IETF Logo Mail Archive

Re: [Netconf] Mandatory local configuration in Keystore groupings

Kent Watsen <kwatsen@juniper.net> Tue, 18 September 2018 18:53 UTC

Return-Path: <kwatsen@juniper.net>
X-Original-To: netconf@ietfa.amsl.com
Delivered-To: netconf@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 56EFF1252B7 for <netconf@ietfa.amsl.com>; Tue, 18 Sep 2018 11:53:08 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.711
X-Spam-Level:
X-Spam-Status: No, score=-2.711 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001, T_DKIMWL_WL_HIGH=-0.01] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=juniper.net
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id k0ENcwypHi1E for <netconf@ietfa.amsl.com>; Tue, 18 Sep 2018 11:53:04 -0700 (PDT)
Received: from mx0a-00273201.pphosted.com (mx0a-00273201.pphosted.com [208.84.65.16]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id C06BF130E1C for <netconf@ietf.org>; Tue, 18 Sep 2018 11:53:04 -0700 (PDT)
Received: from pps.filterd (m0108159.ppops.net [127.0.0.1]) by mx0a-00273201.pphosted.com (8.16.0.22/8.16.0.22) with SMTP id w8IImvtV005924; Tue, 18 Sep 2018 11:53:01 -0700
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=juniper.net; h=from : to : cc : subject : date : message-id : references : in-reply-to : content-type : content-id : content-transfer-encoding : mime-version; s=PPS1017; bh=XkZBBWFAZLLWy9M1xWYUPpy0hMUZqS2+4gsOLXeqKbU=; b=lUr8cJuHCrItEIAkR+Vj+1b2qTeSljvT9dvQT5dnXkuZqGfKdQRaJedHqTOCwuwL8bdN wA/AezgqtuWGwUDtj16T90X5DRnr4pAdQKkYHd2uHeR+ZuH3I5c6WNjG767TRhbatrPC 1yrbdSs3TgMxpYwRGiLm0gZtl4PZg78iqb2XUwZR5T4sMBMA1k64rD3WeFyEVHj9VzpZ LUMmlr3FkJwgJi3O1CAg30pYHzTU8qUht8sWyIgagzU+vdauwfmTKtzPzJIlsOZToSLo t1dcClOGhjIHDfdXrem4QzNDzg8qI5b7uakMVafjZ5DwnlY4PHZKxx42LBCOxVHM9g/1 rA==
Received: from nam05-co1-obe.outbound.protection.outlook.com (mail-co1nam05lp0088.outbound.protection.outlook.com [216.32.181.88]) by mx0a-00273201.pphosted.com with ESMTP id 2mk5re04nd-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-SHA384 bits=256 verify=NOT); Tue, 18 Sep 2018 11:53:01 -0700
Received: from DM6PR05MB4665.namprd05.prod.outlook.com (20.176.109.202) by DM6PR05MB4601.namprd05.prod.outlook.com (20.176.109.146) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.1143.11; Tue, 18 Sep 2018 18:52:58 +0000
Received: from DM6PR05MB4665.namprd05.prod.outlook.com ([fe80::544a:dd4d:9524:9e6d]) by DM6PR05MB4665.namprd05.prod.outlook.com ([fe80::544a:dd4d:9524:9e6d%5]) with mapi id 15.20.1164.014; Tue, 18 Sep 2018 18:52:58 +0000
From: Kent Watsen <kwatsen@juniper.net>
To: Balázs Kovács <balazs.kovacs@ericsson.com>, Martin Bjorklund <mbj@tail-f.com>
CC: Balázs Lengyel <balazs.lengyel@ericsson.com>, "netconf@ietf.org" <netconf@ietf.org>
Thread-Topic: [Netconf] Mandatory local configuration in Keystore groupings
Thread-Index: AQHUE4rJV5t3ZASQT0G65kk51KFdjKSAiWUAgEnK74CAACpJAIABPX8AgAOrEACABC+ZAIAAwASAgAC9gACAAHNjgIAAFAaAgAEgEwCAAicPgIAF1PmAgAF1VYCACj3EgIAAtxgAgACClQCACVx+gIAAM1IAgADfpYCAACvtAIAAV4eA
