IETF Logo Mail Archive

Re: [Anima] Adam Roach's Discuss on draft-ietf-anima-bootstrapping-keyinfra-22: (with DISCUSS and COMMENT)

Eliot Lear <lear@cisco.com> Tue, 16 July 2019 11:21 UTC

Return-Path: <lear@cisco.com>
X-Original-To: anima@ietfa.amsl.com
Delivered-To: anima@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 550B91203FB for <anima@ietfa.amsl.com>; Tue, 16 Jul 2019 04:21:46 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -14.5
X-Spam-Level:
X-Spam-Status: No, score=-14.5 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_HI=-5, SPF_PASS=-0.001, URIBL_BLOCKED=0.001, USER_IN_DEF_DKIM_WL=-7.5] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=cisco.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id HITUz5CFSImj for <anima@ietfa.amsl.com>; Tue, 16 Jul 2019 04:21:44 -0700 (PDT)
Received: from aer-iport-4.cisco.com (aer-iport-4.cisco.com [173.38.203.54]) (using TLSv1.2 with cipher DHE-RSA-SEED-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id DDA5912004D for <anima@ietf.org>; Tue, 16 Jul 2019 04:21:43 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cisco.com; i=@cisco.com; l=10177; q=dns/txt; s=iport; t=1563276104; x=1564485704; h=from:message-id:mime-version:subject:date:in-reply-to:cc: to:references; bh=u05th4kIhG68DbjIOSWYq785lEu1t35N1vXwu4hB7LY=; b=XCcf0B55E85A3uz16QpK1SAXA1GS2rIwTpWhj4DsAw7xXd33yf6gQRhF T66lR7OQ1UfomhIPNr4st3ws1OCy1Wz3UW5UoxvrA+pfDErqy+7bOnSLs obvX6i3aiG5R2LeIC2bKCiRMR9kUuoo4RpeN3iYCacYfw3mAXNiUJQ08a E=;
X-Files: signature.asc : 195
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: A0DvAAB2si1d/xbLJq1lGwEBAQEDAQEBBwMBAQGBZ4NSATIohByIe4tUJZJ6hheBZwIHAQEBCQMBAS8BAYRAAoMUOBMBAwEBBAEBAgEFbYVIhUoBAQEBAgEjVgULCxgjBwICVwYKCRsEgwMBgXsPrFqBMoVHhGsQgTSBUYolgX+BEScME4FOfj6ELYMhMoImBIw4iDmVcgmCG4IfgQyQYRuNN4pTi1uWH4MLAgQGBQIVgWchgVgzGggbFWUBgkE+gjqODz0DMJBFAQE
X-IronPort-AV: E=Sophos;i="5.63,498,1557187200"; d="asc'?scan'208,217";a="14298455"
Received: from aer-iport-nat.cisco.com (HELO aer-core-1.cisco.com) ([173.38.203.22]) by aer-iport-4.cisco.com with ESMTP/TLS/DHE-RSA-SEED-SHA; 16 Jul 2019 11:21:41 +0000
Received: from [10.61.214.237] ([10.61.214.237]) by aer-core-1.cisco.com (8.15.2/8.15.2) with ESMTPS id x6GBLeHb009153 (version=TLSv1.2 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=NO); Tue, 16 Jul 2019 11:21:41 GMT
From: Eliot Lear <lear@cisco.com>
Message-Id: <193EB8D1-3E58-4570-AC4D-55737E3D36CF@cisco.com>
Content-Type: multipart/signed; boundary="Apple-Mail=_13DD1178-3C12-4B95-B146-244F1864F9D3"; protocol="application/pgp-signature"; micalg="pgp-sha1"
Mime-Version: 1.0 (Mac OS X Mail 12.4 \(3445.104.11\))
Date: Tue, 16 Jul 2019 13:21:38 +0200
In-Reply-To: <6ecdae7f-4fb7-d9fc-f19f-bf742c6fe83c@joelhalpern.com>
Cc: anima@ietf.org, Adam Roach <adam@nostrum.com>
To: "Joel M. Halpern" <jmh@joelhalpern.com>
References: <156282703648.15280.17739830959261983790.idtracker@ietfa.amsl.com> <17580.1562874933@localhost> <ACEB4033-707F-47AF-B58A-5227B444BEAB@cisco.com> <E2DA8D30-805E-478D-925D-534C04A0727F@cisco.com> <8869.1563140002@dooku.sandelman.ca> <cedc515e-22ab-94a9-e6ef-c55b345687ba@joelhalpern.com> <376eee31-0264-38a8-1d32-901bb1a0671b@gmail.com> <9e341730-dc47-8860-47d4-6421ab04d0dc@nostrum.com> <6ecdae7f-4fb7-d9fc-f19f-bf742c6fe83c@joelhalpern.com>
X-Mailer: Apple Mail (2.3445.104.11)
X-Outbound-SMTP-Client: 10.61.214.237, [10.61.214.237]
X-Outbound-Node: aer-core-1.cisco.com
Archived-At: <https://mailarchive.ietf.org/arch/msg/anima/D1R_Ofoz3WMBjlTNm4NhfTMBI3g>
Subject: Re: [Anima] Adam Roach's Discuss on draft-ietf-anima-bootstrapping-keyinfra-22: (with DISCUSS and COMMENT)
X-BeenThere: anima@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Autonomic Networking Integrated Model and Approach <anima.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/anima>, <mailto:anima-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/anima/>
List-Post: <mailto:anima@ietf.org>
List-Help: <mailto:anima-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/anima>, <mailto:anima-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 16 Jul 2019 11:21:46 -0000

