Re: [Netconf] Semi-configurable design in server model draft
Kent Watsen <kwatsen@juniper.net> Wed, 01 March 2017 03:39 UTC
Return-Path: <kwatsen@juniper.net>
X-Original-To: netconf@ietfa.amsl.com
Delivered-To: netconf@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 7105A12944F for <netconf@ietfa.amsl.com>; Tue, 28 Feb 2017 19:39:52 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.902
X-Spam-Level:
X-Spam-Status: No, score=-1.902 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_MSPIKE_H2=-0.001, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=junipernetworks.onmicrosoft.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id H3zjShRUp43k for <netconf@ietfa.amsl.com>; Tue, 28 Feb 2017 19:39:50 -0800 (PST)
Received: from NAM03-DM3-obe.outbound.protection.outlook.com (mail-dm3nam03on0130.outbound.protection.outlook.com [104.47.41.130]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 05FF31293F0 for <netconf@ietf.org>; Tue, 28 Feb 2017 19:39:49 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=junipernetworks.onmicrosoft.com; s=selector1-juniper-net; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version; bh=7vSqmUzMe1hoWcw/4pI9hoQ7RygiQXyPthFXl6A8Xqs=; b=YhPnyI6Maes+iwUTq1p5ve4jHb42wZLTYdCRl9jHW2e4US+Vqy55g3nkY6MEF2rUWa7afFoUN74gjUt7X1u5SDHqaFRAj3Nh+n32OYXGwig0hCqIBLEl4PeHEjuEgKHzWm7j/TCUuvgVm4spsztlZfD/yhFD1n8hEOlgdoJXQ4Y=
Received: from BN3PR0501MB1442.namprd05.prod.outlook.com (10.160.117.151) by BN3PR0501MB1441.namprd05.prod.outlook.com (10.160.117.150) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P384) id 15.1.947.2; Wed, 1 Mar 2017 03:39:48 +0000
Received: from BN3PR0501MB1442.namprd05.prod.outlook.com ([10.160.117.151]) by BN3PR0501MB1442.namprd05.prod.outlook.com ([10.160.117.151]) with mapi id 15.01.0947.011; Wed, 1 Mar 2017 03:39:48 +0000
From: Kent Watsen <kwatsen@juniper.net>
To: "netconf@ietf.org" <netconf@ietf.org>
Thread-Topic: [Netconf] Semi-configurable design in server model draft
Thread-Index: AQHRt6undd9KBwAb2k2PocgHOjB2f5/MyM0AgABHOwCABBqFAIA8kgMAgXL7OAA=
Date: Wed, 01 Mar 2017 03:39:48 +0000
Message-ID: <D1CF4C4C-27B3-44A5-B021-FA9BEF2287DC@juniper.net>
References: <B1909F40-B306-441E-8F05-661A400A72E2@gmail.com> <CF412B7F-FCAB-452C-9AE0-8494B7E674F5@juniper.net> <D836466C-B19E-4B87-AE5B-6DC2F7ADC8A6@gmail.com> <20160530.102622.281213031392882639.mbj@tail-f.com> <06ADB831-7279-426F-A506-6868D96F8FCF@juniper.net>
In-Reply-To: <06ADB831-7279-426F-A506-6868D96F8FCF@juniper.net>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
user-agent: Microsoft-MacOutlook/f.1f.0.170216
authentication-results: ietf.org; dkim=none (message not signed) header.d=none;ietf.org; dmarc=none action=none header.from=juniper.net;
x-ms-exchange-messagesentrepresentingtype: 1
x-originating-ip: [66.129.241.10]
x-ms-office365-filtering-correlation-id: 386a6000-d99e-40b2-7c68-08d460549c8d
x-ms-office365-filtering-ht: Tenant
x-microsoft-antispam: UriScan:; BCL:0; PCL:0; RULEID:(22001)(48565401081); SRVR:BN3PR0501MB1441;
