Re: [Anima] [Emu] teap-brski
"Owen Friel (ofriel)" <ofriel@cisco.com> Mon, 10 June 2019 21:55 UTC
Return-Path: <ofriel@cisco.com>
X-Original-To: anima@ietfa.amsl.com
Delivered-To: anima@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 241D11200E0; Mon, 10 Jun 2019 14:55:30 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -14.49
X-Spam-Level:
X-Spam-Status: No, score=-14.49 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_HI=-5, SPF_PASS=-0.001, T_KAM_HTML_FONT_INVALID=0.01, USER_IN_DEF_DKIM_WL=-7.5] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=cisco.com header.b=ZAuXNXvZ; dkim=pass (1024-bit key) header.d=cisco.onmicrosoft.com header.b=uyOLztX+
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id B5WCP-2R0tu9; Mon, 10 Jun 2019 14:55:27 -0700 (PDT)
Received: from alln-iport-7.cisco.com (alln-iport-7.cisco.com [173.37.142.94]) (using TLSv1.2 with cipher DHE-RSA-SEED-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 39D0912001E; Mon, 10 Jun 2019 14:55:27 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cisco.com; i=@cisco.com; l=26670; q=dns/txt; s=iport; t=1560203727; x=1561413327; h=from:to:subject:date:message-id:references:in-reply-to: mime-version; bh=hssLA52mksYM6WZ4hoUIYSDq1rSrH6luFxLMR8atTi4=; b=ZAuXNXvZh8qa0PPuoU4b+i8Xy4ynNev43kE8yyzQtwWPuDaTtzBASq31 RIEUS1WEuaLqOVdLcWTh4GARJ8V0OsPsvKbKoWqN1MvvwLEqpNWaGmvL/ +VGAKRqA9910/ZN7PipIQa192P0iGQIM6kYkpL+zYFVv57b8N0H1FiQbD Y=;
IronPort-PHdr: 9a23:NP6fSBBE0OAWxGGIgKXiUyQJPHJ1sqjoPgMT9pssgq5PdaLm5Zn5IUjD/qg83kTRU9Dd7PRJw6rNvqbsVHZIwK7JsWtKMfkuHwQAld1QmgUhBMCfDkiuK/DwbiE+NM9DT1RiuXq8NBsdFQ==
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: A0BIAABU0f5c/5ldJa1mHAEBAQQBAQcEAQGBUQcBAQsBgQ4vJCwDalUgBAsoCoQLg0cDhFKKDYJXlzKBLoEkA1QJAQEBDAEBGAEMCAIBAYRAAheCXSM0CQ4BAwEBBAEBAgEEbRwMhUoBAQEBAwEBEBEKEwEBKQMMCwQCAQgOAwEDAQEoAwICAiULFAMGCAIEARIIGoMBgR1NAx0BAgydbAKBOIhfcYExgk8qAQEFhQYYgg8DBoE0AYRvhm0XgUA/gRFGgkw+gmEBAQIBgTcRGCsJglQygiaLZx2CJIRsgh+GH4xvagkCgg+FaVuNGZcbjROHE48nAgQCBAUCDgEBBYFPOIFYcBU7gmyCD4NwhRSFP3IBAYEnjDgCJAeBBAGBIAEB
X-IronPort-AV: E=Sophos;i="5.63,576,1557187200"; d="scan'208,217";a="282255518"
Received: from rcdn-core-2.cisco.com ([173.37.93.153]) by alln-iport-7.cisco.com with ESMTP/TLS/DHE-RSA-SEED-SHA; 10 Jun 2019 21:55:24 +0000
Received: from XCH-ALN-012.cisco.com (xch-aln-012.cisco.com [173.36.7.22]) by rcdn-core-2.cisco.com (8.15.2/8.15.2) with ESMTPS id x5ALtOli022608 (version=TLSv1.2 cipher=AES256-SHA bits=256 verify=FAIL); Mon, 10 Jun 2019 21:55:24 GMT
Received: from xhs-aln-001.cisco.com (173.37.135.118) by XCH-ALN-012.cisco.com (173.36.7.22) with Microsoft SMTP Server (TLS) id 15.0.1473.3; Mon, 10 Jun 2019 16:55:23 -0500
Received: from xhs-rcd-002.cisco.com (173.37.227.247) by xhs-aln-001.cisco.com (173.37.135.118) with Microsoft SMTP Server (TLS) id 15.0.1473.3; Mon, 10 Jun 2019 16:55:23 -0500
Received: from NAM02-SN1-obe.outbound.protection.outlook.com (72.163.14.9) by xhs-rcd-002.cisco.com (173.37.227.247) with Microsoft SMTP Server (TLS) id 15.0.1473.3 via Frontend Transport; Mon, 10 Jun 2019 16:55:22 -0500
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=cisco.onmicrosoft.com; s=selector2-cisco-onmicrosoft-com; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=hssLA52mksYM6WZ4hoUIYSDq1rSrH6luFxLMR8atTi4=; b=uyOLztX+jODx80OcaDmsrvh0PPrmYMBEvybpM590SC+YNa8vHxeXJW9Beu2CbySVkxU6v3OUETRCY8FCLqAeHiV4Vjzan20PGeafWr7XcodTWa9VyKgPh8BYSQr+Libfy9mVtZu97WoZ07fQo5k8X4So0F9souK/3VoRMa+druQ=
Received: from DM6PR11MB3385.namprd11.prod.outlook.com (20.176.123.12) by DM6PR11MB2827.namprd11.prod.outlook.com (20.176.100.30) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.1965.14; Mon, 10 Jun 2019 21:55:22 +0000
Received: from DM6PR11MB3385.namprd11.prod.outlook.com ([fe80::d46b:d11:c52a:f807]) by DM6PR11MB3385.namprd11.prod.outlook.com ([fe80::d46b:d11:c52a:f807%7]) with mapi id 15.20.1965.017; Mon, 10 Jun 2019 21:55:22 +0000
From: "Owen Friel (ofriel)" <ofriel@cisco.com>
To: Dan Harkins <dharkins@lounge.org>, "anima@ietf.org" <anima@ietf.org>, "emu@ietf.org" <emu@ietf.org>
