[Anima] GRASP securty/transport substrate alternatives (was: Re: Discovery of proxy/registrar insufficient ...) more).
Toerless Eckert <tte@cs.fau.de> Thu, 28 April 2022 17:51 UTC
Return-Path: <eckert@i4.informatik.uni-erlangen.de>
X-Original-To: anima@ietfa.amsl.com
Delivered-To: anima@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 190CDC14F731 for <anima@ietfa.amsl.com>; Thu, 28 Apr 2022 10:51:06 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.651
X-Spam-Level:
X-Spam-Status: No, score=-1.651 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HEADER_FROM_DIFFERENT_DOMAINS=0.248, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=no autolearn_force=no
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id E69e8q4uzI5b for <anima@ietfa.amsl.com>; Thu, 28 Apr 2022 10:51:01 -0700 (PDT)
Received: from faui40.informatik.uni-erlangen.de (faui40.informatik.uni-erlangen.de [131.188.34.40]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 57016C14F738 for <anima@ietf.org>; Thu, 28 Apr 2022 10:51:00 -0700 (PDT)
Received: from faui48e.informatik.uni-erlangen.de (faui48e.informatik.uni-erlangen.de [IPv6:2001:638:a000:4134::ffff:51]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256) (No client certificate requested) by faui40.informatik.uni-erlangen.de (Postfix) with ESMTPS id 28A8A549EAD; Thu, 28 Apr 2022 19:50:54 +0200 (CEST)
Received: by faui48e.informatik.uni-erlangen.de (Postfix, from userid 10463) id F26D64EAD33; Thu, 28 Apr 2022 19:50:53 +0200 (CEST)
Date: Thu, 28 Apr 2022 19:50:53 +0200
From: Toerless Eckert <tte@cs.fau.de>
To: Brian E Carpenter <brian.e.carpenter@gmail.com>
Cc: Michael Richardson <mcr+ietf@sandelman.ca>, anima@ietf.org
Message-ID: <YmrT/Qyqcdr+17k4@faui48e.informatik.uni-erlangen.de>
References: <YlWUA7xhMU2XtJsz@faui48e.informatik.uni-erlangen.de> <388791.1649870361@dooku> <Ymc57cpieDGAcn1X@faui48e.informatik.uni-erlangen.de> <02c83a2a-9370-9a69-ffa8-6c1259a2320f@gmail.com> <YmhdnX5P9C8mDGLR@faui48e.informatik.uni-erlangen.de> <1bcbe933-a451-65b2-79cf-c526e7225517@gmail.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Disposition: inline
In-Reply-To: <1bcbe933-a451-65b2-79cf-c526e7225517@gmail.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/anima/Bi6jaDwcHCwA-XOzP1D-wcuL4mw>
Subject: [Anima] GRASP securty/transport substrate alternatives (was: Re: Discovery of proxy/registrar insufficient ...) more).
X-BeenThere: anima@ietf.org
X-Mailman-Version: 2.1.34
Precedence: list
List-Id: Autonomic Networking Integrated Model and Approach <anima.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/anima>, <mailto:anima-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/anima/>
List-Post: <mailto:anima@ietf.org>
List-Help: <mailto:anima-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/anima>, <mailto:anima-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 28 Apr 2022 17:51:06 -0000
Changing subject as this is not directly related to the current constrained-brski drafts.. On Thu, Apr 28, 2022 at 02:13:40PM +1200, Brian E Carpenter wrote: > > Yes, was thinking of that, but instead of trying to invent what i'd call a new lightweight > > crypto header just use DTLS and TLS. So some similar or rewrite of that proposal. > > TLS for the GRASP TCP sessions should be fine. The reason I did QUADS was because people told me that multicast DTLS was not a thing, but GRASP depends on multicast UDP. But we only need unsecured link-local multicast fo DULL GRASP, but no other multicast. And instead of TLS we just use DTLS everywhere for GRASP, e.g.: - link-local p2p DTLS insted link-local TCP over ACP secure channel (because we have no ACP secure channel in such constrained networks) - end-to-end p2p DTLS instead of end-to-end TLS over ACP secure channel If we had a non-constrained network without ACP, we would do the same with TLS, because ultimately DTLS is not less overhead than TLS, its just a religion by some IoT folks. Aka: just to recreate the ACP-GRASP experience without an ACP we could just specify such a "constrained" DTLS and "unconstrained" TLS substrate option. This is maybe a bit