Hi Henrik- Here are my recommendation about the issues to which you refer: Jerry On 1/18/13 3:06 AM, Henrik Thostrup Jensen wrote:
* NML format decision
We need to decide on a format for topology exchange (note that the model for all these are NML, is is just about the specific format).
Options are: XML, OWL, N3 (unless we want to invent something).
OWL and N3 are RDF based, where as the XML is a direct NML representation in XML. See the NML spec for XML and OWL examples. OWL and N3 examples can be seen in the autogole-topology repository at: https://github.com/jeroenh/AutoGOLE-Topologies/tree/nsiv2/goles
All of the formats need to be augmented slightly for describing NSAs, but that is more or less trivial in all of them (and roughly the same procedure).
Personally I like the XML representation is it the one most close to the actual mode, and seems easy to generate and parse.
Do we have some XML examples to compare to the N3 and others? For instance, a XML, N3, and OWL representation of one or two autoGOLE domains... My recommendation is to use the form that is a) most likely to exist in five years, and b) easy for network engineers to understand and maintain.
* Do we allow one NSA (by URL) to act for multiple networks
This isn't clear and does affect some things in the protocol design.
Personally I think this is way more trouble than it is worth, and it is easy to create different URLs for each NSA even if they are hosted within the same daemon.
I agree that breaking the one-to-one relationship of NSA to Network service domain is a non-trivial issue. I suggest that we maintain the one-to-one NSI architectural/protocol model of one NSA to each Network service domain, and vice versa of one Network to each NSA. One to one. For v2. Revisit in V3. However (!) - even with current one-to-one architectural model, one _/implementation/_ can still be written so that it can be exhibit things like redundancy and multi-network management from a single process. But these are implementation issues - not NSI framework or protocol issues. Discussion: For example: In the current topology descriptions, an "NSA object" contains a reference to the csProviderEndpoint for that NSA. The same csProviderEndpoint could be used by many NSA objects in the topology description. All these NSAs share the same web service endpoint as the place to send messages. The NSI protocol layer however still sees only one NSA per network service domain, i.e. a unique NSA ID for each network domain. NSI protocol messages - regardless of purpose or protocol - are sent between *NSA*s, and contain the destination NSA ID in the message header (and the sender NSA ID as well.) At the destination, in the code that implements the [shared] csProviderEndpoint, the message is queued for the MDL. The MDL code looks at the destination NSA ID in the message and processes the message as if it were that NSA. Simple. The NSI protocol still only sees one-to-one relations between NSAs and Networks, but one server process could thus be configured at run time to act as multiple NSAs. The Message Transport Layer (not to be confused with the Message Delivery Layer) takes care of mapping NSA IDs to tcp/ssl sessions (ws endpoints) and processing the message queues. This approach does several things: a) it continues our thrust to separate the NSI framework issues from underlying implementation issues, b) it continue our thrust of separating the NSI protocol issues from underlying message transport issues, and c) it allows us to still indicate in the topology description network policies associated with specific network service domains rather than by NSA. I recommend we retain the one-to-one NSA relation, but we make sure that we recognize the need for flexibility in the implementations to serve as multiple NSAs ( i.e. we don't need separate csProviderEndpoints for every NSA as the ws endpoints are not NSI protocol issues.)
* Do we allow multiple NSAs for a single network
Could potentially be used for redundancy.
In case we allow them, should the NSAs have different identity or the same? This is another message transport layer issue IMO (like above).
