[Nsi-wg] NML Security Requirements

Henrik Thostrup Jensen htj at nordu.net
Mon Nov 11 06:42:18 EST 2013


So, requirements for secure topology distribution.

Personally, I don't quite believe in "requirements", as system design 
inherently contains tradeoffs between functionality, complexity, security, 
and usability (we usually only focus on the first). However, it is a topic 
that deserves some more light.

Some basic stuff:

* An NSA should be able to publish its topology, and other NSAs should be able
   to retrieve it in such a way that it has not been tampered with.

* There should be a mechanism to prevent (well, filter/detect) NSAs from
   publishing topologies where ids overwrite other ids (injection).

Any further requirements depend on what functionality it is we want to have in
topology distribution and how topology and path finding should work (which is,
at least to me, still up in the air).

One thing I think we should start making clear is what it means when an NSI
XML document has multiple (NML) topologies in it:
* Does it mean that it administrates the topology (I believe we agreed on this)
* That it peers with the NSAs of the respective topologies (and can hence setup circuits on it)
* That it is simply relaying information somehow

One solution that has come up to prevent injection / to allow an NSA to
publish topologies for alternate domains (those two things are more or less
the same, but with very different intentions) is to sign the nml:Topology
element. E.g., the NORDUnet NSA could announce both the nordu.net topology and
the deic.dk (the Danish NREN) topology. However, NORDUnet and DeIC are
different administrative organizations, and NORDUnet should not have their
certificate (hence I cannot use SUNET as an example). Certificates should not
be thrown around like that. Of course DeIC could publish their own topology,
but it is difficult to see what is gained by having NORDUnet relay it.

Furthermore, we do not have an everyone-trusts-everyone model in NSI (which is a
good thing), but instead have transitive trust. There is no guarantee that
anyone other than your peers (whatever that means) actually knows your
certificate.

Further questions:

* Can topology information be sensitive? I.e. have limited distribution?

   Since topology is - inherently - meant for distribution, it is difficult to
   restrict the distribution of it. I suggest we try not to deal with this.
   Remember that termination points should not have to be listed, as there
   might be an awful lot of them, and that the core point of topology exchange
   is to facilitate pathfinding.


     Best regards, Henrik

  Henrik Thostrup Jensen <htj at nordu.net>
  Software Developer, NORDUnet
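As an added example (not part of Henrik's message, and not code from any NSI or NML implementation), here is one way to apply the two basic requirements above together with the signed-nml:Topology idea: each Topology element is signed with the key of the domain that owns its id namespace, and a receiving NSA keeps only those topologies whose signer it actually holds a key for, whose id falls inside the signer's own namespace, and whose signature verifies over the element content. The NSA/Topology/Port element layout, the signer and signature attributes, the canonical form that gets signed, the raw Ed25519 keys and the domain names are all assumptions made for this example; NML defines none of them, and a real deployment would use XML-DSig with C14N and the X.509 certificates NSAs already carry.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/base64"
	"encoding/xml"
	"fmt"
	"strings"
)

// Topology stands in for an nml:Topology element. The signer/signature
// attributes are an assumption of this example, not part of NML.
type Topology struct {
	XMLName   xml.Name `xml:"Topology"`
	ID        string   `xml:"id,attr"`
	Signer    string   `xml:"signer,attr,omitempty"`
	Signature string   `xml:"signature,attr,omitempty"`
	Ports     []string `xml:"Port"`
}

// Document is the XML an NSA publishes; it may carry several topologies.
type Document struct {
	XMLName    xml.Name   `xml:"NSA"`
	Topologies []Topology `xml:"Topology"`
}

// TrustStore maps a domain to the key we actually know for it. With
// transitive trust this normally holds direct peers only.
type TrustStore map[string]ed25519.PublicKey

// Verdict says whether a topology was kept and, if not, why.
type Verdict struct {
	ID, Signer, Reason string
	OK                 bool
}

// canonical returns the bytes that are signed: the id plus the element
// content. Deterministic, but deliberately simpler than XML C14N.
func canonical(t Topology) []byte {
	return []byte(t.ID + "\n" + strings.Join(t.Ports, "\n"))
}

// OwnerDomain extracts the administrative domain from an NSI id of the
// form urn:ogf:network:<domain>:<year>:<name>.
func OwnerDomain(id string) (string, error) {
	p := strings.Split(id, ":")
	if len(p) < 5 || p[0] != "urn" || p[1] != "ogf" || p[2] != "network" || p[3] == "" {
		return "", fmt.Errorf("malformed NSI id %q", id)
	}
	return p[3], nil
}

// SignTopology signs the element with the private key of the given domain.
func SignTopology(t *Topology, domain string, priv ed25519.PrivateKey) {
	t.Signer = domain
	t.Signature = base64.StdEncoding.EncodeToString(ed25519.Sign(priv, canonical(*t)))
}

// VerifyDocument filters a received document. A topology is kept only if its
// id is well formed and unique, its signer owns the id namespace (otherwise it
// is an injection or an unauthorised relay), the signer's key is known, and
// the signature verifies over the canonical content.
func VerifyDocument(doc Document, trust TrustStore) []Verdict {
	var out []Verdict
	seen := map[string]bool{}
	for _, t := range doc.Topologies {
		v := Verdict{ID: t.ID, Signer: t.Signer}
		owner, err := OwnerDomain(t.ID)
		sig, decErr := base64.StdEncoding.DecodeString(t.Signature)
		pub, known := trust[t.Signer]
		switch {
		case err != nil:
			v.Reason = err.Error()
		case seen[t.ID]:
			v.Reason = "duplicate id in document"
		case owner != t.Signer:
			v.Reason = "signer " + t.Signer + " does not own id namespace " + owner
		case !known:
			v.Reason = "no known key for " + t.Signer
		case decErr != nil || !ed25519.Verify(pub, canonical(t), sig):
			v.Reason = "bad signature"
		default:
			v.OK, v.Reason = true, "ok"
		}
		seen[t.ID] = true
		out = append(out, v)
	}
	return out
}

func main() {
	// Constructed keys standing in for the NSAs' certificate keys.
	norduPub, norduPriv, _ := ed25519.GenerateKey(rand.Reader)
	_, deicPriv, _ := ed25519.GenerateKey(rand.Reader)
	trust := TrustStore{"nordu.net": norduPub} // we peer with NORDUnet only

	own := Topology{ID: "urn:ogf:network:nordu.net:2013:topology", Ports: []string{"ps"}}
	SignTopology(&own, "nordu.net", norduPriv)
	relayed := Topology{ID: "urn:ogf:network:deic.dk:2013:topology", Ports: []string{"ps"}}
	SignTopology(&relayed, "nordu.net", norduPriv) // deic.dk ids under NORDUnet's key
	deic := Topology{ID: "urn:ogf:network:deic.dk:2013:ring", Ports: []string{"ps"}}
	SignTopology(&deic, "deic.dk", deicPriv) // valid signature, but from a non-peer

	data, _ := xml.MarshalIndent(Document{Topologies: []Topology{own, relayed, deic}}, "", "  ")
	var doc Document
	if err := xml.Unmarshal(data, &doc); err != nil {
		panic(err)
	}
	for _, v := range VerifyDocument(doc, trust) {
		fmt.Printf("%-44s signer=%-10s ok=%-5v %s\n", v.ID, v.Signer, v.OK, v.Reason)
	}
}
```

Running it, only the nordu.net topology survives: the relayed deic.dk element is dropped because its signer does not own the deic.dk namespace (the same check catches an id injection), and the self-signed deic.dk element is dropped because the receiver, under transitive trust, holds no key for deic.dk even though the signature is valid. That second rejection is exactly the gap the message points at: relaying either requires NORDUnet to hold DeIC's key, which it argues against, or a trust path to DeIC that the peer model does not provide.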


