IETF Logo Mail Archive

Re: [Netconf] Mandatory local configuration in Keystore groupings

Kent Watsen <kwatsen@juniper.net> Fri, 24 August 2018 20:26 UTC

Return-Path: <kwatsen@juniper.net>
X-Original-To: netconf@ietfa.amsl.com
Delivered-To: netconf@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C4085130DDF for <netconf@ietfa.amsl.com>; Fri, 24 Aug 2018 13:26:03 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.711
X-Spam-Level:
X-Spam-Status: No, score=-2.711 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001, T_DKIMWL_WL_HIGH=-0.01] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=juniper.net
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id gisHo5Qk2Nib for <netconf@ietfa.amsl.com>; Fri, 24 Aug 2018 13:26:01 -0700 (PDT)
Received: from mx0b-00273201.pphosted.com (mx0b-00273201.pphosted.com [67.231.152.164]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id DFC61130DC0 for <netconf@ietf.org>; Fri, 24 Aug 2018 13:26:00 -0700 (PDT)
Received: from pps.filterd (m0108161.ppops.net [127.0.0.1]) by mx0b-00273201.pphosted.com (8.16.0.22/8.16.0.22) with SMTP id w7OKLCF8017752; Fri, 24 Aug 2018 13:25:58 -0700
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=juniper.net; h=from : to : cc : subject : date : message-id : references : in-reply-to : content-type : content-id : content-transfer-encoding : mime-version; s=PPS1017; bh=ncOnbfvsmuLYTvb91ffFPtnRbpW5oLulixb0xJPLMkE=; b=fkLxI88jJzfyY/EDi7MUE+S5T2St9d+rawf0lMHSSqDAItdXWcn3DWRy0KUSET/3IX7S xUhmCgBl+b9LTg4edU8/iF7w/zYdRJxAMQUcPYAlR3aNSjBuD34N0qpdsVHCxlWpFfT/ S+eC9oZQ1amrF5OJtrlIZPsmJ5pjKiiXqZYP689+LD3BdbYJSfmBLt6ZmCuk/L8F2XSR Pzx0+XSZx7N13Bnvn03Lqi3FOvq26E82ACoT+Nyi8aDpWr8RvvShNFkIrNqZSjmhJn7L xW7+1mgVrMcwUKrcaK4OQWoJincqs9u3KDbT9VFIZ3RcmloiXM9tFbegkgtw4u1P8EsB fQ==
Received: from nam03-co1-obe.outbound.protection.outlook.com (mail-co1nam03lp0023.outbound.protection.outlook.com [216.32.181.23]) by mx0b-00273201.pphosted.com with ESMTP id 2m2mkr0da0-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-SHA384 bits=256 verify=NOT); Fri, 24 Aug 2018 13:25:57 -0700
Received: from DM6PR05MB4665.namprd05.prod.outlook.com (20.176.109.202) by DM6PR05MB4268.namprd05.prod.outlook.com (20.176.78.17) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.1080.11; Fri, 24 Aug 2018 20:25:55 +0000
Received: from DM6PR05MB4665.namprd05.prod.outlook.com ([fe80::544a:dd4d:9524:9e6d]) by DM6PR05MB4665.namprd05.prod.outlook.com ([fe80::544a:dd4d:9524:9e6d%3]) with mapi id 15.20.1101.007; Fri, 24 Aug 2018 20:25:55 +0000
From: Kent Watsen <kwatsen@juniper.net>
To: Martin Bjorklund <mbj@tail-f.com>
CC: "balazs.lengyel@ericsson.com" <balazs.lengyel@ericsson.com>, "netconf@ietf.org" <netconf@ietf.org>
Thread-Topic: [Netconf] Mandatory local configuration in Keystore groupings