x-microsoft-exchange-diagnostics: 1; BN3PR0501MB1441; 7:f+ZIkh15PI7+5uuUa9bwh/ZfOjQXSBSFY5+GxUuRJiKt0pP5Bnn8Ad+fkHrlqxDaLVvCCVie9AetOZDFb0q93za1HXnFXtuwNX1QoNt0yGBfNgWXIiR5tXRuNXs9L8VYHFMVBV/tZG8MfZTM7RNx3I7QT1OHGsa8akb3sRQb6EToETJXnrEqbldtN38gLgGuGndhNxXT2kXitD4SR5LEdmxttIU2sSAWXSrYPEMiADlDQb/cOBNM1jfp+HVFUc4IeK0NGV2sL6F+b60UgWt4XPB2tYCydWa7zoypVhmGwgSaLKl3flJ8ZqKf9fg2546Vqujd14LLCyV7+/uWVe4Ozg==
x-microsoft-antispam-prvs: <BN3PR0501MB14417C772B7499837E463E68A5290@BN3PR0501MB1441.namprd05.prod.outlook.com>
x-exchange-antispam-report-test: UriScan:(158342451672863)(166708455590820)(138986009662008);
x-exchange-antispam-report-cfa-test: BCL:0; PCL:0; RULEID:(6040375)(601004)(2401047)(8121501046)(5005006)(3002001)(10201501046)(6055026)(6041248)(20161123555025)(20161123558025)(20161123562025)(20161123560025)(20161123564025)(6072148); SRVR:BN3PR0501MB1441; BCL:0; PCL:0; RULEID:; SRVR:BN3PR0501MB1441;
x-forefront-prvs: 0233768B38
x-forefront-antispam-report: SFV:NSPM; SFS:(10019020)(6009001)(7916002)(39850400002)(39410400002)(39860400002)(39840400002)(39450400003)(377454003)(24454002)(76104003)(110136004)(33656002)(81166006)(38730400002)(1730700003)(6246003)(92566002)(5660300001)(53936002)(8676002)(2900100001)(7736002)(93886004)(229853002)(53546006)(25786008)(36756003)(2906002)(5640700003)(99286003)(6436002)(6512007)(6306002)(3660700001)(3280700002)(4001350100001)(66066001)(305945005)(2351001)(2501003)(77096006)(189998001)(8936002)(6506006)(450100001)(83716003)(6916009)(50986999)(6486002)(86362001)(3846002)(6116002)(76176999)(122556002)(54356999)(2950100002)(106116001)(82746002)(102836003)(83506001); DIR:OUT; SFP:1102; SCL:1; SRVR:BN3PR0501MB1441; H:BN3PR0501MB1442.namprd05.prod.outlook.com; FPR:; SPF:None; MLV:sfv; LANG:en;
spamdiagnosticoutput: 1:99
spamdiagnosticmetadata: NSPM
Content-Type: text/plain; charset="utf-8"
Content-ID: <9BCC8220A95B0B4C82DB67FDDC268550@namprd05.prod.outlook.com>
Content-Transfer-Encoding: base64
MIME-Version: 1.0
X-OriginatorOrg: juniper.net
X-MS-Exchange-CrossTenant-originalarrivaltime: 01 Mar 2017 03:39:48.3932 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: bea78b3c-4cdb-4130-854a-1d193232e5f4
X-MS-Exchange-Transport-CrossTenantHeadersStamped: BN3PR0501MB1441
Archived-At: <https://mailarchive.ietf.org/arch/msg/netconf/0yZ28lcHoFbiZyXbQZSm17qZmcQ>
Subject: Re: [Netconf] Semi-configurable design in server model draft
X-BeenThere: netconf@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: Network Configuration WG mailing list <netconf.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/netconf>, <mailto:netconf-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/netconf/>
List-Post: <mailto:netconf@ietf.org>
List-Help: <mailto:netconf-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/netconf>, <mailto:netconf-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 01 Mar 2017 03:39:52 -0000
Picking up where we left off, we discussed making 'private-key' configurable, as shown below, protected by nacm:default-deny-all. This, in lieu of having an action statement called 'generate-private-key', which is the crux of the issue described in the subject line.
