Re: [netconf] ietf crypto types - permanently hidden

Martin Bjorklund <mbj@tail-f.com> Fri, 03 May 2019 06:48 UTC

Return-Path: <mbj@tail-f.com>
X-Original-To: netconf@ietfa.amsl.com
Delivered-To: netconf@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A25D3120090 for <netconf@ietfa.amsl.com>; Thu, 2 May 2019 23:48:04 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.901
X-Spam-Level:
X-Spam-Status: No, score=-1.901 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id a3n_QU5w_Wtu for <netconf@ietfa.amsl.com>; Thu, 2 May 2019 23:48:02 -0700 (PDT)
Received: from mail.tail-f.com (mail.tail-f.com [46.21.102.45]) by ietfa.amsl.com (Postfix) with ESMTP id 29846120044 for <netconf@ietf.org>; Thu, 2 May 2019 23:48:02 -0700 (PDT)
Received: from localhost (h-4-215.A165.priv.bahnhof.se [158.174.4.215]) by mail.tail-f.com (Postfix) with ESMTPSA id 78B411AE0389; Fri, 3 May 2019 08:47:57 +0200 (CEST)
Date: Fri, 03 May 2019 08:47:57 +0200 (CEST)
Message-Id: <20190503.084757.791827158808672980.mbj@tail-f.com>
To: rwilton@cisco.com
Cc: j.schoenwaelder@jacobs-university.de, netconf@ietf.org
From: Martin Bjorklund <mbj@tail-f.com>
In-Reply-To: <e30aa60f31ba40e8abc9cfaeffad7802@XCH-RCD-007.cisco.com>
References: <20190430161223.cwqfsyyxbtnkqbl7@anna.jacobs.jacobs-university.de> <20190501.230622.158012882760210627.mbj@tail-f.com> <e30aa60f31ba40e8abc9cfaeffad7802@XCH-RCD-007.cisco.com>
X-Mailer: Mew version 6.7 on Emacs 25.2 / Mule 6.0 (HANACHIRUSATO)
Mime-Version: 1.0
Content-Type: Text/Plain; charset=utf-8
Content-Transfer-Encoding: base64
Archived-At: <https://mailarchive.ietf.org/arch/msg/netconf/NEIe0wsJSS6ixqxAkeucOQXv7is>
Subject: Re: [netconf] ietf crypto types - permanently hidden
X-BeenThere: netconf@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: NETCONF WG list <netconf.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/netconf>, <mailto:netconf-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/netconf/>
List-Post: <mailto:netconf@ietf.org>
List-Help: <mailto:netconf-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/netconf>, <mailto:netconf-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 03 May 2019 06:48:05 -0000

"Rob Wilton (rwilton)" <rwilton@cisco.com>; wrote:
> Hi Martin,
> 
> > -----Original Message-----
> > From: netconf <netconf-bounces@ietf.org>; On Behalf Of Martin Bjorklund
> > Sent: 01 May 2019 22:06
> > To: j.schoenwaelder@jacobs-university.de
> > Cc: netconf@ietf.org
> > Subject: Re: [netconf] ietf crypto types - permanently hidden
> > 
> > Hi,
> > 
> > Juergen Schoenwaelder <j.schoenwaelder@jacobs-university.de>; wrote:
> > > On Tue, Apr 30, 2019 at 02:49:30PM +0200, Martin Bjorklund wrote:
> > > > Kent Watsen <kent+ietf@watsen.net>; wrote:
> > > > >
> > > > > Correct, as I didn’t think there was consensus yet.  Perhaps there
> > > > > is rough-consensus, and it may be that the only way to gauge that
> > > > > is to try and see how much push back there is.
> > > > >
> > > > > Okay, so how about this, based on this thread, there appears to be
> > > > > support to add a flag to control if a key should be “permanently
> > > > > hidden” or not, in which case configuration is created.
> > > >
> > > > I (still) object to this.  Actions shouldn't create config.  We
> > > > already have generic protcol operations to do this.  We go from a
> > > > document-oriented configuration model towards a command-oriented
> > > > model.  Not good.  In RESTCONF, the generic methods support things
> > > > like ETags, which I suspect you don't want to replicate in this
> > > > action?   Will the action support all error-options of edit-config,
> > > > like rollback-on-error?
> > > >
> > >
> > > Martin,
> > >
> > > do you have any proposal how to support the requirement to generate a
> > > key on the device that is workable with a document-oriented
> > > configuration model? Do you propose that the action/rpc returns the
> > > public key information as result data that then needs to be written
> > > back to the server and somehow matched to the key that is cached on
> > > the device? Perhaps you have other ideas I can't think of?
> > >
> > > I think I would be happy to not have this special hack but then we
> > > need a workable alternative. Key generation on devices is something
> > > that is being used - and may be even more used in the future the more
> > > we get special hardware support for storing keys.
> > 
> > So the current draft supports two use cases:
> > 
> >   1.  The client configures the private and public keys explicitly
> >       (simple case).  Both keys are availible in the config and
> >       operaional state.
> > 
> >   2.  The client asks the device to generate a "hidden" key which may
> >       be a key in special TPM hardware.
> > 
> > For 2, the client configures the name of the key (in <running>).  Then
> > the client
> > invokes the action (in <operational>).  The device generates a new key
> > pair
> > (perhaps in tpm-hw).  In <operational>, the public key is now visible
> > and the
> > private key has the special enum "permanently-hidden".
> 
> Why is a separate action required to create the keys? 
> 
> Why is the configuration to generate a hidden key not sufficient for
> the device to automatically allocate a key in the TPM module?

This is a very good question.  Why don't we have actions for
"create-interface', "create-user" or "create-acl"?  In all these cases
we have config that a device internally parses and translates to
some internal procedure (perhaps ifconfig, adduser, iptables etc).

In a way, this case is different b/c the client needs control of
*when* the key is generated.  We cannot copy & paste some config to
another device and expect it to work exactly the same.  OTOH that
probably is true for other things as well; if a user has been created
in the config there might be files owned by that user stored in the
home directory.

Also, we might need the option to re-generate the key (even though the
current version doesn't support this).  But *this* could be done w/ an
action (if we need to support it).

What did I miss; what makes this case special so that it can't be
handled like other config?


/martin