draft-ietf-anima-bootstrapping-keyinfra-10.txt   draft-ietf-anima-bootstrapping-keyinfra-11.txt 
ANIMA WG M. Pritikin ANIMA WG M. Pritikin
Internet-Draft Cisco Internet-Draft Cisco
Intended status: Standards Track M. Richardson Intended status: Standards Track M. Richardson
Expires: August 17, 2018 SSW Expires: August 24, 2018 SSW
M. Behringer M. Behringer
S. Bjarnason S. Bjarnason
Arbor Networks Arbor Networks
K. Watsen K. Watsen
Juniper Networks Juniper Networks
February 13, 2018 2 20, 2018
Bootstrapping Remote Secure Key Infrastructures (BRSKI) Bootstrapping Remote Secure Key Infrastructures (BRSKI)
draft-ietf-anima-bootstrapping-keyinfra-10 draft-ietf-anima-bootstrapping-keyinfra-11
Abstract Abstract
This document specifies automated bootstrapping of a remote secure This document specifies automated bootstrapping of a remote secure
key infrastructure (BRSKI) using vendor installed X.509 certificate, key infrastructure (BRSKI) using manufacturer installed X.509
in combination with a vendor's authorizing service, both online and certificate, in combination with a manufacturer's authorizing
offline. Bootstrapping a new device can occur using a routable service, both online and offline. Bootstrapping a new device can
address and a cloud service, or using only link-local connectivity, occur using a routable address and a cloud service, or using only
or on limited/disconnected networks. Support for lower security link-local connectivity, or on limited/disconnected networks.
models, including devices with minimal identity, is described for Support for lower security models, including devices with minimal
legacy reasons but not encouraged. Bootstrapping is complete when identity, is described for legacy reasons but not encouraged.
the cryptographic identity of the new key infrastructure is Bootstrapping is complete when the cryptographic identity of the new
successfully deployed to the device but the established secure key infrastructure is successfully deployed to the device but the
connection can be used to deploy a locally issued certificate to the established secure connection can be used to deploy a locally issued
device as well. certificate to the device as well.
Status of This Memo Status of This Memo
This Internet-Draft is submitted in full conformance with the This Internet-Draft is submitted in full conformance with the
provisions of BCP 78 and BCP 79. provisions of BCP 78 and BCP 79.
Internet-Drafts are working documents of the Internet Engineering Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet- working documents as Internet-Drafts. The list of current Internet-
Drafts is at https://datatracker.ietf.org/drafts/current/. Drafts is at https://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress." material or to cite them other than as "work in progress."
This Internet-Draft will expire on August 17, 2018. This Internet-Draft will expire on August 24, 2018.
Copyright Notice Copyright Notice
Copyright (c) 2018 IETF Trust and the persons identified as the Copyright (c) 2018 IETF Trust and the persons identified as the
document authors. All rights reserved. document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents Provisions Relating to IETF Documents
(https://trustee.ietf.org/license-info) in effect on the date of (https://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents publication of this document. Please review these documents
skipping to change at page 2, line 26 skipping to change at page 2, line 26
include Simplified BSD License text as described in Section 4.e of include Simplified BSD License text as described in Section 4.e of
the Trust Legal Provisions and are provided without warranty as the Trust Legal Provisions and are provided without warranty as
described in the Simplified BSD License. described in the Simplified BSD License.
Table of Contents Table of Contents
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 4 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 4
1.1. Other Bootstrapping Approaches . . . . . . . . . . . . . 5 1.1. Other Bootstrapping Approaches . . . . . . . . . . . . . 5
1.2. Terminology . . . . . . . . . . . . . . . . . . . . . . . 6 1.2. Terminology . . . . . . . . . . . . . . . . . . . . . . . 6
1.3. Scope of solution . . . . . . . . . . . . . . . . . . . . 8 1.3. Scope of solution . . . . . . . . . . . . . . . . . . . . 8
1.4. Leveraging the new key infrastructure / next steps . . . 9 1.4. Leveraging the new key infrastructure / next steps . . . 10
2. Architectural Overview . . . . . . . . . . . . . . . . . . . 10 1.5. Requirements for Autonomic Network Infrastructure (ANI)
2.1. Behavior of a Pledge . . . . . . . . . . . . . . . . . . 11 devices . . . . . . . . . . . . . . . . . . . . . . . . . 10
2.2. Secure Imprinting using Vouchers . . . . . . . . . . . . 13 2. Architectural Overview . . . . . . . . . . . . . . . . . . . 11
2.3. Initial Device Identifier . . . . . . . . . . . . . . . . 14 2.1. Behavior of a Pledge . . . . . . . . . . . . . . . . . . 12
2.4. Protocol Flow . . . . . . . . . . . . . . . . . . . . . . 15 2.2. Secure Imprinting using Vouchers . . . . . . . . . . . . 14
2.4.1. Architectural component: Pledge . . . . . . . . . . . 17 2.3. Initial Device Identifier . . . . . . . . . . . . . . . . 15
2.4.2. Architectural component: Circuit Proxy . . . . . . . 17 2.4. Protocol Flow . . . . . . . . . . . . . . . . . . . . . . 16
2.4.3. Architectural component: Domain Registrar . . . . . . 17 2.4.1. Architectural component: Pledge . . . . . . . . . . . 18
2.4.4. Architectural component: Vendor Service . . . . . . . 17 2.4.2. Architectural component: Circuit Proxy . . . . . . . 18
2.5. Lack of realtime clock . . . . . . . . . . . . . . . . . 17 2.4.3. Architectural component: Domain Registrar . . . . . . 18
2.6. Cloud Registrar . . . . . . . . . . . . . . . . . . . . . 18 2.4.4. Architectural component: Manufacturer Service . . . . 18
2.7. Determining the MASA to contact . . . . . . . . . . . . . 18 2.5. Lack of realtime clock . . . . . . . . . . . . . . . . . 18
3. Voucher-Request artifact . . . . . . . . . . . . . . . . . . 19 2.6. Cloud Registrar . . . . . . . . . . . . . . . . . . . . . 19
3.1. Tree Diagram . . . . . . . . . . . . . . . . . . . . . . 19 2.7. Determining the MASA to contact . . . . . . . . . . . . . 20
3.2. Examples . . . . . . . . . . . . . . . . . . . . . . . . 20 3. Voucher-Request artifact . . . . . . . . . . . . . . . . . . 20
3.3. YANG Module . . . . . . . . . . . . . . . . . . . . . . . 22 3.1. Tree Diagram . . . . . . . . . . . . . . . . . . . . . . 20
4. Proxy details . . . . . . . . . . . . . . . . . . . . . . . . 24 3.2. Examples . . . . . . . . . . . . . . . . . . . . . . . . 21
4.1. Pledge discovery of Proxy . . . . . . . . . . . . . . . . 25 3.3. YANG Module . . . . . . . . . . . . . . . . . . . . . . . 23
4.1.1. Proxy Grasp announcements . . . . . . . . . . . . . . 26 4. Proxy details . . . . . . . . . . . . . . . . . . . . . . . . 26
4.2. CoAP connection to Registrar . . . . . . . . . . . . . . 27 4.1. Pledge discovery of Proxy . . . . . . . . . . . . . . . . 27
4.3. HTTPS proxy connection to Registrar . . . . . . . . . . . 27 4.1.1. Proxy GRASP announcements . . . . . . . . . . . . . . 28
4.4. Proxy discovery of Registrar . . . . . . . . . . . . . . 28 4.2. CoAP connection to Registrar . . . . . . . . . . . . . . 28
5. Protocol Details . . . . . . . . . . . . . . . . . . . . . . 29 4.3. HTTPS Proxy connection to Registrar . . . . . . . . . . . 28
5.1. BRSKI-EST TLS establishment details . . . . . . . . . . . 31 4.4. Proxy discovery of Registrar . . . . . . . . . . . . . . 29
5.2. Pledge Requests Voucher from the Registrar . . . . . . . 31 5. Protocol Details . . . . . . . . . . . . . . . . . . . . . . 30
5.3. BRSKI-MASA TLS establishment details . . . . . . . . . . 33 5.1. BRSKI-EST TLS establishment details . . . . . . . . . . . 32
5.4. Registrar Requests Voucher from MASA . . . . . . . . . . 33 5.2. Pledge Requests Voucher from the Registrar . . . . . . . 32
5.5. Voucher Response . . . . . . . . . . . . . . . . . . . . 36 5.3. BRSKI-MASA TLS establishment details . . . . . . . . . . 34
5.4. Registrar Requests Voucher from MASA . . . . . . . . . . 34
5.5. Voucher Response . . . . . . . . . . . . . . . . . . . . 37
5.5.1. Completing authentication of Provisional TLS 5.5.1. Completing authentication of Provisional TLS
connection . . . . . . . . . . . . . . . . . . . . . 37 connection . . . . . . . . . . . . . . . . . . . . . 38
5.6. Voucher Status Telemetry . . . . . . . . . . . . . . . . 38 5.6. Voucher Status Telemetry . . . . . . . . . . . . . . . . 39
5.7. MASA authorization log Request . . . . . . . . . . . . . 39 5.7. MASA authorization log Request . . . . . . . . . . . . . 40
5.7.1. MASA authorization log Response . . . . . . . . . . . 40 5.7.1. MASA authorization log Response . . . . . . . . . . . 41
5.8. EST Integration for PKI bootstrapping . . . . . . . . . . 41 5.8. EST Integration for PKI bootstrapping . . . . . . . . . . 42
5.8.1. EST Distribution of CA Certificates . . . . . . . . . 42 5.8.1. EST Distribution of CA Certificates . . . . . . . . . 43
5.8.2. EST CSR Attributes . . . . . . . . . . . . . . . . . 42 5.8.2. EST CSR Attributes . . . . . . . . . . . . . . . . . 43
5.8.3. EST Client Certificate Request . . . . . . . . . . . 43 5.8.3. EST Client Certificate Request . . . . . . . . . . . 44
5.8.4. Enrollment Status Telemetry . . . . . . . . . . . . . 43 5.8.4. Enrollment Status Telemetry . . . . . . . . . . . . . 44
5.8.5. EST over CoAP . . . . . . . . . . . . . . . . . . . . 44 5.8.5. EST over CoAP . . . . . . . . . . . . . . . . . . . . 45
6. Reduced security operational modes . . . . . . . . . . . . . 44 6. Reduced security operational modes . . . . . . . . . . . . . 45
6.1. Trust Model . . . . . . . . . . . . . . . . . . . . . . . 44 6.1. Trust Model . . . . . . . . . . . . . . . . . . . . . . . 46
6.2. Pledge security reductions . . . . . . . . . . . . . . . 45 6.2. Pledge security reductions . . . . . . . . . . . . . . . 46
6.3. Registrar security reductions . . . . . . . . . . . . . . 46 6.3. Registrar security reductions . . . . . . . . . . . . . . 47
6.4. MASA security reductions . . . . . . . . . . . . . . . . 47 6.4. MASA security reductions . . . . . . . . . . . . . . . . 48
7. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 48 7. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 49
7.1. PKIX Registry . . . . . . . . . . . . . . . . . . . . . . 48 7.1. PKIX Registry . . . . . . . . . . . . . . . . . . . . . . 49
7.2. Voucher Status Telemetry . . . . . . . . . . . . . . . . 48 7.2. Voucher Status Telemetry . . . . . . . . . . . . . . . . 49
8. Security Considerations . . . . . . . . . . . . . . . . . . . 48 8. Security Considerations . . . . . . . . . . . . . . . . . . . 49
8.1. Freshness in Voucher-Requests . . . . . . . . . . . . . . 50 8.1. Freshness in Voucher-Requests . . . . . . . . . . . . . . 51
9. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 51 9. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 52
10. References . . . . . . . . . . . . . . . . . . . . . . . . . 51 10. References . . . . . . . . . . . . . . . . . . . . . . . . . 52
10.1. Normative References . . . . . . . . . . . . . . . . . . 51 10.1. Normative References . . . . . . . . . . . . . . . . . . 52
10.2. Informative References . . . . . . . . . . . . . . . . . 54 10.2. Informative References . . . . . . . . . . . . . . . . . 55
Appendix A. IPv4 operations . . . . . . . . . . . . . . . . . . 55 Appendix A. IPv4 operations . . . . . . . . . . . . . . . . . . 56
A.1. IPv4 Link Local addresses . . . . . . . . . . . . . . . . 55 A.1. IPv4 Link Local addresses . . . . . . . . . . . . . . . . 57
A.2. Use of DHCPv4 . . . . . . . . . . . . . . . . . . . . . . 55 A.2. Use of DHCPv4 . . . . . . . . . . . . . . . . . . . . . . 57
Appendix B. mDNS / DNSSD proxy discovery options . . . . . . . . 55 Appendix B. mDNS / DNSSD proxy discovery options . . . . . . . . 57
Appendix C. IPIP Join Proxy mechanism . . . . . . . . . . . . . 56 Appendix C. IPIP Join Proxy mechanism . . . . . . . . . . . . . 58
C.1. Multiple Join networks on the Join Proxy side . . . . . . 57 C.1. Multiple Join networks on the Join Proxy side . . . . . . 58
C.2. Automatic configuration of tunnels on Registrar . . . . . 57 C.2. Automatic configuration of tunnels on Registrar . . . . . 59
C.3. Proxy Neighbor Discovery by Join Proxy . . . . . . . . . 58 C.3. Proxy Neighbor Discovery by Join Proxy . . . . . . . . . 59
C.4. Use of connected sockets; or IP_PKTINFO for CoAP on C.4. Use of connected sockets; or IP_PKTINFO for CoAP on
Registrar . . . . . . . . . . . . . . . . . . . . . . . . 58 Registrar . . . . . . . . . . . . . . . . . . . . . . . . 60
C.5. Use of socket extension rather than virtual interface . . 58 C.5. Use of socket extension rather than virtual interface . . 60
Appendix D. MUD Extension . . . . . . . . . . . . . . . . . . . 59 Appendix D. MUD Extension . . . . . . . . . . . . . . . . . . . 60
Appendix E. Example Vouchers . . . . . . . . . . . . . . . . . . 61 Appendix E. Example Vouchers . . . . . . . . . . . . . . . . . . 62
E.1. Keys involved . . . . . . . . . . . . . . . . . . . . . . 61 E.1. Keys involved . . . . . . . . . . . . . . . . . . . . . . 62
E.1.1. MASA key pair for voucher signatures . . . . . . . . 61 E.1.1. MASA key pair for voucher signatures . . . . . . . . 62
E.1.2. Manufacturer key pair for IDevID signatures . . . . . 61 E.1.2. Manufacturer key pair for IDevID signatures . . . . . 62
E.1.3. Registrar key pair . . . . . . . . . . . . . . . . . 62 E.1.3. Registrar key pair . . . . . . . . . . . . . . . . . 63
E.1.4. Pledge key pair . . . . . . . . . . . . . . . . . . . 64 E.1.4. Pledge key pair . . . . . . . . . . . . . . . . . . . 65
E.2. Example process . . . . . . . . . . . . . . . . . . . . . 65 E.2. Example process . . . . . . . . . . . . . . . . . . . . . 66
E.2.1. Pledge to Registrar . . . . . . . . . . . . . . . . . 65 E.2.1. Pledge to Registrar . . . . . . . . . . . . . . . . . 66
E.2.2. Registrar to MASA . . . . . . . . . . . . . . . . . . 71 E.2.2. Registrar to MASA . . . . . . . . . . . . . . . . . . 72
E.2.3. MASA to Registrar . . . . . . . . . . . . . . . . . . 77 E.2.3. MASA to Registrar . . . . . . . . . . . . . . . . . . 78
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 82 Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 83
1. Introduction 1. Introduction
BRSKI provides a foundation to securely answer the following BRSKI provides a foundation to securely answer the following
questions between an element of the network domain called the questions between an element of the network domain called the
"Registrar" and an unconfigured and untouched device called a "Registrar" and an unconfigured and untouched device called a
"Pledge": "Pledge":
o Registrar authenticating the Pledge: "Who is this device? What is o Registrar authenticating the Pledge: "Who is this device? What is
its identity?" its identity?"
o Registrar authorization the Pledge: "Is it mine? Do I want it? o Registrar authoring the Pledge: "Is it mine? Do I want it? What
What are the chances it has been compromised?" are the chances it has been compromised?"
o Pledge authenticating the Registrar/Domain: "What is this domain's o Pledge authenticating the Registrar/Domain: "What is this domain's
identity?" identity?"
o Pledge authorization the Registrar: "Should I join it?" o Pledge authorizing the Registrar: "Should I join it?"
This document details protocols and messages to the endpoints to This document details protocols and messages to the endpoints to
answer the above questions. The Registrar actions derive from Pledge answer the above questions. The Registrar actions derive from Pledge
identity, third party cloud service communications, and local access identity, third party cloud service communications, and local access
control lists. The Pledge actions derive from a cryptographically control lists. The Pledge actions derive from a cryptographically
protected "voucher" message delivered through the Registrar but protected "voucher" message delivered through the Registrar but
originating at a Manufacturer Authorized Signing Authority. originating at a Manufacturer Authorized Signing Authority.
The syntactic details of vouchers are described in detail in The syntactic details of vouchers are described in detail in
[I-D.ietf-anima-voucher]. This document details automated protocol [I-D.ietf-anima-voucher]. This document details automated protocol
mechanisms to obtain vouchers, including the definition of a mechanisms to obtain vouchers, including the definition of a
'voucher-request' message that is a minor extension to the voucher 'voucher-request' message that is a minor extension to the voucher
format (see Section 3). format (see Section 3) defined by [I-D.ietf-anima-voucher].
BRSKI results in the Pledge storing an X.509 root certificate BRSKI results in the Pledge storing an X.509 root certificate
sufficient for verifying the Registrar identity. In the process a sufficient for verifying the Registrar identity. In the process a
TLS connection is established which can be directly used for TLS connection is established that can be directly used for
Enrollment over Secure Transport (EST). In effect BRSKI provides an Enrollment over Secure Transport (EST). In effect BRSKI provides an
automated mechanism for the "Bootstrap Distribution of CA automated mechanism for the "Bootstrap Distribution of CA
Certificates" described in [RFC7030] Section 4.1.1 wherein the Pledge Certificates" described in [RFC7030] Section 4.1.1 wherein the Pledge
"MUST [...]. engage a human user to authorize the CA certificate "MUST [...] engage a human user to authorize the CA certificate using
using out-of-band" information". With BRSKI the Pledge now can out-of-band" information". With BRSKI the Pledge now can automate
automate this process using the voucher. Integration with a complete this process using the voucher. Integration with a complete EST
EST enrollment is optional but trivial. enrollment is optional but trivial.
BRSKI is agile enough to support bootstrapping alternative key BRSKI is agile enough to support bootstrapping alternative key
infrastructures, such as a symmetric key solutions, but no such infrastructures, such as a symmetric key solutions, but no such
system is described in this document. system is described in this document.
1.1. Other Bootstrapping Approaches 1.1. Other Bootstrapping Approaches
To literally "pull yourself up by the bootstraps" is an impossible To literally "pull yourself up by the bootstraps" is an impossible
action. Similarly the secure establishment of a key infrastructure action. Similarly the secure establishment of a key infrastructure
without external help is also an impossibility. Today it is commonly without external help is also an impossibility. Today it is commonly
accepted that the initial connections between nodes are insecure, accepted that the initial connections between nodes are insecure,
until key distribution is complete, or that domain-specific keying until key distribution is complete, or that domain-specific keying
material is pre-provisioned on each new device in a costly and non- material (often pre-shared keys, including mechanisms like SIM cards)
scalable manner. Existing mechanisms are known as non-secured 'Trust is pre-provisioned on each new device in a costly and non-scalable
on First Use' (TOFU) [RFC7435], 'resurrecting duckling' manner. Existing mechanisms are known as non-secured 'Trust on First
Use' (TOFU) [RFC7435], 'resurrecting duckling'
[Stajano99theresurrecting] or 'pre-staging'. [Stajano99theresurrecting] or 'pre-staging'.
Another approach is to try and minimize user actions during Another approach is to try and minimize user actions during
bootstrapping. The enrollment protocol EST [RFC7030] details a set bootstrapping. The enrollment protocol EST [RFC7030] details a set
of non-autonomic bootstrapping methods in this vein: of non-autonomic bootstrapping methods in this vein:
o using the Implicit Trust Anchor database (not an autonomic o using the Implicit Trust Anchor database (not an autonomic
solution because the URL must be securely distributed), solution because the URL must be securely distributed),
o engaging a human user to authorize the CA certificate using out- o engaging a human user to authorize the CA certificate using out-
skipping to change at page 5, line 39 skipping to change at page 5, line 44
because the distribution of an explicit TA database is not because the distribution of an explicit TA database is not
autonomic), autonomic),
o and using a Certificate-Less TLS mutual authentication method (not o and using a Certificate-Less TLS mutual authentication method (not
an autonomic solution because the distribution of symmetric key an autonomic solution because the distribution of symmetric key
material is not autonomic). material is not autonomic).
These "touch" methods do not meet the requirements for zero-touch. These "touch" methods do not meet the requirements for zero-touch.
There are "call home" technologies where the Pledge first establishes There are "call home" technologies where the Pledge first establishes
a connection to a well known vendor service using a common client- a connection to a well known manufacturer service using a common
server authentication model. After mutual authentication appropriate client-server authentication model. After mutual authentication,
credentials to authenticate the target domain are transfered to the appropriate credentials to authenticate the target domain are
Pledge. This creates serveral problems and limitations: transfered to the Pledge. This creates serveral problems and
limitations:
o the pledge requires realtime connectivity to the vendor service, o the Pledge requires realtime connectivity to the manufacturer
service,
o the domain identity is exposed to the vendor service (this is a o the domain identity is exposed to the manufacturer service (this
privacy concern), is a privacy concern),
o the vendor is responsible for making the authorization decisions o the manufacturer is responsible for making the authorization
(this is a liability concern), decisions (this is a liability concern),
BRSKI addresses these issues by defining extensions to the EST BRSKI addresses these issues by defining extensions to the EST
protocol for the automated distribution of vouchers. protocol for the automated distribution of vouchers.
1.2. Terminology 1.2. Terminology
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and
"OPTIONAL" in this document are to be interpreted as described in "OPTIONAL" in this document are to be interpreted as described in
[RFC2119]. [RFC2119].
The following terms are defined for clarity: The following terms are defined for clarity:
domainID: The domain IDentity is the 160-bit SHA-1 hash of the BIT domainID: The domain IDentity is the 160-bit SHA-1 hash of the BIT
STRING of the subjectPublicKey of the root certificate for the STRING of the subjectPublicKey of the root certificate for the
registrars in the domain. This is consistent with the subject key Registrars in the domain. This is consistent with the subject key
identifier (Section 4.2.1.2 [RFC5280]). identifier (Section 4.2.1.2 [RFC5280]).
drop ship: The physical distribution of equipment containing the drop ship: The physical distribution of equipment containing the
"factory default" configuration to a final destination. In zero- "factory default" configuration to a final destination. In zero-
touch scenarios there is no staging or pre-configuration during touch scenarios there is no staging or pre-configuration during
drop-ship. drop-ship.
imprint: The process where a device obtains the cryptographic key imprint: The process where a device obtains the cryptographic key
material to identify and trust future interactions with a network. material to identify and trust future interactions with a network.
This term is taken from Konrad Lorenz's work in biology with new This term is taken from Konrad Lorenz's work in biology with new
ducklings: during a critical period, the duckling would assume ducklings: during a critical period, the duckling would assume
that anything that looks like a mother duck is in fact their that anything that looks like a mother duck is in fact their
mother. An equivalent for a device is to obtain the fingerprint mother. An equivalent for a device is to obtain the fingerprint
of the network's root certification authority certificate. A of the network's root certification authority certificate. A
device that imprints on an attacker suffers a similar fate to a device that imprints on an attacker suffers a similar fate to a
duckling that imprints on a hungry wolf. Securely imprinting is a duckling that imprints on a hungry wolf. Securely imprinting is a
primary focus of this document.[imprinting]. The analogy to primary focus of this document [imprinting]. The analogy to
Lorenz's work was first noted in [Stajano99theresurrecting]. Lorenz's work was first noted in [Stajano99theresurrecting].
enrollment: The process where a device presents key material to a enrollment: The process where a device presents key material to a
network and acquires a network specific identity. For example network and acquires a network specific identity. For example
when a certificate signing request is presented to a certification when a certificate signing request is presented to a certification
authority and a certificate is obtained in response. authority and a certificate is obtained in response.
Pledge: The prospective device, which has an identity installed by a Pledge: The prospective device, which has an identity installed at
third-party (e.g., vendor, manufacturer or integrator). the factory.
Voucher A signed statement from the MASA service that indicates to a Voucher: A signed artifact from the MASA that indicates to a Pledge
Pledge the cryptographic identity of the Registrar it should the cryptographic identity of the Registrar it should trust.
trust. There are different types of vouchers depending on how There are different types of vouchers depending on how that trust
that trust asserted. Multiple voucher types are defined in is asserted. Multiple voucher types are defined in
[I-D.ietf-anima-voucher] [I-D.ietf-anima-voucher]
Domain: The set of entities that trust a common key infrastructure Domain: The set of entities that trust a common key infrastructure
trust anchor. This includes the Proxy, Registrar, Domain trust anchor. This includes the Proxy, Registrar, Domain
Certificate Authority, Management components and any existing Certificate Authority, Management components and any existing
entity that is already a member of the domain. entity that is already a member of the domain.
Domain CA: The domain Certification Authority (CA) provides Domain CA: The domain Certification Authority (CA) provides
certification functionalities to the domain. At a minimum it certification functionalities to the domain. At a minimum it
provides certification functionalities to a Registrar and stores provides certification functionalities to a Registrar and stores
skipping to change at page 7, line 25 skipping to change at page 7, line 31
Join Registrar (and Coordinator): A representative of the domain Join Registrar (and Coordinator): A representative of the domain
that is configured, perhaps autonomically, to decide whether a new that is configured, perhaps autonomically, to decide whether a new
device is allowed to join the domain. The administrator of the device is allowed to join the domain. The administrator of the
domain interfaces with a Join Registrar (and Coordinator) to domain interfaces with a Join Registrar (and Coordinator) to
control this process. Typically a Join Registrar is "inside" its control this process. Typically a Join Registrar is "inside" its
domain. For simplicity this document often refers to this as just domain. For simplicity this document often refers to this as just
"Registrar". The term JRC is used in common with other bootstrap "Registrar". The term JRC is used in common with other bootstrap
mechanisms. mechanisms.
