IETF Logo Mail Archive

Re: [Netconf] Mandatory local configuration in Keystore groupings

Balázs Kovács <balazs.kovacs@ericsson.com> Wed, 29 August 2018 08:22 UTC

Return-Path: <balazs.kovacs@ericsson.com>
X-Original-To: netconf@ietfa.amsl.com
Delivered-To: netconf@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id DB9DF12F1A2 for <netconf@ietfa.amsl.com>; Wed, 29 Aug 2018 01:22:37 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.332
X-Spam-Level:
X-Spam-Status: No, score=-3.332 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FROM_EXCESS_BASE64=0.979, RCVD_IN_DNSWL_MED=-2.3, SPF_PASS=-0.001, T_DKIMWL_WL_HIGH=-0.01] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=ericsson.com header.b=K5LKqq5V; dkim=pass (1024-bit key) header.d=ericsson.com header.b=D4Um18qJ
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id U_Bl2XPUSPGu for <netconf@ietfa.amsl.com>; Wed, 29 Aug 2018 01:22:35 -0700 (PDT)
Received: from sesbmg22.ericsson.net (sesbmg22.ericsson.net [193.180.251.48]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 2EB1E126CC7 for <netconf@ietf.org>; Wed, 29 Aug 2018 01:22:34 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; d=ericsson.com; s=mailgw201801; c=relaxed/simple; q=dns/txt; i=@ericsson.com; t=1535530953; h=From:Sender:Reply-To:Subject:Date:Message-ID:To:CC:MIME-Version:Content-Type: Content-Transfer-Encoding:Content-ID:Content-Description:Resent-Date:Resent-From: Resent-Sender:Resent-To:Resent-Cc:Resent-Message-ID:In-Reply-To:References:List-Id: List-Help:List-Unsubscribe:List-Subscribe:List-Post:List-Owner:List-Archive; bh=8z0CuYhMKkjeDI1UXiD6Jy7TfOSEihvrL2CUCAKi29E=; b=K5LKqq5VfU2qtKFOVUw1ezyzWd3fzNb4/dwDcrWBHacLh/GRppdcvdwr4Ne581jp g9iGLyxUxs7s0MNNhmzKqCFopQQ0doeIGX9Xz/70VxN71EW2bVH3ygKJGwsnmTLR 7ixMB1q4jbfbP5wkJLEC6lzVUb37iGyfQu+krHEwFT4=;
X-AuditID: c1b4fb30-fe1ff700000055da-d0-5b8657c90f9a
Received: from ESESBMB504.ericsson.se (Unknown_Domain [153.88.183.117]) by sesbmg22.ericsson.net (Symantec Mail Security) with SMTP id 39.14.21978.9C7568B5; Wed, 29 Aug 2018 10:22:33 +0200 (CEST)
Received: from ESESBMB504.ericsson.se (153.88.183.171) by ESESBMB504.ericsson.se (153.88.183.171) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P256) id 15.1.1466.3; Wed, 29 Aug 2018 10:22:33 +0200
Received: from EUR01-DB5-obe.outbound.protection.outlook.com (153.88.183.157) by ESESBMB504.ericsson.se (153.88.183.171) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P256) id 15.1.1466.3 via Frontend Transport; Wed, 29 Aug 2018 10:22:32 +0200
