IETF Logo Mail Archive

Re: [Anima] draft-ietf-anima-constrained-voucher discovery questions

Michael Richardson <mcr+ietf@sandelman.ca> Thu, 07 April 2022 15:58 UTC

Return-Path: <mcr+ietf@sandelman.ca>
X-Original-To: anima@ietfa.amsl.com
Delivered-To: anima@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id AB51D3A09EB; Thu, 7 Apr 2022 08:58:30 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.108
X-Spam-Level:
X-Spam-Status: No, score=-2.108 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_DNSWL_BLOCKED=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=sandelman.ca
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 04mf4yusp7or; Thu, 7 Apr 2022 08:58:25 -0700 (PDT)
Received: from tuna.sandelman.ca (tuna.sandelman.ca [209.87.249.19]) (using TLSv1.2 with cipher ADH-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 578233A0DD1; Thu, 7 Apr 2022 08:58:23 -0700 (PDT)
Received: from localhost (localhost [127.0.0.1]) by tuna.sandelman.ca (Postfix) with ESMTP id 6DA5A38AED; Thu, 7 Apr 2022 12:09:37 -0400 (EDT)
Received: from tuna.sandelman.ca ([127.0.0.1]) by localhost (localhost [127.0.0.1]) (amavisd-new, port 10024) with LMTP id I-lWa0hv89j6; Thu, 7 Apr 2022 12:09:36 -0400 (EDT)
Received: from sandelman.ca (obiwan.sandelman.ca [209.87.249.21]) by tuna.sandelman.ca (Postfix) with ESMTP id A233A38ADF; Thu, 7 Apr 2022 12:09:36 -0400 (EDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=sandelman.ca; s=mail; t=1649347776; bh=Uxs9asemMoIUFtt5DeS0uiicpqqUqibWDDB75gzydyY=; h=From:To:Subject:In-Reply-To:References:Date:From; b=78hclC5v0W/lwNr+/oT/8n+kjLmUmx07WTucKtcObAl4cayH5jdiDiu4TZgoabVw5 MtZrhqmW0GuhefRaSHGWAcLg3zLbjDzyZiygE3NLpSvUnFhQv3NpqfRYKpIQ61kZvO GBTIKFUvIeu4gZufoczPfFjd1+u/iyiawQ+HcYSXgkFzSXtPk6FiDP5SsoUdVrFA9I 6goq3MHri5/FnXnn73luDVxnEkYwT0w/NPwcHs5LA5ruVhgG9GwkIgH/OuyP1wiuxF zE+GVxntqiPLTnoyxIAie7nbadWLpf/1hwXT/9GlBVMoAiV+0rDq5cVIfCy+mR3pxG MjLghaMuT1CMQ==
Received: from localhost (localhost [IPv6:::1]) by sandelman.ca (Postfix) with ESMTP id DA47611F; Thu, 7 Apr 2022 11:58:20 -0400 (EDT)
From: Michael Richardson <mcr+ietf@sandelman.ca>
To: Toerless Eckert <tte@cs.fau.de>, draft-ietf-anima-constrained-voucher@ietf.org, anima@ietf.org
In-Reply-To: <Yk7Yi6iyK4N7mih4@faui48e.informatik.uni-erlangen.de>
References: <Yk7Yi6iyK4N7mih4@faui48e.informatik.uni-erlangen.de>
X-Mailer: MH-E 8.6+git; nmh 1.7+dev; GNU Emacs 26.1
X-Face: $\n1pF)h^`}$H>Hk{L"x@)JS7<%Az}5RyS@k9X%29-lHB$Ti.V>2bi.~ehC0; <'$9xN5Ub# z!G,p`nR&p7Fz@^UXIn156S8.~^@MJ*mMsD7=QFeq%AL4m<nPbLgmtKK-5dC@#:k
MIME-Version: 1.0
Content-Type: multipart/signed; boundary="=-=-="; micalg="pgp-sha512"; protocol="application/pgp-signature"
Date: Thu, 07 Apr 2022 11:58:20 -0400
Message-ID: <14115.1649347100@localhost>
Archived-At: <https://mailarchive.ietf.org/arch/msg/anima/XEe_xt-0NjZoKhGrV_iTKKujwcc>
Subject: Re: [Anima] draft-ietf-anima-constrained-voucher discovery questions
X-BeenThere: anima@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Autonomic Networking Integrated Model and Approach <anima.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/anima>, <mailto:anima-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/anima/>
List-Post: <mailto:anima@ietf.org>
List-Help: <mailto:anima-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/anima>, <mailto:anima-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 07 Apr 2022 15:58:31 -0000

Toerless Eckert <tte@cs.fau.de> wrote:
    >> 6.5.1.  Discovery
    >>
    >> The Pledge discovers an IP address and port number that connects to
    >> the Registrar (possibly via a Join Proxy), and it establishes a DTLS
    >> connection.

    > This is very terse and possibly not completely correct.

https://github.com/anima-wg/constrained-voucher/issues/224

    > But the discovery itself is described in draft-ietf-anima-constrained-join-proxy,
    > right ? E.g.: it could involve either directly discovering brski.rjp if there
    > is no join proxy or discoverin brski.jp if there is a join proxy. True ?
    > Would be good to at least provide an appropriate pointer that describes this. And
    > i am not sure that  draft-ietf-anima-constrained-join-proxy actually describes how
    > a pledge would use either brski.jp or brski.rjp... ?

You are a bit right.
The discovery by the proxy of the Registrar on a *NON* ACP network uses brski.rjp.
This discovery is *specific* to *this* kind of stateless join proxy.
The registrar and the proxy have to agree to use this extension.

The discovery by the pledge of the Registrar does not have any other place
discovery by CoAP RD.   constrained-voucher does not define it, so that's why
it is in join-proxy.

    >> No further discovery of hosts or port numbers is required, but a

    > beyond the discovery described in the prior paragraph ? Would suggest to
    > either remove this part of the sentence or add more details. As it stands it
    > is like be inserting into this email: It is not required to send toerless chocolade.
    > (huh, why the heck does toerless mention this - what other cases are there
    > where toerless would actuallt expect chocoade. why does he mention
    > it.. ?)

To point it your analogy, once we have determine that Toerless is Hungry, we
do not need to determine whether you want chocolate or not, because, only
triangular chocolate bars will fit through the transport protocol.

    >> pledge that can do more than one kind of enrollment
    >> (future work offers protocols other than [I-D.ietf-ace-coap-est]),
    >> then a pledge may need to use CoAP Discovery to determine what other protocols are
    >> available.

    > If the solultion os CoAP Discovery, then it seems the problem should maybe also
    > be rewritten to "pledge that can do more than one kind of enrollment mechanism using CoAP".

The pledge could also do DPP or CHIP/MATTER or 802.1x, which is not using CoAP.

    >> A Pledge that only supports the EST-coaps enrollment method SHOULD
    >> NOT use discovery for BRSKI resources.  It is more efficient to just

    > Confused. Do i translate this correctly to say "do not use brski.jp/brski.rjp discovery
    > from anima-constrained-join-proxy" ?

brski.jp is used to find the proxy in order to reach the Registrar.

Once a connection to the Registrar is found, then the question becomes: can
the pledge do CMP as well as EST? If so, it might need to discover if the
Registrar can do that.

I haven't opened another issue yet,because I'm not sure what to write yet.

--
Michael Richardson <mcr+IETF@sandelman.ca>   . o O ( IPv6 IøT consulting )
           Sandelman Software Works Inc, Ottawa and Worldwide

v2.23.0 | Report a Bug | By Email