Re: [Ideas] Comments on draft-ccm-ideas-identity-use-cases-02

Tom Herbert <> Tue, 17 October 2017 22:17 UTC


> Coming back to the IDEAS work, one of the goals is to create a standardized mapping system with various ID services (mobility, access security, pub/sub, grouping etc).
> There are various enterprise deployments where these services are needed and the ability to authorize who can update mapping and who can request mapping is critical for deploying some of these services.
> For ILA or for DC VM mobility some of the services may not be needed or Identity is an overhead (but I saw from your responses earlier, you need authorization on who can update in a multi-tenant environment)
> and that can be made optional if not needed. But, I see you are
> arguing on both sides. If you have a better solution to address the
> above needs please share it.


Authorization of operations on a mapping system is not optional;
however, I don't see that this problem is unique to mapping systems nor
something that hasn't already been implemented. There are already many
built-out networks that have implemented mapping systems that include
authorization of operations on the system. Google Cloud for instance
operates a huge multi-tenant network and I suspect they use LOAS to
authenticate access to the system since that is already what they use
for everything else anyway. And it makes sense for them to reuse the
authentication system that they are using for all of their other
services; I doubt anything defined in IDEAS would change their minds on
authentication of their mapping system.

In my design for ILA, I'm fond of using TLS for communications, which
provides both security (encryption) and verifiable identity in
certificates. The X.509 identity can be used against ACLs to
control read and write access. Like Google, I also intend to use the
same method for accessing other shared critical services in my
network. If this is the same thing as the identity being described in
IDEAS then I guess we're on the same page, but from the definitions of
identity being proposed I'm not sure it is equivalent.
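As an added illustration of the scheme described in the message above (example code written here, not Tom Herbert's or any ILA implementation): the TLS layer has already authenticated the peer, so the authorization step only needs to derive a principal name from the peer's X.509 certificate and check it against an ACL that says which principals may read or write which tenant's mappings. The `getpeercert()` dict shape is Python's `ssl` module format; the ACL contents and the certificate values are constructed for the example.

```python
"""ACL check for mapping-system operations keyed on the TLS peer's X.509 identity."""
from dataclasses import dataclass
from enum import Enum


class Op(Enum):
    READ = "read"    # look up / request a mapping
    WRITE = "write"  # publish / update a mapping


@dataclass(frozen=True)
class AclEntry:
    ops: frozenset      # operations this principal may perform
    tenants: frozenset  # tenants whose mappings it may touch ("*" = any tenant)


def peer_identity(peercert):
    """Derive a principal name from the dict ssl.SSLSocket.getpeercert() returns.
    Prefer a URI or DNS subjectAltName; fall back to the subject commonName."""
    for kind, value in peercert.get("subjectAltName", ()):
        if kind in ("URI", "DNS"):
            return value
    for rdn in peercert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                return value
    raise ValueError("peer certificate carries no usable identity")


# Hypothetical ACL: a per-tenant ILA router may read and write only its own
# tenant's mappings; a shared resolver may read any tenant's mappings.
ACL = {
    "ila-router-a.tenant1.example": AclEntry(frozenset({Op.READ, Op.WRITE}), frozenset({"tenant1"})),
    "resolver.example": AclEntry(frozenset({Op.READ}), frozenset({"*"})),
}


def authorize(peercert, op, tenant, acl=ACL):
    """True only if the TLS-authenticated peer may perform `op` on `tenant`'s mappings.
    Default deny: missing identity, unknown principal, unlisted op or foreign tenant."""
    try:
        ident = peer_identity(peercert)
    except ValueError:
        return False
    entry = acl.get(ident)
    if entry is None or op not in entry.ops:
        return False
    return "*" in entry.tenants or tenant in entry.tenants


# Constructed sample peer certificates in getpeercert() shape (not real certificates).
ROUTER_CERT = {"subject": ((("commonName", "ila-router-a.tenant1.example"),),),
               "subjectAltName": (("DNS", "ila-router-a.tenant1.example"),)}
RESOLVER_CERT = {"subject": ((("commonName", "resolver.example"),),)}
```

In a real deployment the server side would be created with `ssl.CERT_REQUIRED` and a pinned CA so that `getpeercert()` only ever returns a certificate the CA actually issued; the ACL lookup then runs once per connection before any mapping request is served.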