IETF Logo Mail Archive

Re: [netconf] built-in trust anchors

Martin Björklund <mbj+ietf@4668.se> Thu, 14 January 2021 07:46 UTC

Return-Path: <mbj+ietf@4668.se>
X-Original-To: netconf@ietfa.amsl.com
Delivered-To: netconf@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 6D87A3A1217 for <netconf@ietfa.amsl.com>; Wed, 13 Jan 2021 23:46:27 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.123
X-Spam-Level:
X-Spam-Status: No, score=-0.123 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, PDS_NAKED_TO_NUMERO=1.997, RCVD_IN_MSPIKE_H3=-0.01, RCVD_IN_MSPIKE_WL=-0.01, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=no autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=4668.se header.b=qQ/yULEo; dkim=pass (2048-bit key) header.d=messagingengine.com header.b=PtB7zvJ+
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id m13u1BJ1YeoZ for <netconf@ietfa.amsl.com>; Wed, 13 Jan 2021 23:46:25 -0800 (PST)
Received: from wout4-smtp.messagingengine.com (wout4-smtp.messagingengine.com [64.147.123.20]) (using TLSv1.2 with cipher ADH-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id A33D73A1216 for <netconf@ietf.org>; Wed, 13 Jan 2021 23:46:25 -0800 (PST)
Received: from compute4.internal (compute4.nyi.internal [10.202.2.44]) by mailout.west.internal (Postfix) with ESMTP id C52411362; Thu, 14 Jan 2021 02:46:23 -0500 (EST)
Received: from mailfrontend2 ([10.202.2.163]) by compute4.internal (MEProxy); Thu, 14 Jan 2021 02:46:23 -0500
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=4668.se; h=date :message-id:to:cc:subject:from:in-reply-to:references :mime-version:content-type:content-transfer-encoding; s=fm3; bh= uNBZEnFuD+tRzFeAYAd3Qz3n9Gcr0hUVJ99OD7aI7o4=; b=qQ/yULEoX5k7srxw riYGQFa8SIRL2ryX5dZEqOr7Oa0sSG+JXUyNKWgvCgJXs7gZ+tET2Z5x9ZyiatBl NvAHu4Ex41sQ2Q1Oya16E4aZd3OelLm3lC/MS61GIXRNNA8FeR07N4GfBP/nktFG nKH4e9420ssEtDJkVw/PZjfg5xDjx+gSxn414CC0mDEX9F7iwKjSz485udcgj2TZ mxm8wSLF0PRLkMXg6v+ufcsmPdXa0ZFiw2WAk71pWwDoZwBpD2LfeAliQskVDU// rmA2SROJz04tE2VN/IZRXYdkM2SGM6BfikBIcRnFfB8wJDbBW92o8iRfocWjxRI4 ojbs4A==
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d= messagingengine.com; h=cc:content-transfer-encoding:content-type :date:from:in-reply-to:message-id:mime-version:references :subject:to:x-me-proxy:x-me-proxy:x-me-sender:x-me-sender :x-sasl-enc; s=fm1; bh=uNBZEnFuD+tRzFeAYAd3Qz3n9Gcr0hUVJ99OD7aI7 o4=; b=PtB7zvJ+xBqRCsgUHMQh3RLNC133xGK5dPp1Sd7VkNWu3SK7UaGQHAtyy rtEAHJN0cx6686KsEQ5vTs7kQ8MSEtqmcrxZepFmW5XUULKltdgWR+74z4q5RdiG Q/OVtFdEfOMFv698R1aJQnJivyMBqk6f10aPVv8YI/LUGUuHqNJMyyDIxyAcDQaf BqbFsL8f2f9FjmU+p5/NUxfiG3vrwJlrbG4qG57wPbNWVVEBxYRbnm2zn6H0ThKU 6napFV/si5X26csqU6EXZdV/I6CKHXAp0cHN1aZJkxnIH2qDyX5S7n4FpGDatjJI PPwKmNMQHX9g6PYHCZZ0eDbYX9x5Q==
