Re: [Anima-bootstrap] BRSKI State Machine

"Max Pritikin (pritikin)" <> Mon, 17 October 2016 23:05 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 28D1D1294D8 for <>; Mon, 17 Oct 2016 16:05:21 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -14.952
X-Spam-Status: No, score=-14.952 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_HI=-5, RCVD_IN_MSPIKE_H3=-0.01, RCVD_IN_MSPIKE_WL=-0.01, RP_MATCHES_RCVD=-0.431, SPF_PASS=-0.001, USER_IN_DEF_DKIM_WL=-7.5] autolearn=ham autolearn_force=no
Authentication-Results: (amavisd-new); dkim=pass (1024-bit key)
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id 3a0IZZzuUJDW for <>; Mon, 17 Oct 2016 16:05:19 -0700 (PDT)
Received: from ( []) (using TLSv1.2 with cipher DHE-RSA-SEED-SHA (128/128 bits)) (No client certificate requested) by (Postfix) with ESMTPS id D4455129480 for <>; Mon, 17 Oct 2016 16:05:18 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple;;; l=10162; q=dns/txt; s=iport; t=1476745518; x=1477955118; h=from:to:cc:subject:date:message-id:references: in-reply-to:content-id:content-transfer-encoding: mime-version; bh=MVGPFxbUIX6ufqM2T1kYRFJhszY5zu+XZZ0ioFmBk7k=; b=U2hPZo461+8dTzMcb1eBKeuN5eZK7dcBGW1QjmUWmAHtcz24Up64Hkj8 BczrsTrgZVlAlf+en4Tpv4Fu3G+5qcLwb96+3EErk1H+eL54Dbcev9RYp pLMyQV8+ySCpez/aZ/5FVLW1284zGZPe5ozZuQuPsZB9qZ5zbwMcXDH5c Q=;
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-AV: E=Sophos;i="5.31,359,1473120000"; d="scan'208";a="336086873"
Received: from ([]) by with ESMTP/TLS/DHE-RSA-AES256-GCM-SHA384; 17 Oct 2016 23:05:17 +0000
Received: from ( []) by (8.14.5/8.14.5) with ESMTP id u9HN5HQs004689 (version=TLSv1/SSLv3 cipher=AES256-SHA bits=256 verify=FAIL) for <>; Mon, 17 Oct 2016 23:05:17 GMT
Received: from ( by ( with Microsoft SMTP Server (TLS) id 15.0.1210.3; Mon, 17 Oct 2016 18:05:16 -0500
Received: from ([]) by ([]) with mapi id 15.00.1210.000; Mon, 17 Oct 2016 18:05:17 -0500
From: "Max Pritikin (pritikin)" <>
To: "Michael Behringer (mbehring)" <>
Thread-Topic: [Anima-bootstrap] BRSKI State Machine
Thread-Index: AdImIxW8sCw9I7ieQW++wlMDDTidqAC0b9kA
Date: Mon, 17 Oct 2016 23:05:16 +0000
Message-ID: <>
References: <>
In-Reply-To: <>
Accept-Language: en-US
Content-Language: en-US
x-ms-exchange-messagesentrepresentingtype: 1
x-ms-exchange-transport-fromentityheader: Hosted
x-originating-ip: []
Content-Type: text/plain; charset="utf-8"
Content-ID: <>
Content-Transfer-Encoding: base64
MIME-Version: 1.0
Archived-At: <>
Cc: "" <>
Subject: Re: [Anima-bootstrap] BRSKI State Machine
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: Mailing list for the bootstrap design team of the ANIMA WG <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Mon, 17 Oct 2016 23:05:21 -0000

Thanks for the detailed review notes! They are much appreciated and very timely. I’ll be spending time this week addressing them. 

Responding to the higher level discussion inline, 

> On Oct 14, 2016, at 8:42 AM, Michael Behringer (mbehring) <> wrote:
> Hi Folks, 
> You know that I'm doing a complete thorough top-to-bottom review on the brski draft, but I'm only half-way through right now. (Yes, I'm taking it seriously ;-) 
> I'm bringing forward here a single topic that I think is fairly important, so that we can start discussion about that. And that is the state machine. My high-level observation is that I think the draft isn't precise enough yet to allow for independent, interoperable implementations. There are too many "lose ends". 
> So, I started looking through the state machine (figure 3), and thought this through in more detail. 
> * First of all, one thing isn't coming out clearly (it's there, but somehow not obvious at all): We have three "paths" through the algorithm, and it is the *pledge* that has "hard coded" which paths we're taking: 
> 1) join any domain (first come first join)  
>   --> No MASA required

For the record: I consider this a security vulnerability but accept that it will take a number of high profile attacks before folks come around to agreeing with me. ;) I recommend against this. 

