Re: [Ideas] WG Review: IDentity Enabled Networks (ideas)

"Joel M. Halpern" <jmh@joelhalpern.com> Thu, 05 October 2017 01:35 UTC

Return-Path: <jmh@joelhalpern.com>
X-Original-To: ideas@ietfa.amsl.com
Delivered-To: ideas@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 806A713450B; Wed, 4 Oct 2017 18:35:44 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.72
X-Spam-Level:
X-Spam-Status: No, score=-2.72 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_LOW=-0.7, RCVD_IN_MSPIKE_H3=-0.01, RCVD_IN_MSPIKE_WL=-0.01, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=joelhalpern.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id zobINrUkZp3k; Wed, 4 Oct 2017 18:35:43 -0700 (PDT)
Received: from mailb2.tigertech.net (mailb2.tigertech.net [208.80.4.154]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 19EC813450A; Wed, 4 Oct 2017 18:35:43 -0700 (PDT)
Received: from localhost (localhost [127.0.0.1]) by mailb2.tigertech.net (Postfix) with ESMTP id EF46846DC89; Wed, 4 Oct 2017 18:35:42 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=joelhalpern.com; s=1.tigertech; t=1507167342; bh=jdWyGcHuI3EbjUIywg90106ex37PzrNpsHQXTrInFR8=; h=Subject:To:Cc:References:From:Date:In-Reply-To:From; b=TnsePNd+F3AtESpgqTO60GO6Gn8SPq2D0F+xY/Schzqx49tlRTgwI6z2uXhC/BurM VsTMXyxBj0MiTej5muuoVi89IwObfXZGbYWKU8An+UBW7t11a4bZ2LxoCzdvX6+GAD u+WLLcslyTD87/SjgPU7z5gmGChG2laJEqmQPeuo=
X-Virus-Scanned: Debian amavisd-new at b2.tigertech.net
Received: from Joels-MacBook-Pro.local (unknown [50.225.209.67]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by mailb2.tigertech.net (Postfix) with ESMTPSA id 6D8EC46DC44; Wed, 4 Oct 2017 18:35:40 -0700 (PDT)
To: Uma Chunduri <uma.chunduri@huawei.com>, Jari Arkko <jari.arkko@piuha.net>, "Eggert, Lars" <lars@netapp.com>
Cc: "ideas@ietf.org" <ideas@ietf.org>, "ietf@ietf.org" <ietf@ietf.org>
References: <150670160872.14128.2758037992338326085.idtracker@ietfa.amsl.com> <778d5504-ba4f-d418-7b20-356353bb0fb2@cs.tcd.ie> <D7D4AEE9-3BD0-4C8F-BCC6-7185AF7D37BA@netapp.com> <9C663B18-21CC-4A16-8B26-7994B12B1DC5@piuha.net> <25B4902B1192E84696414485F572685401A872DE@SJCEML701-CHM.china.huawei.com>
From: "Joel M. Halpern" <jmh@joelhalpern.com>
Message-ID: <33f100a0-5114-269c-adb4-5db6edb1fd4d@joelhalpern.com>
Date: Wed, 4 Oct 2017 21:35:38 -0400
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.12; rv:52.0) Gecko/20100101 Thunderbird/52.3.0
MIME-Version: 1.0
In-Reply-To: <25B4902B1192E84696414485F572685401A872DE@SJCEML701-CHM.china.huawei.com>
Content-Type: text/plain; charset=utf-8; format=flowed
Content-Language: en-US
Content-Transfer-Encoding: 8bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/ideas/bhFLtxB6ss7qGrA1W-2AJtXOWgc>
Subject: Re: [Ideas] WG Review: IDentity Enabled Networks (ideas)
X-BeenThere: ideas@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: "Discussions relating to the development, clarification, and implementation of control-plane infrastructures and functionalities in ID enabled networks." <ideas.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ideas>, <mailto:ideas-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ideas/>
List-Post: <mailto:ideas@ietf.org>
List-Help: <mailto:ideas-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ideas>, <mailto:ideas-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 05 Oct 2017 01:35:44 -0000

Uma,
     It simply does not follow that you need an identity in order to be 
able to update the mapping system.  You do need authentication.
      If you use DNS, then mechanissm such as the authentication used 
with dynamic DNS suffice.
      If you use LISP, then the keying associated with the delegation of 
the identifier works.
      If you use MobileIP, then you need the authentication with your 
home register.

     There is no need for any special Identity.

Yours,
Joel

On 10/4/17 8:46 PM, Uma Chunduri wrote:
> Jari,
> 
> 	> Secondly, I’m have similar concerns to Christian, Lars, Stephen and others.
> 	> More specifically, at the BOF the goal seemed to be creation of infrastructures to manage and track identities, and to bind them to entities that assigned them.
>                  > I am not at all sure that’s a desirable direction. And the charter says little about the assumptions behind the work.
> 	>To expand a bit on these concerns, the proposed work doesn’t consider at all the types of identifier operations that work on ephemeral identities (e.g., HIP, MP-TCP).
>                  >It would be sad if we created systems that forced us to manage identifiers from some infrastructure when all we needed to do in a particular case was “prove that you are
>                  >the same entity as in the other connection”, which can be done e2e and requires no infrastructure, or permanent identifiers.
> 
> 
> I hope you agree, when we talk about a mapping system - it's important
> 
>       - Who can update the mappings
>       - Who can access the mappings
> 
> Both needs AUTH and hence an Identity (EAP or whatever mechanism with anonymous or pseudonymous access) & provider ==> essentially an access ID.
> If you don't restrict who can access the mapping (2nd question) one would get a primitive system, but the ability to provide some control is useful for lot of scenarios (including lot of IoT/Vehicular nodes having mobility and multi-access).
> In any case, you should still restrict who can update whose mappings.
> 
> You need this "standardized" system with well-defined interfaces  for
>     a.  lot of local IoT/enterprise deployments and
>     b.  can be  extended through a federated system where only mapping of Identifiers and locations can be shared among providers for further reachability (central to any mobility system, regardless of which ID/LOC protocol).
> 
> With regard to privacy concerns raised, I still believe there are IETF approved solutions like https://tools.ietf.org/wg/abfab/ can be leveraged here too.
> 
> What data plane identifier is another aspect and that is governed by ID/LOC protocols.
> 
> --
> Uma C.
>