Thread-Topic: [Emu] teap-brski
Thread-Index: AQHVHHIBAxJTiV6W80uQlmK2H+9Z36aVaMXA
Date: Mon, 10 Jun 2019 21:55:21 +0000
Message-ID: <DM6PR11MB3385E9075778EA632C6B289DDB130@DM6PR11MB3385.namprd11.prod.outlook.com>
References: <50c726dd-011d-9c52-6d79-caeb2ee0ef3b@lounge.org>
In-Reply-To: <50c726dd-011d-9c52-6d79-caeb2ee0ef3b@lounge.org>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
authentication-results: spf=none (sender IP is ) smtp.mailfrom=ofriel@cisco.com;
x-originating-ip: [173.38.220.37]
x-ms-publictraffictype: Email
x-ms-office365-filtering-correlation-id: c202e87b-c117-4967-4df9-08d6edee5601
x-microsoft-antispam: BCL:0; PCL:0; RULEID:(2390118)(7020095)(4652040)(8989299)(4534185)(4627221)(201703031133081)(201702281549075)(8990200)(5600148)(711020)(4605104)(1401327)(2017052603328)(7193020); SRVR:DM6PR11MB2827;
x-ms-traffictypediagnostic: DM6PR11MB2827:
x-ms-exchange-purlcount: 5
x-microsoft-antispam-prvs: <DM6PR11MB2827224658B4610BC3FC25DEDB130@DM6PR11MB2827.namprd11.prod.outlook.com>
x-ms-oob-tlc-oobclassifiers: OLM:10000;
x-forefront-prvs: 0064B3273C
x-forefront-antispam-report: SFV:NSPM; SFS:(10009020)(376002)(136003)(366004)(396003)(346002)(39860400002)(189003)(199004)(13464003)(99286004)(966005)(5660300002)(14454004)(2906002)(73956011)(110136005)(256004)(14444005)(71200400001)(33656002)(52536014)(71190400001)(790700001)(606006)(66066001)(74316002)(3846002)(6116002)(186003)(446003)(53936002)(102836004)(86362001)(6246003)(6506007)(229853002)(66556008)(2201001)(11346002)(2501003)(486006)(68736007)(53546011)(64756008)(476003)(66476007)(66446008)(26005)(55016002)(236005)(6306002)(9686003)(54896002)(76116006)(66946007)(8676002)(25786009)(81156014)(8936002)(6436002)(76176011)(478600001)(7696005)(81166006)(316002)(7736002); DIR:OUT; SFP:1101; SCL:1; SRVR:DM6PR11MB2827; H:DM6PR11MB3385.namprd11.prod.outlook.com; FPR:; SPF:None; LANG:en; PTR:InfoNoRecords; MX:1; A:1;
received-spf: None (protection.outlook.com: cisco.com does not designate permitted sender hosts)
x-ms-exchange-senderadcheck: 1
x-microsoft-antispam-message-info: nttULXgnppmScLQgQJkgLJXQwm7sMgHB6dGj5ExNXIViE+OthMMD/kGoJdYeLiwfpG5I/+QJXIcnyatFRm82jRJ6tSrkSj9CTi0go15wjEgqHxNImlOFpc18S9VN1mC5VVMQ5Y+ErK66oecx47Jq10JvuV0l1XnL8z06G69vTBeVALQ72vZazRIhZN8SlKMxsOFyEoO/wjuICaxPr+KuRA5TmCnvjq2cHDn5BZzRjoKZMX4xd7ktJqONjaK1g7hQZDdRhENTM1k68ehAmSZCDfWsYT7eU+S+UQUBhpknXDETDcbHAscZopjdSV02Mb48KyHEtZ3Si/1GrpT+TTCWfhHY/GvCL+qlkzZ8xHoAXEhYOK49FD1G4Ad4yqEc6jhFi+DcyXW03NevgsUCHvCPo9aIGV+7CgLRE+it3CNIM/A=
Content-Type: multipart/alternative; boundary="_000_DM6PR11MB3385E9075778EA632C6B289DDB130DM6PR11MB3385namp_"
MIME-Version: 1.0
X-MS-Exchange-CrossTenant-Network-Message-Id: c202e87b-c117-4967-4df9-08d6edee5601
X-MS-Exchange-CrossTenant-originalarrivaltime: 10 Jun 2019 21:55:21.9589 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 5ae1af62-9505-4097-a69a-c1553ef7840e
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-CrossTenant-userprincipalname: ofriel@cisco.com
X-MS-Exchange-Transport-CrossTenantHeadersStamped: DM6PR11MB2827
X-OriginatorOrg: cisco.com
X-Outbound-SMTP-Client: 173.36.7.22, xch-aln-012.cisco.com
X-Outbound-Node: rcdn-core-2.cisco.com
Archived-At: <https://mailarchive.ietf.org/arch/msg/anima/YfF7jftwndubxom_wEIq6JugHjE>
Subject: Re: [Anima] [Emu] teap-brski
X-BeenThere: anima@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Autonomic Networking Integrated Model and Approach <anima.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/anima>, <mailto:anima-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/anima/>
List-Post: <mailto:anima@ietf.org>
List-Help: <mailto:anima-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/anima>, <mailto:anima-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 10 Jun 2019 21:55:30 -0000
