[Anima] AD review of draft-ietf-anima-brski-cloud-08
"Rob Wilton (rwilton)" <rwilton@cisco.com> Fri, 19 January 2024 12:21 UTC
Return-Path: <rwilton@cisco.com>
X-Original-To: anima@ietfa.amsl.com
Delivered-To: anima@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 0616EC14F749; Fri, 19 Jan 2024 04:21:53 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -11.904
X-Spam-Level:
X-Spam-Status: No, score=-11.904 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.001, DKIMWL_WL_MED=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_MED=-2.3, RCVD_IN_MSPIKE_H3=0.001, RCVD_IN_MSPIKE_WL=0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_NONE=0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001, USER_IN_DEF_DKIM_WL=-7.5] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=cisco.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id jzI5i_cX5eEo; Fri, 19 Jan 2024 04:21:49 -0800 (PST)
Received: from rcdn-iport-7.cisco.com (rcdn-iport-7.cisco.com [173.37.86.78]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id D6CBFC14F736; Fri, 19 Jan 2024 04:21:48 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=cisco.com; i=@cisco.com; l=43563; q=dns/txt; s=iport; t=1705666908; x=1706876508; h=from:to:cc:subject:date:message-id:mime-version; bh=xkfOHJ41JH1T9WbFVivmQqy9qoh7F/l8WW7iwMDyc6Q=; b=knR490fYVg2FbwmRFavmYb1i90YKCBjlYl/Pk7ME/uyj8fk1wgNwqqjq CspQ/3PS+5G2OqDhwXOpi9NaDUls7bDDe1Xa3t8hQH+i/etnsc5c4bDIU 8xwHpkfK4HI6e7AwW37gweHOiJaTC1kV5YeCk8qKYcwx9j7JqMxuS1lbe g=;
X-CSE-ConnectionGUID: P8C50uc+QeaV87VmdkdB1A==
X-CSE-MsgGUID: U2fM52n6R1qSVHGnDad4Kg==
X-IPAS-Result: A0ANAADRaKplmJRdJa1RCRwBAQEBAQEHAQESAQEEBAEBQCWBFgcBAQsBgTUxUnoCgQUSiGYDhE5fiGeBFpxxgX4PAQEBDQEBRAQBAYUGAodFAiY0CQ4BAgQBAQEBAwIDAQEBAQEBAQEGAQEFAQEBAgEHBRQBAQEBAQEBAR4ZBQ4QJ4U7CDaGSBZZDhIBGiYBPhcQBAENDRqCXgGCF0gDAalzAYFAAoooeIE0gQGCFgWyfYFIAYgbAYFOiFQnG4FJRIEVQoIwhQ0DERqEEoIvBIEXgQCCLzZdg212jE2BTSMDfghvGw8eNxEQEw0DCG4dAjE8AwUDBDIKEgwLIQUTQgNABkkLAwIaBQMDBIEwBQ0aAhAsJgMDEkkCEBQDOAMDBgMKMTBVQQxQA2UfMgk8DwwaAhsbDScjAixAAwkKEgIWAyQWBDYRCQsmAyoGNwISDAYGCV0mFgkEJQMIBANUAyN0EQMECgMUBwsHeIMTA0QdQAMLbT0UIQYOGwUEgTYFlD+CQmwFAQIPUwQUCTUjDSA2BQ4BATM7CxQLBRoNklUQJoJ7i2OOSZNBgToKhBGhTBepMGSYUyCgbYI3GYRnAgQCBAUCDgEBBoFjOi0bgRNwFYMjURkPV4MBilQNCZNPgTECBwsBAQMJiG4CJgQDa18BAQ
IronPort-PHdr: A9a23:TtHtnhaVvJTmrucSx68sw1D/LTDmhN3EVzX9orIuj7ZIN6O78IunY ArU5O5mixnCWoCIo/5Hiu+Dq6n7QiRA+peOtnkebYZBHwEIk8QYngEsQYaFBET3IeSsbnkSF 8VZX1gj9Ha+YgBOAMirX1TJuTWp6CIKXBD2NA57POPwT5TNjsCr0Oaa8JzIaAIOjz24Mvt+K RysplDJv9INyct6f7w8yBbCvjNEev8Dw2RuKBPbk0P359y7+9ho9CE4hg==
