IETF Logo Mail Archive

Re: [Anima] Discovery of proxy/registrar insufficient (GRASP and more).

Brian E Carpenter <brian.e.carpenter@gmail.com> Mon, 02 May 2022 22:05 UTC

Return-Path: <brian.e.carpenter@gmail.com>
X-Original-To: anima@ietfa.amsl.com
Delivered-To: anima@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 77B69C15E3EA for <anima@ietfa.amsl.com>; Mon, 2 May 2022 15:05:52 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.955
X-Spam-Level:
X-Spam-Status: No, score=-3.955 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, NICE_REPLY_A=-1.857, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id N-oHukyHWWsW for <anima@ietfa.amsl.com>; Mon, 2 May 2022 15:05:47 -0700 (PDT)
Received: from mail-pj1-x1031.google.com (mail-pj1-x1031.google.com [IPv6:2607:f8b0:4864:20::1031]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id C0705C159A24 for <anima@ietf.org>; Mon, 2 May 2022 15:05:47 -0700 (PDT)
Received: by mail-pj1-x1031.google.com with SMTP id a15-20020a17090ad80f00b001dc2e23ad84so575115pjv.4 for <anima@ietf.org>; Mon, 02 May 2022 15:05:47 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20210112; h=subject:to:references:from:message-id:date:user-agent:mime-version :in-reply-to:content-language:content-transfer-encoding; bh=OEAZJruCPUEADJdXMAG4MhuPXfbBRn39fCUkwpqLyEs=; b=ph8oN0mH3gUkWFhCbp7S6VGyQowa/8KnsiY4Dkx0PR3BnD9Zi+e67xo/UrOJALrYRX sqKMMivmX0hQga15mHWGPeJPZtVFXC8xo3HyUlx3VGNm7pyPgTBojlZpxCDPopP8M6lA dZgXyS9JY3r31LnnfR9RygZlYO8/x5vlx3jrbR093Qb8TrGWOEXaRCQWR8erw8KZCwrH nuRY0b7kUg/hsuRa1XAUg7JemsuD/i6XX4Sf6sob3MYFJ9MHrxUptpQ97pKJZaWTv7zG McDwxtG3oOU6B1bYcujWHHvEKQif81gB0XwmQzh2m+19IIi08w8SyfNp7we+vwsR5Vdg WlYw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=x-gm-message-state:subject:to:references:from:message-id:date :user-agent:mime-version:in-reply-to:content-language :content-transfer-encoding; bh=OEAZJruCPUEADJdXMAG4MhuPXfbBRn39fCUkwpqLyEs=; b=z+A8babTr8Kt4DzrN8u+n52lYNe8IvBagXI3dZVKwgKG5FQWeP8533dro4c+0TwVil XZQ0tMWzYaWOQlsG9qA5UwEerbRQMfJHrC4iFQzPZCR8Nb5vZs58Qyc8tCchYv4B+t4F L1syXoAqn/c93oth+MRc0OTvcrZuryfJMMffvvf7tV6dV5mZGdC3eCCTg5bGdvjIveUL 7KZyQYyy0oPMvyBSfKCdcujXmutTK7iOvaZw+RhuZ6vFR5Gh9vkA7A3j6DO7zBGKBroI NMSmsuhC5Cd5x+M+n6d7B54GAhKBP2ZKXPn/CuRXoZLTvg8GSSu0pdNHSI6yiqf4Vhai oZ7g==
X-Gm-Message-State: AOAM531CNhkBEPlZDVmq050e4FW0OAzmoaHYWHR18tXdjfDkBg9LljME UafaSnX+k11ZhJ+Yl4f6kNii7lQ1wcxmzA==
X-Google-Smtp-Source: ABdhPJzb20Iejug4Zd1+hDZ3xnMaWfffqabypCvCG9AS/uUstBTJWIFF36gteV7mdvrKLYwji/uzlQ==
X-Received: by 2002:a17:90a:d584:b0:1bc:e520:91f2 with SMTP id v4-20020a17090ad58400b001bce52091f2mr1385951pju.192.1651529145676; Mon, 02 May 2022 15:05:45 -0700 (PDT)
Received: from ?IPv6:2406:e003:1005:b501:80b2:5c79:2266:e431? ([2406:e003:1005:b501:80b2:5c79:2266:e431]) by smtp.gmail.com with ESMTPSA id s4-20020a62e704000000b0050dc762816csm5155075pfh.70.2022.05.02.15.05.43 (version=TLS1_3 cipher=TLS_AES_128_GCM_SHA256 bits=128/128); Mon, 02 May 2022 15:05:44 -0700 (PDT)
To: Michael Richardson <mcr+ietf@sandelman.ca>, Toerless Eckert <tte@cs.fau.de>, anima@ietf.org
References: <YlWUA7xhMU2XtJsz@faui48e.informatik.uni-erlangen.de> <388791.1649870361@dooku> <Ymc57cpieDGAcn1X@faui48e.informatik.uni-erlangen.de> <8866.1651512153@localhost>
From: Brian E Carpenter <brian.e.carpenter@gmail.com>
Message-ID: <823eaecd-ca8d-356a-6637-c12d9b6cdee4@gmail.com>
Date: Tue, 03 May 2022 10:05:40 +1200
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:78.0) Gecko/20100101 Thunderbird/78.10.0
MIME-Version: 1.0
In-Reply-To: <8866.1651512153@localhost>
Content-Type: text/plain; charset="utf-8"; format="flowed"
Content-Language: en-US
Content-Transfer-Encoding: quoted-printable
Archived-At: <https://mailarchive.ietf.org/arch/msg/anima/LdMPU0lcGbgO3g2Ig2dyBBGNAl8>
Subject: Re: [Anima] Discovery of proxy/registrar insufficient (GRASP and more).
X-BeenThere: anima@ietf.org
X-Mailman-Version: 2.1.34
Precedence: list
List-Id: Autonomic Networking Integrated Model and Approach <anima.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/anima>, <mailto:anima-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/anima/>
List-Post: <mailto:anima@ietf.org>
List-Help: <mailto:anima-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/anima>, <mailto:anima-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 02 May 2022 22:05:52 -0000

