Re: [Anima-bootstrap] ownership vouchers?

Kent Watsen <> Tue, 03 May 2016 14:47 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 9F30112D822 for <>; Tue, 3 May 2016 07:47:25 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -1.902
X-Spam-Status: No, score=-1.902 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: (amavisd-new); dkim=pass (1024-bit key)
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id iYQKchxfJTDm for <>; Tue, 3 May 2016 07:47:22 -0700 (PDT)
Received: from ( [IPv6:2a01:111:f400:fc10::761]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)) (No client certificate requested) by (Postfix) with ESMTPS id 3D71B12B022 for <>; Tue, 3 May 2016 07:47:22 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=selector1-juniper-net; h=From:To:Date:Subject:Message-ID:Content-Type:MIME-Version; bh=0phzKcYm5hnim07ktz+T91i6Z0wSvIVdIUT9T60wHoo=; b=EnEF266Ji1oKZtgCmQ0NkCmDR5XVr23N6gaqZp5/DXeO4e0CUQzFt+AN2WwXK1a3eaz1YQ1TKRpAo/w3/HQgHrYRdHZ6OS6ya4Vdi5kBmTyHSrvA7wEfJl6gW7+R6eDKzUOwCaue50gr3OO+ducsg/7+xTBiIKogTQWLswRLKe4=
Received: from ( by ( with Microsoft SMTP Server (TLS) id 15.1.477.8; Tue, 3 May 2016 14:47:02 +0000
Received: from ([]) by ([]) with mapi id 15.01.0477.014; Tue, 3 May 2016 14:47:02 +0000
From: Kent Watsen <>
To: "Max Pritikin (pritikin)" <>
Thread-Topic: ownership vouchers?
Thread-Index: AQHRnz6KvSbUzAnF+kW3VDcOmCpiYJ+c7pGAgAKrGACAAlDtAIAFKSwA
Date: Tue, 3 May 2016 14:47:02 +0000
Message-ID: <>
References: <> <> <> <>
In-Reply-To: <>
Accept-Language: en-US
Content-Language: en-US
user-agent: Microsoft-MacOutlook/f.15.1.160411
authentication-results:; dkim=none (message not signed) header.d=none;; dmarc=none action=none;
x-ms-exchange-messagesentrepresentingtype: 1
x-originating-ip: []
x-ms-office365-filtering-correlation-id: 197052d4-2c3b-4bc6-cdfb-08d37361c9c1
x-microsoft-exchange-diagnostics: 1; CY1PR0501MB1450; 5:AWB2yNVDsYEM92F2ZEOGcspd/flk7zWM//WvH/Lc2pW6odXvWRRHGSWJ6+3b03KyVPRqIYqFLuInmOpNcrqhrNNnurBEY7HqyehYdbiKISCv3y5H/ygUudKTcazTkhXR2f+PG1HG6YxRodhL5gndeA==; 24:oFwOsnsqNAP9ZOVSYpy7SUeLkW+afH/IGFdTiz/KFIPadx8gTAufnJanqeTL4HhZFjyIyGv0S+4nAMShHfaZcs1rYW8Aw6Dfn+8z+tB+sJ4=; 7:+QbtD7ELC6giDI0RJ06sgWcJmsB0eaWNK7Z8cuztId0+Gy3kRKOZfll2zmFLfh2OJ9EoEIsaYB94s+nyEZTxEJO4y4/YDEDpEqvYM8ZmPMxoCLAsnSf53Mg/7TLOQscIsxbt3F4YyrS3Vxe7Qwnu2IARbUp7sUPDed30yzBLmWTtTbiyg8IGo3dpBWvQw1WK
x-microsoft-antispam: UriScan:;BCL:0;PCL:0;RULEID:;SRVR:CY1PR0501MB1450;
x-microsoft-antispam-prvs: <>
x-exchange-antispam-report-test: UriScan:(138986009662008)(95692535739014);
x-exchange-antispam-report-cfa-test: BCL:0; PCL:0; RULEID:(9101521096)(601004)(2401047)(8121501046)(5005006)(10201501046)(3002001)(6055026); SRVR:CY1PR0501MB1450; BCL:0; PCL:0; RULEID:; SRVR:CY1PR0501MB1450;
x-forefront-prvs: 0931CB1479
x-forefront-antispam-report: SFV:NSPM; SFS:(10019020)(6009001)(40224003)(377454003)(24454002)(83506001)(33656002)(4326007)(83716003)(93886004)(3280700002)(4001350100001)(66066001)(3480700004)(122556002)(19580405001)(92566002)(81166005)(82746002)(54356999)(99286002)(86362001)(36756003)(8936002)(50986999)(76176999)(19580395003)(3660700001)(5008740100001)(106116001)(11100500001)(189998001)(5004730100002)(3846002)(87936001)(102836003)(6116002)(10400500002)(5002640100001)(586003)(1220700001)(2900100001)(110136002)(15975445007)(77096005)(2950100001)(9944002)(104396002); DIR:OUT; SFP:1102; SCL:1; SRVR:CY1PR0501MB1450;; FPR:; SPF:None; MLV:sfv; LANG:en;
spamdiagnosticoutput: 1:23
spamdiagnosticmetadata: NSPM
Content-Type: text/plain; charset="utf-8"
Content-ID: <>
Content-Transfer-Encoding: base64
MIME-Version: 1.0
X-MS-Exchange-CrossTenant-originalarrivaltime: 03 May 2016 14:47:02.1909 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: bea78b3c-4cdb-4130-854a-1d193232e5f4
X-MS-Exchange-Transport-CrossTenantHeadersStamped: CY1PR0501MB1450
Archived-At: <>
Cc: Michael Richardson <>, anima-bootstrap <>, "" <>, "Michael Behringer \(mbehring\)" <>
Subject: Re: [Anima-bootstrap] ownership vouchers?
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: Mailing list for the bootstrap design team of the ANIMA WG <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Tue, 03 May 2016 14:47:25 -0000

