Re: [netconf] built-in trust anchors

tom petch <ietfc@btconnect.com> Thu, 14 January 2021 11:49 UTC

Return-Path: <ietfc@btconnect.com>
X-Original-To: netconf@ietfa.amsl.com
Delivered-To: netconf@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 800543A145E for <netconf@ietfa.amsl.com>; Thu, 14 Jan 2021 03:49:54 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.901
X-Spam-Level:
X-Spam-Status: No, score=-1.901 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, RCVD_IN_MSPIKE_H2=-0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=btconnect.onmicrosoft.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id uSnZDfyPYQfc for <netconf@ietfa.amsl.com>; Thu, 14 Jan 2021 03:49:52 -0800 (PST)
Received: from EUR04-VI1-obe.outbound.protection.outlook.com (mail-eopbgr80122.outbound.protection.outlook.com [40.107.8.122]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 28FA23A13ED for <netconf@ietf.org>; Thu, 14 Jan 2021 03:49:51 -0800 (PST)
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=RfEmfayZTM1ehddH/GHzCdbjd9k0/S8yuuQabu1ERXPE4xlz0n7zHl56uNeXNRzKi1z5q3tE2JNOICfFnkB4jsnHzYrJ9K6rB+bAjv0e2IBQlovwLdY7NmvNVWJj6/gous/jeQPhHR+i6qzOXBn0FTwB2uV2aA2NG0gXFWvbRPs0sALzp6XA5ozb0YEX+ipa2MDvpBrfkVpexU1f2WTiumZlo2omhUCQon1EC6s6PJLx8wEgp8oT+fUo726am6HJlKf3x+30NnQLLqPv+/nYxRskP53+gLZwtBYVvDT27bWJKBz5R5AlShh4b4sx6YXr64YWSwvYW57Wxho4zu1ucw==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=X6cxaVbn28ETDSkOA1MY25fknC4Nf9LS2/ak7piNDKY=; b=MmUiP0gV6UNTykPGH4g6pzTc3prcVZnseEazpFiAqGnIy0YNzPSad1BUKwKslvIAyNhoSq3AcyKDj+T/U+lioDEYPE7y/YnRsaIR/eI4sqdjnkodfEgTJLqjAzS3PXNYj06NNETO8RyVCtkUZEY1ts445UAuWt0MJnQGNkjXM/K/BMY3lC/xDBFerXCzt5lP3/utSXab3rXi7GWfdv7BwXFLktbslZxQkX0AsTLd8nTGgIQgy6k3n0WEoFpQAo7EQF67T+ZJYJuyKZKQVlpXtvQGVXzW27vFkYmBa9UHoWbq+1EX8HAGbCU7s3o9tYYSqRNvKmzKH12NqNh5z3McJg==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=btconnect.com; dmarc=pass action=none header.from=btconnect.com; dkim=pass header.d=btconnect.com; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=btconnect.onmicrosoft.com; s=selector2-btconnect-onmicrosoft-com; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=X6cxaVbn28ETDSkOA1MY25fknC4Nf9LS2/ak7piNDKY=; b=Fm47AHZ2fUfR8v+xm2dHmnOZsRQx3uXxv25ijnhleo4/D9sH7XzTV1j92eRvhQPK1F74EHEB4/cEiCyoSxdDKwimzFu+pLmqP6qP7K1FLo/PBn3/imDyi5ssEWw0vIJnuQOvvalLC09FIAaLsoDNX1GiC8wzDwgm2OSlvyX5Ml4=
Received: from (2603:10a6:20b:134::11) by AM7PR07MB6325.eurprd07.prod.outlook.com (2603:10a6:20b:13e::17) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.3784.4; Thu, 14 Jan 2021 11:49:42 +0000
Received: from AM7PR07MB6248.eurprd07.prod.outlook.com ([fe80::6d46:4f3c:643:4849]) by AM7PR07MB6248.eurprd07.prod.outlook.com ([fe80::6d46:4f3c:643:4849%5]) with mapi id 15.20.3763.009; Thu, 14 Jan 2021 11:49:42 +0000
