IETF Logo Mail Archive

Re: [Netconf] Mandatory local configuration in Keystore groupings

Balázs Kovács <balazs.kovacs@ericsson.com> Thu, 11 October 2018 14:47 UTC

Return-Path: <balazs.kovacs@ericsson.com>
X-Original-To: netconf@ietfa.amsl.com
Delivered-To: netconf@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 52365130E9E for <netconf@ietfa.amsl.com>; Thu, 11 Oct 2018 07:47:13 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.321
X-Spam-Level:
X-Spam-Status: No, score=-3.321 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FROM_EXCESS_BASE64=0.979, RCVD_IN_DNSWL_MED=-2.3, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=ericsson.com header.b=H7VBjVNi; dkim=pass (1024-bit key) header.d=ericsson.com header.b=IKPQNvLu
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Pv8wt5pNRTlz for <netconf@ietfa.amsl.com>; Thu, 11 Oct 2018 07:47:11 -0700 (PDT)
Received: from sesbmg22.ericsson.net (sesbmg22.ericsson.net [193.180.251.48]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id AB4A8126CC7 for <netconf@ietf.org>; Thu, 11 Oct 2018 07:47:10 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; d=ericsson.com; s=mailgw201801; c=relaxed/simple; q=dns/txt; i=@ericsson.com; t=1539269229; x=1541861229; h=From:Sender:Reply-To:Subject:Date:Message-ID:To:CC:MIME-Version:Content-Type: Content-Transfer-Encoding:Content-ID:Content-Description:Resent-Date:Resent-From: Resent-Sender:Resent-To:Resent-Cc:Resent-Message-ID:In-Reply-To:References:List-Id: List-Help:List-Unsubscribe:List-Subscribe:List-Post:List-Owner:List-Archive; bh=nL3ZGUfTs+vkq3uRxiRVvFx5GbNKxil7fw+TYFs8Zk8=; b=H7VBjVNiNdGVkQAmGrHkRi5OE6qjBAPu5x/qIo/VvybdJkNSIx27jU09wUOQa4fJ c+J4dlwxpIW5EzjDGm2rFc8vuVpom2gaAIo0FifLLflTu3U7f3sOdSyGeHtBAGeS G9X0CyVNFCjqFpA8031xVAnAgBMbfQ3ve7TAoWaFyXk=;
X-AuditID: c1b4fb30-776849e0000047d2-82-5bbf626cbd61
Received: from ESESSMB503.ericsson.se (Unknown_Domain [153.88.183.121]) by sesbmg22.ericsson.net (Symantec Mail Security) with SMTP id D9.0F.18386.C626FBB5; Thu, 11 Oct 2018 16:47:08 +0200 (CEST)
Received: from ESESBMR502.ericsson.se (153.88.183.134) by ESESSMB503.ericsson.se (153.88.183.191) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P256) id 15.1.1466.3; Thu, 11 Oct 2018 16:47:07 +0200
Received: from ESESBMB505.ericsson.se (153.88.183.172) by ESESBMR502.ericsson.se (153.88.183.134) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P256) id 15.1.1466.3; Thu, 11 Oct 2018 16:47:06 +0200
Received: from EUR01-HE1-obe.outbound.protection.outlook.com (153.88.183.157) by ESESBMB505.ericsson.se (153.88.183.172) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P256) id 15.1.1466.3 via Frontend Transport; Thu, 11 Oct 2018 16:47:07 +0200
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ericsson.com; s=selector1; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=nL3ZGUfTs+vkq3uRxiRVvFx5GbNKxil7fw+TYFs8Zk8=; b=IKPQNvLui5c1jPXCLXac9Jye5WDeWi1s0eYppdn4R9/wVv6MSffGai06xANtEx3f2Si9MMlJRWL/XVQIf2D+MXmfrgNbDJy4627+roToWaWl6EgQsBWMJcqL/B0uPiFNMB1gMvZjO+3sg3kcKJVXsTOX8RrDYsZnTc/P343hLaI=
Received: from VI1PR0701MB2016.eurprd07.prod.outlook.com (10.167.209.150) by VI1PR0701MB1966.eurprd07.prod.outlook.com (10.167.209.136) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.1228.20; Thu, 11 Oct 2018 14:47:05 +0000
Received: from VI1PR0701MB2016.eurprd07.prod.outlook.com ([fe80::b0f7:7595:9501:6d8d]) by VI1PR0701MB2016.eurprd07.prod.outlook.com ([fe80::b0f7:7595:9501:6d8d%4]) with mapi id 15.20.1228.020; Thu, 11 Oct 2018 14:47:04 +0000
