IETF Logo Mail Archive

Re: [Anima] Discovery of proxy/registrar insufficient (GRASP and more).

Brian E Carpenter <brian.e.carpenter@gmail.com> Tue, 12 April 2022 20:46 UTC

Return-Path: <brian.e.carpenter@gmail.com>
X-Original-To: anima@ietfa.amsl.com
Delivered-To: anima@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 3B12C3A1798; Tue, 12 Apr 2022 13:46:12 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.109
X-Spam-Level:
X-Spam-Status: No, score=-2.109 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, NICE_REPLY_A=-0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 9vizhhRTF8fA; Tue, 12 Apr 2022 13:46:07 -0700 (PDT)
Received: from mail-pj1-x1033.google.com (mail-pj1-x1033.google.com [IPv6:2607:f8b0:4864:20::1033]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 66A403A1221; Tue, 12 Apr 2022 13:45:46 -0700 (PDT)
Received: by mail-pj1-x1033.google.com with SMTP id 2so19598496pjw.2; Tue, 12 Apr 2022 13:45:46 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20210112; h=subject:to:references:from:message-id:date:user-agent:mime-version :in-reply-to:content-language:content-transfer-encoding; bh=zwnEQws5J8az/Ki5pFZHX/RGXy1b80AI13nrIOYSYNE=; b=iyD8yayFuC/jeGGc5abt3qEvrUhKTGHOJNoJZ/jENydau0HZlFzdYJ4nJDM0nBCKx3 uQwlHfXrClbzQZvW8HE6uGHxg0SBtzW9Q/5t7cmvlJDcSMKlR/ibAlAtRJCTzGiqrMRv fioMvz6y/X/TiFadXHlYujC1FRp89ODar2FdetushFsxUMkK04MQonjJwBA6ZVxBQz3/ 8MVQ88WV9p9muhhLxMnLTHrhZK66hAuM4cVuCOyO+pUd9Aky7IV0KPEc7X9Vo0NTZx7j DtR73Hcl5VVkm+4q+9IgVMoaY5aCr6QMJWhgIQzHML8qWiqyE+XyI0j3PEDg6yo+VMdJ 7hQw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=x-gm-message-state:subject:to:references:from:message-id:date :user-agent:mime-version:in-reply-to:content-language :content-transfer-encoding; bh=zwnEQws5J8az/Ki5pFZHX/RGXy1b80AI13nrIOYSYNE=; b=toUs+qBHUImWtNsUuul4cKV9EPnyxRgwVq1CKsKYxjwkaj1c54LQ7Iau72Ak6OKyY/ OkzF4+upbz8vC0zha7LkWyPNuRfijuSL7+cdcJ4gYI0Fm2kkjf+JlRQ740KdstrOysvg 0VQCCd9Gm7BwRNu4h0VOdPZW5d3KwmN3YtbD2Zp4chrMV+4A4fFpJjjj/m/D2DNy3BE7 DzfBCrxgiTwhSngVnEOZviMbVkFnj7QPn1y1FXJBZj/INRCA1TeKzcaziy6CoN0eJ7Ap Pgouz9788GCew6FjnuWZ1dZUDTyLXPbULP52Jq81vxZGe19zyF2DSr6OBx00S0t2NGcF Bmng==
X-Gm-Message-State: AOAM530cJ5PZdpjzJnlP6JeDHb2DpSrQ+Wlgiiaf2AvRwFh4SAksVr+m CPGiVtuBQuOSTyIcQPu+UoMx6bh36awjFA==
X-Google-Smtp-Source: ABdhPJy4EYMfllO5M2edG/0BqgpzwCLOfBM5lbcSrgctnn3ae0CYKSXRR4I+hwPAlbZluFqffIW1mw==
X-Received: by 2002:a17:90b:1082:b0:1ca:aac5:5553 with SMTP id gj2-20020a17090b108200b001caaac55553mr6981274pjb.235.1649796345108; Tue, 12 Apr 2022 13:45:45 -0700 (PDT)
Received: from ?IPv6:2406:e003:1005:b501:80b2:5c79:2266:e431? ([2406:e003:1005:b501:80b2:5c79:2266:e431]) by smtp.gmail.com with ESMTPSA id j13-20020a056a00130d00b004f1025a4361sm41745410pfu.202.2022.04.12.13.45.42 (version=TLS1_3 cipher=TLS_AES_128_GCM_SHA256 bits=128/128); Tue, 12 Apr 2022 13:45:44 -0700 (PDT)
To: Toerless Eckert <tte@cs.fau.de>, anima@ietf.org, draft-ietf-anima-constrained-join-proxy@ietf.org, draft-ietf-anima-constrained-voucher@ietf.org, jiangsheng@huawei.com
References: <YlWUA7xhMU2XtJsz@faui48e.informatik.uni-erlangen.de>
From: Brian E Carpenter <brian.e.carpenter@gmail.com>
Message-ID: <6672a270-5a66-248c-b1f7-c3d56f80633f@gmail.com>
Date: Wed, 13 Apr 2022 08:45:39 +1200
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:78.0) Gecko/20100101 Thunderbird/78.10.0
MIME-Version: 1.0
In-Reply-To: <YlWUA7xhMU2XtJsz@faui48e.informatik.uni-erlangen.de>
Content-Type: text/plain; charset="utf-8"; format="flowed"
Content-Language: en-US
Content-Transfer-Encoding: 7bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/anima/HhkHhb94lOhBJw-xYXnb65Vi-uQ>
Subject: Re: [Anima] Discovery of proxy/registrar insufficient (GRASP and more).
X-BeenThere: anima@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Autonomic Networking Integrated Model and Approach <anima.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/anima>, <mailto:anima-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/anima/>
List-Post: <mailto:anima@ietf.org>
List-Help: <mailto:anima-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/anima>, <mailto:anima-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 12 Apr 2022 20:46:21 -0000

