Re: [Ace] [Anima-bootstrap] EST over CoAP in ACE wg

"Panos Kampanakis (pkampana)" <pkampana@cisco.com> Fri, 09 December 2016 06:04 UTC

Return-Path: <pkampana@cisco.com>
X-Original-To: ace@ietfa.amsl.com
Delivered-To: ace@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 204631293EE; Thu, 8 Dec 2016 22:04:26 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -17.418
X-Spam-Level:
X-Spam-Status: No, score=-17.418 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_HI=-5, RCVD_IN_MSPIKE_H3=-0.01, RCVD_IN_MSPIKE_WL=-0.01, RP_MATCHES_RCVD=-2.896, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001, USER_IN_DEF_DKIM_WL=-7.5] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=cisco.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id eYOuGX8pPXes; Thu, 8 Dec 2016 22:04:24 -0800 (PST)
Received: from rcdn-iport-1.cisco.com (rcdn-iport-1.cisco.com [173.37.86.72]) (using TLSv1.2 with cipher DHE-RSA-SEED-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id A6932128B38; Thu, 8 Dec 2016 22:04:23 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cisco.com; i=@cisco.com; l=4048; q=dns/txt; s=iport; t=1481263463; x=1482473063; h=from:to:subject:date:message-id:references:in-reply-to: content-transfer-encoding:mime-version; bh=Tk/ObWcHBerR5Y0U6HMtC5vA9NyrCvWbZRnEXovn0dU=; b=ZY7ganrAcPhPWjoyFHMNAEUZAaFXyXLgB0cJHPR9TCxVvroRtnMfgcvc RefdqFsFZB0/ZKklZPXgSTOUHWMcZSn1HRN1vTi71AXP604PlZViBUKv8 hOIMELa8CZFMxFxe+J7AVqxJxmpicSC47gjwTK6MLtypxHUWQAG+HqzAj c=;
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: =?us-ascii?q?A0BuAQCDSEpY/4UNJK1eGgEBAQECAQEBA?= =?us-ascii?q?QgBAQEBgywLAQEBAQEfWoEGB41ClxOVAoIJKYJCgmxKAoF8PxQBAgEBAQEBAQF?= =?us-ascii?q?iKIRoAQEBBDpLBAIBCBEEAQEfCQcyFAkIAQEEARIIiGMOqVmLLAEBAQEBAQEBA?= =?us-ascii?q?QEBAQEBAQEBAQEBARgFhj6EW4QaEAIBTYUvBZprAYlehziBfIhGhguOC4QNAR8?= =?us-ascii?q?3YTyDXRyBXXIBiAuBDQEBAQ?=
X-IronPort-AV: E=Sophos;i="5.33,323,1477958400"; d="scan'208";a="184901328"
Received: from alln-core-11.cisco.com ([173.36.13.133]) by rcdn-iport-1.cisco.com with ESMTP/TLS/DHE-RSA-AES256-SHA; 09 Dec 2016 06:04:22 +0000
Received: from XCH-RCD-006.cisco.com (xch-rcd-006.cisco.com [173.37.102.16]) by alln-core-11.cisco.com (8.14.5/8.14.5) with ESMTP id uB964MGk012495 (version=TLSv1/SSLv3 cipher=AES256-SHA bits=256 verify=FAIL); Fri, 9 Dec 2016 06:04:22 GMT
Received: from xch-aln-010.cisco.com (173.36.7.20) by XCH-RCD-006.cisco.com (173.37.102.16) with Microsoft SMTP Server (TLS) id 15.0.1210.3; Fri, 9 Dec 2016 00:04:21 -0600
Received: from xch-aln-010.cisco.com ([173.36.7.20]) by XCH-ALN-010.cisco.com ([173.36.7.20]) with mapi id 15.00.1210.000; Fri, 9 Dec 2016 00:04:22 -0600
From: "Panos Kampanakis (pkampana)" <pkampana@cisco.com>
To: "ace@ietf.org" <ace@ietf.org>, "6tisch@ietf.org" <6tisch@ietf.org>, "6tisch-security@ietf.org" <6tisch-security@ietf.org>, "anima-bootstrap@ietf.org" <anima-bootstrap@ietf.org>
Thread-Topic: [Anima-bootstrap] [Ace] EST over CoAP in ACE wg
Thread-Index: AdJD/4dN3nkys8JpRuSDXvz8bQBVcAM9B64AADuYMdA=
Date: Fri, 9 Dec 2016 06:04:21 +0000
Message-ID: <d9aba3a07d14400f88f22329abc00128@XCH-ALN-010.cisco.com>
References: <6525c5f0b6e040b683ccd9c43b1c5e2f@VI1PR9003MB0237.MGDPHG.emi.philips.com> <14831.1481139454@obiwan.sandelman.ca>
In-Reply-To: <14831.1481139454@obiwan.sandelman.ca>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-ms-exchange-transport-fromentityheader: Hosted
x-originating-ip: [10.82.216.75]
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
Archived-At: <https://mailarchive.ietf.org/arch/msg/ace/W6MAk7axr0R2DzsnybakZzxvZ5w>
Subject: Re: [Ace] [Anima-bootstrap] EST over CoAP in ACE wg
X-BeenThere: ace@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: "Authentication and Authorization for Constrained Environments \(ace\)" <ace.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ace>, <mailto:ace-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ace/>
List-Post: <mailto:ace@ietf.org>
List-Help: <mailto:ace-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ace>, <mailto:ace-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 09 Dec 2016 06:04:26 -0000

