[OPSAWG] dealing with multiple manufacturer services with a single certificate extension
Eliot Lear <lear@cisco.com> Sun, 23 April 2017 11:23 UTC
Return-Path: <lear@cisco.com>
X-Original-To: opsawg@ietfa.amsl.com
Delivered-To: opsawg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 7FCD8128799; Sun, 23 Apr 2017 04:23:57 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -14.522
X-Spam-Level:
X-Spam-Status: No, score=-14.522 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_HI=-5, RCVD_IN_MSPIKE_H3=-0.01, RCVD_IN_MSPIKE_WL=-0.01, RP_MATCHES_RCVD=-0.001, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001, USER_IN_DEF_DKIM_WL=-7.5] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=cisco.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id h8MmzfWjfWFV; Sun, 23 Apr 2017 04:23:56 -0700 (PDT)
Received: from aer-iport-2.cisco.com (aer-iport-2.cisco.com [173.38.203.52]) (using TLSv1.2 with cipher DHE-RSA-SEED-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 6202A1200FC; Sun, 23 Apr 2017 04:23:55 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cisco.com; i=@cisco.com; l=9396; q=dns/txt; s=iport; t=1492946635; x=1494156235; h=to:from:subject:message-id:date:mime-version; bh=Cv48+ibPFELqcrbk1Dcepv1Hn3XszohlS0c1gp+j0jI=; b=VIZGIav6nmhFMTuW89ujToBxYzmeAM2govC+jvPTEYbyJQKBBPviON9Y 0HtiumdYhmVMrml9LXr1NvAG92sA60YlQCHDJ0Xpg9GOWvwhDGYKnurDi PTP3oKeHpT2+Z8lvXl5lwoPTLuRvdH0E3iMnBvx724Yan0hC6Ccuk7nqb 0=;
X-Files: signature.asc : 481
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: A0DuAQAwjvxY/xbLJq1cEwEBBQEBAQECAQEBAQgBAQEBhDWBDINnihVzkFGQUYU1gg8HJYpFGAECAQEBAQEBAWsohT9vRAJfAQwIAQGKGA6NN5wtEYEggiYrimgBAQEBBgEBAQEBFAoFiDArC4VahGaCXwEEiUSTfYQNghF5i2+CAIh1hmKIb4sqHziBBiYdCBgVgmqCQAMcgX8kNQGJNQEBAQ
X-IronPort-AV: E=Sophos;i="5.37,238,1488844800"; d="asc'?scan'208,217";a="651348904"
Received: from aer-iport-nat.cisco.com (HELO aer-core-4.cisco.com) ([173.38.203.22]) by aer-iport-2.cisco.com with ESMTP/TLS/DHE-RSA-AES256-GCM-SHA384; 23 Apr 2017 11:23:52 +0000
Received: from [10.61.83.5] (ams3-vpn-dhcp4870.cisco.com [10.61.83.5]) by aer-core-4.cisco.com (8.14.5/8.14.5) with ESMTP id v3NBNph0032118; Sun, 23 Apr 2017 11:23:52 GMT
To: ibagdona@gmail.com, Zhoutianran <zhoutianran@huawei.com>, "opsawg@ietf.org" <opsawg@ietf.org>, Anima WG <anima@ietf.org>
From: Eliot Lear <lear@cisco.com>
Message-ID: <031d87aa-1839-d7af-0723-dd9a2aa7ad0a@cisco.com>
Date: Sun, 23 Apr 2017 07:23:50 -0400
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.12; rv:45.0) Gecko/20100101 Thunderbird/45.8.0
MIME-Version: 1.0
Content-Type: multipart/signed; micalg="pgp-sha256"; protocol="application/pgp-signature"; boundary="IpUVLBohmlhjLBCKImh03v8nKxPSRd8vE"
Archived-At: <https://mailarchive.ietf.org/arch/msg/opsawg/ZqvJa7zQSChqvN5HSeM8HoDtvBg>
Subject: [OPSAWG] dealing with multiple manufacturer services with a single certificate extension
X-BeenThere: opsawg@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: OPSA Working Group Mail List <opsawg.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/opsawg>, <mailto:opsawg-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/opsawg/>
List-Post: <mailto:opsawg@ietf.org>
List-Help: <mailto:opsawg-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/opsawg>, <mailto:opsawg-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 23 Apr 2017 11:23:57 -0000
Hi everyone, Just a quick update on this document. I am preparing for the next version of the draft. There is one major change contemplated that is not yet addressed. I received feedback from the IETF Chicago meeting regarding how best to structure URLs in manufacturer certificates. There are currently two planned, one for MUD and one for ANIMA/BRSKI. The question is whether these should be combined. I had said in Chicago that I would ask various manufacturers about whether additional complexity on the backend is worth saving the bytes in the certificate. There was, as you might imagine, a mixed response. A number of manufacturers answered, “No, and in fact we want to do our own certificate extensions”. Others simply answered “No, the code requirements for ANIMA will probably make the cert extension a relatively minimal matter”. And some manufacturers, said, “yes, every byte counts.” I am proceeding in a way that accommodates the 3rd group for now, but I seek discussion. If we combine the URLs the way it would work is that there would be a service endpoint along the lines of the following: * https://example.com/.well-known/mfg/modelname At that point, we would need to deference, introducing some additional complexity somewhere in the system. We should be mindful of the following issue: 1. Versioning should be supported OUTSIDE of the referenced service. The more that is done, the more freedom the referenced service has the ability to change. 2. Versioning of services should not be done in lock step. That is, if we keep the versioning information in the URL, that means that when the MUD version is bumped, so too would the ANIMA version. It is possible to keep a registry that would indicate URL versioning and then map to all the different versions of whatever is referenced, but that seems ridiculously complex. 3. The resolution mechanism to services should be independent of how the URL is gotten by the various {MUD/ANIMA/...} controllers. And thus, if a MUD controller receives the URL via LLDP or DHCP, the same processing should occur as if it was received via a certificate. This simplifies code paths, and will hence reduce risk of bugs. It will also follow the principle of least astonishment. It seems to me the simplest way to handle this sort of thing is to create a table that MUD/ANIMA controllers simply download when they see the URL. It might look something like this: { "mfg-services" : [ "mud", "v1", "https://mud.example.com/Frobmaster3000.json", "anima", "v1", "https://masa.example.com/masa-service" ] } This sort of change would be required in both the ANIMA and MUD services, but could then be used for any other manufacturer-based service. Is this what people want? For MUD, this amounts to a simple additional file retrieval. For ANIMA, the same. Then one simply dereferences the table. Most importantly, all implementations need to be prepared to handle the case where a particular service is NOT listed (this might seem like a big duh, but I figured I'd mention it). Comments? Eliot
- [OPSAWG] dealing with multiple manufacturer servi… Eliot Lear
- Re: [OPSAWG] [Anima] dealing with multiple manufa… Max Pritikin (pritikin)
- Re: [OPSAWG] [Anima] dealing with multiple manufa… Eliot Lear
- Re: [OPSAWG] [Anima] dealing with multiple manufa… Michael Richardson
- Re: [OPSAWG] [Anima] dealing with multiple manufa… Eliot Lear