During discovery I can see there being two sets of clients, those with
and without an identity.
For those with an identity there may be an opportunity to identify which
onboarding network to settle upon faster.
The identity could be placed in the SNI of the ClientHello[1] as it need
not be DNS related and may be treated as opaque data instead.
This would have no effect on certificate selection[2] but instead be
used by the server to determine if it was an identity it is willing to
service and when not returns a TLS alert ('access_denied').
Upon seeing this the client would then know to move on to another
network transparently cycling them till it struck gold.
This would remove the need for a device to wait for L3 to light up and
execute any discovery there to determine eligibility for enrolment.
[1] SNI is only being used here to aid me describing my thinking, a
ClientHello extension could be used if preferred
[2] This could simultaneously be used for routing allowing the server to
drop the device into a different VLAN or apply different networking
filter rules
--
Alexander Clouter
_______________________________________________
Emu mailing list -- [email protected]
To unsubscribe send an email to [email protected]
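The server-side check and the client-side cycling sketched in the post, written out as an added example (not code from the original message or from any EMU draft): a minimal ClientHello carrying a constructed opaque identity in the SNI host_name is built, parsed back out, and the server answers either "proceed" or a fatal access_denied alert. The identity strings, the per-network allowlists and the filler handshake fields are all constructed here.

```python
import struct
SNI_EXT, HOST_NAME, ACCESS_DENIED = 0, 0, 49   # RFC 6066 ext/name types, RFC 5246 alert code

def build_client_hello(identity: bytes) -> bytes:
    """Minimal TLS 1.2 ClientHello record with `identity` as the (opaque) SNI host_name; rest is filler."""
    name = struct.pack("!BH", HOST_NAME, len(identity)) + identity
    sni = struct.pack("!H", len(name)) + name
    exts = struct.pack("!HH", SNI_EXT, len(sni)) + sni
    body = (b"\x03\x03" + b"\x11" * 32 + b"\x00"         # version, constructed random, empty session id
            + struct.pack("!H", 2) + b"\xc0\x2f"         # one cipher suite
            + b"\x01\x00"                                 # one compression method: null
            + struct.pack("!H", len(exts)) + exts)
    hs = b"\x01" + len(body).to_bytes(3, "big") + body   # handshake type 1 = client_hello
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs

def extract_sni(record: bytes):
    """Walk a ClientHello record to its extensions; return the SNI host_name bytes, or None if absent/malformed."""
    try:
        if record[0] != 0x16 or record[5] != 0x01:
            return None
        p = 9 + 2 + 32                                       # record hdr, hs hdr, version, random
        p += 1 + record[p]                                   # skip session id
        p += 2 + struct.unpack("!H", record[p:p + 2])[0]     # skip cipher suites
        p += 1 + record[p]                                   # skip compression methods
        end = p + 2 + struct.unpack("!H", record[p:p + 2])[0]
        p += 2
        while p + 4 <= end:
            etype, elen = struct.unpack("!HH", record[p:p + 4])
            data = record[p + 4:p + 4 + elen]
            if etype == SNI_EXT and len(data) >= 5 and data[2] == HOST_NAME:
                nlen = struct.unpack("!H", data[3:5])[0]
                return data[5:5 + nlen]
            p += 4 + elen
    except (IndexError, struct.error):
        pass                                                 # truncated record or no extensions block
    return None

def gate(record: bytes, allowed: set):
    """Server side: None means continue the handshake; otherwise a fatal access_denied alert record."""
    if extract_sni(record) in allowed:
        return None
    return b"\x15\x03\x03\x00\x02" + bytes([2, ACCESS_DENIED])   # alert(21), fatal(2), access_denied(49)

def pick_network(identity: bytes, networks: dict):
    """Client side: offer the identity to each network in turn and stop at the first that does not refuse."""
    hello = build_client_hello(identity)
    for name, allowed in networks.items():
        if gate(hello, allowed) is None:
            return name
    return None
```

A real deployment would do the same decision inside the TLS library's SNI callback rather than by hand-parsing records; the parser here only makes the wire layout visible.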