IETF Logo Mail Archive

Re: [Netconf] Mandatory local configuration in Keystore groupings

Kent Watsen <kwatsen@juniper.net> Mon, 17 September 2018 21:42 UTC

Return-Path: <kwatsen@juniper.net>
X-Original-To: netconf@ietfa.amsl.com
Delivered-To: netconf@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id DA959130DC6 for <netconf@ietfa.amsl.com>; Mon, 17 Sep 2018 14:42:10 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.711
X-Spam-Level:
X-Spam-Status: No, score=-2.711 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001, T_DKIMWL_WL_HIGH=-0.01] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=juniper.net
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id NcJ3UjlGWr89 for <netconf@ietfa.amsl.com>; Mon, 17 Sep 2018 14:42:08 -0700 (PDT)
Received: from mx0b-00273201.pphosted.com (mx0b-00273201.pphosted.com [67.231.152.164]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 784801293FB for <netconf@ietf.org>; Mon, 17 Sep 2018 14:42:08 -0700 (PDT)
Received: from pps.filterd (m0108161.ppops.net [127.0.0.1]) by mx0b-00273201.pphosted.com (8.16.0.22/8.16.0.22) with SMTP id w8HLfR8k020121; Mon, 17 Sep 2018 14:42:05 -0700
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=juniper.net; h=from : to : cc : subject : date : message-id : references : in-reply-to : content-type : content-id : content-transfer-encoding : mime-version; s=PPS1017; bh=uE/17n6ik1HMbJAgf+GJF+KFi3y1XBrOeSEhlV0Tkto=; b=lIw//p3ha5tgJJ83ZSwlvbHxIKAX0Otfh6fLHNvaZ6mYqYoxbDdlyOaBUEEFnRNYDiyo RVcYicdkAKTWUg1RJDkWvXoy3BXYbBJd5irw/0fT043BRQqF68J2ixhpklRd7WFRvmtc P9AMK1bHhT9niAikb2pNdfcJ1ln9+WIRYlU9KmqjTU0zBtzhxWVeM1JMe/z8d4OVFQlP WRVfGBRLqUDIGxNorCfRN6TRgfzJyQktYPIaKa2/seFebmWqHQX29wP3o+jTNkDacvor mqGO9LVV19eyA+mpSbJQipot5DxJjkh35X8L06hDiiBP4J1BUnUh5eUkS+2Q1R32E9wb lQ==
Received: from nam02-sn1-obe.outbound.protection.outlook.com (mail-sn1nam02lp0019.outbound.protection.outlook.com [216.32.180.19]) by mx0b-00273201.pphosted.com with ESMTP id 2mj9rkhcd9-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-SHA384 bits=256 verify=NOT); Mon, 17 Sep 2018 14:42:05 -0700
Received: from DM6PR05MB4665.namprd05.prod.outlook.com (20.176.109.202) by DM6PR05MB4603.namprd05.prod.outlook.com (20.176.109.148) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.1143.11; Mon, 17 Sep 2018 21:42:01 +0000
Received: from DM6PR05MB4665.namprd05.prod.outlook.com ([fe80::544a:dd4d:9524:9e6d]) by DM6PR05MB4665.namprd05.prod.outlook.com ([fe80::544a:dd4d:9524:9e6d%5]) with mapi id 15.20.1164.014; Mon, 17 Sep 2018 21:42:01 +0000
From: Kent Watsen <kwatsen@juniper.net>
To: Martin Bjorklund <mbj@tail-f.com>
CC: "balazs.kovacs@ericsson.com" <balazs.kovacs@ericsson.com>, "balazs.lengyel@ericsson.com" <balazs.lengyel@ericsson.com>, "netconf@ietf.org" <netconf@ietf.org>
Thread-Topic: [Netconf] Mandatory local configuration in Keystore groupings
