Home - News ( United States | United Kingdom | Italy | Germany ) - Football scores

Showing content from https://www.rfc-editor.org/rfc/rfc8994.xml below:

...engineers almost immediately recognized that they had misdiagnosed the problem. However, they were unable to resolve the issue by restoring the link because the network management tools required to do so remotely relied on the same paths they had just disabled.

1. Autonomic functions communicate over the ACP. The ACP therefore directly supports Autonomic Networking functions, as described in . For example, GRASP ("" ) runs securely inside the ACP and depends on the ACP as its "security and transport substrate".
2. A controller or network management system can use ACP to securely bootstrap network devices in remote locations, even if the (data plane) network in between is not yet configured; no bootstrap configuration that is dependent on the data plane is required. An example of such a secure bootstrap process is described in "" .
3. An operator can use ACP to access remote devices using protocols such as Secure SHell (SSH) or Network Configuration Protocol (NETCONF), even if the network is misconfigured or unconfigured.

ACP:

Autonomic Control Plane. The autonomic function as defined in this document. It provides secure, zero-touch (automated) transitive (network-wide) IPv6 connectivity for all nodes in the same ACP domain as well as a GRASP instance running across this ACP IPv6 connectivity. The ACP is primarily meant to be used as a component of the ANI to enable Autonomic Networks , but it can equally be used in simple ANI networks (with no other autonomic functions) or completely by itself.

ACP address:

An IPv6 address assigned to the ACP node. It is stored in the acp-node-name of the ACP certificate .

ACP address range or set:

The ACP address may imply a range or set of addresses that the node can assign for different purposes. This address range or set is derived by the node from the format of the ACP address called the addressing sub-scheme.

ACP certificate:

A Local Device IDentity ( LDevID ) certificate conforming to "" that carries the acp-node-name , which is used by the ACP to learn its address in the ACP and to derive and cryptographically assert its membership in the ACP domain. In the context of the ANI, the ACP certificate is also called the ANI certificate. In the context of AN, the ACP certificate is also called the AN certificate.

ACP connect interface:

An interface on an ACP node that provides access to the ACP for non-ACP-capable nodes without using an ACP secure channel. See .

ACP domain:

The ACP domain is the set of nodes with ACP certificates that allow them to authenticate each other as members of the ACP domain. See also .

ACP loopback interface:

The loopback interface in the ACP VRF that has the ACP address assigned to it. See .

ACP network:

The ACP network comprises all the nodes that have access to the ACP. It is the set of active and transitively connected nodes of an ACP domain plus all nodes that get access to the ACP of that domain via ACP edge nodes.

ACP (ULA) prefix(es):

The /48 IPv6 address prefixes used across the ACP. In the normal or simple case, the ACP has one Unique Local Address (ULA) prefix, see . The ACP routing table may include multiple ULA prefixes if the rsub option is used to create addresses from more than one ULA prefix. See . The ACP may also include non-ULA prefixes if those are configured on ACP connect interfaces. See .

ACP secure channel:

A channel authenticated via ACP certificates providing integrity protection and confidentiality through encryption. These channels are established between (normally) adjacent ACP nodes to carry ACP VRF traffic in-band over the same links and paths as data plane traffic but isolate it from the data plane traffic and secure it.

ACP secure channel protocol:

The protocol used to build an ACP secure channel, e.g., Internet Key Exchange Protocol version 2 (IKEv2) with IPsec or DTLS.

ACP virtual interface:

An interface in the ACP VRF mapped to one or more ACP secure channels. See .

acp-node-name field:

An information field in the ACP certificate in which the following ACP-relevant information is encoded: the ACP domain name, the ACP IPv6 address of the node, and optional additional role attributes about the node.

AN:

Autonomic Network. A network according to . Its main components are ANI , autonomic functions , and Intent .

(AN) Domain Name:

An FQDN (Fully Qualified Domain Name) in the acp-node-name of the domain certificate. See .

ANI (nodes/network):

Autonomic Network Infrastructure. The ANI is the infrastructure to enable Autonomic Networks . It includes ACP, BRSKI, and GRASP. Every Autonomic Network includes the ANI, but not every ANI network needs to include autonomic functions beyond the ANI (nor Intent ). An ANI network without further autonomic functions can, for example, support secure zero-touch (automated) bootstrap and stable connectivity for SDN networks, see .

ANIMA:

Autonomic Networking Integrated Model and Approach. ACP, BRSKI, and GRASP are specifications of the IETF ANIMA Working Group.

ASA:

Autonomic Service Agent. Autonomic software modules running on an ANI device. The components making up the ANI (BRSKI, ACP, and GRASP) are also described as ASAs.

autonomic function:

A function and/or service in an Autonomic Network (AN) composed of one or more ASAs across one or more ANI nodes.

BRSKI:

Bootstrapping Remote Secure Key Infrastructure . A protocol extending EST to enable secure zero-touch bootstrap in conjunction with ACP. ANI nodes use ACP, BRSKI, and GRASP.

CA:

Certification Authority. An entity that issues digital certificates. A CA uses its private key to sign the certificates it issues. Relying parties use the public key in the CA certificate to validate the signature.

CRL:

Certificate Revocation List. A list of revoked certificates is required to revoke certificates before their lifetime expires.

data plane:

The counterpoint to the ACP VRF in an ACP node: the forwarding of user traffic in non-autonomous nodes and/or networks and also any non-autonomous control and/or management plane functions. In a fully Autonomic Network node, the data plane is managed autonomically via autonomic functions and Intent . See for more details.

device:

A physical system or physical node.

enrollment:

The process by which a node authenticates itself to a network with an initial identity, which is often called an Initial Device IDentity (IDevID) certificate, and acquires from the network a network-specific identity, which is often called an LDevID certificate, and certificates of one or more trust anchor(s) . In the ACP, the LDevID certificate is called the ACP certificate .

