IETF Logo Mail Archive

[Iot-onboarding] draft-sarikaya-t2trg-sbootstrapping-05 is really good

Michael Richardson <mcr+ietf@sandelman.ca> Sun, 02 December 2018 20:38 UTC

Return-Path: <mcr@sandelman.ca>
X-Original-To: iot-onboarding@ietfa.amsl.com
Delivered-To: iot-onboarding@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C9D3E12E036; Sun, 2 Dec 2018 12:38:37 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Level:
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id aBwgR2O8BNWZ; Sun, 2 Dec 2018 12:38:35 -0800 (PST)
Received: from relay.sandelman.ca (relay.cooperix.net [IPv6:2a01:7e00::f03c:91ff:feae:de77]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id F3FF3126CC7; Sun, 2 Dec 2018 12:38:34 -0800 (PST)
Received: from dooku.sandelman.ca (unknown [IPv6:2a02:c7d:b752:2f00:c3eb:b5be:80ee:7c56]) by relay.sandelman.ca (Postfix) with ESMTPS id 8F99F1F8BE; Sun, 2 Dec 2018 20:38:32 +0000 (UTC)
Received: by dooku.sandelman.ca (Postfix, from userid 179) id 18CB6B8C; Sun, 2 Dec 2018 20:38:01 +0000 (GMT)
From: Michael Richardson <mcr+ietf@sandelman.ca>
To: iot-onboarding@ietf.org, t2trg@ietf.org
cc: draft-sarikaya-t2trg-sbootstrapping@ietf.org
X-Attribution: mcr
X-Mailer: MH-E 8.6; nmh 1.6; GNU Emacs 24.5.1
MIME-Version: 1.0
Content-Type: multipart/signed; boundary="=-=-="; micalg="pgp-sha256"; protocol="application/pgp-signature"
Date: Sun, 02 Dec 2018 20:38:01 -0000
Message-ID: <13966.1543783081@dooku.sandelman.ca>
Archived-At: <https://mailarchive.ietf.org/arch/msg/iot-onboarding/JgI80Dnksm4hmRn3SYD916nm7d0>
Subject: [Iot-onboarding] draft-sarikaya-t2trg-sbootstrapping-05 is really good
X-BeenThere: iot-onboarding@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: <iot-onboarding.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/iot-onboarding>, <mailto:iot-onboarding-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/iot-onboarding/>
List-Post: <mailto:iot-onboarding@ietf.org>
List-Help: <mailto:iot-onboarding-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/iot-onboarding>, <mailto:iot-onboarding-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 02 Dec 2018 20:38:38 -0000

B. Sarikaya, M. Sethi and D. Garcia-Carillo
have done some very good work with 
  https://datatracker.ietf.org/doc/html/draft-sarikaya-t2trg-sbootstrapping-05

The intro section deals with "bootstrapping" vs "onboarding", and there is
also the term "enrollment"... 

Section 3 does not mention BRSKI, and it probably should, but you mention it
in section 4... not sure I understand why. I guess it is a managed method?


"Opportunistic and leap-of-faith methods"

I think that this category should be split up, and distinguish between
methods that are Opportunistic (no memory, no implied trust), those which
are LoF followed by Trust on First Use.

      Additionally, various
      online services such as Gmail and Facebook allow anyone to create
      a new identity during the initial setup and later only verify the
      continuity of the same identity.

Not sure I understand this, maybe a reference would be worth it.
Since I don't understand it, I don't know if it fits.

section 4.1 lists a bunch of one-touch (1+) methods as managed,
which I actually find puzzling.  I do not consider many of the methods listed
as enrollment or onboarding methods.  (By the (a) defintion of Introduction)
They are all (b) methods, yet you include BRSKI there.

[I-D.ietf-netconf-zerotouch] is an RFC8366 based mechanism, similar to BRSKI,
but using a different set of assumptions about communications, including none
(USB key).

4.2: I'm told that Thread version n+1 uses BRSKI.

DPP:    DPP (Device Provisioning Protocol) [dpp] is a 3 message
   authentication protocol currently being standardized by the WiFi
   Alliance for devices that rely on IEEE 802.11 link-layer for
   communication.  The current DPP specification is only aimed at
   networks that use WPA2-PSK (also known as WPA2-Home) for network
   access authentication. 

I was unaware that it was limited WPA2-PSK networks. I don't think that is
true. Maybe WPA2-PSK type networks are just the sweet spot where it makes
most sense.

Generally, I really like your section 1,2.
Section 3 could use a bit of work.

I don't think the survey in section 4 is worthwhile as is.

What I'd like to see is a clear set of terminology (a la RFC7228) that we can
subsequently use.  Some really clear clarification of what some terms mean.
I don't care if due to clashes with other word uses, we "Property Red",
"RFC89AB-bootstrapping"... (or use Caribean island names or whatever).

We could stop at that point, and then let the various documents apply the
terminology to themselves.
   "According to RFC89AB terminology, BRSKI is has Property Red, and
   should be categorized into the set of Jamaican-Zero-Touch protocols"

I think that getting section 4 nailed down is not very useful in an IETF
or IRTF specification.   It will take too long, and might cause arguments
that can't be resolved, even in IETF publication time.

Instead, write a survey article for a journal (the IETF Journal is always
looking for stuff...) that applies your terminology to various protocols.  

-- 
Michael Richardson <mcr+IETF@sandelman.ca>, Sandelman Software Works
 -= IPv6 IoT consulting =-

v2.23.0 | Report a Bug | By Email