From: Balázs Kovács <balazs.kovacs@ericsson.com>
To: Kent Watsen <kwatsen@juniper.net>, Martin Bjorklund <mbj@tail-f.com>
CC: "netconf@ietf.org" <netconf@ietf.org>
Thread-Topic: [Netconf] Mandatory local configuration in Keystore groupings
Thread-Index: AQHUE4npYduSZhsf/U2Th8xceQbCUaSAzHaAgEmH34CAAG1ZgIAA+nAAgAPuH4CAA+yKAIABAxSAgAB6cACAAHFXIIAAWSCAgADMp9CAAnp9gIAFkemAgAFwH/CACoYJAIAAdAkAgADFpICACRlvgIAAdmGAgACclYCAACUMUIAAoXkAgAAWIACAIB/ScIAAPI5wgAETNICAAkoF8A==
Date: Thu, 11 Oct 2018 14:47:04 +0000
Message-ID: <VI1PR0701MB2016D840CE109F34F276C82D83E10@VI1PR0701MB2016.eurprd07.prod.outlook.com>
References: <20180918.090227.98113334613843662.mbj@tail-f.com> <VI1PR0701MB2016707AE81A6F77719461D4831D0@VI1PR0701MB2016.eurprd07.prod.outlook.com> <A9FACF6E-2207-4FD3-966A-3482DC96B35D@juniper.net> <20180918.221210.1111111634668608576.mbj@tail-f.com> <VI1PR0701MB2016CB295B311EFCF2F7632C83E70@VI1PR0701MB2016.eurprd07.prod.outlook.com> <VI1PR0701MB2016753ED14EC8BFEE82F45C83E70@VI1PR0701MB2016.eurprd07.prod.outlook.com> <B6C88812-91FF-4242-AA16-B5301DB86C9F@juniper.net>
In-Reply-To: <B6C88812-91FF-4242-AA16-B5301DB86C9F@juniper.net>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [89.135.192.225]
x-ms-publictraffictype: Email
x-microsoft-exchange-diagnostics: 1; VI1PR0701MB1966; 6:nfkbs7mv6vfTW1K8dhhbvsLQBauFOUFaiL7Ezjc9NtMgTUP9FKpAvQsj+POYvwkucR/O4QzY2EHfBH5/Av9X30ze3jMZIMVlJReAICB16ZBh0I2TDs7hekgUGInif+4Pp9Ct6a5LYh3odyxylPtmhLXvoPjydP3qUto92laAhG58EIcGjZPw+mxx0ge9JeAq29MueVWLeJ8w+taQQjJ5dmpOd1MekVeZ6f8VIhXfemL1T3mXv7lVX4Z24L005Z/XKtELG/G8rJwfk1OAGIcTHt7NPq9hHGZ0ObZaLfI76iYFXlyrGFzWojkK8sKsDjRXCoPrl5YoK7Nj+F2xVWGsXhlODorWn3WPKONWeSlClkJM5KKLnYMi0xIZsYoSIu84bPwW0Rk9sH8hPpqeq+arooG1kwenJ+omNtHjqA6i9XQyizjsXNxXkjgIv77mqfgFa5R/ZO9nkAAhD49S9bzp4g==; 5:0OgAGhwhMxymytYL9+Eccs1l3fOtS1yYqcLmwa9BVMo6XVzpOY5ex77PF7RRBsK1k8Tqs+c8T5wRFfK04L1eET74RaAA9EmaKSynD/42Q5J/ThIfoE+Y4a1qFjx9z9MYjPRffemS3ZxODIPZGq15UCfbVC9S9nK+gW3iDHvaxZE=; 7:7RQrubUk7z5r0Ps6s48Dsq9LqYon/lFFkwu9Zw11Dwxib8gBvDpklaJq5XJsB/1Qhu0NirR0VOPDXl/XPR2xCjtLiygEY9u4yCEYjqlB5BaWr4bhB3cNKL/kKgnA3S3OG5ZXxk2XRwDYTUcJnJxGQQANyvENawNg41yfxc9Sf5a2Dt0NeTPXRl54iu8JyTQ8H/0KrxDOYNfMNVwN8TbklOZOzNjvjgAzPDUW/Re614GE9+8QeASkgv1l1whiFShy
x-ms-exchange-antispam-srfa-diagnostics: SOS;
x-ms-office365-filtering-correlation-id: bcabf538-81d5-4272-a6ab-08d62f88691c
x-microsoft-antispam: BCL:0; PCL:0; RULEID:(7020095)(4652040)(8989299)(5600074)(711020)(4534185)(4627221)(201703031133081)(201702281549075)(8990200)(2017052603328)(7153060)(7193020); SRVR:VI1PR0701MB1966;
x-ms-traffictypediagnostic: VI1PR0701MB1966:
authentication-results: spf=none (sender IP is ) smtp.mailfrom=balazs.kovacs@ericsson.com;
x-microsoft-antispam-prvs: <VI1PR0701MB19664B2DEDDD58B58B1EF90383E10@VI1PR0701MB1966.eurprd07.prod.outlook.com>
x-exchange-antispam-report-test: UriScan:(158342451672863)(138986009662008)(248295561703944)(37575265505322);
x-ms-exchange-senderadcheck: 1
x-exchange-antispam-report-cfa-test: BCL:0; PCL:0; RULEID:(8211001083)(6040522)(2401047)(5005006)(8121501046)(93006095)(93001095)(10201501046)(3231355)(944501410)(52105095)(3002001)(149066)(150057)(6041310)(20161123562045)(20161123558120)(201703131423095)(201702281528075)(20161123555045)(201703061421075)(201703061406153)(20161123564045)(20161123560045)(201708071742011)(7699051)(76991055); SRVR:VI1PR0701MB1966; BCL:0; PCL:0; RULEID:; SRVR:VI1PR0701MB1966;
x-forefront-prvs: 08220FA8D6
