IETF Logo Mail Archive

[I2nsf] AD review follow-up on draft-ietf-i2nsf-registration-interface-dm-22

Roman Danyliw <rdd@cert.org> Wed, 11 January 2023 16:25 UTC

Return-Path: <rdd@cert.org>
X-Original-To: i2nsf@ietfa.amsl.com
Delivered-To: i2nsf@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E6C79C15C532 for <i2nsf@ietfa.amsl.com>; Wed, 11 Jan 2023 08:25:20 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.096
X-Spam-Level:
X-Spam-Status: No, score=-2.096 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_DNSWL_BLOCKED=0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=cert.org
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id nMvxSMYzQB0c for <i2nsf@ietfa.amsl.com>; Wed, 11 Jan 2023 08:25:16 -0800 (PST)
Received: from USG02-CY1-obe.outbound.protection.office365.us (mail-cy1usg02on0136.outbound.protection.office365.us [23.103.209.136]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 5CFE2C15C530 for <i2nsf@ietf.org>; Wed, 11 Jan 2023 08:25:14 -0800 (PST)
ARC-Seal: i=1; a=rsa-sha256; s=arcselector5401; d=microsoft.com; cv=none; b=HZBRHIssbeQoZg4hRJFy50fI//ZTjY+uw4u7vPepQmX6/qWHBiWoY6SKP+IB37GgaonKSrMsRA2JQtKAy2J7WsvbkgmPBq5skKFg8cT029aNnnc7MTlnZQI4omcp7Oe6r1TboNkPcxtLSBAQwdCFo1GZYwOkevUYEZbojllQXwuRN93ogikfpRzZXsrXiaCuS13WdHvPbTu4Yd7YD/USGg7MLJM2WjHpdWVWboLcUH1cYBp5WK2pUjvP/dfWVZl8qbgfnFRFcmTS4uiTomozwVx6j6AKR5FLdK6T3lI4E3JuSKFiBWZQi3UYvYjM/JRZ8POr3XqIQCmkHjfCHUqWuA==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector5401; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=b8+AcDlSr+uFKH5JY/g6+pyChj9sEvGWrBIyjRIFvuo=; b=d/eWRbNCbT5XGKY1ToIKb7GrMwqIe7OilOhMQ4iWehKmXH2Z8Q4e2ZMzXEn+nQhDM2++LkmpZBn0DMfSMjcGh25OzsIlOEurBWm91+nlK6h3hXNoyKRUY9CZqvOWEnqQ8Use50ax4dttyz7TqhgVAzl1xQl+CRTiahiuZIeGcYhu3/s60oPLXO6v9stXNSHDVTsVSWgscQDpcUUHNqPXBs+gpTj67JXKJtlgoxGVr4/DOzYMdpCoxsC6ppBvByqdghIAp6uYUj5ACBT/1621JuqMW7oQ8Hj0oE3jG9ThTqPHIuUFBK0uOcNufs0bfXL+BBmJSabLFQU5g1SKS9XjFg==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=cert.org; dmarc=pass action=none header.from=cert.org; dkim=pass header.d=cert.org; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=cert.org; s=selector1; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=b8+AcDlSr+uFKH5JY/g6+pyChj9sEvGWrBIyjRIFvuo=; b=WEiIHRsIVBlKjAdBV7kShZPhd5XCmAxkCfynL8H0jfGIxXTrKeKivpLcdXl34RS+4DWTOLjC3cjbKdo7wCH9Qk3yere81QJ152NQfdzkTIP7TIkxQkH2HhDAY20oqTJtU0+XzqMbX/zE4BcjsS7iDu8EeFmtnyjFZh+cAUf/jk4=
Received: from BN2P110MB1107.NAMP110.PROD.OUTLOOK.COM (2001:489a:200:168::11) by BN2P110MB1240.NAMP110.PROD.OUTLOOK.COM (2001:489a:200:17a::13) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.5944.19; Wed, 11 Jan 2023 16:25:11 +0000
Received: from BN2P110MB1107.NAMP110.PROD.OUTLOOK.COM ([fe80::dacc:e769:564c:f0e]) by BN2P110MB1107.NAMP110.PROD.OUTLOOK.COM ([fe80::dacc:e769:564c:f0e%6]) with mapi id 15.20.5944.019; Wed, 11 Jan 2023 16:25:11 +0000
From: Roman Danyliw <rdd@cert.org>
To: "i2nsf@ietf.org" <i2nsf@ietf.org>
Thread-Topic: AD review follow-up on draft-ietf-i2nsf-registration-interface-dm-22
Thread-Index: Adkl2O08XbAjgjd7TBe4/dErGs0Wyg==
Date: Wed, 11 Jan 2023 16:25:11 +0000
Message-ID: <BN2P110MB1107AC9CE676242748E71AE6DCFC9@BN2P110MB1107.NAMP110.PROD.OUTLOOK.COM>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
