IETF Logo Mail Archive

Re: [Netconf] Benjamin Kaduk's Discuss on draft-ietf-netconf-zerotouch-25: (with DISCUSS and COMMENT)

Kent Watsen <kwatsen@juniper.net> Tue, 15 January 2019 22:44 UTC

Return-Path: <kwatsen@juniper.net>
X-Original-To: netconf@ietfa.amsl.com
Delivered-To: netconf@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id BE22312870E; Tue, 15 Jan 2019 14:44:14 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -5.254
X-Spam-Level:
X-Spam-Status: No, score=-5.254 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-4.553, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, KHOP_DYNAMIC=2, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=juniper.net
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 8U4_ibekDjFf; Tue, 15 Jan 2019 14:44:12 -0800 (PST)
Received: from mx0a-00273201.pphosted.com (mx0a-00273201.pphosted.com [208.84.65.16]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id F3C0412867A; Tue, 15 Jan 2019 14:44:11 -0800 (PST)
Received: from pps.filterd (m0108156.ppops.net [127.0.0.1]) by mx0a-00273201.pphosted.com (8.16.0.27/8.16.0.27) with SMTP id x0FMdQxf008715; Tue, 15 Jan 2019 14:44:05 -0800
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=juniper.net; h=from : to : cc : subject : date : message-id : references : in-reply-to : content-type : content-id : content-transfer-encoding : mime-version; s=PPS1017; bh=26/1ja9Fclg/a1i55FHG+LhRxs8ORh1JNmyNS84PgXg=; b=sYWWz8//x+BLBgn44cyAsMfvmSw425eflZEOL6nk5sIPaLSVwYUB2cGNSPjHpZZQ4Ugr 36D8W3lZYXBM1CxazQsFFN7rnngJhqRuuVmPmIG+FYBf3kOUckdqjdKB/t+1oFuFV73d Z5Mqv4JqhqfVDJ8niljby0X0BU5V2mWr9xHPm/q7ZD8QP3n6yI5F1S0jPZan0QWoSqv+ fG78t+9Du+dFl08IcipEWAgEyVV9KhDswPSWLJN1AmMMNzR8oSIZVk7s9VdO23NlVVzZ y0VrIaIEnzmdYBTyqOBA515UOikLnn7QrS2JxdqC9RD6FO1GnthJtTkJmaty3XwP0w8z 0g==
Received: from nam02-cy1-obe.outbound.protection.outlook.com (mail-cys01nam02lp2055.outbound.protection.outlook.com [104.47.37.55]) by mx0a-00273201.pphosted.com with ESMTP id 2q1m0k8e0w-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-SHA384 bits=256 verify=NOT); Tue, 15 Jan 2019 14:44:05 -0800
Received: from BYAPR05MB5416.namprd05.prod.outlook.com (20.177.184.221) by BYAPR05MB5960.namprd05.prod.outlook.com (20.178.52.209) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.1537.10; Tue, 15 Jan 2019 22:43:59 +0000
Received: from BYAPR05MB5416.namprd05.prod.outlook.com ([fe80::ccee:5d54:3370:e50b]) by BYAPR05MB5416.namprd05.prod.outlook.com ([fe80::ccee:5d54:3370:e50b%5]) with mapi id 15.20.1537.018; Tue, 15 Jan 2019 22:43:59 +0000
From: Kent Watsen <kwatsen@juniper.net>
To: Benjamin Kaduk <kaduk@mit.edu>
CC: Adam Roach <adam@nostrum.com>, Dave Crocker <dcrocker@bbiw.net>, Alexey Melnikov <aamelnikov@fastmail.fm>, The IESG <iesg@ietf.org>, "draft-ietf-netconf-zerotouch@ietf.org" <draft-ietf-netconf-zerotouch@ietf.org>, "netconf-chairs@ietf.org" <netconf-chairs@ietf.org>, "netconf@ietf.org" <netconf@ietf.org>
