Re: [Ideas] [lisp] WG Review: IDentity Enabled Networks (ideas)

Alexander Clemm <alexander.clemm@huawei.com> Wed, 11 October 2017 18:48 UTC

Return-Path: <alexander.clemm@huawei.com>
X-Original-To: ideas@ietfa.amsl.com
Delivered-To: ideas@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 425F91331D7; Wed, 11 Oct 2017 11:48:04 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.22
X-Spam-Level:
X-Spam-Status: No, score=-4.22 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_MED=-2.3, RCVD_IN_MSPIKE_H3=-0.01, RCVD_IN_MSPIKE_WL=-0.01, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id zSScPSDkL436; Wed, 11 Oct 2017 11:48:01 -0700 (PDT)
Received: from lhrrgout.huawei.com (lhrrgout.huawei.com [194.213.3.17]) (using TLSv1 with cipher RC4-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 388941331DD; Wed, 11 Oct 2017 11:48:00 -0700 (PDT)
Received: from 172.18.7.190 (EHLO lhreml702-cah.china.huawei.com) ([172.18.7.190]) by lhrrg01-dlp.huawei.com (MOS 4.3.7-GA FastPath queued) with ESMTP id DXJ38193; Wed, 11 Oct 2017 18:47:58 +0000 (GMT)
Received: from SJCEML701-CHM.china.huawei.com (10.208.112.40) by lhreml702-cah.china.huawei.com (10.201.108.43) with Microsoft SMTP Server (TLS) id 14.3.301.0; Wed, 11 Oct 2017 19:47:57 +0100
Received: from SJCEML521-MBX.china.huawei.com ([169.254.1.175]) by SJCEML701-CHM.china.huawei.com ([169.254.3.215]) with mapi id 14.03.0301.000; Wed, 11 Oct 2017 11:47:54 -0700
From: Alexander Clemm <alexander.clemm@huawei.com>
To: Padma Pillay-Esnault <padma.ietf@gmail.com>, Christian Huitema <huitema@huitema.net>
CC: "ideas@ietf.org" <ideas@ietf.org>, "lisp@ietf.org list" <lisp@ietf.org>, Dino Farinacci <farinacci@gmail.com>, Robert Moskowitz <rgm-ietf@htt-consult.com>, Brian E Carpenter <brian.e.carpenter@gmail.com>, "ietf@ietf.org" <ietf@ietf.org>
Thread-Topic: [Ideas] [lisp] WG Review: IDentity Enabled Networks (ideas)
Thread-Index: AQHTQrcK0eH/tmmnfEmavTiozjDgVKLe+kVA
Date: Wed, 11 Oct 2017 18:47:52 +0000
Message-ID: <644DA50AFA8C314EA9BDDAC83BD38A2E0EAA8E6D@sjceml521-mbx.china.huawei.com>
References: <150670160872.14128.2758037992338326085.idtracker@ietfa.amsl.com> <778d5504-ba4f-d418-7b20-356353bb0fb2@cs.tcd.ie> <CAMm+Lwg61PGrcmu=-e8ciD6Q+XmEaWWDys4g2M657VOjWmaGcg@mail.gmail.com> <CALx6S370-TuoUicWep5vV2NjLPS4d-HP1qVxW_nGrxhBLw6Eug@mail.gmail.com> <8kd5pq.oxb4pv.rtlo8t-qmf@mercury.scss.tcd.ie> <644DA50AFA8C314EA9BDDAC83BD38A2E0EAA7204@sjceml521-mbx.china.huawei.com> <dd2c3bd5-dd37-109b-2e81-0327db4daa09@cs.tcd.ie> <0BA14206-DC82-49EF-A625-B2425FA396F6@gmail.com> <1f254140-1340-6c7d-9c73-e7137562c685@gmail.com> <fa644cc2-161f-8884-3445-2b50d2c2ad23@htt-consult.com> <cf2ca920-f2d2-b65e-05eb-ebe3c30b76d1@huitema.net> <CAG-CQxrdS9L+2+bN=1NcPGuztn4U4OwSWUiNaVcS9Bsm2mtpfA@mail.gmail.com>
In-Reply-To: <CAG-CQxrdS9L+2+bN=1NcPGuztn4U4OwSWUiNaVcS9Bsm2mtpfA@mail.gmail.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [10.213.48.142]
Content-Type: multipart/alternative; boundary="_000_644DA50AFA8C314EA9BDDAC83BD38A2E0EAA8E6Dsjceml521mbxchi_"
MIME-Version: 1.0
X-CFilter-Loop: Reflected
X-Mirapoint-Virus-RAPID-Raw: score=unknown(0), refid=str=0001.0A020201.59DE675E.0237, ss=1, re=0.000, recu=0.000, reip=0.000, cl=1, cld=1, fgs=0, ip=169.254.1.175, so=2013-06-18 04:22:30, dmn=2013-03-21 17:37:32
X-Mirapoint-Loop-Id: 846096c927bee242d3d60c086cccb0f6
Archived-At: <https://mailarchive.ietf.org/arch/msg/ideas/iSDMPrVgHCeig_tJSrg8PLcKttw>
Subject: Re: [Ideas] [lisp] WG Review: IDentity Enabled Networks (ideas)
X-BeenThere: ideas@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: "Discussions relating to the development, clarification, and implementation of control-plane infrastructures and functionalities in ID enabled networks." <ideas.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ideas>, <mailto:ideas-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ideas/>
List-Post: <mailto:ideas@ietf.org>
List-Help: <mailto:ideas-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ideas>, <mailto:ideas-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 11 Oct 2017 18:48:04 -0000

