Re: [Ace] discussion on draft-vasu-ace-core-access-privilege-provisoining-00
Vasu Kantubukta <vasu.kantubukta@huawei.com> Sat, 23 April 2016 09:16 UTC
Return-Path: <vasu.kantubukta@huawei.com>
X-Original-To: ace@ietfa.amsl.com
Delivered-To: ace@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id BF1AD12E6F3 for <ace@ietfa.amsl.com>; Sat, 23 Apr 2016 02:16:05 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -5.217
X-Spam-Level:
X-Spam-Status: No, score=-5.217 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3, RCVD_IN_MSPIKE_H3=-0.01, RCVD_IN_MSPIKE_WL=-0.01, RP_MATCHES_RCVD=-0.996, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id wXrDu37PJdfG for <ace@ietfa.amsl.com>; Sat, 23 Apr 2016 02:16:04 -0700 (PDT)
Received: from lhrrgout.huawei.com (lhrrgout.huawei.com [194.213.3.17]) (using TLSv1 with cipher RC4-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 8D18712E6E8 for <ace@ietf.org>; Sat, 23 Apr 2016 02:16:03 -0700 (PDT)
Received: from 172.18.7.190 (EHLO lhreml702-cah.china.huawei.com) ([172.18.7.190]) by lhrrg02-dlp.huawei.com (MOS 4.3.7-GA FastPath queued) with ESMTP id CIG01928; Sat, 23 Apr 2016 09:16:01 +0000 (GMT)
Received: from BLREML406-HUB.china.huawei.com (10.20.4.43) by lhreml702-cah.china.huawei.com (10.201.5.99) with Microsoft SMTP Server (TLS) id 14.3.235.1; Sat, 23 Apr 2016 10:15:57 +0100
Received: from BLREML509-MBB.china.huawei.com ([169.254.1.138]) by BLREML406-HUB.china.huawei.com ([10.20.4.43]) with mapi id 14.03.0235.001; Sat, 23 Apr 2016 14:45:47 +0530
From: Vasu Kantubukta <vasu.kantubukta@huawei.com>
To: "ace@ietf.org" <ace@ietf.org>
Thread-Topic: discussion on draft-vasu-ace-core-access-privilege-provisoining-00
Thread-Index: AQHRnMlB/ZGS96TbOUGxy1P6DRf9yZ+XRfcw
Date: Sat, 23 Apr 2016 09:15:46 +0000
Message-ID: <D6EBB546995C064A9492E8E27F62D90D0AA2D51C@blreml509-mbb.china.huawei.com>
References: <mailman.32.1461351612.25426.ace@ietf.org>
In-Reply-To: <mailman.32.1461351612.25426.ace@ietf.org>
Accept-Language: zh-CN, en-US
Content-Language: en-US
X-MS-Has-Attach: yes
X-MS-TNEF-Correlator:
x-originating-ip: [10.18.211.249]
Content-Type: multipart/mixed; boundary="_005_D6EBB546995C064A9492E8E27F62D90D0AA2D51Cblreml509mbbchi_"
MIME-Version: 1.0
X-CFilter-Loop: Reflected
X-Mirapoint-Virus-RAPID-Raw: score=unknown(0), refid=str=0001.0A020206.571B3D52.0014, ss=1, re=0.000, recu=0.000, reip=0.000, cl=1, cld=1, fgs=0, ip=169.254.1.138, so=2013-06-18 04:22:30, dmn=2013-03-21 17:37:32
X-Mirapoint-Loop-Id: c4c06fba18e5667c2a9a52d542100270
Archived-At: <http://mailarchive.ietf.org/arch/msg/ace/SiUDqG2k86USZKDXC6iDqjvw_yU>
Subject: Re: [Ace] discussion on draft-vasu-ace-core-access-privilege-provisoining-00
X-BeenThere: ace@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: "Authentication and Authorization for Constrained Environments \(ace\)" <ace.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ace>, <mailto:ace-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ace/>
List-Post: <mailto:ace@ietf.org>
List-Help: <mailto:ace-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ace>, <mailto:ace-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 23 Apr 2016 09:16:05 -0000
Hi Hannes Tschofenig, Thanks for reviewing our draft and giving us feedback. Plz find the below inline response: The term itself is defined in the terminology section: o "Commissioner" Commissioning agent is tool/device that verifies the devices operation, integrity check with the network. Could you explain a little bit what you mean by "verifies the device operation", and "integrity check with the network"? ---> Sorry for the wording, maybe it is not conveying the actual meaning. ---> I mean it verifies whether the device can be operational in the network or not, and can join to the network or not. Thanks and Best Regards K Vasu -----Original Message----- From: Ace [mailto:ace-bounces@ietf.org] On Behalf Of ace-request@ietf.org Sent: 2016年4月23日 0:30 To: ace@ietf.org Subject: Ace Digest, Vol 29, Issue 18 Send Ace mailing list submissions to ace@ietf.org To subscribe or unsubscribe via the World Wide Web, visit https://www.ietf.org/mailman/listinfo/ace or, via email, send a message with subject or body 'help' to ace-request@ietf.org You can reach the person managing the list at ace-owner@ietf.org When replying, please edit your Subject line so it is more specific than "Re: Contents of Ace digest..."
