Re: [Anima] GRASP details - WGLC draft-ietf-anima-bootstrapping-keyinfra-15
Brian E Carpenter <brian.e.carpenter@gmail.com> Fri, 01 June 2018 21:54 UTC
Return-Path: <brian.e.carpenter@gmail.com>
X-Original-To: anima@ietfa.amsl.com
Delivered-To: anima@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 506AF12DA54; Fri, 1 Jun 2018 14:54:51 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2
X-Spam-Level:
X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id K1iYXf7Wy8Qi; Fri, 1 Jun 2018 14:54:48 -0700 (PDT)
Received: from mail-pl0-x244.google.com (mail-pl0-x244.google.com [IPv6:2607:f8b0:400e:c01::244]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 742A512DA1C; Fri, 1 Jun 2018 14:54:48 -0700 (PDT)
Received: by mail-pl0-x244.google.com with SMTP id z9-v6so12709507plk.11; Fri, 01 Jun 2018 14:54:48 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=subject:to:cc:references:from:message-id:date:user-agent :mime-version:in-reply-to:content-language:content-transfer-encoding; bh=0hXLH1aQ3Q0KJ9EfEhphUchTqJ0NsLhIUMX0qSRjAv4=; b=YSwhEZsaUxcMv3VxOuHVMVawobNTZjBqU3KwdFSBgMkvlS9R0PtqM6bI4U9qXufxu5 6JB8uBVLfdIsFskDfhdBK/wbj4otI1BjEaXurKqXPIup0jQ0wTRo450l7YW7sVXsAmsP UiDNNHFtltBb5OOb6cz36IcLiKmNSl16YHcG6Yv4bhoQsNNfdxjxZK4IoTMoI/nLgUbP 1OH3NruDxMUKtZhJeh8FdHKomolsMb801hKt7NpEH/UajBWw0dnDtK76zJU4jUlVmerH 0HWqKHa1F26Wh1jNavPwMyFiD76Of2i7QOXT+MsCZIguK/u9oUVexhE6R93xyno4WxUb fssQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:subject:to:cc:references:from:message-id:date :user-agent:mime-version:in-reply-to:content-language :content-transfer-encoding; bh=0hXLH1aQ3Q0KJ9EfEhphUchTqJ0NsLhIUMX0qSRjAv4=; b=ZjFny5T86Di1SeKXlq22MEx6ctvjtdePSfw/CD8hrsUi2cggUwQmWNeOQB6NB1ndKg 2YXL84gu8cCe9gQDaX6DHjbHykTdK+1qFnNePj0qlUdza0iHV9ytXjQGZekNOiaBXB+Z Y6Fx4KGpYRzkVQPnwv5+WimoJOGu+VU4bT//baBOl0qaQyHzGvDf44kjcshXlYKUuEni wMhRz9VZOXq0BvGAnz1S9eoxyQZGvb35uGEE34pIiyAQBvpLqupA560AlhBoW+C8sHz1 TxVtqyDyA5ea6HvGjBuzUuWBuEhzH+93WfKQWetLxTivC80qpdwL3V98j2Q2djFZ1OM/ uSOQ==
X-Gm-Message-State: ALKqPwcu2EUMQzVQkk/XyJ03C+qlXTIMdWlnpNyar2HqYW5gOhLUYTBI RfOGDFA2i3LFF6TunoDUP4sdxg==
X-Google-Smtp-Source: ADUXVKLk6BRyRJMuTLCp3pOdXM7Opf+iFOCXLTxcLx2snMVXt22Frba5VJKLzA1RBDG854lu0S7Ptg==
X-Received: by 2002:a17:902:7c84:: with SMTP id y4-v6mr12914776pll.262.1527890087671; Fri, 01 Jun 2018 14:54:47 -0700 (PDT)
Received: from [192.168.178.21] ([118.148.121.80]) by smtp.gmail.com with ESMTPSA id p12-v6sm55409786pgn.26.2018.06.01.14.54.44 (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Fri, 01 Jun 2018 14:54:46 -0700 (PDT)
To: Toerless Eckert <tte@cs.fau.de>, Michael Richardson <mcr+ietf@sandelman.ca>
Cc: draft-ietf-anima-bootstrapping-keyinfra@ietf.org, anima@ietf.org
References: <20180601062342.p3njduv4o6awwxbo@faui48f.informatik.uni-erlangen.de>
From: Brian E Carpenter <brian.e.carpenter@gmail.com>
Message-ID: <a8e6e6fe-d7f3-94d2-a039-a39f00a7c935@gmail.com>
Date: Sat, 02 Jun 2018 09:54:53 +1200
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:52.0) Gecko/20100101 Thunderbird/52.8.0
MIME-Version: 1.0
In-Reply-To: <20180601062342.p3njduv4o6awwxbo@faui48f.informatik.uni-erlangen.de>
Content-Type: text/plain; charset="utf-8"
Content-Language: en-US
Content-Transfer-Encoding: 7bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/anima/avRQzWrUz889icY7WDpSCZtN5yk>
Subject: Re: [Anima] GRASP details - WGLC draft-ietf-anima-bootstrapping-keyinfra-15
X-BeenThere: anima@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Autonomic Networking Integrated Model and Approach <anima.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/anima>, <mailto:anima-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/anima/>
List-Post: <mailto:anima@ietf.org>
List-Help: <mailto:anima-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/anima>, <mailto:anima-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 01 Jun 2018 21:54:52 -0000