On 03-May-22 05:22, Michael Richardson wrote:
> 
> Toerless Eckert <tte@cs.fau.de> wrote:
>      > (1)
> 
>      >> Yes, you are right, we need to have a new objective to announce.
>      >> I guess that we don't really think about the constrained-join-proxy really
>      >> being used in an ACP context, but we really should that right.
> 
>      > I don't think this is true. As soon as EST-COAPS proliferates as 
an RFC,
>      > the choice of TLS vs. COAPS becomes not only a necessity for constrained
>      > devices, but also a preference choice by solution designers. Less code
>      > modules etc.
> 
> We may be using different terminology, and being in violent agreement.
> 
> I am saying that the existing GRASP M_FLOOD specified in RFC8995,
> 
> RFC8995 4.1.1 says:
> 
>     flood-message = [M_FLOOD, session-id, initiator, ttl,
>                      +[objective, (locator-option / [])]]
> 
>     objective = ["AN_Proxy", objective-flags, loop-count,
>                                            objective-value]
> 
> ...
>     locator-option    = [ O_IPv6_LOCATOR, ipv6-address,
>                         transport-proto, port-number ]
>     ipv6-address      = the v6 LL of the Proxy
>     $transport-proto /= IPPROTO_TCP   ; note that this can be any value
>                                      ; from the IANA protocol registry,
>                                      ; as per RFC 8990, Section 2.9.5.1,
>                                      ; Note 3.
> 
> and I'm saying that we'd have:
>     $transport-proto /= IPPROTO_UDP  ; ...

Or you could invent a new value outside the IANA range to indicate CoAPS,
as the second sentence in Note 3 suggests:
https://www.rfc-editor.org/rfc/rfc8990.html#section-2.9.5.1-6


> to indicate to use CoAPS (UDP/DTLS).  That's in the latest draft in section
> 6.1.2 (for AN_Registrar) and 6.2.2 (AN_Proxy).  But section 6.2/6.3 is wrong, and
> I'm fixing it at:
> 
>     https://github.com/anima-wg/constrained-join-proxy/pull/20
> 
> Brian, in RFC8995, we leave "objective-value" empty, while this document
> wants to set it to "BRSKI_JP", and I don't think that does anything useful.