spec-it-and-hope-they-will-come, but obviously, the overhead of a whole separate ACP is orders of magnitude higher than this simple application-layer-only "service-management-daemon" (one way to sell GRASP). The not-as-easy-resolved-issue is IMHO selecting some way to authenticate GRASP messages, e.g.: optional JOSE field in GRASP messages or the like. And defining maybe some ACP certificate property that authorizes the node to announce services. Those type of better-than-group-security would be likely highly needed in those non-ACP deployments. Cheers Toerless > Brian > > > > > > That work is not ready for the standards track but it shows proof of concept, if you accept the need for a shared secret. > > > > Given how we would be pitching it to networks where devices are enrolled with a certificate, > > we would get zero-touch deployment by using that certificate. And we given how we wouldn't > > want to do address assignment, we might get away with non-enhanced certificates. > > > > Its really the question where/how those constrained vouchers would be used in mesh networks and what > > gaps those mesh networks might have. > > > > 6TISCH for example seems like not having something useful for discovery right now if i correctly > > extrapolate MichaelR's last reply here. > > > > CHeers > > Toerless > > > > > > > > Regards > > > Brian > > > > > > On 26-Apr-22 12:16, Toerless Eckert wrote: > > > > On Wed, Apr 13, 2022 at 01:19:21PM -0400, Michael Richardson wrote: > > > > > > > > (1) > > > > > > > > > Yes, you are right, we need to have a new objective to announce. > > > > > I guess that we don't really think about the constrained-join-proxy really > > > > > being used in an ACP context, but we really should that right. > > > > > > > > I don't think this is true. As soon as EST-COAPS proliferates as an RFC, > > > > the choice of TLS vs. COAPS becomes not only a necessity for constrained > > > > devices, but also a preference choice by solution designers. Less code > > > > modules etc. > > > > > > > > Also, RFC8995 promised the COAPS solution as part of ANI (the way i see it). > > > > > > > > I always imagined in-ceiling network switches that do full ACP but > > > > are also gateways to IoT edge networks as a good size candidate market example. > > > > > > > > (2) > > > > > > > > Separate question: Do we have a good understanding which solution > > > > that needs the constrained proxy will use which discovery mechanism ? > > > > > > > > I am asking because if/where there are gaps in supported discovery mechanisms, > > > > we might be able to suggest GRASP without ACP. Which would be somewhat of another > > > > draft.. > > > > > > > > > https://github.com/anima-wg/constrained-join-proxy/issues/17 > > > > > > > > > > > Note that it is not sufficient to delta RFC8995 and mention > > > > > > "EST-COAPS", because the GRASP objective also needs to indicate UDP > > > > > > instead of TCP. Even though it is longer, it would IMHO be prudent to > > > > > > copy the whole GRASP objectives and examples from RFC8995 and > > > > > > accordingly modify them, so that the constrained-proxy draft is > > > > > > "standalone" in this respect (even if a page longer). > > > > > > > > > > I think you are asking us to show an example that advertises both RFC8995, > > > > > and the constrained version, correct? > > > > > > > > (3) > > > > > > > > No. The example does not need to show both. Just constrained version as a > > > > standalone GRASP objective IMHO. I would suggest to clone the text from > > > > RFC8995 and accordingly modify it. > > > > > > > > > > Isn't there the thought that some other variations of BRSKI will use > > > > > > protocol variations, such as not CBOR+JSON ? some other "CMP" encoding > > > > > > ? > > > > > > > > > > We decided that Registrars will be responsible for interoperation, and will > > > > > support all protocols the operator expects to use. If you buy a Registrar > > > > > that does not do X and a pledge that only does X, then it fails, and you were > > > > > stupid. > > > > > > > > (4) > > > > > > > > In the first place this needs to be written