[Anima-bootstrap] mDNS or GRASP? [was: peer and domain [was BRSKI State Machine]]

"Michael Behringer (mbehring)" <mbehring@cisco.com> Wed, 19 October 2016 07:35 UTC

Return-Path: <mbehring@cisco.com>
X-Original-To: anima-bootstrap@ietfa.amsl.com
Delivered-To: anima-bootstrap@ietfa.amsl.com
Received: from localhost (localhost []) by ietfa.amsl.com (Postfix) with ESMTP id 8E3D5129430 for <anima-bootstrap@ietfa.amsl.com>; Wed, 19 Oct 2016 00:35:24 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -14.952
X-Spam-Status: No, score=-14.952 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_HI=-5, RCVD_IN_MSPIKE_H3=-0.01, RCVD_IN_MSPIKE_WL=-0.01, RP_MATCHES_RCVD=-0.431, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001, USER_IN_DEF_DKIM_WL=-7.5, WEIRD_PORT=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=cisco.com
Received: from mail.ietf.org ([]) by localhost (ietfa.amsl.com []) (amavisd-new, port 10024) with ESMTP id K4t8QaalLDRG for <anima-bootstrap@ietfa.amsl.com>; Wed, 19 Oct 2016 00:35:22 -0700 (PDT)
Received: from alln-iport-1.cisco.com (alln-iport-1.cisco.com []) (using TLSv1.2 with cipher DHE-RSA-SEED-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 5B5F91294A0 for <anima-bootstrap@ietf.org>; Wed, 19 Oct 2016 00:35:22 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cisco.com; i=@cisco.com; l=8178; q=dns/txt; s=iport; t=1476862522; x=1478072122; h=from:to:cc:subject:date:message-id: content-transfer-encoding:mime-version; bh=vWy8g5cbS0c87FKG+59ODClorHgMnPXtKdl5xcx8IAU=; b=F736wAUSA08nPIX59pvHC48E7ZdCjkw6P1DfuWoJptt7nv8McSXVuEmT S7Y6xsBuLPmDNbSKBy2bd9v4k/W1/uCGcL6qBe1Q2GyBt3LZDasESxzBb gp7DvoVJOR1a1DFxUU/S0GycODp4J0DV6Lsv/EON6AwthMdSAj6jXCxlW 8=;
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-AV: E=Sophos;i="5.31,513,1473120000"; d="scan'208";a="337580090"
Received: from rcdn-core-12.cisco.com ([]) by alln-iport-1.cisco.com with ESMTP/TLS/DHE-RSA-AES256-GCM-SHA384; 19 Oct 2016 07:35:21 +0000
Received: from XCH-ALN-013.cisco.com (xch-aln-013.cisco.com []) by rcdn-core-12.cisco.com (8.14.5/8.14.5) with ESMTP id u9J7ZLeg032303 (version=TLSv1/SSLv3 cipher=AES256-SHA bits=256 verify=FAIL); Wed, 19 Oct 2016 07:35:21 GMT
Received: from xch-rcd-006.cisco.com ( by XCH-ALN-013.cisco.com ( with Microsoft SMTP Server (TLS) id 15.0.1210.3; Wed, 19 Oct 2016 02:35:20 -0500
Received: from xch-rcd-006.cisco.com ([]) by XCH-RCD-006.cisco.com ([]) with mapi id 15.00.1210.000; Wed, 19 Oct 2016 02:35:20 -0500
From: "Michael Behringer (mbehring)" <mbehring@cisco.com>
To: Brian E Carpenter <brian.e.carpenter@gmail.com>, "Max Pritikin (pritikin)" <pritikin@cisco.com>
Thread-Topic: mDNS or GRASP? [was: peer and domain [was BRSKI State Machine]]
Thread-Index: AdIp2zQGWTyykefBRMWndeUMtwD/tQ==
Date: Wed, 19 Oct 2016 07:35:20 +0000
Message-ID: <a17cad7df0fa43adb70c0e3c33bbe201@XCH-RCD-006.cisco.com>
Accept-Language: en-GB, en-US
Content-Language: en-US
x-ms-exchange-transport-fromentityheader: Hosted
x-originating-ip: []
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: base64
MIME-Version: 1.0
Archived-At: <https://mailarchive.ietf.org/arch/msg/anima-bootstrap/Aeq_IcT8DMEjThlCtkONi0QA3KE>
Cc: "anima-bootstrap@ietf.org" <anima-bootstrap@ietf.org>
Subject: [Anima-bootstrap] mDNS or GRASP? [was: peer and domain [was BRSKI State Machine]]
X-BeenThere: anima-bootstrap@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: Mailing list for the bootstrap design team of the ANIMA WG <anima-bootstrap.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/anima-bootstrap>, <mailto:anima-bootstrap-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/anima-bootstrap/>
List-Post: <mailto:anima-bootstrap@ietf.org>
List-Help: <mailto:anima-bootstrap-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/anima-bootstrap>, <mailto:anima-bootstrap-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 19 Oct 2016 07:35:24 -0000

