IETF Logo Mail Archive

Re: [Anima] Adam Roach's Discuss on draft-ietf-anima-bootstrapping-keyinfra-22: (with DISCUSS and COMMENT)

Michael Richardson <mcr+ietf@sandelman.ca> Sun, 14 July 2019 22:48 UTC

Return-Path: <mcr+ietf@sandelman.ca>
X-Original-To: anima@ietfa.amsl.com
Delivered-To: anima@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id EDABA120158; Sun, 14 Jul 2019 15:48:56 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.859
X-Spam-Level:
X-Spam-Status: No, score=-2.859 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DATE_IN_PAST_24_48=1.34, RCVD_IN_DNSWL_MED=-2.3, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id x5OUEdhRL1qJ; Sun, 14 Jul 2019 15:48:54 -0700 (PDT)
Received: from tuna.sandelman.ca (tuna.sandelman.ca [209.87.249.19]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 98BD712006B; Sun, 14 Jul 2019 15:48:54 -0700 (PDT)
Received: from sandelman.ca (unknown [IPv6:2607:f0b0:f:2:56b2:3ff:fe0b:d84]) by tuna.sandelman.ca (Postfix) with ESMTP id 765A33818E; Sun, 14 Jul 2019 18:48:51 -0400 (EDT)
Received: from localhost (localhost [IPv6:::1]) by sandelman.ca (Postfix) with ESMTP id CB44FF32; Sat, 13 Jul 2019 11:10:27 -0400 (EDT)
From: Michael Richardson <mcr+ietf@sandelman.ca>
To: Eliot Lear <lear@cisco.com>
cc: Adam Roach <adam@nostrum.com>, draft-ietf-anima-bootstrapping-keyinfra@ietf.org, Toerless Eckert <tte+ietf@cs.fau.de>, anima@ietf.org, The IESG <iesg@ietf.org>, anima-chairs@ietf.org
In-Reply-To: <ACEB4033-707F-47AF-B58A-5227B444BEAB@cisco.com>
References: <156282703648.15280.17739830959261983790.idtracker@ietfa.amsl.com> <17580.1562874933@localhost> <ACEB4033-707F-47AF-B58A-5227B444BEAB@cisco.com>
X-Mailer: MH-E 8.6; nmh 1.7+dev; GNU Emacs 24.5.1
X-Face: $\n1pF)h^`}$H>Hk{L"x@)JS7<%Az}5RyS@k9X%29-lHB$Ti.V>2bi.~ehC0; <'$9xN5Ub# z!G,p`nR&p7Fz@^UXIn156S8.~^@MJ*mMsD7=QFeq%AL4m<nPbLgmtKK-5dC@#:k
MIME-Version: 1.0
Content-Type: multipart/signed; boundary="=-=-="; micalg="pgp-sha256"; protocol="application/pgp-signature"
Date: Sat, 13 Jul 2019 11:10:27 -0400
Message-ID: <1692.1563030627@localhost>
Archived-At: <https://mailarchive.ietf.org/arch/msg/anima/2MPdUNCipiLJnkVJyjoTSdS9-xE>
Subject: Re: [Anima] Adam Roach's Discuss on draft-ietf-anima-bootstrapping-keyinfra-22: (with DISCUSS and COMMENT)
X-BeenThere: anima@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Autonomic Networking Integrated Model and Approach <anima.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/anima>, <mailto:anima-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/anima/>
List-Post: <mailto:anima@ietf.org>
List-Help: <mailto:anima-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/anima>, <mailto:anima-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 14 Jul 2019 22:48:57 -0000

Eliot Lear <lear@cisco.com> wrote:
    > I think the simplest way to address the bulk of both Adam’s and
    > Warren’s concern is to require the device to emit via whatever
    > management interface exists, upon request, a voucher that it has signed
    > with its own iDevID.  It would have to be nonceless with perhaps a long
    > expiry, and that would cover a number of other use cases as well.  That
    > way if the manufacturer goes out of business, or if the owner wants to
    > transfer the device without manufacturer consent, there is a way
    > forward.

1) would it have a pinned-domain-cert for the new owner, or would it be
   some kind of wildcard/bearer voucher?

2) what would the management interface be, specifically, how would it be
   secured?

This would seem to cover the case where there is an orderly sale of equipment
From an owner who is still in business to a new owner who is ready to receive
the device.  In my experience buying used routing equipment, this is never
the case.

The best case is that equipment was removed from active service 6 to 10
months previously, stored somewhere until it was certain that no spares would
be required, and then sold on eBay directly to the buyer.

Creating this new voucher would require that the sellor spin the systems up,
hook them back onto some management interface (which effectively means going
through the onboarding process again, since their IP addresses will be wrong,
having been replaced), and then getting a voucher issued for the buyor's
domainID.   Is this ridiculous? No. Knowing that the systems boot (and
haven't rotted), and knowing that the old configurations have correctly wiped
is pretty good hygiene.

Often the systems are purchased by a used equipment broker, and having the
broker issue an intermediate (could be time limited) voucher to themselves
would be reasonable as they take the systems into their inventory.  In larger
sales, the broker could provide personnel to do the spin-up at the sellor's
location.

The sellor *could* generate that voucher themselves before the device is
taken offline, linking the voucher to a newly generated domain owner
keypair.  This effectively is now a bearer voucher.  At which point one could
consider some other kind of existing technology: a TLS session resumption
ticket (issued by the BRSKI client to the Registrar) might make more
sense. It has all the properties of a bearer voucher, and all the risks,
but is well established mechanism.

I would be happy to start a draft that explained this process.
It's something that I wish we have a SEC-AREA BRSKI WG to make sure we get
this right.

In the worst case, the reason the equipment is being sold is because the
sellor went into bankruptcy.  There is no sellor Registrar to invoke this
API.

--
Michael Richardson <mcr+IETF@sandelman.ca>, Sandelman Software Works
 -= IPv6 IoT consulting =-

v2.23.0 | Report a Bug | By Email