Re: [Casm] prefix assignment

Brian E Carpenter <brian.e.carpenter@gmail.com> Wed, 29 March 2017 16:13 UTC

To: Michael Richardson <mcr+ietf@sandelman.ca>, casm@ietf.org, anima@ietf.org
References: <21984.1490644275@obiwan.sandelman.ca> <CANMVOuzYpcBdG2ZOhEXRnQU0Q=_i0i-09SPKzruJnznVoWW=OA@mail.gmail.com> <9240.1490649148@obiwan.sandelman.ca> <672bec4c-0e93-362c-21bf-99938cd0a066@gmail.com> <27800.1490654163@obiwan.sandelman.ca> <27680a33-708d-84b7-f378-3a47ee71840a@gmail.com> <2491.1490716597@obiwan.sandelman.ca> <5a41375c-2a4c-d5ca-e703-06d8e76f8728@gmail.com> <28218.1490799848@obiwan.sandelman.ca>
Cc: Mark Townsley <townsley@cisco.com>, homenet@ietf.org
From: Brian E Carpenter <brian.e.carpenter@gmail.com>
Organization: University of Auckland
Message-ID: <a34d8ff0-b2d1-b74c-2fd7-00e269b834ed@gmail.com>
Date: Thu, 30 Mar 2017 05:13:43 +1300
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:45.0) Gecko/20100101 Thunderbird/45.8.0
MIME-Version: 1.0
In-Reply-To: <28218.1490799848@obiwan.sandelman.ca>
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: 7bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/casm/qWg_s9IcggZtyDpqjlVR6OYtLFQ>
Subject: Re: [Casm] prefix assignment
List-Id: Coordinated Address Space Management <casm.ietf.org>

OK, I'll front-post.

Where you want to plug in an ASA (autonomic service agent) is anywhere
you want to plug in some intelligence to govern an automatic process.
Intelligence, for example, to figure out what to do if the user side
asks for a /48 and the ISP offers a /60. So the ASA might negotiate
a compromise at /56 and then PD does its thing. But we didn't want
to exclude a scenario where PD isn't available, hence a flag is
included.

About the domain boundary:

> I don't think that the ISP can trust to have code controlled by end users
> running in their ACP domain.

Right. But in ISP-provided CEs this could presumably be fixed, because
that code would be locked down. In a store-bought CE, isn't this exactly
where BRSKI will help us? There is certainly an issue for home-made CE
images, but they will be a tiny minority of users.

    Brian
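
As an added illustration of the negotiation sketched above (the user side asks for a /48, the ISP opens at /60, the ASA settles on /56, and then PD does its thing), here is a toy model of that exchange. It is example code written for this page, not code from ANIMA, GRASP, the PrefixManager draft or anyone on this thread. The class and field names, the policy values (floor /56, opening offer /60, four bits conceded per round), the "halfway toward the offer" strategy on the CE side and the 2001:db8::/40 pool are all assumptions; only the loop-count default of 6 (GRASP_DEF_LOOPCT in RFC 8990) and the "PD supported" Boolean come from the protocol and the message. There is no real GRASP message encoding or ACP here, just the decision logic.

```python
"""Toy model of the negotiation Brian describes: a CE-side ASA asks for a
/48, the ISP-side PrefixManager ASA opens at /60, and they settle on /56,
after which DHCPv6-PD (signalled by the pd_supported flag) would carry the
delegation.  Added example, not code from ANIMA, GRASP or the prefix draft;
all names, policy values and the pool below are assumptions."""
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional, Tuple, Union

# RFC 8990 default negotiation loop count (GRASP_DEF_LOOPCT).  Every
# negotiation is bounded by it, which matters when the peer sits outside
# your trust domain and may never converge.
GRASP_DEF_LOOPCT = 6


@dataclass
class IspPrefixManager:
    """ISP-side ASA.  Policy values are assumptions for the example."""
    pool: Union[str, ipaddress.IPv6Network]   # delegation pool, e.g. an ISP /40
    floor_len: int                            # shortest prefix policy allows (56)
    opening_len: int                          # first counter-offer (60)
    pd_supported: bool = True                 # the Boolean property on the objective
    concede_bits: int = 4                     # how far it moves per round (assumed)
    current_offer: Optional[int] = None
    allocated: List[ipaddress.IPv6Network] = field(default_factory=list)

    def __post_init__(self):
        self.pool = ipaddress.IPv6Network(self.pool)
        if not self.pool.prefixlen < self.floor_len <= self.opening_len <= 128:
            raise ValueError("policy must satisfy pool < floor <= opening <= 128")

    def counter(self, requested_len: int) -> int:
        """Answer a proposed length with the length the ISP is willing to give."""
        # Validate input from the untrusted side before acting on it.
        if not self.pool.prefixlen < requested_len <= 128:
            raise ValueError(f"prefix length {requested_len} outside pool policy")
        if requested_len >= self.floor_len:
            return requested_len                  # within policy: give as asked
        # Below the floor: open at opening_len, then concede toward the floor.
        if self.current_offer is None:
            self.current_offer = self.opening_len
        else:
            self.current_offer = max(self.floor_len,
                                     self.current_offer - self.concede_bits)
        return self.current_offer

    def allocate(self, length: int) -> ipaddress.IPv6Network:
        """Hand out the first free prefix of the agreed length from the pool."""
        for cand in self.pool.subnets(new_prefix=length):
            if not any(cand.overlaps(a) for a in self.allocated):
                self.allocated.append(cand)
                return cand
        raise RuntimeError("delegation pool exhausted")


@dataclass
class CeRequester:
    """CE-side ASA.  Starts at desired_len and will live with anything up to
    longest_acceptable (a larger number is a smaller prefix)."""
    desired_len: int
    longest_acceptable: int

    def respond(self, last_proposal: int, offer: int) -> Tuple[bool, int]:
        """Accept the offer, or return the next proposal."""
        if offer <= self.longest_acceptable:
            return True, offer
        # Move halfway toward the offer, but never past what we can accept.
        return False, min(self.longest_acceptable, (last_proposal + offer) // 2)


def negotiate(ce: CeRequester, isp: IspPrefixManager,
              loop_count: int = GRASP_DEF_LOOPCT):
    """Run the bounded exchange; returns (prefix or None, pd_supported, rounds)."""
    proposal = ce.desired_len
    rounds = 0
    while loop_count > 0:
        loop_count -= 1
        rounds += 1
        offer = isp.counter(proposal)
        accepted, proposal = ce.respond(proposal, offer)
        if accepted:
            return isp.allocate(proposal), isp.pd_supported, rounds
    return None, isp.pd_supported, rounds      # loop count exhausted: no deal


if __name__ == "__main__":
    # 2001:db8::/40 is the documentation prefix, used here as a constructed pool.
    isp = IspPrefixManager("2001:db8::/40", floor_len=56, opening_len=60)
    print(negotiate(CeRequester(48, 56), isp))   # compromise at /56 after 2 rounds
    print(negotiate(CeRequester(48, 48), isp))   # insists on /48: fails at loop count
    print(negotiate(CeRequester(60, 64), isp))   # asks for /60: granted immediately
```

The two checks a practitioner would keep even in a real ASA are the ones that sit on the trust boundary Michael raises below: the ISP side validates the requested length against its own policy before it touches the pool, and the loop count guarantees that a CE the ISP does not control can make the negotiation fail but cannot keep it open indefinitely. A CE that insists on the /48 simply gets nothing once the count runs out.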


On 30/03/2017 04:04, Michael Richardson wrote:
> 
> This discussion started in a private thread, so I'll try to bring people
> up-to-date by repeating and moving around text.
> 
> The ANIMA GRASP reference problem Autonomic Service Agent (ASA), is
> to do distributed prefix allocation.  This is very much in the space of
> *coordinated* address management.
> 
> (My take, BTW, is that CASM should be considered the first spin-off WG
> from ANIMA...)
> 
> Mark and Brian discussed how HNCP does prefix distribution within Homenet.
> 
> Brian then suggests:
> 
>   brian> But if the CE includes a little autonomic service agent (ASA) which
>   brian> is in the ISP's security domain (not the SOHO domain), it can act for
>   brian> HNCP to solicit address space from the ISP. That's the southern side
>   brian> of the CASM model and the northern side of HNCP.
> 
> I asked a simple question: don't we have DHCPv6 for this?
> 
> I also then asked:
> 
>     > a) the CPE device is now part of the ISP's ACP.
>     > That's okay if the CPE device is owned by the ISP and/or the CPE device
>     > includes some kind of trusted computation environment.
>     > {But a CPE owned by the ISP, might not be trusted by the home owner,
>     > so another router in between would be needed,
> 
> Brian answered:
>     > Really? Why not?
> 
> I don't think that the ISP can trust to have code controlled by end users
> running in their ACP domain.
> 
> I also think that many end-users will be quite reasonably upset that their
> ISPs can snoop on their internal traffic.  This may in fact violate many
> work-at-home agreements, which is often why you see multiple
> routers/firewalls in documents like
>          https://datatracker.ietf.org/doc/html/draft-baker-fun-multi-router.
> 
> (Fred had more interesting diagrams in presentations, which I could dig up)
> 
>     >> b) DHCPv6 PD is already the protocol that solves prefix allocation across
>     >> trust boundaries.
> 
>     > Indeed. That's why we have "PD supported"  as a Boolean property of the
>     > PrefixManager objective. There's no intention to undermine PD.
> 
> Why do I need to run a protocol in order to find if I can run a protocol,
> when DHCP has the same mechanism already.  And use of DHCPv6 itself is well
> defined in cable and DSL connections already.
> 
>     >> I would think that the ISP's DSLAM/BMS/CMTS would have an ASA that deals with
>     >> prefixes.  It would speak DHCPv6-PD to the south, and GRASP/ASA to the north.
> 
>     > Yes, the DSLAM is definitely a good place to put one.
> 
> 
>     >> North of the ISP's device would be the ISP's (distributed) IPAM.
>     >> GRASP/ASA-Prefix would be the protocol between.
> 
>     > Anyway, my point is that these approaches (ANIMA, HNCP and PD) are
>     > complementary not competitors.
> 
> I don't see you saying that.
> 
> I see you trying to extend two internal mechanisms (ANIMA in the ISP, and HNCP
> in the home) such that they interact directly, rather than using PD.  You
> say this right here:
> 
>   brian> But if the CE includes a little autonomic service agent (ASA) which
> 
> 
> --
> Michael Richardson <mcr+IETF@sandelman.ca>, Sandelman Software Works
>  -= IPv6 IoT consulting =-