Re: [Anima] some minor questions about ACP -23

Brian E Carpenter <brian.e.carpenter@gmail.com> Tue, 10 March 2020 19:20 UTC

Archived-At: <https://mailarchive.ietf.org/arch/msg/anima/Gisd3DprJ-Pu8cZr9vKUbVGY2dk>
List-Id: Autonomic Networking Integrated Model and Approach <anima.ietf.org>

On 11-Mar-20 01:20, Michael Richardson wrote:
> 
> section 6.1.5 says:
> 
>    When BRSKI (see
>    [I-D.ietf-anima-bootstrapping-keyinfra]) is used, the IPv6 locator of
>    the BRSKI registrar from the BRSKI TLS connection SHOULD be
>    remembered and used for the next renewal via EST if that registrar
>    also announces itself as an EST server via GRASP (see next section)
>    on its ACP address.
> 
> The BRSKI TLS connection is proxied through a join proxy.
> The pledge (new node) never knows what the IPv6 locator of the BRSKI registrar is.

Right, and unless I'm mistaken that remains true even if the registrar is
on the same layer 2 link as the pledge; the node containing the registrar also
contains a proxy. Pledges don't need a special case for this situation.

   Brian

> I suggest removing this paragraph; the node should listen for the EST GRASP
> announcement.
> 
> 
> 6.1.5.3 mandates use of CRLs rather than OCSP.
> I'm okay with that, but I wanted to make sure the WG understood.
> OCSP might require a node to be on the ACP before it could get on the
> ACP.  CRLs could be cached for extended periods of time.
> 
> We might consider adding a CRL retrieval step to BRSKI, after the cacerts are
> retrieved.
> 
> 
> --
> Michael Richardson <mcr+IETF@sandelman.ca>, Sandelman Software Works
>  -= IPv6 IoT consulting =-
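The point of the thread is that a pledge never sees the registrar's locator through the join proxy, so the only thing it can act on for EST renewal is the registrar's GRASP announcement on its ACP address. The following is an added illustration, not code from the draft or from either author: it decodes a captured GRASP M_FLOOD (a minimal CBOR decoder is included so it runs offline) and extracts the EST server locator from an SRV.est objective. The M_FLOOD and O_IPv6_LOCATOR values, the `["SRV.est", flags, loop-count]` layout and the sample ACP ULA prefix are assumptions taken from the GRASP and ACP drafts; the message bytes are constructed.

```python
import ipaddress

M_FLOOD, O_IPV6_LOCATOR, IPPROTO_TCP = 9, 103, 6   # GRASP message type, locator option, TCP

def cbor_decode(buf, pos=0):
    """Minimal CBOR decoder for what GRASP needs here: unsigned ints, bstr, tstr, definite arrays."""
    mt, arg = buf[pos] >> 5, buf[pos] & 0x1F
    pos += 1
    if arg >= 24:                                   # argument follows in the next 1/2/4/8 bytes
        n = 1 << (arg - 24)
        arg, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if mt == 0:
        return arg, pos
    if mt in (2, 3):
        chunk = buf[pos:pos + arg]
        return (chunk if mt == 2 else chunk.decode("utf-8")), pos + arg
    if mt == 4:
        items = []
        for _ in range(arg):
            item, pos = cbor_decode(buf, pos)
            items.append(item)
        return items, pos
    raise ValueError("unsupported CBOR major type %d" % mt)

def est_servers_from_flood(msg, acp_prefix="fd89:b714:f3db::/48"):
    """Return [(acp_address, port, ttl_ms)] for each usable SRV.est objective in a decoded
    GRASP M_FLOOD; acp_prefix (assumed value) is this network's ACP ULA, others are dropped."""
    if not (isinstance(msg, list) and len(msg) >= 5 and msg[0] == M_FLOOD):
        return []
    found = []
    for pair in msg[4:]:                            # each element is [objective, locator-or-[]]
        if not (isinstance(pair, list) and len(pair) == 2):
            continue
        obj, loc = pair
        if not (isinstance(obj, list) and obj and obj[0] == "SRV.est"):
            continue
        if not (isinstance(loc, list) and len(loc) == 4 and loc[0] == O_IPV6_LOCATOR
                and loc[2] == IPPROTO_TCP and isinstance(loc[1], bytes) and len(loc[1]) == 16):
            continue                                # no TCP/IPv6 locator: unusable for EST over TLS
        addr = ipaddress.IPv6Address(loc[1])
        if addr in ipaddress.ip_network(acp_prefix):
            found.append((str(addr), loc[3], msg[3]))
    return found

# Constructed sample: one M_FLOOD carrying ["SRV.est", 4, 255] plus an O_IPv6_LOCATOR for
# fd89:b714:f3db:0:2000:6:4000:1, TCP port 443, ttl 210000 ms, hand-encoded as CBOR.
SAMPLE_FLOOD = bytes.fromhex(
    "85 09 1a00bc4e4f 50fd89b714f3db00002000000640000001 1a00033450"
    "82 83 675352562e657374 04 18ff"
    "84 1867 50fd89b714f3db00002000000640000001 06 1901bb")
```

The returned ttl is the flood's lifetime in milliseconds, which is what a node should use to expire a remembered EST locator rather than keeping it indefinitely.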