Re: [Netconf] zerotouch/17: How to verify boot-image integrity?

Kent Watsen <kwatsen@juniper.net> Tue, 16 August 2016 00:01 UTC

This issue was discussed in Berlin.  The minutes capture the following:

    Issue #17:
    RW: My preference is NOT to do nothing. I support option #3 - encode both.
    KW: it is good not to have to worry about outdated security methods, hence option 1 is not a good idea.

Listening to the audio recording, it seems that we were leaning towards option #3 - that is, a format that allows us to use SHA256 now, and gracefully add support for additional algorithms in the future if needed.

During the meeting, we discussed an option for the Security Area to quickly publish a new draft defining a generic hashing format, but I’m not sure if it’s needed, as it seems that we could more easily do it using a ‘choice’ statement as follows:

     container boot-image {
        leaf name {
           type string;
        }
        choice name {
           leaf sha256 {      // this would be the only choice for now
              type string;
           }
           mandatory true;
        }
        // <snip/>
     }

In this way, future revisions of the module can add new ‘case’ statements.  This solution results in a simple instance encoding, for example:

  <boot-image>
     <name>boot-image-v3.2R1.6.img</name>
     <sha256>9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08</sha256>
     ...
  </boot-image>


What do you think?  I’ll assume this is okay if no objections are raised by the end of this week.

Thanks,
Kent
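
A device-side check for the encoding proposed above, as an added example that is not part of the original message or of the zerotouch draft: it reads the `boot-image` instance, selects the hash leaf it supports, and compares the streamed image digest in constant time. The function name, the fail-closed policy and the un-namespaced instance are assumptions; the digest in the message is the SHA-256 of the ASCII string "test", which the sample uses as a constructed image.

```python
import hashlib
import hmac
import io
import string
import xml.etree.ElementTree as ET

# Hash leaves this device implements. A later module revision that adds a new
# 'case' would add an entry here; the "sha256" leaf name is from the message.
SUPPORTED = {"sha256": hashlib.sha256}

# Constructed sample: the instance from the message without the elided leaves.
INSTANCE = """<boot-image>
  <name>boot-image-v3.2R1.6.img</name>
  <sha256>9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08</sha256>
</boot-image>"""


def verify_boot_image(instance_xml, image_stream):
    """Return True only if the image bytes match the advertised digest."""
    root = ET.fromstring(instance_xml)
    if root.tag != "boot-image":
        raise ValueError("not a boot-image instance")
    # A 'choice' allows exactly one case; fail closed when the device
    # recognises none of the hash leaves or sees the leaf more than once.
    leaves = [child for child in root if child.tag in SUPPORTED]
    if len(leaves) != 1:
        raise ValueError("expected exactly one supported hash leaf")
    leaf = leaves[0]
    digest = SUPPORTED[leaf.tag]()
    expected = (leaf.text or "").strip().lower()
    well_formed = (len(expected) == 2 * digest.digest_size
                   and set(expected) <= set(string.hexdigits))
    if not well_formed:
        raise ValueError("malformed %s value" % leaf.tag)
    # Hash in chunks so a large image never has to fit in memory.
    for chunk in iter(lambda: image_stream.read(65536), b""):
        digest.update(chunk)
    return hmac.compare_digest(digest.hexdigest(), expected)


if __name__ == "__main__":
    # Constructed image bytes whose SHA-256 equals the digest in the message.
    print(verify_boot_image(INSTANCE, io.BytesIO(b"test")))
```

An instance carrying only a hash leaf the device does not implement raises rather than skipping the check, so an older device never boots an image it could not verify.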