Re: [Anima] Discovery of proxy/registrar insufficient (GRASP and more).
Michael Richardson <mcr+ietf@sandelman.ca> Wed, 13 April 2022 17:46 UTC
Return-Path: <mcr@sandelman.ca>
X-Original-To: anima@ietfa.amsl.com
Delivered-To: anima@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id CE2773A1C72 for <anima@ietfa.amsl.com>; Wed, 13 Apr 2022 10:46:51 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.909
X-Spam-Level:
X-Spam-Status: No, score=-1.909 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id pTWctWfofSfN for <anima@ietfa.amsl.com>; Wed, 13 Apr 2022 10:46:47 -0700 (PDT)
Received: from relay.sandelman.ca (relay.cooperix.net [IPv6:2a01:7e00:e000:2bb::1]) (using TLSv1.2 with cipher ADH-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id DD35A3A1C73 for <anima@ietf.org>; Wed, 13 Apr 2022 10:46:46 -0700 (PDT)
Received: from dooku.sandelman.ca (desktop4.sandelman.ca [209.87.249.16]) by relay.sandelman.ca (Postfix) with ESMTPS id 0CC011F4C9; Wed, 13 Apr 2022 17:41:05 +0000 (UTC)
Received: by dooku.sandelman.ca (Postfix, from userid 179) id 70AF91A0482; Wed, 13 Apr 2022 13:19:21 -0400 (EDT)
From: Michael Richardson <mcr+ietf@sandelman.ca>
To: Toerless Eckert <tte@cs.fau.de>, anima@ietf.org
In-reply-to: <YlWUA7xhMU2XtJsz@faui48e.informatik.uni-erlangen.de>
References: <YlWUA7xhMU2XtJsz@faui48e.informatik.uni-erlangen.de>
Comments: In-reply-to Toerless Eckert <tte@cs.fau.de> message dated "Tue, 12 Apr 2022 17:00:19 +0200."
X-Mailer: MH-E 8.6+git; nmh 1.7.1; GNU Emacs 26.3
MIME-Version: 1.0
Content-Type: multipart/signed; boundary="=-=-="; micalg="pgp-sha512"; protocol="application/pgp-signature"
Date: Wed, 13 Apr 2022 13:19:21 -0400
Message-ID: <388791.1649870361@dooku>
Archived-At: <https://mailarchive.ietf.org/arch/msg/anima/25_6yuoRgQyp4fu0kLs8fEW5zXg>
Subject: Re: [Anima] Discovery of proxy/registrar insufficient (GRASP and more).
X-BeenThere: anima@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Autonomic Networking Integrated Model and Approach <anima.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/anima>, <mailto:anima-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/anima/>
List-Post: <mailto:anima@ietf.org>
List-Help: <mailto:anima-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/anima>, <mailto:anima-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 13 Apr 2022 17:46:52 -0000
Toerless Eckert <tte@cs.fau.de> wrote: > This is insufficient. Section 4.3 only describes the GRASP objective > for EST-TLS, which uses the objective-value "EST-TLS". For the > constrained join proxy, you need to specify the objective to use a new > appropriate objective. For example, you could specify to continue to > use AN_join_registrar, but use an objective-value of "EST-COAPS". That > would IMHO be in the spirit of how we defined the RFC8995 GRASP > objective. And astoundingly (;-)) it wouldn't require a new IANA > registration (i think, Brian ?). Yes, you are right, we need to have a new objective to announce. I guess that we don't really think about the constrained-join-proxy really being used in an ACP context, but we really should that right. https://github.com/anima-wg/constrained-join-proxy/issues/17 > Note that it is not sufficient to delta RFC8995 and mention > "EST-COAPS", because the GRASP objective also needs to indicate UDP > instead of TCP. Even though it is longer, it would IMHO be prudent to > copy the whole GRASP objectives and examples from RFC8995 and > accordingly modify them, so that the constrained-proxy draft is > "standalone" in this respect (even if a page longer). I think you are asking us to show an example that advertises both RFC8995, and the constrained version, correct? > Isn't there the thought that some other variations of BRSKI will use > protocol variations, such as not CBOR+JSON ? some other "CMP" encoding > ? We decided that Registrars will be responsible for interoperation, and will support all protocols the operator expects to use. If you buy a Registrar that does not do X and a pledge that only does X, then it fails, and you were stupid. > I am asking, because it seems to me we need to be aware, that the > constrained-proxy is logically "just" a DTLS proxy, but once we have > more than one DTLS BRSKI variation, we still need to be able for > pledges to connect to registrar(s) that talk the BRSKI variation that > the pledge supports. What we define here initially is effectively > proxy/registrar for