From: tom petch <ietfc@btconnect.com>
To: Kent Watsen <kent+ietf@watsen.net>, "netconf@ietf.org" <netconf@ietf.org>
Thread-Topic: [netconf] built-in trust anchors
Thread-Index: AdbpFFL2IioTw935RTC9hP47Cn7q7QACSnGAAAYuKwAAE/5wAAAN/Yv/AALRw4AAKEkU+g==
Date: Thu, 14 Jan 2021 11:49:42 +0000
Message-ID: <AM7PR07MB624827F7CCED289056F991FBA0A80@AM7PR07MB6248.eurprd07.prod.outlook.com>
References: <20210112195951.oi7dlnnqpda7wavm@anna.jacobs.jacobs-university.de> <DM6PR08MB5084ED69870DF456DA8F1A509BAA0@DM6PR08MB5084.namprd08.prod.outlook.com> <20210113082918.zy4m4wtltstrs64h@anna.jacobs.jacobs-university.de> <20210113.122655.1074482340604641202.id@4668.se> <20210113150934.pg7ptdm5ljfuuhpp@anna.jacobs.jacobs-university.de>, <01000176fc95b165-e1e7254b-3895-4267-8470-854552276315-000000@email.amazonses.com>
In-Reply-To: <01000176fc95b165-e1e7254b-3895-4267-8470-854552276315-000000@email.amazonses.com>
Accept-Language: en-GB, en-US
Content-Language: en-GB
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
authentication-results: watsen.net; dkim=none (message not signed) header.d=none;watsen.net; dmarc=none action=none header.from=btconnect.com;
x-originating-ip: [86.146.121.140]
x-ms-publictraffictype: Email
x-ms-office365-filtering-correlation-id: aabaf339-9428-4de2-1b4f-08d8b8827b18
x-ms-traffictypediagnostic: AM7PR07MB6325:
x-microsoft-antispam-prvs: <AM7PR07MB63253A6837FD71653C452621A0A80@AM7PR07MB6325.eurprd07.prod.outlook.com>
x-ms-oob-tlc-oobclassifiers: OLM:9508;
x-ms-exchange-senderadcheck: 1
x-microsoft-antispam: BCL:0;
x-microsoft-antispam-message-info: RfAiItgf/jvvHdIgqET25nvZZ//JbtjCAYDTpoQ2r1DHItyY9jMLlLQ/Ma3nJXU38jIn0fi3mMuP+d7+e5OmQc25z9N51gRMOTdtOYuQBuorvcUJOXg2NJRyCiGjBggp9ruBDqak97bckG+TCEcKbE/jk55XCv0BC4J4bBf01wKM2UAU61aQQ9Dc+WZxuzbIOMHqHPZhV5SOi2wlAHfFTMZUex3oLoG1aBPZjW1GEMEbApyPYCPkGDtpiXryfAB56eey0MgErwbJTid7udpxHyjADNyFZV55g6et0ohvH6kr4kpUg755i46mgikrObCSDOPaFUi8LWMhQ25wEq4GMuhuDFuvUlxsJjCEChkjxDblz8svM72duBRDHINYnadGD9++uq11WBk1jS/AfsVwTXW+tw4hmCZsn/kJFMEzroDhMZfbZeyjWb7Q2s6KNj+Ag3O9P6UZHL741OHb9XAdlJQR/ntN34uVq/o48ySwtZAUh4iuX2CJoLc+XTDJ3dZiqM1z8jwu+zNEARTtcfjDyVrFpVlVsNZujjgejzUw/wYsb+bCXTADkMQgvRCAifeRfFk8SqrDWjK3SZ6fLopxNu/qgMUmE7bKdaA4ENIC0qUC5oqOt0k+wEOm2I98EDGTL+yWFkPqPmqApTw8vB3K5A==
x-forefront-antispam-report: CIP:255.255.255.255; CTRY:; LANG:en; SCL:1; SRV:; IPV:NLI; SFV:NSPM; H:AM7PR07MB6248.eurprd07.prod.outlook.com; PTR:; CAT:NONE; SFS:(39860400002)(136003)(396003)(366004)(376002)(346002)(76116006)(6506007)(53546011)(478600001)(66946007)(2906002)(9686003)(66574015)(83380400001)(110136005)(26005)(91956017)(66476007)(316002)(71200400001)(55016002)(7696005)(45080400002)(5660300002)(33656002)(8676002)(64756008)(52536014)(966005)(186003)(83080400002)(66446008)(86362001)(8936002)(66556008); DIR:OUT; SFP:1102;