Two additional thoughts inline, <ALEX>

From: Ideas [mailto:ideas-bounces@ietf.org] On Behalf Of Padma Pillay-Esnault
Sent: Wednesday, October 11, 2017 10:33 AM
To: Christian Huitema <huitema@huitema.net>;
Cc: ideas@ietf.org; lisp@ietf.org list <lisp@ietf.org>;; Dino Farinacci <farinacci@gmail.com>;; Robert Moskowitz <rgm-ietf@htt-consult.com>;; Brian E Carpenter <brian.e.carpenter@gmail.com>;; ietf@ietf.org
Subject: Re: [Ideas] [lisp] WG Review: IDentity Enabled Networks (ideas)



On Wed, Oct 11, 2017 at 9:15 AM, Christian Huitema <huitema@huitema.net<mailto:huitema@huitema.net>> wrote:

On 10/11/2017 7:56 AM, Robert Moskowitz wrote:
and 'identity' is a red flag.

Whow there!  You were part of the Namespace Research Group?  I think?  I was and we we worked a lot on this and came to the conclusion that there could be no conclusion.  Not even a rough concensus, it seemed.

I have been using 'identity' to apply to things for 20 years. Pretty much ever since I started working with things.  Anyone that holds the position that 'identity' means we are talking only about people are allowing their thinking to be clouded.

I am concerned that the current proponents of the IDEAS work are mainly resisting the feedback, treating it as some roadblock put in the path of their work by misguided privacy purists, and attempting to remove the roadblocks by adding some weasel words to the charter. I would feel much more confident if these proponents acknowledged the tension between privacy and stable identifiers of any sort, if that tension was clearly noted in the charter, and if privacy goals were clearly stated.

As one of the proponents, I feel I need to speak up because blanket statements are just not helping.

Speaking on behalf of my fellow proponents, we have always welcomed constructive feedback from people who want/can contribute and make the technology better. We have been willing to clarify the charter (clarification does not mean weaseling).

If it is helpful to  move forward, I am willing to volunteer for this work and discuss with anyone to ensure constructive feedback and comments are addressed.

<ALEX> +1 on welcoming constructive feedback.  To incorporate it we need to update documents.  An update to the ccm use case document was posted yesterday (rev -02) which incorporates a lot of the feedback given.  Clearly, this will not be the last update and other documents need to follow.
</ALEX>


Specifically, I think there is a contradiction between some of documents. For example, draft-padma-ideas-problem-statement-01 states that:

   o  A single entity may have multiple IDs, and IDs of the same entity

      may have different life spans that are different from the lifespan

      of the entity.  Furthermore, it is understood that IDs may have

      different lifecycles, which may be permanent or ephemeral by

      choice or design.



   o  Ephemeral (temporary) IDs may be used as a short-lived pseudonym

      for a permanent ID to protect the privacy of the related entity.
But then, draft-ccm-ideas-identity-use-cases-01 states that:

   a.  Unique and Permanent Identity representing the entity enables

       authentication (AUTH) with the mapping and Identity services

       infrastructure.  While it is possible to do AUTH on Identifiers

       those are not permanently associated to the entity.  Moreover,

       AUTH operation is a relatively an expensive and inefficient

       procedure (compared to LOC resolution for example) and can cause

       excessive startup delays for lot of applications.



As said earlier this draft was not updated by the authors and a new version was posted yesterday.

https://www.ietf.org/mail-archive/web/ideas/current/msg00520.html

<ALEX> I think you meant to say it *was* updated ;-)
draft-padma-ideas-problem-statement will presumably be one of the documents that are next in line for updating.  </ALEX>

The tension is obvious. On one hand, the ephemeral identifiers envisaged in the problem statement would pretty much align the privacy properties of the ID to those of IPv6 privacy addresses, and that's good. On the other hand, the requirement to perform authentication on identities completely negates that property.

I would be fine if the support for "Unique and Permanent Identity" was explicitly excluded from the charter.

AFAIK, none of the proponents resisted that.

There is obviously a need to support some form of access control to a mapping database,

Agreed.

but you do not need a reference to a permanent identity for that -- systems similar to CGA would work just fine.


The identity of the device is just adding a lever of identifier which effectively allows authentication to modify the identifiers used by that device but also what the users of these identifiers can look up. If we had used "user of identifier" it would have been misconstrued for humans. So damn if you do and damn if you don't ...

We are open for discussions anytime.

Padma






--

Christian Huitema

_______________________________________________
lisp mailing list
lisp@ietf.org<mailto:lisp@ietf.org>
https://www.ietf.org/mailman/listinfo/lisp