IETF Logo Mail Archive

Re: [Netconf] Mandatory local configuration in Keystore groupings

Balázs Kovács <balazs.kovacs@ericsson.com> Tue, 11 September 2018 07:58 UTC

Return-Path: <balazs.kovacs@ericsson.com>
X-Original-To: netconf@ietfa.amsl.com
Delivered-To: netconf@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C37F4126DBF for <netconf@ietfa.amsl.com>; Tue, 11 Sep 2018 00:58:43 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.331
X-Spam-Level:
X-Spam-Status: No, score=-3.331 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FROM_EXCESS_BASE64=0.979, RCVD_IN_DNSWL_MED=-2.3, SPF_PASS=-0.001, T_DKIMWL_WL_HIGH=-0.01, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=ericsson.com header.b=bXZIuf8t; dkim=pass (1024-bit key) header.d=ericsson.com header.b=W9aXzrdS
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id S4xPD_-w0Q4F for <netconf@ietfa.amsl.com>; Tue, 11 Sep 2018 00:58:41 -0700 (PDT)
Received: from sessmg22.ericsson.net (sessmg22.ericsson.net [193.180.251.58]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 6F614130E65 for <netconf@ietf.org>; Tue, 11 Sep 2018 00:58:40 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; d=ericsson.com; s=mailgw201801; c=relaxed/simple; q=dns/txt; i=@ericsson.com; t=1536652718; h=From:Sender:Reply-To:Subject:Date:Message-ID:To:CC:MIME-Version:Content-Type: Content-Transfer-Encoding:Content-ID:Content-Description:Resent-Date:Resent-From: Resent-Sender:Resent-To:Resent-Cc:Resent-Message-ID:In-Reply-To:References:List-Id: List-Help:List-Unsubscribe:List-Subscribe:List-Post:List-Owner:List-Archive; bh=2GjyY5LLAMucfgxxxW3f9wiKexP6pZ6FD+dwj/Vu438=; b=bXZIuf8twlJCKqGSkqN0TjiRgf6buxUDol3hk0RfU7zw6aw5E9gd84qpqgxQbFWN 7RaPBLU69FoW3ls/La0RkOyr4CDaJf2aCfBNMvF0YdWTUMj3+IfwBhGxi+rOXFoU /Ywb5eKrABVGZMH4pQXmxR8EvxZAZWJM2ecrw9FsT0w=;
X-AuditID: c1b4fb3a-2f5ff70000007a64-38-5b9775ae8213
Received: from ESESSMB503.ericsson.se (Unknown_Domain [153.88.183.121]) by sessmg22.ericsson.net (Symantec Mail Security) with SMTP id 5B.63.31332.EA5779B5; Tue, 11 Sep 2018 09:58:38 +0200 (CEST)
Received: from ESESSMB504.ericsson.se (153.88.183.165) by ESESSMB503.ericsson.se (153.88.183.164) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P256) id 15.1.1466.3; Tue, 11 Sep 2018 09:58:38 +0200
Received: from EUR04-HE1-obe.outbound.protection.outlook.com (153.88.183.157) by ESESSMB504.ericsson.se (153.88.183.165) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P256) id 15.1.1466.3 via Frontend Transport; Tue, 11 Sep 2018 09:58:38 +0200
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ericsson.com; s=selector1; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=2GjyY5LLAMucfgxxxW3f9wiKexP6pZ6FD+dwj/Vu438=; b=W9aXzrdSPxzCAwbNTMuCzBB++9ygHBHIKQJFKdrEfaT0UbTxrRvY9pBgfWW7jap8/8FOvDwl+2ksAdlcjrTXq3JgbS0RaKTiwjfiH66gNEOzhC0jVT72BJKnr1zPQQdyHw8k1YARIBZyuc46PQzlOSZAWb7wsmWhf4N9nYJ0gHI=
Received: from VI1PR0701MB2016.eurprd07.prod.outlook.com (10.167.209.150) by VI1PR0701MB2622.eurprd07.prod.outlook.com (10.173.78.140) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.1143.11; Tue, 11 Sep 2018 07:58:37 +0000
Received: from VI1PR0701MB2016.eurprd07.prod.outlook.com ([fe80::bd7a:c3c7:f6f1:4e9]) by VI1PR0701MB2016.eurprd07.prod.outlook.com ([fe80::bd7a:c3c7:f6f1:4e9%4]) with mapi id 15.20.1143.010; Tue, 11 Sep 2018 07:58:36 +0000