x-ms-exchange-antispam-messagedata: =?Windows-1252?Q?emT9Uu/+1ilP0iI80RAMO3P3ciN5Uho5EO+e5NeLmPbHXnNZ6nYXsTrA?= =?Windows-1252?Q?CDiMBpOxyIHb4xJqBcEPcu2njq86lybY6ccICYhV5/5s/mS5iZSs1qm6?= =?Windows-1252?Q?QpbRjptKGWNFNs/NbTvnIu9IvRGSdUWj6rF2zPcPTNKEMz/2Pi5UyFTV?= =?Windows-1252?Q?7X02+r36zCjVeqjDJVrG35o03m0whlCi9WUgq9nlsE9Rod837H+54cUH?= =?Windows-1252?Q?8mYpOGG7dPaYJIbX++MB60YA5XiSfSy9CT7mgSiqW1zzVGAdp8ZS/vBQ?= =?Windows-1252?Q?F/pBpgfGeJhJbQzVe4eWoc6PvuKyJsrjZNl+CIuDcwrKg3fiaxU+yVbg?= =?Windows-1252?Q?zV2ZL8ShWYgcXFpVYyVTt346mWjfOUgVRI/qJzyCpODK4wHsejbrjVCm?= =?Windows-1252?Q?OoBjwEi3Aghs7y8wZ7p/rmqS94BM6sZk0XPvG+lvvPl0JKgxzkCHdQaE?= =?Windows-1252?Q?WJuekni9rsf0JTCFx/9JmKOPjgE0SE79sna6Ov1+cxjZWYSxa7BL70oB?= =?Windows-1252?Q?x9BEzGz8JLKPYi1jNRPSffyA2aaQ4DMBc7/2j5f1dI3P4TM1mUCwSggn?= =?Windows-1252?Q?fVBRK/xnhSZY6YLWJMZec4jOGFeeBwYXT6AWuHR7zv6+G8eLXf9m6+w7?= =?Windows-1252?Q?hAk0hMYQwfAFuoQM/XMIVlBnm0jD6COawivWf2806q+F+o0W/7PaaAyr?= =?Windows-1252?Q?4Ia/R2GorxUSb7FlJ90tmcEVIvvula7GwKHgp/smQcAtmek+4+z8Q5lW?= =?Windows-1252?Q?K7P48CDqSe0aep7u3eYhxUVyPviTwhil98uBIPzDuCESqR3teUOqsfLg?= =?Windows-1252?Q?xMr3hHEtyUjeu6N3sD9J3luWpjBlGIGOpt/tjMXSXqHENSIrHTnX2QBz?= =?Windows-1252?Q?gM6RUbaUHAgMLpyS2e/cOzoR5IhaPu5osxxa3JLz0yUzm+xeE2ofruks?= =?Windows-1252?Q?wMdpw4pVqQwvP/yxQXQaeOv+3JDaxWJHHPLQmJlJDyTnhsNYaWrVZOVp?= =?Windows-1252?Q?H2LXmxC4Ic/pDAkPwbGWlrdCecVCIWbvFtUAJ32NYUKW2UWZTbk=3D?=
x-ms-exchange-transport-forked: True
Content-Type: text/plain; charset="Windows-1252"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
X-OriginatorOrg: btconnect.com
X-MS-Exchange-CrossTenant-AuthAs: Internal
X-MS-Exchange-CrossTenant-AuthSource: AM7PR07MB6248.eurprd07.prod.outlook.com
X-MS-Exchange-CrossTenant-Network-Message-Id: aabaf339-9428-4de2-1b4f-08d8b8827b18
X-MS-Exchange-CrossTenant-originalarrivaltime: 14 Jan 2021 11:49:42.2565 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: cf8853ed-96e5-465b-9185-806bfe185e30
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-CrossTenant-userprincipalname: Ut9LT4fUZ4mzmQrONnvQd79blfV5I6mryQ3Wa9OQtE/GxVIP/1xjqpAjTKRcddwZlN4wS9i/4fPN0hCc5wWxww==
X-MS-Exchange-Transport-CrossTenantHeadersStamped: AM7PR07MB6325
Archived-At: <https://mailarchive.ietf.org/arch/msg/netconf/mhT6l5U81M9xML8OrpEsFnIttgo>
Subject: Re: [netconf] built-in trust anchors
X-BeenThere: netconf@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: NETCONF WG list <netconf.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/netconf>, <mailto:netconf-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/netconf/>
List-Post: <mailto:netconf@ietf.org>
List-Help: <mailto:netconf-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/netconf>, <mailto:netconf-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 14 Jan 2021 11:49:55 -0000

