IETF Logo Mail Archive

Re: [Anima] Adjacency table

Michael Richardson <mcr+ietf@sandelman.ca> Wed, 04 November 2015 06:01 UTC

Return-Path: <mcr@sandelman.ca>
X-Original-To: anima@ietfa.amsl.com
Delivered-To: anima@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 1FF701ACDF5 for <anima@ietfa.amsl.com>; Tue, 3 Nov 2015 22:01:22 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 1.41
X-Spam-Level: *
X-Spam-Status: No, score=1.41 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HOST_MISMATCH_NET=0.311, J_CHICKENPOX_12=0.6, J_CHICKENPOX_16=0.6, J_CHICKENPOX_19=0.6, J_CHICKENPOX_27=0.6, J_CHICKENPOX_29=0.6, SPF_PASS=-0.001] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id xDVBma_QvNXe for <anima@ietfa.amsl.com>; Tue, 3 Nov 2015 22:01:21 -0800 (PST)
Received: from relay.sandelman.ca (relay.cooperix.net [IPv6:2a01:7e00::f03c:91ff:feae:de77]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id B4D5E1ACDF3 for <anima@ietf.org>; Tue, 3 Nov 2015 22:01:20 -0800 (PST)
Received: from sandelman.ca (y125066.ppp.asahi-net.or.jp [118.243.125.66]) by relay.sandelman.ca (Postfix) with ESMTPS id 168732208B; Wed, 4 Nov 2015 01:01:19 -0500 (EST)
Received: by sandelman.ca (Postfix, from userid 179) id 09CBE61E12; Wed, 4 Nov 2015 15:01:17 +0900 (JST)
From: Michael Richardson <mcr+ietf@sandelman.ca>
To: "anima@ietf.org" <anima@ietf.org>
In-reply-to: <368b49b722ab4ae5ad4fdfa2f016f73b@XCH-RCD-006.cisco.com>
References: <1245fe092b154549a46b9a4f4b1d0c7a@XCH-RTP-006.cisco.com> <5631813D.2030402@gmail.com> <4f5ca63f14214eb9b326f9d83f74a8f6@XCH-RCD-006.cisco.com> <5637B22B.4000701@gmail.com> <5178.1446544219@dooku.sandelman.ca> <368b49b722ab4ae5ad4fdfa2f016f73b@XCH-RCD-006.cisco.com>
Comments: In-reply-to "Michael Behringer (mbehring)" <mbehring@cisco.com> message dated "Tue, 03 Nov 2015 21:02:46 +0000."
X-Mailer: MH-E 8.6; nmh 1.6+dev; GNU Emacs 24.4.1
MIME-Version: 1.0
Content-Type: multipart/signed; boundary="=-=-="; micalg="pgp-sha1"; protocol="application/pgp-signature"
Date: Wed, 04 Nov 2015 15:01:17 +0900
Message-ID: <3967.1446616877@dooku.sandelman.ca>
Archived-At: <http://mailarchive.ietf.org/arch/msg/anima/MKB9ZH3zELGT6QKXA5mowwqXz1I>
Cc: "Michael Behringer (mbehring)" <mbehring@cisco.com>
Subject: Re: [Anima] Adjacency table
X-BeenThere: anima@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Autonomic Networking Integrated Model and Approach <anima.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/anima>, <mailto:anima-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/anima/>
List-Post: <mailto:anima@ietf.org>
List-Help: <mailto:anima-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/anima>, <mailto:anima-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 04 Nov 2015 06:01:22 -0000

First, I confused myself and mis-stated something, but fundamentally
what I said was accurate.  Let me clarify first:

1) every certificate issued by any CA is supposed to have a unique
   "Serial Number" attribute.

dooku-[~] mcr 10008 %openssl x509 -in /etc/postfix/ssl/dooku.crt -noout -text
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 121 (0x79)
...
    Signature Algorithm: sha1WithRSAEncryption
        Issuer: C=CA, ST=Ontario, L=Ottawa, O=Sandelman Software Works, OU=Debugging Department, CN=sandelman.ca/emailAddress=mcr@sandelman.ca
        [yes, I need to remove SHA1 from my SOHO CA]

2) The 802.1AR specification says vendors will use a SubjectAltName to
   indicate a vendor-specific serial number.
   802.1AR is rather silent about the form of that number, but in
     draft-richardson-6tisch-idevid-cert-01 now
     draft-richardson-anima-idevid-cert-00
   I suggested that it would be an integer like SerialNumber.


Michael Behringer (mbehring) <mbehring@cisco.com> wrote:
    >> > Probably not, but presumably the security bootstrap can deliver some
    >> > sort of answer to that? Anyway, if the answer is "unique string"
    >> > is what I wanted to know, thanks.

    >> Yes, the combination of <hash-of-vendor-CA-key, serialNumber> will be
    >> unique before bootstrap.

    > Are you suggesting to use that as a device-ID?  Strictly speaking <hash
    > of vendor CA-key> isn't guaranteed to be unique either...

I never said <hash-of-vendor-CA-key> was unique.
I said that the pair <hash-of-vendor-CA-key, SerialNumber> was unique by
construction (yes, bad things can happen, but that's against the spec).
I was vague as to whether this was the SerialNumber in the certificate,
of the device-serialnumber in the SubjectAltName.  Let me clarify that it's
the latter.

    >> After bootstrap, we will have <domain-CA,
    >> domain-specific-serialNumber> in a certificate that would be installed
    >> in each device.

    > I'd prefer to use the same device ID all the time, before and after
    > bootstrap. Why change? It's just a string to identify the device...

Well, because vendorA can issue SN: 000011
and vendorB can issue SN: 00011, and we can't expect them to coordinate.
The enrollment part of the bootstrap process will provide the node with a new
(locally significant) certificate, and can provide it with whatever stable
deviceID you like.  Unless you have a model where unenrolled nodes form
prospective ACPs [that idea of mine was withdrawn after discussion], then no
nodes communicate with each other in a secure way until after they are
enrolled. 

    >> If you are really lazy, you can just use the entire certificate bytes
    >> [on the order of 1Kbytes], but technically, a device might have many
    >> of those over it's lifetime.

    > Right.

    >> The serialNumber is mandated to be unique by pkix/x509.

    > Are you saying that the serial numbers in products ARE unique?

Yes.  The <vendor,serial-number> pair is unique from the factory.

-- 
]               Never tell me the odds!                 | ipv6 mesh networks [ 
]   Michael Richardson, Sandelman Software Works        | network architect  [ 
]     mcr@sandelman.ca  http://www.sandelman.ca/        |   ruby on rails    [

v2.23.0 | Report a Bug | By Email