IETF Logo Mail Archive

Re: [netconf] crypto-types fallback strategy

"Rob Wilton (rwilton)" <rwilton@cisco.com> Tue, 17 September 2019 10:10 UTC

Return-Path: <rwilton@cisco.com>
X-Original-To: netconf@ietfa.amsl.com
Delivered-To: netconf@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id DF84412080F for <netconf@ietfa.amsl.com>; Tue, 17 Sep 2019 03:10:57 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -14.499
X-Spam-Level:
X-Spam-Status: No, score=-14.499 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_HI=-5, SPF_PASS=-0.001, URIBL_BLOCKED=0.001, USER_IN_DEF_DKIM_WL=-7.5] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=cisco.com header.b=i+IXzA1e; dkim=pass (1024-bit key) header.d=cisco.onmicrosoft.com header.b=0j8OE5JT
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id n0TGcyBUJovB for <netconf@ietfa.amsl.com>; Tue, 17 Sep 2019 03:10:54 -0700 (PDT)
Received: from rcdn-iport-2.cisco.com (rcdn-iport-2.cisco.com [173.37.86.73]) (using TLSv1.2 with cipher DHE-RSA-SEED-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 81CDD12080A for <netconf@ietf.org>; Tue, 17 Sep 2019 03:10:54 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cisco.com; i=@cisco.com; l=33622; q=dns/txt; s=iport; t=1568715054; x=1569924654; h=from:to:cc:subject:date:message-id:references: in-reply-to:mime-version; bh=13uQTxHo46S9OdzlY+CyVU5iQycikRWyfgNB95UfEzg=; b=i+IXzA1eIAJ2cmswIVCrQtjnjwxFuWCixYMcIVEsLAVAgXrBSN9sbGvx E5ZFa50jKo1kLDDtmuYG8b1E1glHlf/Pi9fATzrLmd1Hpg8b+E9HlzKAd wkkxr1RklMFNSQUsFphmQhTGWeanUtrPEetNMRTRDhUPDAyGDsJXnv7t1 c=;
IronPort-PHdr: 9a23:JofsdRyNRCGYtw3XCy+N+z0EezQntrPoPwUc9psgjfdUf7+++4j5YhSN/u1j2VnOW4iTq+lJjebbqejBYSQB+t7A1RJKa5lQT1kAgMQSkRYnBZufFkz/MPnsRyc7B89FElRi+iLzPA==
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: A0AOAADmsIBd/4ENJK1bAQkaAQEBAQECAQEBAQcCAQEBAYFUBAEBAQELAYEVLyQsA21WIAQLKgqEF4NHA4pyglyJZYkkhGmBLoEkA1QJAQEBDAEBLQIBAYQ/AheCWyM1CA4CAwkBAQQBAQECAQUEbYUuDIVKAQEBBBIRChMBATcBDwIBCBEEAQEhCgICAh8RHQgCBA4FCBqDAYEdTQMdAQKiKgKBOIhhc4Eygn0BAQWFEg0LghcJgTQBijSBQxiBQD+BV4FOfj6CGoF/ASwVgnQygiaPUYUlJJcYQQqCIokVh2yEG5kamB6OcAIEAgQFAg4BAQWBVAMzgVhwFYMngkILAReDT4pTc4EpjioBgSIBAQ
X-IronPort-AV: E=Sophos;i="5.64,516,1559520000"; d="scan'208,217";a="635324889"
Received: from alln-core-9.cisco.com ([173.36.13.129]) by rcdn-iport-2.cisco.com with ESMTP/TLS/DHE-RSA-SEED-SHA; 17 Sep 2019 10:10:34 +0000
Received: from XCH-RCD-002.cisco.com (xch-rcd-002.cisco.com [173.37.102.12]) by alln-core-9.cisco.com (8.15.2/8.15.2) with ESMTPS id x8HAAYpr029625 (version=TLSv1.2 cipher=AES256-SHA bits=256 verify=FAIL); Tue, 17 Sep 2019 10:10:34 GMT
Received: from xhs-aln-003.cisco.com (173.37.135.120) by XCH-RCD-002.cisco.com (173.37.102.12) with Microsoft SMTP Server (TLS) id 15.0.1473.3; Tue, 17 Sep 2019 05:10:33 -0500
Received: from xhs-rtp-001.cisco.com (64.101.210.228) by xhs-aln-003.cisco.com (173.37.135.120) with Microsoft SMTP Server (TLS) id 15.0.1473.3; Tue, 17 Sep 2019 05:10:33 -0500
Received: from NAM04-CO1-obe.outbound.protection.outlook.com (64.101.32.56) by xhs-rtp-001.cisco.com (64.101.210.228) with Microsoft SMTP Server (TLS) id 15.0.1473.3 via Frontend Transport; Tue, 17 Sep 2019 06:10:33 -0400
