[Anima-bootstrap] ownership vouchers?

Kent Watsen <kwatsen@juniper.net> Mon, 25 April 2016 22:05 UTC

Return-Path: <kwatsen@juniper.net>
X-Original-To: anima-bootstrap@ietfa.amsl.com
Delivered-To: anima-bootstrap@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id AA2AE12D11D for <anima-bootstrap@ietfa.amsl.com>; Mon, 25 Apr 2016 15:05:34 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.902
X-Spam-Level:
X-Spam-Status: No, score=-1.902 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=junipernetworks.onmicrosoft.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 2MXYZQGSOHLc for <anima-bootstrap@ietfa.amsl.com>; Mon, 25 Apr 2016 15:05:32 -0700 (PDT)
Received: from na01-bn1-obe.outbound.protection.outlook.com (mail-bn1on0732.outbound.protection.outlook.com [IPv6:2a01:111:f400:fc10::732]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 6D99812D0FC for <anima-bootstrap@ietf.org>; Mon, 25 Apr 2016 15:05:32 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=junipernetworks.onmicrosoft.com; s=selector1-juniper-net; h=From:To:Date:Subject:Message-ID:Content-Type:MIME-Version; bh=LZ7hDarX7vStmILRIvtyr8PGmOENB9UHjtMEDd3fXIs=; b=VAWP5aERX9OgdCfWIK6y9vaLAVps4XQ1NAiFTWrIRfpEDnD7MEWMuxgcRvwtPF1aba9ZwdjCl50sjsRze4GLHq7V8liAxnkyq/ylyWM5ZF33D5ad/3M1eMvLEwCDm23QRlnuCFhwpwj+p28S/Ml4KmZbaWTuDocu2dOS24p0Ulo=
Received: from BN3PR0501MB1442.namprd05.prod.outlook.com (10.160.117.151) by BN3PR0501MB1443.namprd05.prod.outlook.com (10.160.117.152) with Microsoft SMTP Server (TLS) id 15.1.466.19; Mon, 25 Apr 2016 22:05:12 +0000
Received: from BN3PR0501MB1442.namprd05.prod.outlook.com ([10.160.117.151]) by BN3PR0501MB1442.namprd05.prod.outlook.com ([10.160.117.151]) with mapi id 15.01.0466.023; Mon, 25 Apr 2016 22:05:12 +0000
From: Kent Watsen <kwatsen@juniper.net>
To: Michael Richardson <mcr+ietf@sandelman.ca>
Thread-Topic: ownership vouchers?
Thread-Index: AQHRnz6KvSbUzAnF+kW3VDcOmCpiYA==
Date: Mon, 25 Apr 2016 22:05:12 +0000
Message-ID: <AC8506CD-B46D-4748-AE39-CE1DF93072BF@juniper.net>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
user-agent: Microsoft-MacOutlook/f.15.1.160411
authentication-results: sandelman.ca; dkim=none (message not signed) header.d=none;sandelman.ca; dmarc=none action=none header.from=juniper.net;
x-ms-exchange-messagesentrepresentingtype: 1
x-originating-ip: [66.129.241.13]
x-ms-office365-filtering-correlation-id: ab140376-fce4-4b2c-ff9e-08d36d55acbb
x-microsoft-exchange-diagnostics: 1; BN3PR0501MB1443; 5:YguYkI2ez58I4z7CBmErEpZm3uJg8ChSedbYiJ4tRKPtSZJvc/LddCg82gqbJrbSCj0eWBgQ6+YEsW37A1wMSob8MdInhnaQwJu9Dx63vdTQC80CLZufYPMPaWF6wPfmvigdUMw55/kK1NwjJSxXGjruavjx9QTRXmSYtGb3s2gh7fbA2FsRLT6P4TmTtZON; 24:zcLDBt0bFpAxzUkAwOp/cnSj3c2YpNjN17hZ3SlbxuckhFGWHH9w/8WHDSO2hEF7hUfabsIHgbathpaospsjJY+oEi4x5ABIM0dNV5y0Df0=; 7:xL3Xj9/wpqiHqTW3ZXmuLHBtE4In4j1Dhh23mEMeryBWGVl/uuGGb2GKqfgil/UQepdTsSr88x5jjJl08wPw2OIa1e4NC3xVrVoDYf374L9tSAqbSiisLGULLgtP04T0rWugkGZRrBrstT5mLGpw2HZQvmd6OO48QSAGO/w7XKYGZ1gkTVhDLSj9Mp+8kWwkeMt3sGyJGEnsnW0BCEdEBROp/o3SZyo6hrbByAOkogs=
x-microsoft-antispam: UriScan:;BCL:0;PCL:0;RULEID:;SRVR:BN3PR0501MB1443;
x-microsoft-antispam-prvs: <BN3PR0501MB14430FD50A268B54A935EBF3A5620@BN3PR0501MB1443.namprd05.prod.outlook.com>
x-exchange-antispam-report-test: UriScan:(138986009662008);
x-exchange-antispam-report-cfa-test: BCL:0; PCL:0; RULEID:(9101521072)(601004)(2401047)(5005006)(8121501046)(10201501046)(3002001)(6055026); SRVR:BN3PR0501MB1443; BCL:0; PCL:0; RULEID:; SRVR:BN3PR0501MB1443;
x-forefront-prvs: 0923977CCA
x-forefront-antispam-report: SFV:NSPM; SFS:(10019020)(6009001)(377454003)(24454002)(50986999)(86362001)(87936001)(110136002)(189998001)(4001350100001)(5004730100002)(83716003)(19580405001)(19580395003)(1096002)(1220700001)(83506001)(82746002)(102836003)(586003)(77096005)(5002640100001)(66066001)(11100500001)(6116002)(15975445007)(2906002)(99286002)(10400500002)(3846002)(54356999)(5008740100001)(2900100001)(33656002)(36756003)(229853001)(92566002)(81166005)(4326007)(122556002)(3280700002)(3480700003)(3660700001)(106116001)(104396002); DIR:OUT; SFP:1102; SCL:1; SRVR:BN3PR0501MB1443; H:BN3PR0501MB1442.namprd05.prod.outlook.com; FPR:; SPF:None; MLV:sfv; LANG:en;
spamdiagnosticoutput: 1:23
spamdiagnosticmetadata: NSPM
Content-Type: text/plain; charset="utf-8"
Content-ID: <E82B3DEF757FC548B1C788A557D33134@namprd05.prod.outlook.com>
Content-Transfer-Encoding: base64
MIME-Version: 1.0
X-OriginatorOrg: juniper.net
X-MS-Exchange-CrossTenant-originalarrivaltime: 25 Apr 2016 22:05:12.5927 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: bea78b3c-4cdb-4130-854a-1d193232e5f4
X-MS-Exchange-Transport-CrossTenantHeadersStamped: BN3PR0501MB1443
Archived-At: <http://mailarchive.ietf.org/arch/msg/anima-bootstrap/6rSZto3Ay77P8ne-F-megUMTfY0>
Cc: "Max Pritikin \(pritikin\)" <pritikin@cisco.com>, anima-bootstrap <anima-bootstrap@ietf.org>, "consultancy@vanderstok.org" <consultancy@vanderstok.org>, "Michael Behringer \(mbehring\)" <mbehring@cisco.com>
Subject: [Anima-bootstrap] ownership vouchers?
X-BeenThere: anima-bootstrap@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: Mailing list for the bootstrap design team of the ANIMA WG <anima-bootstrap.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/anima-bootstrap>, <mailto:anima-bootstrap-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/anima-bootstrap/>
List-Post: <mailto:anima-bootstrap@ietf.org>
List-Help: <mailto:anima-bootstrap-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/anima-bootstrap>, <mailto:anima-bootstrap-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 25 Apr 2016 22:05:34 -0000

