IETF Logo Mail Archive

Re: [Netconf] Mandatory local configuration in Keystore groupings

Kent Watsen <kwatsen@juniper.net> Tue, 21 August 2018 17:28 UTC

Return-Path: <kwatsen@juniper.net>
X-Original-To: netconf@ietfa.amsl.com
Delivered-To: netconf@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id EB7CF130F74 for <netconf@ietfa.amsl.com>; Tue, 21 Aug 2018 10:28:41 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.709
X-Spam-Level:
X-Spam-Status: No, score=-2.709 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001, T_DKIMWL_WL_HIGH=-0.01, URIBL_BLOCKED=0.001, WEIRD_PORT=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=juniper.net
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 7K34VveCI2QM for <netconf@ietfa.amsl.com>; Tue, 21 Aug 2018 10:28:40 -0700 (PDT)
Received: from mx0b-00273201.pphosted.com (mx0b-00273201.pphosted.com [67.231.152.164]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id C6E28130F52 for <netconf@ietf.org>; Tue, 21 Aug 2018 10:28:39 -0700 (PDT)
Received: from pps.filterd (m0108160.ppops.net [127.0.0.1]) by mx0b-00273201.pphosted.com (8.16.0.22/8.16.0.22) with SMTP id w7LHO4Yq001452; Tue, 21 Aug 2018 10:28:35 -0700
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=juniper.net; h=from : to : cc : subject : date : message-id : references : in-reply-to : content-type : mime-version; s=PPS1017; bh=bdMm9QfQmf/s49khxAIQzHdTyNoLdd0bsqYuzRq4f/4=; b=KrZIT6GvHx3KnZTk/RuvaGiJy1/i7JrlNHnkwEAw4ns5wDA3u1Uj2cjKoe4tQMQmnHt+ bhY3fr1b/MZctds2RS2WDFMGvZb0gX16W/WUCGpeiTNx4hCK1SpI8nI15puCcQulWN4P b4U3b/ZusNRUy/gYT5EVEztAaX/GDQ52i7t23QfRsPcdNrrAOmYOBBAes06fCfIFc2Tn SIfcvGOMdf64MyOJ3sSuR/4LhYhaCGmsvVtLuG7j5qdRAVIj9Yz2DInCVEVxXCJdUqO1 WS/56L3O8BWFPCQey2E64SMTB4blY6FUTrowPA6geDeqPmMqdT7Z+I3UJiclRnaY7p+O pw==
Received: from nam03-by2-obe.outbound.protection.outlook.com (mail-by2nam03lp0051.outbound.protection.outlook.com [216.32.180.51]) by mx0b-00273201.pphosted.com with ESMTP id 2m0hb08v2f-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-SHA384 bits=256 verify=NOT); Tue, 21 Aug 2018 10:28:34 -0700
Received: from DM6PR05MB4665.namprd05.prod.outlook.com (20.176.109.202) by DM6PR05MB4620.namprd05.prod.outlook.com (20.176.109.153) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.1059.19; Tue, 21 Aug 2018 17:28:32 +0000
Received: from DM6PR05MB4665.namprd05.prod.outlook.com ([fe80::14ab:9da7:be4a:fbaf]) by DM6PR05MB4665.namprd05.prod.outlook.com ([fe80::14ab:9da7:be4a:fbaf%4]) with mapi id 15.20.1080.010; Tue, 21 Aug 2018 17:28:32 +0000
From: Kent Watsen <kwatsen@juniper.net>
To: Martin Bjorklund <mbj@tail-f.com>
CC: "balazs.lengyel@ericsson.com" <balazs.lengyel@ericsson.com>, "netconf@ietf.org" <netconf@ietf.org>
Thread-Topic: [Netconf] Mandatory local configuration in Keystore groupings
Thread-Index: AQHUE4rJV5t3ZASQT0G65kk51KFdjKSAiWUAgEnK74CAACpJAA==
