Re: [Anima] Adam Roach's Discuss on draft-ietf-anima-bootstrapping-keyinfra-22: (with DISCUSS and COMMENT)

"Max Pritikin (pritikin)" <pritikin@cisco.com> Fri, 12 July 2019 15:21 UTC

From: "Max Pritikin (pritikin)" <pritikin@cisco.com>
To: Eliot Lear <lear@cisco.com>
CC: Adam Roach <adam@nostrum.com>, Michael Richardson <mcr+ietf@sandelman.ca>, "draft-ietf-anima-bootstrapping-keyinfra@ietf.org" <draft-ietf-anima-bootstrapping-keyinfra@ietf.org>, Toerless Eckert <tte+ietf@cs.fau.de>, "anima@ietf.org" <anima@ietf.org>, The IESG <iesg@ietf.org>, "anima-chairs@ietf.org" <anima-chairs@ietf.org>
Date: Fri, 12 Jul 2019 15:21:25 +0000
Message-ID: <4BC524D0-04E7-4ACC-8638-453643961D15@cisco.com>
In-Reply-To: <A1A92C21-91BC-447C-ADED-ABB744EDE98D@cisco.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/anima/LCmH9jGsgPh6T0jCihDsyiZGpqk>

FYI, what you all are discussing is potential changes to the normative language of
https://tools.ietf.org/html/draft-ietf-anima-bootstrapping-keyinfra-22#section-7.2

Probably strengthening this paragraph from MAY/SHOULD to a MUST:

   3.  The pledge MAY have an operational mode where it skips voucher
       validation one time.  For example if a physical button is
       depressed during the bootstrapping operation.  This can be useful
       if the manufacturer service is unavailable.  This behavior SHOULD
       be available via local configuration or physical presence methods
       (such as use of a serial/craft console) to ensure new entities
       can always be deployed even when autonomic methods fail.  This
       allows for unsecured imprint.

If this is a suggested change please comment on the subsequent paragraph which reads:

   It is RECOMMENDED that "trust on first use" or any method of skipping
   voucher validation (including use of craft serial console) only be
   available if hardware assisted Network Endpoint Assessment [RFC5209]
   is supported.  This recommendation ensures that domain network
   monitoring can detect inappropriate use of offline or emergency
   deployment procedures when voucher-based bootstrapping is not used.

The use of SHOULD and RECOMMENDED is a strong indicator of how this should be done. As much so as a MUST: "security requirements we write into our specs, we'll have no means of enforcement".

Since Eliot has brought up other options like being able to replace the MASA trust anchors or some form of "self emitted" voucher, here are the current thoughts along those lines:

If one possessed a nonceless voucher then one possesses a permanent token to enable bootstrapping of the device. This is the very first point in section 7.2 discussed above:

   1.  The pledge MUST accept nonceless vouchers.  This allows for a use
       case where the registrar can not connect to the MASA at the
       deployment time.  Logging and validity periods address the
       security considerations of supporting these use cases.

There are two ways to leverage this. Predominantly this means that after a single BRSKI exchange any domain owner can opt out of any future BRSKI stuff and still be able to (re)perform over-the-wire bootstrapping (this is of course captured in the audit log). Additionally the privacy protections mean that this voucher can be tied to a transient keypair that could be distributed with the device for resale. So this can be passed on to entities further down the supply chain or during a resale of the device.

These two methods hit a large percentage of use cases being discussed while maintaining the audit log.

- max

On Jul 12, 2019, at 1:27 AM, Eliot Lear <lear@cisco.com> wrote:

Hi Adam

On 12 Jul 2019, at 00:25, Adam Roach <adam@nostrum.com> wrote:


The smallest change that would satisfy my concern would be a statement that says that devices conformant to this specification MUST contain a local means of bootstrapping that does not rely on any specific server being available. As with the security requirements we write into our specs, we'll have no means of enforcement. But as with the security requirements we write into our specs, we'll give interested parties just that little bit more leverage that might tip the scales towards the correct behavior.


I think this is easily possible within the paradigm of the document after the device has first been onboarded. At this stage, I would also suggest that the MUST be a SHOULD for another reason: there may be cases where it is in the customer's best interest to prevent onboarding of a device just through proof of possession.  I am thinking of anti-theft mechanisms.  Having a discussion of this and the risks of not having any on-prem method ever seems like a reasonable add.

Eliot
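To make the section 7.2 behaviours the thread argues over concrete, here is an added example of a pledge's voucher-acceptance decision: point 1 (nonceless vouchers accepted, bounded by the validity period), point 3 (a one-time skip of voucher validation under physical presence, which local configuration can disable, as Eliot's anti-theft concern wants), and the audit log that records every decision. This is illustration code written for this thread, not code from the draft, from any MASA, or from any BRSKI implementation. It assumes a voucher is a plain dict shaped after the RFC 8366 field names, and it stands in for the MASA's CMS signature with an HMAC under a constructed key, so that everything runs offline.

```python
import hashlib
import hmac
import json
from datetime import datetime, timedelta, timezone

# Constructed key: stands in for the MASA signing key whose public half the
# pledge carries as its trust anchor. Real vouchers are CMS-signed (RFC 8366).
MASA_KEY = b"constructed-masa-signing-key"


def _canonical(voucher: dict) -> bytes:
    return json.dumps(voucher, sort_keys=True, separators=(",", ":")).encode()


def masa_sign(voucher: dict, key: bytes = MASA_KEY) -> str:
    """MASA side: sign the voucher (HMAC stands in for the CMS signature)."""
    return hmac.new(key, _canonical(voucher), hashlib.sha256).hexdigest()


def _ts(s: str) -> datetime:
    return datetime.fromisoformat(s.replace("Z", "+00:00"))


class Pledge:
    def __init__(self, serial, trust_anchor=MASA_KEY, unsecured_imprint_enabled=False):
        self.serial = serial
        self.trust_anchor = trust_anchor
        # Section 7.2 point 3: the one-time skip is an operational mode that
        # local configuration may turn off (e.g. for anti-theft reasons).
        self.unsecured_imprint_enabled = unsecured_imprint_enabled
        self.pending_nonce = None      # nonce sent in the last voucher-request
        self.pinned_domain = None      # domain the pledge imprinted on
        self.audit_log = []            # every decision, accepted or not

    def start_request(self, nonce: str) -> None:
        self.pending_nonce = nonce

    def _decide(self, accepted: bool, method: str, reason: str) -> dict:
        entry = {"accepted": accepted, "method": method, "reason": reason}
        self.audit_log.append(entry)
        return entry

    def accept_voucher(self, voucher, signature, now, physical_presence=False) -> dict:
        # Point 3: physical presence (button, craft console) skips validation once.
        if physical_presence:
            if not self.unsecured_imprint_enabled:
                return self._decide(False, "unsecured-imprint", "disabled by local configuration")
            self.unsecured_imprint_enabled = False          # one time only
            self.pinned_domain = voucher.get("pinned-domain-cert")
            return self._decide(True, "unsecured-imprint", "voucher validation skipped")

        # A voucher is only a voucher if it verifies against the MASA trust anchor.
        expected = masa_sign(voucher, self.trust_anchor)
        if not hmac.compare_digest(expected, signature):
            return self._decide(False, "voucher", "signature does not verify")
        if voucher.get("serial-number") != self.serial:
            return self._decide(False, "voucher", "serial-number mismatch")

        if "nonce" in voucher:
            # Nonced voucher: must answer this pledge's live request, so no replay.
            if voucher["nonce"] != self.pending_nonce:
                return self._decide(False, "nonced-voucher", "nonce mismatch")
            method = "nonced-voucher"
        else:
            # Point 1: nonceless vouchers MUST be accepted; the validity period is
            # what keeps this "permanent token" from being permanent forever.
            if "expires-on" not in voucher:
                return self._decide(False, "nonceless-voucher", "no expires-on")
            if now > _ts(voucher["expires-on"]):
                return self._decide(False, "nonceless-voucher", "voucher expired")
            method = "nonceless-voucher"

        if "created-on" in voucher and _ts(voucher["created-on"]) > now:
            return self._decide(False, method, "created-on is in the future")
        self.pinned_domain = voucher["pinned-domain-cert"]
        return self._decide(True, method, "imprinted on " + self.pinned_domain)


def demo() -> dict:
    """Run the cases from the thread against constructed vouchers."""
    t0 = datetime(2019, 7, 12, 15, 0, tzinfo=timezone.utc)
    pledge = Pledge("SN-0001", unsecured_imprint_enabled=True)
    pledge.start_request("nonce-abc")
    nonced = {"serial-number": "SN-0001", "created-on": "2019-07-12T14:59:00Z",
              "assertion": "verified", "nonce": "nonce-abc",
              "pinned-domain-cert": "constructed-domain-ca"}
    nonceless = {"serial-number": "SN-0001", "created-on": "2019-07-12T14:59:00Z",
                 "expires-on": "2020-07-12T00:00:00Z", "assertion": "logged",
                 "pinned-domain-cert": "constructed-domain-ca"}
    r = {}
    r["nonced_ok"] = pledge.accept_voucher(nonced, masa_sign(nonced), t0 + timedelta(minutes=5))["accepted"]
    pledge.start_request("nonce-xyz")   # a new request: the old nonced voucher is stale
    r["nonced_replayed"] = pledge.accept_voucher(nonced, masa_sign(nonced), t0 + timedelta(minutes=5))["accepted"]
    r["nonceless_ok"] = pledge.accept_voucher(nonceless, masa_sign(nonceless), t0 + timedelta(days=300))["accepted"]
    r["nonceless_expired"] = pledge.accept_voucher(nonceless, masa_sign(nonceless), t0 + timedelta(days=400))["accepted"]
    tampered = {**nonceless, "pinned-domain-cert": "modified-domain-ca"}   # signature no longer matches
    r["tampered"] = pledge.accept_voucher(tampered, masa_sign(nonceless), t0)["accepted"]
    r["button_first"] = pledge.accept_voucher({}, "", t0, physical_presence=True)["accepted"]
    r["button_second"] = pledge.accept_voucher({}, "", t0, physical_presence=True)["accepted"]
    r["audit_entries"] = len(pledge.audit_log)
    return r


if __name__ == "__main__":
    print(demo())
```

The nonceless path is the "permanent token" Max describes: within its validity window it re-imprints the device with no MASA contact at all, and the only things standing between that and abuse are the expiry and the audit entry, which is why every branch above writes to `audit_log` before returning. Setting `unsecured_imprint_enabled=False` models the SHOULD rather than MUST that Eliot asks for: the physical-presence override exists, but an owner who wants theft resistance can switch it off.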