IETF Logo Mail Archive

Re: [Netconf] Mandatory local configuration in Keystore groupings

Kent Watsen <kwatsen@juniper.net> Tue, 28 August 2018 19:11 UTC

Return-Path: <kwatsen@juniper.net>
X-Original-To: netconf@ietfa.amsl.com
Delivered-To: netconf@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 9E346128B14 for <netconf@ietfa.amsl.com>; Tue, 28 Aug 2018 12:11:42 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.711
X-Spam-Level:
X-Spam-Status: No, score=-2.711 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001, T_DKIMWL_WL_HIGH=-0.01] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=juniper.net
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id m9rm30SWJU_5 for <netconf@ietfa.amsl.com>; Tue, 28 Aug 2018 12:11:40 -0700 (PDT)
Received: from mx0b-00273201.pphosted.com (mx0a-00273201.pphosted.com [208.84.65.16]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id ED339129C6A for <netconf@ietf.org>; Tue, 28 Aug 2018 12:11:39 -0700 (PDT)
Received: from pps.filterd (m0108157.ppops.net [127.0.0.1]) by mx0a-00273201.pphosted.com (8.16.0.22/8.16.0.22) with SMTP id w7SJAc47011126; Tue, 28 Aug 2018 12:11:36 -0700
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=juniper.net; h=from : to : cc : subject : date : message-id : references : in-reply-to : content-type : content-id : content-transfer-encoding : mime-version; s=PPS1017; bh=vJt7aycgCEkgf8Vc0z3BBpgL8MiBQmlq8qR0C7YnpJQ=; b=X6x/2IlbF6Q7WBORcLPwPZlHC3IjdPAcclWyoj9pfXpXzHTZo+7GfeYHQf+jHkolqgcF vQbQ02ekQp9xKFnj+wvCYfVN7Hch/JLCPZkNt7KXSnM1CKiQKR01685LHY8ZKWmTK82W p9Pa9evs4f9BRLb3s/1S5rHEcvpT5pfBabXr0X3NfIc+tH450K49YGh0XlUvgpb8Omrm vg1THBdcnBDxMJnEhPEHkCezpJp2FABS4ZJQJ/I0zFQEHIm4a3NftePqfA//yR/79qD4 3UzddS8FSj9rj89fYjGoIMCf8Xt6rHolcGCzAe3dnLCQmj9H5QOXZ0jl1Pb6Q6YfYlgo uA==
Received: from nam03-by2-obe.outbound.protection.outlook.com (mail-by2nam03lp0053.outbound.protection.outlook.com [216.32.180.53]) by mx0a-00273201.pphosted.com with ESMTP id 2m58d88haq-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-SHA384 bits=256 verify=NOT); Tue, 28 Aug 2018 12:11:36 -0700
Received: from DM6PR05MB4665.namprd05.prod.outlook.com (20.176.109.202) by DM6PR05MB4873.namprd05.prod.outlook.com (20.176.112.18) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.1080.13; Tue, 28 Aug 2018 19:11:28 +0000
Received: from DM6PR05MB4665.namprd05.prod.outlook.com ([fe80::544a:dd4d:9524:9e6d]) by DM6PR05MB4665.namprd05.prod.outlook.com ([fe80::544a:dd4d:9524:9e6d%3]) with mapi id 15.20.1101.007; Tue, 28 Aug 2018 19:11:28 +0000
From: Kent Watsen <kwatsen@juniper.net>
To: Balázs Kovács <balazs.kovacs@ericsson.com>, Martin Bjorklund <mbj@tail-f.com>, Balázs Lengyel <balazs.lengyel@ericsson.com>
CC: "netconf@ietf.org" <netconf@ietf.org>
Thread-Topic: [Netconf] Mandatory local configuration in Keystore groupings
Thread-Index: AQHUE4rJV5t3ZASQT0G65kk51KFdjKSAiWUAgEnK74CAACpJAIABPX8AgAOrEACABC+ZAIAAwASAgAC9gACAAHNjgIAAFAaA
Date: Tue, 28 Aug 2018 19:11:27 +0000
Message-ID: <C08E28A2-DB24-4456-969F-695F3EF8701D@juniper.net>
References: <28C3C2C7-22BE-4425-A26C-4A777FA68A95@juniper.net> <20180827.102118.630809612057220140.mbj@tail-f.com> <AD108D78-8E5D-429B-AFA9-8C84430F5186@juniper.net> <20180828.090648.398453385489817261.mbj@tail-f.com> <VI1PR0701MB2016F2754609FAEC242C9D51830A0@VI1PR0701MB2016.eurprd07.prod.outlook.com>
In-Reply-To: <VI1PR0701MB2016F2754609FAEC242C9D51830A0@VI1PR0701MB2016.eurprd07.prod.outlook.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
user-agent: Microsoft-MacOutlook/f.20.0.170309
x-originating-ip: [66.129.241.14]
x-ms-publictraffictype: Email
x-microsoft-exchange-diagnostics: 1; DM6PR05MB4873; 6:mQpV2TwRZOcdfIDfQJA28tYe5cmZDiWd7qYmPABZR9itZjhjdA0EOEb2kaR4RaGvlWylQXgG5YDCLH/mKc/UScYA4djV/Fe8dv7bA+8lqrzhdr7QLUb25Mq8bchirHpbMIF9c24SSCtMr1W/EjoXkh6XDy4KlIzmgaLKqFv0QwI1bs//iSeuZDEtOUX/QbAV6O2xrJnc8IIYhXsRAOLAoqnKMVzmiY4gbN4VdCCF/8gAjBGkFu5ef0278Qr48oYSZZzP30eV5RWyRv8HxVQG5SUYqH9TTMyOeHjiq6BaRtY3g5MV90X/GYyGbHQ/cCsNUFBuW6KPawUiIogbHi0HmYSbW0/Y/Ua6i3h42fNU1PLZSCLIio283I34siJwWxtR8RQSngPDEVZuspHNWyffBvTgcDyN70wHMaMJYaA5YUOnI0FpIeKPukoPv55HfY1rLMRldOKLB8zMZQerEorGbw==; 5:HX3lGHMM5b7uRUUjId/Hno6gsZNaYjK/usITS5yoabmnnRSsnzpwHXsCuz/sRyR0QQHUxzthfuQEeFHxYrKHqei3//gezMfe03m49+TUyZ3vkQSWcZcH8aHV/4h2GDfiuEumOnx00LaPCE5D/W844LlDjuvVqxdA6oq6y8EBLY0=; 7:I9+XC7xiM5cwsp4KpcOYOvF2qahy9axO9mMs6x4M8kYXJAWLfK1jR1V3yFBJTi55dm85UbtTy+5B7v+vs6c+tM377VtZ0sjUxxsOlZpROAU9oWQsHwjVsAHzQJlO6dLER2W36fhjLgcTedPKDVBoi1jYZ0sK/vcUPhB0mhtiQfrV3obM3d68ftx/Q2oym27JR+nB0PF0EFNPkpZmYBiJZUrn+jXZmeSvOiXl24B3b5ShIY/20rcCxVmrlgz62Q9Z