Hi Joel,

> On 15 Jul 2019, at 23:42, Joel M. Halpern <jmh@joelhalpern.com> wrote:
> 
> I would probably go a step further than Adam.  Protecting the device so a thief can not use it in the thiefs' own network seems to me to be something that we should not be trying to achieve.  An active non-goal. It is not our problem.

>  And trying to achieve it has the implications that lead to this whole discussion about the original manufacturer controlling who can resell / re-buy the device.

I would rather we redressed this directly.  There is an entire work flow that involves zero-touch provisioning that at least two, and likely four large platforms are driving toward, that all require some sort of manufacturer assertion for device ownership to be transferred.  This is not just a good idea or an anti-theft mechanism, but an aspect that is required for zero-touch, particularly with wireless, where network selection has to occur.  While in that sense, you might say, “Anti-theft wasn’t the goal”, it is certainly a nice add-on, and it seems like a valuable function.

Personally I like that we had this discussion.  I think the BRSKI work will be much improved because of it, and people have a better understanding of how the mechanisms can be used/abused as a result.  I only wish we had had it earlier.

So now let’s talk about anti-theft and counterfeiting.  BRSKI has an interesting link to both.  If a manufacturer is able to show the customer what devices have been registered, any device that seems to be operational but is NOT registered has to be considered suspect by the customer.  That’s a nice counterfeit protection, and it isn’t there by accident.

Similarly having a way to say, “the thing won’t join an unauthorized network” is a very strong theft deterrent, very much akin to the electronic keys that we see now in cars.  You generally can no longer go to the local locksmith to get a duplicate key for a great many cars, but your theft insurance has dropped through the floor (particularly if you own a Honda).  Might GM, Ford, BMW etc might fail?  Sure.  No more new keys for those cars: the old ones had better suffice.

In this case we discussed several approaches to deal with the case where the supplier drops dead.  IMHO that’s a good outcome.

Eliot




>  While manufacturers may like that, it does not seem to be something we should get involved in. At all.
> 
> Yours,
> Joel
> 
> On 7/15/2019 5:10 PM, Adam Roach wrote:
>> On 7/15/19 3:38 PM, Brian E Carpenter wrote:
>>> On 15-Jul-19 16:45, Joel M. Halpern wrote:
>>>> I presume I am missing something basic.
>>>> I have tried to follow this discussion, as it seems to be about a
>>>> critical aspect of whether the BRSKI work is acceptable.
>>>> 
>>>> I have assumed that what we needed is the ability for a buyer, who has
>>>> physical possession of the device, and possibly some simple (non
>>>> cryptographic) credentials provided by the seller to force the device to
>>>> reset what it thinks it is part of, and to emit in some accessible form
>>>> the information the buyer needs to be able to make this device part of
>>>> his network, using his authentication servers, etc.
>>> Yes, but *not* a solution that works if the device is stolen.
>> I'm actually a little ambivalent with respect to this use case. For the kind of devices that the document purports to be targeting, I would imagine that theft is in the range of parts-per-thousand (or lower) as compared to things like post-bankruptcy liquidation. If you can fix the first without ruining the second, great.
>> /a

v2.23.0 | Report a Bug | By Email