Re: [netconf] crypto-types fallback strategy

"Rob Wilton (rwilton)" <rwilton@cisco.com> Tue, 17 September 2019 14:09 UTC

From: "Rob Wilton (rwilton)" <rwilton@cisco.com>
To: "Salz, Rich" <rsalz@akamai.com>, Kent Watsen <kent+ietf@watsen.net>
CC: Russ Housley <housley@vigilsec.com>, "netconf@ietf.org" <netconf@ietf.org>, Sean Turner <sean@sn3rd.com>, Rifaat Shekh-Yusef <rifaat.ietf@gmail.com>
Date: Tue, 17 Sep 2019 14:09:33 +0000
Archived-At: <https://mailarchive.ietf.org/arch/msg/netconf/Ot67YHmWzedETTkDqZRfq0-gOTE>

Hi Rich,

From: Salz, Rich <rsalz@akamai.com>
Sent: 17 September 2019 14:55
To: Rob Wilton (rwilton) <rwilton@cisco.com>; Kent Watsen <kent+ietf@watsen.net>
Cc: Russ Housley <housley@vigilsec.com>; netconf@ietf.org; Sean Turner <sean@sn3rd.com>; Rifaat Shekh-Yusef <rifaat.ietf@gmail.com>
Subject: Re: [netconf] crypto-types fallback strategy


> In ietf-crypto-types I would define the base identities for:
>
> hash-algorithm, asymmetric-key-algorithm, mac-algorithm, encryption-algorithm, encryption-and-mac-algorithm, signature-algorithm, key-exchange-algorithm

[RW]
These base identities are just the ones that were already defined in crypto-types-08.  I.e. really I am just saying that defining the base identities in the crypto types draft is the right thing to do, whereas the actual identities can be defined in separate types modules.


I am not very comfortable with that division, as the same key material can be used in multiple places, and we’re transporting key material.  A symmetric key can be used to both encrypt data, and to do an HMAC “signature.”  As a minor note, it omits Key Derivation Functions, KDF, which are a key part of TLS 1.3 and used for “exporting” keys from TLS up to the application layer among other things.
[RW]
If you had an algorithm that can be used for multiple things then it can just derive from multiple base identities.

E.g. if you take “aes-128-ccm” (from draft-ietf-netconf-crypto-types-08) that currently has “encryption-and-mac-algorithm” as its base, it could be defined as follows, allowing it to be used either as a mac-algorithm or an encryption algorithm:

    identity aes-128-ccm {
      base encryption-algorithm;
      base mac-algorithm;
      description
        "Encrypt message with AES algorithm in CCM mode with a key
         length of 128 bits; it can also be used for generating MAC";
      reference
        "RFC 4309:
           Using Advanced Encryption Standard (AES) CCM Mode with
           IPsec Encapsulating Security Payload (ESP)";
    }





> The key step is that I would say that NETCONF should only standardize the ones that we need now.

A very strong yes for this.


> For the others, we could potentially create the YANG modules and either hand this off to the security groups, or work with them to standardize these through the appropriate WGs.

I think it would be worthwhile to contact the Security AD’s and ask for time to present this somewhere, like the open SAAG meeting.
[RW]
I agree that seems like a good idea.  But I think that narrowing the scope to get these documents finished is the highest priority.

Thanks,
Rob
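
The multiple-base derivation described in the message above, written out as a complete YANG 1.1 module (an added example, not part of the original message or of draft-ietf-netconf-crypto-types). The module name, namespace, the sha-256 identity and the example-key-usage container are hypothetical; the last leaf goes one step beyond the message by putting two base statements in a single identityref, which RFC 7950 defines as requiring derivation from both.

```yang
module example-crypto-bases {
  yang-version 1.1;  // more than one "base" per identity needs YANG 1.1
  namespace "urn:example:crypto-bases";  // hypothetical namespace
  prefix excb;

  description
    "Constructed illustration: three of the base identities named in
     the thread, and leafs that restrict algorithm choice by base.";

  // Base identities: no algorithm detail, only the usage category.
  identity hash-algorithm {
    description "Base for hash algorithms.";
  }
  identity mac-algorithm {
    description "Base for MAC algorithms.";
  }
  identity encryption-algorithm {
    description "Base for encryption algorithms.";
  }

  // One algorithm derived from two bases, as in the message.
  identity aes-128-ccm {
    base encryption-algorithm;
    base mac-algorithm;
    description "AES in CCM mode with a 128-bit key.";
  }
  // Hypothetical single-base identity, for contrast.
  identity sha-256 {
    base hash-algorithm;
    description "SHA-256.";
  }

  container example-key-usage {
    description "Each leaf accepts only identities derived from its base(s).";
    leaf cipher {  // accepts aes-128-ccm, rejects sha-256
      type identityref { base encryption-algorithm; }
      description "Algorithm used for encryption.";
    }
    leaf mac {  // accepts aes-128-ccm, rejects sha-256
      type identityref { base mac-algorithm; }
      description "Algorithm used for message authentication.";
    }
    leaf combined {  // value must derive from BOTH bases
      type identityref {
        base encryption-algorithm;
        base mac-algorithm;
      }
      description "Algorithm providing encryption and a MAC.";
    }
  }
}
```

A validator rejects `sha-256` in any of the three leafs, which is how the base identity constrains where a given algorithm may be configured.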