Date: Tue, 18 Sep 2018 18:52:58 +0000
Message-ID: <A9FACF6E-2207-4FD3-966A-3482DC96B35D@juniper.net>
References: <1F126D9A-775C-4590-A645-6529C3066C14@juniper.net> <20180917.163819.1278530557866964677.mbj@tail-f.com> <C024B669-5B39-47C9-91FE-3C8D3698BB1D@juniper.net> <20180918.090227.98113334613843662.mbj@tail-f.com> <VI1PR0701MB2016707AE81A6F77719461D4831D0@VI1PR0701MB2016.eurprd07.prod.outlook.com>
In-Reply-To: <VI1PR0701MB2016707AE81A6F77719461D4831D0@VI1PR0701MB2016.eurprd07.prod.outlook.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
user-agent: Microsoft-MacOutlook/f.20.0.170309
x-originating-ip: [66.129.241.14]
x-ms-publictraffictype: Email
x-microsoft-exchange-diagnostics: 1; DM6PR05MB4601; 6:KeQcbpJwR8UKCmZNhsm69lQPDn5TaMBou4db+ENyAFR0bdvTim7bpIIgdel+q3UH61ms9EoNbmh61FC2g8WrwIDbfxA5LlanPsFtvMdXy/40lTwJ9QBVkHreRb9oLlzjVapjFsnwAYCkUmhH0yakI2psLdu5K5JqhHjYjUmMw5t5lX3zTcpzf6CuZvWDg1p4r8cYx3DrWIOP4BdqB9Q0OHUytYusu9T2AN2OquJtaPUvuqq9Q3mz3KnfA+BmEUhAfWAxY0BgmTrJdGlevntSLxINmi7eblCQwnz9aqywGx53hgN6Eg0IWgnNexrGEcJqOkPAr2Ft12+js3jCHD56YAMC9z0CENNAdtZn3UBvSbj9TH6g2aeRFTMmyiAbdXFpuhlTodhZvnEfydRaLumW4WDfF5XJRTqMYntu9irR09fmWy6AAxj1M29uvh/pr+QDIqiJcFPnPi+8Ov8y+L1zvQ==; 5:53ii2Yrt+M9xmkU3gBEhu7ombY/090OMavbcuIKZnEO4wGo2pWyhReV/C/BgpuXIL40Nm5H5P3yVt1k2So7WXxDIFNV7BFlq46w7mKQo4GYO51o/NM+FHkcPDIV5IfddW5cLF3U7lc57dfwGgF5vBN/PkmiPV22Kp3ARm3HGHZc=; 7:O97fOB5GOBcJ1lnGaC4pOZbnuoFAOCU5zuWPeXXB+qdV9gQq3t+ixfMEoWa5cMjFdT7XcfOzHkmitdXVuQZBkmKV/B/JFbYIWauBtPb8hvrleeCghek715Yi2VaYwKHtEP6bf2AMwH1PXdkhsvnPDFigBQVLD+zdjE7M/mh9BOTwqRMS7UXEfI2rBsfD9umElY/BiTNlzVQbdClp2gHBGkHDqaN4aEpHrses5xV7IMSLSmgLybsndjXubTFQq3Ap
x-ms-exchange-antispam-srfa-diagnostics: SOS;
x-ms-office365-filtering-correlation-id: 69c66f43-7b54-45c1-7f68-08d61d97f3b9
x-ms-office365-filtering-ht: Tenant
x-microsoft-antispam: BCL:0; PCL:0; RULEID:(7020095)(4652040)(8989299)(4534165)(4627221)(201703031133081)(201702281549075)(8990200)(5600074)(711020)(4618075)(2017052603328)(7153060)(7193020); SRVR:DM6PR05MB4601;
x-ms-traffictypediagnostic: DM6PR05MB4601:
x-microsoft-antispam-prvs: <DM6PR05MB46014367532D6DA65C12A33CA51D0@DM6PR05MB4601.namprd05.prod.outlook.com>
x-exchange-antispam-report-test: UriScan:(138986009662008)(37575265505322)(248295561703944);
x-ms-exchange-senderadcheck: 1
x-exchange-antispam-report-cfa-test: BCL:0; PCL:0; RULEID:(8211001083)(6040522)(2401047)(8121501046)(5005006)(3231355)(944501410)(52105095)(3002001)(10201501046)(93006095)(93001095)(6055026)(149027)(150027)(6041310)(20161123558120)(20161123564045)(20161123560045)(20161123562045)(201703131423095)(201702281528075)(20161123555045)(201703061421075)(201703061406153)(201708071742011)(7699050)(76991041); SRVR:DM6PR05MB4601; BCL:0; PCL:0; RULEID:; SRVR:DM6PR05MB4601;
x-forefront-prvs: 0799B1B2D7