Comments on three points in line: On 01/06/2018 18:23, Toerless Eckert wrote: > Ok, lets separate out the threads here. > > On Thu, May 31, 2018 at 03:35:31PM -0400, Michael Richardson wrote: >> >> Toerless Eckert <tte@cs.fau.de> wrote: >> > 1. The GRASP specification of 4.1.1 should only describe what is required >> > and valid for the standard of GRASP objective, which is the TCP proxy. >> >> > Appendix C proxy option is not full/formally worked out, thats why >> > its in an appendix. If the authors want to propose a formal GRASP >> >> It's not mandatory to implement, which is why it got pushed to the appendix. >> If it wasn't worked out, then it would be removed. > > Ok. *sigh*. I guess i didn't quite get that. So, if we want to make GRASP in BRSKI > fwork correctly for IPinIP instead of just making it sugestive, there are a bunch > of fixes necessary. Some of them where part of the shepherd review suggestion > you dismissed as bikeshed. You didn't like the idea of using objective-value strings > to identify the proxy method. But the fix i suggested also fixed other GRASP > details. > > Anyhow. let me just list what i think is necessary to fi up the GRASP so it works > for both TLS and IPinIP. > > let me know if/how i can best help to get this done,I'd be happy to write up a > diff if we can finally get through this. > > Proposed changes to 4.1.1: > > Note: This 4.1.1 text fixes are not complete wrt. to the IPinIP port > constraints you seem to want to have according to the 4.2 text. See below > for the 4.2 text discus, and if thats fine with you, then of course, we would > also need to incude the locator-options for permitted TCP/UDP ports of the IPinIP > proxy into the 4.1.1 AN_Proxy objective, because otherwise the Pledge wouldn't > know which TCP or UDP (address)/port numbers to use across the IPinIP proxy (i think). > > a) Insert after: > | A proxy uses the DULL GRASP M_FLOOD mechanism to announce itself. > | This announcement can be within the same message as the ACP > | announcement detailed in [I-D.ietf-anima-autonomic-control-plane]. > > The optional IPinIP proxy as described in Appendix C requires > the following extension to the syntax of [GRASP]: > > transport-proto /= IPPROTO_IPINIP > IPPROTO_IPV6 = 41 ; [RFC2473] > > Figure xx: GRASP syntax extensions for BRSKI > > Note: Process wise we might need to declare BRSKI RFC to be an update to > GRASP RFC because of these two lines, but i would just wait until this gets > discussed with IANA and then suggest that we change instead GRASP before > it becomes RFC to: > > transport-proto = 0..255 I'm really reluctant to do that for the reason I gave yesterday (it allows rubbish values). I don't see why BRSKI can't just define the extra value that it needs. That doesn't really require an "Updates:" IMHO. I do want to revisit this later, very likely by adding an IANA registry, but I don't see the rush. > > Aka: that way we can define IPPROTO_IPV6 perfectly in BRSKI without > extending GRASP (IMHO). We can still later on expend it beyond 255 when we need to, > but thats not a BRSKI RFC problem then anymore. Yes, I think that's true in any case. Brian > > b) Change: > | The M_FLOOD is formatted as follows: > > To: > An example of M_FLOOD (without ACP) is as follows: > > (aka: "is formatted as" is not the correct lead in for an example). > > c) Fix up example picture: > > [M_FLOOD, 12340815, h'fe800000000000000000000000000001', 180000, > [ ["AN_Proxy", 4, 1 ], > [O_IPv6_LOCATOR, > h'fe800000000000000000000000000001', IPPROTO_TCP, 4443]], > [ ["AN_Proxy", 4, 1 ], > [O_IPv6_LOCATOR, > h'fe800000000000000000000000000001', IPPROTO_IPV6, 0]] ] > > Figure 6b: AN_Proxy Example > > This is actually multiple fixes > - Better title for picture (match AN_Proxy with following > CDDL picture title and 'example') > - the objective-value is not used, so "" for objective-value > is not really correct IMHO, the field is just not encoded: > ["AN_Proxy", 4, 1, "" ] -> ["AN_Proxy", 4, 1 ] > - I think it helps a lot to understand how to announce > multiple proxy options, so i highly suggest to have the > above example include the TCP circuit proxy and IPinIP options. > - Whether or not you use one or two objective announcements, > you always need one more structure level around objective > and locator-option according to GRASP syntax, > aka: > changed: ["AN_Proxy", 4, 1 ], ... 