From: Balázs Kovács <balazs.kovacs@ericsson.com>
To: Martin Bjorklund <mbj@tail-f.com>, "kwatsen@juniper.net" <kwatsen@juniper.net>
CC: Balázs Lengyel <balazs.lengyel@ericsson.com>, "netconf@ietf.org" <netconf@ietf.org>
Thread-Topic: [Netconf] Mandatory local configuration in Keystore groupings
Thread-Index: AQHUE4npYduSZhsf/U2Th8xceQbCUaSAzHaAgEmH34CAAG1ZgIAA+nAAgAPuH4CAA+yKAIABAxSAgAB6cACAAHFXIIAAWSCAgADMp9CAAnp9gIAFkemAgAFwH/CACoYJAIAAdAkAgAAAVuA=
Date: Tue, 11 Sep 2018 07:58:36 +0000
Message-ID: <VI1PR0701MB2016F6E003E3D80A44E1EFA083040@VI1PR0701MB2016.eurprd07.prod.outlook.com>
References: <20180903.121823.1406711858636851159.mbj@tail-f.com> <VI1PR0701MB20166AC7017AACC865EAE4AC83030@VI1PR0701MB2016.eurprd07.prod.outlook.com> <185C7E6D-7EF1-4FFE-9A9B-74BA7E16D946@juniper.net> <20180911.095334.2041631968993039535.mbj@tail-f.com>
In-Reply-To: <20180911.095334.2041631968993039535.mbj@tail-f.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
authentication-results: spf=none (sender IP is ) smtp.mailfrom=balazs.kovacs@ericsson.com;
x-originating-ip: [89.135.192.225]
x-ms-publictraffictype: Email
x-microsoft-exchange-diagnostics: 1; VI1PR0701MB2622; 6:LnQsLp7j1xzUWP35hy0hen/GEWKBtNtnowqETih50O55xttEdZxZvipdSLqDAxxS7sUSbCjJxvtEyEIUw8uuxDxyiElIeKk2hYLEAKBSP+FYUwU5YPv35pXk8rcli83DiK/z55fiK2GsV2nqBEkDVX1op26McD6HbnX9aw0dBYv6awmkk8zrEeZcWrlxgWh/A7jdcmqUqYrRfr+pevUaZ3LEj1HVEyZRxl5QvkV6ta6HvLBN6vKZhnq/7sJFOVH+UyzCt1URRzz1NRtVCaS2H2RjH9cjCL8TZd+FWDLXpH6Ugq9kCqpeXijBgnqagByLAc+ZP9TcLL8FhyfVjvWV9t3R5jYRHEDusTgPsTQA+sHb8Am7HkhpFp2ZO7ql11VVCXKiWZ98jtmkYAeJJQB3lI8hEKe924uQI75mEA4H/ayJgse8RWqhqpEn6sLphnDqBmNU8SXDTU3I9SJppg6obA==; 5:NvqBOavXigkQT8y+oDHmIUfB6wStdCtbgeOPqLyUJxv+Y47uJMhxiiReaDsr+ntlG6gjQHEvysDiaWc4HHvFeSsxMC+UQ+5PLp1LIGuWLtlWxiVx89stxG0tmwKYp25U3EkfS/EifPbee4Sfq/0+aZYZcZOvnarsctN2LewjBNU=; 7:Ofa8EESVFW+lnf5n5jZF9u6jItCSBuZWlAsCd0ju1eXue4PwU94PyElrUD1yidG/iStum3Eit8VtXcabjB8TVkyDBhyv8pnE31Dj34aYjMDKpdXKUuyp6/Cdr+0BDhLAhR11FM+Wu9jNpDtZrjMVQMBE7bJAmtZncBQ1Z7Ie7qtdMeD3TtUnmHeUUcwpSsvqUheOuEFczJ3iL5e6Tuz6ttgICOLyvtPwoXFdzXtdTpawSZXBLAXLl5ngU7PrlAFD
x-ms-exchange-antispam-srfa-diagnostics: SOS;SOR;
x-forefront-antispam-report: SFV:SKI; SCL:-1; SFV:NSPM; SFS:(10009020)(136003)(346002)(39860400002)(366004)(376002)(396003)(199004)(189003)(51444003)(13464003)(81166006)(81156014)(446003)(186003)(54906003)(5250100002)(110136005)(7696005)(6506007)(6436002)(2900100001)(76176011)(53546011)(476003)(68736007)(8676002)(486006)(97736004)(53936002)(102836004)(2501003)(9686003)(11346002)(93886005)(8936002)(6116002)(99286004)(3846002)(26005)(55016002)(85202003)(14444005)(256004)(6246003)(229853002)(7736002)(33656002)(478600001)(25786009)(66066001)(14454004)(106356001)(1941001)(316002)(5660300001)(105586002)(4326008)(86362001)(85182001)(74316002)(305945005)(2906002); DIR:OUT; SFP:1101; SCL:1; SRVR:VI1PR0701MB2622; H:VI1PR0701MB2016.eurprd07.prod.outlook.com; FPR:; SPF:None; LANG:en; PTR:InfoNoRecords; A:1; MX:1;
x-ms-office365-filtering-correlation-id: e3725460-0412-438a-33d2-08d617bc60aa
x-microsoft-antispam: BCL:0; PCL:0; RULEID:(7020095)(4652040)(8989137)(5600074)(711020)(4534165)(4627221)(201703031133081)(201702281549075)(8990107)(2017052603328)(7153060)(7193020); SRVR:VI1PR0701MB2622;
x-ms-traffictypediagnostic: VI1PR0701MB2622:
