Re: [Anima] brski-discovery vs constrained BRSKI (was: Re: I-D Action: draft-ietf-anima-constrained-join-proxy-15.txt)

Brian E Carpenter <brian.e.carpenter@gmail.com> Tue, 21 November 2023 19:57 UTC

Message-ID: <b45f3cb5-0813-1697-6260-b48e77e425c9@gmail.com>
Date: Wed, 22 Nov 2023 08:57:41 +1300
To: Toerless Eckert <tte@cs.fau.de>, Esko Dijk <esko.dijk@iotconsultancy.nl>
Cc: Michael Richardson <mcr+ietf@sandelman.ca>, "anima@ietf.org" <anima@ietf.org>
References: <169927900610.48296.8352405496672443803@ietfa.amsl.com> <3528359.1699280649@dyas> <DU0P190MB1978A1B7481FE707DAB7E507FDBBA@DU0P190MB1978.EURP190.PROD.OUTLOOK.COM> <ZVzJYPPRunw5gCAu@faui48e.informatik.uni-erlangen.de>
From: Brian E Carpenter <brian.e.carpenter@gmail.com>
In-Reply-To: <ZVzJYPPRunw5gCAu@faui48e.informatik.uni-erlangen.de>
Archived-At: <https://mailarchive.ietf.org/arch/msg/anima/SE2cu2AIvhH6TbaUUECThzurelI>

Front posting for simplicity:

constrained-join-proxy says:

> 5.2.2. GRASP discovery
> 
> This section is normative for uses with an ANIMA ACP.

So really, is there a natural scenario where constrained-join-proxy is used in a region of the network where an ANIMA ACP is established? And on balance, I have to extend the question to constrained-voucher. Certainly, GRASP was not designed for constrained nodes. There is no logic in using GRASP discovery for its own sake.

To me, the conclusion is fairly obvious. Possibly the GRASP work done in both drafts should be combined into a new draft, if you can describe a scenario where constrained nodes participate in a full ANIMA ACP.

Regards
    Brian Carpenter

On 22-Nov-23 04:14, Toerless Eckert wrote:
> Thanks Esko,
> 
> inline
> 
> On Tue, Nov 21, 2023 at 01:12:45PM +0000, Esko Dijk wrote:
>> A first comment / question here: in IETF 118, it was proposed to focus the discovery methods for Constrained BRSKI (draft-ietf-anima-constrained-voucher) only on a single mechanism and leave further alternatives to future work (like GRASP and mDNS).
>>
>> We didn't specifically discuss this aspect for the Constrained Join Proxy draft - do we need to do the same thing here and so take out the GRASP discovery text?
>> Or are we sufficiently confident the GRASP definition is okay and valuable to have already now included in a draft? In that case we may leave it in.
>>
>> Esko
> 
> Check the GRASP text in both drafts, I think the text in constrained-join-proxy is more
> harmful to move forward than the one in constrained-voucher. So I would definitely
> like to see it removed, or I would want to raise concerns about it (which I think we
> don't need to spend time on to get the constrained docs out the door):
> 
> draft-ietf-anima-constrained-voucher proposes:
>    discover (stateful) registrar by proxy:  AN_join_registrar/BRSKI_JP
>    discover proxy by pledge:                AN_Proxy/DTLS
> 
>    The two objective-values proposed are not what we would logically end up with when
>    using the more systematic approach from brski-discovery, instead, both could be
>    empty strings - because both are defaults for use with CoAPs, which we declare to
>    be assumed by use of IPPROTO_UDP. But both values would not matter, but could be
>    defined easily for backward compatibility into brski-discovery if we would keep
>    the text.
> 
> draft-ietf-anima-constrained-join-proxy proposes:
> 
>    discover stateless registrar by proxy:  AN_join_registrar/BRSKI_RJP
>    discover proxy by pledge:               AN_Proxy/DTLS-EST
> 
>    The use of AN_join_registrar objective-name would forfeit the transparent operation
>    of join-proxies as described in brski-discovery, because it moves the choice of
>    incompatible proxy<->registrar transport (stateful vs. stateless) into the objective-value
>    element. Aka: this choice would block the way forward with brski-discovery unless
>    brski-discovery would declare this specification invalid.
> 
>    brski-discovery instead proposes to use objective-name AN_join_registrar_rjp to
>    indicate a stateless join registrar service. Hence allowing for all the different
>    objective-value we want to use to be still available (and not occupied by the
>    "BRSKI_RJP" value).
> 
>    Discovery of the proxy by the pledge via DTLS-EST is also incompatible with what
>    constrained-voucher writes (DTLS), aka: it could not automatically be created by
>    a transparent proxy as proposed by brski-discovery (which would simply keep "DTLS").
> 
>    In addition, constrained-join-proxy also includes one nice inspirational line:
> 
>         h'fda379a6f6ee00000200000064000001', IPPROTO_TCP, 8443],
>         ["AN_join_registrar", 4, 255, "CMP"],
> 
>    To discover a CMP registrar, but without any explanations.
> 
> Aka: I'd have to go through the whole GRASP discovery text and see that it's not
> wrong, and I'd rather spend that effort writing brski-discovery correctly...
> 
> Aka: pls. remove is my preferred option.
> 
> Let's see that we do check the CoAP text to be correct though with what we want to
> have going forward.
> 
> Thanks!
>      Toerless
> 
>> -----Original Message-----
>> From: Anima <anima-bounces@ietf.org> On Behalf Of Michael Richardson
>> Sent: Monday, November 6, 2023 15:24
>> To: anima@ietf.org
>> Subject: Re: [Anima] I-D Action: draft-ietf-anima-constrained-join-proxy-15.txt
>>
>>
>> internet-drafts@ietf.org wrote:
>>      >    Title: Join Proxy for Bootstrapping of Constrained Network Elements
>>      >    Authors: Michael Richardson, Peter van der Stok, Panos Kampanakis
>>      >    Name: draft-ietf-anima-constrained-join-proxy-15.txt
>>      >    Pages: 26
>>      >    Dates: 2023-11-06
>>
>> ...
>>      > A diff from the previous version is available at:
>>      > https://author-tools.ietf.org/iddiff?url2=draft-ietf-anima-constrained-join-proxy-15
>>
>> This is a repost of the I-D, because it expired.
>> This version includes partial work on the IoT-Directorate review comments
>> received in August, and which are still issues:
>>
>> https://github.com/anima-wg/constrained-join-proxy/issues
>>
>> So the work is just not done yet.
>> There are a number of pull requests, some rather old, which I need to clean
>> up and/or merge:
>> https://github.com/anima-wg/constrained-join-proxy/pulls
>>
>> Your comments are of course, very welcome.
>> It is probably the case that there is a need for some additional review/text based upon the
>> new conversations about the discovery draft. It would be great if there are
>> new eyes reading this document, if they notice the mismatches.
>>
>> --
>> Michael Richardson <mcr+IETF@sandelman.ca>, Sandelman Software Works
>>   -= IPv6 IoT consulting =-                      *I*LIKE*TRAINS*
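Added example (not from the thread's authors or from any of the drafts): a Python checker for GRASP M_FLOOD announcements in their decoded list form (RFC 8990, after CBOR decoding) that validates a flood and then selects stateless join registrars under the two conventions Toerless contrasts above, the discriminator in the objective-value ("AN_join_registrar"/"BRSKI_RJP") versus in the objective-name ("AN_join_registrar_rjp"). The `Service` class, the function names, the session-id and ttl values, and the use of "" as the default CoAPS objective-value are assumptions; the IPv6 address is the one from the draft excerpt quoted in the mail.

```python
from dataclasses import dataclass

M_FLOOD, O_IPV6_LOCATOR = 9, 103   # RFC 8990 message type and locator option codes
IPPROTO_TCP, IPPROTO_UDP = 6, 17

@dataclass
class Service:
    name: str      # objective-name
    value: object  # objective-value (None when the objective carries none)
    addr: bytes    # 16-byte IPv6 address from the locator
    proto: int
    port: int

def parse_flood(msg):
    """Validate a decoded M_FLOOD; floods are unsolicited link input, so reject, never repair."""
    if not (isinstance(msg, list) and len(msg) >= 5 and msg[0] == M_FLOOD):
        raise ValueError("not an M_FLOOD")
    found = []
    for item in msg[4:]:
        if not (isinstance(item, list) and len(item) == 2):
            raise ValueError("bad [objective, locator] pair")
        obj, loc = item
        if not (isinstance(obj, list) and len(obj) in (3, 4)
                and isinstance(obj[0], str) and isinstance(obj[2], int)):
            raise ValueError("bad objective")
        if obj[2] <= 0 or loc == []:   # loop-count exhausted, or nothing to contact: skip
            continue
        if not (isinstance(loc, list) and len(loc) == 4 and loc[0] == O_IPV6_LOCATOR
                and isinstance(loc[1], bytes) and len(loc[1]) == 16
                and loc[2] in (IPPROTO_TCP, IPPROTO_UDP) and isinstance(loc[3], int) and 0 < loc[3] < 65536):
            raise ValueError("bad locator")
        found.append(Service(obj[0], obj[3] if len(obj) == 4 else None, loc[1], loc[2], loc[3]))
    return found

def stateless_registrars(services, encoding):
    """Select stateless (RJP) registrars under either convention described in the mail."""
    if encoding == "constrained-join-proxy":   # discriminator in the objective-value
        return [s for s in services if s.name == "AN_join_registrar" and s.value == "BRSKI_RJP"]
    if encoding == "brski-discovery":          # discriminator in the objective-name
        return [s for s in services if s.name == "AN_join_registrar_rjp"]
    raise ValueError(f"unknown encoding {encoding!r}")

# Constructed sample flood carrying the encodings side by side. Address taken from the
# draft excerpt quoted in the mail; session-id/ttl made up; 5684 is the CoAPS default port.
REG = bytes.fromhex("fda379a6f6ee00000200000064000001")
SAMPLE = [M_FLOOD, 0x1234, REG, 180000,
          [["AN_join_registrar", 4, 255, "BRSKI_RJP"], [O_IPV6_LOCATOR, REG, IPPROTO_UDP, 5684]],
          [["AN_join_registrar_rjp", 4, 255, ""], [O_IPV6_LOCATOR, REG, IPPROTO_UDP, 5684]],
          [["AN_join_registrar", 4, 0, "BRSKI_JP"], [O_IPV6_LOCATOR, REG, IPPROTO_TCP, 8443]]]
```

The third sample entry has an exhausted loop-count and is dropped, which is the check a proxy or pledge should apply before relaying or contacting anything it hears on the link.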