IronPort-Data: A9a23:SLQflaOeRCVQEt7vrR2Hl8FynXyQoLVcMsEvi/4bfWQNrUor0TUFy WAZWTuBbK6IMWCmLo9zPNjl9k1XvpWHnd9hHHM5pCpnJ55oRWUpJjg4wmPYZX76whjrFRo/h ykmQoCdaphyFjmF/kvF3oHJ9RFUzbuPSqf3FNnKMyVwQR4MYCo6gHqPocZh6mJTqYb/W17lV e/a+ZWFZAf8gm8saQr41orawP9RlKWq0N8nlgRWicBj5Df2i3QTBZQDEqC9R1OQrl58R7PSq 07rldlVz0uBl/sfIorNfoXTLiXmdoXv0T2m0RK6bUQNbi9q/UTe2o5jXBYVhNw+Zz+hx7idw /0V3XC8pJtA0qDkwIwgvxdk/y5WBf1tpefaKjuGvMWtnxL4dnfvz983JRRjVWEY0r4f7WBm7 /cULnUGaQqOwrvshrm6UeJrwM8kKaEHPqtG5Somlm6fXK1gGMyTK0nJzYcwMDMYnN9PGerZY eISaCFka1LLZBgn1lI/Uc1kw7r42CahG9FegG/Pq49quW6N9lVo64bNH9z5c9DWZsoAyy50o UqdojymWUtFXDCF8hKM9HOpj8fOkD/1HoUIG9WQ+uRjjkHWx2EPBlgfU1q+qLyzkFW9WpdUL 0sJ9mwnqawa9UG3QJ/6RRLQnZKflgQXV9wVGOog5UTUkOzf4h2SAS4PSTsphMEaWNEefWwBi weUlJDQCDVR4OKrTH6e+p3NhGbnUcQKFlMqaSgBRAoDxtDspoAvkx7CJuqP9obo3rUZ/hmtk 1i3QDgCulkFsSIcO0yGEb3vmTmgoN3CSRQ4o1yNGGmk9Qh+IoWiYuRECGQ3D94ecu51rXHY4 BDofvRyCshVXflhcwTWH40w8EmBvartDdElqQcH82Md3zqs4WW/Wotb/StzIkxkWu5dJme0P heJ51MOucIKVJdPUUORS9/gYyjN5fWxfekJqtiEBjazSsEoK1/Zpn0GibC4hjyzziDAbp3Ty b/ALJ7zVixFYUiW5DG3XOwamaQ63TwzwHibRJbwiXyaPUm2OhaopUM+GALWNIgRtfrcyC2Mq oo3H5XRkX13DrahChQ7BKZOdzjm21BhW8CvwyGWH8beSjdb9JYJUKWKn+J8K9w1w8y4VI7gp xmAZ6OR83Km7VXvIgSRYXclY7TqNauTZ1piVcDwFT5EA0QeXLs=
IronPort-HdrOrdr: A9a23:3oxcFaMd3kFo9sBcT5z255DYdb4zR+YMi2TDiHoBKiC9I/b5qy nxppUmPEfP+UossREb9expOMG7MBXhHO1OkPYs1NaZLUPbUQSTXftfBOfZslnd8k7Fh6NgPM VbAtVD4bTLZDAQ47eZkWyF+r0bsaC6GdWT9JzjJgBWPHlXgs9bnmBEIzfeOHdbACNBAp00Ho ed4M1omxqMEE58Uu2LQlM+c6zmvdPkqLLKCCRqO/cg0mazpALtzIS/PwmT3x8YXT8K66wl63 L5nwvw4bjmm+2nyzfHvlWjoKh+qZ/E8J9uFcaMgs8aJnHHkQCzfrlsXLWEoXQcvPyv0lA3i9 PByi1QcfibqkmhP11dkyGdmDUI4wxeqUMKDmXoxEcLlPaJBA7SzfAxwb6xPCGprHbI9+sMrp 6jl1jpxqa/Symw0BgUI7PzJkhXfo3emwtlrccDy3NYSocQc7lXsMgW+15UCo4JGGbg5JkgC/ QGNrCU2B96SyLsU5nihBgY/PW8GnAoWhuWSEkLvcKYlzBQgXBi1kMdgMgShG0J+p4xQ4RNo7 2sCNUiqJheCssNKa5tDuYIRsW6TmTLXBLXKWqXZVDqDrsONX7Bo4P+pL81+OapcpoVy4Zaou WIbHpI8WopP07+A8yH25NGthjLXWWmRDzojtpT4pBo04eMMIYD8RfzPWzGv/HQ0cn3WPerK8 pbEKgmcMPeEQ==
X-Talos-CUID: 9a23:AzA3YmBRjyRF+sT6ExE33xNMB8tmS3DU8iePHUq0CmpDEZTAHA==
X-Talos-MUID: 9a23:0Ua+swyM1TNwonh9DI8CsdUJX06aqJn0BmVQy5NYgZCdDhJQFDGxhTjrYYByfw==
X-IronPort-Anti-Spam-Filtered: true
Received: from rcdn-core-12.cisco.com ([173.37.93.148]) by rcdn-iport-7.cisco.com with ESMTP/TLS/ECDHE-RSA-AES256-GCM-SHA384; 19 Jan 2024 12:21:47 +0000
Received: from alln-opgw-4.cisco.com (alln-opgw-4.cisco.com [173.37.147.252]) by rcdn-core-12.cisco.com (8.15.2/8.15.2) with ESMTPS id 40JCLlLC025263 (version=TLSv1.2 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=OK); Fri, 19 Jan 2024 12:21:47 GMT
X-CSE-ConnectionGUID: 0WOpUQ+tQumvH3r71BwfAw==
X-CSE-MsgGUID: PlKe57WiRT2tAehjZqMGNQ==
Authentication-Results: alln-opgw-4.cisco.com; dkim=pass (signature verified) header.i=@cisco.com; spf=Pass smtp.mailfrom=rwilton@cisco.com; dmarc=pass (p=reject dis=none) d=cisco.com
X-IronPort-AV: E=Sophos;i="6.05,204,1701129600"; d="scan'208,217";a="20608056"
Received: from mail-bn1nam02lp2041.outbound.protection.outlook.com (HELO NAM02-BN1-obe.outbound.protection.outlook.com) ([104.47.51.41]) by alln-opgw-4.cisco.com with ESMTP/TLS/ECDHE-RSA-AES256-GCM-SHA384; 19 Jan 2024 12:21:47 +0000
