Re: [Anima] CoAP et al

Rafa Marin Lopez <rafa@um.es> Tue, 16 August 2016 23:22 UTC

From: Rafa Marin Lopez <rafa@um.es>
In-Reply-To: <20160816054301.GB4333@cisco.com>
Date: Wed, 17 Aug 2016 01:21:56 +0200
Message-Id: <974D14F7-0301-46AD-B759-B8C4A5BCB98F@um.es>
References: <4108581b-d6b8-b284-eb26-d3c047372aae@cisco.com> <1156D983-9628-41BC-8180-66999CABE3F6@um.es> <20160816054301.GB4333@cisco.com>
To: Toerless Eckert <eckert@cisco.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/anima/FwYI11PZXf5o-wHK5UtK-ubqjhs>
Cc: Dan Garcia <DanGarc@cisco.com>, Eliot Lear <lear@cisco.com>, draft-ietf-anima-bootstrapping-keyinfra.all@tools.ietf.org, anima@ietf.org, Rafa Marin Lopez <rafa@um.es>
Subject: Re: [Anima] CoAP et al

Hi Toerless:

> On 16 Aug 2016, at 7:43, Toerless Eckert <eckert@cisco.com> wrote:
> 
> 
> Rafa,
> 
> I have not managed to figure out from your draft what exactly
> you consider to be bootstrapping. It seems you primarily refer
> to draft-ohba-core-eap-based-bootstrapping, which seems to be expired.

Just a clarification: draft-marin-ace-wg-coap-eap-03 is just presenting a transport of EAP in CoAP (CoAP used as EAP lower-layer). The bootstrapping service is in the paper.

> To quickly summarize what in anima we call bootstrap:
> 
> The ANIMA key bootstrap protocol primarily tries to get a credential
> installed on a device. This is based on RFC7030 (eg: cert enrolment)
> and adds all the functions we have identified as being necessary on top of this:
> 
>  1. Initial signaling so the client can trust the server from which
>     it gets the credential - server can be from some owner of the
>     device and it's producing a credential from the vendor of the
>     device that makes the device trust the server.  As a result,
>     for example, the client installs the server's CA cert into its
>     cert trustpool list.
> 
>  2. Requesting parameters to be associated with the credential. These
>     parameters are then usable by next steps. In Anima, these
>     credentials are parameters to the client cert, and those are
>     then used in building the ACP after bootstrap.
> 
>  3. Installing the credential - in ANIMA devices the AN Certificate.
> 
>     Note: We did discuss but have not decided on options where
>     for example this step could be optional, eg: where in very low-end
>     devices the vendor installed credential is sufficient, and no new credential is
>     desired, but instead only 1., 2., 4., 5. are performed.
> 
>  4. Diagnostics so the server side will know if/how steps 1..3 were
>     successful.
> 
>  5.  Next step to take by the device - eg: build ACP or for non
>      ANIMA devices, maybe "here is your next provisioning connection
>      to build". (we're just discussing this step).
> 
> So, I am not aware that existing EAP mechanisms offer any such bootstrap
> functionality. I am not even aware they offer an equivalent of rfc7030 with
> EAP.

[Rafa] Thanks for this clear summary. I have to say that EAP is a protocol for authentication and key management mainly. You have several "EAP methods" that define the authentication mechanisms in EAP. As I mentioned, previous work about MIPv6 bootstrapping used tunneling capabilities in certain EAP methods to "inject" that configuration information (e.g. draft-giaretta-mip6-authorization-eap-04, old draft but interesting). Another alternative is just to use EAP for authentication key material generation to protect the signaling of other protocol(s) that allow transferring the information you need.

In the context of "IoT bootstrapping", I must say that we are not the only ones proposing the usage of EAP (the novelty of our solution is the usage of CoAP as EAP lower-layer).

Best Regards.

> 
> 
> On Sun, Aug 14, 2016 at 02:05:14PM +0200, Rafa Marin Lopez wrote:
>> Dear all:
>> 
>> Related with the usage of CoAP for bootstrapping in constrained devices (using EAP and AAA infrastructures) we wrote this I-D:
>> 
>> https://tools.ietf.org/html/draft-marin-ace-wg-coap-eap-03
>> 
>> and wrote this paper that may be of your interest:
>> 
>> http://www.mdpi.com/1424-8220/16/3/358
>> 
>> Comments are welcome.
>> 
>> Best Regards.
>> 
>>> On 3 Aug 2016, at 15:55, Eliot Lear <lear@cisco.com> wrote:
>>> 
>>> Dear authors of draft-ietf-anima-bootstrapping-keyinfra and WG,
>>> 
>>> The Fairhair alliance focuses on lighting and building automation.  Our
>>> security team has been reviewing your draft, and we appreciate the
>>> effort that you are devoting in this direction.  We would just like to
>>> highlight at this junction that there is a preference for device
>>> communications from the autonomic device to the registrar to be via COAP
>>> over DTLS rather than HTTP over TLS, primarily because the devices that
>>> we are working with will already have a CoAP implementation.  As such,
>>> there is some interest in draft-pritikin-coap-bootstrap-03.txt.  We look
>>> forward to seeing that work further developed.
>>> 
>>> On behalf of the Fairhair security subgroup,
>>> 
>>> Eliot
>>> 
>>> ps: as usual, I will encourage fairhair members to directly chime in
>>> with their own views on this matter.
>>> 
>>> 
>>> 
>>> _______________________________________________
>>> Anima mailing list
>>> Anima@ietf.org
>>> https://www.ietf.org/mailman/listinfo/anima
>> 
>> -------------------------------------------------------
>> Rafael Marin Lopez, PhD
>> Dept. Information and Communications Engineering (DIIC)
>> Faculty of Computer Science-University of Murcia
>> 30100 Murcia - Spain
>> Telf: +34868888501 Fax: +34868884151 e-mail: rafa@um.es
>> -------------------------------------------------------
>> 
> 
> -- 
> ---
> Toerless Eckert, eckert@cisco.com
> 

-------------------------------------------------------
Rafael Marin Lopez, PhD
Dept. Information and Communications Engineering (DIIC)
Faculty of Computer Science-University of Murcia
30100 Murcia - Spain
Telf: +34868888501 Fax: +34868884151 e-mail: rafa@um.es
-------------------------------------------------------
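As an added illustration of what "CoAP used as EAP lower-layer" means at the byte level (example code written for this page, not taken from draft-marin-ace-wg-coap-eap-03, the paper, or the thread's authors): an EAP Request/Identity carried as the payload of a CoAP POST, with the framing and Length checks a receiver should apply before handing the packet to the EAP state machine. The zero-option CoAP framing, the token, message id and helper names are assumptions; the draft's actual resource and option mapping is not on this page.

```python
import struct

# EAP codes and the Identity method type (RFC 3748); CoAP POST code 0.02 (RFC 7252).
EAP_REQUEST, EAP_RESPONSE, EAP_SUCCESS, EAP_FAILURE = 1, 2, 3, 4
EAP_TYPE_IDENTITY = 1
COAP_POST = 0x02

def eap_encode(code, identifier, eap_type=None, type_data=b""):
    """Build an EAP packet: Code, Identifier, Length (whole packet), then Type and Type-Data."""
    body = b"" if eap_type is None else bytes([eap_type]) + type_data
    return struct.pack("!BBH", code, identifier, 4 + len(body)) + body

def eap_decode(pkt):
    """Parse an EAP packet; reject a Length field that disagrees with the bytes received."""
    if len(pkt) < 4:
        raise ValueError("EAP header truncated")
    code, identifier, length = struct.unpack("!BBH", pkt[:4])
    if length < 4 or length > len(pkt):
        raise ValueError("EAP Length field inconsistent with packet size")
    body = pkt[4:length]  # bytes beyond Length are lower-layer padding and ignored
    if code in (EAP_REQUEST, EAP_RESPONSE):
        if not body:
            raise ValueError("Request/Response without a Type octet")
        return {"code": code, "id": identifier, "type": body[0], "data": body[1:]}
    return {"code": code, "id": identifier, "type": None, "data": b""}

def coap_wrap(msg_id, token, eap_pkt):
    """Carry an EAP packet as the payload of a confirmable CoAP POST (assumption: no options)."""
    if len(token) > 8:
        raise ValueError("CoAP token longer than 8 octets")
    first = (1 << 6) | (0 << 4) | len(token)  # Ver=1, T=CON, TKL
    return bytes([first, COAP_POST]) + struct.pack("!H", msg_id) + token + b"\xff" + eap_pkt

def coap_unwrap(frame):
    """Check the CoAP framing and return (message id, token, EAP payload)."""
    if len(frame) < 4 or frame[0] >> 6 != 1:
        raise ValueError("not a CoAP version 1 message")
    tkl = frame[0] & 0x0F
    if tkl > 8 or len(frame) < 4 + tkl:
        raise ValueError("bad token length")
    msg_id = struct.unpack("!H", frame[2:4])[0]
    rest = frame[4 + tkl:]
    # Zero-option case only; a 0xFF marker followed by nothing is a message format error.
    if len(rest) < 2 or rest[0] != 0xFF:
        raise ValueError("missing or empty payload")
    return msg_id, frame[4:4 + tkl], rest[1:]

def identity_request(msg_id=0x1234, token=b"\x42\x01"):
    """Constructed sample: the EAP Request/Identity that opens the exchange, sent over CoAP."""
    return coap_wrap(msg_id, token, eap_encode(EAP_REQUEST, 1, EAP_TYPE_IDENTITY))
```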