Re: [Netconf] send 'version' in zerotouch url?
Kent Watsen <kwatsen@juniper.net> Tue, 22 August 2017 18:56 UTC
Return-Path: <kwatsen@juniper.net>
X-Original-To: netconf@ietfa.amsl.com
Delivered-To: netconf@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 782AF1323C0 for <netconf@ietfa.amsl.com>; Tue, 22 Aug 2017 11:56:20 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.801
X-Spam-Level:
X-Spam-Status: No, score=-4.801 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_MSPIKE_H2=-2.8, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=juniper.net
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id yF5onF5bdRBN for <netconf@ietfa.amsl.com>; Tue, 22 Aug 2017 11:56:18 -0700 (PDT)
Received: from NAM02-SN1-obe.outbound.protection.outlook.com (mail-sn1nam02on0137.outbound.protection.outlook.com [104.47.36.137]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 4D8AA1323B8 for <netconf@ietf.org>; Tue, 22 Aug 2017 11:56:18 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=juniper.net; s=selector1; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version; bh=BEESCzKtkLHhmE1Ld0tmd/7k7dvvy14x45SMvCAA1As=; b=Mt5cg8nJ2KPTlIe5KZgaD14yc1WArWtxhkCmmdC8JQ557TDVs7UdEslZsXN0K9KQSPXcn2kvgnXgr+/HSNr/QcvWGdrw35fCUU5U8FLDwUXxLLEWpOiAME4bB5QMCJVyUq1A2Q9EMgt/CatKygnJ+mVDvZS0iisQOgbjd/haVtk=
Received: from CY1PR0501MB1450.namprd05.prod.outlook.com (10.160.149.11) by CY1PR0501MB1241.namprd05.prod.outlook.com (10.160.225.152) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P256) id 15.1.1385.4; Tue, 22 Aug 2017 18:56:16 +0000
Received: from CY1PR0501MB1450.namprd05.prod.outlook.com ([10.160.149.11]) by CY1PR0501MB1450.namprd05.prod.outlook.com ([10.160.149.11]) with mapi id 15.01.1385.008; Tue, 22 Aug 2017 18:56:16 +0000
From: Kent Watsen <kwatsen@juniper.net>
To: "netconf@ietf.org" <netconf@ietf.org>
Thread-Topic: [Netconf] send 'version' in zerotouch url?
Thread-Index: AQHTG3hVIRQDzsenIkK0F81ZhuuEkQ==
Date: Tue, 22 Aug 2017 18:56:16 +0000
Message-ID: <13059E81-66EB-40A4-AC34-BE35C4B748FA@juniper.net>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
user-agent: Microsoft-MacOutlook/f.20.0.170309
x-originating-ip: [66.129.241.14]
x-ms-publictraffictype: Email
x-microsoft-exchange-diagnostics: 1; CY1PR0501MB1241; 6:77nCJ3QccBcMB9cRnW6/JcrtCiG1dxEO1D/GXO0TrfsUjqTT/oufEY37baPKWBjReNHvqX0RpQvRwLf5hH+93ohmmBlrifpwM6Z8R4CWTMHGWuU7H9wg76pbNTp9eARQKFPqgVPVWXz/D0Z1Pqw69HP5EEB8txUCJrSk4KbcIQP0nD+A2sriZqX8ZlQDIV96aXdsoISvQWKaVL7LpGlYq3SYEwWJSuO9bHicoyUgh04bMs3DfU7I2grYRVzBobvhi3hJIQNRB5e0ezYV2aNjk9ctkI8QXS9hRI0lu4jF1ZlMJ8xfAcZnp0kg2lKSWSI2F8PjyRKb8JFCq11KS2Qw1g==; 5:/926Lazm1s9bxkNi3sV+Jboyx0m632c2fkeiz9L2R+3dR/grGVPHVh6HznI3toxLBWy1Zxc9wD2FirJs7rE2RKRULDOWr911jLTktIrVSrlclgEXhexykkfCCLxvRUHmkwmpZgiGgoVp0AVIy9Iteg==; 24:Mb9Q4MJonl0Bhad/dtUWSLZPyPXBUPboxR1HILpKwx57Lgltqmuc78K2cvZ2mcrjJP9cc/UaCyvcDqBSyprvXIlVtsYIGWb8sWvqYyK5WoQ=; 7:ja7hDemN5gCGjFBSBrsgOt9TNKm8vtZxsXeWrvP0rsTQYaR9wGRo0nmJkLZtI1zYRoQJejyjspxFf230QbcW8t9Bf1zbgkCwyphAYXZS1XPhr5tYNkkrzhNEat49DxrJu5iUVB4j4aw77YJ2K/BLpSKQ7N4It8W77v2T58gr8hTXDlvnNoMrfIp2czbmsxvsM4UNScIRyn/tAGcKNEtbIkscTBk59Nx5DpQXjucnKZc=
x-ms-exchange-antispam-srfa-diagnostics: SSOS;