x-forefront-antispam-report: SFV:NSPM; SFS:(10009020)(396003)(136003)(366004)(39860400002)(376002)(346002)(199004)(189003)(13464003)(66574009)(93886005)(229853002)(55016002)(71200400001)(5660300001)(71190400001)(6436002)(85182001)(2906002)(14444005)(5250100002)(316002)(7696005)(53936002)(105586002)(4326008)(256004)(14454004)(25786009)(99286004)(110136005)(53546011)(76176011)(86362001)(106356001)(6246003)(6506007)(68736007)(186003)(476003)(26005)(33656002)(2900100001)(85202003)(478600001)(3846002)(1941001)(6116002)(66066001)(102836004)(97736004)(305945005)(9686003)(8936002)(11346002)(81166006)(486006)(446003)(8676002)(81156014)(7736002)(74316002)(76704002); DIR:OUT; SFP:1101; SCL:1; SRVR:VI1PR0701MB1966; H:VI1PR0701MB2016.eurprd07.prod.outlook.com; FPR:; SPF:None; LANG:en; PTR:InfoNoRecords; A:1; MX:1;
received-spf: None (protection.outlook.com: ericsson.com does not designate permitted sender hosts)
x-microsoft-antispam-message-info: Sm9U+TnZnkJiSIbL8Pnuycb7xylu7wt7/RJ5aVSO2Z1JHkZFXRFNOUso8q8kfkounyod4j0jdKagIi3F/ktqAioZYNBxkI961+Q7f/Z1EGO0fQMzVkrmPRynsXbgHUmMUXwE3osvcrIblS1p8wvEepWreOfv5YS72CdMIunruFSmAibkSDuAtZhhnA72fPaW3kXsQeilc/h9Zycz9Im+FB70Gg6tKITiAGBsLn4Cwx9r4LhHf9rhAsRBicMe59AIvK72LbMgCNZmk4uLHOJDbKdxhVEERNMc35nr5g/DVOKBO02qq2cWJcZEVkGuSpurWykIeurQ2j/Y6vzPjN3Q6xrUYg95mP1pVsS+nDxA94M=
spamdiagnosticoutput: 1:99
spamdiagnosticmetadata: NSPM
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: base64
MIME-Version: 1.0
X-MS-Exchange-CrossTenant-Network-Message-Id: bcabf538-81d5-4272-a6ab-08d62f88691c
X-MS-Exchange-CrossTenant-originalarrivaltime: 11 Oct 2018 14:47:04.4186 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 92e84ceb-fbfd-47ab-be52-080c6b87953f
X-MS-Exchange-Transport-CrossTenantHeadersStamped: VI1PR0701MB1966
X-OriginatorOrg: ericsson.com
X-Brightmail-Tracker: H4sIAAAAAAAAA+NgFupnleLIzCtJLcpLzFFi42KZGbG9UjcnaX+0wbwnNhYH5rBbdHc/Y7eY uuk2qwOzx5IlP5k8rjddZffY+GsxSwBzFJdNSmpOZllqkb5dAlfG3sk/2AseeVdM3n2WqYHx hWcXIyeHhICJxLZ5p1i7GLk4hASOMkq0XGpgh3C+MUoceHqYDc45PXcRI4SzhEmi9V0vUA8H B4vABGaJ7Uwgo4QEZjJJ3PmQA1HzjFHi6vYjYAk2AWeJ8y8eg9kiAh4SDZ+PsoHYzAKaEmv/ fmQGsYUFvCR27b3NCFHjLdHTvZ8FZJCIwCNGicuTf4MlWARUJeY97WYFsXkFEiT6nv6HOvwJ s8Sfbc1gRZwC9hItz7+A2YwCYhLfT61hgtgmLnHryXwmiK8FJJbsOc8MYYtKvHz8jxXCVpKY 8eoWlC0rcWl+N9jLEgIH2CW+HL4H1awr8WHqVKhmX4mmpR2sEEUnGSU6bn9jg0joSKze8J0F 4opYiR2v77BDxPMldj98xwJh50oc+fmPbQKj0SwkB84CBisoaNbv0ocIK0pM6X7IPgvsaUGJ kzOfsCxgZFnFKFqcWpyUm25kpJdalJlcXJyfp5eXWrKJEZhMDm75bbCD8eVzx0OMAhyMSjy8 zO77o4VYE8uKK3MPMUpwMCuJ8OrP2BctxJuSWFmVWpQfX1Sak1p8iFGag0VJnNfCb3OUkEB6 YklqdmpqQWoRTJaJg1OqgdGx6YbTjVsaHzz3rcxK7X1j8Wx2W0fB0y6L0AWzp/HJ/BGq5CtZ E/pyv4/Fl8kVx30/zPPKE7JQfyTgJv9dvUl/zukehU8nlryy+ipnv/TW2v7N/YHH37Wdig5+ 9OFMQPPVmZbXim4eXRa3/STXMonH9yfdchVetMSUYbOk3YWT78O4Pmb0mfoqsRRnJBpqMRcV JwIA6WlVbCIDAAA=
Archived-At: <https://mailarchive.ietf.org/arch/msg/netconf/GcIR2F-Fe3ZSgF1T2us6bVq9Ku4>
Subject: Re: [Netconf] Mandatory local configuration in Keystore groupings
X-BeenThere: netconf@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Network Configuration WG mailing list <netconf.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/netconf>, <mailto:netconf-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/netconf/>
List-Post: <mailto:netconf@ietf.org>
List-Help: <mailto:netconf-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/netconf>, <mailto:netconf-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 11 Oct 2018 14:47:13 -0000

