April 2011 - Nsi-wg - lists.ogf.org

Security attributes
by Jerry Sobieski 06 Apr '11

06 Apr '11

I propose the following high level approach for V1: We have defined two levels of AA: "Session layer" between NSAs, and "Request layer" at the primitive/connection context. I pose we define a "security attributes" element that consists of: a) Security Type := Identifies the security mechanism this element provides. b) Secutity Credentials := Contains a string of security information to be interpreted by the mechanism specified in the Type field. When initializing the NSA to NSA session, this element will authenticate each NSA to the other, and then each NSA will decide whether the other [remote] NSA is authorized to communicate with the local NSA. For any service request, the request must be authorized. The Service Definition will specify the set of recognized and allowable AA mechanisms for each network. The user request must specify one allowable mechanism in the service request. Initially, the NSI CS spec will require NSAs to recognize and support two levels of security: a) "simple security" consisting of a string passed to the authorizing agent for lookup in a flat text file, b) "better security" a more sophisticated AA scheme such as X509 or the like (details TBD by someone who understands these issues in greater detail.) I will code this into the XSD for the Service Defs. Any comments or additional necessary detail, please let me know. Jerry

3 3

clearer naming for service definitions
by Guy Roberts 06 Apr '11

06 Apr '11

Jerry, As discussed in today's NSI call a clearer naming scheme would be helpful for service definitions, the following is proposed (with thanks to Inder and Tomohiro): Service Capabilities Definition (SDC) - This is often referred to as the 'service definition', so from Jerry's document: 'The Service Definition (SD) is a machine readable textual document that identifies each attribute of the service and the range of values that attribute will allow'. ... and I think defines a default value? Service Request Description (SRC) - this is a request for a specific instance of a service. It is created by the Requester Agent when it assigns desired values to each of the attributes described in the SDC. The SRC is sent from the RA to the PA in a Connection Request. Service Instance Description (SID) - this is a description of an actual service instance, the attribute values reflect the values chosen and confirmed by the Provider Agent. Would these terms help clarify your service definition document? Guy _____________________________________________________________________ ** Guy Roberts, PhD Network Engineering & Planning * * Tel: +44 (0)1223 371300 * * City House Direct: +44 (0)1223 371316 * 126-130 Hills Road Fax: +44 (0)1223 371371 * Cambridge * CB2 1PQ E-mail: guy.roberts(a)dante.net<mailto:guy.roberts@dante.org.uk> D A N T E United Kingdom WWW: http://www.dante.net _____________________________________________________________________

4 4

tomorrow's NSI conf call
by Guy Roberts 06 Apr '11

06 Apr '11

Hi all, The following is dial-in information for tomorrow's NSI call: 7:00 PDT 10:00 EDT, 15:00 GMT, 16:00 CET, 23:00 JST 1. Dial Toll-Free Number: 866-740-1260 (U.S. & Canada) 2. International participants dial: Toll Number: 303-248-0285 Or International Toll-Free Number: http://www.readytalk.com/intl 3. Enter 7-digit access code 8937606, followed by "#" Guy _____________________________________________________________________ ** Guy Roberts, PhD Network Engineering & Planning * * Tel: +44 (0)1223 371300 * * City House Direct: +44 (0)1223 371316 * 126-130 Hills Road Fax: +44 (0)1223 371371 * Cambridge * CB2 1PQ E-mail: guy.roberts(a)dante.net<mailto:guy.roberts@dante.org.uk> D A N T E United Kingdom WWW: http://www.dante.net _____________________________________________________________________

1 0