IETF Logo Mail Archive

Re: [Netconf] Mandatory local configuration in Keystore groupings

Kent Watsen <kwatsen@juniper.net> Tue, 11 September 2018 19:41 UTC

Return-Path: <kwatsen@juniper.net>
X-Original-To: netconf@ietfa.amsl.com
Delivered-To: netconf@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 0F2D1130F1F for <netconf@ietfa.amsl.com>; Tue, 11 Sep 2018 12:41:04 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.71
X-Spam-Level:
X-Spam-Status: No, score=-2.71 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001, T_DKIMWL_WL_HIGH=-0.01, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=juniper.net
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 7cN6Uu746c2u for <netconf@ietfa.amsl.com>; Tue, 11 Sep 2018 12:41:02 -0700 (PDT)
Received: from mx0b-00273201.pphosted.com (mx0b-00273201.pphosted.com [67.231.152.164]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id EC7F1130F29 for <netconf@ietf.org>; Tue, 11 Sep 2018 12:41:01 -0700 (PDT)
Received: from pps.filterd (m0108163.ppops.net [127.0.0.1]) by mx0b-00273201.pphosted.com (8.16.0.22/8.16.0.22) with SMTP id w8BJdnVp013769; Tue, 11 Sep 2018 12:40:59 -0700
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=juniper.net; h=from : to : cc : subject : date : message-id : references : in-reply-to : content-type : content-id : content-transfer-encoding : mime-version; s=PPS1017; bh=qvuptQEequR5ar4Mh19jwwET/ZrIIh0bsZtbyxDvbU4=; b=ARQK6KxXsMIU/oaZdsiUzW7XindFWiFaETwGzL1BZI/B1VnFrKi3eON33L+DwDFy5hg+ ZyvlhAgnuOLbXd3x+7D+eqaJ0n3TJhvEA8NmcGdntI10X3SnXRzNmc9X5BBPafVWENOq U98Y7zNh17c4m1w24XrRueFyGO3/zw1ZK6hGWELL3aaLuW425cHDweejy38P1J3QNUph tMPm0eGEPwMsjROKjvmNUVBMdM4IfnAxfV9E+ICxWb35c1Xl7jrUB9ufNx7QVfXYkk8f wseJQSCfsvRVG5ENVnTnrm/79MtDw8CroznG/felIW3GAu+sxZWxPWkz6p/ULKklFLrD 8A==
Received: from nam05-by2-obe.outbound.protection.outlook.com (mail-by2nam05lp0241.outbound.protection.outlook.com [216.32.181.241]) by mx0b-00273201.pphosted.com with ESMTP id 2mehc68ce6-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-SHA384 bits=256 verify=NOT); Tue, 11 Sep 2018 12:40:59 -0700
Received: from DM6PR05MB4665.namprd05.prod.outlook.com (20.176.109.202) by DM6PR05MB4362.namprd05.prod.outlook.com (20.176.78.143) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.1143.11; Tue, 11 Sep 2018 19:40:57 +0000
Received: from DM6PR05MB4665.namprd05.prod.outlook.com ([fe80::544a:dd4d:9524:9e6d]) by DM6PR05MB4665.namprd05.prod.outlook.com ([fe80::544a:dd4d:9524:9e6d%5]) with mapi id 15.20.1143.010; Tue, 11 Sep 2018 19:40:57 +0000
From: Kent Watsen <kwatsen@juniper.net>
To: Martin Bjorklund <mbj@tail-f.com>
CC: "balazs.kovacs@ericsson.com" <balazs.kovacs@ericsson.com>, "balazs.lengyel@ericsson.com" <balazs.lengyel@ericsson.com>, "netconf@ietf.org" <netconf@ietf.org>
Thread-Topic: [Netconf] Mandatory local configuration in Keystore groupings
Thread-Index: AQHUE4rJV5t3ZASQT0G65kk51KFdjKSAiWUAgEnK74CAACpJAIABPX8AgAOrEACABC+ZAIAAwASAgAC9gACAAHNjgIAAFAaAgAEgEwCAAicPgIAF1PmAgAF1VYCACj3EgIAAtxgAgACClQA=
Date: Tue, 11 Sep 2018 19:40:57 +0000
Message-ID: <1F126D9A-775C-4590-A645-6529C3066C14@juniper.net>
References: <20180903.121823.1406711858636851159.mbj@tail-f.com> <VI1PR0701MB20166AC7017AACC865EAE4AC83030@VI1PR0701MB2016.eurprd07.prod.outlook.com> <185C7E6D-7EF1-4FFE-9A9B-74BA7E16D946@juniper.net> <20180911.095334.2041631968993039535.mbj@tail-f.com>
In-Reply-To: <20180911.095334.2041631968993039535.mbj@tail-f.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
user-agent: Microsoft-MacOutlook/f.20.0.170309
x-originating-ip: [66.129.241.12]
x-ms-publictraffictype: Email
x-microsoft-exchange-diagnostics: 1; DM6PR05MB4362; 6:leZFdRT7FdGmH7p5iNHkCE9DHg4DohMefqxGcqfKKhUfUvulLVnryz7DnDuGv3U7OG/0NK0RKUrpYN5S/CWn5sQGq1gJGCwx25zMIUH1/V8/SNZHMmp7Kr2t/p1uzNZmBxeVE4ILPD5MLW52XEqJ9ugLA166drWrfgcQScta+f8pZPzqYoMJ5RloO4Tfz5n9uJfHnUlTwSerg2leWwM8koTuF9cH/T2yo0i16a76xR60snclO0k9Zm2GTK7oNSXRG0F9U+H67Rk4lDvvCZsKRLMf4ijn8qSeq1Wnz6dornEGL5YvcwiOViQrcG4/rlcOTTxr38TkITX0DcF8Vez++pHjIEk5NY23OeXrn7Hpncomx1BsRmLxlOMzQDfc46mxNCV42jFK8CTGTPWp/16BR+9QdwetRq2jNFHKJTPrsf+7vzhDev2VjumVuuzLVvUikhzqY9xjt8Vvkgoru77f/w==; 5:VcklYgS8HGb5rG8HGNThVb1c/z3LsjMhfYFBTE9i4LpPiqlrYjtOFS8FAqIcxOpTKZaAq+3RLnL3XcLDjwvVccGvqHbhDjYIbuKRIoErfxiAfhJo0GPppLH2PFklS8iPViFx8KpFtEpOd2SxJyyLgavic2Ssdl8yoqlbxhI0V5o=; 7:NUAmRX/72HGwOwX+pry8yeIzQrb8C7uRbrds7x8scmC8ViLoLGGcgRTy2/kotaaVo+vXOh4waAzKE2QeIM/kyJchV8wyk0O2+xTSdJPdnKGVqb3XMmE7GiHifODX+sV0qXBVyQ32xR9LQjvGuRzxQqrdreP6vJ6/hmJgwhIx4U7rCxF79+s2peG8sfdPTV5Dvd+Oyef3kCUBoODT9JxU7s4+/DcoAbBAhPpZ6DP70wUDlhHp8cESQ9bzTb0+yX9d
