Re: [Anima-bootstrap] ownership vouchers?
"Max Pritikin (pritikin)" <pritikin@cisco.com> Tue, 26 April 2016 18:51 UTC
Return-Path: <pritikin@cisco.com>
X-Original-To: anima-bootstrap@ietfa.amsl.com
Delivered-To: anima-bootstrap@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 55EA712D570 for <anima-bootstrap@ietfa.amsl.com>; Tue, 26 Apr 2016 11:51:23 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -15.517
X-Spam-Level:
X-Spam-Status: No, score=-15.517 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_HI=-5, RCVD_IN_MSPIKE_H4=-0.01, RCVD_IN_MSPIKE_WL=-0.01, RP_MATCHES_RCVD=-0.996, SPF_PASS=-0.001, USER_IN_DEF_DKIM_WL=-7.5] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=cisco.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id LxK9KPiuKlCg for <anima-bootstrap@ietfa.amsl.com>; Tue, 26 Apr 2016 11:51:21 -0700 (PDT)
Received: from alln-iport-3.cisco.com (alln-iport-3.cisco.com [173.37.142.90]) (using TLSv1.2 with cipher DHE-RSA-SEED-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id A7DDC12D55F for <anima-bootstrap@ietf.org>; Tue, 26 Apr 2016 11:51:21 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cisco.com; i=@cisco.com; l=6228; q=dns/txt; s=iport; t=1461696681; x=1462906281; h=from:to:cc:subject:date:message-id:references: in-reply-to:content-id:content-transfer-encoding: mime-version; bh=fWfflAlCUTuH0vhCFBYK+qYLrbQZXRwQADUU0UuXt7I=; b=YVKS6DN1hRttHrJLOhksZ5IjS6J/rPlwm1F+IhDqVqu0BnR+sDNvor6V 3PwxAijSSMzI4Toa59nlXuisvQUPr/e9oI5PT6aVF0Vb6KBCEMXPTmGzG ZC1lV4QJHKOMhwUlCWKk6pnc6Is1BBYNzFXc4/J0KiBq9W9inTgVVi9Zm g=;
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: A0AJAgCztx9X/5ldJa1VCYM4U30GuXkBDYF0IoVtAhyBIjgUAQEBAQEBAWUnhEEBAQEDASMRRQULAgEIDgoCAiYCAgIwFRACBA4FiCIIDrMZkRsBAQEBAQEBAQEBAQEBAQEBAQEBAQEVfIcaglaEFhEWgwIrgisFjVSKPAGFe4gbgjWMXI8vAR4BAUKCBRuBS2wBiC5/AQEB
X-IronPort-AV: E=Sophos;i="5.24,537,1454976000"; d="scan'208";a="265705492"
Received: from rcdn-core-2.cisco.com ([173.37.93.153]) by alln-iport-3.cisco.com with ESMTP/TLS/DHE-RSA-AES256-GCM-SHA384; 26 Apr 2016 18:51:20 +0000
Received: from XCH-ALN-007.cisco.com (xch-aln-007.cisco.com [173.36.7.17]) by rcdn-core-2.cisco.com (8.14.5/8.14.5) with ESMTP id u3QIpKiu013420 (version=TLSv1/SSLv3 cipher=AES256-SHA bits=256 verify=FAIL); Tue, 26 Apr 2016 18:51:20 GMT
Received: from xch-aln-013.cisco.com (173.36.7.23) by XCH-ALN-007.cisco.com (173.36.7.17) with Microsoft SMTP Server (TLS) id 15.0.1104.5; Tue, 26 Apr 2016 13:51:20 -0500
Received: from xch-aln-013.cisco.com ([173.36.7.23]) by XCH-ALN-013.cisco.com ([173.36.7.23]) with mapi id 15.00.1104.009; Tue, 26 Apr 2016 13:51:20 -0500
From: "Max Pritikin (pritikin)" <pritikin@cisco.com>
To: Kent Watsen <kwatsen@juniper.net>
Thread-Topic: ownership vouchers?
Thread-Index: AQHRnz6KvSbUzAnF+kW3VDcOmCpiYJ+c7pGA
Date: Tue, 26 Apr 2016 18:51:19 +0000
Message-ID: <664CAC1A-21DF-4CA4-A474-2E7CBD5412D0@cisco.com>
References: <AC8506CD-B46D-4748-AE39-CE1DF93072BF@juniper.net>
In-Reply-To: <AC8506CD-B46D-4748-AE39-CE1DF93072BF@juniper.net>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-ms-exchange-messagesentrepresentingtype: 1
x-ms-exchange-transport-fromentityheader: Hosted
x-originating-ip: [10.99.106.4]
Content-Type: text/plain; charset="utf-8"
Content-ID: <EA0B43A803B65845A6C4DA15D51ED97B@emea.cisco.com>
Content-Transfer-Encoding: base64
MIME-Version: 1.0
Archived-At: <http://mailarchive.ietf.org/arch/msg/anima-bootstrap/X-ZMwMIx4E75yuCeJh0Bc-iDfWE>
Cc: Michael Richardson <mcr+ietf@sandelman.ca>, anima-bootstrap <anima-bootstrap@ietf.org>, "consultancy@vanderstok.org" <consultancy@vanderstok.org>, "Michael Behringer (mbehring)" <mbehring@cisco.com>
Subject: Re: [Anima-bootstrap] ownership vouchers?
