Re: [I2nsf] AD review follow-up on draft-ietf-i2nsf-registration-interface-dm-22
"Mr. Jaehoon Paul Jeong" <jaehoon.paul@gmail.com> Thu, 23 February 2023 13:55 UTC
Return-Path: <jaehoon.paul@gmail.com>
X-Original-To: i2nsf@ietfa.amsl.com
Delivered-To: i2nsf@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id BB326C14F74E for <i2nsf@ietfa.amsl.com>; Thu, 23 Feb 2023 05:55:50 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.074
X-Spam-Level:
X-Spam-Status: No, score=-2.074 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_FREEMAIL_DOC_PDF=0.01, T_HK_NAME_FM_MR_MRS=0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 1Lr6gWzmO66b for <i2nsf@ietfa.amsl.com>; Thu, 23 Feb 2023 05:55:49 -0800 (PST)
Received: from mail-pl1-x62d.google.com (mail-pl1-x62d.google.com [IPv6:2607:f8b0:4864:20::62d]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 5B351C14F726 for <i2nsf@ietf.org>; Thu, 23 Feb 2023 05:55:49 -0800 (PST)
Received: by mail-pl1-x62d.google.com with SMTP id s5so12866725plg.0 for <i2nsf@ietf.org>; Thu, 23 Feb 2023 05:55:49 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20210112; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc:subject:date:message-id:reply-to; bh=7gCwGvalxTBhZu5Ii3cs30C8+PAShaOqOEX1LJJP7X0=; b=Oube5KHjeZg0PRggoC7g86AQBNjVHN5eY2dvJEJ5IsVSrYw49uedvxdQ3Xm4Xum2LS 7R6CP23Lwayxw4DXLrUe94JKuLB3COv4ssS1eLQkqqUmRExfK7C09Ft8am+wVdKFFejN TgnOLdMf9xnRX9xbGhgwq/4aSD6WhQRj7AZ96L9uwT1H9zde/30E8V9RwJtd5/H9x6ZH puShSR3mFZFihEG25OSVf5y6Yxgw3Tr934KVZAeRKhc03EPe7ClYCEhhIg/C9pTx7GPg 0ZZfQ5qBN91ppmh2JNg9oyCt58BKhG6kPAUeZcCCI9VRgP9i2e3IKxMCIDm1+rv1iYcM f3xg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=7gCwGvalxTBhZu5Ii3cs30C8+PAShaOqOEX1LJJP7X0=; b=2F6ScD5UnUzLvdm/5CzBfYQERCMTnk35mqKUQIIdIN6WjOCXYTsv1MYG7gsUI9eZks vUtKpqeswIHwe/zatxQ/r1nO+TjYs5rrtEtiUvmYVDZE1a4B3daCHL3moJTtNxasrNMR AgNdPt3EeaKjUisD+sI6pG0TScIkZVA+v0Jnq6hP3W6u+pGTXDhjfJK+ZoxKd1bdPBIu 0U5mHACNoq2DrssYPDuCzdP8xFpKvghOoS5UjAFRZIxcPIlAU8RILmoXVQ8P/9UZ+pXN UGNNj2wv7WFxJbwKOXVBdVoJq9a6iEoF/lqbMmSg9kSqHW+v2b17myp3+hqXKKrlxt6h jZLQ==
X-Gm-Message-State: AO0yUKXhrAv6f4BUw8QmvEyE6r3+EXL2XYCTw0POy3ry/7jBL8LYuw0W 1lTgbXywVOoy4rMJmoZ/XaB5JewUHUgyksuHaBU=
X-Google-Smtp-Source: AK7set/gLWCxI8TrjlsdzKxBgUpjO9oijIrBb+gXR71i99ns3Bkh9rCaAwhg9NAMEO37YQPXGXpdJRStcPQlPR3eD4g=
X-Received: by 2002:a17:90b:4f4e:b0:233:e51a:49dc with SMTP id pj14-20020a17090b4f4e00b00233e51a49dcmr3056760pjb.45.1677160548088; Thu, 23 Feb 2023 05:55:48 -0800 (PST)
MIME-Version: 1.0
References: <BN2P110MB1107AC9CE676242748E71AE6DCFC9@BN2P110MB1107.NAMP110.PROD.OUTLOOK.COM>
In-Reply-To: <BN2P110MB1107AC9CE676242748E71AE6DCFC9@BN2P110MB1107.NAMP110.PROD.OUTLOOK.COM>
From: "Mr. Jaehoon Paul Jeong" <jaehoon.paul@gmail.com>
Date: Thu, 23 Feb 2023 22:55:11 +0900
Message-ID: <CAPK2DewYH5gWOmn_gNRxqShbsYDdk4PmDOSgNcQORzJ3YgeR1Q@mail.gmail.com>
To: Roman Danyliw <rdd@cert.org>
Cc: "i2nsf@ietf.org" <i2nsf@ietf.org>, Patrick Lingga <patricklink888@gmail.com>, skku-iotlab-members <skku-iotlab-members@googlegroups.com>, "Mr. Jaehoon Paul Jeong" <jaehoon.paul@gmail.com>
Content-Type: multipart/mixed; boundary="000000000000b3c4e605f55e5ed8"
Archived-At: <https://mailarchive.ietf.org/arch/msg/i2nsf/TJ0MOReZQY7z7zkrPo2DJy2CWSU>
Subject: Re: [I2nsf] AD review follow-up on draft-ietf-i2nsf-registration-interface-dm-22
X-BeenThere: i2nsf@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: "*I2NSF: Interface to Network Security Functions mailing list*" <i2nsf.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/i2nsf>, <mailto:i2nsf-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/i2nsf/>
List-Post: <mailto:i2nsf@ietf.org>
List-Help: <mailto:i2nsf-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/i2nsf>, <mailto:i2nsf-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 23 Feb 2023 13:55:50 -0000