x-microsoft-antispam-prvs: <VI1PR0701MB262237C57618E0932ADD1C8783040@VI1PR0701MB2622.eurprd07.prod.outlook.com>
x-exchange-antispam-report-test: UriScan:(37575265505322)(138986009662008)(248295561703944)(17755550239193);
x-ms-exchange-senderadcheck: 1
x-exchange-antispam-report-cfa-test: BCL:0; PCL:0; RULEID:(8211001083)(6040522)(2401047)(5005006)(8121501046)(93006095)(93001095)(3231311)(944501410)(52105095)(3002001)(10201501046)(149027)(150027)(6041310)(201703131423095)(201702281528075)(20161123555045)(201703061421075)(201703061406153)(20161123560045)(20161123564045)(20161123562045)(20161123558120)(201708071742011)(7699050); SRVR:VI1PR0701MB2622; BCL:0; PCL:0; RULEID:; SRVR:VI1PR0701MB2622;
x-forefront-prvs: 0792DBEAD0
received-spf: None (protection.outlook.com: ericsson.com does not designate permitted sender hosts)
x-microsoft-antispam-message-info: 948r2oaTs+3Lf0LJjrvVTMqGkS3h1RGdjwh1xmHV7GGXavmvpi8xzv/y2IQ/rHzWXW//TlUdjeInQ4KlPdBa2Hi8R4Lng9pVdgacZIpCxaF8AQGwsVCGGMT9C+AY+m8xqwe4Q8ixqeu/mvH3vjuhCHxOUo5F0MutEF74xFsHJXC2YBWnWuNzFHIW9cGdEQneFR8O40/Nqna1kBb6WVa/filQUDAcIPlVq1PIqjfm6DeslxndUuf5CpMKwyKL1Oq5bjS95+MSARmwYuuOqF+97dUyL8M0/6tzApDubnGr3epcmtDEzqM7kZjXFUH5JC0EcJZlC7xkrBqo98+pQcBHQ3RlpCHxhIaU6ZxA/5MCJzM=
spamdiagnosticoutput: 1:99
spamdiagnosticmetadata: NSPM
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: base64
MIME-Version: 1.0
X-MS-Exchange-CrossTenant-Network-Message-Id: e3725460-0412-438a-33d2-08d617bc60aa
X-MS-Exchange-CrossTenant-originalarrivaltime: 11 Sep 2018 07:58:36.1600 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 92e84ceb-fbfd-47ab-be52-080c6b87953f
X-MS-Exchange-Transport-CrossTenantHeadersStamped: VI1PR0701MB2622
X-OriginatorOrg: ericsson.com
X-Brightmail-Tracker: H4sIAAAAAAAAA02Se0hTcRTH+e3e7V5Hi19T82AFtQh6+EiTMI3w0R9aSA8NfGA68/rAJ7vT 1L9EQXBLG9bcXDZTV5SZuiFMfKQOIzTBR5mxCWWOyt4RmG9zuwv673PO95zzPZzfjybEKr43 nZ0vZ2T50lyJQEg2xJtLfTuKNEnH3373Dx5qpIKVyg9UsNpk44cRUQbDCi9qtmKGijKutpIX iUTh6XQmN7uYkfmfSRVm2YwGqvBpbMn06BhZjtovKRBNAw4C4+IFBRLSYvwMQVflGKVAbtvB EoKqtXBOMPBA3VdLOQISqwjQTM7yOUXLg6UXGzwusCMw3ZwnHf0CHAkTnxZ4DvbAcaBoruM7 mMA5sPx4xZl3x+egd8CGuJrzcEM5SDoGeWA9AuPIsnMREh8C+61hwsEinApdbTUU51bJA4uh 2TnVDYdD15jW2YDwbvgz1s7j3LzAam9yMmAMhv4JgmNPWFzY5HP1ydDzZY7i8hLQfrbyOd4H 001K5DADPESB/r3J1RwAzx8NEpygF4B13exyiIGRH+sCThhFsNX3zSX4wMSaTsBxAbRNaV2c C7ZxC1KhAN1/2+q234XAR6Cz159LH4DbynlK57zALhhtsJP3ENmGPFmGZfMyAwP9GFn2NZYt yPfLZ+QmtP1PhrvXQnrQ8MdwC8I0kuwQ/U7RJIn50mK2NM+CgCYkHqJen/oksShdWlrGyApS ZEW5DGtBe2hS4iWKyAhOFONMqZzJYZhCRvZP5dFu3uUoUlATX9GZ8XBjhqm3yWsDqzJiTFdP lbgdVjSo+3xDxwOjJ08ciy2+/rVi9krygFndqlpv27u50J9ZnVB3tsvcOXfH85W+Wp/2+tfP qSdlD9LFIT13mzWtU9a04YT7uCWB1F7eKfeMPrl6ML5lfaux+03S/nfGjlD3iJdBPmHiuH4J yWZJA44SMlb6Fx+OjiwjAwAA
Archived-At: <https://mailarchive.ietf.org/arch/msg/netconf/k8vkyRKdR_7KcUrQ_H6EACbbOgM>
Subject: Re: [Netconf] Mandatory local configuration in Keystore groupings
X-BeenThere: netconf@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Network Configuration WG mailing list <netconf.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/netconf>, <mailto:netconf-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/netconf/>
List-Post: <mailto:netconf@ietf.org>
List-Help: <mailto:netconf-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/netconf>, <mailto:netconf-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 11 Sep 2018 07:58:44 -0000

