Re: [homenet] New draft : draft-bonnetain-hncp-security
Pierre Pfister <pierre.pfister@darou.fr> Fri, 04 July 2014 14:10 UTC
Return-Path: <SRS0=mLgV=37=darou.fr=pierre.pfister@bounces.m4x.org>
X-Original-To: homenet@ietfa.amsl.com
Delivered-To: homenet@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 35F501B29B5 for <homenet@ietfa.amsl.com>; Fri, 4 Jul 2014 07:10:25 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.202
X-Spam-Level:
X-Spam-Status: No, score=-4.202 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 15sPH7zIqm0C for <homenet@ietfa.amsl.com>; Fri, 4 Jul 2014 07:10:22 -0700 (PDT)
Received: from mx1.polytechnique.org (mx1.polytechnique.org [129.104.30.34]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 7B1D71B29B3 for <homenet@ietf.org>; Fri, 4 Jul 2014 07:10:18 -0700 (PDT)
Received: from [10.148.10.22] (173-38-208-169.cisco.com [173.38.208.169]) (using TLSv1 with cipher ECDHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by ssl.polytechnique.org (Postfix) with ESMTPSA id A287F1408EFA0; Fri, 4 Jul 2014 16:10:15 +0200 (CEST)
Content-Type: text/plain; charset="windows-1252"
Mime-Version: 1.0 (Mac OS X Mail 7.3 \(1878.6\))
From: Pierre Pfister <pierre.pfister@darou.fr>
In-Reply-To: <alpine.DEB.2.02.1407041443100.7929@uplift.swm.pp.se>
Date: Fri, 04 Jul 2014 16:10:14 +0200
Content-Transfer-Encoding: quoted-printable
Message-Id: <DCBA5E9E-33C3-449B-91D9-01BF5E46E0A6@darou.fr>
References: <CAPqzxca6jqRuD1-c9yD7WEqj6LAnDDgV5_NV+YkF=+xBFZH-Gw@mail.gmail.com> <alpine.DEB.2.02.1407041443100.7929@uplift.swm.pp.se>
To: Mikael Abrahamsson <swmike@swm.pp.se>
X-Mailer: Apple Mail (2.1878.6)
X-AV-Checked: ClamAV using ClamSMTP at svoboda.polytechnique.org (Fri Jul 4 16:10:16 2014 +0200 (CEST))
Archived-At: http://mailarchive.ietf.org/arch/msg/homenet/QLPQ4QM033zkH15g7wv_6QPGZeU
Cc: HOMENET <homenet@ietf.org>
Subject: Re: [homenet] New draft : draft-bonnetain-hncp-security
X-BeenThere: homenet@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: <homenet.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/homenet>, <mailto:homenet-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/homenet/>
List-Post: <mailto:homenet@ietf.org>
List-Help: <mailto:homenet-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/homenet>, <mailto:homenet-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 04 Jul 2014 14:10:47 -0000
Hello Mikael, There is indeed a quite large common basis between Homenet and ANIMA problem spaces. It appears that Homenet is one of the case that is presented as a possible use-case for the UCAN BoF (draft-carpenter-nmrg-homenet-an-use-case). IMHO, these similarities will have to be discussed in Toronto. Particularly, one issue is that UCAN is at an earlier stage of specification as well as it seems to target a more general problem. They are proposing a different configuration protocol: CDNP, which can result in the same features as HNCP, but with a very different design. If we had to summarize, HNCP is a database synchronization protocol while CDNP is a generic negotiation protocol, which is practically the same theoretically as you can share data thought negotiation and negotiate through data sharing (which is an approach widely used in the HNCP’s prefix assignment algorithm). Nevertheless, most of the considerations we need to discuss related to Homenet and ANIMA are *not* specific to security considerations. So, back to security, CDNP proposes to establish authorization based on a single CA for large networks and based on automatic processes for small networks (These processes are said to be out of the scope of the CDNP draft). On the other hand, HNCP security as defined in the proposed draft relies on generic trust relationships. These relationships could be established through different means. Centralized, decentralized, managed from the network or from a server outside the network, from one or multiple authorities, etc… This is, IMHO, important in order to offer vendors the largest flexibility in the way they want to manage their customer’s networks. ‘Whether we use CNDP instead of HNCP' and ‘how to secure HNCP’ are orthogonal problems. So I’m not sure this is the right thread to compare ANIMA and Homenet. But if anyone thinks we should enforce the use of X.509 certificates, or have a different approach on how to secure HNCP, we are open to suggestions. Pierre Le 4 juil. 2014 à 14:45, Mikael Abrahamsson <swmike@swm.pp.se> a écrit : > On Fri, 4 Jul 2014, Bonnetain wrote: > >> What do you think of it ? > > I am not good enough in this area to validate that the draft actually does the right things from a security context, but it looks like we in the homenet WG are getting very close to what they're doing in the "Autonomic Networking Integrated Model and Approach" ANIMA > > http://www.ietf.org/mail-archive/web/homenet/current/msg03639.html > > I think we need to decide how to relate to their work, ignore it, try to steer both work efforts so we have some communality, or split up the work (or something else). > > -- > Mikael Abrahamsson email: swmike@swm.pp.se > > _______________________________________________ > homenet mailing list > homenet@ietf.org > https://www.ietf.org/mailman/listinfo/homenet
- [homenet] New draft : draft-bonnetain-hncp-securi… Bonnetain
- Re: [homenet] New draft : draft-bonnetain-hncp-se… Mikael Abrahamsson
- Re: [homenet] New draft : draft-bonnetain-hncp-se… Pierre Pfister
- Re: [homenet] New draft : draft-bonnetain-hncp-se… Ted Lemon
- Re: [homenet] New draft : draft-bonnetain-hncp-se… Brian E Carpenter