[Anima] some comments on -- draft-ietf-anima-grasp-01
Michael Richardson <mcr+ietf@sandelman.ca> Sun, 29 November 2015 21:43 UTC
Return-Path: <mcr@sandelman.ca>
X-Original-To: anima@ietfa.amsl.com
Delivered-To: anima@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 102E51B3531 for <anima@ietfa.amsl.com>; Sun, 29 Nov 2015 13:43:47 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.486
X-Spam-Level:
X-Spam-Status: No, score=-2.486 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RP_MATCHES_RCVD=-0.585, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id KnSQhdfD18v6 for <anima@ietfa.amsl.com>; Sun, 29 Nov 2015 13:43:45 -0800 (PST)
Received: from tuna.sandelman.ca (tuna.sandelman.ca [IPv6:2607:f0b0:f:3:216:3eff:fe7c:d1f3]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 6AAE01B352D for <anima@ietf.org>; Sun, 29 Nov 2015 13:43:45 -0800 (PST)
Received: from sandelman.ca (obiwan.sandelman.ca [IPv6:2607:f0b0:f:2::247]) by tuna.sandelman.ca (Postfix) with ESMTP id 289BB200A5 for <anima@ietf.org>; Sun, 29 Nov 2015 16:48:47 -0500 (EST)
Received: by sandelman.ca (Postfix, from userid 179) id 6E9B063753; Sun, 29 Nov 2015 16:43:44 -0500 (EST)
Received: from sandelman.ca (localhost [127.0.0.1]) by sandelman.ca (Postfix) with ESMTP id 5934A636C4 for <anima@ietf.org>; Sun, 29 Nov 2015 16:43:44 -0500 (EST)
From: Michael Richardson <mcr+ietf@sandelman.ca>
To: anima@ietf.org
X-Attribution: mcr
X-Mailer: MH-E 8.6; nmh 1.3-dev; GNU Emacs 24.4.2
X-Face: $\n1pF)h^`}$H>Hk{L"x@)JS7<%Az}5RyS@k9X%29-lHB$Ti.V>2bi.~ehC0; <'$9xN5Ub# z!G,p`nR&p7Fz@^UXIn156S8.~^@MJ*mMsD7=QFeq%AL4m<nPbLgmtKK-5dC@#:k
MIME-Version: 1.0
Content-Type: multipart/signed; boundary="=-=-="; micalg="pgp-sha1"; protocol="application/pgp-signature"
Date: Sun, 29 Nov 2015 16:43:44 -0500
Message-ID: <32380.1448833424@sandelman.ca>
Sender: mcr@sandelman.ca
Archived-At: <http://mailarchive.ietf.org/arch/msg/anima/HCwlkVJldS79Tp0gfUcrqC2Vgtk>
Subject: [Anima] some comments on -- draft-ietf-anima-grasp-01
X-BeenThere: anima@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Autonomic Networking Integrated Model and Approach <anima.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/anima>, <mailto:anima-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/anima/>
List-Post: <mailto:anima@ietf.org>
List-Help: <mailto:anima-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/anima>, <mailto:anima-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 29 Nov 2015 21:43:47 -0000
section 2.1, part 2.
>2.1. Requirements for Discovery
> 2. When an ASA first starts up, it has no knowledge of the specific
> network to which it is attached. Therefore the discovery process
> must be able to support any network scenario, assuming only that the
> device concerned is bootstrapped from factory condition.
I'm thinking that there is more to this: the ASA may assume that the device,
having been bootstrapped, now has a secured ACP with the local machine.
(The exception being a bootstrap ASA, but I'm not convinced GRASP should be
used for that)
I think that we should also need to think about channel binding mechanisms so
that the ASA doesn't have to do all it's own security work, and so that an
ASA can potentially put a bit more trust into the source address of a packet.
We also need to discuss how/if an ASA that do wants to do its own security
gets access to the validated device identity. The possibility that the device
would act as a sub-CA signing each of the ASAs. Another model would have the
device enroll each of the ASA into an ASA-type-specific CA. (Finding/creating
that ASA-specific-CA being a meta goal.)
> 8. The discovery process must not generate excessive (multicast)
> traffic and must take account of sleeping nodes in the case of a
> resource-constrained network [RFC7228].
First, 7228 defines constrained devices, and challenged networks.
"resource-constrained network" isn't a thing in 7228, so that needs to be
clarified.
Second, if the ACP is implemented as I think it ought to, we won't support
any kind of native multicast. We could provide multicast via
draft-ietf/roll-trickle-mcast, or draft-bergmann-bier-ccast perhaps, or PIM.
I don't think it's worth doing any of these things at the IP layer, I think
that there will be grasp daemons running at each vertice of the ACP, and so I
think that we should do flooding at the application layer, much like DNCP
does for Homenet.
> 25. The protocol needs to be fully secured against forged messages
> and man-in-the middle attacks, and secured as much as reasonably
> possible against denial of service attacks. It needs to be capable
> of encryption in order to resist unwanted monitoring, although this
> capability may not be required in all deployments. However, it is
> not required that the protocol itself provides these security
> features; it may depend on an existing secure environment.
I feel like there is too much hedging. This is where my comment that we seem
to be writing at cross-purposes come to play. I think it would be better to
say:
+ 25. The protocol is expected to run on top of a secure
infrastructure provided by the Autonomic Control Plane (ACP)
[I-D.ietf-anima-autonomic-control-plane]. The ACP is
expected to defend against: forged messages and man-in-the
middle attacks, as well as provide for mitigation of against
denial of service attacks from nodes not into the ACP. The
ACP is further expected to provide a private channel.
I think that the words here:
> , although this
> capability may not be required in all deployments.
are insufficiently supported. Why should the protocol be complicated in this
fashion? 3.3.1 goes on to say:
>3.3.1. Required External Security Mechanism
>
> The protocol SHOULD run within a secure Autonomic Control Plane (ACP)
> [I-D.ietf-anima-autonomic-control-plane]. The ACP MUST provide a
> status indicator to inform GRASP that the ACP is operational.
>
> If there is no ACP, the protocol MUST use another form of strong
> authentication and SHOULD use a form of strong encryption. TLS
> [RFC5246] or DTLS [RFC6347] are RECOMMENDED for this purpose, based
> on a local Public Key Infrastructure (PKI) [RFC5280] managed within
> the autonomic network itself.
so, let's not sit on the fence here. Can we please decide if we want an ACP,
and if we don't, then let's stop working on it.
If the designers of GRASP are thinking of using it in some other
non-Autonomic situation, then please write a new document that inherits from
draft-ietf-anima-grasp for that purpose.
--
Michael Richardson <mcr+IETF@sandelman.ca>, Sandelman Software Works
-= IPv6 IoT consulting =-
- [Anima] some comments on -- draft-ietf-anima-gras… Michael Richardson
- Re: [Anima] some comments on -- draft-ietf-anima-… Brian E Carpenter
- Re: [Anima] some comments on -- draft-ietf-anima-… Michael Richardson
- Re: [Anima] some comments on -- draft-ietf-anima-… Brian E Carpenter
- Re: [Anima] some comments on -- draft-ietf-anima-… Michael Richardson