Join Proxy: A domain entity that helps the pledge join the domain. (Public) Key Infrastructure: The collection of systems and processes
that sustain the activities of a public key system. In an ANIMA
Autonomic system, this includes a Domain Certification Authority
(CA), (Join) Registrar which acts as an [RFC5280] Registrar, as
well as appropriate certificate revocation list (CRL) distribution
points and/or OCSP ([RFC6960]) servers.
Join Proxy: A domain entity that helps the Pledge join the domain.
A Proxy facilitates communication for devices that find themselves A Proxy facilitates communication for devices that find themselves
in an environment where they are not provided connectivity until in an environment where they are not provided connectivity until
after they are validated as members of the domain. The pledge is after they are validated as members of the domain. The Pledge is
unaware that they are communicating with a proxy rather than unaware that they are communicating with a Proxy rather than
directly with a Registrar. directly with a Registrar.
MASA Service: A third-party Manufacturer Authorized Signing MASA Service: A third-party Manufacturer Authorized Signing
Authority (MASA) service on the global Internet. The MASA signs Authority (MASA) service on the global Internet. The MASA signs
vouchers. It also provides a repository for audit log information vouchers. It also provides a repository for audit log information
of privacy protected bootstrapping events. It does not track of privacy protected bootstrapping events. It does not track
ownership. ownership.
Ownership Tracker: An Ownership Tracker service on the global Ownership Tracker: An Ownership Tracker service on the global
internet. The Ownership Tracker uses business processes to internet. The Ownership Tracker uses business processes to
accurately track ownership of all devices shipped against domains accurately track ownership of all devices shipped against domains
that have purchased them. Although optional this component allows that have purchased them. Although optional, this component
vendors to provide additional value in cases where their sales and allows vendors to provide additional value in cases where their
distribution channels allow for accurately tracking of such sales and distribution channels allow for accurately tracking of
ownership. Ownership tracking information is indicated in such ownership. Ownership tracking information is indicated in
vouchers as described in [I-D.ietf-anima-voucher] vouchers as described in [I-D.ietf-anima-voucher]
IDevID: An Initial Device Identity X.509 certificate installed by IDevID: An Initial Device Identity X.509 certificate installed by
the vendor on new equipment. the vendor on new equipment.
TOFU: Trust on First Use. Used similarly to [RFC7435]. This is TOFU: Trust on First Use. Used similarly to [RFC7435]. This is
where a Pledge device makes no security decisions but rather where a Pledge device makes no security decisions but rather
simply trusts the first Registrar it is contacted by. This is simply trusts the first Registrar it is contacted by. This is
also known as the "resurrecting duckling" model. also known as the "resurrecting duckling" model.
nonced: a voucher (or request) that contains a nonce (the normal nonced: a voucher (or request) that contains a nonce (the normal
case). case).
nonceless: a voucher (or request) that does not contain a nonce, nonceless: a voucher (or request) that does not contain a nonce,
relying upon accurate clocks for expiration, or which does not relying upon accurate clocks for expiration, or which does not
expire. expire.
manufacturer: the term manufacturer is used throughout this document
to be the entity that created the device. This is typically the
"original equipment manufacturer" or OEM, but in more complex
situations it could be a "value added retailer" (VAR), or possibly
even a systems integrator. In general, it a goal of BRSKI to
eliminate small distinctions between different sales channels.
The reason for this is that it permits a single device, with a
uniform firmware load, to be shipped directly to all customers.
This eliminates costs for the manufacturer. This also reduces the
number of products supported in the field increasing the chance
that firmware will be more up to date.
ANI: The Autonomic Network Infrastructure as defined by
[I-D.ietf-anima-autonomic-control-plane]. This document details
specific requirements for pledges, proxies and registrars when
they are part of an ANI.
1.3. Scope of solution 1.3. Scope of solution
Questions have been posed as to whether this solution is suitable in Questions have been posed as to whether this solution is suitable in
general for Internet of Things (IoT) networks. This depends on the general for Internet of Things (IoT) networks. This depends on the
capabilities of the devices in question. The terminology of capabilities of the devices in question. The terminology of
[RFC7228] is best used to describe the boundaries. [RFC7228] is best used to describe the boundaries.
The solution described in this document is aimed in general at non- The solution described in this document is aimed in general at non-
constrained (i.e. class 2+) devices operating on a non-Challenged constrained (i.e., class 2+) devices operating on a non-Challenged
network. The entire solution as described here is not intended to be network. The entire solution as described here is not intended to be
useable as-is by constrained devices operating on challenged networks useable as-is by constrained devices operating on challenged networks
(such as 802.15.4 LLNs). (such as 802.15.4 LLNs).
In many target applications, the systems involved are large router In many target applications, the systems involved are large router
platforms with multi-gigabit inter-connections, mounted in controlled platforms with multi-gigabit inter-connections, mounted in controlled
access data centers. But this solution is not exclusive to the access data centers. But this solution is not exclusive to the
large, it is intended to scale to thousands of devices located in large, it is intended to scale to thousands of devices located in
hostile environments, such as ISP provided CPE devices which are hostile environments, such as ISP provided CPE devices which are
drop-shipped to the end user. The situation where an order is drop-shipped to the end user. The situation where an order is
fulfilled from distributed warehouse from a common stock and shipped fulfilled from distributed warehouse from a common stock and shipped
directly to the target location at the request of the domain owner is directly to the target location at the request of the domain owner is
explicitly supported. That stock ("SKU") could be provided to a explicitly supported. That stock ("SKU") could be provided to a
number of potential domain owners, and the eventual domain owner will number of potential domain owners, and the eventual domain owner will
not know a-priori which device will go to which location. not know a-priori which device will go to which location.
The bootstrapping process can take minutes to complete depending on The bootstrapping process can take minutes to complete depending on
the network infrastructure and device processing speed. The network the network infrastructure and device processing speed. The network
communication itself is not optimized for speed; for privacy reasons, communication itself is not optimized for speed; for privacy reasons,
the discovery process allows for the Pledge to avoid announcing it's the discovery process allows for the Pledge to avoid announcing its
presence through broadcasting. presence through broadcasting.
This protocol is not intended for low latency handoffs. In networks This protocol is not intended for low latency handoffs. In networks
requiring such things, the pledge SHOULD already have been enrolled. requiring such things, the Pledge SHOULD already have been enrolled.
Specifically, there are protocol aspects described here which might Specifically, there are protocol aspects described here that might
result in congestion collapse or energy-exhaustion of intermediate result in congestion collapse or energy-exhaustion of intermediate
battery powered routers in an LLN. Those types of networks SHOULD battery powered routers in an LLN. Those types of networks SHOULD
NOT use this solution. These limitations are predominately related NOT use this solution. These limitations are predominately related
to the large credential and key sizes required for device to the large credential and key sizes required for device
authentication. Defining symmetric key techniques that meet the authentication. Defining symmetric key techniques that meet the
operational requirements is out-of-scope but the underlying protocol operational requirements is out-of-scope but the underlying protocol
operations (TLS handshake and signing structures) have sufficient operations (TLS handshake and signing structures) have sufficient
algorithm agility to support such techniques when defined. algorithm agility to support such techniques when defined.
The imprint protocol described here could, however, be used by non- The imprint protocol described here could, however, be used by non-
energy constrained devices joining a non-constrained network (for energy constrained devices joining a non-constrained network (for
instance, smart light bulbs are usually mains powered, and speak instance, smart light bulbs are usually mains powered, and speak
802.11). It could also be used by non-constrained devices across a 802.11). It could also be used by non-constrained devices across a
non-energy constrained, but challenged network (such as 802.15.4). non-energy constrained, but challenged network (such as 802.15.4).
The certificate contents, and the process by which the four questions The certificate contents, and the process by which the four questions
above are resolved do apply to constrained devices. It is simply the above are resolved do apply to constrained devices. It is simply the
actual on-the-wire imprint protocol which could be inappropriate. actual on-the-wire imprint protocol that could be inappropriate.
This document presumes that network access control has either already This document presumes that network access control has either already
occurred, is not required, or is integrated by the proxy and occurred, is not required, or is integrated by the Proxy and
registrar in such a way that the device itself does not need to be Registrar in such a way that the device itself does not need to be
aware of the details. Although the use of an X.509 Initial Device aware of the details. Although the use of an X.509 Initial Device
Identity is consistant with IEEE 802.1AR [IDevID], and allows for Identity is consistant with IEEE 802.1AR [IDevID], and allows for
alignment with 802.1X network access control methods, its use here is alignment with 802.1X network access control methods, its use here is
for Pledge authentication rather than network access control. for Pledge authentication rather than network access control.
Integrating this protocol with network access control, perhaps as an Integrating this protocol with network access control, perhaps as an
Extensible Authentication Protocol (EAP) method (see [RFC3748]), is Extensible Authentication Protocol (EAP) method (see [RFC3748]), is
out-of-scope. out-of-scope.
1.4. Leveraging the new key infrastructure / next steps 1.4. Leveraging the new key infrastructure / next steps
As a result of the protocol described herein the bootstrapped devices As a result of the protocol described herein, the bootstrapped
have a common trust anchor and a certificate has optionally been devices have a common trust anchor and a certificate has optionally
issued from a local PKI. This makes it possible to automatically been issued from a local PKI. This makes it possible to
deploy services across the domain in a secure manner. automatically deploy services across the domain in a secure manner.
Services which benefit from this: Services that benefit from this:
o Device management. o Device management.
o Routing authentication. o Routing authentication.
o Service discovery. o Service discovery.
The major beneficiary is that it possible to use the credentials The major beneficiary is that it possible to use the credentials
deployed by this protocol to secure the Autonomic Control Plane (ACP) deployed by this protocol to secure the Autonomic Control Plane (ACP)
([I-D.ietf-anima-autonomic-control-plane]). ([I-D.ietf-anima-autonomic-control-plane]).
1.5. Requirements for Autonomic Network Infrastructure (ANI) devices
The BRSKI protocol can be used in a number of environments. Some of
the flexibility in this document is the result of users out of the
ANI scope. This section defines the base requirements for ANI
devices.
For devices that intend to become part of an Autonomic Network
Infrastructure (ANI) ([I-D.ietf-anima-reference-model]) that includes
an Autonomic Control Plane
([I-D.ietf-anima-autonomic-control-plane]), the following actions are
required and MUST be performed by the Pledge:
o BRSKI: Request Voucher
o EST: CA Certificates Request
o EST: CSR Attributes
o EST: Client Certificate Request
o BRSKI: Enrollment status Telemetry
The ANI Registrar (JRC) MUST support all the BRSKI and above listed
EST operations.
All ANI devices SHOULD support the BRSKI proxy function, using
circuit proxies. Other proxy methods are optional, and may be
enabled only if the JRC indicates support for them in it's
announcement. (See Section 4.4)
2. Architectural Overview 2. Architectural Overview
The logical elements of the bootstrapping framework are described in The logical elements of the bootstrapping framework are described in
this section. Figure 1 provides a simplified overview of the this section. Figure 1 provides a simplified overview of the
components. Each component is logical and may be combined with other components. Each component is logical and may be combined with other
components as necessary. components as necessary.
+------------------------+ +------------------------+
+--------------Drop Ship--------------->| Vendor Service | +--------------Drop Ship--------------->| Vendor Service |
| +------------------------+ | +------------------------+
skipping to change at page 10, line 35 skipping to change at page 11, line 42
| | . +------------+ +-----------+ | . | | . +------------+ +-----------+ | .
| | . | | | | | . | | . | | | | | .
|Pledge | . | Circuit | | Domain <-------+ . |Pledge | . | Circuit | | Domain <-------+ .
| | . | Proxy | | Registrar | . | | . | Proxy | | Registrar | .
| <-------->............<-------> (PKI RA) | . | <-------->............<-------> (PKI RA) | .
| | | BRSKI-EST | | . | | | BRSKI-EST | | .
| | . | | +-----+-----+ . | | . | | +-----+-----+ .
|IDevID | . +------------+ | EST RFC7030 . |IDevID | . +------------+ | EST RFC7030 .
| | . +-----------------+----------+ . | | . +-----------------+----------+ .
| | . | Key Infrastructure | . | | . | Key Infrastructure | .
| | . | (e.g. PKI Certificate | . | | . | (e.g., PKI Certificate | .
+-------+ . | Authority) | . +-------+ . | Authority) | .
. +----------------------------+ . . +----------------------------+ .
. . . .
................................................ ................................................
"Domain" components "Domain" components
Figure 1 Figure 1
We assume a multi-vendor network. In such an environment there could We assume a multi-vendor network. In such an environment there could
be a Vendor Service for each vendor that supports devices following be a Manufacturer Service for each manufacturer that supports devices
this document's specification, or an integrator could provide a following this document's specification, or an integrator could
generic service authorized by multiple vendors. It is unlikely that provide a generic service authorized by multiple manufacturers. It
an integrator could provide Ownership Tracking services for multiple is unlikely that an integrator could provide Ownership Tracking
vendors due to the required sales channel integrations necessary to services for multiple manufacturers due to the required sales channel
track ownership. integrations necessary to track ownership.
The domain is the managed network infrastructure with a Key The domain is the managed network infrastructure with a Key
Infrastructure the Pledge is joining. The a domain provides initial Infrastructure the Pledge is joining. The domain provides initial
device connectivity sufficient for bootstrapping with a Circuit device connectivity sufficient for bootstrapping with a Circuit
Proxy. The Domain Registrar authenticates the Pledge, makes Proxy. The Domain Registrar authenticates the Pledge, makes
authorization decisions, and distributes vouchers obtained from the authorization decisions, and distributes vouchers obtained from the
Vendor Service. Optionally the Registrar also acts as a PKI Manufacturer Service. Optionally the Registrar also acts as a PKI
Registration Authority. Registration Authority.
2.1. Behavior of a Pledge 2.1. Behavior of a Pledge
The pledge goes through a series of steps which are outlined here at The Pledge goes through a series of steps, which are outlined here at
a high level. a high level.
+--------------+ +--------------+
| Factory | | Factory |
| default | | default |
+------+-------+ +------+-------+
| |
+------v-------+ +------v-------+
| Discover | | Discover |
+------------> | +------------> |
skipping to change at page 12, line 28 skipping to change at page 13, line 28
| rejected +------+-------+ | rejected +------+-------+
| | | |
| +------v-------+ | +------v-------+
| | Request | | | Request |
| | Join | | | Join |
| +------+-------+ | +------+-------+
| | | |
| +------v-------+ | +------v-------+
| | Imprint | Optional | | Imprint | Optional
^------------+ <--+Manual input (Appendix C) ^------------+ <--+Manual input (Appendix C)
| Bad Vendor +------+-------+ | Bad MASA +------+-------+
| response | send Voucher Status Telemetry | response | send Voucher Status Telemetry
| +------v-------+ | +------v-------+
| | Enroll | | | Enroll |
^------------+ | ^------------+ |
| Enroll +------+-------+ | Enroll +------+-------+
| Failure | | Failure |
| +------v-------+ | +------v-------+
| | Enrolled | | | Enrolled |
^------------+ | ^------------+ |
Factory +--------------+ Factory +--------------+
reset reset
Figure 2 Figure 2
State descriptions for the pledge are as follows: State descriptions for the Pledge are as follows:
1. Discover a communication channel to a Registrar. 1. Discover a communication channel to a Registrar.
2. Identify itself. This is done by presenting an X.509 IDevID 2. Identify itself. This is done by presenting an X.509 IDevID
credential to the discovered Registrar (via the Proxy) in a TLS credential to the discovered Registrar (via the Proxy) in a TLS
handshake. (The Registrar credentials are only provisionally handshake. (The Registrar credentials are only provisionally
accepted at this time). accepted at this time).
3. Requests to Join the discovered Registrar. A unique nonce can be 3. Request to Join the discovered Registrar. A unique nonce can be
included ensuring that any responses can be associated with this included ensuring that any responses can be associated with this
particular bootstrapping attempt. particular bootstrapping attempt.
4. Imprint on the Registrar. This requires verification of the 4. Imprint on the Registrar. This requires verification of the
vendor service provided voucher. A voucher contains sufficient manufacturer service provided voucher. A voucher contains
information for the Pledge to complete authentication of a sufficient information for the Pledge to complete authentication
Registrar. (It enables the Pledge to finish authentication of of a Registrar. (It enables the Pledge to finish authentication
the Registrar TLS server certificate). of the Registrar TLS server certificate).
5. Enroll. By accepting the domain specific information from a 5. Enroll. By accepting the domain specific information from a
Registrar, and by obtaining a domain certificate from a Registrar Registrar, and by obtaining a domain certificate from a Registrar
using a standard enrollment protocol, e.g. Enrollment over using a standard enrollment protocol, e.g. Enrollment over
Secure Transport (EST) [RFC7030]. Secure Transport (EST) [RFC7030].
6. The Pledge is now a member of, and can be managed by, the domain 6. The Pledge is now a member of, and can be managed by, the domain
and will only repeat the discovery aspects of bootstrapping if it and will only repeat the discovery aspects of bootstrapping if it
is returned to factory default settings. is returned to factory default settings.
2.2. Secure Imprinting using Vouchers 2.2. Secure Imprinting using Vouchers
A voucher is a cryptographically protected statement to the Pledge A voucher is a cryptographically protected artifact (a digital
device authorizing a zero-touch imprint on the Registrar domain. signature) to the Pledge device authorizing a zero-touch imprint on
the Registrar domain.
The format and cryptographic mechanism of vouchers is described in The format and cryptographic mechanism of vouchers is described in
detail in [I-D.ietf-anima-voucher]. detail in [I-D.ietf-anima-voucher].
Vouchers provide a flexible mechanism to secure imprinting: the Vouchers provide a flexible mechanism to secure imprinting: the
Pledge device only imprints when a voucher can be validated. At the Pledge device only imprints when a voucher can be validated. At the
lowest security levels the MASA server can indiscriminately issue lowest security levels the MASA server can indiscriminately issue
vouchers. At the highest security levels issuance of vouchers can be vouchers. At the highest security levels issuance of vouchers can be
integrated with complex sales channel integrations that are beyond integrated with complex sales channel integrations that are beyond
the scope of this document. This provides the flexibility for a the scope of this document. This provides the flexibility for a
number of use cases via a single common protocol mechanism on the number of use cases via a single common protocol mechanism on the
Pledge and Registrar devices that are to be widely deployed in the Pledge and Registrar devices that are to be widely deployed in the
field. The MASA vendor services have the flexibility to leverage field. The MASA services have the flexibility to leverage either the
either the currently defined claim mechanisms or to experiment with currently defined claim mechanisms or to experiment with higher or
higher or lower security levels. lower security levels.
Vouchers provide a signed but non-encrypted communication channel Vouchers provide a signed but non-encrypted communication channel
between the Pledge, the MASA, and the Registrar. The Registrar among the Pledge, the MASA, and the Registrar. The Registrar
maintains control over the transport and policy decisions allowing maintains control over the transport and policy decisions allowing
the local security policy of the domain network to be enforced. the local security policy of the domain network to be enforced.
2.3. Initial Device Identifier 2.3. Initial Device Identifier
Pledge authentication and Pledge voucher-request signing is via an Pledge authentication and Pledge voucher-request signing is via an
X.509 certificate installed during the manufacturing process. This X.509 certificate installed during the manufacturing process. This
Initial Device Identifier provides a basis for authenticating the Initial Device Identifier provides a basis for authenticating the
Pledge during subsequent protocol exchanges and informing the Pledge during subsequent protocol exchanges and informing the
Registrar of the MASA URI. There is no requirement for a common root Registrar of the MASA URI. There is no requirement for a common root
PKI hierarchy. Each device vendor can generate their own root PKI hierarchy. Each device manufacturer can generate its own root
certificate. certificate.
The following previously defined fields are in the X.509 IDevID The following previously defined fields are in the X.509 IDevID
certificate: certificate:
o The subject field's DN encoding MUST include the "serialNumber" o The subject field's DN encoding MUST include the "serialNumber"
attribute with the device's unique serial number. attribute with the device's unique serial number.
o The subject-alt field's encoding SHOULD include a non-critical o The subject-alt field's encoding SHOULD include a non-critical
version of the RFC4108 defined HardwareModuleName. version of the RFC4108 defined HardwareModuleName.
In order to build the voucher "serial-number" field these IDevID In order to build the voucher "serial-number" field these IDevID
fields need to be converted into a serial-number of "type string". fields need to be converted into a serial-number of "type string".
The following methods is used depending on the first available IDevID The following methods are used depending on the first available
certificate field (attempted in this order): IDevID certificate field (attempted in this order):
o An RFC4514 String Representation of the Distinguished Name o An RFC4514 String Representation of the Distinguished Name
"serialNumber" attribute. "serialNumber" attribute.
o The HardwareModuleName hwSerialNum OCTET STRING base64 encoded. o The HardwareModuleName hwSerialNum OCTET STRING base64 encoded.
o The RFC4514 String Representation of the Distinguished Name o The RFC4514 String Representation of the Distinguished Name
"common name" attribute. "common name" attribute.
The following newly defined field SHOULD be in the X.509 IDevID The following newly defined field SHOULD be in the X.509 IDevID
certificate: An X.509 non-critical certificate extension that certificate: An X.509 non-critical certificate extension that
contains a single Uniform Resource Identifier (URI) that points to an contains a single Uniform Resource Identifier (URI) that points to an
on-line Manufacturer Authorized Signing Authority. The URI is on-line Manufacturer Authorized Signing Authority. The URI is
represented as described in Section 7.4 of [RFC5280]. represented as described in Section 7.4 of [RFC5280].
Any Internationalized Resource Identifiers (IRIs) MUST be mapped to Any Internationalized Resource Identifiers (IRIs) MUST be mapped to
URIs as specified in Section 3.1 of [RFC3987] before they are placed URIs as specified in Section 3.1 of [RFC3987] before they are placed
in the certificate extension. The URI provides the authority in the certificate extension. The URI provides the authority
information. The BRSKI .well-known tree is described in Section 5 information. The BRSKI "/.well-known" tree ([RFC5785]) is described
in Section 5.
The new extension is identified as follows: The new extension is identified as follows:
<CODE BEGINS> <CODE BEGINS>
MASAURLExtnModule-2016 { iso(1) identified-organization(3) dod(6) MASAURLExtnModule-2016 { iso(1) identified-organization(3) dod(6)
internet(1) security(5) mechanisms(5) pkix(7) internet(1) security(5) mechanisms(5) pkix(7)
id-mod(0) id-mod-MASAURLExtn2016(TBD) } id-mod(0) id-mod-MASAURLExtn2016(TBD) }
DEFINITIONS IMPLICIT TAGS ::= BEGIN DEFINITIONS IMPLICIT TAGS ::= BEGIN
skipping to change at page 16, line 6 skipping to change at page 17, line 12
A representative flow is shown in Figure 3: A representative flow is shown in Figure 3:
+--------+ +---------+ +------------+ +------------+ +--------+ +---------+ +------------+ +------------+
| Pledge | | Circuit | | Domain | | Vendor | | Pledge | | Circuit | | Domain | | Vendor |
| | | Proxy | | Registrar | | Service | | | | Proxy | | Registrar | | Service |
| | | | | (JRC) | | (MASA) | | | | | | (JRC) | | (MASA) |
+--------+ +---------+ +------------+ +------------+ +--------+ +---------+ +------------+ +------------+
| | | Internet | | | | Internet |
|<-RFC4862 IPv6 addr | | | |<-RFC4862 IPv6 addr | | |
|<-RFC3927 IPv4 addr | Appendix A | | |<-RFC3927 IPv4 addr | Appendix A | Legend |
| | | | |-------------------->| | C - circuit |
|-------------------->| | | | optional: mDNS query| Appendix B | proxy |
| optional: mDNS query| Appendix B | | | RFC6763/RFC6762 | | P - provisional |
| RFC6763/RFC6762 | | | |<--------------------| | TLS connection |
| | | |
|<--------------------| | |
| GRASP M_FLOOD | | | | GRASP M_FLOOD | | |
| periodic broadcast| | | | periodic broadcast| | |
| | | |
|<------------------->C<----------------->| | |<------------------->C<----------------->| |
| TLS via the Circuit Proxy | | | TLS via the Circuit Proxy | |
|<--Registrar TLS server authentication---| | |<--Registrar TLS server authentication---| |
[PROVISIONAL accept of server cert] | | [PROVISIONAL accept of server cert] | |
P---X.509 client authentication---------->| | P---X.509 client authentication---------->| |
P | | | P | | |
P---Voucher Request (include nonce)------>| | P---Voucher Request (include nonce)------>| |
P | | |
P | /---> | | P | /---> | |
P | | [accept device?] | P | | [accept device?] |
P | | [contact Vendor] | P | | [contact Vendor] |
P | | |--Pledge ID-------->| P | | |--Pledge ID-------->|
P | | |--Domain ID-------->| P | | |--Domain ID-------->|
P | | |--optional:nonce--->| P | | |--optional:nonce--->|
P | | | [extract DomainID] P | | | [extract DomainID]
P | | | |
P | optional: | [update audit log] P | optional: | [update audit log]
P | |can | | P | |can | |
P | |occur | | P | |occur | |
P | |in | | P | |in | |
P | |advance | | P | |advance | |
P | |if | | P | |if | |
P | |nonceless | | P | |nonceless | |
P | | |<- voucher ---------| P | | |<- voucher ---------|
P | \----> | | P | \----> | |
P | | |
P<------voucher---------------------------| | P<------voucher---------------------------| |
[verify voucher ] | | | [verify voucher , [verify provisional cert| | |
[verify provisional cert| | |
| | | |
|---------------------------------------->| | |---------------------------------------->| |
| [voucher status telemetry] |<-device audit log--| | [voucher status telemetry] |<-device audit log--|
| | [verify audit log and voucher] | | | [verify audit log and voucher] |
| | | |
|<--------------------------------------->| | |<--------------------------------------->| |
| Continue with RFC7030 enrollment | | | Continue with RFC7030 enrollment | |
| using now bidirectionally authenticated | | | using now bidirectionally authenticated | |
| TLS session. | | | | TLS session. | | |
| | | |
Figure 3 Figure 3
2.4.1. Architectural component: Pledge 2.4.1. Architectural component: Pledge
The Pledge is the device which is attempting to join. Until the The Pledge is the device that is attempting to join. Until the
pledge completes the enrollment process, it has network connectivity Pledge completes the enrollment process, it has network connectivity
only to the Proxy. only to the Proxy.
