IETF Logo Mail Archive

Re: [Netconf] Mandatory local configuration in Keystore groupings

Martin Bjorklund <mbj@tail-f.com> Tue, 18 September 2018 07:02 UTC

Return-Path: <mbj@tail-f.com>
X-Original-To: netconf@ietfa.amsl.com
Delivered-To: netconf@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 38C8F128D68 for <netconf@ietfa.amsl.com>; Tue, 18 Sep 2018 00:02:36 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.901
X-Spam-Level:
X-Spam-Status: No, score=-1.901 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id I96mEn30ZUGi for <netconf@ietfa.amsl.com>; Tue, 18 Sep 2018 00:02:34 -0700 (PDT)
Received: from mail.tail-f.com (mail.tail-f.com [46.21.102.45]) by ietfa.amsl.com (Postfix) with ESMTP id 0AED3126F72 for <netconf@ietf.org>; Tue, 18 Sep 2018 00:02:33 -0700 (PDT)
Received: from localhost (unknown [173.38.220.61]) by mail.tail-f.com (Postfix) with ESMTPSA id 60BF91AE02BE; Tue, 18 Sep 2018 09:02:28 +0200 (CEST)
Date: Tue, 18 Sep 2018 09:02:27 +0200
Message-Id: <20180918.090227.98113334613843662.mbj@tail-f.com>
To: kwatsen@juniper.net
Cc: balazs.kovacs@ericsson.com, balazs.lengyel@ericsson.com, netconf@ietf.org
From: Martin Bjorklund <mbj@tail-f.com>
In-Reply-To: <C024B669-5B39-47C9-91FE-3C8D3698BB1D@juniper.net>
References: <1F126D9A-775C-4590-A645-6529C3066C14@juniper.net> <20180917.163819.1278530557866964677.mbj@tail-f.com> <C024B669-5B39-47C9-91FE-3C8D3698BB1D@juniper.net>
X-Mailer: Mew version 6.7 on Emacs 24.5 / Mule 6.0 (HANACHIRUSATO)
Mime-Version: 1.0
Content-Type: Text/Plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/netconf/Rt4s0dmvbRxw197xidSsbUNA4b0>
Subject: Re: [Netconf] Mandatory local configuration in Keystore groupings
X-BeenThere: netconf@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Network Configuration WG mailing list <netconf.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/netconf>, <mailto:netconf-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/netconf/>
List-Post: <mailto:netconf@ietf.org>
List-Help: <mailto:netconf-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/netconf>, <mailto:netconf-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 18 Sep 2018 07:02:36 -0000

Hi,

Ok, so we have these two alternatives illustrated below.  There are
some details that probably are wrong, but it doesn't really matter at
this stage.  With (A), there is one more action to control the
lifespan of keys (delete-hidden-key).

In the case that the key is given as config, A and C works in the same
way.

In the case that the key is permanent, A and C also works in the same
way.

A and C differ in how hidden keys are handled.


In order to create a hidden key + certificate, the steps are:

A:  1. call generate-hidden-key with a given name
    2. create an asymmetric-key with the same name in the config
    3. call generate-certificate-signing-request
    4. <get hold of a cert>
    5. create the certificate in the config

(step 1 and 2 can be done in reverse order)

C   1. create an asymmetric-key in the config
    2. call generate-hidden-key on this key
    3. call generate-certificate-signing-request
    4. <get hold of a cert>
    5. create the certificate in the config

In order to delete a hidden key completely:

A:  1. call delete-hidden-key on the asymmetric-key to be deleted
    2. delete the asymmetric-key from the config

C:  1. delete the asymmetric-key from the config



In summary, they are very similar.

One possible twist that probably works best for C could be to use
leafrefs with require instance true, and say that in order to use a
permanent key (created during manufacturing), you first need to create
config for the key (more or less empty config).  The benefit is that
we get proper leafref validation (no dangling pointers to handle in
all other models).  FWIW, this is the approach taken in
ietf-interfaces.

If we don't do this twist, I think that we can use either of A and C.



