Re: [Anima] Mirja Kühlewind's No Objection on draft-ietf-anima-bootstrapping-keyinfra-22: (with COMMENT)
Michael Richardson <mcr+ietf@sandelman.ca> Tue, 16 July 2019 17:01 UTC
Return-Path: <mcr+ietf@sandelman.ca>
X-Original-To: anima@ietfa.amsl.com
Delivered-To: anima@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A84141209C7; Tue, 16 Jul 2019 10:01:54 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.199
X-Spam-Level:
X-Spam-Status: No, score=-4.199 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id iezmO0morotO; Tue, 16 Jul 2019 10:01:52 -0700 (PDT)
Received: from tuna.sandelman.ca (tuna.sandelman.ca [209.87.249.19]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id A7D8E120088; Tue, 16 Jul 2019 10:01:52 -0700 (PDT)
Received: from sandelman.ca (unknown [IPv6:2607:f0b0:f:2:56b2:3ff:fe0b:d84]) by tuna.sandelman.ca (Postfix) with ESMTP id 32BA03808A; Tue, 16 Jul 2019 13:01:49 -0400 (EDT)
Received: from localhost (localhost [IPv6:::1]) by sandelman.ca (Postfix) with ESMTP id C4ED7B52; Tue, 16 Jul 2019 13:01:51 -0400 (EDT)
From: Michael Richardson <mcr+ietf@sandelman.ca>
To: =?utf-8?q?Mirja_K=C3=BChlewind?= <ietf@kuehlewind.net>
cc: The IESG <iesg@ietf.org>, draft-ietf-anima-bootstrapping-keyinfra@ietf.org, tte+ietf@cs.fau.de, anima@ietf.org, anima-chairs@ietf.org
In-Reply-To: <156285232840.32370.18027192977627346503.idtracker@ietfa.amsl.com>
References: <156285232840.32370.18027192977627346503.idtracker@ietfa.amsl.com>
X-Mailer: MH-E 8.6; nmh 1.7+dev; GNU Emacs 24.5.1
X-Face: $\n1pF)h^`}$H>Hk{L"x@)JS7<%Az}5RyS@k9X%29-lHB$Ti.V>2bi.~ehC0; <'$9xN5Ub# z!G,p`nR&p7Fz@^UXIn156S8.~^@MJ*mMsD7=QFeq%AL4m<nPbLgmtKK-5dC@#:k
MIME-Version: 1.0
Content-Type: multipart/signed; boundary="=-=-="; micalg="pgp-sha256"; protocol="application/pgp-signature"
Date: Tue, 16 Jul 2019 13:01:51 -0400
Message-ID: <24814.1563296511@localhost>
Archived-At: <https://mailarchive.ietf.org/arch/msg/anima/rfjmbH9Dc7p4vmfh8orMVxhXQmk>
Subject: Re: [Anima] Mirja Kühlewind's No Objection on draft-ietf-anima-bootstrapping-keyinfra-22: (with COMMENT)
X-BeenThere: anima@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Autonomic Networking Integrated Model and Approach <anima.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/anima>, <mailto:anima-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/anima/>
List-Post: <mailto:anima@ietf.org>
List-Help: <mailto:anima-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/anima>, <mailto:anima-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 16 Jul 2019 17:01:55 -0000
{I almost hit the 'n'ext key on this email when I read you had No
Objection... I wonder if the DT should link the comments in the DT
to the thread that results}
Mirja Kühlewind via Datatracker <noreply@ietf.org> wrote:
> I agree with Alissa's discuss that the conclusion of section 10(.3)
> should be to recommend a manual configuration mode. Also with respect
okay.
> to section 10.2: if ownership is "enforced" by the manufacturer, there
> should also probably be a way for the buyer to check if ownership was
> transferred by the saler during the re-sale process.
So you are asking for an additional API from the JRC to the MASA.
It would need to include something like:
a) a POST from selling-JRC to MASA to ask MASA for if a resale would be granted.