2.4.2. Architectural component: Circuit Proxy 2.4.2. Architectural component: Circuit Proxy
The (Circuit) Proxy provides HTTPS connectivity between the pledge The (Circuit) Proxy provides HTTPS connectivity between the Pledge
and the registrar. The proxy mechanism is described in Section 4, and the Registrar. The Proxy mechanism is described in Section 4,
with an optional stateless mechanism described in Appendix C. with an optional stateless mechanism described in Appendix C.
2.4.3. Architectural component: Domain Registrar 2.4.3. Architectural component: Domain Registrar
The Domain Registrar (having the formal name Join Registrar/ The Domain Registrar (having the formal name Join Registrar/
Coordinator (JRC)), operates as a CMC Registrar, terminating the EST Coordinator (JRC), operates as a CMC Registrar, terminating the EST
and BRSKI connections. The Registrar is manually configured or and BRSKI connections. The Registrar is manually configured or
distributed with a list of trust anchors necessary to authenticate distributed with a list of trust anchors necessary to authenticate
any Pledge device expected on the network. The Registrar any Pledge device expected on the network. The Registrar
communicates with the Vendor supplied MASA to establish ownership. communicates with the MASA to establish ownership.
2.4.4. Architectural component: Vendor Service 2.4.4. Architectural component: Manufacturer Service
The Vendor Service provides two logically seperate functions: the The Manufacturer Service provides two logically seperate functions:
Manufacturer Authorized Signing Authority (MASA), and an ownership the Manufacturer Authorized Signing Authority (MASA), and an
tracking/auditing function. ownership tracking/auditing function.
2.5. Lack of realtime clock 2.5. Lack of realtime clock
Many devices when bootstrapping do not have knowledge of the current Many devices when bootstrapping do not have knowledge of the current
time. Mechanisms like Network Time Protocols can not be secured time. Mechanisms such as Network Time Protocols cannot be secured
until bootstrapping is complete. Therefore bootstrapping is defined until bootstrapping is complete. Therefore bootstrapping is defined
in a method that does not require knowledge of the current time. in a method that does not require knowledge of the current time.
Unfortunately there are moments during bootstrapping when Unfortunately there are moments during bootstrapping when
certificates are verified, such as during the TLS handshake, where certificates are verified, such as during the TLS handshake, where
validity periods are confirmed. This paradoxical "catch-22" is validity periods are confirmed. This paradoxical "catch-22" is
resolved by the Pledge maintaining a concept of the current "window" resolved by the Pledge maintaining a concept of the current "window"
of presumed time validity that is continually refined throughout the of presumed time validity that is continually refined throughout the
bootstrapping process as follows: bootstrapping process as follows:
o Initially the Pledge does not know the current time. o Initially the Pledge does not know the current time.
o During Pledge authentiation by the Registrar a realtime clock can o During Pledge authentiation by the Registrar a realtime clock can
be used by the Registrar. This bullet expands on a closely be used by the Registrar. This bullet expands on a closely
related issue regarding Pledge lifetimes. RFC5280 indicates that related issue regarding Pledge lifetimes. RFC5280 indicates that
long lived Pledge certifiates "SHOULD be assigned the long lived Pledge certifiates "SHOULD be assigned the
GeneralizedTime value of 99991231235959Z" [RFC7030] so the GeneralizedTime value of 99991231235959Z" [RFC7030], so the
Registrar MUST support such lifetimes and SHOULD support ignoring Registrar MUST support such lifetimes and SHOULD support ignoring
Pledge lifetimes if they did not follow the RFC5280 Pledge lifetimes if they did not follow the RFC5280
recommendations. recommendations.
o The Pledge authenticates the voucher presented to it. During this o The Pledge authenticates the voucher presented to it. During this
authentication the Pledge ignores certificate lifetimes (by authentication the Pledge ignores certificate lifetimes (by
necessity because it does not have a realtime clock). necessity because it does not have a realtime clock).
o If the voucher contains a nonce then the Pledge MUST confirm the o If the voucher contains a nonce then the Pledge MUST confirm the
nonce matches the original Pledge voucher-request. This ensures nonce matches the original Pledge voucher-request. This ensures
skipping to change at page 18, line 34 skipping to change at page 19, line 28
subsequent certificate validity periods checked during RFC5280 subsequent certificate validity periods checked during RFC5280
path validation MUST occur within this window. path validation MUST occur within this window.
o When accepting an enrollment certificate the validity period o When accepting an enrollment certificate the validity period
within the new certificate is assumed to be valid by the Pledge. within the new certificate is assumed to be valid by the Pledge.
The Pledge is now willing to use this credential for client The Pledge is now willing to use this credential for client
authentication. authentication.
2.6. Cloud Registrar 2.6. Cloud Registrar
The Pledge MAY contact a well known URI of a cloud Registrar if a There are transitional situations where devices may be deployed into
local Registrar can not be discovered or if the Pledge's target use legacy networks that use proprietary bootstrapping mechanisms based
cases do not include a local Registrar. upon the base EST ([RFC7030]). The same device may also be deployed
into an ANIMA environment. This may be due to incremental
replacement of a legacy situation with ANIMA.
There are additionally some greenfield situations involving an
entirely new installation where a device may have some kind of
management uplink that it can use (such as via 3G network for
instance). In such a future situation, the device might use this
management interface to learn that it should configure itself by to-
be-determined mechanism (such as an Intent) to become the local
Registrar.
In order to support these scenarios, the Pledge MAY contact a well
known URI of a cloud Registrar if a local Registrar cannot be
discovered or if the Pledge's target use cases do not include a local
Registrar.
If the Pledge uses a well known URI for contacting a cloud Registrar If the Pledge uses a well known URI for contacting a cloud Registrar
an Implicit Trust Anchor database (see [RFC7030]) MUST be used to an Implicit Trust Anchor database (see [RFC7030]) MUST be used to
authenticate service as described in RFC6125. This is consistent authenticate service as described in [RFC6125]. This is consistent
with the human user configuration of an EST server URI in [RFC7030] with the human user configuration of an EST server URI in [RFC7030]
which also depends on RFC6125. which also depends on RFC6125.
2.7. Determining the MASA to contact 2.7. Determining the MASA to contact
The registrar needs to be able to contact a MASA that is trusted by The Registrar needs to be able to contact a MASA that is trusted by
the Pledge in order to obtain vouchers. There are three mechanisms the Pledge in order to obtain vouchers. There are three mechanisms
described: described:
The device's Initial Device Identifier will normally contain the MASA The device's Initial Device Identifier will normally contain the MASA
URL as detailed in Section 2.3. This is the RECOMMENDED mechanism. URL as detailed in Section 2.3. This is the RECOMMENDED mechanism.
If the Registrar is integrated with [I-D.ietf-opsawg-mud] and the If the Registrar is integrated with [I-D.ietf-opsawg-mud] and the
Pledge IDevID contains the id-pe-mud-url then the Registrar MAY Pledge IDevID contains the id-pe-mud-url then the Registrar MAY
attempt to obtain the MASA URL from the MUD file. The MUD file attempt to obtain the MASA URL from the MUD file. The MUD file
extension for the MASA URL is defined in Appendix D. extension for the MASA URL is defined in Appendix D.
It can be operationally difficult to ensure the necessary X.509 It can be operationally difficult to ensure the necessary X.509
extensions are in the Pledge's' IDevID due to the difficulty of extensions are in the Pledge's IDevID due to the difficulty of
aligning current Pledge manufacturing with software releases and aligning current Pledge manufacturing with software releases and
development. As a final fallback the Registrar MAY be manually development. As a final fallback the Registrar MAY be manually
configured or distributed with a MASA URL for each vendor. Note that configured or distributed with a MASA URL for each manufacturer.
the Registrar can only select the configured MASA URL based on the Note that the Registrar can only select the configured MASA URL based
trust anchor -- so vendors can only leverage this approach if they on the trust anchor -- so manufacturers can only leverage this
ensure a single MASA URL works for all Pledge's associated with each approach if they ensure a single MASA URL works for all Pledge's
trust anchor. associated with each trust anchor.
3. Voucher-Request artifact 3. Voucher-Request artifact
The Pledge voucher-request is how a Pledge requests a voucher. The The Pledge voucher-request is how a Pledge requests a voucher. The
Pledge forms a voucher-request and submits it to the Registrar. The Pledge forms a voucher-request and submits it to the Registrar. The
Registrar in turn submits a voucher-request to the MASA server. To Registrar in turn submits a voucher-request to the MASA server. To
help differentiate this document refers to "Pledge voucher-request" help differentiate this document refers to "Pledge voucher-request"
and "Registrar voucher-request" when indicating the source is and "Registrar voucher-request" when indicating the source is
beneficial. The "proximity-registrar-cert" leaf is used in Pledge beneficial. The "proximity-registrar-cert" leaf defined in this
voucher-requests. The "prior-signed-voucher-request" is used in section is used in Pledge voucher-requests. The "prior-signed-
Registrar voucher-requests that include a Pledge voucher-request. voucher-request" is used in Registrar voucher-requests that include a
Pledge voucher-request.
Unless otherwise signaled (outside the voucher-request artifact), the Unless otherwise signaled (outside the voucher-request artifact), the
signing structure is as defined for vouchers, see signing structure is as defined for vouchers, see
[I-D.ietf-anima-voucher]. [I-D.ietf-anima-voucher].
3.1. Tree Diagram 3.1. Tree Diagram
The following tree diagram illustrates a high-level view of a The following tree diagram illustrates a high-level view of a
voucher-request document. The notation used in this diagram is voucher-request document. The notation used in this diagram is
described in [I-D.ietf-anima-voucher]. Each node in the diagram is described in [I-D.ietf-anima-voucher]. Each node in the diagram is
skipping to change at page 20, line 24 skipping to change at page 21, line 24
+---- pinned-domain-cert? binary +---- pinned-domain-cert? binary
+---- domain-cert-revocation-checks? boolean +---- domain-cert-revocation-checks? boolean
+---- nonce? binary +---- nonce? binary
+---- last-renewal-date? yang:date-and-time +---- last-renewal-date? yang:date-and-time
+---- prior-signed-voucher-request? binary +---- prior-signed-voucher-request? binary
+---- proximity-registrar-cert? binary +---- proximity-registrar-cert? binary
3.2. Examples 3.2. Examples
This section provides voucher examples for illustration purposes. This section provides voucher examples for illustration purposes.
That these examples conform to the encoding rules defined in These examples conform to the encoding rules defined in [RFC7951].
[RFC7951].
Example (1) The following example illustrates a Pledge voucher- Example (1) The following example illustrates a Pledge voucher-
request. The assertion leaf is indicated as 'proximity' request. The assertion leaf is indicated as 'proximity'
and the Registrar's TLS server certificate is included and the Registrar's TLS server certificate is included
in the 'proximity-registrar-cert' leaf. See in the 'proximity-registrar-cert' leaf. See
Section 5.2. Section 5.2.
{ {
"ietf-voucher-request:voucher": { "ietf-voucher-request:voucher": {
"nonce": "62a2e7693d82fcda2624de58fb6722e5", "nonce": "62a2e7693d82fcda2624de58fb6722e5",
"created-on": "2017-01-01T00:00:00.000Z", "created-on": "2017-01-01T00:00:00.000Z",
"assertion": "proximity", "assertion": "proximity",
"proximity-registrar-cert": "base64encodedvalue==" "proximity-registrar-cert": "base64encodedvalue=="
} }
} }
Example (2) The following example illustrates a Registrar voucher- Example (2) The following example illustrates a Registrar voucher-
request. The 'prior-signed-voucher-request' leaf is request. The 'prior-signed-voucher-request' leaf is
populated with the Pledge's voucher-request (such as the populated with the Pledge's voucher-request (such as the
prior example). See Section 5.4. prior example). The Pledge's voucher-request, if a
signed artifact with a CMS format signature is a binary
object. In the JSON encoding used here it must be
base64 encoded. The nonce, created-on and assertion is
carried forward. serial-number is extracted from the
Pledge's Client Certificate from the TLS connection.
See Section 5.4.
{ {
"ietf-voucher-request:voucher": { "ietf-voucher-request:voucher": {
"nonce": "62a2e7693d82fcda2624de58fb6722e5", "nonce": "62a2e7693d82fcda2624de58fb6722e5",
"created-on": "2017-01-01T00:00:02.000Z", "created-on": "2017-01-01T00:00:02.000Z",
"assertion": "proximity", "assertion": "proximity",
"idevid-issuer": "base64encodedvalue==" "idevid-issuer": "base64encodedvalue=="
"serial-number": "JADA123456789" "serial-number": "JADA123456789"
"prior-signed-voucher": "base64encodedvalue==" "prior-signed-voucher": "base64encodedvalue=="
} }
skipping to change at page 21, line 36 skipping to change at page 22, line 36
"created-on": "2017-01-01T00:00:02.000Z", "created-on": "2017-01-01T00:00:02.000Z",
"assertion": "TBD", "assertion": "TBD",
"idevid-issuer": "base64encodedvalue==" "idevid-issuer": "base64encodedvalue=="
"serial-number": "JADA123456789" "serial-number": "JADA123456789"
} }
} }
Example (4) The following example illustrates a Registrar voucher- Example (4) The following example illustrates a Registrar voucher-
request. The 'prior-signed-voucher-request' leaf is not request. The 'prior-signed-voucher-request' leaf is not
populated with the Pledge voucher-request because the populated with the Pledge voucher-request because the
Pledge did not sign it's own request. This form might Pledge did not sign its own request. This form might be
be used when more constrained Pledges are being used when more constrained Pledges are being deployed.
deployed. The nonce is populated from the Pledge's The nonce is populated from the Pledge's request. See
request. See Section 5.4. Section 5.4.
{ {
"ietf-voucher-request:voucher": { "ietf-voucher-request:voucher": {
"nonce": "62a2e7693d82fcda2624de58fb6722e5", "nonce": "62a2e7693d82fcda2624de58fb6722e5",
"created-on": "2017-01-01T00:00:02.000Z", "created-on": "2017-01-01T00:00:02.000Z",
"assertion": "proximity", "assertion": "proximity",
"idevid-issuer": "base64encodedvalue==" "idevid-issuer": "base64encodedvalue=="
"serial-number": "JADA123456789" "serial-number": "JADA123456789"
} }
} }
3.3. YANG Module 3.3. YANG Module
Following is a YANG [RFC7950] module formally extending the Following is a YANG [RFC7950] module formally extending the
[I-D.ietf-anima-voucher] voucher into a voucher-request. [I-D.ietf-anima-voucher] voucher into a voucher-request.
<CODE BEGINS> file "yang/ietf-voucher-request@2018-02-13.yang" <CODE BEGINS> file "ietf-voucher-request@2018-02-14.yang"
module ietf-voucher-request { module ietf-voucher-request {
yang-version 1.1; yang-version 1.1;
namespace namespace
"urn:ietf:params:xml:ns:yang:ietf-voucher-request"; "urn:ietf:params:xml:ns:yang:ietf-voucher-request";
prefix "vch"; prefix "vch";
import ietf-restconf { import ietf-restconf {
prefix rc; prefix rc;
description description "This import statement is only present to access
"This import statement is only present to access
the yang-data extension defined in RFC 8040."; the yang-data extension defined in RFC 8040.";
reference "RFC 8040: RESTCONF Protocol"; reference "RFC 8040: RESTCONF Protocol";
} }
import ietf-voucher { import ietf-voucher {
prefix v; prefix v;
description description "This module defines the format for a voucher, which is produced by
"FIXME"; a pledge's manufacturer or delegate (MASA) to securely assign a
reference "RFC ????: Voucher Profile for Bootstrapping Protocols"; pledge to an 'owner', so that the pledge may establish a secure
conn ection to the owner's network infrastructure";
reference "RFC YYYY: Voucher Profile for Bootstrapping Protocols";
} }
organization organization
"IETF ANIMA Working Group"; "IETF ANIMA Working Group";
contact contact
"WG Web: <http://tools.ietf.org/wg/anima/> "WG Web: <http://tools.ietf.org/wg/anima/>
WG List: <mailto:anima@ietf.org> WG List: <mailto:anima@ietf.org>
Author: Kent Watsen Author: Kent Watsen
<mailto:kwatsen@juniper.net> <mailto:kwatsen@juniper.net>
Author: Max Pritikin Author: Max Pritikin
<mailto:pritikin@cisco.com> <mailto:pritikin@cisco.com>
Author: Michael Richardson Author: Michael Richardson
<mailto:mcr+ietf@sandelman.ca> <mailto:mcr+ietf@sandelman.ca>
Author: Toerless Eckert Author: Toerless Eckert
<mailto:tte+ietf@cs.fau.de>"; <mailto:tte+ietf@cs.fau.de>";
description description
"This module... FIXME "This module module defines the format for a voucher request.
It is a superset of the voucher itself.
This artifact may be optionally signed.
It provides content to the MASA for consideration
during a voucher request.
The key words 'MUST', 'MUST NOT', 'REQUIRED', 'SHALL', 'SHALL NOT', The key words 'MUST', 'MUST NOT', 'REQUIRED', 'SHALL', 'SHALL NOT',
'SHOULD', 'SHOULD NOT', 'RECOMMENDED', 'MAY', and 'OPTIONAL' in 'SHOULD', 'SHOULD NOT', 'RECOMMENDED', 'MAY', and 'OPTIONAL' in
the module text are to be interpreted as described in RFC 2119. the module text are to be interpreted as described in RFC 2119.
Copyright (c) 2017 IETF Trust and the persons identified as Copyright (c) 2017 IETF Trust and the persons identified as
authors of the code. All rights reserved. authors of the code. All rights reserved.
Redistribution and use in source and binary forms, with or without Redistribution and use in source and binary forms, with or without
modification, is permitted pursuant to, and subject to the license modification, is permitted pursuant to, and subject to the license
terms contained in, the Simplified BSD License set forth in Section terms contained in, the Simplified BSD License set forth in Section
4.c of the IETF Trust's Legal Provisions Relating to IETF Documents 4.c of the IETF Trust's Legal Provisions Relating to IETF Documents
(http://trustee.ietf.org/license-info). (http://trustee.ietf.org/license-info).
This version of this YANG module is part of RFC XXXX; see the RFC This version of this YANG module is part of RFC XXXX; see the RFC
itself for full legal notices."; itself for full legal notices.";
revision "2018-02-13" { revision "2018-02-14" {
description description
"Initial version"; "Initial version";
reference reference
"RFC XXXX: Voucher Profile for Bootstrapping Protocols"; "RFC XXXX: Voucher Profile for Bootstrapping Protocols";
} }
// Top-level statement // Top-level statement
rc:yang-data voucher-request-artifact { rc:yang-data voucher-request-artifact {
uses voucher-request-grouping; uses voucher-request-grouping;
} }
skipping to change at page 24, line 45 skipping to change at page 26, line 4
Pledge's voucher request if the proximity assertion is Pledge's voucher request if the proximity assertion is
populated."; populated.";
} }
} }
} }
} }
} }
<CODE ENDS> <CODE ENDS>
4. Proxy details 4. Proxy details
The role of the Proxy is to facilitate communications. The Proxy The role of the Proxy is to facilitate communications. The Proxy
forwards packets between the Pledge and a Registrar that has been forwards packets between the Pledge and a Registrar that has been
configured on the Proxy. configured on the Proxy.
The Proxy does not terminate the TLS handshake: it passes streams of The Proxy does not terminate the TLS handshake: it passes streams of
bytes onward without examination. bytes onward without examination.
A proxy MAY assume TLS framing for auditing purposes, but MUST NOT A Proxy MAY assume TLS framing for auditing purposes, but MUST NOT
assume any TLS version. assume any TLS version.
A Proxy is always assumed even if it is directly integrated into a A Proxy is always assumed even if it is directly integrated into a
Registrar. (In a completely autonomic network, the Registrar MUST Registrar. (In a completely autonomic network, the Registrar MUST
provide proxy functionality so that it can be discovered, and the provide Proxy functionality so that it can be discovered, and the
network can grow concentrically around the Registrar) network can grow concentrically around the Registrar.)
As a result of the Proxy Discovery process in section Section 4.1.1, As a result of the Proxy Discovery process in Section 4.1.1, the port
the port number exposed by the proxy does not need to be well known, number exposed by the Proxy does not need to be well known, or
or require an IANA allocation. require an IANA allocation.
If the Proxy joins an Autonomic Control Plane If the Proxy joins an Autonomic Control Plane
([I-D.ietf-anima-autonomic-control-plane]) it SHOULD use Autonomic ([I-D.ietf-anima-autonomic-control-plane]) it SHOULD use Autonomic
Control Plane secured GRASP ([I-D.ietf-anima-grasp]) to discovery the Control Plane secured GRASP ([I-D.ietf-anima-grasp]) to discover the
Registrar address and port. As part of the discovery process, the Registrar address and port. As part of the discovery process, the
proxy mechanism (Circuit Proxy vs IPIP encapsulation) is agreed to Proxy mechanism (Circuit Proxy vs IPIP encapsulation) is agreed to
between the Registrar and Join Proxy. between the Registrar and Join Proxy.
For the IPIP encapsulation methods (described in Appendix C), the For the IPIP encapsulation methods (described in Appendix C), the
port announced by the Proxy SHOULD be the same as on the registrar in port announced by the Proxy SHOULD be the same as on the Registrar in
order for the proxy to remain stateless. order for the Proxy to remain stateless.
In order to permit the proxy functionality to be implemented on the In order to permit the Proxy functionality to be implemented on the
maximum variety of devices the chosen mechanism SHOULD use the maximum variety of devices the chosen mechanism SHOULD use the
minimum amount of state on the proxy device. While many devices in minimum amount of state on the Proxy device. While many devices in
the ANIMA target space will be rather large routers, the proxy the ANIMA target space will be rather large routers, the Proxy
function is likely to be implemented in the control plane CPU of such function is likely to be implemented in the control plane CPU of such
a device, with available capabilities for the proxy function similar a device, with available capabilities for the Proxy function similar
to many class 2 IoT devices. to many class 2 IoT devices.
The document [I-D.richardson-anima-state-for-joinrouter] provides a The document [I-D.richardson-anima-state-for-joinrouter] provides a
more extensive analysis and background of the alternative proxy more extensive analysis and background of the alternative Proxy
methods. methods.
4.1. Pledge discovery of Proxy 4.1. Pledge discovery of Proxy
The result of discovery is a logical communication with a Registrar, The result of discovery is a logical communication with a Registrar,
through a Proxy. The Proxy is transparent to the Pledge but is through a Proxy. The Proxy is transparent to the Pledge but is
always assumed to exist. always assumed to exist.
To discover the Proxy the Pledge performs the following actions: To discover the Proxy the Pledge performs the following actions:
skipping to change at page 26, line 4 skipping to change at page 27, line 15
4.1. Pledge discovery of Proxy 4.1. Pledge discovery of Proxy
The result of discovery is a logical communication with a Registrar, The result of discovery is a logical communication with a Registrar,
through a Proxy. The Proxy is transparent to the Pledge but is through a Proxy. The Proxy is transparent to the Pledge but is
always assumed to exist. always assumed to exist.
To discover the Proxy the Pledge performs the following actions: To discover the Proxy the Pledge performs the following actions:
1. MUST: Obtains a local address using IPv6 methods as described in 1. MUST: Obtains a local address using IPv6 methods as described in
[RFC4862] IPv6 Stateless Address AutoConfiguration. Use of [RFC4862] IPv6 Stateless Address AutoConfiguration. Use of
[RFC4941] temporary addresses is encouraged. A new temporary [RFC4941] temporary addresses is encouraged. A new temporary
address SHOULD be allocated whenever the discovery process is address SHOULD be allocated whenever the discovery process is
forced to restart due to failures. Pledges will generally prefer forced to restart due to failures. Pledges will generally prefer
use of IPv6 Link-Local addresses, and discovery of Proxy will be use of IPv6 Link-Local addresses, and discovery of Proxy will be
by Link-Local mechanisms. IPv4 methods are described in by Link-Local mechanisms. IPv4 methods are described in
Appendix A Appendix A
2. MUST: Listen for GRASP M_FLOOD ([I-D.ietf-anima-grasp]) 2. MUST: Listen for GRASP M_FLOOD ([I-D.ietf-anima-grasp])
announcements of the objective: "AN_Proxy". See section announcements of the objective: "AN_Proxy". See section
Section 4.1.1 for the details of the objective. The Pledge may Section 4.1.1 for the details of the objective. The Pledge MAY
listen concurrently for other sources of information, see listen concurrently for other sources of information, see
Appendix B. Appendix B.
Once a proxy is discovered the Pledge communicates with a Registrar Once a Proxy is discovered the Pledge communicates with a Registrar
through the proxy using the bootstrapping protocol defined in through the Proxy using the bootstrapping protocol defined in
Section 5. Section 5.
Each discovery method attempted SHOULD exponentially back-off Each discovery method attempted SHOULD exponentially back-off
attempts (to a maximum of one hour) to avoid overloading the network attempts (to a maximum of one hour) to avoid overloading the network
infrastructure with discovery. The back-off timer for each method infrastructure with discovery. The back-off timer for each method
MUST be independent of other methods. MUST be independent of other methods.
Methods SHOULD be run in parallel to avoid head of queue problems Methods SHOULD be run in parallel to avoid head of queue problems
wherein an attacker running a fake proxy or registrar can operate wherein an attacker running a fake Proxy or Registrar can operate
protocol actions intentionally slowly. protocol actions intentionally slowly.
Once a connection to a Registrar is established (e.g. establishment Once a connection to a Registrar is established (e.g. establishment
of a TLS session key) there are expectations of more timely of a TLS session key) there are expectations of more timely
responses, see Section 5.2. responses, see Section 5.2.
Once all discovered services are attempted the device SHOULD return Once all discovered services are attempted the device SHOULD return
to listening for GRASP M_FLOOD. It should periodically retry the to listening for GRASP M_FLOOD. It SHOULD periodically retry the
vendor specific mechanisms. The Pledge MAY prioritize selection manufacturer specific mechanisms. The Pledge MAY prioritize
order as appropriate for the anticipated environment. selection order as appropriate for the anticipated environment.
