IETF Logo Mail Archive

Re: [Anima] Discovery of proxy/registrar insufficient (GRASP and more).

Michael Richardson <mcr+ietf@sandelman.ca> Mon, 02 May 2022 17:22 UTC

Return-Path: <mcr+ietf@sandelman.ca>
X-Original-To: anima@ietfa.amsl.com
Delivered-To: anima@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 2029BC1594B0 for <anima@ietfa.amsl.com>; Mon, 2 May 2022 10:22:46 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -7.096
X-Spam-Level:
X-Spam-Status: No, score=-7.096 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_DNSWL_HI=-5, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=sandelman.ca
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id QyrpjlCsshag for <anima@ietfa.amsl.com>; Mon, 2 May 2022 10:22:40 -0700 (PDT)
Received: from tuna.sandelman.ca (tuna.sandelman.ca [IPv6:2607:f0b0:f:3:216:3eff:fe7c:d1f3]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id B7A40C1594B2 for <anima@ietf.org>; Mon, 2 May 2022 10:22:38 -0700 (PDT)
Received: from localhost (localhost [127.0.0.1]) by tuna.sandelman.ca (Postfix) with ESMTP id 3AF2938F2B; Mon, 2 May 2022 13:35:36 -0400 (EDT)
Received: from tuna.sandelman.ca ([127.0.0.1]) by localhost (localhost [127.0.0.1]) (amavisd-new, port 10024) with LMTP id QCNNO_dCHYjT; Mon, 2 May 2022 13:35:34 -0400 (EDT)
Received: from sandelman.ca (obiwan.sandelman.ca [IPv6:2607:f0b0:f:2::247]) by tuna.sandelman.ca (Postfix) with ESMTP id 2B88B38F22; Mon, 2 May 2022 13:35:34 -0400 (EDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=sandelman.ca; s=mail; t=1651512934; bh=H01ER3Tq1dfcMLT0b9LuTwWGP6rEdKs88P7o1Ta65nU=; h=From:To:Subject:In-Reply-To:References:Date:From; b=OyscSKX/on3YNUqUaevWTnwMCv0fCDK71DEyYGZNaa443D1CCVHqgqYLWgGDdtxLu qRO1/0xnAzEf1LZ7Bo8qQXCIzpAE5LSHJ6LIjiAOoKzOQZA0X79uoic4bAjh3AsEyj UpT1oq9UKEU465G8ObHSiwO/7uVWu7N58VjMo0qed+5jAqFKiWnjc0/Gsm6tUeLpMa BARnCnNwJSXRx9+g/Gf0wRIhzQe7oDmXIlFSef1R8mFrzJWGhrUoLnNkOrJMAgbdBr amoipNgoIF9oyeym4gQ22tFYSckY/tULDWBf3EiWzfjbxyZPz+R3nDU8rT/8YhnNCG pSxyWHf9wBkJA==
Received: from localhost (localhost [IPv6:::1]) by sandelman.ca (Postfix) with ESMTP id 1E6F5277; Mon, 2 May 2022 13:22:33 -0400 (EDT)
From: Michael Richardson <mcr+ietf@sandelman.ca>
To: Toerless Eckert <tte@cs.fau.de>, anima@ietf.org
In-Reply-To: <Ymc57cpieDGAcn1X@faui48e.informatik.uni-erlangen.de>
References: <YlWUA7xhMU2XtJsz@faui48e.informatik.uni-erlangen.de> <388791.1649870361@dooku> <Ymc57cpieDGAcn1X@faui48e.informatik.uni-erlangen.de>
X-Mailer: MH-E 8.6+git; nmh 1.7+dev; GNU Emacs 27.1
X-Face: $\n1pF)h^`}$H>Hk{L"x@)JS7<%Az}5RyS@k9X%29-lHB$Ti.V>2bi.~ehC0; <'$9xN5Ub# z!G,p`nR&p7Fz@^UXIn156S8.~^@MJ*mMsD7=QFeq%AL4m<nPbLgmtKK-5dC@#:k
MIME-Version: 1.0
Content-Type: multipart/signed; boundary="=-=-="; micalg="pgp-sha512"; protocol="application/pgp-signature"
Date: Mon, 02 May 2022 13:22:33 -0400
Message-ID: <8866.1651512153@localhost>
Archived-At: <https://mailarchive.ietf.org/arch/msg/anima/baEvUriUhcLR0QeLiusrhtAY0cw>
Subject: Re: [Anima] Discovery of proxy/registrar insufficient (GRASP and more).
X-BeenThere: anima@ietf.org
X-Mailman-Version: 2.1.34
Precedence: list
List-Id: Autonomic Networking Integrated Model and Approach <anima.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/anima>, <mailto:anima-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/anima/>
List-Post: <mailto:anima@ietf.org>
List-Help: <mailto:anima-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/anima>, <mailto:anima-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 02 May 2022 17:22:46 -0000

Toerless Eckert <tte@cs.fau.de> wrote:
    > (1)

    >> Yes, you are right, we need to have a new objective to announce.
    >> I guess that we don't really think about the constrained-join-proxy really
    >> being used in an ACP context, but we really should that right.

