Re: [netconf] ietf crypto types - permanently hidden

"Rob Wilton (rwilton)" <rwilton@cisco.com> Fri, 03 May 2019 09:15 UTC

Return-Path: <rwilton@cisco.com>
X-Original-To: netconf@ietfa.amsl.com
Delivered-To: netconf@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 126BE1200B8 for <netconf@ietfa.amsl.com>; Fri, 3 May 2019 02:15:45 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -14.502
X-Spam-Level:
X-Spam-Status: No, score=-14.502 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_MED=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_HI=-5, SPF_PASS=-0.001, USER_IN_DEF_DKIM_WL=-7.5] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=cisco.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Watw9ZB4ZnhM for <netconf@ietfa.amsl.com>; Fri, 3 May 2019 02:15:43 -0700 (PDT)
Received: from alln-iport-6.cisco.com (alln-iport-6.cisco.com [173.37.142.93]) (using TLSv1.2 with cipher DHE-RSA-SEED-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 3490512006D for <netconf@ietf.org>; Fri, 3 May 2019 02:15:43 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cisco.com; i=@cisco.com; l=9172; q=dns/txt; s=iport; t=1556874943; x=1558084543; h=from:to:cc:subject:date:message-id:references: in-reply-to:content-transfer-encoding:mime-version; bh=Wkpi9IPT0SZqhaLt0Zd+sf6Ru9JymnIUReWAHEsJub0=; b=ArA2zp6sixBl6P+f9Cv5hNVnM2OxslSO6dSpojR91ks/UrgcVXPqjBh3 T4AfIVTSfaWJIwzzhtgdHBrmrlFUvAM1XM+f1bQTceGJfkIgZRgnV2v3I jPj7z/k6dQiKeHpXhu32zysEt6uTPilIe3t0D+cRg3q5EfgOmsfZvfWni g=;
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: =?us-ascii?q?A0ADAADVBcxc/5ldJa1bCAIZAQEBAQE?= =?us-ascii?q?BAQEBAQEBBwEBAQEBAYFRBAEBAQEBCwGCEIFtKAqEBogcjQh+l1QUgWcOAQG?= =?us-ascii?q?EbQIXhh0jNAkOAQMBAQQBAQIBAm0ohUoBAQEDASMRRQwEAgEIDgIBBAEBAQI?= =?us-ascii?q?CEhQCAgIwFQgIAgQOBQgThQMPrimBL4o1gQsnAYoIgSYdF4FAP4ERgl01PoQ?= =?us-ascii?q?ZEwJeDII2glgEixCCPYRslHQJAoIJkjwjlUaDbp0TAhEVgTAfOIFWcBWDJ4I?= =?us-ascii?q?bF44fQTGQRoEigSEBAQ?=
X-IronPort-AV: E=Sophos;i="5.60,425,1549929600"; d="scan'208";a="270874927"
Received: from rcdn-core-2.cisco.com ([173.37.93.153]) by alln-iport-6.cisco.com with ESMTP/TLS/DHE-RSA-SEED-SHA; 03 May 2019 09:15:41 +0000
Received: from XCH-ALN-007.cisco.com (xch-aln-007.cisco.com [173.36.7.17]) by rcdn-core-2.cisco.com (8.15.2/8.15.2) with ESMTPS id x439FfS9013148 (version=TLSv1.2 cipher=AES256-SHA bits=256 verify=FAIL); Fri, 3 May 2019 09:15:41 GMT
Received: from xch-rcd-007.cisco.com (173.37.102.17) by XCH-ALN-007.cisco.com (173.36.7.17) with Microsoft SMTP Server (TLS) id 15.0.1473.3; Fri, 3 May 2019 04:15:41 -0500
Received: from xch-rcd-007.cisco.com ([173.37.102.17]) by XCH-RCD-007.cisco.com ([173.37.102.17]) with mapi id 15.00.1473.003; Fri, 3 May 2019 04:15:40 -0500
From: "Rob Wilton (rwilton)" <rwilton@cisco.com>
To: Martin Bjorklund <mbj@tail-f.com>
CC: "j.schoenwaelder@jacobs-university.de" <j.schoenwaelder@jacobs-university.de>, "netconf@ietf.org" <netconf@ietf.org>
Thread-Topic: [netconf] ietf crypto types - permanently hidden
Thread-Index: AdTf8DCbvspujhISQkyURJOX9ReFpAL4+PiAAAVM54ADt02zAAAGzCgAAAQfJ4AABQvugADqhRSAAAgkE4AAKD/bgAABK6oAAAGYSwAABxXrgAA8jwUAAA4ykpAAOGfLgAAGk8Wg
Date: Fri, 3 May 2019 09:15:40 +0000
Message-ID: <3208a877354745fa85188b81a3d8aa24@XCH-RCD-007.cisco.com>
References: <20190430161223.cwqfsyyxbtnkqbl7@anna.jacobs.jacobs-university.de> <20190501.230622.158012882760210627.mbj@tail-f.com> <e30aa60f31ba40e8abc9cfaeffad7802@XCH-RCD-007.cisco.com> <20190503.084757.791827158808672980.mbj@tail-f.com>
In-Reply-To: <20190503.084757.791827158808672980.mbj@tail-f.com>
Accept-Language: en-GB, en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-ms-exchange-transport-fromentityheader: Hosted
x-originating-ip: [10.63.23.60]
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: base64
MIME-Version: 1.0
X-Outbound-SMTP-Client: 173.36.7.17, xch-aln-007.cisco.com
X-Outbound-Node: rcdn-core-2.cisco.com
Archived-At: <https://mailarchive.ietf.org/arch/msg/netconf/Xnr1sb-FbI5_56MS5wodLWdHmWM>
Subject: Re: [netconf] ietf crypto types - permanently hidden
X-BeenThere: netconf@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: NETCONF WG list <netconf.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/netconf>, <mailto:netconf-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/netconf/>
List-Post: <mailto:netconf@ietf.org>
List-Help: <mailto:netconf-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/netconf>, <mailto:netconf-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 03 May 2019 09:15:45 -0000


