Re: [Iot-onboarding] FW: New Version Notification for draft-friel-anima-brski-cloud-00.txt

"Owen Friel (ofriel)" <ofriel@cisco.com> Mon, 16 September 2019 09:49 UTC

Return-Path: <ofriel@cisco.com>
X-Original-To: iot-onboarding@ietfa.amsl.com
Delivered-To: iot-onboarding@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 1349A120839 for <iot-onboarding@ietfa.amsl.com>; Mon, 16 Sep 2019 02:49:47 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -14.501
X-Spam-Level:
X-Spam-Status: No, score=-14.501 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_HI=-5, SPF_PASS=-0.001, USER_IN_DEF_DKIM_WL=-7.5] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=cisco.com header.b=D+K67K64; dkim=pass (1024-bit key) header.d=cisco.onmicrosoft.com header.b=Ns7Dfm43
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id cpOJ5Ff3WmxL for <iot-onboarding@ietfa.amsl.com>; Mon, 16 Sep 2019 02:49:44 -0700 (PDT)
Received: from rcdn-iport-6.cisco.com (rcdn-iport-6.cisco.com [173.37.86.77]) (using TLSv1.2 with cipher DHE-RSA-SEED-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 8B4CE120810 for <iot-onboarding@ietf.org>; Mon, 16 Sep 2019 02:49:44 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cisco.com; i=@cisco.com; l=4633; q=dns/txt; s=iport; t=1568627384; x=1569836984; h=from:to:cc:subject:date:message-id:references: in-reply-to:content-transfer-encoding:mime-version; bh=Eoy2szFs9uDRiBxRZNaQ00fCyworpRsiIeLP8FNVVUw=; b=D+K67K64nvJrEKVhQKbI/XuE8dsXQZyLOldV1R/IG5ycpOc0p8YmEyPu /m7p4s/zc9mW6pTrSFdPrC9wAow3YGZ9AzluqLMSAJ5vtxxfmXF+nxQAD WXHeAydxlxJe/8MXw+MgjZ82sI4TRs2dX2mBTWzKzm0BQRxMd1Odghxzc I=;
IronPort-PHdr: =?us-ascii?q?9a23=3AcLheDxe5m6kk61QiNVuSM0lflGMj4e+mNxMJ6p?= =?us-ascii?q?chl7NFe7ii+JKnJkHE+PFxlwKYD57D5adCjOzb++D7VGoM7IzJkUhKcYcEFn?= =?us-ascii?q?pnwd4TgxRmBceEDUPhK/u/aCIgHclGfFRk5Hq8d0NSHZW2ag=3D=3D?=
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: =?us-ascii?q?A0ANAABNWX9d/4ENJK1dCRoBAQEBAQI?= =?us-ascii?q?BAQEBBwIBAQEBgVQEAQEBAQsBgURQA21WIAQLKgqHXgOKb4Jcl3GBLoEkA1Q?= =?us-ascii?q?JAQEBDAEBJwYCAQGBS4J0AoJtIzUIDgIDCQEBBAEBAQIBBQRthS4MhUoBAQE?= =?us-ascii?q?DARIoBgEBNQIBBAcEAgEIEQQBAQEeEDIdCAIEDgUIGoMBgWoDDg8BDp8dAoE?= =?us-ascii?q?4iGGCJYJ9AQEFhQoYghcJgTQBi3cYgUA/gRFGgkw+gmECAoE1FBiDO4ImjHI?= =?us-ascii?q?PGZ9UCoIihwWOFpkZjCKJc5B2AgQCBAUCDgEBBYFUAzOBWHAVgycJgjk4gmZ?= =?us-ascii?q?UilNzgSmOKgGBIgEB?=
X-IronPort-AV: E=Sophos;i="5.64,512,1559520000"; d="scan'208";a="631570905"
Received: from alln-core-9.cisco.com ([173.36.13.129]) by rcdn-iport-6.cisco.com with ESMTP/TLS/DHE-RSA-SEED-SHA; 16 Sep 2019 09:49:43 +0000
Received: from XCH-ALN-020.cisco.com (xch-aln-020.cisco.com [173.36.7.30]) by alln-core-9.cisco.com (8.15.2/8.15.2) with ESMTPS id x8G9nhDb018659 (version=TLSv1.2 cipher=AES256-SHA bits=256 verify=FAIL); Mon, 16 Sep 2019 09:49:43 GMT
Received: from xhs-aln-001.cisco.com (173.37.135.118) by XCH-ALN-020.cisco.com (173.36.7.30) with Microsoft SMTP Server (TLS) id 15.0.1473.3; Mon, 16 Sep 2019 04:49:42 -0500
Received: from xhs-rcd-003.cisco.com (173.37.227.248) by xhs-aln-001.cisco.com (173.37.135.118) with Microsoft SMTP Server (TLS) id 15.0.1473.3; Mon, 16 Sep 2019 04:49:42 -0500
