Re: [netconf] client identification in ietf-netconf-server

Kent Watsen <kent+ietf@watsen.net> Thu, 14 November 2019 15:57 UTC

Return-Path: <0100016e6aa1e34a-48a429a3-1b27-433a-b533-52748a0c29b1-000000@amazonses.watsen.net>
X-Original-To: netconf@ietfa.amsl.com
Delivered-To: netconf@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C7A071200B8 for <netconf@ietfa.amsl.com>; Thu, 14 Nov 2019 07:57:08 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.897
X-Spam-Level:
X-Spam-Status: No, score=-1.897 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_NONE=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=amazonses.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id lXOwfvsVs9RS for <netconf@ietfa.amsl.com>; Thu, 14 Nov 2019 07:57:06 -0800 (PST)
Received: from a8-31.smtp-out.amazonses.com (a8-31.smtp-out.amazonses.com [54.240.8.31]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 48352120033 for <netconf@ietf.org>; Thu, 14 Nov 2019 07:57:06 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/simple; s=6gbrjpgwjskckoa6a5zn6fwqkn67xbtw; d=amazonses.com; t=1573747024; h=From:Message-Id:Content-Type:Mime-Version:Subject:Date:In-Reply-To:Cc:To:References:Feedback-ID; bh=W9KMRCyQ2JXGP0fGBqP+YK//crA4ypFdT8MScxOGh6o=; b=AW1Mb7KrGbe8wUp0nfugO06j8DW9jyc4VjY0cmHoBIF47OxXMymzt6nKHXOXeAP7 abZi6d/Xrxam2cb/pIyWybIaWrzjrl/Mb+ZBI3CvyVydInqWJPXJSSIsUiPGvuw5ptM EwKSct23jKXimIu4cdNgMnrJsQkpc8SlVlWYWldE=
From: Kent Watsen <kent+ietf@watsen.net>
Message-ID: <0100016e6aa1e34a-48a429a3-1b27-433a-b533-52748a0c29b1-000000@email.amazonses.com>
Content-Type: multipart/alternative; boundary="Apple-Mail=_736B9A22-F4BD-4ADC-8831-A5EB21DFAA91"
Mime-Version: 1.0 (Mac OS X Mail 12.4 \(3445.104.11\))
Date: Thu, 14 Nov 2019 15:57:04 +0000
In-Reply-To: <20191114.085152.69723351117040013.mbj@tail-f.com>
Cc: "netconf@ietf.org" <netconf@ietf.org>
To: Martin Bjorklund <mbj@tail-f.com>
References: <0100016e4d8323b0-2a182947-485d-43e6-908c-13bc5ad2f210-000000@email.amazonses.com> <20191111.110013.2019956803552089416.mbj@tail-f.com> <0100016e661a2f48-26561fed-a533-4aec-8ad1-d68582b82b39-000000@email.amazonses.com> <20191114.085152.69723351117040013.mbj@tail-f.com>
X-Mailer: Apple Mail (2.3445.104.11)
X-SES-Outgoing: 2019.11.14-54.240.8.31
Feedback-ID: 1.us-east-1.DKmIRZFhhsBhtmFMNikgwZUWVrODEw9qVcPhqJEI2DA=:AmazonSES
Archived-At: <https://mailarchive.ietf.org/arch/msg/netconf/XN4ms3waP1OEd3Pq2Lj4CCQ_AM4>
Subject: Re: [netconf] client identification in ietf-netconf-server
X-BeenThere: netconf@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: NETCONF WG list <netconf.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/netconf>, <mailto:netconf-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/netconf/>
List-Post: <mailto:netconf@ietf.org>
List-Help: <mailto:netconf-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/netconf>, <mailto:netconf-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 14 Nov 2019 15:57:09 -0000