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ericsson.com; s=selector1; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=8z0CuYhMKkjeDI1UXiD6Jy7TfOSEihvrL2CUCAKi29E=; b=D4Um18qJSO1rn7+rltdUkjB3Z6uuUmNrfLSHVlV53dMoKu30aH0C0FCCiP8Rco+xLVqZ0KDq2VeOPpEzFv0+XM/9E1VsB0MhyH9lcHL1TGfc5q8TpeQi+sgLYzRtRHflOKszXhVmcp3cDzgio1hjyQZlgiDNg+xh/KO0/ljI5ZM=
Received: from VI1PR0701MB2016.eurprd07.prod.outlook.com (10.167.209.150) by VI1PR0701MB2656.eurprd07.prod.outlook.com (10.173.78.150) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.1101.9; Wed, 29 Aug 2018 08:22:31 +0000
Received: from VI1PR0701MB2016.eurprd07.prod.outlook.com ([fe80::bd7a:c3c7:f6f1:4e9]) by VI1PR0701MB2016.eurprd07.prod.outlook.com ([fe80::bd7a:c3c7:f6f1:4e9%3]) with mapi id 15.20.1101.007; Wed, 29 Aug 2018 08:22:31 +0000
From: Balázs Kovács <balazs.kovacs@ericsson.com>
To: Kent Watsen <kwatsen@juniper.net>, Martin Bjorklund <mbj@tail-f.com>, Balázs Lengyel <balazs.lengyel@ericsson.com>
CC: "netconf@ietf.org" <netconf@ietf.org>
Thread-Topic: [Netconf] Mandatory local configuration in Keystore groupings
Thread-Index: AQHUE4npYduSZhsf/U2Th8xceQbCUaSAzHaAgEmH34CAAG1ZgIAA+nAAgAPuH4CAA+yKAIABAxSAgAB6cACAAHFXIIAAWSCAgADMp9A=
Date: Wed, 29 Aug 2018 08:22:30 +0000
Message-ID: <VI1PR0701MB20167F4B50F4D92FA34A79AC83090@VI1PR0701MB2016.eurprd07.prod.outlook.com>
References: <28C3C2C7-22BE-4425-A26C-4A777FA68A95@juniper.net> <20180827.102118.630809612057220140.mbj@tail-f.com> <AD108D78-8E5D-429B-AFA9-8C84430F5186@juniper.net> <20180828.090648.398453385489817261.mbj@tail-f.com> <VI1PR0701MB2016F2754609FAEC242C9D51830A0@VI1PR0701MB2016.eurprd07.prod.outlook.com> <C08E28A2-DB24-4456-969F-695F3EF8701D@juniper.net>
In-Reply-To: <C08E28A2-DB24-4456-969F-695F3EF8701D@juniper.net>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [89.135.192.225]
x-ms-publictraffictype: Email
x-microsoft-exchange-diagnostics: 1; VI1PR0701MB2656; 6:Y2yTPgA2wXp5a5iUNNMxZfohHc6Xj9JJxzWXODBiyi0VFPrqmu4ohf3DfqXL/HhEMF/Y2XOSTMvXFq6dC2Y93WZvWGgEAc54x7o8Gggw8rmjXVaqFbCMjCCFQTgGz88UWrdCqv5bKpPa+zuTkYqVXFH679JKVF+G4P8sPiHadkfnpGKhPW9qMyrMdftIRuhd2yVUkelOt/1lXxixMP63r+gw7EsQX8ZZdpmXLvtMMe9A3hYImkbhMoDsZwrFO9XqIPTg4v67PEUC03a1wyKijwUAq3UKnzaKLja+T3hholsDfQ76B4sFIp1E45IgE81BCC22HZj3qmcE0fRR9Del1zT0PtdHG73Z47ghMJgd0ppkPVhvIC7zxNEfLWcnD5B27XyadKTvzGACaGa/4u2oB4hl2NQm0peHjdZ1+rjxFuB3dTMDU4VlHFXS7wzYJx9EXl9ZGblx74T+3vsMAzXeiw==; 5:tmJIpN58I5ccLc9ueOWYbbETZ+Sx88SRjw/chJysbHgZODthxdCHRxBJ379F418Mjzdd4aanbGP1+mfVCLnysQKba2P0tErlqk1JDhbdwaxrFrZxfpKaGUqRkpRYdpG1U9HA/YSiT77AChyzowdQLpjFBV2Rsl9O7NqrNjyX58Q=; 7:GcSZeX2O/FDZ76q4zHsjOIoqPw9VQISq77Jjvq6rixYG46NSHEP62cVDUnXwHL5nkLeKysFIeGZkCSISdMTho2DVsPjPHEzqS30Ik8I3WRtT5B1ThfBtJ2Kyx/IlN4YXKWdCX0jnTvVl+ovcnY0HP+gBe+0Q+yfinDeanjXsbDO4VkaK9wsJ8T5gjTH/J9mgrJYidd1KmXK/LNhPH8mv5aZzrJeN//ZXdkJQ5CvciOvD/7gpLCdGkWw9em7l4CIB
