[Anima-bootstrap] message flow notes from design team meeting Feb 4th

"Max Pritikin (pritikin)" <pritikin@cisco.com> Thu, 04 February 2016 16:30 UTC

Return-Path: <pritikin@cisco.com>
X-Original-To: anima-bootstrap@ietfa.amsl.com
Delivered-To: anima-bootstrap@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 4B20B1B324E for <anima-bootstrap@ietfa.amsl.com>; Thu, 4 Feb 2016 08:30:38 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -14.502
X-Spam-Level:
X-Spam-Status: No, score=-14.502 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_HI=-5, RP_MATCHES_RCVD=-0.001, SPF_PASS=-0.001, USER_IN_DEF_DKIM_WL=-7.5] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 7M9uegUANo_l for <anima-bootstrap@ietfa.amsl.com>; Thu, 4 Feb 2016 08:30:36 -0800 (PST)
Received: from alln-iport-7.cisco.com (alln-iport-7.cisco.com [173.37.142.94]) (using TLSv1.2 with cipher DHE-RSA-SEED-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 7C3BF1B31ED for <anima-bootstrap@ietf.org>; Thu, 4 Feb 2016 08:30:36 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cisco.com; i=@cisco.com; l=9834; q=dns/txt; s=iport; t=1454603436; x=1455813036; h=from:to:subject:date:message-id:content-id: content-transfer-encoding:mime-version; bh=MnOqZiXgbAOE3r6NtNk9y6d47t0itjuJkMXSptZjU7E=; b=SDk5uiHM14qWqUBAJgx1T7yVSpuxKl1jjUARrLlIY6DV93KDCkKEsZAD NVl9xY3f0MLkU3qa5h2BzuavcpiDtClzihtzYr6f0vtoH+NH6CvNju1r+ z5Q3Ly9ljCFL03kV83oTZdWks1Nl7g/7Qv875fZskp7LU015cT9s++ZJm E=;
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: =?us-ascii?q?A0CnAgCOe7NW/5BdJa1egzpSc4QphCyxA?= =?us-ascii?q?QENgWaGDR6BIjgUAQEBAQEBAX8LhEgjBA1XASICJgIEMBUSBAqIJKILj1uPHwE?= =?us-ascii?q?BAQEBBQEBAQEBAQEBGHuHBAiGXB4yAoJGK4EPBYdTjx4BjU6OcY4/AR4BAUKDZ?= =?us-ascii?q?IgYfAEBAQ?=
X-IronPort-AV: E=Sophos;i="5.22,396,1449532800"; d="scan'208";a="234912372"
Received: from rcdn-core-8.cisco.com ([173.37.93.144]) by alln-iport-7.cisco.com with ESMTP/TLS/DHE-RSA-AES256-GCM-SHA384; 04 Feb 2016 16:30:35 +0000
Received: from XCH-RCD-012.cisco.com (xch-rcd-012.cisco.com [173.37.102.22]) by rcdn-core-8.cisco.com (8.14.5/8.14.5) with ESMTP id u14GUZgN025279 (version=TLSv1/SSLv3 cipher=AES256-SHA bits=256 verify=FAIL) for <anima-bootstrap@ietf.org>; Thu, 4 Feb 2016 16:30:35 GMT
Received: from xch-aln-013.cisco.com (173.36.7.23) by XCH-RCD-012.cisco.com (173.37.102.22) with Microsoft SMTP Server (TLS) id 15.0.1104.5; Thu, 4 Feb 2016 10:30:34 -0600
Received: from xch-aln-013.cisco.com ([173.36.7.23]) by XCH-ALN-013.cisco.com ([173.36.7.23]) with mapi id 15.00.1104.009; Thu, 4 Feb 2016 10:30:34 -0600
From: "Max Pritikin (pritikin)" <pritikin@cisco.com>
To: "anima-bootstrap@ietf.org" <anima-bootstrap@ietf.org>
Thread-Topic: message flow notes from design team meeting Feb 4th
Thread-Index: AQHRX2lfTO84UUCWt0i5Mi+n6S4qpw==
Date: Thu, 4 Feb 2016 16:30:34 +0000
Message-ID: <F652518C-E0B8-4836-897D-8856E821B3C5@cisco.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-ms-exchange-messagesentrepresentingtype: 1
x-ms-exchange-transport-fromentityheader: Hosted
x-originating-ip: [10.99.106.9]
Content-Type: text/plain; charset="utf-8"
Content-ID: <46DBDE7AEC81454C87393CC2FBA97FFB@emea.cisco.com>
Content-Transfer-Encoding: base64
MIME-Version: 1.0
Archived-At: <http://mailarchive.ietf.org/arch/msg/anima-bootstrap/E-9SvQNxnEE1sotZ55KJ2rM-yAs>
Subject: [Anima-bootstrap] message flow notes from design team meeting Feb 4th
X-BeenThere: anima-bootstrap@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Mailing list for the bootstrap design team of the ANIMA WG <anima-bootstrap.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/anima-bootstrap>, <mailto:anima-bootstrap-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/anima-bootstrap/>
List-Post: <mailto:anima-bootstrap@ietf.org>
List-Help: <mailto:anima-bootstrap-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/anima-bootstrap>, <mailto:anima-bootstrap-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 04 Feb 2016 16:30:38 -0000