EST:

Enrollment over Secure Transport . IETF Standards Track protocol for enrollment of a node with an LDevID certificate. BRSKI is based on EST.

GRASP:

GeneRic Autonomic Signaling Protocol. An extensible signaling protocol required by the ACP for ACP neighbor discovery.

The ACP also provides the "security and transport substrate" for the "ACP instance of GRASP". This instance of GRASP runs across the ACP secure channels to support BRSKI and other NOC and/or OAM or autonomic functions . See .

IDevID:

An Initial Device IDentity X.509 certificate installed by the vendor on new equipment. The IDevID certificate contains information that establishes the identity of the node in the context of its vendor and/or manufacturer such as device model and/or type and serial number. See . The IDevID certificate cannot be used as a node identifier for the ACP because they are not provisioned by the owner of the network, so they can not directly indicate an ACP domain they belong to.

in-band (as in management or signaling):

In-band management traffic and/or control plane signaling uses the same network resources such as routers and/or switches and network links that it manages and/or controls. In-band is the standard management and signaling mechanism in IP networks. Compared to out-of-band , the in-band mechanism requires no additional physical resources, but it introduces potentially circular dependencies for its correct operations. See .

Intent:

The policy language of an Autonomic Network according to .

Loopback interface:

See ACP loopback interface .

LDevID:

A Local Device IDentity is an X.509 certificate installed during enrollment . The domain certificate used by the ACP is an LDevID certificate. See .

management:

Used in this document as another word for OAM .

MASA (service):

Manufacturer Authorized Signing Authority. A vendor and/or manufacturer or delegated cloud service on the Internet used as part of the BRSKI protocol.

MIC:

Manufacturer Installed Certificate. A synonym for an IDevID in referenced materials. This term is not used in this document.

native interface:

Interfaces existing on a node without configuration of the already running node. On physical nodes, these are usually physical interfaces; on virtual nodes, their equivalent.

NOC:

Network Operations Center.

node:

A system supporting the ACP according to this document. A node can be virtual or physical. Physical nodes are called devices.

Node-ID:

The identifier of an ACP node inside that ACP. It is either the last 64 bits (see ) or 78 bits (see ) of the ACP address.

OAM:

Operations, Administration, and Management. Includes network monitoring.

Operational Technology (OT):

"The hardware and software dedicated to detecting or causing changes in physical processes through direct monitoring and/or control of physical devices such as valves, pumps, etc." . In most cases today, OT networks are well separated from Information Technology (IT) networks.

out-of-band (management) network:

An out-of-band network is a secondary network used to manage a primary network. The equipment of the primary network is connected to the out-of-band network via dedicated management ports on the primary network equipment. Serial (console) management ports were historically most common; however, higher-end network equipment now also has Ethernet ports dedicated only to management. An out-of-band network provides management access to the primary network independent of the configuration state of the primary network. See .

out-of-band network, virtual:

The ACP can be called a virtual out-of-band network for management and control because it attempts to provide the benefits of a (physical) out-of-band network even though it is physically carried in-band . See .

root CA:

root Certification Authority. A CA for which the root CA key update procedures of , can be applied.

RPL:

IPv6 Routing Protocol for Low-Power and Lossy Networks. The routing protocol used in the ACP. See .

registrar (ACP, ANI/BRSKI):

An ACP registrar is an entity (software and/or person) that orchestrates the enrollment of ACP nodes with the ACP certificate . ANI nodes use BRSKI, so ANI registrars are also called BRSKI registrars. For non-ANI ACP nodes, the registrar mechanisms are not defined in this document. See . Renewal and other maintenance (such as revocation) of ACP certificates may be performed by entities other than registrars. EST must be supported for ACP certificate renewal (see ). BRSKI is an extension of EST, so ANI/BRSKI registrars can easily support ACP domain certificate renewal in addition to initial enrollment.

RPI:

RPL Packet Information. Network extension headers for use with RPL . Not used with RPL in the ACP. See .

RPL:

Routing Protocol for Low-Power and Lossy Networks. The routing protocol used in the ACP. See .

sUDI:

secured Unique Device Identifier. This is a synonym of IDevID in referenced material. This term is not used in this document.

TA:

Trust Anchor. A TA is an entity that is trusted for the purpose of certificate validation. TA information such as self-signed certificate(s) of the TA is configured into the ACP node as part of enrollment . See .

UDI:

Unique Device Identifier. In the context of this document, unsecured identity information of a node typically consists of at least a device model and/or type and a serial number, often in a vendor-specific format. See sUDI and LDevID .

ULA (Global ID prefix):

A Unique Local Address is an IPv6 address in the block fc00::/7, defined in "" . ULA is the IPv6 successor of the IPv4 private address space ("" ). ULAs have important differences over IPv4 private addresses that are beneficial for and exploited by the ACP, such as the locally assigned Global ID prefix, which is the first 48 bits of a ULA address . In this document, this prefix is abbreviated as "ULA prefix".

(ACP) VRF:

The ACP is modeled in this document as a Virtual Routing and Forwarding instance. This means that it is based on a "virtual router" consisting of a separate IPv6 forwarding table to which the ACP virtual interfaces are attached and an associated IPv6 routing table separate from the data plane. Unlike the VRFs on MPLS/VPN Provider Edge ("" ) or LISP xTR ("" ), the ACP VRF does not have any special "core facing" functionality or routing and/or mapping protocols shared across multiple VRFs. In vendor products, a VRF such as the ACP VRF may also be referred to as a VRF-lite.

(ACP) Zone:

An ACP zone is a set of ACP nodes using the same zone field value in their ACP address according to . Zones are a mechanism to support structured addressing of ACP addresses within the same /48 ULA prefix.

• For management plane protocols, the ACP provides the functionality of a Virtual out-of-Band (VooB) channel, by providing connectivity to all nodes regardless of their data plane configuration, and routing and forwarding tables.
• For control plane protocols, the ACP allows their operation even when the data plane is temporarily faulty, or during transitional events, such as routing changes, which may affect the control plane at least temporarily. This is specifically important for autonomic service agents, which could affect data plane connectivity.

