IETF Logo Mail Archive

Re: [Netconf] Mandatory local configuration in Keystore groupings

Balázs Kovács <balazs.kovacs@ericsson.com> Tue, 18 September 2018 09:39 UTC

Return-Path: <balazs.kovacs@ericsson.com>
X-Original-To: netconf@ietfa.amsl.com
Delivered-To: netconf@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 2EF26130EEF for <netconf@ietfa.amsl.com>; Tue, 18 Sep 2018 02:39:53 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.312
X-Spam-Level:
X-Spam-Status: No, score=-4.312 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_MED=-2.3, RCVD_IN_MSPIKE_H2=-0.001, SPF_PASS=-0.001, T_DKIMWL_WL_HIGH=-0.01] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=ericsson.com header.b=OwFanf+p; dkim=pass (1024-bit key) header.d=ericsson.com header.b=KTI+dvaK
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id JSP65zvSfon2 for <netconf@ietfa.amsl.com>; Tue, 18 Sep 2018 02:39:50 -0700 (PDT)
Received: from sessmg22.ericsson.net (sessmg22.ericsson.net [193.180.251.58]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 60434130E98 for <netconf@ietf.org>; Tue, 18 Sep 2018 02:39:50 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; d=ericsson.com; s=mailgw201801; c=relaxed/simple; q=dns/txt; i=@ericsson.com; t=1537263588; h=From:Sender:Reply-To:Subject:Date:Message-ID:To:CC:MIME-Version:Content-Type: Content-Transfer-Encoding:Content-ID:Content-Description:Resent-Date:Resent-From: Resent-Sender:Resent-To:Resent-Cc:Resent-Message-ID:In-Reply-To:References:List-Id: List-Help:List-Unsubscribe:List-Subscribe:List-Post:List-Owner:List-Archive; bh=jf1SaoTPvfukYWzydjWPejAoYt61FDMI99D4p9xRbvM=; b=OwFanf+pHdzIJT6UPdVlplauJktEm9JGODb9up4kLAtnb9gEhWEIafRAdLBSeYgS VbcunwU7PT41v7z0hanbFWnOx9qX/4IueT4PIOI0kmhHCb2wSeV5C59Zqbb88MDp k1v9JzO6D/qjAahPNoQ9lR5XU9JcyWnfp+Z3OiODYJk=;
X-AuditID: c1b4fb3a-75d969c000003197-70-5ba0c7e48905
Received: from ESESBMB503.ericsson.se (Unknown_Domain [153.88.183.116]) by sessmg22.ericsson.net (Symantec Mail Security) with SMTP id F1.E4.12695.4E7C0AB5; Tue, 18 Sep 2018 11:39:48 +0200 (CEST)
Received: from ESESBMR506.ericsson.se (153.88.183.202) by ESESBMB503.ericsson.se (153.88.183.170) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P256) id 15.1.1466.3; Tue, 18 Sep 2018 11:39:45 +0200
Received: from ESESSMB501.ericsson.se (153.88.183.162) by ESESBMR506.ericsson.se (153.88.183.202) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P256) id 15.1.1466.3; Tue, 18 Sep 2018 11:39:45 +0200
Received: from EUR04-VI1-obe.outbound.protection.outlook.com (153.88.183.157) by ESESSMB501.ericsson.se (153.88.183.162) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P256) id 15.1.1466.3 via Frontend Transport; Tue, 18 Sep 2018 11:39:45 +0200
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ericsson.com; s=selector1; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=zYxnCqWtG1FokUzO7kZSxBMA+VRzH5gPwcqJ5sfbUl0=; b=KTI+dvaKjtuqZt5OBp8N0zkF1rFOKPWHHkUNaIlaaRzvOmY/0G3uJkjEQb0N+vLn6tiHC6+11olgsPxE/2M0nM2zabjPIttTVooMS0XEK51V/Sa2mm14Y+gYoDmnt5mKQdYFWrtFMRuaz2viS+E0+L2gS4z2CdjIwahuKO/2Iuk=
Received: from VI1PR0701MB2016.eurprd07.prod.outlook.com (10.167.209.150) by VI1PR0701MB2879.eurprd07.prod.outlook.com (10.173.71.150) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.1164.15; Tue, 18 Sep 2018 09:39:44 +0000
