Re: [netconf] client identification in ietf-netconf-server

Kent Watsen <kent+ietf@watsen.net> Tue, 05 November 2019 02:27 UTC

Return-Path: <0100016e39631e46-c007fd65-2e51-47a6-bd27-764f5257a16c-000000@amazonses.watsen.net>
X-Original-To: netconf@ietfa.amsl.com
Delivered-To: netconf@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C605B120033 for <netconf@ietfa.amsl.com>; Mon, 4 Nov 2019 18:27:10 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.897
X-Spam-Level:
X-Spam-Status: No, score=-1.897 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_NONE=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=amazonses.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 98U8ZMAXIOFi for <netconf@ietfa.amsl.com>; Mon, 4 Nov 2019 18:27:09 -0800 (PST)
Received: from a8-83.smtp-out.amazonses.com (a8-83.smtp-out.amazonses.com [54.240.8.83]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id D312812000F for <netconf@ietf.org>; Mon, 4 Nov 2019 18:27:08 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/simple; s=6gbrjpgwjskckoa6a5zn6fwqkn67xbtw; d=amazonses.com; t=1572920827; h=From:Message-Id:Content-Type:Mime-Version:Subject:Date:In-Reply-To:Cc:To:References:Feedback-ID; bh=yWrLcoc3BFSmd4ySEYmrCdsIP8l4ukYtncxDDuBsFQg=; b=BygZNdlPouIgRIQRbOtn0dTH2Pxt4rGpDW0iLpGcv/V8UQ15Jv01/8ivPk3QM2Av KeOaOpPaZt8yo3sxoezeOifyelQSwdwFBmoiIbMtGVUYZgdWuj4UnNOXT1527EZweTe jz+5PNZdoXTz+vwyWFrTw4Ef0jOOGxkg2cs/aQfg=
From: Kent Watsen <kent+ietf@watsen.net>
Message-ID: <0100016e39631e46-c007fd65-2e51-47a6-bd27-764f5257a16c-000000@email.amazonses.com>
Content-Type: multipart/alternative; boundary="Apple-Mail=_15C1EAA2-6D2C-46F3-86E4-4D330547DB49"
Mime-Version: 1.0 (Mac OS X Mail 12.4 \(3445.104.11\))
Date: Tue, 5 Nov 2019 02:27:07 +0000
In-Reply-To: <20191104.111319.869021723410428870.mbj@tail-f.com>
Cc: "netconf@ietf.org" <netconf@ietf.org>
To: Martin Bjorklund <mbj@tail-f.com>
References: <20191104.111319.869021723410428870.mbj@tail-f.com>
X-Mailer: Apple Mail (2.3445.104.11)
X-SES-Outgoing: 2019.11.05-54.240.8.83
Feedback-ID: 1.us-east-1.DKmIRZFhhsBhtmFMNikgwZUWVrODEw9qVcPhqJEI2DA=:AmazonSES
Archived-At: <https://mailarchive.ietf.org/arch/msg/netconf/BooQsExLgPB7NTd8p4dCRNHPpT4>
Subject: Re: [netconf] client identification in ietf-netconf-server
X-BeenThere: netconf@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: NETCONF WG list <netconf.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/netconf>, <mailto:netconf-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/netconf/>
List-Post: <mailto:netconf@ietf.org>
List-Help: <mailto:netconf-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/netconf>, <mailto:netconf-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 05 Nov 2019 02:27:11 -0000

Hi Martin,


> The ietf-netconf-server module has this:
> 
>  grouping netconf-server-grouping {
>    ...
>    container client-identification {
>      ...
>      container cert-maps {
>        when "../../../../tls";
>        uses x509c2n:cert-to-name;
>        ...
>      }
>    }
>  }
> 
> Note the "when" expression.  This means that the grouping has a strong
> depency on where is it used.  We should try to avoid such a design.


Would this be better?   

OLD
       when "../../../../tls";

NEW
	if-feature "tls-listen or tls-call-home";



> But should't this cert-to-name list be available when x509-certs are
> used also with SSH?

Hmmm.  I'd assumed that, with RFC 6187, the username was still passed as its own field, but I see this in Section 4:

   For the purposes of user authentication, the mapping between
   certificates and user names is left as an implementation and
   configuration issue for implementers and system administrators.

So you may be right about that.  I only ever looked at RFC 6187 from the perspective of the server presenting an IDevID certificate.  But, assuming it's true, then perhaps this:

NEWEST:
	if-feature "tls-listen or tls-call-home or sshcmn:ssh-x509-certs";



> The current data model for ssh specifies certs on
> a per-user basis. But this requires lots of configuration in the case
> that the cert encodes the user name (even though the name is in the
> cert you have to configure each user on each device).  I suggest we
> align the model for SSH with the TLS model for cert identification.

We certainly want to factor out configuration where possible.  I'd need to look into this more.  Perhaps you can send a diff?