x-ms-exchange-antispam-srfa-diagnostics: SOS;SOR;
x-forefront-antispam-report: SFV:SKI; SCL:-1; SFV:NSPM; SFS:(10009020)(366004)(376002)(346002)(396003)(39860400002)(136003)(199004)(189003)(13464003)(85202003)(81156014)(14444005)(186003)(486006)(6246003)(476003)(74316002)(8936002)(305945005)(7736002)(25786009)(4326008)(86362001)(316002)(53546011)(97736004)(229853002)(11346002)(5250100002)(99286004)(76176011)(68736007)(33656002)(6506007)(256004)(105586002)(6436002)(106356001)(7696005)(110136005)(26005)(2900100001)(9686003)(102836004)(5660300001)(93886005)(66066001)(6636002)(55016002)(53936002)(3846002)(6116002)(14454004)(478600001)(81166006)(1941001)(85182001)(2906002)(446003)(8676002); DIR:OUT; SFP:1101; SCL:1; SRVR:VI1PR0701MB2656; H:VI1PR0701MB2016.eurprd07.prod.outlook.com; FPR:; SPF:None; LANG:en; PTR:InfoNoRecords; A:1; MX:1;
x-ms-office365-filtering-correlation-id: 104270ce-8912-4d12-f01f-08d60d889082
x-microsoft-antispam: BCL:0; PCL:0; RULEID:(7020095)(4652040)(8989137)(4534165)(4627221)(201703031133081)(201702281549075)(8990107)(5600074)(711020)(2017052603328)(7153060)(7193020); SRVR:VI1PR0701MB2656;
x-ms-traffictypediagnostic: VI1PR0701MB2656:
authentication-results: spf=none (sender IP is ) smtp.mailfrom=balazs.kovacs@ericsson.com;
x-microsoft-antispam-prvs: <VI1PR0701MB2656342E9A0553FF30AFD6FB83090@VI1PR0701MB2656.eurprd07.prod.outlook.com>
x-exchange-antispam-report-test: UriScan:(37575265505322)(138986009662008)(248295561703944);
x-ms-exchange-senderadcheck: 1
x-exchange-antispam-report-cfa-test: BCL:0; PCL:0; RULEID:(8211001083)(6040522)(2401047)(8121501046)(5005006)(823301075)(93006095)(93001095)(3231340)(944501410)(52105095)(3002001)(10201501046)(149027)(150027)(6041310)(20161123558120)(20161123560045)(20161123562045)(201703131423095)(201702281528075)(20161123555045)(201703061421075)(201703061406153)(20161123564045)(201708071742011)(7699049)(76991033); SRVR:VI1PR0701MB2656; BCL:0; PCL:0; RULEID:; SRVR:VI1PR0701MB2656;
x-forefront-prvs: 077929D941
received-spf: None (protection.outlook.com: ericsson.com does not designate permitted sender hosts)