1. The ACP should provide robust connectivity: as far as possible, it should be independent of configured addressing, configuration, and routing. Requirements 2 and 3 build on this requirement, but they also have value on their own.
2. The ACP must have a separate address space from the data plane. This separate address space provides traceability, ease of debugging, separation from data plane, and infrastructure security (filtering based on known address space).
3. The ACP must use an autonomically managed address space. An autonomically managed address space provides ease of bootstrap and setup ("autonomic"), and robustness (the administrator cannot break network easily). This document uses ULA for this purpose, see .
4. The ACP must be generic, that is, it must be usable by all the functions and protocols of the ANI. Clients of the ACP must not be tied to a particular application or transport protocol.
5. The ACP must provide security: messages coming through the ACP must be authenticated to be from a trusted node, and it is very strongly recommended that they be encrypted.

1. The node creates a VRF instance or a similar virtual context for the ACP.
2. The node assigns its ULA IPv6 address (prefix) (see ), which is learned from the acp-node-name (see ) of its ACP certificate (see ), to an ACP loopback interface (see ) and connects this interface to the ACP VRF.
3. The node establishes a list of candidate peer adjacencies and candidate channel types to try for the adjacency. This is automatic for all candidate link-local adjacencies (see ) across all native interfaces (see ). If a candidate peer is discovered via multiple interfaces, this will result in one adjacency per interface. If the ACP node has multiple interfaces connecting to the same subnet across which it is also operating as an L2 switch in the data plane, it employs methods for ACP with L2 switching, see .
4. For each entry in the candidate adjacency list, the node negotiates a secure tunnel using the candidate channel types. See .
5. The node authenticates the peer node during secure channel setup and authorizes it to become part of the ACP according to .
6. Unsuccessful authentication of a candidate peer results in throttled connection retries for as long as the candidate peer is discoverable. See .
7. Each successfully established secure channel is mapped to an ACP virtual interface, which is placed into the ACP VRF. See .
8. Each node runs a lightweight routing protocol (see ) to announce reachability of the ACP loopback address (or prefix) across the ACP.
9. This completes the creation of the ACP with hop-by-hop secure tunnels, auto-addressing, and auto-routing. The node is now an ACP node with a running ACP.

• None of the above operations (except the following explicitly configured ones) are reflected in the configuration of the node.
• Non-ACP network management systems (NMS) or SDN controllers have to be explicitly configured for connection to the ACP.
• Additional candidate peer adjacencies for ACP connections across non-ACP Layer 3 clouds requires explicit configuration. See .

1. Formatting notes:
   1. The rsub component needs to be in the local-part: if the format just had routing-subdomain as the domain part of the acp-node-name, rsub and acp-domain-name could not be separated from each other to determine in the ACP domain membership check which part is the acp-domain-name and which is solely for creating a different ULA prefix.
   2. If both acp-address and rsub are omitted from AcpNodeName, the local-part will have the format "++extension(s)". The two plus characters are necessary so the node can unambiguously parse that both acp-address and rsub are omitted.
2. The encoding of the ACP domain name and ACP address as described in this section is used for the following reasons:
   1. The acp-node-name is the identifier of a node's ACP. It includes the necessary components to identify a node's ACP both from within the ACP as well as from the outside of the ACP.
   2. For manual and/or automated diagnostics and backend management of devices and ACPs, it is necessary to have an easily human-readable and software-parsable standard, single string representation of the information in the acp-node-name. For example, inventory or other backend systems can always identify an entity by one unique string field but not by a combination of multiple fields, which would be necessary if there were no single string representation.
   3. If the encoding was not such a string, it would be necessary to define a second standard encoding to provide this format (standard string encoding) for operator consumption.
   4. Addresses of the form <local>@<domain> have become the preferred format for identifiers of entities in many systems, including the majority of user identifiers in web or mobile applications such as multi-domain single-sign-on systems.
3. Compatibilities:
   1. It should be possible to use the ACP certificate as an LDevID certificate on the system for uses besides the ACP. Therefore, the information element required for the ACP should be encoded so that it minimizes the possibility of creating incompatibilities with other such uses. The attributes of the subject field, for example, are often used in non-ACP applications and therefore should not be occupied by new ACP values.
   2. The element should not require additional ASN.1 encoding and/or decoding because libraries for accessing certificate information, especially for embedded devices, may not support extended ASN.1 decoding beyond predefined, mandatory fields. subjectAltName / otherName is already used with a single string parameter for several otherNames (see "" , "" , "" , "" ).
   3. The element required for the ACP should minimize the risk of being misinterpreted by other uses of the LDevID certificate. It also must not be misinterpreted as an email address, hence the use of the otherName / rfc822Name option in the certificate would be inappropriate.

1. The peer has proved ownership of the private key associated with the certificate's public key. This check is performed by the security association protocol used, for example, Section of "Internet Key Exchange Protocol Version 2 (IKEv2)" .
2. The peer's certificate passes certificate path validation as defined in , against one of the TAs associated with the ACP node's ACP certificate (see ). This includes verification of the validity (lifetime) of the certificates in the path.
3. If the peer's certificate indicates a CRLDP ( ) or OCSP responder ( ), then the peer's certificate MUST be valid according to those mechanisms when they are available: an OCSP check for the peer's certificate across the ACP must succeed, or the peer's certificate must not be listed in the CRL retrieved from the CRLDP. These mechanisms are not available when the ACP node has no ACP or non-ACP connectivity to retrieve a current CRL or has no access an OCSP responder, and the security association protocol itself also has no way to communicate the CRL or OCSP check. Retries to learn revocation via OCSP or CRL SHOULD be made using the same backoff as described in . If and when the ACP node then learns that an ACP peer's certificate is invalid for which Rule 3 had to be skipped during ACP secure channel establishment, then the ACP secure channel to that peer MUST be closed even if this peer is the only connectivity to access CRL/OCSP. This applies (of course) to all ACP secure channels to this peer if there are multiple. The ACP secure channel connection MUST be retried periodically to support the case that the neighbor acquires a new, valid certificate.
4. The peer's certificate has a syntactically valid acp-node-name field, and the acp-domain-name in that peer's acp-node-name is the same as in this ACP node's certificate (lowercase normalized).

