IETF Logo Mail Archive

Re: [OPSAWG] [Anima] dealing with multiple manufacturer services with a single certificate extension

"Max Pritikin (pritikin)" <pritikin@cisco.com> Mon, 24 April 2017 15:52 UTC

Return-Path: <pritikin@cisco.com>
X-Original-To: opsawg@ietfa.amsl.com
Delivered-To: opsawg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 36C6B131739; Mon, 24 Apr 2017 08:52:05 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -14.522
X-Spam-Level:
X-Spam-Status: No, score=-14.522 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_HI=-5, RCVD_IN_MSPIKE_H3=-0.01, RCVD_IN_MSPIKE_WL=-0.01, RP_MATCHES_RCVD=-0.001, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001, USER_IN_DEF_DKIM_WL=-7.5] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=cisco.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id QTP5sfFgBOP3; Mon, 24 Apr 2017 08:52:03 -0700 (PDT)
Received: from alln-iport-5.cisco.com (alln-iport-5.cisco.com [173.37.142.92]) (using TLSv1.2 with cipher DHE-RSA-SEED-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 9605F12F28E; Mon, 24 Apr 2017 08:52:02 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cisco.com; i=@cisco.com; l=19888; q=dns/txt; s=iport; t=1493049122; x=1494258722; h=from:to:cc:subject:date:message-id:references: in-reply-to:mime-version; bh=bfqrIKLSaBTIl3hKWToqlts4N4J3h9V10KF+1+PYOwY=; b=chSM2h+N6Qo4l79hCVZAySaaqA50PKmRsadpuPVzgkdSUtAqN6QMkKSd shOUk0Lfm7p3AsZ6o/AyXK+FDnxsQG6wz84ZE9VfUOPSmV509yI386JA1 8YvmA8YYr577PKMwcp7XEMr9aMqWy6Il2ZYYO52NBYPbtHyc7e5O8fkK7 M=;
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: A0C7AQAXHv5Y/4YNJK1cEwEBBAEBAQEBAQEBAQEBBwEBAQEBgm47K2F6EgeDYIoVkUiQUYU1gg8hAQqFeAIag3g/GAECAQEBAQEBAWsohRYCAQMBASFEBwsQAgEGAj8DAgICJQsUEQIEDgWKHA6MZZwtEYEggiYrinMBAQEBAQEBAQEBAQEBAQEBAQEBAQEYBYgwKwuCY4ddLoIxBYlEk30BhxaLb4IAj1eIb4spAR84gQZjFUQRAYIUgkADHBmBSnUBiCiBDQEBAQ
X-IronPort-AV: E=Sophos;i="5.37,245,1488844800"; d="scan'208,217";a="415113707"
Received: from alln-core-12.cisco.com ([173.36.13.134]) by alln-iport-5.cisco.com with ESMTP/TLS/DHE-RSA-AES256-SHA; 24 Apr 2017 15:52:01 +0000
Received: from XCH-ALN-014.cisco.com (xch-aln-014.cisco.com [173.36.7.24]) by alln-core-12.cisco.com (8.14.5/8.14.5) with ESMTP id v3OFq14G021694 (version=TLSv1/SSLv3 cipher=AES256-SHA bits=256 verify=FAIL); Mon, 24 Apr 2017 15:52:01 GMT
Received: from xch-aln-013.cisco.com (173.36.7.23) by XCH-ALN-014.cisco.com (173.36.7.24) with Microsoft SMTP Server (TLS) id 15.0.1210.3; Mon, 24 Apr 2017 10:52:00 -0500
Received: from xch-aln-013.cisco.com ([173.36.7.23]) by XCH-ALN-013.cisco.com ([173.36.7.23]) with mapi id 15.00.1210.000; Mon, 24 Apr 2017 10:52:00 -0500
From: "Max Pritikin (pritikin)" <pritikin@cisco.com>
To: Eliot Lear <lear@cisco.com>
CC: "ibagdona@gmail.com" <ibagdona@gmail.com>, Zhoutianran <zhoutianran@huawei.com>, "opsawg@ietf.org" <opsawg@ietf.org>, Anima WG <anima@ietf.org>
Thread-Topic: [Anima] dealing with multiple manufacturer services with a single certificate extension
Thread-Index: AQHSvCQhd5qqrdmB6UuuwhRam3JFFaHVAPOA
Date: Mon, 24 Apr 2017 15:52:00 +0000
Message-ID: <43DF7C00-FC3B-4327-9EE4-13ED6520E580@cisco.com>
References: <031d87aa-1839-d7af-0723-dd9a2aa7ad0a@cisco.com>
In-Reply-To: <031d87aa-1839-d7af-0723-dd9a2aa7ad0a@cisco.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-ms-exchange-messagesentrepresentingtype: 1
x-ms-exchange-transport-fromentityheader: Hosted
x-originating-ip: [10.99.106.4]
Content-Type: multipart/alternative; boundary="_000_43DF7C00FC3B43279EE413ED6520E580ciscocom_"
MIME-Version: 1.0
Archived-At: <https://mailarchive.ietf.org/arch/msg/opsawg/4vmHzLSNtvJrazcL9uxPD01EL3o>
Subject: Re: [OPSAWG] [Anima] dealing with multiple manufacturer services with a single certificate extension
X-BeenThere: opsawg@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: OPSA Working Group Mail List <opsawg.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/opsawg>, <mailto:opsawg-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/opsawg/>
List-Post: <mailto:opsawg@ietf.org>
List-Help: <mailto:opsawg-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/opsawg>, <mailto:opsawg-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 24 Apr 2017 15:52:05 -0000

I’ve been agitating for a combined form. My thanks to Eliot for continuing the conversation. Below I provide some details from the current BRSKI draft to flesh out the conversation and then present an argument for my position.

