Re: [OPSAWG] [Anima] dealing with multiple manufacturer services with a single certificate extension
Eliot Lear <lear@cisco.com> Tue, 02 May 2017 08:47 UTC
Return-Path: <lear@cisco.com>
X-Original-To: opsawg@ietfa.amsl.com
Delivered-To: opsawg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 0AE4D120454; Tue, 2 May 2017 01:47:35 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -14.502
X-Spam-Level:
X-Spam-Status: No, score=-14.502 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_HI=-5, RP_MATCHES_RCVD=-0.001, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001, USER_IN_DEF_DKIM_WL=-7.5] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=cisco.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id NFnFbw-_6Q2N; Tue, 2 May 2017 01:47:32 -0700 (PDT)
Received: from aer-iport-4.cisco.com (aer-iport-4.cisco.com [173.38.203.54]) (using TLSv1.2 with cipher DHE-RSA-SEED-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 40F2113012B; Tue, 2 May 2017 01:42:23 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cisco.com; i=@cisco.com; l=19516; q=dns/txt; s=iport; t=1493714543; x=1494924143; h=subject:to:references:cc:from:message-id:date: mime-version:in-reply-to; bh=t+1aP5UjK8dwihsSBc6tFZawXIMb9KW7qE0H24okSjE=; b=SDj8bi9MzpzicFsJJhSB10KigwCjb5n08+28VgIs5xzlnaKYu3Ef46Vh YvqFIFgiCaZPMOPah+nmvm6YqGsklX0KQRK7qpQCs44HTyvELHcoTzsxx wSIMa9/ZWBHwBBEYP2/T5W/zNwDA3tgsMiZWfb3CXS1Bh/vCpus36Y3N0 k=;
X-Files: signature.asc : 481
X-IronPort-AV: E=Sophos;i="5.37,404,1488844800"; d="asc'?scan'208,217";a="654397594"
Received: from aer-iport-nat.cisco.com (HELO aer-core-4.cisco.com) ([173.38.203.22]) by aer-iport-4.cisco.com with ESMTP/TLS/DHE-RSA-AES256-GCM-SHA384; 02 May 2017 08:42:21 +0000
Received: from [10.61.67.64] (ams3-vpn-dhcp832.cisco.com [10.61.67.64]) by aer-core-4.cisco.com (8.14.5/8.14.5) with ESMTP id v428gK3W021775; Tue, 2 May 2017 08:42:20 GMT
To: "Max Pritikin (pritikin)" <pritikin@cisco.com>
References: <031d87aa-1839-d7af-0723-dd9a2aa7ad0a@cisco.com> <43DF7C00-FC3B-4327-9EE4-13ED6520E580@cisco.com>
Cc: "ibagdona@gmail.com" <ibagdona@gmail.com>, Zhoutianran <zhoutianran@huawei.com>, "opsawg@ietf.org" <opsawg@ietf.org>, Anima WG <anima@ietf.org>
From: Eliot Lear <lear@cisco.com>
Message-ID: <9298f306-400b-2c38-bed2-637183f35ea1@cisco.com>
Date: Tue, 02 May 2017 10:42:20 +0200
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.12; rv:45.0) Gecko/20100101 Thunderbird/45.8.0
MIME-Version: 1.0
In-Reply-To: <43DF7C00-FC3B-4327-9EE4-13ED6520E580@cisco.com>
Content-Type: multipart/signed; micalg="pgp-sha256"; protocol="application/pgp-signature"; boundary="D9xHssxQfdkMVHo2VU1eVlv6pAQankivD"
Archived-At: <https://mailarchive.ietf.org/arch/msg/opsawg/0knTJiQOocIZEgN08q1YwgLDVS0>
Subject: Re: [OPSAWG] [Anima] dealing with multiple manufacturer services with a single certificate extension
X-BeenThere: opsawg@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: OPSA Working Group Mail List <opsawg.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/opsawg>, <mailto:opsawg-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/opsawg/>
List-Post: <mailto:opsawg@ietf.org>
List-Help: <mailto:opsawg-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/opsawg>, <mailto:opsawg-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 02 May 2017 08:47:35 -0000
Hi Max, On 4/24/17 5:52 PM, Max Pritikin (pritikin) wrote: > > I’ve been agitating for a combined form. My thanks to Eliot for > continuing the conversation. Below I provide some details from the > current BRSKI draft to flesh out the conversation and then present an > argument for my position. > >> On Apr 23, 2017, at 5:23 AM, Eliot Lear <lear@cisco.com >> <mailto:lear@cisco.com>> wrote: >> >> Hi everyone, >> >> Just a quick update on this document. I am preparing for the next >> version of the draft. There is one major change contemplated that is >> not yet addressed. >> >> I received feedback from the IETF Chicago meeting regarding how best >> to structure URLs in manufacturer certificates. There are currently >> two planned, one for MUD and one for ANIMA/BRSKI. The question is >> whether these should be combined. >> >> I had said in Chicago that I would ask various manufacturers about >> whether additional complexity on the backend is worth saving the >> bytes in the certificate. There was, as you might imagine, a mixed >> response. A number of manufacturers answered, “No, and in fact we >> want to do our own certificate extensions”. Others simply answered >> “No, the code requirements for ANIMA will probably make the cert >> extension a relatively minimal matter”. And some manufacturers, >> said, “yes, every