[Anima] BRSKI-Cloud discussion (from private thread)

Michael Richardson <mcr+ietf@sandelman.ca> Wed, 30 October 2019 14:58 UTC

Return-Path: <mcr+ietf@sandelman.ca>
X-Original-To: anima@ietfa.amsl.com
Delivered-To: anima@ietfa.amsl.com
Received: from localhost (localhost []) by ietfa.amsl.com (Postfix) with ESMTP id 4C22C120847 for <anima@ietfa.amsl.com>; Wed, 30 Oct 2019 07:58:05 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.199
X-Spam-Status: No, score=-4.199 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([]) by localhost (ietfa.amsl.com []) (amavisd-new, port 10024) with ESMTP id pbOevcBlm1SL for <anima@ietfa.amsl.com>; Wed, 30 Oct 2019 07:58:02 -0700 (PDT)
Received: from tuna.sandelman.ca (tuna.sandelman.ca [IPv6:2607:f0b0:f:3:216:3eff:fe7c:d1f3]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 31C51120841 for <anima@ietf.org>; Wed, 30 Oct 2019 07:58:01 -0700 (PDT)
Received: from sandelman.ca (obiwan.sandelman.ca [IPv6:2607:f0b0:f:2::247]) by tuna.sandelman.ca (Postfix) with ESMTP id F2A7E3818F for <anima@ietf.org>; Wed, 30 Oct 2019 10:55:15 -0400 (EDT)
Received: from localhost (localhost [IPv6:::1]) by sandelman.ca (Postfix) with ESMTP id A5B6085F for <anima@ietf.org>; Wed, 30 Oct 2019 10:58:00 -0400 (EDT)
From: Michael Richardson <mcr+ietf@sandelman.ca>
To: anima@ietf.org
In-Reply-To: <MN2PR11MB3901E821016C74D2E36D3CF1DB610@MN2PR11MB3901.namprd11.prod.outlook.com>
References: <MN2PR11MB3901BCD5FD2E8A3B58883ADDDB6B0@MN2PR11MB3901.namprd11.prod.outlook.com> <MN2PR11MB3901E821016C74D2E36D3CF1DB610@MN2PR11MB3901.namprd11.prod.outlook.com>
X-Mailer: MH-E 8.6; nmh 1.7+dev; GNU Emacs 24.5.1
X-Face: $\n1pF)h^`}$H>Hk{L"x@)JS7<%Az}5RyS@k9X%29-lHB$Ti.V>2bi.~ehC0; <'$9xN5Ub# z!G,p`nR&p7Fz@^UXIn156S8.~^@MJ*mMsD7=QFeq%AL4m<nPbLgmtKK-5dC@#:k
MIME-Version: 1.0
Content-Type: multipart/signed; boundary="=-=-="; micalg="pgp-sha256"; protocol="application/pgp-signature"
Date: Wed, 30 Oct 2019 10:58:00 -0400
Message-ID: <29791.1572447480@localhost>
Archived-At: <https://mailarchive.ietf.org/arch/msg/anima/glqA3DpPyybGe3N4oXKJh8yG8ZQ>
Subject: [Anima] BRSKI-Cloud discussion (from private thread)
X-BeenThere: anima@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Autonomic Networking Integrated Model and Approach <anima.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/anima>, <mailto:anima-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/anima/>
List-Post: <mailto:anima@ietf.org>
List-Help: <mailto:anima-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/anima>, <mailto:anima-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 30 Oct 2019 14:58:05 -0000

It was written privately that:
    > “A 406 (Not Acceptable) ... The registrar SHOULD use this response if
    > it determines
    > the pledge is unacceptable due to inventory control, MASA audit-logs,
    > or any other reason.
    > ”

    > Michael: Its not clear in draft-29, but I am reading into this that if
    > ownership tracking is supported, that if the wrong Local Registrar
    > (i.e. not the owner) requests a voucher for a pledge, the MASA should
    > return a 406 response code.

yes, that's what's expected.

In explaining BRSKI via animated slideware about how things work (yestesday),
it has occured to me that MASA ought to probably restrict or delay simultaneous
voucher-requests from different domainIDs if they have no sales-channel
integration.  (There is a youtube screencast)

There is otherwise a kind of race condition that could occur.

