IETF Logo Mail Archive

Re: [Netconf] Semi-configurable design in server model draft

Kent Watsen <kwatsen@juniper.net> Thu, 02 March 2017 00:36 UTC

Return-Path: <kwatsen@juniper.net>
X-Original-To: netconf@ietfa.amsl.com
Delivered-To: netconf@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 5561B1296B8 for <netconf@ietfa.amsl.com>; Wed, 1 Mar 2017 16:36:01 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.921
X-Spam-Level:
X-Spam-Status: No, score=-1.921 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_MSPIKE_H4=-0.01, RCVD_IN_MSPIKE_WL=-0.01, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=junipernetworks.onmicrosoft.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id M1WmyixUtsqA for <netconf@ietfa.amsl.com>; Wed, 1 Mar 2017 16:35:59 -0800 (PST)
Received: from NAM03-DM3-obe.outbound.protection.outlook.com (mail-dm3nam03on0133.outbound.protection.outlook.com [104.47.41.133]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 0422A129696 for <netconf@ietf.org>; Wed, 1 Mar 2017 16:35:58 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=junipernetworks.onmicrosoft.com; s=selector1-juniper-net; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version; bh=b1uLsEDBZCYA5D+HO4+ssUIeybneqamKSRHPoE5PjFk=; b=BnO1g+yixFZR1bpO8tcW7EPlFwzi32gq6yCLr1KOJ8DW0eUZylO5vUZS+oyYtcPINyNIkqIUvqJuFijeX6WVcnfDs9x0Ng1r10Ja96GWiCuR7NHAZISto3CT8rmJf5VcnZ/BIWUttSHN0W+BaVAU/64tcZ8ffcPcsAgz6j6u+Nc=
Received: from BN3PR0501MB1442.namprd05.prod.outlook.com (10.160.117.151) by BN3PR0501MB1443.namprd05.prod.outlook.com (10.160.117.152) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P384) id 15.1.947.2; Thu, 2 Mar 2017 00:35:57 +0000
Received: from BN3PR0501MB1442.namprd05.prod.outlook.com ([10.160.117.151]) by BN3PR0501MB1442.namprd05.prod.outlook.com ([10.160.117.151]) with mapi id 15.01.0947.011; Thu, 2 Mar 2017 00:35:57 +0000
From: Kent Watsen <kwatsen@juniper.net>
To: "netconf@ietf.org" <netconf@ietf.org>
Thread-Topic: [Netconf] Semi-configurable design in server model draft
Thread-Index: AQHRt6undd9KBwAb2k2PocgHOjB2f5/MyM0AgABHOwCABBqFAIA8kgMAgXL7OACAAV74AA==
Date: Thu, 02 Mar 2017 00:35:57 +0000
Message-ID: <389E2901-3526-4A94-8A45-4DF995C5F71C@juniper.net>
References: <B1909F40-B306-441E-8F05-661A400A72E2@gmail.com> <CF412B7F-FCAB-452C-9AE0-8494B7E674F5@juniper.net> <D836466C-B19E-4B87-AE5B-6DC2F7ADC8A6@gmail.com> <20160530.102622.281213031392882639.mbj@tail-f.com> <06ADB831-7279-426F-A506-6868D96F8FCF@juniper.net> <D1CF4C4C-27B3-44A5-B021-FA9BEF2287DC@juniper.net>
In-Reply-To: <D1CF4C4C-27B3-44A5-B021-FA9BEF2287DC@juniper.net>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
user-agent: Microsoft-MacOutlook/f.1f.0.170216
authentication-results: ietf.org; dkim=none (message not signed) header.d=none;ietf.org; dmarc=none action=none header.from=juniper.net;
x-ms-exchange-messagesentrepresentingtype: 1
x-originating-ip: [66.129.241.10]
x-ms-office365-filtering-correlation-id: 958bd272-71f4-49ea-bc53-08d461041805
