocol requests in the same fashion as would separate NSAs covering 
each domain.   In this way we maintain the semantics and overall 
scalability of the framework and protocols, while at the same time 
allowing additional flexibility in some aspects of the implementations 
and deployments and service domain crafting.

Thanks all!   See you all soon in Charlottesville!
Jerry

>
> Thank you,
> John
>
>
> _______________________________________________
> nsi-wg mailing list
> nsi-wg at ogf.org
> https://www.ogf.org/mailman/listinfo/nsi-wg

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://www.ogf.org/pipermail/nsi-wg/attachments/20130310/271dd128/attachment-0001.html>

More information about the nsi-wg mailing list