> On Nov 14, 2019, at 2:51 AM, Martin Bjorklund <mbj@tail-f.com> wrote:
> 
> Kent Watsen <kent+ietf@watsen.net> wrote:
>> Hi Martin,
>> 
>> 
>>> Martin Bjorklund <mbj@tail-f.com> wrote:
>>> 
>>> Hi,
>>> 
>>> Kent Watsen <kent+ietf@watsen.net> wrote:
>>>> 
>>>> Hi Martin,
>>>> 
>>>> [Not trimming down because too much context would be lost.]
>>>> 
>>>> 
>>>>>>> The ietf-netconf-server module has this:
>>>>>>> 
>>>>>>> grouping netconf-server-grouping {
>>>>>>> ...
>>>>>>> container client-identification {
>>>>>>>   ...
>>>>>>>   container cert-maps {
>>>>>>>     when "../../../../tls";
>>>>>>>     uses x509c2n:cert-to-name;
>>>>>>>     ...
>>>>>>>   }
>>>>>>> }
>>>>>>> }
>>>>>>> 
>>>>>>> Note the "when" expression.  This means that the grouping has a strong
>>>>>>> depency on where is it used.  We should try to avoid such a design.
>>>>>> 
>>>>>> 
>>>>>> Would this be better?   
>>>>>> 
>>>>>> OLD
>>>>>>     when "../../../../tls";
>>>>>> 
>>>>>> NEW
>>>>>> 	if-feature "tls-listen or tls-call-home";
>>>>> 
>>>>> Yes, but see below.
>>>>> 
>>>>> 
>>>>>>> But should't this cert-to-name list be available when x509-certs are
>>>>>>> used also with SSH?
>>>>>> 
>>>>>> Hmmm.  I'd assumed that, with RFC 6187, the username was still passed
>>>>>> as its own field, but I see this in Section 4:
>>>>>> 
>>>>>> For the purposes of user authentication, the mapping between
>>>>>> certificates and user names is left as an implementation and
>>>>>> configuration issue for implementers and system administrators.
>>>>> 
>>>>> If the username was used as identification it would mean that with a
>>>>> valid cert I could present myself as any user!
>>>>> 
>>>>>> So you may be right about that.  I only ever looked at RFC 6187 from
>>>>>> the perspective of the server presenting an IDevID certificate.  But,
>>>>>> assuming it's true, then perhaps this:
>>>>>> 
>>>>>> NEWEST:
>>>>>> 	if-feature "tls-listen or tls-call-home or sshcmn:ssh-x509-certs";
>>>>> 
>>>>> Ok.
>>>>> 
>>>>> This gives:
>>>>> 
>>>>> grouping netconf-server-grouping {
>>>>>  description ...;
>>>>>  container client-identification {
>>>>>    description
>>>>>      "Specifies a mapping through which clients MAY be identified
>>>>>       (i.e., the NETCONF username) from a supplied certificate.
>>>>>       Note that a client MAY alternatively be identified via an
>>>>>       alternate authentication scheme.";
>>>>>    container cert-maps {
>>>>>      if-feature "tls-listen or tls-call-home or sshcmn:ssh-x509-certs";
>>>> 
>>>> Yes.
>>>> 
>>>>> But since the description of the "client-identification" says that it
>>>>> is used only with certificates, perhaps that container's name should
>>>>> reflect this, and the if-feature statement moved to that container?
>>>>> Perhaps:
>>>>> 
>>>>>  container client-cert-identification
>>>>>    if-feature "tls-listen or tls-call-home or sshcmn:ssh-x509-certs";
>>>>> 
>>>>> and also perhaps remove 'cert-maps', and use the cert-to-name grouping
>>>>> directly here?
>>>> 
>>>> Good.  My only hesitation is that someday there may be a need for
>>>> another way to identify clients, but that sounds too far out (even for
>>>> me) to squabble over.  But a better name is needed.
>>>> "cert-based-client-identification" would be more accurate, but that
>>>> seems overly long.  Looking at a snippet of config might help...
>>>> 
>>>>     netconf-server-parameters : {
>>>>       something-here : [
>>>>         {
>>>>           cert-to-name : { ... }
>>>>           cert-to-name : { ... },
>>>>           ...
>>>>           cert-to-name : { ... }
>>>>         }
>>>>       ]
>>>>     }
>>>> 
>>>> How about "cert-to-name-mappings"?  ( know, almost the same length,
>>>> but half the number of syllables!).  But that name leaves out the word
>>>> "identity", which is may be important in security circles, so maybe
>>>> "client-identity-mappings"?
>>> 
>>> I think this name is as generic as "client-identification".  The best
>>> so far imo is "cert-based-client-identification".  A bit long, but
>>> descripitive.
>> 
>> Actually, I think we should go back to "client-identification" now that raw-public-key and pre-shared/pairwise-symmetric key (PSK) has been added as alternate ways that TLS clients and servers may identify themselves and authenticate peers.   Thus it seems that there is a need to map usernames from things other than just certificates.
> 
> I think I'll have to see how that works out.  But if the container is
> more general than just client certificates, then the description text
> needs to be updated.

Agreed.  Actually, saying just this was going to be my response a couple days ago, but then I saw how everything flattened out and I held my tongue.  But, yes, updating the description text would be a prerequisite.

In an effort to stem the effort, unless someone else wants to drive it, and the WG agrees, I think that it would be okay for the NETCONF/RESTCONF modules to leave defining how to map PSK/RPK keys to usernames to a future effort.   We will have successfully added PSK/RPK keys for Henk's needs (CoAP), while having a clear path for to proceed if ever NETCONF wants to pick it up.



>>> Hmm, I realize that I have misunderstood 'host-keys' here.  How
>>> exactly is this supposed to be used?  This is the client
>>> authentication part of a server.  How is the *host* key used here by
>>> the server?   I mean, the client doesn't present a host key to the
>>> server, so I don't understand what this is.
>> 
>> It seems that I've been overzealous with the term "host-key" here.  In SSH, a "host-key" is a special term for the server's public key.  Clients may also authenticate using a public key, but there isn't a special term for that case.   RFC 4252 states that clients can authenticate using "publickey", "password", and "hostbased".   Per RFC 6187, section 1, 1st paragraph, the "publickey" algorithm is is also used for X.509 certificates (e.g., x509v3-rsa2048-sha256).
> 
> So what is the conclusion?  Remove host-key here?  Or was the
> intention that this is the user's public key?

User's publickey.


Kent // contributor