Received: from VI1PR0701MB2016.eurprd07.prod.outlook.com ([fe80::bd7a:c3c7:f6f1:4e9]) by VI1PR0701MB2016.eurprd07.prod.outlook.com ([fe80::bd7a:c3c7:f6f1:4e9%4]) with mapi id 15.20.1164.014; Tue, 18 Sep 2018 09:39:40 +0000
From: Balázs Kovács <balazs.kovacs@ericsson.com>
To: Martin Bjorklund <mbj@tail-f.com>, "kwatsen@juniper.net" <kwatsen@juniper.net>
CC: Balázs Lengyel <balazs.lengyel@ericsson.com>, "netconf@ietf.org" <netconf@ietf.org>
Thread-Topic: [Netconf] Mandatory local configuration in Keystore groupings
Thread-Index: AQHUE4npYduSZhsf/U2Th8xceQbCUaSAzHaAgEmH34CAAG1ZgIAA+nAAgAPuH4CAA+yKAIABAxSAgAB6cACAAHFXIIAAWSCAgADMp9CAAnp9gIAFkemAgAFwH/CACoYJAIAAdAkAgADFpICACRlvgIAAdmGAgACclYCAACUMUA==
Date: Tue, 18 Sep 2018 09:39:40 +0000
Message-ID: <VI1PR0701MB2016707AE81A6F77719461D4831D0@VI1PR0701MB2016.eurprd07.prod.outlook.com>
References: <1F126D9A-775C-4590-A645-6529C3066C14@juniper.net> <20180917.163819.1278530557866964677.mbj@tail-f.com> <C024B669-5B39-47C9-91FE-3C8D3698BB1D@juniper.net> <20180918.090227.98113334613843662.mbj@tail-f.com>
In-Reply-To: <20180918.090227.98113334613843662.mbj@tail-f.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [89.135.192.225]
x-ms-publictraffictype: Email
x-microsoft-exchange-diagnostics: 1; VI1PR0701MB2879; 6:RAZ5kzzvd0wcCvkt5lXI+Ukdnihx+e9QYJY7nwuftaPmOBQ+wx97VHw6GXawDarSa0EdJnnm6C+UxGdAZI7CRjo+Kr8c06z1184rFI95qXnzf7M77itfVq74U2C7JkGqJV4sCQ5Tpv+8NiIZqweT3S2Ec84eCWdoW7lCsK4jlbqeVoOAEuXpvzLkQ1/TrnnGAEp2OT9TIoUchY+Gk+zHuON56SdYmmeaH5flTNSQLRLkQE4tDl3AJfl8waOfOjshMASr7ZV1wyZvXoGb5IdUBSDzM/xqWSds+RZ+CTYT07N3cme5MDbNv0t2DdXTLEPBtTigtI/HAR4tUKYMGOksHrNttiA+a/xcWv+OnJA6K22qJOP/P2hMwYoC64SlJoHbvHmSOYvid73GCFjwpk7UGyg4/5jfIElNFUJUF9l1iOq7NJ5+d/DerdBKGF3LV5gCGbkb/dE3sRnuGlXJ17AUww==; 5:a9xh9TKxnluchkQ0iEHbCoN+u1x53Tf5s9x+2sX4QkNNSBJqtSP056P0AsRmtqYBKAVwuZLw5kmqehfoE+3FRWpDtgThY8fgGlx/SrZUAw56QwbHJ9l7LEHeAj5pJdWHGsbc4zqk26xeChmEg5Y1UkDTgm4GDy+ogG1RtQEKqFI=; 7:XInSlpAlG7aAmtS/wTbbelry8EVDc7ysTiZM2BcuQ9SBw+q5uKZi0BFPnNV/8oTKflQD6SjjRBSIBPngxAOd6Jmz4or5Qx093zrxeyILhWzyZ2mxMk01fyam4jtD8VCU+HnASb1PXKdJiQGo/9kxiGjzd7XyLajJa6R13HkOaBAwbuk2NulSCtNk8D+O4KY3/SPLX4FAQQc/ToQqtvLBytxBXJT4eTkdJ/KNCCUKO31aVajWR6SS/NnCsDBAkXi/
x-ms-exchange-antispam-srfa-diagnostics: SOS;SOR;
x-forefront-antispam-report: SFV:SKI; SCL:-1; SFV:NSPM; SFS:(10009020)(366004)(346002)(376002)(136003)(396003)(39860400002)(51444003)(199004)(13464003)(189003)(93886005)(486006)(6116002)(14444005)(256004)(476003)(25786009)(6246003)(3846002)(14454004)(26005)(186003)(2906002)(8936002)(5250100002)(2900100001)(316002)(11346002)(86362001)(478600001)(6346003)(97736004)(2501003)(446003)(66066001)(4326008)(6436002)(76176011)(1941001)(5660300001)(53936002)(33656002)(54906003)(102836004)(99286004)(7736002)(110136005)(229853002)(53546011)(305945005)(74316002)(9686003)(6506007)(8676002)(55016002)(7696005)(81156014)(81166006)(68736007)(106356001)(105586002); DIR:OUT; SFP:1101; SCL:1; SRVR:VI1PR0701MB2879; H:VI1PR0701MB2016.eurprd07.prod.outlook.com; FPR:; SPF:None; LANG:en; PTR:InfoNoRecords; A:1; MX:1;
x-ms-office365-filtering-correlation-id: e06ce86a-7aa3-4866-2b51-08d61d4aa82f
x-microsoft-antispam: BCL:0; PCL:0; RULEID:(7020095)(4652040)(8989299)(4534165)(4627221)(201703031133081)(201702281549075)(8990200)(5600074)(711020)(2017052603328)(7153060)(7193020); SRVR:VI1PR0701MB2879;
x-ms-traffictypediagnostic: VI1PR0701MB2879:
x-microsoft-antispam-prvs: <VI1PR0701MB2879FAB64A366CC4AAD9BB81831D0@VI1PR0701MB2879.eurprd07.prod.outlook.com>
x-exchange-antispam-report-test: UriScan:(138986009662008)(248295561703944)(37575265505322);
x-ms-exchange-senderadcheck: 1
x-exchange-antispam-report-cfa-test: BCL:0; PCL:0; RULEID:(8211001083)(6040522)(2401047)(8121501046)(5005006)(3231355)(944501410)(52105095)(93006095)(93001095)(10201501046)(3002001)(149027)(150027)(6041310)(20161123558120)(20161123562045)(201703131423095)(201702281528075)(20161123555045)(201703061421075)(201703061406153)(20161123564045)(20161123560045)(201708071742011)(7699050)(76991041); SRVR:VI1PR0701MB2879; BCL:0; PCL:0; RULEID:; SRVR:VI1PR0701MB2879;
x-forefront-prvs: 0799B1B2D7
received-spf: None (protection.outlook.com: ericsson.com does not designate permitted sender hosts)
authentication-results: spf=none (sender IP is ) smtp.mailfrom=balazs.kovacs@ericsson.com;
x-microsoft-antispam-message-info: ZNFvrYfpQyPEdpKP3372VYlqm67UQ9MIq3w+qJlilBIGIyjOTNhZb9Wz9ERZ4Fma/yqKCZMHWFNIp4WxWSA8Pk60oK+kCukCwZXofWxa5f0gqDiYZbKKllJESgerAiJGAMOCh7EHAo530tQU4QZJMKZ+H2FSO+80mC/bVSORaOITmYe6UPaxWcItibpZwdR5AUK6q7RSlafOC8ntWEW+GMWV2bzR9dRFLeOZGRiedq+NgcinoC1DoHZpRMy97grNVzKS05apUbzjAdqChw5DjQ4WOgBLA4qb6Oq7s/6SOSB1B3q7xesdva0r/lnanntbH7xdPJLMPTl/yYTvIpYph2tNXIwPqk7u6nniWqwNZYo=
spamdiagnosticoutput: 1:99
spamdiagnosticmetadata: NSPM
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
X-MS-Exchange-CrossTenant-Network-Message-Id: e06ce86a-7aa3-4866-2b51-08d61d4aa82f
X-MS-Exchange-CrossTenant-originalarrivaltime: 18 Sep 2018 09:39:40.5382 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 92e84ceb-fbfd-47ab-be52-080c6b87953f
X-MS-Exchange-Transport-CrossTenantHeadersStamped: VI1PR0701MB2879
X-OriginatorOrg: ericsson.com
X-Brightmail-Tracker: H4sIAAAAAAAAA02Se0hTcRTH+e3e7d6tFr+W5kEJYugfZc1HD0aGT0pThP6QCA1y5fWBc8q9 S5v/ZIKim6RlA6eVs00llUjpOWc+QpcrFCOx6R8hrVbLPwLFV6Btuxb99/me8z18z4FDE7Lb wlC6SKNlWI1KLRdJSNPFF9qjboc5J3rVHakcuUcpDYZvlNI4sCBMJNKs1g1B2lz1LJXWv2kh zxPZktN5jLqonGGj4nMlha87aqkya9L1qs4lsgoNH9IjMQ34OIzNrJB6JKFleByBc34W8WIV wYZ3lPgnxmfsIl5YBeBwLwr8gsRNBHR6andsLQJwWdooXrgRTNgaBf4YET4DX00blJ+DcBbo O+4I/UxgNVSv9iI/78PpYBtaQLwnAxoMw4G1grANwXbfs8AwiSNgzTUUGJbiXHD1De6s+xnB autIwCTGCWDrryH8jPB+WHP2Cfi0EJh3twv4wzFY7dMEz8Hw48uWkGc5tHjnd/gAfGg3BAIA j1Bg2Zyg+EYMOB4N7ww3i6B+fY8e0T7O9IUpeP8kgkbHL8R7jkDvcBfFe0qhfknMly/B9lSz sAnFtv63Hs8K+GS8K+I5Ero6fhKtgZv3wqTJTZoR2YOCOYbjSgpiYxUMW3SV40o1Cg2jHUC+ Rxl9+vvUSzTqSRpDmEby3dLgV+YcmVBVzulKxhDQhDxIKlb7StI8la6SYUsvs9fUDDeGwmhS HiJNzldmy3CBSssUM0wZw/7tCmhxaBV6fCHfZCHbuvO33089b2OTFYMJ4WWZ0YneivBdXKyw 15leHzE3Y5hOl1QuR23Snc6Pb4xvi+PidNashzVPJrTLK7WNN+sW27Z6HINJ340z3Zobnit2 3Yk8s8drTF2PcJ9MORfmfZBS8e5+RvUxe/zZATK/wZU6pLulz6rTmQ7KSa5QFXOYYDnVH+a8 SKIkAwAA
Archived-At: <https://mailarchive.ietf.org/arch/msg/netconf/XacYeBGSY4Dwhq7RKJu1zN2XPo0>
Subject: Re: [Netconf] Mandatory local configuration in Keystore groupings
X-BeenThere: netconf@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Network Configuration WG mailing list <netconf.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/netconf>, <mailto:netconf-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/netconf/>
List-Post: <mailto:netconf@ietf.org>
List-Help: <mailto:netconf-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/netconf>, <mailto:netconf-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 18 Sep 2018 09:39:53 -0000