From: netconf <netconf-bounces@ietf.org> on behalf of Kent Watsen <kent+ietf@watsen.net>
Sent: 13 January 2021 16:30
[Top-posting as this is a response to the entire thread, sans draft-ma-netconf-with-system, which I haven’t looked at yet].

Having "instance-required false” was an idea from before, but it didn’t make sense to disable validation for the 99% use-case to enable a 1% use-case.  There will only ever be a few built-in keys/certs (typically at most just one of each, to enable bootstrapping), whereas potentially many keys/certs will be configured over time (for normal ops).

<tp>
depends where you are.  For me, the great advance in Internet security was when Microsoft built in the certificates I needed to access sites securely, in the shrink-wrapped software.  I do not know how many there are but it is now rare for me to need to add one.

By contrast other certificates are ephemeral, used for a session and then discarded.

I can guess the model you have in mind but suspect that it is not the common one when looking at security across the Internet as a whole.

Tom Petch

Hiding all the descendent nodes except “name” for built-in keys/certs doesn’t work because the pubkey/cert is needed in order to encrypt data that only a device can decrypt, as needed to support RMA scenarios (see https://tools.ietf.org/html/draft-ietf-netconf-keystore-20#section-4.3 starting with the 4th paragraph).

The built-in keys/certs are envisioned to be forever; they never expire nor are affected by firmware updates.  For the example of a list of public CAs (trust anchors such as Verisign, RSA, etc.), these SHOULD be in <startup> and admins SHOULD be allowed (NACM permitting) to add/remove entries.

I agree that the “illusion” text Martin quoted is "weird special handling”, but this was the best that could be envisioned after several tries.  You might recall there were two or three other variations (inc. the "instance-required false” mentioned above) that we tried before landing on this approach.

K.


On Jan 13, 2021, at 10:09 AM, Juergen Schoenwaelder <j.schoenwaelder@jacobs-university.de<mailto:j.schoenwaelder@jacobs-university.de>> wrote:

On Wed, Jan 13, 2021 at 12:26:55PM +0100, Martin Björklund wrote:
Juergen Schoenwaelder <j.schoenwaelder@jacobs-university.de<mailto:j.schoenwaelder@jacobs-university.de>> wrote:
After sleeping over it, I think a device should ship with the keys
listed in whatever is the equivalent of the factory default, i.e.,
they are initially in <running>. Deleting them should be possible with
the effect that no config can refer to these keys anymore (assuming
strong references). Putting the keys back into running makes them
available for config again.

This could work, but see below.

I would be in favour to just have the names in runnning, not the
key/cert details. This avoids issues with entries that do not match,
and this then resembles hidden keys, for which details are also not
known in <running>. In fact, <hidden> keys likely have the same
property that they exist in the system (or a TPM), i.e., they are not
config that can be arbitrary changed. I would assume that the same
rules apply, if you delete a hidden key from <running>, it can't be
referenced and used anymore. Perhaps the discussion in the I-D should
be expanded to cover hidden keys as well.

I like the symmetry w/ hidden keys.  I assume that these entries would
be explicitly marked in the config as being "built-in" or "hidden".

I also expect that these special keys may be part of the firmware,
i.e., they may change with firmware updates. This can lead to stale
special keys that do not exist anymore in the firmware and new keys
that exist in the firmware but must be (manually) added to <running>
in order to use them.

So then the question is what happens if a key is removed from the
firmware, but it exists (with just the name) in the config, and some
part of the config reference it?

I think that this leads to the same problem as a weak leafref would
do, so either solution would work.


You will have a reference to a key that is not usable, which means you
get runtime failures (as you would get with certs that have expired or
other issues). Note that this is only becoming a problem if the
firmware update renames keys/certs. If the update only ships a new
keys/certs but keeps the names consistent, things will continue to
work. I can't tell whether this brittleness is something to be
concerned about or whether it falls into the usual 'things may go
wrong after an update' bag of surprises.

/js

--
Juergen Schoenwaelder           Jacobs University Bremen gGmbH
Phone: +49 421 200 3587         Campus Ring 1 | 28759 Bremen | Germany
Fax:   +49 421 200 3103         <https://www.jacobs-university.de/>

_______________________________________________
netconf mailing list
netconf@ietf.org<mailto:netconf@ietf.org>
https://www.ietf.org/mailman/listinfo/netconf