Re: [Netconf] Mandatory local configuration in Keystore groupings
Martin Bjorklund <mbj@tail-f.com> Tue, 18 September 2018 07:02 UTC
Return-Path: <mbj@tail-f.com>
X-Original-To: netconf@ietfa.amsl.com
Delivered-To: netconf@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 38C8F128D68 for <netconf@ietfa.amsl.com>; Tue, 18 Sep 2018 00:02:36 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.901
X-Spam-Level:
X-Spam-Status: No, score=-1.901 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id I96mEn30ZUGi for <netconf@ietfa.amsl.com>; Tue, 18 Sep 2018 00:02:34 -0700 (PDT)
Received: from mail.tail-f.com (mail.tail-f.com [46.21.102.45]) by ietfa.amsl.com (Postfix) with ESMTP id 0AED3126F72 for <netconf@ietf.org>; Tue, 18 Sep 2018 00:02:33 -0700 (PDT)
Received: from localhost (unknown [173.38.220.61]) by mail.tail-f.com (Postfix) with ESMTPSA id 60BF91AE02BE; Tue, 18 Sep 2018 09:02:28 +0200 (CEST)
Date: Tue, 18 Sep 2018 09:02:27 +0200
Message-Id: <20180918.090227.98113334613843662.mbj@tail-f.com>
To: kwatsen@juniper.net
Cc: balazs.kovacs@ericsson.com, balazs.lengyel@ericsson.com, netconf@ietf.org
From: Martin Bjorklund <mbj@tail-f.com>
In-Reply-To: <C024B669-5B39-47C9-91FE-3C8D3698BB1D@juniper.net>
References: <1F126D9A-775C-4590-A645-6529C3066C14@juniper.net> <20180917.163819.1278530557866964677.mbj@tail-f.com> <C024B669-5B39-47C9-91FE-3C8D3698BB1D@juniper.net>
X-Mailer: Mew version 6.7 on Emacs 24.5 / Mule 6.0 (HANACHIRUSATO)
Mime-Version: 1.0
Content-Type: Text/Plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/netconf/Rt4s0dmvbRxw197xidSsbUNA4b0>
Subject: Re: [Netconf] Mandatory local configuration in Keystore groupings
X-BeenThere: netconf@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Network Configuration WG mailing list <netconf.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/netconf>, <mailto:netconf-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/netconf/>
List-Post: <mailto:netconf@ietf.org>
List-Help: <mailto:netconf-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/netconf>, <mailto:netconf-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 18 Sep 2018 07:02:36 -0000
Hi, Ok, so we have these two alternatives illustrated below. There are some details that probably are wrong, but it doesn't really matter at this stage. With (A), there is one more action to control the lifespan of keys (delete-hidden-key). In the case that the key is given as config, A and C works in the same way. In the case that the key is permanent, A and C also works in the same way. A and C differ in how hidden keys are handled. In order to create a hidden key + certificate, the steps are: A: 1. call generate-hidden-key with a given name 2. create an asymmetric-key with the same name in the config 3. call generate-certificate-signing-request 4. <get hold of a cert> 5. create the certificate in the config (step 1 and 2 can be done in reverse order) C 1. create an asymmetric-key in the config 2. call generate-hidden-key on this key 3. call generate-certificate-signing-request 4. <get hold of a cert> 5. create the certificate in the config In order to delete a hidden key completely: A: 1. call delete-hidden-key on the asymmetric-key to be deleted 2. delete the asymmetric-key from the config C: 1. delete the asymmetric-key from the config In summary, they are very similar. One possible twist that probably works best for C could be to use leafrefs with require instance true, and say that in order to use a permanent key (created during manufacturing), you first need to create config for the key (more or less empty config). The benefit is that we get proper leafref validation (no dangling pointers to handle in all other models). FWIW, this is the approach taken in ietf-interfaces. If we don't do this twist, I think that we can use either of A and C. /martin Kent Watsen <kwatsen@juniper.net> wrote: > > > With (A), once you have generated the key, you first have to create > > the config for it, then invoke the action. With (C) (99% of) the > > keys already exist in the config, so you can just invoke the action. > > I don't follow. What I see is that, with (A), a hidden key can be > created with a single action invocation while, with (C), first a > configuration operation is needed to create the "asymmetric-key" > (without the three leafs) followed by an action invocation (to > populate the three leafs). > > > > To summarize, A and C both get the job done. Which one is better is > > probably subjective. I think (C) is might be easier to understand. > > Okay, let's see how it looks. Bubbling all the ideas to the top, I > created the below tree-diagrams. Note, in both cases, the three > "mandatory true" leafs are replaced with an all-or-nothing "must" > expression: > > > (A) Uses RFC 8342 Section C.3.2 style config overlays for all hidden