Thread-Index: AQHUE4rJV5t3ZASQT0G65kk51KFdjKSAiWUAgEnK74CAACpJAIABPX8AgAOrEACABC+ZAIAAwASAgAC9gACAAHNjgIAAFAaAgAEgEwCAAicPgIAF1PmAgAF1VYCACj3EgIAAtxgAgACClQCACVx+gIAAM1IA
Date: Mon, 17 Sep 2018 21:42:01 +0000
Message-ID: <C024B669-5B39-47C9-91FE-3C8D3698BB1D@juniper.net>
References: <185C7E6D-7EF1-4FFE-9A9B-74BA7E16D946@juniper.net> <20180911.095334.2041631968993039535.mbj@tail-f.com> <1F126D9A-775C-4590-A645-6529C3066C14@juniper.net> <20180917.163819.1278530557866964677.mbj@tail-f.com>
In-Reply-To: <20180917.163819.1278530557866964677.mbj@tail-f.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
user-agent: Microsoft-MacOutlook/f.20.0.170309
x-originating-ip: [66.129.241.14]
x-ms-publictraffictype: Email
x-microsoft-exchange-diagnostics: 1; DM6PR05MB4603; 6:s0eUu4S9IQZhKSKyayvqbeGfU1Ph0uJLk/B/bu0988xSEblr9qLNCcdwSX7WJj4tWDPR4OQgqjBR8GF6pe6pSTnSCWwC0HmiSsgFqmwtatRvBc1YROh+D1pRENgwJyxx+1x4g9Ow/JYyv7Tto4ofkA8gNVaeMvYhPEfbxrTKA2BniMwy40l97XWU5h4qZn71f2UyVnAmMREQcCDxjYvWd0l3DmZZyJ/FDh0sF2Lkk3cR+REgBmYrUbHGIIfesW2PGrRI2hQT+dfiiVeXY/FtzkOfq2wRM6L7pOakO5HDaWgf8PQ6g2X7ipiTosKPOwaZ8eLZprdSbBHSHmZYRM+JiqxStm/iJZg7Zg8n4m8TPzKQYPHHZRdVwrzMEXuE6MzIP5mJNV5IuoHwxooae+LG8l2aqz9MIffAfvtRuNCBR4HPPYPO1G8ab1dp5VX8qhT6Ku+/uJKlSZQL+93vkI6Vmg==; 5:a7Mkio/mlrKeSXvvmFcZ/O6b37SsfcQAMxyFgg6CJJ+Z0/lkoEOcK+ahFz3+R0txZfpYltVIbCAUN9V+tMsxIVpeyBpyTbjeTfUvLTLbGfA5JIs3qKJNKSy4m6DFDBmLXtc9IH1artsWZdXnzvy6YexC8d86hsvEfjQJCTeplL4=; 7:7WT4BAPtAWEblBw5y0GV8haYBT0zILoEyVDxmioL9OYdL7aHKOlfwBLpekGn1IeuFZYJL2lA/A7n+q5fob2bQhiBBbTJJcxbgecgjWjjFg1mFfG/a7p1QvZLVHzoNRNqHTXoxgk184z+PvK5gAuGNXukDasJHDxqiMcwq7939omS/69RKpd1kVnJDcHPwygzknqAxfwSokICn/uzBsna2eatBTLl0ZoCkZ5xuHFR9d3pTsZigWmUujfCMyAdoV8g
x-ms-exchange-antispam-srfa-diagnostics: SOS;
x-ms-office365-filtering-correlation-id: d0c6ee94-cb87-4841-be83-08d61ce666db
x-ms-office365-filtering-ht: Tenant
x-microsoft-antispam: BCL:0; PCL:0; RULEID:(7020095)(4652040)(8989137)(4534165)(4627221)(201703031133081)(201702281549075)(8990107)(5600074)(711020)(4618075)(2017052603328)(7153060)(7193020); SRVR:DM6PR05MB4603;
x-ms-traffictypediagnostic: DM6PR05MB4603:
x-microsoft-antispam-prvs: <DM6PR05MB4603BA54801520DA7416C490A51E0@DM6PR05MB4603.namprd05.prod.outlook.com>
x-exchange-antispam-report-test: UriScan:;
x-ms-exchange-senderadcheck: 1
x-exchange-antispam-report-cfa-test: BCL:0; PCL:0; RULEID:(8211001083)(6040522)(2401047)(8121501046)(5005006)(3002001)(10201501046)(93006095)(93001095)(3231355)(944501410)(52105095)(6055026)(149027)(150027)(6041310)(20161123564045)(20161123558120)(20161123562045)(20161123560045)(201703131423095)(201702281528075)(20161123555045)(201703061421075)(201703061406153)(201708071742011)(7699050); SRVR:DM6PR05MB4603; BCL:0; PCL:0; RULEID:; SRVR:DM6PR05MB4603;
x-forefront-prvs: 0798146F16
