Re: [netconf] built-in trust anchors

Martin Björklund <mbj+ietf@4668.se> Wed, 13 January 2021 11:27 UTC

Return-Path: <mbj+ietf@4668.se>
X-Original-To: netconf@ietfa.amsl.com
Delivered-To: netconf@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 602313A09DE for <netconf@ietfa.amsl.com>; Wed, 13 Jan 2021 03:27:02 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.123
X-Spam-Level:
X-Spam-Status: No, score=-0.123 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, PDS_NAKED_TO_NUMERO=1.997, RCVD_IN_MSPIKE_H3=-0.01, RCVD_IN_MSPIKE_WL=-0.01, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=no autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=4668.se header.b=PNKpDKD4; dkim=pass (2048-bit key) header.d=messagingengine.com header.b=o20BJGGy
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 0DHykyuii8Cg for <netconf@ietfa.amsl.com>; Wed, 13 Jan 2021 03:26:59 -0800 (PST)
Received: from out2-smtp.messagingengine.com (out2-smtp.messagingengine.com [66.111.4.26]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 858E13A09D7 for <netconf@ietf.org>; Wed, 13 Jan 2021 03:26:59 -0800 (PST)
Received: from compute4.internal (compute4.nyi.internal [10.202.2.44]) by mailout.nyi.internal (Postfix) with ESMTP id C81335C00AB; Wed, 13 Jan 2021 06:26:58 -0500 (EST)
Received: from mailfrontend1 ([10.202.2.162]) by compute4.internal (MEProxy); Wed, 13 Jan 2021 06:26:58 -0500
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=4668.se; h=date :message-id:to:cc:subject:from:in-reply-to:references :mime-version:content-type:content-transfer-encoding; s=fm3; bh= 43WVD4mG1925f33uapGheNQuThf0+mUzkMjaA8MdT+0=; b=PNKpDKD4pKJXRhsM uTvgnc3gV85arXtN84Vb4CWeU1bnI3/XAxbPeXlt5C/G6MBi0uBrSjZ/QBRyDHvC FHx51kHiG/m2z7gOSDCU/kR7z3uFkeSpxxIPriIs8mSNzN5FFXEMlQVqli+II000 VQ38GISltL5nqi719tSu6ir8Jr8GWlS6R1zBSF5yK0z/bIqwECv9AqcD82pcN2hV +8zA9puqXAOYvjXGPnet2vcjp7UuyGsjibuvDapYof64ly3by514fKECzWBQ9ja7 Ji5fAHSDnmCJ8+9jsDlbGBew8fAsVz2MHmmWhXtTY3bsyRRpz2g9VmJATBHtjufy Ld1eBA==
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d= messagingengine.com; h=cc:content-transfer-encoding:content-type :date:from:in-reply-to:message-id:mime-version:references :subject:to:x-me-proxy:x-me-proxy:x-me-sender:x-me-sender :x-sasl-enc; s=fm1; bh=43WVD4mG1925f33uapGheNQuThf0+mUzkMjaA8MdT +0=; b=o20BJGGyEH+/NdB/9Kn5tzkm6iB98tgPQDCRr+lDcDPXIV+XyrX54iNK8 AMCrpFqjP4ncb77p3Mnp6tC8ugaVHzhslEGRv1x5xk/Pawht1jAIkWMOvxGAHQnT DAdykzHb9Aa+Xgnyk2WdkdIV3byXiHjP4YMLR2a6OaaCsLU6sGr1n0L0huZsdJ86 vydjUP9CILoGpLmVxCF+MkX2m0sMIKbu1Up8y4VTnCvZvdXNXTu+zCr4PRhr01Tr VhbS7YGOfqCvMDDRLLPQ/3G1fbb2YS1Ztd3PN7x6dsQqtXairt9DeCAAYYGD6XKr BD57aDJyJlgL2ZO0+9LMKu+wwVrNQ==
X-ME-Sender: <xms:Atn-X53ST19yKOYHssLLf__cKP2K6IyZTQRnOmal7EbaPx4rrtdAfw> <xme:Atn-XwHX5-KE9sO32FO2vuA53cSFzRy0IOhzaHQllAhW3UsMUgDwm_UKSn7kU0oY2 NdtDYg7aiA_Xwo0nMs>
X-ME-Proxy-Cause: gggruggvucftvghtrhhoucdtuddrgedukedrtdefgddvkecutefuodetggdotefrodftvf curfhrohhfihhlvgemucfhrghsthforghilhdpqfgfvfdpuffrtefokffrpgfnqfghnecu uegrihhlohhuthemuceftddtnecunecujfgurhepfffkvffuhfgjfhfogggtgfesthejre dtredtvdenucfhrhhomhepofgrrhhtihhnuceujhpnrhhklhhunhguuceomhgsjhdoihgv thhfseegieeikedrshgvqeenucggtffrrghtthgvrhhnpedtgefgtdduudejkeelvedvie dvveehieegfeefteefgfeffeekheffvdefveffgfenucfkphepudehkedrudejgedrgedr vdduheenucevlhhushhtvghrufhiiigvpedtnecurfgrrhgrmhepmhgrihhlfhhrohhmpe hmsghjodhivghtfhesgeeiieekrdhsvg
X-ME-Proxy: <xmx:Atn-X57JLfJVccBQ-lCoRu5CpfG5A9uwCdkipLCBb-N3SwwED9ysag> <xmx:Atn-X204LmdEmUZYXISZrtsxSCXIK3E8jQ08votbsJI06Mn_PD2H_A> <xmx:Atn-X8G4HzyR1e0vwqWvc_XjaB96BWhyQLxI9aEyL6SCURHOQGg5LQ> <xmx:Atn-X3M8Qxa5OJscI5bKb6xLOWx5DvKYjCCzk1IPWvqWrW6Ah1P74Q>
Received: from localhost (unknown [158.174.4.215]) by mail.messagingengine.com (Postfix) with ESMTPA id A625A240065; Wed, 13 Jan 2021 06:26:57 -0500 (EST)
Date: Wed, 13 Jan 2021 12:26:55 +0100
Message-Id: <20210113.122655.1074482340604641202.id@4668.se>
To: j.schoenwaelder@jacobs-university.de
Cc: jason.sterne@nokia.com, netconf@ietf.org
From: Martin Björklund <mbj+ietf@4668.se>
In-Reply-To: <20210113082918.zy4m4wtltstrs64h@anna.jacobs.jacobs-university.de>
References: <20210112195951.oi7dlnnqpda7wavm@anna.jacobs.jacobs-university.de> <DM6PR08MB5084ED69870DF456DA8F1A509BAA0@DM6PR08MB5084.namprd08.prod.outlook.com> <20210113082918.zy4m4wtltstrs64h@anna.jacobs.jacobs-university.de>
X-Mailer: Mew version 6.8 on Emacs 26.3
Mime-Version: 1.0
Content-Type: Text/Plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/netconf/QHGfhwuZZeq4ndFYBw1ZwH33iUk>
Subject: Re: [netconf] built-in trust anchors
X-BeenThere: netconf@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: NETCONF WG list <netconf.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/netconf>, <mailto:netconf-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/netconf/>
List-Post: <mailto:netconf@ietf.org>
List-Help: <mailto:netconf-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/netconf>, <mailto:netconf-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 13 Jan 2021 11:27:02 -0000