Hi Roman, The revision for Registration Interface is done by Patrick and me: https://datatracker.ietf.org/doc/html/draft-ietf-i2nsf-registration-interface-dm-23 I attach the revision letter. If you are satisfied with this revision, please move it forward. Thanks. Best Regards, Paul On Thu, Jan 12, 2023 at 1:25 AM Roman Danyliw <rdd@cert.org> wrote: > Hi > > I performed an AD review on draft-ietf-i2nsf-registration-interface-dm-21 ( > https://mailarchive.ietf.org/arch/msg/i2nsf/82QQzd1J6A8xqlyv5ZBRn4_xZCs/). > The authors produced at -22 in response. Thank you! > > To make it easier to track the remaining issues, I've created this new > thread. The following is feedback on -22: > > ** Architectural considerations #1 (Flows between the Security Controller > and DMS) > > Thanks for the new text in -22 to clarify that the Security Controller is > the NETCONF/RESTCONF server and the DMS is the client. With this > understanding I have a few more questions centered around the three > objectives described in Section 3. > > (a) Section 3. “Registering NSFs with the I2NSF framework” > > -- How does the DMS know that it’s supposed to connect to the Security > Controller? For -21: > > [-21] How does the Security Controller discover the DMS? > => [PAUL] This information should be known when an agreement for > subscribing to the > security service is approved between the I2NSF User and the vendor. The > vendor should > provide the DMS information to the Security Controller for such > connection. The method of > exchanging this information is out of the scope of this document. > > Can these out-of-scope assumptions please be documented. > > -- How is the credentialling provisioned so that the DMS can log-in to the > Security Controller? > > (b) Section 3. “Asking DMS about some required capabilities”. > Additionally, Section 5.1.2.2 notes that “In this case, Security Controller > makes a description of the required capabilities using this module and then > queries DMS about which NSF(s) can provide these capabilities.” > > -- If the Security Controller is the NETCONF/RESTCONF server and the DMS > is the client, what is the mechanism by which questions are posed to the > DMS? Does the Security Controller use the RPC mechanism defined in Section > 5.1.2.2 (with the DMS operating a registration server interface)? > > -- If the Security Controller use using the RPC mechanism, is the > following newly added text in Section 1 entirely accurate: > > Section 1. “Note that in either NETCONF [RFC6241] or RESTCONF [RFC8040] > parlance through the I2NSF Registration Interface, the Security Controller > is the server, and the DMS is the client because the Security Controller > and DMS run the server and client for either NETCONF or RESTCONF, > respectively.” > > -- If the DMS is running a Registration Interface already to satisfy > responses to the RPC mechanism, why can’t this same mechanism be used to > satisfying the “Registering NSFs with the I2NSF Framework” step? It would > simplify the architecture. > > ** Architectural Considerations 2 (scope of the DMS) > > Per -21: > > Per the local provisioning information. > > (a) Section 4.1.1.1 “The registration interface can control the usages and > limitations of the created instance and make the appropriate request > according to the status.)” > > (b) Section 4.1.2. The “NSF Access Information” (or grouping > nsf-access-info per the YANG module) appears to specify the IP address of > an NSF > > (c) YANG. rpc nsf-capability-query has the DMS returning nsf-access-info > which is an IP address of an nsf. > > Why would the DMS be privy to what appears to be local configuration > information. Does the DMS have a role in provisioning the NSF? Is there > any information about the Security Controller’s configuration stored on the > DMS (beyond authorization or authentication information)? > > -21 response: > => [PAUL] The DMS is the system developed by the vendor that provides and > deploys