IETF Logo Mail Archive

Re: [netconf] I-D Action: draft-ietf-netconf-keystore-27.txt

Kent Watsen <kent@watsen.net> Sun, 29 January 2023 02:24 UTC

Return-Path: <01000185fb56a54b-2f700d39-54d0-4e5d-913c-639b482df879-000000@amazonses.watsen.net>
X-Original-To: netconf@ietfa.amsl.com
Delivered-To: netconf@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 67D6FC14CE2F for <netconf@ietfa.amsl.com>; Sat, 28 Jan 2023 18:24:03 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.896
X-Spam-Level:
X-Spam-Status: No, score=-1.896 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_MSPIKE_H2=-0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=amazonses.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id O_xWOIQj47jV for <netconf@ietfa.amsl.com>; Sat, 28 Jan 2023 18:23:59 -0800 (PST)
Received: from a48-94.smtp-out.amazonses.com (a48-94.smtp-out.amazonses.com [54.240.48.94]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id CEE10C14CE28 for <netconf@ietf.org>; Sat, 28 Jan 2023 18:23:58 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/simple; s=6gbrjpgwjskckoa6a5zn6fwqkn67xbtw; d=amazonses.com; t=1674959037; h=From:Message-Id:Content-Type:Mime-Version:Subject:Date:In-Reply-To:Cc:To:References:Feedback-ID; bh=QLsrjBI7U/BWgTr5vo8Fw6x9n7g7yg3EDFLufDEfCvQ=; b=evGAHvIWWRCVfFBUQfYVH4B129uy2H4aTPSFUyHjmTHjMUebrI+ol41eDdTu28UJ S40RAvKD2J3unSx9UltmiSo75DR+dM1kbnuDu06GiK4RQY65HDirUA/0oLI0sOGPxua UqEs60fWyZHpbwnsFyNJ4ttAG6tLDnuWyAWz9mnE=
From: Kent Watsen <kent@watsen.net>
Message-ID: <01000185fb56a54b-2f700d39-54d0-4e5d-913c-639b482df879-000000@email.amazonses.com>
Content-Type: multipart/alternative; boundary="Apple-Mail=_E0214D81-D19A-4559-BE62-804BD1AA82B3"
Mime-Version: 1.0 (Mac OS X Mail 16.0 \(3731.400.51.1.1\))
Date: Sun, 29 Jan 2023 02:23:57 +0000
In-Reply-To: <AM7PR07MB6248AF994BDAE1934A9A3D8EA0C79@AM7PR07MB6248.eurprd07.prod.outlook.com>
Cc: Henk Birkholz <henk.birkholz@sit.fraunhofer.de>, "netconf@ietf.org" <netconf@ietf.org>
To: tom petch <ietfc@btconnect.com>
References: <167087094875.45631.5752947059896213334@ietfa.amsl.com> <AM7PR07MB6248CDDEA380E553031F4622A0C79@AM7PR07MB6248.eurprd07.prod.outlook.com> <c95d0f80-9ee9-8960-098c-1ec8060eb98d@sit.fraunhofer.de> <AM7PR07MB6248AF994BDAE1934A9A3D8EA0C79@AM7PR07MB6248.eurprd07.prod.outlook.com>
X-Mailer: Apple Mail (2.3731.400.51.1.1)
Feedback-ID: 1.us-east-1.DKmIRZFhhsBhtmFMNikgwZUWVrODEw9qVcPhqJEI2DA=:AmazonSES
X-SES-Outgoing: 2023.01.29-54.240.48.94
Archived-At: <https://mailarchive.ietf.org/arch/msg/netconf/wi2HBtwYEUhvIckZxhZm4wG2GNs>
Subject: Re: [netconf] I-D Action: draft-ietf-netconf-keystore-27.txt
X-BeenThere: netconf@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: NETCONF WG list <netconf.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/netconf>, <mailto:netconf-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/netconf/>
List-Post: <mailto:netconf@ietf.org>
List-Help: <mailto:netconf-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/netconf>, <mailto:netconf-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 29 Jan 2023 02:24:03 -0000

Hi Tom,

Thank you for your review of the keystore draft.
Please see below for my responses to your comments.

