Re: [Anima-signaling] GRASP issue 49: More text about inter-domain GRASP

Brian E Carpenter <brian.e.carpenter@gmail.com> Tue, 02 August 2016 20:40 UTC

To: Toerless Eckert <eckert@cisco.com>
References: <623af621-1d6e-c5f3-17a1-63f8d5fe3ffd@gmail.com> <03f239b1-bfda-d283-cf60-b81dacd61156@gmail.com> <20160802115054.GA21039@cisco.com>
From: Brian E Carpenter <brian.e.carpenter@gmail.com>
Organization: University of Auckland
Message-ID: <6ab99cec-c97f-3fcb-ea0c-bdfcf7546d54@gmail.com>
Date: Wed, 3 Aug 2016 08:40:06 +1200
In-Reply-To: <20160802115054.GA21039@cisco.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/anima-signaling/YJrigSw73Fcl8mvad2rP053D6yI>
Cc: Anima signaling DT <anima-signaling@ietf.org>
Subject: Re: [Anima-signaling] GRASP issue 49: More text about inter-domain GRASP

On 02/08/2016 23:50, Toerless Eckert wrote:
> It's really hard to define requirements when you don't know what the
> communication should ultimately do.

Absolutely. And we shouldn't stretch the protocol spec to cover future
application scenarios that we don't understand. I'd rather limit what
we say to guaranteeing security properties.

> So, for example:
> 
> In our Cisco implementation, we allow services to run on systems that
> do not have ACP - just because it's evolving work to get the ACP onto
> such systems. E.g.: TFTP servers, Radius servers - or the like. So there's
> a leg of the ACP that's unencrypted. And the deployment requirement is
> to physically protect this segment - aka: router with ACP co-located with
> those servers in a secure NOC room. And we use mDNS there.
> 
> The same setup would make sense to me to accelerate deployment also of
> course with GRASP - instead of mDNS.
> 
> So, this is an example of expanding the secured instance of GRASP across
> a segment that's not cryptographically (IPsec) but physically protected.
> 
> Now I could easily imagine that the next step would be to have multiple
> disjoint autonomic networks, but a shared NOC. In that case, the
> reason that we don't use encryption is not only "server systems suck, have no ACP",
> but also: if a server should provide objectives (services) to multiple
> autonomic networks, then we would need to solve how it could be cryptographically
> part of multiple ACPs. That's even more work.
> 
> If I take your text and would want to build a solution around it, then
> I could think of some gateway device that's part of two ACPs, and
> has an ASA participating in each ACP's GRASP instance and is filtering/forwarding
> objectives that should be allowed to be used across ACPs. Makes sense too...

Yes. I keep coming back to my old love: diffserv and how to deploy it between
domains. I can see ASAs being deployed as inter-domain bandwidth brokers,
but interworking with intra-domain bandwidth brokers, exactly as you say.

Rgds,
   Brian

> Cheers
>     Toerless
> 
> On Tue, Aug 02, 2016 at 01:39:35PM +1200, Brian E Carpenter wrote:
>> Hi,
>>
>> I came up with an idea of how to tackle this: state that any such inter-domain
>> operation MUST be a separate (D)TLS-based instance of GRASP that does not
>> share common data structures with the normal (ACP-based) instance.
>>
>>     Brian
>> On 01/08/2016 09:11, Brian E Carpenter wrote:
>>> Hi,
>>>
>>> Here's another issue for design team comments.
>>>
>>>    o  49.  Section 3.3.1 should say more about signaling between two
>>>       autonomic networks/domains.
>>>
>>> I need ideas about what to say.
>>>
>>> Regards
>>>    Brian
>>>
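The gateway arrangement Toerless sketches above (one ASA with a foot in each ACP's GRASP instance, filtering and forwarding objectives) combined with Brian's earlier point that an inter-domain instance must share no data structures with the ACP-based one, modelled as an added Python example. This is not code from the GRASP draft, from Cisco's implementation, or from anyone in the thread; the objective layout [name, flags, loop-count, value] follows GRASP, but the flag bit values, the flood callback, the per-name allowlist policy and the constructed objective names (EX_NOC_LOGSERVER and friends) are assumptions made for the illustration.

```python
"""Toy model of a gateway ASA that sits in two separate GRASP instances.

Added illustration for this thread; not code from the GRASP draft, from
Cisco's implementation, or from any ANIMA project. Flag bit values, the
flood callback and the policy table are assumptions.
"""
from dataclasses import dataclass, field
from typing import Any, Callable, Optional

# Assumed bit values for GRASP objective flags (illustrative only).
F_DISC, F_NEG, F_SYNCH = 1, 2, 4


@dataclass(frozen=True)
class Objective:
    name: str
    flags: int
    loop_count: int
    value: Any


@dataclass
class GraspInstance:
    """One GRASP instance. All state is private to the instance, so an
    ACP-based instance and an inter-domain instance share nothing."""
    domain: str
    _cache: dict = field(default_factory=dict)       # flooded objectives by name
    _listeners: list = field(default_factory=list)   # ASAs notified on each flood

    def subscribe(self, cb: Callable[["GraspInstance", Objective], None]) -> None:
        self._listeners.append(cb)

    def flood(self, obj: Objective) -> None:
        if obj.loop_count <= 0:          # hop budget exhausted: drop silently
            return
        self._cache[obj.name] = obj
        for cb in list(self._listeners):
            cb(self, obj)

    def lookup(self, name: str) -> Optional[Objective]:
        return self._cache.get(name)


class GatewayASA:
    """ASA present in two instances; re-originates only allowlisted
    synchronization objectives, and only in the permitted direction."""

    def __init__(self, a: GraspInstance, b: GraspInstance,
                 policy: dict, loop_count: int = 6):
        # policy maps objective name -> permitted direction, "a->b" or "b->a"
        self.a, self.b, self.policy, self.loop_count = a, b, policy, loop_count
        self.audit = []          # (direction, name, decision) for every flood seen
        self._busy = False       # re-entrancy guard: our own re-flood must not bounce back
        a.subscribe(self._on_flood)
        b.subscribe(self._on_flood)

    def _decide(self, direction: str, obj: Objective) -> str:
        if obj.flags & F_NEG:            # negotiation never crosses a domain boundary
            return "dropped: negotiable"
        if not obj.flags & F_SYNCH:
            return "dropped: not synchronization"
        allowed = self.policy.get(obj.name)
        if allowed is None:
            return "dropped: not in allowlist"
        if allowed != direction:
            return "dropped: wrong direction"
        return "forwarded"

    def _on_flood(self, src: GraspInstance, obj: Objective) -> None:
        if self._busy:                   # flood we triggered ourselves; ignore
            return
        dst = self.b if src is self.a else self.a
        direction = "a->b" if src is self.a else "b->a"
        decision = self._decide(direction, obj)
        self.audit.append((direction, obj.name, decision))
        if decision != "forwarded":
            return
        self._busy = True
        try:
            # Re-originate with a fresh loop count so the destination
            # instance's own hop limit applies, not the source's leftover budget.
            dst.flood(Objective(obj.name, obj.flags, self.loop_count, obj.value))
        finally:
            self._busy = False


def demo():
    """Constructed scenario: two disjoint autonomic networks sharing a NOC."""
    net1 = GraspInstance("net1.example")    # constructed domain names
    net2 = GraspInstance("net2.example")
    gw = GatewayASA(net1, net2, policy={"EX_NOC_LOGSERVER": "a->b",
                                        "EX_NOC_NTP": "a->b"})
    net1.flood(Objective("EX_NOC_LOGSERVER", F_SYNCH, 4, "fd00::1"))  # allowed, forwarded
    net1.flood(Objective("EX_BANDWIDTH", F_NEG, 4, 100))             # negotiable: stays home
    net1.flood(Objective("EX_PRIVATE", F_SYNCH, 4, "internal"))      # not allowlisted
    net2.flood(Objective("EX_NOC_NTP", F_SYNCH, 4, "fd00::2"))        # wrong direction
    return net1, net2, gw


if __name__ == "__main__":
    _, _, gw = demo()
    for entry in gw.audit:
        print(entry)
```

The point the two instances make concrete is that the only path between domains is the gateway's explicit policy check and re-origination; nothing in net1's cache is ever readable from net2, and a negotiable objective cannot leak across even if someone adds its name to the allowlist. The audit list is the hook a NOC would feed to logging so that every cross-domain forward or drop is visible.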