Hi Qin,

It is not yet clear to me if the access control should have the granularity of 
resource-id or resource-type (there could be different resources of the same 
type being consumed by the client, in principle, so N:1 relationship).

The second question I made about the resource type is orthogonal to the access 
control topic, but probably interesting to discuss as well, maybe as a separate 
thread.

Best regards

Luis

From: Qin Wu <bill...@huawei.com>
Sent: Tuesday, 20 December 2022 10:26
To: LUIS MIGUEL CONTRERAS MURILLO 
<luismiguel.contrerasmuri...@telefonica.com>; Jensen Zhang 
<jingxuan.n.zh...@gmail.com>; IETF ALTO <alto@ietf.org>
CC: draft-ietf-alto-oam-y...@ietf.org
Subject: RE: [alto] Open discussion on providing resource-level access control 
in ALTO O&M

Jensen, Luis and all:
I quote access control related requirements in RFC7285:
"
   An ALTO server requires at least the following logical inputs:
   o  Security policies mapping potential clients to the information
      that they have privilege to access.

   The ALTO information (e.g., network maps and cost maps) being served by
   each ALTO server, as well as security policies (HTTP authentication,
   TLS client and server authentication, TLS encryption parameters)
   intended to serve the same information should be monitored for
   consistency.
"
We need to make sure our designed solution meets the basic requirements in 
RFC7285.

From: alto [mailto:alto-boun...@ietf.org] On Behalf Of LUIS MIGUEL CONTRERAS MURILLO
Sent: 18 December 2022 5:36
To: Jensen Zhang <jingxuan.n.zh...@gmail.com>; IETF ALTO <alto@ietf.org>
CC: draft-ietf-alto-oam-y...@ietf.org
Subject: Re: [alto] Open discussion on providing resource-level access control in 
ALTO O&M

Hi Jensen, all,

Regarding the access to information resources a couple of questions come to my 
mind.

- What would be the roles you consider for accessing the info? In your 
  proposed piece of model the role is assigned by resource-id, but maybe it could 
  make sense to apply that also (or alternatively) per resource-type.
- Related to resource-type. The model defined three types so far: 
  network-map, cost-map and property-map. I wonder if a kind of registry should 
  be defined for that allowing a more generic definition of the resource types 
  thinking on future extensions of ALTO where new types could be defined.

What do you think?

Best regards

Luis

From: alto <alto-boun...@ietf.org> On Behalf Of Jensen Zhang
Sent: Tuesday, 13 December 2022 11:16
To: IETF ALTO <alto@ietf.org>
CC: draft-ietf-alto-oam-y...@ietf.org
Subject: [alto] Open discussion on providing resource-level access control in 
ALTO O&M

Hi ALTOers,

From the discussion about the ALTO O&M draft last week, we find there is 
another open issue that we should solve before we request YANG doctor reviews:

According to Section 16.2.4 of RFC7285 and Requirement R5-3 of the ALTO O&M 
draft, the data model should support configuration for access control at the 
information resource level. In other words, the data model should configure:

1. How an ALTO server identifies an ALTO client?
2. Which ALTO clients can access a given information resource?

To realize them, we consider two design options:

---

Option 1: authentication and authorization based approach

- To realize the first one, conceptually, we should provide data model to 
configure authentication and authorization for each client. It can be simply 
based on username and password, or delegated to other more complex 
authentication systems like openID and LDAP.

- To realize the second one, a simple approach is to use a role-based solution. 
Every authenticated client can be assigned to multiple roles. And each 
information resource can configure to be accessible by given roles.

The YANG module can be like the following:

+--rw alto!
   +--rw alto-server
      ...
      +--rw auth-client* [username]
      |  +--rw username string
      |  +--rw (auth-config)
      |      +--:(basic-auth)
      |      |  +--rw username string
      |      |  +--rw password string
      |      ...
      |  +--rw role* role-name
      +--rw resource* [resource-id]
         ...
         +--rw accepted-role* role-name
         ...

The choice auth-config can be augmented for different authentication protocols.

We can reference or even reuse the openconfig-aaa data model [1].

[1] 
https://github.com/openconfig/public/blob/master/release/models/system/openconfig-aaa.yang

---

Option 2: ACL based approach

This approach only requires the server to configure an ACL. We can reuse the 
YANG data model defined by RFC8519 [2]. It only filters the traffic by the 
packet attributes, not the application-level authentication. Compared with 
option 1, it may lose some fine-grained control. But for some simple use cases 
like CDN or cloud networks, it may be good enough.

[2]: https://datatracker.ietf.org/doc/html/rfc8519

---

We are looking forward to seeing comments or suggestions on this open issue 
from the WG.

Best regards,
Jensen on behalf of coauthors of ALTO O&M draft
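As an added illustration of Option 1 (this is not code from the ALTO O&M draft or from openconfig-aaa), the following Python check evaluates a constructed configuration shaped like the auth-client / resource tree above: a client is authenticated by basic auth, then granted access to a resource only if one of its roles appears in that resource's accepted-role list. It goes one step beyond the sketch by storing the basic-auth credential as a salted hash instead of the clear-text "password string"; all usernames, passwords, roles and resource-ids are constructed.

```python
import hashlib
import hmac
from typing import Optional

# Constructed static salt for the example; a real store keeps a random salt per user.
SALT = b"constructed-example-salt"


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2 digest, so the config never holds a recoverable password."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


# Constructed configuration mirroring /alto/alto-server from the tree in the mail:
# auth-client keyed by username with roles; resource keyed by resource-id with
# the roles it accepts. An empty accepted-role list means nobody may read it.
ALTO_SERVER = {
    "auth-client": {
        "cdn-node-1": {"password": hash_password("s3cret", SALT), "role": ["cdn", "reader"]},
        "ops-tool": {"password": hash_password("opspass", SALT), "role": ["operator"]},
    },
    "resource": {
        "default-network-map": {"accepted-role": ["reader", "operator"]},
        "cdn-cost-map": {"accepted-role": ["cdn"]},
        "internal-prop-map": {"accepted-role": []},
    },
}


def authenticate(server: dict, username: str, password: str) -> Optional[dict]:
    """Return the auth-client entry on a valid basic-auth login, else None."""
    entry = server["auth-client"].get(username)
    if entry is None:
        hash_password(password, SALT)  # equalise timing for unknown users
        return None
    if not hmac.compare_digest(entry["password"], hash_password(password, SALT)):
        return None
    return entry


def authorize(server: dict, username: str, password: str, resource_id: str) -> bool:
    """Deny by default: unknown client, bad password, unknown resource or no
    shared role all yield False; access needs one role in accepted-role."""
    client = authenticate(server, username, password)
    if client is None:
        return False
    resource = server["resource"].get(resource_id)
    if resource is None:
        return False
    return bool(set(client["role"]) & set(resource["accepted-role"]))
```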

_______________________________________________
alto mailing list
alto@ietf.org
https://www.ietf.org/mailman/listinfo/alto