Thread-Index: AQHUE4rJV5t3ZASQT0G65kk51KFdjKSAiWUAgEnK74CAACpJAIABPX8AgAOrEAA=
Date: Fri, 24 Aug 2018 20:25:55 +0000
Message-ID: <28C3C2C7-22BE-4425-A26C-4A777FA68A95@juniper.net>
References: <F33FF737-881B-4507-9182-500764777077@juniper.net> <20180821.125709.290789583505734258.mbj@tail-f.com> <AF6441A6-CFE4-470C-991D-AF9ACE46C648@juniper.net> <20180822.102452.1792964591006331128.mbj@tail-f.com>
In-Reply-To: <20180822.102452.1792964591006331128.mbj@tail-f.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
user-agent: Microsoft-MacOutlook/f.20.0.170309
x-originating-ip: [66.129.241.14]
x-ms-publictraffictype: Email
x-microsoft-exchange-diagnostics: 1; DM6PR05MB4268; 6:Iod3yqRqN/iQKGPYgiNUesOgkjeg3GUsnNsIZLlAFLsSr0E50kWPuRuuLVPWFesKG4qE6ggrox/pNb5KsrhdJwm15l1JiU4cRF8EofKOqlh6RPPeroupi4MIaXNp69fCyrdCE+nMNN7V273Vw6nDqNwipgqJJD0MgT5gT6ZG1HAi+GvTHJsDq4KsCnMxuWWGFKyKS0zfwreKJr1WM9LBl4ReW+ieD0/17XSZlOnYuK0MSFeVBy3K+C30kQH8pPdhXdGYFpq4jTHnh6YdUCDavhs02VST5M7l9hWzZNKYOjakAld29/O9IbxMFbLm95xaW59uuKJ6yZzsOJdJ5Tvr5AZ3WJmgPdMHmr9mDnfuwhVcbFJ/6P4dLytjX6+vcR3065mLh5h2LEQ5IzrBUg+BxtvvgfYNe1eVWGu4a2GggVUD0FQWhDcRr9XZOpL92+i5WvoffKdH5yACukt5AyFXig==; 5:RLjelmdi3qVwsRS/UKE7CJVM5kqvJCD3EFB3GXzd2Kxr+GDYuJN1mXAg0ly3PkQoNvk0wAPn8YDA7rJ252yGWk1gFLCztUOgfT46Ck8jRfHXCbrsxGbNy0CEWwYPjqlMH6QCEnbYkfFyRWaM8JnNZcj278fCb+EVjyzVdffDwj0=; 7:jJ78bhEMY0apLm6FIePaqWSPKZDVtLQvxW9XQcjMchT/x0zYsEewMGhD0P1cewrKbuLeKbiOaA7S8+3iKl8G6b+JVHWGDF5z15EeFvYaLcjqNTE8mA4n4b/2vDRV1kpPDw6D2HMrsxzqZOVLZt5lIWSUVm2lyl5uQH3DBGc7c4+3arp3DARuYKrv98cw0jizrIlaRoNwt9TW2UZLKwPk9VD/nnTHgatXe5bb10OkDcofYy4DwRSXlzx0+CGXoblU
x-ms-exchange-antispam-srfa-diagnostics: SOS;
x-ms-office365-filtering-correlation-id: 1a5ff07e-9b00-491d-58ad-08d609ffcb6d
x-ms-office365-filtering-ht: Tenant
x-microsoft-antispam: BCL:0; PCL:0; RULEID:(7020095)(4652040)(8989137)(4534165)(4627221)(201703031133081)(201702281549075)(8990107)(5600074)(711020)(4618075)(2017052603328)(7153060)(7193020); SRVR:DM6PR05MB4268;
x-ms-traffictypediagnostic: DM6PR05MB4268:
x-microsoft-antispam-prvs: <DM6PR05MB426846169B7B59CC5E29FD2EA5360@DM6PR05MB4268.namprd05.prod.outlook.com>
x-exchange-antispam-report-test: UriScan:(192374486261705);
x-ms-exchange-senderadcheck: 1
x-exchange-antispam-report-cfa-test: BCL:0; PCL:0; RULEID:(8211001083)(6040522)(2401047)(8121501046)(5005006)(3002001)(10201501046)(3231311)(944501410)(52105095)(93006095)(93001095)(6055026)(149027)(150027)(6041310)(20161123558120)(201703131423095)(201702281528075)(20161123555045)(201703061421075)(201703061406153)(20161123560045)(20161123562045)(20161123564045)(201708071742011)(7699016); SRVR:DM6PR05MB4268; BCL:0; PCL:0; RULEID:; SRVR:DM6PR05MB4268;
x-forefront-prvs: 07749F8C42