x-ms-exchange-antispam-srfa-diagnostics: SOS;
x-ms-office365-filtering-correlation-id: 502ab22c-5922-4eb8-00c1-08d60d1a0e57
x-ms-office365-filtering-ht: Tenant
x-microsoft-antispam: BCL:0; PCL:0; RULEID:(7020095)(4652040)(8989137)(4534165)(4627221)(201703031133081)(201702281549075)(8990107)(5600074)(711020)(4618075)(2017052603328)(7153060)(7193020); SRVR:DM6PR05MB4873;
x-ms-traffictypediagnostic: DM6PR05MB4873:
x-microsoft-antispam-prvs: <DM6PR05MB4873C7AD2E6903BA5831ABF8A50A0@DM6PR05MB4873.namprd05.prod.outlook.com>
x-exchange-antispam-report-test: UriScan:;
x-ms-exchange-senderadcheck: 1
x-exchange-antispam-report-cfa-test: BCL:0; PCL:0; RULEID:(8211001083)(6040522)(2401047)(8121501046)(5005006)(3231311)(944501410)(52105095)(93006095)(93001095)(10201501046)(3002001)(6055026)(149027)(150027)(6041310)(20161123558120)(201703131423095)(201702281528075)(20161123555045)(201703061421075)(201703061406153)(20161123564045)(20161123560045)(20161123562045)(201708071742011)(7699049)(76991033); SRVR:DM6PR05MB4873; BCL:0; PCL:0; RULEID:; SRVR:DM6PR05MB4873;
x-forefront-prvs: 077884B8B5
x-forefront-antispam-report: SFV:NSPM; SFS:(10019020)(366004)(396003)(346002)(39860400002)(376002)(136003)(199004)(189003)(2900100001)(6346003)(81156014)(305945005)(82746002)(58126008)(33656002)(14444005)(229853002)(8936002)(25786009)(26005)(5250100002)(2616005)(6436002)(99286004)(68736007)(476003)(256004)(102836004)(6512007)(66066001)(8676002)(486006)(7736002)(14454004)(5660300001)(4326008)(81166006)(83716003)(6246003)(76176011)(105586002)(6486002)(3846002)(93886005)(6116002)(86362001)(53936002)(36756003)(316002)(11346002)(2906002)(110136005)(446003)(97736004)(6506007)(106356001)(186003)(478600001); DIR:OUT; SFP:1102; SCL:1; SRVR:DM6PR05MB4873; H:DM6PR05MB4665.namprd05.prod.outlook.com; FPR:; SPF:None; LANG:en; PTR:InfoNoRecords; A:1; MX:1;
received-spf: None (protection.outlook.com: juniper.net does not designate permitted sender hosts)
x-microsoft-antispam-message-info: Z1x2Uz/uAMByi6vGlTOXftTUevhCog7E1YYaAdRPKY2A3nGlioXHi1rq0ynL7xOcxLdEhbTAfFcF1dtwp7YZZ6f0GeATM3snBdO8U+v0L7ctZaC+xBowX7RYXa2dmjauXUGWRv04PELkTZdNQfkKmyckiyzHM8PjoCX3qsaePekOTuwGTpy3U5hsdWcEUwZhr6c3w0/kkXR8mZwyBEya/pk+IDdqI/n8e0oljVv9xtXn9KSYETk5XUS0AJ16+XlQWEl1lQeMIgul5XZU0HJJKpWKFq2Rbgj7OuUJqdywqJpIM12socq//KQ2ChRCt9o450sW2qM2C2xnnICD6nCCmUKFg6o6txyMaQl7vk7afno=
spamdiagnosticoutput: 1:99
spamdiagnosticmetadata: NSPM
Content-Type: text/plain; charset="utf-8"
Content-ID: <C2252A08B6CD5D4FB7820B8C86E91BBB@namprd05.prod.outlook.com>
Content-Transfer-Encoding: base64
MIME-Version: 1.0
X-OriginatorOrg: juniper.net
X-MS-Exchange-CrossTenant-Network-Message-Id: 502ab22c-5922-4eb8-00c1-08d60d1a0e57
X-MS-Exchange-CrossTenant-originalarrivaltime: 28 Aug 2018 19:11:27.9459 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: bea78b3c-4cdb-4130-854a-1d193232e5f4
X-MS-Exchange-Transport-CrossTenantHeadersStamped: DM6PR05MB4873
X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10434:, , definitions=2018-08-28_08:, , signatures=0
X-Proofpoint-Spam-Details: rule=outbound_spam_notspam policy=outbound_spam score=0 priorityscore=1501 malwarescore=0 suspectscore=0 phishscore=0 bulkscore=0 spamscore=0 clxscore=1015 lowpriorityscore=0 mlxscore=0 impostorscore=0 mlxlogscore=999 adultscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.0.1-1807170000 definitions=main-1808280185
Archived-At: <https://mailarchive.ietf.org/arch/msg/netconf/bxfRNKsJqzfkFcDyecxinQMjCTw>
Subject: Re: [Netconf] Mandatory local configuration in Keystore groupings
X-BeenThere: netconf@ietf.org
X-Mailman-Version: 2.1.27
Precedence: list
List-Id: Network Configuration WG mailing list <netconf.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/netconf>, <mailto:netconf-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/netconf/>
List-Post: <mailto:netconf@ietf.org>
List-Help: <mailto:netconf-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/netconf>, <mailto:netconf-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 28 Aug 2018 19:11:43 -0000