X-ME-Sender: <xms:z_b_Xxyb1C4UYoiXbBYnUwQZMg6sp7CgqBUppuFpNcYtEJa8RbkwKw> <xme:z_b_XxRPp4HbUVk3jaIuXKTAZfxEg2rlywmgBzi0S_f7u7ftl6TH34ZgUKFUIKw9V 8f1TwHvQIqONLQ_CcE>
X-ME-Proxy-Cause: gggruggvucftvghtrhhoucdtuddrgedukedrtdeggdduudduucetufdoteggodetrfdotf fvucfrrhhofhhilhgvmecuhfgrshhtofgrihhlpdfqfgfvpdfurfetoffkrfgpnffqhgen uceurghilhhouhhtmecufedttdenucenucfjughrpeffkffvuffhjghfofggtgfgsehtsg ertdertdejnecuhfhrohhmpeforghrthhinhcuuehjnphrkhhluhhnugcuoehmsghjodhi vghtfhesgeeiieekrdhsvgeqnecuggftrfgrthhtvghrnhepfeeiueeuleejueevjedtke fhvdegfedtjeekfeefieehveejheehueeijeethefhnecuffhomhgrihhnpehivghtfhdr ohhrghdpjhgrtghosghsqdhunhhivhgvrhhsihhthidruggvnecukfhppeduheekrdduje egrdegrddvudehnecuvehluhhsthgvrhfuihiivgeptdenucfrrghrrghmpehmrghilhhf rhhomhepmhgsjhdoihgvthhfseegieeikedrshgv
X-ME-Proxy: <xmx:z_b_X7X7GLsg5-fawODjLUI4I4cPQyu1PFkGJ_v92zjfkvwjaF6v9A> <xmx:z_b_Xzg2h2FFGKK0HdBfQE-YKaWgZ1_2TIX9zUvyi4gX6nKDL8pXbA> <xmx:z_b_XzAqLMkGDEVodUtK7PxMO3dNYIXtCyTd_YyNmCF2X_7zOmbOKw> <xmx:z_b_X2_QVurpl36GskZfuOgLwfLsToc9F_wQBlNIy7Wv1QJRjopxDw>
Received: from localhost (unknown [158.174.4.215]) by mail.messagingengine.com (Postfix) with ESMTPA id B1C231080059; Thu, 14 Jan 2021 02:46:22 -0500 (EST)
Date: Thu, 14 Jan 2021 08:46:21 +0100
Message-Id: <20210114.084621.1561500589637511150.id@4668.se>
To: kent+ietf@watsen.net
Cc: netconf@ietf.org
From: Martin Björklund <mbj+ietf@4668.se>
In-Reply-To: <01000176fc95b165-e1e7254b-3895-4267-8470-854552276315-000000@email.amazonses.com>
References: <20210113.122655.1074482340604641202.id@4668.se> <20210113150934.pg7ptdm5ljfuuhpp@anna.jacobs.jacobs-university.de> <01000176fc95b165-e1e7254b-3895-4267-8470-854552276315-000000@email.amazonses.com>
X-Mailer: Mew version 6.8 on Emacs 26.3
Mime-Version: 1.0
Content-Type: Text/Plain; charset="utf-8"
Content-Transfer-Encoding: base64
Archived-At: <https://mailarchive.ietf.org/arch/msg/netconf/F1I2vlOrJ76CrTqXgMZOdfgF_6I>
Subject: Re: [netconf] built-in trust anchors
X-BeenThere: netconf@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: NETCONF WG list <netconf.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/netconf>, <mailto:netconf-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/netconf/>
List-Post: <mailto:netconf@ietf.org>
List-Help: <mailto:netconf-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/netconf>, <mailto:netconf-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 14 Jan 2021 07:46:27 -0000