Discussion: If we have multiple agents representing a single network.. are they all equivalent and interchangeable? can we send primitives to any of them? For example: if NSAs A, B and C all represent the same network, can we send a Reservation to A, a Provision to B and a Cancel to C for the same connection? And likewise, if we send a Reservation to A can we expect a Confirmation from B or C? How does a Notify() percolate up? And since our CS state machine imposes a sequence to the life cycle, one would need to synchronize all primitive messages among the equivalent NSAs so that they are not processed out of order by the state machine... I am not sure this is actually viable since the NSAs could have dramatic latency or processing deltas. To avaoid this, you need to map each connection to one NSA, which voids the reundancy prospect. If we were to assert that these NSAs provide redundancy to one another, then the NSAs would in fact be interchangeable. If one NSA died, in order for the others to continue to function, they would have had to exchanged state for all active reservations before the one died. So, in fact, they all must maintain a coherent state database. This is possible, but it poses other problems to the state transitions from potential re-ordering of primitives arriving for one connection at different NSAs. And since they are interchangable, they act - to the nSI layer - as one NSA...why not treat them as a single NSA? If we want reliability that is transparent to the NSI layer, we can write software (i.e. implementations) that are redundant. For instance, an NSA implementation could be configured to have two or more csProviderEndpoints...any one of which is useable for establishing the external NSA-to-NSA transport session. The redundant NSA software would still look like a single NSA to the protocol layer with a single unique NSA ID, but would advertise several csProviderEndpoints. The Message Transport Layer could try these endpoints in sequence (or randomly) until a session answers. Since the two conversing NSAs use a single TCP session, there is no reordering issue. And the redundant web services implementation is responsible for intra-domain coherency. This maintains the one-to-one NSA-to-network ratio, while allowing redundancy, load balancing, and multi-network representation to be offered as implementation features. This keeps the NSI layer very simple - one-to-one - which is a very good thing. Further, NSI currently allows for NSAs to be genned up arbitrarily that act as aggregators or gateways to other networks/NSAs. This provides a multi-path control plane capability and is expressible in the topology. So for topological control plane redundancy, we already have means of expressing this within the current NSI architecture. I recommend that the NSI layer maintain a one-to-one architectural model of NSA to network service domain. I recommend that we have an addendum that describes how redundancy or multi-path issues may be adressed at the software or network design and/or implementation. I will also develop a proposal for a "Message Transport Layer". This will describe how a MTL could simplify several of these issues. I will schedule this with the chairs for presentation and discussion in the WG. We should also address the issue that some NSAs to not have *any* network. Such as a user/uRA. If "normal" NSAs take their unique ID from their unique network name, then what does a uRA do to get a unique NSA ID? Does it *really* need a globally unique NSA ID? or would a locally unique NSA ID that is unique to the PA sufficient? I would suggest that the NSA ID only needs to be globally unique if global operations are anticiapted (such as for the NSA of a large network) but that a locally unique NSAID is sufficient in most uRA cases.
* WSDL clean up
Remove superflourous NetworkIdType and saml import ogf_nsi_connection_types_v2_0.xsd
I don't expect any objections here.
* Decide on SOAP 1.1 or SOAP 1.2 for NSI2
This affects requests (slightly), processing and SOAP Faults.
It appears that most are on SOAP 1.1 (at least from the faults I have seen).
* ServiceExceptionType variables
ServiceExceptionType has the following variables decleration:
<xsd:element name="variables" type="tns:VariablesType" />
Could we get minOccurs="0" on this, as not all exceptions are necessarely related to a variable.
* Orientation
In the WSDL we allow STPs to be specified without an orientation.
What is the semantics for an STP without orientation?
ugh. Bidirectional STPs cause so much ambiguity.... I think for Bi-directional STPs in a Reservation request, the orientation must be observed by the PA if the orientation it is specified by the RA. If the RA does not specify an orientation, both orientations should be considered as candidate end points. Thus the PA will compute a path to/from each, and choose the one that works, or if both are valid, then the PA may choose either arbitrarilly. For unidirectional STPs, the orientation, if specified in the service request, must match that found in the topology. (I.e. topology takes precedence.) Else, an error "orientation conflict" should be returned, and the request rejected. My recomendation is that the Source STP, Destination STPs and any ERO STPs should be of like type for v2. Mixed modes will cause more headaches.
