Re: [Anima-bootstrap] bootstrap purpose

"Michael Behringer (mbehring)" <mbehring@cisco.com> Tue, 24 May 2016 11:23 UTC

From: "Michael Behringer (mbehring)" <mbehring@cisco.com>
To: "consultancy@vanderstok.org" <consultancy@vanderstok.org>, Anima-bootstrap <anima-bootstrap@ietf.org>
Date: Tue, 24 May 2016 11:23:13 +0000
Message-ID: <61110f7e2870402ba4ecfdaf5e909264@XCH-RCD-006.cisco.com>
References: <1913d4ecf0647ffdb77ff7f4d751218c@xs4all.nl>
In-Reply-To: <1913d4ecf0647ffdb77ff7f4d751218c@xs4all.nl>
Archived-At: <http://mailarchive.ietf.org/arch/msg/anima-bootstrap/Y6PDXQpprnVdZioYa0IAJBmZhYY>

Hi Peter,

The primary purpose of draft-ietf-anima-bootstrapping-keyinfra is to deploy a domain-specific key infrastructure. You're not mentioning that, I assume because it's obvious?

What a device does with that key material is outside the scope of this document. Although, 3.5 and 3.6 go a little step in that direction. IMO we should keep the bootstrap of key material (current objective of the doc) clearly separate from what to do with this key material. So we should probably be clearer that 3.5 and 3.6 are just examples.

To me, the objectives you mention:

> As far as I understood there are 2 objectives:
> 1) a packet sent by an unauthorized node is not routed through the network
> 2) An unauthorized node cannot interpret a packet sent by an authorized
> node

are not the main objective of this work, but of course a security consideration for the bootstrap process.

Since I'm not sure I understood you fully, please let me know whether we're in line!
Michael

> -----Original Message-----
> From: Anima-bootstrap [mailto:anima-bootstrap-bounces@ietf.org] On
> Behalf Of peter van der Stok
> Sent: 24 May 2016 09:23
> To: Anima-bootstrap <anima-bootstrap@ietf.org>
> Subject: [Anima-bootstrap] bootstrap purpose
> 
> Hi all,
> 
> I looked again at the keyinfra draft and did not recognize an explicit
> description of the purpose of securing the network with the bootstrap.
> 
> As far as I understood there are 2 objectives:
> 1) a packet sent by an unauthorized node is not routed through the network
> 2) An unauthorized node cannot interpret a packet sent by an authorized
> node
> 
> Neither does the text tell us how this is achieved once the bootstrap has
> successfully concluded.
> Do we aim at a specific protocol or do we want to leave this open?
> 
> --
> Peter van der Stok
> vanderstok consultancy
> 
> _______________________________________________
> Anima-bootstrap mailing list
> Anima-bootstrap@ietf.org
> https://www.ietf.org/mailman/listinfo/anima-bootstrap