Re: [Anima] I-D Action: draft-ietf-anima-bootstrapping-keyinfra-06.txt
Brian E Carpenter <brian.e.carpenter@gmail.com> Mon, 12 June 2017 03:11 UTC
Return-Path: <brian.e.carpenter@gmail.com>
X-Original-To: anima@ietfa.amsl.com
Delivered-To: anima@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 937E31294BC; Sun, 11 Jun 2017 20:11:09 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2
X-Spam-Level:
X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ciCpEbk4TwVT; Sun, 11 Jun 2017 20:11:07 -0700 (PDT)
Received: from mail-pf0-x22c.google.com (mail-pf0-x22c.google.com [IPv6:2607:f8b0:400e:c00::22c]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id AC40D126DED; Sun, 11 Jun 2017 20:11:06 -0700 (PDT)
Received: by mail-pf0-x22c.google.com with SMTP id x63so46524736pff.3; Sun, 11 Jun 2017 20:11:06 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=subject:references:from:organization:to:cc:message-id:date :user-agent:mime-version:in-reply-to:content-language :content-transfer-encoding; bh=TlTOpdsxKr5dDWajY6ZqL97kVwbV9yfqH9zvmlmUg8s=; b=Yxr5PNkILXFfgmCBGLchw0/xjM0qHOZ0UoC6BBtYYNu7oGaLu2BVTwR5ac2HzjsMhj DD/nzm7Y7Yuw6JJpdMur/unpqY84p5gioQMWN1rPHWuUvF+1mIGVgZDF62a5FSMXbqUl 4U/7XOvjXYluyO/UpnBll9D++sVjc0Z2zm1rjqm5R/cB/556w5ZZaZ031A8/6cal/hrN 3BEm2cWiOoZpqySdmbzbP5BuiOjqGt7TtL3c8RB/ZIxP/7ZMV1qOU+d7+OmJARd8X1It evyD+ZE/10POajtRf8VhflBpwoTSdi6r8PgoYL9V2SWnqUXMd7NkB8NRyTYaJe0JKkGD Qxmw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:subject:references:from:organization:to:cc :message-id:date:user-agent:mime-version:in-reply-to :content-language:content-transfer-encoding; bh=TlTOpdsxKr5dDWajY6ZqL97kVwbV9yfqH9zvmlmUg8s=; b=oj8ySaK/rPaP2XIfUK/p3I6jw5tHiiGjAihi0zWY4SbtT4OicrXnTrfzyv8g4FoHd+ EG1DcbntB67fotqb06XY1BYI2QjQfvA2D64/6haLlg8o8Rk07U/AgeMwoHgPFbddc6xb PEEL1vCev/UKxEINsItVMAvPFnSmh7SO0Zfzi+uw9a6Ph/XSSd2C+KN2KSbN5kqdCyvP Ydmyrr/hjysz24K1A+qasjmBTi4DdRd0j9P8Dtgz7DfNI8+skSL+Ax9TK5LqPtawNtsw S/hWgGPwtC4Cgc77DtB+cmdOvzrodHKEmyQW+ituxx4qAf8Cs6mYNTiypj7ImFYto5Mo oi+A==
X-Gm-Message-State: AODbwcAQmMvxknwvpO2fDTjiEEMldoplVij/sAwVJbDw+mc1f6TTVRN0 gMTOPghJ4g67mMX7
X-Received: by 10.84.224.5 with SMTP id r5mr55354265plj.267.1497237066035; Sun, 11 Jun 2017 20:11:06 -0700 (PDT)
Received: from [192.168.178.21] ([118.148.117.140]) by smtp.gmail.com with ESMTPSA id 62sm12862383pfz.39.2017.06.11.20.11.03 (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Sun, 11 Jun 2017 20:11:05 -0700 (PDT)
References: <149566389334.8737.940293315082013190@ietfa.amsl.com>
From: Brian E Carpenter <brian.e.carpenter@gmail.com>
Organization: University of Auckland
To: draft-ietf-anima-bootstrapping-keyinfra@ietf.org
Cc: Anima WG <anima@ietf.org>
Message-ID: <e24d09bd-9497-3066-7659-895c664bb248@gmail.com>
Date: Mon, 12 Jun 2017 15:11:02 +1200
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:52.0) Gecko/20100101 Thunderbird/52.1.1
MIME-Version: 1.0
In-Reply-To: <149566389334.8737.940293315082013190@ietfa.amsl.com>
Content-Type: text/plain; charset="utf-8"
Content-Language: en-US
Content-Transfer-Encoding: 7bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/anima/8VQHnU2I_tq6hZgySlhdRB9CTDA>
Subject: Re: [Anima] I-D Action: draft-ietf-anima-bootstrapping-keyinfra-06.txt
X-BeenThere: anima@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Autonomic Networking Integrated Model and Approach <anima.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/anima>, <mailto:anima-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/anima/>
List-Post: <mailto:anima@ietf.org>
List-Help: <mailto:anima-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/anima>, <mailto:anima-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 12 Jun 2017 03:11:10 -0000
Hi,
About the GRASP usage in BRSKI:
> 3.1.1. Proxy Discovery Protocol Details
>
> The proxy uses the GRASP M_FLOOD mechanism to announce itself. This
> announcement is done with the same message as the ACP announcement
> detailed in [I-D.ietf-anima-autonomic-control-plane].
