[Netconf] Security Directorate early review of zerotouch draft

Kent Watsen <kwatsen@juniper.net> Fri, 10 August 2018 00:50 UTC

From: Kent Watsen <kwatsen@juniper.net>
To: "netconf@ietf.org" <netconf@ietf.org>
Date: Fri, 10 Aug 2018 00:50:31 +0000
Message-ID: <F596AE1A-862F-47D0-B331-F0077A20EE5F@juniper.net>
Archived-At: <https://mailarchive.ietf.org/arch/msg/netconf/gmuGpDVxWwBviIw78KZAao1GJ0k>
Subject: [Netconf] Security Directorate early review of zerotouch draft

As previously mentioned, the Security Directorate submitted a review:
https://mailarchive.ietf.org/arch/msg/secdir/RNtvpWPTgB9KqRaOmYzLGEYsrHs

One of the issues regards the validity period for zerotouch information.
Currently, there are no "not-before" or "not-after" values.  The issue
is that signed bootstrapping data may be repurposed (i.e., a replay
attack).

One "fix" is to just document it as a Security Consideration and move
on.  But I notice that the voucher draft (RFC8366) has this:

     yang-data voucher-artifact:
         +---- voucher
            +---- created-on             yang:date-and-time
            +---- expires-on?            yang:date-and-time
            ...

And thus maybe we should do the following? (the '+' lines):

     yang-data zerotouch-information:
       +-- (information-type)
          +--:(redirect-information)
          |  +-- redirect-information
+         |     +-- not-before?                  yang:date-and-time
+         |     +-- not-after?                   yang:date-and-time
          |     +-- bootstrap-server* [address]
          |        +-- address                   inet:host
          |        +-- port?                     inet:port-number
          |        +-- trust-anchor?             cms
          +--:(onboarding-information)
             +-- onboarding-information
+               +-- not-before?                  yang:date-and-time
+               +-- not-after?                   yang:date-and-time
                +-- boot-image
                |  +-- os-name?                  string
                |  +-- os-version?               string
                |  +-- download-uri*             inet:uri
                |  +-- image-verification* [hash-algorithm]
                |     +-- hash-algorithm         identityref
                |     +-- hash-value             yang:hex-string
                +-- configuration-handling?      enumeration
                +-- pre-configuration-script?    script
                +-- configuration?               binary
                +-- post-configuration-script?   script


For signed zerotouch information, this enables the lifetime of the
artifact to be bounded, without depending on the expiration of the
owner certificate.
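To make the proposal concrete, here is an added example (not part of this message, the draft, or RFC 8366) of how a device could enforce the proposed optional validity window after it has already verified the CMS signature over the zerotouch information. It assumes a JSON encoding of the tree above with plain keys (no module-name prefix), treats `yang:date-and-time` as RFC 3339, and adds a small clock-skew tolerance that is my own choice, not something the draft specifies; the sample instances are constructed.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional


@dataclass
class Verdict:
    accepted: bool
    reason: str


def parse_date_and_time(value: str) -> datetime:
    """Parse a yang:date-and-time (RFC 3339) string into a UTC-aware datetime.

    RFC 3339 requires a time-zone offset; a bare local time is rejected so that
    a device cannot be tricked into widening the window by offset ambiguity.
    """
    if value.endswith(("Z", "z")):
        value = value[:-1] + "+00:00"
    dt = datetime.fromisoformat(value)
    if dt.tzinfo is None:
        raise ValueError("yang:date-and-time requires a time-zone offset")
    return dt.astimezone(timezone.utc)


def content_node(zerotouch_information: dict) -> dict:
    """Select whichever branch of the (information-type) choice is present."""
    for key in ("redirect-information", "onboarding-information"):
        if key in zerotouch_information:
            return zerotouch_information[key]
    raise ValueError("zerotouch-information carries neither choice branch")


def check_validity_window(info: dict, now: datetime,
                          skew: timedelta = timedelta(minutes=5)) -> Verdict:
    """Apply the proposed not-before / not-after leaves to signed content.

    Both leaves are optional ('?' in the tree), so a missing leaf simply
    leaves that side of the window open. `skew` is an assumed tolerance for
    the device clock, not a value from the draft.
    """
    nb_raw: Optional[str] = info.get("not-before")
    na_raw: Optional[str] = info.get("not-after")
    if nb_raw is None and na_raw is None:
        # Lifetime is then bounded only by the owner certificate's expiry.
        return Verdict(True, "no validity window present")
    try:
        nb = parse_date_and_time(nb_raw) if nb_raw else None
        na = parse_date_and_time(na_raw) if na_raw else None
    except ValueError as exc:
        return Verdict(False, f"malformed date-and-time: {exc}")
    if nb and na and nb > na:
        return Verdict(False, "not-before is later than not-after")
    if nb and now + skew < nb:
        return Verdict(False, "artifact not yet valid")
    if na and now - skew > na:
        return Verdict(False, "artifact expired; stale or replayed data")
    return Verdict(True, "within validity window")


# Constructed sample: redirect-information carrying the proposed leaves.
SAMPLE_REDIRECT = {
    "redirect-information": {
        "not-before": "2018-08-09T00:00:00Z",
        "not-after": "2018-08-16T00:00:00Z",
        "bootstrap-server": [{"address": "bootstrap.example.com", "port": 443}],
    }
}

# Constructed sample: onboarding-information with no window at all.
SAMPLE_ONBOARDING_NO_WINDOW = {
    "onboarding-information": {
        "boot-image": {"os-name": "example-os", "download-uri": ["https://example.com/img"]},
        "configuration-handling": "merge",
    }
}


def evaluate(zerotouch_information: dict, now: datetime) -> Verdict:
    """Convenience wrapper: pick the choice branch, then check its window."""
    return check_validity_window(content_node(zerotouch_information), now)


if __name__ == "__main__":
    for label, when in (("fresh", datetime(2018, 8, 10, 0, 50, tzinfo=timezone.utc)),
                        ("replayed", datetime(2018, 9, 1, tzinfo=timezone.utc))):
        v = evaluate(SAMPLE_REDIRECT, when)
        print(f"{label}: accepted={v.accepted} ({v.reason})")
```

The check is ordered so that a malformed or inverted window fails closed before any time comparison is made, and the skew is applied symmetrically so that a device booting with a slightly slow clock is not locked out by a `not-before` set to the moment the artifact was signed.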

I don't see a downside to doing this (other than the effort to make
it happen).  I've also proposed this solution in the thread with the
SecDir, so we'll also get his response as to whether it resolves his issue.

Any thoughts from the WG?  If not, then I'll plan to make this change
in -23 as well.

Kent // contributor