x-ms-office365-filtering-ht: Tenant
x-microsoft-antispam: UriScan:; BCL:0; PCL:0; RULEID:(22001)(48565401081); SRVR:BN3PR0501MB1443;
x-microsoft-exchange-diagnostics: 1; BN3PR0501MB1443; 7:WCZwcalX56rJ/6Q8FQyKRRST798kTYCDNv/zchj2FBgFJX00vgLfTIKbtoXFRj5JUYpNKH2HVjTUltKi1YCbYXfiSdeEL6TeXho47uXTS7EnfzNi0tKuh/qH+EB4hGRJrj2aUWhe1Qhduz3PundPihbEbnn05JOiSYH4dgG5hz4pdeYJFnQLOUsJl08TazPNJL/3jebARwVtPT6UrtYoyCmRu53D7hSbkc7OErJXo/AdxOTJmU62MCGrSLmyVcCy+TIblDnXwGAYogyq7suiRAk7b+kpHRxZ/4SP3Hf+rS+EcFD0xPgO0c02CtsSeXWSuo+TJFW8AoY2gJZz8uGwEw==
x-microsoft-antispam-prvs: <BN3PR0501MB14435551400FCF336CB4E210A5280@BN3PR0501MB1443.namprd05.prod.outlook.com>
x-exchange-antispam-report-test: UriScan:(158342451672863)(166708455590820);
x-exchange-antispam-report-cfa-test: BCL:0; PCL:0; RULEID:(6040375)(601004)(2401047)(5005006)(8121501046)(10201501046)(3002001)(6055026)(6041248)(20161123564025)(20161123560025)(20161123558025)(20161123562025)(20161123555025)(6072148); SRVR:BN3PR0501MB1443; BCL:0; PCL:0; RULEID:; SRVR:BN3PR0501MB1443;
x-forefront-prvs: 023495660C
x-forefront-antispam-report: SFV:NSPM; SFS:(10019020)(6009001)(7916002)(39450400003)(39410400002)(39840400002)(39850400002)(1730700003)(36756003)(6306002)(86362001)(106116001)(92566002)(8676002)(6512007)(2351001)(3660700001)(8936002)(81166006)(2900100001)(3280700002)(122556002)(102836003)(6116002)(3846002)(2906002)(93886004)(33656002)(99286003)(450100001)(189998001)(77096006)(76176999)(50986999)(2501003)(54356999)(6916009)(110136004)(83716003)(6486002)(38730400002)(7736002)(2950100002)(229853002)(6436002)(25786008)(305945005)(53936002)(6246003)(5660300001)(83506001)(5640700003)(6506006)(82746002)(104396002); DIR:OUT; SFP:1102; SCL:1; SRVR:BN3PR0501MB1443; H:BN3PR0501MB1442.namprd05.prod.outlook.com; FPR:; SPF:None; MLV:sfv; LANG:en;
spamdiagnosticoutput: 1:99
spamdiagnosticmetadata: NSPM
Content-Type: text/plain; charset="utf-8"
Content-ID: <AF049EF0A51D8C47B136CC240EF8BF50@namprd05.prod.outlook.com>
Content-Transfer-Encoding: base64
MIME-Version: 1.0
X-OriginatorOrg: juniper.net
X-MS-Exchange-CrossTenant-originalarrivaltime: 02 Mar 2017 00:35:57.5625 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: bea78b3c-4cdb-4130-854a-1d193232e5f4
X-MS-Exchange-Transport-CrossTenantHeadersStamped: BN3PR0501MB1443
Archived-At: <https://mailarchive.ietf.org/arch/msg/netconf/OK5HdrhS3PLEODESfvYoNKKA7Q0>
Subject: Re: [Netconf] Semi-configurable design in server model draft
X-BeenThere: netconf@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: Network Configuration WG mailing list <netconf.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/netconf>, <mailto:netconf-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/netconf/>
List-Post: <mailto:netconf@ietf.org>
List-Help: <mailto:netconf-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/netconf>, <mailto:netconf-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 02 Mar 2017 00:36:01 -0000