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=WjuIgKYsNCTZJ4EpA1zwEm7ap03jvui7K43Y9GDra4DJdDcC1Ejr/ISYXtDJiFzkvnzBgdDADRh8RevRmoF3ViM55b2zzD+APjj+Rv6X2io8hFumc8cXrPz2S8XDCal4MVZcDzP2AKRBAyTtzLhr4/CZF8bIkHSoo9YniDWq2fpfPNalefrI2P8MUg9d7LbzrMmpPnodLZceeycXmXSCEMpXsBPriEYCJ7W1xYGtztvetX2KNusKx1+jquU+8cWAysr5HKlK0ZGijyKuKrcFOFl6Awkz/iSE+Ux26vSXRBCBuCWGBr9A5p9/qg7sRPPVmHGsbxz1KyBFlO2HwfZ6zQ==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=xkfOHJ41JH1T9WbFVivmQqy9qoh7F/l8WW7iwMDyc6Q=; b=SC9b9SJNTPPZ+RgqSMzkJywooL2VlStCcrDkTp4afhjcWYnPrxqYDHvR74yzqNpwKWuQo0sJ5V0lvFODUp3vHyQQRVKpwVXs8Ipj56u61C/54LUr59eBITlqJ93kHOr5QYSEZxG6IniXa9reIrubWZWuFRMyjRXfr/Ltfg2o5J5gjdvnXn3Pdf/dYki7NHfkhqjbgbtPhBYX8Qsy+kkC2zNkefsohfr9Ur1PYIh9W8GDjeOHDSTnYxrSnQHfPasbCm/+FW5H/OXqgOJzFLZ0cIfSCHF5csKP13//mEQeRW8Vr7i7yNbMkha1YAvWPjlKi9vMfZA6sIyWJ6NvYs23ww==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=cisco.com; dmarc=pass action=none header.from=cisco.com; dkim=pass header.d=cisco.com; arc=none
Received: from LV8PR11MB8536.namprd11.prod.outlook.com (2603:10b6:408:1ec::19) by IA1PR11MB7854.namprd11.prod.outlook.com (2603:10b6:208:3f6::5) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.7202.24; Fri, 19 Jan 2024 12:21:45 +0000
Received: from LV8PR11MB8536.namprd11.prod.outlook.com ([fe80::f662:b8bc:6176:256d]) by LV8PR11MB8536.namprd11.prod.outlook.com ([fe80::f662:b8bc:6176:256d%2]) with mapi id 15.20.7202.024; Fri, 19 Jan 2024 12:21:44 +0000
From: "Rob Wilton (rwilton)" <rwilton@cisco.com>
To: "draft-ietf-anima-brski-cloud.all@ietf.org" <draft-ietf-anima-brski-cloud.all@ietf.org>, "anima@ietf.org" <anima@ietf.org>
CC: Mahesh Jethanandani <mjethanandani@gmail.com>
Thread-Topic: AD review of draft-ietf-anima-brski-cloud-08
Thread-Index: AQHaSs3PFyuC2l4PjU+Q00bQLTrxoA==
Date: Fri, 19 Jan 2024 12:21:44 +0000
Message-ID: <LV8PR11MB85360CDB4EF19D6CBB0EE4EAB5702@LV8PR11MB8536.namprd11.prod.outlook.com>
Accept-Language: en-US
Content-Language: en-GB
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-ms-publictraffictype: Email
x-ms-traffictypediagnostic: LV8PR11MB8536:EE_|IA1PR11MB7854:EE_
x-ms-office365-filtering-correlation-id: 7499afc8-544b-4f25-315b-08dc18e9334c
x-ms-exchange-senderadcheck: 1
x-ms-exchange-antispam-relay: 0
x-microsoft-antispam: BCL:0;
x-microsoft-antispam-message-info: hOF6cKhcmyckMt6zSWmSJ1pW0ZtMYb80rrAT7h2H6BKTzqAqTlkuqGRIcmQuXq5IOYG9sL9v5uTI3xVRLsX5NsGK6B9N3aYx1Bc/Lo+ecgJ6XlmPmIS75D9yf2i9GXuDLDfezGz3JaPkuDjfURUzGzfADppxfkJwrq/qaGfW072fuuhmNU0Wjvgxvc3EOilotMgtXZOMpgZN8sn5FLL3YedxIm1ah2s5I1yyOns48ZtIzRJMe/xbxi7o/VyXUBN5q9rUVcaX6s1pZmC4WZ8G8RThjZcoDkfqxB1clC35sTGDtZxmdKfei/ZIDeteypHojISZuIhaP5aPCY5L1NndfAc+trgudzFCKXem18lK1FnQNr8TBtAeANjXb8HDrXR0BqPOIh16BTOo9CiXtOMyTjky59vn5jE7e8w7KsAMuS21bs3STm+eFKt4//LPhKd5Pf7YqeVUwoVf7Tq01KsxtdKzeUT88KZ8Ou2hdNxtyTiAlwvGXR6ZM7zFgrRgk10RsbusBav0b3oMslbjpb2GFCX8gbiFHaueBiDczFs3y0b3DtL/MdAd+KwpuOonGwRGj+rXTstFdmFWh/8CA9rNZ8VSWfIpDyh1O7RyppvITaLW7abx3MmdH+m6ij+bJMu4IM2Zks6kq/jhi6k/r+U5KgobULpEhA/rgCSVpL65x3g=
