A Reference Model for Autonomic Networking, draft-ietf-anima-reference-model-03.txt, 97th IETF, Nov 2016. Michael Behringer (editor), Brian Carpenter, Toerless Eckert, Laurent Ciavaglia, Pierre Peloso, Bing Liu, Jefferson Nobre, John Strassner.

Presentation transcript:

A Reference Model for Autonomic Networking, draft-ietf-anima-reference-model-03.txt (-03 not published yet). 97th IETF, Nov 2016. Michael Behringer (editor), Brian Carpenter, Toerless Eckert, Laurent Ciavaglia, Pierre Peloso, Bing Liu, Jefferson Nobre, John Strassner.

State Machine: ANIMA Device

- Factory default: auto-conf interfaces. Bootstrapping here is BRSKI as seen from the pledge; see the separate BRSKI state machine and draft-ietf-anima-bootstrapping-keyinfra (open items: see the BRSKI draft). If successful -> Enrolled; if not, the device stays in Factory default.
- Enrolled: device has a domain certificate. ANIMA neighbour discovered (mDNS) -> Join ACP (draft-ietf-anima-autonomic-control-plane). Decision needed on mDNS vs GRASP for this discovery.
- In ACP: ACP "up". GRASP discovery inside the ACP (need to specify the GRASP message format; draft-ietf-anima-bootstrapping-keyinfra): Registrar found -> start bootstrap proxy; Registrar lost -> stop bootstrap proxy.
- Proxy mode: BRSKI as seen from the proxy. The proxy MUST send discovery messages (because the pledge only MAY send).

More work needed.

State Machine: BRSKI Pledge

A factory default device (pledge) is in one of these modes, hard coded:
- join any domain (first come, first join): no MASA required
- require audit token: MASA required, audit mode
- require authentication token: MASA required, ownership tracking mode

- Factory default: auto-conf interfaces -> Discovery.
- Discovery: MUST listen, MAY send. Receive "invite from <neighbour> to <domain>" (handle received messages FIFO until the "enrol" state). Send Request-Join (neighbour, domain). (Max: "Identify is a separate step".) Receive "reject <info>?" or "accept (<domain trust anchor> <enrolment info>) | (<audit_token>) | (<auth_token>)" -> Validation.
- Validation:
    if <I require auth_token>:
        if <auth_token> valid: next state Enrolling
        else: blacklist <domain>; next state Discovery
    elseif <I require audit_token>:
        if <audit_token> valid: next state Enrolling
        else: next state Enrolling (as drawn on the slide)
  Validation failed (provide feedback); validation successful -> Enrolling.
  Open question: does the device accept either token type, or require a specific one?
- Enrolling: enrolment failed (provide feedback); enrolment successful -> Enrolled.
- Enrolled: device has a domain certificate.

More work needed.
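The pledge state machine above, as an added example that is not code from the slides or from the BRSKI draft. It models the three hard-coded modes, the FIFO invite queue, Request-Join, accept/reject handling, token validation with domain blacklisting, and the Enrolling/Enrolled transitions. Everything cryptographic is a stand-in and an assumption: tokens are HMAC-SHA256 tags over (kind, pledge serial, domain) under a key the pledge is assumed to hold for "the MASA" (MASA_KEY); the registrar is a callable answering Request-Join; enrolment is a callable returning a certificate string or None. The audit-mode branch follows the slide as drawn (Enrolling on both branches).

```python
"""BRSKI pledge state machine as drawn on the slide (added example)."""
import hashlib
import hmac
from collections import deque

JOIN_ANY, REQUIRE_AUDIT, REQUIRE_AUTH = "join-any", "require-audit", "require-auth"
MASA_KEY = b"constructed-masa-key"  # constructed stand-in for the MASA trust the pledge holds


def make_token(kind, serial, domain, key=MASA_KEY):
    """Stand-in MASA token of kind "audit" or "auth", bound to (serial, domain)."""
    tag = hmac.new(key, f"{kind}|{serial}|{domain}".encode(), hashlib.sha256).hexdigest()
    return (kind, tag)


class Pledge:
    def __init__(self, serial, mode):
        self.serial, self.mode = serial, mode
        self.state = "factory-default"
        self.invites = deque()   # "invite from <neighbour> to <domain>", handled FIFO
        self.blacklist = set()   # domains whose auth token failed validation
        self.feedback = []       # reasons reported on reject / validation / enrolment failure
        self.pending = None      # (domain, payload) carried into Enrolling
        self.domain_cert = None

    def token_valid(self, token, kind, domain):
        """True iff the token is of the required kind and its tag verifies for this pledge/domain."""
        if token is None or token[0] != kind:
            return False
        expected = make_token(kind, self.serial, domain)[1]
        return hmac.compare_digest(token[1], expected)

    def power_on(self):
        self.state = "discovery"   # auto-conf interfaces done; MUST listen, MAY send

    def receive_invite(self, neighbour, domain):
        self.invites.append((neighbour, domain))

    def run_discovery(self, registrar):
        """Drain the invite queue FIFO until we leave Discovery; return the resulting state."""
        while self.invites and self.state == "discovery":
            neighbour, domain = self.invites.popleft()
            if domain in self.blacklist:
                continue                                   # never Request-Join a blacklisted domain
            verdict, payload = registrar(neighbour, self.serial, domain)   # Request-Join
            if verdict == "reject":
                self.feedback.append(f"{domain}: reject ({payload})")
                continue
            self.state = "validation"
            self.validate(domain, payload)
        return self.state

    def validate(self, domain, payload):
        if self.mode == REQUIRE_AUTH:                      # ownership tracking mode
            if self.token_valid(payload.get("auth_token"), "auth", domain):
                self.state = "enrolling"
            else:
                self.blacklist.add(domain)
                self.feedback.append(f"{domain}: auth token invalid")
                self.state = "discovery"
        elif self.mode == REQUIRE_AUDIT:                   # audit mode: Enrolling either way, as drawn
            if not self.token_valid(payload.get("audit_token"), "audit", domain):
                self.feedback.append(f"{domain}: audit token invalid")
            self.state = "enrolling"
        else:                                              # join any domain, first come first join
            self.state = "enrolling"
        if self.state == "enrolling":
            self.pending = (domain, payload)

    def enrol(self, enrol_fn):
        domain, payload = self.pending
        cert = enrol_fn(self.serial, domain, payload)
        if cert is None:
            self.feedback.append(f"{domain}: enrolment failed")
            self.state = "discovery"
        else:
            self.domain_cert, self.state = cert, "enrolled"
        return self.state


def demo_registrar(neighbour, serial, domain):
    """Constructed registrar answers: a rogue domain whose token is under the wrong key,
    a domain that rejects, and the legitimate domain with a valid auth token."""
    if domain == "rogue.example":
        return "accept", {"trust_anchor": "rogue-ta",
                          "auth_token": make_token("auth", serial, domain, key=b"wrong-key")}
    if domain == "corp.example":
        return "accept", {"trust_anchor": "corp-ta",
                          "auth_token": make_token("auth", serial, domain)}
    return "reject", "pledge not known to this domain"


def demo(mode=REQUIRE_AUTH):
    """Run one pledge through a constructed sequence of invites and report where it ends up."""
    p = Pledge("SN-0001", mode)
    p.power_on()
    for nb, dom in [("proxy-a", "rogue.example"), ("proxy-b", "other.example"),
                    ("proxy-c", "corp.example"), ("proxy-a", "rogue.example")]:
        p.receive_invite(nb, dom)
    p.run_discovery(demo_registrar)
    if p.state == "enrolling":
        p.enrol(lambda serial, dom, payload: f"LDevID({serial}@{dom})")
    return {"state": p.state, "cert": p.domain_cert,
            "blacklist": sorted(p.blacklist), "feedback": p.feedback}
```

Running demo() in the three modes shows the security difference between them: in ownership-tracking mode the rogue domain is blacklisted and the pledge ends up enrolled in corp.example; in join-any mode the first invite wins and the pledge enrols in rogue.example; in audit mode it also proceeds to Enrolling with the rogue domain, only recording that no valid audit token was presented.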

State Machine: ACP

- Enrolled: device has a domain certificate. (If we make the ACP a separate ASA: start the ACP ASA here.)
- Discovery: MUST listen, MUST send. Need to define the packet format. Discover <node>;<domain>.
- For each discovered AN adjacency:
  - Check policy for <domain>: should we establish the ACP? For now the default policy is "if in same domain"; later we can have other policies. If no, ignore the adjacency.
  - If yes: authenticate <node>, then set up a secure channel.
  - Was this the first ACP tunnel? If yes: enable ACP routing and addressing.
- In ACP: the device is in the ACP. (Note: this does not mean it sees a registrar or other services, just that there is an ACP.) Last ACP tunnel going down -> leaves the In ACP state.

More work needed.
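The per-adjacency loop above, as an added example that is not code from the ACP draft: policy check (same domain only, the default policy for now), node authentication, secure-channel setup, enabling ACP routing when the first tunnel comes up and leaving the In ACP state when the last one goes down. The "domain certificate" is a stand-in and an assumption: a dict carrying an HMAC-SHA256 tag over (node, domain) under the domain trust-anchor key; the real ACP uses X.509 LDevIDs and IPsec/DTLS channels, which are reduced here to a record in `tunnels`.

```python
"""ACP adjacency handling from the slide's per-adjacency loop (added example)."""
import hashlib
import hmac


def issue_cert(node, domain, ta_key):
    """Stand-in domain certificate issued under the domain trust anchor ta_key (assumption)."""
    tag = hmac.new(ta_key, f"{node}|{domain}".encode(), hashlib.sha256).hexdigest()
    return {"node": node, "domain": domain, "tag": tag}


class AcpNode:
    def __init__(self, name, domain, ta_key):
        self.name, self.domain, self.ta_key = name, domain, ta_key
        self.cert = issue_cert(name, domain, ta_key)   # Enrolled: device has a domain certificate
        self.state = "discovery"                       # MUST listen, MUST send
        self.tunnels = {}                              # peer -> secure channel record
        self.routing_enabled = False
        self.log = []

    def policy_allows(self, peer_domain):
        """Default policy for now: establish the ACP only with nodes in the same domain."""
        return peer_domain == self.domain

    def authenticate(self, peer_cert):
        """Verify the peer's certificate against our own domain trust anchor."""
        expected = issue_cert(peer_cert["node"], peer_cert["domain"], self.ta_key)["tag"]
        return hmac.compare_digest(expected, peer_cert["tag"])

    def adjacency_discovered(self, peer_cert):
        """One pass of the loop: policy, authenticate, secure channel, first-tunnel check."""
        peer = peer_cert["node"]
        if not self.policy_allows(peer_cert["domain"]):
            self.log.append(f"{peer}: policy denies domain {peer_cert['domain']}")
            return False
        if not self.authenticate(peer_cert):
            self.log.append(f"{peer}: authentication failed")
            return False
        self.tunnels[peer] = {"peer": peer, "channel": "secure"}   # set up secure channel
        if len(self.tunnels) == 1:                                  # was this the first ACP tunnel?
            self.routing_enabled = True                             # enable ACP routing and addressing
            self.state = "in-acp"
        self.log.append(f"{peer}: ACP tunnel up")
        return True

    def adjacency_lost(self, peer):
        self.tunnels.pop(peer, None)
        if not self.tunnels:                                        # last ACP tunnel going down
            self.routing_enabled = False
            self.state = "discovery"
        return self.state


def demo():
    """Constructed scenario: one good neighbour, one in another domain, one with a forged cert."""
    corp_ta, other_ta = b"corp-trust-anchor", b"other-trust-anchor"   # constructed keys
    a = AcpNode("A", "corp.example", corp_ta)
    b_cert = issue_cert("B", "corp.example", corp_ta)      # legitimate neighbour
    c_cert = issue_cert("C", "other.example", other_ta)    # other domain: policy says no
    d_cert = issue_cert("D", "corp.example", b"attacker")  # claims our domain, cert not under our TA
    results = {
        "B": a.adjacency_discovered(b_cert),
        "state_after_B": a.state,
        "C": a.adjacency_discovered(c_cert),
        "D": a.adjacency_discovered(d_cert),
        "tunnels": sorted(a.tunnels),
        "log": list(a.log),
    }
    results["state_after_loss"] = a.adjacency_lost("B")
    results["routing"] = a.routing_enabled
    return results
```

The point worth noticing is the order of the checks: the policy decision is taken on the claimed domain before any cryptography, but a node that merely claims the right domain (D) still fails authentication because its certificate does not chain to the local trust anchor, so it never gets a tunnel and never influences the first-tunnel/last-tunnel transitions.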

Open questions / items

- State machines: describe the ANIMA state machine in the reference draft, the other ones in the respective drafts?
- Is "proxy mode" a separate state? (mcr: No!)
- Should we describe the RPL state machine in more detail? (Probably! See mail from mcr.) In which draft? Probably BRSKI.
- Define "factory reset" (should go into the reference model):
  - type 1: erase all but the LDevID -> device doesn't need to re-enrol
  - type 2: erase all, including the LDevID

Open questions / items

- Discovery protocols. Currently the drafts say:
  - ACP draft: insecure GRASP, M_FLOOD
  - BRSKI: mDNS (Brian: If we use mDNS, the ANI is not "self-contained")
- Current discussion on the list (mail from mcr), discovery of the proxy by the pledge:
  - GRASP M_FLOOD (MUST for proxy, SHOULD for pledge)
  - mDNS (SHOULD for proxy, MAY for pledge)
- Should it say: BRSKI may run in the ANIMA context, or in a different context (IoT)?
  - if "ANIMA" then use insecure GRASP
  - if "other" then use mDNS (or other)
  But then we have insecure and secure GRASP running concurrently, a potential security concern.

Open questions / items

- In the ACP draft, clarify: the ACP draft does NOT require BRSKI to run first. Keys could come, for example, from SIM cards.
- Discovery, general questions: should the discovery packet contain the domain info? Need to specify packet formats.
- Follow-up security review from Nancy.
- Complete section 7.3 (ASAs). Complete the sections for bootstrap ASAs.
- Do we want to define the ACP as an ASA?
  - Argument "for": allows modularity.
  - Argument "against":
- BRSKI: feedback to the pledge? (Specifically: reason for rejection / retry?)