authentication-results: dkim=none (message not signed) header.d=none;dmarc=none action=none header.from=cert.org;
x-ms-publictraffictype: Email
x-ms-traffictypediagnostic: BN2P110MB1107:EE_|BN2P110MB1240:EE_
x-ms-office365-filtering-correlation-id: c8427b62-f765-4e71-5668-08daf3f06971
x-ms-exchange-senderadcheck: 1
x-microsoft-antispam: BCL:0;
x-microsoft-antispam-message-info: frk3fV6wAs6x189kDte5x3h31BHI4QF921xBswPAItoY56V58Zkv39HyRRmMUlqoGQoAB/qMkl9Kmqtxt1noGSY7Yj6aOa2sAcW49Za172HKKYBGGqawntGTt7ELPoej27g3ZDiyb2uiIqd1t2elCRmQ0sLUKlGyG4kySUuzQTGbokSL/MxMNB3lnJv1t65ykKj8Wl+fbr7+CYTtYgkiDE3byvGchs6ZPYA5YcW1tAt4atxeUiByxhcNlmZsm2e8MpvS58FHQ2v4NAfQjoYdyJePdgNr+j2zaN1w6ez+f2bQb8pHNeUEoyNVMKvOdv2AEh9TcGx5aj/c/N21ubxhyUfJbVO0Rjz2A0TmUJ63d3Pah4qYP8QybZkDW+FZ4d47JSlSbvEL7aDTTw0xdtZuxLCAe7H++PiJOLqtvZbDuXpNhA+k9IKy8BNKu6vkczJrhAtnCKOYZWOex3GVA8z8rktHgKjezWh6rNkL2K16QNm20tTdgTjATb1RjMZ1X0Qt3IyliXiFBBYz0U8oekbKY+CONA6xUZuQZ+UlIjGueuyDOEiL9uELa6sEcI/2LcwJ1+NTYZAsKXAgeFW2WSWiQdzghhvGQlE49gpeAzDIQVzMgF5HWUHleoQJY4AxSh92LTEBK4OgfzjbKBCDCMbR3w==
x-forefront-antispam-report: CIP:255.255.255.255; CTRY:; LANG:en; SCL:1; SRV:; IPV:NLI; SFV:NSPM; H:BN2P110MB1107.NAMP110.PROD.OUTLOOK.COM; PTR:; CAT:NONE; SFS:(13230022)(39830400003)(396003)(366004)(136003)(451199015)(64756008)(8676002)(83380400001)(66946007)(8936002)(66556008)(66476007)(26005)(71200400001)(41300700001)(66446008)(9686003)(55016003)(5660300002)(52536014)(76116006)(186003)(6506007)(2906002)(33656002)(508600001)(7696005)(86362001)(6916009)(38100700002)(38070700005)(41320700001)(82960400001)(122000001); DIR:OUT; SFP:1102;
x-ms-exchange-antispam-messagedata-chunkcount: 1
x-ms-exchange-antispam-messagedata-0: UT3TKimcWycXDZRZK90Ru0z316K9MKn4/hNnyxVwYP8f2WR4b0deIboinZ5rBM6TP7vI6XJifiwQ2XJs33tagBGrtStIywKvcykbhroJUuWMHxeiduJQP8r1cLjm0PUtyk1OsaAsHPn3UShVvwVqXnBh6IUNMyRqLSIv2j3nSnxWENfQpfaLFmvfmdZDgpDJcVzpVAuMinu0l9oZg7YGKBhSBvNCzprA2TuN0LwM+hQgftOD6IvhyLnM6JpPR5b8JwT5tcLLfq0pX4LYT0NvcXXtWA7z32w1uFbeXB8jPpI2CS6/M+g4BUXEocmpXtBrK20McDeYohZRRVPdhCjT8pV+i7h+FWse56SgJl69Q4yyEwwJjD5rU6EKlakUiYbblMm0R+aguenFXhfGGM9StXKX0DC78FduPseYT3T7opg=
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: base64
MIME-Version: 1.0
X-OriginatorOrg: cert.org
X-MS-Exchange-CrossTenant-AuthAs: Internal
X-MS-Exchange-CrossTenant-AuthSource: BN2P110MB1107.NAMP110.PROD.OUTLOOK.COM
X-MS-Exchange-CrossTenant-Network-Message-Id: c8427b62-f765-4e71-5668-08daf3f06971
X-MS-Exchange-CrossTenant-originalarrivaltime: 11 Jan 2023 16:25:11.2457 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 95a9dce2-04f2-4043-995d-1ec3861911c6
X-MS-Exchange-Transport-CrossTenantHeadersStamped: BN2P110MB1240
Archived-At: <https://mailarchive.ietf.org/arch/msg/i2nsf/1Ixrl8tIHj97JLMP1FdPTKRDgnw>
Subject: [I2nsf] AD review follow-up on draft-ietf-i2nsf-registration-interface-dm-22
X-BeenThere: i2nsf@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: "*I2NSF: Interface to Network Security Functions mailing list*" <i2nsf.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/i2nsf>, <mailto:i2nsf-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/i2nsf/>
List-Post: <mailto:i2nsf@ietf.org>
List-Help: <mailto:i2nsf-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/i2nsf>, <mailto:i2nsf-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 11 Jan 2023 16:25:21 -0000