x-ms-office365-filtering-correlation-id: 29763256-7a60-4897-630b-08d4e98f77d3
x-ms-office365-filtering-ht: Tenant
x-microsoft-antispam: UriScan:; BCL:0; PCL:0; RULEID:(300000500095)(300135000095)(300000501095)(300135300095)(300000502095)(300135100095)(22001)(2017030254152)(48565401081)(300000503095)(300135400095)(2017052603172)(201703131423075)(201703031133081)(201702281549075)(300000504095)(300135200095)(300000505095)(300135600095)(300000506095)(300135500095); SRVR:CY1PR0501MB1241;
x-ms-traffictypediagnostic: CY1PR0501MB1241:
authentication-results: spf=none (sender IP is ) smtp.mailfrom=kwatsen@juniper.net;
x-exchange-antispam-report-test: UriScan:(60795455431006)(158342451672863);
x-microsoft-antispam-prvs: <CY1PR0501MB1241B179FFEC1ECC074E5964A5840@CY1PR0501MB1241.namprd05.prod.outlook.com>
x-exchange-antispam-report-cfa-test: BCL:0; PCL:0; RULEID:(100000700101)(100105000095)(100000701101)(100105300095)(100000702101)(100105100095)(6040450)(601004)(2401047)(5005006)(8121501046)(10201501046)(100000703101)(100105400095)(93006095)(93001095)(3002001)(6055026)(6041248)(20161123555025)(20161123560025)(201703131423075)(201702281528075)(201703061421075)(201703061406153)(20161123558100)(20161123564025)(20161123562025)(6072148)(201708071742011)(100000704101)(100105200095)(100000705101)(100105500095); SRVR:CY1PR0501MB1241; BCL:0; PCL:0; RULEID:(100000800101)(100110000095)(100000801101)(100110300095)(100000802101)(100110100095)(100000803101)(100110400095)(100000804101)(100110200095)(100000805101)(100110500095); SRVR:CY1PR0501MB1241;
x-forefront-prvs: 04073E895A
x-forefront-antispam-report: SFV:NSPM; SFS:(10019020)(6009001)(39860400002)(199003)(189002)(51444003)(40224003)(83716003)(6436002)(81156014)(2906002)(82746002)(6246003)(3280700002)(68736007)(3660700001)(110136004)(53936002)(83506001)(14454004)(6512007)(99286003)(66066001)(4001350100001)(478600001)(5640700003)(5660300001)(189998001)(86362001)(6916009)(97736004)(54356999)(8676002)(50986999)(2501003)(6116002)(81166006)(305945005)(6486002)(77096006)(101416001)(102836003)(25786009)(1730700003)(3846002)(7736002)(2900100001)(229853002)(6506006)(33656002)(105586002)(8936002)(106356001)(2351001)(36756003); DIR:OUT; SFP:1102; SCL:1; SRVR:CY1PR0501MB1241; H:CY1PR0501MB1450.namprd05.prod.outlook.com; FPR:; SPF:None; PTR:InfoNoRecords; A:1; MX:1; LANG:en;
received-spf: None (protection.outlook.com: juniper.net does not designate permitted sender hosts)
spamdiagnosticoutput: 1:99
spamdiagnosticmetadata: NSPM
Content-Type: text/plain; charset="utf-8"
Content-ID: <6A2C436614097B45BFEAC1DD45E1F00E@namprd05.prod.outlook.com>
Content-Transfer-Encoding: base64
MIME-Version: 1.0
X-OriginatorOrg: juniper.net
X-MS-Exchange-CrossTenant-originalarrivaltime: 22 Aug 2017 18:56:16.4613 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: bea78b3c-4cdb-4130-854a-1d193232e5f4
X-MS-Exchange-Transport-CrossTenantHeadersStamped: CY1PR0501MB1241
Archived-At: <https://mailarchive.ietf.org/arch/msg/netconf/ay5OroWU4t_wbgv3V1ioMpllyGY>
Subject: Re: [Netconf] send 'version' in zerotouch url?
X-BeenThere: netconf@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Network Configuration WG mailing list <netconf.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/netconf>, <mailto:netconf-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/netconf/>
