Re: [Ideas] WG Review: IDentity Enabled Networks (ideas)

Jari Arkko <jari.arkko@piuha.net> Wed, 04 October 2017 21:41 UTC

Return-Path: <jari.arkko@piuha.net>
X-Original-To: ideas@ietfa.amsl.com
Delivered-To: ideas@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C884B1321A2; Wed, 4 Oct 2017 14:41:51 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Level:
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id iriUvU7EiX4y; Wed, 4 Oct 2017 14:41:50 -0700 (PDT)
Received: from p130.piuha.net (p130.piuha.net [193.234.218.130]) by ietfa.amsl.com (Postfix) with ESMTP id B2D9E1344C9; Wed, 4 Oct 2017 14:41:49 -0700 (PDT)
Received: from localhost (localhost [127.0.0.1]) by p130.piuha.net (Postfix) with ESMTP id D05602D0E1; Thu, 5 Oct 2017 00:41:48 +0300 (EEST) (envelope-from jari.arkko@piuha.net)
X-Virus-Scanned: amavisd-new at piuha.net
Received: from p130.piuha.net ([127.0.0.1]) by localhost (p130.piuha.net [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id r1fbW5q2eaWE; Thu, 5 Oct 2017 00:41:48 +0300 (EEST)
Received: from [127.0.0.1] (p130.piuha.net [IPv6:2001:14b8:1829::130]) by p130.piuha.net (Postfix) with ESMTPS id 155572CE21; Thu, 5 Oct 2017 00:41:48 +0300 (EEST) (envelope-from jari.arkko@piuha.net)
Content-Type: text/plain; charset=utf-8
Mime-Version: 1.0 (Mac OS X Mail 10.3 \(3273\))
From: Jari Arkko <jari.arkko@piuha.net>
In-Reply-To: <D7D4AEE9-3BD0-4C8F-BCC6-7185AF7D37BA@netapp.com>
Date: Thu, 5 Oct 2017 00:41:47 +0300
Cc: "ideas@ietf.org" <ideas@ietf.org>, "ietf@ietf.org" <ietf@ietf.org>
Content-Transfer-Encoding: quoted-printable
Message-Id: <9C663B18-21CC-4A16-8B26-7994B12B1DC5@piuha.net>
References: <150670160872.14128.2758037992338326085.idtracker@ietfa.amsl.com> <778d5504-ba4f-d418-7b20-356353bb0fb2@cs.tcd.ie> <D7D4AEE9-3BD0-4C8F-BCC6-7185AF7D37BA@netapp.com>
To: "Eggert, Lars" <lars@netapp.com>
X-Mailer: Apple Mail (2.3273)
Archived-At: <https://mailarchive.ietf.org/arch/msg/ideas/UMQD2RtJ3v8CmhSBEBHfCsdLEqM>
Subject: Re: [Ideas] WG Review: IDentity Enabled Networks (ideas)
X-BeenThere: ideas@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: "Discussions relating to the development, clarification, and implementation of control-plane infrastructures and functionalities in ID enabled networks." <ideas.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ideas>, <mailto:ideas-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ideas/>
List-Post: <mailto:ideas@ietf.org>
List-Help: <mailto:ideas-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ideas>, <mailto:ideas-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 04 Oct 2017 21:41:52 -0000

I was a bit surprised to see this come out of the IESG for 
review, given that we had fairly serious discussions about the
problems of the proposed approaches at the BOF, but I see little 
attention on those issues in the charter.

But, to state my opinion about working group being created with this
charter, I have comments from two directions.

First, from the point of view of “do we need this” or “do I need this”,
I’m a “meh”. If the HIP and LISP folk and everyone else were
screaming for this, and we had enough deployment that we saw the 
issues that the charter proposes, then sure. Not sure that’s case.

Secondly, I’m have similar concerns to Christian, Lars, Stephen and others.
More specifically, at the BOF the goal seemed to be creation of infrastructures
to manage and track identities, and to bind them to entities that assigned
them. I am not at all sure that’s a desirable direction. And the charter
says little about the assumptions behind the work.

To expand a bit on these concerns, the proposed work doesn’t consider
at all the types of identifier operations that work on ephemeral identities
(e.g., HIP, MP-TCP). It would be sad if we created systems that
forced us to manage identifiers from some infrastructure when all
we needed to do in a particular case was “prove that you are the
same entity as in the other connection”, which can be done e2e and
requires no infrastructure, or permanent identifiers.

The charter text also mentions “identifier changes” in what feels
like a special case for what I would think is rather the default.

I find concept of firewalls checking identity troublesome.

Now, I’m not opposed to creating a working group in the IETF in this
area, and to support various infrastructure needs of say mobility or
multihoming or anycast protoocols, but if we do it, we need to do
it right. Dino’s suggestion of mapping systems without the manage/
create aspect might be one potential useful direction. Another
way to think about this space is to consider nodes to have autonomy
in how they manage and create their identities, when they reveal
or do not reveal identities. Then we could ask what
helpful tasks might an infrastructure provide on top of that, e.g., 
mapping services or forwarding agent type designs.

Jari