4.1.1. Proxy Grasp announcements 4.1.1. Proxy GRASP announcements
A proxy uses the GRASP M_FLOOD mechanism to announce itself. The A Proxy uses the GRASP M_FLOOD mechanism to announce itself. The
pledge SHOULD listen for messages of these form. This announcement Pledge SHOULD listen for messages of this form. This announcement
can be within the same message as the ACP announcement detailed in can be within the same message as the ACP announcement detailed in
[I-D.ietf-anima-autonomic-control-plane]. The M_FLOOD is formatted [I-D.ietf-anima-autonomic-control-plane]. The M_FLOOD is formatted
as follows: as follows:
[M_FLOOD, 12340815, h'fe80::1', 180000, [M_FLOOD, 12340815, h'fe80::1', 180000,
["AN_Proxy", 4, 1, ""], ["AN_Proxy", 4, 1, ""],
[O_IPv6_LOCATOR, [O_IPv6_LOCATOR,
h'fe80::1', 'TCP', 4443]] h'fe80::1', 'TCP', 4443]]
Figure 6b: Proxy Discovery Figure 6b: Proxy Discovery
skipping to change at page 27, line 29 skipping to change at page 28, line 37
ttl = 180000 ; 180,000 ms (3 minutes) ttl = 180000 ; 180,000 ms (3 minutes)
initiator = ACP address to contact Registrar initiator = ACP address to contact Registrar
objective-flags = sync-only ; as in GRASP spec objective-flags = sync-only ; as in GRASP spec
sync-only = 4 ; M_FLOOD only requires synchronization sync-only = 4 ; M_FLOOD only requires synchronization
loop-count = 1 ; one hop only loop-count = 1 ; one hop only
objective-value = any ; none objective-value = any ; none
locator = [ O_IPv6_LOCATOR, ipv6-address, locator = [ O_IPv6_LOCATOR, ipv6-address,
transport-proto, port-number ] transport-proto, port-number ]
ipv6-address = the v6 LL of the proxy ipv6-address = the v6 LL of the Proxy
transport-proto = IPPROTO_TCP / IPPROTO_UDP / IPPROTO_IPV6 transport-proto = IPPROTO_TCP / IPPROTO_UDP / IPPROTO_IPV6
port-number = selected by proxy port-number = selected by Proxy
Figure 6c: AN_Proxy CDDL Figure 6c: AN_Proxy CDDL
4.2. CoAP connection to Registrar 4.2. CoAP connection to Registrar
The use of CoAP to connect from Pledge to Registrar is out of scope The use of CoAP to connect from Pledge to Registrar is out of scope
for this document, and may be described in future work. for this document, and may be described in future work.
4.3. HTTPS proxy connection to Registrar 4.3. HTTPS Proxy connection to Registrar
The proxy SHOULD also provide one of: an IPIP encapsulation of HTTP The Proxy SHOULD also provide one of: an IPIP encapsulation of HTTP
traffic to the registrar, or a TCP circuit proxy that connects the traffic to the Registrar, or a TCP circuit Proxy that connects the
Pledge to a Registrar. Pledge to a Registrar.
When the Proxy provides a circuit proxy to a Registrar the Registrar When the Proxy provides a circuit Proxy to a Registrar the Registrar
MUST accept HTTPS connections. MUST accept HTTPS connections.
4.4. Proxy discovery of Registrar 4.4. Proxy discovery of Registrar
The Registrar SHOULD announce itself so that proxies can find it and The Registrar SHOULD announce itself so that proxies can find it and
determine what kind of connections can be terminated. determine what kind of connections can be terminated.
The registrar announces itself using GRASP M_FLOOD messages. The The Registrar announces itself using GRASP M_FLOOD messages. The
M_FLOOD is formatted as follows: M_FLOOD is formatted as follows:
[M_FLOOD, 12340815, h'fda379a6f6ee0000200000064000001', 180000, [M_FLOOD, 12340815, h'fda379a6f6ee0000200000064000001', 180000,
["AN_join_registrar", 4, 255, "EST-TLS"], ["AN_join_registrar", 4, 255, "EST-TLS"],
[O_IPv6_LOCATOR, [O_IPv6_LOCATOR,
h'fda379a6f6ee0000200000064000001', TCP, 80 h'fda379a6f6ee0000200000064000001', TCP, 80
Figure 6: Registrar Discovery Figure 7a: Registrar Discovery
The formal CDDL definition is: The formal CDDL definition is:
flood-message = [M_FLOOD, session-id, initiator, ttl, flood-message = [M_FLOOD, session-id, initiator, ttl,
+[objective, (locator-option / [])]] +[objective, (locator-option / [])]]
objective = ["AN_join_registrar", objective-flags, loop-count, objective = ["AN_join_registrar", objective-flags, loop-count,
objective-value] objective-value]
initiator = ACP address to contact Registrar initiator = ACP address to contact Registrar
objective-flags = sync-only ; as in GRASP spec objective-flags = sync-only ; as in GRASP spec
sync-only = 4 ; M_FLOOD only requires synchronization sync-only = 4 ; M_FLOOD only requires synchronization
loop-count = 255 ; mandatory maximum loop-count = 255 ; mandatory maximum
objective-value = text ; name of the (list of) of supported objective-value = text ; name of the (list of) of supported
; protocols: "EST-TLS" for RFC7030. ; protocols: "EST-TLS" for RFC7030.
Figure 7: AN_join_registrar CDDL Figure 7: AN_join_registrar CDDL
The M_FLOOD message MUST be sent periodically. The period is subject The M_FLOOD message MUST be sent periodically. The period is subject
to network administrator policy (EST server configuration). It must to network administrator policy (EST server configuration). It must
be so low that the aggregate amount of periodic M_FLOODs from all EST be sufficiently low that the aggregate amount of periodic M_FLOODs
servers causes negligible traffic across the ACP. from all EST servers causes negligible traffic across the ACP.
The locators are to be interpreted as follows: The locators are to be interpreted as follows:
locator1 = [O_IPv6_LOCATOR, fd45:1345::6789, 6, 443] locator1 = [O_IPv6_LOCATOR, fd45:1345::6789, 6, 443]
locator2 = [O_IPv6_LOCATOR, fd45:1345::6789, 17, 5683] locator2 = [O_IPv6_LOCATOR, fd45:1345::6789, 17, 5683]
locator3 = [O_IPv6_LOCATOR, fe80::1234, 41, nil] locator3 = [O_IPv6_LOCATOR, fe80::1234, 41, nil]
Figure 7: Registrar Response A protocol of 6 indicates that TCP proxying on the indicated port is
desired. A protocol of 17 indicates that UDP proxying on the
The set of locators is to be interpreted as follows. A protocol of 6 indicated port is desired. In each case, the traffic SHOULD be
indicates that TCP proxying on the indicated port is desired. A proxied to the same port at the ULA address provided.
protocol of 17 indicates that UDP proxying on the indicated port is
desired. In each case, the traffic SHOULD be proxied to the same
port at the ULA address provided.
A protocol of 41 indicates that packets may be IPIP proxy'ed. In the A protocol of 41 indicates that packets may be IPIP proxy'ed. In the
case of that IPIP proxying is used, then the provided link-local case of that IPIP proxying is used, then the provided link-local
address MUST be advertised on the local link using proxy neighbour address MUST be advertised on the local link using proxy neighbour
discovery. The Join Proxy MAY limit forwarded traffic to the discovery. The Join Proxy MAY limit forwarded traffic to the
protocol (6 and 17) and port numbers indicated by locator1 and protocol (6 and 17) and port numbers indicated by locator1 and
locator2. The address to which the IPIP traffic should be sent is locator2. The address to which the IPIP traffic should be sent is
the initiator address (an ACP address of the Registrar), not the the initiator address (an ACP address of the Registrar), not the
address given in the locator. address given in the locator.
Registrars MUST accept TCP / UDP traffic on the ports given at the Registrars MUST accept TCP / UDP traffic on the ports given at the
ACP address of the Registrar. If the Registrar supports IPIP ACP address of the Registrar. If the Registrar supports IPIP
ntunnelling, it MUST also accept traffic encapsulated with IPIP. tunnelling, it MUST also accept traffic encapsulated with IPIP.
Registrars MUST accept HTTPS/EST traffic on the TCP ports indicated. Registrars MUST accept HTTPS/EST traffic on the TCP ports indicated.
Registrars MAY accept DTLS/CoAP/EST traffic on the UDP in addition to Registrars MAY accept DTLS/CoAP/EST traffic on the UDP ports, in
TCP traffic. addition to TCP traffic.
5. Protocol Details 5. Protocol Details
The Pledge MUST initiate BRSKI after boot if it is unconfigured. The The Pledge MUST initiate BRSKI after boot if it is unconfigured. The
Pledge MUST NOT automatically initiate BRSKI if it has been Pledge MUST NOT automatically initiate BRSKI if it has been
configured or is in the process of being configured. configured or is in the process of being configured.
BRSKI is described as extensions to EST [RFC7030] to reduce the BRSKI is described as extensions to EST [RFC7030]. The goal of these
number of TLS connections and crypto operations required on the extensions is to reduce the number of TLS connections and crypto
Pledge. The Registrar implements the BRSKI REST interface within the operations required on the Pledge. The Registrar implements the
same .well-known URI tree as the existing EST URIs as described in BRSKI REST interface within the same "/.well-known" URI tree as the
EST [RFC7030] section 3.2.2. The communication channel between the existing EST URIs as described in EST [RFC7030] section 3.2.2. The
Pledge and the Registrar is referred to as "BRSKI-EST" (see communication channel between the Pledge and the Registrar is
Figure 1). referred to as "BRSKI-EST" (see Figure 1).
The communication channel between the Registrar and MASA is similarly The communication channel between the Registrar and MASA is similarly
described as extensions to EST within the same ./well-known tree. described as extensions to EST within the same "/.well-known" tree.
For clarity this channel is referred to as "BRSKI-MASA". (See For clarity this channel is referred to as "BRSKI-MASA". (See
Figure 1). Figure 1).
MASA URI is "https:// authority "./well-known/est". MASA URI is "https://" authority "/.well-known/est".
BRSKI uses EST message formats for existing operations, uses JSON BRSKI uses existing CMS message formats for existing EST operations.
[RFC7159] for all new operations defined here, and voucher formats. BRSKI uses JSON [RFC7159] for all new operations defined here, and
voucher formats.
While EST section 3.2 does not insist upon use of HTTP 1.1 persistent While EST section 3.2 does not insist upon use of HTTP 1.1 persistent
connections, BRSKI-EST connections SHOULD use persistent connections. connections, BRSKI-EST connections SHOULD use persistent connections.
The intention of this guidance is to ensure the provisional TLS The intention of this guidance is to ensure the provisional TLS
authentication occurs only once and is properly managed. authentication occurs only once and is properly managed.
Summarized automation extensions for the BRSKI-EST flow are: Summarized automation extensions for the BRSKI-EST flow are:
o The Pledge provisionally accepts the Registrar certificate during o The Pledge provisionally accepts the Registrar certificate during
the TLS handshake as detailed in Section 5.1. the TLS handshake as detailed in Section 5.1.
o If the Registrar responds with a redirection to other web origins o If the Registrar responds with a redirection to other web origins
the Pledge MUST follow only a single redirection. (EST supports the Pledge MUST follow only a single redirection. (EST supports
skipping to change at page 30, line 13 skipping to change at page 31, line 16
authentication occurs only once and is properly managed. authentication occurs only once and is properly managed.
Summarized automation extensions for the BRSKI-EST flow are: Summarized automation extensions for the BRSKI-EST flow are:
o The Pledge provisionally accepts the Registrar certificate during o The Pledge provisionally accepts the Registrar certificate during
the TLS handshake as detailed in Section 5.1. the TLS handshake as detailed in Section 5.1.
o If the Registrar responds with a redirection to other web origins o If the Registrar responds with a redirection to other web origins
the Pledge MUST follow only a single redirection. (EST supports the Pledge MUST follow only a single redirection. (EST supports
redirection but does not allow redirections to other web origins redirection but does not allow redirections to other web origins
without user input). without user input.)
o The Registar MAY respond with an HTTP 202 ("the request has been o The Registar MAY respond with an HTTP 202 ("the request has been
accepted for processing, but the processing has not been accepted for processing, but the processing has not been
completed") as described in EST [RFC7030] section 4.2.3 wherein completed") as described in EST [RFC7030] section 4.2.3 wherein
the client "MUST wait at least the specified 'retry-after' time the client "MUST wait at least the specified 'retry-after' time
before repeating the same request". The Pledge is RECOMMENDED to before repeating the same request". The Pledge is RECOMMENDED to
provide local feed (blinked LED etc) during this wait cycle if provide local feed (blinked LED etc) during this wait cycle if
mechanisms for this are available. To prevent an attacker mechanisms for this are available. To prevent an attacker
Registrar from significantly delaying bootstrapping the Pledge Registrar from significantly delaying bootstrapping the Pledge
MUST limit the 'retry-after' time to 60 seconds. To avoid MUST limit the 'retry-after' time to 60 seconds. To avoid
blocking on a single erroneous Registrar the Pledge MUST drop the blocking on a single erroneous Registrar the Pledge MUST drop the
connection after 5 seconds in which there has been no progress on connection after 5 seconds in which there has been no progress on
the TCP connection. It should proceed to other discovered the TCP connection. It should proceed to other discovered
Registrars if there are any. If there were no other Registrars Registrars if there are any. If there were no other Registrars
discovered, the pledge MAY continue to wait, as long as it is discovered, the Pledge MAY continue to wait, as long as it is
concurrently listening for new proxy announcements. concurrently listening for new Proxy announcements.
o Ideally the Pledge could keep track of the appropriate retry-after o Ideally the Pledge could keep track of the appropriate retry-after
value for any number of outstanding Registrars but this would value for any number of outstanding Registrars but this would
involve a large state table on the Pledge. Instead the pledge MAY involve a large state table on the Pledge. Instead the Pledge MAY
ignore the exact retry-after value in favor of a single hard coded ignore the exact retry-after value in favor of a single hard coded
value that takes effect between discovery ([[ProxyDiscovery]]) value that takes effect between discovery attempts. A Registrar
attempts. A Registrar that is unable to complete the transaction that is unable to complete the transaction the first time due to
the first time due to timing reasons will have future chances. timing reasons will have future chances.
o The Pledge requests and validates a voucher using the new REST o The Pledge requests and validates a voucher using the new REST
calls described below. calls described below.
o If necessary the Pledge calls the EST defined /cacerts method to o If necessary the Pledge calls the EST defined /cacerts method to
obtain the domain owners' CA certificate. The pinned-domain- obtain the domain owners' CA certificate. The pinned-domain-
certificate element from the voucher should validate this certificate element from the voucher should validate this
certificate, or be identical to it. certificate, or be identical to it.
o The Pledge completes authentication of the server certificate as o The Pledge completes authentication of the server certificate as
detailed in Section 5.5.1. This moves the BRSKI-EST TLS detailed in Section 5.5.1. This moves the BRSKI-EST TLS
connection out of the provisional state. Optionally, the BRSKI- connection out of the provisional state. Optionally, the BRSKI-
EST TLS connection can now be used for EST enrollment. EST TLS connection can now be used for EST enrollment.
The extensions for a Registrar (equivalent to EST server) are: The extensions for a Registrar (equivalent to EST server) are:
o Client authentication is automated using Initial Device Identity o Client authentication is automated using Initial Device Identity
(IDevID) as per the EST certificate based client authentication. (IDevID) as per the EST certificate based client authentication.
The subject field's DN encoding MUST include the "serialNumber" The subject field's DN encoding MUST include the "serialNumber"
attribute with the device's unique serial number. In the language attribute with the device's unique serial number. In the language
of RFC6125 this provides for a SERIALNUM-ID category of identifier of [RFC6125] this provides for a SERIALNUM-ID category of
that can be included in a certificate and therefore that can also identifier that can be included in a certificate and therefore
be used for matching purposes. The SERIALNUM-ID whitelist is that can also be used for matching purposes. The SERIALNUM-ID
collated according to vendor trust anchor since serial numbers are whitelist is collated according to manufacturer trust anchor since
not globally unique. serial numbers are not globally unique.
o The Registrar requests and validates the Voucher from the vendor o The Registrar requests and validates the Voucher from the MASA.
authorized MASA service.
o The Registrar forwards the Voucher to the Pledge when requested. o The Registrar forwards the Voucher to the Pledge when requested.
o The Registar performs log verifications in addition to local o The Registar performs log verifications in addition to local
authorization checks before accepting optional Pledge device authorization checks before accepting optional Pledge device
enrollment requests. enrollment requests.
5.1. BRSKI-EST TLS establishment details 5.1. BRSKI-EST TLS establishment details
The Pledge establishes the TLS connection with the Registrar through The Pledge establishes the TLS connection with the Registrar through
the circuit proxy (see Section 4) but the TLS handshake is with the the circuit proxy (see Section 4) but the TLS handshake is with the
Registar. The BRSKI-EST Pledge is the TLS client and the BRSKI-EST Registar. The BRSKI-EST Pledge is the TLS client and the BRSKI-EST
Registrar is the TLS server. All security associations established Registrar is the TLS server. All security associations established
are between the Pledge and the Registrar regardless of proxy are between the Pledge and the Registrar regardless of proxy
operations. operations.
Establishment of the BRSKI-EST TLS connection is as specified in EST Establishment of the BRSKI-EST TLS connection is as specified in EST
[RFC7030] section 4.1.1 "Bootstrap Distribution of CA Certificates" [RFC7030] section 4.1.1 "Bootstrap Distribution of CA Certificates"
[RFC7030] wherein the client is authenticated with the IDevID [RFC7030] wherein the client is authenticated with the IDevID
certificate, and the EST server (the Registrar) is provisionally certificate, and the EST server (the Registrar) is provisionally
authenticated with a unverified server certificate. authenticated with an unverified server certificate.
The Pledge maintains a security paranoia concerning the provisional The Pledge maintains a security paranoia concerning the provisional
state, and all data received, until a voucher is received and state, and all data received, until a voucher is received and
verified as specified in Section 5.5.1 verified as specified in Section 5.5.1
5.2. Pledge Requests Voucher from the Registrar 5.2. Pledge Requests Voucher from the Registrar
When the Pledge bootstraps it makes a request for a Voucher from a When the Pledge bootstraps it makes a request for a Voucher from a
Registrar. Registrar.
skipping to change at page 32, line 11 skipping to change at page 33, line 16
"/.well-known/est/requestvoucher". "/.well-known/est/requestvoucher".
The request media types are: The request media types are:
application/voucher-cms+json The request is a "YANG-defined JSON application/voucher-cms+json The request is a "YANG-defined JSON
document that has been signed using a CMS structure" as described document that has been signed using a CMS structure" as described
in Section 3 using the JSON encoding described in [RFC7951]. The in Section 3 using the JSON encoding described in [RFC7951]. The
Pledge SHOULD sign the request using the Section 2.3 credential. Pledge SHOULD sign the request using the Section 2.3 credential.
application/json The request is the "YANG-defined JSON document" as application/json The request is the "YANG-defined JSON document" as
described in Section 3 with exception that it is not within a described in Section 3 with the exception that it is not within a
PKCS#7 structure. It is protected only by the TLS client PKCS#7 structure. It is protected only by the TLS client
authentication. This reduces the cryptographic requirements on authentication. This reduces the cryptographic requirements on
the Pledge. the Pledge.
For simplicity the term 'voucher-request' is used to refer to either For simplicity the term 'voucher-request' is used to refer to either
of these media types. Registrar impementations SHOULD anticipate of these media types. Registrar impementations SHOULD anticipate
future media types but of course will simply fail the request if future media types but of course will simply fail the request if
those types are not yet known. those types are not yet known.
The Pledge populates the voucher-request fields as follows: The Pledge populates the voucher-request fields as follows:
skipping to change at page 32, line 48 skipping to change at page 34, line 4
MUST be populated in a Pledge voucher-request if the "proximity" MUST be populated in a Pledge voucher-request if the "proximity"
assertion is populated. assertion is populated.
All other fields MAY be omitted in the Pledge voucher-request. All other fields MAY be omitted in the Pledge voucher-request.
An example JSON payload of a Pledge voucher-request is in Section 3.2 An example JSON payload of a Pledge voucher-request is in Section 3.2
Example 1. Example 1.
The Registrar validates the client identity as described in EST The Registrar validates the client identity as described in EST
[RFC7030] section 3.3.2. If the request is signed the Registrar [RFC7030] section 3.3.2. If the request is signed the Registrar
confirms the 'proximity' asserion and associated 'proximity- confirms that the 'proximity' asserion and associated 'proximity-
registrar-cert' are correct. The registrar performs authorization as registrar-cert' are correct. The Registrar performs authorization as
detailed in [[EDNOTE: UNRESOLVED. See Appendix D "Pledge detailed in [[EDNOTE: UNRESOLVED. See Appendix D "Pledge
Authorization"]]. If these validations fail the Registrar SHOULD Authorization"]]. If these validations fail the Registrar SHOULD
respond with an appropriate HTTP error code. respond with an appropriate HTTP error code.
If authorization is successful the Registrar obtains a voucher from If authorization is successful the Registrar obtains a voucher from
the MASA service (see Section 5.4) and returns that MASA signed the MASA service (see Section 5.4) and returns that MASA signed
voucher to the pledge as described in Section 5.5. voucher to the Pledge as described in Section 5.5.
5.3. BRSKI-MASA TLS establishment details 5.3. BRSKI-MASA TLS establishment details
The BRSKI-MASA TLS connection is a 'normal' TLS connection The BRSKI-MASA TLS connection is a 'normal' TLS connection
appropriate for HTTPS REST interfaces. The Registrar initiates the appropriate for HTTPS REST interfaces. The Registrar initiates the
connection and uses the MASA URL obtained as described in Section 2.7 connection and uses the MASA URL obtained as described in Section 2.7
for RFC6125 authentication of the MASA server. for [RFC6125] authentication of the MASA server.
The primary method of Registrar "authentication" by the MASA is The primary method of Registrar "authentication" by the MASA is
detailed in Section 5.4. As detailed in Section 8 the MASA might detailed in Section 5.4. As detailed in Section 8 the MASA might
find it necessary to request additional Registrar authentication. find it necessary to request additional Registrar authentication.
Registrars MUST be prepared to support TLS client certificate Registrars MUST be prepared to support TLS client certificate
authentication and HTTP Basic or Digest authentication as described authentication and HTTP Basic or Digest authentication as described
in RFC7030 for EST clients. Implementors are advised that contacting in RFC7030 for EST clients. Implementors are advised that contacting
the MASA is to establish a secured REST connection with a web service the MASA is to establish a secured REST connection with a web service
and that there are a number of authentication models being explored and that there are a number of authentication models being explored
within the industry. Registrars are RECOMMENDED to fail gracefully within the industry. Registrars are RECOMMENDED to fail gracefully
skipping to change at page 34, line 14 skipping to change at page 35, line 19
created-on: Registrars are RECOMMENDED to populate this field. This created-on: Registrars are RECOMMENDED to populate this field. This
provides additional information to the MASA. provides additional information to the MASA.
nonce: The optional nonce value from the Pledge request if desired nonce: The optional nonce value from the Pledge request if desired
(see below). (see below).
serial-number: The serial number of the Pledge the Registrar would serial-number: The serial number of the Pledge the Registrar would
like a voucher for. like a voucher for.
idevid-issuer: The idevid-issuer value from the pledge certificate idevid-issuer: The idevid-issuer value from the Pledge certificate
is included to ensure a statistically unique identity. The is included to ensure a statistically unique identity. The
Pledge's serial number is extracted from the X.509 IDevID. See Pledge's serial number is extracted from the X.509 IDevID. See
Section 2.3. Section 2.3.
prior-signed-voucher: If a signed Pledge voucher-request was prior-signed-voucher: If a signed Pledge voucher-request was
received then it SHOULD be included in the Registrar voucher- received then it SHOULD be included in the Registrar voucher-
request. (NOTE: what is included is the complete Pledge voucher- request. (NOTE: what is included is the complete Pledge voucher-
request, inclusive of the 'assertion', 'proximity-registrar-cert', request, inclusive of the 'assertion', 'proximity-registrar-cert',
etc wrapped by the pledge's original signature). etc wrapped by the Pledge's original signature).
A nonceless Registrar voucher-request MAY be submitted to the MASA. A nonceless Registrar voucher-request MAY be submitted to the MASA.
Doing so allows the Registrar to request a Voucher when the Pledge is Doing so allows the Registrar to request a Voucher when the Pledge is
offline, or when the Registrar is expected to be offline when the offline, or when the Registrar is expected to be offline when the
Pledge is being deployed. These use cases require the Registrar to Pledge is being deployed. These use cases require the Registrar to
learn the appropriate IDevID SerialNumber field from the physical learn the appropriate IDevID SerialNumber field from the physical
device labeling or from the sales channel (out-of-scope of this device labeling or from the sales channel (out-of-scope for this
document). If a nonceless voucher-reqeust is submitted the MASA document). If a nonceless voucher-reqeust is submitted the MASA
server MUST authenticate the Registrar as described in either EST server MUST authenticate the Registrar as described in either EST
[RFC7030] section 3.2, section 3.3, or by validating the Registrar's [RFC7030] section 3.2, section 3.3, or by validating the Registrar's
certificate used to sign the Registrar voucher-request. Any of these certificate used to sign the Registrar voucher-request. Any of these
methods reduce the risk of DDoS attacks and provide an authenticated methods reduce the risk of DDoS attacks and provide an authenticated
identity as an input to sales channel integration and authorizations identity as an input to sales channel integration and authorizations
(the actual sale-channel integration is also out-of-scope of this (the actual sale-channel integration is also out-of-scope of this
document). document).
All other fields MAY be omitted in the Registrar voucher-request. All other fields MAY be omitted in the Registrar voucher-request.
Example JSON payloads of Registrar voucher-requests are in Example JSON payloads of Registrar voucher-requests are in
Section 3.2 Example 2 through 4. Section 3.2 Examples 2 through 4.
The MASA verifies that the Registrar voucher-request is internally The MASA verifies that the Registrar voucher-request is internally
consistent but does not necessarily authenticate the Registrar consistent but does not necessarily authenticate the Registrar
certificate since the registrar is not know to the MASA server in certificate since the Registrar is not known to the MASA server in
advance. The MASA validation checks before issuing a voucher are as advance. The MASA performs the following actions and validation
follows: checks before issuing a voucher:
Renew for expired voucher: As described in [I-D.ietf-anima-voucher] Renew for expired voucher: As described in [I-D.ietf-anima-voucher]
vouchers are normally short lived to avoid revocation issues. If vouchers are normally short lived to avoid revocation issues. If
the request is for a previous (expired) voucher using the same the request is for a previous (expired) voucher using the same
Registrar (as determined by the Registrar pinned-domain-cert) and Registrar (as determined by the Registrar pinned-domain-cert) and
the MASA has not been informed that the claim is invalid then the the MASA has not been informed that the claim is invalid then the
request for a renewed voucher SHOULD be automatically authorized. request for a renewed voucher SHOULD be automatically authorized.
