IETF Logo Mail Archive

Re: [Anima] Adam Roach's Discuss on draft-ietf-anima-bootstrapping-keyinfra-22: (with DISCUSS and COMMENT)

Eliot Lear <lear@cisco.com> Mon, 15 July 2019 07:40 UTC

Return-Path: <lear@cisco.com>
X-Original-To: anima@ietfa.amsl.com
Delivered-To: anima@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 079CC120074; Mon, 15 Jul 2019 00:40:03 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -14.502
X-Spam-Level:
X-Spam-Status: No, score=-14.502 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_HI=-5, SPF_PASS=-0.001, USER_IN_DEF_DKIM_WL=-7.5] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=cisco.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id lLBsuEx5gfcZ; Mon, 15 Jul 2019 00:40:00 -0700 (PDT)
Received: from aer-iport-4.cisco.com (aer-iport-4.cisco.com [173.38.203.54]) (using TLSv1.2 with cipher DHE-RSA-SEED-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 02FB212001E; Mon, 15 Jul 2019 00:39:59 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cisco.com; i=@cisco.com; l=3594; q=dns/txt; s=iport; t=1563176400; x=1564386000; h=from:message-id:mime-version:subject:date:in-reply-to:cc: to:references; bh=8Uh+VkmV/7Yb8JKBiokqGARi6F3tBiejJbCQzGXnlLc=; b=OrNUdN9xrRLJHY/1FK+g6HRiIvPq6Ffyo0l0J610VNfO86WXhym0F/4o mzKyGyH1W+Dw9YAXuyEmKibeblhnQmAXASnTwOsHLhCp12k/qRCxi7JaQ LbA6dM7ZWhZwRHGcM3Fl4Hi/dZ/MbEVbSbmqM9FHfIC5GRsPCKpCqum3J k=;
X-Files: signature.asc : 195
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: A0AHAAAgLSxd/xbLJq1mGgEBAQEBAgEBAQEHAgEBAQGBVAQBAQEBCwGDUQEgEiiEHIh7i1IlmH2BewIHAQEBCQMBAS8BAYRAAoJ9NQgOAQMBAQQBAQIBBW2FSIVKAQEBAQIBI1YFCwsYIwcCAlcGCgmDIgGBew+qKIEyhUeEYxCBNAGBUIolgX+BEScME4JMPodOMoImBIw4HIgdlXIJghuCH4EMjBkFhEMbk3iEEqF6gwsCBAYFAhWBUQE2gVgzGggbFWUBgkE+gjqODz0DMJArAQE
X-IronPort-AV: E=Sophos;i="5.63,493,1557187200"; d="asc'?scan'208";a="14252660"
Received: from aer-iport-nat.cisco.com (HELO aer-core-4.cisco.com) ([173.38.203.22]) by aer-iport-4.cisco.com with ESMTP/TLS/DHE-RSA-SEED-SHA; 15 Jul 2019 07:39:58 +0000
Received: from ams3-vpn-dhcp3718.cisco.com (ams3-vpn-dhcp3718.cisco.com [10.61.78.134]) by aer-core-4.cisco.com (8.15.2/8.15.2) with ESMTPS id x6F7dvvp021845 (version=TLSv1.2 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=NO); Mon, 15 Jul 2019 07:39:57 GMT
From: Eliot Lear <lear@cisco.com>
Message-Id: <A85B0B81-842C-4826-BDEB-8A2124F33622@cisco.com>
Content-Type: multipart/signed; boundary="Apple-Mail=_A3B84DC0-D8D0-458E-801A-6E2555B0865E"; protocol="application/pgp-signature"; micalg="pgp-sha1"
Mime-Version: 1.0 (Mac OS X Mail 12.4 \(3445.104.11\))
Date: Mon, 15 Jul 2019 09:39:56 +0200
In-Reply-To: <1692.1563030627@localhost>
Cc: draft-ietf-anima-bootstrapping-keyinfra@ietf.org, Adam Roach <adam@nostrum.com>, anima-chairs@ietf.org, The IESG <iesg@ietf.org>, Toerless Eckert <tte+ietf@cs.fau.de>, anima@ietf.org
To: Michael Richardson <mcr+ietf@sandelman.ca>
References: <156282703648.15280.17739830959261983790.idtracker@ietfa.amsl.com> <17580.1562874933@localhost> <ACEB4033-707F-47AF-B58A-5227B444BEAB@cisco.com> <1692.1563030627@localhost>
X-Mailer: Apple Mail (2.3445.104.11)
X-Outbound-SMTP-Client: 10.61.78.134, ams3-vpn-dhcp3718.cisco.com
X-Outbound-Node: aer-core-4.cisco.com
Archived-At: <https://mailarchive.ietf.org/arch/msg/anima/Hh2HXpsPMjSNAZgA-9c92JoMKkI>
Subject: Re: [Anima] Adam Roach's Discuss on draft-ietf-anima-bootstrapping-keyinfra-22: (with DISCUSS and COMMENT)
X-BeenThere: anima@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Autonomic Networking Integrated Model and Approach <anima.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/anima>, <mailto:anima-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/anima/>
List-Post: <mailto:anima@ietf.org>
List-Help: <mailto:anima-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/anima>, <mailto:anima-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 15 Jul 2019 07:40:03 -0000


> On 13 Jul 2019, at 17:10, Michael Richardson <mcr+ietf@sandelman.ca> wrote:
> 
> Signed PGP part
> 
> Eliot Lear <lear@cisco.com> wrote:
>> I think the simplest way to address the bulk of both Adam’s and
>> Warren’s concern is to require the device to emit via whatever
>> management interface exists, upon request, a voucher that it has signed
>> with its own iDevID.  It would have to be nonceless with perhaps a long
>> expiry, and that would cover a number of other use cases as well.  That
>> way if the manufacturer goes out of business, or if the owner wants to
>> transfer the device without manufacturer consent, there is a way
>> forward.
> 
> 1) would it have a pinned-domain-cert for the new owner, or would it be
>   some kind of wildcard/bearer voucher?

Again, I think this is a matter for the seller, and also a matter for the seller as to when the voucher is generated, so that it doesn’t need to lie around.  I was also thinking that this would be the sort of thing that could be printed out, either in a QR or OCR form, if necessary.

> 
> 2) what would the management interface be, specifically, how would it be
>   secured?

The reason I mentioned CIP and Profinet in a previous message is that once the device is bootstrapped, if it has a management interface, that is what should be used.  Adding new services on a device is undesirable. This covers the case when the manufacturer becomes unavailable.  However, it should be viewed as a backstop.  See below.

> 
> This would seem to cover the case where there is an orderly sale of equipment
> From an owner who is still in business to a new owner who is ready to receive
> the device.  In my experience buying used routing equipment, this is never
> the case.

Unless the owner printed out such a label in advance.  The point is that the mechanism could reasonably be used.  Many credentials are written on your wireless devices right now.  This give you the option for that not to be the case (people needn’t worry about Siemens, Rockwell, JCI, Honeywell, or Schneider Electric going out of business anytime soon, for instance - they may feel differently about Joe’s Tool and Die).

Another way to look at this would be to for the manufacturer to ping the owner periodically to reconfirm ownership.  If the owner fails to respond, allow another owner to transfer the device.  Or… simply ping the owner when a transfer request is made.  But these require that the MASA be present.

To Adam’s broader point, there are at least several ways to approach this.  We can leave it to the vendor to decide which is correct, and we can continue to look to standardize ideas such as the one Michael had in the message I’m replying to now.

Eliot

v2.23.0 | Report a Bug | By Email