IETF Logo Mail Archive

Re: [netconf] AD review of draft-ietf-netconf-trust-anchors-20

Kent Watsen <kent+ietf@watsen.net> Mon, 03 July 2023 17:10 UTC

Return-Path: <010001891cbc06e6-f3f1a7f5-c772-4517-a3ac-7c4c041351dc-000000@amazonses.watsen.net>
X-Original-To: netconf@ietfa.amsl.com
Delivered-To: netconf@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 97E14C15107C; Mon, 3 Jul 2023 10:10:37 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.885
X-Spam-Level:
X-Spam-Status: No, score=-1.885 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_BLOCKED=0.001, RCVD_IN_MSPIKE_H2=-0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_KAM_HTML_FONT_INVALID=0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=amazonses.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id LdYpD6Lv8hVj; Mon, 3 Jul 2023 10:10:36 -0700 (PDT)
Received: from a48-95.smtp-out.amazonses.com (a48-95.smtp-out.amazonses.com [54.240.48.95]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 0C6C3C151079; Mon, 3 Jul 2023 10:10:32 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/simple; s=224i4yxa5dv7c2xz3womw6peuasteono; d=amazonses.com; t=1688404232; h=From:Message-Id:Content-Type:Mime-Version:Subject:Date:In-Reply-To:Cc:To:References:Feedback-ID; bh=mSUxvUHiImsCdnkQApaTUoo5EU53DxSw12se+SEoyTc=; b=WNAy2nzDB7lV3rR6diwA8VGlJpXvg7iSVGxZcOh2hYG/U4aIAd1A0FWn6e5Uacn/ +LzVs9M1ufN4Sic6jFOj50tBECxww1BLBu84fvU4x+kKKwQ4AFMFT1lDCXrXvQYaczE iHdv2pnOBZQ7zXCEad94H+qUnIJLSioeqI4AR7hM=
From: Kent Watsen <kent+ietf@watsen.net>
Message-ID: <010001891cbc06e6-f3f1a7f5-c772-4517-a3ac-7c4c041351dc-000000@email.amazonses.com>
Content-Type: multipart/alternative; boundary="Apple-Mail=_D1DF2344-C250-4C61-A589-ADC2839D3AE4"
Mime-Version: 1.0 (Mac OS X Mail 16.0 \(3731.600.7\))
Date: Mon, 03 Jul 2023 17:10:31 +0000
In-Reply-To: <BY5PR11MB4196075FD7486BD1E2097A7CB523A@BY5PR11MB4196.namprd11.prod.outlook.com>
Cc: "netconf@ietf.org" <netconf@ietf.org>, "draft-ietf-netconf-trust-anchors.all@ietf.org" <draft-ietf-netconf-trust-anchors.all@ietf.org>
To: "Rob Wilton (rwilton)" <rwilton@cisco.com>
References: <BY5PR11MB419685E4DE8012B1050759DBB5869@BY5PR11MB4196.namprd11.prod.outlook.com> <0100018719a4bdbb-3411052b-bab3-4aa6-b888-09fec65d0504-000000@email.amazonses.com> <BY5PR11MB4196075FD7486BD1E2097A7CB523A@BY5PR11MB4196.namprd11.prod.outlook.com>
X-Mailer: Apple Mail (2.3731.600.7)
Feedback-ID: 1.us-east-1.DKmIRZFhhsBhtmFMNikgwZUWVrODEw9qVcPhqJEI2DA=:AmazonSES
X-SES-Outgoing: 2023.07.03-54.240.48.95
Archived-At: <https://mailarchive.ietf.org/arch/msg/netconf/juCzTA_59OWro8SAAroJjUX9jAM>
Subject: Re: [netconf] AD review of draft-ietf-netconf-trust-anchors-20
X-BeenThere: netconf@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: NETCONF WG list <netconf.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/netconf>, <mailto:netconf-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/netconf/>
List-Post: <mailto:netconf@ietf.org>
List-Help: <mailto:netconf-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/netconf>, <mailto:netconf-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 03 Jul 2023 17:10:37 -0000

Hi Rob,

> On Jun 23, 2023, at 6:35 AM, Rob Wilton (rwilton) <rwilton@cisco.com> wrote:
> 
> Hi Kent,
> 
> And replies to your comments on this draft as well are inline ...

Thank you.



