Re: [Anima] draft-ietf-anima-constrained-voucher discovery questions
Toerless Eckert <tte@cs.fau.de> Fri, 08 April 2022 15:20 UTC
Return-Path: <eckert@i4.informatik.uni-erlangen.de>
X-Original-To: anima@ietfa.amsl.com
Delivered-To: anima@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id BF3783A0D97; Fri, 8 Apr 2022 08:20:12 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.88
X-Spam-Level:
X-Spam-Status: No, score=-0.88 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HEADER_FROM_DIFFERENT_DOMAINS=0.248, RCVD_IN_DNSWL_BLOCKED=0.001, SPF_HELO_NONE=0.001, SPF_NEUTRAL=0.779, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001] autolearn=no autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id cZ_aky5DViqG; Fri, 8 Apr 2022 08:20:08 -0700 (PDT)
Received: from faui40.informatik.uni-erlangen.de (faui40.informatik.uni-erlangen.de [IPv6:2001:638:a000:4134::ffff:40]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 2EAAB3A0D87; Fri, 8 Apr 2022 08:20:05 -0700 (PDT)
Received: from faui48e.informatik.uni-erlangen.de (faui48e.informatik.uni-erlangen.de [IPv6:2001:638:a000:4134::ffff:51]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256) (No client certificate requested) by faui40.informatik.uni-erlangen.de (Postfix) with ESMTPS id 73FD758C4AF; Fri, 8 Apr 2022 17:19:59 +0200 (CEST)
Received: by faui48e.informatik.uni-erlangen.de (Postfix, from userid 10463) id 602374EAB57; Fri, 8 Apr 2022 17:19:59 +0200 (CEST)
Date: Fri, 08 Apr 2022 17:19:59 +0200
From: Toerless Eckert <tte@cs.fau.de>
To: Michael Richardson <mcr+ietf@sandelman.ca>
Cc: draft-ietf-anima-constrained-voucher@ietf.org, anima@ietf.org
Message-ID: <YlBSnzHmgIy8wLI8@faui48e.informatik.uni-erlangen.de>
References: <Yk7Yi6iyK4N7mih4@faui48e.informatik.uni-erlangen.de> <14115.1649347100@localhost>
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Disposition: inline
Content-Transfer-Encoding: 8bit
In-Reply-To: <14115.1649347100@localhost>
Archived-At: <https://mailarchive.ietf.org/arch/msg/anima/Dw6iE54Tv86wnIHWLAUfCimihlc>
Subject: Re: [Anima] draft-ietf-anima-constrained-voucher discovery questions
X-BeenThere: anima@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Autonomic Networking Integrated Model and Approach <anima.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/anima>, <mailto:anima-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/anima/>
List-Post: <mailto:anima@ietf.org>
List-Help: <mailto:anima-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/anima>, <mailto:anima-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 08 Apr 2022 15:20:13 -0000
1. One more thing i stumbled across: | 6.2 TLS Client Certificates: IDevID authentication | | As described in Section 5.1 of [RFC8995], the Pledge makes a | connection to the Registrar using a TLS Client Certificate for | authentication. This reads as if constrained-voucher/BRSKI uses TLS instead of DTLS. Suggest something like: ! 6.2 Client Certificates: IDevID authentication ! ! As described in Section 5.1 of [RFC8995], the Pledge makes a ! connection to the Registrar using a Client Certificate (called the IDevID) ! for authentication, but uses DTLS instead of TLS. (aka: remove confusing use of TLS, and establish a linkage from IDevID in the title to client certificate. Especially 5.1 of rfc8994 is the only place that doesn't mention IDevID and is therefore somewhat confusing when read by itself (which readers might do when they just try to read the reference here). 2. I kinda fail why 6.5.1 and 6.5.2 are extensions to BRSKI. To me they just look like separate aspects of constrained browser BRSKI as 6.1 ... 6.4. Aka: renumber 6.5.1 to 6.5, and 6.5.2 to 6.6, remove that "extensions to BRSKI" notion ? 3. It seems cumbersome to talk about the modified BRSKI in this solution without having a proper name for it. Could we / should we not call it cBRSKI, C-BRSKI, CBRSKI or anything similarily compact ? And of course put it in the title - (cBRSKI) instead of (BRSKI). 4. Wrt to 6.5.1 > Toerless Eckert <tte@cs.fau.de> wrote: > >> 6.5.1. Discovery > >> > >> The Pledge discovers an IP address and port number that connects to > >> the Registrar (possibly via a Join Proxy), and it establishes a DTLS > >> connection. Would suggest to replace with (if correct): ! As described in RFC8995, section 4.2 and 4.2, BRSKI discovers an IP address ! and TCP port number for the registrar and (when used) proxy to establish ! the TLS connection from pledge to Registrar. Likewise, cBRSKI needs to ! discover IP address and UDP port number for the registrar and (when used) proxy ! to establish the DTLS connection from pledge to Registrar. This is described ! in [I-D.ietf-anima-constrained-join-proxy]. > > But the discovery itself is described in draft-ietf-anima-constrained-join-proxy, > > right ? E.g.: it could involve either directly discovering brski.rjp if there > > is no join proxy or