/martin




Kent Watsen <kwatsen@juniper.net> wrote:
> 
> > With (A), once you have generated the key, you first have to create
> > the config for it, then invoke the action.   With (C) (99% of) the 
> > keys already exist in the config, so you can just invoke the action.
> 
> I don't follow.  What I see is that, with (A), a hidden key can be 
> created with a single action invocation while, with (C), first a 
> configuration operation is needed to create the "asymmetric-key" 
> (without the three leafs) followed by an action invocation (to 
> populate the three leafs).
> 
> 
> > To summarize, A and C both get the job done.  Which one is better is
> > probably subjective.  I think (C) is might be easier to understand.
> 
> Okay, let's see how it looks.  Bubbling all the ideas to the top, I 
> created the below tree-diagrams.  Note, in both cases, the three 
> "mandatory true" leafs are replaced with an all-or-nothing "must" 
> expression:
> 
> 
> (A) Uses RFC 8342 Section C.3.2 style config overlays for all hidden keys;
>     and an action statement is used to delete all hidden keys.
> 
>      +--rw keystore
>         +--rw asymmetric-keys
>            +--rw asymmetric-key* [name]
>            |  +--rw name                            string
>            |  +--rw algorithm?                      ct:key-algorithm-ref
>            |  +--rw public-key?                     binary
>            |  +--rw private-key?                    union
>            |  +---m "(algorithm and public-key and private-key)
>            |  |       or not (algorithm or public-key or private-key)";
>            |  +--rw certificates
>            |  |  +--rw certificate* [name]
>            |  |     +--rw name                      string
>            |  |     +--rw cert                      ct:end-entity-cert-cms
>            |  |     +---n certificate-expiration
>            |  |        +-- expiration-date?         yang:date-and-time
>            |  +---x generate-certificate-signing-request
>            |  |  +---w input                        // KEY MAY BE IN <OPERATONAL>
>            |  |  |  +---w subject                   binary
>            |  |  |  +---w attributes?               binary
>            |  |  +--ro output
>            |  |     +--ro certificate-signing-request    binary
>            |  +---x delete-hidden-key
>            |        // no params
>            +---x generate-hidden-key
>            |  +---w input                           // RESULT IN <OPERATONAL>
>            |     +---w name                         string
>            |     +---w algorithm                    ct:key-algorithm-ref
>            +---x load-hidden-key
>               +---w input                           // RESULT IN <OPERATONAL>
>                  +---w name                         string
>                  +---w algorithm                    ct:key-algorithm-ref
>                  +---w public-key                   binary
>                  +---w private-key                  union
> 
> 
> (C) Uses RFC 8342 Section C.3.2 style config overlays only for hidden keys
>     created in <operational> (i.e., during manufacturing).  But if there is
>     even just one key created during Manufacturing, and it doesn't appear
>     in <intended>, then leafrefs still need to be "require-instance false",
>     right? Also, it seems that such keys could never be deleted, unlike 
>     other hidden keys, but that is probably okay (correct behavior).
> 
>      +--rw keystore
>         +--rw asymmetric-keys
>            +--rw asymmetric-key* [name]
>               +--rw name                            string
>               +--rw algorithm?                      ct:key-algorithm-ref
>               +--rw public-key?                     binary
>               +--rw private-key?                    union
>               +---m "(algorithm and public-key and private-key)
>               |       or not (algorithm or public-key or private-key)";
>               +--rw certificates
>               |  +--rw certificate* [name]
>               |     +--rw name                      string
>               |     +--rw cert                      ct:end-entity-cert-cms 
>               |     +---n certificate-expiration
>               |        +-- expiration-date?         yang:date-and-time
>               +---x generate-hidden-key
>               |  +---w input                        // RESULT IN <OPERATONAL>
>               |     +---w name                      string
>               |     +---w algorithm                 ct:key-algorithm-ref
>               +---x load-hidden-key
>               |  +---w input                        // RESULT IN <OPERATONAL>
>               |     +---w name                      string
>               |     +---w algorithm                 ct:key-algorithm-ref
>               |     +---w public-key                binary
>               |     +---w private-key               union
>               +---x generate-certificate-signing-request
>                  +---w input                        // KEY MAY BE IN <OPERATONAL>
>                  |  +---w subject                   binary
>                  |  +---w attributes?               binary
>                  +--ro output
>                     +--ro certificate-signing-request    binary
> 
> 
> 
> 
> Kent // contributor
> 
> 
>

v2.23.0 | Report a Bug | By Email