Re: [Netconf] Mandatory local configuration in Keystore groupings
Martin Bjorklund <mbj@tail-f.com> Tue, 21 August 2018 10:57 UTC
Return-Path: <mbj@tail-f.com>
X-Original-To: netconf@ietfa.amsl.com
Delivered-To: netconf@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 1A496130E0F for <netconf@ietfa.amsl.com>; Tue, 21 Aug 2018 03:57:17 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Level:
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ukSatoJwCYXr for <netconf@ietfa.amsl.com>; Tue, 21 Aug 2018 03:57:14 -0700 (PDT)
Received: from mail.tail-f.com (mail.tail-f.com [46.21.102.45]) by ietfa.amsl.com (Postfix) with ESMTP id AFE00130DEB for <netconf@ietf.org>; Tue, 21 Aug 2018 03:57:14 -0700 (PDT)
Received: from localhost (unknown [173.38.220.61]) by mail.tail-f.com (Postfix) with ESMTPSA id 3B6051AE0589; Tue, 21 Aug 2018 12:57:10 +0200 (CEST)
Date: Tue, 21 Aug 2018 12:57:09 +0200
Message-Id: <20180821.125709.290789583505734258.mbj@tail-f.com>
To: kwatsen@juniper.net
Cc: balazs.lengyel@ericsson.com, netconf@ietf.org
From: Martin Bjorklund <mbj@tail-f.com>
In-Reply-To: <F33FF737-881B-4507-9182-500764777077@juniper.net>
References: <596667e1-b47f-c26a-1bb5-1520bccb6e93@ericsson.com> <F33FF737-881B-4507-9182-500764777077@juniper.net>
X-Mailer: Mew version 6.7 on Emacs 24.5 / Mule 6.0 (HANACHIRUSATO)
Mime-Version: 1.0
Content-Type: Text/Plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Archived-At: <https://mailarchive.ietf.org/arch/msg/netconf/lug3sK469fEbQqUFKh3k_npkp5I>
Subject: Re: [Netconf] Mandatory local configuration in Keystore groupings
X-BeenThere: netconf@ietf.org
X-Mailman-Version: 2.1.27
Precedence: list
List-Id: Network Configuration WG mailing list <netconf.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/netconf>, <mailto:netconf-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/netconf/>
List-Post: <mailto:netconf@ietf.org>
List-Help: <mailto:netconf-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/netconf>, <mailto:netconf-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 21 Aug 2018 10:57:17 -0000
Hi, I have started to look at implementing the client/server/keystore modules, specifically the SSH server model for NETCONF. In this process, I have some comments on the model. Do we need to support the "local" or inline key configuration at all? I would prefer to make the keystore model mandatory and remove the local cases from the client server models. It seems better from a security pow to handle all keys in one place in the model, instead of having (possibly) private keys exposed in various places in the model. Also, the keystore has operations to generate new keys, which the local case doesn't have, so the local case also lacks some capabilities. I think the model(s) will be less complex w/o the local case. (At the very least, I think there should be a feature for the local cases, probably your case (2) below). I am looking at implementing the keystore model on a regular device for something like OpenSSH. I don't want to expose the private keys at all. I think this is possible, by not implementing ietf-keystore in the conventional configuration datastores, but only in <operational>. New keys can still be generated with the action "generate-asymmetric-key". Two questions: 1) Is the enum "hardware-protected" really a good name in this case? 2) Wouldn't it make sense to add a new operation to install an existing key into the keystore, with params "name", "algorithm", "private-key", "public-key"? And a question about certificates. Keys that are proteced by TPM are not present in the configuration, only in <operational>, right? If so, how can I install a certificate for such a key? Would it be better if the certificate list was separated from the key list? /martin Kent Watsen <kwatsen@juniper.net> wrote: > Hi Balazs, > > This issue is (was?) also being discussed here: > https://mailarchive.ietf.org/arch/msg/netconf/tpmAeH9KLBWF0YglZ8CJmm4MW4o. > > Expanding on (c) on that page, assuming we do this at all, the choices > are: > > 1: add "if-defined 'not keystore-implemented'" to the "local" choice. > This would > be a *global* on/off switch, not per use of the grouping. > > 2: add "if-defined 'local-keys-supported'" to the "local" choice. > This would be a > *global* on/off switch, not per use of the grouping. > > 3: do nothing; let downstream modules augment-in their own if-feature > statements > for the "choice" statement when the groupings are used. This would > allow define > for *local* (not global) on/off switch. > > 4. remove support for keystore being optional to implement. That is, > regarding your > comment in the link below to support keys that are not shared, we > could require > that the keys still exist in keystore and leave it to the application > to ensure it doesn't > reference such keys more than once. > > https://mailarchive.ietf.org/arch/msg/netconf/xYYf0NSeT9mgtJ1KH-h7SYLSmXA > > Thoughts? > > Kent > > > On 7/4/18, 7:26 AM, "Netconf on behalf of Balazs Lengyel" > <netconf-bounces@ietf.org<mailto:netconf-bounces@ietf.org> on behalf > of balazs.lengyel@ericsson.com<mailto:balazs.lengyel@ericsson.com>> > wrote: > > > Hello Kent, > I was reading draft-ietf-netconf-keystore-05. I noticed that in the > groupings > local-or-keystore-end-entity-certificate-grouping, > local-or-keystore-asymmetric-key-grouping and > local-or-keystore-asymmetric-key-with-certs-grouping > the keystore case is qualified with an > if-feature "keystore-implemented" > statement. However the local case is not qualified with if-feature. In > ,many of our network nodes we want to implement a central keystore, > and do NOT want to allow local security configuration. So please add > if-feature "not keystore-implemented" > or > if-feature "local-keystore-allowed" > to the local case of these groupings. > > regards Balazs Lengyel > > -- > > Balazs Lengyel Ericsson Hungary Ltd. > > Senior Specialist > > Mobile: +36-70-330-7909 email: > Balazs.Lengyel@ericsson.com<mailto:Balazs.Lengyel@ericsson.com>
- [Netconf] Mandatory local configuration in Keysto… Balazs Lengyel
- Re: [Netconf] Mandatory local configuration in Ke… Kent Watsen
- Re: [Netconf] Mandatory local configuration in Ke… Martin Bjorklund
- Re: [Netconf] Mandatory local configuration in Ke… Kent Watsen
- Re: [Netconf] Mandatory local configuration in Ke… Martin Bjorklund
- Re: [Netconf] Mandatory local configuration in Ke… Kent Watsen
- Re: [Netconf] Mandatory local configuration in Ke… Martin Bjorklund
- Re: [Netconf] Mandatory local configuration in Ke… Kent Watsen
- Re: [Netconf] Mandatory local configuration in Ke… Martin Bjorklund
- Re: [Netconf] Mandatory local configuration in Ke… Balázs Kovács
- Re: [Netconf] Mandatory local configuration in Ke… Kent Watsen
- Re: [Netconf] Mandatory local configuration in Ke… Martin Bjorklund
- Re: [Netconf] Mandatory local configuration in Ke… Balázs Kovács
- Re: [Netconf] Mandatory local configuration in Ke… Balázs Kovács
- Re: [Netconf] Mandatory local configuration in Ke… Kent Watsen
- Re: [Netconf] Mandatory local configuration in Ke… Martin Bjorklund
- Re: [Netconf] Mandatory local configuration in Ke… Balázs Kovács
- Re: [Netconf] Mandatory local configuration in Ke… Balázs Kovács
- Re: [Netconf] Mandatory local configuration in Ke… Kent Watsen
- Re: [Netconf] Mandatory local configuration in Ke… Martin Bjorklund
- Re: [Netconf] Mandatory local configuration in Ke… Balázs Kovács
- Re: [Netconf] Mandatory local configuration in Ke… Kent Watsen
- Re: [Netconf] Mandatory local configuration in Ke… Martin Bjorklund
- Re: [Netconf] Mandatory local configuration in Ke… Kent Watsen
- Re: [Netconf] Mandatory local configuration in Ke… Martin Bjorklund
- Re: [Netconf] Mandatory local configuration in Ke… Balázs Kovács
- Re: [Netconf] Mandatory local configuration in Ke… Kent Watsen
- Re: [Netconf] Mandatory local configuration in Ke… Martin Bjorklund
- Re: [Netconf] Mandatory local configuration in Ke… Balázs Kovács
- Re: [Netconf] Mandatory local configuration in Ke… Balázs Kovács
- Re: [Netconf] Mandatory local configuration in Ke… Kent Watsen
- Re: [Netconf] Mandatory local configuration in Ke… Balázs Kovács
- Re: [Netconf] Mandatory local configuration in Ke… Kent Watsen