Re: [Iot-onboarding] How to locate the EST server on a network?

Toerless Eckert <tte@cs.fau.de> Tue, 14 January 2020 17:37 UTC

Date: Tue, 14 Jan 2020 18:37:28 +0100
From: Toerless Eckert <tte@cs.fau.de>
To: "M. Ranganathan" <mranga@gmail.com>
Cc: iot-onboarding@ietf.org
Message-ID: <20200114173728.GO14549@faui48f.informatik.uni-erlangen.de>
References: <CAHiu4JOFMeENPRnAF49rU7u7KpTSfPS9Kj+We72VVkQ4jcHVpw@mail.gmail.com>
In-Reply-To: <CAHiu4JOFMeENPRnAF49rU7u7KpTSfPS9Kj+We72VVkQ4jcHVpw@mail.gmail.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/iot-onboarding/6pOEJ7PrWsy2IFKhl-Y7tbbqEPU>
Subject: Re: [Iot-onboarding] How to locate the EST server on a network?

EST is not an automated secure enrollment protocol. That's the one key piece
missing from it, and the reason why we are writing the BRSKI
specification, which effectively extends EST with automated enrollment.

EST is sufficient for secure automated renewal / key rollover, but
only for insecure automated initial enrolment. For secure automated
enrolment you would need BRSKI.

If you want to use BRSKI, you would use the DNS-SD service name
brski-registrar, see BRSKI draft section 8.6. If you just want to
do EST alone (again, that would only result in insecure "duckling"
initial enrolment but sufficient for renewal/rekeying), the
service name in DNS is "est". The ACP draft specifies the service
names for discovery via GRASP, which I guess might not be your
first choice outside of ANIMA today ;-).

Beyond that, there are no standardized discovery mechanisms for
EST/BRSKI registrar AFAIK, but I think setting up DNS-SD RRs is
also today the most easily done service registration mechanism.
I wouldn't recommend hacking around with DHCP anymore for this
unless you must support a system setup without DNS available.

Cheers
    Toerless

On Tue, Jan 14, 2020 at 11:55:04AM -0500, M. Ranganathan wrote:
> Hello,
> 
> I am experimenting with EST. How does a device find the address of the
> EST server on a network so it can do a "simple enroll" ?
> 
> Thanks,
> 
> Ranga
> 
> -- 
> M. Ranganathan
> 
> -- 
> Iot-onboarding mailing list
> Iot-onboarding@ietf.org
> https://www.ietf.org/mailman/listinfo/iot-onboarding

-- 
---
tte@cs.fau.de
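The DNS-SD lookup and fallback policy described in the reply above, as an added Python example that is not part of the thread: it picks an enrollment endpoint from SRV data using RFC 2782 priority/weight ordering, requires the `brski-registrar` service for initial enrolment, and accepts the `est` service only when the device already holds a credential (renewal/rekey). The zone contents, the domain example.com, the host names and the ports are constructed placeholders; a real client would resolve the `_<service>._tcp` PTR and SRV records over DNS instead of reading a dictionary.

```python
"""Choose an enrollment endpoint from DNS-SD SRV data.

Added example, not code from the thread. Service names follow the mail:
"brski-registrar" (BRSKI draft section 8.6) and "est" (RFC 7030). The zone
data, example.com, the host names and ports are constructed placeholders; a
real client would resolve the _<service>._tcp PTR and SRV records over DNS.
"""
import random
from dataclasses import dataclass


@dataclass(frozen=True)
class SrvRecord:
    priority: int  # lower is tried first (RFC 2782)
    weight: int    # relative share within one priority level
    port: int
    target: str


# Constructed zone: DNS-SD service name -> SRV records (PTR step collapsed).
CONSTRUCTED_ZONE = {
    "_brski-registrar._tcp.example.com.": [
        SrvRecord(10, 60, 8443, "registrar1.example.com."),
        SrvRecord(10, 40, 8443, "registrar2.example.com."),
        SrvRecord(20, 0, 8443, "registrar-backup.example.com."),
    ],
    "_est._tcp.example.com.": [
        SrvRecord(0, 0, 443, "est.example.com."),
    ],
}

# Constructed zone for a network that advertises only a plain EST server.
CONSTRUCTED_ZONE_EST_ONLY = {
    "_est._tcp.example.com.": [SrvRecord(0, 0, 443, "est.example.com.")],
}


def rfc2782_order(records, seed=None):
    """Order SRV records: ascending priority, weighted random within a level.

    Within one priority, zero-weight records go to the front of the candidate
    list and a uniform pick in [0, sum(weights)] selects the first record whose
    running weight sum reaches the pick, as RFC 2782 describes.
    """
    rng = random.Random(seed)
    ordered = []
    for prio in sorted({r.priority for r in records}):
        group = sorted((r for r in records if r.priority == prio),
                       key=lambda r: r.weight != 0)
        while group:
            total = sum(r.weight for r in group)
            pick = rng.randint(0, total) if total else 0
            running = 0
            for r in group:
                running += r.weight
                if running >= pick:
                    ordered.append(r)
                    group.remove(r)
                    break
    return ordered


def choose_enrollment_endpoint(zone, domain, have_credential, seed=None):
    """Return (service, host, port) for enrollment, or raise LookupError.

    Initial enrolment (no credential yet) requires the BRSKI registrar; EST
    alone would only give an unauthenticated "duckling" enrolment. With an
    existing credential (renewal/rekey) EST is sufficient, but a registrar is
    still preferred when one is advertised.
    """
    candidates = ["brski-registrar", "est"] if have_credential else ["brski-registrar"]
    for service in candidates:
        records = zone.get(f"_{service}._tcp.{domain}.")
        if records:
            best = rfc2782_order(records, seed)[0]
            return service, best.target.rstrip("."), best.port
    raise LookupError(
        "no BRSKI registrar advertised; refusing initial enrolment over EST alone"
    )


if __name__ == "__main__":
    print(choose_enrollment_endpoint(CONSTRUCTED_ZONE, "example.com", have_credential=False))
    print(choose_enrollment_endpoint(CONSTRUCTED_ZONE_EST_ONLY, "example.com", have_credential=True))
```

The policy split on `have_credential` is the security-relevant part: a device with nothing but its manufacturer identity must not treat an `_est._tcp` answer as good enough for first enrolment, while the same lookup is fine once it already has a domain credential to renew.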