IETF Logo Mail Archive

Re: [Anima] Revision of scope of MASA in the BRSKI - Reg

Toerless Eckert <tte@cs.fau.de> Sun, 15 July 2018 07:19 UTC

Return-Path: <eckert@i4.informatik.uni-erlangen.de>
X-Original-To: anima@ietfa.amsl.com
Delivered-To: anima@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 87D4E130E9E for <anima@ietfa.amsl.com>; Sun, 15 Jul 2018 00:19:37 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.95
X-Spam-Level:
X-Spam-Status: No, score=-3.95 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HEADER_FROM_DIFFERENT_DOMAINS=0.25, RCVD_IN_DNSWL_MED=-2.3] autolearn=unavailable autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 7gLcN6qh2YFB for <anima@ietfa.amsl.com>; Sun, 15 Jul 2018 00:19:33 -0700 (PDT)
Received: from faui40.informatik.uni-erlangen.de (faui40.informatik.uni-erlangen.de [131.188.34.40]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 48BE3130E82 for <anima@ietf.org>; Sun, 15 Jul 2018 00:19:33 -0700 (PDT)
Received: from faui48f.informatik.uni-erlangen.de (faui48f.informatik.uni-erlangen.de [131.188.34.52]) by faui40.informatik.uni-erlangen.de (Postfix) with ESMTP id 5186F58C4AF; Sun, 15 Jul 2018 09:19:28 +0200 (CEST)
Received: by faui48f.informatik.uni-erlangen.de (Postfix, from userid 10463) id 3E9AB4402CB; Sun, 15 Jul 2018 09:19:28 +0200 (CEST)
Date: Sun, 15 Jul 2018 09:19:28 +0200
From: Toerless Eckert <tte@cs.fau.de>
To: "Owen Friel (ofriel)" <ofriel=40cisco.com@dmarc.ietf.org>
Cc: Eliot Lear <lear=40cisco.com@dmarc.ietf.org>, Michael Richardson <mcr+ietf@sandelman.ca>, "anima@ietf.org" <anima@ietf.org>
Message-ID: <20180715071928.4jrzecdfh3gmaveq@faui48f.informatik.uni-erlangen.de>
References: <007b01d414f8$313d68a0$93b839e0$@cdac.in> <5778.1530989932@localhost> <20180710062956.qa5gllnk3m4jlkgp@faui48f.informatik.uni-erlangen.de> <d1e87fd2-da1b-b2b7-0c70-f5362622ab90@cisco.com> <4205.1531408349@localhost> <2bc5e605-db14-dd24-05d7-4170f176b103@cisco.com> <523b2a1dc6654463921771ebb045eda8@XCH-ALN-012.cisco.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Disposition: inline
In-Reply-To: <523b2a1dc6654463921771ebb045eda8@XCH-ALN-012.cisco.com>
User-Agent: NeoMutt/20170113 (1.7.2)
Archived-At: <https://mailarchive.ietf.org/arch/msg/anima/rcNwfm9zHHPv9Y5S5QQ9_WfzOqg>
Subject: Re: [Anima] Revision of scope of MASA in the BRSKI - Reg
X-BeenThere: anima@ietf.org
X-Mailman-Version: 2.1.27
Precedence: list
List-Id: Autonomic Networking Integrated Model and Approach <anima.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/anima>, <mailto:anima-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/anima/>
List-Post: <mailto:anima@ietf.org>
List-Help: <mailto:anima-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/anima>, <mailto:anima-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 15 Jul 2018 07:19:38 -0000

Owen,

I've associated draft-friel-brski-over-802dot11 to anima so folks
will see it in data tracker. Next time post new work for a particular
WG with draft-<group>-<friel>-<whatever>, that will make it happen
automatically.

2.1.1.1) There is no need to bother the MASA with sales
integration just so that the owner will know whether or not
it owns a particular device. Any protocol from the manufacturer/reseller
to the owner will suffice.

I recommend carrier pidgeons with USB sticks trained to insert them into
a USB slot releasing a food portion. Great protection against against
unrecognize NSA interception of the channel especially for vendors
products on the NSA shortlist ;-))

Kidding aside: A standard protocol for sales information disemination
would be great, and given how its for bootstrap automation it would
be fine for ANIMA. I would jus resist of mixing it with BRSKI/MASA
unless there is clear evidence of not keeping it modular. Especially
given how it cold come from the reseller, and nothe vendor.

2.1.1.2) This read a bit confused. I think it should mention
two methods: One is the aove mentioned to know what you own - independent
of MASA (yor last sentence in 2.1.1.2 confused this option with the
MASA). The other option is just to try the MASA in the absence
of better information. BUT: If you only try the MASA, you should
only do this automatically if you do know the MASA has sales
integation. Otherwise you better include a manual checkpoint before
enrollment.

2.1.2) This section is a bit unmotivated even though its part of the
best solution, but that solution requires more details than just WiFi.

Aka: You want to allow announcement (using any of the options
you specified) of open access SSID that allow to connect to cloud-registrars.
These do not even have to be free internet access. Ideally we would
think about an unencrypted channel to the cloud registrar that
relies only on authenticated but unencrypted messages. That way
the owner of the AP can veryify and constrict communications
to only cloud-registrar-enrollment so that this access is not
as a side-channel to gain full internet access. TLS 1.2 still allows
zero-encryption, that would be the easiest option. TLS 1.3 removed it *sigh*.

Note also that we have not defined cloud-registrar behavior. I
think Eliot wold jus like to add something like WiFi SSID to
vouchers, but i would rather like to see it as a separate
"next-step after enrolment" message

Cheers
    Toerless

v2.23.0 | Report a Bug | By Email