4443] > to: [ ["AN_Proxy", 4, 1 ], ... 4443] ] Yes. I thought that had already been caught. > c) Fix syntax: > from: flood-message = [M_FLOOD, session-id, initiator, ttl, > +[objective, (locator-option / [])]] > > to: flood-message = [M_FLOOD, session-id, initiator, ttl, > +[objective, locator-option ]] > > Aka: for this objective, locator-option is not optional, > but mandatory, because it indicates the proxy-type via the > transport-type which is part of the locator-option. That isn't a fix to the GRASP syntax, it's a *restriction* of the syntax for this particular case. Which is fine, but just note it as a restriction. > > d) from: locator = [ O_IPv6_LOCATOR, ipv6-address, > to: locator-option = [ O_IPv6_LOCATOR, ipv6-address, > > textual consistency with prior use of locator-option and GRASP RFC. > > e) Add at end of 4.1.1 suggested text: > > The transport-proto of the locator-option indicates the mechanism(s) > supported by the proxy to the pledge. IPPROTO_TCP indicates the > mandatory ANI TLS circuit proxy. IPPROTO_IPV6 indicates the optional > IPinIP proxy, see Appendix C. IPPROTO_UDP would indicate a future > CoAP mechanism, see Section 4.2. For IPPROTO_IPV6, proto-number > MUST be 0. > > The above example shows a proxy supporting both ANI TLS circuit proxy > and IP in IP proxy. > > Notes: > > I hope i understand the IP in IP proxy correctly, but given that > there is no port number in IPinIP, and given that port-number is > mandatory in GRASP syntax in this case, 0 seems to be the logical > number to use for port-number in this case. > > I am just guessing you want IPPROTO_UDP to indicate CoAP in the > future. If so, then it would be prudent to notice this here, > otherwise describe what IPPROTO_UDP should mean, and if there is > no predefined meaning, just remove it from the CDDL syntax. > > f) If you do not fancy to include the IP in IP example and text in > 4.1.1, then i would strongly suggest to remove ALL indications of > IP in IP, including the mentioning of IPPROTO_IPv6 from 4.1.1 > (also the extension to the GRASP syntax) - and instead put that > all into appendix C. Your choice. I think the text is more succinct > if all the grasp stuff is clearly in 4.1.1. > > 2) Changes for 4.3 > > a) The objective-value "EST-TLS" serves no purpose and is wrong. > Please remove it from the syntax, ak: no objective-value, like > also no objective-value in 4.1.1 > - Its unnecessary, because if its used for all possible methods > (TLS, IPinIP, ..) then it doesn't provide additional information > and is redundant. > - It is wrong, because the protocol would not just be EST, but BRSKI. > - It is wrong, because for CoAP there would be no TLS. > > b) Please consider improving the example as above for 4.1.1: > - lead in text for example > - example title > - [ [ objective, locator-option ] ] structure fix > - Ideally also include both TLS and IPinIP options in example > > Also: > - I find the use of port 80 in the example highly confusing given how > the TCP connection MUST use TLS. Please change to AB80 (anything but 80). > > c) The CDDL syntax should be more consistent with 4.1.1: > - locator-option not optional > - locator, ipv6-address, transport-proto, port-number could > be included in syntax. > > d) "network administrator policy (EST server configuration)" > > You where making during ACP review the point that BRSKI Registrar (for enrollment) > would not necessarily be the same as the EST server for cert renewal, > therefore the mentioning of "EST server" is confusing. would be > less confusing if the term (BRSKI) Registrar was used everywhere, > and "EST server" only when there is a real reason. > > e) "A protocol of 