>>> We could define a "load-asymmetric-key" action that has that behavior?
>>
>> Yes; if we decide to support this use case.  What do others think?
>>
> Would this action have 'name' and 'private-key' binary input and the 
> purpose to avoid setting the key via configuration and handling it 
> directly in <operational>? Is it an implementation risk to handle 
> the binary input via configuration but not via action?


The proposed "load-asymmetric-key" action would take 4 mandatory 
input parameters (name, alg, pub-key, and priv-key) and have no
output other than the key showing up in <operational> with the
private key "permanently-hidden".

To make things clearer, we might rename these actions to:
  - generate-permanently-hidden-asymmetric-key(...)
  - load-permanently-hidden-asymmetric-key(...)

Yes, use of these actions would be more secure since the private key
is thereafter permanently hidden.  If the goal is to have the private
key in configuration, then the action should not be used.


> In our opinion with Balazs L., we think it would be disadvantageous
> to change the model by ruining the containment relationship between
> certificate and corresponding asymmetric key. 

Can you say some more about this?  Is it mostly that the containment
is really intuitive?  That the relationship is linked both ways, 
whereas a leadref only goes one way?

Martin makes a case for 'B', but he also said that my 'b' was "Better"
but has scaling issues in the general case.  Perhaps we don't worry
about the general case here?


> The action of 'generate-asymmetric-key' is typically something that
> should have effect on the 'running' configuration too (by setting 
> the mandatory leaves) since the user wants to continue working with
> the result by deploying certificates or anything else related to 
> the created asymmetric key that needs configuration. 

Okay, but why use an action at all then?  Everything can be done via
standard configuration, right?


Kent // contributor

v2.23.0 | Report a Bug | By Email