[Nsi-wg] Authorization in NSI

John MacAuley macauley at es.net
Mon Mar 9 11:35:49 EDT 2015 

I am not sure of the procedure for something like this, but if you want to propose the removal of the architectural principle of transitive trust in the control plane, I think you may need a formal contribution.

Guy, Tomohiro, Chin?  What is the process for requesting a change to one of the NSI fundamental principles?

John

On 2015-03-09, at 6:11 AM, Henrik Thostrup Jensen <htj at nordu.net> wrote:

> Hi
> 
> On Wed, 4 Feb 2015, John MacAuley wrote:
> 
>> Before Christmas I pulled together an NSI security omnibus capturing content from Han's AAI document and discussions we had been having on the mechanisms needed to convey security information in the NSI protocol.
> 
> Slide 8:
> 
>> A suggestion was made that we need to introduce a way for downstream NSA to systematically block misbehaving NSA from sending messages into the control plane.
>> 
>> This would change our principle of a control plane of trust, and if we make this step, where do we stop?
> 
> How about we stop when we have a good security design? This should include straighforward revocation.
> 
> The idea that everyone can make requests to everyone, migth not be a good idea. Especially since we don't have a good security model for transit networks.
> 
>> Do we believe this is a discrete item that needs to be addressed in the protocol?
> 
> Slide 10-12: (add URA to security attributes)
> 
> While I think this might be good idea to add to the security attributes, it is inadequate to use for a revocation mechanism. It introduces a layer between TLS/OAuth identity that must be mapped carefully between the X.509 and the nsa id. If this mapping it not 100% correct, it means that revocation will not work properly.
> 
> Revocation for an NSA should not rely on the correctness of other NSAs to work. This is bad security design.
> 
> Request forwarding is extremely tricky to get right from a security point-of-view.
> 
> 
>    Best regards, Henrik
> 
> Henrik Thostrup Jensen <htj at nordu.net>
> Software Developer, NORDUnet
> 
> _______________________________________________
> nsi-wg mailing list
> nsi-wg at ogf.org
> https://www.ogf.org/mailman/listinfo/nsi-wg

-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 1626 bytes
Desc: not available
URL: <http://www.ogf.org/pipermail/nsi-wg/attachments/20150309/0013279c/attachment-0001.bin>

More information about the nsi-wg mailing list