IETF Logo Mail Archive

Re: [Anima] Homogeneous vs. heterogeneous trust domains (Re: What elements of IETF ANIMA can be used for I2NSF?)

"Michael Behringer (mbehring)" <mbehring@cisco.com> Tue, 28 October 2014 10:57 UTC

Return-Path: <mbehring@cisco.com>
X-Original-To: anima@ietfa.amsl.com
Delivered-To: anima@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 2CBE11A1B86 for <anima@ietfa.amsl.com>; Tue, 28 Oct 2014 03:57:42 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -14.511
X-Spam-Level:
X-Spam-Status: No, score=-14.511 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_HI=-5, SPF_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01, USER_IN_DEF_DKIM_WL=-7.5] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id l9NS4zBcOKZx for <anima@ietfa.amsl.com>; Tue, 28 Oct 2014 03:57:40 -0700 (PDT)
Received: from alln-iport-2.cisco.com (alln-iport-2.cisco.com [173.37.142.89]) (using TLSv1 with cipher RC4-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id A5E0C1A1B8A for <anima@ietf.org>; Tue, 28 Oct 2014 03:57:40 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cisco.com; i=@cisco.com; l=3131; q=dns/txt; s=iport; t=1414493860; x=1415703460; h=from:to:cc:subject:date:message-id:references: in-reply-to:content-transfer-encoding:mime-version; bh=bQOr8Um7mDyRJBbwEEfqAuN6FwjWlg/QvCxwW+IMwOA=; b=f+OAmbo+WULb7U1ajBl48nJxe45We5pH0CwkTT33xNuO7UhXx0sB5rKh DDDrPiMvJiqcAoZ0HmjSFC1j0cNL7cMcBleasobzWLVQXXefPXXoPvnhd EeqhlWJvoFaJ2HYGsa6m8pwo0CqTAkqO6nPuWdIYh19fJyi0h5lUxEfNY A=;
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: AgkFAFl1T1StJA2J/2dsb2JhbABcgw6BLATVfgKBHRYBfYQCAQEBBDo6BQwEAgEIEQQBAQEKFAUEByERFAkIAgQBDQUIE4gRAxLETw2GOAEBAQEBAQEBAQEBAQEBAQEBAQEBAReOToIJMQcGgyeBHgEEkgeJSZFihl2CNIFEbAGBR4EDAQEB
X-IronPort-AV: E=Sophos;i="5.04,802,1406592000"; d="scan'208";a="90985088"
Received: from alln-core-4.cisco.com ([173.36.13.137]) by alln-iport-2.cisco.com with ESMTP; 28 Oct 2014 10:57:39 +0000
Received: from xhc-rcd-x13.cisco.com (xhc-rcd-x13.cisco.com [173.37.183.87]) by alln-core-4.cisco.com (8.14.5/8.14.5) with ESMTP id s9SAvdL7018614 (version=TLSv1/SSLv3 cipher=AES128-SHA bits=128 verify=FAIL); Tue, 28 Oct 2014 10:57:39 GMT
Received: from xmb-rcd-x14.cisco.com ([169.254.4.159]) by xhc-rcd-x13.cisco.com ([173.37.183.87]) with mapi id 14.03.0195.001; Tue, 28 Oct 2014 05:57:39 -0500
From: "Michael Behringer (mbehring)" <mbehring@cisco.com>
To: Michael Richardson <mcr+ietf@sandelman.ca>, Brian E Carpenter <brian.e.carpenter@gmail.com>
Thread-Topic: [Anima] Homogeneous vs. heterogeneous trust domains (Re: What elements of IETF ANIMA can be used for I2NSF?)
Thread-Index: AQHP7vl5rqomTnVCSkOSUuYStXVkopw+uR0AgAS8OYCAAAyGgIAAFXcAgACegAD///AFAA==
Date: Tue, 28 Oct 2014 10:57:39 +0000
Message-ID: <3AA7118E69D7CD4BA3ECD5716BAF28DF21C9DAAA@xmb-rcd-x14.cisco.com>
References: <4A95BA014132FF49AE685FAB4B9F17F645E2074F@dfweml701-chm> <54495813.4050703@gmail.com> <54495A00.4000302@gmail.com> <54499D7E.4060007@gmail.com> <20141027004833.GA4665@cisco.com> <12570.1414373603@sandelman.ca> <544DB2E4.5020808@gmail.com> <17335.1414412250@sandelman.ca>
In-Reply-To: <17335.1414412250@sandelman.ca>
Accept-Language: en-GB, en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [10.61.173.215]
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
Archived-At: http://mailarchive.ietf.org/arch/msg/anima/ivh08X1tQvEoNIh9d5KSkNdwoms
Cc: "anima@ietf.org" <anima@ietf.org>
Subject: Re: [Anima] Homogeneous vs. heterogeneous trust domains (Re: What elements of IETF ANIMA can be used for I2NSF?)
X-BeenThere: anima@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Autonomic Networking Integrated Model and Approach <anima.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/anima>, <mailto:anima-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/anima/>
List-Post: <mailto:anima@ietf.org>
List-Help: <mailto:anima-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/anima>, <mailto:anima-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 28 Oct 2014 10:57:42 -0000

