IETF Logo Mail Archive

Re: [netconf] Yangdoctors last call review of draft-ietf-netconf-keystore-20

Juergen Schoenwaelder <j.schoenwaelder@jacobs-university.de> Fri, 16 April 2021 12:38 UTC

Return-Path: <J.Schoenwaelder@jacobs-university.de>
X-Original-To: netconf@ietfa.amsl.com
Delivered-To: netconf@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 7CD1B3A240B; Fri, 16 Apr 2021 05:38:01 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Level:
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, MSGID_FROM_MTA_HEADER=0.001, RCVD_IN_MSPIKE_H2=-0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=jacobsuniversity.onmicrosoft.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id dLB1nRHsz4Zn; Fri, 16 Apr 2021 05:37:57 -0700 (PDT)
Received: from EUR04-DB3-obe.outbound.protection.outlook.com (mail-eopbgr60082.outbound.protection.outlook.com [40.107.6.82]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id CC8B93A2433; Fri, 16 Apr 2021 05:37:56 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=kgtIPDm8UdT6y9XYDthJ9y0q5uc/ecFUgAWOh3xm+QO9C4JnLdBc7RH8HF/G6mBAvmJzzr4YEN9POAriEvXMg2ZPKHDrdPZJpZaXo/O9yTMx0/CtSpK/DYUL1PnXy7B5uSiS7yoig0o8996kZZ6k2sbvyGqTi/mdvxtgL/jWvNenYnL9qWHkwRNrf69rKN6G8OoLL7PK7Xi4VHP7XIqFet9Gna/+76llWoBBtEyLWJwqRwA87tCt+ZJBjHPs7m7Z7WbPcNK5cfRfOjVEVUSnwlsD+9VeTEZup5vGViTntzcTy616hKVNDsTpIArqwu8OLt/c7+Cu+BhgmEk3RHngag==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=fB9Qjq0P5LY36o7TasL+07/JZfcZ9ZgvDD1mCJ/94+M=; b=cScu+Kw0Ed5rWNmdJbqbY8OLsQzTuID3J5m84cRnoYPn8KozxUPrmSROBMs4co5k8ngKt7UnRRbQDX9vSpko1seXAVuI7kx6yTYVwngi9Q6fMHwQorIYgTOCB+BrvUkVHCmUANFJpGWFC6JtZr9LfXi8LYsl2mGT7ROAo7NrogPqQ3r5blRO+z2VWtBe8SpkYlHGBRXdku2/lVCgpJdJ7mSQYIV0kZz84rLg+XKNhVWvMp7bxGtHFQaKDHNFV7n1+mJWOZQK6H6t8LX54AVnjWxiUNswqENdHtcl5QFledYfmSH7HalKONABmZLsiMFwp1wR/O3glT9mcni0yEKCAQ==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=jacobs-university.de; dmarc=pass action=none header.from=jacobs-university.de; dkim=pass header.d=jacobs-university.de; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=jacobsuniversity.onmicrosoft.com; s=selector2-jacobsuniversity-onmicrosoft-com; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=fB9Qjq0P5LY36o7TasL+07/JZfcZ9ZgvDD1mCJ/94+M=; b=f6j6hhBo5bBF4qJCUi9q/XqCODKeNWqjnBWvYjeHMH/jx9NFcdRs2n0xc5SBYgH16Y2suplHIVBYt281vfeEvcmntKdXWi+U7azFISej+K0f39TMqsnqE3sKtqyeYka68GmdWk0GgqyfWNRzn5WJdqxtkyiVt4s3zq3yoOF0Hxs=
Authentication-Results: watsen.net; dkim=none (message not signed) header.d=none;watsen.net; dmarc=none action=none header.from=jacobs-university.de;
Received: from AM0P190MB0641.EURP190.PROD.OUTLOOK.COM (2603:10a6:208:194::23) by AM9P190MB1297.EURP190.PROD.OUTLOOK.COM (2603:10a6:20b:262::18) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.4042.16; Fri, 16 Apr 2021 12:37:53 +0000
Received: from AM0P190MB0641.EURP190.PROD.OUTLOOK.COM ([fe80::e8a2:9886:8dfa:41c6]) by AM0P190MB0641.EURP190.PROD.OUTLOOK.COM ([fe80::e8a2:9886:8dfa:41c6%4]) with mapi id 15.20.4042.019; Fri, 16 Apr 2021 12:37:53 +0000
