Re: [Anima] Handling of endpoint path names (from BRSKI-AE discussion today)

Esko Dijk <esko.dijk@iotconsultancy.nl> Fri, 18 September 2020 11:44 UTC

Return-Path: <esko.dijk@iotconsultancy.nl>
X-Original-To: anima@ietfa.amsl.com
Delivered-To: anima@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C9F3A3A0475 for <anima@ietfa.amsl.com>; Fri, 18 Sep 2020 04:44:43 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.101
X-Spam-Level:
X-Spam-Status: No, score=-2.101 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_MSPIKE_H2=-0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=iotconsultancy.nl
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id gaL4wkAhEduH for <anima@ietfa.amsl.com>; Fri, 18 Sep 2020 04:44:41 -0700 (PDT)
Received: from EUR04-VI1-obe.outbound.protection.outlook.com (mail-eopbgr80120.outbound.protection.outlook.com [40.107.8.120]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id AD0283A0522 for <anima@ietf.org>; Fri, 18 Sep 2020 04:44:39 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=UsO8wpBjvPI/05fbUA/CysSajVGV6mkcLyjhNDCWuRjcUOiJCgGdd+/Qos2/hOTE4sPS7Od/TmxxhNqY1qBMmCOXyqJaqzFQiLC09EkbQG74IAPGqgp60FZS9jaGrJNesxBXgN7V2R4uV0CIFaBbOoxSMEK14S/P8Hxqg9WIED2oXDyB65V/PnpA2jnr7m1m8iLUFyhX+3XcRHa9kPC/BS+UCj5pgEEKt40mDg2DJuZs9pUgFPaB9/fI9taYh7WIp1pzbGhqyAli+TdbHg0EgZTlfcSAbUhX4U1lOBV2tuBKQ4MB+q+dRRLwHBcdxDiEBkRRiRs/Dg4fMLJ5vB0Cxw==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=0m8ApXjXxwaAJb23xH1zZRvWghzpz5/dEpytGmzWZOo=; b=QpRwKy/yA93LejS4U2lo4QqewC9X6fsFpNWWHLIJ0HR1PSKKm6nGWx1ZNtokEUmYsej7oSxRI/xUlWouu1Q0QSw7UQi9RheYT9sECyeLJBj1NRa1ujK61YK8U3poTi8P8QgpWdcQc/bK2vQqMWrjUJbayZCScZUI9WmlQjajLSyKUz58iesuPlVMyJaggh6ouw8h6VT7CGKqzFUR4p4aN6GBwRWFkfkqEVuYmPv94oSr4avA3VX3X3tqH1rWKld4M1/8jJ5LFoVgC3d3B0kXvdi4Jrh9vGlXGDWkhJbFq83pfKBcP4MbcIksDYKJELDbID7pv4XPBpEUIeNKqffHrw==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=iotconsultancy.nl; dmarc=pass action=none header.from=iotconsultancy.nl; dkim=pass header.d=iotconsultancy.nl; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=iotconsultancy.nl; s=selector1; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=0m8ApXjXxwaAJb23xH1zZRvWghzpz5/dEpytGmzWZOo=; b=rPsF7L55U+7bUtS1CbRQ0CueZnUPySPhyuBZ7BaeDo6j0il5IS8wHuZj0B0wQSPMCr+KrZPAbf8dXzR8VZyUi0hcqnrYZxjomNUIDL/WmLERlrTXlc06+CbSZqazz0Z4PRaFNwMkjzKTAKnEyZPTsRLLwfmCTxiGhZPZxtKukfg=
Received: from AM8P190MB0979.EURP190.PROD.OUTLOOK.COM (2603:10a6:20b:1d3::8) by AM0P190MB0786.EURP190.PROD.OUTLOOK.COM (2603:10a6:208:199::18) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.3391.13; Fri, 18 Sep 2020 11:44:36 +0000
Received: from AM8P190MB0979.EURP190.PROD.OUTLOOK.COM ([fe80::fcd5:1600:7331:bb3a]) by AM8P190MB0979.EURP190.PROD.OUTLOOK.COM ([fe80::fcd5:1600:7331:bb3a%6]) with mapi id 15.20.3391.011; Fri, 18 Sep 2020 11:44:36 +0000
