Re: [netconf] ietf crypto types - permanently hidden

"Rob Wilton (rwilton)" <rwilton@cisco.com> Tue, 07 May 2019 13:34 UTC

Return-Path: <rwilton@cisco.com>
X-Original-To: netconf@ietfa.amsl.com
Delivered-To: netconf@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id DF5DE12012C for <netconf@ietfa.amsl.com>; Tue, 7 May 2019 06:34:24 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -14.51
X-Spam-Level:
X-Spam-Status: No, score=-14.51 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_HI=-5, SPF_PASS=-0.001, T_DKIMWL_WL_MED=-0.01, URIBL_BLOCKED=0.001, USER_IN_DEF_DKIM_WL=-7.5] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=cisco.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id RWW5-7XLmz6E for <netconf@ietfa.amsl.com>; Tue, 7 May 2019 06:34:23 -0700 (PDT)
Received: from alln-iport-6.cisco.com (alln-iport-6.cisco.com [173.37.142.93]) (using TLSv1.2 with cipher DHE-RSA-SEED-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id C8059120026 for <netconf@ietf.org>; Tue, 7 May 2019 06:34:22 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cisco.com; i=@cisco.com; l=4944; q=dns/txt; s=iport; t=1557236062; x=1558445662; h=from:to:cc:subject:date:message-id:references: in-reply-to:content-transfer-encoding:mime-version; bh=DiVn1rqyuzZ3J6PLkmCkDO+zXDX57Zafa0Ozijo9F6U=; b=MZCwfvEdjQU6wYkirVEKB4Du6xaB6lJI7SwBd59CITMUZ2tIaydWQcNP k/jl401+DjZfn/yGVWLSr5tu3g+P651XO8su6GcuvH2xmWG6K2yee9CLc Rxa/sn72kDh/W3Cu3OQuGJZ29Q4dPLeq6//EXekI3yiCTEWK+fYOyQR35 s=;
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: =?us-ascii?q?A0AEAACTiNFc/40NJK1kGgEBAQEBAgE?= =?us-ascii?q?BAQEHAgEBAQGBUQUBAQEBCwGCEIFtKAqMIo0ImFKBew4BAYRtAoIWIzQJDgE?= =?us-ascii?q?DAQEEAQECAQJtKIVKAQEBAQMnEz8MBAIBCA4DAQMBAQEeEDIXBggCBA4FCBO?= =?us-ascii?q?FEq5zM4oygTIBigqBJh0XgUA/gRGDEj6EAIYmBKdBCQKCCZJEI4IQk0aDcIl?= =?us-ascii?q?Sk1QCERWBMB84gVZwFYMnkFABQTGPaiuBBIEhAQE?=
X-IronPort-AV: E=Sophos;i="5.60,441,1549929600"; d="scan'208";a="272613362"
Received: from alln-core-8.cisco.com ([173.36.13.141]) by alln-iport-6.cisco.com with ESMTP/TLS/DHE-RSA-SEED-SHA; 07 May 2019 13:34:21 +0000
Received: from XCH-RCD-006.cisco.com (xch-rcd-006.cisco.com [173.37.102.16]) by alln-core-8.cisco.com (8.15.2/8.15.2) with ESMTPS id x47DYLMN005273 (version=TLSv1.2 cipher=AES256-SHA bits=256 verify=FAIL); Tue, 7 May 2019 13:34:21 GMT
Received: from xch-rcd-007.cisco.com (173.37.102.17) by XCH-RCD-006.cisco.com (173.37.102.16) with Microsoft SMTP Server (TLS) id 15.0.1473.3; Tue, 7 May 2019 08:34:20 -0500
Received: from xch-rcd-007.cisco.com ([173.37.102.17]) by XCH-RCD-007.cisco.com ([173.37.102.17]) with mapi id 15.00.1473.003; Tue, 7 May 2019 08:34:20 -0500
From: "Rob Wilton (rwilton)" <rwilton@cisco.com>
To: Martin Bjorklund <mbj@tail-f.com>
CC: "kent+ietf@watsen.net" <kent+ietf@watsen.net>, "netconf@ietf.org" <netconf@ietf.org>
Thread-Topic: [netconf] ietf crypto types - permanently hidden
Thread-Index: AdTf8DCbvspujhISQkyURJOX9ReFpAL4+PiAAAVM54ADt02zAAAGzCgAAAQfJ4AABQvugADqhRSAAAgkE4AAKD/bgAABK6oAAAGYSwAABxXrgAA8jwUAAA4ykpAAOGfLgAAGk8WgAAOK8oAACbL7AAAASZ0AALNATcAADWJ/AAAITk0A
Date: Tue, 7 May 2019 13:34:20 +0000
Message-ID: <637d22b885a94bf4bd6c4bb53904dac9@XCH-RCD-007.cisco.com>
References: <0100016a7e7a9e54-d4987061-96d8-49f3-a2bf-36b98851b3a3-000000@email.amazonses.com> <0100016a7e822689-e6fdbdbe-ba84-43e1-aefe-47196fe692e3-000000@email.amazonses.com> <e6930b6e52a642bda9f1bd76731ce9c3@XCH-RCD-007.cisco.com> <20190507.141926.1879619200930898148.mbj@tail-f.com>
In-Reply-To: <20190507.141926.1879619200930898148.mbj@tail-f.com>
Accept-Language: en-GB, en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-ms-exchange-transport-fromentityheader: Hosted
x-originating-ip: [10.63.23.60]
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
X-Outbound-SMTP-Client: 173.37.102.16, xch-rcd-006.cisco.com
X-Outbound-Node: alln-core-8.cisco.com
Archived-At: <https://mailarchive.ietf.org/arch/msg/netconf/L55pWituCbbk3gRQKuJOsDDvocw>
Subject: Re: [netconf] ietf crypto types - permanently hidden
X-BeenThere: netconf@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: NETCONF WG list <netconf.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/netconf>, <mailto:netconf-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/netconf/>
List-Post: <mailto:netconf@ietf.org>
List-Help: <mailto:netconf-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/netconf>, <mailto:netconf-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 07 May 2019 13:34:25 -0000


