Re: [Netconf] WG LC for zerotouch

[Kent Watsen <kwatsen@juniper.net>]

Hi Martin,

Again, trimming down to just open threads.

>> >> > o  Section 7.2
>> >> >
>> >> >  Adding custom query parameters like this breaks the normal YANG
>> >> >  contract.  If I understand this correctly, the instance data tree
>> >> >  presented to the client is supposed to change based on these query
>> >> >  parameters.
>> >> 
>> >> Correct.  The idea is that the response could vary based on the input
>> >> query params.  Of course, in case there was any doubt, the response 
>> >> would always conform to same YANG schema.
>> >
>> >See below.
>> >
>> >> >  If you really need to have that functionality, it would better to
>> >> >  model the device-specific data as an action; input would be the
>> >> >  os-name, os-version etc, and output would be the
>> >> >  zerotouch-information and voucher etc.
>> >> 
>> >> I thought of this as well, but didn't do anything about it as my 
>> >> last message to the list said that we'd add "query parameters"
>> >> and I wanted to follow through on that statement.
>> >> 
>> >> But what is the issue?  Is it primarily that using query params 
>> >> on GET should be limited to returning different representations
>> >> of a resource, and this use seems to be returning different 
>> >> resources altogether?
>> >
>> > Yes, this is my concern.  A normal RESTCONF / YANG server has *one*
>> > single instance of the operational state, and it just provides an API
>> > to this data.  It can be filtered and pruned based on access rights,
>> > but not modified from the outside based on query parameters.
>> 
>> I agree, it seems more proper.  Okay, let's make this change.  No
>> objections from the WG, right?  As a heads-up for those following
>> along, this change doesn't affect the essence of the solution, but
>> the diff will appear somewhat big...
>> 
>> 
>> >> FWIW, if we were to do this, we might also consider moving the 
>> >> 'serial-number' field from the URL to an input field
>> >
>> > Hmm, did you mean 'unique-id'?
>> 
>> Yes. But what about the idea, moving 'unique-id' from the URL path
>> to an input param?  Or, even more dramatically, we could remove 
>> 'unique-id' altogether, relying instead on the RESTCONF username
>> extracted from the DevID certificate?
>
> See below.
>
>> If relying on the extracted username, note that none of the 
>> 'cert-to-name' identities defined in RFC 7407, which is also
>> used in draft-ietf-netconf-restconf-client-server, would work.
>> The 'common-name' identity is closest, but what is really needed
>> is a combination of a 'serialNumber' attribute and an optional
>> 'hardwareModuleName' attribute (not all DevID certs define it).
>
> Ok.  I've tried to find a spec for the DevID, but couldn't find a
> public version.

Here's the part you're looking for:


  7.2.8 subject
  The DevID subject field shall uniquely identify the device 
  associated with the particular DevID credential within the
  issuer’s domain of significance. The formatting of this field
  shall contain a unique X.500 Distinguished Name (DN). This
  may include the unique device serial number assigned by the
  manufacturer or any other suitable unique DN value that the
  issuer prefers. In the case of a third-party CA or a standards
  certification agency, this can contain the manufacturer’s
  identity information.  The subject field’s DN encoding should
  include the “serialNumber” attribute with the device’s unique
  serial number.

  7.2.9 subjectAltName
  The non-critical DevID subjectAltName extension may supplement
  the subject field identity information as specified in RFC 5280
  by containing a hardwareModuleName as specified in RFC 4108.



>> I suppose that this is an issue for the afore-mentioned restconf
>> client/server draft more so than this one though.  Still, since
>> we're talking about it, assuming we did this, would that draft
>> add said identities, or would a 7407bis be better?
>
> I think that such an identitiy could be defined in this draft.  Isn't
> such an identity quite specific to this use case?

okay, but in which module? - it just needs to be a module imported
wherever ietf-x509-cert-to-name is used (ietf-netconf-server and 
ietf-restconf-server) but not any module defined in this draft.
So maybe yet another module is needed in this draft: ietf-more-
x509-cert-to-name-identities? - naming suggestions welcomed! ;)



> >> >  I suggest you shorten the lines of the examples even more, so that
> >> >  the examples are properly indented in the draft (they are currently
> >> >  outdented)
> >> 
> >> It's hard to make the lines much shorter with the URN being so long.
> >> Options are 1) don't indent just the xmlns line or 2) move from two-
> >> space indent to single-space indent.  Do you have a preference?
> >
> > In the second example you use (1).  You can also use "\", which you
> > are also already using.
> 
> So I do, albeit only in the HTTP-header parts, not the HTTP-body parts.
> 
> FWIW, my build-script inserts source files in situ as directed by
> processing instructions. I can modify the build-script to do the 
> auto-'\' insertion logic on some column-boundary, but it may need
> a complimentary update on the extraction tools.  Do we need some 
> sort of standard around this?
> 
> I'm aware that here you're only talking about examples, which 
> currently are not extracted via tools, but the same auto-'\' 
> insertion logic could also help with the YANG modules, as they
> could become unwieldy too...though I suppose liberal use of 
> groupings could always be employed to keep line-lengths in
> check.  Okay, but still, a YANG Doctors discussion at IETF 99
> suggested introducing the ability to auto-extract and validate
> examples in drafts too, to automate as much of the YD review
> process as possible, so still I think there may be a need for
> a '\' standard of some sort here.  Thoughts?

This is still open.


>> > I just found another outdented figure in section 5.3, which probably
>> > is easier to fix.
>> 
>> Huh?  I don't see it.  The figure in 5.3 looks okay to me...
>
> Yes, my bad.  I think I meant 5.2.