Juergen Schoenwaelder <j.schoenwaelder@jacobs-university.de> wrote:
> After sleeping over it, I think a device should ship with the keys
> listed in whatever is the equivalent of the factory default, i.e.,
> they are initially in <running>. Deleting them should be possible with
> the effect that no config can refer to these keys anymore (assuming
> strong references). Putting the keys back into running makes them
> available for config again.

This could work, but see below.

> I would be in favour to just have the names in runnning, not the
> key/cert details. This avoids issues with entries that do not match,
> and this then resembles hidden keys, for which details are also not
> known in <running>. In fact, <hidden> keys likely have the same
> property that they exist in the system (or a TPM), i.e., they are not
> config that can be arbitrary changed. I would assume that the same
> rules apply, if you delete a hidden key from <running>, it can't be
> referenced and used anymore. Perhaps the discussion in the I-D should
> be expanded to cover hidden keys as well.

I like the symmetry w/ hidden keys.  I assume that these entries would
be explicitly marked in the config as being "built-in" or "hidden".

> I also expect that these special keys may be part of the firmware,
> i.e., they may change with firmware updates. This can lead to stale
> special keys that do not exist anymore in the firmware and new keys
> that exist in the firmware but must be (manually) added to <running>
> in order to use them.

So then the question is what happens if a key is removed from the
firmware, but it exists (with just the name) in the config, and some
part of the config reference it?

I think that this leads to the same problem as a weak leafref would
do, so either solution would work.


