Re: [Anima-bootstrap] anima-bootstrap: Bootstrap proxy discovery options

"Michael Behringer (mbehring)" <mbehring@cisco.com> Thu, 17 December 2015 22:26 UTC

From: "Michael Behringer (mbehring)" <mbehring@cisco.com>
To: "Toerless Eckert (eckert)" <eckert@cisco.com>
Date: Thu, 17 Dec 2015 22:26:55 +0000
Message-ID: <65bbfa373d044c869bca321c1600a63b@XCH-RCD-006.cisco.com>
References: <20151204014333.GZ29056@cisco.com> <6471865864850e6c34961f12d45853cd@xs4all.nl> <5665D85C.5010604@gmail.com> <92ddd96dc21275a00aab797656407971@xs4all.nl> <cdb25a0fdcce4973acb930b5c86ed1ce@XCH-RCD-006.cisco.com> <20151209132224.GO29056@cisco.com>
In-Reply-To: <20151209132224.GO29056@cisco.com>
Archived-At: <http://mailarchive.ietf.org/arch/msg/anima-bootstrap/ZJTTe2FeZPJoMVhC0wfS-llPrws>
Cc: "anima-bootstrap@ietf.org" <anima-bootstrap@ietf.org>, "consultancy@vanderstok.org" <consultancy@vanderstok.org>
Subject: Re: [Anima-bootstrap] anima-bootstrap: Bootstrap proxy discovery options
List-Id: Mailing list for the bootstrap design team of the ANIMA WG <anima-bootstrap.ietf.org>

> -----Original Message-----
> From: Toerless Eckert (eckert)
> Sent: 09 December 2015 14:22
> To: Michael Behringer (mbehring) <mbehring@cisco.com>
> Cc: consultancy@vanderstok.org; Brian E Carpenter
> <brian.e.carpenter@gmail.com>; anima-bootstrap@ietf.org
> Subject: Re: [Anima-bootstrap] anima-bootstrap: Bootstrap proxy discovery
> options
> 
> 
> Michael:
> 
> Let's assume we replace EST bootstrap with "a guy with a USB stick feeding
> manually domain certs to greenfield devices".
> 
> a) I agree that we would want to make sure our protocols are set up so that
> even such
>    a device could perfectly bring up ACP afterwards and continue with the rest
>    of autonomic functions (GRASP inside ACP, agents,...).

We agree.
 
> b) I don't think we would want to call such a device "autonomic". It's partial
>    autonomic at best. But yes, it may be perfectly valid and relevant to some
>    industries.

I don't care what we call it. "fully autonomic" won't happen for a long time anyway.

But aside from the naming, I really think the key value of AN is way beyond bootstrap. Not today, but in the future. So frankly, if someone wants to use another method to bootstrap, I really don't care.

> If you agree, then the problem is IMHO primarily in the reference model
> calling out that devices that for one reason or the other cannot / want not
> implement the whole ANIMA suite can perfectly well implement just parts of
> it, because ANIMA is defined such that the different building blocks are
> modular. Just that such a device is only "partial-autonomic" (or whatever you
> think is a good naming to distinguish it from a truly autonomic device).

Yup, we can do that.

> Btw: This also goes the other way, e.g.: it would IMHO make sense that the
> bootstrap spec can be deployed on devices that do not want any further AN
> functions after the certificates are enrolled. I think that option is also
> something we want to explain in the bootstrap draft.

True. And we do already have customers that are JUST interested in the bootstrap; Sprint was one case. Remember, they wanted to disable AN after bootstrap!!

All I'm saying, let's be practical, not religious. :-)

Michael

> Cheers
>     Toerless
> 
> On Wed, Dec 09, 2015 at 01:08:39PM +0000, Michael Behringer (mbehring)
> wrote:
> > > The discovery alternatives cited by toerless impress me as a list of
> > > services of which at least one must be present.
> > >
> > > Therefore my consideration that for something as basic as Service
> > > discovery, some industries may regret that they need for example
> > > mDNS next to their favoured discovery service e.g. Resource Directory.
> > > Faced with this choice they may decide that mDNS is not wanted but
> > > replaced by RD; and the Anima code in their products is adapted for
> > > that choice; while maintaining interoperability with ANIMA routers
> > > in all other respects.
> >
> > At the end of the day I personally don't care *how* a domain certificate
> gets onto a new device.
> >
> > Probably we should be more clear on this, draw a big line, and state that
> the domain enrolment process may be replaced by many other methods,
> and that's ok.
> >
> > So for us here that means, AN must also work if the domain certificates are
> (for whatever reason) already on the devices. I.e., what happens later in the
> AN process must not depend on anything in the bootstrap process, except
> the PKI info.
> >
> > Michael
> >
> > > Peter
> > >
> > > _______________________________________________
> > > Anima-bootstrap mailing list
> > > Anima-bootstrap@ietf.org
> > > https://www.ietf.org/mailman/listinfo/anima-bootstrap