Kent



> On Jan 18, 2023, at 11:48 AM, tom petch <ietfc@btconnect.com> wrote:
> 
> From: Henk Birkholz <henk.birkholz@sit.fraunhofer.de>
> Sent: 18 January 2023 12:56
> 
> Hi Tom,
> 
> to your comment on "Security 101" content. I do not see that basic
> repetition as a flaw considering the scope of audience, as implementers
> might occasionally tend not to read all useful, but only the minimal
> essential documents.
> 
> Having said that. Maybe the "Security 101" problem can be avoided by
> some well-selected references to the extend of "Security Considerations
> about key management of RFC-XXXX apply"? That could avoid the repetition
> a bit.
> 
> <tp>
> Henk
> 
> I am contrasting this I-D with RFC8177 on key chains which says
> '  Implementations with keys provided via this model should store them
>   using best current security practices.'
> which is the sort of statement I would expect to see in a routing or ops RFC, leaving the technical detail to a Security Area one!
> 
> Tom Petch
> 
> 
> 
> Viele Grüße,
> 
> Henk
> 
> On 18.01.23 13:37, tom petch wrote:
>> Some thoughts, editorial mostly, on this version of this I-D.
>> 
>> Generally, I find many of the identifiers cumbersome, up to nine hyphen separated elements; I would see three or four as good and five as tolerable, more than that error prone,
>> 
>>      grouping local-or-keystore-end-entity-cert-with-key-grouping
>> As ever, I see -grouping as prolix.  I would also like to shorten local-or-keystore as a generic term for well, locality, or location, or place or site or   .... there are lots of possible synonyms.  Also where the grouping is about a cert then I think that that should come before locality.  To me it is the cert that matters not the option about its locality
>> 
>> I would also like to shorten 'cert-with-key' which occurs many times but do not have an alternative to offer.

You're the first to bring this up.   Whilst you make good points, I'm unwilling to change names unless others chime in.

>> The other general comment is that in places this reads as Security 101, which I do not think that the Netconf WG should be publishing (even if the text has come from Security ADs or such like).  The changes here would be small, deletions mostly,  but I think should be made.  Thus comments about built-in keys SHOULD NOT be cleartext are nothing to do with a YANG module, they are or they are not and no YANG module is going to change that.   There are several such statements in sections 3, 4 and 5 which to me belong in a BCP from the Security Area.

See discuss with Henk at top.   IDK about the the keychain draft, does it's data-model contain nodes such as "cleartext-password", "hidden-password", or "encrypted-password"?   The particular paragraph mentioned regards "built-in" keys, a concept unique to this draft (AFAIK), and it seems proper for the draft to say that "Built-in key types SHOULD be either hidden or encrypted", but not cleartext (even if projected by NACM).   FWIW, I think that there were two SecDir reviews on these sections.

WRT "There are several such statements in sections 3, 4 and 5", please provide a complete list.


>> Some less contentious points.
>> 
>>      grouping asymmetric-key-pair-with-cert-grouping
>>      grouping asymmetric-key-pair-with-certs-grouping
>> I think an unfortunate pairing; that letter 's' buried in the middle will be missed.  Even
>>      grouping asymmetric-key-pair-with-cert
>>      grouping asymmetric-key-pair-with-certs
>> could cause erors.

The error you're concerned about seems like a small thing.  That is, even if the wrong name were entered, the tree-diagram or CLI/UI would quickly reveal.  So no a big deal?



>>    The term "keystore" is defined in this /draft /document/

Fixed - other instances (in this draft) are fixed as well.

>> The term "key" may be used to mean one of three things in this /draft:/document/
>> Well, four to be picky - you also have it from RFC2119

Yeap, like this one.  Fixed.


>> In the tree diagrams. the type 'string' seems to wander around, as in 2.1.3.7, and not stay in a predictable place

The tree-diagrams are generated using the latest version of pyang.  The closest RFC 8340 comes to providing guidance is "Additional whitespace may, for example, be used to "column align" fields (e.g., within a list or container) to improve readability".   I don't think we can fault pyang (though we could wish for better).

