Re: [Anima-bootstrap] anima-bootstrap: Bootstrap proxy discovery options

Michael Richardson <mcr+ietf@sandelman.ca> Wed, 09 December 2015 23:49 UTC

From: Michael Richardson <mcr+ietf@sandelman.ca>
To: "anima-bootstrap@ietf.org" <anima-bootstrap@ietf.org>
In-Reply-To: <20151209192313.GR29056@cisco.com>
Date: Wed, 09 Dec 2015 18:49:37 -0500
Message-ID: <25760.1449704977@sandelman.ca>
Archived-At: <http://mailarchive.ietf.org/arch/msg/anima-bootstrap/oMEul_W628-KjxJ7WjN4hzJ_jBY>

Toerless Eckert (eckert) <eckert@cisco.com> wrote:

    > a) Let's assume we're talking about announcements by Bob/Eve to connect to their ACP.

    > Minimally, Alice has no idea whom it wants to connect to. So it simply starts,
    > let's say, dTLS to Bob and Eve. Alice will then figure out whether Bob and/or
    > Eve have domain certs for the same domain Alice is in. If not, Alice (or Bob/Eve)
    > will drop the dTLS connection.

I don't know why you write *TLS here. There is no specification for running
IPv6 over TLS.

    > b) Let's assume we're talking about announcements by Bob/Eve to be enrollment proxies.

    > So now Alice is not in a domain and will set up ESP "randomly" to Bob and/or Eve.

I think you mean, EST?

    > If we do not have a MASA, then Alice is really at the mercy of
    > the guy who plugs Alice's cable into some network connection.
    > "Do not plug into an untrusty socket".

We can do things without a MASA, but the certificate validation chain is more complex.

    > Aka: Both Bob and Eve belong to friendly domains only accepting devices
    > they know they own.

    > If we do have a MASA, Alice can feel more secure. So it connects to Eve,
    > and Eve's domain registrar wants to have Alice - even though Alice doesn't belong
    > to Eve's domain, but Eve is evil in this case. Alice will only accept enrollment
    > when Eve is producing to Alice a ticket from the MASA stating that Alice belongs
    > to Alice's domain. And Alice trusts this ticket because it ultimately came from

Here, where you write "Alice's domain", you mean "Eve's domain".

    > I can't see how Bob/Eve announcing their certs here would help Alice at all
    > before establishing the EST connection.

It could help if both Bob and Eve are part of the same domain, and so after a
failure with Bob, Alice would know to go on to Frank, skipping Eve.
But, I agree that it doesn't in general help, because neither Bob nor Eve's
certificate has any verifiable meaning to Alice.

--
Michael Richardson <mcr+IETF@sandelman.ca>, Sandelman Software Works
 -= IPv6 IoT consulting =-
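A pledge-side model of the selection logic discussed in this reply, added here as an illustration and not code from the thread or from any ANIMA implementation: announced domain identities are used only to skip a second proxy from a domain that has already failed, while acceptance rests on a MASA ticket. The MASA key, pledge identity, proxy names and domain names are constructed, and a keyed HMAC stands in for the MASA's real signature.

```python
import hmac, hashlib
from dataclasses import dataclass
from typing import Optional

# Constructed stand-in for the MASA trust anchor Alice carries from manufacture;
# a keyed HMAC replaces the MASA's real public-key signature in this model.
MASA_KEY = b"constructed-masa-anchor"
PLEDGE_ID = "alice-serial-0001"  # constructed pledge identity
@dataclass
class Proxy:
    name: str
    announced_domain: str   # what the proxy announces; Alice cannot verify it
    ticket: Optional[dict]  # MASA ticket its registrar produces, or None

def masa_ticket(domain, pledge_id, key=MASA_KEY):
    """Ticket from the MASA asserting that pledge_id belongs to domain."""
    msg = f"{pledge_id}|{domain}".encode()
    return {"pledge": pledge_id, "domain": domain,
            "sig": hmac.new(key, msg, hashlib.sha256).hexdigest()}

def ticket_valid(ticket, pledge_id=PLEDGE_ID):
    """Alice accepts only a ticket naming her that the MASA anchor verifies."""
    if ticket is None or ticket.get("pledge") != pledge_id:
        return False
    expected = masa_ticket(ticket["domain"], pledge_id)["sig"]
    return hmac.compare_digest(ticket["sig"], expected)

def choose_proxy(proxies):
    """Try proxies in announcement order; return (chosen name, names tried).

    Announced domains are unverifiable before enrollment, so they serve only the
    pruning in the reply: after one proxy fails, skip others announcing its domain."""
    failed_domains, tried = set(), []
    for p in proxies:
        if p.announced_domain in failed_domains:
            continue
        tried.append(p.name)
        if ticket_valid(p.ticket):
            return p.name, tried
        failed_domains.add(p.announced_domain)
    return None, tried

# Constructed scenario: Bob and Eve announce the same foreign domain, Eve's
# registrar forges a ticket with its own key, Frank's registrar holds a real one.
PROXIES = [
    Proxy("Bob", "foreign.example", None),
    Proxy("Eve", "foreign.example", masa_ticket("foreign.example", PLEDGE_ID, b"eve")),
    Proxy("Frank", "alice.example", masa_ticket("alice.example", PLEDGE_ID)),
]
```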