On 10/03/2017 22:39, Michael H. Behringer wrote:
> On 09/03/2017 20:37, Brian E Carpenter wrote:
>> On 10/03/2017 05:53, Barry Leiba wrote:
>>>>      > Personal opinion: encryption should be a MUST.
>>>>
>>>> I believe that we will have situations where we have a secured ACP into a
>>>> NOC (to an edge router or VM hypervisor), and then we will have some
>>>> unencrypted, but secured links to platforms in transition.
>>>>
>>>> It will be easy to add the GRASP daemon to answer resource requests to the
>>>> platform, but hard to add the ACP to that platform without a forklift
>>>> upgrade.
>>>>
>>>> This is why I think it is a SHOULD, as much as I want it to transition to
>>>> being a MUST.
>>> This brings up a common rant that I have:
>>> We should be putting into our protocol specs what we want the protocol
>>> to be, not some compromise that comes from knowing that not everyone
>>> will comply with everything from the start.
>>>
>>> If the right thing is to say "MUST encrypt", but we know there'll be a
>>> transition period during which that's not fully practical, then we
>>> should say that.  Something like this added to Section 3.5.1:
>>>
>>> NEW
>>> In some cases there will be a transition period, in which it might not
>>> be practical to run with strong encryption right away.  It's important
>>> to keep this period as short as possible, and to upgrade to a fully
>>> encrypted setup as soon as possible.
>>> END
>> or perhaps more precisely:
>>
>> During initialization of nodes there will be a transition period...
>>
>> Whether this is phrased as an exception to the MUST or as the justification
>> for ignoring the SHOULD is a matter of taste, I think.
> 
> Confused about this last comment. MichaelR pointed out the case of a 
> legacy network management platform, where you can easily add GRASP, but 
> not ACP support. I concur with this view: We saw this a lot in customer 
> deployment discussions.
> 
> When you say "during initialization of nodes", Brian, do you mean of 
> management stations or of nodes out there in the network?

It's supposed to mean *before* the node has a valid certificate, i.e. no
kind of security can be made to work. So we're talking about milliseconds
to seconds of exposure, I hope, while BRSKI does its job.

> In my understanding I would have written something like "until network 
> management systems can be upgraded to full ACP support ..."

Right, that's a different type of transition... but there wouldn't we
want to insist on (D)TLS or something like that? (Which again assumes
certificates are available.)

We can further clarify the text, for sure. 

   Brian

> 
> What am I missing?
> Michael
> 
> _______________________________________________
> Anima mailing list
> [email protected]
> https://www.ietf.org/mailman/listinfo/anima
> 