[Changing subject line]




On 4/18/16, 2:40 PM, "Michael Richardson" <mcr+ietf@sandelman.ca> wrote:

>
>Kent Watsen <kwatsen@juniper.net> wrote:
>    > Though I may not be a regular, I think that we could use a meeting or
>    > two to discuss how to modify the Ownership Voucher definition to suit
>    > ANIMA bootstrap.
>
>I agree that this is an important thing to do.
>Should we detail why this needs to be standardized?


I have one reason outside of ANIMA, which is to enable multi-vendor devices to pull signed data from DNS-SD.  Specifically, look at the very last paragraph in Section 4.2 of the zerotouch draft (https://tools.ietf.org/html/draft-ietf-netconf-zerotouch-08#section-4.2).

Let's says we have two devices, from two different vendors.  If they both do a DNS-SD lookup for say "_zerotouch._tcp.example.com", they'll both get the same signed data and, more to the point, the same ownership voucher.  While a single voucher can span many devices, unless standardized, it could never span more than one vendor.

That said, we may want to extend to concept of a "voucher" to a "bundle of vouchers" as, even with a single vendor case, the vouchers may by issued over time such that a single voucher doesn't span all the devices in a network.  If there were support for bundles, all the vouchers within the bundle would have to have a common format, or else be tagged as to which [vendor-specific] format they're in.  This might be a way to not have to standardize vouchers, but it seems easier to have a single format.

I don't know how realistic it is that a single voucher would span all the devices in a domain at a given time, or how likely it is that anyone would configure their DNS server to return signed data.  On that latter point, it certainly seems like a lot of effort given that the fallback position is to 1) return unsigned data, 2) let the device establish a provisional TLS connection to the bootstrap server, from which 3) it downloads signed data, potentially with a device-specific voucher.

Just thinking out loud here...

Kent