Re: [Netconf] Mandatory local configuration in Keystore groupings

Kent Watsen <kwatsen@juniper.net> Thu, 05 July 2018 16:04 UTC

From: Kent Watsen <kwatsen@juniper.net>
To: Balazs Lengyel <balazs.lengyel@ericsson.com>, "netconf@ietf.org" <netconf@ietf.org>
Date: Thu, 05 Jul 2018 16:03:53 +0000
Message-ID: <F33FF737-881B-4507-9182-500764777077@juniper.net>
References: <596667e1-b47f-c26a-1bb5-1520bccb6e93@ericsson.com>
In-Reply-To: <596667e1-b47f-c26a-1bb5-1520bccb6e93@ericsson.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/netconf/riasdJG3oZysvlmxG5lPYlkIT70>
Subject: Re: [Netconf] Mandatory local configuration in Keystore groupings
List-Id: Network Configuration WG mailing list <netconf.ietf.org>

Hi Balazs,

This issue is (was?) also being discussed here:  https://mailarchive.ietf.org/arch/msg/netconf/tpmAeH9KLBWF0YglZ8CJmm4MW4o.

Expanding on (c) on that page, assuming we do this at all, the choices are:

  1: add "if-defined 'not keystore-implemented'" to the "local" choice.  This would
       be a *global* on/off switch, not per use of the grouping.

  2: add "if-defined 'local-keys-supported'" to the "local" choice.  This would be a
       *global* on/off switch, not per use of the grouping.

  3: do nothing; let downstream modules augment-in their own if-feature statements
       for the "choice" statement when the groupings are used.  This would allow
       defining a *local* (not global) on/off switch.

  4: remove support for keystore being optional to implement.  That is, regarding your
       comment in the link below to support keys that are not shared, we could require
       that the keys still exist in the keystore and leave it to the application to ensure
       it doesn't reference such keys more than once.

       https://mailarchive.ietf.org/arch/msg/netconf/xYYf0NSeT9mgtJ1KH-h7SYLSmXA

Thoughts?

Kent


On 7/4/18, 7:26 AM, "Netconf on behalf of Balazs Lengyel" <netconf-bounces@ietf.org on behalf of balazs.lengyel@ericsson.com> wrote:

Hello Kent,

I was reading draft-ietf-netconf-keystore-05. I noticed that in the groupings
local-or-keystore-end-entity-certificate-grouping, local-or-keystore-asymmetric-key-grouping and local-or-keystore-asymmetric-key-with-certs-grouping
the keystore case is qualified with an
if-feature "keystore-implemented"
statement. However, the local case is not qualified with if-feature. In many of our network nodes we want to implement a central keystore, and do NOT want to allow local security configuration. So please add
if-feature "not keystore-implemented"
or
if-feature "local-keystore-allowed"
to the local case of these groupings.

regards Balazs Lengyel

--
Balazs Lengyel                       Ericsson Hungary Ltd.
Senior Specialist
Mobile: +36-70-330-7909              email: Balazs.Lengyel@ericsson.com
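The following YANG is an added illustration of the two mechanisms discussed in this thread; it is not text from draft-ietf-netconf-keystore-05 or from either message above. The grouping name local-or-keystore-asymmetric-key-grouping, the feature keystore-implemented and the case names "local" and "keystore" come from the thread; the module names, the choice name "local-or-keystore", the leaf names, the feature local-keys-supported and the feature ssh-local-keys are assumed for the example. The first module shows a global switch on the "local" case (option 2 in Kent's list; option 1 is the same statement with the YANG 1.1 expression "not keystore-implemented"). The second module shows a per-use switch (option 3), which a YANG 1.1 module can attach with a refine on the case when it uses the grouping, rather than by augment.

```yang
// File 1 (assumed name): example-keystore-choice.yang
// Added example; names other than those cited in the thread are assumptions.
module example-keystore-choice {
  yang-version 1.1;
  namespace "urn:example:keystore-choice";
  prefix ekc;

  feature keystore-implemented {
    description
      "The server implements a central keystore and can reference keys in it.";
  }

  feature local-keys-supported {
    description
      "The server allows key material to be configured inline ('local')
       instead of by reference to the keystore.  Leaving this feature
       unadvertised disables the 'local' case everywhere the grouping is
       used (a global switch).";
  }

  grouping local-or-keystore-asymmetric-key-grouping {
    choice local-or-keystore {
      mandatory true;
      case local {
        // Option 2: global switch.  Option 1 would instead read
        //   if-feature "not keystore-implemented";
        if-feature "local-keys-supported";
        leaf private-key {
          type binary;
          description "Assumed leaf: inline private key material.";
        }
      }
      case keystore {
        if-feature "keystore-implemented";
        leaf keystore-reference {
          type string;
          description
            "Assumed leaf: name of a key held in the central keystore
             (the draft would use a leafref into the keystore tree).";
        }
      }
    }
  }
}

// File 2 (assumed name): example-ssh-server.yang
// Option 3: the module that uses the grouping decides, per use, whether
// the 'local' case is available, via refine (permitted in YANG 1.1).
module example-ssh-server {
  yang-version 1.1;
  namespace "urn:example:ssh-server";
  prefix ess;

  import example-keystore-choice {
    prefix ekc;
  }

  feature ssh-local-keys {
    description
      "Assumed feature: permit an inline SSH host key on this server only.";
  }

  container ssh-server {
    container host-key {
      uses ekc:local-or-keystore-asymmetric-key-grouping {
        // Path is choice/case, both of which are schema nodes.
        refine "local-or-keystore/local" {
          if-feature "ssh-local-keys";
        }
      }
    }
  }
}
```

With the two modules in separate files, `pyang --strict example-keystore-choice.yang example-ssh-server.yang` should compile them cleanly. Note that a server which advertises local-keys-supported but not ssh-local-keys still has the local case removed from ssh-server/host-key, because a refined case carries both if-feature conditions and all of them must be true; this is the sense in which option 3 is a local switch and options 1 and 2 are global ones.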