Can we make it:
This announcement SHOULD be done with the same message...
That's only an optimisation, really.
>
> proxy-objective = ["Proxy", [ O_IPv6_LOCATOR, ipv6-address,
> transport-proto, port-number ] ]
>
> ipv6-address - the v6 LL of the proxy
> transport-proto - 6, for TCP 17 for UDP
> port-number - the TCP or UDP port number to find the proxy
1. We need to agree on the objective name; at the moment the draft is
inconsistent. What's wrong with "AN_Proxy"? It also needs to go in the
IANA Considerations since it needs to be registered.
2. It would be better to make normative references for the items that
are taken directly from the GRASP spec:
ipv6-address: as defined in [I-D.ietf-anima-grasp] but REQUIRED to be link-local
transport-proto: as defined in [I-D.ietf-anima-grasp]
port-number: as defined in [I-D.ietf-anima-grasp]
> 3.1.2. Registrar Discovery Protocol Details
>
> A Registrar is typically configured manually. When the Registrar
> joins an Autonomic Control Plane
> ([I-D.ietf-anima-autonomic-control-plane]) it MUST respond to GRASP
> ([I-D.ietf-anima-grasp]) M_NEG_SYN message.
That's kind of jumping into the middle. Perhaps start by saying
...it MUST support the GRASP objective "AN_registrar" for discovery
and synchronization.
> The registrar responds to discovery messages from the proxy (or GRASP
> caches between them) as follows: (XXX changed from M_DISCOVERY)
>
> objective = ["AN_registrar", F_DISC, 255 ]
> discovery-message = [M_NEG_SYN, session-id, initiator, objective]
No, that isn't a discovery message. In fact, it isn't a GRASP message
type at all. Now we need to decide whether you want to support GRASP
rapid mode. If not, there needs to be an M_DISCOVERY, followed
by an M_RESPONSE, followed by an M_REQ_SYN, followed by an M_SYNCH.
But you don't need to specify *any* of that, if you specify a GRASP
synchronization objective. It's just bog standard GRASP.
Similarly if you want to support rapid mode. Really, all you need to
specify is the format of the objective, the fact that it supports
synchronization, and whether it supports rapid mode.
> Figure 6: Registrar Discovery
>
> The response from the registrar (or cache) will be a M_RESPONSE with
> the following parameters:
>
> response-message = [M_RESPONSE, session-id, initiator, ttl,
> (+locator-option // divert-option), ?objective)]
> initiator = ACP address of Registrar
> locator1 = [O_IPv6_LOCATOR, fd45:1345::6789, 6, 443]
> locator2 = [O_IPv6_LOCATOR, fd45:1345::6789, 17, 5683]
> locator3 = [O_IPv6_LOCATOR, fe80::1234, 41, nil]
So now I'm lost. Using M_FLOOD gives you the option of attaching
arbitrary locators, but here you seem to be attaching arbitrary
locators to a response message.
1) The initiator field in M_RESPONSE echoes the initiator
field in the M_DISCOVERY. That's non-negotiable because it's
required for matching responses to the correct discoverer.
2) The locators in M_RESPONSE are supposed to be GRASP locators
for starting a GRASP M_REQ_* session. It's kind of weird to use
them for communicationg the BRSKI locators. I can't see a big
reason why it won't work, but it needs to be called out explicitly.
(After the discussion back in Berlin, we added a feature to
M_FLOOD to allow arbitrary locators to be attached to a given
flood message. I thought that was what the BRSKI team wanted
at that time. Seems not.)
What I had assumed is that you'd return the BRKSI information as
the *value* of the "AN_registrar" objective. That would give
100% freedom, independent of GRASP inner workings. That's what
you have done in the "AN_proxy" objective. It would be simpler
to do the same here.
Also, 41 is not a protocol type defined in GRASP
today. And does protocol 6 actually mean TLS in this case?
Let me know your thoughts. I'm very willing to write text (and
Python demo code) but I need to know what you want that's consistent
with GRASP.
Regards
Brian
- [Anima] I-D Action: draft-ietf-anima-bootstrappin… internet-drafts
- Re: [Anima] I-D Action: draft-ietf-anima-bootstra… Brian E Carpenter
- [Anima] Use of M_FLOOD for discovery of Proxy Michael Richardson
- Re: [Anima] Use of M_FLOOD for discovery of Proxy Brian E Carpenter
- Re: [Anima] Use of M_FLOOD for discovery of Proxy Toerless Eckert
- Re: [Anima] Use of M_FLOOD for discovery of Proxy Brian E Carpenter
- Re: [Anima] Use of M_FLOOD for discovery of Proxy Michael Richardson
- Re: [Anima] Use of M_FLOOD for discovery of Proxy Michael Richardson
- Re: [Anima] Use of M_FLOOD for discovery of Proxy Brian E Carpenter
- Re: [Anima] Use of M_FLOOD for discovery of Proxy Michael Richardson
- Re: [Anima] Use of M_FLOOD for discovery of Proxy Toerless Eckert
- Re: [Anima] Use of M_FLOOD for discovery of Proxy Brian E Carpenter