Hi

I performed an AD review on draft-ietf-i2nsf-registration-interface-dm-21 (https://mailarchive.ietf.org/arch/msg/i2nsf/82QQzd1J6A8xqlyv5ZBRn4_xZCs/).  The authors produced at -22 in response.  Thank you!

To make it easier to track the remaining issues, I've created this new thread. The following is feedback on -22:

** Architectural considerations #1 (Flows between the Security Controller and DMS)

Thanks for the new text in -22 to clarify that the Security Controller is the NETCONF/RESTCONF server and the DMS is the client.  With this understanding I have a few more questions centered around the three objectives described in Section 3.

(a) Section 3. “Registering NSFs with the I2NSF framework”

-- How does the DMS know that it’s supposed to connect to the Security Controller?  For -21:

[-21] How does the Security Controller discover the DMS?
=> [PAUL] This information should be known when an agreement for subscribing to the
security service is approved between the I2NSF User and the vendor. The vendor should
provide the DMS information to the Security Controller for such connection. The method of
exchanging this information is out of the scope of this document.

Can these out-of-scope assumptions please be documented.

-- How is the credentialling provisioned so that the DMS can log-in to the Security Controller?

(b) Section 3. “Asking DMS about some required capabilities”.  Additionally, Section 5.1.2.2 notes that “In this case, Security Controller makes a description of the required capabilities using this module and then queries DMS about which NSF(s) can provide these capabilities.”

-- If the Security Controller is the NETCONF/RESTCONF server and the DMS is the client, what is the mechanism by which questions are posed to the DMS?  Does the Security Controller use the RPC mechanism defined in Section 5.1.2.2 (with the DMS operating a registration server interface)?

