Re: [Netconf] Semi-configurable design in server model draft
Kent Watsen <kwatsen@juniper.net> Fri, 27 May 2016 17:31 UTC
Return-Path: <kwatsen@juniper.net>
X-Original-To: netconf@ietfa.amsl.com
Delivered-To: netconf@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B923B12D77C for <netconf@ietfa.amsl.com>; Fri, 27 May 2016 10:31:52 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.901
X-Spam-Level:
X-Spam-Status: No, score=-1.901 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=junipernetworks.onmicrosoft.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id NKELW6p1CLEG for <netconf@ietfa.amsl.com>; Fri, 27 May 2016 10:31:50 -0700 (PDT)
Received: from na01-bn1-obe.outbound.protection.outlook.com (mail-bn1bon0797.outbound.protection.outlook.com [IPv6:2a01:111:f400:fc10::1:797]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id E901D12D0A7 for <netconf@ietf.org>; Fri, 27 May 2016 10:31:48 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=junipernetworks.onmicrosoft.com; s=selector1-juniper-net; h=From:To:Date:Subject:Message-ID:Content-Type:MIME-Version; bh=bcwuPf4ft2NS3zo55gIeFBb+GnnkIA385kkwNJ04b3w=; b=b/p4ii85PgDr39IZDnN6gxpC8mcxNrX76sYPovFUiYn8T+uXitYy5d9GA19hDRJZZl9DkbNabszoDDE8Rnu+yXDuhTwksqFZzERJnJrCxbsfrscxcUBm5W8pCdiZE664cMnZ2Yi9cOA62O+UJjV4H6P21YECVQ0eFJoUCfDOkZA=
Received: from CY1PR0501MB1450.namprd05.prod.outlook.com (10.160.149.11) by CY1PR0501MB1449.namprd05.prod.outlook.com (10.160.148.155) with Microsoft SMTP Server (TLS) id 15.1.501.7; Fri, 27 May 2016 17:31:29 +0000
Received: from CY1PR0501MB1450.namprd05.prod.outlook.com ([10.160.149.11]) by CY1PR0501MB1450.namprd05.prod.outlook.com ([10.160.149.11]) with mapi id 15.01.0501.016; Fri, 27 May 2016 17:31:29 +0000
From: Kent Watsen <kwatsen@juniper.net>
To: Mahesh Jethanandani <mjethanandani@gmail.com>, Netconf <netconf@ietf.org>
Thread-Topic: [Netconf] Semi-configurable design in server model draft
Thread-Index: AQHRt6undd9KBwAb2k2PocgHOjB2f5/MyM0A
Date: Fri, 27 May 2016 17:31:28 +0000
Message-ID: <CF412B7F-FCAB-452C-9AE0-8494B7E674F5@juniper.net>
References: <B1909F40-B306-441E-8F05-661A400A72E2@gmail.com>
In-Reply-To: <B1909F40-B306-441E-8F05-661A400A72E2@gmail.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
user-agent: Microsoft-MacOutlook/f.16.0.160506
authentication-results: gmail.com; dkim=none (message not signed) header.d=none;gmail.com; dmarc=none action=none header.from=juniper.net;
x-ms-exchange-messagesentrepresentingtype: 1
x-originating-ip: [66.129.241.11]
x-ms-office365-filtering-correlation-id: 7acda86b-1180-4e38-c219-08d38654bcb6
x-microsoft-exchange-diagnostics: 1; CY1PR0501MB1449; 5:rHHrgjX+Xalmptz3n7chSxXo5BLe4ciEzbVyEPbab+nGwzT+pMGJ4d6UDfOFERkbM22oBmGsfWTH8k4B+t2XGfDETViXHAZn1CLdk3YAVphFD8ZdgurAMvo/WWn3JK6BDmufYRkTjgoSt1jtkKcrqg==; 24:mAedTgtgqAJ4HIJQYgDoP8kYqZsTrGh1O1PRWnWjchqC/2nkG2rMq0lqyIPs5yOi957q5S6Gq3jSsnAaUfQNvugE/TEyOlAdXc8PNs9ZQ2k=; 7:mC52awkwCmFx7A20yu4DZjf47l4Rw++iGh+3NC9csuaRRq57+tfbIN/YK+XV4SU8ul6YCNSlKW8Bi31K/3VfxfgjyJ2xrEPCPdMDUmrWjjqzdQ3y9GPuuLhquYydTdIlL446cHbAmXkLoa7Rxf4bbygIeFv/d2lbbeRUG9Ql4/4WdP9annXYVi2Q5tkTGuQ5
x-microsoft-antispam: UriScan:;BCL:0;PCL:0;RULEID:;SRVR:CY1PR0501MB1449;
x-microsoft-antispam-prvs: <CY1PR0501MB14498345427EF8ECE48A7841A5420@CY1PR0501MB1449.namprd05.prod.outlook.com>
x-exchange-antispam-report-test: UriScan:(158342451672863)(21748063052155);
x-exchange-antispam-report-cfa-test: BCL:0; PCL:0; RULEID:(601004)(2401047)(8121501046)(5005006)(3002001)(10201501046)(6055026); SRVR:CY1PR0501MB1449; BCL:0; PCL:0; RULEID:; SRVR:CY1PR0501MB1449;
x-forefront-prvs: 09555FB1AD
x-forefront-antispam-report: SFV:NSPM; SFS:(10019020)(51444003)(377454003)(36756003)(102836003)(6116002)(1220700001)(586003)(106116001)(19300405004)(10400500002)(5001770100001)(16236675004)(3846002)(19580395003)(3660700001)(3280700002)(19580405001)(2906002)(5008740100001)(92566002)(76176999)(54356999)(50986999)(5002640100001)(8936002)(19625215002)(11100500001)(122556002)(2900100001)(82746002)(87936001)(15975445007)(2950100001)(99286002)(77096005)(81166006)(83716003)(8676002)(83506001)(107886002)(4001350100001)(189998001)(66066001)(86362001)(5004730100002)(33656002)(104396002); DIR:OUT; SFP:1102; SCL:1; SRVR:CY1PR0501MB1449; H:CY1PR0501MB1450.namprd05.prod.outlook.com; FPR:; SPF:None; MLV:sfv; LANG:en;
spamdiagnosticoutput: 1:23
spamdiagnosticmetadata: NSPM
Content-Type: multipart/alternative; boundary="_000_CF412B7FFCAB452C9AE08494B7E674F5junipernet_"
MIME-Version: 1.0
X-OriginatorOrg: juniper.net
X-MS-Exchange-CrossTenant-originalarrivaltime: 27 May 2016 17:31:29.0059 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: bea78b3c-4cdb-4130-854a-1d193232e5f4
X-MS-Exchange-Transport-CrossTenantHeadersStamped: CY1PR0501MB1449
Archived-At: <http://mailarchive.ietf.org/arch/msg/netconf/0_fV_G16j-bU71OfzZo7gB0wVVY>
Subject: Re: [Netconf] Semi-configurable design in server model draft
X-BeenThere: netconf@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: Network Configuration WG mailing list <netconf.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/netconf>, <mailto:netconf-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/netconf/>
List-Post: <mailto:netconf@ietf.org>
