Brian E Carpenter <brian.e.carpen...@gmail.com> wrote:
> Just trying to check my understanding. In section 5.5.1 we have:

I'm behind on their latest changes, but I'll catch up.

> In 5.4.2 we have:
>> The registrar-agent MAY use
>>
>> * "product-serial-number._brski-pledge._tcp.local", to discover a
>> specific pledge, e.g., when connected to a local network.
>>
>> * "_brski-pledge._tcp.local" to get a list of pledges to be
>> bootstrapped.

> So where does the list at "_brski-pledge._tcp.local" come from? Is
> that configured in the same way as section 5.5.1 suggests, except that
> it's configured into the host providing _brski-pledge._tcp.local?

The Registrar-Agent does an mDNS query for _brski-pledge._tcp.local to discover all the pledges on the local LAN. It will receive multiple answers, of the product-serial-number._brski-pledge._tcp.local form, I think.

> In any case, isn't the list of pledges itself a point of attack for
> someone attempting to install a rogue device? So the security of the
> list of pledges should perhaps be discussed in the Security
> Considerations, even though it's outside the protocol itself.

The Rogue device would have to come from a certified Manufacturer, i.e. one known to the Registrar. As per RFC8995 section 11.5: "Manually configuring each manufacturer's trust anchor."

... but, perhaps I don't understand your question well enough.

--
]               Never tell me the odds!                 | ipv6 mesh networks [
]   Michael Richardson, Sandelman Software Works        |    network architect  [
]     m...@sandelman.ca  http://www.sandelman.ca/        |   ruby on rails    [

--
Michael Richardson <mcr+i...@sandelman.ca>, Sandelman Software Works
 -= IPv6 IoT consulting =-
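The DNS-SD exchange Michael describes (a PTR query for _brski-pledge._tcp.local answered with one product-serial-number._brski-pledge._tcp.local record per pledge), as an added illustration that is not code from the thread or from any BRSKI implementation. It builds the registrar-agent's query, a constructed pledge-side reply with constructed serial numbers, and the parser that turns the reply into the list of instance names; the `build_*`/`parse_*` names are assumptions. Because mDNS answers carry no authentication, the list is discovery input only: what establishes trust is the pledge's IDevID chaining to a manufacturer trust anchor the registrar has been configured with, as the reply notes.

```python
import struct

SERVICE = "_brski-pledge._tcp.local"
PTR, IN = 12, 1

def encode_name(name):
    """DNS wire form: length-prefixed labels plus the root terminator."""
    return b"".join(bytes([len(lab)]) + lab.encode() for lab in name.split(".")) + b"\x00"

def decode_name(msg, off):
    """Decode a possibly compressed name; return (name, offset after it)."""
    labels, end = [], None
    while (n := msg[off]) != 0:
        if n & 0xC0 == 0xC0:                   # compression pointer (RFC 1035 4.1.4)
            end = off + 2 if end is None else end
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
        else:
            labels.append(msg[off + 1:off + 1 + n].decode()); off += 1 + n
    return ".".join(labels), off + 1 if end is None else end

def build_ptr_query(service=SERVICE):
    """Registrar-agent side: the mDNS PTR query for the pledge service."""
    return struct.pack("!6H", 0, 0, 1, 0, 0, 0) + encode_name(service) + struct.pack("!HH", PTR, IN)

def build_ptr_response(instances, service=SERVICE):
    """Constructed pledge-side reply: one PTR record per instance name."""
    msg = struct.pack("!6H", 0, 0x8400, 0, len(instances), 0, 0)   # QR+AA, QDCOUNT=0
    for i, inst in enumerate(instances):
        owner = encode_name(service) if i == 0 else b"\xC0\x0C"  # later owners point at offset 12
        rdata = encode_name(inst + "." + service)
        msg += owner + struct.pack("!HHIH", PTR, IN, 120, len(rdata)) + rdata
    return msg

def parse_ptr_answers(msg, service=SERVICE):
    """Instance names (product serial numbers) advertised under the service."""
    _, _, qd, an, _, _ = struct.unpack("!6H", msg[:12])
    off, found = 12, []
    for _ in range(qd):                        # skip any echoed question
        off = decode_name(msg, off)[1] + 4
    for _ in range(an):
        owner, off = decode_name(msg, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", msg[off:off + 10]); off += 10
        if rtype == PTR and owner == service:
            target = decode_name(msg, off)[0]
            if target.endswith("." + service):
                found.append(target[:-len(service) - 1])
        off += rdlen
    return found
```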
_______________________________________________ Anima mailing list Anima@ietf.org https://www.ietf.org/mailman/listinfo/anima