down. > > > > > > > > But i'd rather like to argue it away because i think it is an unnecessary > > > > constraining "hack". > > > > > > > > Why have all this discovery mechanisms when they are not even used correctly. > > > > Underspecifying the exact service(s) a Registrar offers is like announcing > > > > "Oh, go to google for the WHATEVER services". > > > > > > > > I don't see that implementations would get more complex, but rather > > > > simpler if we simply are able to distinguish the different protocol options > > > > by their service name/parameters and have proxies/clients be able to select > > > > them. > > > > > > > > At least thats my opening offer, lets discuss ;-) But see below. > > > > > > > > > > I am asking, because it seems to me we need to be aware, that the > > > > > > constrained-proxy is logically "just" a DTLS proxy, but once we have > > > > > > more than one DTLS BRSKI variation, we still need to be able for > > > > > > pledges to connect to registrar(s) that talk the BRSKI variation that > > > > > > the pledge supports. What we define here initially is effectively > > > > > > proxy/registrar for EST-COAPS. So let's assume, we get another > > > > > > protocol, OTHER1-DTLS. The constrained proxy continues to work, but it > > > > > > would now need to discover the OTHER1-DTLS Registrar, allocate a new > > > > > > UDP port number on which to offer proxy services for OTHER1-DTLS and > > > > > > announce that to pledges. > > > > > > > > > > You aren't wrong, but you also aren't right. > > > > > Pledges are expected to try all options (possibly concurrently if they have > > > > > CPU/ram) until they find one that works. There is no reason the join proxy > > > > > needs to know the details of the Registrar supports, only that they support a > > > > > way to talk to it. > > > > > > > > (5) > > > > > > > > That "trial&error" too should be described if its here to stay. Even if just > > > > through a reference to an appropriate section in 8995 (if its in there, not sure). > > > > > > > > (6) > > > > > > > > How about cert renewal, did you folks discuss if this would ever be something > > > > pledges would want to do through the proxy ? In the case of ACP we did > > > > discuss this, and i thinkit's in 8994 as well. E.g.: when cert is expired, so > > > > the enrolled device can not wield its cert for secure network access, but its > > > > still good enough for renewal. > > > > > > > > > > I wonder if the names choosen for est-coaps discovery, brski.jp and > > > > > > brski.rjp are ideal indicative of the fact that we're rather defining > > > > > > brski-est-coaps.jp and brski-est-coaps.rjp. I guess beauty/explicitness > > > > > > > > > > Fair point. > > > > > > > > (7) > > > > > > > > I guess a compromise for (4) would be new text that leaves the decision for > > > > how to deal with the next enrollment protocol/encoding to such a followu draft: > > > > > > > > IF implementers of a new variant feel that all existing/deployed registrars > > > > will and should be able to support the new protocol variant (e.g.: brski-xmp-xyz), > > > > then that protocol option does not need to come up with a new variation. > > > > > > > > IF implementers feel that is not appropriate, then: > > > > a) A new set of service names is required (brski-xmp-xyz.jp/rjp or the like) > > > > b) constrained proxies supporting both the new and the old will have to > > > > effectively run separate instances for them, e.g.: each instance having > > > > a separate UDP port number towards the pledge and using separate > > > > service names from registrar and to proxy. > > > > > > > > > > 3. 