-- If the Security Controller use using the RPC mechanism, is the following newly added text in Section 1 entirely accurate:

Section 1. “Note that in either NETCONF [RFC6241] or RESTCONF [RFC8040] parlance through the I2NSF Registration Interface, the Security Controller is the server, and the DMS is the client because the Security Controller and DMS run the server and client for either NETCONF or RESTCONF, respectively.”

-- If the DMS is running a Registration Interface already to satisfy responses to the RPC mechanism, why can’t this same mechanism be used to satisfying the “Registering NSFs with the I2NSF Framework” step?  It would simplify the architecture.

** Architectural Considerations 2 (scope of the DMS)

Per -21:

Per the local provisioning information.
 
(a) Section 4.1.1.1 “The registration interface can control the usages and limitations of the created instance and make the appropriate request according to the status.)”

(b) Section 4.1.2.  The “NSF Access Information” (or grouping nsf-access-info per the YANG module) appears to specify the IP address of an NSF

(c) YANG.  rpc nsf-capability-query has the DMS returning nsf-access-info which is an IP address of an nsf.

Why would the DMS be privy to what appears to be local configuration information.  Does the DMS have a role in provisioning the NSF?  Is there any information about the Security Controller’s configuration stored on the DMS (beyond authorization or authentication information)?

-21 response:
=> [PAUL] The DMS is the system developed by the vendor that provides and deploys the
NSF. The NSF information is unknown to the Security Controller until it is registered by
the DMS. Hence, the DMS knows the local configuration information and informs the
Security Controller of the information. 

Thanks for this explanation and the addition of name and password into nsf-access-info.  I still have some confusion on the architecture and semantics of these fields, and the implications they may have for the security and operational considerations of I2NSF registration interface.  In re-read RFC8329 and the model here, I feel that we need either tighter scoping or at least more explanation on the role of the DMS.

-- Looking at nsf-specification and nsf-access-info, it appears that two classes of information are being shared.  The former describes a capability of the NSF, and the latter is a provisioning information.  Is there an assumption that the DMS is both providing the software for and the NSF _and_ also operating the NSF used by the Security Controller?  This seems to be the case in your response.  My scan of RFC8329 and the descriptive text of the DMS here does not explicitly say that.  Are self-hosted or third party-hosting options of an NSF precluded by this architecture?

-- If the DMS “provides and deploys the NSF” how is the orchestration of the NSFs expected to occur.  When the DMS returns the nsf-access-info of an NSF, does that mean it is ready to be fielded in production by the Security Controller?  Let’s say that a Security Controller no longer needs an NSF, how does it turn it off?

** Section 5.1.2.1. and 5.2  nsf-access-information.

Thanks for the edits here from -21.
       +--rw name?                  string
   +--rw password?              ianach:crypt-hash

    leaf username {
      type string;
      description
        "The user name string identifying the credentials for the
         authentication.";
    }
    leaf password {
      type ianach:crypt-hash;
      description
        "The password for the username for the authentication.
         Any plain-text password must be converted to a hashed value
         as soon as possible";
    }

I wanted to discuss the degree of flexibility warranted here.

-- I asked about this credentialing information in my -21 feedback.  The above fields were added.  I want to make sure that the WG wants to have this credential management in-scope.  It would also be possible to say that this is handled out of band, pre-negotiated with every DMS.

If credential management will be in scope, these would be other matters to consider:

-- If SSH is used, should a list of authorized-keys also be supported?

-- Should there be flexibility for this information to be entirely omitted and these credentials to be provisioned out-of-band, in addition, to an in-band mechanism specified in the module?

-- If this mechanism is used to give the Security Controller the password for the first time, doesn’t “plaintext” ($0$) have to be used?  If the DMS provided a hashed password, it isn’t clear what the Controller would do with it.

-- Should there be guidance stating that password resets and associated credentials changes? 

** Section 7.  Remind the reader of the risks of externally operated NSFs already documented in Section of RFC8329.

** Section 7. Editorial. Please do not use the word “illegally” in the text here to describe the attacker behavior.  

Thanks,
Roman

v2.23.0 | Report a Bug | By Email