IETF Logo Mail Archive

Re: [homenet] New draft : draft-bonnetain-hncp-security

Brian E Carpenter <brian.e.carpenter@gmail.com> Fri, 04 July 2014 20:34 UTC

Return-Path: <brian.e.carpenter@gmail.com>
X-Original-To: homenet@ietfa.amsl.com
Delivered-To: homenet@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id AC73A1B2F6D for <homenet@ietfa.amsl.com>; Fri, 4 Jul 2014 13:34:34 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2
X-Spam-Level:
X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id AQotTf_RdfMv for <homenet@ietfa.amsl.com>; Fri, 4 Jul 2014 13:34:32 -0700 (PDT)
Received: from mail-pa0-x235.google.com (mail-pa0-x235.google.com [IPv6:2607:f8b0:400e:c03::235]) (using TLSv1 with cipher ECDHE-RSA-RC4-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id C704D1B2A12 for <homenet@ietf.org>; Fri, 4 Jul 2014 13:34:32 -0700 (PDT)
Received: by mail-pa0-f53.google.com with SMTP id ey11so2348835pad.26 for <homenet@ietf.org>; Fri, 04 Jul 2014 13:34:32 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=message-id:date:from:organization:user-agent:mime-version:to:cc :subject:references:in-reply-to:content-type :content-transfer-encoding; bh=NRiT7GuzcGgAnXCtw3J7bA7ESnv9ROYFhXl2Ny3vysA=; b=Wu0dPMPSHnB+PHbpI0d4U77yZa/uKjc6R1IrfDok7z4INrqUZMH1HjoGjZWBX1d/te 8/c2RZEo6X15EIGLH91JO1rKVVUXJEVkXobK6dDzyk5Yq3dAedZPrOoT7YDbby7LIS34 cidMWkfsedJDRUGWE3B3lu3QoA7tz3XTbaH1E+5e/5CWjLGzgm3DXDZgTL/3tym3Txps fFWxKiNWRAIWJlgmqZlvOhgS/I9dGWzhyMezl7vtjgzCjaxYBb4eJoxU5T0w9BXgmC9T IsPFTFLoeQsp+HqJ7xMTlXPrM2WMZTgDyDKoxOIgwNGSYYM7Mx1rz1jziyEa5h+NdZpC jyzg==
X-Received: by 10.68.166.36 with SMTP id zd4mr12780016pbb.54.1404506072269; Fri, 04 Jul 2014 13:34:32 -0700 (PDT)
Received: from [192.168.178.23] (24.198.69.111.dynamic.snap.net.nz. [111.69.198.24]) by mx.google.com with ESMTPSA id kn1sm45083475pbd.13.2014.07.04.13.34.30 for <multiple recipients> (version=TLSv1 cipher=ECDHE-RSA-RC4-SHA bits=128/128); Fri, 04 Jul 2014 13:34:31 -0700 (PDT)
Message-ID: <53B70FE2.4020806@gmail.com>
Date: Sat, 05 Jul 2014 08:34:42 +1200
From: Brian E Carpenter <brian.e.carpenter@gmail.com>
Organization: University of Auckland
User-Agent: Thunderbird 2.0.0.6 (Windows/20070728)
MIME-Version: 1.0
To: Pierre Pfister <pierre.pfister@darou.fr>
References: <CAPqzxca6jqRuD1-c9yD7WEqj6LAnDDgV5_NV+YkF=+xBFZH-Gw@mail.gmail.com> <alpine.DEB.2.02.1407041443100.7929@uplift.swm.pp.se> <DCBA5E9E-33C3-449B-91D9-01BF5E46E0A6@darou.fr>
In-Reply-To: <DCBA5E9E-33C3-449B-91D9-01BF5E46E0A6@darou.fr>
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
Archived-At: http://mailarchive.ietf.org/arch/msg/homenet/Fp33hgu1lk7qbMFN4D4RfRXRhgU
Cc: HOMENET <homenet@ietf.org>, Mikael Abrahamsson <swmike@swm.pp.se>
Subject: Re: [homenet] New draft : draft-bonnetain-hncp-security
X-BeenThere: homenet@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: <homenet.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/homenet>, <mailto:homenet-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/homenet/>
List-Post: <mailto:homenet@ietf.org>
List-Help: <mailto:homenet-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/homenet>, <mailto:homenet-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 04 Jul 2014 20:34:34 -0000