x-forefront-antispam-report: SFV:NSPM; SFS:(10019020)(376002)(346002)(39860400002)(366004)(136003)(396003)(51444003)(199004)(189003)(6246003)(14454004)(76176011)(229853002)(3846002)(6116002)(6436002)(99286004)(6486002)(25786009)(2900100001)(316002)(54906003)(58126008)(4326008)(5250100002)(97736004)(106356001)(105586002)(7736002)(305945005)(5660300001)(83716003)(478600001)(93886005)(36756003)(81166006)(68736007)(81156014)(6916009)(8676002)(66066001)(2906002)(6512007)(486006)(82746002)(53936002)(8936002)(446003)(11346002)(86362001)(2616005)(476003)(186003)(26005)(33656002)(256004)(14444005)(6506007)(102836004)(35224004); DIR:OUT; SFP:1102; SCL:1; SRVR:DM6PR05MB4268; H:DM6PR05MB4665.namprd05.prod.outlook.com; FPR:; SPF:None; LANG:en; PTR:InfoNoRecords; A:1; MX:1;
received-spf: None (protection.outlook.com: juniper.net does not designate permitted sender hosts)
x-microsoft-antispam-message-info: dP4c/EnTfiEdep2SKbNTH8J+R5dfpcOOPEpX6Sg8+5IsWtvyKsOA8xC6rkpdYNUyLwF9y/GR2h6a+UmVS0VCd/sITM/1l/c8RCYy7gyVp0VGlqTsUhQjGgJi9U5RznEUY1hEgp9fsCe7UEPpgU57nVxJFvYiEemuhpo+L8dpN1kkhiZYLHYWlHmGfppTYAcX7C6gQLSr1zWKUKncQJrYXnIXLxEHoTXIOGFRqZuhmMPWiMCJfDEuPaxgxGle/Rwp6Lwq6xkA0R7hEAxWh5irE7GsYgobEsDd7GYICps4TaGzN/F7OW6DnNHqT8K/x8tEvklFeootUob2NV43ACtJicIm8yTtDuazFomPs9BasKk=
spamdiagnosticoutput: 1:99
spamdiagnosticmetadata: NSPM
Content-Type: text/plain; charset="utf-8"
Content-ID: <C19ECDD331F15A4FB33F5EAD894E3C1C@namprd05.prod.outlook.com>
Content-Transfer-Encoding: base64
MIME-Version: 1.0
X-OriginatorOrg: juniper.net
X-MS-Exchange-CrossTenant-Network-Message-Id: 1a5ff07e-9b00-491d-58ad-08d609ffcb6d
X-MS-Exchange-CrossTenant-originalarrivaltime: 24 Aug 2018 20:25:55.2349 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: bea78b3c-4cdb-4130-854a-1d193232e5f4
X-MS-Exchange-Transport-CrossTenantHeadersStamped: DM6PR05MB4268
X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10434:, , definitions=2018-08-24_09:, , signatures=0
X-Proofpoint-Spam-Details: rule=outbound_spam_notspam policy=outbound_spam score=0 priorityscore=1501 malwarescore=0 suspectscore=0 phishscore=0 bulkscore=0 spamscore=0 clxscore=1015 lowpriorityscore=0 mlxscore=0 impostorscore=0 mlxlogscore=999 adultscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.0.1-1807170000 definitions=main-1808240207
Archived-At: <https://mailarchive.ietf.org/arch/msg/netconf/p9OxT0lpp-V_Ha61Uug1owRDOnA>
Subject: Re: [Netconf] Mandatory local configuration in Keystore groupings
X-BeenThere: netconf@ietf.org
X-Mailman-Version: 2.1.27
Precedence: list
List-Id: Network Configuration WG mailing list <netconf.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/netconf>, <mailto:netconf-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/netconf/>
List-Post: <mailto:netconf@ietf.org>
List-Help: <mailto:netconf-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/netconf>, <mailto:netconf-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 24 Aug 2018 20:26:04 -0000