List-Post: <mailto:netconf@ietf.org>
List-Help: <mailto:netconf-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/netconf>, <mailto:netconf-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 22 Aug 2017 18:56:20 -0000
[Note: this issue is blocking the posting of an updated zerotouch draft, which would then be ready for a (presumably) final Last Call] Second try ;) The issue regards when a device learns of a bootstrap server's address/port via an insecure mechanism (e.g., DHCP or a DNS record). As such, the device will not have a trust-anchor certificate to authenticate the bootstrap server's TLS certificate with. For such cases, the draft allows the device to establish the TLS connection with the bootstrap server anyways (e.g., by blindly accepting the server's certificate). However, the concern is that the bootstrap server may "owned" by an attacker... To safeguard against this scenario, the draft (1) says that the device MUST verify (via a signature) any data it obtains from the [untrusted] bootstrap server and (2) takes steps to limit the amount of data the device sends to the [untrusted] bootstrap server. Currently, the draft has robust support for goal #1 and partial support for goal #2. For goal #1, the draft defines a signed-data solution (owner certificates, ownership vouchers, etc.). For goal #2, the draft prevents the device from sending its IDevID certificate or POST-ing its 'update-progress' notifications when connected to untrusted servers, even though it inconsistently requires the device send its "unique-id" and now, maybe, per the subject line, its "version". The question is, do we want to adhere to goal #2 or not. What does adhering to goal #2 look like? - we need to state that the "unique-id" and "version" (if we go for it) values in the URL are munged via a salted hashing algorithm (salt to prevent dictionary attacks). Again, the *current* definition of "unique-id" has enough wiggle-room to enable vendors to hash these values if they want, but do we want to make it mandatory to be consistent? What does NOT adhering to goal #2 look it? - I think that we say that devices MUST always send their IDevID certificate - this doesn't hurt (since the IDevID certificate doesn't contain much beyond serial number) while actually helping to prevent MiTM attacks (since a spoofed bootstrap server wouldn't know the device's IDevID private key). But I'm conflicted if devices should send their progress updates to untrusted bootstrap servers, since the progress updates contain data above and beyond what devices would otherwise provide. To address this, we might state that it's okay for devices to send progress updates to untrusted servers if and only if they are first able to verify the signature over the signed data, since that somewhat demonstrates the bootstrap server's authenticity. Thoughts? Kent // contributor
- [Netconf] send 'version' in zerotouch url? Kent Watsen
- Re: [Netconf] send 'version' in zerotouch url? Kent Watsen
- Re: [Netconf] send 'version' in zerotouch url? Kent Watsen