Date: Tue, 21 Aug 2018 17:28:31 +0000
Message-ID: <AF6441A6-CFE4-470C-991D-AF9ACE46C648@juniper.net>
References: <596667e1-b47f-c26a-1bb5-1520bccb6e93@ericsson.com> <F33FF737-881B-4507-9182-500764777077@juniper.net> <20180821.125709.290789583505734258.mbj@tail-f.com>
In-Reply-To: <20180821.125709.290789583505734258.mbj@tail-f.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: yes
X-MS-TNEF-Correlator:
user-agent: Microsoft-MacOutlook/f.20.0.170309
x-originating-ip: [66.129.241.12]
x-ms-publictraffictype: Email
x-microsoft-exchange-diagnostics: 1; DM6PR05MB4620; 6:/k8yypk+Ax9kvqTBxnZ62lmWPqLk4JbffqgjwFN6/xXThvCL4Q6P1pfUXGYPxtkY1PXQ56xEE9RPTpJsiYH3SOreJGJlgkZtyJMr7+VQCO3PLUyFLAD+R8POzsRgEAZVwizdwlm5Aic/6w8p4glWbp7ANYLlovukM0oUS2DyGG9I8K7/jtgmRtKgGHhF99PCNh2g7xtF/V0ugaJBiuPnu0R1F0yqWOi51SWa0rGNvXd2FzNLgthdQlieu8NKT07RYYjkLWJ32MR9UVYRsiq+Wv5l4haghLFnxtmskXhwGRpikZj3Kvt8GARZcCJoE5ZfeNv2Ej8eiOsUpTnoHh3mFYwE1UY+gvWBnTbg8/eE55SgTViEtHEO/4GmQqbprNNZw3EvcjaPJSfmQMGoKZzONE4NFvnjdqDz5oB6iwp4VGSjSexjn3yFdldo5T3pHsoQEBPrQfhY8aPmbN4v9f5CCA==; 5:2azXhtmcwaPaRV6P5ccKcm5fGjra9K43MviQaGW8Bg7eq8bV/c9sWZAzttcLwDiDfaC00En1B7LFkWJaMXu20keI9mAK/o8lhtink6nB9EQJOLXTPnNV9PWpA8QquByVpWha4c4RSDUbY9ox7m0kSrupAZuE9Sjw/eMFppzFh6w=; 7:l6/uEfQyKiZEcLa4/dEqb9woR8zxFo5X6a/0AFZhi6iVUe2Ul57s+pluog9aLjMybWA6zWxyZ0ccAcp2YtjVnQxmN2tq5+IXGNV+ghwCGeOIzlkIxCYpIbirVg5eOull34MVo4J+LTgtEBA7+/QuDnyoVxgtncp6CyRJ31vH+RoTmQGVXuneUisndjoOYc4YZ070lOHsTm02DJECVQLXTL68hvZANfGHIwIKzykMUHTbYTYL2DrmFbOXJjCTJXKL
x-ms-exchange-antispam-srfa-diagnostics: SOS;
x-ms-office365-filtering-correlation-id: 687bde5c-36b3-41d5-4dee-08d6078b8443
x-ms-office365-filtering-ht: Tenant
x-microsoft-antispam: BCL:0; PCL:0; RULEID:(7020095)(4652040)(8989137)(4534165)(4627221)(201703031133081)(201702281549075)(8990107)(5600074)(711020)(4618075)(2017052603328)(7153060)(49563074)(7193020); SRVR:DM6PR05MB4620;
x-ms-traffictypediagnostic: DM6PR05MB4620:
x-microsoft-antispam-prvs: <DM6PR05MB4620EC39BABA1A67FD26AEE1A5310@DM6PR05MB4620.namprd05.prod.outlook.com>
x-exchange-antispam-report-test: UriScan:(158342451672863)(192374486261705);
x-ms-exchange-senderadcheck: 1
x-exchange-antispam-report-cfa-test: BCL:0; PCL:0; RULEID:(8211001083)(102415395)(6040522)(2401047)(5005006)(8121501046)(93006095)(93001095)(3231311)(944501410)(52105095)(10201501046)(3002001)(6055026)(149027)(150027)(6041310)(20161123564045)(20161123560045)(20161123562045)(20161123558120)(201703131423095)(201702281528075)(20161123555045)(201703061421075)(201703061406153)(201708071742011)(7699016); SRVR:DM6PR05MB4620; BCL:0; PCL:0; RULEID:; SRVR:DM6PR05MB4620;
x-forefront-prvs: 0771670921
