Re: [Anima-bootstrap] Can the proxy add information during bootstrap?

"Michael Behringer (mbehring)" <mbehring@cisco.com> Wed, 13 April 2016 14:36 UTC

Return-Path: <mbehring@cisco.com>
X-Original-To: anima-bootstrap@ietfa.amsl.com
Delivered-To: anima-bootstrap@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id DA69612E0A0 for <anima-bootstrap@ietfa.amsl.com>; Wed, 13 Apr 2016 07:36:22 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -15.517
X-Spam-Level:
X-Spam-Status: No, score=-15.517 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_HI=-5, RCVD_IN_MSPIKE_H3=-0.01, RCVD_IN_MSPIKE_WL=-0.01, RP_MATCHES_RCVD=-0.996, SPF_PASS=-0.001, USER_IN_DEF_DKIM_WL=-7.5] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=cisco.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id rYJZnq0NcfjN for <anima-bootstrap@ietfa.amsl.com>; Wed, 13 Apr 2016 07:36:21 -0700 (PDT)
Received: from alln-iport-5.cisco.com (alln-iport-5.cisco.com [173.37.142.92]) (using TLSv1.2 with cipher DHE-RSA-SEED-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id BCDC212E027 for <anima-bootstrap@ietf.org>; Wed, 13 Apr 2016 07:36:21 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cisco.com; i=@cisco.com; l=2137; q=dns/txt; s=iport; t=1460558181; x=1461767781; h=from:to:subject:date:message-id:references:in-reply-to: content-transfer-encoding:mime-version; bh=nzUkACBvpluYNyUeRkDVjiHiTTnS7ujHgdYfK78EXhI=; b=hSxYDib/RPlapEIC1lRrximGgF6kFHrMshcH6Z2oqfA1qk1+if0+tfsZ QD7rb0yOtg6P6LmGVgzXsIGkJv2WZ8XY0U4N1IBBurwDj9JixXJDwMYyW OiDc+f2iYcrf03AZV+9PnTN9yYrEvIt0N8xwvrndJ56UmP+EITtedPP5d Q=;
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: =?us-ascii?q?A0ABAgDgWA5X/4sNJK1egzeBUAa6RgENg?= =?us-ascii?q?XSGDgKBPzgUAQEBAQEBAWUnhEEBAQEDATpECwIBCBgeEDIlAgQBEgiIGAjDJwE?= =?us-ascii?q?BAQEBAQEDAQEBAQEBARmGIYRLihUFmAgBjgWPF48mAR4BAUKDZ2yIfH4BAQE?=
X-IronPort-AV: E=Sophos;i="5.24,479,1454976000"; d="scan'208";a="259118278"
Received: from alln-core-6.cisco.com ([173.36.13.139]) by alln-iport-5.cisco.com with ESMTP/TLS/DHE-RSA-AES256-SHA; 13 Apr 2016 14:36:20 +0000
Received: from XCH-ALN-009.cisco.com (xch-aln-009.cisco.com [173.36.7.19]) by alln-core-6.cisco.com (8.14.5/8.14.5) with ESMTP id u3DEaKSi001842 (version=TLSv1/SSLv3 cipher=AES256-SHA bits=256 verify=FAIL); Wed, 13 Apr 2016 14:36:20 GMT
Received: from xch-rcd-006.cisco.com (173.37.102.16) by XCH-ALN-009.cisco.com (173.36.7.19) with Microsoft SMTP Server (TLS) id 15.0.1104.5; Wed, 13 Apr 2016 09:36:19 -0500
Received: from xch-rcd-006.cisco.com ([173.37.102.16]) by XCH-RCD-006.cisco.com ([173.37.102.16]) with mapi id 15.00.1104.009; Wed, 13 Apr 2016 09:36:19 -0500
From: "Michael Behringer (mbehring)" <mbehring@cisco.com>
To: Michael Richardson <mcr+ietf@sandelman.ca>, "anima-bootstrap@ietf.org" <anima-bootstrap@ietf.org>
Thread-Topic: [Anima-bootstrap] Can the proxy add information during bootstrap?
Thread-Index: AQHRlRlxL75adUdvWUak1H6GJRHLbZ+HZZEAgAAA2oCAAMw9gP//xbDA
Date: Wed, 13 Apr 2016 14:36:19 +0000
Message-ID: <8c3d30d618ae4035b2c5ac316491120c@XCH-RCD-006.cisco.com>
References: <5c12b5d6940d4970bd3c0ad4c94b4696@XCH-RCD-006.cisco.com> <14252.1460506458@obiwan.sandelman.ca> <570D96FE.1000105@gmail.com> <20160413004957.GH21173@cisco.com> <18364.1460552457@obiwan.sandelman.ca>
In-Reply-To: <18364.1460552457@obiwan.sandelman.ca>
Accept-Language: en-GB, en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-ms-exchange-transport-fromentityheader: Hosted
x-originating-ip: [10.49.80.20]
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
Archived-At: <http://mailarchive.ietf.org/arch/msg/anima-bootstrap/kKqGp6Yg-PGPqrP0O8O4g_teRU4>
Subject: Re: [Anima-bootstrap] Can the proxy add information during bootstrap?
X-BeenThere: anima-bootstrap@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: Mailing list for the bootstrap design team of the ANIMA WG <anima-bootstrap.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/anima-bootstrap>, <mailto:anima-bootstrap-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/anima-bootstrap/>
List-Post: <mailto:anima-bootstrap@ietf.org>
List-Help: <mailto:anima-bootstrap-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/anima-bootstrap>, <mailto:anima-bootstrap-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 13 Apr 2016 14:36:23 -0000

> Toerless Eckert <eckert@cisco.com> wrote:
>     > On Wed, Apr 13, 2016 at 12:46:54PM +1200, Brian E Carpenter wrote:
>     >> If there's a need to discover topology, which I understood Michael B
>     >> was after, couldn't that be done after enrolment, with no security
>     >> risk?
> 
>     > I am sure operators would love to have the option to reject enrollment
>     > if the device is in a wrong location.
> 
> <putting my operator hat on, [AS26227, AS26413]>
> 
> That's silly.  Either it's your device, or it's not.
> Even if it is in the wrong location, enrolling the device makes sense.
> Unless it's completely the wrong *model* and hasn't got any interfaces of
> the right type, getting the new service online usually takes priority.
> Installing a $300 8-port firewall instead of the $200 2-port firewall isn't a
> disaster. If the model was close enough, you'd want to consider the cost of
> shipping vs the cost difference of the devices.
> 
> You might ship the *correct* model out once you figure this out and have
> remote hands swap cables later on, but that's essentially a capital allocation
> question.
> 
> If you know enough in advance to know which device (down to the SN) was
> supposed to be in each location, then I don't think you need/have a zero-
> touch situation.

I've heard the requirement quite a few times to be able to see where in the network a device is trying to enrol. For starters, assuming you are shipping devices to install locations randomly, then you can make the link between device and target config. 

If pushed hard, you could argue against this I guess; you could argue that you can first let the device enrol, THEN check where it is. 

Just saying: I've heard this request quite a few times; we can choose to ignore it, and argue our model. But seems the operational procedures are set up that way today, and we'd fit in more easily with what's done today. 

My feeling: Unless a big issue, would be good to support the passing on of proxy information in the bootstrap protocol. 

Michael