Hi Michael,

On 05/07/2016 07:47, Michael Richardson wrote:
> 
> Brian E Carpenter <[email protected]> wrote:
>     >> b.  MUST: Performs DNS-based Service Discovery [RFC6763] over
>     >> Multicast DNS [RFC6762] searching for the service
>     >> "_bootstrapks._tcp.local.".
> 
>     > I missed the bit where we got consensus to only specify DNSSD for
>     > discovery. My understanding was that since all ANs will contain the ANI
>     > components, GRASP discovery was an equally valid option.
> 
> This topic has come up repeatedly, and we have discussed it a lot.
> Maybe we need to do a full WG Consensus call about this?

Well, let's see if we can work it out ...
> 
> ===
> 
> We really like GRASP, and we want to use it to find pieces of the bootstrap
> system.
> 
> a) We believe that bootstrap will be used by many devices which do not have
>    a full AN stack.
>    And it could be that a line card that will have a full AN stack, doesn't
>    even have a full AN stack when it boots up the first time.  It might not
>    even know that it will have a full AN stack until such time as it receives
>    its first firmware update after/during NETCONF-style bootstrap.

Yes. So some careful phrasing about the default behaviour as well as the
MTI is needed, in any case.

> b) We believe that having a MTI that is already present in constrained
>    devices that might never do a full AN is a win.

Certainly. I am not objecting to an MTI but the text I quoted excludes
alternatives to the MTI.

> c) From a long history of security standpoint, we believe that restricting
>    GRASP to work within the secured ACP (only) will have significant attack
>    surface advantages.   While one could run a second GRASP instance that is
>    disconnected from the first on the proxy node, it would have to get a
>    number of configuration parameters via the secured GRASP side.

We're only talking about discovery here. So I really don't understand that
argument. GRASP discovery returns a transport locator (address, protocol, port).
By definition GRASP is running insecurely pre-bootstrap - it isn't a question
of an instance, it's actually a mode of operation. Once you've got the
transport locator you can do whatever you need to with it. GRASP will refuse
to perform any "real" operations (negotiation or synchronization) unless
it's secured.

I just don't see any security difference between mDNS or DNSSD for
"_bootstrapks._tcp.local." and grasp.discover() for an objective called,
for example, "_bootstrapks._tcp.local."

> 
>    The history of computing is replete with examples of privilege escalation
>    attacks from situations that were not originally envisioned.

Indeed. Exactly why GRASP says:

   The ACP, or in its absence the local PKI, sets the boundary within
   which nodes are trusted as GRASP peers.  A GRASP implementation MUST
   refuse to execute any GRASP functions except discovery if there is
   neither an operational ACP nor an operational TLS environment.

Regards
    Brian
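Added illustration, not code from the thread or from any GRASP implementation: a small Python model of the split Brian describes, where discovery for "_bootstrapks._tcp.local." works pre-bootstrap and returns a transport locator, while negotiation or synchronization is refused unless an ACP or TLS environment is operational. Message and objective layouts follow the published GRASP spec (RFC 8990) as plain Python lists rather than CBOR; GraspNode, demo, the link-local addresses and the port are constructed for the example.

```python
import ipaddress
import secrets

# Message types, locator option code and objective-flag bits as assigned in RFC 8990.
M_DISCOVERY, M_RESPONSE, M_REQ_NEG, M_REQ_SYN = 1, 2, 3, 4
O_IPV6_LOCATOR = 103
F_DISC, F_NEG, F_SYNCH = 1 << 0, 1 << 1, 1 << 2
GRASP_DEF_LOOPCT = 6          # default loop count carried in every objective
IPPROTO_TCP = 6               # IANA protocol number used in the locator option
BOOTSTRAP_OBJECTIVE = "_bootstrapks._tcp.local."   # objective name from the thread


class GraspNode:
    """Hypothetical minimal GRASP instance. `secured` is True only when an
    operational ACP (or TLS environment) exists; without it, RFC 8990 permits
    discovery and nothing else."""

    def __init__(self, link_local: str, secured: bool):
        self.initiator = ipaddress.IPv6Address(link_local).packed   # 16-byte initiator id
        self.secured = secured
        self.registry = {}   # objective name -> (IPv6Address, proto, port) served here

    def _gate(self, mtype: int) -> None:
        # Discovery and its response are the only functions allowed unsecured.
        if mtype not in (M_DISCOVERY, M_RESPONSE) and not self.secured:
            raise PermissionError("GRASP function refused: no ACP and no TLS")

    def build(self, mtype: int, objective: str, flags: int = F_DISC) -> list:
        self._gate(mtype)
        # [msg-type, session-id, initiator, objective]; objective = [name, flags, loop-count]
        return [mtype, secrets.randbits(32), self.initiator,
                [objective, flags, GRASP_DEF_LOOPCT]]

    def respond(self, msg: list):
        mtype, session_id, initiator, objective = msg[:4]
        self._gate(mtype)            # an unsecured responder refuses M_REQ_NEG / M_REQ_SYN too
        entry = self.registry.get(objective[0]) if mtype == M_DISCOVERY else None
        if entry is None:
            return None
        addr, proto, port = entry
        locator = [O_IPV6_LOCATOR, addr.packed, proto, port]
        return [M_RESPONSE, session_id, initiator, 60000, locator]   # ttl in milliseconds


def locator_from_response(resp: list):
    """Return (address, protocol, port): all discovery ever hands back."""
    code, addr, proto, port = resp[4]
    if code != O_IPV6_LOCATOR:
        raise ValueError("only O_IPv6_LOCATOR is modelled here")
    return str(ipaddress.IPv6Address(addr)), proto, port


def refused(node: GraspNode, mtype: int) -> bool:
    try:
        node.build(mtype, BOOTSTRAP_OBJECTIVE, F_NEG | F_SYNCH)
        return False
    except PermissionError:
        return True


def demo():
    """Unsecured pledge discovers the (constructed) bootstrap proxy at fe80::1 port 8443."""
    proxy = GraspNode("fe80::1", secured=False)
    proxy.registry[BOOTSTRAP_OBJECTIVE] = (ipaddress.IPv6Address("fe80::1"), IPPROTO_TCP, 8443)
    pledge = GraspNode("fe80::2", secured=False)
    return locator_from_response(proxy.respond(pledge.build(M_DISCOVERY, BOOTSTRAP_OBJECTIVE)))
```

Running demo() yields the locator ("fe80::1", 6, 8443), while the same unsecured pledge is refused when it tries to build a negotiation or synchronization request.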

_______________________________________________
Anima mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/anima