Voucher signature consistency: The MASA MUST verify that the Voucher signature consistency: The MASA MUST verify that the
Registrar voucher-request is signed by a Registrar. This is Registrar voucher-request is signed by a Registrar. This is
confirmed by verifying that the id-kp-cmcRA extended key usage confirmed by verifying that the id-kp-cmcRA extended key usage
extension field (as detailed in EST RFC7030 section 3.6.1) exists extension field (as detailed in EST RFC7030 section 3.6.1) exists
in the certificate of the entity that signed the Registrar in the certificate of the entity that signed the Registrar
voucher-request. This verification is only a consistency check voucher-request. This verification is only a consistency check
that the unauthenticated domain CA intended this to be a that the unauthenticated domain CA intended this to be a
Registrar. Performing this check provides value to domain PKI by Registrar. Performing this check provides value to domain PKI by
assuring the domain administrator that the MASA service will only assuring the domain administrator that the MASA service will only
respect claims from authorized Registration Authorities of the respect claims from authorized Registration Authorities of the
domain. (The requirement for the Registrar to include the Domain domain. (The requirement for the Registrar to include the Domain
CA certificate in the signature structure was stated above). CA certificate in the signature structure was stated above.)
Registrar revocation consistency: The MASA SHOULD check for Registrar revocation consistency: The MASA SHOULD check for
revocation of the Registrar certificate. The maximum lifetime of revocation of the Registrar certificate. The maximum lifetime of
the voucher issued SHOULD NOT exceed the lifetime of the the voucher issued SHOULD NOT exceed the lifetime of the
Registrar's revocation validation (for example if the Registrar Registrar's revocation validation (for example if the Registrar
revocation status is indicated in a CRL that is valid for two revocation status is indicated in a CRL that is valid for two
weeks then that is an appropriate lifetime for the voucher). weeks then that is an appropriate lifetime for the voucher.)
Because the Registar certificate authority is unknown to the MASA Because the Registar certificate authority is unknown to the MASA
in advance this is only an extended consistency check and is not in advance this is only an extended consistency check and is not
required. The maximum lifetime of the voucher issued SHOULD NOT required. The maximum lifetime of the voucher issued SHOULD NOT
exceed the lifetime of the Registrar's revocation validation (for exceed the lifetime of the Registrar's revocation validation (for
example if the Registrar revocation status is indicated in a CRL example if the Registrar revocation status is indicated in a CRL
that is valid for two weeks then that is an appropriate lifetime that is valid for two weeks then that is an appropriate lifetime
for the voucher). for the voucher.)
Pledge proximity assertion: The MASA server MAY verify that the Pledge proximity assertion: The MASA server MAY verify that the
Registrar voucher-request includes the 'prior-signed-voucher' Registrar voucher-request includes the 'prior-signed-voucher'
field populated with a Pledge voucher-request that includes a field populated with a Pledge voucher-request that includes a
'proximity-registrar-cert' that is consistent with the certificate 'proximity-registrar-cert' that is consistent with the certificate
used to sign the Registrar voucher-request. The MASA server is used to sign the Registrar voucher-request. The MASA server is
aware of which Pledge's support signing of their voucher requests aware of which Pledge's support signing of their voucher requests
and can use this information to confirm proximity of the Pledge and can use this information to confirm proximity of the Pledge
with the Registrar. with the Registrar.
Registar (certificate) authentication: This only occurs if the Registar (certificate) authentication: This only occurs if the
Registrar voucher-request is nonceless. As noted above the Registrar voucher-request is nonceless. As noted above the
details concerning necessary sales-channel integration for the details concerning necessary sales-channel integration for the
MASA to authenticate a Registrar certificate is out-of-scope. MASA to authenticate a Registrar certificate is out-of-scope.
The Registrar's certificate chain is extracted from the signature The Registrar's certificate chain is extracted from the signature
method and the root certificate is used to populate the "pinned- method and the root certificate is used to populate the "pinned-
domain-cert" of the Voucher being issued. The domainID (e.g. hash of domain-cert" of the Voucher being issued. The domainID (e.g., hash
the root public key) is determined from the pinned-domain-cert and is of the root public key) is determined from the pinned-domain-cert and
used to update the audit log. is used to update the audit log.
5.5. Voucher Response 5.5. Voucher Response
The voucher response to requests from the Pledge and requests from a The voucher response to requests from the Pledge and requests from a
Registrar are in the same format. A Registrar either caches prior Registrar are in the same format. A Registrar either caches prior
MASA responses or dynamically requests a new Voucher based on local MASA responses or dynamically requests a new Voucher based on local
policy. policy.
If the join operation is successful, the server response MUST contain If the join operation is successful, the server response MUST contain
an HTTP 200 response code. The server MUST answer with a suitable an HTTP 200 response code. The server MUST answer with a suitable
4xx or 5xx HTTP [RFC2616] error code when a problem occurs. The 4xx or 5xx HTTP [RFC2616] error code when a problem occurs. In this
response data from the MASA server MUST be a plaintext human-readable case, the response data from the MASA server MUST be a plaintext
(ASCII, english) error message containing explanatory information human-readable (ASCII, English) error message containing explanatory
describing why the request was rejected. information describing why the request was rejected.
A 403 (Forbidden) response is appropriate if the voucher-request is A 403 (Forbidden) response is appropriate if the voucher-request is
not signed correctly, stale, or if the pledge has another outstanding not signed correctly, stale, or if the Pledge has another outstanding
voucher which can not be overridden. voucher that cannot be overridden.
A 404 (Not Found) response is appropriate when the request is for a A 404 (Not Found) response is appropriate when the request is for a
device which is not known to the MASA. device that is not known to the MASA.
A 406 (Not Acceptable) response is appropriate if a voucher of the A 406 (Not Acceptable) response is appropriate if a voucher of the
desired type, or using the desired algorithms (as indicated by the desired type, or using the desired algorithms (as indicated by the
Accept: headers, and algorithms used in the signature) can not be Accept: headers, and algorithms used in the signature) cannot be
issued, such as because the MASA knows the pledge can not process issued, such as because the MASA knows the Pledge cannot process that
that type. type.
A 415 (Unsupported Media Type) response is approriate for a request A 415 (Unsupported Media Type) response is approriate for a request
that has a voucher encoding that is not understood. that has a voucher encoding that is not understood.
The response media type is: The response media type is:
application/pkcs7-mime; smime-type=voucher The response is a "YANG- application/pkcs7-mime; smime-type=voucher The response is a "YANG-
defined JSON document that has been signed using a PKCS#7 defined JSON document that has been signed using a PKCS#7
structure" as described in [I-D.ietf-anima-voucher] using the JSON structure" as described in [I-D.ietf-anima-voucher] using the
encoded described in [RFC7951]. The MASA MUST sign the request. JSON encoded described in [RFC7951]. The MASA MUST sign the
request.
The syntactic details of vouchers are described in detail in The syntactic details of vouchers are described in detail in
[I-D.ietf-anima-voucher]. For example, the voucher consists of: [I-D.ietf-anima-voucher]. For example, the voucher consists of:
{ {
"ietf-voucher:voucher": { "ietf-voucher:voucher": {
"nonce": "62a2e7693d82fcda2624de58fb6722e5", "nonce": "62a2e7693d82fcda2624de58fb6722e5",
"assertion": "logging" "assertion": "logging"
"pinned-domain-cert": "base64encodedvalue==" "pinned-domain-cert": "base64encodedvalue=="
"serial-number": "JADA123456789" "serial-number": "JADA123456789"
} }
} }
The Pledge verifies the signed voucher using the manufacturer The Pledge verifies the signed voucher using the manufacturer
installed trust anchor associated with the vendor's selected installed trust anchor associated with the manufacturer's selected
Manufacturer Authorized Signing Authority. Manufacturer Authorized Signing Authority.
The 'pinned-domain-cert' element of the voucher contains the domain The 'pinned-domain-cert' element of the voucher contains the domain
CA's public key. The Pledge MUST use the 'pinned-domain-cert' trust CA's public key. The Pledge MUST use the 'pinned-domain-cert' trust
anchor to immediately complete authentication of the provisional TLS anchor to immediately complete authentication of the provisional TLS
connection. connection.
The Pledge MUST be prepared to parse and fail gracefully from a The Pledge MUST be prepared to parse and fail gracefully from a
Voucher response that does not contain a 'pinned-domain-cert' field. Voucher response that does not contain a 'pinned-domain-cert' field.
The Pledge MUST be prepared to ignore additional fields it does not The Pledge MUST be prepared to ignore additional fields that it does
recognize. not recognize.
5.5.1. Completing authentication of Provisional TLS connection 5.5.1. Completing authentication of Provisional TLS connection
If a Registrar's credentials can not be verified using the pinned- If a Registrar's credentials cannot be verified using the pinned-
domain-cert trust anchor from the voucher then the TLS connection is domain-cert trust anchor from the voucher then the TLS connection is
immediately discarded and the Pledge abandons attempts to bootstrap immediately discarded and the Pledge abandons attempts to bootstrap
with this discovered registrar. The pledge SHOULD send voucher with this discovered Registrar. The Pledge SHOULD send voucher
status telemetry (described below) before closing the TLS connection. status telemetry (described below) before closing the TLS connection.
The pledge MUST attempt to enroll using any other proxies it has The Pledge MUST attempt to enroll using any other proxies it has
found. It SHOULD return to the same proxy again after attempting found. It SHOULD return to the same proxy again after attempting
with other proxies. Attempts should be attempted in the exponential with other proxies. Attempts should be attempted in the exponential
backoff described earlier. Attempts SHOULD be repeated as failure backoff described earlier. Attempts SHOULD be repeated as failure
may be the result of a temporary inconsistently (an inconsistently may be the result of a temporary inconsistently (an inconsistently
rolled Registrar key, or some other mis-configuration). The rolled Registrar key, or some other mis-configuration.) The
inconsistently could also be the result an active MITM attack on the inconsistently could also be the result an active MITM attack on the
EST connection. EST connection.
The Registrar MUST use a certificate that chains to the pinned- The Registrar MUST use a certificate that chains to the pinned-
domain-cert as its TLS server certificate. domain-cert as its TLS server certificate.
The Pledge's PKIX path validation of a Registrar certificate's The Pledge's PKIX path validation of a Registrar certificate's
validity period information is as described in Section 2.5. Once the validity period information is as described in Section 2.5. Once the
PKIX path validation is successful the TLS connection is no longer PKIX path validation is successful the TLS connection is no longer
provisional. provisional.
The pinned-domain-cert is installed as an Explicit Trust Anchor for The pinned-domain-cert is installed as an Explicit Trust Anchor for
future operations. It can therefore can be used to authenticate any future operations. It can therefore can be used to authenticate any
dynamically discovered EST server that contain the id-kp-cmcRA dynamically discovered EST server that contain the id-kp-cmcRA
extended key usage extension as detailed in EST RFC7030 section extended key usage extension as detailed in EST RFC7030 section
3.6.1; but to reduce system complexity the Pledge SHOULD avoid 3.6.1; but to reduce system complexity the Pledge SHOULD avoid
additional discovery operations. Instead the Pledge SHOULD additional discovery operations. Instead the Pledge SHOULD
communicate directly with the Registrar as the EST server. The ' communicate directly with the Registrar as the EST server. The
pinned-domain-cert' is not a complete distribution of the EST section 'pinned-domain-cert' is not a complete distribution of the EST
4.1.3 CA Certificate Response which is an additional justification section 4.1.3 CA Certificate Response, which is an additional
for the recommendation to proceed with EST key management operations. justification for the recommendation to proceed with EST key
Once a full CA Certificate Response is obtained it is more management operations. Once a full CA Certificate Response is
authoritative for the domain than the limited 'pinned-domain-cert' obtained it is more authoritative for the domain than the limited
response.' 'pinned-domain-cert' response.
5.6. Voucher Status Telemetry 5.6. Voucher Status Telemetry
The domain is expected to provide indications to the system The domain is expected to provide indications to the system
administrators concerning device lifecycle status. To facilitate administrators concerning device lifecycle status. To facilitate
this it needs telemetry information concerning the device's status. this it needs telemetry information concerning the device's status.
To indicate Pledge status regarding the Voucher, the pledge MUST post To indicate Pledge status regarding the Voucher, the Pledge MUST post
a status message. a status message.
The posted data media type: application/json The posted data media type: application/json
The client HTTP POSTs the following to the server at the EST well The client HTTP POSTs the following to the server at the EST well
known URI /voucher_status. The Status field indicates if the Voucher known URI "/voucher_status". The Status field indicates if the
was acceptable. If it was not acceptable the Reason string indicates Voucher was acceptable. If it was not acceptable the Reason string
why. In the failure case this message is being sent to an indicates why. In the failure case this message is being sent to an
unauthenticated, potentially malicious Registrar and therefore the unauthenticated, potentially malicious Registrar and therefore the
Reason string SHOULD NOT provide information beneficial to an Reason string SHOULD NOT provide information beneficial to an
attacker. The operational benefit of this telemetry information is attacker. The operational benefit of this telemetry information is
balanced against the operational costs of not recording that an balanced against the operational costs of not recording that an
Voucher was ignored by a client the registar expected to continue Voucher was ignored by a client the registar expected to continue
joining the domain. joining the domain.
{ {
"version":"1", "version":"1",
"Status":FALSE /* TRUE=Success, FALSE=Fail" "Status":FALSE /* TRUE=Success, FALSE=Fail"
skipping to change at page 38, line 47 skipping to change at page 40, line 4
balanced against the operational costs of not recording that an balanced against the operational costs of not recording that an
Voucher was ignored by a client the registar expected to continue Voucher was ignored by a client the registar expected to continue
joining the domain. joining the domain.
{ {
"version":"1", "version":"1",
"Status":FALSE /* TRUE=Success, FALSE=Fail" "Status":FALSE /* TRUE=Success, FALSE=Fail"
"Reason":"Informative human readable message" "Reason":"Informative human readable message"
"reason-context": { additional JSON } "reason-context": { additional JSON }
} }
The server SHOULD respond with an HTTP 200 but MAY simply fail with The server SHOULD respond with an HTTP 200 but MAY simply fail with
an HTTP 404 error. The client ignores any response. Within the an HTTP 404 error. The client ignores any response. Within the
server logs the server SHOULD capture this telemetry information. server logs the server SHOULD capture this telemetry information.
The reason-context attribute is an arbitrary JSON object (literal The reason-context attribute is an arbitrary JSON object (literal
value or hash of values) which provides additional information value or hash of values) which provides additional information
specific to this pledge. The contents of this field are not subject specific to this Pledge. The contents of this field are not subject
to standardization." to standardization.
Additional standard responses MAY be added via Specification Additional standard responses MAY be added via Specification
Required. Required.
5.7. MASA authorization log Request 5.7. MASA authorization log Request
After receiving the voucher status telemetry Section 5.6, the After receiving the voucher status telemetry Section 5.6, the
Registrar SHOULD request the MASA authorization log from the MASA Registrar SHOULD request the MASA authorization log from the MASA
service using this EST extension. If a device had previously service using this EST extension. If a device had previously
registered with another domain, a Registrar of that domain would show registered with another domain, a Registrar of that domain would show
in the log. in the log.
This is done with an HTTP GET using the operation path value of This is done with an HTTP GET using the operation path value of
"/.well-known/est/requestauditlog". "/.well-known/est/requestauditlog".
The Registrar MUST HTTP POSTs the same Registrar voucher-request as The Registrar MUST HTTP POST the same Registrar voucher-request as it
it did when requesting a Voucher. It is posted to the did when requesting a Voucher. It is posted to the /requestauditlog
/requestauditlog URI instead. The "idevid-issuer" and "serial- URI instead. The "idevid-issuer" and "serial-number" informs the
number" informs the MASA server which log is requested so the MASA server which log is requested so the appropriate log can be
appropriate log can be prepared for the response. Using the same prepared for the response. Using the same media type and message
media type and message minimizes cryptographic and message operations minimizes cryptographic and message operations although it results in
although it results in additional network traffic. The relying MASA additional network traffic. The relying MASA server implementation
server implementation MAY leverage internal state to associate this MAY leverage internal state to associate this request with the
request with the original, and by now already validated, Registrar original, and by now already validated, Registrar voucher-request so
voucher-request so as to avoid an extra crypto validation. as to avoid an extra crypto validation.
A MASA which receives a request for a device which does not exist, or A MASA that receives a request for a device which does not exist, or
for which the requesting owner was never an owner returns an HTTP 404 for which the requesting owner was never an owner returns an HTTP 404
("Not found") code. ("Not found") code.
Rather than returning the audit log as a response to the POST (with a Rather than returning the audit log as a response to the POST (with a
return code 200), the MASA MAY instead return a 201 ("Created") return code 200), the MASA MAY instead return a 201 ("Created")
RESTful response ([RFC7231] section 7.1) containing a URL to the RESTful response ([RFC7231] section 7.1) containing a URL to the
prepared (and easily cachable) audit response. prepared (and easily cachable) audit response.
MASA servers that return URLs SHOULD take care to make the returned MASA servers that return URLs SHOULD take care to make the returned
URL unguessable. URLs containing a database number such as URL unguessable. URLs containing a database number such as
https://example.com/auditlog/1234 or the EUI of the device such https://example.com/auditlog/1234 or the EUI of the device such
https://example.com/auditlog/10-00-00-11-22-33, would be easily https://example.com/auditlog/10-00-00-11-22-33, would be easily
enumerable by an attacker. It is recommended put to put some enumerable by an attacker. It is recommended to put some meaningless
meaningless randomly generated slug that indexes a database instead. randomly generated slug that indexes a database instead.
A MASA that returns a code 200 MAY also include a Location: header A MASA that returns a code 200 MAY also include a Location: header
for future reference by the Registrar. for future reference by the Registrar.
The request media type is: The request media type is:
application/voucher-cms+json The request is a "YANG-defined JSON application/voucher-cms+json The request is a "YANG-defined JSON
document that has been signed using a CMS structure" as described document that has been signed using a CMS structure" as described
in Section 3 using the JSON encoded described in [RFC7951]. The in Section 3 using the JSON encoded described in [RFC7951]. The
Registrar MUST sign the request. The entire Registrar certificate Registrar MUST sign the request. The entire Registrar certificate
skipping to change at page 40, line 44 skipping to change at page 41, line 49
"nonced duplicates": <number of entries truncated>, "nonced duplicates": <number of entries truncated>,
"nonceless duplicates": <number of entries truncated>, "nonceless duplicates": <number of entries truncated>,
"arbitrary": <number of entries trucated> "arbitrary": <number of entries trucated>
} }
} }
A Registrar SHOULD use this log information to make an informed A Registrar SHOULD use this log information to make an informed
decision regarding the continued bootstrapping of the Pledge. For decision regarding the continued bootstrapping of the Pledge. For
example if the log includes an unexpected domainID then the Pledge example if the log includes an unexpected domainID then the Pledge
could have imprinted on an unexpected domain. If the log includes could have imprinted on an unexpected domain. If the log includes
nonceless entries then any registrar in the same domain could nonceless entries then any Registrar in the same domain could
theoretically trigger a reset of the device and take over management theoretically trigger a reset of the device and take over management
of the Pledge. Equipment that is purchased pre-owned can be expected of the Pledge. Equipment that is purchased pre-owned can be expected
to have an extensive history. A Registrar MAY request logs at future to have an extensive history. A Registrar MAY request logs at future
times. A Registrar MAY be configured to ignore the history of the times. A Registrar MAY be configured to ignore the history of the
device but it is RECOMMENDED that this only be configured if hardware device but it is RECOMMENDED that this only be configured if hardware
assisted NEA [RFC5209] is supported. assisted NEA [RFC5209] is supported.
Log entries can be compared against local history logs in search of Log entries can be compared against local history logs in search of
discrepancies. discrepancies.
skipping to change at page 41, line 24 skipping to change at page 42, line 28
arbitrarily truncated for length. The trunctation method(s) used arbitrarily truncated for length. The trunctation method(s) used
MUST be indicated in the JSON truncation dictionary using "nonced MUST be indicated in the JSON truncation dictionary using "nonced
duplicates", "nonceless duplicates", and "arbitrary" where the number duplicates", "nonceless duplicates", and "arbitrary" where the number
of entries that have been truncation is indicated. If the truncation of entries that have been truncation is indicated. If the truncation
count exceeds 1024 then the MASA MAY use this value without further count exceeds 1024 then the MASA MAY use this value without further
incrementing it. incrementing it.
A log where duplicate entries for the same domain have been truncated A log where duplicate entries for the same domain have been truncated
("nonced duplicates" and/or "nonceless duplicates) could still be ("nonced duplicates" and/or "nonceless duplicates) could still be
acceptable for informed decisions. A log that has had "arbitrary" acceptable for informed decisions. A log that has had "arbitrary"
truncations is less acceptable but vendor transparency is better than truncations is less acceptable but manufacturer transparency is
hidden truncations. better than hidden truncations.
This document specifies a simple log format as provided by the MASA This document specifies a simple log format as provided by the MASA
service to the registar. This format could be improved by service to the registar. This format could be improved by
distributed consensus technologies that integrate vouchers with a distributed consensus technologies that integrate vouchers with
technologies such as block-chain or hash trees or optimized logging technologies such as block-chain or hash trees or optimized logging
approaches. Doing so is out of the scope of this document but are approaches. Doing so is out of the scope of this document but is an
anticipated improvements for future work. As such, the Registrar anticipated improvements for future work. As such, the Registrar
client SHOULD anticipate new kinds of responses, and SHOULD provide client SHOULD anticipate new kinds of responses, and SHOULD provide
operator controls to indicate how to process unknown responses. operator controls to indicate how to process unknown responses.
5.8. EST Integration for PKI bootstrapping 5.8. EST Integration for PKI bootstrapping
The Pledge SHOULD follow the BRSKI operations with EST enrollment The Pledge SHOULD follow the BRSKI operations with EST enrollment
operations including "CA Certificates Request", "CSR Attributes" and operations including "CA Certificates Request", "CSR Attributes" and
"Client Certificate Request" or "Server-Side Key Generation" etc. "Client Certificate Request" or "Server-Side Key Generation", etc.
This is a relatively seamless integration since BRSKI REST calls This is a relatively seamless integration since BRSKI REST calls
provide an automated alternative to the manual bootstrapping method provide an automated alternative to the manual bootstrapping method
described in [RFC7030]. As noted above, use of HTTP 1.1 persistent described in [RFC7030]. As noted above, use of HTTP 1.1 persistent
connections simplifies the Pledge state machine. connections simplifies the Pledge state machine.
The Pledge is also RECOMMENDED to implement the following EST The Pledge is also RECOMMENDED to implement the EST automation
automation extensions. They supplement the RFC7030 EST to better extensions described below. They supplement the RFC7030 EST to
support automated devices that do not have an end user. better support automated devices that do not have an end user.
Although EST allows clients to obtain multiple certificates by Although EST allows clients to obtain multiple certificates by
sending multiple CSR requests BRSKI mandates use of the CSR sending multiple CSR requests BRSKI mandates use of the CSR
Attributes request and mandates that the Registrar validate the CSR Attributes request and mandates that the Registrar validate the CSR
against the expected attributes. This implies that client requests against the expected attributes. This implies that client requests
will "look the same" and therefore result in a single logical will "look the same" and therefore result in a single logical
certificate being issued even if the client were to make multiple certificate being issued even if the client were to make multiple
requests. Registrars MAY contain more complex logic but doing so is requests. Registrars MAY contain more complex logic but doing so is
out-of-scope of this specification. BRSKI does not signal any out-of-scope of this specification. BRSKI does not signal any
enhancement or restriction to this capability. Pledges that require enhancement or restriction to this capability. Pledges that require
skipping to change at page 42, line 21 skipping to change at page 43, line 29
Registrar. Registrar.
5.8.1. EST Distribution of CA Certificates 5.8.1. EST Distribution of CA Certificates
The Pledge MUST request the full EST Distribution of CA Certificates The Pledge MUST request the full EST Distribution of CA Certificates
message. See RFC7030, section 4.1. message. See RFC7030, section 4.1.
This ensures that the Pledge has the complete set of current CA This ensures that the Pledge has the complete set of current CA
certificates beyond the pinned-domain-cert (see Section 5.5.1 for a certificates beyond the pinned-domain-cert (see Section 5.5.1 for a
discussion of the limitations inherent in having a single certificate discussion of the limitations inherent in having a single certificate
instead of a full CA Certificates response). Although these instead of a full CA Certificates response.) Although these
limitations are acceptable during initial bootstrapping they are not limitations are acceptable during initial bootstrapping, they are not
appropriate for ongoing PKIX end entity certificate validation. appropriate for ongoing PKIX end entity certificate validation.
5.8.2. EST CSR Attributes 5.8.2. EST CSR Attributes
Automated bootstrapping occurs without local administrative Automated bootstrapping occurs without local administrative
configuration of the Pledge. In some deployments its plausible that configuration of the Pledge. In some deployments it is plausible
the Pledge generates a certificate request containing only identity that the Pledge generates a certificate request containing only
information known to the Pledge (essentially the X.509 IDevID identity information known to the Pledge (essentially the X.509
information) and ultimately receives a certificate containing domain IDevID information) and ultimately receives a certificate containing
specific identity information. Conceptually the CA has complete domain specific identity information. Conceptually the CA has
control over all fields issued in the end entity certificate. complete control over all fields issued in the end entity
Realistically this is operationally difficult with the current status certificate. Realistically this is operationally difficult with the
of PKI certificate authority deployments where the CSR is submitted current status of PKI certificate authority deployments, where the
to the CA via a number of non-standard protocols. Even with all CSR is submitted to the CA via a number of non-standard protocols.
standardized protocols used, it could operationally be problematic to Even with all standardized protocols used, it could operationally be
expect that service specific certificate fields can be created by a problematic to expect that service specific certificate fields can be
CA that is likely operated by a group that has no insight into created by a CA that is likely operated by a group that has no
different network services/protocols used. For example, the CA could insight into different network services/protocols used. For example,
even be outsourced. the CA could even be outsourced.
To alleviate these operational difficulties, the Pledge MUST request To alleviate these operational difficulties, the Pledge MUST request
the EST "CSR Attributes" from the EST server and the EST server needs the EST "CSR Attributes" from the EST server and the EST server needs
to be able to reply with the attributes necessary for use of the to be able to reply with the attributes necessary for use of the
certificate in its intended protocols/services. This approach allows certificate in its intended protocols/services. This approach allows
for minimal CA integrations and instead the local infrastructure (EST for minimal CA integrations and instead the local infrastructure (EST
server) informs the Pledge of the proper fields to include in the server) informs the Pledge of the proper fields to include in the
generated CSR. This approach is beneficial to automated boostrapping generated CSR. This approach is beneficial to automated boostrapping
in the widest number of environments. in the widest number of environments.