EST-COAPS. So let's assume, we get another > protocol, OTHER1-DTLS. The constrained proxy continues to work, but it > would now need to discover the OTHER1-DTLS Registrar, allocate a new > UDP port number on which to offer proxy services for OTHER1-DTLS and > announce that to pledges. You aren't wrong, but you also aren't right. Pledges are expected to try all options (possibly concurrently if they have CPU/ram) until they find one that works. There is no reason the join proxy needs to know the details of the Registrar supports, only that they support a way to talk to it. > I wonder if the names choosen for est-coaps discovery, brski.jp and > brski.rjp are ideal indicative of the fact that we're rather defining > brski-est-coaps.jp and brski-est-coaps.rjp. I guess beauty/explicitness Fair point. > 3. 6tisch discovery > [I-D.ietf-6tisch-enrollment-enhanced-beacon] is now RFC9032, please > update draft accordingly. > Upon quick browse of RFC9032 i fail to see how/where RFC9032 would be > able to deal with more than one discovery protocol. E.g.: How would we > discover BRSKI-EST-COAPS-REGISTRAR BRSKI-EST-COAPS-PROXY > OTHER1-DTLS-REGISTRAR OTHER1-DTLS-PROXY Yes, are you right. RFC9032 does not support DTLS at all. It supports RFC9031 only. Perhaps we should simply indicate that we don't support 6TISCH. > 4. Stateful vs. stateless proxy discovery > How do i know as a customer of equipment know that all my > pledges/proxies/registrars will interoperate in the face of those > devices seemingly being able to freely pick stateful and/or stateless > mode of operations ? Because, we defined the proxy to have a standard interface. (Except for CoAP/OSCORE vs CoAPS above) How the join proxy keeps state (in memory or in the network) is a private matter between the JP and the Registrar, and does not concern the pledge. -- ] Never tell me the odds! | ipv6 mesh networks [ ] Michael Richardson, Sandelman Software Works | network architect [ ] mcr@sandelman.ca http://www.sandelman.ca/ | ruby on rails [ -- Michael Richardson <mcr+IETF@sandelman.ca>, Sandelman Software Works -= IPv6 IoT consulting =-
- [Anima] Discovery of proxy/registrar insufficient… Toerless Eckert
- Re: [Anima] Discovery of proxy/registrar insuffic… Brian E Carpenter
- Re: [Anima] Discovery of proxy/registrar insuffic… Toerless Eckert
- Re: [Anima] Discovery of proxy/registrar insuffic… Michael Richardson
- Re: [Anima] Discovery of proxy/registrar insuffic… Toerless Eckert
- Re: [Anima] Discovery of proxy/registrar insuffic… Brian E Carpenter
- Re: [Anima] Discovery of proxy/registrar insuffic… Peter van der Stok
- Re: [Anima] Discovery of proxy/registrar insuffic… Toerless Eckert
- Re: [Anima] Discovery of proxy/registrar insuffic… Brian E Carpenter
- Re: [Anima] Discovery of proxy/registrar insuffic… Brian E Carpenter
- [Anima] GRASP securty/transport substrate alterna… Toerless Eckert
- Re: [Anima] Discovery of proxy/registrar insuffic… Michael Richardson
- Re: [Anima] Discovery of proxy/registrar insuffic… Peter van der Stok
- Re: [Anima] Discovery of proxy/registrar insuffic… Michael Richardson
- Re: [Anima] Discovery of proxy/registrar insuffic… Brian E Carpenter
- Re: [Anima] Discovery of proxy/registrar insuffic… Toerless Eckert
- Re: [Anima] Discovery of proxy/registrar insuffic… Toerless Eckert
- Re: [Anima] Discovery of proxy/registrar insuffic… Brian E Carpenter
- [Anima] FYI: est-coaps registered (was: Re: Disco… Toerless Eckert
- Re: [Anima] Discovery of proxy/registrar insuffic… Michael Richardson
- Re: [Anima] Discovery of proxy/registrar insuffic… Michael Richardson
- Re: [Anima] FYI: est-coaps registered (was: Re: D… Michael Richardson
- Re: [Anima] Discovery of proxy/registrar insuffic… Michael Richardson
- Re: [Anima] Discovery of proxy/registrar insuffic… Michael Richardson
- Re: [Anima] FYI: est-coaps registered (was: Re: D… Carsten Bormann
- Re: [Anima] Discovery of proxy/registrar insuffic… Brian E Carpenter
- Re: [Anima] FYI: est-coaps registered (was: Re: D… Toerless Eckert
- [Anima] Carsten: Re: FYI: est-coaps registered (w… Toerless Eckert
- Re: [Anima] FYI: est-coaps registered (was: Re: D… Michael Richardson
- Re: [Anima] FYI: est-coaps registered (was: Re: D… Toerless Eckert
- Re: [Anima] FYI: est-coaps registered (was: Re: D… Brian E Carpenter
- Re: [Anima] FYI: est-coaps registered (was: Re: D… Michael Richardson
- Re: [Anima] FYI: est-coaps registered (was: Re: D… Esko Dijk