Re: [netconf] Roman Danyliw's Discuss on draft-ietf-netconf-keystore-34: (with DISCUSS and COMMENT)
Kent Watsen <kent+ietf@watsen.net> Sun, 10 March 2024 20:58 UTC
Return-Path: <0100018e2a288eb9-9d28b734-a44e-455f-86b2-fa4a59fc2550-000000@amazonses.watsen.net>
X-Original-To: netconf@ietfa.amsl.com
Delivered-To: netconf@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 8ED64C14F600; Sun, 10 Mar 2024 13:58:11 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.903
X-Spam-Level:
X-Spam-Status: No, score=-6.903 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_HI=-5, RCVD_IN_MSPIKE_H5=0.001, RCVD_IN_MSPIKE_WL=0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=amazonses.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id dR0VBEqUMY4M; Sun, 10 Mar 2024 13:58:07 -0700 (PDT)
Received: from a48-110.smtp-out.amazonses.com (a48-110.smtp-out.amazonses.com [54.240.48.110]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 436C1C14F5F9; Sun, 10 Mar 2024 13:58:06 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/simple; s=224i4yxa5dv7c2xz3womw6peuasteono; d=amazonses.com; t=1710104285; h=From:Message-Id:Content-Type:Mime-Version:Subject:Date:In-Reply-To:Cc:To:References:Feedback-ID; bh=cqAsJSgutp2ToRxNrtYOJo0DjJbRJuOqzE4cD0zdy/Y=; b=Gv98siOOfvg7/p+pCVjaTisgXHR52qY1k9SUdilzC/+E8J0McuF/rMe88lWCQnmz SDpdDUWd6MlU6TYe8xyP/MhrgZHmwfqt98QOEr64DKXL4Lq6ameXAwUsoqgKszkPRsE BxHGicjpRb2fuDEk/82a+ePQI3I1R/Tl7y1cRkEs=
From: Kent Watsen <kent+ietf@watsen.net>
Message-ID: <0100018e2a288eb9-9d28b734-a44e-455f-86b2-fa4a59fc2550-000000@email.amazonses.com>
Content-Type: multipart/alternative; boundary="Apple-Mail=_F12B2724-F90D-477D-8B85-845CA260CB12"
Mime-Version: 1.0 (Mac OS X Mail 16.0 \(3774.400.31\))
Date: Sun, 10 Mar 2024 20:58:04 +0000
In-Reply-To: <171002473443.48083.16449488482146802214@ietfa.amsl.com>
Cc: The IESG <iesg@ietf.org>, draft-ietf-netconf-keystore@ietf.org, "netconf-chairs@ietf.org" <netconf-chairs@ietf.org>, "netconf@ietf.org" <netconf@ietf.org>, Qin Wu <bill.wu@huawei.com>, Mahesh Jethanandani <mjethanandani@gmail.com>
To: Roman Danyliw <rdd@cert.org>
References: <171002473443.48083.16449488482146802214@ietfa.amsl.com>
X-Mailer: Apple Mail (2.3774.400.31)
Feedback-ID: 1.us-east-1.DKmIRZFhhsBhtmFMNikgwZUWVrODEw9qVcPhqJEI2DA=:AmazonSES
X-SES-Outgoing: 2024.03.10-54.240.48.110
Archived-At: <https://mailarchive.ietf.org/arch/msg/netconf/C--4DlPOa2A9h_24amYJDYsj5TY>
Subject: Re: [netconf] Roman Danyliw's Discuss on draft-ietf-netconf-keystore-34: (with DISCUSS and COMMENT)
X-BeenThere: netconf@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: NETCONF WG list <netconf.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/netconf>, <mailto:netconf-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/netconf/>
List-Post: <mailto:netconf@ietf.org>
List-Help: <mailto:netconf-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/netconf>, <mailto:netconf-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 10 Mar 2024 20:58:11 -0000
Hi Roman, Thank you for clearing your DISCUSS ballot on all 4 drafts. Your response for three of the drafts contained no additional comments (and hence I won’t reply to them). But, for the “keystore” draft, two responses came… The first response (below) had more DISCUSS comments. The second response contained just one COMMENT, which was/is the same COMMENT contained below. IDK if you changed your mind on the new DISCUSS comments but, in any case, they are good comments, so please find my responses below. PS: I'll post updates to the drafts ASAP. I may ask for special permission to post before the window opens again. That said, I’m still hoping to hear back from Murray, to clear his DISCUSS positions, so that may cause a delay... Kent // author > On Mar 9, 2024, at 5:52 PM, Roman Danyliw via Datatracker <noreply@ietf.org> wrote: > > Roman Danyliw has entered the following ballot position for > draft-ietf-netconf-keystore-34: Discuss > > When responding, please keep the subject line intact and reply to all > email addresses included in the To and CC lines. (Feel free to cut this > introductory paragraph, however.) > > > Please refer to https://www.ietf.org/about/groups/iesg/statements/handling-ballot-positions/ > for more information about how to handle DISCUSS and COMMENT positions. > > > The document, along with other ballot positions, can be found here: > https://datatracker.ietf.org/doc/draft-ietf-netconf-keystore/ > > > > ---------------------------------------------------------------------- > DISCUSS: > ---------------------------------------------------------------------- > > ** Section 4. This section seems to define a workflow and mandatory server > capabilities above and beyond what is typically done by a RESTCONF/NETCONF > using a YANG module. The introduction of this section says it applies to > backup and restore. I’m having some trouble a few of the details. Yes, this section is different. But it answers one of the most asked questions. I added this as the second paragraph to Section 4: The approach presented in this section is not normative. This section answers how a configuration containing secrets that are encrypted by a built-in key (<xref target="built-ins"/>) can be backup'ed from one server and restored on a different server, when each server has unique master keys. The API defined by the "ietf-keystore" YANG module presented in this document is sufficient to support the workflow described in this section. > Section 4.1, “If a KEK is a symmetric key, then the server MUST provide an API > for administrators to encrypt other keys without needing to know the symmetric > key's value.” > > -- When in the backup and restore process is the administrator using this API > and what is the relationship between it’s use and the YANG module? I observe > that the API in question isn’t labeled (in a way I recognized) in the workflow > diagram in Section 4.3. Perhaps the administrator is constructing a YANG-based > configuration by hand and using this API to encrypt a key? > > -- Is the expectation that this API is accessible over the network? Can the > admin only invoke it locally? Are there any controls expected to govern who > gets to invoke this mandatory API? > > -- Is the “server” here the NETCONF/RESTCONF server? Does it have to be? I > ask because this text says, “the server”. However, Section 4.2 allows for > generation+encryption “outside of the server” My previous response leans into this a bit saying "The API defined by the 'ietf-keystore' YANG module presented in this document is sufficient…”. But For clarity, the sequence of steps might be: - Crypto officer generates a clear-text private key - both the “ssh-client-server” and the “tls-client-esrver” drafts define a `generate-asymmetric-key-pair()` RPC enabling this creation. - Crypto officer stores the clear-text private key in a safe - e.g., on a dedicated air-gapped laptop - Regular admin decides to bring Server1 online - Regular admin sends Server1’s MK pub-key to Crypto officer - Crypto officer encrypts the clear-text private key using Server1’s MK - using CMS’s “EnvelopedData” (per the “crypto-types” draft) - this is a local operation (no NETCONF or RESTCONF API used) - Crypto officer sends the encrypted private key to Regular admin - this is KEK1 - Regular admin configures KEK1 on Server1 - using the “keystore” API defined in this draft - Regular admin configures the rest of Server1’s config, - including other keys encrypted with KEK1 - using a combination of standard NETCONF/RESTCONF commands and the “keystore” API defined in this draft - Regular admin backups Server1’s configuration - using standard NETCONF/RESTCONF commands - Server1’s power supply shorts, frying the board, it’s dead. - Regular admin decides to bring Server2 online - Regular admin sends Server2’s MK pub-key to Crypto officer - Crypto officer encrypts the clear-text private key using Server2’s MK - using CMS’s “EnvelopedData” (per the “crypto-types” draft) - this is a local operation (no NETCONF or RESTCONF API used) - Crypto officer sends the encrypted private key to Regular admin - this is KEK2 - Regular admin restores Server1’s configuration on Server2 - using standard NETCONF/RESTCONF commands - but this doesn’t work since Server2 can’t decrypt KEK1 - Regular admin configures KEK2 on Server2 (overwriting KEK1) - using the “keystore” API defined in this draft - now Server2 can decrypt KEK2 and the device works again Makes sense? Yes, “server” is always a NETCONF or RESTCONF server. The “outside the server” bit regards local operations that a Crypto Officer performs (e.g., using the OpenSSL API). > Section 4.2, “Implementations SHOULD provide an API that simultaneously > generates and encrypts a key (symmetric or asymmetric) using a KEK. > > -- (related to the above) Implementations of what? Is this normative guidance > for NETCONF/RESTCONF server now provide additional functionality? A couple small updates: OLD: Implementations SHOULD NEW: Implementations of servers implementing the "ietf-keystore” module SHOULD I also added to the end of that paragraph this (hopefully helpful) forward-reference: Such API is defined in the "ietf-ssh-common" and the "ietf-tls-common" YANG modules defined in <xref target="I-D.ietf-netconf-ssh-client-server"/>, and <xref target="I-D.ietf-netconf-tls-client-server"/>, respectively. > ** Section 5.1. > In order to satisfy the expectations of a "keystore", it is > RECOMMENDED that implementations ensure that the keystore contents > are encrypted when persisted to non-volatile memory. > > If this recommendation is NOT followed how would this expectation be satisfied. > Wouldn’t ensuring that the keystore is encrypted be mandatory? Especially if > cleartext passwords are used? Good point. I added these two paragraphs the the end of Section 5.1: The keystore contents may be encrypted either by encrypting the contents individually (e.g., using the "encrypted” value formats) or, in case cleartext values are used (which is NOT RECOMMENDED per <xref section="3.5" target="I-D.ietf-netconf-crypto-types"/>), then, e.g., disk-level encryption may be used. If the keystore contents are not encrypted when persisted, then server implementations MUST ensure the persisted storage is inaccessible. Clearer? > ---------------------------------------------------------------------- > COMMENT: > ---------------------------------------------------------------------- > > Thank you to Sandra Murphy for the IETF LC SECDIR review and Magnus Nyström for > the early SECDIR review. > > Thanks for the explanation on the Section 4.* crytpo API. I recommend adding > clarifying language to the effect of the details and authorization model > associated with this API is out of scope for this document. I’m trying to understand this comment. I even went back to my response I sent to you on Jan 31. I don’t understand. Perhaps this comment is a hold-over from the misunderstanding expressed above regarding the needed API. My impression is that you thought it was an API defined outside of this document when, in fact, it is the API defined by this document (in YANG) and, as such, subject to the authorizations given by the NACM layer. With that misunderstanding resolved, do you see how I’m unsure how your comment applies? On a side-note, I did update the "generate-asymmetric-key-pair" RPCs to return the location to where hidden keys are created. This was the “bug” I reported finding in my Jan 31 email. > Thanks for addressing my other DISCUSS and COMMENT feedback. Thank you! Kent
- [netconf] Roman Danyliw's Discuss on draft-ietf-n… Roman Danyliw via Datatracker
- Re: [netconf] Roman Danyliw's Discuss on draft-ie… Kent Watsen
- Re: [netconf] Roman Danyliw's Discuss on draft-ie… Roman Danyliw