keys; > and an action statement is used to delete all hidden keys. > > +--rw keystore > +--rw asymmetric-keys > +--rw asymmetric-key* [name] > | +--rw name string > | +--rw algorithm? ct:key-algorithm-ref > | +--rw public-key? binary > | +--rw private-key? union > | +---m "(algorithm and public-key and private-key) > | | or not (algorithm or public-key or private-key)"; > | +--rw certificates > | | +--rw certificate* [name] > | | +--rw name string > | | +--rw cert ct:end-entity-cert-cms > | | +---n certificate-expiration > | | +-- expiration-date? yang:date-and-time > | +---x generate-certificate-signing-request > | | +---w input // KEY MAY BE IN <OPERATONAL> > | | | +---w subject binary > | | | +---w attributes? binary > | | +--ro output > | | +--ro certificate-signing-request binary > | +---x delete-hidden-key > | // no params > +---x generate-hidden-key > | +---w input // RESULT IN <OPERATONAL> > | +---w name string > | +---w algorithm ct:key-algorithm-ref > +---x load-hidden-key > +---w input // RESULT IN <OPERATONAL> > +---w name string > +---w algorithm ct:key-algorithm-ref > +---w public-key binary > +---w private-key union > > > (C) Uses RFC 8342 Section C.3.2 style config overlays only for hidden keys > created in <operational> (i.e., during manufacturing). But if there is > even just one key created during Manufacturing, and it doesn't appear > in <intended>, then leafrefs still need to be "require-instance false", > right? Also, it seems that such keys could never be deleted, unlike > other hidden keys, but that is probably okay (correct behavior). > > +--rw keystore > +--rw asymmetric-keys > +--rw asymmetric-key* [name] > +--rw name string > +--rw algorithm? ct:key-algorithm-ref > +--rw public-key? binary > +--rw private-key? union > +---m "(algorithm and public-key and private-key) > | or not (algorithm or public-key or private-key)"; > +--rw certificates > | +--rw certificate* [name] > | +--rw name string > | +--rw cert ct:end-entity-cert-cms > | +---n certificate-expiration > | +-- expiration-date? yang:date-and-time > +---x generate-hidden-key > | +---w input // RESULT IN <OPERATONAL> > | +---w name string > | +---w algorithm ct:key-algorithm-ref > +---x load-hidden-key > | +---w input // RESULT IN <OPERATONAL> > | +---w name string > | +---w algorithm ct:key-algorithm-ref > | +---w public-key binary > | +---w private-key union > +---x generate-certificate-signing-request > +---w input // KEY MAY BE IN <OPERATONAL> > | +---w subject binary > | +---w attributes? binary > +--ro output > +--ro certificate-signing-request binary > > > > > Kent // contributor > > >
- [Netconf] Mandatory local configuration in Keysto… Balazs Lengyel
- Re: [Netconf] Mandatory local configuration in Ke… Kent Watsen
- Re: [Netconf] Mandatory local configuration in Ke… Martin Bjorklund
- Re: [Netconf] Mandatory local configuration in Ke… Kent Watsen
- Re: [Netconf] Mandatory local configuration in Ke… Martin Bjorklund
- Re: [Netconf] Mandatory local configuration in Ke… Kent Watsen
- Re: [Netconf] Mandatory local configuration in Ke… Martin Bjorklund
- Re: [Netconf] Mandatory local configuration in Ke… Kent Watsen
- Re: [Netconf] Mandatory local configuration in Ke… Martin Bjorklund
- Re: [Netconf] Mandatory local configuration in Ke… Balázs Kovács
- Re: [Netconf] Mandatory local configuration in Ke… Kent Watsen
- Re: [Netconf] Mandatory local configuration in Ke… Martin Bjorklund
- Re: [Netconf] Mandatory local configuration in Ke… Balázs Kovács
- Re: [Netconf] Mandatory local configuration in Ke… Balázs Kovács
- Re: [Netconf] Mandatory local configuration in Ke… Kent Watsen
- Re: [Netconf] Mandatory local configuration in Ke… Martin Bjorklund
- Re: [Netconf] Mandatory local configuration in Ke… Balázs Kovács
- Re: [Netconf] Mandatory local configuration in Ke… Balázs Kovács
- Re: [Netconf] Mandatory local configuration in Ke… Kent Watsen
- Re: [Netconf] Mandatory local configuration in Ke… Martin Bjorklund
- Re: [Netconf] Mandatory local configuration in Ke… Balázs Kovács
- Re: [Netconf] Mandatory local configuration in Ke… Kent Watsen
- Re: [Netconf] Mandatory local configuration in Ke… Martin Bjorklund
- Re: [Netconf] Mandatory local configuration in Ke… Kent Watsen
- Re: [Netconf] Mandatory local configuration in Ke… Martin Bjorklund
- Re: [Netconf] Mandatory local configuration in Ke… Balázs Kovács
- Re: [Netconf] Mandatory local configuration in Ke… Kent Watsen
- Re: [Netconf] Mandatory local configuration in Ke… Martin Bjorklund
- Re: [Netconf] Mandatory local configuration in Ke… Balázs Kovács
- Re: [Netconf] Mandatory local configuration in Ke… Balázs Kovács
- Re: [Netconf] Mandatory local configuration in Ke… Kent Watsen
- Re: [Netconf] Mandatory local configuration in Ke… Balázs Kovács
- Re: [Netconf] Mandatory local configuration in Ke… Kent Watsen