[Nsi-wg] Security and Exchanges

Henrik Thostrup Jensen htj at nordu.net
Wed Dec 17 05:15:49 EST 2014


Hey

On Wed, 10 Dec 2014, John MacAuley wrote:

>> Specifically, we are treating them as an independent domain, which does 
>> not reflect that the ports on an exchange are leased by the connecting 
>> network, and hence should be under the control of the NSA of that network.
>
> So you are saying that a port in an exchange point is not owned by the 
> exchange point, but the network on the far end of the port?

Well, I reckon the exchange owns the port/switch, but it is leased to the 
network, so it is (or should be) theirs to administrate.

> The argument was that each link (SDP) was owned by a single network, 
> even though it interconnected two networks.

There are a lot of options here:

Links can be owned by a single entity and connect the network internally 
(these are fairly easy).

Links can be owned by a single entity but connect to another network at 
one end (typical for customer connects).

Links can be co-owned (e.g. the ANA links), and have various policies for 
them. E.g. a static allocation for each network, and a best effort queue 
on top of those.

AFAIK cross-connects in data centers are often shared cost-wise, but can 
of course also be paid by a single entity (there are places where we 
would happily pay for a cross-connect if the other network would peer with 
us).

Add link AUPs on top of all that.

> If we believe this is true, and it sounds like you have a good example 
> of where it is, then we need to consider this in our NML modelling which 
> we do not at the moment.

NML more or less left policy as an exercise for the user. The 
domain/node-first approach makes policies very difficult to model in it.

> Did we start this discussion in Uppsala which ended up with us needing 
> people to describe their policies?

I have already described most of ours in my presentation at Uppsala. I 
think one of the issues is that most NRENs don't have very complex 
policies, so it has limited attention.


>> Allowing a third party NSA to create circuits on an exchange to another 
>> network's port violates the simple principle that an NSA should be in 
>> charge of the network's resources.
>
> I think we need to clarify this statement.  The uPA is always permitted 
> to reject any request it receives so is in total control of its own 
> resources.

The point here is that another NSA is controlling its resources.

When you lease a port on an exchange your NSA should control it. That is 
not the situation we have today.

> How does this exchange point decide to connect two ports together if 
> each is owned by a different network?  Is this a phone call to each 
> network operator asking if it is okay to make the connection?

Typically phone or email is involved to ensure that both customers want 
the cross-link set up. But it is a bilateral agreement, with the link being 
set up by a third party.

> There are a number of standard access control solutions for authorizing 
> access to resources, including protocols for acquiring said permissions 
> (tokens, authorization certificates, etc.).  The problem is we need to 
> understand the types of policies that will need to be enforced so we can 
> determine a kind of solution.  I remember the discussion in Uppsala 
> where someone had a policy decision based on a transit network three 
> times removed from the current network.

Yeah, we have those. They are typically related to link AUPs. I can make 
arbitrarily long ones though. The switching node mechanism in NML cannot 
describe these cases.

Blocking upstream networks is not that uncommon in BGP. Juniper even has 
some examples with it, e.g.: 
http://www.juniper.net/documentation/en_US/junos13.3/topics/example/policy-as-path-regular-expressions.html

>> The following presents a scheme that keeps the port under control by their
>> respective NSA, doesn't require any static pre-allocation, and does not require
>> any out-of-band token distribution.
[snip]

> OMG - this is exactly like the Network Element "Gun rack" I designed and 
> applied for a patent on back in the days of the Pacific Bell purchase by 
> SBC.  I love it.  Now that I see it I realized we had the exact same 
> problem in Optical back in the good old Nortel days.

[snip]

> As a cost cutting measure they started sharing single Network Elements 
> with their peering partners instead of back-to-back configurations.

We have started doing something like this in several places for the exact 
same cost-cutting reason. A lot of this also aligns quite well with the 
GNA.

[snip]
> So the assumption here is that NSA X has port A and port B defined with 
> a special policy indicating that the special two step reservation must 
> be performed?

Yes. My idea was that the NSA should announce something other than the UPA 
role, but maybe it needs to be per port (but I am not happy about that 
complexity).

It is also possible to have the networks present direct links in their 
topology and have the entire thing encapsulated. This makes the exchange 
points disappear from the topology :-)

> Also, NSA A talks directly to NSA B in step 2?

Yes (though technically it could be forwarded, but I dislike request 
forwarding, as NSA access revocation becomes a pain = bad security 
design).


     Best regards, Henrik

  Henrik Thostrup Jensen <htj at nordu.net>
  Software Developer, NORDUnet
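The thread above mentions link AUPs that depend on a transit network several hops removed, and compares them to BGP AS-path regular expression filtering. The following is an added illustration, not code from the thread or from any NSI implementation: it applies AS-path-style regex rules to candidate network paths so a requesting NSA could reject paths that violate a link AUP before reserving anything. All network names and rules are constructed for the example.

```python
import re

# Constructed sample: ordered lists of network identifiers a connection
# request would traverse, source first. Names are illustrative only.
CANDIDATE_PATHS = [
    ["nordu.net", "netherlight", "esnet"],                       # allowed
    ["nordu.net", "netherlight", "geant", "esnet"],              # allowed
    ["nordu.net", "netherlight", "surfnet", "geant", "esnet"],   # geant 3 hops out
    ["nordu.net", "transit-x", "geant", "esnet"],                # transit-x anywhere
]

# Link AUP rules in the spirit of BGP AS-path regular expressions: each rule
# is a regex matched against the space-joined path. Constructed examples;
# a real AUP would come from the link owner.
AUP_RULES = {
    # Refuse any path that transits "transit-x", however far upstream.
    "deny-transit-x": re.compile(r"(^| )transit-x( |$)"),
    # Refuse paths where "geant" appears three or more hops away from the
    # requesting (first) network, i.e. at least three tokens precede it.
    "geant-only-near": re.compile(r"^(\S+ ){3,}geant( |$)"),
}


def evaluate_path(path, rules=AUP_RULES):
    """Return (allowed, violated_rule_names) for one candidate path."""
    as_path = " ".join(path)
    violated = [name for name, rx in rules.items() if rx.search(as_path)]
    return (not violated, violated)


def filter_paths(paths, rules=AUP_RULES):
    """Keep only candidate paths that violate no link AUP rule."""
    return [p for p in paths if evaluate_path(p, rules)[0]]


if __name__ == "__main__":
    for p in CANDIDATE_PATHS:
        allowed, why = evaluate_path(p)
        print(" -> ".join(p), "ALLOW" if allowed else "DENY " + ", ".join(why))
```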