x-forefront-antispam-report: SFV:NSPM; SFS:(10019020)(396003)(39860400002)(346002)(136003)(366004)(376002)(189003)(13464003)(199004)(51444003)(2616005)(53936002)(76176011)(305945005)(66066001)(25786009)(7736002)(486006)(8676002)(5660300001)(6346003)(11346002)(316002)(476003)(81156014)(102836004)(97736004)(6436002)(58126008)(2900100001)(6512007)(26005)(446003)(6246003)(53546011)(186003)(6506007)(256004)(81166006)(14444005)(83716003)(6486002)(36756003)(110136005)(106356001)(99286004)(478600001)(8936002)(3846002)(4326008)(14454004)(54906003)(86362001)(93886005)(6116002)(2906002)(68736007)(33656002)(105586002)(82746002)(229853002)(5250100002); DIR:OUT; SFP:1102; SCL:1; SRVR:DM6PR05MB4601; H:DM6PR05MB4665.namprd05.prod.outlook.com; FPR:; SPF:None; LANG:en; PTR:InfoNoRecords; MX:1; A:1;
received-spf: None (protection.outlook.com: juniper.net does not designate permitted sender hosts)
x-microsoft-antispam-message-info: Hv07TEHFxW3eNzdVkyMURvUjIZEWMA6+EWkzP64DITiX2EanIwDyKtys8a4IyAbnPtehH5z40ClAYvzjeyyKxA6tUCi3r08e6xj2Ns8i+bgQ4vyVS22FHj6ATrzGDxPdynQkmu3WCVKvu93p3/UwB5HCSbLqtdphU70pLUb3XcOabnyPfC1IwVN4GImmaVz9ZooxMj2bLzajt8faMrsIzoDlORqnvwVBuFfnj4wnTLOps+so8cEdyzd486V1ydWQn5IU23rGUhlhMRivV9xPy4kC4y8Yrv4TuPq8A8cvxqJjIYqhD9Vj1ZqKHKFwgfOOzKpNDslGvKOohHebGNXER6nGgX9mf/LryNZTCJqxBZs=
spamdiagnosticoutput: 1:99
spamdiagnosticmetadata: NSPM
Content-Type: text/plain; charset="utf-8"
Content-ID: <B4FBD54EBBB2C5468DBFD0E81B8FE1AF@namprd05.prod.outlook.com>
Content-Transfer-Encoding: base64
MIME-Version: 1.0
X-OriginatorOrg: juniper.net
X-MS-Exchange-CrossTenant-Network-Message-Id: 69c66f43-7b54-45c1-7f68-08d61d97f3b9
X-MS-Exchange-CrossTenant-originalarrivaltime: 18 Sep 2018 18:52:58.4510 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: bea78b3c-4cdb-4130-854a-1d193232e5f4
X-MS-Exchange-Transport-CrossTenantHeadersStamped: DM6PR05MB4601
X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10434:, , definitions=2018-09-18_07:, , signatures=0
X-Proofpoint-Spam-Details: rule=outbound_spam_notspam policy=outbound_spam score=0 priorityscore=1501 malwarescore=0 suspectscore=0 phishscore=0 bulkscore=0 spamscore=0 clxscore=1015 lowpriorityscore=0 mlxscore=0 impostorscore=0 mlxlogscore=999 adultscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.0.1-1807170000 definitions=main-1809180183
Archived-At: <https://mailarchive.ietf.org/arch/msg/netconf/h2ZChNIX2uETzc-5axFxyeMYCk0>
Subject: Re: [Netconf] Mandatory local configuration in Keystore groupings
X-BeenThere: netconf@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Network Configuration WG mailing list <netconf.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/netconf>, <mailto:netconf-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/netconf/>
List-Post: <mailto:netconf@ietf.org>
List-Help: <mailto:netconf-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/netconf>, <mailto:netconf-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 18 Sep 2018 18:53:08 -0000

