Re: [Anima] review of grasp-08
Brian E Carpenter <brian.e.carpenter@gmail.com> Mon, 28 November 2016 22:53 UTC
Return-Path: <brian.e.carpenter@gmail.com>
X-Original-To: anima@ietfa.amsl.com
Delivered-To: anima@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E6D4612A07A for <anima@ietfa.amsl.com>; Mon, 28 Nov 2016 14:53:30 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2
X-Spam-Level:
X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Chhb3CyJJcXu for <anima@ietfa.amsl.com>; Mon, 28 Nov 2016 14:53:29 -0800 (PST)
Received: from mail-pg0-x22b.google.com (mail-pg0-x22b.google.com [IPv6:2607:f8b0:400e:c05::22b]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 3803B12A0FC for <anima@ietf.org>; Mon, 28 Nov 2016 14:50:54 -0800 (PST)
Received: by mail-pg0-x22b.google.com with SMTP id 3so61662991pgd.0 for <anima@ietf.org>; Mon, 28 Nov 2016 14:50:54 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=from:subject:to:references:organization:message-id:date:user-agent :mime-version:in-reply-to:content-transfer-encoding; bh=Z2w3rrG29EmprLhfT/L2YYR/28SNsVxKEq0MPZuMCys=; b=df9UFVJ1n2hYwQQskwj2UsH5I/QXnbZLBjHvQXKXo6rZJ5cesH+7Krj/9w9TCxduVX xi/MsCVhXm7Ax8ZUhBTGFyKKCPGrpKJ6swaeUxlEmM37MAFnHU7C+34v6PzvpRmiBVch Ilz1l7OAzw+onRdoDRsUoou9C52uguZfO43g0hGASJSPFtqtgchUGfDujdQyByf5dHEz 1vZm7tRg6RjoTx7pe7NFE4kFkEjowXEG8m20FUCNYsiol17dfXBkTCf6YOmoxBB7hh6j Uv12ipU5Z/igH7YKGaG3TGNxS3PBZkjk+TNhD7Svo2hVox4QqTEW5o1LZuwCVBDUpaXa 6zEQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:from:subject:to:references:organization :message-id:date:user-agent:mime-version:in-reply-to :content-transfer-encoding; bh=Z2w3rrG29EmprLhfT/L2YYR/28SNsVxKEq0MPZuMCys=; b=BKS9FP38bRe9fl6olZ7t7uSwvgBs15CtthsrX/Afs92VcVSBPW0hzwvtBAKP9KtNxj t0WHLA9EANsjV18Q8BsV04TC3yFwrxuuRp9j/t12VhAqHadNH8d/RIPcGmMxfsqCLKZX xOUn10GHGx3X42zKtR+XAmAzpbZNbrD/l8R0SAj6nw3U0DNpF3SKk/k11z6LFfoyFO3p CIvfH10pYK5rODHkAe7wNGnIQWxZWUq82akcmiMbwJO1lIUZ4FeiB3bW4L7AQZn8jttM 1h3IyJdae8l9UqIafbsd3iGiaZybyThr10GtJXBVYdHr2KbWX+eD/IpWFXRw8AY65sYL clYg==
X-Gm-Message-State: AKaTC01Ht7rQy5QwuwDV1LSmvMR8uqY34cQIp1YQNkTLPBoFXLFx6hoEUBKohQ691o2IlQ==
X-Received: by 10.99.114.2 with SMTP id n2mr44118003pgc.130.1480373453393; Mon, 28 Nov 2016 14:50:53 -0800 (PST)
Received: from ?IPv6:2001:df0:0:2006:c0da:ac17:5f6d:8e76? ([2001:df0:0:2006:c0da:ac17:5f6d:8e76]) by smtp.gmail.com with ESMTPSA id q14sm89612168pfa.40.2016.11.28.14.50.51 (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Mon, 28 Nov 2016 14:50:52 -0800 (PST)
From: Brian E Carpenter <brian.e.carpenter@gmail.com>
To: Michael Richardson <mcr+ietf@sandelman.ca>, anima@ietf.org
References: <4565.1479941260@obiwan.sandelman.ca>
Organization: University of Auckland
Message-ID: <715763aa-678a-d6cc-6f59-3cfa6f5aad49@gmail.com>
Date: Tue, 29 Nov 2016 11:50:52 +1300
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:45.0) Gecko/20100101 Thunderbird/45.5.0
MIME-Version: 1.0
In-Reply-To: <4565.1479941260@obiwan.sandelman.ca>
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 7bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/anima/O9wPWHcO6t3zJHpErc_Vvxhj5gY>
Subject: Re: [Anima] review of grasp-08
X-BeenThere: anima@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: Autonomic Networking Integrated Model and Approach <anima.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/anima>, <mailto:anima-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/anima/>
List-Post: <mailto:anima@ietf.org>
List-Help: <mailto:anima-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/anima>, <mailto:anima-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 28 Nov 2016 22:53:31 -0000