Hi Kent and Martin,

I agree with the comments of Martin. If you look at the whole use case of key and certificate provisioning, (C) is simpler for both creation and removal. The issue of leafrefs adds even more on the side of (C).

Br,
Balazs

-----Original Message-----
From: Martin Bjorklund <mbj@tail-f.com> 
Sent: Tuesday, September 11, 2018 9:54 AM
To: kwatsen@juniper.net
Cc: Balázs Kovács <balazs.kovacs@ericsson.com>; Balázs Lengyel <balazs.lengyel@ericsson.com>; netconf@ietf.org
Subject: Re: [Netconf] Mandatory local configuration in Keystore groupings

Hi,        

Kent Watsen <kwatsen@juniper.net> wrote:
> 
> There are two solutions being discussed here.  
> 
> The first regards how to enable a certificate to be configured for a 
> key in <operational> (e.g., an LDevID cert for a preexisting key).  
> Both solution (A) and (C) give us this - a la RFC 8342 Section C.3.2.
> 
> The second is how to delete a "hidden key" created by a client (note 
> here that I'm distinguishing this case from hidden keys not created by 
> a client, i.e., in <operational>, which cannot be deleted).  Here's 
> where the ideas
> diverge:
> 
>   - with (A), we keep the "generate" action outside the list entry (thus
>     results are in <operational>, and add a new "delete-asymmetric-key"
>     action is needed.
> 
>   - with (C), the action is moved inside the list entry, thus the list
>     entry node itself in <intended>, and hence can be removed from
>     <intended> via a normal config operation (no special action needed).
> 
> I don't see an issue configuring certificates in either case.  As I 
> wrote above, both solution (A) and (C) give us this. (C) still has to 
> handle the case where the key is in <operational> same as (A).  With 
> (C), it's the 1% case, whereas with (A) it’s the 100% case.

How can a key be in operational but not in config in (C)?  I.e., what is the 1% case?

> They seem close.  For the purpose of creating a key, (C) is more 
> complicated.  For the purpose of deleting a key, (C) seems easier.

For the purpose of creating a certificate (A) is more complicated.

Depending on the answer above, (C) has the advantage that references
(leafrefs) to a key can be require instance true.  With (A) they have to be require instance false, since some keys only exists in operational, which means that whenever there is a reference to a key, that model and code must be able to handle the case that the key doesn't exist.