On 13-Apr-22 03:00, Toerless Eckert wrote:
> Note: I am writing this as a problem against only the join-proxy draft, but i think
> there may also be text affected in constrained-voucher. I just have not checked
> specifically which text.
> 
> draft-ietf-anima-constrained-join-proxy:
> 
> 1. GRASP discovery
> 
> 514     6.1.2.  GRASP discovery
> 
> 516        This section is normative for uses with an ANIMA ACP.  In the context
>                                                                 ^ ... according to RFC8994
> 
> 517        of autonomic networks, the Join Proxy uses the DULL GRASP M_FLOOD
> 518        mechanism to announce itself.  Section 4.1.1 of [RFC8995] discusses
> 519        this in more detail.  The Registrar announces itself using ACP
> 520        instance of GRASP using M_FLOOD messages.  Autonomic Network Join
> 521        Proxies MUST support GRASP discovery of Registrar as described in
> 522        section 4.3 of [RFC8995].
> 
> This is insufficient. Section 4.3 only describes the GRASP objective for
> EST-TLS, which uses the objective-value "EST-TLS". For the constrained join proxy,
> you need to specify the objective to use a new appropriate objective. For
> example, you could specify to continue to use AN_join_registrar, but use an
> objective-value of "EST-COAPS". That would IMHO be in the spirit of how we
> defined the RFC8995 GRASP objective. And astoundingly (;-)) it wouldn't require
> a new IANA registration (i think, Brian ?).

If RFC8990 has a weakness, it is indeed that only the initial registration
of a GRASP objective requires a specification and expert review. Personally
I think this is a good thing, since it allows for flexible extensibility.
Since the designated expert is Michael Richardson, he might have an opinion.

I agree that if extra values of the objective are needed, they should
be specified, and making that an Updates: 8995 seems appropriate.