discoverin brski.jp if there is a join proxy. True ? > > Would be good to at least provide an appropriate pointer that describes this. And > > i am not sure that draft-ietf-anima-constrained-join-proxy actually describes how > > a pledge would use either brski.jp or brski.rjp... ? > > You are a bit right. > The discovery by the proxy of the Registrar on a *NON* ACP network uses brski.rjp. > This discovery is *specific* to *this* kind of stateless join proxy. > The registrar and the proxy have to agree to use this extension. Ok, but we need to text to point to constrained-join-proxy for this section (as proposed by my text proposal above) in constrained-voucher to make any sense at all, otherwise its confusing leading nowhere. > The discovery by the pledge of the Registrar does not have any other place discovery by CoAP RD. "any other place discovery by CoAP RD" ? Can you rephrase pls. can't parse. |No further discovery of hosts or port numbers is required, but a |pledge that can do more than one kind of enrollment (future work |offers protocols other than [I-D.ietf-ace-coap-est]), then a pledge |may need to use CoAP Discovery to determine what other protocols are |available. I would still recommend to remove "N further discovery of hosts or port numbers is required", as its unnecessary and at least to me confusing to be mentioned. Is CoAP Discovery applicable to non-coap based protocols ? I would think not. In that case the sentence should be changed to "can do more than one kind of CoAP based enrollment...". But still, the sentence is confusing, because to the best of my understanding, constrained-join-proxy already says that cBRSKI _IS_ using CoAP Discovery, whereas this sentence sounds as if CoAP discovery would only required when more than whats defined in this doc and constrained-proxy is done... > > beyond the discovery described in the prior paragraph ? Would suggest to > > either remove this part of the sentence or add more details. As it stands it > > is like be inserting into this email: It is not required to send toerless chocolade. > > (huh, why the heck does toerless mention this - what other cases are there > > where toerless would actuallt expect chocoade. why does he mention > > it.. ?) > > To point it your analogy, once we have determine that Toerless is Hungry, we > do not need to determine whether you want chocolate or not, because, only > triangular chocolate bars will fit through the transport protocol. When you state the obvious without a good lead-in, people will start to question that it was obvious in the first place. Hence i am suggesting to remove. > >> pledge that can do more than one kind of enrollment > >> (future work offers protocols other than [I-D.ietf-ace-coap-est]), > >> then a pledge may need to use CoAP Discovery to determine what other protocols are > >> available. > > > If the solultion os CoAP Discovery, then it seems the problem should maybe also > > be rewritten to "pledge that can do more than one kind of enrollment mechanism using CoAP". > > The pledge could also do DPP or CHIP/MATTER or 802.1x, which is not using CoAP. If CoAP Discovery can axctually be used to do discovery for those non-CoAP protocols, then text should explicitly say so, because that would i think be non-obvious and unexpected. > >> A Pledge that only supports the EST-coaps enrollment method SHOULD > >> NOT use discovery for BRSKI resources. It is more efficient to just > > > Confused. Do i translate this correctly to say "do not use brski.jp/brski.rjp discovery > > from anima-constrained-join-proxy" ? > > brski.jp is used to find the proxy in order to reach the Registrar. I thought that looking for brski.jp is an instance of CoAP discovery... ? > Once a connection to the Registrar is found, then the question becomes: can > the pledge do CMP as well as EST? If so, it might need to discover if the > Registrar can do that. Hah, ok. That IMHO must be written explicitly. Especially the fact its dual-stage. But that confuses me further. Do brski.jp and brski.rjp guarantee that the proxy/registrar do support EST-coap ? Or else: How do we avoid that a registrar that may only support CMP-coap but not ESP-coap is not discovered by a pledge that can only do EST-coap ? > I haven't opened another issue yet,because I'm not sure what to write yet. Sure. And i have not responded to the github yet so that we can keep the whole WG in the loop, while we're discussing the best resolution ;-) Cheers Toerless > -- > Michael Richardson <mcr+IETF@sandelman.ca> . o O ( IPv6 IøT consulting ) > Sandelman Software Works Inc, Ottawa and Worldwide
- [Anima] draft-ietf-anima-constrained-voucher disc… Toerless Eckert
- Re: [Anima] draft-ietf-anima-constrained-voucher … Michael Richardson
- Re: [Anima] draft-ietf-anima-constrained-voucher … Michael Richardson
- Re: [Anima] draft-ietf-anima-constrained-voucher … Toerless Eckert