Re: [Anima] Is this how BRSKI/IPIP works?

Eliot Lear <> Sun, 16 July 2017 17:50 UTC

To: Toerless Eckert <>
Cc: Brian E Carpenter <>, Anima WG <>

On 7/16/17 7:24 PM, Toerless Eckert wrote:
> Sorry, catching up late with the thread.
> Thanks, Eliot. That's good information. The MAC address based limited
> link-local address space is a problem for devices running a proxy.
> Do you have an idea about some class of devices that has the issue
> that you describe and that could be proxies?

Sure.  Just about any device that does a poor job of randomization or
has a low amount of entropy.  And that, I'm afraid, is a very large
swathe of stuff.  But again, I think the diagram Brian drew out
indicates the problem to be with the autonomic node, not the border device,
and there the problem will be assuredly more pronounced.

> I know about these crazy LED lightbulbs that actually build a mesh
> network. Is that what you were alluding to?
> But would those type of devices really be able to do all the
> security stuff of ANIMA/BRSKI?

Good question.  I do think that lightbulbs are likely to do okay with
this stuff, but smaller devices will probably not, simply as a matter of
COGS.  There are different forms of sensor networks in which the devices
are highly constrained.  It may be possible to pre-store a certain
amount of entropy, which can ease some of this, but in those cases
developers will need to be economical.  The use of different forms of
interface addresses, including CGAs needs to take into account this