1. The acp-address field of the candidate peer certificate's AcpNodeName is not omitted but is either 32HEXDIG or 0, according to .

• Steps 1 through 4 constitute standard certificate validity verification and private key authentication as defined by and security association protocols (such as IKEv2 ) when leveraging certificates.
• Except for its public key, Steps 1 through 4 do not include the verification of any preexisting form of a certificate's identity elements, such as a web server's domain name prefix, which is often encoded in the certificate common name. Step 5 is an equivalent step for the AcpNodeName.
• Step 4 constitutes standard CRL and OCSP checks refined for the case of missing connectivity and limited-functionality security association protocols.
• Steps 1 through 4 authorize the building of any secure connection between members of the same ACP domain except for ACP secure channels.
• Step 5 is the additional verification of the presence of an ACP address as necessary for ACP secure channels.
• Steps 1 through 5 therefore authorize the building of an ACP secure channel.

• An ACP node may choose to attempt to initiate the different feasible ACP secure channel protocols it supports according to its local policies sequentially or in parallel, but it MUST support acting as a responder to all of them in parallel.
• Once the first ACP secure channel protocol connection to a specific peer IPv6 address passes peer authentication, the two peers know each other's certificate because those ACP certificates are used by all secure channel protocols for mutual authentication. The peer with the higher Node-ID in the AcpNodeName of its ACP certificate takes on the role of the Decider towards the peer. The other peer takes on the role of the Follower. The Decider selects which secure channel protocol to ultimately use.
• The Follower becomes passive: it does not attempt to further initiate ACP secure channel protocol connections with the Decider and does not consider it to be an error when the Decider closes secure channels. The Decider becomes the active party, continuing to attempt the setup of secure channel protocols with the Follower. This process terminates when the Decider arrives at the "best" ACP secure channel connection option that also works with the Follower ("best" from the Decider's point of view).
• A peer with a "0" acp-address in its AcpNodeName takes on the role of Follower when peering with a node that has a non-"0" acp-address (note that this specification does not fully define the behavior of ACP secure channel negotiation for nodes with a "0" ACP address field, it only defines interoperability with such ACP nodes).

[1]

Node 1 sends GRASP "AN_ACP" message to announce itself.

[2]

Node 2 sends GRASP "AN_ACP" message to announce itself.

[3]

Node 2 receives [1] from Node 1.

[4:C1]

Because of [3], Node 2 starts as initiator on its preferred secure channel protocol towards Node 1. Connection C1.

[5]

Node 1 receives [2] from Node 2.

[6:C2]

Because of [5], Node 1 starts as initiator on its preferred secure channel protocol towards Node 2. Connection C2.

[7:C1]

Node 1 and Node 2 have authenticated each other's certificate on connection C1 as valid ACP peers.

[8:C1]

Node 1's certificate has a lower ACP Node-ID than Node 2's, therefore Node 1 considers itself the Follower and Node 2 the Decider on connection C1. Connection setup C1 is completed.

[9]

Node 1 refrains from attempting any further secure channel connections to Node 2 (the Decider) as learned from [2] because it knows from [8:C1] that it is the Follower relative to Node 2.

[10:C2]

Node 1 and Node 2 have authenticated each other's certificate on connection C2 (like [7:C1]).

[11:C2]

Node 1's certificate has a lower ACP Node-ID than Node 2's, therefore Node 1 considers itself the Follower and Node 2 the Decider on connection C2, but they also identify that C2 is to the same mutual peer as their C1, so this has no further impact: the roles Decider and Follower where already assigned between these two peers by [8:C1].

[12:C2]

Node 2 (the Decider) closes C1. Node 1 is fine with this, because of its role as the Follower (from [8:C1]).

[13]

Node 2 (the Decider) and Node 1 (the Follower) start data transfer across C2, which makes it become a secure channel for the ACP.

• ENCR_NULL AH MUST NOT be used (because it does not provide confidentiality).
• ENCR_AES_GCM_16 is the only MTI ESP encryption algorithm for ACP via IPsec/ESP (it is already listed as MUST in ).
• ENCR_AES_CBC with AUTH_HMAC_SHA2_256_128 (as the ESP authentication algorithm) and ENCR_AES_CCM_8 MAY be supported. If either provides higher performance than ENCR_AES_GCM_16, it SHOULD be supported.
• ENCR_CHACHA20_POLY1305 SHOULD be supported at equal or higher performance than ENCR_AES_GCM_16. If that performance is not feasible, it MAY be supported.

• There is no requirement to interoperate with legacy equipment in ACP secure channels, so a single MTI encryption algorithm for IPsec in ACP secure channels is sufficient for interoperability and allows for the most lightweight implementations.
• ENCR_AES_GCM_16 is an Authenticated Encryption with Associated Data (AEAD) cipher mode, so no additional ESP authentication algorithm is needed, simplifying the MTI requirements of IPsec for the ACP.
• There is no MTI requirement for the support of ENCR_AES_CBC because ENCR_AES_GCM_16 is assumed to be feasible with less cost and/or higher performance in modern devices' hardware-accelerated implementations compared to ENCR-AES_CBC.
• ENCR_CHACHA20_POLY1305 is mandatory in because of its target use as a fallback algorithm in case weaknesses in AES are uncovered. Unfortunately, there is currently no way to automatically propagate across an ACP a policy to disallow use of AES-based algorithms, so this target benefit of ENCR_CHACHA20_POLY1305 cannot fully be adopted yet for the ACP. Therefore, this algorithm is only recommended. Changing from AES to this algorithm with a potentially big drop in performance could also render the ACP inoperable. Therefore, there is a performance requirement against this algorithm so that it could become an effective security backup to AES for the ACP once a policy to switch over to it or prefer it is available in an ACP framework.