Hi,

I'd just emphasize that in creation step of hidden key, the name must be coordinated between step A/1&2 by external application logic. Same holds for deletion of hidden key for A/1&2. "Same name" is important.

Enabling the possibility for 'require instance true' would be also good remark on the side of (C).

Regarding manufactured keys, I would not expect manufactured keys to be used in other common models, such as in TLS/SSH use cases. If they have some specific use case, maybe those models could either have 'require instance false' or it could be said to create an empty key for them as Martin described.

Br,
Balazs

-----Original Message-----
From: Martin Bjorklund <mbj@tail-f.com> 
Sent: Tuesday, September 18, 2018 9:02 AM
To: kwatsen@juniper.net
Cc: Balázs Kovács <balazs.kovacs@ericsson.com>; Balázs Lengyel <balazs.lengyel@ericsson.com>; netconf@ietf.org
Subject: Re: [Netconf] Mandatory local configuration in Keystore groupings

Hi,

Ok, so we have these two alternatives illustrated below.  There are some details that probably are wrong, but it doesn't really matter at this stage.  With (A), there is one more action to control the lifespan of keys (delete-hidden-key).

In the case that the key is given as config, A and C works in the same way.

In the case that the key is permanent, A and C also works in the same way.

A and C differ in how hidden keys are handled.


In order to create a hidden key + certificate, the steps are:

A:  1. call generate-hidden-key with a given name
    2. create an asymmetric-key with the same name in the config
    3. call generate-certificate-signing-request
    4. <get hold of a cert>
    5. create the certificate in the config

(step 1 and 2 can be done in reverse order)

C   1. create an asymmetric-key in the config
    2. call generate-hidden-key on this key
    3. call generate-certificate-signing-request
    4. <get hold of a cert>
    5. create the certificate in the config

In order to delete a hidden key completely:

A:  1. call delete-hidden-key on the asymmetric-key to be deleted
    2. delete the asymmetric-key from the config

C:  1. delete the asymmetric-key from the config



In summary, they are very similar.

One possible twist that probably works best for C could be to use leafrefs with require instance true, and say that in order to use a permanent key (created during manufacturing), you first need to create config for the key (more or less empty config).  The benefit is that we get proper leafref validation (no dangling pointers to handle in all other models).  FWIW, this is the approach taken in ietf-interfaces.

If we don't do this twist, I think that we can use either of A and C.