x-ms-exchange-antispam-srfa-diagnostics: SOS;
x-ms-office365-filtering-correlation-id: 70466042-abcf-40f3-2326-08d6181e7ea9
x-ms-office365-filtering-ht: Tenant
x-microsoft-antispam: BCL:0; PCL:0; RULEID:(7020095)(4652040)(8989137)(4534165)(4627221)(201703031133081)(201702281549075)(8990107)(5600074)(711020)(4618075)(2017052603328)(7153060)(7193020); SRVR:DM6PR05MB4362;
x-ms-traffictypediagnostic: DM6PR05MB4362:
x-microsoft-antispam-prvs: <DM6PR05MB4362C8BC94C571A3A5F41E79A5040@DM6PR05MB4362.namprd05.prod.outlook.com>
x-exchange-antispam-report-test: UriScan:(17755550239193);
x-ms-exchange-senderadcheck: 1
x-exchange-antispam-report-cfa-test: BCL:0; PCL:0; RULEID:(8211001083)(6040522)(2401047)(8121501046)(5005006)(3002001)(93006095)(93001095)(3231311)(944501410)(52105095)(10201501046)(6055026)(149027)(150027)(6041310)(20161123564045)(20161123562045)(20161123558120)(20161123560045)(201703131423095)(201702281528075)(20161123555045)(201703061421075)(201703061406153)(201708071742011)(7699050); SRVR:DM6PR05MB4362; BCL:0; PCL:0; RULEID:; SRVR:DM6PR05MB4362;
x-forefront-prvs: 0792DBEAD0
x-forefront-antispam-report: SFV:NSPM; SFS:(10019020)(136003)(396003)(376002)(39860400002)(366004)(346002)(199004)(189003)(26005)(476003)(36756003)(446003)(186003)(6436002)(6306002)(6512007)(76176011)(7736002)(14454004)(8676002)(486006)(6916009)(2616005)(305945005)(97736004)(6506007)(105586002)(86362001)(478600001)(14444005)(68736007)(106356001)(256004)(11346002)(966005)(82746002)(229853002)(83716003)(2900100001)(102836004)(81166006)(8936002)(33656002)(53936002)(5250100002)(66066001)(81156014)(58126008)(2906002)(3846002)(6116002)(5660300001)(6246003)(6486002)(54906003)(93886005)(4326008)(316002)(25786009)(99286004); DIR:OUT; SFP:1102; SCL:1; SRVR:DM6PR05MB4362; H:DM6PR05MB4665.namprd05.prod.outlook.com; FPR:; SPF:None; LANG:en; PTR:InfoNoRecords; A:1; MX:1;
received-spf: None (protection.outlook.com: juniper.net does not designate permitted sender hosts)
x-microsoft-antispam-message-info: jT4i63v3VSOB6D84vB5K0nLeTot6lMPh3fwukiaHBoKk66toAXXM/ejqUIh45sHJQ5PT8fUwjlVG6NfiDSQSHO3yQOTcl4LcphK8Tfuy4TZxiGOAjtxa/fEXyTCeYRiv6RuLpse+GGWi9vBdxs0SK187hycv2YBP/qw6qi8eAznwet/ZJm0H08fh1w/W6G9RqJu1yYfIxvM0rYEkYYONo5FoiBOT4R6bwHYneIUSsWlkOwbz/2dN6nT29E/7pu+W9p6vVspV/hOjw7GDb1ZGfhE8biG44zUOaTua2IZdN9VN7h4HnPFYUkNldo9tPNrKSYCgCevIpTw432K/A7vrT9EkYTu166NnkUK5dMJDOTE=
spamdiagnosticoutput: 1:99
spamdiagnosticmetadata: NSPM
Content-Type: text/plain; charset="utf-8"
Content-ID: <2F10DFB8EF17FF4AA2A63B497831D67C@namprd05.prod.outlook.com>
Content-Transfer-Encoding: base64
MIME-Version: 1.0
X-OriginatorOrg: juniper.net
X-MS-Exchange-CrossTenant-Network-Message-Id: 70466042-abcf-40f3-2326-08d6181e7ea9
X-MS-Exchange-CrossTenant-originalarrivaltime: 11 Sep 2018 19:40:57.0941 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: bea78b3c-4cdb-4130-854a-1d193232e5f4
X-MS-Exchange-Transport-CrossTenantHeadersStamped: DM6PR05MB4362
X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10434:, , definitions=2018-09-11_10:, , signatures=0
X-Proofpoint-Spam-Details: rule=outbound_spam_notspam policy=outbound_spam score=0 priorityscore=1501 malwarescore=0 suspectscore=0 phishscore=0 bulkscore=0 spamscore=0 clxscore=1015 lowpriorityscore=0 mlxscore=0 impostorscore=0 mlxlogscore=999 adultscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.0.1-1807170000 definitions=main-1809110193
Archived-At: <https://mailarchive.ietf.org/arch/msg/netconf/SSWLgRTKesqxu5QatiuFCzjldZA>
Subject: Re: [Netconf] Mandatory local configuration in Keystore groupings
X-BeenThere: netconf@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Network Configuration WG mailing list <netconf.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/netconf>, <mailto:netconf-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/netconf/>
List-Post: <mailto:netconf@ietf.org>
List-Help: <mailto:netconf-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/netconf>, <mailto:netconf-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 11 Sep 2018 19:41:04 -0000


