Re: [Anima] We want BRSKI and ACP!

Michael Richardson <> Wed, 11 March 2020 17:38 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 3ACC93A0F3F for <>; Wed, 11 Mar 2020 10:38:27 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -1.888
X-Spam-Status: No, score=-1.888 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, SPF_HELO_NONE=0.001, T_SPF_PERMERROR=0.01, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id dwGgbRIIlWEX for <>; Wed, 11 Mar 2020 10:38:25 -0700 (PDT)
Received: from ( [IPv6:2607:f0b0:f:3:216:3eff:fe7c:d1f3]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by (Postfix) with ESMTPS id 57B3D3A0F39 for <>; Wed, 11 Mar 2020 10:38:25 -0700 (PDT)
Received: from ( []) by (Postfix) with ESMTP id D9CFD38986; Wed, 11 Mar 2020 13:37:08 -0400 (EDT)
Received: from localhost (localhost [IPv6:::1]) by (Postfix) with ESMTP id B8C0EAE8; Wed, 11 Mar 2020 13:38:21 -0400 (EDT)
From: Michael Richardson <>
To: Toerless Eckert <>, Brian E Carpenter <>, Warren Kumari <>,, Anima WG <>,
In-Reply-To: <>
References: <> <6011.1583935076@localhost> <>
X-Mailer: MH-E 8.6; nmh 1.7+dev; GNU Emacs 25.1.1
X-Face: $\n1pF)h^`}$H>Hk{L"x@)JS7<%Az}5RyS@k9X%29-lHB$Ti.V>2bi.~ehC0; <'$9xN5Ub# z!G,p`nR&p7Fz@^UXIn156S8.~^@MJ*mMsD7=QFeq%AL4m<nPbLgmtKK-5dC@#:k
MIME-Version: 1.0
Content-Type: multipart/signed; boundary="=-=-="; micalg="pgp-sha256"; protocol="application/pgp-signature"
Date: Wed, 11 Mar 2020 13:38:21 -0400
Message-ID: <3681.1583948301@localhost>
Archived-At: <>
Subject: Re: [Anima] We want BRSKI and ACP!
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Autonomic Networking Integrated Model and Approach <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Wed, 11 Mar 2020 17:38:27 -0000

Toerless Eckert <> wrote:
    > In addition, during february, i also started to reach out to IPsec
    > mailing list to further discuss details of the proposed enhancements to
    > the IPsec profile. I ran out of time last week, and plan to finalize
    > those fixes quickly (together with the WG fix sugestions i received for
    > -24).

I helped Toerless, although I disagree with some of his points.

The IPsec WG seems to disagree with me (hardly surprising), but should there
be a virtual meeting for IPsecME, I would suggest we attempt to put up two

    > In addition, i will also reach out directly to the IPsec experts i know
    > and ask for the rfc822name encoding. I did that already last year, but
    > never received replies.

No, none of them care about rfc822name encoding.

No products can directly deal with the rfc822name encoding as is, and since
we aren't generating Traffic Selectors based upon the certificate (we use
RPL and VTI), it doesn't really matter.  IPsec IKEv2 will need to accept
connections from any node that has the right CA signature.

    > Eric told me, he wants to put ACP back onto the IESG agenda for April,
    > and this would result in a new IETF review.

I think you mean, IESG review.

Michael Richardson <>, Sandelman Software Works
 -= IPv6 IoT consulting =-