Replying on some details in Michael's review. Points that are omitted here are either obvious and will be fixed in the next version, or are already the subject of other threads: On 24/11/2016 11:47, Michael Richardson wrote: ... > 2.1 [Requirements for Discovery] --- does this belong in GRASP, vs reference model document? > Would like MB and Toerless to confirm that it is consistent in wording > with reference model document! It's lot more detailed than the reference model, and IMHO it is needed here to provide context for the actual design. As far as consistency goes, Bing and I are co-authors of the reference model so I guess it's our job to check. As far as I know there is no inconsistency. >> D8. The discovery process must not generate excessive traffic and >> must take account of sleeping nodes in the case of a constrained-node >> network [RFC7228]. > > I think this actually out of charter, and furthermore, GRASP doesn't do a > very good job of taking this into account. I think it should be striked out. Agreed for the 'constrained node' part. I think that traffic volume and sleeping nodes always apply. ... > section 3.3 was good to write down, but seems like it is too much like a discussion. We can try to tighten up the language. It seems like useful material, though/ > I would like the bullets as subsections, as they are really modes of > operation! Hmm. Other opinions? That would make a *lot* of small subsections. ... > I appreciate 3.5.1 trying to establish some security via (D)TLS, but it > simply doesn't say enough to result in interoperability. (for instance, > should certificates be validated? If so, what should be in the CN? Do we need > PFS? When do we rekey? Are client-side certificates important? Is there a > link between IP addresses and something in the CN?) > > I'd prefer that all the mention of TLS be removed to another document that > would specify it more completely, a document titled something like: > "Using GRASP between service providers" > or: "Securing GRASP using TLS" > or: "CoAP/DTLS mode for GRASP" > > > I'd like 3.5.2 point (1) be numbered 3.5.2.1 so it can be better referenced, > and I'd like it say something like: > > 3.5.2.1 Inter-domain GRASP Instance > As mentioned in Section 3.3, some GRASP operations might be performed > across an administrative domain boundary by mutual agreement. > Such operations MUST be confined to a separate instance of GRASP with its > own copy of all GRASP data structures. Details of this mode are the > subject of a future document that would clearly detail the security > limitations of such an instance. Hmm. I have a counter-proposal. I'm reluctant to drop all mention of TLS from the draft, because otherwise, who knows what people might do - so how about this (with other mentions of TLS removed): 3.5.2.1. No ACP As mentioned in Section 3.3, some GRASP operations might be performed across an administrative domain boundary by mutual agreement, without the benefit of an ACP. Such operations MUST be confined to a separate instance of GRASP with its own copy of all GRASP data structures. Messages MUST be authenticated and SHOULD be encrypted. TLS [RFC5246] and DTLS [RFC6347] based on a Public Key Infrastructure (PKI) [RFC5280] are RECOMMENDED for this purpose. Further details are out of scope for this document. > 3.5.2.2 Bootstrap and ACP GRASP Instance (DULL) > > This instance is nicknamed DULL - Discovery Unsolicited Link Local. > > The bootstrap process uses only M_FLOOD messages to announce the location > of the bootstrap proxy. This message is used only on-link using > link-local multicast, on the underlying (insecure) media. > > Full ANIMA nodes that act are willing to act as bootstrap proxies will > include a flag indicating this into this message. Full