Re: [Anima] I-D Action: draft-ietf-anima-bootstrapping-keyinfra-08.txt
Brian E Carpenter <brian.e.carpenter@gmail.com> Wed, 18 October 2017 03:19 UTC
Return-Path: <brian.e.carpenter@gmail.com>
X-Original-To: anima@ietfa.amsl.com
Delivered-To: anima@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A3067127005 for <anima@ietfa.amsl.com>; Tue, 17 Oct 2017 20:19:12 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.999
X-Spam-Level:
X-Spam-Status: No, score=-1.999 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id BOyoki2HEgLK for <anima@ietfa.amsl.com>; Tue, 17 Oct 2017 20:19:10 -0700 (PDT)
Received: from mail-pg0-x22b.google.com (mail-pg0-x22b.google.com [IPv6:2607:f8b0:400e:c05::22b]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 6E2B2126B71 for <anima@ietf.org>; Tue, 17 Oct 2017 20:19:09 -0700 (PDT)
Received: by mail-pg0-x22b.google.com with SMTP id l24so3096242pgu.11 for <anima@ietf.org>; Tue, 17 Oct 2017 20:19:09 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=from:subject:to:references:organization:message-id:date:user-agent :mime-version:in-reply-to:content-language:content-transfer-encoding; bh=vRYeX0xKThzCXu5lELOOS9V8nEIV7ABFSKqgEqaA0QA=; b=qJPKmSf3mQj0ZCeTBkA+9ivPYc+W1v+RvwpAemy1yKs94OS67psQuR04aSGhjOzDXz v+03oVAEmwBJ4o2sPUduqgZ5bXoPP6Jb0qFhe1MO8Wp0moQ6chme+En9iuaHBVJce6HT 1XQSPnsIGfzaBmbpGg+U8htUmOmVQHXnSKk2RcMjUSmiSph+yui77xBChpashYyKyh2w atLbWa5nLIubKT14CgtQutVYyUTCnyYhxRUIXt3L8998V+hwzJ+mxTCWmDgk6I9bi366 PEaiJNYriYUXp2cs53A+1EkaLHqGhSEhjZXUo1R/0AhLVl3an1JKI8FRANRKtjUKr0kJ 1GAg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:subject:to:references:organization :message-id:date:user-agent:mime-version:in-reply-to :content-language:content-transfer-encoding; bh=vRYeX0xKThzCXu5lELOOS9V8nEIV7ABFSKqgEqaA0QA=; b=RqHOOqJR8fDmyfrBKMPJHBzXRzd1Kosvs0E/y6kps5vu1IN9pAH9bqbZcsXgAGF05l ThOtPpA2+9PHBCq8E5JrkjhtbzcRgKB+ndAowS1Duj8DM0IMbX8ZQBTLKxMIPtmlnApr drZ5mOihQNJa3mp5xp5xL6WnARNfIumLgwYAoILcbYVaelaa+nechRJ3TowHtzfn4VSq j1a1ZHh8V9wmNbMad9SHNsBoIm7/ebQNqa1qAB7JGJVxgCQq1W5Y3CJAvwQpIThPgRTP UESbY/es422cy78ORHpl0JV+6HwFGtlxZKOeA+Kk7J6sQHdN7b4zl+spvGJ8b7icWN30 CVdA==
X-Gm-Message-State: AMCzsaXOpRbqK6pTJMkksGKx6Z/zoZOWYHqredgYRZxSQVELTd9nK8Zx 8PtKTJPU8zFSxnpbLDNb8iJLWg==
X-Google-Smtp-Source: AOwi7QBVSOkBpmfgy3dePOtQSyaVWpHXKM+DjUiI85tUFH1b0AtZDMD3GMKrtIhxHeSWCMByy/G/tg==
X-Received: by 10.101.70.76 with SMTP id k12mr12614997pgr.19.1508296748951; Tue, 17 Oct 2017 20:19:08 -0700 (PDT)
Received: from ?IPv6:2406:e007:6d3c:1:28cc:dc4c:9703:6781? ([2406:e007:6d3c:1:28cc:dc4c:9703:6781]) by smtp.gmail.com with ESMTPSA id 76sm21550354pfq.4.2017.10.17.20.19.06 for <anima@ietf.org> (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Tue, 17 Oct 2017 20:19:07 -0700 (PDT)
From: Brian E Carpenter <brian.e.carpenter@gmail.com>
To: Anima WG <anima@ietf.org>
References: <150791598017.23771.18187732712497738112@ietfa.amsl.com>
Organization: University of Auckland
Message-ID: <7fcffe21-d396-bad5-b311-d2879b14b0f1@gmail.com>
Date: Wed, 18 Oct 2017 16:19:09 +1300
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:52.0) Gecko/20100101 Thunderbird/52.4.0
MIME-Version: 1.0
In-Reply-To: <150791598017.23771.18187732712497738112@ietfa.amsl.com>
Content-Type: text/plain; charset="utf-8"
Content-Language: en-US
Content-Transfer-Encoding: 7bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/anima/F4zjCPoPn-eWWip4PwQxvSR_KDQ>
Subject: Re: [Anima] I-D Action: draft-ietf-anima-bootstrapping-keyinfra-08.txt
X-BeenThere: anima@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Autonomic Networking Integrated Model and Approach <anima.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/anima>, <mailto:anima-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/anima/>
List-Post: <mailto:anima@ietf.org>
List-Help: <mailto:anima-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/anima>, <mailto:anima-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 18 Oct 2017 03:19:13 -0000
Hi,
Unfortunately this is still a little broken around both GRASP objectives,
in a way that needs to be fixed:
> 4.1.1. Proxy Grasp announcements
>
> A proxy uses the GRASP M_FLOOD mechanism to announce itself. The
> pledge SHOULD listen for messages of these form. This announcement
> can be within the same message as the ACP announcement detailed in
> [I-D.ietf-anima-autonomic-control-plane].
