IETF Logo Mail Archive

Re: [Netconf] Mandatory local configuration in Keystore groupings

Kent Watsen <kwatsen@juniper.net> Mon, 27 August 2018 23:48 UTC

Return-Path: <kwatsen@juniper.net>
X-Original-To: netconf@ietfa.amsl.com
Delivered-To: netconf@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 7319B130E60 for <netconf@ietfa.amsl.com>; Mon, 27 Aug 2018 16:48:44 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.711
X-Spam-Level:
X-Spam-Status: No, score=-2.711 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001, T_DKIMWL_WL_HIGH=-0.01] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=juniper.net
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id k-dT0qIGf5gg for <netconf@ietfa.amsl.com>; Mon, 27 Aug 2018 16:48:41 -0700 (PDT)
Received: from mx0b-00273201.pphosted.com (mx0b-00273201.pphosted.com [67.231.152.164]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id C79A8130DDD for <netconf@ietf.org>; Mon, 27 Aug 2018 16:48:39 -0700 (PDT)
Received: from pps.filterd (m0108162.ppops.net [127.0.0.1]) by mx0b-00273201.pphosted.com (8.16.0.22/8.16.0.22) with SMTP id w7RNkOIH031098; Mon, 27 Aug 2018 16:48:38 -0700
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=juniper.net; h=from : to : cc : subject : date : message-id : references : in-reply-to : content-type : content-id : content-transfer-encoding : mime-version; s=PPS1017; bh=KovgiKmSxhsEAddAbZTFfZEZky1SMLTOxZ6rWFrXfB0=; b=OBuJQEuMmt45b8k8WAYFv8POGCGSfh0FcmwqTO40QD8QQq1PBMjjuci6lmpRRGAO6fvV iOjD4IiRr6aAs75cCGwRHBdRAqxv51nLinqY8yPk4s6BML5zqAnen59zXEmpBB7Lx8LU +JwVeNnL1GIERupxIEqRHCBSd2t2OA7DZCJUxCreAilRLm5rWvxdFH6ePZYE7gAYGEit Vkpa61/9qr75VUjjmyWaWgY6IyNvHZSQQSxaMx/5YsDomdfn7OeujcphVUORLBxZ7EV9 IaUb/pS5NEixmzCx9/f5p6/DOGpHnnY2AOew7oStZM/Ht3Sg6Jc7pkA0Uq5V3cihORJl TQ==
Received: from nam03-co1-obe.outbound.protection.outlook.com (mail-co1nam03lp0021.outbound.protection.outlook.com [216.32.181.21]) by mx0b-00273201.pphosted.com with ESMTP id 2m4t7x02jx-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-SHA384 bits=256 verify=NOT); Mon, 27 Aug 2018 16:48:38 -0700
Received: from DM6PR05MB4665.namprd05.prod.outlook.com (20.176.109.202) by DM6PR05MB4841.namprd05.prod.outlook.com (20.176.112.10) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.1101.7; Mon, 27 Aug 2018 23:48:35 +0000
Received: from DM6PR05MB4665.namprd05.prod.outlook.com ([fe80::544a:dd4d:9524:9e6d]) by DM6PR05MB4665.namprd05.prod.outlook.com ([fe80::544a:dd4d:9524:9e6d%3]) with mapi id 15.20.1101.007; Mon, 27 Aug 2018 23:48:35 +0000
From: Kent Watsen <kwatsen@juniper.net>
To: Martin Bjorklund <mbj@tail-f.com>
CC: "netconf@ietf.org" <netconf@ietf.org>
Thread-Topic: [Netconf] Mandatory local configuration in Keystore groupings
Thread-Index: AQHUE4rJV5t3ZASQT0G65kk51KFdjKSAiWUAgEnK74CAACpJAIABPX8AgAOrEACABC+ZAIAAwASA
