[nasr] Re: [saag] Re: Re: Re: NASR BOF Follow-Up
刘鹏辉 <liupenghui1982@163.com> Fri, 11 April 2025 03:14 UTC
Return-Path: <liupenghui1982@163.com>
X-Original-To: nasr@mail2.ietf.org
Delivered-To: nasr@mail2.ietf.org
Received: from localhost (localhost [127.0.0.1]) by mail2.ietf.org (Postfix) with ESMTP id 20B351A7B8B8; Thu, 10 Apr 2025 20:14:13 -0700 (PDT)
X-Virus-Scanned: amavisd-new at ietf.org
X-Spam-Flag: NO
X-Spam-Score: -1.846
X-Spam-Level:
X-Spam-Status: No, score=-1.846 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_ENVFROM_END_DIGIT=0.25, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_VALIDITY_RPBL_BLOCKED=0.001, RCVD_IN_VALIDITY_SAFE_BLOCKED=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: mail2.ietf.org (amavisd-new); dkim=pass (1024-bit key) header.d=163.com
Received: from mail2.ietf.org ([166.84.6.31]) by localhost (mail2.ietf.org [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id VIqPin9cuBIS; Thu, 10 Apr 2025 20:14:10 -0700 (PDT)
Received: from m16.mail.163.com (m16.mail.163.com [117.135.210.4]) by mail2.ietf.org (Postfix) with ESMTP id 7F7B71A7B860; Thu, 10 Apr 2025 20:14:03 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=163.com; s=s110527; h=Date:From:Subject:Content-Type:MIME-Version: Message-ID; bh=UcwpBxGe3hJK3HkJhZfrW9CAOluPrjQMuPcyuBijiH8=; b=G sWnZY2i7rumDKKnTlPGiyIqpvtPukr6JsPYBVsWskQwBILbqvOLo/cHm51QW4rmo +w4j9vciMslYzaks0KGSErkZHwAgOXlkYMf9suJ7xZQnE9fcnOOIMvlwzDs34BwG T0eCQ8e1fuxQb+benXEBA6xr8SA/lHC/yPcq9+6Ozk=
Received: from liupenghui1982$163.com ( [218.17.115.213] ) by ajax-webmail-wmsvr-40-107 (Coremail) ; Fri, 11 Apr 2025 11:13:33 +0800 (CST)
X-Originating-IP: [218.17.115.213]
Date: Fri, 11 Apr 2025 11:13:33 +0800
From: 刘鹏辉 <liupenghui1982@163.com>
To: Toerless Eckert <tte@cs.fau.de>
X-Priority: 3
X-Mailer: Coremail Webmail Server Version XT5.0.14 build 20240801(9da12a7b) Copyright (c) 2002-2025 www.mailtech.cn 163com
In-Reply-To: <Z_heIJ4DDae5uX_-@faui48e.informatik.uni-erlangen.de>
References: <ef08bf0afa924713acc629dff8156761@huawei.com> <2025040312042771743841@chinamobile.com> <CAL02cgSg53nOB8BCSNCLGC78r41P_1VzBPoj2yOJP1qbS0jqfA@mail.gmail.com> <CABcZeBPFaJMsWyNozXS+osh251631vCStkrmOk=WQig5c1_0qw@mail.gmail.com> <19058.1743968487@obiwan.sandelman.ca> <CABcZeBPGt-OLy9KGpTM22neE7F9ysD=Wm0zK6yHZoQ3gFHXqGw@mail.gmail.com> <fd1b5da9-8d5c-c0f6-c801-578c45529f45@ietf.contact> <CABcZeBPEBrQYBH8oH3-JhQbcxi0djcsGVhSJXO3f-jEvdPik_w@mail.gmail.com> <Z_heIJ4DDae5uX_-@faui48e.informatik.uni-erlangen.de>
X-CM-CTRLMSGS: MzPE4XRyYWNlS2V5PXByZV81NDgwM2Y5OTczZjQyNmVlZjAzMjRjZWJhN2ZjN WJiZQ==
X-NTES-SC: AL_Qu2fBv+fvkoq5SCeYOkfmU4Uh+49Ucq0u/kk2IJePZp6jCHp5yw4ZFlTL2fzy/CDBzCrkAiHSilM+NZqY6xEWaApNJj8ocJD077G5F79W5uPXw==
Content-Type: multipart/related; boundary="----=_Part_54173_1811052551.1744341213073"
MIME-Version: 1.0
Message-ID: <66c9816f.3829.19622d69f92.Coremail.liupenghui1982@163.com>
X-Coremail-Locale: zh_CN
X-CM-TRANSID: aygvCgDHD6HdiPhn37STAA--.63991W
X-CM-SenderInfo: xolx1v5qjk3xarzyjqqrwthudrp/xtbB0gIsxmf4hjd2LAAAsO
X-Coremail-Antispam: 1U5529EdanIXcx71UUUUU7vcSsGvfC2KfnxnUU==
Message-ID-Hash: GSFC4XSAGVXMU4TXQEZ53ORYS3G7KOWG
X-Message-ID-Hash: GSFC4XSAGVXMU4TXQEZ53ORYS3G7KOWG
X-MailFrom: liupenghui1982@163.com
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
CC: Eric Rescorla <ekr@rtfm.com>, Henk Birkholz <henk.birkholz@ietf.contact>, Michael Richardson <mcr+ietf@sandelman.ca>, "nasr@ietf.org" <nasr@ietf.org>, IETF SAAG <saag@ietf.org>