Date: Fri, 16 Apr 2021 14:37:49 +0200
From: Juergen Schoenwaelder <j.schoenwaelder@jacobs-university.de>
To: Kent Watsen <kent+ietf@watsen.net>
Cc: YANG Doctors <yang-doctors@ietf.org>, "netconf@ietf.org" <netconf@ietf.org>
Message-ID: <20210416123749.246d6irnd3oso3x4@anna.jacobs.jacobs-university.de>
Reply-To: Juergen Schoenwaelder <j.schoenwaelder@jacobs-university.de>
Mail-Followup-To: Kent Watsen <kent+ietf@watsen.net>, YANG Doctors <yang-doctors@ietf.org>, "netconf@ietf.org" <netconf@ietf.org>
References: <161064362767.26403.10249622617283363882@ietfa.amsl.com> <010001778e68398d-c2bff7b8-4c4e-4f30-a962-1ce39e2ece13-000000@email.amazonses.com>
Content-Type: text/plain; charset="utf-8"
Content-Disposition: inline
Content-Transfer-Encoding: 8bit
In-Reply-To: <010001778e68398d-c2bff7b8-4c4e-4f30-a962-1ce39e2ece13-000000@email.amazonses.com>
X-Originating-IP: [212.201.44.244]
X-ClientProxiedBy: PR1P264CA0034.FRAP264.PROD.OUTLOOK.COM (2603:10a6:102:19f::21) To AM0P190MB0641.EURP190.PROD.OUTLOOK.COM (2603:10a6:208:194::23)
MIME-Version: 1.0
X-MS-Exchange-MessageSentRepresentingType: 1
Received: from localhost (212.201.44.244) by PR1P264CA0034.FRAP264.PROD.OUTLOOK.COM (2603:10a6:102:19f::21) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.4042.16 via Frontend Transport; Fri, 16 Apr 2021 12:37:53 +0000
X-MS-PublicTrafficType: Email
X-MS-Office365-Filtering-Correlation-Id: 8f5928ee-fe64-482c-a854-08d900d47445
X-MS-TrafficTypeDiagnostic: AM9P190MB1297:
X-MS-Exchange-Transport-Forked: True
X-Microsoft-Antispam-PRVS: <AM9P190MB1297A99A7F8A2A3CB6B9BA70DE4C9@AM9P190MB1297.EURP190.PROD.OUTLOOK.COM>
X-MS-Oob-TLC-OOBClassifiers: OLM:9508;
X-MS-Exchange-SenderADCheck: 1
X-Microsoft-Antispam: BCL:0;
X-Microsoft-Antispam-Message-Info: Xapxya3d/JElI6D+vMXAnq1R26Lzcum1s2IktL5DLxt0TCTTDab2BbADZUWdNYAVgvHrhz1eWcKwJWIuZgPCQoz+eGqk26Akx3I90OGGCMPLXh8kr+ID3Lv6SdX/eE7HdocLLvVOhdviZBYdluefQu3CkjULZvXCw+Xt41Jzodr7fQdGktcmgSxhBgw6Q0mIMHvqS6VOSEZGTDMGsP8vge8GDqY8Ti591Ht5yOgPn1h+vczNHHvDu9yg+UQjOke3r3RIN7NcnffhFsyO1Kv7zNc24ScTdCx9WahdcBj0IU4AlTDjS5DyYsVADc8LiookIlbo9qXP+e9wfj70K05bmaf1xg+28dU4bZrNGEgROi6xxKOrIRUPEmkscdJDQ0h0DsAb3e/pogZl8oRuLK+MfH8q6bBX4B1GZUCP+/RqzUgyJf4sEnOZhhgz8rC3RTcYePHF+s3WVYP8t7w9FBn02PXhARbGQGSWGBklc0R/qEgGKpTBE+HrJDw/HU9+a92b26zZ1caLtJr+1QfDEPbMbV5Arz5vmR8LGSPg/XGJzp4Gu4wAcWib/sfICBD0AtDh1tjzEBFfp0bLTZEWQTtD4r8lLgqun+YPHdpg8mr/kUyZhFHKhkqNiPb98oYTcV88j3sx7ABtrnaSrf1qKXkSnC4gtWviOBagPr066fYBtHc2VAZ5+OmmBVsk20ds/z/fgcz25ca2YXAvr75ug8NyYc35zrxVRM1ElL6wxiG3V8w=
X-Forefront-Antispam-Report: CIP:255.255.255.255; CTRY:; LANG:en; SCL:1; SRV:; IPV:NLI; SFV:NSPM; H:AM0P190MB0641.EURP190.PROD.OUTLOOK.COM; PTR:; CAT:NONE; SFS:(366004)(346002)(136003)(376002)(39850400004)(396003)(8676002)(478600001)(4326008)(8936002)(38350700002)(52116002)(16526019)(38100700002)(6666004)(5660300002)(316002)(786003)(66556008)(2906002)(86362001)(6486002)(54906003)(66946007)(3450700001)(1076003)(956004)(26005)(66476007)(83380400001)(186003)(6496006); DIR:OUT; SFP:1101;