41 indicates that packets may be IPIP proxy'ed" > > So, unless we get back to my shepherd review "bikeshed" of introducing > different objective value strings for different proxy methods, > the "transport-proto" is the only way for the proxy to identify the > method, so this sentence needs to say "will be" instead of "may be". > > Also: Delete following "In the case of that IPIP proxying is used, then". > > Also: "MUST be advertised on the" -> "MUST be advertised by the Proxy on the". > > f) the mechanism you are describing with locator1, locator2 and locator3 > would be highly obfuscated: > > In GRASP, every objective can have only one locator as seen from the syntax. > What you are proposing would mean that you are announcing three separate > AN_join_registrar objectives (of course, they can all be together in a single > M_Flood), but then effectively you're saying that those three objectives > do really describe a single IPinIP mechanism. > > So, your full example locators with objectives would be: > > [["AN_join_registrar", 4, 255], [O_IPv6_LOCATOR, fd45:1345::6789, 6, 443]] ] > [["AN_join_registrar", 4, 255], [O_IPv6_LOCATOR, fd45:1345::6789, 17, 5683] ] > [["AN_join_registrar", 4, 255], [O_IPv6_LOCATOR, fe80::1234, 41, 0] ] > > Is this join registrar supporting ANI TLS proxy ? > Aka: i can't distinguish for the TCP locator whether it just indicates > a permitted TCP port for the IPinIP proxy or whether it indicates > the TCP port supported for IPinIP. And even if the proxy supports both, > its not clear to me that the TCP ports for "native" would be the same as > for IPinIP. Maybe its different code-paths == different ports. > > Likewise UDP port could be CoAP proxy or again a parameter for IPinIP. > > I would suggest to only use a single objective for IPinIP, aka: the line with > 41, 0, and encode the TCP/UDP locators to use inside of the IPinIP proxy > mechanisms as the objective-value when using the IPinIPi method: > > objective-value = *( [ ipv6-locator-option ] ) ; only for IPinIP proxy > > Then we could show an example like this: > > [M_FLOOD, 12340815, h'fda379a6f6ee00000200000064000001', 180000, > [ ["AN_join_registrar", 4, 255 ], > [O_IPv6_LOCATOR, h'fda379a6f6ee0::200000064000001', 6, 443] > ], > [ ["AN_join_registrar", 4, 255, > [[O_IPv6_LOCATOR, h'fda379a6f6ee0::200000064000001', 6, 4443], > [O_IPv6_LOCATOR, h'fda379a6f6ee0::200000064000001',17, 5683]] > ], > [O_IPv6_LOCATOR, fe80::1234, 41, 0] > ] > ] > > That would include your two constraining locators for the IPinIP proxy > and separately the "native" circuit proxy. And as mentioned in the > intro for 4.1.1, the same structure of information for the IPinIP proxy > would be necessary for AN_Proxy. > > > I'll stop here. Let me know what you think. I'll be happy to help apply the > fixes / send diff if this is ok. with you. > > Cheers > Toerless > >> -- >> ] Never tell me the odds! | ipv6 mesh networks [ >> ] Michael Richardson, Sandelman Software Works | network architect [ >> ] mcr@sandelman.ca http://www.sandelman.ca/ | ruby on rails [ >> > > > >> _______________________________________________ >> Anima mailing list >> Anima@ietf.org >> https://www.ietf.org/mailman/listinfo/anima > > _______________________________________________ > Anima mailing list > Anima@ietf.org > https://www.ietf.org/mailman/listinfo/anima >
- Re: [Anima] GRASP details - WGLC draft-ietf-anima… Michael Richardson
- Re: [Anima] GRASP details - WGLC draft-ietf-anima… Toerless Eckert
- [Anima] GRASP details - WGLC draft-ietf-anima-boo… Toerless Eckert
- Re: [Anima] GRASP details - WGLC draft-ietf-anima… Michael Richardson
- Re: [Anima] GRASP details - WGLC draft-ietf-anima… Toerless Eckert
- Re: [Anima] GRASP details - WGLC draft-ietf-anima… Brian E Carpenter
- Re: [Anima] GRASP details - WGLC draft-ietf-anima… Toerless Eckert
- Re: [Anima] GRASP details - WGLC draft-ietf-anima… Brian E Carpenter
- Re: [Anima] GRASP details - WGLC draft-ietf-anima… Brian E Carpenter