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=bQvE7jYlvr87OamNjc05GZDKe6OKpo1fVwoawrZ5jhqsQMpP9ZPhbTmM2KyreY0npLbavaeHVkqE+0wxEyqHp80M7apAF0i7otYV8k/0e3mJh3kCsS/z8bivDnJxz/Zz5/WnBuvrZzqJGX4dDNS0lSIZyJSY9NW4KnsTUkcflrIpsP5bzeyuHiRXxsXwJS+9b0WNZ8zfG76feWJjeI6eUEs8gpbhsyYBwlljk84ZeVuL1KWPKZNnN8kmlcENigmMh8HOaJyaXvz92gRjSAQBt0hngJ/Vt5JtCAFdhkM0vdTo79lu9mCvN6o1y5HxjkE/ROSnkEBC8qaZzd26PwQSgA==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=13uQTxHo46S9OdzlY+CyVU5iQycikRWyfgNB95UfEzg=; b=lESdaacQjK1WB7hM3psIl9V5zgs0GtC8DbtqCbEXNTSkKyrnwrsC83EKYJKStOAMbF8dLI/u7oF8rBspL/PFXvL06qH2rpGjhGyzrHdYuF5H7azV3LWU298n9cSM2qAEgulRZ014A2IRbFZj8oLt1Qyadx/CxNtq1TuNzg/Bj4H84X1GISLSVbpGDIzfEewvytvwQ1Or99H40t7TMGepsSRKbP+Ew0GBQBmhsR7TmdWFyWnhD4pG6GewT3BnCb/8CxqINVXXC55y1/tBIhJQn11YmM1+q8HNZQHqfmcS7vYybrhjMPKTZi5CcwTJa/cozXe6g4LgIog/9gJpNm8rNA==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=cisco.com; dmarc=pass action=none header.from=cisco.com; dkim=pass header.d=cisco.com; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=cisco.onmicrosoft.com; s=selector2-cisco-onmicrosoft-com; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=13uQTxHo46S9OdzlY+CyVU5iQycikRWyfgNB95UfEzg=; b=0j8OE5JTangCsd0OVuJVPjciLoDQ9b1lyhh4aqHfWbDexXF2AiDartPPym8phjc21fXGepz+Ll2f/iwp72zR9F4q+hLcR6YP9oErJHIewHfxNiY620e/zmKIb50JaCSFz/+aA5ZQjx8PdaMI88T59x605XveP/2pJYAtct6coWw=
Received: from MN2PR11MB4366.namprd11.prod.outlook.com (52.135.38.209) by MN2PR11MB3933.namprd11.prod.outlook.com (10.255.180.211) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.2263.20; Tue, 17 Sep 2019 10:10:32 +0000
Received: from MN2PR11MB4366.namprd11.prod.outlook.com ([fe80::6db3:f4c:467b:30f6]) by MN2PR11MB4366.namprd11.prod.outlook.com ([fe80::6db3:f4c:467b:30f6%7]) with mapi id 15.20.2263.023; Tue, 17 Sep 2019 10:10:32 +0000
From: "Rob Wilton (rwilton)" <rwilton@cisco.com>
To: Kent Watsen <kent+ietf@watsen.net>
CC: "netconf@ietf.org" <netconf@ietf.org>, Russ Housley <housley@vigilsec.com>, Rifaat Shekh-Yusef <rifaat.ietf@gmail.com>, Sean Turner <sean@sn3rd.com>
Thread-Topic: [netconf] crypto-types fallback strategy
Thread-Index: AQHVaNxVu0aQE+n/K0iPwVgOy8FH/KcpQIdQgAVLFQCAARKfAA==
Date: Tue, 17 Sep 2019 10:10:31 +0000
Message-ID: <MN2PR11MB4366F63419F6BD4EF106766FB58F0@MN2PR11MB4366.namprd11.prod.outlook.com>
References: <0100016d21ee2101-fb4f3288-1975-4a7d-a499-cb42ff8d9e14-000000@email.amazonses.com> <MN2PR11MB4366AE6CF9E03B15EBEA3A39B5B30@MN2PR11MB4366.namprd11.prod.outlook.com> <0100016d3afa694e-ce58ee3a-792f-4c0e-89bb-83d0128a5194-000000@email.amazonses.com>
In-Reply-To: <0100016d3afa694e-ce58ee3a-792f-4c0e-89bb-83d0128a5194-000000@email.amazonses.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
authentication-results: spf=none (sender IP is ) smtp.mailfrom=rwilton@cisco.com;
x-originating-ip: [173.38.220.61]
x-ms-publictraffictype: Email
x-ms-office365-filtering-correlation-id: d6ffb689-bd87-4c82-2a70-08d73b57461f
x-microsoft-antispam: BCL:0; PCL:0; RULEID:(2390118)(7020095)(4652040)(8989299)(5600167)(711020)(4605104)(1401327)(4534185)(4627221)(201703031133081)(201702281549075)(8990200)(2017052603328)(7193020); SRVR:MN2PR11MB3933;