    > I don't think this is true. As soon as EST-COAPS proliferates as an RFC,
    > the choice of TLS vs. COAPS becomes not only a necessity for constrained
    > devices, but also a preference choice by solution designers. Less code
    > modules etc.

We may be using different terminology, and being in violent agreement.

I am saying that the existing GRASP M_FLOOD specified in RFC8995,

RFC8995 4.1.1 says:

   flood-message = [M_FLOOD, session-id, initiator, ttl,
                    +[objective, (locator-option / [])]]

   objective = ["AN_Proxy", objective-flags, loop-count,
                                          objective-value]

...
   locator-option    = [ O_IPv6_LOCATOR, ipv6-address,
                       transport-proto, port-number ]
   ipv6-address      = the v6 LL of the Proxy
   $transport-proto /= IPPROTO_TCP   ; note that this can be any value
                                    ; from the IANA protocol registry,
                                    ; as per RFC 8990, Section 2.9.5.1,
                                    ; Note 3.

and I'm saying that we'd have:
   $transport-proto /= IPPROTO_UDP  ; ...

to indicate to use CoAPS (UDP/DTLS).  That's in the latest draft in section
6.1.2 (for AN_Registrar) and 6.2.2 (AN_Proxy).  But section 6.2/6.3 is wrong, and
I'm fixing it at:

   https://github.com/anima-wg/constrained-join-proxy/pull/20

Brian, in RFC8995, we leave "objective-value" empty, while this document
wants to set it to "BRSKI_JP", and I don't think that does anything useful.

    > (2)

    > Separate question: Do we have a good understanding which solution
    > that needs the constrained proxy will use which discovery mechanism ?

    > I am asking because if/where there are gaps in supported discovery mechanisms,
    > we might be able to suggest GRASP without ACP. Which would be somewhat of another
    > draft..

GRASP DULL is easy.
In some sense, for IoT networks, there is *only* the ACP :-)

    >> We decided that Registrars will be responsible for interoperation, and will
    >> support all protocols the operator expects to use.   If you buy a Registrar
    >> that does not do X and a pledge that only does X, then it fails, and you were
    >> stupid.

    > (4)

    > In the first place this needs to be written down.

    > But i'd rather like to argue it away because i think it is an unnecessary
    > constraining "hack".

    > Why have all this discovery mechanisms when they are not even used correctly.
    > Underspecifying the exact service(s) a Registrar offers is like announcing
    > "Oh, go to google for the WHATEVER services".

No, that's not at all what we said.

    > I don't see that implementations would get more complex, but rather
    > simpler if we simply are able to distinguish the different protocol options
    > by their service name/parameters and have proxies/clients be able to select
    > them.

I think that we did exactly this.

    >> You aren't wrong, but you also aren't right.
    >> Pledges are expected to try all options (possibly concurrently if they have
    >> CPU/ram) until they find one that works.    There is no reason the join proxy
    >> needs to know the details of the Registrar supports, only that they support a
    >> way to talk to it.

    > (5)

    > That "trial&error" too should be described if its here to stay. Even if just
    > through a reference to an appropriate section in 8995 (if its in there, not sure).

I don't think that we need to have a document that says read 8995 in a dozen places.

    > How about cert renewal, did you folks discuss if this would ever be something
    > pledges would want to do through the proxy ? In the case of ACP we did

Nope, never. Just like in BRSKI.

    >> > I wonder if the names choosen for est-coaps discovery, brski.jp and
    >> > brski.rjp are ideal indicative of the fact that we're rather defining
    >> > brski-est-coaps.jp and brski-est-coaps.rjp. I guess beauty/explicitness
    >>
    >> Fair point.

    > (7)

    > I guess a compromise for (4) would be new text that leaves the decision for
    > how to deal with the next enrollment protocol/encoding to such a followu draft:

    > IF implementers of a new variant feel that all existing/deployed registrars
    > will and should be able to support the new protocol variant (e.g.: brski-xmp-xyz),
    > then that protocol option does not need to come up with a new
    > variation.

You can bikeshed the names. I don't really care.

    >> Because, we defined the proxy to have a standard interface.

    > What does that mean ? Do all proxies need to support both modes, or
    > is there only the requirement for one mode, but some undefined entity has to
    > figue out what registrar/proxies in some network should decide to use ?

What does "what does that mean"?  I wrote an explanation, that I don't think
you read.

The "standard" interface from a join proxy to the pledge (if it's DTLS) is to
use CoAP over DTLS, on the port given.  The details of how it gets back to
the Registrar is irrelevant to the pledge.
(If it's TLS, then it's RFC8995.
(If it's OSCORE/EDHOC, then it's TBD)

    >> (Except for CoAP/OSCORE vs CoAPS above)

    > OSCORE = ?

OSCORE. RFC8613.

--
Michael Richardson <mcr+IETF@sandelman.ca>   . o O ( IPv6 IøT consulting )
           Sandelman Software Works Inc, Ottawa and Worldwide

v2.23.0 | Report a Bug | By Email