Re: [Anima] Cloud BRSKI discussion -- Option 1 use cases

Brian E Carpenter <brian.e.carpenter@gmail.com> Sun, 24 November 2019 08:22 UTC

To: Michael Richardson <mcr+ietf@sandelman.ca>, "anima@ietf.org" <anima@ietf.org>
References: <5D36713D8A4E7348A7E10DF7437A4B9299B9FAD2@NKGEML515-MBX.china.huawei.com> <MN2PR11MB3901DD8CF27429ECAF1AA874DB780@MN2PR11MB3901.namprd11.prod.outlook.com> <28576.1574580524@dooku.sandelman.ca>
From: Brian E Carpenter <brian.e.carpenter@gmail.com>
Message-ID: <9c60c895-9e14-c064-9f4a-306c5d7a1105@gmail.com>
Date: Sun, 24 Nov 2019 21:22:46 +1300
In-Reply-To: <28576.1574580524@dooku.sandelman.ca>
Archived-At: <https://mailarchive.ietf.org/arch/msg/anima/q7C5LiecsKNlVblE-lKgNfg1lzM>
Subject: Re: [Anima] Cloud BRSKI discussion -- Option 1 use cases

One thing that doesn't seem to be clear either in BRSKI or in
draft-friel-anima-brski-cloud is where the Cloud Registrar's "well
known" URI comes from and how the pledge knows it. Is it vendor
specific or what?

Regards
   Brian (waiting in Changi)

On 24-Nov-19 20:28, Michael Richardson wrote:
> 
> Following up on the discussion at the WG meeting.
> The meeting materials are not yet converted to PDF, but let me attach the
> three pictures, and start three threads on these options, and also I will
> insert the ascii art from the document itself.
> All three:
> 
>     https://github.com/anima-wg/brski-cloud/blob/master/presentations/three-flows.png
> 
> In all cases the Pledge gets some kind of network connectivity.
> This could be an open WiFi, but is more often a cable plugged in with DHCPv4/IPv6.
> 
> 1) Cloud Registrar Redirects
> 
> This is the most non-cloudy of the solutions.  The time sequence is below,
> and the diagram is at:
>   https://github.com/anima-wg/brski-cloud/blob/master/presentations/option-1-cloud-redirect.png
> 
> 
> +--------+            +-----------+              +----------+
> | Pledge |            | Local     |              | Cloud RA |
> |        |            | Registrar |              | / MASA   |
> +--------+            +-----------+              +----------+
>     |                                                 |
>     | 1. Full TLS                                     |
>     |<----------------------------------------------->|
>     |                                                 |
>     | 2. Voucher Request                              |
>     |------------------------------------------------>|
>     |                                                 |
>     | 3. 3xx Location: localra.example.com            |
>     |<------------------------------------------------|
>     |                                                 |
>     | 4. Provisional TLS   |                          |
>     |<-------------------->|                          |
>     |                      |                          |
>     | 5. Voucher Request   |                          |
>     |--------------------->| 6. Voucher Request       |
>     |                      |------------------------->|
>     |                      |                          |
>     |                      | 7. Voucher Response      |
>     |                      |<-------------------------|
>     | 8. Voucher Response  |                          |
>     |<---------------------|                          |
>     |                      |                          |
>     | 9. Validate TLS      |                          |
>     |<-------------------->|                          |
>     |                      |                          |
>     | 10. etc.             |                          |
>     |--------------------->|                          |
> 
> 
> This is the simplest variation; the local registrar is simply not
> discoverable from the location of the Pledge.
> 
> The pledge is told of a way to reach the intended Registrar and the process
> proceeds as normal.  Note that the registrar still has to be proven
> by voucher.   There could be attacks on the pledge via DNS.
> 
> This flow does not work at all for devices/manufacturers with poor supply
> integration, as the Cloud RA would have no idea where to redirect the device.
> 
> --
> Michael Richardson <mcr+IETF@sandelman.ca>, Sandelman Software Works
>  -= IPv6 IoT consulting =-
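The redirect flow above (steps 1 through 9), as an added example that is not part of the thread, the draft, or either author's text. It simulates the three parties in Python so the two points Michael makes can be checked: the registrar is only trusted once the voucher proves it, and a pledge whose serial the Cloud RA has no supply-chain data for gets no redirect at all. A spoofed DNS answer is modelled by pointing the local registrar's name at a rogue server. Everything here is an assumption or a constructed value: the MASA signature is an HMAC over canonical JSON with a key standing in for the manufacturer trust anchor, certificates are plain records with constructed bytes, and the cloud RA hostname, the well-known path and the serial numbers are made up.

```python
"""Simulated 'Cloud Registrar Redirect' flow (option 1 in the thread).
Added example, not code from the draft or either author.  MASA signature
modelled as HMAC over canonical JSON; certs are plain records with
constructed bytes; hostnames, path and serials are constructed."""
import hashlib
import hmac
import json
from dataclasses import dataclass

MASA_KEY = b"constructed-masa-signing-key"            # stand-in for the MASA signing key
CLOUD_RA_HOST = "cloudra.example"                      # assumed: fixed in pledge firmware
WELL_KNOWN_PATH = "/.well-known/brski/requestvoucher"  # assumed well-known path


@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    der: bytes  # constructed bytes, only used for fingerprinting

    def fingerprint(self) -> str:
        return hashlib.sha256(self.der).hexdigest()


def sign(payload: dict, key: bytes) -> dict:
    body = json.dumps(payload, sort_keys=True).encode()
    return {"voucher": payload, "sig": hmac.new(key, body, "sha256").hexdigest()}


def verify_voucher(signed: dict, serial: str, provisional_cert: Cert) -> bool:
    """Pledge-side check (step 8): MASA signature, own serial number, and the
    pinned certificate equal to the one seen on the provisional TLS session."""
    v = signed["voucher"]
    expected = sign(v, MASA_KEY)["sig"]
    return (hmac.compare_digest(expected, signed["sig"])
            and v["serial-number"] == serial
            and v["pinned-domain-cert"] == provisional_cert.fingerprint())


class CloudRA:
    """Cloud RA / MASA: supply-chain data says which registrar owns which
    serial; vouchers are issued only to registrars the MASA knows."""
    def __init__(self, owners: dict, registrar_fps: set):
        self.owners, self.registrar_fps = owners, registrar_fps

    def redirect(self, serial: str) -> dict:             # steps 2-3
        host = self.owners.get(serial)
        if host is None:
            return {"status": 404}  # no supply-chain data: nowhere to redirect
        return {"status": 307, "location": f"https://{host}{WELL_KNOWN_PATH}"}

    def issue(self, serial: str, registrar_cert: Cert):  # steps 6-7
        if registrar_cert.fingerprint() not in self.registrar_fps:
            return None
        return sign({"serial-number": serial,
                     "pinned-domain-cert": registrar_cert.fingerprint()}, MASA_KEY)


class Registrar:
    def __init__(self, cert: Cert, cloud: CloudRA, rogue: bool = False):
        self.cert, self.cloud, self.rogue = cert, cloud, rogue

    def request_voucher(self, serial: str):              # steps 5 and 8
        signed = self.cloud.issue(serial, self.cert)
        if signed is None and self.rogue:
            # a server with no MASA relationship can only forge with the wrong key
            signed = sign({"serial-number": serial,
                           "pinned-domain-cert": self.cert.fingerprint()}, b"wrong-key")
        return signed


def bootstrap(serial: str, network: dict, trust_anchors: set, cloud: CloudRA) -> dict:
    """Pledge-side flow.  `network` maps hostname -> (Cert, Registrar or None);
    pointing a name at a different server models a DNS attack on the pledge."""
    # 1. full TLS to the cloud RA, validated against the manufacturer trust anchor
    cloud_cert, _ = network[CLOUD_RA_HOST]
    if cloud_cert.issuer not in trust_anchors or cloud_cert.subject != CLOUD_RA_HOST:
        return {"ok": False, "reason": "cloud RA TLS validation failed"}
    # 2-3. voucher request answered by a redirect
    resp = cloud.redirect(serial)
    if resp["status"] != 307:
        return {"ok": False, "reason": f"no redirect (status {resp['status']})"}
    host = resp["location"].split("://", 1)[1].split("/", 1)[0]
    # 4. provisional TLS: accept whatever the name resolves to, trust nothing yet
    prov_cert, registrar = network[host]
    # 5-8. voucher request via the local registrar, then verify the voucher
    signed = registrar.request_voucher(serial)
    if signed is None or not verify_voucher(signed, serial, prov_cert):
        return {"ok": False, "reason": "voucher does not prove the registrar"}
    # 9. the voucher proves the registrar; promote the provisional session
    return {"ok": True, "registrar": host, "pinned": prov_cert.fingerprint()}


def scenario(dns_attack: bool = False, serial: str = "PLEDGE-0001") -> dict:
    """Constructed deployment: one cloud RA, one local registrar, and an
    optional rogue server that a spoofed DNS answer substitutes for it."""
    cloud_cert = Cert(CLOUD_RA_HOST, "Manufacturer CA", b"cloud-cert-bytes")
    local_cert = Cert("localra.example.com", "Local CA", b"local-cert-bytes")
    rogue_cert = Cert("localra.example.com", "Rogue CA", b"rogue-cert-bytes")
    cloud = CloudRA({"PLEDGE-0001": "localra.example.com"}, {local_cert.fingerprint()})
    local, rogue = Registrar(local_cert, cloud), Registrar(rogue_cert, cloud, rogue=True)
    network = {CLOUD_RA_HOST: (cloud_cert, None),
               "localra.example.com": (rogue_cert, rogue) if dns_attack else (local_cert, local)}
    return bootstrap(serial, network, {"Manufacturer CA"}, cloud)
```

scenario() succeeds and reports the pinned fingerprint of the real local registrar; scenario(dns_attack=True) fails at step 8 because the rogue server's voucher does not carry a MASA signature over its certificate, which is why the provisional TLS session is not trusted until then; scenario(serial="PLEDGE-9999") fails at step 3, the "poor supply integration" case where the Cloud RA has nowhere to redirect. The one thing the simulation has to assume is exactly what Brian asks about: CLOUD_RA_HOST and WELL_KNOWN_PATH are treated as manufacturer-fixed values in the pledge.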