IETF115 ANIMA WG Meeting Minutes
Thursday, November 10th, Session II, Mezzanine 10-11, 1300-1500 UTC (1:00 PM - 3 PM local time)
Chaired by Toerless Eckert (local), Sheng Jiang (remote)

01 Chair slides 15:00 - 15:10
Presenter: Toerless Eckert (local), Sheng Jiang (remote)
Slides: https://datatracker.ietf.org/meeting/115/materials/slides-115-anima-01-chair-slides-00

No slots requested.

WG documents:
draft-ietf-anima-brski-cloud-04 (unchanged from IETF114)
draft-ietf-anima-grasp-distribution-05 (unchanged from IETF114). The authors are working on an enhanced next revision that includes a demonstrable mechanism in the text to explain how it works. Planning to publish for IETF116 (from Xun.Xiao@huawei.com).
draft-ietf-anima-voucher-delegation-02 (unchanged from IETF114)
draft-ietf-anima-rfc8366bis-00 (expired, no update since IETF113)

Michael: BRSKI cloud has been waiting for WGLC for 2 IETFs.
Michael: voucher delegation may be irrelevant. The use cases came from a number of different places, like OPCUA, but they have moved on; time has passed. What they (OPCUA) called a voucher was not what we call a voucher. They do have an interesting process to build assemblies, though. Siemens may have a different interest in voucher delegation; Michael does not know what Siemens wants. If we do not figure out the customer, then consider what to do (kill); otherwise enhance it according to the customer's demands (explaining upon a question by Steffen Fries).
rfc8366bis may be important, but is low priority for the authors now; it will be raised in Michael's queue when the constrained work gets higher priority.
02 15:20 - 15:35 Status & next steps for draft-ietf-anima-constrained-voucher (15 minutes)
Draft: draft-ietf-anima-constrained-voucher-18 (unchanged from IETF114 - waiting for shepherd review by Toerless Eckert)
Presenter: Esko Dijk (local)
Slides: https://datatracker.ietf.org/meeting/115/materials/slides-115-anima-constrained-brski
URL for recorded demo: (no recorded demo)

Esko gave a live demonstration, starting pledges and running them through to enrollment, testing the concurrency behavior of the registrar. This test only uses Esko's code, forked from the openthread project ("OpenThread-Registrar"). By default it does not test the other existing codebases, but it could access other people's code (via IPv6 connection). For this test no discovery was done; no discovery code is implemented, the registrar address was preconfigured instead.
Q: Are all the > 1 year old issues from the early review closed? A: Yes, think so; a range of GitHub issues was opened for those and they should be resolved.
Show of hands, who has read the latest version: 2 hands.
Chairs: reviews by more people are the next step.

03 15:10 - 15:20 Update on constrained BRSKI join proxy (10 minutes)
Draft: draft-ietf-anima-constrained-join-proxy-13 (was -11 at IETF114)
Presenter: Michael Richardson (local)
Slides: https://datatracker.ietf.org/meeting/115/materials/slides-115-anima-constrained-join-proxy-status-00

Main rewrite: the draft now uses the CoAP header, after a longer discussion in IANA review by CoAP experts (due to CoAP discovery).
Rob Wilton: does this need another WG last call? Not quite clear? Michael: Yes. Toerless: Yes. The new version is out on datatracker, please compare.
Toerless: Benefits? Michael: The device is otherwise speaking CoAP; we removed the non-CoAP code (special CDDL code). The CoAP code is also likely a lot more used than the enrollment code, so this should result in more code stability / fewer bugs.
Peter is now retired; Michael is the only author left.
Esko: Using CoAP does have some impact on behavior. How about the response to a request?
Do we create additional messages that are not needed, e.g. a "2.04 Changed" response to a POST request?
Michael: We use non-confirmable.
Esko: but even a non-confirmable request will have a response. Don't want a 2.04 response message coming back; it has no value here. The server could just suppress it.
Michael: rfc9031 thought it got it right? rfc9031 got it wrong?..
Rob: Please have more cross-review to solve issues like this!
Rob did send the document back to the WG so it can go through another WG last call.

04 15:35 - 15:45 An Autonomic Mechanism for Resource-based Network Services Auto-deployment (10 minutes)
Draft: draft-ietf-anima-network-service-auto-deployment-03 (was -02 at IETF114)
Presenter: Sheng Jiang (remote)
Slides: https://datatracker.ietf.org/meeting/115/materials/slides-115-anima-a-generic-autonomic-deployment-and-management-mechanism-for-resource-based-network-services-01

Esko: Overall security model? All initiators have to be authenticated. They are authenticated the moment they join the ACP.
Toerless explained how authentication is derived from the ANI certificate (BRSKI), e.g. via TLS or ACP.
Sheng: how to do authentication for the purpose of this document is out of scope.

05 15:55 - 16:05 Update on JWS voucher (5 minutes)
Draft: draft-ietf-anima-jws-voucher-05 (was -04 at IETF114)
Presenter: Thomas Werner (remote)
Slides: https://datatracker.ietf.org/meeting/115/materials/slides-115-anima-update-on-jws-signed-vouchers-00

Maybe ask the authors of the JWS RFC for review if we use this (JOSE WG). Send a review request to the JOSE working group.

06 16:05 - 16:15 Update BRSKI with Pledge in Responder Mode (BRSKI-PRM) (10 minutes)
Draft: draft-ietf-anima-brski-prm-05 (was -04 at IETF114)
Presenter: Steffen Fries (remote)
Slides: https://datatracker.ietf.org/meeting/115/materials/slides-115-anima-update-brski-with-pledge-in-responder-mode-brski-prm-00

The YANG augmentation is the only open issue.
Michael asked at the beginning of August; waiting on Michael, who owns the process; this applies to different documents. Got something wrong in rfc8366: things can't be combined so far. Michael will repost tomorrow.
A SECDIR early review and also a YANG Doctor early review were proposed before WGLC. The YANG Doctor review is intended once the YANG augmentation is solved. The SECDIR review can be triggered immediately.

07 16:15 - 16:25 Update on BRSKI alternative enrollment (BRSKI-AE) (10 minutes)
Draft: draft-ietf-anima-brski-ae-03 (was -02 at IETF114)
Presenter: David von Oheimb (remote)
Slides: https://datatracker.ietf.org/meeting/115/materials/slides-115-anima-update-on-brski-ae-alternative-enrollment-protocols-in-brski-00

The WG chairs will align on potential early reviews, e.g. by SECDIR, before WGLC.

07.5 Hackathon - VPN
Michael Richardson: Has been trying to use the IETF VPN for several years because BRSKI testing really requires a VPN (L2 virtual connectivity). This has been a problem for a long time. Buy the smallest router (vendor: ), WiFi + Ethernet virtually bridged at L2 via IETF, and also get an IPv6 prefix. Caveat: it does not work during the 10 days around an IETF meeting, because the IETF headend is then being moved/shipped to the meeting.

09 KIRA: Distributed Scalable ID-based Routing with Fast Forwarding
Presenter: Roland Bless (local)
Slides: https://datatracker.ietf.org/meeting/115/materials/slides-115-anima-kira-anima-00
URL: https://mailarchive.ietf.org/arch/msg/anima/M9VhjN_4XKMNdjZJjKvU_ZL_-H0

Robust connectivity for the control plane.
Michael: One issue of the ACP is forming too many adjacencies when not needed. What we don't have in RPL is reasonable origin authentication. The routing protocol (RPL) does not leverage the authentication/certificates we have with ACP/BRSKI.
Fell off agenda (again): ANI Autoconfiguration via DNS (10 minutes)
Draft: draft-eckert-anima-services-dns-autoconfig-04 (only refresh since IETF114)
Draft: draft-eckert-anima-grasp-dnssd-02 (only refresh since IETF114)
Presenter: Toerless Eckert (local)
Slides: https://datatracker.ietf.org/meeting/115/materials/slides-115-anima-08-ani-autoconfiguration-via-dns-00
Note: Fell off the agenda at IETF114 due to running out of time.

To be done:
Now: Toerless: review ACP errata reported.
0. BRSKI-AE - WGLC first.
1. Ask for early reviews from directorates for BRSKI-PRM: iotdir, security; YANG is still an open issue.
2. BRSKI cloud last call - been waiting longest?!
3. BRSKI-PRM WGLC?!
4. Ensure enough review has been done on the constrained BRSKI join proxy, then do WGLC.
Before IETF116: recheck what we want to do with voucher-delegation.
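Editor's added illustration for the CoAP response discussion under item 03 (the "2.04 Changed" exchange between Esko and Michael). This is example code written for these minutes; it is not code from draft-ietf-anima-constrained-join-proxy, RFC 9031, OpenThread-Registrar or any other implementation mentioned above. It encodes and decodes raw CoAP (RFC 7252) messages to show that a non-confirmable POST still produces a 2.04 response, and shows one standardized way a client can ask the server to suppress it: the No-Response option (RFC 7967, option number 258), which the minutes do not name. Assumptions: the resource path "rv", the token and message-ID values, and the server_mid counter stand-in are placeholders; the JSON payload is constructed sample input.

```python
"""Minimal CoAP (RFC 7252) codec showing why a NON POST still gets a 2.04
response, and how the RFC 7967 No-Response option lets the client ask the
server to suppress it. Added example for the IETF115 ANIMA minutes; not code
from any ANIMA draft or the implementations discussed there."""
import struct

CON, NON, ACK = 0, 1, 2
POST = 0x02                      # code 0.02
CHANGED = (2 << 5) | 4           # code 2.04
OPT_URI_PATH = 11
OPT_NO_RESPONSE = 258            # RFC 7967
NO_RESPONSE_2XX = 2              # bit: "not interested in 2.xx responses"


def _enc_num(n):
    """Option delta/length: 4-bit nibble plus 0, 1 or 2 extension bytes."""
    if n < 13:
        return n, b""
    if n < 269:
        return 13, bytes([n - 13])
    return 14, struct.pack("!H", n - 269)


def encode(msg_type, code, mid, token=b"", options=(), payload=b""):
    """Serialise one CoAP message; options is an iterable of (number, bytes)."""
    out = bytearray([(1 << 6) | (msg_type << 4) | len(token), code])
    out += struct.pack("!H", mid) + token
    last = 0
    for num, val in sorted(options):        # options are delta-encoded in order
        d, dext = _enc_num(num - last)
        ln, lext = _enc_num(len(val))
        out.append((d << 4) | ln)
        out += dext + lext + val
        last = num
    if payload:
        out += b"\xff" + payload               # payload marker
    return bytes(out)


def _dec_num(nibble, buf, i):
    if nibble < 13:
        return nibble, i
    if nibble == 13:
        return buf[i] + 13, i + 1
    if nibble == 14:
        return struct.unpack("!H", buf[i:i + 2])[0] + 269, i + 2
    raise ValueError("nibble 15 is reserved outside the payload marker")


def decode(buf):
    """Parse a CoAP message into a dict (header, token, options list, payload)."""
    tkl = buf[0] & 0x0F
    msg = {"type": (buf[0] >> 4) & 3, "code": buf[1],
           "mid": struct.unpack("!H", buf[2:4])[0], "token": buf[4:4 + tkl],
           "options": [], "payload": b""}
    i, num = 4 + tkl, 0
    while i < len(buf):
        if buf[i] == 0xFF:
            msg["payload"] = buf[i + 1:]
            break
        d, j = _dec_num(buf[i] >> 4, buf, i + 1)
        ln, j = _dec_num(buf[i] & 0x0F, buf, j)
        num += d
        msg["options"].append((num, buf[j:j + ln]))
        i = j + ln
    return msg


def handle_post(raw, server_mid=0x1000):
    """Server side. Returns the response bytes, or None when the client asked
    for 2.xx responses to be suppressed. server_mid stands in for the server's
    own Message-ID counter used for a separate NON response (assumption)."""
    req = decode(raw)
    no_response = 0
    for num, val in req["options"]:
        if num == OPT_NO_RESPONSE:
            no_response = int.from_bytes(val, "big") if val else 0
    # ... the resource would do its actual work here ...
    if no_response & NO_RESPONSE_2XX:
        return None                            # RFC 7967: client does not want 2.xx
    if req["type"] == CON:                     # piggybacked ACK reuses the request MID
        return encode(ACK, CHANGED, req["mid"], req["token"])
    return encode(NON, CHANGED, server_mid, req["token"])  # NON -> separate NON response


def build_post(mid, suppress_2xx, token=b"\xab"):
    """Client side: NON POST to a placeholder path "rv" (not the draft's URI)."""
    opts = [(OPT_URI_PATH, b"rv")]
    if suppress_2xx:
        opts.append((OPT_NO_RESPONSE, bytes([NO_RESPONSE_2XX])))
    return encode(NON, POST, mid, token, opts, b"{}")   # constructed sample payload


if __name__ == "__main__":
    plain = handle_post(build_post(0x1234, False))
    print("NON POST without No-Response ->", "2.04 sent" if decode(plain)["code"] == CHANGED else "?")
    print("NON POST with No-Response    ->", handle_post(build_post(0x1235, True)))
```

Run stand-alone, the first case shows the point Esko made: the request being non-confirmable only changes the response type (a separate NON instead of a piggybacked ACK), it does not remove the 2.04 message. The second case shows the client-driven suppression; whether a join proxy or registrar should rely on RFC 7967 or simply not answer is exactly the cross-review question Rob asked for, and this example does not settle it.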