Re: [Anima] I-D Action: draft-behringer-anima-autonomic-control-plane-00.txt
"Michael Behringer (mbehring)" <mbehring@cisco.com> Tue, 17 February 2015 07:47 UTC
Return-Path: <mbehring@cisco.com>
X-Original-To: anima@ietfa.amsl.com
Delivered-To: anima@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 4FF961A870D for <anima@ietfa.amsl.com>; Mon, 16 Feb 2015 23:47:44 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -14.511
X-Spam-Level:
X-Spam-Status: No, score=-14.511 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_HI=-5, SPF_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01, USER_IN_DEF_DKIM_WL=-7.5] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id xKgMHynHr8z4 for <anima@ietfa.amsl.com>; Mon, 16 Feb 2015 23:47:42 -0800 (PST)
Received: from rcdn-iport-2.cisco.com (rcdn-iport-2.cisco.com [173.37.86.73]) (using TLSv1 with cipher RC4-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 2213A1A8712 for <anima@ietf.org>; Mon, 16 Feb 2015 23:47:40 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cisco.com; i=@cisco.com; l=5798; q=dns/txt; s=iport; t=1424159260; x=1425368860; h=from:to:subject:date:message-id:references:in-reply-to: content-transfer-encoding:mime-version; bh=RgE+7AXBjN3TIL/GrCHTCUWQpwiZ1oI9P7fHinpvSRE=; b=SdUEsVLjyUJ7yyo0Q52YCCqNZhoQ6bKKrcNjBvSWnA8RHii0qEOhLix6 ZJO2EeixekXe1FYHMD3DrcfCxjun+I5N87t4g0RWIJAZqoxbGmNUjkHl4 vjyhf621V2tdV6QskUjQb2CVhUXfEDlDcCjGQhGAkBTQBWFROyx71P8wc Q=;
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: A0B+BQDO8eJU/4wNJK1SCYMGgSwEgn+9GIgbAhx2QwEBAQEBAXyEDAEBAQMBIxFRBAIBCBEBAwEBAwIGHQMCAgIfERQBAgYIAgQBEgiFc4IeAwkItyeRSg2FPgEBAQEBAQEBAQEBAQEBAQEBAQEBAReBIYlrgkOBTyo4BoJiLoEUBY1MgWyHcYJehViGGYJGgz4igX2BcW8BgUN/AQEB
X-IronPort-AV: E=Sophos;i="5.09,593,1418083200"; d="scan'208";a="397086730"
Received: from alln-core-7.cisco.com ([173.36.13.140]) by rcdn-iport-2.cisco.com with ESMTP; 17 Feb 2015 07:47:24 +0000
Received: from xhc-aln-x12.cisco.com (xhc-aln-x12.cisco.com [173.36.12.86]) by alln-core-7.cisco.com (8.14.5/8.14.5) with ESMTP id t1H7lOkp023352 (version=TLSv1/SSLv3 cipher=AES128-SHA bits=128 verify=FAIL); Tue, 17 Feb 2015 07:47:24 GMT
Received: from xmb-rcd-x14.cisco.com ([169.254.4.229]) by xhc-aln-x12.cisco.com ([173.36.12.86]) with mapi id 14.03.0195.001; Tue, 17 Feb 2015 01:47:24 -0600
From: "Michael Behringer (mbehring)" <mbehring@cisco.com>
To: Brian E Carpenter <brian.e.carpenter@gmail.com>, "anima@ietf.org" <anima@ietf.org>
Thread-Topic: [Anima] I-D Action: draft-behringer-anima-autonomic-control-plane-00.txt
Thread-Index: AQHQSZO+Bvpqyrs2m02MQXzdxO8neZzy/1MggAEJVICAAG12AA==
Date: Tue, 17 Feb 2015 07:47:23 +0000
Message-ID: <3AA7118E69D7CD4BA3ECD5716BAF28DF22EC93E1@xmb-rcd-x14.cisco.com>
References: <20141017131337.4423.84144.idtracker@ietfa.amsl.com> <5457F566.4080409@gmail.com> <54CA9E92.10802@gmail.com> <3AA7118E69D7CD4BA3ECD5716BAF28DF22EB8AB5@xmb-rcd-x14.cisco.com> <54E15BB5.6020005@gmail.com> <3AA7118E69D7CD4BA3ECD5716BAF28DF22EC817B@xmb-rcd-x14.cisco.com> <54E23F9D.3030709@gmail.com>
In-Reply-To: <54E23F9D.3030709@gmail.com>
Accept-Language: en-GB, en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [10.55.238.136]
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: base64
MIME-Version: 1.0
Archived-At: <http://mailarchive.ietf.org/arch/msg/anima/iDAEev2MqVnHsYjYqcXyWDx_gNY>
Subject: Re: [Anima] I-D Action: draft-behringer-anima-autonomic-control-plane-00.txt
X-BeenThere: anima@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Autonomic Networking Integrated Model and Approach <anima.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/anima>, <mailto:anima-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/anima/>
List-Post: <mailto:anima@ietf.org>
List-Help: <mailto:anima-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/anima>, <mailto:anima-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 17 Feb 2015 07:47:44 -0000