x-forefront-antispam-report: CIP:255.255.255.255; CTRY:; LANG:en; SCL:1; SRV:; IPV:NLI; SFV:NSPM; H:LV8PR11MB8536.namprd11.prod.outlook.com; PTR:; CAT:NONE; SFS:(13230031)(39860400002)(346002)(376002)(136003)(396003)(366004)(230173577357003)(230922051799003)(230273577357003)(186009)(64100799003)(451199024)(1800799012)(55016003)(83380400001)(38070700009)(86362001)(33656002)(9686003)(5660300002)(316002)(9326002)(71200400001)(66556008)(66446008)(478600001)(110136005)(6506007)(7696005)(91956017)(2906002)(66476007)(64756008)(66946007)(76116006)(8936002)(38100700002)(8676002)(122000001)(41300700001)(52536014)(4326008); DIR:OUT; SFP:1101;
x-ms-exchange-antispam-messagedata-chunkcount: 1
x-ms-exchange-antispam-messagedata-0: u+6cou2G426u5qcgm8yj8L5jmIcjVbXuKwBJOECXW8g69tHdXnh/A4mbKuyCIrGWptPnJPqoxyPAJ85tWhF0QK6wsSqJxKBFsg1+S3WLgQ+9QhjeN00G1PNM06nlzCRM5LH9tlK1R3ywXX6xYSyNUMDUOs/R7KGabbGwJnkbrzw2xH9v+NVlXbhoGP3KQegkWCDaFV/XPj5n/1CmTyH++MzKaiewDUqdwfMI68I9tCLO180Db4tPoY3O3WQpcBrWYs4b4h8NaO/26KcF3AqvdCrhRQD125p7d4jiW0P+GB27XO4JR+sLKlORdsOpYjc651CsZuwv5zLdFAdl2qATMuvHGT98JCGmsfqivL0xkXWQ1KE3JD4G1T3vXY6ZuVFyn82UZCN7d+drRB7lOmEpIBx7Or38MfB6MArkIX/CVb3wwjqJ4IXKBn0iStCY+M8IzBb0PPMgwc2IGBg/bXZyg1DEKgpMb6klSIDYC4yuzlH+674qtWgdxsQXKVRl+W/beEeT03wZjxrgxuORaWcO/7/0kV0RmApVjYz8vSJY0J9gieZsnuL+UbZxWSo83U56X+68y4QR4FowY77f2pW6aWyayBus+AmNC1qcgiPdeZ2sfA4l000mmjW3dZua5JfaDaK5yRZE9O8RUCmPJU4taW+dP9KzrljZFzEP4/Mt5eQNyHstXIWuZ0rVL79VxRYnbAkeR7r1ywmOKDb7zFOmjfoC23QBqvSz7CYhs0rNBbj6zjVSI1uOjkOpVhKblpqVWq7C9xLGE/WKM3m6rrtO/ycfZjtb3QmoCQZc89sJfwIWWbP5sEt0N1pJSvKqYk/0engyaXFCcxUkapvCLNKxR91GyhXIogO8b7uVFFVdgRqJrIs2s6YJMaRL8Xe4wNM8zGCuzEW3Q5xdnS4EX6ZHJ0S8GraWh4L7MeXxTzlEXVtdomIlc4Qi3KBjj6mWsEwhOykaGlVcFALcMWRIGjyWeBo5S4k/Pzxo/q9x+ixZm+/LbPc0gyYnnWcTXGvPwHw4XS7aD8Dp60hClsO9UcOJ8RPHJAQDZAqU5fChM0m0FgX9yEQeGtuvQfLQX8S78Phq8xz23y1qU8U8OZ0fIjlvoE3RkaAJf2qSawHiv1ZvV/DkxOvunVgKcTThdURfAz7hIUsN3Y/beJcCT1UHf52/ktQmUl8HW5Va1erCAQ/lhd8C4HJdjBVj5RgxS6187FfCummy4Gjk4/6frwPUdOXp/KTfMKR/UlT2oX2nlcmUZ2SNisbfxir+SK1cTNHm6eWnHNr+2mBF/QBkq3Y9fyNwxL3ebzRR1Rm5/zLtietz0YAPqt2Ou5NrQ9tdSft3EImCvwZO08f/IVbTxJB7vdL8aPzoCsFRUIopLQn58d4jKdSCfxbxmhTCLtL+Ziz4O7ZNJdY75m+YV2uQS6hImRIUb5MJ0WdAp2MWfCjooSyGtEWnXgDGLg1QtwgQSrKVlYGUytQZ/D7OC8zrdBAHOtuDVHUI7t6CcMephlyQbnLbY/1pXhWtT4RUIVpqKeqszA1dTACB4bHmHfSeQbMtAjc1BsJjnT0OEFtojFK52G3vm34bV35XRGGtbwUqY15E52dhRCP2sGgD86nL+Fi0qKzp1Ldea4BCFQONroEYJOrs8zApioUHop+8BKk1NPvYUACuay2Z5QOCLJ5v8Q2WGjUUew==
Content-Type: multipart/alternative; boundary="_000_LV8PR11MB85360CDB4EF19D6CBB0EE4EAB5702LV8PR11MB8536namp_"