Date: Mon, 27 Aug 2018 23:48:35 +0000
Message-ID: <AD108D78-8E5D-429B-AFA9-8C84430F5186@juniper.net>
References: <AF6441A6-CFE4-470C-991D-AF9ACE46C648@juniper.net> <20180822.102452.1792964591006331128.mbj@tail-f.com> <28C3C2C7-22BE-4425-A26C-4A777FA68A95@juniper.net> <20180827.102118.630809612057220140.mbj@tail-f.com>
In-Reply-To: <20180827.102118.630809612057220140.mbj@tail-f.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
user-agent: Microsoft-MacOutlook/f.20.0.170309
x-originating-ip: [193.110.55.13]
x-ms-publictraffictype: Email
x-microsoft-exchange-diagnostics: 1; DM6PR05MB4841; 6:Y1cdXslzmuyBSIz0iY2iaa+fUY9qUYyaKpul7LV/63G0iLSSHzH1m8TjHqyGQWcB5YROliyyE/jFEM1BoqdA6N8COJ0WVSxQM2sY4Dq1wx+SAIQQHFhMI9lYvzEQ8tmTdjto1L4pJZPNT+j9I5JqFPDMe3KY2ZgGlDIvCoFR/1+JYJkJF3dqseXcl1kPZEkOiHRwPrc/yL72onEDgYsGwujLnIMVSa8VvpO6KkHmgYcLX10vSOXcOH+JrtNQJgDQzc3mAyK39Xy1rJhSWW+1enqO2bLVpHLN2o8Kf5Uw/onC3fDDwwlmQXNuvmSHRdp+nuFGclIGis80OQ6wtnAiOdiTttq3mCh5DPNblmRZTIehInYREOBHnJiA+PKxTGFo4adxzicFzbyy7j8wa1+pDsXxBaPwhTZZT3MPLIME3xvB0UD0Duxr4hlZePD/5n9OW6SXF+MGVX7CzDSY2F/ZWQ==; 5:CyVmIpBG6Kx7KV12L/51QHkgoFMRtS0LTW0wazWzVwtopXVmEQjD/Pdinpe/FkL+/HAk2nPGWhl/3/s/mGGd0e/PaErKrQgvz4bXLQobdqqH94gVl0ZVNakgY32QfncN6qoSFBh18OCPfbD/ZNWfAhxRVrvMQPNJ5L7VMjO4zo4=; 7:DvaN40sFlpi8adb9stFKUYdMQvuu649i9Nx62bouvv8UPizRba4G5D9xzd6vaNWs1uPqDPpJnx8CHAbsdg11koKrV/nNZC5N+u4t6BBl7qdP3yRbN2IIdZk4HCKKV6lYQrmsuHQZn3fhbe/8AJi6jjreQR9tN33wVa2Wj6wSUS0I9k9DLU7qyfVkmdz7jWc1f3lu7fjMQVPRNBCBZws3DO3Xh7YtRa39IDj3vTYFHokSOEkctCCh5BRue9Jxa+8c
x-ms-exchange-antispam-srfa-diagnostics: SOS;
x-ms-office365-filtering-correlation-id: 063ba143-482c-4593-e93b-08d60c779ae1
x-ms-office365-filtering-ht: Tenant
x-microsoft-antispam: BCL:0; PCL:0; RULEID:(7020095)(4652040)(8989137)(4534165)(4627221)(201703031133081)(201702281549075)(8990107)(5600074)(711020)(4618075)(2017052603328)(7153060)(7193020); SRVR:DM6PR05MB4841;
x-ms-traffictypediagnostic: DM6PR05MB4841:
x-microsoft-antispam-prvs: <DM6PR05MB48413A14073E26DB3FA7C2BAA50B0@DM6PR05MB4841.namprd05.prod.outlook.com>
x-exchange-antispam-report-test: UriScan:(788757137089);
x-ms-exchange-senderadcheck: 1
x-exchange-antispam-report-cfa-test: BCL:0; PCL:0; RULEID:(8211001083)(6040522)(2401047)(8121501046)(5005006)(10201501046)(3231311)(944501410)(52105095)(3002001)(93006095)(93001095)(6055026)(149027)(150027)(6041310)(201703131423095)(201702281528075)(20161123555045)(201703061421075)(201703061406153)(20161123562045)(20161123558120)(20161123560045)(20161123564045)(201708071742011)(7699049)(76991033); SRVR:DM6PR05MB4841; BCL:0; PCL:0; RULEID:; SRVR:DM6PR05MB4841;
x-forefront-prvs: 07778E4001
