Hi

On Wed, 4 Feb 2015, John MacAuley wrote:
Before Christmas I pulled together an NSI security omnibus capturing content from Han's AAI document and discussions we had been having on the mechanisms needed to convey security information in the NSI protocol.
Slide 8:
A suggestion was made that we need to introduce a way for downstream NSA to systematically block misbehaving NSA from sending messages into the control plane.
This would change our principle of a control plane of trust, and if we make this step, where do we stop?
How about we stop when we have a good security design? This should include straightforward revocation. The idea that everyone can make requests to everyone might not be a good idea. Especially since we don't have a good security model for transit networks.
Do we believe this is a discrete item that needs to be addressed in the protocol?
Slide 10-12: (add URA to security attributes)

While I think this might be a good idea to add to the security attributes, it is inadequate to use for a revocation mechanism. It introduces a layer between the TLS/OAuth identity that must be mapped carefully between the X.509 certificate and the NSA id. If this mapping is not 100% correct, it means that revocation will not work properly. Revocation for an NSA should not rely on the correctness of other NSAs to work. This is bad security design. Request forwarding is extremely tricky to get right from a security point of view.

Best regards, Henrik

Henrik Thostrup Jensen <htj at nordu.net>
Software Developer, NORDUnet