x-forefront-antispam-report: SFV:NSPM; SFS:(10019020)(979002)(396003)(376002)(366004)(39860400002)(346002)(136003)(279900001)(51444003)(57704003)(199004)(189003)(476003)(446003)(8676002)(66066001)(6916009)(14454004)(486006)(2616005)(966005)(2906002)(25786009)(6436002)(316002)(5250100002)(186003)(86362001)(6506007)(11346002)(76176011)(97736004)(81156014)(82746002)(81166006)(99936001)(478600001)(102836004)(26005)(19625305001)(5660300001)(33656002)(256004)(14444005)(6512007)(68736007)(83716003)(6116002)(99286004)(8936002)(5024004)(53936002)(6246003)(105586002)(58126008)(229853002)(36756003)(3846002)(7736002)(305945005)(2900100001)(54906003)(106356001)(6306002)(6486002)(4326008)(969003)(989001)(999001)(1009001)(1019001); DIR:OUT; SFP:1102; SCL:1; SRVR:DM6PR05MB4620; H:DM6PR05MB4665.namprd05.prod.outlook.com; FPR:; SPF:None; LANG:en; PTR:InfoNoRecords; A:1; MX:1;
received-spf: None (protection.outlook.com: juniper.net does not designate permitted sender hosts)
x-microsoft-antispam-message-info: 0sxNK7s1Y6PZTxIIcyrBAXqytrMsImH9IpgrtLAXbB9MIqIsd5qOPY4i4T70V7sqUNufjs2CjJXv2Whv6cCdimcjIJZw5VHEM7NLJ44UC2v1762BP4xbmGRVz1lKbhuDd1Gz+1zyrggthYqZty7MTEZdolVzc8umVR61BIcoiSr19EkNPLVBJ4Br5E4RfHHLqui+eNNaNpvEME/H/uXrWqAiKnR+XvWIULkNtfaUiL0QdGKiluqfVf++c6u54t7S+76isG04Kxmp/RcjCdu55HvIwlQNYVdtl9FiUckUQEUUB+aJlDs46HepDMWSPPdYJERJRQ35wV8NANrJxkdsr9UvYw0MsJe7LOgrI2X9eH8=
spamdiagnosticoutput: 1:99
spamdiagnosticmetadata: NSPM
Content-Type: multipart/mixed; boundary="_003_AF6441A6CFE4470C991DAF9ACE46C648junipernet_"
MIME-Version: 1.0
X-OriginatorOrg: juniper.net
X-MS-Exchange-CrossTenant-Network-Message-Id: 687bde5c-36b3-41d5-4dee-08d6078b8443
X-MS-Exchange-CrossTenant-originalarrivaltime: 21 Aug 2018 17:28:31.9105 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: bea78b3c-4cdb-4130-854a-1d193232e5f4
X-MS-Exchange-Transport-CrossTenantHeadersStamped: DM6PR05MB4620
X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10434:, , definitions=2018-08-21_08:, , signatures=0
X-Proofpoint-Spam-Details: rule=outbound_spam_notspam policy=outbound_spam score=0 priorityscore=1501 malwarescore=0 suspectscore=0 phishscore=0 bulkscore=0 spamscore=0 clxscore=1011 lowpriorityscore=0 mlxscore=0 impostorscore=0 mlxlogscore=999 adultscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.0.1-1807170000 definitions=main-1808210180
Archived-At: <https://mailarchive.ietf.org/arch/msg/netconf/F-EQQ15-NsKMGEnbHkkHahibKPM>
Subject: Re: [Netconf] Mandatory local configuration in Keystore groupings
X-BeenThere: netconf@ietf.org
X-Mailman-Version: 2.1.27
Precedence: list
List-Id: Network Configuration WG mailing list <netconf.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/netconf>, <mailto:netconf-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/netconf/>
List-Post: <mailto:netconf@ietf.org>
List-Help: <mailto:netconf-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/netconf>, <mailto:netconf-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 21 Aug 2018 17:28:42 -0000