> -----Original Message-----
> From: Brian E Carpenter [mailto:brian.e.carpenter@gmail.com]
> Sent: 18 October 2016 21:46
> To: Michael Behringer (mbehring) <mbehring@cisco.com>; Max Pritikin
> (pritikin) <pritikin@cisco.com>
> Cc: anima-bootstrap@ietf.org
> Subject: Re: peer and domain [was BRSKI State Machine]
> On 18/10/2016 21:03, Michael Behringer (mbehring) wrote:
> >> -----Original Message-----
> >> From: Brian E Carpenter [mailto:brian.e.carpenter@gmail.com]
> >> Sent: 18 October 2016 01:18
> >> To: Max Pritikin (pritikin) <pritikin@cisco.com>; Michael Behringer
> >> (mbehring) <mbehring@cisco.com>
> >> Cc: anima-bootstrap@ietf.org
> >> Subject: peer and domain [was BRSKI State Machine]
> >>
> >>
> >>
> >> On 18/10/2016 12:05, Max Pritikin (pritikin) wrote:
> >> ...
> >>>> - I think we need to bring out more strongly that the state machine
> >>>> needs
> >> to track peer and domain. Because, if there is a failure, the pledge
> >> should, depending on the failure of course, not try the same domain
> >> again, and probably not the same peer either. This isn't coming out today.
> >>>> In fact, this is why I liked the "adjacency table" so much that I
> >>>> presented in
> >> Berlin (and before): Because there you see much clearer that, if
> >> enrolment fails with peer x, you may just move to the next one. As
> >> mentioned it's all there, but to a new reader this won't come out clearly,
> I'm afraid.
> >>>
> >>> Yeah, I can see your point that this is buried in the text of 3.1.1
> >>> where it is
> >> implied that there is a list of "services returned during each query”
> >> and in failure the list processing "picks up where it left off” but thats
> pretty subtle.
> >>
> >> What exactly is the "peer" in the above text? I tend to assume it's the
> proxy.
> >> In that case it seems to me that the discovery process (whether it's
> >> mDNS or
> >> GRASP) will discover all available proxies regardless of domain. And
> >> then try them in some order of preference TBD.
> >
> > "peer" is an entry in the adjacency table. Yes, there may be several on an
> interface, of several different domains. The adjacency table discussion tries
> to capture that.
> Fair enough. But anyway my comment still applies: a node that is joining the
> ACP, or simply updating its ACP adjacencies, will discover all available
> neighbors...

True. But why is that a problem, or what are you suggesting because of this? 
(I think I got lost in the arguments here)
> >
> >> Also, all of this needs to work in the absence of an ACP and
> >> therefore of the ACP's adjacency table. That applies to GRASP too,
> >> because in order to perform its various link-local actions, it needs
> >> to know which interfaces it has and which link-local addresses it
> >> has. And it learns of its link-local neighbors as a result of
> >> discovery. So while I fully appreciate the value of the adjacency table, we
> need to be functional without it.
> >
> > Now we're getting into a muddle with ANIMA vs non-ANIMA modes. (And
> you're right - this is important to sort out). Let's see whether we can sort
> that.
> >
> > Up front: This is the ANIMA WG, and we're primarily defining the behaviour
> of an ANIMA node. This is, IMO:
> >
> > - There is an adjacency table, that observes what nodes are seen on each
> ANIMA-capable interface.
> > - This table is fed by discovery (primarily).
> > - Depending on the state of the node, and the state of an adjacent node,
> different things will happen.
> >   (see my presentation on the reference model, last IETF - all
> > described there)
> >
> > For ANIMA, we need to settle on MUST discovery methods.
> > In ANIMA, we will ALWAYS build an ACP to other nodes of the same
> domain.
> >
> > The adjacency table links BRSKI and ACP automatically: Once I discover a
> node which is in the same domain, I attempt to set up an ACP connection
> with that node.
> Sure. And I think I can model that with GRASP - it simply needs an objective
> that includes the domain and node credentials, right?

We need a discovery protocol. 
We should use the same discovery protocol for BRSKI and ACP (and other actions later on, see my message a few mins ago)
GRASP *could* be that protocol, in the way you describe. 
But my understanding was that we had settled on using mDNS for this discovery. 

In the bootstrap calls, this was "decided", see
Notes from 2016-10-04, bullet 3 (currently, lines 175-178):  
<include from etherpad>
3. https://tools.ietf.org/html/draft-ietf-anima-bootstrapping-keyinfra-03#section-3.1.1 does not specify a GRASP mechanism for proxy discovery, should it?

max feels, "no" because defining an insecure mode of GRASP is difficult.

mcr feels, "no" because discovery by multicast UDP but replys are by TCP which means the new node needs to open a TCP port to get a reply back. We just had a long conversation about TCP/UDP etc (re flipping the handshake) and this adds more confusion.

group conclusion: close this. "No". (agreement on the call is noted; with toerless voting for grasp but accepting the group decision)

Obviously, we don't have consensus on this in the wider WG yet. We really need to get this consensus to move on. 

(Note that GRASP for discovery in the ACP, and for negotiating between ASAs is generally accepted, I think)


> >
> > Outside ANIMA, GRASP can be used in many other ways; BRSKI can be
> used to derive LDevIDs and nothing else.
> >
> > Do we agree?
> I think so. But I won't know so until I see what the ACP's API looks like.
> Remember that GRASP needs to create unicast and multicast sockets, so in
> an ACP regime those sockets need to be provided by the ACP.
>    Brian
> > Michael
> >
> >> Rgds
> >>     Brian
> >>
> >