>> There are two solutions being discussed here.  
>> 
>> The first regards how to enable a certificate to be configured for a key
>> in <operational> (e.g., an LDevID cert for a preexisting key).  Both
>> solution (A) and (C) give us this - a la RFC 8342 Section C.3.2.
>> 
>> The second is how to delete a "hidden key" created by a client (note here
>> that I'm distinguishing this case from hidden keys not created by a client,
>> i.e., in <operational>, which cannot be deleted).  Here's where the ideas
>> diverge:
>> 
>>   - with (A), we keep the "generate" action outside the list entry (thus
>>     results are in <operational>, and add a new "delete-asymmetric-key"
>>     action is needed.
>> 
>>   - with (C), the action is moved inside the list entry, thus the list
>>     entry node itself in <intended>, and hence can be removed from
>>     <intended> via a normal config operation (no special action needed).
>> 
>> I don't see an issue configuring certificates in either case.  As I wrote
>> above, both solution (A) and (C) give us this. (C) still has to handle
>> the case where the key is in <operational> same as (A).  With (C), it's
>> the 1% case, whereas with (A) it’s the 100% case.
>
> How can a key be in operational but not in config in (C)?  I.e., what
> is the 1% case?

Maybe too subtle, but in my first paragraph above said "e.g., an LDevID
cert for a preexisting key".  I'm referring to how, during manufacturing,
a private key and an associated IDevID certificate are created and loaded
onto the device.  This key and cert are immutable, but another cert could
be loaded for the same key.  This is the scenario captured in the example
in: https://tools.ietf.org/html/draft-ietf-netconf-keystore-05#section-3.2.
(search for "tpm-protected-key").  This is the 1% case.



>> They seem close.  For the purpose of creating a key, (C) is more
>> complicated.  For the purpose of deleting a key, (C) seems easier.
>
> For the purpose of creating a certificate (A) is more complicated.

How is that so?  Actually, it seems that (A) and (C) are identical
in this respect, from a protocol perspective.  The only difference
is in the backend, where it uses the RFC 8342 Section C.3.2 overlay
behavior.


> Depending on the answer above, (C) has the advantage that references
> (leafrefs) to a key can be require instance true.  With (A) they have
> to be require instance false, since some keys only exists in
> operational, which means that whenever there is a reference to a key,
> that model and code must be able to handle the case that the key
> doesn't exist.

Even with (C), some keys can be in <operational> - the 1% case, right?

Yes, if *all* keys had a presence in <intended>, then learefs to keys
could be "require-instance true".


Kent // contributor

v2.23.0 | Report a Bug | By Email