[netconf] 答复: built-in trust anchors

"maqiufang (A)" <maqiufang1@huawei.com> Wed, 13 January 2021 13:22 UTC

Return-Path: <maqiufang1@huawei.com>
X-Original-To: netconf@ietfa.amsl.com
Delivered-To: netconf@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D0A0B3A0DEB for <netconf@ietfa.amsl.com>; Wed, 13 Jan 2021 05:22:41 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Level:
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_MSPIKE_H2=-0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id K1xD95ENh3MD for <netconf@ietfa.amsl.com>; Wed, 13 Jan 2021 05:22:38 -0800 (PST)
Received: from frasgout.his.huawei.com (frasgout.his.huawei.com [185.176.79.56]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 824C33A0DD5 for <netconf@ietf.org>; Wed, 13 Jan 2021 05:22:38 -0800 (PST)
Received: from fraeml741-chm.china.huawei.com (unknown [172.18.147.200]) by frasgout.his.huawei.com (SkyGuard) with ESMTP id 4DG7LS2GMQz67ZlJ; Wed, 13 Jan 2021 21:18:40 +0800 (CST)
Received: from dggeme717-chm.china.huawei.com (10.1.199.113) by fraeml741-chm.china.huawei.com (10.206.15.222) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256) id 15.1.2106.2; Wed, 13 Jan 2021 14:22:33 +0100
Received: from dggeme770-chm.china.huawei.com (10.3.19.116) by dggeme717-chm.china.huawei.com (10.1.199.113) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P256) id 15.1.2106.2; Wed, 13 Jan 2021 21:22:32 +0800
Received: from dggeme770-chm.china.huawei.com ([10.8.68.58]) by dggeme770-chm.china.huawei.com ([10.8.68.58]) with mapi id 15.01.2106.002; Wed, 13 Jan 2021 21:22:31 +0800
From: "maqiufang (A)" <maqiufang1@huawei.com>
To: Juergen Schoenwaelder <j.schoenwaelder@jacobs-university.de>, "Sterne, Jason (Nokia - CA/Ottawa)" <jason.sterne@nokia.com>
CC: Netconf <netconf@ietf.org>
Thread-Topic: [netconf] built-in trust anchors
Thread-Index: AdbpFFL2IioTw935RTC9hP47Cn7q7f//jDeAgAAyLwCAAJ82AP//KLkQ
Date: Wed, 13 Jan 2021 13:22:31 +0000
Message-ID: <599db28d34d0403d91dd17753b15b243@huawei.com>
References: <DM6PR08MB5084E8CF8D3D4D0E77C841CD9BAA0@DM6PR08MB5084.namprd08.prod.outlook.com> <20210112195951.oi7dlnnqpda7wavm@anna.jacobs.jacobs-university.de> <DM6PR08MB5084ED69870DF456DA8F1A509BAA0@DM6PR08MB5084.namprd08.prod.outlook.com> <20210113082918.zy4m4wtltstrs64h@anna.jacobs.jacobs-university.de>
In-Reply-To: <20210113082918.zy4m4wtltstrs64h@anna.jacobs.jacobs-university.de>
Accept-Language: zh-CN, en-US
Content-Language: zh-CN
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [10.136.100.25]
Content-Type: text/plain; charset="gb2312"
Content-Transfer-Encoding: base64
MIME-Version: 1.0
X-CFilter-Loop: Reflected
Archived-At: <https://mailarchive.ietf.org/arch/msg/netconf/qzJ2p0Ozzqz62JM6bwyakKnjdYU>
Subject: [netconf] =?gb2312?b?tPC4tDogIGJ1aWx0LWluIHRydXN0IGFuY2hvcnM=?=
X-BeenThere: netconf@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: NETCONF WG list <netconf.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/netconf>, <mailto:netconf-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/netconf/>
List-Post: <mailto:netconf@ietf.org>
List-Help: <mailto:netconf-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/netconf>, <mailto:netconf-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 13 Jan 2021 13:22:42 -0000

Hi, Juergen,

Apologize for my chiming in, I agree that setting require-instance as false can mitigate this issue, but cannot completely solve it.

Think differently,  we could introduce a system configuration datastore which might be implement using TPM. And it can update running with the system configuration automatically, after the system configuration has been altered as a consequence of device rebooting, inserting/removing a NIC , firmware updates as you mentioned, and so on.
In this case, the client do not have to copy the referenced certificates into <running> explicitly.
It should also be deletable, but it will be reloaded into running again if the system configuration is still present in the system.

In fact, this is exactly one of the motivation we proposed the draft (https://tools.ietf.org/html/draft-ma-netconf-with-system-01), i.e., how built-in items get into <running>. another motivation is to provide a mechanism for system configuration retrieval since not all server implementations treat the system configuration data in the same way.


Qiufang Ma


-----邮件原件-----
发件人: netconf [mailto:netconf-bounces@ietf.org] 代表 Juergen Schoenwaelder
发送时间: 2021年1月13日 16:29
收件人: Sterne, Jason (Nokia - CA/Ottawa) <jason.sterne@nokia.com>
抄送: Netconf <netconf@ietf.org>
主题: Re: [netconf] built-in trust anchors

After sleeping over it, I think a device should ship with the keys listed in whatever is the equivalent of the factory default, i.e., they are initially in <running>. Deleting them should be possible with the effect that no config can refer to these keys anymore (assuming strong references). Putting the keys back into running makes them available for config again.

