Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

GRASP discovery of EST-COAPS server for renewals. #227

Open
mcr opened this issue May 5, 2022 · 9 comments
Open

GRASP discovery of EST-COAPS server for renewals. #227

mcr opened this issue May 5, 2022 · 9 comments
Labels
future Any topic that is postponed to a new draft/document or a future version

Comments

@mcr
Copy link
Member

mcr commented May 5, 2022

RFC8994 section 6.2.5.1 needs to be Extended to include an objective that describes where the EST server can be found that will take care of certificate renewals for devices which are already onboard.
@toerless
Copy link
Member

toerless commented May 5, 2022

Thoughts:

As in ACP [RFC8994], but with objective SRV.est-coaps - i already registered est-coaps.

The more fundamental question is whether we could simplify and just use the same objective as for the constrained brski registrar because the networks are never so large that a registrar can not also renewe certificates. In ANI we where worried about short-lived certificarte renewal load and therefore wanted to be able to split up registrar from mere est-servers (aka: so one can scale up est-server functionality without impacting registrars).

@mcr
Copy link
Member Author

mcr commented Jul 12, 2022

This is done in latest -18 document.

@mcr mcr closed this as completed Jul 12, 2022
@mcr mcr reopened this Jul 12, 2022
@mcr
Copy link
Member Author

mcr commented Jul 12, 2022

How does a device discover EST -coaps server using GRASP.
Need to extend: 6.2.5.1. GRASP Objective for EST Server
ACP nodes that are EST servers MUST announce their service in the ACP via GRASP Flood Synchronization (M_FLOOD) messages. See [RFC8990], Section 2.8.11 for the definition of this message type and Figure 4 for an example.

[M_FLOOD, 12340815, h'fd89b714f3db0000200000064000001', 210000,
[["SRV.est", 4, 255 ],
[O_IPv6_LOCATOR,
h'fd89b714f3db0000200000064000001', IPPROTO_TCP, 443]]
]

@mcr mcr self-assigned this Jul 12, 2022
@EskoDijk
Copy link
Collaborator

EskoDijk commented Nov 2, 2022

One key design concept of BRSKI (RFC 8995) is that the "Registrar" or JRC is defined as equivalent to the "EST server". So both are one and the same. So couldn't we just say we discover the Registrar (as already defined) and by that we've found the EST server?

(Or, is there a situation possible that a Registrar is not available anymore after initial bootstrap of all devices and that a "regular EST server" is placed in the network instead?)

@mcr
Copy link
Member Author

mcr commented Nov 2, 2022

One key design concept of BRSKI (RFC 8995) is that the "Registrar" or JRC is defined as equivalent to the "EST server". So both are one and the same. So couldn't we just say we discover the Registrar (as already defined) and by that we've found the EST server?

Yes/no.

(Or, is there a situation possible that a Registrar is not available anymore after initial bootstrap of all devices and that a "regular EST server" is placed in the network instead?)

Yes, that's the case. One is that the Registrar might be turned off/disabled when there are no devices to bootstrap.
Either that means that it just becomes an EST server, or might be that it just gets powered off.
The other case is that the network is big enough that there is a need for multiple EST servers to deal with all the devices renewing certificates at regular intervals. If the devices get synchronized in some way because of notAfter being all the same, then it could be that the EST server is going to get hit.
A third situation is that the access to the right HSM to actually issue the certificates is only available during "office hours", when the people are there with the keys to enable it. Then, again, it might be important to have multiple EST server available so that all devices get connected, or that the EST server is never unavailable due to hardware or software fault.

@EskoDijk
Copy link
Collaborator

EskoDijk commented Nov 2, 2022

Hmm, these servers could advertise themselves as "Registrars" (JRC) but that may give the wrong signal if they are not actually Registrar. So it makes sense to have a separate discovery option for EST-servers.

Then we need to add the proposed section to our draft?

@mcr
Copy link
Member Author

mcr commented Nov 2, 2022

Hmm. Do we actually need to say anything? Or does RFC7030 and RFC9148 say everything there is to say about finding an EST server? (Well, it's RFC8994 for GRASP discovery of EST)

@EskoDijk
Copy link
Collaborator

EskoDijk commented Nov 3, 2022

Yes the idea here was we need to say something about GRASP discovery of the EST server, since it differs from the GRASP discovery of the EST server in RFC 8994. IPPROTO_TCP becomes IPPROTO_UDP for example.

So a reference to 8994 would be most useful for this and the mention of what would differ for the constrained case.

@EskoDijk EskoDijk added the future Any topic that is postponed to a new draft/document or a future version label Dec 13, 2023
@EskoDijk
Copy link
Collaborator

Item marked as "future", because GRASP discovery is currently removed from the draft - this is saved up for draft-eckert-brski-discovery.

@mcr mcr removed their assignment Feb 6, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
future Any topic that is postponed to a new draft/document or a future version
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@mcr @toerless @EskoDijk