Re: [Iot-onboarding] How to locate the EST server on a network?

Brian E Carpenter <brian.e.carpenter@gmail.com> Tue, 14 January 2020 18:44 UTC

Hi Ranga,

> The ACP draft specifies the service
> names for discovery via GRASP, which I guess might not be your
> first choice outside of ANIMA today ;-).

Definitely not for production. But for pure experimentation, if you like, it wouldn't be hard to put some code together, if you don't have a DNSSD option and you do enjoy Python hacking. Let me know if you want to do that, because I've written very similar code already.

Regards
   Brian Carpenter

On 15-Jan-20 06:37, Toerless Eckert wrote:
> EST is not an automated secure enrollment protocol. That's the one key piece
> missing from it, and the reason why we are writing the BRSKI
> specification, which effectively extends EST with automated enrollment.
> 
> EST is sufficient for secure automated renewal / key rollover, but
> only for insecure automated initial enrolment. For secure automated
> enrolment you would need BRSKI.
> 
> If you want to use BRSKI, you would use the DNS-SD service name
> brski-registrar, see BRSKI draft section 8.6. If you just want to
> do EST alone (again, that would only result in insecure "duckling"
> initial enrolment but sufficient for renewal/rekeying), the
> service name in DNS is "est". The ACP draft specifies the service
> names for discovery via GRASP, which I guess might not be your
> first choice outside of ANIMA today ;-).
> 
> Beyond that, there are no standardized discovery mechanisms for
> EST/BRSKI registrar AFAIK, but I think setting up DNS-SD RRs is
> also today the most easily done service registration mechanism.
> I wouldn't recommend hacking around with DHCP anymore for this
> unless you must support a system setup without DNS available.
> 
> Cheers
>     Toerless
> 
> On Tue, Jan 14, 2020 at 11:55:04AM -0500, M. Ranganathan wrote:
>> Hello,
>>
>> I am experimenting with EST. How does a device find the address of the
>> EST server on a network so it can do a "simple enroll" ?
>>
>> Thanks,
>>
>> Ranga
>>
>> -- 
>> M. Ranganathan
>>
>
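The DNS-SD lookup Toerless describes above (service name "est" for plain EST, "brski-registrar" for a BRSKI registrar), as an added Python example that is not code from this thread or from any of its authors: it builds the DNS-SD browse name, decodes a constructed SRV answer in wire format, applies the RFC 2782 priority/weight selection and derives the RFC 7030 simpleenroll URL. The hostnames, ports and SRV bytes are made-up sample values constructed inside the block.

```python
import struct
from typing import List, NamedTuple, Tuple

# Service names from the thread: "est" (plain EST) and "brski-registrar" (BRSKI).
SERVICE_TYPES = {"est": "_est._tcp", "brski-registrar": "_brski-registrar._tcp"}

class SrvRecord(NamedTuple):
    priority: int
    weight: int
    port: int
    target: str

def browse_name(service: str, domain: str) -> str:
    """DNS-SD PTR query name, e.g. _est._tcp.example.com; each instance's
    SRV record then lives under <Instance>.<this name>."""
    return f"{SERVICE_TYPES[service]}.{domain.rstrip('.')}"

def parse_name(wire: bytes, offset: int) -> Tuple[str, int]:
    """Decode an uncompressed wire-format DNS name; returns (name, next offset)."""
    labels = []
    while True:
        length = wire[offset]
        offset += 1
        if length == 0:
            return ".".join(labels), offset
        if length & 0xC0:  # compression pointer: only resolvable inside a full message
            raise ValueError("compressed name not supported in this example")
        labels.append(wire[offset:offset + length].decode("ascii"))
        offset += length

def parse_srv_rdata(rdata: bytes) -> SrvRecord:
    """SRV RDATA layout (RFC 2782): priority, weight, port, then target name."""
    priority, weight, port = struct.unpack("!HHH", rdata[:6])
    target, _ = parse_name(rdata, 6)
    return SrvRecord(priority, weight, port, target)

def pick_server(records: List[SrvRecord]) -> SrvRecord:
    """RFC 2782 selection: lowest priority first, then highest weight."""
    return min(records, key=lambda r: (r.priority, -r.weight))

def simpleenroll_url(rec: SrvRecord) -> str:
    """EST well-known path from RFC 7030; the TLS layer must still verify the server."""
    return f"https://{rec.target}:{rec.port}/.well-known/est/simpleenroll"

def encode_srv_rdata(priority: int, weight: int, port: int, target: str) -> bytes:
    """Constructed sample data only: build SRV RDATA so the example runs offline."""
    labels = [bytes([len(l)]) + l.encode("ascii") for l in target.split(".")]
    return struct.pack("!HHH", priority, weight, port) + b"".join(labels) + b"\x00"
```

Discovery only locates a candidate server; as the thread notes, EST by itself gives only insecure initial enrolment, so the device must still validate the server's TLS certificate against its trust anchors before sending the simpleenroll request.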