+--rw keystore
+--rw keys
+--rw key* [name]
+--rw name string
+--rw private-key? binary
+--ro algorithm? identityref
+--ro key-length? uint32
+--ro public-key binary
+--rw certificates
+--rw certificate* [name]
+--rw name string
+--rw value? binary
This resolves one issue, but then raises another, which is how to fully support system-generated keys, such as a key created by a TPM, that need to have certificates configured for them, such as IDevID or an LDevID certificates from IEEE 802.1AR.
Again, while we now know to use the operational state datastore to represent system-generated values, the problem becomes how to *configure* certificates for these system-generated keys, specifically the IDevID and LDevID certificates.
But, as seen in the tree-diagram above, this is not a leafref problem, which might be solved using a solution like the one proposed for the I2RS topo model, where a require-instance false leafref in the running datastore *can* point to a node in the operational state datastore. No, here the 'certificate' nodes are descendants of the 'key' node, so the leafref solution doesn't apply.
I don't have any good ideas for how to address this issue. Does anyone have any thoughts on how we should handle it?
[ref: https://github.com/netconf-wg/keystore/issues/2]
Thanks,
Kent
-----ORIGINAL MESSAGE-----
Hi Martin,
I’ve been trying to make sense of your suggestion, but nothing fits. The only thing that makes sense to me is to make “private-key” config true, so it’s generally configurable, for round-tripping. Then, to handle TPM-protected keys, we use something from the opstate solution, as the TPM-protected keys could be construed as “system generated”, at least the DevID private-key (the only TPM-protected key that I care about) could be seen that way.
But this doesn’t solve the whole problem. While the IDevID cert could also be “system generated”, the LDevID cert is not, and config true in intended can’t point to config true in applied. Maybe we hide/overlook this by claiming that setting an LDevID certificate is out-of-scope to the model, what do you think?
Kent
On 5/30/16, 4:26 AM, "Martin Bjorklund" <mbj@tail-f.com> wrote:
Mahesh Jethanandani <mjethanandani@gmail.com> wrote:
> [Chair hat off]
>
> > On May 27, 2016, at 10:31 AM, Kent Watsen <kwatsen@juniper.net> wrote:
> >
> > It should be noted that the following exchange happened on Apr 7th:
> >
> > <kent>
> > Yes, the action statements are intended to update the running
> > datastore. Presumably because the actions are either generating or
> > loading a new key, there would not be a real world locking issue, but
> > I can see how this might lead to undesirable results. Access control
> > (NACM) was removed when we moved to the keychain based approach, but
> > presumably the private key would need to protected by
> > nacm:default-deny-all.
> >
> > I see what you're saying. You're right about this breaking backup and
> > restore. The only way to fix it is for the backup (<get-config>) to
> > contain the private keys. But note that systems using a TPM actually
> > have NO WAY to get the private key out of the TPM - only the TPM
> > itself has access to the private key. So for these systems,
> > backup/restore (RMA) is impossible, even with root-level access on the
> > command line.
> >
> > I'm not sure if I understand your first option. Do you mean the
> > client would create a dummy private key entry (a placeholder) and then
> > call an action to populate the key with data?
> > </kent>
> >
> > <martin>
> > Yes, but since the private key is not part of the config, the action
> > will not touch the running config.
> > </martin>
> >
> > <kent>
> > I don't think the private keys can be config false, since they are
> > referenced by config true nodes in the tls/ssh-server modules.
> > </kent>
> >
> > <martin>
> > You can have a require-instance false leafref to the config false of
> > keys, and then describe what will happen if some server is configured
> > to point to a private key that doesn't exist.
> >
> > There are systems with tamper-proof hw that won't allow you to access
> > the keys unless a physical token is present (e.g. a USB stick). In
> > such systems, you may very well end up with config that refers to a
> > key that isn't available.
> >
> > Question 1: If the private key is not stored in special HW, do we
> > want to support backup/restore of such keys?