Due to the conflict mentioned before, I'm not going to make today's meeting.  I will see if the other team can move to another day.

Responses below:

On 4/29/16, 6:58 PM, "Max Pritikin (pritikin)" <> wrote:

>> On Apr 28, 2016, at 2:36 PM, Kent Watsen <> wrote:
>> On 4/26/16, 2:51 PM, "Max Pritikin (pritikin)" <> wrote:
>>>> On Apr 25, 2016, at 4:05 PM, Kent Watsen <> wrote:
>>>> [Changing subject line]
>>>> On 4/18/16, 2:40 PM, "Michael Richardson" <> wrote:
>>>>> Kent Watsen <> wrote:
>>>>>> Though I may not be a regular, I think that we could use a meeting or
>>>>>> two to discuss how to modify the Ownership Voucher definition to suit
>>>>>> ANIMA bootstrap.
>>>>> I agree that this is an important thing to do.
>>>>> Should we detail why this needs to be standardized?
>>>> I have one reason outside of ANIMA, which is to enable multi-vendor devices to pull signed data from DNS-SD.  Specifically, look at the very last paragraph in Section 4.2 of the zerotouch draft (
>>>> Let's says we have two devices, from two different vendors.  If they both do a DNS-SD lookup for say "", they'll both get the same signed data and, more to the point, the same ownership voucher.  While a single voucher can span many devices, unless standardized, it could never span more than one vendor.
>>> I’m confused by this.
>> But it seems from below you do get it...   :)
>>> The first paragraph of s4.2 indicates that "data provided using DNS-SD can only be redirect information (not bootstrap information)” so what we’re talking about is the normal DNS-SD service name to FQDN server name redirection? Because the device hasn’t been bootstrapped yet it can’t use DNS-SEC to secure this. We can’t even use the RFC6125 s6.5 SVR-ID work, again since we are not bootstrapped yet.
>>> There are two ways to proceed. We can either use message based protections around the redirection or we can use message based protections around the actual bootstrapping message. In the former case the DNS server needs to know the appropriate signed message format to respond with so it would need to know the type of device requesting the information. In s4.3 this is provided to a DHCP server, to address a similar problem, via "The device SHOULD again pass the Vendor Class Identifier (option 60) field in its DHCP lease request” but of course this isn’t secured for DHCP and doesn’t exist for DNS! I think we run into a rat hole of edge cases to deal with. The later case of course already exists.
>> Right, but if there were a standard format for Ownership Voucher, the need to pass Vendor Class Identifier for DHCP, or the equivalent (if there were one) for DNS, disappears.  This is my point for why the NETCONF Zero Touch draft might like to see the Ownership Voucher standardized (answering Michael's original question).  Of course, there is the additional reason that we haven't started discussing yet, which is that a standardized format could be shared by the ANIMA draft...
>>> Does it make more sense to proceed with a provisional attempt to obtain the bootstrapping information you describe as “fallback” below but which anima BSKI takes as the primary flow?
>> It's a "fallback" only in the context below.  From a draft perspective, they're just options on equal footing; implementations can decide which they want to use.
>> Off topic: what happened to the 'R' in BSKI?  I really liked the idea of calling it brewski  ;)
>We all agree ‘brewski’ is the best name. But defining the ‘BRSKI’ backronym never really happened. Not too late to change it… :)
>>> Interestingly what Anima BSKI does there conflicts with s4.4 where it says that, "When
>>>  the device connects to an untrusted bootstrap server, the device MUST
>>>  NOT send its IDevID certificate in the form of a client certificate,
>>>  and MUST NOT send any notifications to the bootstrap server, using
>>>  the "notification" action defined in Section 7.4”. In this case how does the boostrap server know what type of device to respond to?
>> It knows because of the URL the device uses, when accessing the bootstrap server, encodes the device's serial number.  E.g., GET
>This is of course not secured, but I understand that its just a hint and worse case is a DoS which was an option to the attacker anyway.

