ACP status IETF 103 Montreal 2018

Slides:



Advertisements
Similar presentations
CT-KIP Magnus Nyström, RSA Security OTPS Workshop, October 2005.
Advertisements

Overview of draft-ietf-sidr-roa-format-01.txt Matt Lepinski BBN Technologies.
Slide Set 15: IP Multicast. In this set What is multicasting ? Issues related to IP Multicast Section 4.4.
Slide #1IETF 77 – Roll WG – March 2010 ROLL RPL IETF 77 status draft-ietf-roll-rpl Tim Winter Pascal Thubert Design Team.
2002 년 2 학기이동인터넷프로토콜 1 Mobile IP:Overview 년 2 학기이동인터넷프로토콜 2 Mobile IP overview Is Mobile IP an official standard? What problems does Mobile IP solve?
DHCP: Dual-Stack Issues draft-ietf-dhc-dual-stack-01 Tim Chown dhc WG, IETF 60, San Diego, August 2, 2004.
Prefix Delegation Protocol Selection T.J. Kniveton MEXT Working Group IETF 70 - December ’07 - Vancouver.
1 Stable Connectivity IETF 91 11/2014 Honolulu draft-eckert-anima-stable-connectivity-00 T.Eckert M. Behringer.
July 16, Diameter EAP Application (draft-ietf-aaa-eap-02.txt) on behalf of...
Draft-vandevelde-v6ops-addcon-00.txt IPv6 Unicast Address Assignment Considerations Gunter Van de Velde (editor) Tim Chown Ciprian Popoviciu IETF 65, March.
Yang Shi (Richard), Yong Zhang IETF 74 th 26 March 2009, San Francisco CAPWAP WG MIB Drafts Report.
Real-time Flow Management 2 BOF: Remote Packet Capture Extensions Jürgen Quittek NEC Europe Ltd, Heidelberg, Germany Georg Carle GMD.
Interdomain multicast routing with IPv6 Stig Venaas University of Southampton Jerome Durand RENATER Mickael Hoerdt University Louis Pasteur - LSIIT.
SHIM6 Protocol Drafts Overview Geoff Huston, Marcelo Bagnulo, Erik Nordmark.
6TSCH Webex 05/24/2013. Agenda BoF recap[5min] Webinar announcement[5min] Centralized routing requirements draft [10min + 5min Q&A] updated TSCH draft[5min]
19.1 Chapter 19 Network Layer: Logical Addressing Copyright © The McGraw-Hill Companies, Inc. Permission required for reproduction or display.
CDNI Requirements (draft-lefaucheur-cdni-requirements-02) CDNI Working Group IETF 81 Quebec City, Canada July 28, 2011 Kent Leung Yiu.
1 Arkko, 57th IETF: SEND base protocol issue list Issues in the SEND base document draft-ietf-send-ipsec-01.txt
Privacy Considerations for Internet Protocols Alissa Cooper 1.
Node Information Queries July 2002 Yokohama IETF Bob Hinden / Nokia.
PCE-based Computation for Inter-domain P2MP LSP draft-zhao-pce-pcep-inter-domain-p2mp-procedures-00.txt Quintin Zhao, Huawei Technology David Amzallag,
Doc.: IEEE /0093r0 Submission NameAffiliationsAddressPhone Hitoshi MORIOKAAllied Telesis R&D Center Tenjin, Chuo-ku, Fukuoka
NEMO Basic Support update IETF 61. Status IANA assignments done Very close to AUTH48 call Some issues raised recently We need to figure out if we want.
DHCP Vrushali sonar. Outline DHCP DHCPv6 Comparison Security issues Summary.
Click to edit Master title style Click to add subtitle © 2008 Wichorus Inc. All rights reserved. CONFIDENTIAL - DO NOT DISTRIBUTE rfc3775bis Issues November.
