Re: [Anima-bootstrap] anima-bootstrap: Bootstrap proxy discovery options

"Toerless Eckert (eckert)" <eckert@cisco.com> Thu, 10 December 2015 03:01 UTC

Date: Wed, 09 Dec 2015 19:01:34 -0800
From: "Toerless Eckert (eckert)" <eckert@cisco.com>
To: Michael Richardson <mcr+ietf@sandelman.ca>
Message-ID: <20151210030134.GV29056@cisco.com>
References: <20151204014333.GZ29056@cisco.com> <A4DCBB7E-A722-4AC1-A7B7-BD185ABEBF7F@cisco.com> <13379.1449515233@dooku.sandelman.ca> <20D831CB-5075-4899-9C4F-D3D04334B1CF@cisco.com> <2495.1449614267@dooku.sandelman.ca>
In-Reply-To: <2495.1449614267@dooku.sandelman.ca>
Archived-At: <http://mailarchive.ietf.org/arch/msg/anima-bootstrap/IuqcpwAehEZV6E2l9G6nPJdpL_U>
Cc: "Max Pritikin (pritikin)" <pritikin@cisco.com>, "anima-bootstrap@ietf.org" <anima-bootstrap@ietf.org>
Subject: Re: [Anima-bootstrap] anima-bootstrap: Bootstrap proxy discovery options

On Tue, Dec 08, 2015 at 05:37:47PM -0500, Michael Richardson wrote:
>     > Are you agreeing with Toerless' argument that the new device should be
>     > a responder?
> 
> No. I'm saying that a new device should do as little as possible to call
> attention to itself, and should prefer to do things that all other devices
> are already doing.

My argument why it should rather do as little as possible (nothing) to call
attention to itself (which I think is different to what you're saying) is that
the attacker can also observe what everybody else is doing and attack everybody
else. Only that everybody else will likely have stronger defenses, having been already
enrolled and hopefully gotten software upgrades and hardening through intent/config/whatever.

But, this is just an optimization proposal from my side. No strong opinions.
Would just like to hear why it may not be a worthwhile enough optimization if you think it ain't.

Cheers
    Toerless

>     > Or, are you arguing that the new device should initiate the
>     > bootstrapping; but do so in a way that does not expose it is a new
>     > device?
> 
> For non-challenged (IoT) devices on non-challenged networks, the new device should
> initiate and drive the bootstrapping.
> 
> It would be best if this communication was indistinguishable from other ACP
> communication to an outsider.
> 
> 
> --
> Michael Richardson <mcr+IETF@sandelman.ca>, Sandelman Software Works
>  -= IPv6 IoT consulting =-
> 
> 
> 



-- 
---
Toerless Eckert, eckert@cisco.com