netreg net·reg - /'net-rej/ noun a web-based registration application for the management of...

Post on 17-Dec-2015


NetReg

Net·Reg - /'net-rej/ noun. A web-based registration application for the management of system, network and contact information.

Unify RDM, Security Contacts and DHCP MAC Registration Applications

• Each application manages information about related and overlapping entities

• One Stop Shop for Registration for Network access, Security Contacts, and Restricted Data

• All three existing applications need enhancements

Existing Application: Restricted Data Management (RDM)

Diagram: Data Owner → RDM
• RDM System data: system name, IP address; type of data, quantity; security plan, etc.
• Data Owner registers RDM Systems
• Creates Role

Existing Application: Security Contacts

Diagram: Primary IT Contact → Security Contacts App
• Contact Role: name, Dept; Owner, contact information; list of Maintainers; email address
• Adds IP Address Entities
• IP Address Entity: Address, Range, CIDR block (subnet), Subdomain

Existing Application: DHCP MAC Registration

Diagram: Individual DHCP Registrant → DHCP MAC Registration; Hostmaster → DHCP Service
• System Entity: MAC address; Fixed DHCP? then IP address; Dynamic DNS? then hostname
• Registrant registers MAC address; requests Fixed DHCP, Dynamic DNS
• IP Address Entity: Address, Range, CIDR block (subnet), Subdomain

New Application: NetReg

Diagram: NetReg, with Data Owner, Individual DHCP Registrant, Hostmaster, DHCP Service and Primary IT Contact
• Contact Role (CR): name, Dept; list of Members; email address; Delegated Group(s)
• Registers System, MAC address
• Registers RDM System
• IP Address Entity: IPv4 and IPv6 Address, Range, CIDR block (subnet), Subdomain
• System Entity: MAC address; IP Addr Assignment?; RDM type?
• Systems: add, edit, remove, bulk upload
• IP Addr Entity: claim, abandon, transfer
• Primary IT Contact creates Role

NetReg Goals

• Promote Campus DHCP service
• Improve information management
• Improve data integrity
• 100% coverage for notifications
• Good authorization platform
– Required for future services

Promote Campus DHCP service

• Role-based Management
• Bulk upload of System Entity data
• Notes field
• Transfer MAC address mechanism
• Greater use of DHCP
– Future: Option 82 - Location with lease information
– Future: IP source guard – requires the use of DHCP

Improved Management

• Unified application
– Integrate RDM with Security Contacts
• Role-based
• Allow multiple profiles, multiple Contact Roles, per user

Data Integrity

• Automatic checks for changes that affect Authorization or Notification
– Expired CalNet UIDs
– Contact Roles with no active members
– Stale MAC addresses
– Network moves
– Job changes
– Re-organizations

• Appropriate follow-through

100% Coverage

• Really is ‘100% Coverage without any overlap’
• Quickly, easily translate an IP address to a responsible party for notification
• Responsible party related to organizational structure for security reporting

Authorization

• Is this person authorized to create this department’s Contact Role?

• Does this IP address entity belong with this Contact Role?

• When was this IP address associated with this Contact Role?

• Future services require good authorization

Proposals

Contact Roles

• Two kinds of Contact Role (CR), Department and Group.
– Group CR created by Department CR
• Department Contact Role tied to organizational structure for security reports
– Dept CR at a node in organizational structure, any level.
– Only one Dept CR per node in org structure.
• Group Contact Roles allow for different IT management styles within departments
– Group CR has Dept CR parent.
• Group CRs cannot create additional Group CRs.

Diagram: Organizational Structure / Contact Roles. Department CRs DCR1, DCR2, DCR3, DCR4 and DCR5 sit at nodes of the org tree; Group CRs GCR3A and GCR3B hang under DCR3, and GCR5A and GCR5B under DCR5.

Contact Roles, con’t.

• Member of Dept CR can be member of Group CR, and vice-versa.

• Dept CR has read-only access to child Group CR information

• Group CR has read-only access to parent Dept CR information?

• Dept CR can configure whether it sees notifications to Group CRs, or not

IP Address Entities

• CRs claim, abandon, request, transfer IP Address Entities.
• IP Address Entities claimed by only one Contact Role (CR)
– E.g., CR1 claims CIDR block (subnet), transfers individual addresses to CR2
• Notifications match IP Address by longest prefix match.
• CIDR blocks as defined in networks.local.

Actions upon IP Address Entities

Diagram: Network (allocated CIDR blocks, assigned IP addresses; unallocated CIDR blocks, unassigned IP addresses) → data feed → NetReg. Dept CR 1, Dept CR 2 and Group CR 2A act on IP Address Entities; actions shown: Claim, Abandon, Request, Transfer. A Holding Area is also shown.

IP Address Entities, con’t.

• Claim/Abandon by Dept CR only, Requests/Transfers by any CR
• Subdomain claims potentially create collisions.
– IP Address claimed by Address by one CR and by Subdomain by another CR
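The longest-prefix-match lookup and the claim/abandon/transfer rules from the two IP Address Entities slides above, as an added illustration that is not part of the NetReg slides or of the NetReg application itself; the class and method names and the sample entities (an RFC 1918 block and the IPv6 documentation prefix) are assumptions, and subdomain claims are not modelled.

```python
import ipaddress

class IPEntityRegistry:
    """Which Contact Role (CR) holds each IP Address Entity (address or CIDR block, v4 or v6).
    Each entity has one CR; an address is notified to the CR holding the longest covering prefix."""

    def __init__(self, dept_crs):
        self._dept_crs = set(dept_crs)  # only Dept CRs may claim/abandon
        self._owner = {}                # ip_network -> CR name

    def _best_match(self, addr):
        # Longest-prefix match over claimed entities of the same IP version
        covering = [n for n in self._owner if n.version == addr.version and addr in n]
        return max(covering, key=lambda n: n.prefixlen, default=None)

    def responsible_party(self, address):
        """Translate an IP address to the CR to notify; None if unclaimed."""
        net = self._best_match(ipaddress.ip_address(address))
        return self._owner[net] if net is not None else None

    def claim(self, entity, cr):
        net = ipaddress.ip_network(entity, strict=False)
        if cr not in self._dept_crs:
            raise PermissionError(f"{cr} is not a Dept CR; cannot claim {net}")
        if net in self._owner:
            raise ValueError(f"{net} already claimed by {self._owner[net]}")
        self._owner[net] = cr

    def abandon(self, entity, cr):
        net = ipaddress.ip_network(entity, strict=False)
        if cr not in self._dept_crs or self._owner.get(net) != cr:
            raise PermissionError(f"{cr} cannot abandon {net}")
        del self._owner[net]

    def transfer(self, entity, from_cr, to_cr):
        # Any CR may hand over an entity it is responsible for, e.g. one address out of
        # its block: the more specific entry wins the match, from_cr keeps the rest.
        net = ipaddress.ip_network(entity, strict=False)
        if self.responsible_party(net.network_address) != from_cr:
            raise PermissionError(f"{from_cr} is not responsible for {net}")
        self._owner[net] = to_cr

def demo():
    # Constructed sample data, not from the slides: two Dept CRs, one Group CR
    reg = IPEntityRegistry(dept_crs={"DCR1", "DCR2"})
    reg.claim("10.1.0.0/24", "DCR1")
    reg.claim("2001:db8::/32", "DCR2")
    reg.transfer("10.1.0.5", "DCR1", "GCR2A")  # one address handed to a Group CR
    return {a: reg.responsible_party(a)
            for a in ("10.1.0.5", "10.1.0.6", "10.2.0.1", "2001:db8::1")}
```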

Relationship of Data Owner to Contact Role?

• Does the Data Owner ask the Contact Role to mark a System as having restricted data?

• Is the Data Owner a member of the Contact Role, in order to mark a System as having sensitive data?

• Is the Data owner a different kind of Role with a relationship to the Contact Role?

NetReg Application

1. CalNet Authenticate
2. Select Profile, if more than one
3. NetReg Main Menu

NetReg: Main menu

• Manage Contact Roles
• Manage IP Address Entities
• Manage System Entities

NetReg: Contact Info

• Manage Contact Role
– View – default
• Members, Email address, Dept ID and name, or Parent CR
– Members – list, add, remove
– Email address – view, edit, send test message
– Delegated groups
• Add
• Remove
• Transfer IP Address(es) to/from

NetReg: IP Address Entities

• Manage Network information
– View – default
– Search
– Claim
– Request
– Transfer
– Abandon

NetReg: System Info

• Manage Systems
– View – Default
• View, detail view – DHCP lease, location, ARP cache information
– Search
– Edit
• Name
• Notes
• MAC address – list, edit, add, remove
• RDM type - if >0 then RDM sub-system
• IP assignment type – DHCP – dynamic, DHCP – fixed, Static, and appropriate follow-on fields.
– Add
– Transfer
– Remove
– Bulk Upload

Other Issues?

Feedback to Saskia Etling, saetling@berkeley.edu
