Re: [Anima] CoAP et al
Rafa Marin Lopez <rafa@um.es> Tue, 16 August 2016 23:22 UTC
From: Rafa Marin Lopez <rafa@um.es>
In-Reply-To: <20160816054301.GB4333@cisco.com>
Date: Wed, 17 Aug 2016 01:21:56 +0200
Message-Id: <974D14F7-0301-46AD-B759-B8C4A5BCB98F@um.es>
References: <4108581b-d6b8-b284-eb26-d3c047372aae@cisco.com> <1156D983-9628-41BC-8180-66999CABE3F6@um.es> <20160816054301.GB4333@cisco.com>
To: Toerless Eckert <eckert@cisco.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/anima/FwYI11PZXf5o-wHK5UtK-ubqjhs>
Cc: Dan Garcia <DanGarc@cisco.com>, Eliot Lear <lear@cisco.com>, draft-ietf-anima-bootstrapping-keyinfra.all@tools.ietf.org, anima@ietf.org, Rafa Marin Lopez <rafa@um.es>
Subject: Re: [Anima] CoAP et al
Hi Toerless:

> On 16 Aug 2016, at 7:43, Toerless Eckert <eckert@cisco.com> wrote:
>
> Rafa,
>
> I have not managed to figure out from your draft what exactly
> you consider to be bootstrapping. It seems you primarily refer
> to draft-ohba-core-eap-based-bootstrapping, which seems to be expired.

Just a clarification: draft-marin-ace-wg-coap-eap-03 is just presenting a transport of EAP in CoAP (CoAP used as EAP lower-layer). The bootstrapping service is in the paper.

> To quickly summarize what in anima we call bootstrap:
>
> The ANIMA key bootstrap protocol primarily tries to get a credential
> installed on a device. This is based on RFC7030 (e.g. cert enrolment)
> and adds all the functions we have identified as being necessary on top of this:
>
> 1. Initial signaling so the client can trust the server from which
> it gets the credential - the server can be from some owner of the
> device and it's producing a credential from the vendor of the
> device that makes the device trust the server. As a result,
> for example, the client installs the server's CA cert into its
> cert trustpool list.
>
> 2. Requesting parameters to be associated with the credential. These
> parameters are then usable by next steps. In Anima, these
> credentials are parameters to the client cert, and those are
> then used in building the ACP after bootstrap.
>
> 3. Installing the credential - in ANIMA devices the AN Certificate.
>
> Note: We did discuss but have not decided on options where
> for example this step could be optional, e.g. where in very low-end
> devices the vendor-installed credential is sufficient, and no new credential is
> desired, but instead only 1., 2., 4., 5. are performed.
>
> 4. Diagnostics so the server side will know if/how steps 1..3 were
> successful.
>
> 5. Next step to take by the device - e.g. build ACP or, for non-ANIMA
> devices, maybe "here is your next provisioning connection
> to build". (We're just discussing this step.)
>
> So, I am not aware that existing EAP mechanisms offer any such bootstrap
> functionality. I am not even aware they offer an equivalent of rfc7030 with
> EAP.

[Rafa] Thanks for this clear summary. I have to say that EAP is a protocol for authentication and key management mainly. You have several "EAP methods" that define the authentication mechanisms in EAP. As I mentioned, previous work about MIPv6 bootstrapping used tunneling capabilities in certain EAP methods to "inject" that configuration information (e.g. draft-giaretta-mip6-authorization-eap-04, an old draft but interesting). Another alternative is just to use EAP for authentication/key material generation to protect the signaling of other protocol(s) that allow transferring the information you need. In the context of "IoT bootstrapping", I must say that we are not the only ones proposing the usage of EAP (the novelty of our solution is the usage of CoAP as EAP lower-layer).

Best Regards.

> On Sun, Aug 14, 2016 at 02:05:14PM +0200, Rafa Marin Lopez wrote:
>> Dear all:
>>
>> Related with the usage of CoAP for bootstrapping in constrained devices (using EAP and AAA infrastructures) we wrote this I-D:
>>
>> https://tools.ietf.org/html/draft-marin-ace-wg-coap-eap-03
>>
>> and wrote this paper that may be of your interest:
>>
>> http://www.mdpi.com/1424-8220/16/3/358
>>
>> Comments are welcome.
>>
>> Best Regards.
>>
>>> On 3 Aug 2016, at 15:55, Eliot Lear <lear@cisco.com> wrote:
>>>
>>> Dear authors of draft-ietf-anima-bootstrapping-keyinfra and WG,
>>>
>>> The Fairhair alliance focuses on lighting and building automation. Our
>>> security team has been reviewing your draft, and we appreciate the
>>> effort that you are devoting in this direction. We would just like to
>>> highlight at this juncture that there is a preference for device
>>> communications from the autonomic device to the registrar to be via CoAP
>>> over DTLS rather than HTTP over TLS, primarily because the devices that
>>> we are working with will already have a CoAP implementation. As such,
>>> there is some interest in draft-pritikin-coap-bootstrap-03.txt. We look
>>> forward to seeing that work further developed.
>>>
>>> On behalf of the Fairhair security subgroup,
>>>
>>> Eliot
>>>
>>> ps: as usual, I will encourage fairhair members to directly chime in
>>> with their own views on this matter.
>>>
>>> _______________________________________________
>>> Anima mailing list
>>> Anima@ietf.org
>>> https://www.ietf.org/mailman/listinfo/anima
>
> --
> ---
> Toerless Eckert, eckert@cisco.com

-------------------------------------------------------
Rafael Marin Lopez, PhD
Dept. Information and Communications Engineering (DIIC)
Faculty of Computer Science-University of Murcia
30100 Murcia - Spain
Telf: +34868888501 Fax: +34868884151 e-mail: rafa@um.es
-------------------------------------------------------
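The "CoAP as EAP lower-layer" idea discussed in the thread, as an added example that is not code from the draft, the paper or any participant: an RFC 3748 EAP packet is carried as the payload of an RFC 7252 CoAP request, and the receiving lower layer checks the CoAP framing and the EAP Length field before handing the packet up. The confirmable POST and the Uri-Path "a" are assumptions made for illustration, not the draft's actual resource layout.

```python
import struct

# Constructed example of EAP carried over CoAP. The CON POST and the
# Uri-Path "a" are assumptions for illustration, not the draft's design.
EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPE_IDENTITY = 1
COAP_POST, OPT_URI_PATH = 0x02, 11

def build_eap(code, identifier, eap_type=None, data=b""):
    """Encode one EAP packet; Length covers the 4-byte header plus body."""
    body = (bytes([eap_type]) if eap_type is not None else b"") + data
    return struct.pack("!BBH", code, identifier, 4 + len(body)) + body

def build_coap_post(msg_id, token, uri_path, payload):
    """Minimal confirmable POST (ver=1, type CON) with one short Uri-Path option."""
    if len(token) > 8 or len(uri_path) > 12:
        raise ValueError("this constructed helper only supports short token/path")
    header = struct.pack("!BBH", 0x40 | len(token), COAP_POST, msg_id)
    option = bytes([(OPT_URI_PATH << 4) | len(uri_path)]) + uri_path.encode()
    return header + token + option + b"\xff" + payload

def parse_coap_eap(datagram):
    """Strip CoAP framing, validate the embedded EAP header, return its fields.

    Raises ValueError on malformed input: the lower layer must not pass the
    EAP peer a packet whose Length disagrees with the bytes actually received.
    """
    if len(datagram) < 4 or datagram[0] >> 6 != 1:
        raise ValueError("not a CoAP version 1 message")
    tkl = datagram[0] & 0x0F
    if tkl > 8:
        raise ValueError("reserved token length")
    code, msg_id = datagram[1], struct.unpack("!H", datagram[2:4])[0]
    pos = 4 + tkl
    while pos < len(datagram) and datagram[pos] != 0xFF:  # skip options
        delta, length = datagram[pos] >> 4, datagram[pos] & 0x0F
        if delta >= 13 or length >= 13:
            raise ValueError("extended option encoding not handled here")
        pos += 1 + length
    payload = datagram[pos + 1:] if pos < len(datagram) else b""
    if len(payload) < 4:
        raise ValueError("no EAP header in payload")
    eap_code, ident, eap_len = struct.unpack("!BBH", payload[:4])
    if eap_code not in EAP_CODES or eap_len < 4 or eap_len > len(payload):
        raise ValueError("malformed EAP header (code or Length)")
    has_type = eap_code in (1, 2)            # Request/Response carry a Type byte
    if has_type and eap_len < 5:
        raise ValueError("Request/Response without Type")
    return {"coap_code": code, "msg_id": msg_id, "eap_code": EAP_CODES[eap_code],
            "identifier": ident, "eap_type": payload[4] if has_type else None,
            "eap_data": payload[5:eap_len] if has_type else b""}
```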