IETF Logo Mail Archive

Re: [Anima] Discovery of proxy/registrar insufficient (GRASP and more).

Michael Richardson <mcr+ietf@sandelman.ca> Wed, 13 April 2022 17:46 UTC

Return-Path: <mcr@sandelman.ca>
X-Original-To: anima@ietfa.amsl.com
Delivered-To: anima@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id CE2773A1C72 for <anima@ietfa.amsl.com>; Wed, 13 Apr 2022 10:46:51 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.909
X-Spam-Level:
X-Spam-Status: No, score=-1.909 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id pTWctWfofSfN for <anima@ietfa.amsl.com>; Wed, 13 Apr 2022 10:46:47 -0700 (PDT)
Received: from relay.sandelman.ca (relay.cooperix.net [IPv6:2a01:7e00:e000:2bb::1]) (using TLSv1.2 with cipher ADH-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id DD35A3A1C73 for <anima@ietf.org>; Wed, 13 Apr 2022 10:46:46 -0700 (PDT)
Received: from dooku.sandelman.ca (desktop4.sandelman.ca [209.87.249.16]) by relay.sandelman.ca (Postfix) with ESMTPS id 0CC011F4C9; Wed, 13 Apr 2022 17:41:05 +0000 (UTC)
Received: by dooku.sandelman.ca (Postfix, from userid 179) id 70AF91A0482; Wed, 13 Apr 2022 13:19:21 -0400 (EDT)
From: Michael Richardson <mcr+ietf@sandelman.ca>
To: Toerless Eckert <tte@cs.fau.de>, anima@ietf.org
In-reply-to: <YlWUA7xhMU2XtJsz@faui48e.informatik.uni-erlangen.de>
References: <YlWUA7xhMU2XtJsz@faui48e.informatik.uni-erlangen.de>
Comments: In-reply-to Toerless Eckert <tte@cs.fau.de> message dated "Tue, 12 Apr 2022 17:00:19 +0200."
X-Mailer: MH-E 8.6+git; nmh 1.7.1; GNU Emacs 26.3
MIME-Version: 1.0
Content-Type: multipart/signed; boundary="=-=-="; micalg="pgp-sha512"; protocol="application/pgp-signature"
Date: Wed, 13 Apr 2022 13:19:21 -0400
Message-ID: <388791.1649870361@dooku>
Archived-At: <https://mailarchive.ietf.org/arch/msg/anima/25_6yuoRgQyp4fu0kLs8fEW5zXg>
Subject: Re: [Anima] Discovery of proxy/registrar insufficient (GRASP and more).
X-BeenThere: anima@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Autonomic Networking Integrated Model and Approach <anima.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/anima>, <mailto:anima-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/anima/>
List-Post: <mailto:anima@ietf.org>
List-Help: <mailto:anima-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/anima>, <mailto:anima-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 13 Apr 2022 17:46:52 -0000

Toerless Eckert <tte@cs.fau.de> wrote:
    > This is insufficient. Section 4.3 only describes the GRASP objective
    > for EST-TLS, which uses the objective-value "EST-TLS". For the
    > constrained join proxy, you need to specify the objective to use a new
    > appropriate objective. For example, you could specify to continue to
    > use AN_join_registrar, but use an objective-value of "EST-COAPS". That
    > would IMHO be in the spirit of how we defined the RFC8995 GRASP
    > objective. And astoundingly (;-)) it wouldn't require a new IANA
    > registration (i think, Brian ?).

Yes, you are right, we need to have a new objective to announce.
I guess that we don't really think about the constrained-join-proxy really
being used in an ACP context, but we really should that right.

https://github.com/anima-wg/constrained-join-proxy/issues/17

    > Note that it is not sufficient to delta RFC8995 and mention
    > "EST-COAPS", because the GRASP objective also needs to indicate UDP
    > instead of TCP. Even though it is longer, it would IMHO be prudent to
    > copy the whole GRASP objectives and examples from RFC8995 and
    > accordingly modify them, so that the constrained-proxy draft is
    > "standalone" in this respect (even if a page longer).

I think you are asking us to show an example that advertises both RFC8995,
and the constrained version, correct?

    > Isn't there the thought that some other variations of BRSKI will use
    > protocol variations, such as not CBOR+JSON ? some other "CMP" encoding
    > ?

We decided that Registrars will be responsible for interoperation, and will
support all protocols the operator expects to use.   If you buy a Registrar
that does not do X and a pledge that only does X, then it fails, and you were
stupid.

    > I am asking, because it seems to me we need to be aware, that the
    > constrained-proxy is logically "just" a DTLS proxy, but once we have
    > more than one DTLS BRSKI variation, we still need to be able for
    > pledges to connect to registrar(s) that talk the BRSKI variation that
    > the pledge supports. What we define here initially is effectively
    > proxy/registrar for EST-COAPS. So let's assume, we get another
    > protocol, OTHER1-DTLS. The constrained proxy continues to work, but it
    > would now need to discover the OTHER1-DTLS Registrar, allocate a new
    > UDP port number on which to offer proxy services for OTHER1-DTLS and
    > announce that to pledges.

You aren't wrong, but you also aren't right.
Pledges are expected to try all options (possibly concurrently if they have
CPU/ram) until they find one that works.    There is no reason the join proxy
needs to know the details of the Registrar supports, only that they support a
way to talk to it.

    > I wonder if the names choosen for est-coaps discovery, brski.jp and
    > brski.rjp are ideal indicative of the fact that we're rather defining
    > brski-est-coaps.jp and brski-est-coaps.rjp. I guess beauty/explicitness

Fair point.

    > 3. 6tisch discovery

    > [I-D.ietf-6tisch-enrollment-enhanced-beacon] is now RFC9032, please
    > update draft accordingly.

    > Upon quick browse of RFC9032 i fail to see how/where RFC9032 would be
    > able to deal with more than one discovery protocol. E.g.: How would we
    > discover BRSKI-EST-COAPS-REGISTRAR BRSKI-EST-COAPS-PROXY
    > OTHER1-DTLS-REGISTRAR OTHER1-DTLS-PROXY

Yes, are you right.
RFC9032 does not support DTLS at all.
It supports RFC9031 only.
Perhaps we should simply indicate that we don't support 6TISCH.

    > 4. Stateful vs. stateless proxy discovery

    > How do i know as a customer of equipment know that all my
    > pledges/proxies/registrars will interoperate in the face of those
    > devices seemingly being able to freely pick stateful and/or stateless
    > mode of operations ?

Because, we defined the proxy to have a standard interface.
(Except for CoAP/OSCORE vs CoAPS above)

How the join proxy keeps state (in memory or in the network) is a private
matter between the JP and the Registrar, and does not concern the pledge.

--
]               Never tell me the odds!                 | ipv6 mesh networks [
]   Michael Richardson, Sandelman Software Works        | network architect  [
]     mcr@sandelman.ca  http://www.sandelman.ca/        |   ruby on rails    [


--
Michael Richardson <mcr+IETF@sandelman.ca>, Sandelman Software Works
 -= IPv6 IoT consulting =-

v2.23.0 | Report a Bug | By Email