ANIMA nodes > looking for ACP peers will also indicate that in the message. > > Full ANIMA nodes MAY listen for M_FLOOD messages on insecure interfaces. > Other messages MUST be discarded. M_FLOOD messages which are improperly > formatted such as: > > o having a loop count > 1 > o having a GRASP message type != M_FLOOD > o having a non-link-local source address > > MUST be discarded. It is acceptable for the M_FLOOD to be to the > ALL_GRASP_NEIGHBOR multicast address, or to be unicast to the host in > question. > > ANIMA nodes in bootstrap mode listen on the ALL_GRASP_NEIGHBOR multicast > address, and listen according to the same rules above, but examine the > BOOTSTRAP_PROXY attribute only. > > Details of DULL are included in: [I-D.ietf-anima-autonomic-control-plane] I'm confused. I don't think we want any specifics about bootrap or ACP formation in this draft. What we need here is the rules of the game for the GRASP implementer, and I think the existing formulation (with the updates already suggested by Toerless) is more appropriate. How DULL is *used* belongs in the ACP draft, of course. Specifically, I don't think we should exclude discovery messages. I don't think it's wise to *use* them, but that choice belongs in the BRSKI and ACP drafts. And we definitely should not say anything about specific objectives in the GRASP draft - it needs to be completely agnostic about that. > > I want to suggest that point (3), about ACP formation be dropped, as it is > included in part 2. Well, that's an argument you need to have with Toerless. There are two key differences between DULL and SONN: 1. SONN says "with unicast messages secured by TLS" (and don't ask me where the PKI comes from, I only work here). 2. SONN says: Any type of GRASP message MAY be sent. ... > In section 3.5.4.1, can we write: > > The discovery (M_DISCOVERY) action will normally be followed by a > negotiation (M_REQ_NEG) or > synchronization (M_REQ_SYN) action. The discovery results could be utilized by > the negotiation protocol to decide which ASA the initiator will > negotiate with. > > 3.5.4.2: > > A complete discovery process will start with a multicast (of M_DISCOVERY) > on the local > link. On-link neighbors supporting the discovery objective will > respond directly (with M_DISCOVERY). A neighbor with multiple interfaces > SHOULD respond with a cached discovery response if it was learnt from > another interface. Question to the WG - do you like that idea (inserting the message mnemonics at various points)? It seems natural enough to me, because of course I use them in my code, but is it the right thing to do in an RFC? > > ADD: > A neighbor SHOULD NOT respond with a cached response on an interface > if it learnt that information from the same interface. That's a subtle point. If it does so, it will very likely generate redundant traffic. But if it doesn't do so, there might be cases of discovery failure. (Also, this is the wrong thing to say on an NBMA network, I think.) I propose to change it as Michael suggests, but I have a slight doubt. The SHOULD NOT leaves us some wiggle room. Thanks again for a very thorough review! Brian
- [Anima] review of grasp-08 Michael Richardson
- Re: [Anima] review of grasp-08 Brian E Carpenter
- Re: [Anima] review of grasp-08 Michael Richardson
- Re: [Anima] review of grasp-08 Brian E Carpenter
- Re: [Anima] review of grasp-08 Michael Richardson
- Re: [Anima] review of grasp-08 Brian E Carpenter
- Re: [Anima] review of grasp-08 Michael Richardson
- [Anima] Discovered link-local addresses [was revi… Brian E Carpenter
- [Anima] example for M_FLOOD? [was review of grasp… Brian E Carpenter
- Re: [Anima] review of grasp-08 Brian E Carpenter