>
>
> proxy-objective = ["AN_Proxy", [ O_IPv6_LOCATOR, ipv6-address,
> transport-proto, port-number ] ]
That's not valid syntax for an objective. Also, in the Flood message you
have the option of associating a locator directly with the flooded
objective, as part of the basic message format. My suggestion:
The objective is defined in fragmentary CDDL as:
registrar-objective = ["AN_Proxy", objective-flags, loop-count, null]
objective-flags = ; as in the GRASP specification
loop-count = 1 ; restricted to link-local use
The objective-flags field is set to indicate synchronization.
The loop-count is set to 1 to limit the scope of flooding
to the local link.
The value field is set to a null value.
In the GRASP Flood message, an IPv6 locator option is
associated with the objective as described in Section 2.8.11
of [I-D.ietf-anima-grasp]. The locator format is
[O_IPv6_LOCATOR, ipv6-address, transport-proto, port-number]
where
> ipv6-address - the v6 LL of the proxy
> transport-proto - 6, for TCP 17 for UDP
> port-number - the TCP or UDP port number to find the proxy
Then there are more problems with this:
> 4.4. Proxy discovery of Registrar
>
> The Registrar SHOULD announce itself so that proxies can find it and
> determine what kind of connections can be terminated.
>
> When the Registrar joins an Autonomic Control Plane
> ([I-D.ietf-anima-autonomic-control-plane]) it MUST respond to GRASP
> ([I-D.ietf-anima-grasp]) M_NEG_SYN message.
There is no such thing as M_NEG_SYN. Anyway this is a backwards
way of describing things. I think you should start with something
like:
When the Registrar joins an Autonomic Control Plane
[I-D.ietf-anima-autonomic-control-plane] it MUST be
ready to support the GRASP [I-D.ietf-anima-grasp]
object "AN_registrar" defined below. This is an
objective that supports only discovery; it does not
support synchronization or negotiation. When a proxy
sends a GRASP Discovery (M_DISCOVERY) message seeking
this objective, the Registrar SHOULD respond with a
GRASP Discovery Response (M_RESPONSE) message including
relevant locators as described below.
The objective is defined in fragmentary CDDL as:
registrar-objective = ["AN_join_registrar", objective-flags,
loop-count, null]
objective-flags = ; as in the GRASP specification
loop-count = ; as in the GRASP specification
The objective-flags field is set to indicate discovery.
The loop-count is set to a suitable value to limit the scope of
discovery. A suggested default value is 6.
The value field is set to a null value.
> The registrar responds to discovery messages from the proxy (or GRASP
> caches between them) as follows: (XXX changed from M_DISCOVERY)
>
> objective = ["AN_registrar", F_DISC, 255 ]
Why 255? Do you expect networks to be that big? Discovery
loops will be detected anyway, but I think a much more conservative
value is appropriate.
> discovery-message = [M_NEG_SYN, session-id, initiator, objective]
Nope. M_DISCOVERY is needed. But anyway, what is the point of
replicating bog-standard GRASP here? Possibly in an appendix, but not
main text.
> Figure 6: Registrar Discovery
>
> The response from the registrar (or cache) will be a M_RESPONSE with
> the following parameters:
>
> response-message = [M_RESPONSE, session-id, initiator, ttl,
> (+locator-option // divert-option), ?objective)]
Here an example is more helpful than more cut-and-paste from
GRASP.
> initiator = ACP address of Registrar
Wrong, another argument against redundancy.
See https://tools.ietf.org/html/draft-ietf-anima-grasp-15#section-2.8.5
> locator1 = [O_IPv6_LOCATOR, fd45:1345::6789, 6, 443]
> locator2 = [O_IPv6_LOCATOR, fd45:1345::6789, 17, 5683]
> locator3 = [O_IPv6_LOCATOR, fe80::1234, 41, nil]
OK. This is fine in terms of GRASP syntax, although it's
a slightly special case of implying semantics within the
locators. The only problem is mine: my prototype code can't
do this without enhancement. I'd suggest giving the example
a bit more precisely, something like:
An example M_RESPONSE packet, following the GRASP syntax,
could be as follows:
[M_RESPONSE, session-id, initiator, ttl,
[O_IPv6_LOCATOR, fd45:1345::6789, 6, 443],
[O_IPv6_LOCATOR, fd45:1345::6789, 17, 5683],
[O_IPv6_LOCATOR, fe80::1234, 41, null]]
Also, technically, using proto = 41 extends the formal GRASP syntax.
We could let that slide, holding it in reserve for GRASP 2.0, or
we could at least note that it's an extension.
Regards
Brian
- [Anima] I-D Action: draft-ietf-anima-bootstrappin… internet-drafts
- Re: [Anima] I-D Action: draft-ietf-anima-bootstra… Brian E Carpenter
- Re: [Anima] I-D Action: draft-ietf-anima-bootstra… Michael Richardson
- Re: [Anima] I-D Action: draft-ietf-anima-bootstra… Brian E Carpenter
- Re: [Anima] I-D Action: draft-ietf-anima-bootstra… Brian E Carpenter
- Re: [Anima] I-D Action: draft-ietf-anima-bootstra… peter van der Stok