> 2) require audit token 
>   --> MASA required, audit mode
> 3) require authentication token 
>   --> MASA required, ownership tracking mode
> [I really hope we agree on that!!!]


Where #2 and #3 could be seen as a single path with slightly different information in the message from the MASA server; but we’d be quickly be into the weeds of the msg format if we get into that here. 

> This needs to come out much more clearly. Should this "hard coded" behaviour be changeable under certain conditions? (Don't think so, but...) 
> The knee-jerk reaction would be to put this under 3.1, but I think it's more important than that! It should be explained very early, somewhere in 1), maybe in  1.2. Happy to write up some text if the team wants me to (and if we agree ;-) 
> * When you try to do a state machine with figure 3, there are a few things that don't quite gel. Main points are: 
> - "Identity" isn't really a state in itself. I would argue a pledge USES its identity in the next step. 

From a protocol perspective the pledge completes authentication as part of the TLS handshake and only after that is complete does it ‘request join’. So I called these distinct states. I don’t feel strongly about it though and am open to combining these states. 

> - I think we need to bring out more strongly that the state machine needs to track peer and domain. Because, if there is a failure, the pledge should, depending on the failure of course, not try the same domain again, and probably not the same peer either. This isn't coming out today. 
> In fact, this is why I liked the "adjacency table" so much that I presented in Berlin (and before): Because there you see much clearer that, if enrolment fails with peer x, you may just move to the next one. As mentioned it's all there, but to a new reader this won't come out clearly, I'm afraid.

Yeah, I can see your point that this is buried in the text of 3.1.1 where it is implied that there is a list of "services returned during each query” and in failure the list processing "picks up where it left off” but thats pretty subtle. 

> - We may want a "reason for rejection" if the domain rejects a device (for all negative cases). In some case, it could be a "wait a minute, I'm currently overloaded", in others "we don't like you in this domain", or "your enrolment mode (see first point) is not acceptable". 
> In "real life" this would allow some visual feedback at the install site, so that the engineer knows whether he should wait or can go. 
> [note: there may be security reasons to NOT give a reason for rejection, need to think more about this]

I think here we need to provide information about what happened. This is why s5.4 exists to have the pledge send telemetry back to the network that attempted bootstrapping. 

But note this is from the pledge to the domain. The device is assumed to be headless/zero-touch etc so I wasn’t thinking in terms of sending error messages to it. I’m open to doing so though.

> - I didn't quite like "imprint" as a state either. To me, the next logical state was "validation". see attached ppt for more details. But bottom line, we need to reflect the 3 "paths" through the algorithm here again. 

“validation” is a fine thing to call that state. 

> - And finally, I suggest we rename "being managed" to "enrolled". Reason is: I'm also drawing up a complete state machine for an ANIMA node, and there I think the main "transition points" between BRSKI and ACP is when the device is "enrolled". Thus I suggest to call the final state in BRSKI "Enrolled", and the first one in ACP the same. (Besides, "being managed" doesn't sound right when we're talking a fully autonomic device.)

I think there is a distinction between “obtaining an identity on the domain” and “what i do after I have an identity to be engaged with the domain”. So there are two states here. But yes, “being managed” could be “on the domain” or something. 

> In the attached ppt I made those few changes, and I marked with a red star, where I think we need more work before any last call, apart from what  I already mentioned: 
> - we need to specify precisely the discovery method, with mDNS field names, and other details. In my head we're using mDNS here, and I *think* we agreed on that? 

yes. with understanding that the proxy to registrar SHOULD be discovered using GRASP for ACP devices. 

> But, we'll need the same method also for the ACP draft: When both nodes have a certificate, they need to discover each other as well. 
> I've been haggling with Toerless about this :-)   I think we should take the mDNS insecure discovery into a separate, new draft.

I don’t follow. mDNS simply *is* insecure. This is important since we can’t establish a secure discovery yet. 

> This is likely very short, BUT: I think it doesn't really belong in the BRSKI draft (specifically if we use BRSKI also for non-ANIMA environments), neither in the ACP draft (because we also need it in BRSKI). Having a separate draft would be very clean. However I understand (when pushed hard) we may not want to do this for admin reasons. 
> Alternatively, we specify the discovery in the ACP draft, and BRSKI refers to it. I like this less, but will not scream murder if others insist. 

I think discovery of the proxy must be in this draft. I’m happy to move the proxy’s discovery of the registrar to another draft but I think its ok to recommend GRASP for that connection so I don’t see a problem with that. 

- max

> So much for now. Still on the full review, but this is pretty high level, and pretty fundamental. Happy to help with text and/or ASCII art if we decide to take on some of these points. 
> Michael
> <brski state machine.pptx>_______________________________________________
> Anima-bootstrap mailing list