IETF Logo Mail Archive

Re: [lmap] AD evaluation: draft-ietf-lmap-information-model-16

Juergen Schoenwaelder <j.schoenwaelder@jacobs-university.de> Thu, 26 January 2017 09:52 UTC

Return-Path: <j.schoenwaelder@jacobs-university.de>
X-Original-To: lmap@ietfa.amsl.com
Delivered-To: lmap@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E2359129509 for <lmap@ietfa.amsl.com>; Thu, 26 Jan 2017 01:52:24 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -7.398
X-Spam-Level:
X-Spam-Status: No, score=-7.398 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3, RP_MATCHES_RCVD=-3.199, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id sDQv-ZVdzrr0 for <lmap@ietfa.amsl.com>; Thu, 26 Jan 2017 01:52:23 -0800 (PST)
Received: from atlas3.jacobs-university.de (atlas3.jacobs-university.de [212.201.44.18]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 0B684129502 for <lmap@ietf.org>; Thu, 26 Jan 2017 01:52:22 -0800 (PST)
Received: from localhost (demetrius5.irc-it.jacobs-university.de [10.70.0.222]) by atlas3.jacobs-university.de (Postfix) with ESMTP id C7C2D7F4; Thu, 26 Jan 2017 10:52:20 +0100 (CET)
X-Virus-Scanned: amavisd-new at jacobs-university.de
Received: from atlas3.jacobs-university.de ([10.70.0.205]) by localhost (demetrius5.jacobs-university.de [10.70.0.222]) (amavisd-new, port 10030) with ESMTP id q532xmMcHQAa; Thu, 26 Jan 2017 10:52:17 +0100 (CET)
Received: from hermes.jacobs-university.de (hermes.jacobs-university.de [212.201.44.23]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client CN "hermes.jacobs-university.de", Issuer "Jacobs University CA - G01" (verified OK)) by atlas3.jacobs-university.de (Postfix) with ESMTPS; Thu, 26 Jan 2017 10:52:20 +0100 (CET)
Received: from localhost (demetrius4.jacobs-university.de [212.201.44.49]) by hermes.jacobs-university.de (Postfix) with ESMTP id 582A4200AC; Thu, 26 Jan 2017 10:52:20 +0100 (CET)
X-Virus-Scanned: amavisd-new at jacobs-university.de
Received: from hermes.jacobs-university.de ([212.201.44.23]) by localhost (demetrius4.jacobs-university.de [212.201.44.32]) (amavisd-new, port 10024) with ESMTP id i3A8g_QLCGwq; Thu, 26 Jan 2017 10:52:19 +0100 (CET)
Received: from elstar.local (elstar.jacobs.jacobs-university.de [10.50.231.133]) by hermes.jacobs-university.de (Postfix) with ESMTP id 114AF200AB; Thu, 26 Jan 2017 10:52:19 +0100 (CET)
Received: by elstar.local (Postfix, from userid 501) id 073133E4CD5D; Thu, 26 Jan 2017 10:52:21 +0100 (CET)
Date: Thu, 26 Jan 2017 10:52:21 +0100
From: Juergen Schoenwaelder <j.schoenwaelder@jacobs-university.de>
To: Alissa Cooper <alissa@cooperw.in>
Message-ID: <20170126095221.GC43055@elstar.local>
Mail-Followup-To: Alissa Cooper <alissa@cooperw.in>, trevor.burbridge@bt.com, philip.eardley@bt.com, lmap@ietf.org
References: <2CB94EA6-A5F9-4770-9E76-0C7E8676E9CF@cooperw.in> <22680E7F-38D2-46FE-8549-CBB783ECAF32@cooperw.in> <20170124202801.GB38068@elstar.local> <248d21f7ec4546b0af1fe98e604a4c8e@rew09926dag03c.domain1.systemhost.net> <20170125091835.GB40411@elstar.jacobs.jacobs-university.de> <BC04FF1E-8F78-4D75-B3AF-9085A63DDC56@cooperw.in>
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Disposition: inline
X-Clacks-Overhead: GNU Terry Pratchett
Content-Transfer-Encoding: 8bit
In-Reply-To: <BC04FF1E-8F78-4D75-B3AF-9085A63DDC56@cooperw.in>
User-Agent: Mutt/1.6.0 (2016-04-01)
Archived-At: <https://mailarchive.ietf.org/arch/msg/lmap/oZkvqKy9TCXeMEJwW11L19esFzA>
Cc: trevor.burbridge@bt.com, philip.eardley@bt.com, lmap@ietf.org
Subject: Re: [lmap] AD evaluation: draft-ietf-lmap-information-model-16
X-BeenThere: lmap@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
Reply-To: Juergen Schoenwaelder <j.schoenwaelder@jacobs-university.de>
List-Id: Large Scale Measurement of Access network Performance <lmap.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/lmap>, <mailto:lmap-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/lmap/>
List-Post: <mailto:lmap@ietf.org>
List-Help: <mailto:lmap-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/lmap>, <mailto:lmap-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 26 Jan 2017 09:52:25 -0000

On Wed, Jan 25, 2017 at 10:57:19AM -0500, Alissa Cooper wrote:
> Juergen,
> 
> > On Jan 25, 2017, at 4:18 AM, Juergen Schoenwaelder <j.schoenwaelder@jacobs-university.de> wrote:
> > 
> > Trevor,
> > 
> > this is also the explanation I came up with but the document does not
> > really explain this. Alissa, would this resolve your comment if I try
> > to add text that tries to explain this distinction? Would it help to
> > add examples?
> 
> Explanation and examples would help, especially if some clear delineation about what belongs in each credential set can be given, albeit while remaining generic. But the bigger question is ...
> 
> > 
> > - SSH host keys are I think examples of MA credentials while SSH user
> >  authentication keys and authorization lists are channel
> >  credentials.
> > 
> > - X.509 certificates defining trust to X.509 root authorities are
> >  examples of MA credentials. while X.509 client ceritifcates for TLS
> >  communication are channel credentials.
> 
> … can you explain why you want the controller to be able to change each of these on the MA, from how they were pre-configured?
>

I will try to write some text. Here is the story line: The channel
credentials are relatively obvious (I think) since (i) credentials
often have an expire time (e.g., valid until in X.509 certificates)
and (ii) a controller may want to push channel credentials that are
necessary to talk to a collector or a different controller - i.e., an
initial bootstrap controller may want to redirect a device to another
controller taking care of the device subsequently. If you think about
this, then it may indeed be necessary to update MA credentials as well
in order to allow the MA to verify the credentials presented by a
collector or a different controller.

For an MA embedded in a more complex system, the management of the
credentials may not be controller specific or it may be done entirely
by a different component. In the YANG models, the LMAP model does not
deal with credential management at all. Instead, credentials are deal
with with the NETCONF/RESTCONF data models. And they again refer to
security protocol specific models (for SSH and TLS) and these again
refer to a keystore data model. All this is relatively complex and all
the LMAP information models says is that the functionality to manage
credentials is needed - but it leaves it opaque.

Do you think it is wrong to say that an LMAP controller may need to
update channel and MA credentials in the information model?

/js

-- 
Juergen Schoenwaelder           Jacobs University Bremen gGmbH
Phone: +49 421 200 3587         Campus Ring 1 | 28759 Bremen | Germany
Fax:   +49 421 200 3103         <http://www.jacobs-university.de/>

v2.23.0 | Report a Bug | By Email