[Anima] Cloud BRSKI discussion -- Option 2 use cases - Enroll Redirect

Michael Richardson <mcr+ietf@sandelman.ca> Sun, 24 November 2019 07:36 UTC

From: Michael Richardson <mcr+ietf@sandelman.ca>
To: anima@ietf.org
Date: Sun, 24 Nov 2019 08:36:48 +0100
Message-ID: <28737.1574581008@dooku.sandelman.ca>
Archived-At: <https://mailarchive.ietf.org/arch/msg/anima/SETjSk2ADRUzCIXblyCI9YwEWSM>
Subject: [Anima] Cloud BRSKI discussion -- Option 2 use cases - Enroll Redirect

Following up on the discussion at the WG meeting.
All three:

    https://github.com/anima-wg/brski-cloud/blob/master/presentations/three-flows.png

In all cases the Pledge gets some kind of network connectivity.
This could be an open WiFi, but is more often a cable plugged in with DHCPv4/IPv6.

2) Cloud Registrar Issues Voucher, Home RA issues LDevID

(Note that the document has 7.2 having "Option 1", "Option 2", "Option 3".
They are out of sync with the presentation)

This involves all the BRSKI mechanisms occurring in the cloud, but the local
domain still having a CA.  The CA could be a pure EST (RFC7030) with no BRSKI
extensions.

The diagram is at:
  https://github.com/anima-wg/brski-cloud/blob/master/presentations/option-2-enroll-redirect.png


7.2.2 proposes to do this with the enroll getting a 3xx (probably 307) code:

+--------+            +-----------+              +----------+
| Pledge |            | Local     |              | Cloud RA |
|        |            | Registrar |              | / MASA   |
+--------+            +-----------+              +----------+
    |                                                 |
    | 1. Full TLS                                     |
    |<----------------------------------------------->|
    |                                                 |
    | 2. Voucher Request                              |
    |------------------------------------------------>|
    |                                                 |
    | 3. Voucher Response                             |
    |<------------------------------------------------|
    |                                                 |
    | 4. EST enroll                                   |
    |------------------------------------------------>|
    |                                                 |
    | 5. 3xx Location: localra.example.com            |
    |<------------------------------------------------|
    |                                                 |
    | 6. Full TLS          |                          |
    |<-------------------->|                          |
    |                      |                          |
    | 7. EST Enrol         |                          |
    |--------------------->|                          |
    |                      |                          |
    | 8. Certificate       |                          |
    |<---------------------|                          |
    |                      |                          |
    | 9. etc.              |                          |
    |--------------------->|                          |


7.2.3 proposes to do this with the voucher providing the address of the EST
server.



   +--------+            +-----------+              +----------+
   | Pledge |            | Local     |              | Cloud RA |
   |        |            | Registrar |              | / MASA   |
   +--------+            +-----------+              +----------+
       |                                                 |
       | 1. Full TLS                                     |
       |<----------------------------------------------->|
       |                                                 |
       | 2. Voucher Request                              |
       |------------------------------------------------>|
       |                                                 |
       | 3. Voucher Response  {localra:fqdn}             |
       |<------------------------------------------------|
       |                                                 |
       | 4. Full TLS          |                          |
       |<-------------------->|                          |
       |                      |                          |
       | 5. EST Enrol         |                          |
       |--------------------->|                          |
       |                      |                          |
       | 6. Certificate       |                          |
       |<---------------------|                          |
       |                      |                          |
       | 7. etc.              |                          |
       |--------------------->|                          |


In both cases, the voucher response provides a pin of the Local Registrar.

--
Michael Richardson <mcr+IETF@sandelman.ca>, Sandelman Software Works
 -= IPv6 IoT consulting =-
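Pledge-side handling of the two enroll options above, as an added example that is not code from the brski-cloud draft or its author: the voucher key "localra" is assumed from the diagram's {localra:fqdn} label, the URLs are placeholders, and the certificate bytes and vouchers are constructed. It shows the two things the pledge must decide, where to send the EST enroll (direct from the voucher, or via a 3xx from the cloud RA) and whether the Local Registrar it reaches matches the pin carried in the voucher.

```python
# Added example (not draft or author code): pledge-side decisions for the two
# enroll options above.  Key "localra" is assumed from the {localra:fqdn} label;
# URLs and certificate bytes are constructed placeholders.
import base64
import hashlib
import json
from typing import List, Optional
from urllib.parse import urlparse

CLOUD_EST_ENROLL = "https://cloud-ra.example/.well-known/est/simpleenroll"  # assumed
EST_PATH = "/.well-known/est/simpleenroll"  # RFC 7030 simpleenroll path

# Constructed stand-in for the DER of the local domain's pinned certificate.
LOCAL_CA_DER = b"constructed-local-ra-cert-der"
VOUCHER_723 = json.dumps({"ietf-voucher:voucher": {
    "assertion": "verified", "serial-number": "pledge-0001",
    "pinned-domain-cert": base64.b64encode(LOCAL_CA_DER).decode(),
    "localra": "localra.example.com"}})            # 7.2.3: voucher names the RA
VOUCHER_722 = json.dumps({"ietf-voucher:voucher": {
    "assertion": "verified", "serial-number": "pledge-0001",
    "pinned-domain-cert": base64.b64encode(LOCAL_CA_DER).decode()}})  # 7.2.2

def parse_voucher(voucher_json: str) -> dict:
    """Pull the fields the pledge needs from an RFC 8366 style voucher."""
    v = json.loads(voucher_json)["ietf-voucher:voucher"]
    return {"pinned_der": base64.b64decode(v["pinned-domain-cert"]),
            "localra": v.get("localra")}

def choose_enroll_url(voucher: dict, status: Optional[int] = None,
                      location: Optional[str] = None) -> str:
    """Where to send the EST enroll.  7.2.3: straight to the RA named in the
    voucher.  7.2.2: to the cloud RA first; a 3xx is followed only to an https
    URL without userinfo, and only once (the caller passes the 3xx here)."""
    if voucher["localra"]:
        return "https://" + voucher["localra"] + EST_PATH
    if status is None:
        return CLOUD_EST_ENROLL
    if status in (301, 302, 303, 307, 308) and location:
        u = urlparse(location)
        if u.scheme == "https" and u.hostname and "@" not in u.netloc:
            return location
    raise ValueError("refusing redirect: %r %r" % (status, location))

def registrar_is_pinned(voucher: dict, peer_chain_der: List[bytes]) -> bool:
    """The 'Full TLS' to the local registrar is only trusted if the chain it
    presents contains the voucher's pinned cert (matched here by SHA-256 of
    the DER; a real pledge runs path validation with it as trust anchor)."""
    pinned = hashlib.sha256(voucher["pinned_der"]).digest()
    return any(hashlib.sha256(c).digest() == pinned for c in peer_chain_der)
```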