IETF Logo Mail Archive

Re: [Anima-bootstrap] joiner router stateful/stateless considerations

Michael Richardson <mcr+ietf@sandelman.ca> Tue, 19 January 2016 16:04 UTC

Return-Path: <mcr+ietf@sandelman.ca>
X-Original-To: anima-bootstrap@ietfa.amsl.com
Delivered-To: anima-bootstrap@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B36E41B311D for <anima-bootstrap@ietfa.amsl.com>; Tue, 19 Jan 2016 08:04:07 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.902
X-Spam-Level:
X-Spam-Status: No, score=-1.902 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_NONE=-0.0001, RP_MATCHES_RCVD=-0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id SfkbG8WfRwE4 for <anima-bootstrap@ietfa.amsl.com>; Tue, 19 Jan 2016 08:04:03 -0800 (PST)
Received: from tuna.sandelman.ca (tuna.sandelman.ca [209.87.249.19]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 697E81B3119 for <anima-bootstrap@ietf.org>; Tue, 19 Jan 2016 08:04:02 -0800 (PST)
Received: from sandelman.ca (obiwan.sandelman.ca [209.87.249.21]) by tuna.sandelman.ca (Postfix) with ESMTP id 02F56200A5; Tue, 19 Jan 2016 11:12:01 -0500 (EST)
Received: from obiwan.sandelman.ca (ip6-localhost [IPv6:::1]) by sandelman.ca (Postfix) with ESMTP id 304E6637A0; Tue, 19 Jan 2016 11:04:01 -0500 (EST)
From: Michael Richardson <mcr+ietf@sandelman.ca>
To: consultancy@vanderstok.org
In-Reply-To: <792a80be15de2b353298752e7b8d160d@xs4all.nl>
References: <3993.1453005398@obiwan.sandelman.ca> <792a80be15de2b353298752e7b8d160d@xs4all.nl>
X-Mailer: MH-E 8.6; nmh 1.6+dev; GNU Emacs 24.4.2
X-Face: $\n1pF)h^`}$H>Hk{L"x@)JS7<%Az}5RyS@k9X%29-lHB$Ti.V>2bi.~ehC0; <'$9xN5Ub# z!G,p`nR&p7Fz@^UXIn156S8.~^@MJ*mMsD7=QFeq%AL4m<nPbLgmtKK-5dC@#:k
MIME-Version: 1.0
Content-Type: multipart/signed; boundary="=-=-="; micalg="pgp-sha1"; protocol="application/pgp-signature"
Date: Tue, 19 Jan 2016 11:04:01 -0500
Message-ID: <5232.1453219441@obiwan.sandelman.ca>
Archived-At: <http://mailarchive.ietf.org/arch/msg/anima-bootstrap/kSJW_sWbQF1iLuA7Jev89wLSVpM>
Cc: anima-bootstrap <anima-bootstrap@ietf.org>
Subject: Re: [Anima-bootstrap] joiner router stateful/stateless considerations
X-BeenThere: anima-bootstrap@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Mailing list for the bootstrap design team of the ANIMA WG <anima-bootstrap.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/anima-bootstrap>, <mailto:anima-bootstrap-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/anima-bootstrap/>
List-Post: <mailto:anima-bootstrap@ietf.org>
List-Help: <mailto:anima-bootstrap-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/anima-bootstrap>, <mailto:anima-bootstrap-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 19 Jan 2016 16:04:07 -0000

peter van der Stok <stokcons@xs4all.nl> wrote:
    > Hi Richard,

{Michael :-)}

    > To clarify how far we are aligned, I like to describe my view on the managed
    > (and “constrained”) network. After that I do have a suggestion and a
    > question.

I think that I missed the suggestion, maybe it's in here:

    > Once this view is accepted, there are some complicating aspects for the anima
    > bootstrapping process. There is the “managed network” part with the
    > standardized stack without ASAs - possibly using DTLS with CoAP-,
    > and there is the more complex Internet with ASAs - probably using http with
    > TLS-. If it is reasonable to include the “managed network” devices into the
    > anima bootstrapping process, I **SUGGEST** that the anima bootstrapping services
    > both types of networks. That may mean that 2 solutions from the ones proposed
    > in joinrouter document are chosen.

Which two solutions would you pick?

From the new node to joining router, we have three options:
     A) CoAP/DTLS, B) HTTPS, C) HTTPS over HTTP proxy.

I prefer (A) as MTI, with (C) as MAY.
From the joining router to the registrar, I prefer method 6, CoAP/DTLS with
IPIP tunnel.  I think that this works the best in a constrained network,
where I do not expect to see an ACP.

At the edge of the contrained network, the 6LBR might have an ACP, and would
further route the join the traffic that way.  The IPIP header might be
addressed to the 6LBR, and re-encapsulated by the 6LBR as well, but that
would involve some state (methods 1 or 2) on the 6LBR: That may be acceptable.

I'm trying also to build a system that could also be initiated from the
registrar to new node direction, as I've proposed in 6tisch.

    > Having written that, my question concerns figure 1 of keyinfra draft. Two
    > arrows are shown between new entity and Proxy with L2 and L3. I understand
    > that this means that payloads are encoded at L2 or at L3. I am not sure that
    > I understand how this works, because L2 security provisioning between for
    > example 802.11 and 802.15.4 devices is different. Maintaining both the L2 and
    > L3 option means that the security levels need to be aligned between the
    > different link technologies and layer 3 technologies. That looks like an
    > addition to the IP over foo documents. Is that correct?

I think that the point is that we don't know (in this document, at this
stage) precisely if the new node and proxy communicate at layer 2 (e.g. 802.1x)
or layer 3 (PANA, CoAP/HTTP, etc.).  That's why it says "or"

--
Michael Richardson <mcr+IETF@sandelman.ca>, Sandelman Software Works
 -= IPv6 IoT consulting =-

v2.23.0 | Report a Bug | By Email