In lieu of fixing the tool, I could manually edit the tree diagrams, but that is both a lot of work and error-prone.  Note that the tree-diagrams are automatically generated and inserted every time I `make` and the document.


>> What happens to choice/case if no features are defined?  I do not know if YANG can enforce or cope with that.

Where are you?   Regardless, all the "choice" statements in ietf-keystore are "mandatory true", meaning that one case must be defined.


>> s.2.1.4
>> 'The protocol-accessible nodes for the "ietf-keystore" module are an instance'
>> perhaps instances

Fixed.


>> s.2.2.3
>>  a big section when there are no pages numbers - worth splitting into subsections IMHO

Subsections added.


>> prefix eku
>> we could do with a documentation-only YANG prefix; to me this looks too real, perhaps ex-eku

Changed to "ex-keystore-usage"


>> s.3
>> built-in keys
>> Built into what?  The YANG module?  suggest 'built into the device' or some such.

Now: "keys built-in into the server".



>> I-D.ma-netmod-with-system
>> needs to be Normative IMHO - I cannot understand system without it

This document is not dependent on that work; it merely offered the reference as a related work.

That said, searching for "system", I found and replaced several instances to use the word "server" instead.  I think this may've been the actual source of your confusion.

Also, updated ref to point to adopted name: "ietf-netmod-system-config".


>> copied into <running>
>> copied from where?

Two paragraphs up: "...they are present in <operational> (and <system>, if used)."


>> all key types may be copied
>> again, copied from where?

Again,  <operational> (and <system>, if used).   This paragraph also says <operational> a sentence later"


>> built-in key
>> lacks a terminal period

Fixed.


>> <running> data tree
>> Why data tree here when every else is just <running>?

Removed.


>> s.4 Nothing to do with Netconf IMHO!

The WG or the protocol?

Regardless, this draft defines a data-model and related semantics.  You may not be aware, but many wanted to see this section fleshed out.


>> s.5.3
>> SSH, TLS lack references

You're right, but this is in the template published by the IESG.  There are likely several dozen RFCs published this way...


Kent



>> 
>> Tom Petch
>> 
>> _______________________________________
>> From: netconf <netconf-bounces@ietf.org> on behalf of internet-drafts@ietf.org <internet-drafts@ietf.org>
>> Sent: 12 December 2022 18:49
>> To: i-d-announce@ietf.org
>> Cc: netconf@ietf.org
>> Subject: [netconf] I-D Action: draft-ietf-netconf-keystore-27.txt
>> 
>> 
>> A New Internet-Draft is available from the on-line Internet-Drafts directories.
>> This draft is a work item of the Network Configuration WG of the IETF.
>> 
>>         Title           : A YANG Data Model for a Keystore
>>         Author          : Kent Watsen
>>   Filename        : draft-ietf-netconf-keystore-27.txt
>>   Pages           : 52
>>   Date            : 2022-12-12
>> 
>> Abstract:
>>    This document defines a YANG module called "ietf-keystore" that
>>    enables centralized configuration of both symmetric and asymmetric
>>    keys.  The secret value for both key types may be encrypted or
>>    hidden.  Asymmetric keys may be associated with certificates.
>>    Notifications are sent when certificates are about to expire.
>> 
>> 
>> The IETF datatracker status page for this draft is:
>> https://datatracker.ietf.org/doc/draft-ietf-netconf-keystore/
>> 
>> There is also an HTML version available at:
>> https://www.ietf.org/archive/id/draft-ietf-netconf-keystore-27.html
>> 
>> A diff from the previous version is available at:
>> https://author-tools.ietf.org/iddiff?url2=draft-ietf-netconf-keystore-27
>> 
>> 
>> Internet-Drafts are also available by rsync at rsync.ietf.org::internet-drafts
>> 
>> 
>> ____________________________
>> _______________________________________________
>> netconf mailing list
>> netconf@ietf.org
>> https://www.ietf.org/mailman/listinfo/netconf
> 
> _______________________________________________
> netconf mailing list
> netconf@ietf.org
> https://www.ietf.org/mailman/listinfo/netconf

v2.23.0 | Report a Bug | By Email