Re: [Anima] Rtgdir telechat review of? draft-ietf-anima-autonomic-control-plane-13
Toerless Eckert <tte@cs.fau.de> Wed, 06 June 2018 21:51 UTC
Return-Path: <eckert@i4.informatik.uni-erlangen.de>
X-Original-To: ietf@ietfa.amsl.com
Delivered-To: ietf@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 15531130DDC; Wed, 6 Jun 2018 14:51:58 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.951
X-Spam-Level:
X-Spam-Status: No, score=-3.951 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HEADER_FROM_DIFFERENT_DOMAINS=0.249, RCVD_IN_DNSWL_MED=-2.3] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id aPqvMKPPRlhA; Wed, 6 Jun 2018 14:51:50 -0700 (PDT)
Received: from faui40.informatik.uni-erlangen.de (faui40.informatik.uni-erlangen.de [131.188.34.40]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id D04F1130DD3; Wed, 6 Jun 2018 14:51:49 -0700 (PDT)
Received: from faui48f.informatik.uni-erlangen.de (faui48f.informatik.uni-erlangen.de [131.188.34.52]) by faui40.informatik.uni-erlangen.de (Postfix) with ESMTP id 84D1A58C4C4; Wed, 6 Jun 2018 23:51:45 +0200 (CEST)
Received: by faui48f.informatik.uni-erlangen.de (Postfix, from userid 10463) id 811324401A4; Wed, 6 Jun 2018 23:51:45 +0200 (CEST)
Date: Wed, 06 Jun 2018 23:51:45 +0200
From: Toerless Eckert <tte@cs.fau.de>
To: "Joel M. Halpern" <jmh@joelhalpern.com>
Cc: rtg-dir@ietf.org, draft-ietf-anima-autonomic-control-plane.all@ietf.org, ietf@ietf.org, anima@ietf.org
Subject: Re: [Anima] Rtgdir telechat review of? draft-ietf-anima-autonomic-control-plane-13
Message-ID: <20180606215145.dzqan4quh26njthg@faui48f.informatik.uni-erlangen.de>
References: <20180514090425.o2yr33536jru53bu@faui48f.informatik.uni-erlangen.de> <20180514125003.60B4474D368@faui45.informatik.uni-erlangen.de> <20180515025807.zormnu7fqq5rq3uj@faui48f.informatik.uni-erlangen.de> <6c4f9527-1b96-9c14-ffe0-186a24eb9793@joelhalpern.com> <20180606203700.bewampnxs2vaevke@faui48f.informatik.uni-erlangen.de>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Disposition: inline
In-Reply-To: <20180606203700.bewampnxs2vaevke@faui48f.informatik.uni-erlangen.de>
User-Agent: NeoMutt/20170113 (1.7.2)
Archived-At: <https://mailarchive.ietf.org/arch/msg/ietf/J_9PvCbWt_Lhx5HYHIcIMzixquY>
X-BeenThere: ietf@ietf.org
X-Mailman-Version: 2.1.26
Precedence: list
List-Id: IETF-Discussion <ietf.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ietf>, <mailto:ietf-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ietf/>
List-Post: <mailto:ietf@ietf.org>
List-Help: <mailto:ietf-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ietf>, <mailto:ietf-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 06 Jun 2018 21:51:59 -0000
Ooopss.. diff was not pointing to absolute label for second URL, here is working one: http://tools.ietf.org//rfcdiff?url1=https://raw.githubusercontent.com/anima-wg/autonomic-control-plane/54c9c16f3444b1db13c7cb05744e543dfcdfb63b/draft-ietf-anima-autonomic-control-plane/draft-ietf-anima-autonomic-control-plane-14.txt&url2=https://raw.githubusercontent.com/anima-wg/autonomic-control-plane/57825aac69216fd01d388810ee804c7f25e8ab7d/draft-ietf-anima-autonomic-control-plane/draft-ietf-anima-autonomic-control-plane-14-jh3.txt On Wed, Jun 06, 2018 at 10:37:00PM +0200, Toerless Eckert wrote: > On Mon, May 14, 2018 at 11:15:58PM -0400, Joel M. Halpern wrote: > > (Sorry about the excess caps. Did not intentd to shout.) > > > > From some off-line disucssions, I understand that the actual address > > allocation is tied to the registration process. The registration process is > > not described in this document. > > > > As far as I can tell, the ACP does not depend upon the address allocation > > strategy. The address allocation strategy does require the ACP. And it > > requires and is closely coupled to the registration process. > > > > If that is true, the address allocation seems to be better described with > > the registration process. Which I presume is in the BRSKI document. > > > > All I would put in here is the basic ULA allocation (hash based generation) > > mechanism. > > Hi Joel (round 3) > > Here is the github version after the fixes discussed below > > https://raw.githubusercontent.com/anima-wg/autonomic-control-plane/master/draft-ietf-anima-autonomic-control-plane/draft-ietf-anima-autonomic-control-plane-14-jh3.txt > > Here is the diff vs. the prior version (round 2) > > http://tools.ietf.org//rfcdiff?url1=https://raw.githubusercontent.com/anima-wg/autonomic-control-plane/54c9c16f3444b1db13c7cb05744e543dfcdfb63b/draft-ietf-anima-autonomic-control-plane/draft-ietf-anima-autonomic-control-plane-14.txt&url2=https://raw.githubusercontent.com/anima-wg/autonomic-control-plane/master/draft-ietf-anima-autonomic-control-plane/draft-ietf-anima-autonomic-control-plane-14-jh3.txt > > Alas (but i think for the better), after > all the questions from and discussion with you, i tried to figure out how > to best document the answers to the questions you raised, and it started > answering why we need multiple address range - because have to waste > 48/46 bits on Registrar-IDs. Ok, Why ? Because we want multiple uncoordinated > registrars. Ok, what is a registrar. Especially when ACP does not use > BRSKI, which it claims it can. And how does certificate maintenance work > when you have multiple registrars. Aka: once i started to write text to > asnwer your questions i kinda got sucked into having the spec also answer > other questions. > > So, with this rev., we now define and use the term "ACP Registrar", > and define that thats a BRSKI Registrar in ANI nodes, but it can be > anything in non-ANI ACP nodes. Does not have to be software. It could > be you, if you want the job. Maybe Netconf or other protocols that > want to compete with BRSKI. > > Actually, verified i can be a registrar a long time ago, using old > crypto PKI CLI on ACP capable routers to manually hack in certificates > with specific properties i wanted. And getting them via web interface from > a CA. > > So, i think this is a very clean solution of documentation. The normative > part of the spec now has what i think was the minimum to define the > requirements for any ACP registrar including the most simple address > allocation example. > > So, then there is an informative section explaining the need for the > multiple address spaces because of those uncoordinated registrars. > And an informative section about how you would need to set up > such uncoordinated registrars, aka: each with their own sub-CA. All > in section 10.3 now. > > Then of course the whole point you made about about ACP addresses > being identifiers or not. So i wanted to document the point that they > are, but that also meant to explain how the ACP address information > will survive in the presence of renewal and re-enrollment with a different registrar > (which may not know the nodes assigned ACP address unless its presented > during re-enrollment/renewal). Then of course the case where a cert > is revoked maybe indirectly, because the registrar was attacked, not > the ACP node gets a new cert from another registrar but of course this is > is the only case where you want it to get a certificate with new ACP > address information (because the prior registrar became untrusted so > you don't trust what ACP information it assigned). > > So, this ended up being two new normative subsections in 6.1.3 - > re-enrollment and failing certificates, describing the requirements against ACP nodes > during renewal or failure of their cert. > > The informative part of the doc also got a section about registrars documenting > hopefully the key pieces: how it works in general (so folks get > an idea how they would be built with or without BRSKI), what parameters > they need, discussion about that multi-registrar renewal and sub-CA > case, and finally a discussion about how registrars could integrate > with centralized policy control. After all, the world is SDN, so if > we'd only document the cool distributed registrar case, this wouldn't sell well > in todays world *sigh*. > > The reasoning for this new text sections is all summarized/documented in the changelog for -14. > > I'd like to point out that even though this is a bunch of additional text, > it is in no way changing the way the ACP or registrars are meant to > operate. It is really just adding missing documentation about it. > > Hope this answers your questions and resolves your discuss. > > Cheers > Toerless -- --- tte@cs.fau.de
- Re: [Anima] Rtgdir telechat review of? draft-ietf… Toerless Eckert
- Re: [Anima] Rtgdir telechat review of? draft-ietf… Toerless Eckert
- Re: [Anima] Rtgdir telechat review of? draft-ietf… Joel M. Halpern
- Re: [Anima] Rtgdir telechat review of? draft-ietf… Joel M. Halpern
- Re: [Anima] Rtgdir telechat review of? draft-ietf… Toerless Eckert
- Rtgdir telechat review of draft-ietf-anima-autono… Joel Halpern
- Re: Rtgdir telechat review of draft-ietf-anima-au… Toerless Eckert
- Re: Rtgdir telechat review of draft-ietf-anima-au… Joel M. Halpern
- Re: Rtgdir telechat review of draft-ietf-anima-au… Toerless Eckert
- Re: Rtgdir telechat review of draft-ietf-anima-au… Joel M. Halpern
- Re: Rtgdir telechat review of draft-ietf-anima-au… Brian E Carpenter
- Re: [Anima] Rtgdir telechat review of draft-ietf-… Toerless Eckert
- Re: [Anima] Rtgdir telechat review of draft-ietf-… jmh.direct
- Re: [Anima] Rtgdir telechat review of? draft-ietf… Toerless Eckert
- Re: [Anima] Rtgdir telechat review of? draft-ietf… Joel M. Halpern