Re: [Anima] Discovery of proxy/registrar insufficient (GRASP and more).
Brian E Carpenter <brian.e.carpenter@gmail.com> Mon, 02 May 2022 22:05 UTC
Return-Path: <brian.e.carpenter@gmail.com>
X-Original-To: anima@ietfa.amsl.com
Delivered-To: anima@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 77B69C15E3EA for <anima@ietfa.amsl.com>; Mon, 2 May 2022 15:05:52 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.955
X-Spam-Level:
X-Spam-Status: No, score=-3.955 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, NICE_REPLY_A=-1.857, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id N-oHukyHWWsW for <anima@ietfa.amsl.com>; Mon, 2 May 2022 15:05:47 -0700 (PDT)
Received: from mail-pj1-x1031.google.com (mail-pj1-x1031.google.com [IPv6:2607:f8b0:4864:20::1031]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id C0705C159A24 for <anima@ietf.org>; Mon, 2 May 2022 15:05:47 -0700 (PDT)
Received: by mail-pj1-x1031.google.com with SMTP id a15-20020a17090ad80f00b001dc2e23ad84so575115pjv.4 for <anima@ietf.org>; Mon, 02 May 2022 15:05:47 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20210112; h=subject:to:references:from:message-id:date:user-agent:mime-version :in-reply-to:content-language:content-transfer-encoding; bh=OEAZJruCPUEADJdXMAG4MhuPXfbBRn39fCUkwpqLyEs=; b=ph8oN0mH3gUkWFhCbp7S6VGyQowa/8KnsiY4Dkx0PR3BnD9Zi+e67xo/UrOJALrYRX sqKMMivmX0hQga15mHWGPeJPZtVFXC8xo3HyUlx3VGNm7pyPgTBojlZpxCDPopP8M6lA dZgXyS9JY3r31LnnfR9RygZlYO8/x5vlx3jrbR093Qb8TrGWOEXaRCQWR8erw8KZCwrH nuRY0b7kUg/hsuRa1XAUg7JemsuD/i6XX4Sf6sob3MYFJ9MHrxUptpQ97pKJZaWTv7zG McDwxtG3oOU6B1bYcujWHHvEKQif81gB0XwmQzh2m+19IIi08w8SyfNp7we+vwsR5Vdg WlYw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=x-gm-message-state:subject:to:references:from:message-id:date :user-agent:mime-version:in-reply-to:content-language :content-transfer-encoding; bh=OEAZJruCPUEADJdXMAG4MhuPXfbBRn39fCUkwpqLyEs=; b=z+A8babTr8Kt4DzrN8u+n52lYNe8IvBagXI3dZVKwgKG5FQWeP8533dro4c+0TwVil XZQ0tMWzYaWOQlsG9qA5UwEerbRQMfJHrC4iFQzPZCR8Nb5vZs58Qyc8tCchYv4B+t4F L1syXoAqn/c93oth+MRc0OTvcrZuryfJMMffvvf7tV6dV5mZGdC3eCCTg5bGdvjIveUL 7KZyQYyy0oPMvyBSfKCdcujXmutTK7iOvaZw+RhuZ6vFR5Gh9vkA7A3j6DO7zBGKBroI NMSmsuhC5Cd5x+M+n6d7B54GAhKBP2ZKXPn/CuRXoZLTvg8GSSu0pdNHSI6yiqf4Vhai oZ7g==
X-Gm-Message-State: AOAM531CNhkBEPlZDVmq050e4FW0OAzmoaHYWHR18tXdjfDkBg9LljME UafaSnX+k11ZhJ+Yl4f6kNii7lQ1wcxmzA==
X-Google-Smtp-Source: ABdhPJzb20Iejug4Zd1+hDZ3xnMaWfffqabypCvCG9AS/uUstBTJWIFF36gteV7mdvrKLYwji/uzlQ==
X-Received: by 2002:a17:90a:d584:b0:1bc:e520:91f2 with SMTP id v4-20020a17090ad58400b001bce52091f2mr1385951pju.192.1651529145676; Mon, 02 May 2022 15:05:45 -0700 (PDT)
Received: from ?IPv6:2406:e003:1005:b501:80b2:5c79:2266:e431? ([2406:e003:1005:b501:80b2:5c79:2266:e431]) by smtp.gmail.com with ESMTPSA id s4-20020a62e704000000b0050dc762816csm5155075pfh.70.2022.05.02.15.05.43 (version=TLS1_3 cipher=TLS_AES_128_GCM_SHA256 bits=128/128); Mon, 02 May 2022 15:05:44 -0700 (PDT)
To: Michael Richardson <mcr+ietf@sandelman.ca>, Toerless Eckert <tte@cs.fau.de>, anima@ietf.org
References: <YlWUA7xhMU2XtJsz@faui48e.informatik.uni-erlangen.de> <388791.1649870361@dooku> <Ymc57cpieDGAcn1X@faui48e.informatik.uni-erlangen.de> <8866.1651512153@localhost>
From: Brian E Carpenter <brian.e.carpenter@gmail.com>
Message-ID: <823eaecd-ca8d-356a-6637-c12d9b6cdee4@gmail.com>
Date: Tue, 03 May 2022 10:05:40 +1200
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:78.0) Gecko/20100101 Thunderbird/78.10.0
MIME-Version: 1.0
In-Reply-To: <8866.1651512153@localhost>
Content-Type: text/plain; charset="utf-8"; format="flowed"
Content-Language: en-US
Content-Transfer-Encoding: quoted-printable
Archived-At: <https://mailarchive.ietf.org/arch/msg/anima/LdMPU0lcGbgO3g2Ig2dyBBGNAl8>
Subject: Re: [Anima] Discovery of proxy/registrar insufficient (GRASP and more).