• There is more experience with DTLS 1.2 across the spectrum of target ACP nodes.
• Firmware of lower-end, embedded ACP nodes may not support a newer version for a long time.
• There are significant changes with DTLS 1.3, such as a different record layer requiring time to gain implementation and deployment experience especially on lower-end devices with limited code space.
• The existing BCP for DTLS 1.2 may take an equally longer time to be updated with experience from a newer DTLS version.
• There are no significant benefits of DTLS 1.3 over DTLS 1.2 that are use-case relevant in the context of the ACP options for DTLS. For example, signaling performance improvements for session setup in DTLS 1.3 is not important for the ACP given the long-lived nature of ACP secure channel connections and the fact that DTLS connections are mostly link local (short RTT).

• Secure channel methods such as IPsec may provide protection against additional attacks, for example, reset attacks.
• The secure channel method may leverage hardware acceleration, and there may be little or no gain in eliminating it.
• The security model for ACP GRASP is no different than other ACP traffic. Instead, there is just another layer of protection against certain attacks from the inside, which is important due to the role of GRASP in the ACP.

• Usage: autonomic addresses are exclusively used for self-management functions inside a trusted domain. They are not used for user traffic. Communications with entities outside the trusted domain use another address space, for example, a normally managed routable address space (called "data plane" in this document).
• Separation: autonomic address space is used separately from user address space and other address realms. This supports the robustness requirement.
• Loopback only: only ACP loopback interfaces (and potentially those configured for ACP connect, see ) carry routable address(es); all other interfaces (called ACP virtual interfaces) only use IPv6 link-local addresses. The usage of IPv6 link-local addressing is discussed in "" .
• Use of ULA: for loopback interfaces of ACP nodes, we use ULA with the L bit set to 1 (as defined in ). Note that the random hash for ACP loopback addresses uses the definition in and not the one in .
• No external connectivity: the addresses do not provide access to the Internet. If a node requires further connectivity, it should use another, traditionally managed addressing scheme in parallel.
• Addresses in the ACP are permanent and do not support temporary addresses as defined in "" .
• Addresses in the ACP are not considered sensitive on privacy grounds because ACP nodes are not expected to be end-user hosts, and therefore ACP addresses do not represent end users or groups of end users. All ACP nodes are in one (potentially federated) administrative domain. For ACP traffic, the nodes are assumed to be either candidate hosts or transit nodes. There are no transit nodes with fewer privileges to know the identity of other hosts in the ACP. Therefore, ACP addresses do not need to be pseudorandom as discussed in "" . Because they are not propagated to untrusted (non-ACP) nodes and stay within a domain (of trust), we also do not consider them to be subject to scanning attacks.

• Simplicity, reliability, and scale: if other network-layer protocols were supported, each would have to have its own set of security associations, routing table, and process, etc.
• Autonomic functions do not require IPv4: autonomic functions and autonomic service agents are new concepts. They can be exclusively built on IPv6 from day one. There is no need for backward compatibility.
• OAM protocols do not require IPv4: the ACP may carry OAM protocols. All relevant protocols (SNMP, TFTP, SSH, SCP, RADIUS, Diameter, NETCONF, etc.) are available in IPv6. See also for how ACP could be made to interoperate with IPv4-only OAM.

fd:

Identifies a locally defined ULA address.

hash(routing-subdomain):

The 40-bit ULA Global ID (a term from ) for ACP addresses carried in the acp-node-name in the ACP certificates are the first 40 bits of the SHA-256 hash of the routing-subdomain from the same acp-node-name. In the example of , the routing-subdomain is "area51.research.acp.example.com", and the 40-bit ULA Global ID is 89b714f3db. When creating a new routing-subdomain for an existing Autonomic Network, it MUST be ensured that rsub is selected so the resulting hash of the routing-subdomain does not collide with the hash of any preexisting routing-subdomains of the Autonomic Network. This ensures that ACP addresses created by registrars for different routing subdomains do not collide with each other. To allow for extensibility, the fact that the ULA Global ID is a hash of the routing-subdomain SHOULD NOT be assumed by any ACP node during normal operations. The hash function is only executed during the creation of the certificate. If BRSKI is used, then the BRSKI registrar will create the acp-node-name in response to the EST Certificate Signing Request (CSR) Attributes Request message sent by the pledge. Establishing connectivity between different ACPs (different acp-domain-names) is outside the scope of this specification. If it is being done through future extensions, then the rsub of all routing-subdomains across those Autonomic Networks needs to be selected so that the resulting routing-subdomain hashes do not collide. For example, a large cooperation with its own private TA may want to create different Autonomic Networks that initially do not connect but where the option to do so should be kept open. When taking this possibility into account, it is always easy to select rsub so that no collisions happen.

Type:

This field allows different addressing sub-schemes. This addresses the "upgradability" requirement. Assignment of types for this field will be maintained by IANA.

(sub-scheme):

The sub-scheme may imply a range or set of addresses assigned to the node. This is called the ACP address range/set and explained in each sub-scheme.

Type:

MUST be 0.

Z:

MUST be 0.

Zone-ID:

A value for a network zone.

Node-ID:

A unique value for each node. The 64-bit Node-ID must be unique across the ACP domain for each node. It is derived and composed as follows:

Registrar-ID (48 bits):

A number unique inside the domain identifying the ACP registrar that assigned the Node-ID to the node. One or more domain-wide unique identifiers of the ACP registrar can be used for this purpose. See .

Node-Number:

A number to make the Node-ID unique. This can be sequentially assigned by the ACP registrar owning the Registrar-ID.