From: Esko Dijk <esko.dijk@iotconsultancy.nl>
To: "Werner, Thomas" <thomas-werner@siemens.com>, Michael Richardson <mcr+ietf@sandelman.ca>
CC: "steffen.fries@siemens.com" <steffen.fries@siemens.com>, "anima@ietf.org" <anima@ietf.org>
Thread-Topic: [Anima] Handling of endpoint path names (from BRSKI-AE discussion today)
Thread-Index: AdZmfbkJ/iBKc9n1QAWzDvrnlpnz3wADmPYAAPIt64AACz80gAAyc2+AAB60qYACmFVWgAABO3UAAWOu4iAEfV4V8A==
Date: Fri, 18 Sep 2020 11:44:36 +0000
Message-ID: <AM8P190MB0979CE69D3BB9F5C302CFCB8FD3F0@AM8P190MB0979.EURP190.PROD.OUTLOOK.COM>
References: <3f2d1790efb44ac39405a23dc592dd89@siemens.com> <20200730161142.GB62130@faui48f.informatik.uni-erlangen.de> <12431.1596541563@dooku> <2c4323c817134845ae7c36b41fd239c1@siemens.com> <11029.1596647559@localhost> <eee14f13f5cf4183bf69e999c5fcea04@siemens.com> <6058.1597841627@localhost> <f3981ca4bde844dbb27213ae96185967@siemens.com> <AM0PR10MB195606BD9019E5E94244175DE7540@AM0PR10MB1956.EURPRD10.PROD.OUTLOOK.COM>
In-Reply-To: <AM0PR10MB195606BD9019E5E94244175DE7540@AM0PR10MB1956.EURPRD10.PROD.OUTLOOK.COM>
Accept-Language: en-US, nl-NL
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
msip_labels: MSIP_Label_a59b6cd5-d141-4a33-8bf1-0ca04484304f_Enabled=true; MSIP_Label_a59b6cd5-d141-4a33-8bf1-0ca04484304f_SetDate=2020-08-19T13:29:02Z; MSIP_Label_a59b6cd5-d141-4a33-8bf1-0ca04484304f_Method=Standard; MSIP_Label_a59b6cd5-d141-4a33-8bf1-0ca04484304f_Name=restricted-default; MSIP_Label_a59b6cd5-d141-4a33-8bf1-0ca04484304f_SiteId=38ae3bcd-9579-4fd4-adda-b42e1495d55a; MSIP_Label_a59b6cd5-d141-4a33-8bf1-0ca04484304f_ActionId=255bcb19-b086-4eec-9a8b-cedfb332d40b; MSIP_Label_a59b6cd5-d141-4a33-8bf1-0ca04484304f_ContentBits=0
authentication-results: siemens.com; dkim=none (message not signed) header.d=none;siemens.com; dmarc=none action=none header.from=iotconsultancy.nl;
x-originating-ip: [85.147.167.236]
x-ms-publictraffictype: Email
x-ms-office365-filtering-correlation-id: 92e1e000-7642-41d3-31cf-08d85bc83811
x-ms-traffictypediagnostic: AM0P190MB0786:
x-microsoft-antispam-prvs: <AM0P190MB0786E86AD07A47E11C3921E7FD3F0@AM0P190MB0786.EURP190.PROD.OUTLOOK.COM>
x-ms-oob-tlc-oobclassifiers: OLM:10000;
x-ms-exchange-senderadcheck: 1
x-microsoft-antispam: BCL:0;
x-microsoft-antispam-message-info: vN6CQLUvNkVp1vo04fDUk76V4Tx7GVekq0wnhLXoifHf8ttJjgVihOxaD0lz2TnEXCNWJI0rrv8srzg8L1Bf/RbcN2mhdHBT9gMSVaF9FQo3EVXzTkRU3gUfvqSdFHCBp1kLtik0LFHRGAVPzmMXXmo55htJnnjaZ/2BhZRY7Nn8+zded1/p0zhBMIXzUCP/R6KSEvUdUUQ6F5MpVjVfRga9qtocOLGn0l+q05DODNgKrHaHK9CJHKQnhCRFh/nEy9MK1BfpRFgPvwobnwceFWoPnRf61BQZB8SSEk+2Y6GgaUw4iiZx+6tlltS/xdJdy8iDkgKsBfghXjALlVYIXTStmZZ8OYX2A/SiqEFQ2ibOCdy2Edzs8IPPSZXjnoRR3hPeT9Pwi1FlB1kwBMdQkgC4sdmFQhciK+asaNwkB9lBfsO/Wy2a/6XM7AqelqEWh+p7sN/MksOIyh5HRkeTO/jASiCesjDgo+zA3RryOf9HzepnJRkcfPTd7Lvwt84U