/martin


> 
> If the action is brought inside the list entry, then renaming it to 
> "generate-hidden-key" makes sense.
> 
> Kent // contributor
> 
> 
> 
> -----Original Message-----
> 
> Hi Martin,
> 
> I prefer your alternative (C) with some comments.
> 
> I'd keep the name of the action as 'generate-asymmetric-key'. I think the word 'asymmetric' gives a hint on its intended use case, so it is important (though it is already in an asymmetric-key list). The word 'hidden' is not that important for me since the action in itself hints that the key in this case is not provided by the operator, thus its binary value won't appear either. If operator needs to provide it, it has to go via the 'private-key' leaf. Or the action could be just called 'generate-key'.
> 
> A question still: it is unclear to me what the difference is between calling the action vs just configuring the 'private-key' to enum 'hidden'.
> 
> Br,
> Balazs
> 
> 
> > -----Original Message-----
> > From: Martin Bjorklund <mbj@tail-f.com>
> > Sent: Monday, September 3, 2018 12:18 PM
> > To: kwatsen@juniper.net
> > Cc: Balázs Kovács <balazs.kovacs@ericsson.com>; Balázs Lengyel 
> > <balazs.lengyel@ericsson.com>; netconf@ietf.org
> > Subject: Re: [Netconf] Mandatory local configuration in Keystore 
> > groupings
> > 
> > Kent Watsen <kwatsen@juniper.net> wrote:
> > > > Balazs> The certificates in keystore are useless without a 
> > > > Balazs> corresponding
> > > > private key, so certificates of a key cannot be in the 
> > > > configuration tree once the corresponding key is removed. By the 
> > > > way, how would a private key be removed from <operational> if it 
> > > > does not exist in configuration? If you do it with an action 
> > > > too, how would the corresponding certificates be removed from the configuration?
> > >
> > > Good points.
> > 
> > Yes.  The lifecycle of keys are not handled fully in the current 
> > draft.  But I think that if this is done properly, separating the 
> > config of keys and certificates would not change the lifecycle of 
> > how keys.  So let's first discuss how we want to handle creation and 
> > removal of the hidden keys (configured keys are not a problem).
> > 
> > With the current draft, a hidden key is created in <operation> with 
> > an action and may not be present in <running> and <intended>.  There 
> > is no way to delete such a key.  We would have to create a new action to remove it.
> > 
> > An alternative design could be to move the action 
> > "generate-asymmetric- key" into the "asymmetric-key" list (and maybe 
> > rename it to "generate- hidden-key").  A client would then first 
> > have to configure an entry in the "asymmetric-key" list, and then it 
> > can generate the hidden key.  If the asymmetric-key list entry is 
> > removed from <intended>, then presumably the corresponding hidden key is removed as well.
> > 
> > With this design, a separate "certificate" list could have normal 
> > leafref (require-instance true) into the "asymmetric-key" list.
> > However, with this new design my original issue with how 
> > certificates are handled goes away, so having them contained in the 
> > "asymmetric-key" list works fine.
> > 
> > > >> Martin makes a case for 'B', but he also said that my 'b' was 
> > > >> "Better" but has scaling issues in the general case.  Perhaps 
> > > >> we don't worry about the general case here?
> > > >
> > > > Balazs> Was it so? I saw an A and B model, A containing
> > > > must "(algorithm and public-key and private-key)
> > > >              or not (algorithm or public-key or private-key)"; 
> > > > and B containing the keys and the certificates in separate 
> > > > container, and a note "I think model B is cleaner".
> > >
> > > Right, but if you scroll up higher, I had previously had an (a) 
> > > and
> > > (b) [note lowercase] to which he said (b) was "better".  Maybe 
> > > it's moot, since his (A) was effectively my (b).
> > 
> > Here's the new alternative:
> > 
> > (C)
> > 
> >   container keystore {
> >     container asymmetric-keys {
> >       list asymmetric-key {
> >         key name;
> > 
> >         leaf name { ... }
> >         leaf algorithm { mandatory true; ... }
> > 
> >         leaf public-key { ... }
> >         leaf private-key { ... }
> > 
> >         // ensure that both or none are given
> >         must "(public-key and private-key)
> >               or not (public-key or private-key)";
> > 
> >         action generate-hidden-key { // no input params }
> > 
> >         container certificates {
> >           list certificate { ... }
> >         }
> >     }
> >   }
> > 
> > A possible extension to this would be to add anoter action next to
> > "generate-hidden-key":
> > 
> >    action install-hidden-key {
> >       leaf public-key { ... }
> >       leaf private-key { ... }
> >    }
> > 
> > 
> > One case to consider is that there may exist an entry in <intended> 
> > that has been configured but no hidden key has yet been generated.
> > Such an entry would then not exist in <operational>, and the action 
> > "generate-certificate-signing-request" would fail.
> > 
> > 
> > 
> > /martin
> 
>

v2.23.0 | Report a Bug | By Email