Bootstrapping flow for anima-bootstrapping-keyinfra-02-pre01

                                             .+------------------------+
      +--------------Drop Ship-------------->.| Vendor Service         |
      |                                      .+------------------------+
      |                                      .| M anufacturer|         |
      |                                      .| A uthorized  |Ownership|
      |                                      .| S igning     |Tracker  |
      |                                      .| A uthority   |         |
      |                                      .+--------------+---------+
      |                                      ..............  ^
      V                                                      |
   +-------+     ............................................|...
   |       |     .                                           |  .
   |       |     .  +------------+       +-----------+       |  .
   |       |     .  |            |       |           |       |  .
   |       <---L2--->            |       |           <-------+  .
   |       |   or   |   Proxy    |       | Registrar |          .
   |       <---L3--->            <---L3-->           |          .
   | New   |     .  |            |       |           |          .
   | Entity|     .  +------------+       +-----+-----+          .
   |       |     .                             |                .
   |       |     .           +-----------------+----------+     .
   |       |     .           | Domain Certification       |     .
   |       |     .           | Authority                  |     .
   +-------+     .           | Management and etc         |     .
                 .           +----------------------------+     .
                 .                                              .
                 ................................................
                               "Domain" components


 +---------+        +----------+        +----------+        +-----------+
 |  New    |        |  Proxy   |        |          |        |  Vendor   |
 | Entity  |        |          |        |Registrar |        |  Service  |
 |         |        |          |        |          |        | (Internet)|
 +---------+        +----------+        +----------+        +-----------+

New entity boots in CLEAN STATE
RFC3927 IPv4 Link-Local Address
RFC4862 IPv6 Stateless Address Autoconfiguraion <— design for this


            -------->

RFC6763/RFC6762 mDNS query 
*or* 
ietf-anima-grasp-02 GRASP query
Include a paragraph explaining the choice to be made

“MAY” do this but is it not required. Include a paragraph outlining the tradeoff between speed vs exposing the new device.
This indicates to the network that this new entity is looking to bootstrap
It leaks some information to watchers that the new device is in CLEAN STATE

            <--------
“MUST” be broadcast periodically w/o query
RFC6763/RFC6762 mDNS broadcast
*or*
ietf-anima-grasp-02 GRASP broadcast 
non-query devices can wait to listen for these
this response/broadcast indicates the local proxy contact information 

(In this flow it is assumed a response/broadcast is seen by New Entity. If one is not the NE MAY continue to communicate with a well known cloud based AN proxy. This flow is not detailed here.) 

 +---------+         +----------+         +----------+ 
 | New     |-------->|  Proxy   |-------->|Registrar | 

(d)TLS established. 
This is to-be RFC7030 EST with a bootstrapping extension.
The New Entity authenticates with IEEE 802.1AR credentials
The Domain authenticates with current Domain credentials which the new entity *PROVISIONALLY* accepts.
Proxy behavior: discussed in draft-richardson-anima-state-for-joinrouter-00
	“The New Entity MUST use method 3
	The Registrar MUST support method 3”
	HTTP-Proxy method is used and domain MUST support ‘CONNECT’ which allows maximum flexibility in proxy implementations
	including: circuit proxy, napt66, http proxy, CoAP/DTLS with relay, HTTP with IPIP tunnel, CoAP/DTLS with IPIP tunnel
MCR to bring over the conclusion and justification but leave the analysis via reference to his draft.

                                           +----------+ 
                                           |          |  
                                           |Registrar |  
                                           |          |  
                                           +----------+  
				<Verify 802.1AR credential against white list?>

				Extract MASA server information from 802.1AR credential extensions 
				see: MUD extension.
				If they don’t exist the registrar needs to be configured appropriately

							OPTIONAL: MASA *or* NETCONF ownership voucher flow
                                           +----------+         +--------+ 
                                           |          |         |
                                           |Registrar |-------->| Vendor MASA
							HTTPS REST API *also defined EST extensions*
							The 802.1AR ID is forwarded (not proved)
							The Domain ID is forwarded 
							Short story: Signed proof of Registrar of unknown domain. Domain auth only for DoS protection.
								OPTIONAL: Verify Domain/NE pairing
								Log ownership claim
							Longer story:
								nonce based
								this exchange MAY occur out-of-band/prior to deployment (nonce-less)
								
                                           +----------+         +--------+ 
                                           |Registrar |<--------| Vendor MASA
								Return proof of logging
								Return audit log information
								OPTION: “ownership voucher” instead of log based

                                           +----------+ 
                                           |          |  
                                           |Registrar |  
                                           |          |  
                                           +----------+  
				<Verify logged information, still accept?>


 +---------+         +----------+         +----------+ 
 | New     |<--------|  Proxy   |<--------|Registrar | 

Log/ownership voucher information returned via EST extension
New Entity now checks the previously accepted *PROVISIONAL* domain certs 

<all ok?>


 +---------+         +----------+         +----------+ 
 | New     |-------->|  Proxy   |-------->|Registrar | 


Continue with off the shelf EST:
	request CA certs
		Move from provisional to authenticated EST, as defined is RFC7030
	request client cert
						<Registrar  acts as off the shelf RA> 
 +---------+         +----------+         +----------+ 
 | New     |<--------|  Proxy   |-------->|Registrar | 

LDevID installed on device

Now fire up (secured) GRASP and ACP


=========

CoAP support: 
	Describe how to use block transfer *draft* for EST. That would enable this use of EST to work over dTLS/CoAP.
	Do this as a new document. Potentially for anima or core working group? This would only work if the core document proceeds.