X-MS-Exchange-AntiSpam-MessageData: L7ZjQbkpPfexfZGWPVZ/UM+JKPWbAduhx3Gz2f7sLldXW1yPZsyfWEQUtnKsmtyQvIB3EZgjjzHxH/+xBzccUTxilO1PUtp93U6PSZCIOlUYg3He5kczxZkYiSEw9eHkXHL1r1XRB4DLGWZwVsPJcOixNqAIzhaa3t7UUpHL8lUPEVMZilWnusdQGEbYzCZ3ljByrdUfYMnlnL2Us7YX3ZN/JUXI3ZO9TxlE/j/+z9TOy+SRpvdzJcIm0Llwpdap60TWt/G2gPODQ6v0Y6naBa1gEBEx6VN6iYeiyJUZltHQhT5+B9tgb+iOz+LYuTLHRa81fmWg3J/qxYsCRSkq/Ai4FkkUYqj01iNBq1Q9/nZmt7ll5eWuRMI1JV5LKhV9OYfokFRzYOmr/HbOSzzCgIm20wOA/I5PcJ7b/a9W55TmVq5wf+2mR9FCdkLD978yYTMAz9TWsOppGW2smaRaFIvJe0e56ceCeUWkR1AmKzFCkc+x7Hta1aMvntzwqofo51zGlGweoibj6H5QmM1VvbQ9b4OZrT2Ot0xX4P7yJ3fc9dGiDUn/cUsndvWtSiyq68QAOv3if/Jkh2mr4Np6K0w4sQW9xQNT9Lrp5/aXdgHqES7AusfXGLiYvNq2TPaGao4XwhC6rTMStcJjYVbm6HBagJRUfGyOlROGmahz9z1yDA8xU05XxpKM49wOXG+9AkxUiKJYZzHxpNow2jBH1rvn8n6LGaKZVKaGedCQH1kLAzH21F5qFJH7T2WMvXPZtYuAJxY8S977EnGJcfKM+FdHlI+5y5bh98VKtnkoIPL3pBkPe4Qtj76FLCGcS9jY/zuR5Ss02RqIeKBLXGsDzFge0pkRyHitYXWxWKAOxx78oZbUin9ivLpuM01IIWCl1RFywABoqNg47D7/GQi4xqWQWCsxReyC0LZsP58JjybISI2abqzyu6ZO+ALM/UisumM4oprD89uQhupttwO5ROiTmWnxLUteLPWWZpjXY/YLH8LZoUmfYemgYPHIUfDgz5zdpbAEBPbOmAD2307aKz+x4VMcNNv202zxSdsco0Sm0mCrgDmqeHnlJ0ODaavAMXBgbOZgr5/6W1B5m/SROYDJWR4pNuuQM92f1Lgb1VJn2NdqPVYz9ylQhWykXT6UnWKjG6QDqRb8kjD2/WA9AIQW4+kC3Cn/xw1bVagZtEmqx7NAtnWZ6S28UHwmvQAs2z6aZKFf6595wEQrmf8lf0rAb9Kksd5DYL67Srad0AqbtQ8y+kkccnPMm4wME0fu8NIUrbA0HAFBmurULBxWDOX+qCgrTN/yk2jhnPZMdT3U5wwJeCcytt3dvovcwKqO
X-OriginatorOrg: jacobs-university.de
X-MS-Exchange-CrossTenant-Network-Message-Id: 8f5928ee-fe64-482c-a854-08d900d47445
X-MS-Exchange-CrossTenant-AuthSource: AM0P190MB0641.EURP190.PROD.OUTLOOK.COM
X-MS-Exchange-CrossTenant-AuthAs: Internal
X-MS-Exchange-CrossTenant-OriginalArrivalTime: 16 Apr 2021 12:37:53.4549 (UTC)
X-MS-Exchange-CrossTenant-FromEntityHeader: Hosted
X-MS-Exchange-CrossTenant-Id: f78e973e-5c0b-4ab8-bbd7-9887c95a8ebd
X-MS-Exchange-CrossTenant-MailboxType: HOSTED
X-MS-Exchange-CrossTenant-UserPrincipalName: vKrE+xyLg9vU3VvhQUYyjTgQs8z7qImVJKl/ZN4QiqM3x6PkkKBE/1Zm7UHAe0gXCodz5kTc9e7G6hDlNQGzeRIxPskFTS4kaX3Mf13X7iI=
X-MS-Exchange-Transport-CrossTenantHeadersStamped: AM9P190MB1297
Archived-At: <https://mailarchive.ietf.org/arch/msg/netconf/lpR_ePeELjdInc19FBTcNunsQjQ>
Subject: Re: [netconf] Yangdoctors last call review of draft-ietf-netconf-keystore-20
X-BeenThere: netconf@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: NETCONF WG list <netconf.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/netconf>, <mailto:netconf-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/netconf/>
List-Post: <mailto:netconf@ietf.org>
List-Help: <mailto:netconf-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/netconf>, <mailto:netconf-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 16 Apr 2021 12:38:02 -0000

