[Anima-bootstrap] message flow notes from design team meeting Feb 4th
"Max Pritikin (pritikin)" <pritikin@cisco.com> Thu, 04 February 2016 16:30 UTC
From: "Max Pritikin (pritikin)" <pritikin@cisco.com>
To: "anima-bootstrap@ietf.org" <anima-bootstrap@ietf.org>
Thread-Topic: message flow notes from design team meeting Feb 4th
Thread-Index: AQHRX2lfTO84UUCWt0i5Mi+n6S4qpw==
Date: Thu, 04 Feb 2016 16:30:34 +0000
Message-ID: <F652518C-E0B8-4836-897D-8856E821B3C5@cisco.com>
Archived-At: <http://mailarchive.ietf.org/arch/msg/anima-bootstrap/E-9SvQNxnEE1sotZ55KJ2rM-yAs>
Bootstrapping flow for anima-bootstrapping-keyinfra-02-pre01

                                            +------------------------+
    +---------------Drop Ship-------------->| Vendor Service         |
    |                                       +------------------------+
    |                                       | M anufacturer|         |
    |                                       | A uthorized  |Ownership|
    |                                       | S igning     |Tracker  |
    |                                       | A uthority   |         |
    |                                       +--------------+---------+
    |                                                      ^
    V                                                      |
+-------+   ..............................................|......
|       |   .                                             |     .
|       |   .  +------------+        +-----------+        |     .
|       |   .  |            |        |           |        |     .
|       | <---L2--->        |        |           | <------+     .
|       |  or  |   Proxy    |        | Registrar |              .
|       | <---L3--->  <---L3-->      |           |              .
| New   |   .  |            |        |           |              .
| Entity|   .  +------------+        +-----+-----+              .
|       |   .                              |                    .
|       |   .  +---------------------------+-------------+      .
|       |   .  | Domain Certification                    |      .
|       |   .  | Authority                               |      .
+-------+   .  | Management and etc                      |      .
            .  +-----------------------------------------+      .
            .....................................................
                            "Domain" components


+---------+         +----------+         +----------+         +-----------+
| New     |         | Proxy    |         |          |         | Vendor    |
| Entity  |         |          |         |Registrar |         | Service   |
|         |         |          |         |          |         | (Internet)|
+---------+         +----------+         +----------+         +-----------+

New entity boots in CLEAN STATE
    RFC3927 IPv4 Link-Local Address
    RFC4862 IPv6 Stateless Address Autoconfiguration
    <-- design for this

| New     |-------->
    RFC6763/RFC6762 mDNS query *or* ietf-anima-grasp-02 GRASP query
    Include a paragraph explaining the choice to be made: "MAY" do this but it is not required.
    Include a paragraph outlining the tradeoff between speed vs exposing the new device.
    This indicates to the network that this new entity is looking to bootstrap.
    It leaks some information to watchers that the new device is in CLEAN STATE.

| New     |<--------
    "MUST" be broadcast periodically w/o query
    RFC6763/RFC6762 mDNS broadcast *or* ietf-anima-grasp-02 GRASP broadcast
    non-query devices can wait to listen for these
    this response/broadcast indicates the local proxy contact information
    (In this flow it is assumed a response/broadcast is seen by New Entity. If one is not,
    the NE MAY continue to communicate with a well known cloud based AN proxy.
    This flow is not detailed here.)

+---------+         +----------+         +----------+
| New     |-------->| Proxy    |-------->|Registrar |
+---------+         +----------+         +----------+
    (d)TLS established. This is to-be RFC7030 EST with a bootstrapping extension.
    The New Entity authenticates with IEEE 802.1AR credentials.
    The Domain authenticates with current Domain credentials which the new entity
    *PROVISIONALLY* accepts.
    Proxy behavior: discussed in draft-richardson-anima-state-for-joinrouter-00
        "The New Entity MUST use method 3
         The Registrar MUST support method 3"
    HTTP-Proxy method is used and domain MUST support 'CONNECT' which allows maximum
    flexibility in proxy implementations including: circuit proxy, napt66, http proxy,
    CoAP/DTLS with relay, HTTP with IPIP tunnel, CoAP/DTLS with IPIP tunnel.
    MCR to bring over the conclusion and justification but leave the analysis via
    reference to his draft.

                                         +----------+
                                         |Registrar |
                                         +----------+
    <Verify 802.1AR credential against white list?>
    Extract MASA server information from 802.1AR credential extensions; see: MUD extension.
    If they don't exist the registrar needs to be configured appropriately.
    OPTIONAL: MASA *or* NETCONF ownership voucher flow

                                         +----------+         +-------------+
                                         |Registrar |-------->| Vendor MASA |
                                         +----------+         +-------------+
    HTTPS REST API *also defined EST extensions*
    The 802.1AR ID is forwarded (not proved)
    The Domain ID is forwarded
    Short story: Signed proof of Registrar of unknown domain. Domain auth only for DoS protection.
    OPTIONAL: Verify Domain/NE pairing
    Log ownership claim
    Longer story: nonce based; this exchange MAY occur out-of-band/prior to deployment (nonce-less)

                                         +----------+         +-------------+
                                         |Registrar |<--------| Vendor MASA |
                                         +----------+         +-------------+
    Return proof of logging
    Return audit log information
    OPTION: "ownership voucher" instead of log based

                                         +----------+
                                         |Registrar |
                                         +----------+
    <Verify logged information, still accept?>

+---------+         +----------+         +----------+
| New     |<--------| Proxy    |<--------|Registrar |
+---------+         +----------+         +----------+
    Log/ownership voucher information returned via EST extension
    New Entity now checks the previously accepted *PROVISIONAL* domain certs <all ok?>

+---------+         +----------+         +----------+
| New     |-------->| Proxy    |-------->|Registrar |
+---------+         +----------+         +----------+
    Continue with off the shelf EST: request CA certs
    Move from provisional to authenticated EST, as defined in RFC7030
    request client cert
    <Registrar acts as off the shelf RA>

+---------+         +----------+         +----------+
| New     |<--------| Proxy    |-------->|Registrar |
+---------+         +----------+         +----------+
    LDevID installed on device
    Now fire up (secured) GRASP and ACP

=========
CoAP support: Describe how to use block transfer *draft* for EST. That would enable this
use of EST to work over dTLS/CoAP. Do this as a new document. Potentially for anima or
core working group? This would only work if the core document proceeds.
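The *PROVISIONAL* accept and the MASA proof-of-logging check described in the flow above, as an added example in Python that is not code from this note, the draft, or the design team. The point it shows: the New Entity holds the Registrar's domain cert only provisionally, and moves on to authenticated EST only once the returned proof verifies, names its own 802.1AR serial and the Domain ID of the cert it is actually talking to, and (in the nonce-based mode) carries the nonce from this boot; a proof logged for another domain, a replayed proof, or a forged one is rejected. Everything here is a stand-in by assumption: an HMAC under a constructed MASA_KEY plays the role of the MASA signature (a real MASA signs with a private key that the device checks against a manufacturer trust anchor), byte strings stand in for certificates with the Domain ID as their SHA-256 digest, the "still accept?" policy in the Registrar is an example policy, not the draft's, and all class and function names are hypothetical.

```python
"""Toy model of the *PROVISIONAL* accept and MASA proof-of-logging check.

Added example, not code from the draft or the design team. Stand-ins
(assumptions): an HMAC under a constructed MASA_KEY plays the MASA
signature (a real MASA signs with a private key that the device verifies
against a manufacturer trust anchor it carries); certificates are byte
strings and the Domain ID is their SHA-256 digest. All names are hypothetical.
"""
import hashlib
import hmac
import json
import os
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

MASA_KEY = b"constructed-masa-signing-key"  # stand-in for the MASA signing key


def domain_id(domain_cert: bytes) -> str:
    """Domain ID as forwarded by the Registrar: a digest of its domain cert."""
    return hashlib.sha256(domain_cert).hexdigest()


@dataclass
class MASA:
    """Vendor MASA: logs the ownership claim and returns signed proof of logging."""
    audit_log: List[dict] = field(default_factory=list)

    def log_claim(self, serial: str, dom_id: str, nonce: Optional[str]) -> dict:
        # Both IDs are forwarded, not proved (as the notes say): the MASA only
        # records who claimed which device, it does not assert ownership.
        entry = {"serial": serial, "domain_id": dom_id, "nonce": nonce}
        self.audit_log.append(entry)
        proof = json.dumps(entry, sort_keys=True).encode()
        sig = hmac.new(MASA_KEY, proof, hashlib.sha256).hexdigest()
        history = [e for e in self.audit_log if e["serial"] == serial]
        return {"proof": proof, "sig": sig, "history": history}


@dataclass
class Registrar:
    domain_cert: bytes
    masa: MASA

    def handle_join(self, serial: str, nonce: Optional[str]) -> dict:
        """Forward the 802.1AR ID and the Domain ID to the MASA (HTTPS REST step)."""
        return self.masa.log_claim(serial, domain_id(self.domain_cert), nonce)

    @staticmethod
    def still_accept(result: dict, own_dom_id: str) -> bool:
        """<Verify logged information, still accept?> Example policy only:
        refuse a device whose audit history shows a claim by another domain."""
        return all(e["domain_id"] == own_dom_id for e in result["history"])


@dataclass
class NewEntity:
    serial: str                               # 802.1AR IDevID identifier
    nonce: Optional[str] = None
    provisional_cert: Optional[bytes] = None

    def start(self, use_nonce: bool = True) -> Optional[str]:
        """Fresh nonce per boot; None models the nonce-less, pre-deployment mode."""
        self.nonce = os.urandom(8).hex() if use_nonce else None
        return self.nonce

    def provisionally_accept(self, domain_cert: bytes) -> None:
        """(d)TLS is up: the domain cert is held, but not yet trusted."""
        self.provisional_cert = domain_cert

    def finalize(self, result: dict) -> bool:
        """Check the MASA proof against the provisional cert. Only on success does
        the device move from provisional to authenticated EST."""
        expected = hmac.new(MASA_KEY, result["proof"], hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, result["sig"]):
            return False          # not produced by the manufacturer's MASA
        entry = json.loads(result["proof"])
        if entry["serial"] != self.serial:
            return False          # proof concerns some other device
        if entry["domain_id"] != domain_id(self.provisional_cert):
            return False          # logged domain != the domain we are talking to
        if self.nonce is not None and entry["nonce"] != self.nonce:
            return False          # stale or replayed proof (nonce-based mode)
        return True


def run_flow(ne: NewEntity, reg: Registrar, use_nonce: bool = True) -> Tuple[bool, bool]:
    """One join attempt; returns (registrar still accepts, new entity accepts)."""
    nonce = ne.start(use_nonce)
    ne.provisionally_accept(reg.domain_cert)
    result = reg.handle_join(ne.serial, nonce)
    return Registrar.still_accept(result, domain_id(reg.domain_cert)), ne.finalize(result)


if __name__ == "__main__":
    masa = MASA()
    print(run_flow(NewEntity("SN-0001"), Registrar(b"domain-A-cert", masa)))  # (True, True)
```

Running the flow with `use_nonce=False` models the out-of-band, prior-to-deployment exchange from the notes: the device then accepts a proof logged before it booted, at the cost of the replay protection the nonce gives. The Registrar's own "still accept?" decision is kept separate from the device's check on purpose, since the notes treat them as two distinct decisions: the domain decides whether it wants a device that another domain has already claimed, and the device decides whether the domain it is provisionally talking to is the one the MASA logged.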