If the hardwareModuleName in the X.509 IDevID is populated then it If the hardwareModuleName in the X.509 IDevID is populated then it
SHOULD by default be propagated to the LDevID along with the SHOULD by default be propagated to the LDevID along with the
hwSerialNum. The EST server SHOULD support local policy concerning hwSerialNum. The EST server SHOULD support local policy concerning
this functionality. this functionality.
In networks using the BRSKI enrolled certificate to authenticate the In networks using the BRSKI enrolled certificate to authenticate the
ACP (Autonomic Control Plane), the EST attributes MUST include the ACP (Autonomic Control Plane), the EST attributes MUST include the
"ACP information" field. See "ACP information" field. See
[I-D.ietf-anima-autonomic-control-plane] for more details. [I-D.ietf-anima-autonomic-control-plane] for more details.
The Registar MUST also confirm the resulting CSR is formatted as The Registar MUST also confirm that the resulting CSR is formatted as
indicated before forwarding the request to a CA. If the Registar is indicated before forwarding the request to a CA. If the Registar is
communicating with the CA using a protocol like full CMC which communicating with the CA using a protocol such as full CMC, which
provides mechanisms to override the CSR attributes, then these provides mechanisms to override the CSR attributes, then these
mechanisms MAY be used even if the client ignores CSR Attribute mechanisms MAY be used even if the client ignores CSR Attribute
guidance. guidance.
5.8.3. EST Client Certificate Request 5.8.3. EST Client Certificate Request
The Pledge MUST request a new client certificate. See RFC7030, The Pledge MUST request a new client certificate. See RFC7030,
section 4.2. section 4.2.
5.8.4. Enrollment Status Telemetry 5.8.4. Enrollment Status Telemetry
For automated bootstrapping of devices the adminstrative elements For automated bootstrapping of devices, the adminstrative elements
providing bootstrapping also provide indications to the system providing bootstrapping also provide indications to the system
administrators concerning device lifecycle status. This might administrators concerning device lifecycle status. This might
include information concerning attempted bootstrapping messages seen include information concerning attempted bootstrapping messages seen
by the client, MASA provides logs and status of credential by the client, MASA provides logs and status of credential
enrollment. The EST protocol assumes an end user and therefore does enrollment. The EST protocol assumes an end user and therefore does
not include a final success indication back to the server. This is not include a final success indication back to the server. This is
insufficient for automated use cases. insufficient for automated use cases.
To indicate successful enrollment the client SHOULD re-negotiate the To indicate successful enrollment the client SHOULD re-negotiate the
EST TLS session using the newly obtained credentials. This occurs by EST TLS session using the newly obtained credentials. This occurs by
the client initiating a new TLS ClientHello message on the existing the client initiating a new TLS ClientHello message on the existing
TLS connection. The client MAY simply close the old TLS session and TLS connection. The client MAY simply close the old TLS session and
start a new one. The server MUST support either model. start a new one. The server MUST support either model.
In the case of a FAIL the Reason string indicates why the most recent In the case of a FAIL, the Reason string indicates why the most
enrollment failed. The SubjectKeyIdentifier field MUST be included recent enrollment failed. The SubjectKeyIdentifier field MUST be
if the enrollment attempt was for a keypair that is locally known to included if the enrollment attempt was for a keypair that is locally
the client. If EST /serverkeygen was used and failed then the field known to the client. If EST /serverkeygen was used and failed then
is omitted from the status telemetry. the field is omitted from the status telemetry.
In the case of a SUCCESS the Reason string is omitted. The In the case of a SUCCESS the Reason string is omitted. The
SubjectKeyIdentifier is included so that the server can record the SubjectKeyIdentifier is included so that the server can record the
successful certificate distribution. successful certificate distribution.
Status media type: application/json Status media type: application/json
The client HTTP POSTs the following to the server at the new EST well The client HTTP POSTs the following to the server at the new EST well
known URI /enrollstatus. known URI /enrollstatus.
skipping to change at page 45, line 4 skipping to change at page 46, line 6
work. work.
6. Reduced security operational modes 6. Reduced security operational modes
A common requirement of bootstrapping is to support less secure A common requirement of bootstrapping is to support less secure
operational modes for support specific use cases. The following operational modes for support specific use cases. The following
sections detail specific ways that the Pledge, Registrar and MASA can sections detail specific ways that the Pledge, Registrar and MASA can
be configured to run in a less secure mode for the indicated reasons. be configured to run in a less secure mode for the indicated reasons.
6.1. Trust Model 6.1. Trust Model
+--------+ +---------+ +------------+ +------------+ +--------+ +---------+ +------------+ +------------+
| Pledge | | Circuit | | Domain | | Vendor | | Pledge | | Circuit | | Domain | |Manufacturer|
| | | Proxy | | Registrar | | Service | | | | Proxy | | Registrar | | Service |
| | | | | | | (Internet | | | | | | | | (Internet) |
+--------+ +---------+ +------------+ +------------+ +--------+ +---------+ +------------+ +------------+
Figure 10 Figure 10
Pledge: The Pledge could be compromised and providing an attack Pledge: The Pledge could be compromised and providing an attack
vector for malware. The entity is trusted to only imprint using vector for malware. The entity is trusted to only imprint using
secure methods described in this document. Additional endpoint secure methods described in this document. Additional endpoint
assessment techniques are RECOMMENDED but are out-of-scope of this assessment techniques are RECOMMENDED but are out-of-scope of this
document. document.
Proxy: Provides proxy functionalities but is not involved in Proxy: Provides proxy functionalities but is not involved in
security considerations. security considerations.
Registrar: When interacting with a MASA server a Registrar makes all Registrar: When interacting with a MASA server a Registrar makes all
decisions. When Ownership Vouchers are involved a Registrar is decisions. When Ownership Vouchers are involved a Registrar is
only a conduit and all security decisions are made on the vendor only a conduit and all security decisions are made on the
service. manufacturer service.
Vendor Service, MASA: This form of vendor service is trusted to Vendor Service, MASA: This form of manufacturer service is trusted
accurately log all claim attempts and to provide authoritative log to accurately log all claim attempts and to provide authoritative
information to Registrars. The MASA does not know which devices log information to Registrars. The MASA does not know which
are associated with which domains. These claims could be devices are associated with which domains. These claims could be
strengthened by using cryptographic log techniques to provide strengthened by using cryptographic log techniques to provide
append only, cryptographic assured, publicly auditable logs. append only, cryptographic assured, publicly auditable logs.
Current text provides only for a trusted vendor. Current text provides only for a trusted manufacturer.
Vendor Service, Ownership Validation: This form of vendor service is Vendor Service, Ownership Validation: This form of manufacturer
trusted to accurately know which device is owned by which domain. service is trusted to accurately know which device is owned by
which domain.
6.2. Pledge security reductions 6.2. Pledge security reductions
The Pledge can choose to accept vouchers using less secure methods. The Pledge can choose to accept vouchers using less secure methods.
These methods enable offline and emergency (touch based) deployment These methods enable offline and emergency (touch based) deployment
use cases: use cases:
1. The Pledge MUST accept nonceless vouchers. This allows for 1. The Pledge MUST accept nonceless vouchers. This allows for
offline use cases. Logging and validity periods address the offline use cases. Logging and validity periods address the
inherent security considerations of supporting these use cases. inherent security considerations of supporting these use cases.
2. The Pledge MAY support "trust on first use" for physical 2. The Pledge MAY support "trust on first use" for physical
interfaces such as a local console port or physical user interfaces such as a local console port or physical user
interface but MUST NOT support "trust on first use" on network interface but MUST NOT support "trust on first use" on network
interfaces. This is because "trust on first use" permanently interfaces. This is because "trust on first use" permanently
degrades the security for all use cases. degrades the security for all use cases.
3. The Pledge MAY have an operational mode where it skips Voucher 3. The Pledge MAY have an operational mode where it skips Voucher
validation one time. For example if a physical button is validation one time. For example if a physical button is
depressed during the bootstrapping operation. This can be useful depressed during the bootstrapping operation. This can be useful
if the vendor service is unavailable. This behavior SHOULD be if the manufacturer service is unavailable. This behavior SHOULD
available via local configuration or physical presence methods to be available via local configuration or physical presence methods
ensure new entities can always be deployed even when autonomic to ensure new entities can always be deployed even when autonomic
methods fail. This allows for unsecured imprint. methods fail. This allows for unsecured imprint.
It is RECOMMENDED that "trust on first use" or skipping voucher It is RECOMMENDED that "trust on first use" or skipping voucher
validation only be available if hardware assisted Network Endpoint validation only be available if hardware assisted Network Endpoint
Assessment [RFC5209] is supported. This recommendation ensures that Assessment [RFC5209] is supported. This recommendation ensures that
domain network monitoring can detect innappropriate use of offline or domain network monitoring can detect innappropriate use of offline or
emergency deployment procedures. emergency deployment procedures.
6.3. Registrar security reductions 6.3. Registrar security reductions
A Registrar can choose to accept devices using less secure methods. A Registrar can choose to accept devices using less secure methods.
These methods are acceptable when low security models are needed, as These methods are acceptable when low security models are needed, as
the security decisions are being made by the local administrator, but the security decisions are being made by the local administrator, but
they MUST NOT be the default behavior: they MUST NOT be the default behavior:
1. A registrar MAY choose to accept all devices, or all devices of a 1. A Registrar MAY choose to accept all devices, or all devices of a
particular type, at the administrator's discretion. This could particular type, at the administrator's discretion. This could
occur when informing all Registrars of unique identifiers of new occur when informing all Registrars of unique identifiers of new
entities might be operationally difficult. entities might be operationally difficult.
2. A registrar MAY choose to accept devices that claim a unique 2. A Registrar MAY choose to accept devices that claim a unique
identity without the benefit of authenticating that claimed identity without the benefit of authenticating that claimed
identity. This could occur when the Pledge does not include an identity. This could occur when the Pledge does not include an
X.509 IDevID factory installed credential. New Entities without X.509 IDevID factory installed credential. New Entities without
an X.509 IDevID credential MAY form the Section 5.2 request using an X.509 IDevID credential MAY form the Section 5.2 request using
the Section 5.4 format to ensure the Pledge's serial number the Section 5.4 format to ensure the Pledge's serial number
information is provided to the Registar (this includes the IDevID information is provided to the Registar (this includes the IDevID
AuthorityKeyIdentifier value which would be statically configured AuthorityKeyIdentifier value, which would be statically
on the Pledge). The Pledge MAY refuse to provide a TLS client configured on the Pledge.) The Pledge MAY refuse to provide a
certificate (as one is not available). The Pledge SHOULD support TLS client certificate (as one is not available.) The Pledge
HTTP-based or certificate-less TLS authentication as described in SHOULD support HTTP-based or certificate-less TLS authentication
EST RFC7030 section 3.3.2. A Registrar MUST NOT accept as described in EST RFC7030 section 3.3.2. A Registrar MUST NOT
unauthenticated New Entities unless it has been configured to do accept unauthenticated New Entities unless it has been configured
so by an administrator that has verified that only expected new to do so by an administrator that has verified that only expected
entities can communicate with a Registrar (presumably via a new entities can communicate with a Registrar (presumably via a
physically secured perimeter). physically secured perimeter.)
3. A Registrar MAY submit a nonceless voucher-requests to MASA 3. A Registrar MAY submit a nonceless voucher-requests to the MASA
service (by not including a nonce in the voucher-request). The service (by not including a nonce in the voucher-request.) The
resulting Vouchers can then be stored by the Registrar until they resulting Vouchers can then be stored by the Registrar until they
are needed during bootstrapping operations. This is for use are needed during bootstrapping operations. This is for use
cases where target network is protected by an air gap and cases where the target network is protected by an air gap and
therefore can not contact the MASA service during Pledge therefore cannot contact the MASA service during Pledge
deployment. deployment.
4. A registrar MAY ignore unrecognized nonceless log entries. This 4. A Registrar MAY ignore unrecognized nonceless log entries. This
could occur when used equipment is purchased with a valid history could occur when used equipment is purchased with a valid history
being deployed in air gap networks that required permanent being deployed in air gap networks that required permanent
Vouchers. Vouchers.
6.4. MASA security reductions 6.4. MASA security reductions
Lower security modes chosen by the MASA service effect all device Lower security modes chosen by the MASA service affect all device
deployments unless bound to the specific device identities. In which deployments unless bound to the specific device identities. In which
case these modes can be provided as additional features for specific case these modes can be provided as additional features for specific
customers. The MASA service can choose to run in less secure modes customers. The MASA service can choose to run in less secure modes
by: by:
1. Not enforcing that a nonce is in the Voucher. This results in 1. Not enforcing that a nonce is in the Voucher. This results in
distribution of Voucher that never expires and in effect makes distribution of a Voucher that never expires and in effect makes
the Domain an always trusted entity to the Pledge during any the Domain an always trusted entity to the Pledge during any
subsequent bootstrapping attempts. That this occurred is subsequent bootstrapping attempts. That this occurred is
captured in the log information so that the Registrar can make captured in the log information so that the Registrar can make
appropriate security decisions when a Pledge joins the Domain. appropriate security decisions when a Pledge joins the Domain.
This is useful to support use cases where Registrars might not be This is useful to support use cases where Registrars might not be
online during actual device deployment. Because this results in online during actual device deployment. Because this results in
long lived Voucher and does not require the proof that the device a long lived Voucher and does not require the proof that the
is online this is only accepted when the Registrar is device is online, this is only accepted when the Registrar is
authenticated by the MASA server and authorized to provide this authenticated by the MASA server and authorized to provide this
functionality. The MASA server is RECOMMENDED to use this functionality. The MASA server is RECOMMENDED to use this
functionality only in concert with an enhanced level of ownership functionality only in concert with an enhanced level of ownership
tracking (out-of-scope). If the Pledge device is known to have a tracking (out-of-scope.) If the Pledge device is known to have a
real-time-clock that is set from the factory use of a voucher real-time-clock that is set from the factory, use of a voucher
validity period is RECOMMENDED. validity period is RECOMMENDED.
2. Not verifying ownership before responding with an Voucher. This 2. Not verifying ownership before responding with a Voucher. This
is expected to be a common operational model because doing so is expected to be a common operational model because doing so
relieves the vendor providing MASA services from having to track relieves the manufacturer providing MASA services from having to
ownership during shipping and supply chain and allows for a very track ownership during shipping and supply chain and allows for a
low overhead MASA service. A Registrar uses the audit log very low overhead MASA service. A Registrar uses the audit log
information as a defense in depth strategy to ensure that this information as a defense in depth strategy to ensure that this
does not occur unexpectedly (for example when purchasing new does not occur unexpectedly (for example when purchasing new
equipment the Registrar would throw an error if any audit log equipment the Registrar would throw an error if any audit log
information is reported). The MASA should verify the 'prior- information is reported.) The MASA should verify the 'prior-
signed-voucher' information for Pledge's that support that signed-voucher' information for Pledges that support that
functionality. This provides a proof-of-proximity check that functionality. This provides a proof-of-proximity check that
reduces the need for ownership verification. reduces the need for ownership verification.
7. IANA Considerations 7. IANA Considerations
This document requires the following IANA actions: This document requires the following IANA actions:
7.1. PKIX Registry 7.1. PKIX Registry
IANA is requested to register the following: IANA is requested to register the following:
skipping to change at page 48, line 40 skipping to change at page 49, line 42
o Reason o Reason
o reason-context o reason-context
8. Security Considerations 8. Security Considerations
There are uses cases where the MASA could be unavailable or There are uses cases where the MASA could be unavailable or
uncooperative to the Registrar. They include planned and unplanned uncooperative to the Registrar. They include planned and unplanned
network partitions, changes to MASA policy, or other instances where network partitions, changes to MASA policy, or other instances where
MASA policy rejects a claim. These introduce an operational risk to MASA policy rejects a claim. These introduce an operational risk to
the Registrar owner that MASA/vendor behavior might limit the ability the Registrar owner that MASA behavior might limit the ability to re-
to re-boostrap a Pledge device. For example this might be an issue boostrap a Pledge device. For example this might be an issue during
during disaster recovery. This risk can be mitigated by Registrars disaster recovery. This risk can be mitigated by Registrars that
that request and maintain long term copies of "nonceless" Vouchers. request and maintain long term copies of "nonceless" Vouchers. In
In that way they are guaranteed to be able to repeat bootstrapping that way they are guaranteed to be able to repeat bootstrapping for
for their devices. their devices.
The issuance of nonceless vouchers themselves create a security The issuance of nonceless vouchers themselves creates a security
concern. If the Registrar of a previous domain can intercept concern. If the Registrar of a previous domain can intercept
protocol communications then it can use a previously issued nonceless protocol communications then it can use a previously issued nonceless
voucher to establish management control of a pledge device even after voucher to establish management control of a Pledge device even after
having sold it. This risk is mitigated by recording the issuance of having sold it. This risk is mitigated by recording the issuance of
such vouchers in the MASA audit log that is verified by the such vouchers in the MASA audit log that is verified by the
subsequent Registrar. This reduces the resale value of the equipment subsequent Registrar. This reduces the resale value of the equipment
because future owners will detect the lowered security inherent in because future owners will detect the lowered security inherent in
the existence of a nonceless voucher that would be trusted by their the existence of a nonceless voucher that would be trusted by their
Pledge. This reflects a balance between partition resistant recovery Pledge. This reflects a balance between partition resistant recovery
and security of future bootstrapping. Registrars take the Pledge's and security of future bootstrapping. Registrars take the Pledge's
audit history into account when applying policy to new devices. audit history into account when applying policy to new devices.
The MASA server is exposed to DoS attacks wherein attackers claim an The MASA server is exposed to DoS attacks wherein attackers claim an
unbounded number of devices. Ensuring a Registrar is representative unbounded number of devices. Ensuring a Registrar is representative
of a valid vendor customer, even without validating ownership of of a valid manufacturer customer, even without validating ownership
specific Pledge devices, helps to mitigate this. Pledge signatures of specific Pledge devices, helps to mitigate this. Pledge
on the Pledge voucher-request, as forwarded by the Registrar in the signatures on the Pledge voucher-request, as forwarded by the
prior-signed-voucher field of the Registrar voucher-request, Registrar in the prior-signed-voucher field of the Registrar voucher-
significantly reduce this risk by ensuring the MASA can confirm request, significantly reduce this risk by ensuring the MASA can
proximity between the Pledge and the Registrar making the request. confirm proximity between the Pledge and the Registrar making the
This mechanism is optional to allow for constrained devices. request. This mechanism is optional to allow for constrained
devices.
To facilitate logging and administrative oversight in addition to To facilitate logging and administrative oversight in addition to
triggering Registration verification of MASA logs the Pledge reports triggering Registration verification of MASA logs the Pledge reports
on Voucher parsing status to the Registrar. In the case of a failure on Voucher parsing status to the Registrar. In the case of a
this information is informative to a potentially malicious Registar failure, this information is informative to a potentially malicious
but this is mandated anyway because of the operational benefits of an Registar but this is mandated anyway because of the operational
informed administrator in cases where the failure is indicative of a benefits of an informed administrator in cases where the failure is
problem. The Registrar is RECOMMENDED to verify MASA logs if voucher indicative of a problem. The Registrar is RECOMMENDED to verify MASA
status telemetry is not received. logs if voucher status telemetry is not received.
The MASA authorization log includes a hash of the domainID for each The MASA authorization log includes a hash of the domainID for each
registrar a voucher has been issued to. This information is closely Registrar a voucher has been issued to. This information is closely
related to the actual domain identity, especially when paired with related to the actual domain identity, especially when paired with
the anti-DDoS authentication information the MASA might collect. the anti-DDoS authentication information the MASA might collect.
This could provide sufficient information for the MASA service to This could provide sufficient information for the MASA service to
build a detailed understanding the devices that have been provisioned build a detailed understanding the devices that have been provisioned
within a domain. There are a number of design choices that mitigate within a domain. There are a number of design choices that mitigate
this risk. The domain can maintain some privacy since it has not this risk. The domain can maintain some privacy since it has not
necessarily been authenticated and is not authoritatively bound to necessarily been authenticated and is not authoritatively bound to
the supply chain. Additionally the domainID captures only the the supply chain. Additionally the domainID captures only the
unauthenticated subject key identifier of the domain. A privacy unauthenticated subject key identifier of the domain. A privacy
sensitive domain could theoretically generate a new domainID for each sensitive domain could theoretically generate a new domainID for each
device being deployed. Similarly a privacy sensitive domain would device being deployed. Similarly a privacy sensitive domain would
likely purchase devices that support proximity assertions from a likely purchase devices that support proximity assertions from a
vendor that does not require sales channel integrations. This would manufacturer that does not require sales channel integrations. This
result in a significant level of privacy while maintaining the would result in a significant level of privacy while maintaining the
security characteristics provided by Registrar based audit log security characteristics provided by Registrar based audit log
inspection. inspection.
To facilitate truely limited clients EST RFC7030 section 3.3.2 To facilitate truely limited clients EST RFC7030 section 3.3.2
requirements that the client MUST support a client authentication requirements that the client MUST support a client authentication
model have been reduced in Section 6 to a statement that the model have been reduced in Section 6 to a statement that the
Registrar "MAY" choose to accept devices that fail cryptographic Registrar "MAY" choose to accept devices that fail cryptographic
authentication. This reflects current (poor) practices in shipping authentication. This reflects current (poor) practices in shipping
devices without a cryptographic identity that are NOT RECOMMENDED. devices without a cryptographic identity that are NOT RECOMMENDED.
During the provisional period of the connection the Pledge MUST treat During the provisional period of the connection the Pledge MUST treat
all HTTP header and content data as untrusted data. HTTP libraries all HTTP header and content data as untrusted data. HTTP libraries
are regularly exposed to non-secured HTTP traffic: mature libraries are regularly exposed to non-secured HTTP traffic: mature libraries
should not have any problems. should not have any problems.
Pledge's might chose to engage in protocol operations with multiple Pledges might chose to engage in protocol operations with multiple
discovered Registrars in parallel. As noted above they will only do discovered Registrars in parallel. As noted above they will only do
so with distinct nonce values, but the end result could be multiple so with distinct nonce values, but the end result could be multiple
voucher's issued from the MASA if all registrars attempt to claim the vouchers issued from the MASA if all Registrars attempt to claim the
device. This is not a failure and the Pledge choses whichever device. This is not a failure and the Pledge choses whichever
voucher to accept based on internal logic. The Registrar's verifying voucher to accept based on internal logic. The Registrar's verifying
log information will see multiple entries and take this into account log information will see multiple entries and take this into account
for their analytics purposes. for their analytics purposes.
8.1. Freshness in Voucher-Requests 8.1. Freshness in Voucher-Requests
A concern has been raised that the Pledge voucher-request should A concern has been raised that the Pledge voucher-request should
contain some content (a nonce) provided by the Registrar and/or MASA contain some content (a nonce) provided by the Registrar and/or MASA
in order for those actors to verify that the Pledge voucher-request in order for those actors to verify that the Pledge voucher-request
is fresh. is fresh.
There are a number of operational problems with getting a nonce from There are a number of operational problems with getting a nonce from
the MASA to the pledge. It is somewhat easier to collect a random the MASA to the Pledge. It is somewhat easier to collect a random
value from the Registrar, but as the Registrar is not yet vouched value from the Registrar, but as the Registrar is not yet vouched
for, such a Registrar nonce has little value. There are privacy and for, such a Registrar nonce has little value. There are privacy and
logistical challenges to addressing these operational issues, so if logistical challenges to addressing these operational issues, so if
such a thing were to be considered, it would have to provide some such a thing were to be considered, it would have to provide some
clear value. This section examines the impacts of not having a fresh clear value. This section examines the impacts of not having a fresh
Pledge voucher-request. Pledge voucher-request.
Because the Registrar authenticates the Pledge a full Man-in-the- Because the Registrar authenticates the Pledge, a full Man-in-the-
Middle attack is not possible, despite the provisional TLS Middle attack is not possible, despite the provisional TLS
authentication by the Pledge (see Section 5). Instead we examine the authentication by the Pledge (see Section 5.) Instead we examine the
case of a fake Registrar (Rm) that communicates with the Pledge in case of a fake Registrar (Rm) that communicates with the Pledge in
parallel or in close time proximity with the intended Registrar. parallel or in close time proximity with the intended Registrar.
(This scenario is intentionally supported as described in (This scenario is intentionally supported as described in
Section 4.1). Section 4.1.)
The fake Registrar (Rm) can obtain a voucher signed by the MASA The fake Registrar (Rm) can obtain a voucher signed by the MASA
either directly or through arbitrary intermediaries. Assuming that either directly or through arbitrary intermediaries. Assuming that
the MASA accepts the Registar voucher-request (either because Rm is the MASA accepts the Registar voucher-request (either because Rm is
collaborating with a legitimate Registrar according to supply chain collaborating with a legitimate Registrar according to supply chain
information, or because the MASA is in audit-log only mode), then a information, or because the MASA is in audit-log only mode), then a
voucher linking the pledge to the Registrar Rm is issued. voucher linking the Pledge to the Registrar Rm is issued.
Such a voucher, when passed back to the Pledge, would link the pledge Such a voucher, when passed back to the Pledge, would link the Pledge
to Registrar Rm, and would permit the Pledge to end the provisional to Registrar Rm, and would permit the Pledge to end the provisional
state. It now trusts Rm and, if it has any security vulnerabilities state. It now trusts Rm and, if it has any security vulnerabilities
leveragable by an Rm with full administrative control, can be assumed leveragable by an Rm with full administrative control, can be assumed
to be a threat against the intended Registrar. to be a threat against the intended Registrar.
This flow is mitigated by the intended Registar verifying the audit This flow is mitigated by the intended Registar verifying the audit
logs available from the MASA as described in Section 5.7. Rm might logs available from the MASA as described in Section 5.7. Rm might
chose to wait until after the intended Registrar completes the chose to wait until after the intended Registrar completes the
authorization process before submitting the now-stale Pledge voucher- authorization process before submitting the now-stale Pledge voucher-
request. The Rm would need to remove the Pledge's nonce. request. The Rm would need to remove the Pledge's nonce.
skipping to change at page 51, line 35 skipping to change at page 52, line 38
o Ongoing network monitoring for unexpected bootstrapping attempts o Ongoing network monitoring for unexpected bootstrapping attempts
by Pledges. by Pledges.
o Retreival and examination of MASA log information upon the o Retreival and examination of MASA log information upon the
occurance of any such unexpected events. Rm will be listed in the occurance of any such unexpected events. Rm will be listed in the
logs. logs.