I like Martin's "twist" - I don't view it as an extreme hardship (the 1% case), and I prefer (C) for supporting "require-instance true" as well as having one less action.  So, let's go with (C).

Martin, you mentioned some details might be wrong, are they wrong in (C)?  - I'd like to have it right when posting the next update...

Balazs, the desire to reference an IDevID could be from any SSH/TLS-based app, it would be hard to know in advance where.  No matter, with (C)+twist, we can have "require-instance true" always.

Kent // contributor


-----Original Message-----

Hi,

I'd just emphasize that in creation step of hidden key, the name must be coordinated between step A/1&2 by external application logic. Same holds for deletion of hidden key for A/1&2. "Same name" is important.

Enabling the possibility for 'require instance true' would be also good remark on the side of (C).

Regarding manufactured keys, I would not expect manufactured keys to be used in other common models, such as in TLS/SSH use cases. If they have some specific use case, maybe those models could either have 'require instance false' or it could be said to create an empty key for them as Martin described.

Br,
Balazs

-----Original Message-----
From: Martin Bjorklund <mbj@tail-f.com> 
Sent: Tuesday, September 18, 2018 9:02 AM
To: kwatsen@juniper.net
Cc: Balázs Kovács <balazs.kovacs@ericsson.com>; Balázs Lengyel <balazs.lengyel@ericsson.com>; netconf@ietf.org
Subject: Re: [Netconf] Mandatory local configuration in Keystore groupings

Hi,

Ok, so we have these two alternatives illustrated below.  There are some details that probably are wrong, but it doesn't really matter at this stage.  With (A), there is one more action to control the lifespan of keys (delete-hidden-key).

In the case that the key is given as config, A and C works in the same way.

In the case that the key is permanent, A and C also works in the same way.

A and C differ in how hidden keys are handled.


In order to create a hidden key + certificate, the steps are:

A:  1. call generate-hidden-key with a given name
    2. create an asymmetric-key with the same name in the config
    3. call generate-certificate-signing-request
    4. <get hold of a cert>
    5. create the certificate in the config

(step 1 and 2 can be done in reverse order)

C   1. create an asymmetric-key in the config
    2. call generate-hidden-key on this key
    3. call generate-certificate-signing-request
    4. <get hold of a cert>
    5. create the certificate in the config

In order to delete a hidden key completely:

A:  1. call delete-hidden-key on the asymmetric-key to be deleted
    2. delete the asymmetric-key from the config

C:  1. delete the asymmetric-key from the config



In summary, they are very similar.

One possible twist that probably works best for C could be to use leafrefs with require instance true, and say that in order to use a permanent key (created during manufacturing), you first need to create config for the key (more or less empty config).  The benefit is that we get proper leafref validation (no dangling pointers to handle in all other models).  FWIW, this is the approach taken in ietf-interfaces.

If we don't do this twist, I think that we can use either of A and C.