* Connection Identifier
We currently have no good way of making an identifier for a connection (it is scoped within the requester identity). This means that there is no way for one entity to pass a connection reference to another. The easiest way to get this it allow NSAs to scope connection ids independently of requester identity, which means that a connection id at an NSA is always the same. This should allow us to create a URN for it at least. Not so. Its easy to pass a CID...its just not clear that it will be meaningful to the target agent.:-)
Which begs the *real* question: Why do you need to pass a ConnectionID to another agent? ...presumably an agent that does not know that ConnectionID already..? What are you trying to do? The easiest thing to do is to let the requester choose their own connection ID. Period. It is only [locally] unique to the requester. The PA gets a request from an RA, and creates its own locally unique Connection ID. The PA binds the PA-CID to the RA's RA-CID in the PA's Connection Table. And when speaking to RAs, uses the RAs' Connection ID. And when doing things internally, it has its own local ID it uses, which it can also use for its children. There is a sense also that Connection IDs should be globally unique so that it is easy to locate segments. But this is bad and doesn't scale: In fact, there is a *BIG* security hole created when we assert any tag must be "globally unique" and do not provide validation. We often say this because the assumption of global uniqueness simplifies things...but in reality, if we are to rely on a tag (e.g. a CID) to be globally unique - _/and it turns out that it is not/_ - it can crash whatever function is relying on that uniqueness (e.g. all NSAs in the service tree.) Thus we cannot expect production provisioning systems to simply trust that a tag's value and context is unique. Thus, if we place uniqueness scoping on any tag, we have to also describe the process whereby the software can verify that uniqueness before that software uses it. In *this* case, locally unique requirements become trivial to verify, whereas global uniqueness requires large scale distributed infrastructure and processes for validation and reliability. Thus avoiding global uniqueness requirements for all but the most critical aspects is best. So, given this situation, globally unique ConnectionIDs are difficult to secure. But locally unique CIDs are easily validated. So we use locally unique ConnectionIDs. We adopted that the RA creates a CID, which as you note has a limited scope, but is presumably unique to the RA. In fact, by concatenating the globally unique NSAID to the locally unique Connection ID, you do in fact create a globally unique identifier. If a third party references a Connection by its <RA NSAID><ConnectionID>, it should be globally unique. It does not guarantee that the NSA will know anything about it, or will tell you about it if it does, but there will be no confusion about which segment we are referencing. (Indeed - even this construct does not mean the connection id is meaningful within the context (NSA) it is being used.) The children of a Connection cannot have the same Connection ID as the parent. This is necessary to distinguish the individual segments (created by the PA) from the overall requested CID (that was created by the RA). Thus a single ID for all segments is not useful in processing those segments... But(!) we do have a "globalID" tag that is optional that can be associated with all children (this has problems too, but it is currently a feature.) In fact, each PA must scope requested Connections with the RA NSAID anyway. Two separate RAs could make a request with the same CID...the PA has to be able to distinguish the two requests...it can only do this by a) either including the RA ID as part of the CID, or to create a local PA CID that is bound to the RA-CID. Some protocols allow each agent to create their own CID - and they communicate both back and forth in the messaging. This allows each agent to construct practical CIDs that have a local or internally useful significance (e.g. maybe an index into their connection table...) Note also: Just declaring a Connection ID to be of the form UUID does not make it unique - uniqueness requires that the requesting agent insures that that id is not used elsewhere. Failure to do so deterministically can cause duplicates to infiltrate the system and will crash it - classic security hole. So, The bigger question you pose though is this: What are you trying to do? I can think of a scenario where the uRA agent that made the reservation request is not the same agent making a subsequent request...say a Query() request. Or a Release() request. If these "third party" requests want to manipulate the entire end-to-end connection, they can only send that request to the first hop PA...and *that* PA will recognize the RA's CID (so no problem.) If the third party request is sent to *any* other NSA, the destination NSA will not recognize it. And even if we had a means to globalize the CID, we do not have a means of communicating service requests *UP* the tree and over to distant cousins. All we can do currently is progress these requests *DOWN* the tree. So any mid-tree requests would only manipulate the descendents of that point - not the entire Connection. THis would be severely problematic - This brings up a requirement for V3 to generalize the message distribution so that such "up and over" primitive distribution is allowed...but thats V3. So if an agent wants to monitor a circuit, or learn about a circuit, it *must* walk the tree. This is the only way to insure the integrity of the entire system in this multi-domain environment. This is not difficult - we can agree to have a super-user authorization that everyone recognizes - but we cannot bypass the walk itself because that would bypass the structured authorization/security process. And you cannot compel each NSA to pass information along that is not a verifiable part of the service request. Thus we still need to walk the tree properly to gain authorized access to the information we seek - including the children Connection IDs that an NSA chose. (I assert that the segmentation/detailed path information or state that an intermediate NSA chooses based upon its internal policies is not inherently information the requester is entitled to see or manipulate. The requester must be authorized to learn this information.)
The real solution is to have a URL, but since we don't use a protocol where URLs are first-grade citizens that would require a major re-design.
Not sure what you mean by this...? you mean a URN?
Best regards, Henrik
Henrik Thostrup Jensen <htj at nordu.net> Software Developer, NORDUnet
_______________________________________________ nsi-wg mailing list nsi-wg@ogf.org https://www.ogf.org/mailman/listinfo/nsi-wg