x-forefront-antispam-report: CIP:255.255.255.255; CTRY:; LANG:en; SCL:1; SRV:; IPV:NLI; SFV:NSPM; H:AM8P190MB0979.EURP190.PROD.OUTLOOK.COM; PTR:; CAT:NONE; SFS:(366004)(376002)(396003)(136003)(346002)(39830400003)(26005)(66574015)(186003)(66476007)(7696005)(66446008)(83380400001)(966005)(66556008)(4326008)(66946007)(64756008)(53546011)(6506007)(76116006)(71200400001)(2906002)(44832011)(8936002)(45080400002)(52536014)(8676002)(5660300002)(86362001)(55016002)(33656002)(9686003)(478600001)(110136005)(54906003)(316002)(166863002); DIR:OUT; SFP:1102;
x-ms-exchange-antispam-messagedata: bnLLOBSRHhWdJSQAdHNNemsJOOOdgTlNYufn9EfehcHCfW01PCn+WSIqZsoiUPIjWJKyRPJM7q7MGwLDmbUpNeR/h+SOkP3V25TzjWLkUToj/zd6Y93dqJfKnPpXB0WAuSfEJBnvqd2WG/0psXuhlap/Y8o1YQc1nPhZXl0AcVqChZ7/Np9Tcrk2+ICdUcRNuJxz2cDgrvikXIUnJZLJWarPQUwY1bIrl0A62pnmKW4Rz2hod5/TtQH1U+iIcxn77zjnn2SbnZ0CsioWt4/5TvdPzk2flX+jPs0t4QlEsY0gI9HxmegL8DnwDs2G4X9i8sq745WxGK69acfP7Bjui0tPHoAkuFKZip0uIlpi2ZAesMUdiNjizuNxZlzhTy4Usq3cFXVTOJZDXGqc/QIqBDdF55hzPr99wfpugHthVZ9Xjl9vuDqP4l0aXpe4ax9bZFDmrvGHvM5HNBxSKWz8wq8Gt08qHddc2xfU0O2cPrAr0sWA0uf/9SLXj5bGP4fnl84sy5P7kVOsZFEhhCTCtZ1RKKC8/eSywAU38BfdZXaxamkNV9oEsqotZRCcI10fbUV67MI+G7fPbOj1M6qJo/PB7h2Non3GXwr4gj8btaPrXw0zeoHuRBDkEZC+yh9izZbxTMJbA1S2+kFISe+JbA==
x-ms-exchange-transport-forked: True
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: base64
MIME-Version: 1.0
X-OriginatorOrg: iotconsultancy.nl
X-MS-Exchange-CrossTenant-AuthAs: Internal
X-MS-Exchange-CrossTenant-AuthSource: AM8P190MB0979.EURP190.PROD.OUTLOOK.COM
X-MS-Exchange-CrossTenant-Network-Message-Id: 92e1e000-7642-41d3-31cf-08d85bc83811
X-MS-Exchange-CrossTenant-originalarrivaltime: 18 Sep 2020 11:44:36.4376 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 58bbf628-15d2-46bc-820b-863b6774d44b
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-CrossTenant-userprincipalname: BWV8isv5MIC4y4jx/ENwMloGJqyLYIvuh+VpmcExO898Di1nMCwou8mGoV/5YUO6b4zXXEPoSyyL0v+0zNadG9LzYczdH8LRExuknbDt4Cs=
X-MS-Exchange-Transport-CrossTenantHeadersStamped: AM0P190MB0786
Archived-At: <https://mailarchive.ietf.org/arch/msg/anima/UWCTFKTEvubL61p_UGrdFVUV_rc>
Subject: Re: [Anima] Handling of endpoint path names (from BRSKI-AE discussion today)
X-BeenThere: anima@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Autonomic Networking Integrated Model and Approach <anima.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/anima>, <mailto:anima-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/anima/>
List-Post: <mailto:anima@ietf.org>
List-Help: <mailto:anima-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/anima>, <mailto:anima-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 18 Sep 2020 11:44:44 -0000