List-Help: <mailto:netconf-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/netconf>, <mailto:netconf-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 27 May 2016 17:31:53 -0000
It should be noted that the following exchange happened on Apr 7th:
<kent>
Yes, the action statements are intended to update the running datastore. Presumably because the actions are either generating or loading a new key, there would not be a real world locking issue, but I can see how this might lead to undesirable results. Access control (NACM) was removed when we moved to the keychain based approach, but presumably the private key would need to protected by nacm:default-deny-all.
I see what you're saying. You're right about this breaking backup and restore. The only way to fix it is for the backup (<get-config>) to contain the private keys. But note that systems using a TPM actually have NO WAY to get the private key out of the TPM - only the TPM itself has access to the private key. So for these systems, backup/restore (RMA) is impossible, even with root-level access on the command line.
I'm not sure if I understand your first option. Do you mean the client would create a dummy private key entry (a placeholder) and then call an action to populate the key with data?
</kent>
<martin>
Yes, but since the private key is not part of the config, the action
will not touch the running config.
</martin>
<kent>
I don't think the private keys can be config false, since they are referenced by config true nodes in the tls/ssh-server modules.
</kent>
<martin>
You can have a require-instance false leafref to the config false of
keys, and then describe what will happen if some server is configured
to point to a private key that doesn't exist.
There are systems with tamper-proof hw that won't allow you to access
the keys unless a physical token is present (e.g. a USB stick). In
such systems, you may very well end up with config that refers to a
key that isn't available.
Question 1: If the private key is not stored in special HW, do we
want to support backup/restore of such keys?
If the answer is yes:
Use a config list and a separate -state list.
Make all references point to the -state list (in order to handle
TPM etc)
If the answer is no:
Use only a config false list and define actions to manipulate
the list.
</martin>
Regarding Martin’s question #1 (note: there wasn’t a question #2), I think that the answer is “yes, we’d like to support backup/restore of private keys”. Is this the WG’s opinion as well?
Thanks,
Kent
From: Netconf <netconf-bounces@ietf.org> on behalf of Mahesh Jethanandani <mjethanandani@gmail.com>
Date: Thursday, May 26, 2016 at 8:06 PM
To: "netconf@ietf.org" <netconf@ietf.org>
Subject: [Netconf] Semi-configurable design in server model draft
One of the issues that Kent brought up in the interim meeting was the issue of configuring the private key. Some background on that issue dates back to the thread that started with Martin reviewing the document and here is what he brought up in that review.
o Section 4.1
I think the "semi-configurable" design has some issues. You have
defined some actions that actually modifies the configuration of the
system. It is not clear which config datastore is modified.
Presumably running. Interactions with locking and access control
are not described. Also, the resulting configuration is not
complete - i.e., you cannot do <copy-config> to save/restore a
backup. This is fine, since you really don't want to expose the
private keys in the config backup. But some discussion is needed
around this subject. What happens if I generate a private key with
your action, backup that config and then restore it? What happens
with config that has references to such a key?
One way to avoid that the actions modify the configuration could be
to move them into the private-key list. One drawback is that two
operations are needed in order to create a (usable) key - first
create the config in running, then call the action.
Another option might be to model the keys as config false data.
This also solves the problem that some keys (in TPM for example)
are not deletable.
The two suggestions that Kent brought to the meeting on whether to make it a leaf or an action.
Leafs can be backed up or restored. But private-keys in TPM never leave the source. How do we support special hardware like TPM?
Making it an action requires creation of a dummy private key, and then call action to populate the data in it, as Martin states above. What happens if the key is not available but is referenced by the system?
Kent, is that a fair summary of the issue?
Let the discussion begin :-)
Mahesh Jethanandani
mjethanandani@gmail.com<mailto:mjethanandani@gmail.com>
- Re: [Netconf] Semi-configurable design in server … Kent Watsen
- [Netconf] Semi-configurable design in server mode… Mahesh Jethanandani
- Re: [Netconf] Semi-configurable design in server … Kent Watsen
- Re: [Netconf] Semi-configurable design in server … Mahesh Jethanandani
- Re: [Netconf] Semi-configurable design in server … Martin Bjorklund
- Re: [Netconf] Semi-configurable design in server … Kent Watsen
- Re: [Netconf] Semi-configurable design in server … Kent Watsen