Yes, but when the device knows it's establishing a provisional TLS connection to an untrusted server, it must be a *signed* hint...

>Any comment about the netconf s4.4 normative text rejecting the primary device authentication method of BrSKI? Is that a problem we should resolve?

I don't think that there is a conflict as s4.4 regards a "bootstrap server", as defined in s1.2 (Terminology):

   Bootstrap Server:  The term "bootstrap server" is used within this
       document to mean any RESTCONF server implementing the YANG module
       defined in Section 7.4.

The BrSKI server is a different thing, having a different API.  Admittedly "bootstrap server" sounds like it might apply to a broad spectrum of servers that serve the purpose of bootstrapping, but that's not what is intended here.

>>>> That said, we may want to extend to concept of a "voucher" to a "bundle of vouchers" as, even with a single vendor case, the vouchers may by issued over time such that a single voucher doesn't span all the devices in a network.  If there were support for bundles, all the vouchers within the bundle would have to have a common format, or else be tagged as to which [vendor-specific] format they're in.  This might be a way to not have to standardize vouchers, but it seems easier to have a single format.
>>> I lean away from bundling because when you do so you’re leaking information about the network infrastructure. It's a hard call but I’d prefer to leak information about the new, untrusted, device rather than leaking information about my network.
>> Fair enough
>>>> I don't know how realistic it is that a single voucher would span all the devices in a domain at a given time, or how likely it is that anyone would configure their DNS server to return signed data.  On that latter point, it certainly seems like a lot of effort given that the fallback position is to 1) return unsigned data, 2) let the device establish a provisional TLS connection to the bootstrap server, from which 3) it downloads signed data, potentially with a device-specific voucher.
>>> Yes, agreed. Plus if you have multiple vouchers each spanning different groups of devices then you have to select which voucher based on the client identity anyway. So I agree with where you’re thinking — to me the “fallback” is really the primary flow.
>> Right.  The draft defines the option for completeness, but implementations may not use that option very often.
>This option introduces a lot of complexity to the message format. Is it worth it?

Are we still talking about supporting signed data for DNS-SD?  It's optional, folks wanting DNS-SD without the hassle can just use a standard DNS SVR record for the equivalent of unsigned data.

But the real question that remains is if there is desire within the ANIMA team to standardize on a voucher format that can be used by both solutions?

>- max
>> Kent