That allows one domainID to clearly claim the device, and proceed to
enrollment (or fail) before the other one makes an attempt.

Back to the Cloud-Registrar:

    > If we are using any of the other 3 options “Voucher Request Handled by
    > Cloud Registrar”, the local domain does not see the Voucher response at
    > all. Voucher Request/Response handling is all done by the Cloud
    > Registrar.

The response voucher needs to include a pinned-domain-cert linking to the
Local Registrar so that the 3xx redirect can validate the Local Registrar

I think that we should have a discussion about option 2 (redirect at ENROLL)
vs option 3 (redirect via Voucher).  I'm not sure why we need both cases.

    > I think it looks like we need to do either

    > (i)               “Voucher Request Redirected to Local Domain
    > Registrar” where the cloud 3xxs the Voucher request and the Pledge
    > resends the Voucher Request via the local registrar (which you were
    > trying to avoid) OR

    > (ii)              “Voucher Request Handled by Cloud Registrar” option 2
    > or 3 *and* somehow get the pledge to include the Voucher in the EST
    > enrol API. This means that, similar to your flow in your slide, the
    > device has to treat the Voucher kind of like a Bearer token and include
    > the Voucher in the HTTP Authorization header of the EST enrol
    > request. So logically following on from that, it seems like it would
    > mean defining a new HTTP “Authorization: Voucher xxx” type, similar to
    > HTTP “Authorization: Bearer xxx”… Michael – have you ever considered
    > that scenario at all? A Voucher being used kinda like an OAuth Bearer
    > token..?

I don't think that I really understood the situation that waranteed it!
The question is whether the Local Registrar is an EST-only Registrar, or if
speaks BRSKI.

As an alternative to a new form of authentication, the Registrar, upon seeing
a client connect with an IDevID containing a serial number and a MASA URL,
could do a voucher-request to the MASA, and receive in response, the same
voucher that was issued to the Pledge.

As another alternative, the Voucher-Request POST that the Pledge does, could
be answered with a 201 Created and a Location: for the voucher object.  The
Pledge would retrieve it, and then, put that URL into a Referer: header field
on the POST.

Let's talk about the "3xx" responses.  From Wikipedia:

301 Moved Permanently
    This and all future requests should be directed to the given URI.

302 Found (Previously "Moved temporarily")
    Tells the client to look at (browse to) another URL. 302 has been superseded
    by 303 and 307. This is an example of industry practice contradicting the
    standard. The HTTP/1.0 specification (RFC 1945) required the client to
    perform a temporary redirect (the original describing phrase was "Moved
    Temporarily"),[22] but popular browsers implemented 302 with the
    functionality of a 303 See Other. Therefore, HTTP/1.1 added status codes 303
    and 307 to distinguish between the two behaviours.[23] However, some Web
    applications and frameworks use the 302 status code as if it were the

303 See Other (since HTTP/1.1)
    The response to the request can be found under another URI using the GET
    method. When received in response to a POST (or PUT/DELETE), the client
    should presume that the server has received the data and should issue a new
    GET request to the given URI.

304 Not Modified (RFC 7232)
    Indicates that the resource has not been modified since the version specified
    by the request headers If-Modified-Since or If-None-Match. In such case,
    there is no need to retransmit the resource since the client still has a
    previously-downloaded copy.[26]

305 Use Proxy (since HTTP/1.1)
    The requested resource is available only through a proxy, the address for
    which is provided in the response. For security reasons, many HTTP clients
    (such as Mozilla Firefox and Internet Explorer) do not obey this status

306 Switch Proxy
    No longer used. Originally meant "Subsequent requests should use the
    specified proxy."[28]

307 Temporary Redirect (since HTTP/1.1)
    In this case, the request should be repeated with another URI; however,
    future requests should still use the original URI. In contrast to how 302 was
    historically implemented, the request method is not allowed to be changed
    when reissuing the original request. For example, a POST request should be
    repeated using another POST request.[29]

It seems that we should probably be answering the voucher-request POST with

Michael Richardson <mcr+IETF@sandelman.ca>, Sandelman Software Works
 -= IPv6 IoT consulting =-