Re: [Ace] EDHOC standardization

Michael Richardson <mcr+ietf@sandelman.ca> Mon, 05 November 2018 02:17 UTC

From: Michael Richardson <mcr+ietf@sandelman.ca>
To: Benjamin Kaduk <kaduk@mit.edu>
cc: John Mattsson <john.mattsson@ericsson.com>, "alvador.p.f\@um.es" <alvador.p.f@um.es>, "ace\@ietf.org" <ace@ietf.org>
In-reply-to: <20181103151621.GH54966@kduck.kaduk.org>
References: <379B1A31-1F7E-43A6-A518-4398570CBBC7@ericsson.com> <16572.1541199115@dooku.sandelman.ca> <20181103151621.GH54966@kduck.kaduk.org>
Comments: In-reply-to Benjamin Kaduk <kaduk@mit.edu> message dated "Sat, 03 Nov 2018 10:16:21 -0500."
Date: Mon, 05 Nov 2018 09:16:54 +0700
Message-ID: <31833.1541384214@dooku.sandelman.ca>
Archived-At: <https://mailarchive.ietf.org/arch/msg/ace/ycMPH7p03dr5eVyL3cnJn72LbRk>
Subject: Re: [Ace] EDHOC standardization

Benjamin Kaduk <kaduk@mit.edu> wrote:
    >> John Mattsson <john.mattsson@ericsson.com> wrote:
    >> > of negotiation is still needed. The current plan for the next version
    >> > is to introduce cipher suites and to let the cipher suite with value 0
    >> > indicate that algorithms have been negotiated out-of-band.
    >>
    >> I agree with the idea that some common default should be very easy to
    >> refer to, but I don't like the idea that the gateway has to remember
    >> what the out-of-band "default" is on a per-device basis.  I would say
    >> that we need at least 0/1, so that we can say that it's the current vs
    >> the "new" default.
    >>
    >> If you consider the case where the sensor is on a very low bandwidth
    >> connection (I would say LoRaWAN, but I am not well qualified in that
    >> space).  The sensor gets visited every two or three years by a
    >> technician (if only to make sure that the sensor is still where it is
    >> supposed to be).  While there, new firmware updates are applied, and as
    >> a result the algorithm defaults are updated.  During the cycle, some
    >> devices are updated and some are still old.

    > Are you proposing that the management of the 0/1-to-algorithm mapping
    > be managed on a per-deployment basis or by the IETF?

I think that the existing proposal was that 0 means "negotiated out-of-band",
which implies that it's a per-deployment basis.

I'm proposing that instead of having 0 mean "some local default",
I'm suggesting that 0 mean, "some local default 0" and 1 mean, "some other
local default 1", which lets the default be updated without a flag day.


--
Michael Richardson <mcr+IETF@sandelman.ca>, Sandelman Software Works
 -= IPv6 IoT consulting =-
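
The rollover argument in the message above, as an added sketch that is not part of the original message or of any EDHOC draft: a partially updated fleet seen by a gateway under a single value 0 versus the 0/1 scheme. Device names, the inventory and the algorithm-set labels are constructed placeholders.

```python
from dataclasses import dataclass

# Constructed placeholders for two per-deployment algorithm sets.
OLD_SET, NEW_SET = "local-default-0", "local-default-1"


@dataclass
class Device:
    dev_id: str
    firmware: str  # "old" or "new"

    def algorithms(self):
        """Algorithm set the device really uses after its last update."""
        return NEW_SET if self.firmware == "new" else OLD_SET

    def suite_single(self):
        """Existing proposal: 0 always means 'negotiated out-of-band'."""
        return 0

    def suite_indexed(self):
        """Proposal in the message: 0 = local default 0, 1 = local default 1."""
        return 1 if self.firmware == "new" else 0


def gateway_single(dev, inventory):
    # Value 0 says nothing about which default applies, so the gateway
    # has to consult per-device state that may be out of date.
    return inventory.get(dev.dev_id, OLD_SET)


def gateway_indexed(dev):
    # One deployment-wide table, resolved from the on-wire value alone.
    return {0: OLD_SET, 1: NEW_SET}[dev.suite_indexed()]


def mismatches(fleet, inventory):
    """Device ids whose algorithms the gateway gets wrong under each scheme."""
    single = [d.dev_id for d in fleet
              if gateway_single(d, inventory) != d.algorithms()]
    indexed = [d.dev_id for d in fleet
               if gateway_indexed(d) != d.algorithms()]
    return single, indexed


def demo():
    fleet = [Device("s1", "old"), Device("s2", "new"), Device("s3", "new")]
    # Constructed stale inventory: s3 was updated on site, record not synced.
    inventory = {"s1": OLD_SET, "s2": NEW_SET, "s3": OLD_SET}
    return mismatches(fleet, inventory)
```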