/martin




Kent Watsen <kwatsen@juniper.net> wrote:
> 
> > With (A), once you have generated the key, you first have to create
> > the config for it, then invoke the action.   With (C) (99% of) the 
> > keys already exist in the config, so you can just invoke the action.
> 
> I don't follow.  What I see is that, with (A), a hidden key can be 
> created with a single action invocation while, with (C), first a 
> configuration operation is needed to create the "asymmetric-key"
> (without the three leafs) followed by an action invocation (to 
> populate the three leafs).
> 
> 
> > To summarize, A and C both get the job done.  Which one is better is 
> > probably subjective.  I think (C) is might be easier to understand.
> 
> Okay, let's see how it looks.  Bubbling all the ideas to the top, I 
> created the below tree-diagrams.  Note, in both cases, the three 
> "mandatory true" leafs are replaced with an all-or-nothing "must"
> expression:
> 
> 
> (A) Uses RFC 8342 Section C.3.2 style config overlays for all hidden keys;
>     and an action statement is used to delete all hidden keys.
> 
>      +--rw keystore
>         +--rw asymmetric-keys
>            +--rw asymmetric-key* [name]
>            |  +--rw name                            string
>            |  +--rw algorithm?                      ct:key-algorithm-ref
>            |  +--rw public-key?                     binary
>            |  +--rw private-key?                    union
>            |  +---m "(algorithm and public-key and private-key)
>            |  |       or not (algorithm or public-key or private-key)";
>            |  +--rw certificates
>            |  |  +--rw certificate* [name]
>            |  |     +--rw name                      string
>            |  |     +--rw cert                      ct:end-entity-cert-cms
>            |  |     +---n certificate-expiration
>            |  |        +-- expiration-date?         yang:date-and-time
>            |  +---x generate-certificate-signing-request
>            |  |  +---w input                        // KEY MAY BE IN <OPERATONAL>
>            |  |  |  +---w subject                   binary
>            |  |  |  +---w attributes?               binary
>            |  |  +--ro output
>            |  |     +--ro certificate-signing-request    binary
>            |  +---x delete-hidden-key
>            |        // no params
>            +---x generate-hidden-key
>            |  +---w input                           // RESULT IN <OPERATONAL>
>            |     +---w name                         string
>            |     +---w algorithm                    ct:key-algorithm-ref
>            +---x load-hidden-key
>               +---w input                           // RESULT IN <OPERATONAL>
>                  +---w name                         string
>                  +---w algorithm                    ct:key-algorithm-ref
>                  +---w public-key                   binary
>                  +---w private-key                  union
> 
> 
> (C) Uses RFC 8342 Section C.3.2 style config overlays only for hidden keys
>     created in <operational> (i.e., during manufacturing).  But if there is
>     even just one key created during Manufacturing, and it doesn't appear
>     in <intended>, then leafrefs still need to be "require-instance false",
>     right? Also, it seems that such keys could never be deleted, unlike 
>     other hidden keys, but that is probably okay (correct behavior).
> 
>      +--rw keystore
>         +--rw asymmetric-keys
>            +--rw asymmetric-key* [name]
>               +--rw name                            string
>               +--rw algorithm?                      ct:key-algorithm-ref
>               +--rw public-key?                     binary
>               +--rw private-key?                    union
>               +---m "(algorithm and public-key and private-key)
>               |       or not (algorithm or public-key or private-key)";
>               +--rw certificates
>               |  +--rw certificate* [name]
>               |     +--rw name                      string
>               |     +--rw cert                      ct:end-entity-cert-cms 
>               |     +---n certificate-expiration
>               |        +-- expiration-date?         yang:date-and-time
>               +---x generate-hidden-key
>               |  +---w input                        // RESULT IN <OPERATONAL>
>               |     +---w name                      string
>               |     +---w algorithm                 ct:key-algorithm-ref
>               +---x load-hidden-key
>               |  +---w input                        // RESULT IN <OPERATONAL>
>               |     +---w name                      string
>               |     +---w algorithm                 ct:key-algorithm-ref
>               |     +---w public-key                binary
>               |     +---w private-key               union
>               +---x generate-certificate-signing-request
>                  +---w input                        // KEY MAY BE IN <OPERATONAL>
>                  |  +---w subject                   binary
>                  |  +---w attributes?               binary
>                  +--ro output
>                     +--ro certificate-signing-request    binary
> 
> 
> 
> 
> Kent // contributor
> 
> 
>

v2.23.0 | Report a Bug | By Email