x-microsoft-antispam-message-info: kwpHeJqpYpZhw62WzCTnLlKlldw33ZJ3TlvdE5CgEgI3zTC6LKd6xCdhk8mNsvTzStABoY23boT2RGP3dJp64hyPBg1sev7RYv01c+zaLYhxnX1JxUxB5Guo4m+5D/0urffpRpsdFQ96WxPpUVFyewsjvovRsAA3qR9HoLcBBEfE/q2CyfPl2B9a9dOb/kUXbaWjQqftuV+qYQai2D1RCl736SISB7G3AIXwHSo9eZ+Kz4qPb4+Tw8DtLTUpFZJ217x4HO1UBitsPg+8PyElWCzo9KqXKeB/nlJPWSgRQ72R6Ge9xwi8ya9jdygcX8QfcNDoCEFXHD+MKTVpq4cKPtEDPDi42QXSfIiVQES6i2c=
spamdiagnosticoutput: 1:99
spamdiagnosticmetadata: NSPM
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: base64
MIME-Version: 1.0
X-MS-Exchange-CrossTenant-Network-Message-Id: 104270ce-8912-4d12-f01f-08d60d889082
X-MS-Exchange-CrossTenant-originalarrivaltime: 29 Aug 2018 08:22:31.0092 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 92e84ceb-fbfd-47ab-be52-080c6b87953f
X-MS-Exchange-Transport-CrossTenantHeadersStamped: VI1PR0701MB2656
X-OriginatorOrg: ericsson.com
X-Brightmail-Tracker: H4sIAAAAAAAAA02Sa0hTYRjHe8852zmTRq9L88HqQwMJw3t+mBld6MuwJmVEoZZbetCZOtlR mQWhRUZbiOLMlJmGoygVS2WKtLyQ2vZBlyDlJSEVTSekBJVK2c7OCfr2+7//587LkIpKSSij LyhijQW6PKU0gKq/0lMc6bpckRbjmATVgI1WWSxLtKq2c0ZyilTb7ZuE+uOdSVr9equFOk+m BhzPYvP0Jawx+oQ2IMcxQhfOJ5jGbFa6DNlVZiRjAMfDt0GH1IwCGAUeRjC03IME8QOB592W RBB2Ap47vQQvKFxFwmhnh5hTR8D7mR0xbBHB+tt5KV9Zis/A+NcFf0oQNiNYmmokeIPE4dD+ e4PkeS9Ogj7nDOI5CJ+Fh5Z+SuASaPpu9ReicBgMPvL6Y+RYC7VPzGJrLwEtazafYBgZPgnt 99V8DML74Ke7TewVAtOLTYSwKgb7m3FS4GBYWfgjEVgJj1enRT4IE00W/wUAD9Cw1lVDC0Ys jL7oJwXDLAWX1y1W0oDnqUdkF4KRPgU/EOAIcI9dFAa6Cr3eWbGOARon1pHA6bDmXJBUodiG /2Zt8GXzN+roixaeD4HV8oVu8K8fCK76RaoZUS9RMMdy1/Oz4+KiWKM+k+MMBVEFbFEn8v2S we7tmF60snx6CGEGKXfLP5yrSFNIdCVcaf4QAoZUBslTYnxP8ixd6U3WaMgwFuex3BDaz1DK ELkquStVgbN1RewNli1kjf9cgpGFlqF47b1buyof6DU1R1sPp3jmPmVV346eY/aUxGnKcwzp db8uNE85nPS1nUTbM0aT+1nfvq201W9Mbh4ORLKxyFyidWU7vNs6n+DtdbYdk65Xz8q0RZeW ueQk0wFTxiv1XeswWR2WXxYbudrulmsSl1zTi+V5mQZTd0XlZgcdoaS4HF3sEdLI6f4CKIdG RSEDAAA=
Archived-At: <https://mailarchive.ietf.org/arch/msg/netconf/hmPSBxyiZl4IkB0lc1BSiiejEs0>
Subject: Re: [Netconf] Mandatory local configuration in Keystore groupings
X-BeenThere: netconf@ietf.org
X-Mailman-Version: 2.1.27
Precedence: list
List-Id: Network Configuration WG mailing list <netconf.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/netconf>, <mailto:netconf-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/netconf/>
List-Post: <mailto:netconf@ietf.org>
List-Help: <mailto:netconf-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/netconf>, <mailto:netconf-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 29 Aug 2018 08:22:38 -0000

