Re: [secdir] [Anima] Secdir last call review of draft-ietf-anima-bootstrapping-keyinfra-16

Randy Bush <> Mon, 01 October 2018 19:37 UTC

Date: Mon, 01 Oct 2018 12:36:56 -0700
From: Randy Bush <>
To: Michael Richardson <>
Cc: "Joel M. Halpern" <>, Brian E Carpenter <>, Christian Huitema <>, IETF Rinse Repeat <>, Security Directorate <>
In-Reply-To: <3136.1538342967@localhost>

>> a stunning review as usual.  but i have two questions which you kind
>> of finessed.  they are simple binary, i.e. yes/no, questions that the
>> end user, to whom the IETF is ultimately responsible, really cares
>> about.
>> if the manufacturer's servers go down, either permanently or even for
>> a day, does the device i have purchased still work?  i.e. is it fail
>> soft? [0]
> First, BRSKI as used by ANIMA is specifically not targeted at Things.
> (We are developing profiles of BRSKI that are about Things, but I
> think that this internet-draft should not be evaluated on that
> basis).
> It's targeted at routers and other devices found at ISPs or
> Enterprises.

i missed where i said light bulbs.  i do have some of those, but i run
routers, servers, etc.; and do not want $vendor to break my network for
*any* reason.

> Second, the only time the manufacturer's servers need to be alive is
> when device ownership is claimed.

i.e. when i sell the router to some other op.  that was my second

> Once the device is claimed, it joins *YOUR* network, and trusts your
> infrastructure, not the manufacturer.  Whether or not the device will
> *operate* without the manufacturer's servers is really outside of

ahhh.  we just sell the guns, we do not say how they are used.

>> That answer seems to imply that if the MASA is down before I try to
>> transfer my device, and if the MASA is still down when the recipient
>> tries to get my device working, it won't work.
>> Which seems to mean that once a MASA goes down permanently, any new
>> can not get a device reliant on that MASA to work.
>> Seems a pretty severe limitation.
> You are answering a different question than Randy asked

no.  he is speaking to the second question i asked.  and his answer
deeply concerns me.

> This is a pretty important question and we have discussed it at
> length.  I remain concerned, but as far as I can see, we have this
> problem already.

if i understand correctly, it creates a new problem, needing the
manufacturer's consent for me to resell my light^Hrouter.

> It fundamentally depends upon a number of things which unfortunately, the
> manufacturer has ultimate decision making about.

see above about guns