IETF Logo Mail Archive

Re: [netconf] I-D Action: draft-ietf-netconf-keystore-27.txt

Kent Watsen <kent+ietf@watsen.net> Mon, 27 February 2023 22:34 UTC

Return-Path: <0100018695032483-25c29301-a353-4d92-aeb1-5531cb0a89bb-000000@amazonses.watsen.net>
X-Original-To: netconf@ietfa.amsl.com
Delivered-To: netconf@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 00DB7C16B5B8 for <netconf@ietfa.amsl.com>; Mon, 27 Feb 2023 14:34:20 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.899
X-Spam-Level:
X-Spam-Status: No, score=-1.899 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, RCVD_IN_DNSWL_BLOCKED=0.001, RCVD_IN_MSPIKE_H2=-0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=amazonses.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id pvlF_1DY53Mq for <netconf@ietfa.amsl.com>; Mon, 27 Feb 2023 14:34:19 -0800 (PST)
Received: from a48-90.smtp-out.amazonses.com (a48-90.smtp-out.amazonses.com [54.240.48.90]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 09A4AC16B5B6 for <netconf@ietf.org>; Mon, 27 Feb 2023 14:34:18 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/simple; s=6gbrjpgwjskckoa6a5zn6fwqkn67xbtw; d=amazonses.com; t=1677537257; h=Content-Type:Mime-Version:Subject:From:In-Reply-To:Date:Cc:Content-Transfer-Encoding:Message-Id:References:To:Feedback-ID; bh=Ewfz1R8Zne433x4WF9MHLUh6QlhbbL4POPp306D1D6U=; b=CypWJkTt2bsICliGvSv8un5V2kMnuiPlNyyCwEBy9fcHFHcy9iZvLuCQMsBa49si l836zC3A5eoQDeD32s/oRb0/buvKwwRtMoPrzp5Ar3Oln0svbBMmKMUOe8c3+ZefryB vmtOXzngBfi0AxKhRB/fMt6M+SQslNCF9q6hqqNE=
Content-Type: text/plain; charset="utf-8"
Mime-Version: 1.0 (Mac OS X Mail 16.0 \(3731.400.51.1.1\))
From: Kent Watsen <kent+ietf@watsen.net>
In-Reply-To: <AM7PR07MB624889EAF4B5BC1DFF082DD4A0AB9@AM7PR07MB6248.eurprd07.prod.outlook.com>
Date: Mon, 27 Feb 2023 22:34:16 +0000
Cc: "netconf@ietf.org" <netconf@ietf.org>
Content-Transfer-Encoding: quoted-printable
Message-ID: <0100018695032483-25c29301-a353-4d92-aeb1-5531cb0a89bb-000000@email.amazonses.com>
References: <167087094875.45631.5752947059896213334@ietfa.amsl.com> <AM7PR07MB6248CDDEA380E553031F4622A0C79@AM7PR07MB6248.eurprd07.prod.outlook.com> <c95d0f80-9ee9-8960-098c-1ec8060eb98d@sit.fraunhofer.de> <AM7PR07MB6248AF994BDAE1934A9A3D8EA0C79@AM7PR07MB6248.eurprd07.prod.outlook.com> <01000185fb56a54b-2f700d39-54d0-4e5d-913c-639b482df879-000000@email.amazonses.com> <AM7PR07MB624889EAF4B5BC1DFF082DD4A0AB9@AM7PR07MB6248.eurprd07.prod.outlook.com>
To: tom petch <ietfc@btconnect.com>
X-Mailer: Apple Mail (2.3731.400.51.1.1)
Feedback-ID: 1.us-east-1.DKmIRZFhhsBhtmFMNikgwZUWVrODEw9qVcPhqJEI2DA=:AmazonSES
X-SES-Outgoing: 2023.02.27-54.240.48.90
Archived-At: <https://mailarchive.ietf.org/arch/msg/netconf/moDvMEnyaE1tPm0_N2Invg7ZUMc>
Subject: Re: [netconf] I-D Action: draft-ietf-netconf-keystore-27.txt
X-BeenThere: netconf@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: NETCONF WG list <netconf.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/netconf>, <mailto:netconf-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/netconf/>
List-Post: <mailto:netconf@ietf.org>
List-Help: <mailto:netconf-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/netconf>, <mailto:netconf-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 27 Feb 2023 22:34:20 -0000


> On Feb 23, 2023, at 6:17 AM, tom petch <ietfc@btconnect.com> wrote:
> 
> From: Kent Watsen <kent@watsen.net>
> Sent: 29 January 2023 02:23
> 
> <inline under <tp> in several places >

As mentioned before, it is never easy to find your comments.  Please consider switching your webmail provider to something enabling threaded comments...


