Re: [Netconf] zerotouch issues found while preparing -20

Mahesh Jethanandani <mjethanandani@gmail.com> Mon, 29 January 2018 22:50 UTC

Archived-At: <https://mailarchive.ietf.org/arch/msg/netconf/H70mZIPkOgDhNst9hiTrgXIVLhY>


> On Jan 26, 2018, at 8:58 PM, Kent Watsen <kwatsen@juniper.net> wrote:
> 
> 
> I found another issue while updating my PoC code to the current draft.  The issue comes from the draft's "zerotouch-information" artifact, a PKCS7 structure, only supporting a JSON-encoded payload.  The reason why it only supports a JSON-encoded payload was discussed on list before, but it goes to aligning with what draft-ietf-anima-voucher does.  The issue manifests itself when the payload encodes "onboarding-information", which has an 'anydata' node called "configuration".  Being 'anydata' inside a JSON-encoded document means that the configuration itself must also be JSON-encoded, but this is a problem for devices that don't support JSON-encoded configuration, and it's not possible for a bootstrap server (that may not have access to the YANG for the configuration) to generically convert the JSON to XML.  Stated another way, the current solution couples the encoding of the submitted configuration with the encoding of the envelope that's used to convey the configuration.  To address that, I propose replacing the 'anydata' node with a 'leaf' of type binary.  I don't foresee any interoperability issue with this change, as already the data sent to the device must be device-specific.  To be clear about this proposal, here is a commit that illustrates the change:
> 
> https://github.com/netconf-wg/zero-touch/commit/14d92eec946b50eb980b51670ace6ce8bf2e2334
> 
> While this is a technical change, it doesn't change the solution in a material way, so I'm hoping that it doesn't necessitate another last call to approve.  If no objections are raised, I'll also apply this change to the pending -20 update.
> 
> Separately, here are a couple other things we might consider doing:
> 
> 1) move from PKCS7 to CMS (RFC5652).   CMS is IETF's version of PKCS7.   It's practically identical.  The IESG requested this change when the anima-voucher draft went through its IETF Last Call, and so I expect the same change will be requested for this draft as well.

As shepherd of the document, I would prefer that this be addressed now rather than wait for an IESG request.

How big a change is this? And what are the differences between CMS and PKCS7? Are there any backward compatibility implications?

> 
> 2) modify the draft's statement that devices MUST send an IDevID certificate to one that says devices MUST send an IDevID certificate and/or HTTP-level authentication.   This wording is consistent with RFC 8040 Section 2.5 and, by allowing HTTP-level authentication, it will better represent products shipping by a number of vendors, whereby the installer can, for instance, type in a password into the device while it's booting.  This appears to be a popular low-barrier choice, as implementing IDevID is not easy.

As a contributor, I would be OK with the RFC 8040 wording.

As a shepherd, how big is the change? Also, what is the impact on security? Does the Security Considerations section need to be updated?

> 
> Thoughts?
> 
> Kent  // contributor
> 
> 

Mahesh Jethanandani
mjethanandani@gmail.com
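Added example (not code from the draft, the linked commit, or Kent's PoC) contrasting the 'anydata' shape of the "configuration" node with the proposed 'binary' leaf discussed in the thread. The key names, the "onboarding-information" wrapper and the encoding sniff are simplifications assumed here, not the draft's exact YANG.

```python
import base64
import json

# Constructed sample configurations; the bootstrap server treats them as
# opaque bytes because it may not have the YANG needed to re-encode them.
XML_CONFIG = b"<config><system><hostname>rtr1</hostname></system></config>"
JSON_CONFIG = b'{"system": {"hostname": "rtr1"}}'


def build_with_anydata(config: dict) -> str:
    """Pre-change shape: 'configuration' is 'anydata', so inside a JSON
    envelope it must itself be a JSON subtree. XML bytes cannot be placed
    here without converting them to JSON first (which needs the YANG)."""
    return json.dumps({"onboarding-information": {"configuration": config}})


def build_with_binary(config_bytes: bytes) -> str:
    """Proposed shape: 'configuration' is a 'binary' leaf. RFC 7951 encodes a
    binary leaf as a base64 string, so the envelope stays JSON while the
    configuration keeps whatever encoding the device expects."""
    b64 = base64.b64encode(config_bytes).decode("ascii")
    return json.dumps({"onboarding-information": {"configuration": b64}})


def detect_encoding(config_bytes: bytes) -> str:
    """Cheap sniff of the configuration's own encoding after decoding
    (assumed heuristic: first non-blank byte)."""
    head = config_bytes.lstrip()[:1]
    if head == b"<":
        return "xml"
    if head == b"{":
        return "json"
    return "unknown"


def parse_with_binary(doc: str, supported=("xml",)) -> tuple:
    """Device side: decode the base64 leaf strictly (rejecting malformed
    input) and check that the configuration is in an encoding this device
    supports before handing it to the configuration subsystem."""
    info = json.loads(doc)["onboarding-information"]
    config_bytes = base64.b64decode(info["configuration"], validate=True)
    enc = detect_encoding(config_bytes)
    if enc not in supported:
        raise ValueError(f"configuration encoding {enc!r} not supported")
    return enc, config_bytes
```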