X-Mailman-Version: 3.3.9rc6
Precedence: list
Subject: [nasr] Re: [saag] Re: Re: Re: NASR BOF Follow-Up
List-Id: Network Attestation for Secure Routing <nasr.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/nasr/WBHL6rUV-E1BswD_S8uCNNWXLMQ>
List-Archive: <https://mailarchive.ietf.org/arch/browse/nasr>
List-Help: <mailto:nasr-request@ietf.org?subject=help>
List-Owner: <mailto:nasr-owner@ietf.org>
List-Post: <mailto:nasr@ietf.org>
List-Subscribe: <mailto:nasr-join@ietf.org>
List-Unsubscribe: <mailto:nasr-leave@ietf.org>
Hi all, As I mentioned before, as a trusted node, network devices must first pass some form of third-party authoritative trusted authentication (or operator customized authentication), and at the same time run pre built authenticated trusted components on the device. These trusted components have undergone strict testing and cannot run other non authenticated software on the network. By obtaining these authentication information (as evidence) to prove whether the network device is a trusted node, it is selected by the arranger when providing business services. These authentication information as evidence, such as certificates, operational status, configuration information, etc., should be available for customers to query. The orchestration and network equipment here are owned by the operator. The POT containing evidence is retained along with the transmitted business data for verification in case of legal issues. NASR is written into the SLA as a service to clarify the responsibilities of both parties. If these cannot be met, customers may as well choose physical dedicated lines to transmit data without the need for NASR. BR, Penghui liu At 2025-04-11 08:11:12, "Toerless Eckert" <tte@cs.fau.de> wrote: >Eric, > >>From my understanding, this analysis does not need to be constrained to >configuration state. In fact, i would never want to trust configuration state >alone, but only configuration and operational state. > >This is the same for existing rats for e.g.: secure bootstrap. The attestation provided >by a device is not that it has some "operating system file with some cert/signature", >but that that is actually the running OS. > >In the same way, you would start collecting enough attestation to trust the commands >through which you retrieve operational state (including prior valiation of all credentials >to talk to the routers). Such as (YANG equiv) "show int * macsec state" >or the like (to circle back to my most favourite feature ;-). Which would show >enough details to know the credentials of the peer and that the interfaces traffic >is MacSEC secured with approved session and data encryption protocols. > >It is then the controller who provides the attestation for the fact that the network >(or subdomain or whatever) is running MacSec beteween all members. > >And if we could get scripts into routers to do this analysis of operational state >locally on a router, that would be even better, because then it could probably >be extending what the router can attest to itself - and the NASR controller needs to >primarily provide only attestation as to the seamless connectivity of the per-hop >encrypted topoloy or path of interest. > >Cheers > toerless > >On Thu, Apr 10, 2025 at 12:28:39PM -0700, Eric Rescorla wrote: >> On Thu, Apr 10, 2025 at 11:02 AM Henk Birkholz <henk.birkholz@ietf.contact> >> wrote: >> >> > Hi ekr, >> > >> > auditing the "correctness" of configuration or configurable state is an >> > additional step that comes with its own security considerations, I think. >> > >> > The fact that a network device is trustworthy (it is doing what it is >> > intended to do (by the Verifier Owner) and nothing else) does not >> > directly translate to an operational state that is doing what every >> > Relying Party expects it to do, I think. >> > >> > In remote attestation, the Verifier can be considered a trusted third >> > party that takes on the burden of Evidence appraisal. As there are can >> > be a quite colorful bouquet of Attester and Evidence types, that >> > (sometimes quite significant burden/complexity) burden of Evidence >> > appraisal is off-loaded to Verifiers so that the audience of Relying >> > Parties can consume digestible Attestation Results tailored to their needs. >> > >> > If there is additional "relevant stuff" w.r.t. a network device which >> > needs to be evaluated, that might be a task that remote attestation is >> > only in support of - but that does not seem to be an explicit part of >> > establishing trust in the trustworthiness in a remote peer/router. Or am >> > I missing something very obvious here? >> > >> >> I don't know if you're missing something, but I don't really see how >> this addresses my point, which is about the complexity of evaluating >> the relevant Evidence, not about who does it. Specifically, my concern >> is that it will not be practical to determine whether a given router >> configuration enforces the high level semantics desired by the >> Relying Party, e.g., that the data is going directly from this system >> to system B without any ability for anyone else to see it. In order >> to ensure this, someone has to know that all configuration values >> that might implicate this guarantee are in known good states. That >> could happen by, for instance: >> >> - The Verifier seeing Claims for all the relevant configuration values >> - The vendor determining which configuration values are relevant >> and causing the device to emit a higher level Claim >> >> But in either case, someone needs to take on the analysis of all >> the configuration values. Has this been done for the types of devices >> in question? >> >> -Ekr >> >> >> > >> > >> > Viele Grüße, >> > >> > Henk >> > >> > On 06.04.25 22:52, Eric Rescorla wrote: >> > > >> > > >> > > On Sun, Apr 6, 2025 at 12:41 PM Michael Richardson >> > > <mcr+ietf@sandelman.ca <mailto:mcr%2Bietf@sandelman.ca>> wrote: >> > > >> > > >> > > Eric Rescorla <ekr@rtfm.com <mailto:ekr@rtfm.com>> wrote: >> > > > However, it's not clear to me that that's true in this case, >> > > because >> > > > unlike media players, network devices are highly configurable >> > > and a >> > > > large number of the configuration directives might impact the >> > > relevant >> > > > security claims. Thus, determining whether an element is >> > policy >> > > > conformant is a matter of knowing not just what code it is >> > > running >> > > > but the state of every relevant configuration directive. One >> > > could >> > > > imagine this working at least three ways: >> > > >> > > I think you are making routers sound way more complicated than they >> > are. >> > > >> > > >> > > 1. 