Re: [Anima] CoAP et al

Toerless Eckert <eckert@cisco.com> Tue, 16 August 2016 05:43 UTC

Date: Mon, 15 Aug 2016 22:43:01 -0700
From: Toerless Eckert <eckert@cisco.com>
To: Rafa Marin Lopez <rafa@um.es>
Message-ID: <20160816054301.GB4333@cisco.com>
References: <4108581b-d6b8-b284-eb26-d3c047372aae@cisco.com> <1156D983-9628-41BC-8180-66999CABE3F6@um.es>
In-Reply-To: <1156D983-9628-41BC-8180-66999CABE3F6@um.es>
Archived-At: <https://mailarchive.ietf.org/arch/msg/anima/Lpwpjpw7K77jHSo5JA2PRG0a3GA>
Cc: Dan Garcia <DanGarc@cisco.com>, anima@ietf.org, draft-ietf-anima-bootstrapping-keyinfra.all@tools.ietf.org, Eliot Lear <lear@cisco.com>
Subject: Re: [Anima] CoAP et al

Rafa,

I have not managed to figure out from your draft what exactly
you consider to be bootstrapping. It seems you primarily refer
to draft-ohba-core-eap-based-bootstrapping, which seems to be expired.

To quickly summarize what in anima we call bootstrap:

The ANIMA key bootstrap protocol primarily tries to get a credential
installed on a device. This is based on RFC7030 (eg: cert enrolment)
and adds all the functions we have identified as being necessary on top of this:

  1. Initial signaling so the client can trust the server from which
     it gets the credential - server can be from some owner of the
     device and it's producing a credential from the vendor of the
     device that makes the device trust the server.  As a result,
     for example, the client installs the server's CA cert into its
     cert trustpool list.
  
  2. Requesting parameters to be associated with the credential. These
     parameters are then usable by next steps. In Anima, these
     credentials are parameters to the client cert, and those are
     then used in building the ACP after bootstrap.

  3. Installing the credential - in ANIMA devices the AN Certificate.
  
     Note: We did discuss but have not decided on options where
     for example this step could be optional, eg: where in very low-end
     devices the vendor installed credential is sufficient, and no new credential is
     desired, but instead only 1., 2., 4., 5. are performed.
  
  4. Diagnostics so the server side will know if/how steps 1..3 were
     successful.
  
  5.  Next step to take by the device - eg: build ACP or for non
      ANIMA devices, maybe "here is your next provisioning connection
      to build". (we're just discussing this step).

So, I am not aware that existing EAP mechanisms offer any such bootstrap
functionality. I am not even aware they offer an equivalent of rfc7030 with
EAP.


On Sun, Aug 14, 2016 at 02:05:14PM +0200, Rafa Marin Lopez wrote:
> Dear all:
> 
> Related to the usage of CoAP for bootstrapping in constrained devices (using EAP and AAA infrastructures), we wrote this I-D:
> 
> https://tools.ietf.org/html/draft-marin-ace-wg-coap-eap-03
> 
> and wrote this paper that may be of interest to you:
> 
> http://www.mdpi.com/1424-8220/16/3/358
> 
> Comments are welcome.
> 
> Best Regards.
> 
> > On 3 Aug 2016, at 15:55, Eliot Lear <lear@cisco.com> wrote:
> > 
> > Dear authors of draft-ietf-anima-bootstrapping-keyinfra and WG,
> > 
> > The Fairhair alliance focuses on lighting and building automation.  Our
> > security team has been reviewing your draft, and we appreciate the
> > effort that you are devoting in this direction.  We would just like to
> > highlight at this juncture that there is a preference for device
> > communications from the autonomic device to the registrar to be via CoAP
> > over DTLS rather than HTTP over TLS, primarily because the devices that
> > we are working with will already have a CoAP implementation.  As such,
> > there is some interest in draft-pritikin-coap-bootstrap-03.txt.  We look
> > forward to seeing that work further developed.
> > 
> > On behalf of the Fairhair security subgroup,
> > 
> > Eliot
> > 
> > ps: as usual, I will encourage fairhair members to directly chime in
> > with their own views on this matter.
> > 
> > 
> > 
> > _______________________________________________
> > Anima mailing list
> > Anima@ietf.org
> > https://www.ietf.org/mailman/listinfo/anima
> 
> -------------------------------------------------------
> Rafael Marin Lopez, PhD
> Dept. Information and Communications Engineering (DIIC)
> Faculty of Computer Science-University of Murcia
> 30100 Murcia - Spain
> Telf: +34868888501 Fax: +34868884151 e-mail: rafa@um.es
> -------------------------------------------------------

-- 
---
Toerless Eckert, eckert@cisco.com
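As an added illustration of the five bootstrap steps listed in the message above (example code written for this page, not code from the ANIMA draft, from RFC 7030, or from any participant in the thread), the following Python toy models the flow end to end. HMAC tags over canonical JSON stand in for the X.509 vouchers and certificates a real BRSKI/EST deployment would use; `Device`, `Registrar`, `make_voucher`, `bootstrap` and every key and serial value are constructed for the example. The point it adds to the prose is where each step's check lives: a device refuses a registrar the vendor did not vouch for (step 1), refuses a certificate from an issuer outside its trustpool (step 3), and the registrar's "next step" (step 5) depends on the diagnostics it received (step 4).

```python
import hmac
import hashlib
import json
from dataclasses import dataclass, field
from typing import Optional

# Constructed stand-in key: in a real deployment this is the vendor's signing
# certificate whose trust anchor is burned into the device at manufacture.
VENDOR_KEY = b"toy-vendor-signing-key"


def tag(key: bytes, payload: dict) -> str:
    """Toy 'signature': HMAC-SHA256 over a canonical JSON encoding."""
    msg = json.dumps(payload, sort_keys=True).encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def valid(key: bytes, payload: dict, t: str) -> bool:
    return hmac.compare_digest(tag(key, payload), t)


@dataclass
class Registrar:
    """The owner's server: issues the AN certificate and collects diagnostics."""
    ca_id: str
    ca_key: bytes                      # toy CA key (stands in for the registrar CA cert)
    acp_domain: str
    reports: dict = field(default_factory=dict)

    def csr_attributes(self, serial: str) -> dict:
        # Step 2: parameters the device must put into its certificate request.
        return {"acp_domain": self.acp_domain, "rsub": f"rsub={serial}"}

    def enroll(self, csr: dict):
        # Step 3: issue the credential (toy equivalent of EST simpleenroll).
        cert = {"subject": csr["serial"], "issuer": self.ca_id, **csr["attrs"]}
        return cert, tag(self.ca_key, cert)

    def report(self, serial: str, status: dict) -> None:
        # Step 4: diagnostics from the device about steps 1..3.
        self.reports[serial] = status

    def next_step(self, serial: str) -> str:
        # Step 5: only a successfully enrolled device is told to build the ACP.
        ok = self.reports.get(serial, {}).get("result") == "ok"
        return "build-acp" if ok else "retry-bootstrap"


def make_voucher(serial: str, reg: Registrar):
    """What the vendor issues to the owner: binds one device to one registrar CA."""
    voucher = {"serial": serial, "registrar_ca": reg.ca_id,
               "pinned_ca_key": reg.ca_key.hex()}   # toy form of the pinned domain cert
    return voucher, tag(VENDOR_KEY, voucher)


@dataclass
class Device:
    serial: str
    vendor_key: bytes = VENDOR_KEY     # vendor trust anchor present from the factory
    trustpool: dict = field(default_factory=dict)   # ca_id -> verification key
    credential: Optional[dict] = None


def bootstrap(dev: Device, reg: Registrar, voucher: dict, voucher_tag: str):
    """Run steps 1..5; return (status the device reports, next step from the registrar)."""
    # Step 1: trust the registrar only on the strength of a vendor-signed voucher
    # that names this very device; then add the registrar CA to the trustpool.
    if not valid(dev.vendor_key, voucher, voucher_tag):
        status = {"step": 1, "result": "fail", "reason": "voucher not signed by my vendor"}
    elif voucher["serial"] != dev.serial:
        status = {"step": 1, "result": "fail", "reason": "voucher names another device"}
    else:
        dev.trustpool[voucher["registrar_ca"]] = bytes.fromhex(voucher["pinned_ca_key"])
        # Steps 2 and 3: fetch the parameters, request and verify the credential.
        attrs = reg.csr_attributes(dev.serial)
        cert, cert_tag = reg.enroll({"serial": dev.serial, "attrs": attrs})
        key = dev.trustpool.get(cert["issuer"])
        if key is None or not valid(key, cert, cert_tag) or cert["subject"] != dev.serial:
            status = {"step": 3, "result": "fail", "reason": "certificate not from a trusted CA"}
        else:
            dev.credential = cert
            status = {"step": 3, "result": "ok"}
    reg.report(dev.serial, status)             # step 4
    return status, reg.next_step(dev.serial)   # step 5


if __name__ == "__main__":
    owner = Registrar("owner-ca", b"toy-owner-ca-key", "acp.example")
    dev = Device("SN-1")
    v, t = make_voucher("SN-1", owner)
    print(bootstrap(dev, owner, v, t), dev.credential)
```

The failure paths are the instructive part: swap `VENDOR_KEY` for another key when tagging the voucher and step 1 fails before the device ever accepts a CA; hand the device a voucher for a different registrar and step 3 fails because the issuer is not in its trustpool. In both cases the registrar's diagnostics show the failing step and it answers "retry-bootstrap" rather than "build-acp".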