[netconf] Comments on draft-ietf-netconf-keystore v17

"Eric Voit (evoit)" <evoit@cisco.com> Tue, 23 June 2020 20:42 UTC

Return-Path: <evoit@cisco.com>
X-Original-To: netconf@ietfa.amsl.com
Delivered-To: netconf@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 2866E3A0A30 for <netconf@ietfa.amsl.com>; Tue, 23 Jun 2020 13:42:08 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -9.599
X-Spam-Level:
X-Spam-Status: No, score=-9.599 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_MED=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_MSPIKE_H4=0.001, RCVD_IN_MSPIKE_WL=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001, USER_IN_DEF_DKIM_WL=-7.5] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=cisco.com header.b=b0UFM995; dkim=fail (1024-bit key) reason="fail (body has been altered)" header.d=cisco.onmicrosoft.com header.b=0HZwIVwK
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id KUFm-7p4TQC8 for <netconf@ietfa.amsl.com>; Tue, 23 Jun 2020 13:42:06 -0700 (PDT)
Received: from alln-iport-5.cisco.com (alln-iport-5.cisco.com [173.37.142.92]) (using TLSv1.2 with cipher DHE-RSA-SEED-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id C98D53A0A1D for <netconf@ietf.org>; Tue, 23 Jun 2020 13:42:05 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cisco.com; i=@cisco.com; l=7778; q=dns/txt; s=iport; t=1592944925; x=1594154525; h=from:to:cc:subject:date:message-id:mime-version; bh=OVmijfJy22Iw1i+m0Rdr/ZDIAZHu25SM5eD16aXFlho=; b=b0UFM995TwM5tJvwWmEiEebQhEE5TOkZ5W+PKaX1+AhmTFhlCK52I9SU cuw3dPcxwk6Y8l1UJgrvLatk9/KREq3Y4FArHjMNho/7gkygcFKR8k6NE DIkDnbVS8ZJYF7+x9sU2bcB4yYT12sGbs7AStpoVnjPTA6R9vim9hshCE E=;
X-Files: smime.p7s : 3975
IronPort-PHdr: =?us-ascii?q?9a23=3AQ4a+kxQ/PE75ghdXfjxNcAc9LNpsv++ubAcI9p?= =?us-ascii?q?oqja5Pea2//pPkeVbS/uhpkESQBNuJ9PtYkOfQ9abtRT9I7ZWAtSUEd5pBH1?= =?us-ascii?q?8AhN4NlgMtSMiCFQXgLfHsYiB7eaYKVFJs83yhd0QAHsH4ag7Nq2Gp4DhUHB?= =?us-ascii?q?jjZkJ5I+3vEdvUiMK6n+m555zUZVBOgzywKbN/JRm7t0PfrM4T1IBjMa02jB?= =?us-ascii?q?DOpyhF?=
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: =?us-ascii?q?A0CYCQBBaPJe/40NJK1mgQmDHCMuB4E?= =?us-ascii?q?aLS8sCodgA6YaglIDVQQHAQEBCQMBAS0CBAEBhEcCghMCJDgTAgMBAQsBAQU?= =?us-ascii?q?BAQECAQYEbYVbDIV1Fi4BATcBEQFQMCYBBA4NBhSDBYF+TQMfDwGtLgKBOYh?= =?us-ascii?q?hdIE0gwEBAQWFFxiCBwcJgTiBU4EUiV4BHRqBQT+BVIcwGoNFgi2aH5pBCoJ?= =?us-ascii?q?aBIQlglSSTp57r3oCBAIEBQIOAQEFgWoigVZwFYMkUBcCDZIPilZ0NwIGCAE?= =?us-ascii?q?BAwl8jk8BMV8BAQ?=
X-IronPort-AV: E=Sophos;i="5.75,272,1589241600"; d="p7s'?scan'208";a="512591288"
Received: from alln-core-8.cisco.com ([173.36.13.141]) by alln-iport-5.cisco.com with ESMTP/TLS/DHE-RSA-SEED-SHA; 23 Jun 2020 20:42:05 +0000
Received: from XCH-ALN-005.cisco.com (xch-aln-005.cisco.com [173.36.7.15]) by alln-core-8.cisco.com (8.15.2/8.15.2) with ESMTPS id 05NKg4DX031646 (version=TLSv1.2 cipher=AES256-SHA bits=256 verify=FAIL); Tue, 23 Jun 2020 20:42:05 GMT
Received: from xhs-rtp-002.cisco.com (64.101.210.229) by XCH-ALN-005.cisco.com (173.36.7.15) with Microsoft SMTP Server (TLS) id 15.0.1497.2; Tue, 23 Jun 2020 15:42:03 -0500
