IETF Logo Mail Archive

Re: [Anima-bootstrap] anima-bootstrap: Bootstrap proxy discovery options

"Max Pritikin (pritikin)" <pritikin@cisco.com> Mon, 07 December 2015 19:29 UTC

Return-Path: <pritikin@cisco.com>
X-Original-To: anima-bootstrap@ietfa.amsl.com
Delivered-To: anima-bootstrap@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id F223E1A017A for <anima-bootstrap@ietfa.amsl.com>; Mon, 7 Dec 2015 11:29:25 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -14.511
X-Spam-Level:
X-Spam-Status: No, score=-14.511 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_HI=-5, SPF_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01, USER_IN_DEF_DKIM_WL=-7.5] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 0IANh48PUCmF for <anima-bootstrap@ietfa.amsl.com>; Mon, 7 Dec 2015 11:29:24 -0800 (PST)
Received: from alln-iport-3.cisco.com (alln-iport-3.cisco.com [173.37.142.90]) (using TLSv1.2 with cipher DHE-RSA-SEED-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 0A8741A014A for <anima-bootstrap@ietf.org>; Mon, 7 Dec 2015 11:29:24 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cisco.com; i=@cisco.com; l=6154; q=dns/txt; s=iport; t=1449516564; x=1450726164; h=from:to:cc:subject:date:message-id:references: in-reply-to:content-id:content-transfer-encoding: mime-version; bh=jeHy6cYr4Fq+AAtAiIQ9MHZfB4DNKJqvBV7qmY1CrkA=; b=J1kVCt1i0pFgCm9L7u7Hfn8QFztKiuCOhFh8GUigamdWLnkPiBipvIYq /7K1muqPiqUdW9TGVC2ufUmrK8OX/La2gnyQhccD+f9zBnLWXWT5kDU/p dJq/G/GiB0WJypsV2ZtsulHjx6TJ9gCNPDysFwEvJ0AuckvOHQ6oLdcCZ U=;
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: A0AAAgAh3WVW/5xdJa1egzpTbga9KwENgW4XCoI9gzACHIEqOBQBAQEBAQEBgQqENAEBAQMBAQEBIBE6CwULAgEIGAICJgICAiULFRACBA4FG4gMCA2wFpBaAQEBAQEBAQEBAQEBAQEBAQEBAQEBFASBAYdigm6ENQ2DNS+BFQWHTIcQiAUBjTuBW5cgg3EBHwEBQoQEcoQmQoEHAQEB
X-IronPort-AV: E=Sophos;i="5.20,396,1444694400"; d="scan'208";a="215124393"
Received: from rcdn-core-5.cisco.com ([173.37.93.156]) by alln-iport-3.cisco.com with ESMTP/TLS/DHE-RSA-AES256-GCM-SHA384; 07 Dec 2015 19:29:23 +0000
Received: from XCH-ALN-005.cisco.com (xch-aln-005.cisco.com [173.36.7.15]) by rcdn-core-5.cisco.com (8.14.5/8.14.5) with ESMTP id tB7JTMSP016320 (version=TLSv1/SSLv3 cipher=AES256-SHA bits=256 verify=FAIL); Mon, 7 Dec 2015 19:29:23 GMT
Received: from xch-aln-013.cisco.com (173.36.7.23) by XCH-ALN-005.cisco.com (173.36.7.15) with Microsoft SMTP Server (TLS) id 15.0.1104.5; Mon, 7 Dec 2015 13:29:22 -0600
Received: from xch-aln-013.cisco.com ([173.36.7.23]) by XCH-ALN-013.cisco.com ([173.36.7.23]) with mapi id 15.00.1104.009; Mon, 7 Dec 2015 13:29:22 -0600
From: "Max Pritikin (pritikin)" <pritikin@cisco.com>
To: Michael Richardson <mcr+ietf@sandelman.ca>
Thread-Topic: [Anima-bootstrap] anima-bootstrap: Bootstrap proxy discovery options
Thread-Index: AQHRLjUzUXhNiuqCZk29llWSg8eoaJ677SQAgARf/ICAAAYvgA==
Date: Mon, 07 Dec 2015 19:29:22 +0000
Message-ID: <20D831CB-5075-4899-9C4F-D3D04334B1CF@cisco.com>
References: <20151204014333.GZ29056@cisco.com> <A4DCBB7E-A722-4AC1-A7B7-BD185ABEBF7F@cisco.com> <13379.1449515233@dooku.sandelman.ca>
In-Reply-To: <13379.1449515233@dooku.sandelman.ca>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-ms-exchange-messagesentrepresentingtype: 1
x-ms-exchange-transport-fromentityheader: Hosted
x-originating-ip: [10.99.106.4]
Content-Type: text/plain; charset="utf-8"
Content-ID: <83F2EBD90B3A5B4291F4F1B162505C2D@emea.cisco.com>
Content-Transfer-Encoding: base64
MIME-Version: 1.0
Archived-At: <http://mailarchive.ietf.org/arch/msg/anima-bootstrap/qssQrQ_kGzFe8e-g4JF5dhp0_LI>
Cc: "Toerless Eckert (eckert)" <eckert@cisco.com>, "anima-bootstrap@ietf.org" <anima-bootstrap@ietf.org>
Subject: Re: [Anima-bootstrap] anima-bootstrap: Bootstrap proxy discovery options
X-BeenThere: anima-bootstrap@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Mailing list for the bootstrap design team of the ANIMA WG <anima-bootstrap.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/anima-bootstrap>, <mailto:anima-bootstrap-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/anima-bootstrap/>
List-Post: <mailto:anima-bootstrap@ietf.org>
List-Help: <mailto:anima-bootstrap-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/anima-bootstrap>, <mailto:anima-bootstrap-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 07 Dec 2015 19:29:26 -0000