MIME-Version: 1.0
X-OriginatorOrg: cisco.com
X-MS-Exchange-CrossTenant-AuthAs: Internal
X-MS-Exchange-CrossTenant-AuthSource: LV8PR11MB8536.namprd11.prod.outlook.com
X-MS-Exchange-CrossTenant-Network-Message-Id: 7499afc8-544b-4f25-315b-08dc18e9334c
X-MS-Exchange-CrossTenant-originalarrivaltime: 19 Jan 2024 12:21:44.6634 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 5ae1af62-9505-4097-a69a-c1553ef7840e
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-CrossTenant-userprincipalname: Yhj3VjZ6H1mI3ZgwxzjcAL3JHBGxGWp8DOi0Xdai4sPLuRQuKta9lW97VccwI3BGQnfI1Jv+NphG6tp+Ngls7w==
X-MS-Exchange-Transport-CrossTenantHeadersStamped: IA1PR11MB7854
X-Outbound-SMTP-Client: 173.37.147.252, alln-opgw-4.cisco.com
X-Outbound-Node: rcdn-core-12.cisco.com
Archived-At: <https://mailarchive.ietf.org/arch/msg/anima/dGHV2SYqN78hGdcelLbAeNB77aM>
Subject: [Anima] AD review of draft-ietf-anima-brski-cloud-08
X-BeenThere: anima@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: Autonomic Networking Integrated Model and Approach <anima.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/anima>, <mailto:anima-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/anima/>
List-Post: <mailto:anima@ietf.org>
List-Help: <mailto:anima-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/anima>, <mailto:anima-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 19 Jan 2024 12:21:53 -0000
Hi, Here is my AD review of draft-ietf-anima-brski-cloud-08. I confess that I’m not an expert on BRSKI and EST which has limited my ability to do a technical review, but which may be the reason that I found that document to be somewhat harder to understand. Anyway, I have the following comments: Moderate level comments: (1) p 11, sec 4. Protocol Details It wasn't entirely clear to me how what the split between Protocol Operation and Protocol Details is. Possibly adding a sentence or two to the beginning of each of these sections may help guide the reader. Minor level comments: (2) p 3, sec 1.2. Target Use Cases The pledge is not expected to know which of these two situations it is in. The pledge determines this based upon signals that it receives from the Cloud Registrar. The Cloud Registrar is expected to make the determination based upon the identity presented by the pledge. Rather than "which of these two situations", perhaps it would be clearer as "which of the two situatations described in sections 1.2.1 and 1.2.2 below" (3) p 4, sec 2. Architecture Finally, when bootstrapping against an owner Registrar, this Registrar may interact with a backend CA to assist in issuing certificates to the pledge. The mechanisms and protocols by which the Registrar interacts with the CA are transparent to the pledge and are out-of-scope of this