Fixed.


>> >> > o  Section 9
>> >> >
>> >> >  Should you also mention that /device list should be protected by
>> >> >  nacm rules?
>> >> 
>> >> Yes, indeed, I left out the standard security template for the bootstrap
>> >> server YANG module.  Will add.
>> >> 
>> >> 
>> >> >  If the RESTCONF user name is the device's unique-id, then a single
>> >> >  NACM rule can be used:
>> >> >
>> >> >       <rule>
>> >> >         <name>allow-device</name>
>> >> >         <path xmlns:ztbs="urn:ietf:params:xml:ns:yang:\ietf-zerotouch-bootstrap-server">
>> >> >           /ztbs:device[ztbs:unique-id=$USER]
>> >> >         </path>
>> >> >         <access-operations>read</access-operations>
>> >> >         <action>permit</action>
>> >> >       </rule>
>> >> 
>> >> Yes, but would you expect this to appear in the draft?  Typically,
>> >> the specific NACM rule syntax is left as an exercise to the reader...
>> >
>> > In order to do this, the "username" must be the same as the
>> > "unique-id".  This requires the client cert to be constructed
>> > properly.
>> 
>> Agreed.  In this case, the client cert is a DevID cert, and  802.1AR 
>> governs its construction.  Not too many options there.  Of course, 
>> the mapping of said cert to username is being discussed above wrt the
>> cert-to-name mapping logic... 
>> 
>> 
>> >> Since the NACM rule is not obvious, and due to the cert implications,
>> >> I think it would be very helpful with an appendix that describes how
>> >> this can be set up.
>> 
>> I think that this will depend on if we go with an action or a top-level 
>> RPC. If an action, then NACM may have a place and an example may help.
>> But, if using a top-level RPC, then it seems that the server has no 
>> option but to auth the DevID cert and provide a RESTCONF username-specific
>> response - NACM can't constrain it any further, right?
> 
> Correct.

Well, maybe not entirely correct.  It looks like NACM rules can 
constrain RPCs using the "rpc-name" rule type.  But, in this case,
an NACM group containing a list of users that matched exactly each 
device would have to be maintained, which isn't quite a nice as
using the $USER variable.



>>> (note: this seems
>>> more secure to me - I like it)
>>
>> Hmm, I think it is less clear.  With an explicit list and actions, you
>> can use NACM to do the access control.  With top-level RPCs, the
>> implementation of the RPC has to do the access control.

Right, but it wouldn't be "access control" so much as something akin
to a 404.  When establishing the RC connection, the server must first
auth the client's cert (at the TLS-level) that, in the case of an 
IDevID cert, most like maps to checking to see if it has a chain of
trust to the vendor's CA cert.  Then cert-maps is used to extract a
username; in the IDevID case, it is most likely some combo of the 
serialNumber and hardwareModuleName attributes.  This username is 
fed into the RPC handling logic which will do some internal lookup
and either find a match (and return data) or not (and return an error).
No need for NACM in this flow is there?

 
> Also, a list of devices is more transparent - I mean, this list must
> somehow exist anyway, but with top-level RPCs it will be hidden.

A list of devices needs to exist in the database, and the NBI, but
not the SBI, right?


> Maybe implementations want to add additional objects to this list, for
> monitoring or something.

Unsure.  The point of the SBI is that the device only receives a 
device-specific response, no other objects are ever included, right?
But maybe you mean some implementations will want to modify the format
of the device-specific response, which I agree is possible, but that
doesn't impact if we use an RPC versus an action.  Do you agree?


>> >> > o  Other comment
>> >> >
>> >> >  Is it assumed that there will be a vendor-specific YANG module to
>> >> >  enable the zero-touch process?  Did you consider an
>> >> >  ietf-zerotouch-device module for this purpose?  Such a configuration
>> >> >  must be carefully designed to allow for a "merge" configuration file
>> >> >  to actually disable the zero touch process.
>> >> 
>> >> It is assumed to be vendor-specific currently.  I have not thought to
>> >> define a ietf-zerotouch-device module as of yet that, presumably, would
>> >> contain a boolean or an enum (but not a p-container) for enabling the
>> >> service.  Do you think we should add such a module to the draft, or just
>> >> put a note somewhere about it?
>> >
>> > I don't have a strong opinion, but if there's not a standard module
>> > for this, the text should mention that it is assumed that vendors
>> > define this themselves.   Hmm, I think I would prefer a standard
>> > module; it would make the solution more complete.
>> 
>> We can add a module, but maybe it should be called something like
>> ietf-zerotouch-bootstrap-client, to mirror the ietf-zerotouch-
>> bootstrap-server module? - though this may be a mismatch as the
>> former regards a southbound protocol and the latter regards a
>> configuration model...
>> 
>> Maybe we can discuss what would be in this model.  I'm not sure if
>> I'm oversimplifying it, but I think the module might be just a single
>> config true leaf called something like "enabled".   There might also
>> be some config false leafs for the stuff mentioned in section 5.1, 
>> though it doing so is not so important since the bootstrapping only
>> occurs once (not ongoing management).  So a module would primarily
>> be for the "enabled" leaf.  Anything else?  Still think it's worth it?
>
> I'm not sure.  It does seem odd to write that we expect vendors to
> provide this single leaf in a proprietary module, but maybe it is ok.

Okay, I'll add a ietf-zerotouch-device module.  It doesn't hurt.  
Vendors can use it or not.  If nothing else, at least they can
reference it for their native model.


Kent