Hi Kent,

One more issue. There are 3 local-or-keystore definitions in keystore. For example:

  grouping local-or-keystore-asymmetric-key-with-certs-grouping {
    description
      "A grouping that expands to allow the key to be either stored
       locally within the using data model, or be a reference to an
       asymmetric key stored in the keystore.";
    choice local-or-keystore {
      mandatory true;
      case local {
        if-feature "local-keys-supported";
        uses ct:asymmetric-key-pair-with-certs-grouping;
      }
      case keystore {
        if-feature "keystore-supported";
        leaf reference {
          type ks:asymmetric-key-ref;
          description
            "A reference to a value that exists in the keystore.";
        }
      }
      description
        "A choice between an inlined definition and a definition
         that exists in the keystore.";
    }
  }

I was thinking if the 'leaf reference' in 'case keystore' should rather be 'mandatory true'. I know it does not make a difference now when there is only a single leaf in that case (and we don't plan more), but maybe it is more secure to have the mandatory flag on.

Regarding the groupings:

I think the 'local' configurations in local-or-keystore groupings got too much capability in the end, and the locals became kind of full-fledged keystores. Shouldn't the local be simplified to binary privkey and certificate? I think local should be much simpler, but this is just my opinion. This of course impacts what should be moved to ct. Some detailed thoughts below:

1. Is the 'grouping local-or-keystore-asymmetric-key-with-certs-grouping' grouping used by any module? Client/server models seem to use only the ks:local-or-keystore-end-entity-certificate-grouping. Latter is lacking the action and cert is not in list. What was the objective with the local configuration? Shouldn't it be much more simple than the keystore capability? Shouldn't it be just for configuring a non-hidden key and corresponding cert? Even the current local configuration with hidden key generate/install seem to be stepping on the toes of keystore. Hidden key generation I guess would also need CSR creation to bind the hidden key with a cert (which is not part of the local branches).

