[netconf] Comments on draft-ietf-netconf-keystore v17
"Eric Voit (evoit)" <evoit@cisco.com> Tue, 23 June 2020 20:42 UTC
From: "Eric Voit (evoit)" <evoit@cisco.com>
To: Kent Watsen <kent+ietf@watsen.net>
CC: "netconf@ietf.org" <netconf@ietf.org>
Date: Tue, 23 Jun 2020 20:42:02 +0000
Archived-At: <https://mailarchive.ietf.org/arch/msg/netconf/KrU69Fd4qFIKv2tZngSlEpzyX9Q>
Hi Kent,

This is a well written document, and I do support progression. I do have some comments/questions...

(1) Section 1: You say:

   Special consideration has been given for systems that have cryptographic hardware, such as a Trusted Protection Module (TPM). These systems are unique in that the cryptographic hardware hides the secret key values. To support such hardware, symmetric keys may have the value "hidden-key" and asymmetric keys may have the value "hidden-private-key". While how such keys are created or destroyed is outside the scope of this document, the Keystore can contain entries for such keys, enabling them to be referenced by other configuration elements.

Question: Internally there might be several keystores on a router. An example is that there could be a TPM for each different line card on a router. How is this YANG model able to expose which keys are associated with specific TPMs? E.g.: where in the model would you recommend such augmentations to the grouping statements be made?

(2) This is likely a minor question: I have seen a need for "local-or-keystore-public-key-grouping" rather than "local-or-keystore-asymmetric-key-grouping". The only reason for the need is that the private key is never accessible (TPM again), and the private-key entries of the YANG model are never used. Is there a reason why you didn't have "local-or-keystore-public-key-grouping" beyond what could be perceived as redundancy?

(3) Section 5.3: You say:

   It was noted that, in this case, the second server would be unable to decrypt any of the keys encrypted by the first server.

Question: It is possible for the first server to encrypt a keystore using the public key of the second server so that only the private key of the second server would have access to these keys. How do you see this option playing in the migration process?

Thanks,
Eric
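To make the migration option raised in question (3) concrete, here is an added example in Go (not code from the draft or from the message's author): the first server wraps a keystore secret under the second server's public key with RSA-OAEP, so only the second server's private key can recover it, and the first server is locked out of its own output. The Server type, the 2048-bit key size and the use of the recipient name as the OAEP label are assumptions made for this example.

```go
package main

import (
	"bytes"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
)

// Server stands in for one NETCONF server holding its own private key
// (e.g. TPM-resident, never exported). Hypothetical type for this example.
type Server struct {
	Name string
	priv *rsa.PrivateKey
}

// NewServer generates a fresh 2048-bit RSA key pair for the server.
func NewServer(name string) (*Server, error) {
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	return &Server{Name: name, priv: priv}, nil
}

// WrapForMigration encrypts a keystore secret under the recipient's public
// key with RSA-OAEP; the label binds the ciphertext to the recipient's name.
// Only the matching private key can decrypt, so the sender is locked out.
func WrapForMigration(to *rsa.PublicKey, label string, secret []byte) ([]byte, error) {
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, to, secret, []byte(label))
}

// Unwrap tries to recover a migrated secret with this server's private key.
func (s *Server) Unwrap(label string, wrapped []byte) ([]byte, error) {
	return rsa.DecryptOAEP(sha256.New(), rand.Reader, s.priv, wrapped, []byte(label))
}

// MigrateSecret runs the flow end to end: the first server wraps the secret
// for the second, which must recover it, while the first must no longer be able to.
func MigrateSecret(from, to *Server, secret []byte) (recipientOK, senderLockedOut bool, err error) {
	wrapped, err := WrapForMigration(&to.priv.PublicKey, to.Name, secret)
	if err != nil {
		return false, false, err
	}
	got, err := to.Unwrap(to.Name, wrapped)
	recipientOK = err == nil && bytes.Equal(got, secret)
	_, err = from.Unwrap(to.Name, wrapped) // wrong private key: must fail
	senderLockedOut = err != nil
	return recipientOK, senderLockedOut, nil
}
```

With a 2048-bit key and SHA-256 OAEP the wrapped secret may be at most 190 bytes, which covers symmetric keys and small private-key blobs; larger keystore entries would need a symmetric content key wrapped this way instead.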