Received: from xhs-rtp-002.cisco.com (64.101.210.229) by xhs-rtp-002.cisco.com (64.101.210.229) with Microsoft SMTP Server (TLS) id 15.0.1497.2; Tue, 23 Jun 2020 16:42:03 -0400
Received: from NAM11-BN8-obe.outbound.protection.outlook.com (64.101.32.56) by xhs-rtp-002.cisco.com (64.101.210.229) with Microsoft SMTP Server (TLS) id 15.0.1497.2 via Frontend Transport; Tue, 23 Jun 2020 16:42:03 -0400
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=lmUeIdScAlutcTmjlIxvFzRS96ZYaR6/SO5EMmFE3tfUP8m/IPhodeg9sM2qqja+q2bXneb860bB70ws/kP1oydRJpzD72yhOvdp2aMjZfBU1BCS2RzgMbDCUDRtIsVIQ6YBQMECebhsQ8cjB355Z2hhZwMrYobwf22kw5kGHSjseFADTTGiy/Ov9e9antUkxdZRvOVnns+K6zAwemNDQbZR0O/Dug1ua4D9xT7ubhyvgV2t/7Mvc6HeRmU+lH/cECIM9y8GBmPH7aR3jf+Hd9BtEzLGkd2NKgWd6P4uGdfqm5Fd2ASqxFNe5wfsKwBxPDU5b9H16UUevSI0G8EL9Q==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=ISpNdNFonwb745mnCEKsFEwMEMvsZXliU54ufoVpDFU=; b=jgsWBURCvfj71XYyUBRq9qBeMAOjUbmeRPa+KNu0Fv1xbTb1t794H+YndGxbKj1AYphTiEqYSD6fFkZf/hzA2yhd3KM6KYaDY0D/fuqD+C4FuBq5UEgAe5UOk9g4yH3OGO5oz6xLDiTNhy5AlzmzjQyrJczfEA/SXAwPuZraDk1bPl/GhlmoscyTmNhiiOtOhHsouQzVjlX8H6B7kj0zXlyPixt3ZvWo6T9UAHIqxQ2A6t1+uP8fkCbYtMlcRnSTlgojQpRIeVZeziNVQ9bWbZmTSjmoTXTLUH6MtM19/aS0iBr3+aF7iezlpYZZqCEUf2Bsyt9umNAJw6h87fCG+g==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=cisco.com; dmarc=pass action=none header.from=cisco.com; dkim=pass header.d=cisco.com; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=cisco.onmicrosoft.com; s=selector2-cisco-onmicrosoft-com; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=ISpNdNFonwb745mnCEKsFEwMEMvsZXliU54ufoVpDFU=; b=0HZwIVwKKPhxgQf+NzuDC37SWBS9NFqz/hjyirXkWbXFilPjke03xFSBIySch7VwYOrsSpFqUmOR877ACaE/QCBqdUxIrdfLg+/bwYJvXu6zVUIjsuwb9DGz6Cd2Rz3QEDDjNMhjWO8ZJTsl7pd1IqAmQmEhJ3hnMfgVfwgWWR8=
Received: from BL0PR11MB3122.namprd11.prod.outlook.com (2603:10b6:208:75::32) by MN2PR11MB4680.namprd11.prod.outlook.com (2603:10b6:208:26d::12) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.3109.21; Tue, 23 Jun 2020 20:42:02 +0000
Received: from BL0PR11MB3122.namprd11.prod.outlook.com ([fe80::20ac:d8b4:4a4f:4290]) by BL0PR11MB3122.namprd11.prod.outlook.com ([fe80::20ac:d8b4:4a4f:4290%7]) with mapi id 15.20.3109.027; Tue, 23 Jun 2020 20:42:02 +0000
From: "Eric Voit (evoit)" <evoit@cisco.com>
To: Kent Watsen <kent+ietf@watsen.net>
CC: "netconf@ietf.org" <netconf@ietf.org>
Thread-Topic: Comments on draft-ietf-netconf-keystore v17
Thread-Index: AdZJi6eAeMmOZqZaQ3i6nM88A9zjLw==
Date: Tue, 23 Jun 2020 20:42:02 +0000
Message-ID: <BL0PR11MB31224C35E1100037780F7DE6A1940@BL0PR11MB3122.namprd11.prod.outlook.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: yes
X-MS-TNEF-Correlator:
authentication-results: watsen.net; dkim=none (message not signed) header.d=none;watsen.net; dmarc=none action=none header.from=cisco.com;
x-originating-ip: [108.18.114.139]
x-ms-publictraffictype: Email
x-ms-office365-filtering-correlation-id: 537ae3f2-35ce-4ec6-90f6-08d817b5e248
x-ms-traffictypediagnostic: MN2PR11MB4680:
x-microsoft-antispam-prvs: <MN2PR11MB46802D94E0D42D5FF53D9961A1940@MN2PR11MB4680.namprd11.prod.outlook.com>
x-ms-oob-tlc-oobclassifiers: OLM:9508;
x-forefront-prvs: 04433051BF
x-ms-exchange-senderadcheck: 1
x-microsoft-antispam: BCL:0;
x-microsoft-antispam-message-info: 9wOv4TvisbadtesrkpraTdHSEOXlqvHtM0lmnDCwHG9ecGU3xyCZnfOxPg3miT3Ouewz615cu0HhF+AUsSpQWwyVZVv/jnVtDpjdnRsV+wzvawfFCcPtgpPZVb4Std5+s7uWHfxRTCah58n4kxGoLXyyJW5/Ls2Z4F4r57xinw+hRxHerK1zVJ0FGcztVR6i84ZNMpyuYCuFdubqedyRvg11EHpCESSpHABljyqUPXSbFyuar84XB2OvtLEPGlh5IzIaJ3NXZlBKhOgdx0hlo6D7WxQSYNCo91cmaisTI5j/x+GmGy203EToST6DUhDH
x-forefront-antispam-report: CIP:255.255.255.255; CTRY:; LANG:en; SCL:1; SRV:; IPV:NLI; SFV:NSPM; H:BL0PR11MB3122.namprd11.prod.outlook.com; PTR:; CAT:NONE; SFTY:; SFS:(4636009)(39860400002)(366004)(136003)(376002)(396003)(346002)(66574015)(55016002)(7696005)(9686003)(478600001)(186003)(6506007)(33656002)(316002)(26005)(86362001)(2906002)(99936003)(66616009)(66946007)(52536014)(66446008)(83380400001)(66476007)(5660300002)(4326008)(66556008)(8936002)(8676002)(71200400001)(76116006)(64756008); DIR:OUT; SFP:1101;
x-ms-exchange-antispam-messagedata: cFXQ+58ZRFqh+5DGOJxsJl6WuE52cbLyJMzt4l+FHz79D1nw7rwLvOivHR8IvJh4CA8P1BNVZviuIkVxVpePQiH979GukCcC2b7wYCqtv764nGAigqBs56d7Zxdok6NEMPV2PIUgouldvcoXo21RNcNFbWg4onE/arNNQyx936AoXuEgeIrZiqRQCoZ1ToHHKq7lV9kKFZE6S9UdlMMled7bUzxaERRGd9sZdl2A3FOUt55uehHNMNkqX9zK+zC/o8DZmw/YG92Qo9ztzxgIVPokc4HHlEmz6Gjlzp4UJCgxrHTaxXmHP2iYrhSNWsYYODWh2fXUQiWIvEK0tcpyTT1Zsg4tTRYg0SqfC11RRG39mxnauWcvXg87uHMpwWH65FyazsLzWiYRKcJ0iKAPY9VvW2x+q5nRtGaMQgIa9gU62AtM2I2FYQyCeS32niRAgs8ciso3QxU0GLiLhN3c2BxcAcuAE5iwU85V766LwqGYVDWzwRqT8sEwBQ0/sgjO
x-ms-exchange-transport-forked: True
Content-Type: multipart/signed; protocol="application/x-pkcs7-signature"; boundary="----=_NextPart_000_0280_01D6497D.36D7A490"; micalg=SHA1
MIME-Version: 1.0
X-MS-Exchange-CrossTenant-Network-Message-Id: 537ae3f2-35ce-4ec6-90f6-08d817b5e248
X-MS-Exchange-CrossTenant-originalarrivaltime: 23 Jun 2020 20:42:02.4372 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 5ae1af62-9505-4097-a69a-c1553ef7840e
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-CrossTenant-userprincipalname: 8LCCSgaXZFv6Vl2tUbUhUKMnw95Ny3DpTPZaGC/4f6HQpnqQ1fM/Iu4dx85cgFJh
X-MS-Exchange-Transport-CrossTenantHeadersStamped: MN2PR11MB4680
X-OriginatorOrg: cisco.com
X-Outbound-SMTP-Client: 173.36.7.15, xch-aln-005.cisco.com
X-Outbound-Node: alln-core-8.cisco.com
Archived-At: <https://mailarchive.ietf.org/arch/msg/netconf/KrU69Fd4qFIKv2tZngSlEpzyX9Q>
Subject: [netconf] Comments on draft-ietf-netconf-keystore v17
X-BeenThere: netconf@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: NETCONF WG list <netconf.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/netconf>, <mailto:netconf-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/netconf/>
List-Post: <mailto:netconf@ietf.org>
List-Help: <mailto:netconf-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/netconf>, <mailto:netconf-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 23 Jun 2020 20:42:08 -0000