byte counts.” I am proceeding in a way that >> accommodates the 3rd group for now, but I seek discussion. >> >> If we combine the URLs the way it would work is that there would be a >> service endpoint along the lines of the following: >> >> * https://example.com/.well-known/mfg/modelname >> > Given that the .well-known concept is already well defined the > approach taken in the BRSKI draft (s2.3) is to include only the > “manufacturer” authority: > https://example.com > > From here the relying party can use the .well-known constructs to > access any variety of manufacturer services which I expect to include > https://example.com/.well-known/brksi > https://example.com/.well-known/mud > etc > > This minimizes the information stored within the certificate itself. A > single extension indicating the “manufacturer services authority”. > Building a full URL to these services is done using the .well-known > method. One challenge here is that we need model information present, and you may need it as well to route to the correct BRSKI service (presuming there is more than one for manufacturer example.com). And so we would need to add at least the model back, or otherwise reflect the model in the authority section. I'm not a big fan of requiring that because it requires unnecessary interactions with DNS administration. >> At that point, we would need to deference, introducing some >> additional complexity somewhere in the system. We should be mindful >> of the following issue: >> >> 1. Versioning should be supported OUTSIDE of the referenced >> service. The more that is done, the more freedom the referenced >> service has the ability to change. >> 2. Versioning of services should not be done in lock step. That is, >> if we keep the versioning information in the URL, that means that >> when the MUD version is bumped, so too would the ANIMA version. >> It is possible to keep a registry that would indicate URL >> versioning and then map to all the different versions of whatever >> is referenced, but that seems ridiculously complex. >> 3. The resolution mechanism to services should be independent of how >> the URL is gotten by the various {MUD/ANIMA/...} controllers. >> And thus, if a MUD controller receives the URL via LLDP or DHCP, >> the same processing should occur as if it was received via a >> certificate. This simplifies code paths, and will hence reduce >> risk of bugs. It will also follow the principle of least >> astonishment. >> >> It seems to me the simplest way to handle this sort of thing is to >> create a table that MUD/ANIMA controllers simply download when they >> see the URL. It might look something like this: >> >> { >> "mfg-services" : [ >> "mud", "v1", "https://mud.example.com/Frobmaster3000.json", >> "anima", "v1", "https://masa.example.com/masa-service" >> ] >> } > Using a .well-known to query a host about which possible interfaces > are available has precedent. For an alternative example also see, > https://tools.ietf.org/html/rfc6415 > "The client obtains the host-meta document for a given host by sending > an HTTP [RFC2616 <https://tools.ietf.org/html/rfc2616>] or an HTTPS [RFC2818 <https://tools.ietf.org/html/rfc2818>] GET request to the host for > the "/.well-known/host-meta” path […]” > > > I see this as an optional redirection that MUD or BRSKI or future > protocols might define but don’t see it as a necessary part of the > manufacturing certificate extension definition. I’d think we could > stop at an extension to provide the root authority to form .well-known > URLs. Simpler, smaller, and just as flexible. But more complex, requiring a query as opposed to a straight retrieval, thus requiring additional work on the back end. > > > As a side note using this approach imposes a difficulty on MUD: the > model and serial number information need to be carried elsewhere and > normatively defined - MUD can no longer depend on a distinct URL for > each class of device. So while I see this as an improvement for IETF > as a whole it is problematic for MUD itself and I appreciate the > willingness of the MUD authors to discuss it. At the moment, more manufacturers are coming back to me to say that we should just leave these as separate and distinct mechanisms. I think that's the simplest approach. Eliot
- [OPSAWG] dealing with multiple manufacturer servi… Eliot Lear
- Re: [OPSAWG] [Anima] dealing with multiple manufa… Max Pritikin (pritikin)
- Re: [OPSAWG] [Anima] dealing with multiple manufa… Eliot Lear
- Re: [OPSAWG] [Anima] dealing with multiple manufa… Michael Richardson
- Re: [OPSAWG] [Anima] dealing with multiple manufa… Eliot Lear