Replying to myself here, the answer came during a revised-datastore authors call earlier today.  The solution is for the configuration to use the same list key value as used by the system.  For example, assume the system created:

  <keystore xmlns="urn:ietf:params:xml:ns:yang:ietf-keystore">
    <keys>
      <key origin='system'>     <-- revised-datastore metadata
        <name>DevID Key</name>
        ...
        <certificates>
          <certificate>
            <name>IDevID certificate<name>
            <value>base64-encoded X.509 cert</value>
          </certificate>
        </certificates>
      </key>
    </keys>
  </keystore>


At this point, there is no "configuration", just a system-generated key that shows in the operational state.  Now a client can configure an LDevID certificate for it as follows:

     <rpc message-id="101"
          xmlns="urn:ietf:params:xml:ns:netconf:base:1.0">
       <edit-config>
         <target>
           <running/>
         </target>
         <config>
           <keystore xmlns="urn:ietf:params:xml:ns:yang:ietf-keystore">
             <keys>
               <key>
                 <name>DevID Key</name>   <-- note: same key value
                 <certificates>
                   <certificate>
                     <name>LDevID certificate<name>
                     <value>base64-encoded X.509 cert</value>
                   </certificate>
                 </certificates>
               </key>
             </keys>
           </keystore>
         </config>
       </edit-config>
     </rpc>


After this, another <get-data> request on the operational state datastore returns the following result.  Note: I'm going a little bit out on a limb here with regards to the recursive application of the 'origin' annotation, at least it hasn't been discussed before, but it seems obvious that this is what we'd want.

  <keystore xmlns="urn:ietf:params:xml:ns:yang:ietf-keystore">
    <keys>
      <key origin='static'>     <-- used to be 'system'
        <name>DevID Key</name>
        ...
        <certificates>
          <certificate origin='system'>    <-- now this is 'system'
            <name>IDevID certificate<name>
            <value>base64-encoded X.509 cert</value>
          </certificate>
          <certificate>
            <name>LDevID certificate<name>
            <value>base64-encoded X.509 cert</value>
          </certificate>
        </certificates>
      </key>
    </keys>
  </keystore>


Does this make sense to everyone?  Can we move forward with this approach?  I'll assume it is if no one responds otherwise in a few days.

Thanks,
Kent


-----ORIGINAL MESSAGE-----

Picking up where we left off, we discussed making 'private-key' configurable, as shown below, protected by nacm:default-deny-all.  This, in lieu of having an action statement called 'generate-private-key', which is the crux of the issue described in the subject line.

    +--rw keystore
       +--rw keys
          +--rw key* [name]
             +--rw name                            string
             +--rw private-key?                    binary
             +--ro algorithm?                      identityref
             +--ro key-length?                     uint32
             +--ro public-key                      binary
             +--rw certificates
                +--rw certificate* [name]
                   +--rw name     string
                   +--rw value?   binary

This resolves one issue, but then raises another, which is how to fully support system-generated keys, such as a key created by a TPM, that need to have certificates configured for them, such as IDevID or an LDevID certificates from IEEE 802.1AR.

Again, while we now know to use the operational state datastore to represent system-generated values, the problem becomes how to *configure* certificates for these system-generated keys, specifically the IDevID and LDevID certificates.  

But, as seen in the tree-diagram above, this is not a leafref problem, which might be solved using a solution like the one proposed for the I2RS topo model, where a require-instance false leafref in the running datastore *can* point to a node in the operational state datastore.  No, here the 'certificate' nodes are descendants of the 'key' node, so the leafref solution doesn't apply.

I don't have any good ideas for how to address this issue. Does anyone have any thoughts on how we should handle it?

[ref: https://github.com/netconf-wg/keystore/issues/2]

Thanks,
Kent

v2.23.0 | Report a Bug | By Email