V (1 bit):

Virtualization bit:

0:

Indicates the ACP itself ("ACP node base system)

1:

Indicates the optional "host" context on the ACP node (see below).

Type:

MUST be 0.

Z:

MUST be 1.

Subnet-ID:

Configured subnet identifier.

Interface Identifier:

Interface identifier according to .

F:

Format bit. This bit determines the format of the subsequent bits.

V:

Virtualization bit: this is a field that is either 8 or 16 bits. For F=0, it is 8 bits, for F=1 it is 16 bits. The V-bits are assigned by the ACP node. In the ACP certificate's ACP address (), the V-bits are always set to 0.

Registrar-ID:

To maximize Node-Number and V, the Registrar-ID is reduced to 46 bits. One or more domain-wide unique identifiers of the ACP registrar can be used for this purpose. See .

Node-Number:

The Node-Number is unique to each ACP node. There are two formats for the Node-Number. When F=0, the Node-Number is 23 bits, for F=1, it is 15 bits. Each format of Node-Number is considered to be in a unique number space.

• Use the 'K' flag in unsolicited DAO to indicate change from previous information (to require DAO-ACK).
• Retry such DAO DAO-RETRIES(3) times with DAO-ACK_TIME_OUT(256ms) in between.

Objective Function (OF):

Use Objective Function Zero (OF0) ("" ). Metric containers are not used.

rank_factor:

Derived from link speed: if less than or equal to 100 Mbps, LOW_SPEED_FACTOR(5), else HIGH_SPEED_FACTOR(1). This is a simple rank differentiation between typical "low speed" or IoT links that commonly max out at 100 Mbps and typical infrastructure links with speeds of 1 Gbps or higher. Given how the path selection for the ACP focuses only on reachability but not on path cost optimization, no attempts at finer-grained path optimization are made.

Global Repair:

We assume stable links and ranks (metrics), so there is no need to periodically rebuild the DODAG. The DODAG version is only incremented under catastrophic events (e.g., administrative action).

Local Repair:

As soon as link breakage is detected, the ACP node sends a No-Path DAO for all the targets that were reachable only via this link. As soon as link repair is detected, the ACP node validates if this link provides a better parent. If so, a new rank is computed by the ACP node, and it sends a new DIO that advertises the new rank. Then it sends a DAO with a new path sequence about itself. When using ACP multi-access virtual interfaces, local repair can be triggered directly by peer breakage, see .

stretch_rank:

None provided ("not stretched").

Data-Path Validation:

Not used.

Trickle:

Not used.

Administrative Preference ( --to become root):

The preference is indicated in the DODAGPreference field of DIO message.

Explicitly configured "root":

0b100

ACP registrar (default):

0b011

ACP connect (non-registrar):

0b010

Default:

0b001

1. IPv6 addresses are assigned to interfaces, not nodes. IPv6 continues the IPv4 model that a subnet prefix is associated with one link, see Section of "IP Version 6 Addressing Architecture" .
2. IPv6 implementations commonly do not allow assignment of the same IPv6 global-scope address in the same VRF to more than one interface.
3. Global-scope addresses assigned to interfaces that connect to other nodes (external interfaces) may not be stable addresses for communications because any such interface could fail due to reasons external to the node. This could render the addresses assigned to that interface unusable.
4. If failure of the subnet does not bring down the interface and make the addresses unusable, it could result in unreachability of the address because the shortest path to the node might go through one of the other nodes on the same subnet, which could equally consider the subnet to be operational even though it is not.
5. Many OAM service implementations on routers cannot deal with more than one peer address, often because they already expect that a single loopback address can be used, especially to provide a stable address under failure of external interfaces or links.
6. Even when an application supports multiple addresses to a peer, it can only use one address at a time for a connection with the most widely deployed transport protocols, TCP and UDP. While "" / solves this problem, it is not widely adopted by implementations of router OAM services.
7. To completely autonomously assign global-scope addresses to subnets connecting to other nodes, it would be necessary for every node to have an amount of prefix address space on the order of the maximum number of subnets that the node could connect to, and then the node would have to negotiate with adjacent nodes across those subnets which address space to use for each subnet.
8. Using global-scope addresses for subnets between nodes is unnecessary if those subnets only connect routers, such as ACP secure channels, because they can communicate to remote nodes via their global-scope loopback addresses. Using global-scope addresses for those external subnets is therefore wasteful for the address space and also unnecessarily increases the size of the routing and forwarding tables, which, especially for the ACP, is highly undesirable because it should attempt to minimize the per-node overhead of the ACP VRF.
9. For all these reasons, the ACP addressing sub-schemes do not consider ACP addresses for subnets connecting ACP nodes.

• The local and remote address can be IPv4 or IPv6 and are typically global-scope addresses.
• The VRF across which the connection is built (and in which local-addr exists) can be specified. If vrf is not specified, it is the default VRF on the node. In DULL GRASP, the VRF is implied by the interface across which DULL GRASP operates.
• If local address is "any", the local address used when initiating a secure channel connection is decided by source address selection ( for IPv6). As a responder, the connection listens on all addresses of the node in the selected VRF.
• Configuration of port is only required for methods where no defaults exist (e.g., "DTLS").
• If the remote address is "any", the connection is only a responder. It is a "hub" that can be used by multiple remote peers to connect simultaneously -- without having to know or configure their addresses, for example, a hub site for remote "spoke" sites reachable over the Internet.
• The pmtu parameter should be configurable to overcome issues or limitations of Path MTU Discovery (PMTUD).
• IKEv2/IPsec to remote peers should support the optional NAT Traversal (NAT-T) procedures.

• describes the recommended capabilities of operator diagnostics of ACP nodes.
• describes at a high level how an ACP registrar needs to work, what its configuration parameters are, and specific issues impacting the choices of deployment design due to renewal and revocation issues. It describes a model where ACP registrars have their own sub-CA to provide the most distributed deployment option for ACP registrars, and it describes considerations for centralized policy control of ACP registrar operations.
• describes suggested ACP node behavior and operational interfaces (configuration options) to manage the ACP in so-called greenfield devices (previously unconfigured) and brownfield devices (preconfigured).