X-BeenThere: anima@ietf.org
X-Mailman-Version: 2.1.34
Precedence: list
List-Id: Autonomic Networking Integrated Model and Approach <anima.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/anima>, <mailto:anima-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/anima/>
List-Post: <mailto:anima@ietf.org>
List-Help: <mailto:anima-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/anima>, <mailto:anima-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 02 May 2022 22:05:52 -0000
On 03-May-22 05:22, Michael Richardson wrote: > > Toerless Eckert <tte@cs.fau.de> wrote: > > (1) > > >> Yes, you are right, we need to have a new objective to announce. > >> I guess that we don't really think about the constrained-join-proxy really > >> being used in an ACP context, but we really should that right. > > > I don't think this is true. As soon as EST-COAPS proliferates as an RFC, > > the choice of TLS vs. COAPS becomes not only a necessity for constrained > > devices, but also a preference choice by solution designers. Less code > > modules etc. > > We may be using different terminology, and being in violent agreement. > > I am saying that the existing GRASP M_FLOOD specified in RFC8995, > > RFC8995 4.1.1 says: > > flood-message = [M_FLOOD, session-id, initiator, ttl, > +[objective, (locator-option / [])]] > > objective = ["AN_Proxy", objective-flags, loop-count, > objective-value] > > ... > locator-option = [ O_IPv6_LOCATOR, ipv6-address, > transport-proto, port-number ] > ipv6-address = the v6 LL of the Proxy > $transport-proto /= IPPROTO_TCP ; note that this can be any value > ; from the IANA protocol registry, > ; as per RFC 8990, Section 2.9.5.1, > ; Note 3. > > and I'm saying that we'd have: > $transport-proto /= IPPROTO_UDP ; ... Or you could invent a new value outside the IANA range to indicate CoAPS, as the second sentence in Note 3 suggests: https://www.rfc-editor.org/rfc/rfc8990.html#section-2.9.5.1-6 > to indicate to use CoAPS (UDP/DTLS). That's in the latest draft in section > 6.1.2 (for AN_Registrar) and 6.2.2 (AN_Proxy). But section 6.2/6.3 is wrong, and > I'm fixing it at: > > https://github.com/anima-wg/constrained-join-proxy/pull/20 > > Brian, in RFC8995, we leave "objective-value" empty, while this document > wants to set it to "BRSKI_JP", and I don't think that does anything useful. That's a design choice you're free to make, of course. Brian > > > (2) > > > Separate question: Do we have a good understanding which solution > > that needs the constrained proxy will use which discovery mechanism ? > > > I am asking because if/where there are gaps in supported discovery mechanisms, > > we might be able to suggest GRASP without ACP. Which would be somewhat of another > > draft.. > > GRASP DULL is easy. > In some sense, for IoT networks, there is *only* the ACP :-) > > >> We decided that Registrars will be responsible for interoperation, and will > >> support all protocols the operator expects to use. If you buy a Registrar > >> that does not do X and a pledge that only does X, then it fails, and you were > >> stupid. > > > (4) > > > In the first place this needs to be written down. > > > But i'd rather like to argue it away because i think it is an unnecessary > > constraining "hack". > > > Why have all this discovery mechanisms when they are not even used correctly. > > Underspecifying the exact service(s) a Registrar offers is like announcing > > "Oh, go to google for the WHATEVER services". > > No, that's not at all what we said. > > > I don't see that implementations would get more complex, but rather > > simpler if we simply are able to distinguish the different protocol options > > by their service name/parameters and have proxies/clients be able to select > > them. > > I think that we did exactly this. > > >> You aren't wrong, but you also aren't right. > >> Pledges are expected to try all options (possibly concurrently if they have > >> CPU/ram) until they find one that works. There is no reason the join proxy > >> needs to know the details of the Registrar supports, only that they support a > >> way to talk to it. > > > (5) > > > That "trial&error" too should be described if its here to stay. Even if just > > through a reference to an appropriate section in 8995 (if its in there, not sure). > > I don't think that we need to have