Re: [secdir] [Anima] Secdir last call review of draft-ietf-anima-bootstrapping-keyinfra-16

Randy Bush <randy@psg.com> Mon, 01 October 2018 19:37 UTC

Date: Mon, 01 Oct 2018 12:36:56 -0700
Message-ID: <m2tvm5ihlz.wl-randy@psg.com>
From: Randy Bush <randy@psg.com>
To: Michael Richardson <mcr+ietf@sandelman.ca>
Cc: "Joel M. Halpern" <jmh@joelhalpern.com>, Brian E Carpenter <brian.e.carpenter@gmail.com>, Christian Huitema <huitema@huitema.net>, draft-ietf-anima-bootstrapping-keyinfra.all@ietf.org, IETF Rinse Repeat <ietf@ietf.org>, anima@ietf.org, Security Directorate <secdir@ietf.org>
In-Reply-To: <3136.1538342967@localhost>
References: <153826253306.18743.9250084704876465818@ietfa.amsl.com> <m2sh1qkebi.wl-randy@psg.com> <0cbdf93d-c432-57f5-5000-8595b006d6d0@gmail.com> <e5e77a61-b8cf-cb8d-dfc3-05b8312b3adb@joelhalpern.com> <3136.1538342967@localhost>
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdir/s3bnkITXmhFHZvKJzwZQk9V1cbw>

>> a stunning review as usual.  but i have two questions which you kind
>> of finessed.  they are simple binary, i.e. yes/no, questions that the
>> end user, to whom the IETF is ultimately responsible, really cares
>> about.
>
>> if the manufacturer's servers go down, either permanently or even for
>> a day, does the device i have purchased still work?  i.e. is it fail
>> soft? [0]
> 
> First, BRSKI as used by ANIMA is specifically not targeted at Things.
> (We are developing profiles of BRSKI that are about Things, but I
> think that this internet-draft should not be evaluated on that
> basis).
> 
> It's targeted at routers and other devices found at ISPs or
> Enterprises.

i missed where i said light bulbs.  i do have some of those, but i run
routers, servers, etc.; and do not want $vendor to break my network for
*any* reason.

> Second, the only time the manufacturer's servers need to be alive is
> when device ownership is claimed.

i.e. when i sell the router to some other op.  that was my second
question.

> Once the device is claimed, it joins *YOUR* network, and trusts your
> infrastructure, not the manufacturer.  Whether or not the device will
> *operate* without the manufacturer's servers is really outside of
> BRSKI.

ahhh.  we just sell the guns, we do not say how they are used.

>> That answer seems to imply that if the MASA is down before I try to
>> transfer my device, and if the MASA is still down when the recipient
>> tries to get my device working, it won't work.
>
>> Which seems to mean that once a MASA goes down permanently, any new
>> [owner] cannot get a device reliant on that MASA to work.
>
>> Seems a pretty severe limitation.
> 
> You are answering a different question than Randy asked.

no.  he is speaking to the second question i asked.  and his answer
deeply concerns me.

> This is a pretty important question and we have discussed it at
> length.  I remain concerned, but as far as I can see, we have this
> problem already.

if i understand correctly, it creates a new problem, needing the
manufacturer's consent for me to resell my light^Hrouter.

> It fundamentally depends upon a number of things which unfortunately, the
> manufacturer has ultimate decision making about.

see above about guns

randy
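The point being argued over (the MASA is needed at ownership-claim time, not for day-to-day operation, and so again at resale) is easy to see in a small model of the BRSKI voucher flow. The following is an added example, not code from the draft or from anyone in this thread. It simulates the MASA's voucher signature with an HMAC shared between the MASA and the pledge; in real BRSKI the voucher is a CMS/JWS signature that the pledge verifies against a MASA trust anchor shipped with its IDevID, and the serial number, domain names and keys below are constructed for the example. The model covers only the nonced voucher-request flow; the spec also permits nonceless vouchers with an expiry, which a registrar could obtain while the MASA is still up, and that is the usual answer to "what if the MASA is down at resale time."

```python
# Toy model of BRSKI ownership claiming.  Added example; not the draft's or
# any thread author's code.  The MASA signature is simulated with an HMAC
# shared between MASA and pledge (a stand-in for signature verification
# against the MASA trust anchor in the pledge's IDevID).
import hmac
import secrets
from dataclasses import dataclass
from typing import Optional, Tuple


class MasaOffline(Exception):
    """The manufacturer's voucher service could not be reached."""


@dataclass
class Masa:
    key: bytes                 # stand-in for the MASA signing key (constructed)
    online: bool = True

    def sign_voucher(self, serial: str, nonce: str, domain_ca: str) -> Tuple[bytes, bytes]:
        if not self.online:
            raise MasaOffline(f"no voucher for {serial}: MASA unreachable")
        body = f"{serial}|{nonce}|{domain_ca}".encode()
        return body, hmac.new(self.key, body, "sha256").digest()


@dataclass
class Registrar:
    domain_ca: str             # the domain identity the voucher will pin
    masa: Masa

    def forward_voucher_request(self, serial: str, nonce: str) -> Tuple[bytes, bytes]:
        # The registrar relays the pledge's voucher-request to the MASA.
        return self.masa.sign_voucher(serial, nonce, self.domain_ca)


@dataclass
class Pledge:
    serial: str
    masa_anchor: bytes         # trust anchor shipped in the device
    pinned_domain: Optional[str] = None

    def claim(self, registrar: Registrar) -> None:
        nonce = secrets.token_hex(8)
        body, sig = registrar.forward_voucher_request(self.serial, nonce)
        expected = hmac.new(self.masa_anchor, body, "sha256").digest()
        if not hmac.compare_digest(sig, expected):
            raise ValueError("voucher not signed by the device's MASA")
        serial, got_nonce, domain_ca = body.decode().split("|")
        if serial != self.serial or got_nonce != nonce:
            raise ValueError("voucher replayed or issued for another device")
        self.pinned_domain = domain_ca   # from now on trust only this domain

    def factory_reset(self) -> None:
        self.pinned_domain = None

    def operational(self) -> bool:
        # Day-to-day operation depends on the pinned domain, not on the MASA.
        return self.pinned_domain is not None


def lifecycle() -> dict:
    """Claim, run with the MASA down, resell with it down, resell once it is back."""
    masa = Masa(key=b"constructed-masa-key")
    dev = Pledge(serial="SN-0001", masa_anchor=masa.key)
    op_a = Registrar("ca.operator-a.example", masa)
    op_b = Registrar("ca.operator-b.example", masa)
    out = {}

    dev.claim(op_a)
    out["claimed_by"] = dev.pinned_domain

    masa.online = False
    out["runs_with_masa_down"] = dev.operational()

    dev.factory_reset()                   # resale: wipe and re-bootstrap
    try:
        dev.claim(op_b)
        out["resale_with_masa_down"] = dev.pinned_domain
    except MasaOffline:
        out["resale_with_masa_down"] = "blocked"

    masa.online = True
    dev.claim(op_b)
    out["resale_after_masa_back"] = dev.pinned_domain
    return out


def rogue_masa_rejected() -> bool:
    """A voucher from a MASA the device does not trust must not claim it."""
    real = Masa(key=b"constructed-masa-key")
    rogue = Masa(key=b"constructed-other-key")
    dev = Pledge(serial="SN-0002", masa_anchor=real.key)
    try:
        dev.claim(Registrar("ca.attacker.example", rogue))
    except ValueError:
        return not dev.operational()
    return False


if __name__ == "__main__":
    print(lifecycle(), rogue_masa_rejected())
```

Read against the thread: the claimed device keeps running with the MASA down, which is Michael's point; the factory-reset resale is blocked until the MASA returns, which is Joel's and Randy's.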