6tisch discovery > > > > > > > > > > > [I-D.ietf-6tisch-enrollment-enhanced-beacon] is now RFC9032, please > > > > > > update draft accordingly. > > > > > > > > > > > Upon quick browse of RFC9032 i fail to see how/where RFC9032 would be > > > > > > able to deal with more than one discovery protocol. E.g.: How would we > > > > > > discover BRSKI-EST-COAPS-REGISTRAR BRSKI-EST-COAPS-PROXY > > > > > > OTHER1-DTLS-REGISTRAR OTHER1-DTLS-PROXY > > > > > > > > > > Yes, are you right. > > > > > RFC9032 does not support DTLS at all. > > > > > It supports RFC9031 only. > > > > > Perhaps we should simply indicate that we don't support 6TISCH. > > > > > > > > No opinion. Sounds like the easiest solution, unless you do want some > > > > way to support 6TISCH ? > > > > > > > > > > 4. Stateful vs. stateless proxy discovery > > > > > > > > > > > How do i know as a customer of equipment know that all my > > > > > > pledges/proxies/registrars will interoperate in the face of those > > > > > > devices seemingly being able to freely pick stateful and/or stateless > > > > > > mode of operations ? > > > > > > > > > > Because, we defined the proxy to have a standard interface. > > > > > > > > What does that mean ? Do all proxies need to support both modes, or > > > > is there only the requirement for one mode, but some undefined entity has to > > > > figue out what registrar/proxies in some network should decide to use ? > > > > > > > > > (Except for CoAP/OSCORE vs CoAPS above) > > > > > > > > OSCORE = ? > > > > > > > > > How the join proxy keeps state (in memory or in the network) is a private > > > > > matter between the JP and the Registrar, and does not concern the pledge. > > > > > > > > Cheers > > > > Toerless > > > > > > > > > -- > > > > > ] Never tell me the odds! | ipv6 mesh networks [ > > > > > ] Michael Richardson, Sandelman Software Works | network architect [ > > > > > ] mcr@sandelman.ca http://www.sandelman.ca/ | ruby on rails [ > > > > > > > > > > > > > > > -- > > > > > Michael Richardson <mcr+IETF@sandelman.ca>, Sandelman Software Works > > > > > -= IPv6 IoT consulting =- > > > > > > > > _______________________________________________ > > > > Anima mailing list > > > > Anima@ietf.org > > > > https://www.ietf.org/mailman/listinfo/anima > > > > > > -- --- tte@cs.fau.de
- [Anima] Discovery of proxy/registrar insufficient… Toerless Eckert
- Re: [Anima] Discovery of proxy/registrar insuffic… Brian E Carpenter
- Re: [Anima] Discovery of proxy/registrar insuffic… Toerless Eckert
- Re: [Anima] Discovery of proxy/registrar insuffic… Michael Richardson
- Re: [Anima] Discovery of proxy/registrar insuffic… Toerless Eckert
- Re: [Anima] Discovery of proxy/registrar insuffic… Brian E Carpenter
- Re: [Anima] Discovery of proxy/registrar insuffic… Peter van der Stok
- Re: [Anima] Discovery of proxy/registrar insuffic… Toerless Eckert
- Re: [Anima] Discovery of proxy/registrar insuffic… Brian E Carpenter
- Re: [Anima] Discovery of proxy/registrar insuffic… Brian E Carpenter
- [Anima] GRASP securty/transport substrate alterna… Toerless Eckert
- Re: [Anima] Discovery of proxy/registrar insuffic… Michael Richardson
- Re: [Anima] Discovery of proxy/registrar insuffic… Peter van der Stok
- Re: [Anima] Discovery of proxy/registrar insuffic… Michael Richardson
- Re: [Anima] Discovery of proxy/registrar insuffic… Brian E Carpenter
- Re: [Anima] Discovery of proxy/registrar insuffic… Toerless Eckert
- Re: [Anima] Discovery of proxy/registrar insuffic… Toerless Eckert
- Re: [Anima] Discovery of proxy/registrar insuffic… Brian E Carpenter
- [Anima] FYI: est-coaps registered (was: Re: Disco… Toerless Eckert
- Re: [Anima] Discovery of proxy/registrar insuffic… Michael Richardson
- Re: [Anima] Discovery of proxy/registrar insuffic… Michael Richardson
- Re: [Anima] FYI: est-coaps registered (was: Re: D… Michael Richardson
- Re: [Anima] Discovery of proxy/registrar insuffic… Michael Richardson
- Re: [Anima] Discovery of proxy/registrar insuffic… Michael Richardson
- Re: [Anima] FYI: est-coaps registered (was: Re: D… Carsten Bormann
- Re: [Anima] Discovery of proxy/registrar insuffic… Brian E Carpenter
- Re: [Anima] FYI: est-coaps registered (was: Re: D… Toerless Eckert
- [Anima] Carsten: Re: FYI: est-coaps registered (w… Toerless Eckert
- Re: [Anima] FYI: est-coaps registered (was: Re: D… Michael Richardson
- Re: [Anima] FYI: est-coaps registered (was: Re: D… Toerless Eckert
- Re: [Anima] FYI: est-coaps registered (was: Re: D… Brian E Carpenter
- Re: [Anima] FYI: est-coaps registered (was: Re: D… Michael Richardson
- Re: [Anima] FYI: est-coaps registered (was: Re: D… Esko Dijk