Re: [Anima] Genart telechat review of draft-ietf-anima-bootstrapping-keyinfra-28

Esko Dijk <esko.dijk@iotconsultancy.nl> Mon, 14 October 2019 14:50 UTC

From: Esko Dijk <esko.dijk@iotconsultancy.nl>
To: "draft-ietf-anima-bootstrapping-keyinfra.all@ietf.org" <draft-ietf-anima-bootstrapping-keyinfra.all@ietf.org>
CC: "anima@ietf.org" <anima@ietf.org>
Date: Mon, 14 Oct 2019 14:50:23 +0000
Archived-At: <https://mailarchive.ietf.org/arch/msg/anima/f2waKEMOn7WrQNl6TJIRQdpc1uQ>
Subject: Re: [Anima] Genart telechat review of draft-ietf-anima-bootstrapping-keyinfra-28

Besides the minor issues mentioned in the Gen-ART review, there are also still a couple of open issues in the tracker https://github.com/anima-wg/anima-bootstrap/issues
Shouldn't these be resolved also? Or is it already planned to do that later? Rejection of issues is also fine of course, as long as all issues are closed before the document gets published!

Best regards
Esko

Esko Dijk IoT Consultancy |  Email/Skype: esko.dijk@iotconsultancy.nl    |   +31 6 1264 2103

-----Original Message-----
From: Anima <anima-bounces@ietf.org> On Behalf Of Dan Romascanu via Datatracker
Sent: Sunday, October 13, 2019 10:39
To: gen-art@ietf.org
Cc: draft-ietf-anima-bootstrapping-keyinfra.all@ietf.org; dromasca@gmail.com; ietf@ietf.org; anima@ietf.org
Subject: [Anima] Genart telechat review of draft-ietf-anima-bootstrapping-keyinfra-28

Reviewer: Dan Romascanu
Review result: Ready with Issues

I am the assigned Gen-ART reviewer for this draft. The General Area Review Team (Gen-ART) reviews all IETF documents being processed by the IESG for the IETF Chair. Please wait for direction from your document shepherd or AD before posting a new version of the draft.

For more information, please see the FAQ at

<https://trac.ietf.org/trac/gen/wiki/GenArtfaq>.

Document: draft-ietf-anima-bootstrapping-keyinfra-??
Reviewer: Dan Romascanu
Review Date: 2019-10-13
IETF LC End Date: None
IESG Telechat date: 2019-10-17

Summary: Ready with Issues

This document specifies automated bootstrapping of an Autonomic Control Plane by creating a Remote Secure Key Infrastructure (acronym BRSKI) using manufacturer installed X.509 certificates, in combination with a manufacturer's authorizing service, both online and offline.

Christian Huitema and Jari Arkko have performed early reviews of previous versions of the document for SecDir and Gen-ART. As far as I can tell, most if not all of their major concerns concerning applicability and security have been addressed in the latest versions. A few more minor issues described below would better be clarified before approval.

I also observe that the document has consistent Operational implications but there is no OPS-DIR review so far, as well as a YANG module and several other references to YANG, but there is no YANG Doctors review. I hope that these will be available prior to the IESG review.

Major issues:

Minor issues:

1. The Pledge definition in section 1.2:

> Pledge:  The prospective device, which has an identity installed at
      the factory.

while in the Introduction:

> ... new (unconfigured) devices that are called pledges in this
   document.

These two definitions seem different. The definition in 1.2 does not include the fact that the device is 'new (unconfigured)'. Also, arguably 'identity installed at the factory' may be considered a form of configuration.

2. The document lacks an Operational Considerations section, which I believe is needed, taking into consideration the length and complexity of the document.
There are many operational issues spread across the document concerning the type and resources of devices, speed of the bootstrapping process, migration path, impact on network operation. I suggest considering adding such a section pointing to the place where these issues are discussed and adding the necessary information if missing. Appendix A.1 in RFC 5706 can be used as a checklist of the issues to be discussed in such a section.

3. Section 5.4:

> Use of TLS 1.3 (or newer) is encouraged.  TLS 1.2 or newer is
   REQUIRED.

What is the reason for using 'encouraged'? Why not RECOMMENDED?

Nits/editorial comments:

1. The Abstract includes:

'To do this a Remote Secure Key Infrastructure (BRSKI) is created'

Later in the document BRSKI is defined as a protocol. It would be good to clarify if BRSKI = BRSKI protocol.

2. In Section 1 - Introduction, 3rd paragraph:

s/it's default modes/its default modes/
s/it's strongest modes/its strongest modes/

3. Please expand non-obvious acronyms at first occurrence: EST protocol, LLNs, REST interface, LDAP, GRASP, CDDL, CSR

4. I would suggest alphabetic order listing of the terms in section 1.2

5. Section 1.3.1 - a reference for LDevID would be useful

6. Section 7:

s/Use of the suggested mechanism/Use of the suggested mechanisms/


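The Section 5.4 point above (TLS 1.2 REQUIRED, TLS 1.3 encouraged) is easy to get wrong in an implementation that leaves the library defaults in place. The following is an added example, not code from the draft or from any BRSKI implementation, showing how a registrar or pledge would pin the floor at TLS 1.2 while still letting TLS 1.3 negotiate, using Python's standard `ssl` module. The function names `make_brski_context` and `classify_version` are this example's own; a real registrar would additionally load the manufacturer CA bundle used to verify the pledge's IDevID, which is left out here.

```python
import ssl

# Levels taken from the quoted Section 5.4 text: TLS 1.2 is the REQUIRED
# minimum, TLS 1.3 is encouraged. Names below are this example's own.
REQUIRED_MIN = ssl.TLSVersion.TLSv1_2
ENCOURAGED = ssl.TLSVersion.TLSv1_3


def make_brski_context(server_side: bool) -> ssl.SSLContext:
    """Build a context that refuses TLS 1.0/1.1 but can still pick TLS 1.3.

    server_side=True models the registrar (authenticates the pledge's
    client certificate); False models the pledge talking to the registrar.
    """
    purpose = ssl.Purpose.CLIENT_AUTH if server_side else ssl.Purpose.SERVER_AUTH
    ctx = ssl.create_default_context(purpose)

    # Enforce the spec's floor: handshakes offering only 1.0/1.1 are rejected.
    ctx.minimum_version = REQUIRED_MIN
    # Do not cap the ceiling, so 1.3 is negotiated whenever both peers have it.
    ctx.maximum_version = ssl.TLSVersion.MAXIMUM_SUPPORTED

    if server_side:
        # The registrar must see the pledge's IDevID: mutual TLS. In real use
        # load_verify_locations() must point at the manufacturer CA(s); this
        # example (an assumption, no CA bundle included) only sets the policy.
        ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


def classify_version(negotiated: str) -> str:
    """Map the string returned by SSLSocket.version() onto the spec's levels.

    Anything below TLS 1.2 is a policy violation and should be logged and
    the connection dropped; TLS 1.2 meets the requirement; TLS 1.3 is the
    encouraged outcome.
    """
    table = {"TLSv1.3": "encouraged", "TLSv1.2": "required-minimum"}
    return table.get(negotiated, "reject")


def supports_encouraged_version() -> bool:
    """True when the linked OpenSSL can actually negotiate TLS 1.3."""
    return bool(ssl.HAS_TLSv1_3)


if __name__ == "__main__":
    registrar = make_brski_context(server_side=True)
    print("registrar minimum:", registrar.minimum_version.name)
    print("TLS 1.3 available:", supports_encouraged_version())
    for v in ("TLSv1.1", "TLSv1.2", "TLSv1.3"):
        print(v, "->", classify_version(v))
```

The policy check in `classify_version` is the piece worth keeping even if the context configuration is done elsewhere: after `wrap_socket`, compare `sock.version()` against it before any BRSKI voucher exchange proceeds, so a misconfigured peer or downgraded handshake is caught at the application layer as well as in the library.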
_______________________________________________
Anima mailing list
Anima@ietf.org
https://www.ietf.org/mailman/listinfo/anima