I would be in favour to just have the names in runnning, not the key/cert details. This avoids issues with entries that do not match, and this then resembles hidden keys, for which details are also not known in <running>. In fact, <hidden> keys likely have the same property that they exist in the system (or a TPM), i.e., they are not config that can be arbitrary changed. I would assume that the same rules apply, if you delete a hidden key from <running>, it can't be referenced and used anymore. Perhaps the discussion in the I-D should be expanded to cover hidden keys as well.

I also expect that these special keys may be part of the firmware, i.e., they may change with firmware updates. This can lead to stale special keys that do not exist anymore in the firmware and new keys that exist in the firmware but must be (manually) added to <running> in order to use them.

/js

On Tue, Jan 12, 2021 at 10:59:28PM +0000, Sterne, Jason (Nokia - CA/Ottawa) wrote:
> Yes - adding require-instance false would eliminate the issue about built-in anchors in <running>. But there are useful advantages to keeping require-instance true. I don't have a strong feeling though one way or the other.
> 
> But assuming we keep require-instance true then the question still remains of how built-in items get into <running> (and are they deletable, and do we only need keys in running, etc).
> 
> Jason
> 
> > -----Original Message-----
> > From: Juergen Schoenwaelder <j.schoenwaelder@jacobs-university.de>
> > Sent: Tuesday, January 12, 2021 3:00 PM
> > To: Sterne, Jason (Nokia - CA/Ottawa) <jason.sterne@nokia.com>
> > Cc: Netconf <netconf@ietf.org>
> > Subject: Re: [netconf] built-in trust anchors
> > 
> > Jason,
> > 
> > since the leafref typedefs are weak references that do not require 
> > that the certs/keys exist (there is no 'require-instance true'), it 
> > may be OK to not have the certs/keys in <running> in terms of 
> > validity of the <running> datastore.
> > 
> > Oops, I had to reread RFC 7950 (section 9.9.3): if require-instance 
> > is not present, it defaults to true, so my review comment about weak 
> > references is incorrect, these are actually strong references and 
> > hence there is the need to copy what is referenced. Setting 
> > require-instance to false may resolve this (but we loose the ability 
> > to catch references to certs/keys that do not exist).
> > 
> > /js
> > 
> > On Tue, Jan 12, 2021 at 07:02:04PM +0000, Sterne, Jason (Nokia - 
> > CA/Ottawa)
> > wrote:
> > > Hi all,
> > >
> > > I noticed Jurgen's comment about built-in trust anchors in his 
> > > YANG doctor
> > review of trust-anchors-13. I wanted to pull that out into a 
> > dedicated thread/discussion here.
> > >
> > > Jurgen:
> > >
> > >
> > > - Section 3 talks about populating <running> with built-in trust
> > >
> > >   anchors.
> > >
> > >
> > >
> > >    In order for the built-in trust anchors to be referenced by
> > >
> > >    configuration, the referenced certificates MUST first be copied 
> > > into
> > >
> > >    <running>.  The certificates SHOULD be copied into <running> 
> > > using
> > >
> > >    the same "key" values, so that the server can bind them to the 
> > > built-
> > >
> > >    in entries.
> > >
> > >
> > >
> > >   Is the idea that this copy operation is an explicit management
> > >
> > >   operation or can implementations populate <running> with this
> > >
> > >   data automatically?
> > >
> > > I suppose a server *could* populate this in running as part of a 
> > > built-in
> > startup datastore in the absence of a startup datastore (i.e. as 
> > contents of a
> > RFC8808 factory default). But I assume it is desirable to be able to 
> > delete the running copy of a built-in item. So the system would have 
> > to avoid populating these unless it is loading the factory default.
> > >
> > > But even if the system can populate these, we'd also want the 
> > > client/user
> > to be able to explicitly populate them as well (i.e. in case they 
> > delete one from running, and want to add it back in to reference it).
> > >
> > > In either case (system population of running, or client population 
> > > of
> > running), do we really need to put the contents of the bag or the 
> > cert into running?  Or is populating the list key enough since the 
> > operational copy shows what contents are in use for that list entry?
> > >
> > > Jason
> > 
> > > _______________________________________________
> > > netconf mailing list
> > > netconf@ietf.org
> > > https://www.ietf.org/mailman/listinfo/netconf
> > 
> > 
> > --
> > Juergen Schoenwaelder           Jacobs University Bremen gGmbH
> > Phone: +49 421 200 3587         Campus Ring 1 | 28759 Bremen | Germany
> > Fax:   +49 421 200 3103         <https://www.jacobs-university.de/>

-- 
Juergen Schoenwaelder           Jacobs University Bremen gGmbH
Phone: +49 421 200 3587         Campus Ring 1 | 28759 Bremen | Germany
Fax:   +49 421 200 3103         <https://www.jacobs-university.de/>

_______________________________________________
netconf mailing list
netconf@ietf.org
https://www.ietf.org/mailman/listinfo/netconf