Re: [Anima] FYI: est-coaps registered (was: Re: Discovery of proxy/registrar insufficient (GRASP and) more).
Toerless Eckert <tte@cs.fau.de> Thu, 05 May 2022 21:12 UTC
Return-Path: <eckert@i4.informatik.uni-erlangen.de>
X-Original-To: anima@ietfa.amsl.com
Delivered-To: anima@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 521D4C1594BF for <anima@ietfa.amsl.com>; Thu, 5 May 2022 14:12:13 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.649
X-Spam-Level:
X-Spam-Status: No, score=-1.649 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HEADER_FROM_DIFFERENT_DOMAINS=0.248, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=no autolearn_force=no
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id BoFYAZ8Lo8Jy for <anima@ietfa.amsl.com>; Thu, 5 May 2022 14:12:09 -0700 (PDT)
Received: from faui40.informatik.uni-erlangen.de (faui40.informatik.uni-erlangen.de [131.188.34.40]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id CE942C15948A for <anima@ietf.org>; Thu, 5 May 2022 14:12:08 -0700 (PDT)
Received: from faui48e.informatik.uni-erlangen.de (faui48e.informatik.uni-erlangen.de [IPv6:2001:638:a000:4134::ffff:51]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256) (No client certificate requested) by faui40.informatik.uni-erlangen.de (Postfix) with ESMTPS id 97C0958C4AF; Thu, 5 May 2022 23:12:01 +0200 (CEST)
Received: by faui48e.informatik.uni-erlangen.de (Postfix, from userid 10463) id 86A384EADDF; Thu, 5 May 2022 23:12:01 +0200 (CEST)
Date: Thu, 05 May 2022 23:12:01 +0200
From: Toerless Eckert <tte@cs.fau.de>
To: Michael Richardson <mcr+ietf@sandelman.ca>
Cc: anima@ietf.org
Message-ID: <YnQ9odb1fVakhs4E@faui48e.informatik.uni-erlangen.de>
References: <YlWUA7xhMU2XtJsz@faui48e.informatik.uni-erlangen.de> <388791.1649870361@dooku> <Ymc57cpieDGAcn1X@faui48e.informatik.uni-erlangen.de> <8866.1651512153@localhost> <YnLVDjRUP/ZrT4kd@faui48e.informatik.uni-erlangen.de> <14843.1651770972@localhost>
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Disposition: inline
Content-Transfer-Encoding: 8bit
In-Reply-To: <14843.1651770972@localhost>
Archived-At: <https://mailarchive.ietf.org/arch/msg/anima/THW6UO6rNZuDzy5BK_vY8GLMyeg>
Subject: Re: [Anima] FYI: est-coaps registered (was: Re: Discovery of proxy/registrar insufficient (GRASP and) more).
X-BeenThere: anima@ietf.org
X-Mailman-Version: 2.1.34
Precedence: list
List-Id: Autonomic Networking Integrated Model and Approach <anima.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/anima>, <mailto:anima-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/anima/>
List-Post: <mailto:anima@ietf.org>
List-Help: <mailto:anima-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/anima>, <mailto:anima-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 05 May 2022 21:12:13 -0000
On Thu, May 05, 2022 at 01:16:12PM -0400, Michael Richardson wrote: > Toerless Eckert <tte@cs.fau.de> wrote: > > Just for the fun of it i just registered service-name est-coaps against RFC9148 with IANA > > yesterday, like Jack registered "est" against RFC7030 a decade afterwards. That should/could > > then be used for constrained networks to use any working (*grin*) discovery for automatic cert > > renewal, which to me is equally important to bootstrap. See for example RFC8994 for SRV.est > > for how ACP defines to do this with EST/RFC7030 (via GRASP). > > I'm not sure that I agree with the name "est-coaps", as I think it's still > "est" with a transport of CoAP/UDP. a) I think you're logically right, but practically we do not have any actual formal service specification agnostic to transport for that abstract EST, such as a TAP-like service interface definition. We only have stuff in rfc9148 and ANIMA cBRSKI draft that reads: "this does the same as XXX in RFC7030/RFC8995". b) I was just looking at the openthread brski code, and it would be interesting to see how far one could get with actual code and a set of API functions shared bteween BRSKI/cBRSKI.. c) Can i circle that argument back to you and ask why we should actually introduce brski.jp/brski.rjp if we already have brski-proxy and brski-registrar ? > I'm pretty sure that SRV records can encode that. d) Actually no. SRV is just one RR for a DNS-SD service definition, and its not extensible. The extensible one is the TXT one. See my other mails proposing to exactly do that, e.g. ensure we do not introduce unnecessarily many service names just for protocol variations by using TXT proto=<variation> e) But: For this quick est-coaps service registration, without any draft/rfc describing/specifying any such parameters, i didn't want to start having a long discussion with Jack about updating/expanding the individual est registration to introduce TXT parameters. Thats exactly one of those problems of forgetting to do this work in e.g.: RFC9148 where it could have nicely been documented (but we can of course always do it in constrained voucher, updating (amending) RFC9148. Except that i have no idea what bureaucracy we're inviting trying to maned an RFC from a different WG. > > A lot more disappointed that RFC9148 didn't care about DNS-SD discovery than back when > > RFC7030 was written, but i guess they probably think their CoAP group communications discovery > > is better. > > If we had known that we'd spend 2 years in the RFC-editor Q waiting for > DTLS1.3, then maybe we would have done the document differently. Sure. > > Except that neither