• Developing the logic to identify common issues requires operational experience with the components of the ANI. Letting each management system define its own analysis is inefficient.
• When the ANI is not operating correctly, it may not be possible to run diagnostics remotely because of missing connectivity. The ANI should therefore have diagnostic capabilities available locally on the nodes themselves.
• Certain operations are difficult or impossible to monitor in real time, such as initial bootstrap issues in a network location where no capabilities exist to attach local diagnostics. Therefore, it is important to also define how to capture (log) diagnostics locally for later retrieval. Ideally, these captures are also nonvolatile so that they can survive extended power-off conditions, for example, when a device that fails to be brought up zero-touch is sent for diagnostics at a more appropriate location.

• Check if the necessary configurations to make ACP/ANI operational are correct (see for a discussion of such commands).
• Does the system time look reasonable, or could it be the default system time after battery failure of the clock chip? Certificate checks depend on reasonable notion of time.
• Does the node have keying material, such as domain certificate, TA certificates, etc.?
• If there is no keying material and the ANI is supported/enabled, check the state of BRSKI (not detailed in this example).
• Check the validity of the domain certificate:
  • Does the certificate validate against the TA?
  • Has it been revoked?
  • Was the last scheduled attempt to retrieve a CRL successful? (e.g., do we know that our CRL information is up to date?)
  • Is the certificate valid? The validity start time is in the past, and the expiration time is in the future?
  • Does the certificate have a correctly formatted acp-node-name field?
• Was the ACP VRF successfully created?
• Is ACP enabled on one or more interfaces that are up and running?

• Is the interface physically up? Does it have an IPv6 link-local address?
• Is it enabled for ACP?
• Do we successfully send DULL GRASP messages to the interface? (Are there link-layer errors?)
• Do we receive DULL GRASP messages on the interface? If not, some intervening L2 equipment performing bad MLD snooping could have caused problems. Provide, e.g., diagnostics of the MLD querier IPv6 and MAC address.
• Do we see the ACP objective in any DULL GRASP message from that interface? Diagnose the supported secure channel methods.
• Do we know the MAC address of the neighbor with the ACP objective? If not, diagnose SLAAC/ND state.
• When did we last attempt to build an ACP secure channel to the neighbor?
• If it failed:
  • Did the neighbor close the connection on us, or did we close the connection on it because the domain certificate membership failed?
  • If the neighbor closed the connection on us, provide any error diagnostics from the secure channel protocol.
  • If we failed the attempt, display our local reason:
    • There was no common secure channel protocol supported by the two neighbors (this could not happen on nodes supporting this specification because it mandates common support for IPsec).
    • Did the ACP certificate membership check ( ) fail?
      • The neighbor's certificate is not signed directly or indirectly by one of the node's TA. Provide diagnostics which TA it has (can identify whom the device belongs to).
      • The neighbor's certificate does not have the same domain (or no domain at all). Diagnose acp-domain-name and potentially other cert info.
      • The neighbor's certificate has been revoked or could not be authenticated by OCSP.
      • The neighbor's certificate has expired, or it is not yet valid.
  • Are there any other connection issues, e.g., IKEv2/IPsec, DTLS?

• Are there one or more active ACP neighbors with secure channels?
• Is RPL for the ACP running?
• Is there a default route to the root in the ACP routing table?
• Is there, for each direct ACP neighbor not reachable over the ACP virtual interface to the root, a route in the ACP routing table?
• Is ACP GRASP running?
• Is at least one "SRV.est" objective cached (to support certificate renewal)?
• Is there at least one BRSKI registrar objective cached? (If BRSKI is supported.)
• Is the BRSKI proxy operating normally on all interfaces where ACP is operating?

1. BRSKI does not allow for a neighboring device to identify the pledge's IDevID certificate. Only the selected BRSKI registrar can do this, but it may be difficult to disseminate information from those BRSKI registrars about undesired pledges to locations and/or nodes where information about those pledges is desired.
2. LLDP disseminates information about nodes, such as node model, type, and/or software and interface name and/or number of the connection, to their immediate neighbors. This information is often helpful or even necessary in network diagnostics. It can equally be considered too insecure to make this information available unprotected to all possible neighbors.

• A URL to the TA and credentials so that the ACP registrar can let the TA sign candidate ACP node certificates.
• The ACP domain name.
• The Registrar-ID to use. This could default to a MAC address of the ACP registrar.
• For recovery, the next usable Node-IDs for the Zone Addressing Sub-Scheme (Zone-ID 0) and for the Vlong Addressing Sub-Scheme (/112 and /120). These IDs would only need to be provisioned after recovering from a crash. Some other mechanism would be required to remember these IDs in a backup location or to recover them from the set of currently known ACP nodes.
• Policies on whether the candidate ACP nodes should receive a domain certificate or not, for example, based on the device's IDevID certificate as in BRSKI. The ACP registrar may whitelist or blacklist based on a device's "serialNumber" attribute in the subject field distinguished name encoding of its IDevID certificate.
• Policies on what type of address prefix to assign to a candidate ACP device, likely based on the same information.
• For BRSKI or other mechanisms using vouchers: parameters to determine how to retrieve vouchers for specific types of secure bootstrap candidate ACP nodes (such as MASA URLs), unless this information is automatically learned, such as from the IDevID certificate of candidate ACP nodes (as defined in BRSKI).

1. The ACP registrar cannot directly assign certificates to nodes and therefore needs an "online" connection to the TA.
2. Recovery from a compromised ACP registrar is difficult. When an ACP registrar is compromised, it can insert, for example, a conflicting acp-node-name and thereby create an attack against other ACP nodes through the ACP routing protocol.