Hi Kent,

See below.
Br,
Balazs

-----Original Message-----
From: Kent Watsen <kwatsen@juniper.net> 
Sent: Tuesday, August 28, 2018 9:11 PM
To: Balázs Kovács <balazs.kovacs@ericsson.com>; Martin Bjorklund <mbj@tail-f.com>; Balázs Lengyel <balazs.lengyel@ericsson.com>
Cc: netconf@ietf.org
Subject: Re: [Netconf] Mandatory local configuration in Keystore groupings



>>> We could define a "load-asymmetric-key" action that has that behavior?
>>
>> Yes; if we decide to support this use case.  What do others think?
>>
> Would this action have 'name' and 'private-key' binary input and the 
> purpose to avoid setting the key via configuration and handling it 
> directly in <operational>? Is it an implementation risk to handle the 
> binary input via configuration but not via action?


The proposed "load-asymmetric-key" action would take 4 mandatory input parameters (name, alg, pub-key, and priv-key) and have no output other than the key showing up in <operational> with the private key "permanently-hidden".

To make things clearer, we might rename these actions to:
  - generate-permanently-hidden-asymmetric-key(...)
  - load-permanently-hidden-asymmetric-key(...)

Yes, use of these actions would be more secure since the private key is thereafter permanently hidden.  If the goal is to have the private key in configuration, then the action should not be used.

Balazs> I preferred the original short name and for me it was clear that this action produces a 'hidden' key. I actually like the idea of changing the 'hardware-protected' enum literal to 'hidden'.

Balazs> I myself just started to realize that you intend to maintain an operational tree that is out-of-sync with the configuration tree. For example, a public key can be determined from the private key. It is ok to require an instance of public key (with must) for a private key, but why is it mandatory to configure it? I did expect the public key filled in either by generate-asymmetric-key action, or by configuring private key. Also the private-key, the public-key, and the algorithm leaves need to be in sync (all valid in respect to the other).

> In our opinion with Balazs L., we think it would be disadvantageous to 
> change the model by ruining the containment relationship between 
> certificate and corresponding asymmetric key.

Can you say some more about this?  Is it mostly that the containment is really intuitive?  That the relationship is linked both ways, whereas a leadref only goes one way?

Balazs> The certificates in keystore are useless without a corresponding private key, so certificates of a key cannot be in the configuration tree once the corresponding key is removed. By the way, how would a private key be removed from <operational> if it does not exist in configuration? If you do it with an action too, how would the corresponding certificates be removed from the configuration?

Martin makes a case for 'B', but he also said that my 'b' was "Better"
but has scaling issues in the general case.  Perhaps we don't worry about the general case here?

Balazs> Was it so? I saw an A and B model, A containing 
must "(algorithm and public-key and private-key)
              or not (algorithm or public-key or private-key)";
and B containing the keys and the certificates in separate container, and a note "I think model B is cleaner".
If I got it well, model A would keep the containment and produce the key name after invoking the action (affecting the configuration tree!?) at least covering the key removal use case properly.

Balazs> If the key generation and load only affects the <operational> only, I would rather vote for model A having the containment relationship between key and certificate(s). Plus, I would also think about the mandatory statements in the configuration tree whether all 4 leaves (name, private-key, public-key, alg) or just name and private key needs to be configured.

> The action of 'generate-asymmetric-key' is typically something that 
> should have effect on the 'running' configuration too (by setting the 
> mandatory leaves) since the user wants to continue working with the 
> result by deploying certificates or anything else related to the 
> created asymmetric key that needs configuration.

Okay, but why use an action at all then?  Everything can be done via standard configuration, right?

Balazs> That is actually a good question. Until the enum had the literal 'hardware-protected' only the configuration use case of the private-key was a bit unclear. Now I assume configuring the private-key as 'hidden' could do the same as generate-private-key, but in that case the operator has no means to configure the public key (the removal of the mandatory condition for the public key could solve this). Regarding 'alg', I guess if hidden private key is asked, then algorithm is an input, but if binary private-key is configured, then it is rather implicit. Would the action be needed then?

Balazs> The action in this case seem to make sense only if the purpose of the actions is really to only affect <operational>. But based on the above, I doubt yet how affecting configuration can be avoided (even with alt A -> to maintain consistent composition of key and cert) I think this question goes back to some YANG principles and is beyond my YANG competence.


Kent // contributor

v2.23.0 | Report a Bug | By Email