[netconf] AD review of draft-ietf-netconf-sztp-csr

"Rob Wilton (rwilton)" <rwilton@cisco.com> Mon, 21 June 2021 08:50 UTC

From: "Rob Wilton (rwilton)" <rwilton@cisco.com>
To: "netconf@ietf.org" <netconf@ietf.org>, "draft-ietf-netconf-sztp-csr@ietf.org" <draft-ietf-netconf-sztp-csr@ietf.org>
CC: "netconf-chairs@ietf.org" <netconf-chairs@ietf.org>
Date: Mon, 21 Jun 2021 08:50:24 +0000
Message-ID: <DM4PR11MB543889219C08694C147C6DA4B50A9@DM4PR11MB5438.namprd11.prod.outlook.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/netconf/REiN1dcssOYk12Hspw2StjaMgMY>
Subject: [netconf] AD review of draft-ietf-netconf-sztp-csr

AD Review of draft-ietf-netconf-sztp-csr-03

Disclaimer: I am not a security expert, and the security-specific aspects
(e.g., the precise details of how the CSRs are encoded) are beyond my knowledge.
Hopefully this will be sufficiently checked by SECDIR reviews and the SEC AD,
whilst also acknowledging the expertise of the authors!

My main questions really relate to REST semantics.

1. Is it always the case that the SZTP-client must do the handshake with
the server (i.e., populating the csr-support container, then getting a 400 error back,
before making the actual bootstrap request), or is it acceptable for the SZTP-client
to guess at acceptable parameters and send a single request?  Obviously, this cannot
work in all cases, but I want to check whether it is allowed (or explicitly disallowed)
in any cases.


2. Section 2.2:
   Assuming the SZTP-server wishes to prompt the SZTP-client to provide
   a CSR, then it would respond with an HTTP 400 (Bad Request) error
   code:

I wonder whether returning a 400 "Bad Request" error is really the best return code, i.e.,
it wasn't clear to me whether this request for the capabilities is really an error.
Did you consider potentially using other return codes?  Possibly:
  300 Multiple Choices,
  403 Forbidden,
  406 Not Acceptable


3. Does it make sense to recommend a default certificate-request-format that clients should
support, or does it make sense to not prioritize any particular certificate format, effectively
requiring that a generic server needs to support them all?


4. References.  RFC 3688 probably should be normative for the XML registry, noting that
RFC 6020 is normatively referenced.


Nits:

5.
In the example data, would it be helpful to add a sentence to explain
               "base64encodedvalue1=",
               "base64encodedvalue2=",
               "base64encodedvalue3="

Actually, given this convention is used in various places, there is a choice as to whether
to add a sentence to each example, or perhaps in the introduction.

6.
3.1.3.  Replay Attack Protection

   This RFC enables an SZTP-client to announce an ability to generate
   new key to use for its CSR.
   
"a new key"


7. In Security Considerations:
   Generating a new key each time enables the random bytes used to
   create the key to serve the dual-purpose of also acting like a
   "nonce" used in other mechanisms to detect replay attacks.
   
It wasn't clear to me what the two purposes are here.  One is acting like
a "nonce", but what is the other purpose?


8.
   In the case the SZTP-client must choose between the asymmetric key
   option versus a shared secret for origin authentication, it is
   RECOMMENDED that the SZTP-client choose using the asymmetric key
   option.
   
"In the case the" => "In the case that the ..."

Terminology:
Should you add LDevID or IDevID?

Potential spelling warnings:
descendent

Grammar Warnings (from tool):
Section: 2.3, draft text:
This module augments an RPC defined in [RFC8572], uses a data type defined in [I-D.ietf-netconf-crypto-types], has an normative references to [RFC2986] and [ITU.
Warning:  The plural noun "references" cannot be used with the article "an". Did you mean an normative reference or normative references?
Suggested change:  "an normative reference"

Section: 3.1.4, draft text:
Consistent with the recommendation presented in Section 9.6 of [RFC8572], SZTP-clients SHOULD NOT passed the "csr-support" input parameter to an untrusted SZTP-server. 
Warning:  The modal verb 'SHOULD' requires the verb's base form.
Suggested change:  "pass"

Section: 3.1.5, draft text:
All of the certificate request formats defined in this document (e.g., CMC, CMP, etc.), not including a raw PKCS#10, support origin authentication.
Warning:  Consider using all the.
Suggested change:  "All the"

Section: 3.1.5, draft text:
Typically only one possible origin authentication mechanism can possibly be used but, in the case that the SZTP-client authenticates itself using both TLS-level (e.g., IDevID) and HTTP-level credentials (e.g., Basic), as is allowed by Section 5.3 of [RFC8572], then the SZTP-client may need to choose between the two options.
Warning:  Did you forget a comma after a conjunctive/linking adverb?
Suggested change:  "Typically,"

Thanks,
Rob
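The two-step exchange the review asks about in question 1 (csr-support advertised, an HTTP 400 prompting for a CSR, then the CSR itself), together with the single-request "guess" alternative and the fresh-key-as-nonce point from question 7, as an added stand-alone Python simulation. This is not part of Rob's message or the draft's own code: the JSON field names ("csr-support", "csr-request", "csr", "certificate-request-format", "key-generation"), the error tags, and the format identifiers are assumptions about the draft's model, the key pair is a random stand-in for a real asymmetric key, and the "CSR" is a dict rather than a real PKCS#10, CMP or CMC object.

```python
"""Simulated SZTP-client / SZTP-server CSR exchange (constructed illustration).

Field names ("csr-support", "csr-request", "csr", "certificate-request-format",
"key-generation"), error tags and format identifiers are ASSUMPTIONS about the
draft's YANG model, not copied from it.  The key pair is a random stand-in for
a real asymmetric key, and the "CSR" is a dict rather than a PKCS#10/CMP/CMC
object.
"""
import hashlib
import os

FORMATS = ("p10-csr", "cmp-csr", "cmc-csr")  # assumed identifiers for the CSR formats


class SztpServer:
    """Minimal server: prompts for a CSR via a 400 response, then accepts the CSR."""

    def __init__(self, preferred_formats):
        self.preferred_formats = tuple(preferred_formats)  # most-preferred first
        # Public keys of CSRs already processed.  Because the client generates a
        # fresh key for each CSR, the key doubles as a replay "nonce".
        self.seen_public_keys = set()

    def get_bootstrapping_data(self, request):
        """Return (http_status, body) for one get-bootstrapping-data request."""
        if "csr" in request:
            return self._handle_csr(request["csr"])
        support = request.get("csr-support")
        if support is None:
            # Server policy needs a CSR, but the client did not advertise support.
            return 400, {"error-tag": "missing-element",
                         "error-message": "csr-support required"}
        offered = support.get("certificate-request-format", [])
        chosen = next((f for f in self.preferred_formats if f in offered), None)
        if chosen is None:
            return 400, {"error-tag": "operation-not-supported",
                         "error-message": "no mutually supported CSR format"}
        # The "400 Bad Request" that prompts the client for a CSR.
        return 400, {"csr-request": {"certificate-request-format": chosen,
                                     "key-generation": "new-key"}}

    def _handle_csr(self, csr):
        fmt = csr.get("certificate-request-format")
        if fmt not in self.preferred_formats:
            return 400, {"error-tag": "operation-not-supported",
                         "error-message": f"unsupported CSR format {fmt!r}"}
        pub = csr["public-key"]
        if pub in self.seen_public_keys:
            # Same public key seen before: this CSR is a replay, not a fresh request.
            return 400, {"error-tag": "access-denied",
                         "error-message": "CSR public key already used"}
        self.seen_public_keys.add(pub)
        return 200, {"issued-for-public-key": pub, "format": fmt}


def generate_key_pair():
    """Stand-in for asymmetric key generation: the 'public key' is a hash of 32
    fresh random bytes, so every call yields a new, unpredictable value."""
    private = os.urandom(32)
    return private, hashlib.sha256(private).hexdigest()


def build_csr(fmt, public_key, subject):
    """Stand-in for a PKCS#10/CMP/CMC CSR carrying a subject and public key."""
    return {"certificate-request-format": fmt, "subject": subject,
            "public-key": public_key}


def bootstrap_with_handshake(server, client_formats, subject):
    """Two-step flow: advertise csr-support, expect a 400 carrying csr-request,
    then send a CSR in the format the server chose."""
    status, body = server.get_bootstrapping_data(
        {"csr-support": {"certificate-request-format": list(client_formats)}})
    if status != 400 or "csr-request" not in body:
        return status, body  # a genuine error, or a server that wants no CSR
    fmt = body["csr-request"]["certificate-request-format"]
    _, pub = generate_key_pair()
    return server.get_bootstrapping_data({"csr": build_csr(fmt, pub, subject)})


def bootstrap_with_guess(server, guessed_format, subject):
    """One-shot flow: skip the handshake and send a CSR in a guessed format.
    Succeeds only if the guess happens to be a format the server accepts."""
    _, pub = generate_key_pair()
    return server.get_bootstrapping_data(
        {"csr": build_csr(guessed_format, pub, subject)})


if __name__ == "__main__":
    server = SztpServer(preferred_formats=("cmp-csr", "cmc-csr"))
    print(bootstrap_with_handshake(server, FORMATS, "serial-0001"))
    print(bootstrap_with_guess(server, "p10-csr", "serial-0001"))
```

The server's `seen_public_keys` set is what turns a freshly generated key into replay protection: a client that reuses a key across CSRs would be indistinguishable from an attacker replaying a captured CSR, so the check only works when key generation really is per-request.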