/martin




Kent Watsen <kwatsen@juniper.net> wrote:
> 
> > With (A), once you have generated the key, you first have to create
> > the config for it, then invoke the action.   With (C) (99% of) the 
> > keys already exist in the config, so you can just invoke the action.
> 
> I don't follow.  What I see is that, with (A), a hidden key can be 
> created with a single action invocation while, with (C), first a 
> configuration operation is needed to create the "asymmetric-key"
> (without the three leafs) followed by an action invocation (to 
> populate the three leafs).
> 
> 
> > To summarize, A and C both get the job done.  Which one is better is 
> > probably subjective.  I think (C) is might be easier to understand.
> 
> Okay, let's see how it looks.  Bubbling all the ideas to the top, I 
> created the below tree-diagrams.  Note, in both cases, the three 
> "mandatory true" leafs are replaced with an all-or-nothing "must"
> expression:
> 
> 
> (A) Uses RFC 8342 Section C.3.2 style config overlays for all hidden keys;
>     and an action statement is used to delete all hidden keys.
> 
>      +--rw keystore
>         +--rw asymmetric-keys
>            +--rw asymmetric-key* [name]
>            |  +--rw name                            string
>            |  +--rw algorithm?                      ct:key-algorithm-ref
>            |  +--rw public-key?                     binary
>            |  +--rw private-key?                    union
>            |  +---m "(algorithm and public-key and private-key)
>            |  |       or not (algorithm or public-key or private-key)";
>            |  +--rw certificates
>            |  |  +--rw certificate* [name]
>            |  |     +--rw name                      string
>            |  |     +--rw cert                      ct:end-entity-cert-cms
>            |  |     +---n certificate-expiration
>            |  |        +-- expiration-date?         yang:date-and-time
>            |  +---x generate-certificate-signing-request
>            |  |  +---w input                        // KEY MAY BE IN <OPERATONAL>
>            |  |  |  +---w subject                   binary
>            |  |  |  +---w attributes?               binary
>            |  |  +--ro output
>            |  |     +--ro certificate-signing-request    binary
>            |  +---x delete-hidden-key
>            |        // no params
>            +---x generate-hidden-key
>            |  +---w input                           // RESULT IN <OPERATONAL>
>            |     +---w name                         string
>            |     +---w algorithm                    ct:key-algorithm-ref
>            +---x load-hidden-key
>               +---w input                           // RESULT IN <OPERATONAL>
>                  +---w name                         string
>                  +---w algorithm                    ct:key-algorithm-ref
>                  +---w public-key                   binary
>                  +---w private-key                  union
> 
> 
> (C) Uses RFC 8342 Section C.3.2 style config overlays only for hidden keys
>     created in <operational> (i.e., during manufacturing).  But if there is
>     even just one key created during Manufacturing, and it doesn't appear
>     in <intended>, then leafrefs still need to be "require-instance false",
>     right? Also, it seems that such keys could never be deleted, unlike 
>     other hidden keys, but that is probably okay (correct behavior).
> 
>      +--rw keystore
>         +--rw asymmetric-keys
>            +--rw asymmetric-key* [name]
>               +--rw name                            string
>               +--rw algorithm?                      ct:key-algorithm-ref
>               +--rw public-key?                     binary
>               +--rw private-key?                    union
>               +---m "(algorithm and public-key and private-key)
>               |       or not (algorithm or public-key or private-key)";
>               +--rw certificates
>               |  +--rw certificate* [name]
>               |     +--rw name                      string
>               |     +--rw cert                      ct:end-entity-cert-cms 
>               |     +---n certificate-expiration
>               |        +-- expiration-date?         yang:date-and-time
>               +---x generate-hidden-key
>               |  +---w input                        // RESULT IN <OPERATONAL>
>               |     +---w name                      string
>               |     +---w algorithm                 ct:key-algorithm-ref
>               +---x load-hidden-key
>               |  +---w input                        // RESULT IN <OPERATONAL>
>               |     +---w name                      string
>               |     +---w algorithm                 ct:key-algorithm-ref
>               |     +---w public-key                binary
>               |     +---w private-key               union
>               +---x generate-certificate-signing-request
>                  +---w input                        // KEY MAY BE IN <OPERATONAL>
>                  |  +---w subject                   binary
>                  |  +---w attributes?               binary
>                  +--ro output
>                     +--ro certificate-signing-request    binary
> 
> 
> 
> 
> Kent // contributor
> 
> 
>

v2.23.0 | Report a Bug | By Email