one works for L3 networks multicast IMHO (i am getting no > > response to that request i sent meaning at least nobody knows or cares), and COAP > > does not provide unicast discovery like DNS-SD from all i know. > > RD is a core part of RFC7252: > https://www.rfc-editor.org/rfc/rfc7252.html#section-7 > > you can do it multicast or unicast, and RFC9148 does that. Sure, but i am worried about understanding how realistically working either of these dependencies are: -> Which network of interest has multihop ASM IP MUlticast to support multicast coap discovery (via FF05::FD) ? I just have a few decades of challenges in other networks of getting multicast deployed there, which is why i am burned. And remember that the IETF explicitly worked on avoiding multihop mDNS for exactly the same reason. I wrote this in more detail in the question i sent to other WGs (that nobody replied to!) -> For unicast, what exactly is then the method to discover the URI of the registrar (across >= 1 L3 hop) ? If there is some mandatory support not only for unicast DNS (requests) but also automatically working registration of DNS names in some type of networks, that would be great. But that would then for example increase priority for us to define DNS-SD details for cBRSKI (and BRSKI outside ANI for that matter equally). This is what i am trying to figure out. Without either of these answers, RFC7252 could equally define that discovery depends on perpetuum mobiles or human configuration of discovered results (which i fear is what happens right now in all lab settings). > > I really wonder how networks using RFC9148 intend to automate renewal, even absent > > automated secure bootstrap. I bet there is not going to be any interop requirements > > anyhow, and vendors are just hacking in some well-known DNS name for > > EST servers (est-server.<domain>) and ultimately do rely on unicast DNS. > > At the beginning of the effort, I asked this question. > > I was told that there were multiple sensor networks (consisting of millions > of sensors) where the devices had been deployed with manufacturer installed > IDevID. The (WiSun) network operates with them today. My understanding is > that there is a desire to rekey all these devices (over UDP) using 9148. > That the presence of the keygen target was important for this use case, > because there was a desire not to rely upon in-device random number > generator. (And the private key size for IDevID was now considered weak) Interesting data point, although i am not sure how it relates to the question: Any idea how those networks discover the EST (over coaps) server ? > If not for the above, I think that we would not have split RFC9148 out. What do you men with "split out" ? Thanks! Toerless > > -- > ] Never tell me the odds! | ipv6 mesh networks [ > ] Michael Richardson, Sandelman Software Works | IoT architect [ > ] mcr@sandelman.ca http://www.sandelman.ca/ | ruby on rails [ > > > -- > Michael Richardson <mcr+IETF@sandelman.ca> . o O ( IPv6 IøT consulting ) > Sandelman Software Works Inc, Ottawa and Worldwide > > > > -- --- tte@cs.fau.de
- [Anima] Discovery of proxy/registrar insufficient… Toerless Eckert
- Re: [Anima] Discovery of proxy/registrar insuffic… Brian E Carpenter
- Re: [Anima] Discovery of proxy/registrar insuffic… Toerless Eckert
- Re: [Anima] Discovery of proxy/registrar insuffic… Michael Richardson
- Re: [Anima] Discovery of proxy/registrar insuffic… Toerless Eckert
- Re: [Anima] Discovery of proxy/registrar insuffic… Brian E Carpenter
- Re: [Anima] Discovery of proxy/registrar insuffic… Peter van der Stok
- Re: [Anima] Discovery of proxy/registrar insuffic… Toerless Eckert
- Re: [Anima] Discovery of proxy/registrar insuffic… Brian E Carpenter
- Re: [Anima] Discovery of proxy/registrar insuffic… Brian E Carpenter
- [Anima] GRASP securty/transport substrate alterna… Toerless Eckert
- Re: [Anima] Discovery of proxy/registrar insuffic… Michael Richardson
- Re: [Anima] Discovery of proxy/registrar insuffic… Peter van der Stok
- Re: [Anima] Discovery of proxy/registrar insuffic… Michael Richardson
- Re: [Anima] Discovery of proxy/registrar insuffic… Brian E Carpenter
- Re: [Anima] Discovery of proxy/registrar insuffic… Toerless Eckert
- Re: [Anima] Discovery of proxy/registrar insuffic… Toerless Eckert
- Re: [Anima] Discovery of proxy/registrar insuffic… Brian E Carpenter
- [Anima] FYI: est-coaps registered (was: Re: Disco… Toerless Eckert
- Re: [Anima] Discovery of proxy/registrar insuffic… Michael Richardson
- Re: [Anima] Discovery of proxy/registrar insuffic… Michael Richardson
- Re: [Anima] FYI: est-coaps registered (was: Re: D… Michael Richardson
- Re: [Anima] Discovery of proxy/registrar insuffic… Michael Richardson
- Re: [Anima] Discovery of proxy/registrar insuffic… Michael Richardson
- Re: [Anima] FYI: est-coaps registered (was: Re: D… Carsten Bormann
- Re: [Anima] Discovery of proxy/registrar insuffic… Brian E Carpenter
- Re: [Anima] FYI: est-coaps registered (was: Re: D… Toerless Eckert
- [Anima] Carsten: Re: FYI: est-coaps registered (w… Toerless Eckert
- Re: [Anima] FYI: est-coaps registered (was: Re: D… Michael Richardson
- Re: [Anima] FYI: est-coaps registered (was: Re: D… Toerless Eckert
- Re: [Anima] FYI: est-coaps registered (was: Re: D… Brian E Carpenter
- Re: [Anima] FYI: est-coaps registered (was: Re: D… Michael Richardson
- Re: [Anima] FYI: est-coaps registered (was: Re: D… Esko Dijk