[Anima] brski-discovery vs constrained BRSKI (was: Re: I-D Action: draft-ietf-anima-constrained-join-proxy-15.txt)

Toerless Eckert <tte@cs.fau.de> Tue, 21 November 2023 15:14 UTC

Date: Tue, 21 Nov 2023 16:14:40 +0100
From: Toerless Eckert <tte@cs.fau.de>
To: Esko Dijk <esko.dijk@iotconsultancy.nl>
Cc: Michael Richardson <mcr+ietf@sandelman.ca>, "anima@ietf.org" <anima@ietf.org>
Message-ID: <ZVzJYPPRunw5gCAu@faui48e.informatik.uni-erlangen.de>
References: <169927900610.48296.8352405496672443803@ietfa.amsl.com> <3528359.1699280649@dyas> <DU0P190MB1978A1B7481FE707DAB7E507FDBBA@DU0P190MB1978.EURP190.PROD.OUTLOOK.COM>
In-Reply-To: <DU0P190MB1978A1B7481FE707DAB7E507FDBBA@DU0P190MB1978.EURP190.PROD.OUTLOOK.COM>
Archived-At: <https://mailarchive.ietf.org/arch/msg/anima/C137KjZ8dXTMUvC_8wdy-2H60hY>
Subject: [Anima] brski-discovery vs constrained BRSKI (was: Re: I-D Action: draft-ietf-anima-constrained-join-proxy-15.txt)

Thanks Esko,

inline

On Tue, Nov 21, 2023 at 01:12:45PM +0000, Esko Dijk wrote:
> A first comment / question here: in IETF 118, it was proposed to focus the discovery methods for Constrained BRSKI (draft-ietf-anima-constrained-voucher) only on a single mechanism and leave further alternatives to future work (like GRASP and mDNS).
> 
> We didn't specifically discuss this aspect for the Constrained Join Proxy draft - do we need to do the same thing here and so take out the GRASP discovery text?
> Or are we sufficiently confident the GRASP definition is okay and valuable to have already now included in a draft? In that case we may leave it in.
>
> Esko

Check the GRASP text in both drafts. I think the text in constrained-join-proxy is more
harmful to move forward than the one in constrained-voucher. So I would definitely
like to see it removed, or I would want to raise concerns about it (which I think we
don't need to spend time on to get the constrained docs out the door):

draft-ietf-anima-constrained-voucher proposes:
  discover (stateful) registrar by proxy:  AN_join_registrar/BRSKI_JP 
  discover proxy by pledge:                AN_Proxy/DTLS

  The two objective-values proposed are not what we would logically end up with when
  using the more systematic approach from brski-discovery; instead, both could be
  empty strings, because both are defaults for use with CoAPs, which we declare to
  be assumed by use of IPPROTO_UDP. Both values would not matter, but could be
  defined easily for backward compatibility into brski-discovery if we were to keep
  the text.

draft-ietf-anima-constrained-join-proxy proposes:

  discover stateless registrar by proxy:  AN_join_registrar/BRSKI_RJP 
  discover proxy by pledge:               AN_Proxy/DTLS-EST

  The use of the AN_join_registrar objective-name would forfeit the transparent operation
  of join-proxies as described in brski-discovery, because it moves the choice of
  incompatible proxy<->registrar transport (stateful vs. stateless) into the objective-value
  element. Aka: this choice would block the way forward with brski-discovery unless
  brski-discovery would declare this specification invalid.

  brski-discovery instead proposes to use objective-name AN_join_registrar_rjp to
  indicate a stateless join registrar service, hence allowing all the different
  objective-values we want to use to still be available (and not occupied by the
  "BRSKI_RJP" value).

  Discovery of the proxy by the pledge via DTLS-EST is also incompatible with what
  constrained-voucher writes (DTLS), aka: it could not automatically be created by
  a transparent proxy as proposed by brski-discovery (which would simply keep "DTLS").

  In addition, constrained-join-proxy also includes one nice inspirational line:

       h'fda379a6f6ee00000200000064000001', IPPROTO_TCP, 8443],
       ["AN_join_registrar", 4, 255, "CMP"],

  To discover a CMP registrar, but without any explanation.

Aka: I'd have to go through the whole GRASP discovery text and see that it's not
wrong, and I'd rather spend that effort writing brski-discovery correctly...

Aka: please remove is my preferred option.

Let's see that we do check the CoAP text to be correct, though, with what we want to
have going forward.

Thanks!
    Toerless

> -----Original Message-----
> From: Anima <anima-bounces@ietf.org> On Behalf Of Michael Richardson
> Sent: Monday, November 6, 2023 15:24
> To: anima@ietf.org
> Subject: Re: [Anima] I-D Action: draft-ietf-anima-constrained-join-proxy-15.txt
> 
> 
> internet-drafts@ietf.org wrote:
>     >    Title: Join Proxy for Bootstrapping of Constrained Network Elements
>     >    Authors: Michael Richardson, Peter van der Stok, Panos Kampanakis
>     >    Name: draft-ietf-anima-constrained-join-proxy-15.txt
>     >    Pages: 26
>     >    Dates: 2023-11-06
> 
> ...
>     > A diff from the previous version is available at:
>     > https://author-tools.ietf.org/iddiff?url2=draft-ietf-anima-constrained-join-proxy-15
> 
> This is a repost of the I-D, because it expired.
> This version includes partial work on the IoT-Directorate review comments
> received in August, and which are still issues:
> 
> https://github.com/anima-wg/constrained-join-proxy/issues
> 
> So the work is just not done yet.
> There are a number of pull requests, some rather old, which I need to clean
> up and/or merge:
> https://github.com/anima-wg/constrained-join-proxy/pulls
> 
> Your comments are of course, very welcome.
> It is probably the case that there is a need for some additional review/text based upon the
> new conversations about the discovery draft. It would be great if there are
> new eyes reading this document, if they notice the mismatches.
> 
> --
> Michael Richardson <mcr+IETF@sandelman.ca>, Sandelman Software Works
>  -= IPv6 IoT consulting =-                      *I*LIKE*TRAINS*

-- 
---
tte@cs.fau.de
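Added example, not part of the message above or of either draft: a small Python model of the GRASP objectives under discussion. It CBOR-encodes an M_FLOOD carrying registrar objectives (message type, locator option and flag constants per RFC 8990, CBOR per RFC 8949), then shows a join proxy's registrar selection under the two naming schemes: the quoted drafts' scheme, where the stateful/stateless choice rides in the objective-value, and the brski-discovery scheme as Toerless describes it, where AN_join_registrar_rjp names the stateless service and the objective-value stays free for other uses. The registrar address is the one from the quoted line; the ports (5684 is the registered CoAPS port, 5685 is assumed), the session-id and TTL, and the rules in classify() are assumptions made for illustration, not text from any draft.

```python
"""Added example (not from the thread or from any ANIMA draft).

Constants and message layout follow RFC 8990 (GRASP); the CBOR subset follows
RFC 8949.  classify() encodes one reading of the argument in the message above
and is an assumption, not draft text.
"""
import struct

M_FLOOD = 9                 # RFC 8990 message type
O_IPv6_LOCATOR = 103        # RFC 8990 locator option type
F_SYNCH = 1 << 2            # objective flag bit (the "4" in the quoted line)
IPPROTO_TCP, IPPROTO_UDP = 6, 17


def cbor_encode(value) -> bytes:
    """Minimal CBOR encoder for the types GRASP messages use:
    non-negative integers, byte strings, text strings and arrays."""
    def head(major, n):
        if n < 24:
            return bytes([major << 5 | n])
        for ai, fmt in ((24, ">B"), (25, ">H"), (26, ">I"), (27, ">Q")):
            if n < 1 << (8 * struct.calcsize(fmt)):
                return bytes([major << 5 | ai]) + struct.pack(fmt, n)
        raise ValueError("integer too large for CBOR")

    if isinstance(value, bool):
        raise TypeError("booleans do not occur in GRASP objectives")
    if isinstance(value, int):
        if value < 0:
            raise TypeError("negative integers are not needed here")
        return head(0, value)
    if isinstance(value, bytes):
        return head(2, len(value)) + value
    if isinstance(value, str):
        data = value.encode("utf-8")
        return head(3, len(data)) + data
    if isinstance(value, list):
        return head(4, len(value)) + b"".join(cbor_encode(v) for v in value)
    raise TypeError(f"unsupported type {type(value).__name__}")


def locator(addr_hex: str, proto: int, port: int) -> list:
    """[O_IPv6_LOCATOR, 16-byte address, IPPROTO, port], as in the quoted line."""
    return [O_IPv6_LOCATOR, bytes.fromhex(addr_hex), proto, port]


def objective(name: str, value: str, loop_count: int = 255) -> list:
    """GRASP objective: [objective-name, flags, loop-count, objective-value]."""
    return [name, F_SYNCH, loop_count, value]


def flood(session_id: int, initiator_hex: str, ttl_ms: int, pairs: list) -> bytes:
    """Encode M_FLOOD = [9, session-id, initiator, ttl, +[objective, locator]]."""
    return cbor_encode([M_FLOOD, session_id, bytes.fromhex(initiator_hex), ttl_ms] + pairs)


# Registrar address from the quoted line; ports 5684 (CoAPS) and 5685 are assumed.
REGISTRAR = "fda379a6f6ee00000200000064000001"

# "draft" scheme: stateful vs. stateless is signalled in the objective-value.
DRAFT_STYLE = [
    [objective("AN_join_registrar", "BRSKI_JP"),  locator(REGISTRAR, IPPROTO_UDP, 5684)],
    [objective("AN_join_registrar", "BRSKI_RJP"), locator(REGISTRAR, IPPROTO_UDP, 5685)],
    [objective("AN_join_registrar", "CMP"),       locator(REGISTRAR, IPPROTO_TCP, 8443)],
]
# "discovery" scheme: the objective-name carries the service, the value stays free
# ("" = default for the locator's transport, "CMP" = a different enrollment protocol).
DISCOVERY_STYLE = [
    [objective("AN_join_registrar", ""),          locator(REGISTRAR, IPPROTO_UDP, 5684)],
    [objective("AN_join_registrar", "CMP"),       locator(REGISTRAR, IPPROTO_TCP, 8443)],
    [objective("AN_join_registrar_rjp", ""),      locator(REGISTRAR, IPPROTO_UDP, 5685)],
]


def classify(obj: list, scheme: str):
    """Return (stateless, variant) for a registrar objective, or None if the
    objective is not a join-registrar objective under that scheme.  stateless
    is None when the scheme leaves it undeterminable (assumed rules)."""
    name, _flags, _loops, value = obj
    if scheme == "draft":
        if name != "AN_join_registrar":
            return None
        if value == "BRSKI_JP":
            return (False, "")
        if value == "BRSKI_RJP":
            return (True, "")
        return (None, value)      # e.g. "CMP": value slot already spent, transport unknown
    if scheme == "discovery":
        if name == "AN_join_registrar":
            return (False, value)
        if name == "AN_join_registrar_rjp":
            return (True, value)
        return None
    raise ValueError(f"unknown scheme {scheme!r}")


def select_registrar(pairs: list, scheme: str, stateless: bool, variant: str = ""):
    """First locator whose objective unambiguously matches the proxy's need, else None."""
    for obj, loc in pairs:
        if classify(obj, scheme) == (stateless, variant):
            return loc
    return None


if __name__ == "__main__":
    print(flood(1, REGISTRAR, 60000, DISCOVERY_STYLE).hex())
    print("stateful CMP, draft scheme:    ", select_registrar(DRAFT_STYLE, "draft", False, "CMP"))
    print("stateful CMP, discovery scheme:", select_registrar(DISCOVERY_STYLE, "discovery", False, "CMP"))
```

Under the draft-style announcements the "CMP" objective cannot be matched by a proxy that also needs to know whether the registrar is stateful or stateless, because the single objective-value slot already carries the BRSKI_JP/BRSKI_RJP distinction; under the name-based scheme both dimensions are expressible and the same selection code finds the registrar.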