--- Begin Message ---Hello, I'm still trying to clarify the details of the approach you propose, so please excuse the barrage of questions. In figure 2 it looks like the RS has to do an online lookup at the AS to get an access control decision while in figure 3 it seems as if the AS itself executes the request on behalf of the client. Both cases work fine if the RS can connect to the AS at the time of the request, but if you look at RFC 7744 we have usecases where this is not possible or not cost effective (e.g. in terms of battery usage). Have you considered such usecases? From our discussion I got the impression that in your approach, both access control and resource control policies are provisioned to the AS only and not to the RS, but in figure 3 is seems like the RS makes some access control decision towards the AS, I wonder based on which policies that happens? > Why would the scheduling problem be caused by the access control > mechanism? That causality doesn't seem obvious to me, please explain > in more detail. > --> Here, If I am not wrong, you mentioned that same access tokens > can be valid for multiple resources. Right > If access control does not consider resource availability and > resources max capacity to handle the request. Then clients need to > send the resource request to multiple resource servers. Then it may > need a scheduling by a proxy. As I said, the AS can very well consider resource control or scheduling when making an access control decision, but the details of how the AS makes access control decisions are not in scope for ACE. I also get the feeling that you got hang up on my simplistic example of a client sending a request to multiple resource servers. I guess a more realistic example would be that there are proxies taking care of scheduling, independently of the access control mechanism in place. Alternatively you could imagine a setting where the client broadcasts or multicasts its request. > > It seems to me that your goal is to include resource control aspects > into that decision, and that is fine by me, but not relevant for the > ACE work, which deals with encoding the access control decision into > a token, getting the token to the Resource Server and then having the > RS enforce that access control decision. --> Can you suggest me, > which group I can reach for? I don't think there is an IETF working group on that topic. > When replying, please edit your Subject line so it is more specific > than "Re: Contents of Ace digest..." Please note this ^^^^^^ /Ludwig -- Ludwig Seitz, PhD SICS Swedish ICT AB Ideon Science Park Building Beta 2 Scheelevägen 17 SE-223 70 Lund Phone +46(0)70-349 92 51 http://www.sics.se--- End Message ---
--- Begin Message ---Hi Vasu, thanks for your draft. I have browsed through it and I had a number of questions and I wanted to start with one aspect that seems to be quite central to your document. In the introduction you talk about RD and the past work in the IETF CORE working group. Then, you introduce a Commissioner: Once the services are advertised by any device, those services need to be verified using commissioner. CORE RD provides a standard procedure to interact with commissioner, where commissioner acts like a client device to look up and verify the advertised services. Once the commissioner verifies the pre-registered services, commissioner can put some policy rules on services hosted by devices for resource control. The term itself is defined in the terminology section: o "Commissioner" Commissioning agent is tool/device that verifies the devices operation, integrity check with the network. Could you explain a little bit what you mean by "verifies the device operation", and "integrity check with the network"? Ciao Hannes PS: You may have missed a few working group meetings and therefore you may not know that we have already made a decision regarding the solution direction regarding the use of OAuth for IoT.--- End Message ---
- Re: [Ace] discussion on draft-vasu-ace-core-acces… Vasu Kantubukta
- Re: [Ace] discussion on draft-vasu-ace-core-acces… Vasu Kantubukta
- Re: [Ace] discussion on draft-vasu-ace-core-acces… Hannes Tschofenig
- Re: [Ace] discussion on draft-vasu-ace-core-acces… Vasu Kantubukta