IETF Logo Mail Archive

Re: [Netconf] zerotouch issues found while preparing -20

Kent Watsen <kwatsen@juniper.net> Thu, 22 February 2018 23:16 UTC

Return-Path: <kwatsen@juniper.net>
X-Original-To: netconf@ietfa.amsl.com
Delivered-To: netconf@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 9558F126B6D for <netconf@ietfa.amsl.com>; Thu, 22 Feb 2018 15:16:14 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.7
X-Spam-Level:
X-Spam-Status: No, score=-2.7 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=juniper.net
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 6ufzKhuSZ3or for <netconf@ietfa.amsl.com>; Thu, 22 Feb 2018 15:16:12 -0800 (PST)
Received: from mx0a-00273201.pphosted.com (mx0a-00273201.pphosted.com [208.84.65.16]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 2F2E5124207 for <netconf@ietf.org>; Thu, 22 Feb 2018 15:16:12 -0800 (PST)
Received: from pps.filterd (m0108159.ppops.net [127.0.0.1]) by mx0a-00273201.pphosted.com (8.16.0.22/8.16.0.22) with SMTP id w1MNEhAk018293; Thu, 22 Feb 2018 15:16:11 -0800
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=juniper.net; h=from : to : cc : subject : date : message-id : references : in-reply-to : content-type : content-id : content-transfer-encoding : mime-version; s=PPS1017; bh=maiM0pvd14Z/PbygdmY18jRm3GohsEGwezj7jAtUk98=; b=yckIr0ZkSyn5ykGGKpve4ngI8gY5w/SVe3msI1CN7KMpCsz+1+kfNl/2I5h/Ucie7cF/ 0vuuaetF4/uJBHTNFByVCdJXTMDXlLdCrMGZRk4uOQoGG3q27Okz4M+1ub1EWtKEAgUZ /4QLFc5itJfdkfoI94+n7i9Jj1pFn/Kq2xqwlpLIwpAGfvhXcbX2Bqv7ER6J4JeV7kb9 NzYgDcvHE7WXsCwSUyARRYeg5rEEBwW/Zt6B4/GBLPwUQa3uuszs3hkhoukxRiaRBHw7 ESLn/Kq9l2bhjSTAwuFJ9ueT90ov6F+xDu3UEkzF2uGlgK83HsRTtg/1vJisRCY7ajcy wA==
Received: from nam03-co1-obe.outbound.protection.outlook.com (mail-co1nam03lp0015.outbound.protection.outlook.com [216.32.181.15]) by mx0a-00273201.pphosted.com with ESMTP id 2ga7bgg04x-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-SHA384 bits=256 verify=NOT); Thu, 22 Feb 2018 15:16:10 -0800
Received: from DM5PR05MB3484.namprd05.prod.outlook.com (10.174.240.147) by DM5PR05MB3353.namprd05.prod.outlook.com (10.174.191.142) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.548.6; Thu, 22 Feb 2018 23:16:09 +0000
Received: from DM5PR05MB3484.namprd05.prod.outlook.com ([fe80::507:f464:b89a:c64b]) by DM5PR05MB3484.namprd05.prod.outlook.com ([fe80::507:f464:b89a:c64b%3]) with mapi id 15.20.0548.005; Thu, 22 Feb 2018 23:16:09 +0000
From: Kent Watsen <kwatsen@juniper.net>
To: Mahesh Jethanandani <mjethanandani@gmail.com>
CC: "netconf@ietf.org" <netconf@ietf.org>
Thread-Topic: [Netconf] zerotouch issues found while preparing -20
Thread-Index: AQHTlyuJU12+v6DK80a7U7VvcTdjHqOLeMKAgAWZ7QCAH9FlAA==
Date: Thu, 22 Feb 2018 23:16:09 +0000
Message-ID: <321056A5-5095-417E-8FCC-05402A77C7BD@juniper.net>
References: <EB9ED782-BAAF-44EF-9191-C31B76266208@juniper.net> <D1D48535-0755-4CC3-9D63-DFC25298421D@gmail.com> <1BB82558-FBF3-4359-BE23-A1F5F60F8E88@juniper.net>
In-Reply-To: <1BB82558-FBF3-4359-BE23-A1F5F60F8E88@juniper.net>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
user-agent: Microsoft-MacOutlook/f.20.0.170309
x-originating-ip: [66.129.241.11]
x-ms-publictraffictype: Email
x-microsoft-exchange-diagnostics: 1; DM5PR05MB3353; 7:y4/RFUnE441RjJfqRFL3WuhE+/+Uyh9y6mBrj24oa/2WcA8aZZWJl//Vek8mpoMfK9zrW3ChYIVS0PrL2mcI0pUab/kqVC7luT5pLmXE43cyxJYlTRPl9/IAoiMpcxnKO77zw+ataugBjOZq/V1KPlE1AqWPLlGa3QDInUM3Rxndzs2W/9xeqGvulxzOfHnBkIhPd8EUd97AcnyO+qKrztSjpdSKHoPx3ZGNpERTVBdIjHy2DxEExNzFCPAyLkpS
x-ms-exchange-antispam-srfa-diagnostics: SSOS;
x-ms-office365-filtering-ht: Tenant
x-ms-office365-filtering-correlation-id: ad1ed092-ce9a-485e-b550-08d57a4a41b7