Kent Watsen <kent+ietf@watsen.net> wrote:
> [Top-posting as this is a response to the entire thread, sans
> draft-ma-netconf-with-system, which I haven’t looked at yet].
> 
> Having "instance-required false” was an idea from before, but it
> didn’t make sense to disable validation for the 99% use-case to enable
> a 1% use-case.  There will only ever be a few built-in keys/certs
> (typically at most just one of each, to enable bootstrapping), whereas
> potentially many keys/certs will be configured over time (for normal
> ops).

Ok.

> Hiding all the descendent nodes except “name” for built-in keys/certs
> doesn’t work because the pubkey/cert is needed in order to encrypt
> data that only a device can decrypt

I don't understand this.  The descendent nodes would not be present in
'running', but they would be present in <operational> (b/c they are
present in the firmware).

>, as needed to support RMA
> scenarios (see
> https://tools.ietf.org/html/draft-ietf-netconf-keystore-20#section-4.3
> <https://tools.ietf.org/html/draft-ietf-netconf-keystore-20#section-4.3>
> starting with the 4th paragraph).
> 
> The built-in keys/certs are envisioned to be forever; they never
> expire nor are affected by firmware updates.

:)

> For the example of a
> list of public CAs (trust anchors such as Verisign, RSA, etc.), these
> SHOULD be in <startup> and admins SHOULD be allowed (NACM permitting)
> to add/remove entries.
> 
> I agree that the “illusion” text Martin quoted is "weird special
> handling”, but this was the best that could be envisioned after
> several tries.  You might recall there were two or three other
> variations (inc. the "instance-required false” mentioned above) that
> we tried before landing on this approach.

Since this problem comes up every now and then, it would be good with
a design pattern that can work in other cases as well.  It seems that
the "hidden" design already used in crypto-types can be used in this
case, as Jürgen suggested.  I don't remember this propsal from the
previous discussion; was it discussed?



/martin


> 
> K.
> 
> 
> > On Jan 13, 2021, at 10:09 AM, Juergen Schoenwaelder
> > <j.schoenwaelder@jacobs-university.de> wrote:
> > 
> > On Wed, Jan 13, 2021 at 12:26:55PM +0100, Martin Björklund wrote:
> >> Juergen Schoenwaelder <j.schoenwaelder@jacobs-university.de> wrote:
> >>> After sleeping over it, I think a device should ship with the keys
> >>> listed in whatever is the equivalent of the factory default, i.e.,
> >>> they are initially in <running>. Deleting them should be possible with
> >>> the effect that no config can refer to these keys anymore (assuming
> >>> strong references). Putting the keys back into running makes them
> >>> available for config again.
> >> 
> >> This could work, but see below.
> >> 
> >>> I would be in favour to just have the names in runnning, not the
> >>> key/cert details. This avoids issues with entries that do not match,
> >>> and this then resembles hidden keys, for which details are also not
> >>> known in <running>. In fact, <hidden> keys likely have the same
> >>> property that they exist in the system (or a TPM), i.e., they are not
> >>> config that can be arbitrary changed. I would assume that the same
> >>> rules apply, if you delete a hidden key from <running>, it can't be
> >>> referenced and used anymore. Perhaps the discussion in the I-D should
> >>> be expanded to cover hidden keys as well.
> >> 
> >> I like the symmetry w/ hidden keys.  I assume that these entries would
> >> be explicitly marked in the config as being "built-in" or "hidden".
> >> 
> >>> I also expect that these special keys may be part of the firmware,
> >>> i.e., they may change with firmware updates. This can lead to stale
> >>> special keys that do not exist anymore in the firmware and new keys
> >>> that exist in the firmware but must be (manually) added to <running>
> >>> in order to use them.
> >> 
> >> So then the question is what happens if a key is removed from the
> >> firmware, but it exists (with just the name) in the config, and some
> >> part of the config reference it?
> >> 
> >> I think that this leads to the same problem as a weak leafref would
> >> do, so either solution would work.
> >> 
> > 
> > You will have a reference to a key that is not usable, which means you
> > get runtime failures (as you would get with certs that have expired or
> > other issues). Note that this is only becoming a problem if the
> > firmware update renames keys/certs. If the update only ships a new
> > keys/certs but keeps the names consistent, things will continue to
> > work. I can't tell whether this brittleness is something to be
> > concerned about or whether it falls into the usual 'things may go
> > wrong after an update' bag of surprises.
> > 
> > /js
> > 
> > -- 
> > Juergen Schoenwaelder           Jacobs University Bremen gGmbH
> > Phone: +49 421 200 3587         Campus Ring 1 | 28759 Bremen | Germany
> > Fax:   +49 421 200 3103         <https://www.jacobs-university.de/>
> > 
> > _______________________________________________
> > netconf mailing list
> > netconf@ietf.org
> > https://www.ietf.org/mailman/listinfo/netconf
>

v2.23.0 | Report a Bug | By Email