IETF Logo Mail Archive

[Anima] Cloud BRSKI discussion -- Option 1 use cases

Michael Richardson <mcr+ietf@sandelman.ca> Sun, 24 November 2019 07:28 UTC

Return-Path: <mcr@sandelman.ca>
X-Original-To: anima@ietfa.amsl.com
Delivered-To: anima@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 773F21200DF for <anima@ietfa.amsl.com>; Sat, 23 Nov 2019 23:28:47 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.899
X-Spam-Level:
X-Spam-Status: No, score=-1.899 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id W2bB8nGw1Y1I for <anima@ietfa.amsl.com>; Sat, 23 Nov 2019 23:28:45 -0800 (PST)
Received: from relay.sandelman.ca (relay.cooperix.net [176.58.120.209]) (using TLSv1.2 with cipher ADH-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 3B93B1200D7 for <anima@ietf.org>; Sat, 23 Nov 2019 23:28:44 -0800 (PST)
Received: from dooku.sandelman.ca (eth-west-pareq2-46-193-2-123.wb.wifirst.net [46.193.2.123]) by relay.sandelman.ca (Postfix) with ESMTPS id 2AC791F47D for <anima@ietf.org>; Sun, 24 Nov 2019 07:28:41 +0000 (UTC)
Received: by dooku.sandelman.ca (Postfix, from userid 179) id 186F99D1; Sun, 24 Nov 2019 15:28:44 +0800 (+08)
From: Michael Richardson <mcr+ietf@sandelman.ca>
To: "anima@ietf.org" <anima@ietf.org>
In-reply-to: <MN2PR11MB3901DD8CF27429ECAF1AA874DB780@MN2PR11MB3901.namprd11.prod.outlook.com>
References: <5D36713D8A4E7348A7E10DF7437A4B9299B9FAD2@NKGEML515-MBX.china.huawei.com> <MN2PR11MB3901DD8CF27429ECAF1AA874DB780@MN2PR11MB3901.namprd11.prod.outlook.com>
Comments: In-reply-to "Owen Friel (ofriel)" <ofriel@cisco.com> message dated "Thu, 07 Nov 2019 11:47:55 +0000."
X-Mailer: MH-E 8.6; nmh 1.6; GNU Emacs 24.5.1
MIME-Version: 1.0
Content-Type: multipart/signed; boundary="=-=-="; micalg="pgp-sha256"; protocol="application/pgp-signature"
Date: Sun, 24 Nov 2019 08:28:44 +0100
Message-ID: <28576.1574580524@dooku.sandelman.ca>
Archived-At: <https://mailarchive.ietf.org/arch/msg/anima/-BmVMOao231aZtk2aJkSTGOW_yk>
Subject: [Anima] Cloud BRSKI discussion -- Option 1 use cases
X-BeenThere: anima@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Autonomic Networking Integrated Model and Approach <anima.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/anima>, <mailto:anima-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/anima/>
List-Post: <mailto:anima@ietf.org>
List-Help: <mailto:anima-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/anima>, <mailto:anima-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 24 Nov 2019 07:28:47 -0000

Following up on the discussion at the WG meeting.
The meeting materials are not yet converted to PDF, but let me attach the
three pictures, and start three threads on these options, and also I will
insert the ascii art from the document itself.
All three:

    https://github.com/anima-wg/brski-cloud/blob/master/presentations/three-flows.png

In all cases the Pledge gets some kind of network connectivity.
This could be an open WiFi, but is more often a cable plugged in with DHCPv4/IPv6.

1) Cloud Registrar Redirects

This is the most non-cloudy of the solutions.  The time sequence is below,
and the diagram is at:
  https://github.com/anima-wg/brski-cloud/blob/master/presentations/option-1-cloud-redirect.png


+--------+            +-----------+              +----------+
| Pledge |            | Local     |              | Cloud RA |
|        |            | Registrar |              | / MASA   |
+--------+            +-----------+              +----------+
    |                                                 |
    | 1. Full TLS                                     |
    |<----------------------------------------------->|
    |                                                 |
    | 2. Voucher Request                              |
    |------------------------------------------------>|
    |                                                 |
    | 3. 3xx Location: localra.example.com            |
    |<------------------------------------------------|
    |                                                 |
    | 4. Provisional TLS   |                          |
    |<-------------------->|                          |
    |                      |                          |
    | 5. Voucher Request   |                          |
    |--------------------->| 6. Voucher Request       |
    |                      |------------------------->|
    |                      |                          |
    |                      | 7. Voucher Response      |
    |                      |<-------------------------|
    | 8. Voucher Response  |                          |
    |<---------------------|                          |
    |                      |                          |
    | 9. Validate TLS      |                          |
    |<-------------------->|                          |
    |                      |                          |
    | 10. etc.             |                          |
    |--------------------->|                          |


This is the simplest variation, the local registrar is simply not
discoverable from the location of the Pledge.

The pledge is told of a way to reach the intended Registrar and process
proceeds as normal.  Note that the registrar still has to be proven
by voucher.   There could be attacks on the pledge via DNS.

This flow does not work at all for devices/manufacturers with poor supply
integration, as the Cloud RA would have no idea where to redirect the device.

--
Michael Richardson <mcr+IETF@sandelman.ca>, Sandelman Software Works
 -= IPv6 IoT consulting =-

v2.23.0 | Report a Bug | By Email