Re: [Anima-signaling] GRASP issue 49: More text about inter-domain GRASP
Michael Richardson <mcr+ietf@sandelman.ca> Tue, 02 August 2016 15:56 UTC
Return-Path: <mcr+ietf@sandelman.ca>
X-Original-To: anima-signaling@ietfa.amsl.com
Delivered-To: anima-signaling@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1])
by ietfa.amsl.com (Postfix) with ESMTP id 91EED12D7D8
for <anima-signaling@ietfa.amsl.com>; Tue, 2 Aug 2016 08:56:04 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.188
X-Spam-Level:
X-Spam-Status: No, score=-3.188 tagged_above=-999 required=5
tests=[BAYES_00=-1.9, RP_MATCHES_RCVD=-1.287, SPF_PASS=-0.001]
autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44])
by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024)
with ESMTP id apmTX6YHNi56 for <anima-signaling@ietfa.amsl.com>;
Tue, 2 Aug 2016 08:56:03 -0700 (PDT)
Received: from tuna.sandelman.ca (tuna.sandelman.ca
[IPv6:2607:f0b0:f:3:216:3eff:fe7c:d1f3])
(using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits))
(No client certificate requested)
by ietfa.amsl.com (Postfix) with ESMTPS id 6511C12D7C8
for <anima-signaling@ietf.org>; Tue, 2 Aug 2016 08:56:03 -0700 (PDT)
Received: from sandelman.ca (obiwan.sandelman.ca [IPv6:2607:f0b0:f:2::247])
by tuna.sandelman.ca (Postfix) with ESMTP id A23202009E;
Tue, 2 Aug 2016 12:06:17 -0400 (EDT)
Received: from obiwan.sandelman.ca (localhost [IPv6:::1])
by sandelman.ca (Postfix) with ESMTP id 6F066638D1;
Tue, 2 Aug 2016 11:56:02 -0400 (EDT)
From: Michael Richardson <mcr+ietf@sandelman.ca>
To: Toerless Eckert <eckert@cisco.com>
In-Reply-To: <20160802115054.GA21039@cisco.com>
References: <623af621-1d6e-c5f3-17a1-63f8d5fe3ffd@gmail.com>
<03f239b1-bfda-d283-cf60-b81dacd61156@gmail.com>
<20160802115054.GA21039@cisco.com>
X-Mailer: MH-E 8.6; nmh 1.6+dev; GNU Emacs 24.5.1
X-Face: $\n1pF)h^`}$H>Hk{L"x@)JS7<%Az}5RyS@k9X%29-lHB$Ti.V>2bi.~ehC0;
<'$9xN5Ub#
z!G,p`nR&p7Fz@^UXIn156S8.~^@MJ*mMsD7=QFeq%AL4m<nPbLgmtKK-5dC@#:k
MIME-Version: 1.0
Content-Type: multipart/signed; boundary="=-=-=";
micalg=pgp-sha1; protocol="application/pgp-signature"
Date: Tue, 02 Aug 2016 11:56:02 -0400
Message-ID: <31656.1470153362@obiwan.sandelman.ca>
Archived-At: <https://mailarchive.ietf.org/arch/msg/anima-signaling/Nd2lnJQfSfqRQMoJLHj9vdUmuVE>
Cc: Anima signaling DT <anima-signaling@ietf.org>
Subject: Re: [Anima-signaling] GRASP issue 49: More text about inter-domain
GRASP
X-BeenThere: anima-signaling@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: Mailing list for the signaling design team of the ANIMA WG
<anima-signaling.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/anima-signaling>,
<mailto:anima-signaling-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/anima-signaling/>
List-Post: <mailto:anima-signaling@ietf.org>
List-Help: <mailto:anima-signaling-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/anima-signaling>,
<mailto:anima-signaling-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 02 Aug 2016 15:56:04 -0000
Toerless Eckert <eckert@cisco.com> wrote: > In our Cisco implementation, we allow services to run on systems that > do not have ACP - just because its evolving work to get the ACP onto > such systems. Eg: TFTP servers, Radius Servers - or the like. SO there's > a leg of the ACP that's unencrypted. And the deployment requirement is > to physcially protect this segment - aka: router with ACP co-located with > those servers n a secure NOC room. And we use mDNS there. I was under the impression that we'd make this secure either by physical means (as you write), or by putting those services in containers or VMs, and connect them to devices/routers that would have ACP on them. > Now i could easily imagine that the next step would be to have multiple > disjoined autonomic networks, but a shared NOC. In that case, the > reason that we don't use encryption is not only "server systems suck, have no ACP", > but also: If a server should provide objectives (services) to multiple > autonomic networks, then we would need to solve how it could be cryptographically > part of multiple ACPs. Thats even more work. I'm not sure it's that big a deal to be part of multiple ACPs. Depends a lot upon the details of the service. For some services build upon a multi-tier architecture (anything RESTful, such as NETCONF...) then putting a front-end server into two ACPs while connecting to middle-ware on a common back-end network would be trivial. Ditto: Radius things, you can always add a layer of radius proxy. TFTP servers... not a huge deal, just NFS mount /tftpboot across a backend LAN from the real machine and have multiple TFTP servers in multiple ACPs. > If i take your text and would want to build a solution around it, then > i could think of some gateway-device thats part of two ACPs, and > has an ASA participating in each ACPs GRASP instance and is filtering/forwarding > objectives that should be allowed to be used across ACPs. Makes sense too... -- Michael Richardson <mcr+IETF@sandelman.ca>ca>, Sandelman Software Works -= IPv6 IoT consulting =-
- Re: [Anima-signaling] GRASP issue 49: More text a… Brian E Carpenter
- Re: [Anima-signaling] GRASP issue 49: More text a… Toerless Eckert
- Re: [Anima-signaling] GRASP issue 49: More text a… Michael Richardson
- Re: [Anima-signaling] GRASP issue 49: More text a… Toerless Eckert
- Re: [Anima-signaling] GRASP issue 49: More text a… Brian E Carpenter
- [Anima-signaling] GRASP issue 49: More text about… Brian E Carpenter