9. Acknowledgements 9. Acknowledgements
We would like to thank the various reviewers for their input, in We would like to thank the various reviewers for their input, in
particular Brian Carpenter, Toerless Eckert, Fuyu Eleven, Eliot Lear, particular William Atwood, Brian Carpenter, Toerless Eckert, Fuyu
Sergey Kasatkin, Markus Stenberg, and Peter van der Stok Eleven, Eliot Lear, Sergey Kasatkin, Markus Stenberg, and Peter van
der Stok
10. References 10. References
10.1. Normative References 10.1. Normative References
[I-D.ietf-anima-autonomic-control-plane] [I-D.ietf-anima-autonomic-control-plane]
Eckert, T., Behringer, M., and S. Bjarnason, "An Autonomic Eckert, T., Behringer, M., and S. Bjarnason, "An Autonomic
Control Plane (ACP)", draft-ietf-anima-autonomic-control- Control Plane (ACP)", draft-ietf-anima-autonomic-control-
plane-13 (work in progress), December 2017. plane-13 (work in progress), December 2017.
skipping to change at page 53, line 24 skipping to change at page 54, line 24
<https://www.rfc-editor.org/info/rfc5386>. <https://www.rfc-editor.org/info/rfc5386>.
[RFC5652] Housley, R., "Cryptographic Message Syntax (CMS)", STD 70, [RFC5652] Housley, R., "Cryptographic Message Syntax (CMS)", STD 70,
RFC 5652, DOI 10.17487/RFC5652, September 2009, RFC 5652, DOI 10.17487/RFC5652, September 2009,
<https://www.rfc-editor.org/info/rfc5652>. <https://www.rfc-editor.org/info/rfc5652>.
[RFC5660] Williams, N., "IPsec Channels: Connection Latching", [RFC5660] Williams, N., "IPsec Channels: Connection Latching",
RFC 5660, DOI 10.17487/RFC5660, October 2009, RFC 5660, DOI 10.17487/RFC5660, October 2009,
<https://www.rfc-editor.org/info/rfc5660>. <https://www.rfc-editor.org/info/rfc5660>.
[RFC6125] Saint-Andre, P. and J. Hodges, "Representation and
Verification of Domain-Based Application Service Identity
within Internet Public Key Infrastructure Using X.509
(PKIX) Certificates in the Context of Transport Layer
Security (TLS)", RFC 6125, DOI 10.17487/RFC6125, March
2011, <https://www.rfc-editor.org/info/rfc6125>.
[RFC6762] Cheshire, S. and M. Krochmal, "Multicast DNS", RFC 6762, [RFC6762] Cheshire, S. and M. Krochmal, "Multicast DNS", RFC 6762,
DOI 10.17487/RFC6762, February 2013, DOI 10.17487/RFC6762, February 2013,
<https://www.rfc-editor.org/info/rfc6762>. <https://www.rfc-editor.org/info/rfc6762>.
[RFC6763] Cheshire, S. and M. Krochmal, "DNS-Based Service [RFC6763] Cheshire, S. and M. Krochmal, "DNS-Based Service
Discovery", RFC 6763, DOI 10.17487/RFC6763, February 2013, Discovery", RFC 6763, DOI 10.17487/RFC6763, February 2013,
<https://www.rfc-editor.org/info/rfc6763>. <https://www.rfc-editor.org/info/rfc6763>.
[RFC7030] Pritikin, M., Ed., Yee, P., Ed., and D. Harkins, Ed., [RFC7030] Pritikin, M., Ed., Yee, P., Ed., and D. Harkins, Ed.,
"Enrollment over Secure Transport", RFC 7030, "Enrollment over Secure Transport", RFC 7030,
skipping to change at page 54, line 7 skipping to change at page 55, line 15
[RFC7950] Bjorklund, M., Ed., "The YANG 1.1 Data Modeling Language", [RFC7950] Bjorklund, M., Ed., "The YANG 1.1 Data Modeling Language",
RFC 7950, DOI 10.17487/RFC7950, August 2016, RFC 7950, DOI 10.17487/RFC7950, August 2016,
<https://www.rfc-editor.org/info/rfc7950>. <https://www.rfc-editor.org/info/rfc7950>.
[RFC7951] Lhotka, L., "JSON Encoding of Data Modeled with YANG", [RFC7951] Lhotka, L., "JSON Encoding of Data Modeled with YANG",
RFC 7951, DOI 10.17487/RFC7951, August 2016, RFC 7951, DOI 10.17487/RFC7951, August 2016,
<https://www.rfc-editor.org/info/rfc7951>. <https://www.rfc-editor.org/info/rfc7951>.
10.2. Informative References 10.2. Informative References
[I-D.behringer-homenet-trust-bootstrap] [I-D.ietf-anima-reference-model]
Behringer, M., Pritikin, M., and S. Bjarnason, Behringer, M., Carpenter, B., Eckert, T., Ciavaglia, L.,
"Bootstrapping Trust on a Homenet", draft-behringer- Pierre, P., Liu, B., Nobre, J., and J. Strassner, "A
homenet-trust-bootstrap-02 (work in progress), February Reference Model for Autonomic Networking", draft-ietf-
2014. anima-reference-model-05 (work in progress), October 2017.
[I-D.ietf-netconf-zerotouch] [I-D.ietf-netconf-zerotouch]
Watsen, K., Abrahamsson, M., and I. Farrer, "Zero Touch Watsen, K., Abrahamsson, M., and I. Farrer, "Zero Touch
Provisioning for NETCONF or RESTCONF based Management", Provisioning for NETCONF or RESTCONF based Management",
draft-ietf-netconf-zerotouch-19 (work in progress), draft-ietf-netconf-zerotouch-19 (work in progress),
October 2017. October 2017.
[I-D.ietf-opsawg-mud] [I-D.ietf-opsawg-mud]
Lear, E., Droms, R., and D. Romascanu, "Manufacturer Usage Lear, E., Droms, R., and D. Romascanu, "Manufacturer Usage
Description Specification", draft-ietf-opsawg-mud-15 (work Description Specification", draft-ietf-opsawg-mud-15 (work
skipping to change at page 54, line 43 skipping to change at page 56, line 5
progress), January 2018. progress), January 2018.
[imprinting] [imprinting]
Wikipedia, "Wikipedia article: Imprinting", July 2015, Wikipedia, "Wikipedia article: Imprinting", July 2015,
<https://en.wikipedia.org/wiki/Imprinting_(psychology)>. <https://en.wikipedia.org/wiki/Imprinting_(psychology)>.
[RFC2473] Conta, A. and S. Deering, "Generic Packet Tunneling in [RFC2473] Conta, A. and S. Deering, "Generic Packet Tunneling in
IPv6 Specification", RFC 2473, DOI 10.17487/RFC2473, IPv6 Specification", RFC 2473, DOI 10.17487/RFC2473,
December 1998, <https://www.rfc-editor.org/info/rfc2473>. December 1998, <https://www.rfc-editor.org/info/rfc2473>.
[RFC2663] Srisuresh, P. and M. Holdrege, "IP Network Address
Translator (NAT) Terminology and Considerations",
RFC 2663, DOI 10.17487/RFC2663, August 1999,
<https://www.rfc-editor.org/info/rfc2663>.
[RFC5785] Nottingham, M. and E. Hammer-Lahav, "Defining Well-Known
Uniform Resource Identifiers (URIs)", RFC 5785,
DOI 10.17487/RFC5785, April 2010,
<https://www.rfc-editor.org/info/rfc5785>.
[RFC6960] Santesson, S., Myers, M., Ankney, R., Malpani, A.,
Galperin, S., and C. Adams, "X.509 Internet Public Key
Infrastructure Online Certificate Status Protocol - OCSP",
RFC 6960, DOI 10.17487/RFC6960, June 2013,
<https://www.rfc-editor.org/info/rfc6960>.
[RFC7217] Gont, F., "A Method for Generating Semantically Opaque [RFC7217] Gont, F., "A Method for Generating Semantically Opaque
Interface Identifiers with IPv6 Stateless Address Interface Identifiers with IPv6 Stateless Address
Autoconfiguration (SLAAC)", RFC 7217, Autoconfiguration (SLAAC)", RFC 7217,
DOI 10.17487/RFC7217, April 2014, DOI 10.17487/RFC7217, April 2014,
<https://www.rfc-editor.org/info/rfc7217>. <https://www.rfc-editor.org/info/rfc7217>.
[RFC7231] Fielding, R., Ed. and J. Reschke, Ed., "Hypertext Transfer [RFC7231] Fielding, R., Ed. and J. Reschke, Ed., "Hypertext Transfer
Protocol (HTTP/1.1): Semantics and Content", RFC 7231, Protocol (HTTP/1.1): Semantics and Content", RFC 7231,
DOI 10.17487/RFC7231, June 2014, DOI 10.17487/RFC7231, June 2014,
<https://www.rfc-editor.org/info/rfc7231>. <https://www.rfc-editor.org/info/rfc7231>.
skipping to change at page 55, line 22 skipping to change at page 57, line 4
DOI 10.17487/RFC7575, June 2015, DOI 10.17487/RFC7575, June 2015,
<https://www.rfc-editor.org/info/rfc7575>. <https://www.rfc-editor.org/info/rfc7575>.
[Stajano99theresurrecting] [Stajano99theresurrecting]
Stajano, F. and R. Anderson, "The resurrecting duckling: Stajano, F. and R. Anderson, "The resurrecting duckling:
security issues for ad-hoc wireless networks", 1999, security issues for ad-hoc wireless networks", 1999,
<https://www.cl.cam.ac.uk/~fms27/ <https://www.cl.cam.ac.uk/~fms27/
papers/1999-StajanoAnd-duckling.pdf>. papers/1999-StajanoAnd-duckling.pdf>.
Appendix A. IPv4 operations Appendix A. IPv4 operations
A.1. IPv4 Link Local addresses A.1. IPv4 Link Local addresses
Instead of an IPv6 link-local address, an IPv4 address may be Instead of an IPv6 link-local address, an IPv4 address may be
generated using [RFC3927] Dynamic Configuration of IPv4 Link-Local generated using [RFC3927] Dynamic Configuration of IPv4 Link-Local
Addresses. Addresses.
In the case that an IPv4 Local-Local address is formed, then the In the case that an IPv4 Link-Local address is formed, then the
bootstrap process would continue as in the IPv6 case by looking for a bootstrap process would continue as in the IPv6 case by looking for a
(circuit) proxy. (circuit) proxy.
A.2. Use of DHCPv4 A.2. Use of DHCPv4
The Plege MAY obtain an IP address via DHCP [RFC2131]. The DHCP The Plege MAY obtain an IP address via DHCP [RFC2131]. The DHCP
provided parameters for the Domain Name System can be used to perform provided parameters for the Domain Name System can be used to perform
DNS operations if all local discovery attempts fail. DNS operations if all local discovery attempts fail.
Appendix B. mDNS / DNSSD proxy discovery options Appendix B. mDNS / DNSSD proxy discovery options
skipping to change at page 56, line 5 skipping to change at page 57, line 34
"_bootstrapks._tcp.local.". "_bootstrapks._tcp.local.".
To prevent unaccceptable levels of network traffic the congestion To prevent unaccceptable levels of network traffic the congestion
avoidance mechanisms specified in [RFC6762] section 7 MUST be avoidance mechanisms specified in [RFC6762] section 7 MUST be
followed. The Pledge SHOULD listen for an unsolicited broadcast followed. The Pledge SHOULD listen for an unsolicited broadcast
response as described in [RFC6762]. This allows devices to avoid response as described in [RFC6762]. This allows devices to avoid
announcing their presence via mDNS broadcasts and instead silently announcing their presence via mDNS broadcasts and instead silently
join a network by watching for periodic unsolicited broadcast join a network by watching for periodic unsolicited broadcast
responses. responses.
Performs DNS-based Service Discovery [RFC6763] over normal DNS The service searched for is "_bootstrapks._tcp.example.com". In this
operations. The service searched for is case the domain "example.com" is discovered as described in [RFC6763]
"_bootstrapks._tcp.example.com". In this case the domain section 11. This method is only available if the host has received a
"example.com" is discovered as described in [RFC6763] section 11. useable IPv4 address via DHCPv4 as suggested in Appendix A.2.
This method is only available if the host has received a useable IPv4
address via DHCPv4 as suggested in Appendix A.
If no local bootstrapks service is located using the GRASP If no local bootstrapks service is located using the GRASP
mechanisms, or the above mentioned DNS-based Service Discovery mechanisms, or the above mentioned DNS-based Service Discovery
methods the Pledge MAY contact a well known vendor provided methods, the Pledge MAY contact a well known manufacturer provided
bootstrapping server by performing a DNS lookup using a well known bootstrapping server by performing a DNS lookup using a well known
URI such as "bootstrapks.vendor-example.com". The details of the URI URI such as "bootstrapks.manufacturer-example.com". The details of
are vendor specific. Vendors that leverage this method on the Pledge the URI are manufacturer specific. Manufacturers that leverage this
are responsible for providing the bootstrapks service. method on the Pledge are responsible for providing the bootstrapks
service.
The current DNS services returned during each query is maintained The current DNS services returned during each query are maintained
until bootstrapping is completed. If bootstrapping fails and the until bootstrapping is completed. If bootstrapping fails and the
Pledge returns to the Discovery state it picks up where it left off Pledge returns to the Discovery state, it picks up where it left off
and continues attempting bootstrapping. For example if the first and continues attempting bootstrapping. For example, if the first
Multicast DNS _bootstrapks._tcp.local response doesn't work then the Multicast DNS _bootstrapks._tcp.local response doesn't work then the
second and third responses are tried. If these fail the Pledge moves second and third responses are tried. If these fail the Pledge moves
on to normal DNS-based Service Discovery. on to normal DNS-based Service Discovery.
Appendix C. IPIP Join Proxy mechanism Appendix C. IPIP Join Proxy mechanism
The Circuit Proxy mechanism suffers from requiring a state on the The Circuit Proxy mechanism suffers from requiring a state on the
Join Proxy for each connection that is relayed. The Circuit Proxy Join Proxy for each connection that is relayed. The Circuit Proxy
can be considered a kind of Algorithm Gateway [FIND-good-REF]. can be considered a kind of Algorithm Gateway (see [RFC2663], section
2.9).
An alternative to proxying at the TCP layer is to selectively forward An alternative to proxying at the TCP layer is to selectively forward
at the IP layer. This moves all per-connection to the Join at the IP layer. This moves all per-connection to the Join
Registrar. The IPIP tunnel statelessly forwards packets. This Registrar. The IPIP tunnel statelessly forwards packets. This
section provides some explanation of some of the details of the section provides some explanation of some of the details of the
Registrar discovery procotol which are not important to Circuit Registrar discovery procotol, which are not important to Circuit
Proxy, and some implementation advice. Proxy, and some implementation advice.
The IPIP tunnel is described in [RFC2473]. Each such tunnel is The IPIP tunnel is described in [RFC2473]. Each such tunnel is
considered a unidirectional construct, but two tunnels may be considered a unidirectional construct, but two tunnels may be
associated to form a bidirectional mechanism. An IPIP tunnel is associated to form a bidirectional mechanism. An IPIP tunnel is
setup as follows. The outer addresses are an ACP address of the Join setup as follows. The outer addresses are an ACP address of the Join
Proxy, and the ACP address of the Join Registrar. The inner Proxy, and the ACP address of the Join Registrar. The inner
addresses seen in the tunnel are the link-local addresses of the addresses seen in the tunnel are the link-local addresses of the
network on which the join activity is occuring. network on which the join activity is occuring.
skipping to change at page 57, line 4 skipping to change at page 58, line 34
associated to form a bidirectional mechanism. An IPIP tunnel is associated to form a bidirectional mechanism. An IPIP tunnel is
setup as follows. The outer addresses are an ACP address of the Join setup as follows. The outer addresses are an ACP address of the Join
Proxy, and the ACP address of the Join Registrar. The inner Proxy, and the ACP address of the Join Registrar. The inner
addresses seen in the tunnel are the link-local addresses of the addresses seen in the tunnel are the link-local addresses of the
network on which the join activity is occuring. network on which the join activity is occuring.
One way to look at this construct is to consider that the Registrar One way to look at this construct is to consider that the Registrar
is extending attaching an interface to the network on which the Join is extending attaching an interface to the network on which the Join
Proxy is physically present. The Registrar then interacts as if it Proxy is physically present. The Registrar then interacts as if it
were present on that network using link-local (fe80::) addresses. were present on that network using link-local (fe80::) addresses.
The Join node is unaware that the traffic is being proxied through a The Join node is unaware that the traffic is being proxied through a
tunnel, and does not need any special routing. tunnel, and does not need any special routing.
There are a number of considerations with this mechanism which There are a number of considerations with this mechanism which cause
require cause some minor amounts of complexity. Note that due to the some minor amounts of complexity. Note that due to the tunnels, the
tunnels, the Registrar sees multiple connections to a fe80::/10 Registrar sees multiple connections to a fe80::/10 network on not
network on not just physical interfaces, but on each of the virtual just physical interfaces, but on each of the virtual interfaces
interfaces represending the tunnels. representing the tunnels.
C.1. Multiple Join networks on the Join Proxy side C.1. Multiple Join networks on the Join Proxy side
The Join Proxy will in the general case be a routing device with The Join Proxy will in the general case be a routing device with
multiple interfaces. Even a device as simple as a wifi access point multiple interfaces. Even a device as simple as a wifi access point
may have wired, and multiple frequencies of wireless interfaces, may have wired, and multiple frequencies of wireless interfaces,
potentially with multiple ESSIDs. potentially with multiple ESSIDs.
Each of these interfaces on the Join Proxy may be seperate L3 routing Each of these interfaces on the Join Proxy may be separate L3 routing
domains, and therefore will have a unique set of link-local domains, and therefore will have a unique set of link-local
addresses. An IPIP packet being returned by the Registrar needs to addresses. An IPIP packet being returned by the Registrar needs to
be forwarded to the correct interface, so the Join Proxy needs an be forwarded to the correct interface, so the Join Proxy needs an
additional key to distinguish which network the packet should be additional key to distinguish which network the packet should be
returned to. returned to.
The simplest way to get this additional key is to allocate an The simplest way to get this additional key is to allocate an
additional ACP address; one address for each network on which join additional ACP address; one address for each network on which join
traffic is occuring. The Join Proxy SHOULD do a GRASP M_NEG_SYN for traffic is occuring. The Join Proxy SHOULD do a GRASP M_NEG_SYN for
each interface which they wish to relay traffic, as this allows the each interface for which they wish to relay traffic, as this allows
Registrar to do any static tunnel configuration that may be required. the Registrar to do any static tunnel configuration that may be
required.
C.2. Automatic configuration of tunnels on Registrar C.2. Automatic configuration of tunnels on Registrar
The Join Proxy is expected to do a GRASP negotiation with the proxy The Join Proxy is expected to do a GRASP negotiation with the Proxy
for each Join Interface that it needs to relay traffic from. This is for each Join Interface that it needs to relay traffic from. This is
to permit Registrars to configure the appropriate virtual interfaces to permit Registrars to configure the appropriate virtual interfaces
before join traffic arrives. before join traffic arrives.
A Registrar serving a large number of interfaces may not wish to A Registrar serving a large number of interfaces may not wish to
allocate resources to every interface at all times, but can instead allocate resources to every interface at all times, but can instead
dynamically allocate interfaces. It can do this by monitoring IPIP dynamically allocate interfaces. It can do this by monitoring IPIP
traffic that arrives on it's ACP interface, and when packets arrive traffic that arrives on its ACP interface, and when packets arrive
from new Join Proxys, it can dynamically configure virtual from new Join Proxys, it can dynamically configure virtual
interfaces. interfaces.
A more sophisticated Registrar willing to modify the behaviour of A more sophisticated Registrar willing to modify the behaviour of its
it's TCP and UDP stack could note the IPIP traffic origination in the TCP and UDP stack could note the IPIP traffic origination in the
socket control block and make information available to the TCP layer socket control block and make information available to the TCP layer
(for HTTPS connections), or to the application (for CoAP connections) (for HTTPS connections), or to the application (for CoAP connections)
via a proprietary extension to the socket API. via a proprietary extension to the socket API.
C.3. Proxy Neighbor Discovery by Join Proxy C.3. Proxy Neighbor Discovery by Join Proxy
The Join Proxy MUST answer neighbor discovery messages for the The Join Proxy MUST answer neighbor discovery messages for the
address given by the Registrar as being it's link-local address. The address given by the Registrar as being its link-local address. The
Join Proxy must also advertise this address as the address to which Join Proxy must also advertise this address as the address to which
to connect to when advertising it's existence. to connect when advertising its existence.
This proxy neighbor discovery means that the pledge will create TCP This Proxy neighbor discovery means that the Pledge will create TCP
and UDP connections to the correct Registrar address. This matters and UDP connections to the correct Registrar address. This matters
as the TCP and UDP pseudo-header checksum includes the destination as the TCP and UDP pseudo-header checksum includes the destination
address, and for the proxy to remain completely stateless, it must address, and for the Proxy to remain completely stateless, it must
not be necessary for the checksum to be updated. not be necessary for the checksum to be updated.
C.4. Use of connected sockets; or IP_PKTINFO for CoAP on Registrar C.4. Use of connected sockets; or IP_PKTINFO for CoAP on Registrar
TCP connections on the registrar SHOULD properly capture the ifindex TCP connections on the Registrar SHOULD properly capture the ifindex
of the incoming connection into the socket structure. This is normal of the incoming connection into the socket structure. This is normal
IPv6 socket API processing. The outgoing responses will go out on IPv6 socket API processing. The outgoing responses will go out on
the same (virtual) interface by ifindex. the same (virtual) interface by ifindex.
When using UDP sockets with CoAP, the application will have to pay When using UDP sockets with CoAP, the application will have to pay
attention to the incoming ifindex on the socket. Access to this attention to the incoming ifindex on the socket. Access to this
information is available using the IP_PKTINFO auxiliary extension information is available using the IP_PKTINFO auxiliary extension,
which is a standard part of the IPv6 sockets API. which is a standard part of the IPv6 sockets API [RFC3542].
A registrar application could, after receipt of an initial CoAP A Registrar application could, after receipt of an initial CoAP
message from the Pledge, create a connected UDP socket (including the message from the Pledge, create a connected UDP socket (including the
ifindex information). The kernel would then take care of accurate ifindex information.) The kernel would then take care of accurate
demultiplexing upon receive, and subsequent transmission to the demultiplexing upon receive, and subsequent transmission to the
correct interface. correct interface.
C.5. Use of socket extension rather than virtual interface C.5. Use of socket extension rather than virtual interface
Some operating systems on which a Registrar need be implemented may Some operating systems on which a Registrar needs to be implemented
find need for a virtual interface per Join Proxy to be problematic. may find need for a virtual interface per Join Proxy to be
There are other mechanism which can make be done. problematic. There are other mechanisms which can be implemented.
If the IPIP decapsulator can mark the (SYN) packet inside the kernel If the IPIP decapsulator can mark the (SYN) packet inside the kernel
with the address of the Join Proxy sending the traffic, then an with the address of the Join Proxy sending the traffic, then an
interface per Join Proxy may not be needed. The outgoing path need interface per Join Proxy may not be needed. The outgoing path need
just pay attention to this extra information and add an appropriate just pay attention to this extra information and add an appropriate
IPIP header on outgoing. A CoAP over UDP mechanism may need to IPIP header on outgoing. A CoAP over UDP mechanism may need to
expose this extra information to the application as the UDP sockets expose this extra information to the application as the UDP sockets
are often not connected, and the application will need to specify the are often not connected, and the application will need to specify the
outgoing path on each packet send. outgoing path on each packet sent.
Such an additional socket mechanism has not been standardized. Such an additional socket mechanism has not been standardized.
Terminating L2TP connections over IPsec transport mode suffers from Terminating L2TP connections over IPsec transport mode suffers from
the same challenges. the same challenges.
Appendix D. MUD Extension Appendix D. MUD Extension
The following extension augments the MUD model to include a single The following extension augments the MUD model to include a single
node, as described in [I-D.ietf-opsawg-mud] section 3.6, using the node, as described in [I-D.ietf-opsawg-mud] section 3.6, using the
following sample module that has the following tree structure: following sample module that has the following tree structure:
module: ietf-mud-brski-masa module: ietf-mud-brski-masa
augment /ietf-mud:mud: augment /ietf-mud:mud:
+--rw masa-server? inet:uri +--rw masa-server? inet:uri
The model is defined as follows: The model is defined as follows:
<CODE BEGINS> <CODE BEGINS> file "ietf-mud-extension@2018-02-14.yang"
module ietf-mud-brski-masa { module ietf-mud-brski-masa {
yang-version 1.1; yang-version 1.1;
namespace "urn:ietf:params:xml:ns:yang:ietf-mud-brski-masa"; namespace "urn:ietf:params:xml:ns:yang:ietf-mud-brski-masa";
prefix ietf-mud-brski-masa; prefix ietf-mud-brski-masa;
import ietf-mud { import ietf-mud {
prefix ietf-mud; prefix ietf-mud;
} }
import ietf-inet-types { import ietf-inet-types {
prefix inet; prefix inet;
} }
skipping to change at page 60, line 28 skipping to change at page 61, line 28
"IETF ANIMA (Autonomic Networking Integrated Model and "IETF ANIMA (Autonomic Networking Integrated Model and
Approach) Working Group"; Approach) Working Group";
contact contact
"WG Web: http://tools.ietf.org/wg/anima/ "WG Web: http://tools.ietf.org/wg/anima/
WG List: anima@ietf.org WG List: anima@ietf.org
"; ";
description description
"BRSKI extension to a MUD file to indicate the "BRSKI extension to a MUD file to indicate the
MASA URL."; MASA URL.";
revision 2017-10-09 { revision 2018-02-14 {
description description
"Initial revision."; "Initial revision.";
reference reference
"RFC XXXX: Manufacturer Usage Description "RFC XXXX: Manufacturer Usage Description
Specification"; Specification";
} }
augment "/ietf-mud:mud" { augment "/ietf-mud:mud" {
description description
"BRSKI extension to a MUD file to indicate the "BRSKI extension to a MUD file to indicate the
skipping to change at page 61, line 8 skipping to change at page 62, line 8
description description
"This value is the URI of the MASA server"; "This value is the URI of the MASA server";
} }
} }
} }
<CODE ENDS> <CODE ENDS>
Appendix E. Example Vouchers Appendix E. Example Vouchers
Three entities are involved in a voucher: the MASA issues (signs) it, Three entities are involved in a voucher: the MASA issues (signs) it,
the registrar's public key is mentioned in the voucher, and the the Registrar's public key is mentioned in the voucher, and the
pledge validates it. In order to provide reproduceable examples the Pledge validates it. In order to provide reproduceable examples the
public and private keys for an example MASA and Registrar are first public and private keys for an example MASA and Registrar are first
listed. listed.
