Michael Behringer (mbehring) <mbehr...@cisco.com> wrote: > I had already sent out an early version of the state machines before, > here an update.
> To the high level state machine, I added a state "Proxy mode". A node > is in that state when the ACP is up AND it can see a registrar. Other > than that, I think the high level diagram should be ok. Looking for > feedback. I disagree with this state or machine. The proxy process is, as you described, dependant upon having reached the In ACP mode, and having discovered a Registrar. That's true. Assuming IKEv2 (whether keying IPsec, or keying MACSEC [%]) There is some RPL state machine inside the In ACP state as well, but I'm not But, I wouldn't describe it as a seperate state, rather it's an attribute of having reached In ACP mode. I would expect the ACP process, once it has been informed by the RPL daemon that it has found a ground RPL DODAG to join, that it would spawn off the Join Assistant process. The Join Assistant would then open a TCP socket to receive the GRASP reply (binding the socket to the ACP ULA address), and then do a GRASP M_DISCOVERY. Once it gets a response from a Registrar, it would begin listening for New Node discovery messages and relaying. This would be a seperate state machine. Would you like this in the bootstrapping document? > The state machine for the BRSKI pledge (it's a detail on the ANIMA > state machine) still has a lot of open questions. Most are under > discussion. I tried to illustrate where we have open points. You have listed: Discovery: mDNS or GRASP? one discovery method for BRSKI and ACP, or several? multicast domain info? packet formats BRSKI: Feedback to the pledge? (specifically: Reason for rejection / retry?) Let me be more specific, because I think these are not open questions. Discovery of AN peer: - GRASP M_FLOOD (MTI) Discovery of Join Assistant by Pledge: - GRASP M_FLOOD (MUST for JA, SHOULD for Pledge) - mDNS (SHOULD for JA, MAY for Pledge) The "multicast domain info" question is vague to me, but if you mean the multicast scope, it's LL, scope=2. (scope=1 being host) Packet formats are determined by GRASP and mDNS. The feedback to the pledge about rejection would occur inside of EST, and so is about RFC7030, right? [%] - Linux now has a MACSEC implementation I noticed. If supporting MACSEC is interesting to many, then we need a KMP for it, and we need to negotiate it's use via IKEv2. I suggest that a document doing this would not be very long or difficult to pass through the IPsec WG. If supporting MACSEC is not a priority now, then as long as we negotiate the ACP using IKEv2, then we can add it later on rather easily.
signature.asc
Description: PGP signature
_______________________________________________ Anima mailing list Anima@ietf.org https://www.ietf.org/mailman/listinfo/anima