Re: [Anima] two EST question/suggestions
"Max Pritikin (pritikin)" <pritikin@cisco.com> Tue, 19 September 2017 20:34 UTC
Return-Path: <pritikin@cisco.com>
X-Original-To: anima@ietfa.amsl.com
Delivered-To: anima@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 2C7E6134390 for <anima@ietfa.amsl.com>; Tue, 19 Sep 2017 13:34:19 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -14.52
X-Spam-Level:
X-Spam-Status: No, score=-14.52 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_HI=-5, RCVD_IN_MSPIKE_H3=-0.01, RCVD_IN_MSPIKE_WL=-0.01, SPF_PASS=-0.001, URIBL_BLOCKED=0.001, USER_IN_DEF_DKIM_WL=-7.5] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=cisco.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ZoPJGpfC2hhy for <anima@ietfa.amsl.com>; Tue, 19 Sep 2017 13:34:17 -0700 (PDT)
Received: from rcdn-iport-9.cisco.com (rcdn-iport-9.cisco.com [173.37.86.80]) (using TLSv1.2 with cipher DHE-RSA-SEED-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 3B5EC1329B5 for <anima@ietf.org>; Tue, 19 Sep 2017 13:34:17 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cisco.com; i=@cisco.com; l=5198; q=dns/txt; s=iport; t=1505853257; x=1507062857; h=from:to:cc:subject:date:message-id:references: in-reply-to:content-id:content-transfer-encoding: mime-version; bh=CJwpHRAKIY8S1+xHHre2r1pIYT2KTSBPEOuMpTKYREE=; b=PGbU+/irwEGvpr7TAJJVzlWEXFHYT0yDXXpgFCKxUHIGYNxpzz5k0dBJ /2B2VCf7X3n5NZhDANoVnHpxoNL5DyTJbSkX5be6StpTfWGBBwQltSaFx ew6xwqTlNBuq9+rr78qVaOaY+tK3w3qrN12p8awOnfVJKP2Qz1xvn5KYc g=;
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: A0CfAACjfsFZ/5hdJa1bGQEBAQEBAQEBAQEBBwEBAQEBgy0tZG4nB4NuiiCPdoF0eYdDjWmCEgoYC4FegzoCGoRBPxgBAgEBAQEBAQFrKIUYAQEBAQIBAQEMFRExCQsFCwIBCBgCAiYCAgIfBgsVEAIEDgUbigADDQgQqHKCJ4czDYNfAQEBAQEBAQEBAQEBAQEBAQEBAQEBGAWBDoIdgQt3gzUrgkg1glmCDBYXgnwvgjEFoFA8Ao9dhHeSeoxciC4CERkBgTgBHziBDXcVSRIBhwl2AYdqgQ8BAQE
X-IronPort-AV: E=Sophos;i="5.42,418,1500940800"; d="scan'208";a="295296589"
Received: from rcdn-core-1.cisco.com ([173.37.93.152]) by rcdn-iport-9.cisco.com with ESMTP/TLS/DHE-RSA-AES256-GCM-SHA384; 19 Sep 2017 20:34:16 +0000
Received: from XCH-ALN-011.cisco.com (xch-aln-011.cisco.com [173.36.7.21]) by rcdn-core-1.cisco.com (8.14.5/8.14.5) with ESMTP id v8JKYGw2007453 (version=TLSv1/SSLv3 cipher=AES256-SHA bits=256 verify=FAIL); Tue, 19 Sep 2017 20:34:16 GMT
Received: from xch-aln-013.cisco.com (173.36.7.23) by XCH-ALN-011.cisco.com (173.36.7.21) with Microsoft SMTP Server (TLS) id 15.0.1263.5; Tue, 19 Sep 2017 15:34:15 -0500
Received: from xch-aln-013.cisco.com ([173.36.7.23]) by XCH-ALN-013.cisco.com ([173.36.7.23]) with mapi id 15.00.1263.000; Tue, 19 Sep 2017 15:34:15 -0500
From: "Max Pritikin (pritikin)" <pritikin@cisco.com>
To: Brian E Carpenter <brian.e.carpenter@gmail.com>
CC: Michael Richardson <mcr+ietf@sandelman.ca>, "anima@ietf.org" <anima@ietf.org>
Thread-Topic: [Anima] two EST question/suggestions
Thread-Index: AQHTIQXdDQD3LWJmSEK5TOw40YgcLaKr+4eAgAW+jQCAAFwsgIAADV2AgAAaKgCAABnXgIABU7OAgAlz3oA=
Date: Tue, 19 Sep 2017 20:34:15 +0000
Message-ID: <4C500E2F-FDBB-484B-898B-F90B64D3C69C@cisco.com>
References: <961.1504038708@obiwan.sandelman.ca> <BAA96F8A-C61E-4DE1-9837-7964A0E8B4A2@cisco.com> <2a1cf1e7-f668-cf76-d471-78585d7ad7ba@cisco.com> <8b165f89-3be1-c814-5a88-bf62f708972f@gmail.com> <27231.1505249495@obiwan.sandelman.ca> <ce8e9ee0-6695-b113-94b9-bb56142c537d@gmail.com> <6079.1505260663@obiwan.sandelman.ca> <5c00237e-98fa-9764-d816-919307bdd994@gmail.com>
In-Reply-To: <5c00237e-98fa-9764-d816-919307bdd994@gmail.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-ms-exchange-messagesentrepresentingtype: 1
x-ms-exchange-transport-fromentityheader: Hosted
x-originating-ip: [10.99.106.4]
Content-Type: text/plain; charset="utf-8"
Content-ID: <58CA52FDB32E72428CDE41E6D11D0529@emea.cisco.com>
Content-Transfer-Encoding: base64
MIME-Version: 1.0
Archived-At: <https://mailarchive.ietf.org/arch/msg/anima/OYyN4WXqLXcT_lyZVdcbeaD_fxY>
Subject: Re: [Anima] two EST question/suggestions
X-BeenThere: anima@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Autonomic Networking Integrated Model and Approach <anima.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/anima>, <mailto:anima-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/anima/>
List-Post: <mailto:anima@ietf.org>
List-Help: <mailto:anima-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/anima>, <mailto:anima-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 19 Sep 2017 20:34:19 -0000