> From: Kent Watsen <kent+ietf@watsen.net>
> Sent: 25 March 2023 16:41
> To: Rob Wilton (rwilton) <rwilton=40cisco.com@dmarc.ietf.org>
> Cc: netconf@ietf.org; draft-ietf-netconf-trust-anchors.all@ietf.org
> Subject: Re: [netconf] AD review of draft-ietf-netconf-trust-anchors-20
> 
> Hi Rob,
> 
> Thank you for your review!
> Please see below for comments.
> 
> Kent // author
> 
> 
> 
> 
> On Mar 22, 2023, at 5:51 AM, Rob Wilton (rwilton) <rwilton=40cisco.com@dmarc.ietf.org<mailto:rwilton=40cisco.com@dmarc.ietf.org>> wrote:
> 
> Hi Kent,
> 
> Here are my review comments for draft-ietf-netconf-trust-anchors.  This document is also well written, so I would like to thank you, the shepherd, and WG for a high-quality document.
> 
> As before, I have a few comments, but will note that I'm not a security expert and hence some of my questions/comments may be due to my security ignorance ...
> 
> I really think that the key question about copying the certificates into running, and also how that will play with system datastore.  Further details inline below, but I will also flag this as an email to Netmod.  Hopefully there will be some time to discuss this.

Regarding the key question.

Section 3 <https://datatracker.ietf.org/doc/html/draft-ietf-netconf-trust-anchors-21#section-3> says:

The primary characteristic of the built-in trust anchors is that they are provided by the server, as opposed to configuration. As such, they are present in <operational>, and <system> [I-D.ietf-netmod-system-config <https://datatracker.ietf.org/doc/html/draft-ietf-netmod-system-config-01>], if implemented.

That is, I think that it is out-of-scope for this draft.  Whatever solution the system-config draft identifies (including if the WG decides to not support offline-validation, and therefore discards the need to copy system data into <running> entirely) is perfectly fine.   From an AD-review perspective, do you see a need to update to this draft in any way? 



As for “system-config” being discussed In NETMOD, the draft currently says (or will say) when system config is copied into <running>, only the “key” fields (i.e., a cert’s name) need to be copied.  If a software-update changes the value of a trust-anchor while leaving the trust-anchor’s name the same, the clients are blissfully unaware.

The guidance the system-config draft is providing (or will provide) is that only necessary nodes (keys, and nodes referenced by “must” or “when” expressions) need to be copied.  But that language does not preclude the client from copying *all* the nodes, in which case the cert-data *would* be copied  and, if updated via a software-upgrade, could be out of date.  

Two options:

1) The system-draft says non-necessary fields MUST NOT be copied into <running>.  This may be difficult to enforce, but I believe it’s viable.

2) The system-draft says that it is the server’s responsibility to migrate the data in running/startup/candidate during a software update.

Thoughts?  (Again noting that this convo should be on the NETMOD list)



> I agree with the sentiment.  Specifically, given the understanding:
>   * for <system> before YANG-next: nodes are always coped into <running>.
>   * for <system> after YANG-next: nodes are coped into <running> only when needed.
> 
> But maybe we can spin it towards the future, by assuming NMDA will be fully realized someday?
> 
>   Built-in bags of trust anchors and/or specific trust anchors, that
>   are referenced by configutation (e.g., a "leafref"), MUST be present
>   in a datastore in order for the datastore to be valid.  For instance,
>   built-in nodes originating in <system> (from
>   [I-D.ietf-netmod-system-config]) will (per [RFC8342]) implicitly
>   propogate to <intended>, ensuring references to them will be resolved
>   in <intended>.
> 
> Actually, given that the "system-config" draft is now adopted (it didn't even exist when that text was first written), this draft could more broadly replace "built-in" with "system-defined" (no need for another term, right?) and then delete the next three paragraphs (as the mechanics should be defined in the system-config draft):

> [Rob Wilton (rwilton)]
> Thinking about this over the last couple of days, I wonder if it is better just to say less, and only say (note fixed typo for 'configutation') :
> 
>   Built-in bags of trust anchors and/or specific trust anchors, that
>   are referenced by configuration (e.g., a "leafref"), MUST be present
>   in a datastore in order for the datastore to be valid.

Updated. This item is resolved.