a document that says read 8995 in a dozen places. > > > How about cert renewal, did you folks discuss if this would ever be something > > pledges would want to do through the proxy ? In the case of ACP we did > > Nope, never. Just like in BRSKI. > > >> > I wonder if the names choosen for est-coaps discovery, brski.jp and > >> > brski.rjp are ideal indicative of the fact that we're rather defining > >> > brski-est-coaps.jp and brski-est-coaps.rjp. I guess beauty/explicitness > >> > >> Fair point. > > > (7) > > > I guess a compromise for (4) would be new text that leaves the decision for > > how to deal with the next enrollment protocol/encoding to such a followu draft: > > > IF implementers of a new variant feel that all existing/deployed registrars > > will and should be able to support the new protocol variant (e.g.: brski-xmp-xyz), > > then that protocol option does not need to come up with a new > > variation. > > You can bikeshed the names. I don't really care. > > >> Because, we defined the proxy to have a standard interface. > > > What does that mean ? Do all proxies need to support both modes, or > > is there only the requirement for one mode, but some undefined entity has to > > figue out what registrar/proxies in some network should decide to use ? > > What does "what does that mean"? I wrote an explanation, that I don't think > you read. > > The "standard" interface from a join proxy to the pledge (if it's DTLS) is to > use CoAP over DTLS, on the port given. The details of how it gets back to > the Registrar is irrelevant to the pledge. > (If it's TLS, then it's RFC8995. > (If it's OSCORE/EDHOC, then it's TBD) > > >> (Except for CoAP/OSCORE vs CoAPS above) > > > OSCORE = ? > > OSCORE. RFC8613. > > -- > Michael Richardson <mcr+IETF@sandelman.ca> . o O ( IPv6 IøT consulting ) > Sandelman Software Works Inc, Ottawa and Worldwide > > > _______________________________________________ > Anima mailing list > Anima@ietf.org > https://www.ietf.org/mailman/listinfo/anima >
- [Anima] Discovery of proxy/registrar insufficient… Toerless Eckert
- Re: [Anima] Discovery of proxy/registrar insuffic… Brian E Carpenter
- Re: [Anima] Discovery of proxy/registrar insuffic… Toerless Eckert
- Re: [Anima] Discovery of proxy/registrar insuffic… Michael Richardson
- Re: [Anima] Discovery of proxy/registrar insuffic… Toerless Eckert
- Re: [Anima] Discovery of proxy/registrar insuffic… Brian E Carpenter
- Re: [Anima] Discovery of proxy/registrar insuffic… Peter van der Stok
- Re: [Anima] Discovery of proxy/registrar insuffic… Toerless Eckert
- Re: [Anima] Discovery of proxy/registrar insuffic… Brian E Carpenter
- Re: [Anima] Discovery of proxy/registrar insuffic… Brian E Carpenter
- [Anima] GRASP securty/transport substrate alterna… Toerless Eckert
- Re: [Anima] Discovery of proxy/registrar insuffic… Michael Richardson
- Re: [Anima] Discovery of proxy/registrar insuffic… Peter van der Stok
- Re: [Anima] Discovery of proxy/registrar insuffic… Michael Richardson
- Re: [Anima] Discovery of proxy/registrar insuffic… Brian E Carpenter
- Re: [Anima] Discovery of proxy/registrar insuffic… Toerless Eckert
- Re: [Anima] Discovery of proxy/registrar insuffic… Toerless Eckert
- Re: [Anima] Discovery of proxy/registrar insuffic… Brian E Carpenter
- [Anima] FYI: est-coaps registered (was: Re: Disco… Toerless Eckert
- Re: [Anima] Discovery of proxy/registrar insuffic… Michael Richardson
- Re: [Anima] Discovery of proxy/registrar insuffic… Michael Richardson
- Re: [Anima] FYI: est-coaps registered (was: Re: D… Michael Richardson
- Re: [Anima] Discovery of proxy/registrar insuffic… Michael Richardson
- Re: [Anima] Discovery of proxy/registrar insuffic… Michael Richardson
- Re: [Anima] FYI: est-coaps registered (was: Re: D… Carsten Bormann
- Re: [Anima] Discovery of proxy/registrar insuffic… Brian E Carpenter
- Re: [Anima] FYI: est-coaps registered (was: Re: D… Toerless Eckert
- [Anima] Carsten: Re: FYI: est-coaps registered (w… Toerless Eckert
- Re: [Anima] FYI: est-coaps registered (was: Re: D… Michael Richardson
- Re: [Anima] FYI: est-coaps registered (was: Re: D… Toerless Eckert
- Re: [Anima] FYI: est-coaps registered (was: Re: D… Brian E Carpenter
- Re: [Anima] FYI: est-coaps registered (was: Re: D… Michael Richardson
- Re: [Anima] FYI: est-coaps registered (was: Re: D… Esko Dijk