Re: [Iot-onboarding] How to locate the EST server on a network?
Toerless Eckert <tte@cs.fau.de> Tue, 14 January 2020 17:37 UTC
Date: Tue, 14 Jan 2020 18:37:28 +0100
From: Toerless Eckert <tte@cs.fau.de>
To: "M. Ranganathan" <mranga@gmail.com>
Cc: iot-onboarding@ietf.org
Message-ID: <20200114173728.GO14549@faui48f.informatik.uni-erlangen.de>
References: <CAHiu4JOFMeENPRnAF49rU7u7KpTSfPS9Kj+We72VVkQ4jcHVpw@mail.gmail.com>
In-Reply-To: <CAHiu4JOFMeENPRnAF49rU7u7KpTSfPS9Kj+We72VVkQ4jcHVpw@mail.gmail.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/iot-onboarding/6pOEJ7PrWsy2IFKhl-Y7tbbqEPU>
Subject: Re: [Iot-onboarding] How to locate the EST server on a network?
List-Id: Discussion of IoT onboarding mechanisms <iot-onboarding.ietf.org>
List-Archive: <https://mailarchive.ietf.org/arch/browse/iot-onboarding/>
EST is not an automated secure enrollment protocol. That's the one key piece missing from it, and the reason why we are writing the BRSKI specification, which effectively extends EST with automated enrollment. EST is sufficient for secure automated renewal / key rollover, but only for insecure automated initial enrolment. For secure automated enrolment you would need BRSKI.

If you want to use BRSKI, you would use the DNS-SD service name brski-registrar, see BRSKI draft section 8.6. If you just want to do EST alone (again, that would only result in insecure "duckling" initial enrolment but sufficient for renewal/rekeying), the service name in DNS is "est".

The ACP draft specifies the service names for discovery via GRASP, which I guess might not be your first choice outside of ANIMA today ;-).

Beyond that, there are no standardized discovery mechanisms for EST/BRSKI registrar AFAIK, but I think setting up DNS-SD RRs is also today the most easily done service registration mechanism. I wouldn't recommend hacking around with DHCP anymore for this unless you must support a system setup without DNS available.

Cheers
    Toerless

On Tue, Jan 14, 2020 at 11:55:04AM -0500, M. Ranganathan wrote:
> Hello,
>
> I am experimenting with EST. How does a device find the address of the
> EST server on a network so it can do a "simple enroll" ?
>
> Thanks,
>
> Ranga
>
> --
> M. Ranganathan
>
> --
> Iot-onboarding mailing list
> Iot-onboarding@ietf.org
> https://www.ietf.org/mailman/listinfo/iot-onboarding

--
---
tte@cs.fau.de
- [Iot-onboarding] How to locate the EST server on … M. Ranganathan
- Re: [Iot-onboarding] How to locate the EST server… Toerless Eckert
- Re: [Iot-onboarding] How to locate the EST server… Brian E Carpenter
- Re: [Iot-onboarding] How to locate the EST server… Michael Richardson