• Deciding which candidate ACP node is permitted or not permitted into an ACP domain. This may not be a decision to be made upfront, so that a policy per "serialNumber" attribute in the subject field distinguished name encoding can be loaded into every ACP registrar. Instead, it may better be decided in real time, potentially including a human decision in a NOC.
• Tracking all enrolled ACP nodes and their certificate information. For example, in support of revoking an individual ACP node's certificates.
• Needing more flexible policies as to which type of address prefix or even which specific address prefix to assign to a candidate ACP node.

• When ACP nodes do not support an autonomic way to receive an ACP certificate, for example, BRSKI, then such a certificate needs to be configured via some preexisting mechanisms outside the scope of this specification. Today, routers typically have a variety of mechanisms to do this.
• Certificate maintenance requires PKI functions. Discovery of these functions across the ACP is automated (see ), but their configuration is not.
• When non-ACP-capable nodes such as preexisting NMS need to be physically connected to the ACP, the ACP node to which they attach needs to be configured with ACP connect according to . It is also possible to use that single physical connection to connect both to the ACP and the data plane of the network as explained in .
• When devices are not autonomically bootstrapped, explicit configuration to enable the ACP needs to be applied. See .
• When the ACP needs to be extended across interfaces other than L2, the ACP as defined in this document cannot auto-discover candidate neighbors automatically. Remote neighbors need to be configured, see .

• New neighbors will automatically join the ACP after successful validation and will become reachable using their unique ULA address across the ACP.
• When any changes happen in the topology, the routing protocol used in the ACP will automatically adapt to the changes and will continue to provide reachability to all nodes.
• The ACP tracks the validity of peer certificates and tears down ACP secure channels when a peer certificate has expired. When short-lived certificates with lifetimes on the order of OCSP/CRL refresh times are used, then this allows for removal of invalid peers (whose certificate was not renewed) at similar speeds as when using OCSP/CRL. The same benefit can be achieved when using CRL/OCSP, periodically refreshing the revocation information and also tearing down ACP secure channels when the peer's (long-lived) certificate is revoked. There is no requirement for ACP implementations to require this enhancement, though, in order to keep the mandatory implementations simpler.

• The usage of domain certificates depends on a valid supporting PKI infrastructure. If the chain of trust of this PKI infrastructure is compromised, the security of the ACP is also compromised. This is typically under the control of the network administrator.
• ACP nodes receive their certificates from ACP registrars. These ACP registrars are security-critical dependencies of the ACP. Procedures and protocols for ACP registrars are outside the scope of this specification as explained in ; only the requirements for the resulting ACP certificates are specified.
• Every ACP registrar (for enrollment of ACP certificates) and ACP EST server (for renewal of ACP certificates) is a security-critical entity and its protocols are security-critical protocols. Both need to be hardened against attacks, similar to a CA and its protocols. A malicious registrar can enroll malicious nodes to an ACP network (if the CA delegates this policy to the registrar) or break ACP routing, for example, by assigning duplicate ACP addresses to ACP nodes via their ACP certificates.
• ACP nodes that are ANI nodes rely on BRSKI as the protocol for ACP registrars. For ANI-type ACP nodes, the security considerations of BRSKI apply. It enables automated, secure enrollment of ACP certificates.
• BRSKI and potentially other ACP registrar protocol options require that nodes have an (X.509 v3 based) IDevID. IDevIDs are an option for ACP registrars to securely identify candidate ACP nodes that should be enrolled into an ACP domain.
• For IDevIDs to securely identify the node to which its IDevID is assigned, the node needs (1) to utilize hardware support such as a Trusted Platform Module (TPM) to protect against extraction and/or cloning of the private key of the IDevID and (2) a hardware/software infrastructure to prohibit execution of unauthenticated software to protect against malicious use of the IDevID.
• Like the IDevID, the ACP certificate should equally be protected from extraction or other abuse by the same ACP node infrastructure. This infrastructure for IDevID and ACP certificate is beneficial independent of the ACP registrar protocol used (BRSKI or other).
• Renewal of ACP certificates requires support for EST; therefore, the security considerations of related to certificate renewal and/or rekeying and TP renewal apply to the ACP. EST security considerations when using other than mutual certificate authentication do not apply, nor do considerations for initial enrollment via EST apply, except for ANI-type ACP nodes because BRSKI leverages EST.
• A malicious ACP node could declare itself to be an EST server via GRASP across the ACP if malicious software could be executed on it. The CA should therefore authenticate only known trustworthy EST servers, such as nodes with hardware protections against malicious software. When registrars use their ACP certificate to authenticate towards a CA, the id-kp-cmcRA extended key usage attribute allows the CA to determine that the ACP node was permitted during enrollment to act as an ACP registrar. Without the ability to talk to the CA, a malicious EST server can still attract ACP nodes attempting to renew their keying material, but they will fail to perform successful renewal of a valid ACP certificate. The ACP node attempting to use the malicious EST server can then continue to use a different EST server and log a failure against a malicious EST server.
• Malicious on-path ACP nodes may filter valid EST server announcements across the ACP, but such malicious ACP nodes could equally filter any ACP traffic such as the EST traffic itself. Either attack requires the ability to execute malicious software on an impaired ACP node, though.
• In the absence of malicious software injection, an attacker that can misconfigure an ACP node that supports EST server functionality could attempt to configure a malicious CA. This would not result in the ability to successfully renew ACP certificates, but it could result in DoS attacks by becoming an EST server and by making ACP nodes attempt their ACP certificate renewal via this impaired ACP node. This problem can be avoided when the EST server implementation can verify that the configured CA is indeed providing renewal for certificates of the node's ACP. The ability to do so depends on the protocol between the EST server and the CA, which is outside the scope of this document.

RetroSearch is an open source project built by @garambo | Open a GitHub Issue

Search and Browse the WWW like it's 1997 | Search results from DuckDuckGo

HTML: 3.2 | Encoding: UTF-8 | Version: 0.7.4