Any protocol work needs balance future proofing (anticipating changes in the MTI) against clear and definitive statements to meet the current requirements. If there are places where the current language falls down commenting on that specific language would help. Re the HTTP/2 discussion: HTTP/2 is requested by the client via one of the RFC7540 section3 methods. There is nothing in the MTI BRSKI language that would block attempts to so upgrade by clients. The server could of course support this if it so desired. I don’t see an advantage to HTTP/2 for BRSKI and EST interactions. I guess a server could finish authentication of the client and immediately initiate a server push of the csrattributes, voucher response (if available), and other messages. This would save some round trips but in the primary flows the client needs to perform a crypto operation that is used or verified by the server before a response is generated. So the basic state machine, I think, would continue to flow as currently specified. I agree with the conclusion below that "TTP 1.1 with persistent connections is the minimum (not the maximum)” and that we don’t have anything else to say here. - max > On Sep 13, 2017, at 2:13 PM, Brian E Carpenter <brian.e.carpenter@gmail.com> wrote: > > On 13/09/2017 11:57, Michael Richardson wrote: >> >> Brian E Carpenter <brian.e.carpenter@gmail.com> wrote: >>>> We are running over HTTP 1.1, we have to assume that. >>>> The issue is that both client and server libraries will grow HTTP 2, and we >>>> need to know if this is a problem. >>>> >>>>> It seems to me that we want to minimise the requirements for low end pledge >>>>> devices, and every item that we make mandatory works against that. >>>> >>>> BRSKI does not target constrained devices; in the future having only an HTTP >>>> 2 library (because the application is using that) might be simplest. Is it >>>> going to work okay? >> >>> I don't see why not. But isn't there potentially a class of devices that >>> while not being 'constrained' in the formal sense, nevertheless needs to >>> minimise its software footprint? So the implementer will want to choose >>> the solution with the smallest footprint, rather than whatever MTI we >>> happen to define in 2017. >> >> Yes, I agree with you. >> >> That's why I would like us to permit pledges to support a single client HTTP >> library. They will use whatever HTTP client library that they need for their >> primary application... so if it's a webrtc nanny camera, then it might well >> be HTTP2 + QUIC. >> >> The problem with HTTP2 is that it permits requests and responses to be >> interleaved and not-sequential in the TCP sense. This potentially has a poor >> interaction with the BRSKI state machine. We ought to say something about >> this *today*. >> >>> Of course we can always change the MTI later, but if we say right now that >>> the MTI only applies to the server side, adding new solutions for future >>> types of pledge becomes more straightforward. As far as I can see, this >>> would have zero impact on first-generation implementations; initially >>> both servers and clients will support the MTI anyway. >> >> My take is that the server has to support every single MTI that we have every >> supported. That's okay. But, HTTP 1.1 with persistent connections is the >> minimum (not the maximum). > > Fair enough. I just want to be sure that when someone comes up with > a brilliant new method with a tiny footprint, pledges are free to adopt > it despite any MUSTs we write down in 2017. > > Brian > > _______________________________________________ > Anima mailing list > Anima@ietf.org > https://www.ietf.org/mailman/listinfo/anima
- [Anima] two EST question/suggestions Michael Richardson
- Re: [Anima] two EST question/suggestions Max Pritikin (pritikin)
- Re: [Anima] two EST question/suggestions Eliot Lear
- Re: [Anima] two EST question/suggestions Brian E Carpenter
- Re: [Anima] two EST question/suggestions Eliot Lear
- Re: [Anima] two EST question/suggestions Michael Richardson
- Re: [Anima] two EST question/suggestions Brian E Carpenter
- Re: [Anima] two EST question/suggestions Michael Richardson
- Re: [Anima] two EST question/suggestions Brian E Carpenter
- Re: [Anima] two EST question/suggestions Max Pritikin (pritikin)
- Re: [Anima] two EST question/suggestions Michael Richardson
- Re: [Anima] two EST question/suggestions Brian E Carpenter