90% of directives have little to no affect. >> > > (I have one toe in the routing/operations space. I'm ASN26227) >> > > >> > > >> > > Perhaps, but they still need to be individually examined in order to >> > > to determine that. Has someone done that? >> > > >> > > >> > > 2. they are significantly less complicated than Windows, yet all >> > > that media >> > > based DRM stuff you mentioned is dependant upon windows boot >> > > doing the >> > > right thing. >> > > >> > > >> > > But essentially none of the relevant stuff that needs to be attested to >> > > is configurable (by design). You just attest to the CDM contents. >> > > >> > > >> > > > In the former case, it is quite likely that there will be a >> > large >> > > > number of valid states, because each directive may have >> > multiple >> > > > acceptable values, and so you end up with combinatoric >> > explosion >> > > > issues if you just have a list of hashes [0]. In the latter >> > > case we >> > > >> > > yet, the *routing* people with the expertise here, and a few >> > > operators seem >> > > pretty sure they can do this. >> > > >> > > >> > > It's not uncommon to see people be overconfident about things >> > > prior to attempting them, especially in the area of security. Has >> > > someone actually gone through the exercise of examining every >> > > directive and determining which ones are relevant? >> > > >> > > -Ekr >> > > >> > > >> > > > Either approach requires studying the impact of every existing >> > > > configuration directive for each device type to know what the >> > > > impact will be on the relevant policy claims. This seems >> > > challenging >> > > > at best. >> > > >> > > -- >> > > Michael Richardson <mcr+IETF@sandelman.ca >> > > <mailto:mcr%2BIETF@sandelman.ca>> . o O ( IPv6 IøT consulting ) >> > > Sandelman Software Works Inc, Ottawa and Worldwide >> > > >> > > >> > > >> > > >> > > _______________________________________________ >> > > saag mailing list -- saag@ietf.org <mailto:saag@ietf.org> >> > > To unsubscribe send an email to saag-leave@ietf.org >> > > <mailto:saag-leave@ietf.org> >> > > >> > > >> -- >> nasr mailing list -- nasr@ietf.org >> To unsubscribe send an email to nasr-leave@ietf.org > > >-- >--- >tte@cs.fau.de > >-- >nasr mailing list -- nasr@ietf.org >To unsubscribe send an email to nasr-leave@ietf.org
- [nasr] NASR BOF Follow-Up Liuchunchi(Peter)
- [nasr] Re: [saag] NASR BOF Follow-Up Meiling Chen
- [nasr] Re: [saag] Re: NASR BOF Follow-Up Richard Barnes
- [nasr] Re: [saag] Re: NASR BOF Follow-Up Eric Rescorla
- [nasr] Re: [saag] Re: NASR BOF Follow-Up Michael Richardson
- [nasr] Re: [saag] Re: Re: Re: NASR BOF Follow-Up Eric Rescorla
- [nasr] Re: [saag] Re: Re: Re: NASR BOF Follow-Up Luigi IANNONE
- [nasr] Re: [saag] Re: Re: Re: NASR BOF Follow-Up Meiling Chen
- [nasr] Re: [saag] Re: Re: Re: NASR BOF Follow-Up Henk Birkholz
- [nasr] Re: [saag] Re: NASR BOF Follow-Up Henk Birkholz
- [nasr] Re: [saag] Re: Re: Re: NASR BOF Follow-Up Eric Rescorla
- [nasr] Re: [saag] Re: NASR BOF Follow-Up Eric Rescorla
- [nasr] Re: [saag] Re: Re: Re: NASR BOF Follow-Up 刘鹏辉
- [nasr] Re: [saag] Re: Re: Re: NASR BOF Follow-Up Toerless Eckert
- [nasr] Re: [saag] Re: Re: Re: Re: Re: NASR BOF Fo… Watson Ladd
- [nasr] Re: [saag] Re: Re: Re: NASR BOF Follow-Up Liuchunchi(Peter)
- [nasr] Re: [saag] Re: NASR BOF Follow-Up Henk Birkholz
- [nasr] Re: [saag] Re: NASR BOF Follow-Up Michael Richardson
- [nasr] Re: [saag] Re: Re: Re: NASR BOF Follow-Up Eric Rescorla
- [nasr] Re: [saag] Re: NASR BOF Follow-Up Henk Birkholz