document. Possibly this paragraph and the previous one would be better in the reverse order. In particular, it is unclear to me whether using ESP services constitutes "bootstrapping against an owner Registrar", or wheher the third paragraph ony covers the "Cloud Registrar may redirect the pledge to an owner Registrar" case. (4) p 8, sec 3.1.3. Pledge Issues Voucher Request After the pledge has established a full TLS connection with the Cloud Registrar and has verified the Cloud Registrar PKI identity, the pledge generates a voucher request message as outlined in BRSKI section 5.2, and sends the voucher request message to the Cloud Registrar. What is meant by a "full TLS connection"? (5) p 8, sec 3.2. Cloud Registrar Handles Voucher Request If the request is correct and the Registrar is able to handle it, but unable to determine ownership, then it MUST return a 401 Unauthorized response to the pledge. This signals to the Pledge that there is currently no known owner domain for it, but that retrying later might resolve this situation. The Registrar MAY also include a Retry-After header that includes a time to defer. A pledge with some kind of indicator (such as a screen or LED) SHOULD consider this an onboarding failure, and indicate this to the operator. I'm slightly surprised that it is only a MAY for including the Retry-After header rather than SHOULD. (6) p 10, sec 3.3.1. Redirect Response The pledge MUST establish a provisional TLS connection with specified local domain Registrar. The pledge MUST NOT use its Implicit Trust Anchor database for validating the local domain Registrar identity. The pledge MUST send a voucher request message via the local domain Registrar. It wasn't obvious to me why the pledge MUST NOT use it's implicit trust anchor database, and whether providing justification (or an explanation) would be helpful. Is this because it is just following the standard BRSKI flow from this point? Nit level comments: (7) p 0, sec Bootstrapping Remote Secure Key Infrastructures defines how to onboard a device securely into an operator maintained infrastructure. It assumes that there is local network infrastructure for the device to discover and to help the device. This document extends the new device behaviour so that if no local infrastructure is available, such as in a home or remote office, that the device can use a well defined "call-home" mechanism to find the operator maintained infrastructure. Perhaps "and help the device". (8) p 4, sec 1.2.1. Owner Registrar Discovery A typical example is an enduser deploying a pledge in a home or small branch office, where the pledge belongs to the enduser's employer. There is no local domain Registrar, and the pledge needs to discover and bootstrap with the employer's Registrar which is deployed in