IETF Logo Mail Archive

Re: [Anima] Last Call: <draft-ietf-anima-bootstrapping-keyinfra-20.txt> (Bootstrapping Remote Secure Key Infrastructures (BRSKI)) to Proposed Standard

Michael Richardson <mcr+ietf@sandelman.ca> Thu, 13 June 2019 14:54 UTC

Return-Path: <mcr+ietf@sandelman.ca>
X-Original-To: anima@ietfa.amsl.com
Delivered-To: anima@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id DEE8B1201EF; Thu, 13 Jun 2019 07:54:02 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.199
X-Spam-Level:
X-Spam-Status: No, score=-4.199 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ziZUkzM1y8C1; Thu, 13 Jun 2019 07:54:00 -0700 (PDT)
Received: from tuna.sandelman.ca (tuna.sandelman.ca [IPv6:2607:f0b0:f:3:216:3eff:fe7c:d1f3]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 23434120328; Thu, 13 Jun 2019 07:53:47 -0700 (PDT)
Received: from sandelman.ca (unknown [IPv6:2607:f0b0:f:2:56b2:3ff:fe0b:d84]) by tuna.sandelman.ca (Postfix) with ESMTP id 91BDA380BE; Thu, 13 Jun 2019 10:52:21 -0400 (EDT)
Received: by sandelman.ca (Postfix, from userid 179) id 804F1FD8; Thu, 13 Jun 2019 10:53:46 -0400 (EDT)
Received: from sandelman.ca (localhost [127.0.0.1]) by sandelman.ca (Postfix) with ESMTP id 7DC7EF4A; Thu, 13 Jun 2019 10:53:46 -0400 (EDT)
From: Michael Richardson <mcr+ietf@sandelman.ca>
To: "Owen Friel (ofriel)" <ofriel@cisco.com>
cc: "ietf@ietf.org" <ietf@ietf.org>, IETF-Announce <ietf-announce@ietf.org>, "ibagdona@gmail.com" <ibagdona@gmail.com>, "draft-ietf-anima-bootstrapping-keyinfra@ietf.org" <draft-ietf-anima-bootstrapping-keyinfra@ietf.org>, "anima-chairs@ietf.org" <anima-chairs@ietf.org>, "anima@ietf.org" <anima@ietf.org>, "tte+ietf@cs.fau.de" <tte+ietf@cs.fau.de>
In-Reply-To: <DM6PR11MB3385616C4FB4DF6F6314B737DBEF0@DM6PR11MB3385.namprd11.prod.outlook.com>
References: <155847367546.2608.5031283783681425886.idtracker@ietfa.amsl.com> <DM6PR11MB3385616C4FB4DF6F6314B737DBEF0@DM6PR11MB3385.namprd11.prod.outlook.com>
X-Mailer: MH-E 8.6; nmh 1.7+dev; GNU Emacs 24.5.1
X-Face: $\n1pF)h^`}$H>Hk{L"x@)JS7<%Az}5RyS@k9X%29-lHB$Ti.V>2bi.~ehC0; <'$9xN5Ub# z!G,p`nR&p7Fz@^UXIn156S8.~^@MJ*mMsD7=QFeq%AL4m<nPbLgmtKK-5dC@#:k
MIME-Version: 1.0
Content-Type: multipart/signed; boundary="=-=-="; micalg="pgp-sha256"; protocol="application/pgp-signature"
Date: Thu, 13 Jun 2019 10:53:46 -0400
Message-ID: <7971.1560437626@localhost>
Archived-At: <https://mailarchive.ietf.org/arch/msg/anima/LJR3W75cHpblx7Nvp6OQ2DGQww0>
Subject: Re: [Anima] Last Call: <draft-ietf-anima-bootstrapping-keyinfra-20.txt> (Bootstrapping Remote Secure Key Infrastructures (BRSKI)) to Proposed Standard
X-BeenThere: anima@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Autonomic Networking Integrated Model and Approach <anima.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/anima>, <mailto:anima-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/anima/>
List-Post: <mailto:anima@ietf.org>
List-Help: <mailto:anima-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/anima>, <mailto:anima-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 13 Jun 2019 14:54:03 -0000

Owen Friel (ofriel) <ofriel@cisco.com> wrote:
    > Late feedback, but its ambiguous in the draft how vendor default Cloud
    > Registrar
    > https://tools.ietf.org/html/draft-ietf-anima-bootstrapping-keyinfra-20#section-2.7
    > and redirects as described in
    > https://tools.ietf.org/html/draft-ietf-anima-bootstrapping-keyinfra-20#section-5.6
    > should interact.

    > Should the cloud registrar redirect immediately in response to the
    > voucher request, so that the pledge then sends the voucher request via
    > a local domain RA?

The cloud registrar concept is not intended to be a normative part of BRSKI.
We went through a bunch of text to try to make that clear, but maybe we have
still failed.

We are simply saying that a pledge MAY do something else, such as direct EST
back to the manufacturer, and you are astute to realize that the manufacturer
might redirect to the customer's Internet visible Registrar.

Please feel free to start a document that explains this, as I have this as
part of a back of the envelope design as well.  We think it's a large ocean,
and we think that NETMOD ZERO TOUCH has some really good ideas here too.

We are also trying to keep the door open to completely autonomous networks,
where even the Registrar bootstraps itself:

draft>   In such a future situation, the device might use this
draft>   management interface to learn that it should configure itself to
draft>   become the local registrar.

As such, I think that your questions and feedback are "future work"
5.6 has the text:

draft>   In order to avoid infinite redirect loops, which a malicious
draft>   registrar might do in order to keep the pledge from discovering the
draft>   correct registrar, the pledge MUST NOT follow more than one
draft>   redirection (3xx code) to another web origins.  EST supports
draft>   redirection but requires user input; this change allows the pledge to
draft>   follow a single redirection without a user interaction.

We had to say something about redirection, because EST supports it.
We decided that we would permit a single redirection, but we did not
have a definite operational reason for this, we just felt it was important.

In most cases, the pledge connects to the Registrar using a proxy,
so the pledge actually cannot decide to connect elsewhere. It always
connects through the proxy, and the proxy does not interpret the URL.

So, the only useful redirection that makes sense is to a different
URL and/or virtual Host: on the same end point.  This might be done
for reasons of load balancing, or to leverage the EST domain concept.
We did not want to predict or proscribe something here, just to make
the pledge did not get into an infinite redirect loop, yet still permit 3xx
codes to be useful in the future.

--
Michael Richardson <mcr+IETF@sandelman.ca>, Sandelman Software Works
 -= IPv6 IoT consulting =-

v2.23.0 | Report a Bug | By Email