Re: [Ace] discussion on draft-vasu-ace-core-access-privilege-provisoining-00
Vasu Kantubukta <vasu.kantubukta@huawei.com> Sat, 23 April 2016 09:09 UTC
Return-Path: <vasu.kantubukta@huawei.com>
X-Original-To: ace@ietfa.amsl.com
Delivered-To: ace@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 86B8112E4C8 for <ace@ietfa.amsl.com>; Sat, 23 Apr 2016 02:09:06 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -5.217
X-Spam-Level:
X-Spam-Status: No, score=-5.217 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3, RCVD_IN_MSPIKE_H3=-0.01, RCVD_IN_MSPIKE_WL=-0.01, RP_MATCHES_RCVD=-0.996, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id xHbHGcqzJV10 for <ace@ietfa.amsl.com>; Sat, 23 Apr 2016 02:09:03 -0700 (PDT)
Received: from lhrrgout.huawei.com (lhrrgout.huawei.com [194.213.3.17]) (using TLSv1 with cipher RC4-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 07C6B12E4BA for <ace@ietf.org>; Sat, 23 Apr 2016 02:09:02 -0700 (PDT)
Received: from 172.18.7.190 (EHLO lhreml705-cah.china.huawei.com) ([172.18.7.190]) by lhrrg01-dlp.huawei.com (MOS 4.3.7-GA FastPath queued) with ESMTP id CNA05952; Sat, 23 Apr 2016 09:09:00 +0000 (GMT)
Received: from BLREML408-HUB.china.huawei.com (10.20.4.47) by lhreml705-cah.china.huawei.com (10.201.5.168) with Microsoft SMTP Server (TLS) id 14.3.235.1; Sat, 23 Apr 2016 10:08:59 +0100
Received: from BLREML509-MBB.china.huawei.com ([169.254.1.138]) by BLREML408-HUB.china.huawei.com ([10.20.4.47]) with mapi id 14.03.0235.001; Sat, 23 Apr 2016 14:38:41 +0530
From: Vasu Kantubukta <vasu.kantubukta@huawei.com>
To: "ace@ietf.org" <ace@ietf.org>
Thread-Topic: discussion on draft-vasu-ace-core-access-privilege-provisoining-00
Thread-Index: AQHRnMlB/ZGS96TbOUGxy1P6DRf9yZ+XQxjw
Date: Sat, 23 Apr 2016 09:08:40 +0000
Message-ID: <D6EBB546995C064A9492E8E27F62D90D0AA2D4F3@blreml509-mbb.china.huawei.com>
References: <mailman.32.1461351612.25426.ace@ietf.org>
In-Reply-To: <mailman.32.1461351612.25426.ace@ietf.org>
Accept-Language: zh-CN, en-US
Content-Language: en-US
X-MS-Has-Attach: yes
X-MS-TNEF-Correlator:
x-originating-ip: [10.18.211.249]
Content-Type: multipart/mixed; boundary="_005_D6EBB546995C064A9492E8E27F62D90D0AA2D4F3blreml509mbbchi_"
MIME-Version: 1.0
X-CFilter-Loop: Reflected
X-Mirapoint-Virus-RAPID-Raw: score=unknown(0), refid=str=0001.0A020202.571B3BAD.0060, ss=1, re=0.000, recu=0.000, reip=0.000, cl=1, cld=1, fgs=0, ip=169.254.1.138, so=2013-06-18 04:22:30, dmn=2013-03-21 17:37:32
X-Mirapoint-Loop-Id: 43e285772c9acdb42d8a9fc27a5baaf5
Archived-At: <http://mailarchive.ietf.org/arch/msg/ace/xVJjjK1pe8-Qmtr56O73BcwxzOE>
Subject: Re: [Ace] discussion on draft-vasu-ace-core-access-privilege-provisoining-00
X-BeenThere: ace@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: "Authentication and Authorization for Constrained Environments \(ace\)" <ace.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ace>, <mailto:ace-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ace/>
List-Post: <mailto:ace@ietf.org>
List-Help: <mailto:ace-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ace>, <mailto:ace-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 23 Apr 2016 09:09:06 -0000
Hi Ludwig Seitz, Plz find my inline comments: I'm still trying to clarify the details of the approach you propose, so please excuse the barrage of questions. --> Questions are always welcome. --> Even, We are very happy that experts like you are interested in reading the draft and providing us some feedback/suggestions. In figure 2 it looks like the RS has to do an online lookup at the AS to get an access control decision while in figure 3 it seems as if the AS itself executes the request on behalf of the client. Both cases work fine if the RS can connect to the AS at the time of the request, but if you look at RFC 7744 we have usecases where this is not possible or not cost effective (e.g. in terms of battery usage). Have you considered such usecases? From our discussion I got the impression that in your approach, both access control and resource control policies are provisioned to the AS only and not to the RS, but in figure 3 is seems like the RS makes some access control decision towards the AS, I wonder based on which policies that happens? --> good catch. Some text is missing in the figure 3, we will update in the draft. Whenever request comes from the client device, the provisioning server (PS) provisions the request based on admission and resource control policies of RS for the client at PS. Then PS will do it onbehalf of client device (e.g. in figure 17). In both cases, PS has to contact the RS whenever request comes. As u mentioned, and as per the RFC 7744, it may not be possible or not cost effective in some usecases. In such cases, Alternative solution such as mentioned in section 7 of the draft (draft-vasu-ace-core-access-privilege-provisioning-00) can be used. Here, only PS interacts with RD. Even in such cases, RD has similar problems, where RD may have to do the following: 1) Can use proxy feature which extends the functionality of RD. Sleepy nodes delegates its resources to proxy. (as mentioned in draft https://tools.ietf.org/pdf/draft-zotti-core-sleepy-nodes-04.pdf) As I said, the AS can very well consider resource control or scheduling when making an access control decision, but the details of how the AS makes access control decisions are