Hi Thomas,

I created a Github issue for constrained-voucher to capture the outcome of this discussion:
https://github.com/anima-wg/constrained-voucher/issues/51

(Reminder: There are also a couple of more open issues. I can work on these too and have already contacted Peter about these.)

Esko

-----Original Message-----
From: Anima <anima-bounces@ietf.org> On Behalf Of Werner, Thomas
Sent: Wednesday, August 26, 2020 17:40
To: Michael Richardson <mcr+ietf@sandelman.ca>
Cc: steffen.fries@siemens.com; anima@ietf.org
Subject: Re: [Anima] Handling of endpoint path names (from BRSKI-AE discussion today)

Hi Michael,

as already stated the renaming of the endpoints is just a cosmetic issue, machines would not care about.
Nevertheless as this came up now, I think the proposed changes are fine and should be included as you already outlined:
- https://ietf.org/rfcdiff?url1=draft-ietf-anima-bootstrapping-keyinfra-42&url2=https://raw.githubusercontent.com/anima-wg/anima-bootstrap/brski-est-rename/dtbootstrap-anima-keyinfra.txt 
- https://ietf.org/rfcdiff?url1=draft-ietf-anima-bootstrapping-keyinfra-41&url2=https://raw.githubusercontent.com/anima-wg/anima-bootstrap/brski-est-rename/dtbootstrap-anima-keyinfra.txt 

Summary for renaming:
1) /.well-known/est/requestvoucher    [used by pledge to registrar but also from registrar to MASA]
    --> /.well-known/brski/requestvoucher
2) /.well-known/est/voucher_status    [used by pledge to registrar]
  --> /.well-known/brski/voucher_status
3) /.well-known/est/requestauditlog   [used by registrar to MASA]
  --> /.well-known/brski/requestauditlog
4) /.well-known/est/enrollstatus          [used by pledge to registrar]
  --> /.well-known/brski/enrollstatus

Note: 
This changes should be also adopted by: https://tools.ietf.org/html/draft-ietf-anima-constrained-voucher-08 
With the result of two more characters "/est/" --> "brski", maybe the draft-ietf-anima-constrained-voucher should shrink this part to something like  "/br/", "/brs/", "bki"?


Best regards
Thomas



-----Ursprüngliche Nachricht-----
Von: Anima <anima-bounces@ietf.org> Im Auftrag von [ext] Fries, Steffen
Gesendet: Mittwoch, 19. August 2020 15:29
An: Michael Richardson <mcr+ietf@sandelman.ca>
Cc: anima@ietf.org
Betreff: Re: [Anima] Handling of endpoint path names (from BRSKI-AE discussion today)

> From: Michael Richardson <mcr+ietf@sandelman.ca> Fries, Steffen 
> <steffen.fries@siemens.com> wrote:
>     >> I understand the use case with CoAP, where one wants to be able 
> to multicast a
>     >> request to /.well-known/core to find out which devices support 
> a particular
>     >> service.
>     >> HTTP does not have the same thing, so I don't see the point of 
> agility in the end
>     >> points if they are all in /.well-known anyway.
> 
>     > Agreed. As BRSKI-AE is intended to extend BRSKI and therefore uses
>     > HTTP, there is no need for a specific enhancement. The discovery using
>     > /.well-known will provide all available endpoints to the pledge, which
>     > then can evaluate the response. From an application perspective I would
>     > expect that the pledge may not support multiple enrollment approaches
>     > and simply try whatever he supports. The domain registrar would be the
>     > more capable component to support multiple options.
> 
> Can you explain to me why the discovery via /.well-known/brski is useful?
> This is on the *REGISTRAR*.
The intention was to let the pledge or the pledge-agent know in advance what enrollment options are available at the registrar side allowing the pledge to fail fast if it does not have a matching enrollment protocol. For the original BRSKI, this is not the case, as both sides support the same feature set. In BRSKI-AE allowing alternative enrollment protocols, the registrar may support multiple different ways. To avoid make support for specific protocols mandatory on the registrar side, discovery of supported options was intended. Based on the discussion we had after the last meeting I think the discovery of /.well-known/ would be sufficient.