the > NSF. The NSF information is unknown to the Security Controller until it is > registered by > the DMS. Hence, the DMS knows the local configuration information and > informs the > Security Controller of the information. > > Thanks for this explanation and the addition of name and password into > nsf-access-info. I still have some confusion on the architecture and > semantics of these fields, and the implications they may have for the > security and operational considerations of I2NSF registration interface. > In re-read RFC8329 and the model here, I feel that we need either tighter > scoping or at least more explanation on the role of the DMS. > > -- Looking at nsf-specification and nsf-access-info, it appears that two > classes of information are being shared. The former describes a capability > of the NSF, and the latter is a provisioning information. Is there an > assumption that the DMS is both providing the software for and the NSF > _and_ also operating the NSF used by the Security Controller? This seems > to be the case in your response. My scan of RFC8329 and the descriptive > text of the DMS here does not explicitly say that. Are self-hosted or > third party-hosting options of an NSF precluded by this architecture? > > -- If the DMS “provides and deploys the NSF” how is the orchestration of > the NSFs expected to occur. When the DMS returns the nsf-access-info of an > NSF, does that mean it is ready to be fielded in production by the Security > Controller? Let’s say that a Security Controller no longer needs an NSF, > how does it turn it off? > > ** Section 5.1.2.1. and 5.2 nsf-access-information. > > Thanks for the edits here from -21. > +--rw name? string > +--rw password? ianach:crypt-hash > > leaf username { > type string; > description > "The user name string identifying the credentials for the > authentication."; > } > leaf password { > type ianach:crypt-hash; > description > "The password for the username for the authentication. > Any plain-text password must be converted to a hashed value > as soon as possible"; > } > > I wanted to discuss the degree of flexibility warranted here. > > -- I asked about this credentialing information in my -21 feedback. The > above fields were added. I want to make sure that the WG wants to have > this credential management in-scope. It would also be possible to say that > this is handled out of band, pre-negotiated with every DMS. > > If credential management will be in scope, these would be other matters to > consider: > > -- If SSH is used, should a list of authorized-keys also be supported? > > -- Should there be flexibility for this information to be entirely omitted > and these credentials to be provisioned out-of-band, in addition, to an > in-band mechanism specified in the module? > > -- If this mechanism is used to give the Security Controller the password > for the first time, doesn’t “plaintext” ($0$) have to be used? If the DMS > provided a hashed password, it isn’t clear what the Controller would do > with it. > > -- Should there be guidance stating that password resets and associated > credentials changes? > > ** Section 7. Remind the reader of the risks of externally operated NSFs > already documented in Section of RFC8329. > > ** Section 7. Editorial. Please do not use the word “illegally” in the > text here to describe the attacker behavior. > > Thanks, > Roman > _______________________________________________ > I2nsf mailing list > I2nsf@ietf.org > https://www.ietf.org/mailman/listinfo/i2nsf >
- [I2nsf] AD review follow-up on draft-ietf-i2nsf-r… Roman Danyliw
- Re: [I2nsf] AD review follow-up on draft-ietf-i2n… Mr. Jaehoon Paul Jeong
- Re: [I2nsf] AD review follow-up on draft-ietf-i2n… Mr. Jaehoon Paul Jeong
- Re: [I2nsf] AD review follow-up on draft-ietf-i2n… Roman Danyliw
- Re: [I2nsf] AD review follow-up on draft-ietf-i2n… Mr. Jaehoon Paul Jeong