> -----Original Message----- > From: Brian E Carpenter [mailto:brian.e.carpenter@gmail.com] > Sent: 16 February 2015 20:06 > To: Michael Behringer (mbehring); anima@ietf.org > Subject: Re: [Anima] I-D Action: draft-behringer-anima-autonomic-control- > plane-00.txt [...] > >>> Each neighbour in the adjacency table is authenticated. > >> > >> I think this falls right out of Discovery since the discovery > >> response would contain the relevant Domain Identity a.k.a. Device > >> Certifcate Tag and that can be checked with the CA. > > > > Right, but here the devil is in the detail. We need a security association > with the peer device. This association can be established via the discovery > protocol, and re-used for subsequent communications, such as the ACP. Or, > we could have the ACP establish its own security association. My feeling is > that we should establish one single SA and use it for all subsequent > operations. We need to cover this point in the reference architecture. > > I think I agree, except that anything can go wrong at any time, so it must > always be possible to recreate the SA. I don't think that changes whether we > use (D)TLS or IPsec - just keep the channel open unless it breaks or you run > out of resource. Of course. Which protocol to use is a detail, I think. The question is how many SAs we want between peers, and of course we need some keepalive mechanism, and re-establishment if the session goes down. I think we're in sync. [...] > >>> 3.4. Capability Negotiation > >> ... > >>> To establish a trusted secure > >>> communication channel, devices must be able to negotiate with each > >>> neighbour a set of parameters for establishing the communication > >>> channel, most notably channel type and security type. > >> > >> I think GDNP is very likely to end up simply using TLS (although > >> that's not > > > > TLS? Not DTLS? (sorry I haven't read all the mails) > > Well, it's an open issue right now; but I am 99% sure we'll need a TLS mode > for cases where the objective is a large data structure. I also have a feeling > that DTLS introduces a significant start-up overhead that makes the > difference compared to TLS start-up very small. That is a point we need to discuss in more detail. My feeling is that DTLS is more appropriate, especially when we start routing packets through this infrastructure within the ACP, but this clearly needs more thinking (on my side at least ;-) . That's probably also a good discussion to have in Dallas. [...] > > To me, GDNP between adjacent nodes should ALWAYS use link local > (Probably a "MUST" in the document). Link local has no dependency on > correct configuration, so conflicts with what the administrator does are > minimal. I feel very strongly about this. I see no reason to NOT use link > local. (But happy to be educated). > > We don't state that at the moment, although we do state the inverse: > a link-local address MUST NOT be used in a Divert option, because that is > intended to send you off-link. > > There's a slight complication there, which is that a device (router) that is > sending a Divert option needs to know the appropriate routeable address. > We need to figure out how it learns it in the first place. But I agree that link- > local is a safer choice whenever possible. OK, need to read the latest version of GDNP first before I can comment here :-) > > Now, we also want to negotiate / discover nodes that are not directly > adjacent. For this we need unicast (or multicast, anycast, possibly) to > routable addresses. To me, those routable addresses could either be > derived automatically, in which case it would likely be ULA, or configured, in > which case we'd have ULA or global addresses. > > The GDNP draft now says that a router running GDNP relays discovery > messages to all its interfaces, so that a non-router doesn't need to worry > about this issue. > > > > > Are we on the same page? (And apologies if your draft mentions this, > > haven't read the last two versions yet, sigh...) > > We're pretty close, I think, but there's work to be done... I agree. Michael [...]
- Re: [Anima] I-D Action: draft-behringer-anima-aut… Brian E Carpenter
- Re: [Anima] I-D Action: draft-behringer-anima-aut… Brian E Carpenter
- Re: [Anima] I-D Action: draft-behringer-anima-aut… Michael Behringer (mbehring)
- Re: [Anima] I-D Action: draft-behringer-anima-aut… Brian E Carpenter
- Re: [Anima] I-D Action: draft-behringer-anima-aut… Michael Behringer (mbehring)
- Re: [Anima] I-D Action: draft-behringer-anima-aut… Brian E Carpenter
- Re: [Anima] I-D Action: draft-behringer-anima-aut… Michael Behringer (mbehring)
- Re: [Anima] I-D Action: draft-behringer-anima-aut… Michael Behringer (mbehring)