On 05/07/2014 02:10, Pierre Pfister wrote:
> Hello Mikael,
> 
> There is indeed a quite large common basis between Homenet and ANIMA problem spaces. It appears that Homenet is one of the case that is presented as a possible use-case for the UCAN BoF (draft-carpenter-nmrg-homenet-an-use-case).

Yes. But I'll repeat here what I've said in private mail: using homenet
as a use case for autonomic networking is not intended to derail HNCP.
It's also a little different from "mainstream" autonomic networking
which is aimed at larger networks.

> IMHO, these similarities will have to be discussed in Toronto. Particularly, one issue is that UCAN is at an earlier stage of specification as well as it seems to target a more general problem. They are proposing a different configuration protocol: CDNP, which can result in the same features as HNCP, but with a very different design. If we had to summarize, HNCP is a database synchronization protocol while CDNP is a generic negotiation protocol, which is practically the same theoretically as you can share data thought negotiation and negotiate through data sharing (which is an approach widely used in the HNCP’s prefix assignment algorithm).

To be clear, UCAN is not even a WG forming BOF, and CNP (now renamed
CDNP) is probably only one proposal among several. But indeed, please
attend the UCAN BOF as well as homenet. However, the homenet use case
is only one among 7 use cases on the table in UCAN.

   Brian

> Nevertheless, most of the considerations we need to discuss related to Homenet and ANIMA are *not* specific to security considerations.
> 
> So, back to security, CDNP proposes to establish authorization based on a single CA for large networks and based on automatic processes for small networks (These processes are said to be out of the scope of the CDNP draft). 
> 
> On the other hand, HNCP security as defined in the proposed draft relies on generic trust relationships. These relationships could be established through different means. Centralized, decentralized, managed from the network or from a server outside the network, from one or multiple authorities, etc… This is, IMHO, important in order to offer vendors the largest flexibility in the way they want to manage their customer’s networks.
> 
> ‘Whether we use CNDP instead of HNCP' and ‘how to secure HNCP’ are orthogonal problems. So I’m not sure this is the right thread to compare ANIMA and Homenet. But if anyone thinks we should enforce the use of X.509 certificates, or have a different approach on how to secure HNCP, we are open to suggestions.
> 
> 
> Pierre 
> 
> 
> 
> 
> Le 4 juil. 2014 à 14:45, Mikael Abrahamsson <swmike@swm.pp.se> a écrit :
> 
>> On Fri, 4 Jul 2014, Bonnetain wrote:
>>
>>> What do you think of it ?
>> I am not good enough in this area to validate that the draft actually does the right things from a security context, but it looks like we in the homenet WG are getting very close to what they're doing in the "Autonomic Networking Integrated Model and Approach" ANIMA
>>
>> http://www.ietf.org/mail-archive/web/homenet/current/msg03639.html
>>
>> I think we need to decide how to relate to their work, ignore it, try to steer both work efforts so we have some communality, or split up the work (or something else).
>>
>> -- 
>> Mikael Abrahamsson    email: swmike@swm.pp.se
>>
>> _______________________________________________
>> homenet mailing list
>> homenet@ietf.org
>> https://www.ietf.org/mailman/listinfo/homenet
> 
> _______________________________________________
> homenet mailing list
> homenet@ietf.org
> https://www.ietf.org/mailman/listinfo/homenet
>

v2.23.0 | Report a Bug | By Email