Re: [netconf] ietf crypto types - permanently hidden

Andy Bierman <andy@yumaworks.com> Wed, 01 May 2019 16:19 UTC

Return-Path: <andy@yumaworks.com>
X-Original-To: netconf@ietfa.amsl.com
Delivered-To: netconf@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id BEA1612011A for <netconf@ietfa.amsl.com>; Wed, 1 May 2019 09:19:54 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Level:
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=yumaworks-com.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id SZu-xwlzNDmW for <netconf@ietfa.amsl.com>; Wed, 1 May 2019 09:19:52 -0700 (PDT)
Received: from mail-lj1-x233.google.com (mail-lj1-x233.google.com [IPv6:2a00:1450:4864:20::233]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id C347D1200D5 for <netconf@ietf.org>; Wed, 1 May 2019 09:19:51 -0700 (PDT)
Received: by mail-lj1-x233.google.com with SMTP id z26so15903236ljj.2 for <netconf@ietf.org>; Wed, 01 May 2019 09:19:51 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=yumaworks-com.20150623.gappssmtp.com; s=20150623; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=up/c/5eSagQAiB8Rn+M3orN62nDFUpoByFCcyujY0Ko=; b=lQZfMhlZaVmBxCLZhvmMACwAKMs18HL6DF4bBOgI1/m8L9yJcGeTW5VCCRcKD9E70P gop+5zuQFAKy2C8MujB2+KJNdAmIHqB0pc5zIp4Xmcr57TO8JaoTwQdJ8be2BZghG237 lAlzzxDcUFIIaz8/w6rAwj4oLxk3SFe0saUGXAsqFYVmS0OXwWiCng/4t29h4GlaytW+ yNnb4IE3BFyoDTfaWkzEa8cEkf5c5ZSbnsMWpvxSkK9AO9LQP0/9om84rhZwm+zngAk5 Aznmn2vUlJgVxs1jDZ3Bw13UXtzHGQU6gUDy+MS8w0RIXHLYd86e0WNC85P/E0tcW0v1 O5Yw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=up/c/5eSagQAiB8Rn+M3orN62nDFUpoByFCcyujY0Ko=; b=gvLU3XiB9c+Z2ycjSQwiJwjhwXF5CzuSpxMIIEcrGTpoMwc7Tfqg/bsg8w5MenadN7 bW1SNeBQSaz6HmL1/MCRlKmyPjbC5+N3ZPss8JJHnF00DipoWcw4aS/Z4jo5zXkuc7Vb KZi/DM/xmlVSMeyTuJXB+MkmKCjeRm8PbxWT+fZfHHZ2Mtra0R/YN3ce52q8iTmaB5rr UudYJf62V/2wi6PQyVZTX8f2mMZGW7SkQxs7JAgXuFHxOSXjLuDmugvYaJV78vzki5ki Ka0tvgI/FEprxemgcGGR+sRl7ifxN8PsJKg7lOCjWh9/X7J193u7HP6ARmARGFytXeHU sWhg==
X-Gm-Message-State: APjAAAVvhB2IjRIVAjE/0hBxz96QuFxFSnh2vJ5RI4wgDVSnUIMN/PBR nQPoC4G7cN/i3qdTmw+Ov7EaondTNS5E99RaUV1YoQ==
X-Google-Smtp-Source: APXvYqxgmMY5WjI/Ho5UzpgWdQmFDLIaPT460zeyDusp2+/L8v7JCqElDZ8xLji7QNQ9UPzsRZ9ucqquuu4yAsmHsW4=
X-Received: by 2002:a2e:9855:: with SMTP id e21mr5287362ljj.180.1556727589742; Wed, 01 May 2019 09:19:49 -0700 (PDT)
MIME-Version: 1.0
References: <0100016a69e36565-37279712-e5de-4c48-9a8a-7397d54c11b3-000000@email.amazonses.com> <VI1PR07MB47353B20AF138B5B8B702285833A0@VI1PR07MB4735.eurprd07.prod.outlook.com> <0100016a6e2130be-ee556dd0-e993-459f-be28-65fe1f74ece8-000000@email.amazonses.com> <20190430.144930.844252169549242587.mbj@tail-f.com> <0100016a6f64a438-50e97747-d12b-429b-8147-8bf6ed82bdac-000000@email.amazonses.com> <acef56d17fc64102ae24bb8fcb8c828d@XCH-RCD-007.cisco.com>
In-Reply-To: <acef56d17fc64102ae24bb8fcb8c828d@XCH-RCD-007.cisco.com>
From: Andy Bierman <andy@yumaworks.com>
Date: Wed, 1 May 2019 09:19:38 -0700
Message-ID: <CABCOCHS=mETbXUNm4pC45HPLtLu-r6QfX6xQAWCGxb7jfR19_w@mail.gmail.com>
To: "Rob Wilton (rwilton)" <rwilton@cisco.com>
Cc: Kent Watsen <kent+ietf@watsen.net>, "netconf@ietf.org" <netconf@ietf.org>
Content-Type: multipart/alternative; boundary="000000000000fffc250587d5e291"
Archived-At: <https://mailarchive.ietf.org/arch/msg/netconf/E_zgIj_3z7F1gkC-8kqRqwbev_Y>
Subject: Re: [netconf] ietf crypto types - permanently hidden
X-BeenThere: netconf@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: NETCONF WG list <netconf.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/netconf>, <mailto:netconf-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/netconf/>
List-Post: <mailto:netconf@ietf.org>
List-Help: <mailto:netconf-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/netconf>, <mailto:netconf-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 01 May 2019 16:19:55 -0000

On Wed, May 1, 2019 at 3:17 AM Rob Wilton (rwilton) <rwilton@cisco.com>;
wrote:

> Hi Kent,
>
>
>
> I’m slightly lost here, so my comments may not be that helpful 😊
>
>
>
> I don’t understand why do we need an explicit action to create/install the
> key?  In particular, why can’t there just be a regular (intend based)
> configuration leaf that is “use-system-defined-key”?  The key values could
> be reported in <intended> and/or <operational>, suitably protected via
> NACM, or they could be kept entirely hidden.
>
>
>
> I also agree with Martin/Andy that it is highly desirable to allow a
> device to be configured with a single configuration input file, provided
> from <startup> or <edit-config|data>.  I think that anything that would
> require, or encourage, multiple RPC interactions to setup the device would
> seem to be a big backwards step in terms of device management.
>
>
>
> I’m not opposed to RPCs or actions to manage hidden keys on the device if:
>
> (i)               these don’t get written to <running> (because they are
> not regular configuration), and
>
> (ii)              there is a sensible/secure mechanism to configure the
> device without requiring any extra RPCs/actions to configure the device.
> I.e. the RPCs/actions should only be used for exceptional management of the
> keys on the device.
>
>
The document-oriented configuration came from a requirement identified
at the IAB Network Management Workshop (way back when).
It is critical for rebooting, swapping out a defective device, etc.

This seems to be a good test for whether NMDA is useful as designed.
It seems obvious that something has to be stored in <running> and
then transformed as it is applied to <intended>.

I don't see how an action or RPC approach meets the operator requirements
identified in RFC 3535.

The "server created config" problem could be viewed as an access control
problem.
There are proprietary YANG extensions that implement this approach.


>
> Thanks,
> Rob
>
>
>

Andy


>
>
> *From:* netconf <netconf-bounces@ietf.org>; *On Behalf Of *Kent Watsen
> *Sent:* 30 April 2019 18:57
> *To:* Martin Bjorklund <mbj@tail-f.com>;
> *Cc:* netconf@ietf.org
> *Subject:* Re: [netconf] ietf crypto types - permanently hidden
>
>
>
>
>
>
>
> I (still) object to this.  Actions shouldn't create config.  We
>
> already have generic protcol operations to do this.  We go from a
> document-oriented configuration model towards a command-oriented
> model.  Not good.  In RESTCONF, the generic methods support things
> like ETags, which I suspect you don't want to replicate in this
> action?   Will the action support all error-options of edit-config,
> like rollback-on-error?
>
>
>
> The specifics for how this could work would need to be defined.  Given
> that it is a special case, I think that we could constrain it heavily and
> target simple solution.   Depending how much text is required to describe
> it, it might be good to define an extension statement that could be placed
> on the actions.  While an extension statement may seem like it opens the
> gates for general use, we could further define the extension statement as
> being something that MUST NOT be used when general purpose operations are
> suitable such that, at least with the IETF, it could only be used in
> extraordinary circumstances.
>
>
>
>
>
> Some comments on the new text:
>
> In action generate-hidden-key, it should be stated that the public-key
> will be populated, and that the private-key will exist but report
> 'permanently-hidden'.
>
>
>
> Okay, but before making the edit, see comment below about lifetimes...
>
>
>
>
>
>
>
> In action install-hidden-key, shouldn't both public-key and
> private-key be mandatory?  Also state that the private-key will report
> 'permanently-hidden'.
>
>
>
> Indeed, fixed.
>
>
>
>
>
> In leaf private-key, the type binary part of the union doesn't have a
> description, and the description for the leaf itself says:
>
>       A binary that contains the value of the private key.
>
> which is not quite correct.
>
> I think we should state that the enum 'permanently-hidden' is only
> reported in operational state.
>
>
>
> The 'type' statement doesn't have 'description' as a substatement,
>
> but, point taken, two updates:
>
>
>
> In leaf private-key:
>
>   OLD:
>
>       A binary that contains the value of the private key.
>
>   NEW:
>
>       Either a binary that contains the value of the private key or, in
>
>       the case of a hidden key, the value 'permanently-hidden'.
>
>
>
> In enum permanently-hidden:
>
>   OLD:
>
>        The private key is inaccessible due to being protected by the
>
>        system (e.g., a cryptographic hardware module).
>   NEW:
>
>        The private key is inaccessible due to being protected by the
>
>        system (e.g., a cryptographic hardware module).  Since hidden
>
>        keys are only ever reported in <operational>, the value
>
>        'permanently-hidden' never appears in <intended>.
>
>
>
>
>
> The new descriptions say:
>
>            [...] present only in
>            <operational> and bound to the lifetime of the parent
>            'config true' node.
>
> Aren't all nodes bound to the lifetime of their parent?
> The action is invoked in a node that exists in <operational> and it
> creates a key.  What does the statement tell me?
>
>
>
> This seems like something new (and maybe wrong) and hence needs to be
> explained.  This seems new because we are saying that the lifetime of an
> operational value is tied to the lifetime of a configured value.  Normally
> we talk about how operational values exist on their own and that, if one
> wants to override/extend them (e.g., associate a certificate to the private
> key created by the manufacturer), configuration would overlay the
> operational values.  By extension, if the configuration is removed, the
> operational values go back to their original state (i.e., existing on their
> own).   Here we're saying that, if the configuration (for the parent node)
> is removed, the operational values are removed as well.
>
>
>
> Note that this statement was added because Juergen asked about how hidden
> keys could be removed/replaced.   We iterated towards not wanting to
> support the "replace" case, and this seemed like an easy way to handle the
> "remove" case.  Another way to do this would be via another action such as
> 'remove-hidden-key'.   What do you think would be best?
>
>
>
>
>
> Kent // contributor
>
>
> _______________________________________________
> netconf mailing list
> netconf@ietf.org
> https://www.ietf.org/mailman/listinfo/netconf
>