> On Dec 7, 2015, at 12:07 PM, Michael Richardson <mcr+ietf@sandelman.ca> wrote:
> 
> 
> Max Pritikin (pritikin) <pritikin@cisco.com> wrote:
>>> IMHO, i would let the proxy periodically (30 secs)
> 
>> Is it acceptable that a new device sits for 30s before joining? Should
>> this be shorter? Longer? What criteria do we use to choose (see below
>> before answering).
> 
>>> I don't want the enrolling device to be more attackable than
>>> necessarily.  Arguably such a greenfield device may be more attackable
>>> than a configured device. An unconfigured device that periodically
>>> broadcasts "hey, i am unconfigured and look for a proxy server"
>>> (especially when powered on in a non-AN enviroment) is the best victim
>>> ever to do a port-scan etc. pp.  on (or just find the console
>>> interface). And just because a vendor has added autonomic networking
>>> doesn't mean he has now also fixed all security for all OS services
>>> many of which may not even be off by default but would likely be
>>> configured off by security sensitive operators.
> 
> This is one reason I'd like the new device to do things that configured
> devices do regularly.
> So sending out a multicast IKEv2 INIT might really make sense here.
> Every device should do it every 5 to 15 minutes.
> 
> A new device will either send them, or receive them.  Either way, it can
> respond and within the privacy of IKEv2, can do something.
> That doesn't you can't use a proxy to get things through: the resulting
> one-hop-ACP won't be part of the production ACP.

Michael, I failed to parse your response. 

Are you agreeing with Toerless’ argument that the new device should be a responder? 

Or, are you arguing that the new device should initiate the bootstrapping; but do so in a way that does not expose it is a new device? 

- max

>>> So, i think we can use GARP DISCOVER for this periodic multicast,
> 
>> Multicast DNS supports multicast “unsolicited” responses and also
>> specifically states that peers cache these. So the basic behavior you
>> are requesting is fundamentally available from mDNS as well. This is a
>> design choice for Anima but I doesn’t seem to dramatically impact our
>> choice of discovery protocols.
> 
> mDNS is another good mechanism to use --- and it doesn't scream out, "newbie"
> either.
> 
>>> Also comparison with mDNS as we discussed it: - code size: We need
>>> GRASP for more functions in AN beside discovery, we do not need mDNS
>>> for anything in AN, so on IoT devices we would save code size. TBD:
>>> Size of an mDNS stack (note: We MAY want "normal" DNS, so the code
>>> size for mDNS may not be that large as a delta on top of "normal"
>>> DNS).
> 
>> This is where the real value/difference discussion comes in. I guess we
>> could build an avahi library and see how much the entire thing takes or
>> how big pieces of it are.
> 
> I claim that much of what we are doing with the ACP and GRASP is outside the
> code space limit for a constrained IoT device, so I don't buy this argument.
> 
> 1) mDNS *IS* useful in IoT space, so the code isn't wasted.
> 2) GRASP is *not* useful in constrained IoT space.
> 
>>> And i guess one could define a TXT RR with the signed timestamp. Aka:
>>> I could probably do the same thing i was describing above also with
>>> mDNS. Not sure if mDNS people would like that…
> 
>> For a DNS based solution I guess DNSsec integration would be
>> logical. I’m not sure I like any approach where we try to cram security
>> into the discovery protocol — the truth is that we don’t have
>> sufficient information to trust crypto methods in the
>> response/broadcast information until after we complete bootstrapping at
>> which point its relatively moot. Instead we can cut to the heart of
>> your security value by tracking "locator-option” information seen and
>> freaking out if an unexpected one was seen (assuming GRASP).
> 
> Exactly: You can't easily do DNSSEC easily here: no trust anchors available for
>         joining device.  DNSSEC can give you an alternative to 802.1AR
>         certificates though, but it replaces that part.
> 
> --
> Michael Richardson <mcr+IETF@sandelman.ca>, Sandelman Software Works
> -= IPv6 IoT consulting =-
> 
> 
> 
> _______________________________________________
> Anima-bootstrap mailing list
> Anima-bootstrap@ietf.org
> https://www.ietf.org/mailman/listinfo/anima-bootstrap

v2.23.0 | Report a Bug | By Email