Re: [Anima] Homogeneous vs. heterogeneous trust domains (Re: What elements of IETF ANIMA can be used for I2NSF?)
Michael Richardson <mcr+ietf@sandelman.ca> Tue, 28 October 2014 14:53 UTC
Return-Path: <mcr@sandelman.ca>
X-Original-To: anima@ietfa.amsl.com
Delivered-To: anima@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 3944C1A89B5 for <anima@ietfa.amsl.com>; Tue, 28 Oct 2014 07:53:19 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.901
X-Spam-Level:
X-Spam-Status: No, score=-1.901 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, SPF_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01, T_TVD_MIME_NO_HEADERS=0.01] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id eW7dZ5xLxwoc for <anima@ietfa.amsl.com>; Tue, 28 Oct 2014 07:53:12 -0700 (PDT)
Received: from tuna.sandelman.ca (tuna.sandelman.ca [209.87.249.19]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 856A11A89E0 for <anima@ietf.org>; Tue, 28 Oct 2014 07:53:12 -0700 (PDT)
Received: from sandelman.ca (obiwan.sandelman.ca [IPv6:2607:f0b0:f:2::247]) by tuna.sandelman.ca (Postfix) with ESMTP id 3F35520028 for <anima@ietf.org>; Tue, 28 Oct 2014 10:54:26 -0400 (EDT)
Received: by sandelman.ca (Postfix, from userid 179) id 342DD63A84; Tue, 28 Oct 2014 10:53:11 -0400 (EDT)
Received: from sandelman.ca (localhost [127.0.0.1]) by sandelman.ca (Postfix) with ESMTP id 161D563A21 for <anima@ietf.org>; Tue, 28 Oct 2014 10:53:11 -0400 (EDT)
From: Michael Richardson <mcr+ietf@sandelman.ca>
To: "anima@ietf.org" <anima@ietf.org>
In-Reply-To: <3AA7118E69D7CD4BA3ECD5716BAF28DF21C9DAAA@xmb-rcd-x14.cisco.com>
References: <4A95BA014132FF49AE685FAB4B9F17F645E2074F@dfweml701-chm> <54495813.4050703@gmail.com> <54495A00.4000302@gmail.com> <54499D7E.4060007@gmail.com> <20141027004833.GA4665@cisco.com> <12570.1414373603@sandelman.ca> <544DB2E4.5020808@gmail.com> <17335.1414412250@sandelman.ca> <3AA7118E69D7CD4BA3ECD5716BAF28DF21C9DAAA@xmb-rcd-x14.cisco.com>
X-Mailer: MH-E 8.2; nmh 1.3-dev; GNU Emacs 23.4.1
X-Face: $\n1pF)h^`}$H>Hk{L"x@)JS7<%Az}5RyS@k9X%29-lHB$Ti.V>2bi.~ehC0; <'$9xN5Ub# z!G,p`nR&p7Fz@^UXIn156S8.~^@MJ*mMsD7=QFeq%AL4m<nPbLgmtKK-5dC@#:k
MIME-Version: 1.0
Content-Type: multipart/signed; boundary="=-=-="; micalg="pgp-sha1"; protocol="application/pgp-signature"
Date: Tue, 28 Oct 2014 10:53:11 -0400
Message-ID: <2376.1414507991@sandelman.ca>
Sender: mcr@sandelman.ca
Archived-At: http://mailarchive.ietf.org/arch/msg/anima/-ftAWxWxA8HjRWwhfaxuI_rQlwg
Subject: Re: [Anima] Homogeneous vs. heterogeneous trust domains (Re: What elements of IETF ANIMA can be used for I2NSF?)
X-BeenThere: anima@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Autonomic Networking Integrated Model and Approach <anima.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/anima>, <mailto:anima-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/anima/>
List-Post: <mailto:anima@ietf.org>
List-Help: <mailto:anima-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/anima>, <mailto:anima-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 28 Oct 2014 14:53:19 -0000
Michael Behringer (mbehring) <mbehring@cisco.com> wrote: > Toerless summed it up nicely. > Inside a domain (for example, an enterprise network), you want a single > trust domain. The owner of that enterprise network wants all those > devices under one trust anchor. (Of course he can create sub-domains, > or several domains). I think that we are all agreed on this. > Before they form part of a single domain, devices come from various > vendors, or are imprinted in various ways. In that part there are many > trust domains. As Brian points out, some domains will accept a call > home functions, others will not. So, irrespective of whether there is a call-home part of the imprinting, Brian's point was that some domains expect to the imprinting in the field, and some prefer to do this in a virtual faraday cage. I claim that there is doesn't matter where the initial imprinting occurs; I think it's the same process. All nodes should expect the potential for their role to change after a power cycle/deep sleep. > Bottom line: We need a process which gets devices from various origins > and trust domains, and various ways to initialise them to a single > trust domain, for example an enterprise > network. draft-pritikin-bootstrapping-keyinfrastructures tries to > explain what this process could look like. In other emails over the I've tried to fill in some details on such a process, is it the time to recap that here? -- Michael Richardson <mcr+IETF@sandelman.ca>, Sandelman Software Works -= IPv6 IoT consulting =-
- [Anima] What elements of IETF ANIMA can be used f… Linda Dunbar
- Re: [Anima] What elements of IETF ANIMA can be us… Brian E Carpenter
- [Anima] Homogeneous vs. heterogeneous trust domai… Rene Struik
- Re: [Anima] Homogeneous vs. heterogeneous trust d… Brian E Carpenter
- Re: [Anima] Homogeneous vs. heterogeneous trust d… Toerless Eckert
- Re: [Anima] Homogeneous vs. heterogeneous trust d… Michael Richardson
- Re: [Anima] Homogeneous vs. heterogeneous trust d… Brian E Carpenter
- Re: [Anima] Homogeneous vs. heterogeneous trust d… Michael Richardson
- Re: [Anima] Homogeneous vs. heterogeneous trust d… Brian E Carpenter
- Re: [Anima] Homogeneous vs. heterogeneous trust d… Michael Richardson
- Re: [Anima] Homogeneous vs. heterogeneous trust d… Michael Behringer (mbehring)
- Re: [Anima] Homogeneous vs. heterogeneous trust d… Michael Richardson