x-forefront-antispam-report: SFV:NSPM; SFS:(10019020)(39860400002)(396003)(346002)(376002)(136003)(366004)(199004)(189003)(51444003)(66066001)(6506007)(58126008)(486006)(86362001)(36756003)(26005)(83716003)(6346003)(478600001)(4326008)(106356001)(8676002)(186003)(105586002)(25786009)(7736002)(6116002)(5250100002)(2906002)(229853002)(68736007)(81166006)(82746002)(14454004)(11346002)(33656002)(53936002)(6246003)(3846002)(99286004)(5660300001)(81156014)(2616005)(93886005)(316002)(8936002)(97736004)(2900100001)(256004)(6486002)(6436002)(76176011)(6916009)(6512007)(476003)(102836004)(305945005)(14444005)(446003)(35224004); DIR:OUT; SFP:1102; SCL:1; SRVR:DM6PR05MB4841; H:DM6PR05MB4665.namprd05.prod.outlook.com; FPR:; SPF:None; LANG:en; PTR:InfoNoRecords; A:1; MX:1;
received-spf: None (protection.outlook.com: juniper.net does not designate permitted sender hosts)
x-microsoft-antispam-message-info: C1ExcTWbMTYzJevogrteUIj/kXXKfeSSBJJTo8lxt8fsx30+ZLckx4PLYnMLFx3KcZ+qHDHxVXKHMZYGqnF/UJ8U6tbshfIZyOvM1hd5rhm/g4BD0Sh3qWj4LiW8pD7FGHXwjm2XtKXVl/N1bk8dv9OPrZudsqOPFOVCasQETwq9+YK3pmR7DXqnvAKep3ztOMhiBxOCS71d6uaXsLT1vzQ0a7YxYE3v3Rkj46MWNd55B7eRJqcWvYzqGRpsdveTfMoQB6Jwwz+ZowEqJHyqYrjohN/IE18WmEYVeUgzz8Q/qCHblHwWze5CxrN7IMiEMKAeU1e5qXik+7qVElEbW6npedAgLATMPlatnv63CSI=
spamdiagnosticoutput: 1:99
spamdiagnosticmetadata: NSPM
Content-Type: text/plain; charset="utf-8"
Content-ID: <1C69AF5229926941B88675109FC2F340@namprd05.prod.outlook.com>
Content-Transfer-Encoding: base64
MIME-Version: 1.0
X-OriginatorOrg: juniper.net
X-MS-Exchange-CrossTenant-Network-Message-Id: 063ba143-482c-4593-e93b-08d60c779ae1
X-MS-Exchange-CrossTenant-originalarrivaltime: 27 Aug 2018 23:48:35.7860 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: bea78b3c-4cdb-4130-854a-1d193232e5f4
X-MS-Exchange-Transport-CrossTenantHeadersStamped: DM6PR05MB4841
X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10434:, , definitions=2018-08-27_10:, , signatures=0
X-Proofpoint-Spam-Details: rule=outbound_spam_notspam policy=outbound_spam score=0 priorityscore=1501 malwarescore=0 suspectscore=0 phishscore=0 bulkscore=0 spamscore=0 clxscore=1015 lowpriorityscore=0 mlxscore=0 impostorscore=0 mlxlogscore=999 adultscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.0.1-1807170000 definitions=main-1808270238
Archived-At: <https://mailarchive.ietf.org/arch/msg/netconf/EvO5rCCMTcQgRS8GMHB3ZSt74N0>
Subject: Re: [Netconf] Mandatory local configuration in Keystore groupings
X-BeenThere: netconf@ietf.org
X-Mailman-Version: 2.1.27
Precedence: list
List-Id: Network Configuration WG mailing list <netconf.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/netconf>, <mailto:netconf-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/netconf/>
List-Post: <mailto:netconf@ietf.org>
List-Help: <mailto:netconf-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/netconf>, <mailto:netconf-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 27 Aug 2018 23:48:45 -0000