That's a design choice you're free to make, of course.

    Brian

> 
>      > (2)
> 
>      > Separate question: Do we have a good understanding which solution
>      > that needs the constrained proxy will use which discovery mechanism ?
> 
>      > I am asking because if/where there are gaps in supported discovery mechanisms,
>      > we might be able to suggest GRASP without ACP. Which would be somewhat of another
>      > draft..
> 
> GRASP DULL is easy.
> In some sense, for IoT networks, there is *only* the ACP :-)
> 
>      >> We decided that Registrars will be responsible for interoperation, and will
>      >> support all protocols the operator expects to use.   If you buy 
a Registrar
>      >> that does not do X and a pledge that only does X, then it fails, and you were
>      >> stupid.
> 
>      > (4)
> 
>      > In the first place this needs to be written down.
> 
>      > But i'd rather like to argue it away because i think it is an unnecessary
>      > constraining "hack".
> 
>      > Why have all this discovery mechanisms when they are not even used correctly.
>      > Underspecifying the exact service(s) a Registrar offers is like announcing
>      > "Oh, go to google for the WHATEVER services".
> 
> No, that's not at all what we said.
> 
>      > I don't see that implementations would get more complex, but rather
>      > simpler if we simply are able to distinguish the different protocol options
>      > by their service name/parameters and have proxies/clients be able to select
>      > them.
> 
> I think that we did exactly this.
> 
>      >> You aren't wrong, but you also aren't right.
>      >> Pledges are expected to try all options (possibly concurrently if they have
>      >> CPU/ram) until they find one that works.    There is no reason the join proxy
>      >> needs to know the details of the Registrar supports, only that they support a
>      >> way to talk to it.
> 
>      > (5)
> 
>      > That "trial&error" too should be described if its here to stay. Even if just
>      > through a reference to an appropriate section in 8995 (if its in 
there, not sure).
> 
> I don't think that we need to have a document that says read 8995 in a dozen places.
> 
>      > How about cert renewal, did you folks discuss if this would ever 
be something
>      > pledges would want to do through the proxy ? In the case of ACP we did
> 
> Nope, never. Just like in BRSKI.
> 
>      >> > I wonder if the names choosen for est-coaps discovery, brski.jp and
>      >> > brski.rjp are ideal indicative of the fact that we're rather defining
>      >> > brski-est-coaps.jp and brski-est-coaps.rjp. I guess beauty/explicitness
>      >>
>      >> Fair point.
> 
>      > (7)
> 
>      > I guess a compromise for (4) would be new text that leaves the decision for
>      > how to deal with the next enrollment protocol/encoding to such a 
followu draft:
> 
>      > IF implementers of a new variant feel that all existing/deployed 
registrars
>      > will and should be able to support the new protocol variant (e.g.: brski-xmp-xyz),
>      > then that protocol option does not need to come up with a new
>      > variation.
> 
> You can bikeshed the names. I don't really care.
> 
>      >> Because, we defined the proxy to have a standard interface.
> 
>      > What does that mean ? Do all proxies need to support both modes, 
or
>      > is there only the requirement for one mode, but some undefined entity has to
>      > figue out what registrar/proxies in some network should decide to use ?
> 
> What does "what does that mean"?  I wrote an explanation, that I don't think
> you read.
> 
> The "standard" interface from a join proxy to the pledge (if it's DTLS) 
is to
> use CoAP over DTLS, on the port given.  The details of how it gets back 
to
> the Registrar is irrelevant to the pledge.
> (If it's TLS, then it's RFC8995.
> (If it's OSCORE/EDHOC, then it's TBD)
> 
>      >> (Except for CoAP/OSCORE vs CoAPS above)
> 
>      > OSCORE = ?
> 
> OSCORE. RFC8613.
> 
> --
> Michael Richardson <mcr+IETF@sandelman.ca>   . o O ( IPv6 IøT consulting )
>             Sandelman Software Works Inc, Ottawa and Worldwide
> 
> 
> _______________________________________________
> Anima mailing list
> Anima@ietf.org
> https://www.ietf.org/mailman/listinfo/anima
>

v2.23.0 | Report a Bug | By Email