>> I don't believe there is a security issue.  NACM or equivalent can
>> be used in either case.
>
> Yes, but it may be desirable to keep all keys in a single place,
> instead of scattered around.  But I'm ok with using a feature.

Yes, let's go with the feature.  I've added it to my local copy.

> BTW, all private keys should have nacm:default-deny-all.

I'd agree if we were only talking about backup/restore operations, 
which match the definition of a "recovery session", but here we're
trying to support workflows that would occur during normal operation
of the device, by administrators having sufficient permission.  The
Security Considerations section provides guidance on this too.



> Editorial issue: the draft uses both names "generate-private-key" and
> "generate-asymmetric-key".

fixed.


>> That said, the current action has no input parameter to direct 
>> the device to use an HSM or filesystem.  Perhaps there is a
>> need for a feature indicating the device has an HSM?
>
> I think that this is an implementation choice that doesn't have
> to be visible to the operator.  I.e., if there's special hw it
> will be used, else a filesystem (or something else) will be used.

No, what I meant was that generate-asymmetric-key could take an
input parameter (enum?), protected by a feature, that the client
could use to indicate the key needs to be permanently hidden, or
define the entire RPC to have that behavior?

Regarding the name, s/hardware-protected/permanently-hidden/?


> No, this won't work.  Note the text you quoted:
>
>     Otherwise [no prefix], a feature with the matching
>     name MUST be defined in the current module or an included submodule.
>
> the current module is the module that has the if-feature statement,
> i.e., ietf-keystore.

okay.  I was hoping that is could be the module using the grouping.


> But I think a global feature is fine.  Models can always add their own
> additional if-fetaure expressions via refinement.

True.



>> >  1)  Is the enum "hardware-protected" really a good name in this
>> >      case?
>> 
>> As opposed to what?
>
> In my use case I would implement "generate-asymmetric-key" and it
> would create the keys in the file system, and the public key would be
> available in <operational>.  I don't want to expose the private key in
> <operational>, so I would have to return "hardware-protected".  But it
> isn't hardware protected...

Would "permanently-hidden" be better?


> <snip/>
> I think this is the real issue.  So it might be that my use case of
> not wanting to expose private keys at all even if there's no TPM is
> explicitly not supported.  I.e., unless there's special hw present,
> all private keys MUST be exposed (but NACM-protected).

Now you have me second-guessing this.  Maybe a device, without special
hardware, could present the illusion of a permanently-hidden private
key - it's completely inaccessible from the device's supported 
interfaces, though actually present on the filesystem.


>> Unsure what you mean.  Currently all these values are configurable.
>> Or are you trying to find a way to only "configure" them in 
>> <operational>?
>
> Yes, *if* my use case of not exposing the private keys is supported,
> then it would be useful to be able to generate the keys off-box, and
> install them into <operational>.

Hmmm, sounds like *configuration*, not something goes into <operational>.

And, even if you did, that doesn't mean the keys are permanently-hidden.
I suppose the model could let them client set that parameter as well,
but it somewhat defeats to goal of *never* having the private key exposed,
not even as a once in a lifetime kind of thing.  That’s just my opinion,
we should ask for more opinions if you're not convinced.


>> The idea is to use the approach that was taken with the I2RS topology
>> model, using require-instance false.  Specifically, the 
>> "local-or-keystore-asymmetric-key-with-certs-grouping" has leaf 
>> "reference" of type "asymmetric-key-ref":
>>
>> <snip/>
>> 
>> Makes sense?
>
> Isn't the idea that once I have a certificate, I will write it into
> /keystore/asymmetric-keys/asymmetric-key/certificates/certificate?
>
> My question is how this is supposed to work for a hardware-protected
> key that only exists in <operational>?

Sorry, I think my example was wrong.  A better example might be the
interfaces example in Section C.3.2 in RFC 8342 [1], where the
configs overlay each other (e.g., matching keys).

For a hardware-protected key, the "asymmetric-key" (in keystore) still
appears in <operational> with an exposed "key" name, the "private-key"
value is set to "hardware-protected".  So the thinking is that a similar
path can be constructed in <intended>, while only adding/configuring the
certificates.

Actually, check out the example in keystore-05 at the end of page 7:

       <asymmetric-key or:origin="or:system">           <--- system generated
         <name>tpm-protected-key</name>
         <algorithm>ct:rsa2048</algorithm>
         <private-key>hardware-protected</private-key>  <--- hw protected
         <public-key>base64encodedvalue==</public-key>
         <certificates>
           <certificate>
             <name>builtin-idevid-cert</name>
             <cert>base64encodedvalue==</cert>
           </certificate>
           <certificate or:origin="or:intended">        <--- configured cert
             <name>my-ldevid-cert</name>
             <cert>base64encodedvalue==</cert>
           </certificate>
         </certificates>
       </asymmetric-key>



Kent // contributor

v2.23.0 | Report a Bug | By Email