Re: [Dots] Questions about draft-moskowitz-dots-identities-00
Robert Moskowitz <rgm@htt-consult.com> Fri, 11 November 2016 04:42 UTC
To: "Roman D. Danyliw" <rdd@cert.org>, "Xialiang (Frank)" <frank.xialiang@huawei.com>, Daniel Migault <daniel.migault@ericsson.com>, "Mortensen, Andrew" <amortensen@arbor.net>
References: <359EC4B99E040048A7131E0F4E113AFC0104EAE8B1@marathon>
From: Robert Moskowitz <rgm@htt-consult.com>
Message-ID: <21775d0c-e994-d337-9028-bafcfe160515@htt-consult.com>
Date: Fri, 11 Nov 2016 13:41:46 +0900
In-Reply-To: <359EC4B99E040048A7131E0F4E113AFC0104EAE8B1@marathon>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dots/rqqdmQSvxd5YegvRlK7bLGvwHRM>
Cc: "dots@ietf.org" <dots@ietf.org>
Subject: Re: [Dots] Questions about draft-moskowitz-dots-identities-00
I had limited time and thought organization to 'get it all down' and am still working. Almost regardless of the security mechanism used for DOTS transport(s), identities are crucial and called out in the requirements draft for 'mutual authentication' (I would have to pull up the draft. I will add a section on this in identities-01).

So what are the identities used for mutual authentication? X.509 certs are often used for this, but how does a machine acquire its cert? A very involved and painful human-controlled process or something better? IEEE 802.1AR lays the groundwork for device identities. ANIMA and NETCONF are working on leveraging this. I have spoken with Max and others, and have my thoughts on how to do close to a 'zero-touch' for certificates in DOTS agents.

As to RawPublicKeys, it again comes down to the security protocol. DTLS with CoAP particularly uses RawPublicKeys. Or there is HIP/ESP or other work I am doing where HITs can fit the bill.

So I am laying out here how identities are set up. I will send you my transport thoughts that have been going between Frank, Sue Hares, and me shortly.

On 11/11/2016 01:29 PM, Roman D. Danyliw wrote:
>
> Hello Bob, Frank, Daniel and Andrew!
>
> Thanks for producing and submitting this draft!
>
> (chair hat off)
>
> The document lays out a strong case in Section 1 about why in the
> abstract human readable names have problems. Section 1.1 and 1.2
> highlight alternatives. However, I’m having difficulty linking these
> approaches with specific applications in a particular DOTS protocol
> draft. Can you share a bit more of what you had in mind in applying
> 802.1AR or RFC7401?
>
> Thanks,
>
> Roman
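The message above contrasts two ways a DOTS agent can be identified for mutual authentication without a human-readable name: a raw public key (the peer is its SubjectPublicKeyInfo, pinned by fingerprint) and a HIP Host Identity Tag (an IPv6-shaped ORCHID derived from the key). The following is an added illustration written for this archive page, not code from the draft, from Robert Moskowitz, or from any DOTS implementation. It assumes a constructed sample key (the P-256 generator point, i.e. the public key for private scalar 1), uses the ORCHIDv2 bit layout from RFC 7343 with RFC 7401's HIT context ID and the ECDSA/SHA-384 HIT Suite ID, and simplifies the hash input to the DER SPKI bytes rather than the Host Identity RR encoding RFC 7401 actually hashes. The function and constant names are the example's own. It shows the check that matters on the defending side: derive the identity from the key the peer just proved possession of and compare it to the identity provisioned out of band during enrolment.

```python
import hashlib
import hmac
import ipaddress

# Constructed sample key (not from any real device): the P-256 generator point,
# i.e. the public key for private scalar 1. A real DOTS agent would use its own
# key pair, e.g. the one behind an IEEE 802.1AR IDevID certificate.
P256_GX = "6B17D1F2E12C4247F8BCE6E563A440F277037D812DEB33A0F4A13945D898C296"
P256_GY = "4FE342E2FE1A7F9B8EE7EB4A7C0F9E162BCE33576B315ECECBB6406837BF51F5"

# DER SubjectPublicKeyInfo header for an uncompressed P-256 point:
# SEQUENCE { SEQUENCE { OID ecPublicKey, OID prime256v1 }, BIT STRING { 0x00, 0x04||X||Y } }
P256_SPKI_PREFIX = bytes.fromhex("3059301306072a8648ce3d020106082a8648ce3d030107034200")


def p256_spki(x_hex: str, y_hex: str) -> bytes:
    """Wrap an uncompressed P-256 point as a DER SubjectPublicKeyInfo."""
    point = b"\x04" + bytes.fromhex(x_hex) + bytes.fromhex(y_hex)
    if len(point) != 65:
        raise ValueError("P-256 uncompressed point must be 65 bytes")
    return P256_SPKI_PREFIX + point


def rpk_fingerprint(spki: bytes) -> str:
    """Raw-public-key identity (RFC 7250 style): the peer *is* its
    SubjectPublicKeyInfo, pinned here as a SHA-256 hex fingerprint."""
    return hashlib.sha256(spki).hexdigest()


# ORCHIDv2 layout (RFC 7343) as used for HIP HITs (RFC 7401):
#   28-bit prefix 2001:20::/28 | 4-bit OGA ID (the HIT Suite ID) |
#   leftmost 96 bits of H(Context ID || input)
HIP_CONTEXT_ID = bytes.fromhex("F0EFF02FBFF43D0FE7930C3C6E6174EA")  # RFC 7401 HIT context
ORCHID_PREFIX_28 = 0x2001002            # the 28 bits of 2001:20::/28
HIT_SUITE_ECDSA_SHA384 = 2              # RFC 7401 HIT Suite ID for ECDSA/SHA-384
ORCHID_NET = ipaddress.IPv6Network("2001:20::/28")


def orchid_v2(oga_id: int, input_bits: bytes, hash_name: str) -> ipaddress.IPv6Address:
    """Build an ORCHIDv2 from a 4-bit OGA ID and an input bitstring."""
    if not 0 <= oga_id <= 0xF:
        raise ValueError("OGA ID is a 4-bit field")
    digest = hashlib.new(hash_name, HIP_CONTEXT_ID + input_bits).digest()
    hash96 = int.from_bytes(digest[:12], "big")      # leftmost 96 bits of the hash
    return ipaddress.IPv6Address((ORCHID_PREFIX_28 << 100) | (oga_id << 96) | hash96)


def hit_from_spki(spki: bytes) -> str:
    """HIT-style identity. Assumption: the SPKI bytes stand in for the Host
    Identity encoding that RFC 7401 actually hashes; the bit layout is real."""
    return str(orchid_v2(HIT_SUITE_ECDSA_SHA384, spki, "sha384"))


def hit_is_well_formed(hit: str, expected_suite: int) -> bool:
    """Sanity check a received HIT: ORCHID prefix present, OGA nibble as expected."""
    addr = ipaddress.IPv6Address(hit)
    return addr in ORCHID_NET and ((int(addr) >> 96) & 0xF) == expected_suite


def identity_for(spki: bytes, scheme: str) -> str:
    """Derive the identity string a peer is known by under a given scheme."""
    if scheme == "rpk":
        return rpk_fingerprint(spki)
    if scheme == "hit":
        return hit_from_spki(spki)
    raise ValueError(f"unknown identity scheme {scheme!r}")


def peer_is_expected(presented_spki: bytes, scheme: str, provisioned: str) -> bool:
    """The mutual-authentication check: derive the identity from the key the
    peer proved possession of in the handshake, and compare it in constant
    time with the identity provisioned out of band (the enrolment output)."""
    return hmac.compare_digest(identity_for(presented_spki, scheme), provisioned)


if __name__ == "__main__":
    spki = p256_spki(P256_GX, P256_GY)
    provisioned = {s: identity_for(spki, s) for s in ("rpk", "hit")}
    print("RPK SHA-256:", provisioned["rpk"])
    print("HIT        :", provisioned["hit"])
    # A key differing in a single byte must not match either provisioned identity.
    tampered = spki[:-1] + bytes([spki[-1] ^ 0x01])
    for s in ("rpk", "hit"):
        print(s, "genuine:", peer_is_expected(spki, s, provisioned[s]),
              "tampered:", peer_is_expected(tampered, s, provisioned[s]))
```

The point of putting both derivations side by side is that neither identity carries a name: whatever the transport (DTLS with a raw public key, or HIP/ESP with HITs), the peer is trusted only because the identity derived from its key matches one that was provisioned before the handshake, which is exactly where a zero-touch enrolment step has to deliver its output.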