Toerless summed it up nicely. 

Inside a domain (for example, an enterprise network), you want a single trust domain. The owner of that enterprise network wants all those devices under one trust anchor. (Of course he can create sub-domains, or several domains). 

Before they form part of a single domain, devices come from various vendors, or are imprinted in various ways. In that part there are many trust domains. As Brian points out, some domains will accept a call home functions, others will not. 

Bottom line: We need a process which gets devices from various origins and trust domains, and various ways to initialise them to a single trust domain, for example an enterprise network. draft-pritikin-bootstrapping-keyinfrastructures tries to explain what this process could look like. 

Michael

[typing this offline on a plane - apologies I don't respond to the latest message]


> -----Original Message-----
> From: Anima [mailto:anima-bounces@ietf.org] On Behalf Of Michael
> Richardson
> Sent: 27 October 2014 13:18
> To: Brian E Carpenter
> Cc: anima@ietf.org
> Subject: Re: [Anima] Homogeneous vs. heterogeneous trust domains (Re:
> What elements of IETF ANIMA can be used for I2NSF?)
> 
> 
> Brian E Carpenter <brian.e.carpenter@gmail.com> wrote:
>     >> Toerless Eckert <eckert@cisco.com> wrote: > I hope you are both right
>     >> but talk about different stages.
>     >>
>     >> > We want common trust anchors for the running autonomic network
> and >
>     >> those ultimately should be defined by the owner of the network. But >
>     >> during enrollment of devices into that owners network, the
>     >> manufacturer > installed certificate and trust-points in the
>     >> to-be-enrolled devices > will differ by vendor.
>     >>
>     >> Yes from me.  This is the critical part that we (an SDO) has to get
>     >> right.
> 
>     > That might be the way to do it. But another way is that when an
>     > operator receives a new box, the box goes to a central place to have a
>     > locally generated key pair and certificate installed, before going to
>     > the warehouse for a later truck roll. I don't think we can exclude that
>     > solution for a highly paranoid operator, who wants absolutely no
>     > traffic about the enrollment to go outside. I think we need to keep
>     > both options open.
> 
> I don't see this as two options. It's one.
> 
> All that you've said is that the operator did the initial imprinting in
> the warehouse rather than in the field.   If all boxes in the field have been
> imprinted in this way, then there are no additional trust issues.
> If some have been installed this way, and some have not, perhaps there are
> bridge CAs needed to enable to the imprinted boxes to trust the "stock"
> machines.
> 
> Why do you think that this is two ways?  Maybe I'm missing something.
> 
> 
> 
> 
> 
> --
> Michael Richardson <mcr+IETF@sandelman.ca>, Sandelman Software Works
> -= IPv6 IoT consulting =-
> 
>

v2.23.0 | Report a Bug | By Email