On Apr 23, 2017, at 5:23 AM, Eliot Lear <lear@cisco.com<mailto:lear@cisco.com>> wrote:

Hi everyone,

Just a quick update on this document.  I am preparing for the next version of the draft.  There is one major change contemplated that is not yet addressed.

I received feedback from the IETF Chicago meeting regarding how best to structure URLs in manufacturer certificates.  There are currently two planned, one for MUD and one for ANIMA/BRSKI.  The question is whether these should be combined.

I had said in Chicago that I would ask various manufacturers about whether additional complexity on the backend is worth saving the bytes in the certificate.  There was, as you might imagine, a mixed response.  A number of manufacturers answered, “No, and in fact we want to do our own certificate extensions”.  Others simply answered “No, the code requirements for ANIMA will probably make the cert extension a relatively minimal matter”.  And some manufacturers, said, “yes, every byte counts.”  I am proceeding in a way that accommodates the 3rd group for now, but I seek discussion.

If we combine the URLs the way it would work is that there would be a service endpoint along the lines of the following:

  *   https://example.com/.well-known/mfg/modelname

Given that the .well-known concept is already well defined the approach taken in the BRSKI draft (s2.3) is to include only the “manufacturer” authority:
https://example.com

From here the relying party can use the .well-known constructs to access any variety of manufacturer services which I expect to include
https://example.com/.well-known/brksi
https://example.com/.well-known/mud
etc

This minimizes the information stored within the certificate itself. A single extension indicating the “manufacturer services authority”. Building a full URL to these services is done using the .well-known method.

At that point, we would need to deference, introducing some additional complexity somewhere in the system.  We should be mindful of the following issue:

  1.  Versioning should be supported OUTSIDE of the referenced service.  The more that is done, the more freedom the referenced service has the ability to change.
  2.  Versioning of services should not be done in lock step.  That is, if we keep the versioning information in the URL, that means that when the MUD version is bumped, so too would the ANIMA version.  It is possible to keep a registry that would indicate URL versioning and then map to all the different versions of whatever is referenced, but that seems ridiculously complex.
  3.  The resolution mechanism to services should be independent of how the URL is gotten by the various {MUD/ANIMA/...} controllers.  And thus, if a MUD controller receives the URL via LLDP or DHCP, the same processing should occur as if it was received via a certificate.  This simplifies code paths, and will hence reduce risk of bugs.  It will also follow the principle of least astonishment.

It seems to me the simplest way to handle this sort of thing is to create a table that MUD/ANIMA controllers simply download when they see the URL.  It might look something like this:

{
   "mfg-services" : [
     "mud", "v1", "https://mud.example.com/Frobmaster3000.json"<https://mud.example.com/Frobmaster3000.json>,
     "anima", "v1", "https://masa.example.com/masa-service"<https://masa.example.com/masa-service>
   ]
}


Using a .well-known to query a host about which possible interfaces are available has precedent. For an alternative example also see,
https://tools.ietf.org/html/rfc6415
"The client obtains the host-meta document for a given host by sending

        an HTTP [RFC2616<https://tools.ietf.org/html/rfc2616>] or an HTTPS [RFC2818<https://tools.ietf.org/html/rfc2818>] GET request to the host for
        the "/.well-known/host-meta” path […]”


I see this as an optional redirection that MUD or BRSKI or future protocols might define but don’t see it as a necessary part of the manufacturing certificate extension definition. I’d think we could stop at an extension to provide the root authority to form .well-known URLs. Simpler, smaller, and just as flexible.

As a side note using this approach imposes a difficulty on MUD: the model and serial number information need to be carried elsewhere and normatively defined - MUD can no longer depend on a distinct URL for each class of device. So while I see this as an improvement for IETF as a whole it is problematic for MUD itself and I appreciate the willingness of the MUD authors to discuss it.

- max



This sort of change would be required in both the ANIMA and MUD services, but could then be used for any other manufacturer-based service.  Is this what people want?  For MUD, this amounts to a simple additional file retrieval.  For ANIMA, the same.  Then one simply dereferences the table.  Most importantly, all implementations need to be prepared to handle the case where a particular service is NOT listed (this might seem like a big duh, but I figured I'd mention it).

Comments?





Eliot

_______________________________________________
Anima mailing list
Anima@ietf.org<mailto:Anima@ietf.org>
https://www.ietf.org/mailman/listinfo/anima

v2.23.0 | Report a Bug | By Email