- [nasr] Re: [saag] Re: NASR BOF Follow-Up Eric Rescorla
- [nasr] Re: [saag] Re: NASR BOF Follow-Up Eric Rescorla
- [nasr] Re: [saag] Re: NASR BOF Follow-Up Henk Birkholz
- [nasr] Re: [saag] Re: NASR BOF Follow-Up Henk Birkholz
- [nasr] Re: [saag] Re: NASR BOF Follow-Up Eric Rescorla
- [nasr] Re: [saag] Re: NASR BOF Follow-Up Liuchunchi(Peter)
- [nasr] Re: [saag] Re: NASR BOF Follow-Up Richard Barnes
- [nasr] Re: [saag] Re: Re: Re: NASR BOF Follow-Up Watson Ladd
- [nasr] Re: [saag] Re: NASR BOF Follow-Up Toerless Eckert
- [nasr] Re: [saag] Re: Re: Re: NASR BOF Follow-Up Toerless Eckert
- [nasr] Re: [saag] Re: NASR BOF Follow-Up Henk Birkholz
- [nasr] Re: [saag] Re: NASR BOF Follow-Up Eric Rescorla
- [nasr] Re: [saag] Re: Re: Re: NASR BOF Follow-Up Henk Birkholz
- [nasr] Re: [saag] Re: Re: Re: NASR BOF Follow-Up Watson Ladd
- [nasr] Re: [saag] Re: Re: Re: NASR BOF Follow-Up Toerless Eckert
- [nasr] Re: [saag] Re: NASR BOF Follow-Up Toerless Eckert
- [nasr] Re: [saag] Re: Re: Re: NASR BOF Follow-Up Watson Ladd
- [nasr] Re: [saag] Re: Re: Re: NASR BOF Follow-Up Michael Richardson
- [nasr] Summary of Discussions So far---Re: [saag]… Meiling Chen
- [nasr] Re: Summary of Discussions So far---Re: [s… Luigi IANNONE
- [nasr] Re: Summary of Discussions So far---Re: [s… Meiling Chen
- [nasr] Re: [saag] Re: NASR BOF Follow-Up Eric Rescorla
- [nasr] Re: [saag] Re: NASR BOF Follow-Up Meiling Chen
- [nasr] Re: [saag] Re: Re: Re: NASR BOF Follow-Up Watson Ladd
- [nasr] Re: [saag] Re: Re: Re: NASR BOF Follow-Up Luigi IANNONE
- [nasr] Re: [saag] Re: Re: Re: NASR BOF Follow-Up Meiling Chen
- [nasr] Re: [saag] Re: NASR BOF Follow-Up Eric Rescorla
- [nasr] Re: [saag] Re: Re: Re: NASR BOF Follow-Up Henk Birkholz
- [nasr] Re: [saag] Re: Re: Re: Re: Re: NASR BOF Fo… Liuchunchi(Peter)
- [nasr] Re: [saag] Re: Re: Re: Re: Re: NASR BOF Fo… Toerless Eckert
- [nasr] Re: [saag] Re: Re: Re: NASR BOF Follow-Up Henk Birkholz
- [nasr] Re: [saag] Re: NASR BOF Follow-Up Eric Rescorla
- [nasr] Re: [saag] Re: NASR BOF Follow-Up Eric Rescorla
- [nasr] Re: [saag] Re: Re: Re: NASR BOF Follow-Up Meiling Chen
- [nasr] Re: [saag] Re: NASR BOF Follow-Up Toerless Eckert
- [nasr] Re: [saag] Re: Re: Re: NASR BOF Follow-Up Henk Birkholz
- [nasr] Re: [saag] Re: Re: Re: NASR BOF Follow-Up Meiling Chen
- [nasr] Re: [saag] Re: Re: Re: NASR BOF Follow-Up Eric Rescorla
- [nasr] Re: [saag] Re: Re: Re: NASR BOF Follow-Up Luigi IANNONE
- [nasr] Re: [saag] Re: Re: Re: NASR BOF Follow-Up Eric Rescorla
- [nasr] Re: [saag] Re: Re: Re: NASR BOF Follow-Up Meiling Chen
- [nasr] Re: [saag] Re: Re: Re: NASR BOF Follow-Up Eric Rescorla
- [nasr] Re: [saag] Re: Re: Re: Re: Re: NASR BOF Fo… Stephen Farrell
- [nasr] Re: [saag] Re: Re: Re: NASR BOF Follow-Up Eric Rescorla
- [nasr] Re: [saag] Re: Re: Re: NASR BOF Follow-Up Luigi IANNONE
- [nasr] Re: [saag] Re: Re: Re: NASR BOF Follow-Up Liuchunchi(Peter)
- [nasr] Re: [saag] Re: NASR BOF Follow-Up Toerless Eckert
- [nasr] Re: [saag] Re: Re: Re: Re: Re: NASR BOF Fo… Liuchunchi(Peter)
- [nasr] Re: [saag] Re: Re: Re: Re: Re: NASR BOF Fo… Eric Rescorla
- [nasr] Re: [saag] Re: Re: Re: Re: Re: NASR BOF Fo… Meiling Chen
- [nasr] Re: [saag] Re: Re: Re: Re: Re: NASR BOF Fo… Adrian Farrel
- [nasr] Re: [saag] Re: Re: Re: Re: Re: NASR BOF Fo… Luigi IANNONE
- [nasr] Re: [saag] Re: Re: Re: Re: Re: NASR BOF Fo… Eric Rescorla
- [nasr] Re: [saag] Re: Re: NASR BOF Follow-Up Carsten Bormann