This could result in some statement that the seller could show to the
buyer that would validate that the transaction can occur.
b) a POST from selling-JRC to MASA to indicate to whom the sale was made,
this would have to include some reference to the buyer.
c) a GET from the selling-JRc and also buyer-JRC that would ask who
the current owners is supposed to be.
(c) could in theory be done with the auditlog, provided that the (b) process
installed the buyer as an authorized entity that could query the auditlog.
It would probably be better to have the MASA do the thinking here, rather
than the JRC.
I can imagine creating such APIs. There probably needs to be some
buyer-JRC/seller-JRC APIs, or at least conventions. This could easily become
a rathole attracting all sorts of online sales API. Were this to be added to
this document, or to an extension document, I'd want to have significant
involvement from some people who build financial/sales systems, or at least
From the operations divisions of some buyers (operators) and sellers (vendors).
> Two other small comments on more load related points:
> 1) sec 4.1: "Connection attempts SHOULD be run in parallel to avoid
> head of queue problems wherein an attacker running a fake proxy or
> registrar could perform protocol actions intentionally slowly. The
> pledge SHOULD continue to listen to for additional GRASP M_FLOOD
> messages during the connection attempts." One minor comment: Maybe
> also say explicitly, while running in parallel, one should not send all
> initial messages at exactly the same time but pace them out (e.g. one
> every 3 secs) to avoid network overload when initial connectivity is
> very constraint.
I take your point.
In the ANIMA ACP situation, please think about the situation as being a
multiport BFR with three+ 100G fiber connections to other cities. Or, one or
more ports plugged into some (unmanaged or probably outsourced) L2 fabric that
has multiple other ACP devices on it.
> 2) sec 4.3: " It must be sufficiently low that the aggregate amount of
> periodic M_FLOODs from all EST servers causes negligible traffic across
> the ACP." I know this is a little bit a blurry requirement but I would
> still like to see a MUST here. Or maybe give an upper bound for the
> maximum frequency, e.g. MUST NOT send more than once per minute...? Not
> sure it there is a reasonable value here.
I'm hesistant to write anything specific here. There are two reasons.
One is that we really don't have any experience running ACPs yet, or how much
bandwidth will typically be available, and we also don't know how many JRCs
a typical operator might deploy.
The second reason is that I think that this should really be dealt with in:
https://datatracker.ietf.org/doc/draft-ietf-anima-autonomic-control-plane/
(or mabe https://datatracker.ietf.org/doc/draft-ietf-anima-grasp/)
ACP section 6.1.4.1 defines an M_FLOOD for the SRV.est. This is not
necessarily the JRC, btw, as certificate renewal might be performed by
a different system than enrollment. It does say:
The M_FLOOD message MUST be sent periodically. The default SHOULD be
60 seconds, the value SHOULD be operator configurable but SHOULD be
not smaller than 60 seconds. The frequency of sending MUST be such
that the aggregate amount of periodic M_FLOODs from all flooding
sources cause only negligible traffic across the ACP.
I will copy this text.
--
] Never tell me the odds! | ipv6 mesh networks [
] Michael Richardson, Sandelman Software Works | IoT architect [
] mcr@sandelman.ca http://www.sandelman.ca/ | ruby on rails [
--
Michael Richardson <mcr+IETF@sandelman.ca>, Sandelman Software Works
-= IPv6 IoT consulting =-
- [Anima] Mirja Kühlewind's No Objection on draft-i… Mirja Kühlewind via Datatracker
- Re: [Anima] Mirja Kühlewind's No Objection on dra… Michael Richardson
- Re: [Anima] Mirja Kühlewind's No Objection on dra… Mirja Kuehlewind
- Re: [Anima] Mirja Kühlewind's No Objection on dra… Michael Richardson
- Re: [Anima] Mirja Kühlewind's No Objection on dra… Mirja Kuehlewind