Re: [Iotops] [Rats] 802.1AR device identity

Guy Fedorkow <gfedorkow@juniper.net> Mon, 19 April 2021 12:24 UTC

From: Guy Fedorkow <gfedorkow@juniper.net>
To: Eliot Lear <lear@cisco.com>, Laurence Lundblade <lgl@island-resort.com>
CC: Ira McDonald <blueroofmusic@gmail.com>, "rats@ietf.org" <rats@ietf.org>, "Smith, Ned" <ned.smith@intel.com>, "iotops@ietf.org" <iotops@ietf.org>, Henk Birkholz <henk.birkholz@sit.fraunhofer.de>
Thread-Topic: [Rats] 802.1AR device identity
Date: Mon, 19 Apr 2021 12:24:00 +0000
Message-ID: <BLAPR05MB7378079759DB7978ED613C74BA499@BLAPR05MB7378.namprd05.prod.outlook.com>
References: <D197C29D-95C4-4696-BE22-703E14DFFE35@intel.com> <E0971364-E3AD-40C6-A08A-A0BA7E64D18F@cisco.com> <0C1A8AE6-E6C3-4AF9-9E4F-5841FB450BE3@intel.com> <957A467D-4FE4-4031-98D2-6936D014A37C@cisco.com> <62FFA122-047E-468C-A2DD-5A0E4E8EAF74@intel.com> <9EE53DF3-17AD-495D-9BE7-C15B92EF6B99@island-resort.com> <CAN40gSsCbjpVuCQwsWWjGwfL=cARHcAa0ZPsm+sk8H=9_otZUw@mail.gmail.com> <3593A760-335F-40AF-AC43-7E2D7A1EFF7B@island-resort.com> <BLAPR05MB7378A9F73457513AC951F82FBA7A9@BLAPR05MB7378.namprd05.prod.outlook.com> <07EAF7BF-1595-448D-9164-3903E15C5A50@cisco.com>
In-Reply-To: <07EAF7BF-1595-448D-9164-3903E15C5A50@cisco.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/iotops/sffxU6b_QNAK6igAyqK8DiyYbLU>
Subject: Re: [Iotops] [Rats] 802.1AR device identity
X-BeenThere: iotops@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IOT Operations <iotops.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/iotops>, <mailto:iotops-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/iotops/>
List-Post: <mailto:iotops@ietf.org>
List-Help: <mailto:iotops-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/iotops>, <mailto:iotops-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 19 Apr 2021 12:24:11 -0000

Hi Laurence,

  I agree that onboarding is the most-obvious use-case.  Security-related configuration that should be applied only to specific identified devices is another use.

  I think of IDevID as the serial number plate the manufacturer etches into a laptop, while LDevID is the asset tag the corporate IT department or its outsourced supplier sticks on the laptop.

  If you’re using the laptop in the same corporate context, the asset tag number is the uniform identifier across the org, and that’s likely to be the right thing to use.  If you bought it on ebay, use the IDevID!

  But it seems clear 802.1AR wasn’t designed with the intent of tracking devices through a chain of owners.  For that you might want something like the TCG Platform Certificate.

  /guy

From: Eliot Lear <lear@cisco.com>
Sent: Sunday, April 18, 2021 9:52 AM
To: Guy Fedorkow <gfedorkow@juniper.net>
Cc: Laurence Lundblade <lgl@island-resort.com>; Ira McDonald <blueroofmusic@gmail.com>; rats@ietf.org; Smith, Ned <ned.smith@intel.com>; iotops@ietf.org; Henk Birkholz <henk.birkholz@sit.fraunhofer.de>
Subject: Re: [Rats] 802.1AR device identity

Sorry for the delayed response:

	On 2 Apr 2021, at 19:05, Guy Fedorkow <gfedorkow@juniper.net> wrote:

	Hi Laurence,

	  I agree that IDevID is intended to persist through the device’s lifetime, while LDevID is meant to represent the current owner.

 

Yes, that was the original intent, and even the current intent.  And while that is necessary, it may not be sufficient for long supply chains where ownership passes from one to another.  The LDevID is an owner-assigned name, and so the question is this: when an owner goes to transfer, does it need to use the IDevID again or should it use the LDevID?  There are benefits and drawbacks to both, but if the LDevID is used, then it is used as the IDevID would have been as part of that transfer.  The nice thing about FDO is that it keeps an entire record of these sorts of transfers.

 

Eliot
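The rule Guy gives above (use the asset tag inside your own org, fall back to the manufacturer's etched serial number otherwise) as a small Go check. This is an added example, not code from the thread or from 802.1AR: it builds a constructed toy PKI with the standard library (a manufacturer CA, our own CA and a previous owner's CA; every name and serial is made up) and accepts an LDevID only when our own CA issued it, otherwise it falls back to the IDevID, so an asset tag left behind by a previous owner is ignored rather than trusted.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"math/big"
	"time"
)

// newCert issues a cert for cn (self-signed root when parent is nil); constructed toy PKI only, real IDevIDs come from the manufacturer at build time.
func newCert(cn string, ku x509.KeyUsage, parent *x509.Certificate, pkey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: ku&x509.KeyUsageCertSign != 0, BasicConstraintsValid: true, KeyUsage: ku,
	}
	if parent == nil { // self-signed root: the template signs itself
		parent, pkey = tmpl, priv
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, pkey)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der)
	return cert, priv
}

// chainsTo reports whether leaf validates against root as the sole trust anchor.
func chainsTo(leaf, root *x509.Certificate) bool {
	pool := x509.NewCertPool()
	pool.AddCert(root)
	_, err := leaf.Verify(x509.VerifyOptions{Roots: pool, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}})
	return err == nil
}

// selectIdentity: use the asset tag (LDevID) only if our own CA issued it; otherwise fall back
// to the manufacturer's plate (IDevID). An LDevID left by a previous owner is simply ignored.
func selectIdentity(idev, ldev, mfrRoot, ourRoot *x509.Certificate) (string, error) {
	if ldev != nil && chainsTo(ldev, ourRoot) {
		return "LDevID:" + ldev.Subject.CommonName, nil
	}
	if chainsTo(idev, mfrRoot) {
		return "IDevID:" + idev.Subject.CommonName, nil
	}
	return "", errors.New("no trusted device identity")
}
```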