Re: [Anima-bootstrap] Can the proxy add information during bootstrap?

Toerless Eckert <> Wed, 13 April 2016 15:55 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 371C912D73A for <>; Wed, 13 Apr 2016 08:55:58 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -15.516
X-Spam-Status: No, score=-15.516 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, LOTS_OF_MONEY=0.001, RCVD_IN_DNSWL_HI=-5, RCVD_IN_MSPIKE_H3=-0.01, RCVD_IN_MSPIKE_WL=-0.01, RP_MATCHES_RCVD=-0.996, SPF_PASS=-0.001, USER_IN_DEF_DKIM_WL=-7.5] autolearn=ham autolearn_force=no
Authentication-Results: (amavisd-new); dkim=pass (1024-bit key)
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id 3W7C78zNnyZm for <>; Wed, 13 Apr 2016 08:55:51 -0700 (PDT)
Received: from ( []) (using TLSv1.2 with cipher DHE-RSA-SEED-SHA (128/128 bits)) (No client certificate requested) by (Postfix) with ESMTPS id DD5C712D5F5 for <>; Wed, 13 Apr 2016 08:55:48 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple;;; l=3577; q=dns/txt; s=iport; t=1460562948; x=1461772548; h=date:from:to:cc:subject:message-id:references: mime-version:in-reply-to; bh=R1Y4Ax61fbKUW0qnYPkPqplPanAzE2sOeilqChoBV5Q=; b=KpVYCCBwPFlB3TiSTTC3T0HpRJK5Vfr796XNMMjhraCacXvERS6J1AJg hLyc2iyBOWmRwnRx/Kkah/YLYVrytz2jtg8UtlB315/Gl9e/FxUDLGhxJ iJt2dTVsMu1ucGhQEjyHO8E8YqqfWL/K+tWUwPvkM841WO27YaAlrQ9Gr M=;
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: =?us-ascii?q?A0ABAgAvaw5X/5tdJa1egzdTfbpMAQ2Bc?= =?us-ascii?q?RcLgjyDJgEJAoFBOBQBAQEBAQEBZSeEQgEBBAEBATc0CwULCxgJJQ8FEzYTG4g?= =?us-ascii?q?ODsMbAQEBAQEBAQEBAQEBAQEBAQEBAQEBEQSKbIoVBY5EiUSOAwqPEI8nHgEBQ?= =?us-ascii?q?oIJFIFqHDCJegEBAQ?=
X-IronPort-AV: E=Sophos;i="5.24,480,1454976000"; d="scan'208";a="93173774"
Received: from ([]) by with ESMTP/TLS/DHE-RSA-AES256-GCM-SHA384; 13 Apr 2016 15:55:47 +0000
Received: from ( []) by (8.14.5/8.14.5) with ESMTP id u3DFtkpm007845 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Wed, 13 Apr 2016 15:55:46 GMT
Received: from ( []) by (8.13.8/8.13.8) with ESMTP id u3DFtkNP014325; Wed, 13 Apr 2016 08:55:46 -0700
Received: (from eckert@localhost) by (8.13.8/8.13.8/Submit) id u3DFtkO2014324; Wed, 13 Apr 2016 08:55:46 -0700
Date: Wed, 13 Apr 2016 08:55:45 -0700
From: Toerless Eckert <>
To: Michael Richardson <>
Message-ID: <>
References: <> <> <> <> <>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <>
User-Agent: Mutt/
Archived-At: <>
Cc: "" <>
Subject: Re: [Anima-bootstrap] Can the proxy add information during bootstrap?
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: Mailing list for the bootstrap design team of the ANIMA WG <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Wed, 13 Apr 2016 15:55:58 -0000


So, lets talk use-case:

Consider that you have edge ports going to secure and less secure locations.
(secure: links ending up on your own premises vs. those ending up on customer
 premises).  Consider you have *yuck* devices with only UDI. You only want to
give them a cert when they connect to a secure location(port). Only S-UDI into
customer-prem locations.

Consider you do have any reason to make sure devices are only deployed in ghe
right location. If device shows up in wrong location, you need an exception
re-shipment to the right location. Imagine you care about NSA interception or
the like. Handing out the certificate later is more secure.

Consider the operator in the NOC sits on a console with a GUI saying
"Device XXX (destined for location X) has connected in location Y". Enroll ?
Yes, he could always enrol, but then there is more work afterwards in for
example quarantining or changing target configs for the device.

Consider we do want to tie devices to location and put that into some extension
data of the certificate.


P.S.: I am a bit preoccupied on this whole thing because i had around year 2000 a
perfect ATM-PVC based home IP connection into Cisco, and when those became too
expensive and we got IPsec VPN, our IT security introduced all type of additional
checks (like having to authenticate myself as a user on every device), and when i 
inquired with our InfoSec team they told me that for their security evaluation,
a key difference is that the prior ATM-PVC solution gave them location security,
aka: network access only went to a well known location (my home). I could refute
that argument, so i filed what became US8886934. Arguably, location info in
the cert would be one possible element to implement that patent ;-))

On Wed, Apr 13, 2016 at 09:00:57AM -0400, Michael Richardson wrote:
> Toerless Eckert <> wrote:
>     > On Wed, Apr 13, 2016 at 12:46:54PM +1200, Brian E Carpenter wrote:
>     >> If there's a need to discover topology, which I understood Michael B
>     >> was after, couldn't that be done after enrolment, with no security
>     >> risk?
>     > I am sure operators would love to have the option to reject enrollment
>     > if the device is in a wrong location.
> <putting my operator hat on, [AS26227, AS26413]>
> That's silly.  Either it's your device, or it's not.
> Even if it is in the wrong location, enrolling the device makes sense.
> Unless it's completely the wrong *model* and hasn't got any interfaces of the
> right type, getting the new service online usually takes priority.
> Installing a $300 8-port firewall instead of the $200 2-port firewall isn't a
> disaster. If the model was close enough, you'd want to consider the cost of
> shipping vs the cost difference of the devices.
> You might ship the *correct* model out once you figure this out and have
> remote hands swap cables later on, but that's essentially a capital
> allocation question.
> If you know enough in advance to know which device (down to the SN) was
> supposed to be in each location, then I don't think you need/have a zero-touch
> situation.
> --
> Michael Richardson <>ca>, Sandelman Software Works
>  -= IPv6 IoT consulting =-

> _______________________________________________
> Anima-bootstrap mailing list

Toerless Eckert,