Michael Behringer (mbehring) <mbehr...@cisco.com> wrote:
> I had already sent out an early version of the state machines before,
> here an update.
> To the high level state machine, I added a state "Proxy mode". A node
> is in that state when the ACP is up AND it can see a registrar. Other
> than that, I think the high level diagram should be ok. Looking for
> feedback.
I disagree with this state or machine.
The proxy process is, as you described, dependant upon having reached the In
ACP mode, and having discovered a Registrar. That's true.
Assuming IKEv2 (whether keying IPsec, or keying MACSEC [%])
There is some RPL state machine inside the In ACP state as well, but
I'm not
But, I wouldn't describe it as a seperate state, rather it's an attribute
of having reached In ACP mode. I would expect the ACP process, once it has
been informed by the RPL daemon that it has found a ground RPL DODAG to join,
that it would spawn off the Join Assistant process.
The Join Assistant would then open a TCP socket to receive the GRASP reply
(binding the socket to the ACP ULA address), and then do a GRASP M_DISCOVERY.
Once it gets a response from a Registrar, it would begin listening for New
Node discovery messages and relaying. This would be a seperate state
machine. Would you like this in the bootstrapping document?
> The state machine for the BRSKI pledge (it's a detail on the ANIMA
> state machine) still has a lot of open questions. Most are under
> discussion. I tried to illustrate where we have open points.
You have listed:
Discovery:
mDNS or GRASP?
one discovery method for BRSKI and ACP, or several?
multicast domain info?
packet formats
BRSKI:
Feedback to the pledge? (specifically: Reason for rejection / retry?)
Let me be more specific, because I think these are not open questions.
Discovery of AN peer:
- GRASP M_FLOOD (MTI)
Discovery of Join Assistant by Pledge:
- GRASP M_FLOOD (MUST for JA, SHOULD for Pledge)
- mDNS (SHOULD for JA, MAY for Pledge)
The "multicast domain info" question is vague to me, but if you mean the
multicast scope, it's LL, scope=2. (scope=1 being host)
Packet formats are determined by GRASP and mDNS.
The feedback to the pledge about rejection would occur inside of EST,
and so is about RFC7030, right?
[%] - Linux now has a MACSEC implementation I noticed.
If supporting MACSEC is interesting to many, then we need a KMP for it,
and we need to negotiate it's use via IKEv2.
I suggest that a document doing this would not be very long or difficult
to pass through the IPsec WG.
If supporting MACSEC is not a priority now, then as long as we negotiate
the ACP using IKEv2, then we can add it later on rather easily.
signature.asc
Description: PGP signature
_______________________________________________ Anima mailing list Anima@ietf.org https://www.ietf.org/mailman/listinfo/anima
