[NSIS] New version of Req submitted
Marcus Brunner <brunner@ccrle.nec.de> Tue, 12 August 2003 09:34 UTC
Received: from optimus.ietf.org (ietf.org [132.151.1.19] (may be forged)) by ietf.org (8.9.1a/8.9.1a) with ESMTP id FAA06237 for <nsis-archive@odin.ietf.org>; Tue, 12 Aug 2003 05:34:30 -0400 (EDT)
Received: from localhost.localdomain ([127.0.0.1] helo=www1.ietf.org) by optimus.ietf.org with esmtp (Exim 4.20) id 19mVXZ-00043n-Mf for nsis-archive@odin.ietf.org; Tue, 12 Aug 2003 05:34:06 -0400
Received: (from exim@localhost) by www1.ietf.org (8.12.8/8.12.8/Submit) id h7C9Y52E015608 for nsis-archive@odin.ietf.org; Tue, 12 Aug 2003 05:34:05 -0400
Received: from localhost.localdomain ([127.0.0.1] helo=www1.ietf.org) by optimus.ietf.org with esmtp (Exim 4.20) id 19mVXV-00043H-7w; Tue, 12 Aug 2003 05:34:01 -0400
Received: from odin.ietf.org ([132.151.1.176] helo=ietf.org) by optimus.ietf.org with esmtp (Exim 4.20) id 19mVX7-000436-9z for nsis@optimus.ietf.org; Tue, 12 Aug 2003 05:33:37 -0400
Received: from ietf-mx (ietf-mx.ietf.org [132.151.6.1]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id FAA06231 for <nsis@ietf.org>; Tue, 12 Aug 2003 05:33:31 -0400 (EDT)
Received: from ietf-mx ([132.151.6.1]) by ietf-mx with esmtp (Exim 4.12) id 19mVX3-0006b7-00 for nsis@ietf.org; Tue, 12 Aug 2003 05:33:33 -0400
Received: from tokyo.ccrle.nec.de ([195.37.70.2]) by ietf-mx with esmtp (Exim 4.12) id 19mVX2-0006ay-00 for nsis@ietf.org; Tue, 12 Aug 2003 05:33:33 -0400
Received: from venus.office (venus.office [10.1.1.11]) by tokyo.ccrle.nec.de (8.12.9/8.12.8) with ESMTP id h7C9X1VI074068; Tue, 12 Aug 2003 11:33:01 +0200 (CEST)
Received: from [10.1.1.130] (brunner.office [10.1.1.130]) by venus.office (Postfix on SuSE Linux eMail Server 3.0) with ESMTP id E7FA46EFB5; Tue, 12 Aug 2003 11:09:56 +0200 (CEST)
Date: Tue, 12 Aug 2003 11:33:01 +0200
From: Marcus Brunner <brunner@ccrle.nec.de>
Reply-To: Marcus Brunner <brunner@ccrle.nec.de>
To: Loughney <john.loughney@nokia.com>, Allison Mankin <mankin@isi.edu>
Cc: nsis@ietf.org, Harald Tveit Alvestrand <harald@alvestrand.no>, Steve Bellovin <smb@research.att.com>
Message-ID: <91739274.1060687981@[10.1.1.130]>
X-Mailer: Mulberry/3.0.2 (Win32)
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"; format="flowed"
Content-Transfer-Encoding: 7bit
Content-Disposition: inline
Content-Transfer-Encoding: 7bit
Subject: [NSIS] New version of Req submitted
Sender: nsis-admin@ietf.org
Errors-To: nsis-admin@ietf.org
X-BeenThere: nsis@ietf.org
X-Mailman-Version: 2.0.12
Precedence: bulk
List-Unsubscribe: <https://www1.ietf.org/mailman/listinfo/nsis>, <mailto:nsis-request@ietf.org?subject=unsubscribe>
List-Id: Next Steps in Signaling <nsis.ietf.org>
List-Post: <mailto:nsis@ietf.org>
List-Help: <mailto:nsis-request@ietf.org?subject=help>
List-Subscribe: <https://www1.ietf.org/mailman/listinfo/nsis>, <mailto:nsis-request@ietf.org?subject=subscribe>
Content-Transfer-Encoding: 7bit
John, Allison, I have a new version of the requirements submitted (draft-ietf-nsis-req-09.txt). The comments from Harald and Steve have been addressed (see below for the difference between the 08 and 09 of the draft. Marcus Section 5 (Harald's comment #1) OLD 5 Requirements This section defines more detailed requirements for a signaling solution, respecting the framework, scoping assumptions, and terminology considered earlier. The requirements are in subsections, grouped roughly according to general technical aspects: architecture and design goals, topology issues, parameters, performance, security, information, and flexibility. Two general (and potentially contradictory) goals for the solution are that it should be applicable in a very wide range of scenarios, and at the same time lightweight in implementation complexity and resource consumption requirements in NSIS Entities. One approach to this is that the solution could deal with certain requirements via modular components or capabilities, which are optional to implement or use in individual nodes. In order to prioritize the various requirements we informally define different 'parts of the network'. In the different parts of the network a particular requirement might have a different priority. The parts of the networks we differentiate are the host-to-first router, the access network, and the core network. The host to first router part includes all the layer 2 technologies to access to the Internet. This part of the division is especially informal and may incorporate several access segments. In many cases, there is an application and/or user running on the host initiating signaling. The access network can be characterized by low capacity links, medium speed IP processing capabilities, and it might consist of a complete layer 2 network