X-BeenThere: anima-bootstrap@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: Mailing list for the bootstrap design team of the ANIMA WG <anima-bootstrap.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/anima-bootstrap>, <mailto:anima-bootstrap-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/anima-bootstrap/>
List-Post: <mailto:anima-bootstrap@ietf.org>
List-Help: <mailto:anima-bootstrap-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/anima-bootstrap>, <mailto:anima-bootstrap-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 26 Apr 2016 18:51:23 -0000
> On Apr 25, 2016, at 4:05 PM, Kent Watsen <kwatsen@juniper.net> wrote: > > [Changing subject line] > > > > > On 4/18/16, 2:40 PM, "Michael Richardson" <mcr+ietf@sandelman.ca> wrote: > >> >> Kent Watsen <kwatsen@juniper.net> wrote: >>> Though I may not be a regular, I think that we could use a meeting or >>> two to discuss how to modify the Ownership Voucher definition to suit >>> ANIMA bootstrap. >> >> I agree that this is an important thing to do. >> Should we detail why this needs to be standardized? > > > I have one reason outside of ANIMA, which is to enable multi-vendor devices to pull signed data from DNS-SD. Specifically, look at the very last paragraph in Section 4.2 of the zerotouch draft (https://tools.ietf.org/html/draft-ietf-netconf-zerotouch-08#section-4.2). > > Let's says we have two devices, from two different vendors. If they both do a DNS-SD lookup for say "_zerotouch._tcp.example.com", they'll both get the same signed data and, more to the point, the same ownership voucher. While a single voucher can span many devices, unless standardized, it could never span more than one vendor. I’m confused by this. The first paragraph of s4.2 indicates that "data provided using DNS-SD can only be redirect information (not bootstrap information)” so what we’re talking about is the normal DNS-SD service name to FQDN server name redirection? Because the device hasn’t been bootstrapped yet it can’t use DNS-SEC to secure this. We can’t even use the RFC6125 s6.5 SVR-ID work, again since we are not bootstrapped yet. There are two ways to proceed. We can either use message based protections around the redirection or we can use message based protections around the actual bootstrapping message. In the former case the DNS server needs to know the appropriate signed message format to respond with so it would need to know the type of device requesting the information. In s4.3 this is provided to a DHCP server, to address a similar problem, via "The device SHOULD again pass the Vendor Class Identifier (option 60) field in its DHCP lease request” but of course this isn’t secured for DHCP and doesn’t exist for DNS! I think we run into a rat hole of edge cases to deal with. The later case of course already exists. Does it make more sense to proceed with a provisional attempt to obtain the bootstrapping information you describe as “fallback” below but which anima BSKI takes as the primary flow? Interestingly what Anima BSKI does there conflicts with s4.4 where it says that, "When the device connects to an untrusted bootstrap server, the device MUST NOT send its IDevID certificate in the form of a client certificate, and MUST NOT send any notifications to the bootstrap server, using the "notification" action defined in Section 7.4”. In this case how does the boostrap server know what type of device to respond to? > That said, we may want to extend to concept of a "voucher" to a "bundle of vouchers" as, even with a single vendor case, the vouchers may by issued over time such that a single voucher doesn't span all the devices in a network. If there were support for bundles, all the vouchers within the bundle would have to have a common format, or else be tagged as to which [vendor-specific] format they're in. This might be a way to not have to standardize vouchers, but it seems easier to have a single format. I lean away from bundling because when you do so you’re leaking information about the network infrastructure. Its a hard call but I’d prefer to leak information about the new, untrusted, device rather than leaking information about my network. > I don't know how realistic it is that a single voucher would span all the devices in a domain at a given time, or how likely it is that anyone would configure their DNS server to return signed data. On that latter point, it certainly seems like a lot of effort given that the fallback position is to 1) return unsigned data, 2) let the device establish a provisional TLS connection to the bootstrap server, from which 3) it downloads signed data, potentially with a device-specific voucher. Yes, agreed. Plus if you have multiple vouchers each spanning different groups of devices then you have to select which voucher based on the client identity anyway. So I agree with where you’re thinking — to me the “fallback” is really the primary flow. - max > > Just thinking out loud here... > > Kent > > >
- [Anima-bootstrap] ownership vouchers? Kent Watsen
- Re: [Anima-bootstrap] ownership vouchers? Max Pritikin (pritikin)
- Re: [Anima-bootstrap] ownership vouchers? Kent Watsen
- Re: [Anima-bootstrap] ownership vouchers? Max Pritikin (pritikin)
- Re: [Anima-bootstrap] ownership vouchers? Kent Watsen
- [Anima-bootstrap] cool acronym discussion Michael Richardson
- Re: [Anima-bootstrap] ownership vouchers? Michael Richardson
- Re: [Anima-bootstrap] ownership vouchers? peter van der Stok