> The other general comment is that in places this reads as Security 101, which I do not think that the Netconf WG should be publishing (even if the text has come from Security ADs or such like).  The changes here would be small, deletions mostly,  but I think should be made.  Thus comments about built-in keys SHOULD NOT be cleartext are nothing to do with a YANG module, they are or they are not and no YANG module is going to change that.   There are several such statements in sections 3, 4 and 5 which to me belong in a BCP from the Security Area.
> 
> WRT "There are several such statements in sections 3, 4 and 5", please provide a complete list.
> 
> <tp>
> 
> Well pretty much the whole of section 4 and in Section 3 statements about built-in keys not being cleartext.  This seems as applicable to Kerberos as to NETCONF which is why I see it as a BCP the Security Area should produce.  That said, as other posts of mine may suggest, I do not have high expectations that the Security Area will produce material that other Areas will find a use for.
> </tp>

Moved and consolidated paragraphs:

        "Built-in key types SHOULD be either hidden or encrypted (possibly 
          both hidden and encrypted).  Built-in keys SHOULD NOT be cleartext, 
          even if protected by an access-control mechanism (e.g., NACM)."

           "It is RECOMMENDED that master keys (MKs) are built-in but, if
            this is not possible, access control mechanisms like NACM SHOULD
            be used to limit access to the MK's secret data to only the most
            trusted authorized clients (e.g., an organization’s crypto officer).
            In this case, it is RECOMMENDED that the MK is not built-in and hence
            is, effectively, just like a KEK. 

To the Security Considerations section.




> In the tree diagrams. the type 'string' seems to wander around, as in 2.1.3.7, and not stay in a predictable place
> 
> The tree-diagrams are generated using the latest version of pyang.  The closest RFC 8340 comes to providing guidance is "Additional whitespace may, for example, be used to "column align" fields (e.g., within a list or container) to improve readability".   I don't think we can fault pyang (though we could wish for better).
> 
> In lieu of fixing the tool, I could manually edit the tree diagrams, but that is both a lot of work and error-prone.  Note that the tree-diagrams are automatically generated and inserted every time I `make` and the document.
> 
> <tp>
> No, anyone editing tree diagrams should be banished from the IETF:-)
> 
> </tp>

+1  laugh



> What happens to choice/case if no features are defined?  I do not know if YANG can enforce or cope with that.
> 
> Where are you?   Regardless, all the "choice" statements in ietf-keystore are "mandatory true", meaning that one case must be defined.
> 
> <tp>
> 
> In the choice local-or-keystore in several groupings, both case have if-feature so what happens if the features are not present?  I do not know.
> </tp>

Then validation never succeeds.   The server must either implement one to the two provided features, or augment in it's own "case" statement.


> s.4 Nothing to do with Netconf IMHO!
> 
> The WG or the protocol?
> 
> <tp>
> The Ops Area of the IETF!
> </tp>
> 
> Regardless, this draft defines a data-model and related semantics.  You may not be aware, but many wanted to see this section fleshed out.
> 
> <tp>
> I am not surprised by that but see that as a comment on the lack of support from the Security Area rather than something for this WG to address.
> </tp>

I'm going to leave it in for the IESG what to do about Section 4.

But I'll say this, the WG was not happy with the model for built-in keys until it could be should how they could be 1) secured and 2) used/referenced in the config. 


> s.5.3
> SSH, TLS lack references
> 
> You're right, but this is in the template published by the IESG.  There are likely several dozen RFCs published this way...
> 
> <tp>
> Which is an issue that a revised security template for YANG modules should address, what does it look like for a module that is all identity or all grouping or such like.
> 
> Tom Petch
> </tp>


Not my problem.

Kent // author

v2.23.0 | Report a Bug | By Email