> -----Original Message-----
> From: Martin Bjorklund <mbj@tail-f.com>;
> Sent: 03 May 2019 07:48
> To: Rob Wilton (rwilton) <rwilton@cisco.com>;
> Cc: j.schoenwaelder@jacobs-university.de; netconf@ietf.org
> Subject: Re: [netconf] ietf crypto types - permanently hidden
> 
> "Rob Wilton (rwilton)" <rwilton@cisco.com>; wrote:
> > Hi Martin,
> >
> > > -----Original Message-----
> > > From: netconf <netconf-bounces@ietf.org>; On Behalf Of Martin
> > > Bjorklund
> > > Sent: 01 May 2019 22:06
> > > To: j.schoenwaelder@jacobs-university.de
> > > Cc: netconf@ietf.org
> > > Subject: Re: [netconf] ietf crypto types - permanently hidden
> > >
> > > Hi,
> > >
> > > Juergen Schoenwaelder <j.schoenwaelder@jacobs-university.de>; wrote:
> > > > On Tue, Apr 30, 2019 at 02:49:30PM +0200, Martin Bjorklund wrote:
> > > > > Kent Watsen <kent+ietf@watsen.net>; wrote:
> > > > > >
> > > > > > Correct, as I didn’t think there was consensus yet.  Perhaps
> > > > > > there is rough-consensus, and it may be that the only way to
> > > > > > gauge that is to try and see how much push back there is.
> > > > > >
> > > > > > Okay, so how about this, based on this thread, there appears
> > > > > > to be support to add a flag to control if a key should be
> > > > > > “permanently hidden” or not, in which case configuration is created.
> > > > >
> > > > > I (still) object to this.  Actions shouldn't create config.  We
> > > > > already have generic protcol operations to do this.  We go from
> > > > > a document-oriented configuration model towards a
> > > > > command-oriented model.  Not good.  In RESTCONF, the generic
> > > > > methods support things like ETags, which I suspect you don't want to
> replicate in this
> > > > > action?   Will the action support all error-options of edit-config,
> > > > > like rollback-on-error?
> > > > >
> > > >
> > > > Martin,
> > > >
> > > > do you have any proposal how to support the requirement to
> > > > generate a key on the device that is workable with a
> > > > document-oriented configuration model? Do you propose that the
> > > > action/rpc returns the public key information as result data that
> > > > then needs to be written back to the server and somehow matched to
> > > > the key that is cached on the device? Perhaps you have other ideas I can't
> think of?
> > > >
> > > > I think I would be happy to not have this special hack but then we
> > > > need a workable alternative. Key generation on devices is
> > > > something that is being used - and may be even more used in the
> > > > future the more we get special hardware support for storing keys.
> > >
> > > So the current draft supports two use cases:
> > >
> > >   1.  The client configures the private and public keys explicitly
> > >       (simple case).  Both keys are availible in the config and
> > >       operaional state.
> > >
> > >   2.  The client asks the device to generate a "hidden" key which may
> > >       be a key in special TPM hardware.
> > >
> > > For 2, the client configures the name of the key (in <running>).
> > > Then the client invokes the action (in <operational>).  The device
> > > generates a new key pair (perhaps in tpm-hw).  In <operational>, the
> > > public key is now visible and the private key has the special enum
> > > "permanently-hidden".
> >
> > Why is a separate action required to create the keys?
> >
> > Why is the configuration to generate a hidden key not sufficient for
> > the device to automatically allocate a key in the TPM module?
> 
> This is a very good question.  Why don't we have actions for "create-interface',
> "create-user" or "create-acl"?  In all these cases we have config that a device
> internally parses and translates to some internal procedure (perhaps ifconfig,
> adduser, iptables etc).