> Do we need to support the "local" or inline key configuration at all?

The two attached slides were presented at the IETF 102 meeting.

The ensuing discussion is captured in lines 279-312 here:
http://etherpad.tools.ietf.org:9000/p/notes-ietf-102-netconf.


> I would prefer to make the keystore model mandatory and remove the
> local cases from the client server models.  It seems better from a
> security pow to handle all keys in one place in the model, instead of
> having (possibly) private keys exposed in various places in the
> model.

I don't believe there is a security issue.  NACM or equivalent can
be used in either case.


> Also, the keystore has operations to generate new keys, which
> the local case doesn't have, so the local case also lacks some
> capabilities.

True, but the generate-private-key operation is really only 
intended to be used to direct an HSM (i.e. a TPM) to generate
a key.  

That said, the current action has no input parameter to direct 
the device to use an HSM or filesystem.  Perhaps there is a
need for a feature indicating the device has an HSM?


>  I think the model(s) will be less complex w/o the local
> case.  (At the very least, I think there should be a feature
> for the local cases, probably your case (2) below).

Yes, from the minutes, we want to add the feature "local-keys-supported".

BTW, I think that I misspoke before about it being a global on/off
switch (not per-use).  RFC 7950 says in Section 7.20.2:

   If a prefix is present on a feature name in the boolean expression,
   the prefixed name refers to a feature defined in the module that was
   imported with that prefix, or the local module if the prefix matches
   the local module's prefix.  Otherwise, a feature with the matching
   name MUST be defined in the current module or an included submodule.

So, if ietf-keystore.yang has this (note the "local-keys-supported"):

  grouping local-or-keystore-asymmetric-key-grouping {
    description
      "A grouping that expands to allow the key to be either stored
       locally within the using data model, or be a reference to an
       asymmetric key stored in the keystore.";
    choice local-or-keystore {
      mandatory true;
      if-feature "local-keys-supported";
      case local {
        uses asymmetric-key-pair-grouping;
      }
      case keystore {
        if-feature "keystore-implemented";
        leaf reference {
          type ks:asymmetric-key-ref;
          mandatory true;
          description
            "A reference to a value that exists in the keystore.";
        }
      }
      description
        "A choice between an inlined definition and a definition
         that exists in the keystore.";
    }
  }

and that grouping is used by the "ssh-server-grouping" in 
ietf-ssh-server.yang, which it is, and that grouping is used by the 
"netconf-server-grouping" in ietf-netconf-server.yang, which it is, 
and that grouping is used by some application-level module called 
"example-foo-bar.yang" that defines prefix "fb", then it seems that
maybe the foo-bar module could itself define a feature called 
"local-keys-supported" to control the underlying feature?


> I am looking at implementing the keystore model on a regular device
> for something like OpenSSH.  I don't want to expose the private keys
> at all.  I think this is possible, by not implementing ietf-keystore
> in the conventional configuration datastores, but only in
> <operational>.  New keys can still be generated with the action
> "generate-asymmetric-key".

Keystore can be implemented in both datastores.  Keys created by the
action are only present in <operational>.  The last sentence of
the action's description statement says this.


> Two questions:
>
>  1)  Is the enum "hardware-protected" really a good name in this
>      case?

As opposed to what?  In -02, this enum was called "INACCESSIBLE", 
and in -01 there was another enum called "RESTRICTED" with description
statement "The private key is restricted due to access-control".
  
We removed RESTRICTED because we said it was an access-control 
implementation thing as to how filtered-out nodes are represented 
(e.g., a dummy parameter or just missing).  And we changed 
INACCESSBLE to hardware-protected in an attempt to be more specific.

Reaching back in time, there was a thread where we discussed the 
need to support backup/restore workflows, and then a subsequent 
discussion about those keys needing to be editable outside a 
recovery session (Security Considerations on page 22). Thus, we
reasoned the only time the private key is truly not available is
when it's being shielded by something outside the control of the
system, which led us to "hardware".


>  2)  Wouldn't it make sense to add a new operation to install an
>      existing key into the keystore, with params "name", "algorithm",
>      "private-key", "public-key"?

Unsure what you mean.  Currently all these values are configurable.
Or are you trying to find a way to only "configure" them in 
<operational>?


> And a question about certificates.  Keys that are proteced by TPM are
> not present in the configuration, only in <operational>, right?  

Right.


> If so, how can I install a certificate for such a key?  Would it be
> better if the certificate list was separated from the key list?

The idea is to use the approach that was taken with the I2RS topology
model, using require-instance false.  Specifically, the 
"local-or-keystore-asymmetric-key-with-certs-grouping" has leaf 
"reference" of type "asymmetric-key-ref":

     typedef asymmetric-key-ref {
       type leafref {
         path "/ks:keystore/ks:asymmetric-keys/ks:asymmetric-key"
              + "/ks:name";
         require-instance false;
       }
       description
         "This typedef enables modules to easily define a reference
          to an asymmetric key stored in the keystore. The require
          instance attribute is false to enable the referencing of
          asymmetric keys that exist only in <operational>.";
       reference
         "RFC 8342: Network Management Datastore Architecture (NMDA)";
     }

Makes sense?


Kent // contributor

v2.23.0 | Report a Bug | By Email