x-ms-traffictypediagnostic: MN2PR11MB3933:
x-microsoft-antispam-prvs: <MN2PR11MB39335E12A5DAEBCCFF535803B58F0@MN2PR11MB3933.namprd11.prod.outlook.com>
x-ms-oob-tlc-oobclassifiers: OLM:10000;
x-forefront-prvs: 01630974C0
x-forefront-antispam-report: SFV:NSPM; SFS:(10009020)(979002)(4636009)(396003)(39860400002)(136003)(346002)(376002)(366004)(51444003)(199004)(54094003)(189003)(66556008)(8936002)(476003)(2906002)(71190400001)(86362001)(486006)(25786009)(71200400001)(14444005)(256004)(66446008)(6436002)(54906003)(55016002)(9686003)(229853002)(316002)(54896002)(33656002)(64756008)(66476007)(4326008)(81156014)(66946007)(76116006)(6306002)(8676002)(81166006)(7696005)(478600001)(7736002)(446003)(74316002)(99286004)(52536014)(66066001)(186003)(9326002)(6246003)(11346002)(102836004)(3846002)(5660300002)(790700001)(6506007)(53546011)(26005)(14454004)(6116002)(76176011)(969003)(989001)(999001)(1009001)(1019001); DIR:OUT; SFP:1101; SCL:1; SRVR:MN2PR11MB3933; H:MN2PR11MB4366.namprd11.prod.outlook.com; FPR:; SPF:None; LANG:en; PTR:InfoNoRecords; A:1; MX:1;
received-spf: None (protection.outlook.com: cisco.com does not designate permitted sender hosts)
x-ms-exchange-senderadcheck: 1
x-microsoft-antispam-message-info: MMwBLfMegA44jVKs9FQCYhiDoImkDmkoUL2bDVOO+NRnlthYm87+l476X1y27t2K3YkCuiSIg7LPCWHcwQbkwjvl9aVAmYZ2C2SbhHE8nHnEx5LeggWgN84Yz0N0sGS+79NPYhoUZpCc3AY3oZs1hF9/n6lQlskTJ9urVlHXK+DoagxAqeJ7iFHiuNWWuu+Q+8BG4ID9JCjl8qrpQr0ClHFNGnHLU87a4gnlNvlfdAl3J9G+DmSAkRQRa2RCVPOv2GnOmWswjdMcUOdj1UkE60rtLGpoWRC4PfI6OX0lvfMc4ddbAIlElkp7plRK9dJXP2OnawjdE6C2YyaIQj7JEJydkUYbWLtqByxrouQWJpkhqwLnaKj9OML9PSlycW4Vq0ZNPgDTS4vpw/3PIYZD3CN6lJM+z7BYDOeGuHj5Czg=
x-ms-exchange-transport-forked: True
Content-Type: multipart/alternative; boundary="_000_MN2PR11MB4366F63419F6BD4EF106766FB58F0MN2PR11MB4366namp_"
MIME-Version: 1.0
X-MS-Exchange-CrossTenant-Network-Message-Id: d6ffb689-bd87-4c82-2a70-08d73b57461f
X-MS-Exchange-CrossTenant-originalarrivaltime: 17 Sep 2019 10:10:31.9006 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 5ae1af62-9505-4097-a69a-c1553ef7840e
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-CrossTenant-userprincipalname: vvLDuOI/f4ETtGy0DgBVwdwNyYnpnQRCVbJbErxxYAh+/mSOYfsMrWzB/JMP6YUXOD3qP62EG3ha7JfinHECqw==
X-MS-Exchange-Transport-CrossTenantHeadersStamped: MN2PR11MB3933
X-OriginatorOrg: cisco.com
X-Outbound-SMTP-Client: 173.37.102.12, xch-rcd-002.cisco.com
X-Outbound-Node: alln-core-9.cisco.com
Archived-At: <https://mailarchive.ietf.org/arch/msg/netconf/VPT-TP7if39uVFo5xn8UqdpI-M4>
Subject: Re: [netconf] crypto-types fallback strategy
X-BeenThere: netconf@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: NETCONF WG list <netconf.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/netconf>, <mailto:netconf-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/netconf/>
List-Post: <mailto:netconf@ietf.org>
List-Help: <mailto:netconf-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/netconf>, <mailto:netconf-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 17 Sep 2019 10:10:58 -0000

