[Nsi-wg] NML Security Requirements

Jerry Sobieski jerry at nordu.net
Thu Nov 14 13:31:14 EST 2013 

Hi Henrik (and all) -

I too doubt that we can really differentiate topology announcements by 
their "sensitivity".   I don't think we can control redistribution once 
a topology is announced publicly.  If we announce more than one topology 
(on the basis of supposed sensitivity) we have to consider what will 
happen when a downstream agent leaks the information and other agents 
encounter two or more topologies claiming to describe the same Service 
Domain (or put another way - if *we* see two different topologies 
pertaining to the same NSI service domain - what should our NSA do?)

First, it is critically important that any topology that is announced 
(or encountered) be trustworthy- that we know firstly that it was indeed 
announced by the NSI Network it represents and has not been tampered 
with.   Which requires authentication, which implies a trusted service 
or chain of authority.   We do not currently have a topology service 
authority.    I think this is probably fairly easy to solve, but it 
requires agreement and acceptance and someone to run the 
authority(s).    However it is done, it needs to be addressed and 
clearly defined so that we know our topology information came from a 
legitimate source.

IMO, when you advertise a topology, it is no longer in your control.  It 
becomes impossible to prevent someone from redistributing it or sharing 
it downstream.   Thus differentiated announcements for a single service 
domain would be pointless.

However, there may still be multiple topologies in circulation at any 
time due to legitimate updates of the one topology and convergence 
delays.  So, even though only one topology is /current/, there may be 
multiple copies out there in circulation.

*IF* you feel there are features that need to be differentiated publicly 
for some reason, then define different services.   And then annouce two 
different service domains.   Since the NSI topology model represents 
logical [service] domains - not physical infrastructure, many NSI 
service domains can be easily defined and advertised to express 
different topological capabilities.  The internal NRM can sort the local 
engineering issues out under the covers.

So, I recommend the following rules as discussion points for topology 
announcement/redistribution:
1. All topology announcements must be able to be authenticated.
2. Each Topology announcement is timestamped as to when it is in effect.
2a.   A topology should include a Time-to-Live and/or an Expiration Date (?)
3. Only complete topologies are announced.  I.e. A topology announcement 
comprises the entire and complete topology that is officially publicly 
available for a given NSI Service Domain.  ( No partial announcements or 
"updates" are defined at this stage.)
4. All topologies should be authenticated before they are used. The 
authenticating server should indicate whether the announcement is 
authentic and if it is current. (i.e. should a stale topology be 
authenticated?)
4.5 If two announcements for the same NSI Service Domain are 
encountered, only the latest announcement is considered "current" and is 
the only topology that should be used.
5. A NSI Service Domain should announce only one _/current /_topology. 
And an NSI Service Domain should always announce a new topology if/when 
the announced topology has changed.
6. The minimum required topology that a NSI Service Domain *must* 
announce is:
     a. the NSI Network Service Domain Identifier  (i.e. the <networkId>)
     b. the NSA that speaks for the domain
     c.. the SDPs this domain shares with neighbor domains in the data 
plane.
     d. a pointer to the Service Definition document that describes the 
Service Type of the domain.
     All other topology information is optional.
7. A topology server may announce *any* topology.   It is up to the 
receiving agent to authenticate the announcements associated with 
different service domains before using them.
8. An "Announcement" is posted publicly and may be a) pulled down by 
clients, or b) pushed to clients who have registered for updates.

THoughts?
Jerry




On 11/11/13 6:42 AM, Henrik Thostrup Jensen wrote:
> So, requirements for secure topology distribution.
>
> Personally, I don't quite believe in "requirements", as system design 
> inherently contains tradeoffs between functionality, complexity, 
> security, and usability (we usually only focus on the first). However 
> it is topic that deservices some more light.
>
> Some basic stuff:
>
> * An NSA should be able to publish its topology, and others NSAs 
> should be able
>   to retrieve it in such a way that it has not been tampered with.
>
> * There should be a mechanism to prevent (well filter/detect) NSAs from
>   publishing topologies, where ids overwrite other ids (injection).
>
> Any further requirements depend on what functionality it is we want 
> have in
> topology distribution and how topology and path finding should work 
> (which is,
> at least to me - still up in the air).
>
> One thing, I think we should start making clear is what it means when 
> an NSI
> XML document has multiple (NML) topologies in it?
> * Does it mean that it administrates the topology (I believe we agreed 
> on this)
> * That it peers with the NSAs of the respective topologies (and can 
> hence setup circuits on it)
> * That it is simply relaying information somehow
>
> One solution that have come up to prevent injection / to allow an NSA to
> publish topologies for altnernate domains (those two things are more 
> or less
> the same, but with very different intentions) is to sign the nml:Topology
> element. E.g., the NORDUnet NSA could announce both the nordu.net 
> topology and
> the deic.dk (the danish NREN) topology. However, NORDUnet and DeIC are
> different adminstrative organizations, and NORDUnet should not have their
> certificate (hence I cannot use SUNET as an example). Certificates 
> should not
> be thrown around like that. Of course DeIC could publish their own 
> topology,
> but it is difficult to see what is gained by having NORDUnet relay it.
>
> Furthermore we do not have an everyone-trusts-everyone model in NSI 
> (which is a
> good thing), but instead have transitive trust. There is no guarantie 
> that
> anyone else than your peers (whatever that means), actually knows your
> certificate.
>
> Further questions:
>
> * Can topology information be sensitive? I.e. have limited distribution?
>
>   Since topology is - inherently - meant for distribution, it is 
> difficult to
>   restrict the distribution of it. I suggest we try not to deal with 
> this.
>   Remember, that termination points should not have to be listed, as 
> there
>   might be an awful lot of them, and that the core point of topology 
> exchange
>   is to facilitate pathfinding.
>
>
>     Best regards, Henrik
>
>  Henrik Thostrup Jensen <htj at nordu.net>
>  Software Developer, NORDUnet
>
> _______________________________________________
> nsi-wg mailing list
> nsi-wg at ogf.org
> https://www.ogf.org/mailman/listinfo/nsi-wg

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://www.ogf.org/pipermail/nsi-wg/attachments/20131114/f3c0e44b/attachment.html>

More information about the nsi-wg mailing list