E.1. Keys involved E.1. Keys involved
The Manufacturer has a Certificate Authority that signs the Pledge's The Manufacturer has a Certificate Authority that signs the Pledge's
IDevID. In addition the Manufacturer's signing authority (the MASA) IDevID. In addition the Manufacturer's signing authority (the MASA)
signs the vouchers, and that certificate must distributed to the signs the vouchers, and that certificate must distributed to the
devices at manufacturing time so that vouchers can be validated. devices at manufacturing time so that vouchers can be validated.
skipping to change at page 62, line 29 skipping to change at page 63, line 29
BgNVBAMMDVVuc3RydW5nIE1BU0EwdjAQBgcqhkjOPQIBBgUrgQQAIgNiAATZAH3R BgNVBAMMDVVuc3RydW5nIE1BU0EwdjAQBgcqhkjOPQIBBgUrgQQAIgNiAATZAH3R
b2FvIJOnts+vXuWW35ofyNbCHzjAzOi2kWZFE1ByurKImNcNMFGirGnRXIXGqWCf b2FvIJOnts+vXuWW35ofyNbCHzjAzOi2kWZFE1ByurKImNcNMFGirGnRXIXGqWCf
w5ICgJ8CuM3vV5ty9bf7KUlOkejzTvv+5PV++elkP9HQ83vqTAws2WwWTxKjEDAO w5ICgJ8CuM3vV5ty9bf7KUlOkejzTvv+5PV++elkP9HQ83vqTAws2WwWTxKjEDAO
MAwGA1UdEwEB/wQCMAAwCgYIKoZIzj0EAwIDZwAwZAIwGb0oyM0doP6t3/LSPL5O MAwGA1UdEwEB/wQCMAAwCgYIKoZIzj0EAwIDZwAwZAIwGb0oyM0doP6t3/LSPL5O
DuatEwMYh7WGO+IYTHC8K7EyHBOmCYReKT2+GhV/CLWzAjBNy6UMJTt1tsxJsJqd DuatEwMYh7WGO+IYTHC8K7EyHBOmCYReKT2+GhV/CLWzAjBNy6UMJTt1tsxJsJqd
MPUIFj+4wZg1AOIb/JoA6M7r33pwLQTrHRxEzVMGfWOkYUw= MPUIFj+4wZg1AOIb/JoA6M7r33pwLQTrHRxEzVMGfWOkYUw=
-----END CERTIFICATE----- -----END CERTIFICATE-----
E.1.3. Registrar key pair E.1.3. Registrar key pair
The registrar key (or chain) is the representative of the domain The Registrar key (or chain) is the representative of the domain
owner. This key signs Registrar voucher-requests: owner. This key signs Registrar voucher-requests:
-----BEGIN EC PRIVATE KEY----- -----BEGIN EC PRIVATE KEY-----
MHcCAQEEIF+obiToYYYeMifPsZvrjWJ0yFsCJwIFhpokmT/TULmXoAoGCCqGSM49 MHcCAQEEIF+obiToYYYeMifPsZvrjWJ0yFsCJwIFhpokmT/TULmXoAoGCCqGSM49
AwEHoUQDQgAENWQOzcNMUjP0NrtfeBc0DJLWfeMGgCFdIv6FUz4DifM1ujMBec/g AwEHoUQDQgAENWQOzcNMUjP0NrtfeBc0DJLWfeMGgCFdIv6FUz4DifM1ujMBec/g
6W/P6boTmyTGdFOh/8HwKUerL5bpneK8sg== 6W/P6boTmyTGdFOh/8HwKUerL5bpneK8sg==
-----END EC PRIVATE KEY----- -----END EC PRIVATE KEY-----
The public key is indicated in a pledge voucher-request to show The public key is indicated in a Pledge voucher-request to show
proximity. proximity.
-----BEGIN CERTIFICATE----- -----BEGIN CERTIFICATE-----
MIIBrjCCATOgAwIBAgIBAzAKBggqhkjOPQQDAzBOMRIwEAYKCZImiZPyLGQBGRYC MIIBrjCCATOgAwIBAgIBAzAKBggqhkjOPQQDAzBOMRIwEAYKCZImiZPyLGQBGRYC
Y2ExGTAXBgoJkiaJk/IsZAEZFglzYW5kZWxtYW4xHTAbBgNVBAMMFFVuc3RydW5n Y2ExGTAXBgoJkiaJk/IsZAEZFglzYW5kZWxtYW4xHTAbBgNVBAMMFFVuc3RydW5n
IEZvdW50YWluIENBMB4XDTE3MDkwNTAxMTI0NVoXDTE5MDkwNTAxMTI0NVowQzES IEZvdW50YWluIENBMB4XDTE3MDkwNTAxMTI0NVoXDTE5MDkwNTAxMTI0NVowQzES
MBAGCgmSJomT8ixkARkWAmNhMRkwFwYKCZImiZPyLGQBGRYJc2FuZGVsbWFuMRIw MBAGCgmSJomT8ixkARkWAmNhMRkwFwYKCZImiZPyLGQBGRYJc2FuZGVsbWFuMRIw
EAYDVQQDDAlsb2NhbGhvc3QwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAAQ1ZA7N EAYDVQQDDAlsb2NhbGhvc3QwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAAQ1ZA7N
w0xSM/Q2u194FzQMktZ94waAIV0i/oVTPgOJ8zW6MwF5z+Dpb8/puhObJMZ0U6H/ w0xSM/Q2u194FzQMktZ94waAIV0i/oVTPgOJ8zW6MwF5z+Dpb8/puhObJMZ0U6H/
wfApR6svlumd4ryyow0wCzAJBgNVHRMEAjAAMAoGCCqGSM49BAMDA2kAMGYCMQC3 wfApR6svlumd4ryyow0wCzAJBgNVHRMEAjAAMAoGCCqGSM49BAMDA2kAMGYCMQC3
/iTQJ3evYYcgbXhbmzrp64t3QC6qjIeY2jkDx062nuNifVKtyaara3F30AIkKSEC /iTQJ3evYYcgbXhbmzrp64t3QC6qjIeY2jkDx062nuNifVKtyaara3F30AIkKSEC
MQDi29efbTLbdtDk3tecY/rD7V77XaJ6nYCmdDCR54TrSFNLgxvt1lyFM+0fYpYR MQDi29efbTLbdtDk3tecY/rD7V77XaJ6nYCmdDCR54TrSFNLgxvt1lyFM+0fYpYR
c3o= c3o=
-----END CERTIFICATE----- -----END CERTIFICATE-----
The registrar public certificate as decoded by openssl's x509 The Registrar public certificate as decoded by openssl's x509
utility. Note that the registrar certificate is marked with the utility. Note that the Registrar certificate is marked with the
cmcRA extension. cmcRA extension.
Certificate: Certificate:
Data: Data:
Version: 3 (0x2) Version: 3 (0x2)
Serial Number: 3 (0x3) Serial Number: 3 (0x3)
Signature Algorithm: ecdsa-with-SHA384 Signature Algorithm: ecdsa-with-SHA384
Issuer: DC = ca, DC = sandelman, CN = Unstrung Fount Issuer: DC = ca, DC = sandelman, CN = Unstrung Fount
ain CA ain CA
Validity Validity
skipping to change at page 64, line 7 skipping to change at page 65, line 7
9e:e3:62:7d:52:ad:c9:a6:ab:6b:71:77:d0:02:24:29:21: 9e:e3:62:7d:52:ad:c9:a6:ab:6b:71:77:d0:02:24:29:21:
02: 02:
31:00:e2:db:d7:9f:6d:32:db:76:d0:e4:de:d7:9c:63:fa: 31:00:e2:db:d7:9f:6d:32:db:76:d0:e4:de:d7:9c:63:fa:
c3: c3:
ed:5e:fb:5d:a2:7a:9d:80:a6:74:30:91:e7:84:eb:48:53: ed:5e:fb:5d:a2:7a:9d:80:a6:74:30:91:e7:84:eb:48:53:
4b: 4b:
83:1b:ed:d6:5c:85:33:ed:1f:62:96:11:73:7a 83:1b:ed:d6:5c:85:33:ed:1f:62:96:11:73:7a
E.1.4. Pledge key pair E.1.4. Pledge key pair
The pledge has an IDevID key pair built in at manufacturing time: The Pledge has an IDevID key pair built in at manufacturing time:
-----BEGIN EC PRIVATE KEY----- -----BEGIN EC PRIVATE KEY-----
MHcCAQEEIL+ue8PQcN+M7LFBGPsompYwobI/rsoHnTb2a+0hO+8joAoGCCqGSM49 MHcCAQEEIL+ue8PQcN+M7LFBGPsompYwobI/rsoHnTb2a+0hO+8joAoGCCqGSM49
AwEHoUQDQgAEumBVaDlX87WyME8CJToyt9NWy6sYw0DTbjjJIn79pgr7ALa//Y8p AwEHoUQDQgAEumBVaDlX87WyME8CJToyt9NWy6sYw0DTbjjJIn79pgr7ALa//Y8p
r70WpK1SIaiUeeFw7e+lCzTp1Z+wJu14Bg== r70WpK1SIaiUeeFw7e+lCzTp1Z+wJu14Bg==
-----END EC PRIVATE KEY----- -----END EC PRIVATE KEY-----
The public key is used by the registrar to find the MASA. The MASA The public key is used by the Registrar to find the MASA. The MASA
URL is in an extension described in Section 2.3. RFC-EDITOR: Note URL is in an extension described in Section 2.3. RFC-EDITOR: Note
that these certificates are using a Private Enterprise Number for the that these certificates are using a Private Enterprise Number for the
not-yet-assigned by IANA MASA URL, and need to be replaced before not-yet-assigned by IANA MASA URL, and need to be replaced before
AUTH48. AUTH48.
-----BEGIN CERTIFICATE----- -----BEGIN CERTIFICATE-----
MIICMjCCAbegAwIBAgIBDDAKBggqhkjOPQQDAjBNMRIwEAYKCZImiZPyLGQBGRYC MIICMjCCAbegAwIBAgIBDDAKBggqhkjOPQQDAjBNMRIwEAYKCZImiZPyLGQBGRYC
Y2ExGTAXBgoJkiaJk/IsZAEZFglzYW5kZWxtYW4xHDAaBgNVBAMME1Vuc3RydW5n Y2ExGTAXBgoJkiaJk/IsZAEZFglzYW5kZWxtYW4xHDAaBgNVBAMME1Vuc3RydW5n
IEhpZ2h3YXkgQ0EwIBcNMTcxMDEyMTM1MjUyWhgPMjk5OTEyMzEwMDAwMDBaMEsx IEhpZ2h3YXkgQ0EwIBcNMTcxMDEyMTM1MjUyWhgPMjk5OTEyMzEwMDAwMDBaMEsx
EjAQBgoJkiaJk/IsZAEZFgJjYTEZMBcGCgmSJomT8ixkARkWCXNhbmRlbG1hbjEa EjAQBgoJkiaJk/IsZAEZFgJjYTEZMBcGCgmSJomT8ixkARkWCXNhbmRlbG1hbjEa
MBgGA1UEAwwRMDAtRDAtRTUtRjItMDAtMDIwWTATBgcqhkjOPQIBBggqhkjOPQMB MBgGA1UEAwwRMDAtRDAtRTUtRjItMDAtMDIwWTATBgcqhkjOPQIBBggqhkjOPQMB
BwNCAARJp5i0dU1aUnR2u8wMRwgkNupNbNM7m1n0mj+0KJZjcPIqID+trPjTSobt BwNCAARJp5i0dU1aUnR2u8wMRwgkNupNbNM7m1n0mj+0KJZjcPIqID+trPjTSobt
uIdpRPfGZ8hU/nIUveqwyoYI8BPbo4GHMIGEMB0GA1UdDgQWBBQdMRZhthFQmzz6 uIdpRPfGZ8hU/nIUveqwyoYI8BPbo4GHMIGEMB0GA1UdDgQWBBQdMRZhthFQmzz6
E7YVXzkL7XZDKjAJBgNVHRMEAjAAMCsGA1UdEQQkMCKgIAYJKwYBBAGC7lIBoBMM E7YVXzkL7XZDKjAJBgNVHRMEAjAAMCsGA1UdEQQkMCKgIAYJKwYBBAGC7lIBoBMM
ETAwLUQwLUU1LUYyLTAwLTAyMCsGCSsGAQQBgu5SAgQeDBxodHRwczovL2hpZ2h3 ETAwLUQwLUU1LUYyLTAwLTAyMCsGCSsGAQQBgu5SAgQeDBxodHRwczovL2hpZ2h3
YXkuc2FuZGVsbWFuLmNhMAoGCCqGSM49BAMCA2kAMGYCMQDhJ1N+eanW1U/e5qoM YXkuc2FuZGVsbWFuLmNhMAoGCCqGSM49BAMCA2kAMGYCMQDhJ1N+eanW1U/e5qoM
SGvUvWHR7uic8cJbh7vXy580nBs8bpNn60k/+IzvEUetMzICMQCr1uxvdYeKq7mb SGvUvWHR7uic8cJbh7vXy580nBs8bpNn60k/+IzvEUetMzICMQCr1uxvdYeKq7mb
RXCR4ZCJsw67fJ7jyXZbCUSir+3wBT2+lWggzPDRgYB5ABb7sAw= RXCR4ZCJsw67fJ7jyXZbCUSir+3wBT2+lWggzPDRgYB5ABb7sAw=
-----END CERTIFICATE----- -----END CERTIFICATE-----
The pledge public certificate as decoded by openssl's x509 utility so The Pledge public certificate as decoded by openssl's x509 utility so
that the extensions can be seen. A second custom Extension is that the extensions can be seen. A second custom Extension is
included to provided to contain the EUI48/EUI64 that the pledge will included to provided to contain the EUI48/EUI64 that the Pledge will
configure. configure.
Certificate: Certificate:
Data: Data:
Version: 3 (0x2) Version: 3 (0x2)
Serial Number: 12 (0xc) Serial Number: 12 (0xc)
Signature Algorithm: ecdsa-with-SHA256 Signature Algorithm: ecdsa-with-SHA256
Issuer: DC = ca, DC = sandelman, CN = Unstrung Highw Issuer: DC = ca, DC = sandelman, CN = Unstrung Highw
ay CA ay CA
Validity Validity
skipping to change at page 65, line 49 skipping to change at page 66, line 49
be: be:
95:68:20:cc:f0:d1:81:80:79:00:16:fb:b0:0c 95:68:20:cc:f0:d1:81:80:79:00:16:fb:b0:0c
E.2. Example process E.2. Example process
RFC-EDITOR: these examples will need to be replaced with CMS versions RFC-EDITOR: these examples will need to be replaced with CMS versions
once IANA has assigned the eContentType in [I-D.ietf-anima-voucher]. once IANA has assigned the eContentType in [I-D.ietf-anima-voucher].
E.2.1. Pledge to Registrar E.2.1. Pledge to Registrar
As described in Section 5.2, the pledge will sign a pledge voucher- As described in Section 5.2, the Pledge will sign a Pledge voucher-
request containing the Registrar's public key in the proximity- request containing the Registrar's public key in the proximity-
registrar-cert field. The base64 has been wrapped at 60 characters registrar-cert field. The base64 has been wrapped at 60 characters
for presentation reasons. for presentation reasons.
MIIHHAYJKoZIhvcNAQcCoIIHDTCCBwkCAQExDzANBglghkgBZQMEAgEFADCC MIIHHAYJKoZIhvcNAQcCoIIHDTCCBwkCAQExDzANBglghkgBZQMEAgEFADCC
Aw4GCSqGSIb3DQEHAaCCAv8EggL7eyJpZXRmLXZvdWNoZXItcmVxdWVzdDp2 Aw4GCSqGSIb3DQEHAaCCAv8EggL7eyJpZXRmLXZvdWNoZXItcmVxdWVzdDp2
b3VjaGVyIjp7ImFzc2VydGlvbiI6InByb3hpbWl0eSIsImNyZWF0ZWQtb24i b3VjaGVyIjp7ImFzc2VydGlvbiI6InByb3hpbWl0eSIsImNyZWF0ZWQtb24i
OiIyMDE3LTA5LTAxIiwic2VyaWFsLW51bWJlciI6IjAwLUQwLUU1LUYyLTAw OiIyMDE3LTA5LTAxIiwic2VyaWFsLW51bWJlciI6IjAwLUQwLUU1LUYyLTAw
LTAyIiwibm9uY2UiOiJEc3M5OXNCcjNwTk1PQUNlLUxZWTd3IiwicHJveGlt LTAyIiwibm9uY2UiOiJEc3M5OXNCcjNwTk1PQUNlLUxZWTd3IiwicHJveGlt
aXR5LXJlZ2lzdHJhci1jZXJ0IjoiTUlJQnJqQ0NBVE9nQXdJQkFnSUJBekFL aXR5LXJlZ2lzdHJhci1jZXJ0IjoiTUlJQnJqQ0NBVE9nQXdJQkFnSUJBekFL
skipping to change at page 71, line 21 skipping to change at page 72, line 21
MTI0NVowQzESMBAGCgmSJomT8ixkARkWAmNhMRkwFwYKCZImiZPyLGQBGRYJ MTI0NVowQzESMBAGCgmSJomT8ixkARkWAmNhMRkwFwYKCZImiZPyLGQBGRYJ
c2FuZGVsbWFuMRIwEAYDVQQDDAlsb2NhbGhvc3QwWTATBgcqhkjOPQIBBggq c2FuZGVsbWFuMRIwEAYDVQQDDAlsb2NhbGhvc3QwWTATBgcqhkjOPQIBBggq
hkjOPQMBBwNCAAQ1ZA7Nw0xSM/Q2u194FzQMktZ94waAIV0i/oVTPgOJ8zW6 hkjOPQMBBwNCAAQ1ZA7Nw0xSM/Q2u194FzQMktZ94waAIV0i/oVTPgOJ8zW6
MwF5z+Dpb8/puhObJMZ0U6H/wfApR6svlumd4ryyow0wCzAJBgNVHRMEAjAA MwF5z+Dpb8/puhObJMZ0U6H/wfApR6svlumd4ryyow0wCzAJBgNVHRMEAjAA
MAoGCCqGSM49BAMDA2kAMGYCMQC3/iTQJ3evYYcgbXhbmzrp64t3QC6qjIeY MAoGCCqGSM49BAMDA2kAMGYCMQC3/iTQJ3evYYcgbXhbmzrp64t3QC6qjIeY
2jkDx062nuNifVKtyaara3F30AIkKSECMQDi29efbTLbdtDk3tecY/rD7V77 2jkDx062nuNifVKtyaara3F30AIkKSECMQDi29efbTLbdtDk3tecY/rD7V77
XaJ6nYCmdDCR54TrSFNLgxvt1lyFM+0fYpYRc3o="}} XaJ6nYCmdDCR54TrSFNLgxvt1lyFM+0fYpYRc3o="}}
E.2.2. Registrar to MASA E.2.2. Registrar to MASA
As described in Section 5.4 the Registrar will sign a registrar As described in Section 5.4 the Registrar will sign a Registrar
voucher-request, and will include pledge's voucher request in the voucher-request, and will include Pledge's voucher request in the
prior-signed-voucher-request. prior-signed-voucher-request.
MIIN2gYJKoZIhvcNAQcCoIINyzCCDccCAQExDzANBglghkgBZQMEAgEFADCC MIIN2gYJKoZIhvcNAQcCoIINyzCCDccCAQExDzANBglghkgBZQMEAgEFADCC
Ck4GCSqGSIb3DQEHAaCCCj8Eggo7eyJpZXRmLXZvdWNoZXItcmVxdWVzdDp2 Ck4GCSqGSIb3DQEHAaCCCj8Eggo7eyJpZXRmLXZvdWNoZXItcmVxdWVzdDp2
b3VjaGVyIjp7ImFzc2VydGlvbiI6InByb3hpbWl0eSIsImNyZWF0ZWQtb24i b3VjaGVyIjp7ImFzc2VydGlvbiI6InByb3hpbWl0eSIsImNyZWF0ZWQtb24i
OiIyMDE3LTA5LTE1VDAwOjAwOjAwLjAwMFoiLCJzZXJpYWwtbnVtYmVyIjoi OiIyMDE3LTA5LTE1VDAwOjAwOjAwLjAwMFoiLCJzZXJpYWwtbnVtYmVyIjoi
SkFEQTEyMzQ1Njc4OSIsIm5vbmNlIjoiYWJjZDEyMzQiLCJwcmlvci1zaWdu SkFEQTEyMzQ1Njc4OSIsIm5vbmNlIjoiYWJjZDEyMzQiLCJwcmlvci1zaWdu
ZWQtdm91Y2hlci1yZXF1ZXN0IjoiTUlJSEhRWUpLb1pJaHZjTkFRY0NvSUlI ZWQtdm91Y2hlci1yZXF1ZXN0IjoiTUlJSEhRWUpLb1pJaHZjTkFRY0NvSUlI
RGpDQ0J3b0NBUUV4RHpBTkJnbGdoa2dCWlFNRUFnRUZBRENDQXc0R0NTcUdT RGpDQ0J3b0NBUUV4RHpBTkJnbGdoa2dCWlFNRUFnRUZBRENDQXc0R0NTcUdT
SWIzRFFFSEFhQ0NBdjhFZ2dMN2V5SnBaWFJtTFhadmRXTm9aWEl0Y21WeGRX SWIzRFFFSEFhQ0NBdjhFZ2dMN2V5SnBaWFJtTFhadmRXTm9aWEl0Y21WeGRX
skipping to change at page 77, line 16 skipping to change at page 78, line 16
3467:d=6 hl=2 l= 8 prim: OBJECT :ecdsa-with-S 3467:d=6 hl=2 l= 8 prim: OBJECT :ecdsa-with-S
HA256 HA256
3477:d=5 hl=2 l= 71 prim: OCTET STRING [HEX DUMP]:30 3477:d=5 hl=2 l= 71 prim: OCTET STRING [HEX DUMP]:30
4502200DDA79B8F52530AA7B1854000FBCA9020A85BFCABE2A426DE9CDCE 4502200DDA79B8F52530AA7B1854000FBCA9020A85BFCABE2A426DE9CDCE
EE2569548F02210083D6EF019318A9BE2830BC80E659F8E561D27172FA33 EE2569548F02210083D6EF019318A9BE2830BC80E659F8E561D27172FA33
3637DFAB98F750783B46 3637DFAB98F750783B46
E.2.3. MASA to Registrar E.2.3. MASA to Registrar
The MASA will return a voucher to the Registrar, to be relayed to the The MASA will return a voucher to the Registrar, to be relayed to the
pledge. Pledge.
MIIG3AYJKoZIhvcNAQcCoIIGzTCCBskCAQExDzANBglghkgBZQMEAgEFADCC MIIG3AYJKoZIhvcNAQcCoIIGzTCCBskCAQExDzANBglghkgBZQMEAgEFADCC
AxAGCSqGSIb3DQEHAaCCAwEEggL9eyJpZXRmLXZvdWNoZXI6dm91Y2hlciI6 AxAGCSqGSIb3DQEHAaCCAwEEggL9eyJpZXRmLXZvdWNoZXI6dm91Y2hlciI6
eyJhc3NlcnRpb24iOiJsb2dnZWQiLCJjcmVhdGVkLW9uIjoiMjAxNy0xMC0x eyJhc3NlcnRpb24iOiJsb2dnZWQiLCJjcmVhdGVkLW9uIjoiMjAxNy0xMC0x
MlQxMzo1NDozMS40MzktMDQ6MDAiLCJzZXJpYWwtbnVtYmVyIjoiMDAtRDAt MlQxMzo1NDozMS40MzktMDQ6MDAiLCJzZXJpYWwtbnVtYmVyIjoiMDAtRDAt
RTUtRjItMDAtMDIiLCJub25jZSI6IkRzczk5c0JyM3BOTU9BQ2UtTFlZN3ci RTUtRjItMDAtMDIiLCJub25jZSI6IkRzczk5c0JyM3BOTU9BQ2UtTFlZN3ci
LCJwaW5uZWQtZG9tYWluLWNlcnQiOiJNSUlCcmpDQ0FUT2dBd0lCQWdJQkF6 LCJwaW5uZWQtZG9tYWluLWNlcnQiOiJNSUlCcmpDQ0FUT2dBd0lCQWdJQkF6
QUtCZ2dxaGtqT1BRUURBekJPTVJJd0VBWUtDWkltaVpQeUxHUUJHUllDWTJF QUtCZ2dxaGtqT1BRUURBekJPTVJJd0VBWUtDWkltaVpQeUxHUUJHUllDWTJF
eEdUQVhCZ29Ka2lhSmsvSXNaQUVaRmdsellXNWtaV3h0WVc0eEhUQWJCZ05W eEdUQVhCZ29Ka2lhSmsvSXNaQUVaRmdsellXNWtaV3h0WVc0eEhUQWJCZ05W
QkFNTUZGVnVjM1J5ZFc1bklFWnZkVzUwWVdsdUlFTkJNQjRYRFRFM01Ea3dO QkFNTUZGVnVjM1J5ZFc1bklFWnZkVzUwWVdsdUlFTkJNQjRYRFRFM01Ea3dO
skipping to change at page 82, line 37 skipping to change at page 83, line 37
Email: pritikin@cisco.com Email: pritikin@cisco.com
Michael C. Richardson Michael C. Richardson
Sandelman Software Works Sandelman Software Works
Email: mcr+ietf@sandelman.ca Email: mcr+ietf@sandelman.ca
URI: http://www.sandelman.ca/ URI: http://www.sandelman.ca/
Michael H. Behringer Michael H. Behringer
Email: Michael.H.Behring@gmail.com Email: Michael.H.Behringer@gmail.com
Steinthor Bjarnason Steinthor Bjarnason
Arbor Networks Arbor Networks
Email: sbjarnason@arbor.net Email: sbjarnason@arbor.net
Kent Watsen Kent Watsen
Juniper Networks Juniper Networks
Email: kwatsen@juniper.net Email: kwatsen@juniper.net
 End of changes. 248 change blocks. 
536 lines changed or deleted 636 lines changed or added

This html diff was produced by rfcdiff 1.46. The latest version is available from http://tools.ietf.org/tools/rfcdiff/