Received: from NAM04-BN3-obe.outbound.protection.outlook.com (72.163.14.9) by xhs-rcd-003.cisco.com (173.37.227.248) with Microsoft SMTP Server (TLS) id 15.0.1473.3 via Frontend Transport; Mon, 16 Sep 2019 04:49:42 -0500
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=Ngi+3lmfFi1WIauK73ClQeMnp7xK7rN1dSyFwotyyrTKI2R7JL33+AvLZDq1yasE1dhSJIVtOczrj61QROJOL0wa1XjjF6AQyyDBFidt8BnFu7KDQPcgZbiiVEK0etsipKuppBJcc2xtM1ZdKBNBel/ChMPzPy/nJeOavQqcCTB11KlmgoU8w8LSS4j+VbJnNcj5x1mgO8oNbmSlv48IyIt+eBqIxnJWyCjceaCDNNXPUqKSWCo+wXYcEN8BkZVhWmWDAOeW5idVY46he32lsLZY3WgaEE7zTLHcN/NqiMrtKmvXPAKowy+JYwX1wHBhUsCUdt9c5KZRPeg5jEA3ug==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=OdPmGC5Zn9S74jazczfhaL6nVw+nAl1qKnrINHHxMbw=; b=DKk1yHHyxtTN0LBfnf6G7k8G1JHRtn7+QIW/7nVztck66hP2vlEojQbP0A7l1UWc32+Ea+gydtmyIdr2rdvc2neNgmTZ7LDzm7O68Xw4PDuy1xTGFhI5CPRKImlnZH9oFaTh5SS/5eZTWmJpoJarVUG1pSA8C6vsx1vveQcuq16cMN5chbBI8J17EeWAGphR2N7XFjnQWI/MfH0m9MLsHt6rIzhVZ3rP673TvHpljrckLHb3AxfIOEOsmOfJYaQc1X3ldR9I64OP3+Ic3B1CLFoH4L608Hv0U9F6YuWdlXxX8Cu16pZbkxSkRFyCYO86QJDtsXJo9tEByw4z4gfJfA==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=cisco.com; dmarc=pass action=none header.from=cisco.com; dkim=pass header.d=cisco.com; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=cisco.onmicrosoft.com; s=selector2-cisco-onmicrosoft-com; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=OdPmGC5Zn9S74jazczfhaL6nVw+nAl1qKnrINHHxMbw=; b=Ns7Dfm43U2aFF1u5tlSVfCUFo5rFbs9onJCeWG4a5GUVon1PNy52kbVp5/KGJL0D5cycS+T5iy5taJAn2OmFeFFn+O3HD17keuCKAdtsNnPft0DjsohDgA5wEq+Gb/pHzpOrXcdVm8Rhs4Adgs8hgtbywFgj5JB/cQ3meVzDPrg=
Received: from CY4PR1101MB2278.namprd11.prod.outlook.com (10.172.76.13) by CY4PR1101MB2277.namprd11.prod.outlook.com (10.172.77.8) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.2263.23; Mon, 16 Sep 2019 09:49:41 +0000
Received: from CY4PR1101MB2278.namprd11.prod.outlook.com ([fe80::686a:2f6e:32c2:5127]) by CY4PR1101MB2278.namprd11.prod.outlook.com ([fe80::686a:2f6e:32c2:5127%9]) with mapi id 15.20.2263.023; Mon, 16 Sep 2019 09:49:41 +0000
From: "Owen Friel (ofriel)" <ofriel@cisco.com>
To: Michael Richardson <mcr+ietf@sandelman.ca>
CC: "iot-onboarding@ietf.org" <iot-onboarding@ietf.org>
Thread-Topic: [Iot-onboarding] FW: New Version Notification for draft-friel-anima-brski-cloud-00.txt
Thread-Index: AQHVaBLJDWupB4qnOkeLl0xPwE45taclVtEwgAFFZQCAB2+AwA==
Date: Mon, 16 Sep 2019 09:49:41 +0000
Message-ID: <CY4PR1101MB22782F6DEDFC9C7C4D476C36DB8C0@CY4PR1101MB2278.namprd11.prod.outlook.com>
References: <156814578438.22642.14659802904628203855.idtracker@ietfa.amsl.com> <CY4PR1101MB2278AB70B3F1E210663E3A46DBB60@CY4PR1101MB2278.namprd11.prod.outlook.com> <7550.1568215974@dooku.sandelman.ca>
In-Reply-To: <7550.1568215974@dooku.sandelman.ca>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
authentication-results: spf=none (sender IP is ) smtp.mailfrom=ofriel@cisco.com;
x-originating-ip: [64.103.40.28]
x-ms-publictraffictype: Email
x-ms-office365-filtering-correlation-id: c55b3d40-afc0-4d0d-f56a-08d73a8b325a
x-microsoft-antispam: BCL:0; PCL:0; RULEID:(2390118)(7020095)(4652040)(8989299)(5600167)(711020)(4605104)(1401327)(4534185)(4627221)(201703031133081)(201702281549075)(8990200)(2017052603328)(7193020); SRVR:CY4PR1101MB2277;