> In reading BRSKI-AE, I seem to be missing any place where the PUSH 
> mechanism is described.  In a PUSH use case, what protocol would the 
> pledge expose to the pledge-agent and/or commissioner?
This is currently left outside in terms of the protocol. The intention was to only specify the necessary (signature wrapped) data objects to be exchanged, to be open regarding the underlying transport between the pledge and the pledge-agent. This also would allow to use an arbitrary pledge-agent, but this is up for discussion. I'm currently thinking about the necessity to be able to authenticate the pledge-agent using an LDevID, if we solely rely on the objects. Authentication could also be done using HTTP authentication merely to authorize the pledge-agent to act as proxy between the pledge and the registrar. 

> As far as I can tell, in the PULL case, when CMP (or another 
> mechanism) will be used, there is still a voucher exchange first.  The 
> Registrar can express it's preference in the (parboiled) voucher-request from Registrar to MASA.
PULL was meant to describe the behavior of the pledge to start the onboarding while PUSH was more the trigger from the pledge-agent.
As the enrollment is between the pledge, the registrar, and the CA, I would not see a need to include this information in the voucher. This should be done as outlined in BRSKI. 
> 
> The MASA, if the pledge supports the desired enrollment protocol, 
> could include the hint.  In fact, the MASA could include an entire URL 
> with meta- data about the protocol to use.
> 
> This would jive very nicely with the brski-cloud mechanism!!!
Hm, haven't though about this. In case of standard BRSKI I would not see a need, as it would be handled by the domain registrar, but in case of the cloud registrar, it would provide the option to point to the right domain registrar supporting the enrollment. 

> 
>     > For the constraint case (not contained in BRSKI), the discovery of
>     > specific endpoints is more important to not overload the pledge.
> 
> I don't understand this at all.  What do you mean, overload the pledge?
> Are you talking about network or code space or what?
I was referring to the discovery of specific endpoints. In case of /.well-known the registrar would deliver all endpoints including their options supported, while in case of asking for a specific endpoint only delivers the specific options of that endpoint. What I meant to say was that the pledge only gets the necessary information about the endpoints he needs not all. So it would relate to the processing on the pledge. 

> 
>     >> If there is value in renaming, then lets do it RIGHT NOW.
>     >> I DO NOT WANT to confuse the market by having an RFC come out, 
> followed by
>     >> another one 'correcting' it six months later.
>     >> I CAN NOT live with that situation.
> 
>     > As stated before, the value from my understanding is more clarity
>     > (distinct naming) regarding the provided services/endpoints.
> 
> yes, but that's a cosmetic issue.
> it appeals to humans, but it makes no technical difference.
> Nevertheless, if we can do this quickly, then let's do it.
> I've provided proposed text in the form of a diff, the ADs have agreed 
> to a process, the chairs , just need to run it.
It may be cosmetic, but it would be consistent regarding the functionality provided by the specific endpoint if alternative enrollment options are used.  

> 
> I hope that your(Siemens) Thomas Werner will comment.
I will give him a trigger ;-)

Best regards
Steffen
> 
> --
> Michael Richardson <mcr+IETF@sandelman.ca>ca>, Sandelman Software Works 
> -= IPv6 IoT consulting =-

_______________________________________________
Anima mailing list
Anima@ietf.org
https://eur01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fwww.ietf.org%2Fmailman%2Flistinfo%2Fanima&amp;data=02%7C01%7Cthomas-werner%40siemens.com%7Cff1afabca2014c1fa20208d84443e0f9%7C38ae3bcd95794fd4addab42e1495d55a%7C1%7C0%7C637334405616918902&amp;sdata=cL0Aa22O9Ef7QYWEEME%2Bvjb5aRTj%2BGxhlCYqfWBuUoY%3D&amp;reserved=0

_______________________________________________
Anima mailing list
Anima@ietf.org
https://www.ietf.org/mailman/listinfo/anima