Hi Some notes from implementing NML, and some input for the topology discussion at Glif. There is no bandwdith/capacity attribute in NML. This means we cannot do capacity matching in pathfinding Is this something we need? (insert usual disclaimer about advertised bandwidth being different from avaible) NML does not have anything to denote available service definitions - per network or port. This again, makes pathfinding rather tricky and full of assumptions. While one can match labels with labels used in a service definition, there might be certain semantics which is not supported. Is this something we need to add? The NML model is quite different from the original network+port model of NSI. The role of a topology corresponds roughly to a network, but this is a restriction/policy that we have made (which I am perfectly fine with, but we just need to be explicit about this). This also means the way NML and NSI reference ports are different. In NSI we use a network id (which maps to a topology in NML) and a local id which maps to a fully qualified port name in NML, like this: <sourceSTP> <networkId>urn:ogf:network:aruba.net</networkId> <localId>urn:ogf:network:aruba.net:ps</localId> </sourceSTP> In NML, one can reference ports directly, like this: <nml:PortGroup id="urn:ogf:network:bonaire.net:bonaire.net:arb-in" /> There is something to be said for both models, but not really about having both at the same. The network id in NSI is really redundant. I talked to to John about this in Madrid, and while he agreed he just couldn't get himself to remove (and I agree with this, the whole thing just feels so goddamn clumsy). Right now we essentially have 1½ topology model. There are some ways Then there are some security aspects. How do I control that no one injects services / topologies / servies into the topology? In OpenNSA, I do the following in the configuration: peers=example.org@http://example.org:9080/NSI/topology/example.org.xml This enables me to check/filter for identifiers in the retrieved topology. A basic way could be to match the hostname of the base identifier (like nordu.net:2013) against a certificate (can the the one of the TLS session or via a signed topology). However AFAICT, there is no way to establish exactly what the base identifier is. Furthermore the certificate is not likely to match the base identifier, e.g. nordu.net:2013 vs nsi.nordu.net. The NML year model also falls somewhat apart here, as someone announcing with a certain year would need to have a valid certificate for that year, however certificates where the current time is not within the valid period are by default invalid (and with good reason). Best regards, Henrik Henrik Thostrup Jensen <htj at nordu.net> Software Developer, NORDUnet