x-ms-traffictypediagnostic: CY4PR1101MB2277:
x-ms-exchange-purlcount: 3
x-microsoft-antispam-prvs: <CY4PR1101MB2277AD12F57A977BDBD93D56DB8C0@CY4PR1101MB2277.namprd11.prod.outlook.com>
x-ms-oob-tlc-oobclassifiers: OLM:10000;
x-forefront-prvs: 0162ACCC24
x-forefront-antispam-report: SFV:NSPM; SFS:(10009020)(4636009)(396003)(39860400002)(136003)(366004)(376002)(346002)(13464003)(51444003)(189003)(199004)(478600001)(71200400001)(9686003)(66066001)(7736002)(5660300002)(66574012)(229853002)(256004)(86362001)(14444005)(6306002)(486006)(186003)(446003)(476003)(11346002)(6436002)(55016002)(25786009)(2906002)(7110500001)(14454004)(316002)(6116002)(3846002)(4326008)(2420400007)(15650500001)(64756008)(52536014)(6246003)(53936002)(71190400001)(102836004)(66556008)(966005)(81156014)(8676002)(66476007)(66946007)(76176011)(66446008)(7696005)(53546011)(6506007)(33656002)(76116006)(8936002)(99286004)(74316002)(305945005)(26005)(81166006); DIR:OUT; SFP:1101; SCL:1; SRVR:CY4PR1101MB2277; H:CY4PR1101MB2278.namprd11.prod.outlook.com; FPR:; SPF:None; LANG:en; PTR:InfoNoRecords; MX:1; A:1;
received-spf: None (protection.outlook.com: cisco.com does not designate permitted sender hosts)
x-ms-exchange-senderadcheck: 1
x-microsoft-antispam-message-info: 119LEB29mGwjKrE2ZK+C7LhZWmxDgTkqxB5LhO6sFiUfe51pZTFfJn4tWbGpYL5d+Z9tDYZ8IozG3mkqo+cLvcku5ERDGATNwimoj1NXlAAdJUYHRwKczKsNIJu68HjKQzEY2d6kgKw5EJILx/XyUVGg/Io/bhdgq8s8E3ri2YDhE8VXGBzt4hWEXwfFcGoqJSpj0iO9OR9UQoUOvn1p1ZJN2x/0knLVuBuzDU+fZacV9Y9Xm2ixVbv0c4dB3plm/hM2teiZPvTcR36aFbpT1a1RY//wFhTveoaU6cRPvUE9yc4l/Y5lzvH0Q8/eW0b2JZwnJPyMLVkpcNw58X42YkhtBVNGh2+4gi8gdI9dZDftKFSYduNFRb7OWPDCzG1OKyd0kSKI3f/4V+1LplM7A3TAHhQ1RvLBd+dsaziWGd0=
x-ms-exchange-transport-forked: True
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
X-MS-Exchange-CrossTenant-Network-Message-Id: c55b3d40-afc0-4d0d-f56a-08d73a8b325a
X-MS-Exchange-CrossTenant-originalarrivaltime: 16 Sep 2019 09:49:41.4242 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 5ae1af62-9505-4097-a69a-c1553ef7840e
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-CrossTenant-userprincipalname: jzTrwcZMOlkt9HWPFCjhF2Cb4dt6/eBAmrLWI11hrzITjpMYw+Lvov5XtcK6Eixz5p4qVnLP/9ncbPAaQbujtQ==
X-MS-Exchange-Transport-CrossTenantHeadersStamped: CY4PR1101MB2277
X-OriginatorOrg: cisco.com
X-Outbound-SMTP-Client: 173.36.7.30, xch-aln-020.cisco.com
X-Outbound-Node: alln-core-9.cisco.com
Archived-At: <https://mailarchive.ietf.org/arch/msg/iot-onboarding/1e5F48NXsLzbS67t8xXXry3I6nw>
Subject: Re: [Iot-onboarding] FW: New Version Notification for draft-friel-anima-brski-cloud-00.txt
X-BeenThere: iot-onboarding@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Discussion of IoT onboarding mechanisms <iot-onboarding.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/iot-onboarding>, <mailto:iot-onboarding-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/iot-onboarding/>
List-Post: <mailto:iot-onboarding@ietf.org>
List-Help: <mailto:iot-onboarding-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/iot-onboarding>, <mailto:iot-onboarding-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 16 Sep 2019 09:49:51 -0000


