Re: [Netconf] ietf-system-keychain draft module

Kent Watsen <kwatsen@juniper.net> Tue, 02 August 2016 20:12 UTC

From: Kent Watsen <kwatsen@juniper.net>
To: Michal Vaško <mvasko@cesnet.cz>, "netconf@ietf.org" <netconf@ietf.org>
Date: Tue, 02 Aug 2016 20:12:39 +0000
Message-ID: <91B0EC86-7879-4F94-81F5-FDE72928EBCA@juniper.net>
References: <4bcf-57a0a980-25-18bcab00@35396507>
In-Reply-To: <4bcf-57a0a980-25-18bcab00@35396507>
Archived-At: <https://mailarchive.ietf.org/arch/msg/netconf/2QDic0YMN_C68VeNPY33vgS5OtM>
Subject: Re: [Netconf] ietf-system-keychain draft module

Hi Michal,

Thank you for reporting your early attempt to implement this module.  I implemented an earlier version of this draft for the NETCONF Call Home reference implementation [1], but that was before we moved to the keychain-based approach.  I have updated the code during the last two Hackathons, but I keep hitting compatibility issues with the crypto libraries I’m using.   I think that those issues are almost behind me now, so soon I’ll be implementing the ietf-netconf-server, ietf-ssh-server, and ietf-system-keychain modules.

Regarding your query, this is a somewhat known issue [2].  Right now I think we’re waiting for Martin to get back from PTO to respond, but my inclination is that we might have to do exactly as you say: to let the private key data be in the data model, protected by just nacm:default-deny-all.  However, there will remain the issue that some private-keys will never be visible, such as those stored within a TPM (trusted protection module).  I think this means that the “private-key” leaf needs to be mandatory false, and we’ll need some kind of warning when the private key cannot be provided.   Or we make it mandatory true, with a description statement that explains when it might fail.  Perhaps a NETCONF notification could be used for this as well.  What do you think?

[1] https://github.com/Juniper/netconf-call-home (warning: new code not checked in yet)
[2] https://github.com/netconf-wg/system-keychain/issues/2

Thanks,
Kent
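To make the design option discussed in this thread concrete, here is a YANG fragment added by the editor; it is not text from the ietf-system-keychain draft, nor code from either poster. It uses only the node names the thread itself mentions (/keychain/private-keys/private-key, certificate-chains, the "private-key" leaf, nacm:default-deny-all). The module name, namespace, the `binary` types, the shape of the certificate-chains list and the `private-key-not-exportable` notification are assumptions made for illustration.

```yang
// Added illustration, not the draft module. Assumed names: the module
// name/namespace, the binary types, the certificate-chains layout and
// the private-key-not-exportable notification.
module example-keychain-fragment {
  yang-version 1.1;
  namespace "urn:example:keychain-fragment";
  prefix exkc;

  // RFC 6536 NACM module: defines the default-deny-all extension.
  import ietf-netconf-acm {
    prefix nacm;
  }

  container keychain {
    container private-keys {
      list private-key {
        key name;
        leaf name {
          type string;
        }
        leaf private-key {
          // Option discussed on the list: keep the key material in the
          // configuration, but hide it from every client that an NACM
          // rule does not explicitly authorize to read it.
          nacm:default-deny-all;
          type binary;
          // Not mandatory: a key generated inside a hardware module may
          // never be exportable, so the server must be allowed to omit it.
          mandatory false;
          description
            "The private key material. Absent when the key is held by a
             hardware module that does not permit export; clients must
             not assume the leaf is present.";
        }
        leaf public-key {
          type binary;
          mandatory true;
        }
        // The reason the list is configurable at all: certificate chains
        // are attached to an already-existing private key.
        list certificate-chains {
          key name;
          leaf name {
            type string;
          }
          leaf-list certificate {
            type binary;
          }
        }
      }
    }
  }

  // One way to signal the failure case Kent raises: the server cannot
  // hand out a private key that only exists inside a hardware module.
  notification private-key-not-exportable {
    description
      "Emitted when a requested private-key value cannot be provided
       because the key is held by hardware that does not permit export.";
    leaf name {
      type leafref {
        path "/exkc:keychain/exkc:private-keys/exkc:private-key/exkc:name";
      }
    }
  }
}
```

With this layout the confidentiality of the key material rests entirely on NACM: a `<get-config>` from a client without an explicit read rule on the leaf returns the list entry with the `private-key` leaf filtered out, while `name`, `public-key` and `certificate-chains` remain visible. Hardware-held keys simply never populate the leaf, which is why it must not be mandatory.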


On 8/2/16, 10:09 AM, "Netconf on behalf of Michal Vaško" <netconf-bounces@ietf.org on behalf of mvasko@cesnet.cz> wrote:

    Hi,
    I started implementing this module and I encountered some problems. I would like to know how you are planning to solve them, if they are known and being worked on, or inform you about them.
    
    Regarding the list /keychain/private-keys/private-key, it is configurable. My guess is that the reason for this is being able to add certificate-chains to configured private keys. However, this enables the creation of instances of this list, which, it seems to me, does not make sense and should be forbidden (or what is expected to happen in that case?). For creating new instances there are the actions generate-private-key and load-private-key; am I missing something?
    
    As for private keys themselves, the idea probably is to keep them internally safe somewhere, so they do not appear in the configuration and thus are not accidentally compromised. However, this causes major implementation issues (I know this is not considered an argument, but I believe it should not be completely neglected). Why could private keys not be part of the configuration with the NACM extension default-deny-all? My point is that other applications (using this keychain) must simply somehow get to the private key itself. Currently, the confidentiality of these keys is ensured mainly by standard file system access control. Including these keys in the NETCONF datastore with default-deny-all is basically similar, but may even be considered safer than a file system. The keys could still be encrypted using a password and thus be useless without it. Naturally, this password would not be part of the configuration.
    
    Kind regards,
    Michal Vasko
    
    _______________________________________________
    Netconf mailing list
    Netconf@ietf.org
    https://www.ietf.org/mailman/listinfo/netconf