NetReg
Net·Reg - /'net-rej/ nounA web-based registration application for the management of system, network and contact information.
Unify RDM, Security Contacts and DHCP MAC Registration Applications
• Each application manages information about related and overlapping entities
• One Stop Shop for Registration for Network access, Security Contacts, and Restricted Data
• All three existing applications need enhancements
Existing Application: Restricted Data Management (RDM)
Data OwnerRDM
System name, IP addressType of Data, quantitySecurity plan, etc.
Registers RDM Systems
Creates Role
Existing Application: Security Contacts
Primary IT Contact Security Contacts App
Contact Role name, DeptOwner, contact informationList of MaintainersEmail address Add IP Address Entities
IP Address EntityAddressRangeCIDR block (subnet)Subdomain
Existing Application: DHCP MAC Registration
Individual DHCP Registrant DHCP MAC Registration
System EntityMAC addressFixed DHCP? Then IP addressDynamic DNS? Then hostname
Registers MAC address.
Requests Fixed DHCP, Dynamic DNS
Hostmaster DHCP Service
IP Address EntityAddressRangeCIDR block (subnet)Subdomain
New Application: NetReg
Data Owner
NetRegContact Role (CR) name, DeptList of MembersEmail address Delegated Group(s)
Registers System, MAC address
Hostmaster
DHCP Service
IP Address EntityIPv4 and IPv6Address, RangeCIDR block (subnet)Subdomain
Individual DHCP Registrant
Registers RDMSystem
System EntityMAC addressIP Addr Assignment?RDM type?
Systems: add, edit, remove, bulk upload
IP Addr Entity: claim, abandon, transfer
Primary IT Contact Creates Role
NetReg Goals
• Promote Campus DHCP service• Improve information management• Improve data integrity
• 100 % coverage for notifications• Good authorization platform –Required for future services
Promote Campus DHCP service
• Role-based Management• Bulk upload of System Entity data• Notes field• Transfer MAC address mechanism• Greater use of DHCP – Future: Option 82 - Location with lease
information– Future: IP source guard – requires the use of
DHCP
Improved Management
• Unified application– Integrate RDM with Security Contacts
• Role-based• Allow multiple profiles, multiple Contact
Roles, per user
Data Integrity
• Automatic checks for changes that effect Authorization or Notification – Expired CalNet UIDs– Contact Roles with no active members– Stale MAC addresses– Network moves– Job changes– Re-organizations
• Appropriate follow-through
100% Coverage
• Really is ‘100% Coverage without any overlap’• Quickly, easily translate an IP address to a
responsible party for notification• Responsible party related to organizational
structure for security reporting
Authorization
• Is this person authorized to create this department’s Contact Role?
• Does this IP address entity belong with this Contact Role?
• When was this IP address associated with this Contact Role?
• Future services require good authorization
Proposals
Contact Roles• Two kinds of Contact Role (CR), Department and
Group.– Group CR created by Department CR
• Department Contact Role tied to organizational structure for security reports– Dept CR at a node in organizational structure, any level.– Only one Dept CR per node in org structure.
• Groups Contact Roles allow for different IT management styles within departments– Group CR has Dept CR parent.
• Group CRs cannot create additional Group CRs.
Organizational StructureContact Roles
DCR1
DCR5
GCR5A
DCR2
GCR5B
DCR3
GCR3A GCR3B
DCR4
Contact Roles, con’t.
• Member of Dept CR can be member of Group CR, and vice-versa.
• Dept CR has read-only access to child Group CR information
• Group CR has read-only access to parent Dept CR information?
• Dept CR can configure whether it sees notifications to Group CRs, or not
IP Address Entities
• CRs claim, abandon, request, transfer IP Address Entities.
• IP Address Entities claimed by only one Contact Role (CR)– E.g., CR1 claims CIDR block (subnet), transfers
individual addresses to CR2• Notifications match IP Address by longest
prefix match.• CIDR blocks as defined in networks.local.
Unallocated CIDR blocks, unassigned IP addresses
Actions upon IP Address Entities
Network
NetReg
Allocated CIDR blocksAssigned IP addresses
Dept CR 1
Dept CR 2 Group CR 2A Claim
Abandon
Request
Data feed
Transfer
Holding Area
IP Address Entities, con’t.
• Claim/Abandon by Dept CR only, Requests/Transfers by any CR
• Subdomain claims potentially create collisions.– IP Address claimed by Address by one CR and
another CR by Subdomain
Relationship of Data Owner to Contact Role?
• Does the Data Owner ask the Contact Role to mark a System as having restricted data?
• Is the Data Owner a member of the Contact Role? In order to marks System as having sensitive data.
• Is the Data owner a different kind of Role with a relationship to the Contact Role?
NetReg Application
1. CalNet Authenticate2. Select Profile, if more than one3. NetReg Main Menu
NetReg: Main menu
• Manage Contact Roles• Manage IP Address Entities• Manage System Entities
NetReg: Contact Info
• Manage Contact Role– View – default• Members, Email address, Dept ID and name, or Parent
CR
– Members – list, add, remove– Email address – view, edit, send test message– Delegated groups• Add• Remove• Transfer IP Address(es) to/from
NetReg: IP Address Entities
• Manage Network information– View – default– Search - – Claim– Request– Transfer– Abandon
NetReg: System Info• Manage Systems
– View – Default• View, detail view – DHCP lease, location, ARP cache information
– Search– Edit
• Name• Notes• MAC address – list, edit, add, remove• RDM type - if >0 then RDM sub-system• IP assignment type – DHCP – dynamic, DHCP – fixed, Static, and appropriate
follow-on fields.
– Add– Transfer– Remove– Bulk Upload
Other Issues?
Feedback to Saskia Etling, [email protected]