> 
> Likewise, draft-ietf-anima-constrained-join-proxy needs to specify the Objective
> for Pledges to use for sectin 6.2.2. Section 4.1.1 of RFC8995 specifies astoundingly an empty
> objective-value instead of the logical "EST-TLS". I think this may be the same
> type of oversight as discussed below. I would suggest to also use "EST-COAPS".
> 
> Note that it is not sufficient to delta RFC8995 and mention "EST-COAPS", because
> the GRASP objective also needs to indicate UDP instead of TCP. Even though it
> is longer, it would IMHO be prudent to copy the whole GRASP objectives and
> examples from RFC8995 and accordingly modify them, so that the constrained-proxy
> draft is "standalone" in this respect (even if a page longer).

But it must still be Updates: 8995 if it extends the details of the objective.
(Regrettably, the proposed "Extends:" tag is still only an I-D.)

> 
> (but before finishing, see below for point 4.)
> 
> 2. Other (primarily CoAP) discoveries
> 
> Isn't there the thought that some other variations of BRSKI will use protocol
> variations, such as not CBOR+JSON ? some other "CMP" encoding ?
> 
> I am asking, because it seems to me we need to be aware, that the constrained-proxy
> is logically "just" a DTLS proxy, but once we have more than one DTLS BRSKI
> variation, we still need to be able for pledges to connect to registrar(s) that
> talk the BRSKI variation that the pledge supports. What we define here initially
> is effectively proxy/registrar for EST-COAPS. So let's assume, we get another
> protocol, OTHER1-DTLS. The constrained proxy continues to work, but it would now
> need to discover the OTHER1-DTLS Registrar, allocate a new UDP port number on
> which to offer proxy services for OTHER1-DTLS and announce that to pledges.
> 
> I fail to find appropriate text to that (extensibility) extend in the draft.
> 
> I wonder if the names choosen for est-coaps discovery, brski.jp and brski.rjp are
> ideal indicative of the fact that we're rather defining brski-est-coaps.jp and
> brski-est-coaps.rjp. I guess beauty/explicitness may need to take second place
> over encoding efficiency, but lets make sure that the draft text as well as
> the registration texts with IANA are as explicit as we can make them.
> 
> 3. 6tisch discovery
> 
> [I-D.ietf-6tisch-enrollment-enhanced-beacon] is now RFC9032, please update draft
> accordingly.
> 
> Upon quick browse of RFC9032 i fail to see how/where RFC9032 would be able to
> deal with more than one discovery protocol. E.g.: How would we discover
>     BRSKI-EST-COAPS-REGISTRAR
>     BRSKI-EST-COAPS-PROXY
>     OTHER1-DTLS-REGISTRAR
>     OTHER1-DTLS-PROXY
> 
> ?
> 
> 4. Stateful vs. stateless proxy discovery
> 
> How do i know as a customer of equipment know that all my pledges/proxies/registrars
> will interoperate in the face of those devices seemingly being able to freely
> pick stateful and/or stateless mode of operations ?
> 
> Given how none of the discovery methods so far includes a specification of the
> supported mode(s) of a proxy/registrar, i guess we will end up with only very
> limited solutions where even two vendors can pick different preferences (ony
> stateful, thre other stateless), and we end up with non-interoperable-by-vendor
> networks ?
> 
> First of all, whatever the desire of the authors is, it should be written more
> explicitly in the document. "Interoperability considerations" or the like.
> 
> Secondly, i would very much like to see discovery methods to indicate whether
> stateful and/or stateless are supported.
> 
> For example, with GRASP, it would of course be easy to indicate:
>     EST-COAPS-STATEFUL
>     EST-COAPS-STATELESS
> 
> This would require two separate GRASP objectives if a Registrar/Proxy supports both,
> but would be the most easy solution.

Alternatively add options to the objective value. The value can be whatever we want,
as long as we can say it in CBOR and make sure that the RFC8995 definition is a proper subset.

     Brian

> 
> Similarily, i guess we could have equal variations of the names for other discovery
> mechanisms.
> 
> Cheers
>      Toerless
> 
> _______________________________________________
> Anima mailing list
> Anima@ietf.org
> https://www.ietf.org/mailman/listinfo/anima
>

v2.23.0 | Report a Bug | By Email