For me, the ideal goal is that the configuration is intent based.  I.e. rather than telling the device what sequence of steps it should perform, it is telling the device what state the device should be trying to get into.

So for an interface, the intent of the interface configuration is "I want interface XXX to exist on the device, be enabled, have this IPv4 address configured on it".  As a client, I don't care what internal steps the device needs to take to reach this state, if it gets to this desired state.  Similarly, if something transiently goes wrong on the device, then it should always try to recover towards the desired state expressed in the intended configuration.

I think that users is a slightly orthogonal issue.  I think that the external primary manageability key for users should be unique usernames.  Certainly, whenever I log into any machine it is my username that I use to identify myself.  When I look folks up in the directory I do it via their name, not their userid.  In some cases, it might be desirable to use the same userid across multiple machines.  This can be achieved by having extra optional configuration to express this.  Otherwise, I think that userids should primarily be treated as internal user identifiers that need to persisted along with any files associated with the user.

> 
> In a way, this case is different b/c the client needs control of
> *when* the key is generated.  We cannot copy & paste some config to another
> device and expect it to work exactly the same.  OTOH that probably is true for
> other things as well; if a user has been created in the config there might be files
> owned by that user stored in the home directory.
> 
> Also, we might need the option to re-generate the key (even though the current
> version doesn't support this).  But *this* could be done w/ an action (if we need
> to support it).

Exactly.  Using an action to regenerate an internally managed key is fine.  This is equivalent to an action to reboot a linecard or clear some statistics.  This hasn't changed the intent of what the desired state the system should be in.

The alternative to the action would be to remove the config, wait until the device has confirmed that the key is removed (in operational), and then configure it again.


> 
> What did I miss; what makes this case special so that it can't be handled like
> other config?

For me, I think that the special cases are:
 (i) The ability to force a key to be recreated (i.e. the action described above)
 (ii) The ability to program a client defined key pair in a private way that is not visible in the configuration.  Have we considered a solution that puts these into the configuration but has them encrypted with a device specific public/private key pair.

Thanks,
Rob


> 
> 
> /martin