(CC trimmed to avoid distracting the IESG.)

> With ACP, the data-plane for "internal" config could immediately be shut down
> as soon as there is no ACP neighbor.
>
> Nice short term, small one pager ASA idea ;-))

Oh, I think every ASA should have this logic. In my prototype code, the ACP
module provides a status function acp.status() and really that should be
polled regularly, or there should be an event handler for "ACP down". My
intention was that GRASP calls would fail with a "noSecurity" error code in
that case. Actually the code is there but inactive, absent a real ACP.

Regards
   Brian

On 11-Sep-20 22:45, Toerless Eckert wrote:
> On Sun, Aug 23, 2020 at 05:39:14PM -0400, Michael Richardson wrote:
>>
>> Robert Wilton via Datatracker <[email protected]> wrote:
>>   > 6.10.1. Fundamental Concepts of Autonomic Addressing
>>
>>   > For a PE device or NID, how does it know which interfaces to run ACP
>>   > over?
>>
>> I think that "PE" here means "Provider Edge"?
>> The answer is that it runs the GRASP DULL on *ALL* interfaces, because the
>> device may have no idea it is a Provider Edge device on that Interface.
>>
>> A Provider might want to turn this off, and they could well do that once the
>> device has joined the ACP and gotten management control. But, the risk of
>> doing that is that the cables will get plugged in wrong, and the operator
>> will lose access to the device.
>
> In addition to losing access to the device, the authenticated presence of
> an ACP neighbor on an interface should also result in the appropriate
> configuration of the data plane, and in reverse the absence as well:
>
> When someone mis-plugs a cable, a CE facing interface might be miscabled to
> a PE interface assumed to be inside the provider domain - and now the customer
> could gain access to the SP infrastructure. Very often that infra is so
> fragile that one might be able to inject a virus in short time. A malicious
> attacker today likely needs to get some insight into the SP network from
> someone and then bribe a lowly paid worker to accidentally misplug a cable
> for 10 minutes...
>
> With ACP, the data-plane for "internal" config could immediately be shut down
> as soon as there is no ACP neighbor.
>
> Nice short term, small one pager ASA idea ;-))
>
> Cheers
>     Toerless
>
>> In this case, I think that ANIMA's ACP prefers connectivity over the small
>> amount of privacy lost by indicating that an IKEv2 is listening on an IPv6
>> Link-Local address. There is no security breach possible because the IKEv2
>> (or DTLS) connection will not complete without the right trust anchors
>> present.
>>
>> A smart heuristic might be to include some kind of dead-man's switch.
>> The management interface might turn the DULL off on some interfaces for a
>> period of time, and if the management interface is lost, then the interfaces
>> would stop being suppressed. This falls into the quality of implementation
>> category at this point.
>>
>> --
>> Michael Richardson <[email protected]>, Sandelman Software Works
>>  -= IPv6 IoT consulting =-
>
>

_______________________________________________
Anima mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/anima
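Added example, not part of the thread and not Brian's prototype or any ANIMA project code: a small Python model of the three behaviours the message discusses. It polls a stand-in for acp.status() to decide per interface whether an authenticated ACP neighbor is present, tears down the "internal" data-plane config as soon as that neighbor is gone (Toerless's suggestion), makes a simulated GRASP call fail with a "noSecurity" error when the ACP is down (Brian's intended behaviour), and bounds any operator suppression of DULL with Michael's dead-man's switch. The AcpState class, its status() method, the interface table and the explicit clock value are all assumptions standing in for whatever a real ACP implementation exposes.

```python
"""ASA-style supervisor modelling the ACP-down handling discussed on the list.
Everything here is simulated in-process (constructed example, not real ACP code)."""

import time
from dataclasses import dataclass
from typing import Dict, List, Optional

NO_SECURITY = "noSecurity"  # error code name taken from the discussion


@dataclass
class Interface:
    name: str
    acp_neighbor: bool = False             # authenticated ACP neighbor present?
    internal_config_active: bool = False   # "internal" data-plane config applied?
    dull_suppressed_until: Optional[float] = None  # dead-man's switch expiry (seconds)


@dataclass
class AcpState:
    """Assumed stand-in for an ACP module's status interface."""
    interfaces: Dict[str, Interface]
    mgmt_reachable: bool = True  # is the management channel still alive?

    def status(self) -> bool:
        """ACP counts as 'up' if any interface has an authenticated neighbor."""
        return any(itf.acp_neighbor for itf in self.interfaces.values())


class GraspError(Exception):
    def __init__(self, code: str):
        super().__init__(code)
        self.code = code


def grasp_call(acp: AcpState, objective: str) -> str:
    """Simulated GRASP call: refuses to proceed with noSecurity when ACP is down."""
    if not acp.status():
        raise GraspError(NO_SECURITY)
    return f"{objective}: ok"


def reconcile_data_plane(acp: AcpState) -> List[str]:
    """Poll-style handler to run regularly (or on an 'ACP down' event).
    Internal config is applied only where an ACP neighbor is authenticated and
    removed immediately where it is not.  Returns the actions taken."""
    actions = []
    for itf in acp.interfaces.values():
        if itf.acp_neighbor and not itf.internal_config_active:
            itf.internal_config_active = True
            actions.append(f"{itf.name}: internal config UP")
        elif not itf.acp_neighbor and itf.internal_config_active:
            itf.internal_config_active = False
            actions.append(f"{itf.name}: internal config DOWN (no ACP neighbor)")
    return actions


def suppress_dull(acp: AcpState, name: str, seconds: float, now: float) -> None:
    """Operator turns DULL off on an interface, but only for a bounded period."""
    acp.interfaces[name].dull_suppressed_until = now + seconds


def dull_enabled(acp: AcpState, name: str, now: float) -> bool:
    """Dead-man's switch: the suppression holds only while it has not expired
    AND the management channel is still reachable; otherwise DULL comes back."""
    itf = acp.interfaces[name]
    if itf.dull_suppressed_until is None:
        return True
    if not acp.mgmt_reachable or now >= itf.dull_suppressed_until:
        itf.dull_suppressed_until = None  # release the suppression
        return True
    return False


if __name__ == "__main__":
    # Constructed scenario: eth0 has an authenticated neighbor, eth1 does not.
    acp = AcpState({"eth0": Interface("eth0", acp_neighbor=True),
                    "eth1": Interface("eth1")})
    print(reconcile_data_plane(acp))
    print(grasp_call(acp, "EX1"))
    acp.interfaces["eth0"].acp_neighbor = False  # cable moved: neighbor vanishes
    print(reconcile_data_plane(acp))
    try:
        grasp_call(acp, "EX1")
    except GraspError as e:
        print("GRASP call refused:", e.code)
    t0 = time.monotonic()
    suppress_dull(acp, "eth1", 60, now=t0)
    acp.mgmt_reachable = False               # management lost: switch trips
    print("DULL enabled on eth1:", dull_enabled(acp, "eth1", now=t0 + 1))
```

The reconcile function is deliberately idempotent, so it can be driven either by a polling timer or by an "ACP down" event handler without double-applying changes; the dead-man check is evaluated lazily at the moment the DULL state is needed, so no background timer is required.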
