[Anima] Operational Considerations for BRSKI Registrar

Michael Richardson <mcr+ietf@sandelman.ca> Mon, 07 March 2022 02:06 UTC

From: Michael Richardson <mcr+ietf@sandelman.ca>
To: anima@ietf.org
In-Reply-To: <164661793331.9063.10876907349131517548@ietfa.amsl.com>
References: <164661793331.9063.10876907349131517548@ietfa.amsl.com>
Date: Sun, 06 Mar 2022 21:06:05 -0500
Message-ID: <13160.1646618765@localhost>
Archived-At: <https://mailarchive.ietf.org/arch/msg/anima/LVYGwl3WrSfPq5nynl8nv7Sre54>
Subject: [Anima] Operational Considerations for BRSKI Registrar
List-Id: Autonomic Networking Integrated Model and Approach <anima.ietf.org>

internet-drafts@ietf.org wrote:
    > A new version of I-D, draft-richardson-anima-registrar-considerations-05.txt
    > has been successfully submitted by Michael Richardson and posted to the
    > IETF repository.

    > Name:		draft-richardson-anima-registrar-considerations
    > Revision:	05
    > Title:		Operational Considerations for BRSKI Registrar

    > Html:           https://www.ietf.org/archive/id/draft-richardson-anima-registrar-considerations-05.html
    > Diff:           https://www.ietf.org/rfcdiff?url2=draft-richardson-anima-registrar-considerations-05

I have posted a new version of my draft on operational considerations for a
BRSKI Registrar.
The document was not renewed during 2021 due to other priorities.

I wrote this document to explore some of the design issues around using BRSKI
in a variety of network scenarios:  Tier-1 ISPs, Enterprises, and Home Networks.

The different deployment scenarios do not call for the same technologies in
the registrar, and this is part of the point of this document.

One of the things in this document is the Enterprise/Tier-1 asynchronous
deployment model, where the "Northbound" BRSKI-MASA interface is not directly
connected to the "Southbound" BRSKI-EST interface.  (See figure 3).
In such a case, it may not be the case that the TLS Client Certificate used
by the BRSKI-MASA interface is identical to the Registrar/Domain certificate.

This explanation was useful in getting some of the final discuss details in
RFC8995, which were further clarified in constrained-voucher section 4,
about pinning.

In creating Figure 1, with Denver/SanJose/NYC/Frankfurt/etc., it was my
intention to discuss issues of onboarding, database synchronization,
certificate renewal (via EST)... in the face of network partition.
That content has not yet made it into this document.

--
Michael Richardson <mcr+IETF@sandelman.ca>   . o O ( IPv6 IøT consulting )
           Sandelman Software Works Inc, Ottawa and Worldwide