> I think that this paragraph may also be worth keeping:
> 
>   Built-in bags and/or their trust anchors MAY be copied into other
>   parts of the configuration but, by doing so, they lose their
>   association to the built-in entries and any assurances afforded by
>   knowing they are/were built-in.
> 
> But then removing the other two paragraphs, as you suggest.
> 
> 
> ===START: these 3 paragraphs could be removed===
> 
> 
>   The built-in bags and/or their trust anchors MUST be copied into
>   <running> using the same "key" values if it is desired for the server
>   to maintain/update them (e.g., a software update may update a bag of
>   trusted public CA certificates used for TLS-client connections).
> 
>   Built-in bags and/or their trust anchors MAY be copied into other
>   parts of the configuration but, by doing so, they lose their
>   association to the built-in entries and any assurances afforded by
>   knowing they are/were built-in.
> 
>   The built-in bags and/or their trust anchors are immutable by
>   configuration operations.  Servers MUST ignore attempts to modify any
>   aspect of built-in bags and/or their trust anchors from <running>.
> 
> ===STOP: these 3 paragraphs could be removed===
> 
> 
> Thoughts?

Removed the other two paragraphs. This item is resolved.




>>> (2) p 28, sec 3.  Support for Built-in Trust Anchors
>>> 
>>>  The built-in bags and/or their trust anchors are immutable by
>>>  configuration operations.  Servers MUST ignore attempts to modify any
>>>  aspect of built-in bags and/or their trust anchors from <running>.
>>> 
>>> Is this really MUST ignore, or MUST reject?  I.e., Should they be rejecting any configuration attempt to modify the built-in bags and/or their trust anchors?  I think that this behaviour is consistent with the system datastore draft, but we should check.
>> 
>> Reject sounds more proper.  That said, this is one of the paragraphs I suggest removing, punting such mechanics to the system draft (and its continuations).
> [Rob Wilton (rwilton)]
> Yes, I agree to removing this.

Paragraph removed.  This item is resolved.





>>> But I guess that you also have the issue that if the trust anchors are completely copied into running and the trust store is subsequently updated out of band, then the certificates in the configuration differ from what is in trust-store (and hence system), and this is presumably an example of when they should be ignored.
>>> 
>>> My current expectation is that the system datastore will probably say that the running configuration always overrides the configuration in the system datastore, but this starts to look like a counter example, which potentially means that it may require special handling.
>> 
>> This is where the "immutable-flag" draft comes into play, so that it's clear when not allowed, and it shouldn't be allowed here.  If running wishes to use a different trust-anchor, then it should define a new trust-anchor and point to it, instead of hacking the built-in trust-anchor.
>> 
>> 
>> 
>>> Finally, are they still immutable even if copied into other parts of the configuration?  Presumably not, since at the point they are copied they lose their association with the built-in trust anchors.
>> 
>> No and true.  But then again, as soon as they're copied somewhere else in the config, they lose all history/association of having originated from a built-in, and therefore there's no need for the immutability to continue.
>> 
>> 
>> 
>> 
>>> (3) p 32, sec 6.2.  Informative References
>>> 
>>>  [I-D.ietf-netconf-trust-anchors]
>>>             Watsen, K., "A YANG Data Model for a Truststore", Work in
>>>             Progress, Internet-Draft, draft-ietf-netconf-trust-
>>>             anchors-19, 19 October 2022,
>>>             <https://datatracker.ietf.org/doc/html/draft-ietf-netconf-
>>>             trust-anchors-19<https://datatracker.ietf.org/doc/html/draft-ietf-netconf-%0b             trust-anchors-19>>.
>>> 
>>> The same comment as for the other drafts about a document not referencing itself also applies here.
>> 
>> Please see my response to your similar comment in the crypto-types draft review regarding the Editor's Note.
> [Rob Wilton (rwilton)]
> Ack.  I think that the same solution is needed here, i.e., slightly clearer instructions to the RFC editor.

Done. This item is resolved.



>>> Minor level comments:
>>> 
>>> (4) p 3, sec 1.  Introduction
>>> 
>>>     Provide groupings that enable raw public keys and certificates to
>>>     be configured locally or as references truststore instances.
>>>     Enable the truststore to be instantiated in other data models, in
>>>     addition to or in lieu of the central truststore instance.
>>> 
>>> Would it be helpful to have a brief sentence in this document, and perhaps the keystore document that highlights the main differences between keystore and truststore.  Alternatively, you could reference another document that defines these.
>> 
>> 
>> Yes, it would be helpful, but folks can also read the abstracts of both docs, yes?
>> 
>> Also, all the first-page results from googling "truststore vs keystore" are accurate, AFAICT, suggesting that these are reasonably well-known concepts

Rob, your email ended here.  Did you have a comment to make on this item?  Beware that my response to you that you’re responding to contained even more items after this one.   Additionally, I noticed formatting issues in that the quote-levels weren’t being set (I reset them manually above).  Together, I wonder if your full-response was sent to the list…

Kent

v2.23.0 | Report a Bug | By Email