Changes between Version 128 and Version 129 of GAPI_AM_API_DRAFT

04/02/15 14:13:04 (9 years ago)
Aaron Helsinger




    v128 v129  
    442442 - For APIv3, change the `ListResources` details that now says `this list must include a valid user credential` to instead use `may`, as in: `this list may include a valid user credential`.
     444== Change Set AE: Allow Restricted Shared VLANs ==
     445Experimenters want to be able to offer services on GENI for other slices, or to connect multiple slices together. This is termed 'cross slice stitching'; connecting 2 slices at layer 2. As background, note that GENI has the notion of a 'shared VLAN'. This is a VLAN that gets a name and that is marked public, allowing anyone to connect to it. At InstaGENI, there is a `PerformOperationalAction` to convert a newly allocated LAN into a shared VLAN. This topic was discussed at [wiki:GEC21Agenda/DeveloperRoundtable#Cross-SliceStitching1 GEC21], and again at [wiki:GEC22Agenda/DeveloperRoundtable#CrossSliceStitching1 GEC22].
     447'''Proposal''': Add to the existing POA `geni_sharelan` a new option `restricted` with default value `false` (old behavior). When true, the created shared VLAN requires a new credential when requesting a connection to this new Shared VLAN.
     448The POA method will return in this case a GENI SFA credential with owner <user calling the method> and target <sliver  of the shared VLAN, or the shared VLAN in some way; contents are not specified but should be sufficient for the aggregate to authorize the call>.
     450Note that shared vlan names are scoped within the AM and must be unique within the AM.
     452The server slice aggregate manager (the AM at which the shared VLAN was created) should include the shared vlan (whether restricted or not) in the advertisement RSpec for the aggregate, indicating if this LAN is shared or not. The current `shared-vlan` RSpec suffices, but needs an attribute to indicate the VLAN is `restricted`.
     454'''Proposal''': add a new optional attribute to the existing `shared-vlan` extension `restricted` with type `xml:boolean` and default value `false`.
     456Slices desiring to connect to this restricted shared VLAN negotiate with the service slice. The service slice must delegate the shared VLAN credential to the client slice user (the mechanism for doing so is not specified by this proposal, but the format for a delegated credential is [wiki:GeniApiCredentials#Delegation specified]. Then the client slice user must include this extra credential in the call to `createsliver` or `allocate` (in the existing `credentials` argument to those API calls).
     458The aggregate can then create a LAN for the client slice that connects to the specified shared VLAN, allowing traffic to flow freely between the two slices.
     460Note that there could also be an additional `PerformOperationalAction` command to modify an existing 'client' slice to connect a LAN belonging to that slice to one of these 'restricted shared VLANs'. We have not specified the syntax for such an operation.
     462A server slice can identify which client slice is contacting it using the information from the client's manifest RSpec. To make this data available reliably to the server slice, the aggregate manager can sign the manifest RSpec of the 'client' slice, and the client slice can pass this (out of band) to the 'server' slice. (The XML-DSIG signature is a new child element under `rspec`.)
    444464== Older Proposals ==
    445465Older proposals, withdrawn, superseded, or postponed:
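Review bot: The added Change Set AE text (new lines 447, 448 and 456) never says what the aggregate must do when `createsliver` or `allocate` names a restricted shared VLAN and the extra credential is missing, expired, or fails delegation-chain validation. Line 448 leaves the credential contents unspecified ("should be sufficient for the aggregate to authorize the call"). Suggest stating that the aggregate must reject the request in those cases, and saying whether the credential's lifetime is tied to the sliver of the shared VLAN, so that a delegated credential stops working once the VLAN is deleted or unshared. Two smaller points: line 456 opens a parenthesis at "(the mechanism for doing so is not specified" that is not closed after "[wiki:GeniApiCredentials#Delegation specified]"; and line 462 says the aggregate manager "can sign" the client's manifest RSpec but does not say which key signs it or how the server slice is expected to verify the signature on a document it receives out of band.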