x-microsoft-antispam: UriScan:; BCL:0; PCL:0; RULEID:(7020095)(4652020)(48565401081)(4534165)(4627221)(201703031133081)(201702281549075)(5600026)(4604075)(3008032)(2017052603307)(7153060)(7193020); SRVR:DM5PR05MB3353;
x-ms-traffictypediagnostic: DM5PR05MB3353:
x-microsoft-antispam-prvs: <DM5PR05MB3353F5F8E2211A2B1C9457ACA5CD0@DM5PR05MB3353.namprd05.prod.outlook.com>
x-exchange-antispam-report-test: UriScan:(158342451672863)(10436049006162)(166708455590820)(192374486261705);
x-exchange-antispam-report-cfa-test: BCL:0; PCL:0; RULEID:(8211001082)(6040501)(2401047)(5005006)(8121501046)(3002001)(10201501046)(93006095)(93001095)(3231166)(944501161)(52105095)(6055026)(6041288)(20161123564045)(20161123560045)(20161123562045)(20161123558120)(201703131423095)(201702281528075)(20161123555045)(201703061421075)(201703061406153)(6072148)(201708071742011); SRVR:DM5PR05MB3353; BCL:0; PCL:0; RULEID:; SRVR:DM5PR05MB3353;
x-forefront-prvs: 059185FE08
x-forefront-antispam-report: SFV:NSPM; SFS:(10019020)(346002)(376002)(39380400002)(366004)(396003)(39860400002)(189003)(199004)(6436002)(6486002)(58126008)(316002)(25786009)(82746002)(102836004)(53936002)(4326008)(36756003)(26005)(229853002)(6346003)(186003)(478600001)(68736007)(6916009)(6506007)(59450400001)(83716003)(33656002)(2950100002)(105586002)(14454004)(6512007)(6306002)(1411001)(76176011)(99286004)(106356001)(6246003)(551544002)(966005)(86362001)(3660700001)(2900100001)(3280700002)(8676002)(5250100002)(5660300001)(575784001)(66066001)(3846002)(6116002)(7736002)(2906002)(39060400002)(81166006)(81156014)(8936002)(305945005)(97736004); DIR:OUT; SFP:1102; SCL:1; SRVR:DM5PR05MB3353; H:DM5PR05MB3484.namprd05.prod.outlook.com; FPR:; SPF:None; PTR:InfoNoRecords; MX:1; A:1; LANG:en;
received-spf: None (protection.outlook.com: juniper.net does not designate permitted sender hosts)
x-microsoft-antispam-message-info: 3p9TSHIYS5mUWIaGU0x4KXHvq0gXviJrB+jV+wq/AwDa7mq3XZO7wYYlmuVqc+Xj4Vg3l030o8AqwZ1E9h5Ht0uyC+H+qLHnzHvpBBU7cdIPaEJo5Qp2FR35UtYGHea0vB606Y3Oylahf8+aGXXedy4VaiC/2mV9IkLlFkpTtlU=
spamdiagnosticoutput: 1:99
spamdiagnosticmetadata: NSPM
Content-Type: text/plain; charset="utf-8"
Content-ID: <7B763209F171A04ABDF15C25DC436178@namprd05.prod.outlook.com>
Content-Transfer-Encoding: base64
MIME-Version: 1.0
X-OriginatorOrg: juniper.net
X-MS-Exchange-CrossTenant-Network-Message-Id: ad1ed092-ce9a-485e-b550-08d57a4a41b7
X-MS-Exchange-CrossTenant-originalarrivaltime: 22 Feb 2018 23:16:09.0319 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: bea78b3c-4cdb-4130-854a-1d193232e5f4
X-MS-Exchange-Transport-CrossTenantHeadersStamped: DM5PR05MB3353
X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10432:, , definitions=2018-02-22_09:, , signatures=0
X-Proofpoint-Spam-Details: rule=outbound_spam_notspam policy=outbound_spam score=0 priorityscore=1501 malwarescore=0 suspectscore=0 phishscore=0 bulkscore=0 spamscore=0 clxscore=1015 lowpriorityscore=0 mlxscore=0 impostorscore=0 mlxlogscore=999 adultscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.0.1-1711220000 definitions=main-1802220289
Archived-At: <https://mailarchive.ietf.org/arch/msg/netconf/Cmueg9yTzPg-HrvVLAFyy3kgycw>
Subject: Re: [Netconf] zerotouch issues found while preparing -20
X-BeenThere: netconf@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Network Configuration WG mailing list <netconf.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/netconf>, <mailto:netconf-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/netconf/>
List-Post: <mailto:netconf@ietf.org>
List-Help: <mailto:netconf-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/netconf>, <mailto:netconf-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 22 Feb 2018 23:16:14 -0000