as well. The core network characteristics include high-speed forwarding capacities and inter-domain issues. These divisions between network types are not strict and do not appear in all networks, but where they do exist they may influence signaling requirements and will be highlighted as necessary. NEW 5 Requirements This section defines more detailed requirements for a signaling solution, respecting the framework, scoping assumptions, and terminology considered earlier. The requirements are in subsections, grouped roughly according to general technical aspects: architecture and design goals, topology issues, parameters, performance, security, information, and flexibility. Two general (and potentially contradictory) goals for the solution are that it should be applicable in a very wide range of scenarios, and at the same time lightweight in implementation complexity and resource consumption requirements in NSIS Entities. We use the terms 'access' and 'core' informally in the discussion of some particular requirements to refer to deployment conditions where particular protocol attributes, especially performance characteristics, have special importance. Specifically, 'access' refers to lower capacity networks and fewer users and sessions. 'Core' refers to high capacity networks with a large number of users and sessions. One approach to this is that the solution could deal with certain requirements via modular components or capabilities, which are optional to implement or use in individual nodes. ==================================================== Req 5.5.1 Scalability (Harald's comment #2) NEW added the following paragraph at the end of req 5.5.1 Specifically, NSIS MUST work in Internet scale deployments, where the use of signaling by hosts becomes universal. Note that requirement 5.2.4 requires the functionality of transparently signal through networks without interpretation. Additionally, requirement 5.6.1 lists the capability to aggregate. Furthermore, requirement 5.5.4 states that NSIS should be able to constrain the load on devices. Basically, the performance of the signaling MUST degrade gracefully rather than catastrophically under overload conditions. ============================ section 3, last paragraph (Steve Bellovin comment #1) OLD 5. We can see the network at the level of domains/subdomains rather than individual routers (except in the special case that the domain contains one link). Domains are assumed to be administrative entities, so security requirements apply to the signaling between them. NEW 5. We can see the network at the level of domains/subdomains rather than individual routers (except in the special case that the domain contains one link). Domains are assumed to be administrative entities. So security requirements might apply differently for the signaling between the domains and within a domain. Both cases we deal with in this document. ============================ Requirement 5.7.8 (Steve Bellovin comment #2) OLD 5.7.8 Confidentiality of signaling messages Based on the signaling information exchanged between nodes participating in the signaling protocol an adversary may learn both the identities and the content of the signaling messages. To prevent this from happening, confidentiality of the signaling message in a hop-by-hop manner MAY be provided. Note that the protection can be provided on a hop-by-hop basis for most message payloads since it is required that entities which actively participating in the signaling protocol must be able to read and eventually modify the content of the signaling messages. NEW 5.7.8 Confidentiality of signaling messages Based on the signaling information exchanged between nodes participating in the signaling protocol an adversary may learn both the identities and the content of the signaling messages. Since the ability to listen to signaling channels is a major guide to what data channels are interesting ones. To prevent this from happening, confidentiality of the signaling message in a hop-by-hop manner SHOULD be provided. Note that most messages must be protected on a hop-by-hop basis, since entities, which actively participate in the signaling protocol, must be able to read and eventually modify the signaling messages. -------------------------------------- Marcus Brunner Network Laboratories NEC Europe Ltd. E-Mail: brunner@ccrle.nec.de WWW: http://www.ccrle.nec.de/ Phone: +49 (0) 6221 905 11 29 Mobile: +49 (0) 163 275 17 43 personal home page: http://www.brubers.org/marcus _______________________________________________ nsis mailing list nsis@ietf.org https://www1.ietf.org/mailman/listinfo/nsis
- [NSIS] New version of Req submitted Marcus Brunner
- [NSIS] Re: New version of NSIS Req submitted Harald Tveit Alvestrand