Hi Michael,

This are interesting good points.

IMO, draft-pritikin-coap-bootstrap/draft-vanderstock-core-coap-est do not necessarily need to define one transport mechanism. COAPS (over DTLS) is one obvious option but running over OSCOAP with EDHOC is another. One of the goals of these drafts (would need to be merged) is the binding between COAP messages and BRSKI / EST APIs for all the bootstrapping and cert enrollment transactions defined in the anima-bootstrapping-keyinfra doc and RFC7030. draft-pritikin-coap-bootstrap/draft-vanderstock-core-coap-est address DTLS as transport mechanism right now, but could be expanded to define more than one transports. If the WG finds that as a better idea, normative language would need to be carefully of course and maybe an MTI option would need to be chosen.

I am curious about your workflow in https://www.ietf.org/mail-archive/web/6tisch/current/msg05020.html You are envisioning for the JCE to initiate the bootstrapping to the pledge, but wouldn't that better be defined in the anima-bootstrapping-keyinfra doc?

About 'simple system that can be used with PSKs as authentication', I was curious. Did you have TLS-PSK, or TLS-SRP or OSCOAP message auth with PSK/RPK/Cert? Anything more detail about these usecases?

A nit in " <--- CoAP POST /cert-----     [PKCS7 Certificate] ". That message would require the private key to be included with the cert since the pledge did not generate it by himself. EST defines CMS for this message. PKCS12 could suffice here as well with the challenge if the passphrase provisioning being the problem.

Rgs,
Panos

-----Original Message-----
From: Anima-bootstrap [mailto:anima-bootstrap-bounces@ietf.org] On Behalf Of Michael Richardson
Sent: Wednesday, December 07, 2016 2:38 PM
To: ace@ietf.org; 6tisch@ietf.org; 6tisch-security@ietf.org; anima-bootstrap@ietf.org
Subject: Re: [Anima-bootstrap] [Ace] EST over CoAP in ACE wg


I have read:
    draft-pritikin-coap-bootstrap
and draft-vanderstock-core-coap-est

and over in the 6tisch security design team we have been trying to adapt the ANIMA WG draft-ietf-anima-bootstrapping-keyinfra for use in the 6tisch environment as a zero-touch enrollment process.
(Yes, I am an author involved in both WGs)

Peter (one of the authors of draft-vanderstock-core-coap-est) and Max (author of draft-pritikin-coap-bootstrap) are involved.

Both documents have good content, and we could combine them easily and wind up with a relatively straight forward description of how to run EST over COAPS.
But I don't think that this really solves the problems that we have.

However, the movement in
         draft-vucinic-6tisch-minimal-security (as phase 2, and one-touch)
and   draft-richardson-6tisch-dtsecurity-secure-join (as phase 1, zero-touch)
[both of which are being considered for adoption]

is to move away from DTLS and towards OSCOAP and EDHOC.

As such, what we would really like is an EST-like mechanism which runs over OSCOAP with EDHOC keying.  Ideally, it would also permit the process to be managed/initiated from the new device (the pledge), or from the JCE (Registrar, which might also be the AS in ACE terminology).

We want to initiate from the JCE so that we can:
  a) simplify the constrained device.
  b) manage the order and priority of join activities to avoid
     network congestion in constrained (mesh) networks.

On the other hand, some want a really simple system that can be used with PSKs as authentication, with the new nodes initiating.

I wrote this email last week to explain some of what I have in mind.
  https://www.ietf.org/mail-archive/web/6tisch/current/msg05020.html

I don't know if the EST work fits into ACE's charter, but given that ACE is where OSCOAP and EDHOC seem to be, I'm happy to work on a document here.

--
Michael Richardson <mcr+IETF@sandelman.ca>ca>, Sandelman Software Works  -= IPv6 IoT consulting =-