Hi Kent,

From: Kent Watsen <kent+ietf@watsen.net>
Sent: 16 September 2019 17:49
To: Rob Wilton (rwilton) <rwilton@cisco.com>
Cc: netconf@ietf.org; Russ Housley <housley@vigilsec.com>; Rifaat Shekh-Yusef <rifaat.ietf@gmail.com>; Sean Turner <sean@sn3rd.com>
Subject: Re: [netconf] crypto-types fallback strategy


Hi Rob,




1.      I think that using a numerical OID to identify crypto algorithms doesn’t seem like a great choice.  Seeing a config file say something like “rsaEncryption” instead of some OID string seems to be much more human friendly.  And as Martin says, using the OID name has no guarantees of being unique.

On only this very last point, I'm unsure about that.
[RW]
The full numerical OID string is unique, but very hard to be interpreted by a human.  The human readable OID name (e.g. for just the last element) is not unique.

I agree with Juergen, in that I think that using OIDs as names for encryption protocols is probably a mistake and tying us into the past.





2.      I wonder if changing from identifiers to enums was a mistake.  If we were to use YANG identifiers then we wouldn’t need to define them all now, and they wouldn’t all need to be defined in the same YANG module.  In fact, if we were to go back to using identifiers then perhaps NETCONF should restrict itself to only defining the identifiers that we actually need now, and leave the rest to the security folks to figure out, probably as separate modules defining the extra identifiers that they need, or as a bis version of the crypto-types draft if required.

Seems like a reasonable approach, but I don't know how that differs, in the end, from the uber definition some folks have voiced a concern for.  Maybe we need to understand better what that concern is better.
[RW]
Oops, my comment about should have been identities rather than identifiers!

I think that it is helpful that identities are extensible and can easily be constructed in a modular way.  E.g. defining identities in different YANG modules, and/or putting them under if-feature allows implementations to choose which ones they actually support.

In ietf-crypto-types I would define the base identities for:


hash-algorithm, asymmetric-key-algorithm, mac-algorithm, encryption-algorithm, encryption-and-mac-algorithm, signature-algorithm, key-exchange-algorithm

Note, as an aside, I am I also wondering whether the “encryption-and-mac-algorithm” identity should derive from both “mac-algorithm” and “encryption-algorithm”?  Or perhaps it doesn’t need to be defined at all, and the actual identities can just derive from two base identities?

I then suggest that we put different identities into different YANG modules, perhaps something roughly like:

  *   Ietf-crypto-sha-types.yang for the SHA hash identities (RFC 6234)
  *   Ietf-crypto-rsa-types for RSA asymmetric-key-algorithm (RC 8017)
  *   Ietf-crypto-elliptic-curve-types for the Elliptic Curve based algorithms (RFC 6090, 5480, 8422)
  *   Ietf-crypto-mac-types – I’m not really sure how to organize the MAC algorithm types, or even if they need to be defined now.
  *   Ietf-crypto-aes-types – AES encryption types (RFC 4309)
  *   Ietf-crypto-ssh-types – das-sha1, rsaasa-pkcs1-sha1 (RFC 4253)
  *   Ietf-crypto-tls-types – (RFC 8446)
  *   Ietf-cyprto-dhe-types – Diffier Hellman key exchange (RFC 7919).  Actually, the key-exchanges algorithm types might need to be split up a bit further.

The key step is that I would say that NETCONF should only standardizes the ones that we need now.  For the others, we could potentially create the YANG modules and either hand this off to the security groups, or work whether them to standardize these through the appropriate WGs.




3.      I’m not sure that I understand why we would always want to always use ASN.1 to describe the keys for all algorithms.  Could we just leave the algorithm identities to define what format they use?   If we were to go back to using identities when we could have the choice of using multiple inheritance and then have a separate set of identities to allow the key formats to be defined.  Note, I have no objection to ASN.1 being used for some/most the keys if that is the right encoding.

Perhaps we can do both, say that the field is parsed according to its "algorithm" value, but for now, all algorithm identifiers happen to point to ASN.1 structures.
[RW]
Yes, in essence I think that is what I’m suggesting.

If this is really common, then an identity for “ASN.1 encoded” could also be defined and inherited by crypto type identities above.  I think that this depends on how useful it is to programmatically know that they are encoded in ASN.1

Thanks,
Rob

Hopefully the comments are useful, apologies if they are not!

All good.  Keep them coming.


Kent

v2.23.0 | Report a Bug | By Email