Thread-Topic: [Netconf] Benjamin Kaduk's Discuss on draft-ietf-netconf-zerotouch-25: (with DISCUSS and COMMENT)
Thread-Index: AQHUi5qky69pAtgeuk6GIUpsNSYi7qVz1VIAgCLBFICAB70FgIADj4qAgAJJm4CAAxXrAIAAYVAA//+xH4CAAacWAIAAD4+AgAADiwD//8aMAIAActaAgAFSQoCAAHCvAIAEHSWAgABsiwCAAUd1gA==
Date: Tue, 15 Jan 2019 22:43:59 +0000
Message-ID: <F68D5933-715C-4475-92B2-22DD06B5CA20@juniper.net>
References: <cc5adc78-6751-fabf-03d2-e0c65f8a6c91@bbiw.net> <F844EDFB-3E15-47FB-A714-06363B996FC2@juniper.net> <42cddba1-9f59-f19f-176f-197f0c0c0c96@bbiw.net> <32cfe06c-8204-a63a-263d-cb5b30a7a2fc@nostrum.com> <20190110183444.GN28515@kduck.mit.edu> <0CDD631D-47A4-4478-A250-85603C653D23@juniper.net> <f9e64452-a2e1-fb18-80b1-b2c5fa9c54ac@nostrum.com> <3ABB2B04-DB2C-4E2C-86C7-40D83D440DFB@juniper.net> <20190112005406.GU28515@kduck.mit.edu> <A1F059FB-5229-45B9-9EBB-CF60B78FF454@juniper.net> <20190114221155.GL28515@kduck.mit.edu>
In-Reply-To: <20190114221155.GL28515@kduck.mit.edu>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
user-agent: Microsoft-MacOutlook/10.10.5.181209
x-originating-ip: [66.129.241.12]
x-ms-publictraffictype: Email
x-microsoft-exchange-diagnostics: 1; BYAPR05MB5960; 6:2QLc75PrpN1JS3RJ9vCC5bCjiI5Z5cP0PsX3ekvXlla9bzu3lQ4eByBIqo/OABEj+6o3jrJlH2QMJSpIGUKK6X8C118P4tAwnUTNOy1wBSKbVgiKuHS6bAP+dCBz1GnKGxKck/O/ykC0CV9Qcj5f2QyL8O+svZm94uHnkm2qBqP/AeeYFI7x3NF7iNl37Fa9w//de5tT3oeXpxuUNhNZ/cm8OuDkE3qGMJJakekVc825hHOlVSV2nVBDE6v2Cwkns8ZtlW8dMoc0zEvEl2bx0MBOm2JINNGY2g1EtAKe3LP6PvLaAfT3JQiSqIhn6EGrJz4zRnawasjFZiMNbOaRbTSHwNjYSTyVpC+9tWrA4gLIIT/n1Qn5gW0YIEGs5Xk0BRc3o6294gQzvCI9RsPAOeLpqx9eab+1mwIsSLfZPIU8pF7Vh0549um0SUKF8O3N9YWaqj1rO1NFkhSp8jo46Q==; 5:+/YvYXRJCSR5yp85J8GbJcvpillSPD7iNjhy3gbyrYThPb/50rePN+O+4QmvMyxQCP0SmYO4IN5GUGYABD8GOOJKKWfFSP0z0D1YuYDQz5jE9kytkYryVaMMcRNhz4mQrLp1pjrJhcZ5BsjHE9HWCuzXGxWCRdIl+QgPEuMVBdHswk0j/RDwkhb1dcjd/RY+I73lGU/HlvKUI2nwnpEJLQ==; 7:YD4m428vDejgGy4oA30pKHaGx45PZPLrDVvTeoWNOZPb9OMPLMRkfBJjTgIOoTVtjQl0no8+z5i0s9GrqpMQKukZVOEUNqH1gX6iobPPHfaIZkPA/NYo+bitn68pjBNvJBtkMKpiOM4z1WrRqG5/Yw==
x-ms-exchange-antispam-srfa-diagnostics: SOS;
x-ms-office365-filtering-correlation-id: b108d873-3e38-4e3e-abd4-08d67b3af087
x-ms-office365-filtering-ht: Tenant
x-microsoft-antispam: BCL:0; PCL:0; RULEID:(2390118)(7020095)(4652040)(8989299)(4534185)(4627221)(201703031133081)(201702281549075)(8990200)(5600109)(711020)(4618075)(2017052603328)(7153060)(7193020); SRVR:BYAPR05MB5960;
x-ms-traffictypediagnostic: BYAPR05MB5960:
x-microsoft-antispam-prvs: <BYAPR05MB5960C12F8B0544885836A585A5810@BYAPR05MB5960.namprd05.prod.outlook.com>
x-forefront-prvs: 0918748D70