> -----Original Message-----
> From: Iot-onboarding <iot-onboarding-bounces@ietf.org>; On Behalf Of Michael
> Richardson
> Sent: 11 September 2019 16:33
> To: Owen Friel (ofriel) <ofriel@cisco.com>;
> Cc: iot-onboarding@ietf.org
> Subject: Re: [Iot-onboarding] FW: New Version Notification for draft-friel-
> anima-brski-cloud-00.txt
> 
> 
> Owen Friel (ofriel) <ofriel@cisco.com>; wrote:
>     > FYI, as discussed earlier on the thread, published first cut of the default
> BRSKI cloud registrar draft.
> 
> Thanks for starting this document.  I will send pull requests once I know where
> you put it...
> 

https://github.com/upros/brski-cloud/blob/master/draft-friel-anima-brski-cloud.md

> 
> I think that there are a few high-level things that need to be clearer.
> 0) Why isn't is RFC8572 (SZTP) needs to be clearer.

Feel free to PR whatever explanatory text you want here.

> 
> 1) what does it mean to onboard to the cloud only.  While it is nice for the
>    IETF to make a standard for a manufacturer to interoperate with itself,
>    we should recognize that we don't need to.  This is basically how every
>    single home-IoT device that calls home works today.

As written, the draft doesn't explicitly talk about bootstrapping against a manufacturer service, it just describes using the cloud registrar to discover the service. There are scenarios where a thing can connect to a manufacturers own service, or can connect to a similar service hosted by an independent operator, with the thing having to discover which deployment model is in use. E.g. cisco phones/video endpoints can connect to cisco hosted and operated services (e.g. Webex or Broadcloud), service provider hosted services, or on-premise private operator managed services. That's a good example of a manufacturer having to interop with  itself and a third party.

> 
> 2) we should clarify some reasons why the device can not find the local
>    registrar.  One reason is that it's not local. I.e. a device being
>    bootstrapped at some other location.

For sure, I can add some example use case test.

> 
> 3) the device already has network connectivity.  Probably from a wire!!!
>    (maybe from an open WiFi though)
>    It's not core enterprise/ISP routing/switching equipment.
> 

Agreed, that's a basic currently unwritten assumption. For things with some kind of UX, it could also be a home wifi network running WPA2/3. Once on the network and with access to the internet, the thing then has to discover its service provider (e.g. core enterprise service exposed on internet via enterprise firewall).

> 4) there is probably a significant difference between a 301 redirect before
>    the voucher request and one that occurs after a voucher is issued.
>    A redirect before request would be based upon the TLS Client Certificate
>    identity.

How can you do a HTTP 301 redirect *before* the thing sends in the voucher request? You cannot do this at the TLS layer based purely on the TLS client cert.

> 
>    A redirect that occured during the voucher-request would be curious, and
>    I'm not sure what purpose it would serve, so I want to ignore this.
> 

Right, and I do not have a redirect before voucher request as an option.

>    A redirect in the form a voucher, is a different thing, pointing the
>    pledge to an EST server with which to continue.

Right, that's option 3.

> 
>    In fact, I would suggest that these are two MAJOR different modes, and
>    might even be different documents/protocols.  The argument for not being
>    separate is that it might be on a per-device basis that it makes the
>    decision.

All 3 options are all variations on HTTP redirect *after* the voucher request is sent.

> 
> 5) I think that this mechanism can never work without some amount of
>    supply-chain integration, otherwise the cloud MASA has no idea who the
>    correct customer is.  This is also implies that it doesn't work for the
>    various "HomeDepot" retail situations.
> 

Correct. This is explicitly documented in https://github.com/upros/brski-cloud/blob/master/draft-friel-anima-brski-cloud.md#pledge-ownership-lookup


> --
> ]               Never tell me the odds!                 | ipv6 mesh networks [
> ]   Michael Richardson, Sandelman Software Works        | network architect  [
> ]     mcr@sandelman.ca  http://www.sandelman.ca/        |   ruby on rails    [
> 
> 
> 
> 
>