Hi Kent,

This is a well written document, and I do support progression.  I do have
some comments/questions...


(1) Section 1: You say:
   Special consideration has been given for systems that have
   cryptographic hardware, such as a Trusted Protection Module (TPM).
   These systems are unique in that the cryptographic hardware hides the
   secret key values.  To support such hardware, symmetric keys may have
   the value "hidden-key" and asymmetric keys may have the value
   "hidden-private-key".  While how such keys are created or destroyed
   is outside the scope of this document, the Keystore can contain
   entries for such keys, enabling them to be referenced by other
   configuration elements.

Question: Internally there might be several keystores on a router.  An
example is that there could be a TPMs for each different line card on a
router.  How is this YANG model about to expose which keys are associated
with specific TPMs?   E.g.: where in the model would you recommend such
augmentations to the grouping statements be made?


(2) This is likely a minor question:   I have seen a need for
"local-or-keystore-public-key-grouping" rather than
"local-or-keystore-asymmetric-key-grouping".  The only reason for the need
is that the private-key is never accessible (TPM again), and the private key
entries of the YANG model are never used.   Is there a reason why you didn't
have "local-or-keystore-public-key-grouping" beyond what could be perceived
as redundancy?


(3) Section 5:3 You Say:
   It was noted that, in this case, the second server would be
   unable to decrypt any of the keys encrypted by the first server.

Question: It is possible for the first server to encrypt a keystore using
the public key of the second server so that only the private key of the
second server would have access to these keys.  How do you see this option
playing in the migration process?

Thanks,
Eric