Re: [Netconf] zerotouch issues found while preparing -20

Kent Watsen <kwatsen@juniper.net> Fri, 02 February 2018 18:11 UTC


Hi Mahesh,



>> Separately, here are a couple other things we might consider doing:
>> 
>> 1) move from PKCS7 to CMS (RFC5652).   CMS is IETF's version of PKCS7.
>> It's practically identical.  The IESG requested this change when the
>> anima-voucher draft went through its IETF Last Call, and so I expect
>> the same change will be requested for this draft as well.
>
> As shepherd of the document, I would prefer that this be addressed 
> now than wait for an IESG request. 
>
> How big a change is this? And what are the differences between CMS and
> PKCS7? Are there any backward compatibility implications?

For the most part, it is a global search and replace.  But, like with the
voucher draft, we will want some language allowing cmsVersion=1, which 
signals that it's actually the legacy PKCS7 format.   We'll also likely 
need to define an OID in the SMI Security for S/MIME CMS Content Type 
Registry, something like "id-ct-zerotouch-information+json".  Lastly,
I'll want to update my tools to process CMS files, to ensure there are
no gotchas that we're not thinking about.


Okay, I'll start looking into this.


>> 2) modify the draft's statement that devices MUST send an IDevID 
>> certificate to one that says devices MUST send an IDevID certificate
>> and/or HTTP-level authentication.   This wording is consistent with
>> RFC 8040 Section 2.5 and, by allowing HTTP-level authentication, it
>> will better represent products shipping by a number of vendors,
>> whereby the installer can, for instance, type in a password into
>> the device while it's booting.  This appears to be a popular
>> low-barrier choice, as implementing IDevID is not easy.
>
> As a contributor I would be ok with RFC 8040 wording.
>
> As a shepherd, how big is the change? Also what is the impact on
> security? Does the Security Consideration section need to be updated?

Hmmm, the IDevID language is engrained.   The certificate and private
key show up in the "Initial State" diagram [1].  The Security Considerations
section would need to be updated.  Importantly, we'd have to say that, if
other credentials are used, they MUST uniquely identify the device.  For
instance, the "username" should be the device's serial-number.  Furthermore,
for provisional connections to an untrusted server, we'd have to explain
that no password should be sent in this case.

[1] https://tools.ietf.org/html/draft-ietf-netconf-zerotouch-19#section-5.1

I could do this in a branch, if it helps.

Kent
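Added example, not from the thread or the zerotouch draft: a minimal DER walker (Python) that reads the CMSVersion and eContentType of a SignedData, the two fields the PKCS7 to CMS (RFC 5652) move discussed above turns on, and that flags the version-1 legacy shape the way the message describes. The zerotouch content-type OID is a placeholder under an enterprise arc, since the message only says "something like" and assigns no value; the sample DER is constructed inline.

```python
ID_SIGNED_DATA = "1.2.840.113549.1.7.2"
ID_DATA = "1.2.840.113549.1.7.1"
ID_CT_ZEROTOUCH_JSON = "1.3.6.1.4.1.99999.1"  # PLACEHOLDER arc; the page assigns no OID

def _tlv(buf, pos):
    """Parse one DER TLV at pos; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long-form length: low 7 bits give the number of length octets
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def _oid(value):
    """Decode OID content octets to dotted-decimal form."""
    arcs, acc = [value[0] // 40, value[0] % 40], 0
    for b in value[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs, acc = arcs + [acc], 0
    return ".".join(map(str, arcs))

def inspect_signed_data(der):
    """Return (CMSVersion, eContentType) from ContentInfo { id-signedData, [0] SignedData }."""
    _, ci, _ = _tlv(der, 0)                  # ContentInfo SEQUENCE
    tag, oid, pos = _tlv(ci, 0)              # contentType OID
    assert tag == 0x06 and _oid(oid) == ID_SIGNED_DATA, "contentType is not id-signedData"
    _, content, _ = _tlv(ci, pos)            # [0] EXPLICIT content
    _, sd, _ = _tlv(content, 0)              # SignedData SEQUENCE
    _, ver, pos = _tlv(sd, 0)                # CMSVersion INTEGER
    _, _algs, pos = _tlv(sd, pos)            # digestAlgorithms SET (not needed here)
    _, eci, _ = _tlv(sd, pos)                # EncapsulatedContentInfo
    _, ect, _ = _tlv(eci, 0)                 # eContentType OID
    return int.from_bytes(ver, "big"), _oid(ect)

def classify(der):
    """RFC 5652 s5.1: version 1 is only valid with id-data (legacy PKCS#7 shape); other types need >= 3."""
    version, ectype = inspect_signed_data(der)
    if version == 1:
        return "legacy-pkcs7" if ectype == ID_DATA else "inconsistent"
    return "cms-zerotouch" if ectype == ID_CT_ZEROTOUCH_JSON else "cms-other"

def _der(tag, *children):
    """Short-form DER TLV encoder, enough for the constructed samples below."""
    body = b"".join(children)
    return bytes([tag, len(body)]) + body
def sample(version, ectype_hex):
    """Constructed SignedData: empty digestAlgorithms/signerInfos, detached content."""
    sd = _der(0x30, _der(0x02, bytes([version])), _der(0x31),
              _der(0x30, _der(0x06, bytes.fromhex(ectype_hex))), _der(0x31))
    return _der(0x30, _der(0x06, bytes.fromhex("2A864886F70D010702")), _der(0xA0, sd))

LEGACY = sample(1, "2A864886F70D010701")  # version 1 + id-data
CMS_ZT = sample(3, "2B06010401868D1F01")  # version 3 + placeholder zerotouch OID
BAD = sample(1, "2B06010401868D1F01")     # version 1 with a non-id-data type: not valid CMS
```

A real verifier would go on to check the SignerInfos and the signing certificate chain; this block only covers the two fields that distinguish the legacy format from CMS.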