> For TLS, the data model has the following structure:
> 
>  +--rw netconf-server
>     +--rw listen! {ssh-listen or tls-listen}?
>        +--rw idle-timeout?   uint16
>        +--rw endpoint* [name]
>           +--rw name         string
>           +--rw (transport)
>              ...
>              +--:(tls) {tls-listen}?
> 
>    [ reset indentation to make the diagram easier to read ]
> 
>   +--rw tls
>      +--rw tcp-server-parameters
>      ...
>      +--rw tls-server-parameters
>      |  +--rw server-identity
>            ...
>      |  +--rw client-authentication!
>      |  |  +--rw (required-or-optional)
>      |  |  |  +--:(required)
>      |  |  |  |  +--rw required?    empty
>      |  |  |  +--:(optional)
>      |  |  |     +--rw optional?    empty
>      |  |  +--rw (local-or-external)
>      |  |     +--:(local)  {local-client-auth-supported}?
>      |  |     |  +--rw ca-certs!   {ts:x509-certificates}?
>      |  |     |  |  +--rw (local-or-truststore)
>      |  |     |  |     +--:(local)  {local-definitions-supported}?
>      |  |     |  |     |  +--rw local-definition
>      |  |     |  |     |     +--rw cert*   trust-anchor-cert-cms
>      |  |     |  |     |     +---n certificate-expiration
>      |  |     |  |     |        +-- expiration-date
>      |  |     |  |     |                yang:date-and-time
>      |  |     |  |     +--:(truststore)
>      |  |     |  |              {truststore-supported,x509-certificates}?
>      |  |     |  |        +--rw truststore-reference?
>      |  |     |  |                ts:certificates-ref
>      |  |     |  +--rw client-certs!  {ts:x509-certificates}?
>      |  |     |     +--rw (local-or-truststore)
>      |  |     |        +--:(local)  {local-definitions-supported}?
>      |  |     |        |  +--rw local-definition
>      |  |     |        |     +--rw cert*     trust-anchor-cert-cms
>      |  |     |        |     +---n certificate-expiration
>      |  |     |        |        +-- expiration-date
>      |  |     |        |                yang:date-and-time
>      |  |     |        +--:(truststore)
>      |  |     |                 {truststore-supported,x509-certificates}?
>      |  |     |           +--rw truststore-reference?
>      |  |     |                   ts:certificates-ref
>      |  |     +--:(external)
>      |  |              {external-client-auth-supported}?
>      |  |        +--rw client-auth-defined-elsewhere?
>      |  |                empty
>          ...
>      +--rw netconf-server-parameters
>         +--rw client-identification
>            +--rw cert-maps
>               +--rw cert-to-name* [id]
>                  +--rw id             uint32
>                  +--rw fingerprint
>                  |       x509c2n:tls-fingerprint
>                  +--rw map-type       identityref
>                  +--rw name           string




> It is not clear how this is used by the server to end up either with
> an authenticated user name or failed authentication.

Okay, let's fix that.


> First of all, how is the "required-or-optional" choice used in a
> NETCONF server?  What happens if an operation configures this to
> "optional"?  (side note: why is this a choice of empty leafs instead
> of a leaf?)

Hmmm, this 'choice' seems unneeded for NETCONF.  The "choice" is coming from the ietf-tls-server, and a similar "choice" is in ietf-http-server. It was put there, in part, for RESTCONF, as user-auth can occur at either (or both!) protocol layers...



> Second, I assume that the idea is that the server uses the config
> params in "local-or-external" and the certificate presented by the
> client and after this step is either accepted or rejected.  It is not
> clear what is supposed to happen if someone configures
> "client-auth-defined-elsewhere".  I think it is better to not define
> this case, but (perhaps) keep the choice and explain that other
> modules can augment additional config params here for other
> authentication mechanisms.

Well that's just the thing, the goal is to enable user-auth to NOT be defined here.  As the description statement in ietf-tls-server says:

          "Configuring credentials externally enables applications
           to place client authentication with client definitions,
           rather then in a part of a data model principally
           concerned with configuring the TLS transport.";


> Next, my guess is that the intention is that if the cert was accepted
> in the step above, it is checked in cert-to-name to see if a user name
> can be derived.

Yes.


> In another thread you mentioned that if a local cert is configured, it
> seems redundant to also configure the cert as a fingerprint in
> cert-to-name.  I'm not sure about this.  But perhaps you can use the
> same "map-type" and "name" leafs in the "client-cert" container?  It
> is not as easy for the "truststore-reference"; perhaps you'd have to
> augment the truststore with these leafs in this case.

In context, that statement I made before is a relatively minor objection.  That said, I don't understand your proposal, as you suggesting the recreate the essence of 'cert-to-name'?   Another idea I had was that the fingerprint could be in a "union" with also a truststore-reference, which is only mildly better...


Kent // contributor