1 cellhost-ipv6-52.ppt/ December 13, 2001 / John A. Loughney Minimum IPv6 Functionality for a Cellular Host John Loughney, Pertti Suomela, Juha Wiljakka,
Draft-ietf-p2psip-base-08 Cullen Jennings Bruce Lowekamp Eric Rescorla Salman Baset Henning Schulzrinne March 25, 2010.
1 IETF 91, 10 Nov 2014draft-behringer-anima-reference-model-00.txt A Reference Model for Autonomic Networking draft-behringer-anima-reference-model-00.txt.
IPv6 Transition/Co-existence Security Considerations draft-ietf-v6ops-security-overview-04.txt Elwyn Davies Suresh Krishnan Pekka Savola IETF-66, Montreal,
Doc.: IEEE /0122r0 Submission January 2012 Dorothy Stanley, Aruba NetworksSlide 1 IEEE IETF Liaison Report Date: Authors:
Bing Liu (speaker), Sheng WG, ietf96, July 2016
Bootstrapping Key Infrastructures
IETF88 Vancouver Immediate options for Multrans avoiding NAT ?
Transmission of IP Packets over IEEE 802
28 October 2016 Webex IPv6 over the TSCH mode of IEEE e
91th IETF, 10 Nov 2014  Michael Behringer Steinthor Bjarnason Balaji BL
Open issues with PANA Protocol
draft-litkowski-isis-yang-isis-cfg IETF 90 - Toronto
Autonomic Prefix Management in Large-scale Networks
A Reference Model for Autonomic Networking draft-ietf-anima-reference-model-03.txt 97th IETF, Nov 2016 Michael Behringer (editor), Brian Carpenter, Toerless.
IP Router-Alert Considerations and usage
In-Band Authentication Extension for Protocol Independent Multicast (PIM) draft-bhatia-zhang-pim-auth-extension-00 Manav Bhatia
Chapter 4 Data Link Layer Switching
Towards PubSub and Storage integration in ANIMA
Network Virtualization
Link State on Data Center Fabrics
Network Layer: Logical Addressing
Bing Liu, Fanghong Duan, Yongkang Zhang IETF July 2017
YANG model for ANI IETF101 draft-eckert-anima-enosuchd-raft-yet-99
Wednesday, 9:30-12:00 Morning session I, Van Horne
Resource Certificate Profile
Sept 2004 doc.: IEEE a Nov 2004 Project: IEEE P Working Group for Wireless Personal Area Networks (WPANs) Submission Title:
Problem & Proposal for User Plane Support for QoS Mapping
Tuesday , 9:30-12:00 Morning session I, Buckingham
By co-authors Sheng Jiang & Toerless Eckert
David Noveck IETF99 at Prague July 20, 2017
GeneRic Autonomic Signaling Protocol draft-ietf-anima-grasp-08
MAPID for User Plane Support
Resource Certificate Profile SIDR WG Meeting IETF 66, July 2006
draft-eckert-anima-noc-autoconfig-00 draft-eckert-anima-grasp-dnssd-01
Remedy for beacon bloat
Bing Liu, Yuefeng Wu IETF July 2017
draft-ietf-bier-ipv6-requirements-01
ANIMA recharter IETF 103 Bangkok
A Firmware Update Architecture for Internet of Things Devices
Deprecating ASM for Interdomain Multicast IETF 102 Montreal 2018
DetNet Data Plane Solutions draft-ietf-detnet-dp-sol-ip-02  draft-ietf-detnet-dp-sol-mpls-02  Bala’zs Varga, Jouni Korhonen, Janos Farkas, Lou Berger,
TCB Control Block Sharing: 2140bis draft-ietf-tcpm-2140bis-00
Large-Scale Deterministic Network Update
DetNet Architecture Updates
Presentation transcript:

ACP status IETF 103 Montreal 2018 draft-ietf-anima-autonomic-control-plane-18 Toerless Eckert tte+ietf@cs.fau.de (Huawei USA) Michael Behringer michael.h.behringer@gmail.com Steinthor Bjarnason sbjarnason@arbor.net v1.0

Status IETF 102: draft-ietf-anima-autonomic-control-plane-16 On IESG Telechat beginning of August draft-ietf-anima-autonomic-control-plane-17/18 Alissa Cooper review Elwyn Davies review (GEN-ART) Frank Xialiang (early SECDIR) Missing fix from Pascal Thuberts review Staging -19. security review

Main changes -16 -> -18 (1) Introduced option “0” for ACP address in certificate Required for NOC nodes that assign local address differently Especially connected via ACP connect, normal IPv6 subnet procedures Certificate now indicates that the address is not assigned via Cert Currently no ANI mechanism relies on verifying ACP address, only node itself uses it to assign its ACP address Marked all sections normative/informative Requirements section is INFORMATIVE Use _MUST_, _SHOULD_ to indicate these are solutoin requirements, not RFC2119 style requirements Removed almost all “futures” considerations from normative text Created appendix A.10 for the ones we want to document Clarified “rsub” is important NOW, not only future E.g.: also helps to avoid any ULA hashes in interconncted ACPs.

Main changes -16 -> -18 (2) A.8 Intent Elaborated more extensively here about the key issue of designing any Intent solution (or information distribution) carrying ACP Intent/Information: Circular dependencies: Intent/Information says something about ACP that the ACP would need to know before ACP can be correctly built This must be understood and avoided for future work on information distirbution / Intent. Section gives some ideas: Example: Connecting multicast ACP domains. Allow ONLY “intent” information to be passed between them, then that inten determines how ACP continues to autoconfigure itself. Mostly a problem statement, not a proposed solution. Important to keep in ACP doc as appendix because we do want to work on information distribution.

Main changes -16 -> -18 (3) A.10.2 Dependency against IPv6 data plane (from Alissa’s review) Misconfiguring IPv6 data plane so that there is not even link-local IPv6 connectivity will break this specifications ACP connectivity. Relying on Data-Plane IPv6 link-local for encapsulation was conscious choice of ACP authors to keep complexity limited All better solutions are maybe not difficult, but might not work across all possible media for all possible platforms Aka: better link-encap than data-plane link-local is best done as simple add-on documents A.10.2 outlines some options Not all options require actual spec/interop extensions, just impleemntation local Example: SR-IOV: second MAC on NIC Use one MAC for ACP, another for data-plane Different virtual interfaces, data-plane does not see ACP virtual-NIC

Main changes -16 -> -18 (4) A 10.5 Role assignments One of the main security issues with the “simple” ACP group security model is that it can not distinguish which node/ACP-certificate can do what. Aka: If we use ACP domain certificate to allow NetConf/SSH/CLI configuration of devices, then this could be triggered from any device Some router in ACP is hacked into, now worst case you could configure from this router any other router. Ongoing work towards -19 also documents this better (security issue) Suggested future work option/solution: Put simple role flags into certificte “normal ACP node” vs. “privileged NOC node” Will see if/how this will be refined through security review

Main changes -16 -> -18 (5) A.10.4. RPL enhancements ..... USA ...... ..... Europe ...... NOC1 NOC2 | | | metric 100 | ACP1 --------------------------- ACP2 . | | . WAN | metric 10 metric 20 | . Core | | . ACP3 --------------------------- ACP4 . | | . Sites ACP10 ACP11 . Figure 16: Dual NOC RPL ROOT

Next up SecDir / SEC AD review -> version -19 Benjamin Kaduk / Eric Rescorla 70% through (first round reply). Unfortunately delayed (time alloc issue last two months) Some important issues: Lowest common denominator security profile that can be support in commonly expected router accelerated crypto HW: AES256 bits ok ?! GTM mode ok ? Elliptic Curve vs. RSA should be fine, no HW impact I am aware of ? Constrained device support in ACP “opportunistic” We do want Ipsec/DTLS to be specified for secure channels To ensure we get practical support for extensible autoconfig choice of security protocol BUT: Tha is NOT complete support for constrained devices TCP use by ACP-GRASP likely not sufficient for constrained devices Have/improved text how this can be added later on (DTLS) Do not feel confident about standardizing this part now in ACP though.

Thank You! time

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2025 SlidePlayer.com. Inc. All rights reserved.