headquarters. For example, an enduser is deploying an IP phone in a home office and the phone needs to register to an IP PBX deployed in their employer's office. Perhaps "in their headquarters." or "within the employer's network." (9) p 5, sec 2. Architecture There are two different mechanisms for a Cloud Registrar to handle voucher requests. It can redirect the request to Owner Registrar for handling, or it can return a voucher that pins the actual Owner Registrar. When returning a voucher, additional bootstrapping information embedded in the voucher. Both mechanisms are described in detail later in this document. to the Owner Registrar (10) p 5, sec 2. Architecture There are two different mechanisms for a Cloud Registrar to handle voucher requests. It can redirect the request to Owner Registrar for handling, or it can return a voucher that pins the actual Owner Registrar. When returning a voucher, additional bootstrapping information embedded in the voucher. Both mechanisms are described in detail later in this document. information embedded => 'information is embedded', or 'information can be embedded'. (11) p 5, sec 2. Architecture As depicted in Figure 1, there are a number of parties involve in the process. The Manufacturer, or Original Equipment Maker (OEM) builds the device, but also is expected to run the MASA, or arrange for it to exist. involve => involved (12) p 8, sec 3.2. Cloud Registrar Handles Voucher Request The Cloud Registrar must determine pledge ownership. Prior to ownership determination, the Registrar checks the request for correctness and if it is unwilling or unable to handle the request, it MUST return a suitable 4xx or 5xx error response to the pledge as defined by [BRSKI] and HTTP. In the case of an unknown pledge a 404 is returned, for a malformed request 400 is returned, or in case of server overload 503. Suggest "503 is returned". (13) p 10, sec 3.3.1. Redirect Response The pledge MUST establish a provisional TLS connection with specified local domain Registrar. The pledge MUST NOT use its Implicit Trust Anchor database for validating the local domain Registrar identity. The pledge MUST send a voucher request message via the local domain Registrar. Should that be with a specified ..., or with the specified ... In additional, I also ran a grammar checker on the draft. It can sometimes be a bit hit and miss, but you may want to check them anyway. Spellings to check: CertificateRequest, enduser, pledgeOwnershipLookup, registar, requestvoucher, Grammar Warnings: Section: abstract, draft text: This document extends the new device behaviour so that if no local infrastructure is available, such as in a home or remote office, that the device can use a well defined "call-home" mechanism to find the operator maintained