x-forefront-antispam-report: SFV:NSPM; SFS:(10019020)(346002)(396003)(39860400002)(376002)(136003)(366004)(199004)(189003)(40224003)(81156014)(5660300001)(2906002)(14454004)(81166006)(6486002)(76176011)(478600001)(6436002)(83716004)(8676002)(71200400001)(66066001)(71190400001)(25786009)(53936002)(8936002)(86362001)(14444005)(256004)(58126008)(6916009)(4326008)(54906003)(97736004)(316002)(2616005)(2171002)(3846002)(82746002)(6116002)(6246003)(6506007)(26005)(68736007)(486006)(106356001)(446003)(105586002)(36756003)(305945005)(99286004)(11346002)(229853002)(6512007)(476003)(102836004)(93886005)(7736002)(186003)(33656002); DIR:OUT; SFP:1102; SCL:1; SRVR:BYAPR05MB5960; H:BYAPR05MB5416.namprd05.prod.outlook.com; FPR:; SPF:None; LANG:en; PTR:InfoNoRecords; A:1; MX:1;
received-spf: None (protection.outlook.com: juniper.net does not designate permitted sender hosts)
x-ms-exchange-senderadcheck: 1
x-microsoft-antispam-message-info: IaYHi4w3BAcwVKzQ4y9fkDYxhC4vgpNKHL68l0AQxp39cL1xLFNV5M/YZc4jz3o6nK2fPb+oc0dyUyKZYa4gxTZSbQCo1Q/hlT8kd7bHRulvzxgo/MzV01byip4WAVsqNJaRZy8dhRaHj2X8zzE5GiINOnqifaDg26olVRkBlDSRSuBYhLgtqqn4hhwoaPn4XEX8fow3GvEB+nTFstfVEj9lnBNHzbC1clUehyiKNbNnuPQqufWYRR0Iz0BiNimnAHUz3nmvEuxgpljA9o6fuBhHDkSMNkDPkg12daB820VjQxn4nUG5+ZnLrsZsoelFH5O/YSzEjHcXo2pYInfGEZa8F9IPGlZkyD2xPUOTlh1Gi9QIsbDAt1+zkrjrZbo7iETclAVwXeXyxxr2em6kvpmTpPByJH4I0GQCxnt9IE0=
spamdiagnosticoutput: 1:99
spamdiagnosticmetadata: NSPM
Content-Type: text/plain; charset="utf-8"
Content-ID: <A4866D055A11234FB256232073F27CB6@namprd05.prod.outlook.com>
Content-Transfer-Encoding: base64
MIME-Version: 1.0
X-OriginatorOrg: juniper.net
X-MS-Exchange-CrossTenant-Network-Message-Id: b108d873-3e38-4e3e-abd4-08d67b3af087
X-MS-Exchange-CrossTenant-originalarrivaltime: 15 Jan 2019 22:43:59.1475 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: bea78b3c-4cdb-4130-854a-1d193232e5f4
X-MS-Exchange-Transport-CrossTenantHeadersStamped: BYAPR05MB5960
X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10434:, , definitions=2019-01-15_08:, , signatures=0
X-Proofpoint-Spam-Details: rule=outbound_spam_notspam policy=outbound_spam score=0 priorityscore=1501 malwarescore=0 suspectscore=0 phishscore=0 bulkscore=0 spamscore=0 clxscore=1015 lowpriorityscore=0 mlxscore=0 impostorscore=0 mlxlogscore=999 adultscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.0.1-1810050000 definitions=main-1901150179
Archived-At: <https://mailarchive.ietf.org/arch/msg/netconf/dhx123BdGEwbmaGngvzUBHQU7ko>
Subject: Re: [Netconf] Benjamin Kaduk's Discuss on draft-ietf-netconf-zerotouch-25: (with DISCUSS and COMMENT)
X-BeenThere: netconf@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Network Configuration WG mailing list <netconf.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/netconf>, <mailto:netconf-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/netconf/>
List-Post: <mailto:netconf@ietf.org>
List-Help: <mailto:netconf-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/netconf>, <mailto:netconf-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 15 Jan 2019 22:44:15 -0000