-----Original Message----- From: Emu <emu-bounces@ietf.org> On Behalf Of Dan Harkins Sent: 06 June 2019 15:13 To: anima@ietf.org; emu@ietf.org Subject: [Emu] teap-brski Hello, In a private thread on teap-brski the topic of co-location of the TEAP server and the BRSKI registrar was brought up. It was suggested that the discussion move to these lists to get more input from the experts. In draft-lear-eap-teap-brski-02 the architecture shows a the TEAP server and the BRSKI registrar as separate while mentioning that they can be co-located. The following assumes they are not co-located. The BRSKI pledge in this draft is called a "device" and the device establishes a provisional TLS connection (through TEAP) to the TEAP server over 802.1X or something similar. The device does not connect to the registrar. The device then creates a voucher request and sends it to the TEAP server using a newly defined TEAP TLV. The registrar signs the request, forwards it onto a MASA, and sends the voucher it gets back from the MASA to the device using another newly defined TEAP TLV. So the question is, will this even work? If the TEAP server and BRSKI registrar are separate entities then the voucher will include the TEAP server's EE certificate but it will be signed by the registrar's EE certificate. From my admittedly limited understanding of BRSKI I think the MASA will reject this voucher request because it fails the "proximity" check (if I understand the proximity check correctly). The MASA will treat the registrar as a man-in-the-middle. BRSKI folks: is this correct? Will a voucher request be rejected from a deployment like this? [ofriel] I believe this will fail the proximity check as outlined in https://tools.ietf.org/html/draft-ietf-anima-bootstrapping-keyinfra-20#section-5.5.5 However, there is an interesting definition in https://tools.ietf.org/html/draft-ietf-anima-bootstrapping-keyinfra-20#section-3.4 leaf prior-signed-voucher-request { type binary; description "If it is necessary to change a voucher, or re-sign and forward a voucher that was previously provided along a protocol path, then the previously signed voucher SHOULD be included in this field. For example, a pledge might sign a voucher request with a proximity-registrar-cert, and the registrar then includes it in the prior-signed-voucher-request field. This is a simple mechanism for a chain of trusted parties to change a voucher request, while maintaining the prior signature information. The Registrar and MASA MAY examine the prior signed voucher information for the purposes of policy decisions. For example this information could be useful to a MASA to determine that both pledge and registrar agree on proximity assertions. The MASA SHOULD remove all prior-signed-voucher-request information when signing a voucher for imprinting so as to minimize the final voucher size."; } Most notable: “This is a simple mechanism for a chain of trusted parties to change a voucher request, while maintaining the prior signature information.” So with some extra definition, one could envisage the TEAP server signing the Voucher request using its cert and including the Pledge’s voucher request in its prior-signed-voucher-request and sending it to the RA, and then the RA in turn signing the request using its own cert, and including the TEAP server’s voucher request in its prior-signed-voucher-request. The pledge could also assert the TEAP EE cert in its voucher request, with the TEAP server asserting the RA’s cert in its voucher request. The MASA could in theory then validate the full chain of trust back. Now, that’s reading a lot into that one statement, and the rest of BRSKI certainly doesn’t describe operation like that, and its far easier to mandate that the TEAP server *is* the Registrar. EMU folks: if the answer from the BRSKI folks is that this doesn't work then is there any sort of weird tunneling or "phase 2" trickery that can be added to TEAP to get this to work or should we just explicitly state that the TEAP server and the registrar are the same entity (they authenticate with the same certificate)? Thanks, Dan. _______________________________________________ Emu mailing list Emu@ietf.org<mailto:Emu@ietf.org> https://www.ietf.org/mailman/listinfo/emu
- [Anima] teap-brski Dan Harkins
- Re: [Anima] [Emu] teap-brski Owen Friel (ofriel)