Finally responding to the point #2 below regarding relaxing to IDevID requirement, here's the git commit that does it:

  https://github.com/netconf-wg/zero-touch/commit/00330bda813bf45bfdfedc077d8de5f6d99e0e7c

Unfortunately, this update also captures a little bit of me converting the normative module "ietf-zerotouch-device" to non-normative module called "example-zerotouch-device".  Please ignore.

Unless there are any objections, I'll merge this branch into master for the -20 update as well.

Thanks,
Kent  // author


===== original message =====

Hi Mahesh,

>> Separately, here are a couple other things we might consider doing:
>> 
>> 1) move from PKCS7 to CMS (RFC5652).   CMS is IETF's version of PKCS7.
>> It's practically identical.  The IESG requested this change when the
>> anima-voucher draft went through its IETF Last Call, and so I expect
>> the same change will be requested for this draft as well.
>
> As shepherd of the document, I would prefer that this be addressed 
> now than wait for a IESG request. 
>
> How big a change is this? And what are the differences between CMS and
> PKCS7? Are there any backward compatibility implications?

For the most part, it is a global search and replace.  But, like with the
voucher draft, we will want some language allowing cmsVersion=1, which 
signals that it's actually the legacy PKCS7 format.   We'll also likely 
need to define an OID in the SMI Security for S/MIME CMS Content Type 
Registry, something like "id-ct-zerotouch-information+json".  Lastly,
I'll want to update my tools to process CMS files, to ensure there are
no gotchas that we're not thinking about.


Okay, I'll start looking into this.


>> 2) modify the draft's statement that devices MUST send an IDevID 
>> certificate to one that says devices MUST send an IDevID certificate
>> and/or HTTP-level authentication.   This wording is consistent with
>> RFC 8040 Section 2.5 and, by allowing HTTP-level authentication, it
>> will better represent products shipping by a number of vendors,
>> whereby the installer can, for instance, type in a password into
>> the device while it's booting.  This appears to be a popular
>> low-barrier choice, as implementing IDevID is not easy.
>
> As a contributor I would be ok with RFC 8040 wording.
>
> As a shepherd, how big is the change? Also what is the impact on
> security? Does the Security Consideration section need to be updated?

Hmmm, the IDevID language is engrained.   The certificate and private
key show up in the "Initial State" diagram [1].  The Security Considerations
section would need to be updated.  Importantly, we'd have to say that, if
other credentials are used, they MUST uniquely identify the device.  For
instance, the "username" should be the device's serial-number.  Furthermore,
for provisional connections to an untrusted server, we'd have to explain
that no password should be sent in this case.

[1] https://urldefense.proofpoint.com/v2/url?u=https-3A__tools.ietf.org_html_draft-2Dietf-2Dnetconf-2Dzerotouch-2D19-23section-2D5.1&d=DwICAg&c=HAkYuh63rsuhr6Scbfh0UjBXeMK-ndb3voDTXcWzoCI&r=9zkP0xnJUvZGJ9EPoOH7Yhqn2gsBYaGTvjISlaJdcZo&m=vV_Z0ZP3DUf7QDUoYY7GKCDzTslbnJ7ZMEbMRdmcg3w&s=abEL52lwlT6fgx7lZOeYdlJCj-8m009-svd0Q9c-8wg&e=

I could do this in a branch, if it helps.

Kent



_______________________________________________
Netconf mailing list
Netconf@ietf.org
https://urldefense.proofpoint.com/v2/url?u=https-3A__www.ietf.org_mailman_listinfo_netconf&d=DwICAg&c=HAkYuh63rsuhr6Scbfh0UjBXeMK-ndb3voDTXcWzoCI&r=9zkP0xnJUvZGJ9EPoOH7Yhqn2gsBYaGTvjISlaJdcZo&m=vV_Z0ZP3DUf7QDUoYY7GKCDzTslbnJ7ZMEbMRdmcg3w&s=g_m4WDMK_wYxHTpWPMZDWEuYA9YyM_DmgqXMCsMVIw4&e=

v2.23.0 | Report a Bug | By Email