Re: [Anima-bootstrap] bootstrap purpose

Brian E Carpenter <brian.e.carpenter@gmail.com> Tue, 24 May 2016 20:34 UTC

To: consultancy@vanderstok.org, "Michael Behringer (mbehring)" <mbehring@cisco.com>
References: <1913d4ecf0647ffdb77ff7f4d751218c@xs4all.nl> <61110f7e2870402ba4ecfdaf5e909264@XCH-RCD-006.cisco.com> <06638ab8359175685feb61f9873799bc@xs4all.nl>
From: Brian E Carpenter <brian.e.carpenter@gmail.com>
Organization: University of Auckland
Message-ID: <2cb7902b-01eb-7794-7721-2d564b262013@gmail.com>
Date: Wed, 25 May 2016 08:34:35 +1200
Archived-At: <http://mailarchive.ietf.org/arch/msg/anima-bootstrap/tLd2DhklCcPMsjHlUSpSD1kM5Nc>
Cc: Anima-bootstrap <anima-bootstrap@ietf.org>

On 25/05/2016 03:02, peter van der Stok wrote:
> Hi Michael,
> 
> In earlier versions of the bootstrapping the purpose was to add an unsecured node to a secured mesh network.
> Nodes on the secured network exchanged encrypted messages.
> New nodes had to learn the keys to encrypt.
> New nodes were not allowed to communicate with other secured nodes but for starting the acquisition of the keys.
> 
> Therefore the joining node needed a neighbouring proxy, because unsecured messages were not routed over the secured network.
> I don't find the concept of secured network any more and start wondering why we need the neighbouring proxy.

The secured network is the ACP, so I wouldn't expect any of that discussion in
the bootstrap work. It should be in the description of how the ACP is formed.
(In the non-ACP case, the assumption we make is that the nodes all have appropriate
certificates for (D)TLS, and those certificates will be sufficient to keep traffic
within the AN domain.)

I thought the proxy was simply the way to reach the domain registrar?

    Brian

> 
> Peter
> 
> Michael Behringer (mbehring) wrote on 2016-05-24 13:23:
>> Hi Peter,
>>
>> The primary purpose of draft-ietf-anima-bootstrapping-keyinfra is to
>> deploy a domain specific key infrastructure. You're not mentioning
>> that, I assume because it's obvious?
>>
>> What a device does with that key material is outside scope of this
>> document. Although, 3.5 and 3.6 go a little step in that direction.
>> IMO we should keep the bootstrap of key material (current objective of
>> doc) clearly separate from what to do with this key material. So we
>> should probably be clearer that 3.5 are just examples.
>>
>> To me, the objectives you mention:
>>
>>> As far as I understood there are 2 objectives;
>>> 1) a packet sent by an unauthorized node is not routed through the network
>>> 2) An unauthorized node cannot interpret a packet sent by an authorized
>>> node
>>
>> are not the main objective of this work, but of course a security
>> consideration for the bootstrap process.
>>
>> Since I'm not sure I understood you fully, please let me know whether
>> we're in line!
>> Michael
>>
>>> -----Original Message-----
>>> From: Anima-bootstrap [mailto:anima-bootstrap-bounces@ietf.org] On
>>> Behalf Of peter van der Stok
>>> Sent: 24 May 2016 09:23
>>> To: Anima-bootstrap <anima-bootstrap@ietf.org>
>>> Subject: [Anima-bootstrap] bootstrap purpose
>>>
>>> Hi all,
>>>
>>> I looked again at the keyinfra draft and did not recognize an explicit
>>> description of the purpose of securing the network with the bootstrap.
>>>
>>> As far as I understood there are 2 objectives;
>>> 1) a packet sent by an unauthorized node is not routed through the network
>>> 2) An unauthorized node cannot interpret a packet sent by an authorized
>>> node
>>>
>>> Neither does the text tell us how this is achieved once the bootstrap has
>>> successfully concluded.
>>> Do we aim at a specific protocol or do we want to leave this open?
>>>
>>> -- 
>>> Peter van der Stok
>>> vanderstok consultancy
>>>
>>> _______________________________________________
>>> Anima-bootstrap mailing list
>>> Anima-bootstrap@ietf.org
>>> https://www.ietf.org/mailman/listinfo/anima-bootstrap