> -----Original Message-----
> From: Martin Bjorklund <mbj@tail-f.com>;
> Sent: 07 May 2019 13:19
> To: Rob Wilton (rwilton) <rwilton@cisco.com>;
> Cc: kent+ietf@watsen.net; netconf@ietf.org
> Subject: Re: [netconf] ietf crypto types - permanently hidden
> 
> "Rob Wilton (rwilton)" <rwilton@cisco.com>; wrote:
> > Hi Kent,
> >
> > The problem that I have with <generate-key> generating configuration
> > directly in <running> is that <running> on the device is now different
> > from what the management system thinks should be in <running> on the
> > device.
> >
> > I.e. it breaks the architectural simplicity that it is only the client
> > that controls what goes into in <running>, e.g. perhaps that can be
> > summarized by this flow:
> >
> > "Update client's desired    ->   "Push to
> > config"                         <running>"
> >           ^                        |
> >           |                        \/
> > "Client notified of         <-   "Apply config,
> > changes in <operational>"       <operational> updated"
> >
> >
> > However, I would not be opposed to allowing <generate-key> create
> > configuration that is persisted separately from <running> and injected
> > into <intended> (e.g. merged with <running>)
> 
> But this isn't really allowed by the architecture in 8342, imo.  If this
> would have been the case, we'd have another box with config going into
> "intended".  8342 allows "configuration transformations" between running
> and intended.

I'm not sure.  The definition of a configuration transformation is quite broad:
   o  configuration transformation: The addition, modification, or
      removal of configuration between the <running> and <intended>
      datastores.  Examples of configuration transformations include the
      removal of inactive configuration and the configuration produced
      through the expansion of templates.

In the NMDA discussions, we considered the idea of a template on the device that injects configuration into intended, and this case doesn't seem miles away from there.

However, I'm not sure that now is the right time for a discussion for what transformations between <running> and <intended> are allowed.  If we can agree on a solution that doesn't require it, and doesn't update <running>, then I would probably be OK with that as well.

> 
> > , hence allowing leaf-refs
> > in config validation to work as expected.  I think that this would
> > allow device reboot to work as expected.
> >
> > If the clients would like to see the keys in the configuration then
> > they can monitor <operational> (or <intended>), and then add the keys,
> > either in raw form, or encrypted in some way.  But I still think that
> > it is architecturally cleaner if it is always the client that updates
> > the <running> configuration and never the device.
> 
> I agree.  I think it would be worthwile to explore the "non-action-based"
> solution that Rob proposed.  Is there anything in that solution that
> doesn't work?
> 
> 
> /martin

Thanks,
Rob

> 
> 
> 
> >
> > Thanks,
> > Rob
> >
> >
> >
> > From: netconf <netconf-bounces@ietf.org>; On Behalf Of Kent Watsen
> > Sent: 03 May 2019 17:24
> > To: netconf@ietf.org
> > Subject: Re: [netconf] ietf crypto types - permanently hidden
> >
> > I had an idea last night that might inch us closer to a solution.
> >
> > Essentially, the generate/install-key operations always populate
> > <operational>, even for keys that are not-hidden, but then a follow-up
> > operation (something like <copy-config>) replicates the not-hidden key
> > in <operational> to <running>.  Two options:
> >
> > 1) A regular-access admin executes the actions to generate the key,
> > get a CSR, configure a resulting signed certificate, etc. and then, as
> > a second step later in time, a special-access admin replicates the key
> > to <running> (perhaps using standard <get-confg> and <edit-config>),
> > so that it can be included in a standard backup and restored to *any*
> > device (since this key is "not-hidden", it isn't encrypted with a
> > device-specific key and hence can be migrated).
> >
> > 2) A regular-access admin executes the actions to generate the key,
> > get a CSR, configure a resulting signed certificate, etc. and then, as
> > a second step (ideally immediately after), the regular-access admin
> > executes a command like <copy-config>, but rather than copying the
> > entire datastore, it just copies a subtree.
> >
> > Neither option seems great.  #1 is unappealing being it necessitates
> > coordination between clients.  #2 is unappealing because defining a
> > generic operation for this special case seems too much.
> >
> > IMO, allowing <generate-key> to create the configuration directly is
> > the only client-friendly answer.
> >
> >
> > Kent // contributor
> >