recently, a number of questions have been raised about the Capability
Interface. There are two sources of confusion:
1) What, exactly, is an "interface"? Can we use a different word instead
2) Why do we need another interface (or similar word)?
Clarifying the first issue.
A number of people have stated that to them, an "interface" is synonymous
with "communication". This is NOT what was meant when this I-D was written.
Indeed, the definition of Interface, from that I-D, is as follows:
Interface: A set of operations one object knows it can invoke on,
and expose to, another object. It is a subset of all operations
that a given object implements. The same object may have multiple
types of interfaces to serve different purposes. An example of
multiple interfaces can be seen by considering the interfaces
include a firewall uses; these include:
* multiple interfaces for data packets to traverse through,
* an interface for a controller to impose policy, or retrieve
the results of execution of a policy rule.
See also: Consumer Interface, I2NSF Interface, Provider Interface
Note that the above definition implies a **shared boundary** across which
two entities send and/or receive data. In other words, what's important is
the set of standard operations that can be invoked, and **not** the fact
that this is a form of communication.
Clarifying the second issue.
The reason that a separate interface for exchanging capability information
was proposed is to minimize the attack surface. The capability interface is
for exchanging **all** capabilities, so that two entities may negotiate and
agree on what set of capabilities will actually be used. Clearly, this is
different than operation on either the consumer-facing or NSF-facing
interfaces, since those interfaces are constrained to using **only** the
set of capabilities that have been agreed upon to use. This follows the
well-known Principle of Least Privilege (i.e., in a particular abstraction,
every function must be able to access **only** the information and
resources that are necessary for the legitimate purpose of that function.
Exposing the set of **all** capabilities over a widely used interface (like
the consumer- or NSF-facing interfaces) is a **bad idea**. It risks an
attacker understanding the complete set of capabilities of the system.
Furthermore, from a software componentization point-of-view, there is a
significant difference between exposing and negotiating between the set of
all capabilities (which is the purpose of the Capability Interface) and
simply using a selected set of capabilities (which is the purpose of the
consumer-facing or NSF-facing interfaces).
I hope this clarifies these two issues. I'll wait a couple of days before
issuing the next update to the Terminology Draft.
I2nsf mailing list