So, requirements for secure topology distribution.

Personally, I don't quite believe in "requirements", as system design inherently contains tradeoffs between functionality, complexity, security, and usability (we usually only focus on the first). However, it is a topic that deserves some more light.

Some basic stuff:

* An NSA should be able to publish its topology, and other NSAs should be able to retrieve it in such a way that it has not been tampered with.
* There should be a mechanism to prevent (well, filter/detect) NSAs from publishing topologies where ids overwrite other ids (injection).

Any further requirements depend on what functionality it is we want to have in topology distribution and how topology and path finding should work (which is, at least to me, still up in the air).

One thing I think we should start making clear is what it means when an NSI XML document has multiple (NML) topologies in it:

* Does it mean that it administrates the topology (I believe we agreed on this)?
* That it peers with the NSAs of the respective topologies (and can hence set up circuits on it)?
* That it is simply relaying information somehow?

One solution that has come up to prevent injection / to allow an NSA to publish topologies for alternate domains (those two things are more or less the same, but with very different intentions) is to sign the nml:Topology element. E.g., the NORDUnet NSA could announce both the nordu.net topology and the deic.dk (the Danish NREN) topology. However, NORDUnet and DeIC are different administrative organizations, and NORDUnet should not have their certificate (hence I cannot use SUNET as an example). Certificates should not be thrown around like that. Of course DeIC could publish their own topology, but it is difficult to see what is gained by having NORDUnet relay it. Furthermore, we do not have an everyone-trusts-everyone model in NSI (which is a good thing), but instead have transitive trust. There is no guarantee that anyone other than your peers (whatever that means) actually knows your certificate.

Further questions:

* Can topology information be sensitive? I.e., have limited distribution? Since topology is, inherently, meant for distribution, it is difficult to restrict the distribution of it. I suggest we try not to deal with this.

Remember that termination points should not have to be listed, as there might be an awful lot of them, and that the core point of topology exchange is to facilitate pathfinding.

Best regards, Henrik

Henrik Thostrup Jensen <htj at nordu.net>
Software Developer, NORDUnet
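An added example (not from the mail, and not code from any NSI or NML implementation) of the signed-element scheme discussed above: each administrative domain signs its own topology element once, a relaying NSA forwards it unchanged beside its own, and the receiving NSA verifies every element against the key of the domain it claims and rejects ids that overwrite ids from another element. Assumptions: Ed25519 keys stand in for certificates, the Topology struct is a simplified stand-in for nml:Topology, and a plain string canonicalization stands in for XML canonicalization.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)
// Topology is a simplified stand-in for an nml:Topology element (assumed shape, not real NML).
// SignedTopology adds the administrative domain vouching for it and that domain's signature.
type Topology struct {
	ID    string   // e.g. "urn:ogf:network:deic.dk:topology" (constructed id)
	Ports []string // ids of the ports/STPs inside this topology
}
type SignedTopology struct{ Topo Topology; Domain string; Sig []byte }
// canonical gives deterministic bytes to sign (a real deployment would use XML canonicalization).
func canonical(domain string, t Topology) []byte {
	return []byte(fmt.Sprintf("%s\n%s\n%q", domain, t.ID, t.Ports))
}
// Sign is done once by the administrative domain; any NSA may then relay the result unchanged.
func Sign(priv ed25519.PrivateKey, domain string, t Topology) SignedTopology {
	return SignedTopology{t, domain, ed25519.Sign(priv, canonical(domain, t))}
}
// Validate checks a multi-topology document as a receiving NSA would: every element must verify
// under the key of the domain it claims, and no id may be published twice (the injection case).
func Validate(trusted map[string]ed25519.PublicKey, doc []SignedTopology) error {
	seen := map[string]string{} // id -> domain that first published it
	for _, st := range doc {
		pub, ok := trusted[st.Domain]
		if !ok || !ed25519.Verify(pub, canonical(st.Domain, st.Topo), st.Sig) {
			return fmt.Errorf("%s: no valid signature from %s", st.Topo.ID, st.Domain)
		}
		for _, id := range append([]string{st.Topo.ID}, st.Topo.Ports...) {
			if owner, dup := seen[id]; dup {
				return fmt.Errorf("%s from %s overwrites the one from %s", id, st.Domain, owner)
			}
			seen[id] = st.Domain
		}
	}
	return nil
}
func main() { // constructed keys; NORDUnet's NSA relays DeIC's element, signed by DeIC, beside its own
	pubN, privN, _ := ed25519.GenerateKey(rand.Reader)
	pubD, privD, _ := ed25519.GenerateKey(rand.Reader)
	trusted := map[string]ed25519.PublicKey{"nordu.net": pubN, "deic.dk": pubD}
	doc := []SignedTopology{Sign(privN, "nordu.net", Topology{"urn:ogf:network:nordu.net:topology", nil}),
		Sign(privD, "deic.dk", Topology{"urn:ogf:network:deic.dk:topology", []string{"urn:ogf:network:deic.dk:ps"}})}
	fmt.Println("relayed:", Validate(trusted, doc))     // <nil>
	doc[1].Topo.Ports[0] = "urn:ogf:network:nordu.net:ps" // the relay tampers with DeIC's element
	fmt.Println("tampered:", Validate(trusted, doc))    // signature no longer verifies
}
```

The receiver needs DeIC's key, not NORDUnet's, to accept the relayed element, which is exactly the transitive-trust gap the mail points out: a relay adds nothing unless the recipient already knows the originating domain's certificate.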