[Nsi-wg] Authorization in NSI
Henrik Thostrup Jensen
htj at nordu.net
Mon Mar 9 06:11:45 EDT 2015
Hi
On Wed, 4 Feb 2015, John MacAuley wrote:
> Before Christmas I pulled together an NSI security omnibus capturing
> content from Han's AAI document and discussions we had been having on
> the mechanisms needed to convey security information in the NSI
> protocol.
Slide 8:
> A suggestion was made that we need to introduce a way for downstream NSA
> to systematically block misbehaving NSA from sending messages into the
> control plane.
>
> This would change our principle of a control plane of trust, and if we
> make this step, where do we stop?
How about we stop when we have a good security design? This should include
straightforward revocation.
The idea that everyone can make requests to everyone might not be a good
idea. Especially since we don't have a good security model for transit
networks.
> Do we believe this is a discrete item that needs to be addressed in the
> protocol?
Slide 10-12: (add URA to security attributes)
While I think this might be a good idea to add to the security attributes,
it is inadequate to use for a revocation mechanism. It introduces a layer
between TLS/OAuth identity that must be mapped carefully between the X.509
and the nsa id. If this mapping is not 100% correct, it means that
revocation will not work properly.
Revocation for an NSA should not rely on the correctness of other NSAs to
work. This is bad security design.
Request forwarding is extremely tricky to get right from a security
point-of-view.
Best regards, Henrik
Henrik Thostrup Jensen <htj at nordu.net>
Software Developer, NORDUnet