[Anima] Re: Constrained join proxy - making it generic for multiple onboarding protocols?

Michael Richardson <mcr+ietf@sandelman.ca> Sat, 25 May 2024 01:09 UTC

Return-Path: <mcr+ietf@sandelman.ca>
X-Original-To: anima@ietfa.amsl.com
Delivered-To: anima@ietfa.amsl.com
Received: from localhost (localhost []) by ietfa.amsl.com (Postfix) with ESMTP id 75047C14F6A1 for <anima@ietfa.amsl.com>; Fri, 24 May 2024 18:09:32 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.397
X-Spam-Status: No, score=-4.397 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_DNSWL_MED=-2.3, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=sandelman.ca
Received: from mail.ietf.org ([]) by localhost (ietfa.amsl.com []) (amavisd-new, port 10024) with ESMTP id ZHiazfDZpVDn for <anima@ietfa.amsl.com>; Fri, 24 May 2024 18:09:28 -0700 (PDT)
Received: from tuna.sandelman.ca (tuna.sandelman.ca []) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 7C4C7C14F61B for <anima@ietf.org>; Fri, 24 May 2024 18:09:28 -0700 (PDT)
Received: from localhost (localhost []) by tuna.sandelman.ca (Postfix) with ESMTP id 42E073898D; Fri, 24 May 2024 21:09:27 -0400 (EDT)
Received: from tuna.sandelman.ca ([]) by localhost (localhost []) (amavisd-new, port 10024) with LMTP id YTbNlTEtgd-J; Fri, 24 May 2024 21:09:26 -0400 (EDT)
Received: from sandelman.ca (obiwan.sandelman.ca []) by tuna.sandelman.ca (Postfix) with ESMTP id 858EB3898C; Fri, 24 May 2024 21:09:26 -0400 (EDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=sandelman.ca; s=mail; t=1716599366; bh=p/BYo/+13AUhCDJq6Rc5F8duRqcbBt9iDuWSRG7I6Rw=; h=From:To:Subject:In-Reply-To:References:Date:From; b=Om6QSbleDnKA4qyW10l5iDz2AGMsXNW1hmMziFFhmkZEOU9D/ykRt+TsKPHuprENj IokI5//hu7WVj2+dMSAt2Oxs2jZtk+BsQuYXqMs/Cmtpfr5tbG5Li/SUQKC26yGYtu t7dIALbs4oJMidBCBhueMPVIX9j/DYDym+aYkHaNy6eQ0gN+TYfJjAmf+Fl1+RgTTz TepK5IB3TdoHEoyeeKLQ0R0evNpmOKCVikgrajn5/tgjolawBUlmoC9PHf/vA6k279 AZP2iQBa2Nj1GaSUyOx3HEoXNDAUXM//8pERKbsQJqWclyVKX+uMkGVQTfPUVfeLBN 9nYAxCtALvLRw==
Received: from obiwan.sandelman.ca (localhost [IPv6:::1]) by sandelman.ca (Postfix) with ESMTP id 7B91D10E6; Fri, 24 May 2024 21:09:26 -0400 (EDT)
From: Michael Richardson <mcr+ietf@sandelman.ca>
To: Esko Dijk <esko.dijk@iotconsultancy.nl>, "anima@ietf.org" <anima@ietf.org>
In-Reply-To: <DU0P190MB1978F56BD192FC559E33BEDAFDF52@DU0P190MB1978.EURP190.PROD.OUTLOOK.COM>
References: <DU0P190MB1978F56BD192FC559E33BEDAFDF52@DU0P190MB1978.EURP190.PROD.OUTLOOK.COM>
X-Mailer: MH-E 8.6+git; nmh 1.8+dev; GNU Emacs 28.2
X-Face: $\n1pF)h^`}$H>Hk{L"x@)JS7<%Az}5RyS@k9X%29-lHB$Ti.V>2bi.~ehC0;<'$9xN5Ub# z!G,p`nR&p7Fz@^UXIn156S8.~^@MJ*mMsD7=QFeq%AL4m<nPbLgmtKK-5dC@#:k
MIME-Version: 1.0
Content-Type: multipart/signed; boundary="=-=-="; micalg="pgp-sha512"; protocol="application/pgp-signature"
Date: Fri, 24 May 2024 21:09:26 -0400
Message-ID: <11285.1716599366@obiwan.sandelman.ca>
X-MailFrom: mcr+ietf@sandelman.ca
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; header-match-anima.ietf.org-0; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
X-Mailman-Version: 3.3.9rc4
Precedence: list
Subject: [Anima] Re: Constrained join proxy - making it generic for multiple onboarding protocols?
List-Id: Autonomic Networking Integrated Model and Approach <anima.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/anima/i_YmWLKZYT6O4jpb7V613r0kCYM>
List-Archive: <https://mailarchive.ietf.org/arch/browse/anima>
List-Help: <mailto:anima-request@ietf.org?subject=help>
List-Owner: <mailto:anima-owner@ietf.org>
List-Post: <mailto:anima@ietf.org>
List-Subscribe: <mailto:anima-join@ietf.org>
List-Unsubscribe: <mailto:anima-leave@ietf.org>

Esko Dijk <esko.dijk@iotconsultancy.nl> wrote:
    > This week we had an interesting event at INRIA Paris, the lightweight
    > IoT security hackathon. Various onboarding / bootstrap approaches were
    > also discussed including new ones based on the EDHOC protocol and
    > existing ones (Thread, 6tisch, cBRSKI).

Sorry to have missed it, I'm glad you were there and that knowledge was shared!!

    > What I realized there is that all these zero-touch onboarding protocols
    > basically need and can use the same mechanism of relaying data, as
    > described in this draft. So it should be very well possible to make a

Yes.  The proxy can't and shouldn't look too deeply.
Modulo, some of the stateless stuff, which requires a bit more knowledge.

    > Basically the join proxy is just relaying data without knowing what's
    > inside - it could be any data, any format. As long as it gets delivered
    > to the right entity (e.g. a Registrar) that knows how to parse it and
    > what to send back.

But, we still have to figure out how to scale the discovery process itself so
that we aren't sending 9031 format join messages to a DTLS/cBRSKI-only Registrar.
That's the discovery draft.

Michael Richardson <mcr+IETF@sandelman.ca>   . o O ( IPv6 IøT consulting )
           Sandelman Software Works Inc, Ottawa and Worldwide