Hi Benjamin,


>> Yes, that is the correct URL.  I've fixed it in my local copy.  
>> The 802.1AR spec is behind a paywall, but it says this about the serial number:
>> 
>>   An IDevID certificate subject field be non-null and should
>>   include a   unique device serial number encoded as the 
>>   serialNumber attribute(RFC 5280 X520SerialNumber).
>> 
>> From RFC 5280:
>> 
>>    X520SerialNumber ::=    PrintableString (SIZE (1..ub-serial-number))
>> 
>>    ub-serial-number INTEGER ::= 64
>> 
>>    The character string type PrintableString supports a very basic Latin
>>    character set: the lowercase letters 'a' through 'z', uppercase
>>    letters 'A' through 'Z', the digits '0' through '9', eleven special
>>    characters ' = ( ) + , - . / : ? and space.
>> 
>> Any comments/concerns about this?
>
> Sigh.  There could be some excitement here (but might not be), but I think
> I'm going to have to defer to some people with more DNS (and X.500)
> expertise.  There's several potential (but not certain) issues here,
> including at least:
>
> (1) ub-serial-number is 64, and the maximum length of a DNS label is 64
> octets, so we have no room for escaping or encoding at the margins.
>
> (2) RFC 1034 suggests that DNS domain name comparisons should be performed
> in a case-insensitive manner (for alphabetic ASCII a-z/A-Z), but that
> labels themselves can contain arbitrary octets.  There is some placation
> here in that X.520 appears to define the Serial Number attribute should use
> a caseIgnoreMatch equality matching rule, so maybe this is a non-issue.
>
> (3) Those extra characters (other than '-') are not allowed in DNS host
> names.  AIUI, that technically shouldn't be a problem for this usage, but
> I'm not 100% confident, and maybe some implementations are wrong.
>
> (4) Using '.' in a label is pretty rare and require escaping for textual
> presentation (but this is not inherently a fatal flaw and would not hit the
> 64-character limit on label length).
>
> But on the whole, the question I want to ask myself here is along the lines
> of "how likely is there to be implementation incompatibility in this
> space?".  If serial numbers in practice are not using the full flexibility,
> this could still be a non-issue.

Be aware that the draft must, in general, say something about the serial
number for each source of bootstrapping information (and note that the
draft leaves open the possibility that more "sources" may be defined in
the future):

  Removable Storage:
    - okay, well, the draft punts on providing an actual file-naming
      convention but, in theory, there could be a directory per 
      serial-number.  E.g., /<serial-number>/<artifact-file>.

  DNS:
    - TXT in <serial-number>._sztp.local.   (multicast)
    - TXT in <serial-number>._sztp.<domain>.  (unicast)

  DHCP:
    - the draft punts here as well. DHCP is the only source of
      bootstrapping information defined by the document that
      doesn't support device-specific response (bootp payloads
      are *way* too small!)

  SZTP Bootstrap Server:
    - device MUST identify/authenticate itself using its serial-number.
    - device SHOULD use a client-certificate (DevID RECOMMENDED)
    - device MAY use an HTTP authentication scheme but, if it does so,
      it MUST identify itself using its serial-number.

Lastly, for any source, if "signed data" is returned, the ownership
voucher [RFC 8366] defines a "serial-number" leaf that MUST be
populated with the serial number value.

In general, it is felt that, if a device vendor's serial-numbers
contain characters that are not supported by some protocol or format,
then that is their problem to solve.  That said, most protocol/formats
will define some escaping mechanism and, if not, the vendor can create
some mapping.

As for serial-number lengths exceeding some limit, then it may mean
that the device vendor either can't use that bootstrapping strategy,
or, again, they come up with a mapping of some sort (e.g., a hash).
But I doubt serial numbers ever get so long, as they are many times
typed or spoken, and users would revolt if they were too long ;)

My hope is that we can ignore this concern altogether, or maybe just
have a Security Considerations section that essentially captures the
above.  Thoughts?

Kent

v2.23.0 | Report a Bug | By Email