not in scope for ACE. -->This query was raised long time back to Core-WG, where to address this draft, and it was suggested by Bormann to address to both Core, and ACE groups. (https://www.ietf.org/mail-archive/web/core/current/msg06057.html) Moreover, in last 94th meeting it was presented under t2trg. Eventhough, I could not attend the meeting due to VISA problems, My colleague presented the draft idea in 94th meeting at Japan. (https://tools.ietf.org/html/draft-vasu-core-ace-service-provisioning-00) Thanks and Best Regards K Vasu -----Original Message----- From: Ace [mailto:ace-bounces@ietf.org] On Behalf Of ace-request@ietf.org Sent: 2016年4月23日 0:30 To: ace@ietf.org Subject: Ace Digest, Vol 29, Issue 18 Send Ace mailing list submissions to ace@ietf.org To subscribe or unsubscribe via the World Wide Web, visit https://www.ietf.org/mailman/listinfo/ace or, via email, send a message with subject or body 'help' to ace-request@ietf.org You can reach the person managing the list at ace-owner@ietf.org When replying, please edit your Subject line so it is more specific than "Re: Contents of Ace digest..."
--- Begin Message ---Hello, I'm still trying to clarify the details of the approach you propose, so please excuse the barrage of questions. In figure 2 it looks like the RS has to do an online lookup at the AS to get an access control decision while in figure 3 it seems as if the AS itself executes the request on behalf of the client. Both cases work fine if the RS can connect to the AS at the time of the request, but if you look at RFC 7744 we have usecases where this is not possible or not cost effective (e.g. in terms of battery usage). Have you considered such usecases? From our discussion I got the impression that in your approach, both access control and resource control policies are provisioned to the AS only and not to the RS, but in figure 3 is seems like the RS makes some access control decision towards the AS, I wonder based on which policies that happens? > Why would the scheduling problem be caused by the access control > mechanism? That causality doesn't seem obvious to me, please explain > in more detail. > --> Here, If I am not wrong, you mentioned that same access tokens > can be valid for multiple resources. Right > If access control does not consider resource availability and > resources max capacity to handle the request. Then clients need to > send the resource request to multiple resource servers. Then it may > need a scheduling by a proxy. As I said, the AS can very well consider resource control or scheduling when making an access control decision, but the details of how the AS makes access control decisions are not in scope for ACE. I also get the feeling that you got hang up on my simplistic example of a client sending a request to multiple resource servers. I guess a more realistic example would be that there are proxies taking care of scheduling, independently of the access control mechanism in place. Alternatively you could imagine a setting where the client broadcasts or multicasts its request. > > It seems to me that your goal is to include resource control aspects > into that decision, and that is fine by me, but not relevant for the > ACE work, which deals with encoding the access control decision into > a token, getting the token to the Resource Server and then having the > RS enforce that access control decision. --> Can you suggest me, > which group I can reach for? I don't think there is an IETF working group on that topic. > When replying, please edit your Subject line so it is more specific > than "Re: Contents of Ace digest..." Please note this ^^^^^^ /Ludwig -- Ludwig Seitz, PhD SICS Swedish ICT AB Ideon Science Park Building Beta 2 Scheelevägen 17 SE-223 70 Lund Phone +46(0)70-349 92 51 http://www.sics.se--- End Message ---
--- Begin Message ---
Hi Vasu,
thanks for your draft. I have browsed through it and I had a number of
questions and I wanted to start with one aspect that seems to be quite
central to your document.
In the introduction you talk about RD and the past work in the IETF CORE
working group.
Then, you introduce a Commissioner:
Once the services are advertised by any device, those services need
to be verified using commissioner. CORE RD provides a standard
procedure to interact with commissioner, where commissioner acts like
a client device to look up and verify the advertised services. Once
the commissioner verifies the pre-registered services, commissioner
can put some policy rules on services hosted by devices for resource
control.
The term itself is defined in the terminology section:
o "Commissioner" Commissioning agent is tool/device that verifies
the devices operation, integrity check with the network.
Could you explain a little bit what you mean by "verifies the device
operation", and "integrity check with the network"?
Ciao
Hannes
PS: You may have missed a few working group meetings and therefore you
may not know that we have already made a decision regarding the solution
direction regarding the use of OAuth for IoT.
--- End Message ---
- Re: [Ace] discussion on draft-vasu-ace-core-acces… Vasu Kantubukta
- Re: [Ace] discussion on draft-vasu-ace-core-acces… Vasu Kantubukta
- Re: [Ace] discussion on draft-vasu-ace-core-acces… Hannes Tschofenig
- Re: [Ace] discussion on draft-vasu-ace-core-acces… Vasu Kantubukta