Thomas Watteyne <[email protected]> wrote:
    mcr> In the situation where the DAO from the JA carries the information
    mcr> about the JN, then the LBR/DODAG root would receive that
    mcr> information. The LBR needs to be told where the JCE is by
    mcr> out-of-scope means. I.e. you have to configure it. But in the common
    mcr> case where it's co-located, it's a no-op.
    mcr> As the JCE then reaches out *to* the JN, neither the JN nor the JA
    mcr> need to know who/where the JCE is.
> You seem to assume the JN does not talk end-to-end with the JCE, but
> the LBR serves as an application-layer proxy? Man-in-the-middle? I
> must be missing something.
no, that's not what I'm saying at all. I'm not sure how you get to that
conclusion from the above text....
> Related question: does the JN at some point learn the address of JCE
> and/or PCE? More generally, how is the "handover" done between the JCE
> and PCE?
In the case where the PCE and JCE are co-located... i.e. really different
aspects of the same process, I think the handover is easy. Where they are
not the same process, then there are really two problems:
1) how does the JCE/LBR tell the PCE about the new node?
2) how does the PCE <-> JN relationship work?
I think that the LBR/JCE/PCE protocol could eventually be subject to
standardization, but for the moment I'm happy to let this be vendor
proprietary.
The JCE will have programmed the JN with appropriate credentials and trust
anchors such that it can talk to the PCE. That happens during the join
process. The JN then restarts (probably, it should reboot) and joins the
"production" network, and sends DAOs, which means the LBR/DODAG root will
learn of the (new) node. Note that at this point there is really no
difference between the node being "new", and the node having just returned to
service/connectivity after some event. (Maybe nodes on the forklift power
down at night, or maybe they lose connectivity when the forklift leaves the
building... or a metal door opens/closes...)
The LBR will need to inform the PCE that it knows of a now connected node,
and the PCE will need to reach out using 6top. The PCE can authenticate the
new node using the locally significant credential, and the JN can
authenticate the PCE using the trust anchor that the JCE provisioned.
A power and compute-saving thing for the JCE to do would be to have the
JN provide the JCE with a session-resumption ticket... and for the JCE
to pass that onto the PCE.
--
Michael Richardson <[email protected]>, Sandelman Software Works
-= IPv6 IoT consulting =-
_______________________________________________
6tisch mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/6tisch
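An added illustration of the join-then-handover flow Michael sketches above (JCE provisions a locally significant credential plus a trust anchor; the JN reboots and sends a DAO; the LBR tells the PCE; the PCE reaches out and both sides authenticate). This is example code written for this page, not 6TiSCH or any vendor's implementation, and everything in it is an assumption: the credential format (an Ed25519 public key and role signed by the JCE's local CA key), a signed-nonce exchange standing in for whatever 6top would actually carry, and the node and function names.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
)

// Credential is a stand-in for the "locally significant credential" the JCE
// programs into a node at join time: the node's public key and role, signed
// by the JCE's local CA key. Hypothetical format; the thread defines none.
type Credential struct {
	Name string
	Role string // "JN" or "PCE"
	Pub  ed25519.PublicKey
	Sig  []byte
}

// tbs is the to-be-signed byte string covered by the JCE signature.
func (c Credential) tbs() []byte {
	return []byte(c.Role + "|" + c.Name + "|" + string(c.Pub))
}

// JCE holds the local CA key used during the join process.
type JCE struct {
	caPub  ed25519.PublicKey
	caPriv ed25519.PrivateKey
}

func NewJCE() *JCE {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return &JCE{caPub: pub, caPriv: priv}
}

// Node is either a JN or a PCE: key pair, credential and trust anchor.
type Node struct {
	Cred   Credential
	Anchor ed25519.PublicKey // JCE CA key, provisioned during join (nil before)
	priv   ed25519.PrivateKey
}

func NewNode(name, role string) *Node {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return &Node{Cred: Credential{Name: name, Role: role, Pub: pub}, priv: priv}
}

// Enroll is the join-time step: the JCE signs the node's credential and
// installs its own CA key as the node's trust anchor.
func (j *JCE) Enroll(n *Node) {
	n.Cred.Sig = ed25519.Sign(j.caPriv, n.Cred.tbs())
	n.Anchor = j.caPub
}

// verifyCredential checks a peer credential against the local trust anchor
// and the role the peer is expected to hold. The length check matters:
// ed25519.Verify panics on a malformed public key rather than returning false.
func verifyCredential(anchor ed25519.PublicKey, c Credential, wantRole string) error {
	if c.Role != wantRole {
		return fmt.Errorf("credential role %q, want %q", c.Role, wantRole)
	}
	if len(anchor) != ed25519.PublicKeySize || !ed25519.Verify(anchor, c.tbs(), c.Sig) {
		return errors.New("credential not signed by trust anchor")
	}
	return nil
}

// LBR records DAOs from the production DODAG and reports every node it hears
// from to the PCE; as the message notes, it cannot tell "new" from "returned".
type LBR struct {
	known  map[string]*Node
	notify func(*Node) error // vendor-proprietary LBR -> PCE channel, per the thread
}

func NewLBR(notify func(*Node) error) *LBR {
	return &LBR{known: map[string]*Node{}, notify: notify}
}

func (l *LBR) ReceiveDAO(n *Node) error {
	l.known[n.Cred.Name] = n
	return l.notify(n)
}

// Handshake models the PCE reaching out to a reported node, here as a signed
// nonce exchange (an assumption; 6top itself is not modelled): each side
// checks that the peer's credential chains to its trust anchor, then that the
// peer holds the matching private key.
func Handshake(pce, jn *Node) error {
	transcript := make([]byte, 64) // PCE nonce || JN nonce, both fresh
	if _, err := rand.Read(transcript); err != nil {
		return err
	}
	// JN side: authenticate the PCE via the JCE-provisioned trust anchor.
	if err := verifyCredential(jn.Anchor, pce.Cred, "PCE"); err != nil {
		return fmt.Errorf("JN rejects PCE: %w", err)
	}
	jnSig := ed25519.Sign(jn.priv, transcript)
	// PCE side: authenticate the JN via its locally significant credential.
	if err := verifyCredential(pce.Anchor, jn.Cred, "JN"); err != nil {
		return fmt.Errorf("PCE rejects JN: %w", err)
	}
	if !ed25519.Verify(jn.Cred.Pub, transcript, jnSig) {
		return errors.New("PCE rejects JN: bad proof of possession")
	}
	pceSig := ed25519.Sign(pce.priv, transcript)
	if !ed25519.Verify(pce.Cred.Pub, transcript, pceSig) {
		return errors.New("JN rejects PCE: bad proof of possession")
	}
	return nil
}

// Scenario: one JCE enrolls the PCE and the JN; the JN "reboots" into the
// production network and its DAO at the LBR triggers the PCE handshake.
func Scenario() error {
	jce := NewJCE()
	pce := NewNode("pce", "PCE")
	jce.Enroll(pce)
	lbr := NewLBR(func(n *Node) error { return Handshake(pce, n) })
	jn := NewNode("forklift-7", "JN") // constructed sample node
	jce.Enroll(jn)                    // join process
	return lbr.ReceiveDAO(jn)         // after reboot: DAO -> LBR -> PCE
}

func main() {
	if err := Scenario(); err != nil {
		fmt.Println("handover failed:", err)
		return
	}
	fmt.Println("handover OK")
}
```

The signatures here bind only the two nonces, so this is a proof of possession, not a full key-establishment protocol; a real deployment would run something like DTLS or EDHOC between PCE and JN, with the JCE-issued credential and trust anchor as its inputs, which is also where the session-resumption ticket idea at the end of the message would plug in.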