infrastructure. Warning: This word is normally spelled with a hyphen. Suggested change: "well-defined" Section: 2.1, draft text: There are are DHCP options that a network operator can configure to accomplish any of these options. Warning: Possible typo: you repeated a word Suggested change: "are" Section: 2.1, draft text: For wireless use cases, some kind of existing WiFi onboarding mechanism such as WPS. Warning: Did you mean Wi-Fi? (This is the officially approved term by the Wi-Fi Alliance.) Suggested change: "Wi-Fi" Section: 3.1.2, draft text: In order to make use of a Cloud Registrar, the Pledge MUST be manufactured with pre-loaded trust-anchors that are used to validate the TLS connection. Warning: This word is normally spelled as one. Suggested change: "preloaded" Section: 3.2.1, draft text: Alternatively, if the Cloud Registrar allows pledges to connect using self-signed certificates, the Registrar could use the thumbprint of the self-signed certificate to lookup a database of pledge self-signed certificate thumbprints to owners. Warning: The word "lookup" is a noun. The verb is spelled with a white space. Suggested change: "look up" Section: 3.2.2, draft text: In case of redirection, the Cloud Registrar replies to the voucher request with a HTTP 307 Temporary Redirect response code, including the owner's local domain in the HTTP Location header. Warning: Use an instead of 'a' if the following word starts with a vowel sound, e.g. 'an article', 'an hour'. Suggested change: "an" Section: 3.2.3, draft text: If the Cloud Registrar issues a voucher, it returns the voucher in a HTTP response with a 200 response code. Warning: Use an instead of 'a' if the following word starts with a vowel sound, e.g. 'an article', 'an hour'. Suggested change: "an" Section: 4.1, draft text: The assumption is that the owner Registrar domain is accessible and the pledge can establish a network connection with the owner Registrar. Warning: Use a comma before "and" if it connects two independent clauses (unless they are closely connected and short). Suggested change: ", and" Section: 7, draft text: The Cloud Registrar described in this document inherits all of the issues that are described in [BRSKI]. Warning: Consider using all the. Suggested change: "all the" Section: 7, draft text: All of the considerations for operation of the MASA also apply to operation of the Cloud Registrar. Warning: Consider using All the. Suggested change: "All the" Section: 7.4, draft text: The Cloud Registrar actually does all of the voucher processing as specified in [BRSKI]. Warning: Consider using all the. Suggested change: "all the" Regards, Rob
- [Anima] AD review of draft-ietf-anima-brski-cloud… Rob Wilton (rwilton)
- Re: [Anima] AD review of draft-ietf-anima-brski-c… Michael Richardson