/martin


> 
> /js
> 
> On Tue, Jan 12, 2021 at 10:59:28PM +0000, Sterne, Jason (Nokia - CA/Ottawa) wrote:
> > Yes - adding require-instance false would eliminate the issue about built-in anchors in <running>. But there are useful advantages to keeping require-instance true. I don't have a strong feeling though one way or the other.
> > 
> > But assuming we keep require-instance true then the question still remains of how built-in items get into <running> (and are they deletable, and do we only need keys in running, etc).
> > 
> > Jason
> > 
> > > -----Original Message-----
> > > From: Juergen Schoenwaelder <j.schoenwaelder@jacobs-university.de>
> > > Sent: Tuesday, January 12, 2021 3:00 PM
> > > To: Sterne, Jason (Nokia - CA/Ottawa) <jason.sterne@nokia.com>
> > > Cc: Netconf <netconf@ietf.org>
> > > Subject: Re: [netconf] built-in trust anchors
> > > 
> > > Jason,
> > > 
> > > since the leafref typedefs are weak references that do not require
> > > that the certs/keys exist (there is no 'require-instance true'), it
> > > may be OK to not have the certs/keys in <running> in terms of validity
> > > of the <running> datastore.
> > > 
> > > Oops, I had to reread RFC 7950 (section 9.9.3): if require-instance is
> > > not present, it defaults to true, so my review comment about weak
> > > references is incorrect, these are actually strong references and
> > > hence there is the need to copy what is referenced. Setting
> > > require-instance to false may resolve this (but we loose the ability
> > > to catch references to certs/keys that do not exist).
> > > 
> > > /js
> > > 
> > > On Tue, Jan 12, 2021 at 07:02:04PM +0000, Sterne, Jason (Nokia - CA/Ottawa)
> > > wrote:
> > > > Hi all,
> > > >
> > > > I noticed Jurgen's comment about built-in trust anchors in his YANG doctor
> > > review of trust-anchors-13. I wanted to pull that out into a dedicated
> > > thread/discussion here.
> > > >
> > > > Jurgen:
> > > >
> > > >
> > > > - Section 3 talks about populating <running> with built-in trust
> > > >
> > > >   anchors.
> > > >
> > > >
> > > >
> > > >    In order for the built-in trust anchors to be referenced by
> > > >
> > > >    configuration, the referenced certificates MUST first be copied into
> > > >
> > > >    <running>.  The certificates SHOULD be copied into <running> using
> > > >
> > > >    the same "key" values, so that the server can bind them to the built-
> > > >
> > > >    in entries.
> > > >
> > > >
> > > >
> > > >   Is the idea that this copy operation is an explicit management
> > > >
> > > >   operation or can implementations populate <running> with this
> > > >
> > > >   data automatically?
> > > >
> > > > I suppose a server *could* populate this in running as part of a built-in
> > > startup datastore in the absence of a startup datastore (i.e. as contents of a
> > > RFC8808 factory default). But I assume it is desirable to be able to delete the
> > > running copy of a built-in item. So the system would have to avoid populating
> > > these unless it is loading the factory default.
> > > >
> > > > But even if the system can populate these, we'd also want the client/user
> > > to be able to explicitly populate them as well (i.e. in case they delete one
> > > from running, and want to add it back in to reference it).
> > > >
> > > > In either case (system population of running, or client population of
> > > running), do we really need to put the contents of the bag or the cert into
> > > running?  Or is populating the list key enough since the operational copy
> > > shows what contents are in use for that list entry?
> > > >
> > > > Jason
> > > 
> > > > _______________________________________________
> > > > netconf mailing list
> > > > netconf@ietf.org
> > > > https://www.ietf.org/mailman/listinfo/netconf
> > > 
> > > 
> > > --
> > > Juergen Schoenwaelder           Jacobs University Bremen gGmbH
> > > Phone: +49 421 200 3587         Campus Ring 1 | 28759 Bremen | Germany
> > > Fax:   +49 421 200 3103         <https://www.jacobs-university.de/>
> 
> -- 
> Juergen Schoenwaelder           Jacobs University Bremen gGmbH
> Phone: +49 421 200 3587         Campus Ring 1 | 28759 Bremen | Germany
> Fax:   +49 421 200 3103         <https://www.jacobs-university.de/>
> 
> _______________________________________________
> netconf mailing list
> netconf@ietf.org
> https://www.ietf.org/mailman/listinfo/netconf