Re: [Anima-bootstrap] anima-bootstrap: Bootstrap proxy discovery options

"Toerless Eckert (eckert)" <eckert@cisco.com> Wed, 09 December 2015 13:22 UTC

Date: Wed, 09 Dec 2015 05:22:24 -0800
From: "Toerless Eckert (eckert)" <eckert@cisco.com>
To: "Michael Behringer (mbehring)" <mbehring@cisco.com>
Message-ID: <20151209132224.GO29056@cisco.com>
References: <20151204014333.GZ29056@cisco.com> <6471865864850e6c34961f12d45853cd@xs4all.nl> <5665D85C.5010604@gmail.com> <92ddd96dc21275a00aab797656407971@xs4all.nl> <cdb25a0fdcce4973acb930b5c86ed1ce@XCH-RCD-006.cisco.com>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Disposition: inline
In-Reply-To: <cdb25a0fdcce4973acb930b5c86ed1ce@XCH-RCD-006.cisco.com>
User-Agent: Mutt/1.4.2.2i
Archived-At: <http://mailarchive.ietf.org/arch/msg/anima-bootstrap/sMgEO9gnnqSEVoWbPDrov1Od2Ss>
Cc: "anima-bootstrap@ietf.org" <anima-bootstrap@ietf.org>, "consultancy@vanderstok.org" <consultancy@vanderstok.org>
Subject: Re: [Anima-bootstrap] anima-bootstrap: Bootstrap proxy discovery options

Michael:

Let's assume we replace EST bootstrap with "a guy with a USB stick feeding
manually domain certs to greenfield devices".

a) I agree that we would want to make sure our protocols are set up so that even such
   a device could perfectly bring up ACP afterwards and continue with the rest
   of autonomic functions (GRASP inside ACP, agents,...).

b) I don't think we would want to call such a device "autonomic". It's partial
   autonomic at best. But yes, it may be perfectly valid and relevant to some
   industries.

If you agree, then the problem is IMHO primarily in the reference model calling
out that devices that for one reason or the other can not / want-not implement
the whole ANIMA suite can perfectly well implement just parts of it, because
ANIMA is defined such that the different building blocks are modular. Just that
such a device is only "partial-autonomic" (or whatever you think is a good
naming to distinguish it from a truly autonomic device).

Btw: This also goes the other way, eg: it would IMHO make sense that the bootstrap
spec can be deployed on devices that do not want any further AN functions after
the certificates are enrolled. I think that option is also something we want to
explain in the bootstrap draft.

Cheers
    Toerless

On Wed, Dec 09, 2015 at 01:08:39PM +0000, Michael Behringer (mbehring) wrote:
> > The discovery alternatives cited by toerless impress me as a list of services of
> > which at least one must be present.
> > 
> > Therefore my consideration that for something as basic as Service discovery,
> > some industries may regret that they need for example mDNS next to their
> > favoured discovery service e.g. Resource Directory.
> > Faced with this choice they may decide that mDNS is not wanted but
> > replaced by RD; and the Anima code in their products is adapted for that
> > choice; while maintaining interoperability with ANIMA routers in all other
> > respects.
> 
> At the end of the day I personally don't care *how* a domain certificate gets onto a new device.
> 
> Probably we should be more clear on this, draw a big line, and state that the domain enrolment process may be replaced by many other methods, and that's ok.
> 
> So for us here that means, AN must also work if the domain certificates are (for whatever reason) already on the devices. I.e., what happens later in the AN process must not depend on anything in the bootstrap process, except the PKI info.
> 
> Michael
>
> > Peter
> > 