> >
> > If the answer is yes:
> > Use a config list and a separate -state list.
> > Make all references point to the -state list (in order to handle
> > TPM etc)
> >
> > If the answer is no:
> > Use only a config false list and define actions to manipulate
> > the list.
> > </martin>
> >
> >
> > Regarding Martin’s question #1 (note: there wasn’t a question #2), I
> > think that the answer is “yes, we’d like to support backup/restore of
> > private keys”. Is this the WG’s opinion as well?
>
> My personal opinion is yes also. But I am a little confused here. If
> TPM does not allow for keys to be exported, what would be reflected in
> the -state list?
The -state list would contain just the name of the key; not the key
itself.
> And if a config true node refers to this config false
> node, what are we “describing” that will happen? Is there a when
> statement?
For example, if the intended config of the NETCONF server contains a
reference to a key that doesn't exist in -state, for example b/c the
special hw couldn't be accessed, then the NETCONF server wouldn't be
started. If we have some "oper-status" leaf for the NETCONF server,
it could indicate the reason that the server wasn't started
("missing-key" or something).
/martin
>
> >
> >
> > Thanks,
> > Kent
> >
> >
> > From: Netconf <netconf-bounces@ietf.org> on behalf of Mahesh
> > Jethanandani <mjethanandani@gmail.com>
> > Date: Thursday, May 26, 2016 at 8:06 PM
> > To: "netconf@ietf.org" <netconf@ietf.org>
> > Subject: [Netconf] Semi-configurable design in server model draft
> >
> > One of the issues that Kent brought up in the interim meeting was the
> > issue of configuring the private key. Some background on that issue
> > dates back to the thread that started with Martin reviewing the
> > document and here is what he brought up in that review.
> >
> > o Section 4.1
> >
> > I think the "semi-configurable" design has some issues. You have
> > defined some actions that actually modifies the configuration of the
> > system. It is not clear which config datastore is modified.
> > Presumably running. Interactions with locking and access control
> > are not described. Also, the resulting configuration is not
> > complete - i.e., you cannot do <copy-config> to save/restore a
> > backup. This is fine, since you really don't want to expose the
> > private keys in the config backup. But some discussion is needed
> > around this subject. What happens if I generate a private key with
> > your action, backup that config and then restore it? What happens
> > with config that has references to such a key?
> >
> > One way to avoid that the actions modify the configuration could be
> > to move them into the private-key list. One drawback is that two
> > operations are needed in order to create a (usable) key - first
> > create the config in running, then call the action.
> >
> > Another option might be to model the keys as config false data.
> > This also solves the problem that some keys (in TPM for example)
> > are not deletable.
> > The two suggestions that Kent brought to the meeting on whether to
> > make it a leaf or an action.
> >
> > Leafs can be backed up or restored. But private-keys in TPM never
> > leave the source. How do we support special hardware like TPM?
> >
> > Making it an action requires creation of a dummy private key, and then
> > call action to populate the data in it, as Martin states above. What
> > happens if the key is not available but is referenced by the system?
> >
> > Kent, is that a fair summary of the issue?
> >
> > Let the discussion begin :-)
> >
> > Mahesh Jethanandani
> > mjethanandani@gmail.com <mailto:mjethanandani@gmail.com>
> >
> >
> >
>
> Mahesh Jethanandani
> mjethanandani@gmail.com
>
>
>
>
>
_______________________________________________
Netconf mailing list
Netconf@ietf.org
https://www.ietf.org/mailman/listinfo/netconf
- Re: [Netconf] Semi-configurable design in server … Kent Watsen
- [Netconf] Semi-configurable design in server mode… Mahesh Jethanandani
- Re: [Netconf] Semi-configurable design in server … Kent Watsen
- Re: [Netconf] Semi-configurable design in server … Mahesh Jethanandani
- Re: [Netconf] Semi-configurable design in server … Martin Bjorklund
- Re: [Netconf] Semi-configurable design in server … Kent Watsen
- Re: [Netconf] Semi-configurable design in server … Kent Watsen