 
> > BTW, all private keys should have nacm:default-deny-all.

Updated in my local copy.  Added to the "asymmetric-key-pair-grouping"
grouping, so all downstream users inherit it as well.



> I think that the operation "generate-asymmetric-key" only affects
> "permanently-hidden" keys, doesn't it?  If the client wants visible
> keys, it will configure them in the config datastores.

It wasn't so locked down before.  How about the following two changes?

1. Updated the action's description statement:

      action generate-asymmetric-key {
        description
          "Requests the device to generate an asymmetric key using
           the specified asymmetric key algorithm.  This action is
           used to request the system the generate a key that is
           'permanently-hidden', perhaps because it is protected
           by a cryptographic hardware module.  The resulting
           asymmetric key is considered operational state and
           hence present only in <operational>.";

2. updated the enum's description statement:

          enum "permanently-hidden" {
            description
             "The private key is inaccessible due to being
              protected by the system (e.g., a cryptographic
              hardware module).  It is not possible to 
              configure a permanently hidden key, as a real
              private key value must be set.  Permanently
              hidden keys cannot be archived or backed up.";
          }   



> > Regarding the name, s/hardware-protected/permanently-hidden/?
>
> I think this is better.

Okay, but maybe it should be just "hidden"?



>> Now you have me second-guessing this.  Maybe a device, without special
>> hardware, could present the illusion of a permanently-hidden private
>> key - it's completely inaccessible from the device's supported 
>> interfaces, though actually present on the filesystem.
>
> This is what I would like to support.

Okay.



>> >> Unsure what you mean.  Currently all these values are configurable.
>> >> Or are you trying to find a way to only "configure" them in 
>> >> <operational>?
>> >
>> > Yes, *if* my use case of not exposing the private keys is supported,
>> > then it would be useful to be able to generate the keys off-box, and
>> > install them into <operational>.
>> 
>> Hmmm, sounds like *configuration*, not something goes into <operational>.
>> 
>> And, even if you did, that doesn't mean the keys are permanently-hidden.
>> I suppose the model could let the client set that parameter as well,
>> but it somewhat defeats to goal of *never* having the private key exposed,
>> not even as a once in a lifetime kind of thing.  That’s just my opinion,
>> we should ask for more opinions if you're not convinced.
>
> I'm not convinced either way, actually ;-)  It would be good to hear
> other opinions as well.

We could define a "load-asymmetric-key" action that has that behavior?



> This is what I would expect as well, but the model is not quite
> designed for this currently.  For example, suppose I generate a
> HSM-protected key with "generate-asymmetric-key".  It is then present
> in <operational>, with a public key etc.  Now I want to configure a
> certification for this key, so I have to create an entry in the
> "asymmetric-key" list, where I have to set both the
> private-key and public-key leafs (they are both mandatory); so I
> assume I have to use the exact values reported in <operational>?

Hmmm, using the same value could work, but it doesn't seem intuitive
and, from a general modelling perspective, doesn't scale e.g., what 
if there were 100 descendants?

A couple other options:

 a) make each leaf (algorithm, public-key, private-key) type be a
    union having an enumerated value like "in-operational"

 b) replace the three "mandatory true" with three "must" expressions
    that assert either all or none of the leafs are set.


> Another design could be to have the certificates in a separate list,
> with leafrefs (require-instance false) into the "asymmetric-key"
> list.

Perhaps, but let's see if we can make this work first.


Kent // contributor

v2.23.0 | Report a Bug | By Email