2. I guess crypto-types should contain the groupings that are foreseen to be reused. But those that we see only for keystore, could possibly remain in keystore. 'asymmetric-key-pair-with-certs' grouping contain way too much keystore specific implementation in my opinion, so it should be in keystore and not reused (unless you really want to boost the capabilities of the 'local' configuration). I would also keep 'end-entity-cert-grouping' in keystore with the certificate expiration information. 'trust-anchor-cert-grouping' could stay in trust anchors, it just adds a leaf. ' asymmetric-key-pair-grouping' should be in keystore IF it is only for keystore. Maybe if this latter was simpler that the local configurations should also use, then that could be in ct.

Br,
Balazs


-----Original Message-----
From: Kent Watsen <kwatsen@juniper.net> 
Sent: Wednesday, October 10, 2018 4:48 AM
To: Balázs Kovács <balazs.kovacs@ericsson.com>; Martin Bjorklund <mbj@tail-f.com>
Cc: netconf@ietf.org
Subject: Re: [Netconf] Mandatory local configuration in Keystore groupings

Hi Balazs,

Answering both of your messages here.


> I was checking it at the moment and noticed something that may be a miss.
>
>  typedef asymmetric-key-ref {
>    type leafref {
>      path "/ks:keystore/ks:asymmetric-keys/ks:asymmetric-key"
>           + "/ks:name";
>      require-instance false;
>    }
>    description
>      "This typedef enables modules to easily define a reference
>       to an asymmetric key stored in the keystore. The require
>       instance attribute is false to enable the referencing of
>       asymmetric keys that exist only in <operational>.";
>    reference
>      "RFC 8342: Network Management Datastore Architecture (NMDA)";  }
>
> I think we were discussing changing 'require-instance' to 'true' 
> in relation to the change toward alternative (C) as discussed below. 
> Should it be 'true' instead of 'false'?

Yes.  I removed the "require-instance" statement, and fixed the "description" statement in my local copy.  New description
statement:

      "This typedef enables modules to easily define a reference 
       to an asymmetric key stored in the keystore.";

I did the same for the asymmetric-key-certificate-ref typedef, as we should apply the same (C) trick there as well.  But doing this required removing the "mandatory true" from end-entity-cert-grouping.
For full measure, I also removed the "mandatory true" from the trust-anchor-cert-grouping, as that seemed to be the same issue as the others.


> One more question. I found this in ct:
>
>  grouping asymmetric-key-pair-with-certs-grouping {
>    description
>      "A private/public key pair and associated certificates.";
>    uses asymmetric-key-pair-grouping;
>    container certificates {
>      description
>        "Certificates associated with this asymmetric key.
>         More than one certificate supports, for instance,
>         a TPM-protected asymmetric key that has both IDevID
>         and LDevID certificates associated.";
>      list certificate {
>        must "../../algorithm
>               and ../../public-key
>                 and ../../private-key";
>        key name;
>        description
> ...
>
> Is it ok to have the must statement in the certificate list? 
> I think with (C) the idea was to have hidden keys represented in the 
> configuration for which certificates can still be configured, but 
> hidden keys will have no algorithm/public-key\ /private-key in 
> configuration. What's your view?

Yes.  I removed the "must" statement in my local copy and changed the description statement for /keystore/asymmetric-keys/asymmetric-key/name
as follows:

OLD:
            "An arbitrary name for the asymmetric key.";
NEW:
            "An arbitrary name for the asymmetric key.  If the name
             matches the name of a key that exists independently in
             <operational> (i.e., a 'permanently-hidden' key), then
             the 'algorithm', 'public-key', and 'private-key' nodes
             MUST NOT be configured.";

As well the description statement for asymmetric-key-pair-with-
certs-grouping/certificates/certificate/name:

OLD:
            "An arbitrary name for the certificate.";
NEW:
            "An arbitrary name for the certificate.  If the name
             matches the name of a certificate that exists
             independently in <operational> (i.e., an IDevID), 
             then the 'cert' node MUST NOT be configured.";



BTW, you probably noticed this comment in keystore:

  // MOVED TO CRYPTO TYPES DRAFT? - OKAY TO REMOVE HERE NOW?
  // <snip/>

Any thoughts about that move? - better?



Thanks,
Kent

v2.23.0 | Report a Bug | By Email