Trimming to the essential parts...

On Thu, Feb 11, 2021 at 12:05:31AM +0000, Kent Watsen wrote:

> > - Is the feature keystore-supported really needed? Does the YANG
> >  library not already provide the information whether a module has
> >  been implemented or just imported to access type and grouping
> >  definitions? OK, I know see that this is used to make definitions
> >  conditional, hence it makes sense. This means that my comment on
> >  truststore-supported in the other review can be ignored, I found
> >  the answer.
> 
> Please see my response to your comment in that draft’s review.  The net-net appears to us just needing to ensure things are clear enough.
>

See also my comment on the other document. My question was whether
this bit can already be picked up from the YANG library.

> BTW, “keystore-supported” may not be the best name.  “keystore-implemented” is closer, but maybe “keystore-module-implemented” or “central-keystore-implemented would be better still?   One question is if the “central” (or “global” or default?) prefix should be a term used throughout the draft.   The latest update has text like “… the keystore, when this module is implemented”, but this might be better if, e.g., “… the central keystore, when this module is implemented”.  Thoughts? 

I think this is better.
 
> >  YANG's reference mechanism via leafrefs is not really supporting
> >  well what you try to do. I understand the flexibility you want to
> >  achieve but it seems YANG 1.1 does not really support this well
> >  enough. What you would need is a leafref type that can be "anchored"
> >  at different places but we don't really have this...
> 
> I don’t understand this comment.  But looking to my previous comment, a way has been devised that works.  It may be kludgy relative to what you have in mind, but it seems to work.
>

Yes, kludgy is perhaps a good term. And you are hitting YANG's
limitations, there is not much you can do different.

> > - Section 4 points to keys being compromised 'when in transit' but I
> >  think we also want to protect keys at rest, i.e., sitting in a
> >  backup.
> 
> Actually, Section 4 is all about protecting keys at rest.  What text are you looking at?

I do not recall, lets ignore this comment.
 
> > - Section 4.3 talks about _highly_ restricted access mechanisms and
> >  _highly_ authorized clients and I am usually a bit confused what
> >  _highly_ means. But I am YANG doctor, not a security reviewer. ;-)
> 
> Trying to say that, e.g., the NACM should only allow a "crypto officer" access to the MK’s cleartext value.

So is NACM the 'highly restricted access mechanisms'? Should it be

OLD
  highly restricted access mechanisms SHOULD

NEW
  access control mechanisms like NACM SHOULD

OLD
  highly authorized clients

NEW
  authorized clients

My point is that "highly" simply does not mean anything (to me).

I browsed the diff, the changes look good to me.

/js

-- 
Juergen Schoenwaelder           Jacobs University Bremen gGmbH
Phone: +49 421 200 3587         Campus Ring 1 | 28759 Bremen | Germany
Fax:   +49 421 200 3103         <https://www.jacobs-university.de/>

v2.23.0 | Report a Bug | By Email