x-forefront-antispam-report: SFV:NSPM; SFS:(10019020)(979002)(366004)(39860400002)(396003)(136003)(376002)(346002)(189003)(199004)(478600001)(25786009)(3846002)(66066001)(6436002)(7736002)(81156014)(81166006)(6916009)(99286004)(4326008)(76176011)(97736004)(5250100002)(486006)(316002)(6116002)(6486002)(6512007)(5660300001)(11346002)(2616005)(58126008)(86362001)(229853002)(54906003)(305945005)(68736007)(476003)(53936002)(446003)(6506007)(93886005)(14454004)(102836004)(82746002)(14444005)(256004)(8676002)(33656002)(186003)(8936002)(106356001)(36756003)(83716003)(26005)(2906002)(105586002)(6246003)(2900100001)(969003)(989001)(999001)(1009001)(1019001); DIR:OUT; SFP:1102; SCL:1; SRVR:DM6PR05MB4603; H:DM6PR05MB4665.namprd05.prod.outlook.com; FPR:; SPF:None; LANG:en; PTR:InfoNoRecords; MX:1; A:1;
received-spf: None (protection.outlook.com: juniper.net does not designate permitted sender hosts)
x-microsoft-antispam-message-info: vTj23u60MlBqd20URAjv09VVRJ5PSFenHly86QTIghfAuJo7uHcOntx4cI7YRUoR/XFQwAx8ojf8LuHuG+yC/kXZNaSRiMBo2I2ovVH0XH1Isj53lz9vSRm8hnVFBiFzS7eeFYu9luCKfMxlPPrGQv2GMPy7J7sTBcaj7PMxal12C/WTK5beC2dU8SdZNol7tdEcurmZbVWn+qErhT3lOaF9aOJY5jvfwsxNFn3sOzzP4GSOZkVovuzEQDEZFyrNQjpPjX6Si1bs3THmIp0IDl7Zg7ttp0GHJWOI2h2LkpnYarohJicAD/O5RnxV83UnPEX7IlQB76jxlp6+5GkeGpwOgNWcjfCTf+FNOlCf0ag=
spamdiagnosticoutput: 1:99
spamdiagnosticmetadata: NSPM
Content-Type: text/plain; charset="utf-8"
Content-ID: <BFFC4EA457C8BA49A6872A38BA656C1D@namprd05.prod.outlook.com>
Content-Transfer-Encoding: base64
MIME-Version: 1.0
X-OriginatorOrg: juniper.net
X-MS-Exchange-CrossTenant-Network-Message-Id: d0c6ee94-cb87-4841-be83-08d61ce666db
X-MS-Exchange-CrossTenant-originalarrivaltime: 17 Sep 2018 21:42:01.1835 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: bea78b3c-4cdb-4130-854a-1d193232e5f4
X-MS-Exchange-Transport-CrossTenantHeadersStamped: DM6PR05MB4603
X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10434:, , definitions=2018-09-17_12:, , signatures=0
X-Proofpoint-Spam-Details: rule=outbound_spam_notspam policy=outbound_spam score=0 priorityscore=1501 malwarescore=0 suspectscore=0 phishscore=0 bulkscore=0 spamscore=0 clxscore=1015 lowpriorityscore=0 mlxscore=0 impostorscore=0 mlxlogscore=999 adultscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.0.1-1807170000 definitions=main-1809170215
Archived-At: <https://mailarchive.ietf.org/arch/msg/netconf/xt1vtzy-AjYenlLwVhKaT2MFpFw>
Subject: Re: [Netconf] Mandatory local configuration in Keystore groupings
X-BeenThere: netconf@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Network Configuration WG mailing list <netconf.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/netconf>, <mailto:netconf-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/netconf/>
List-Post: <mailto:netconf@ietf.org>
List-Help: <mailto:netconf-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/netconf>, <mailto:netconf-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 17 Sep 2018 21:42:11 -0000

> With (A), once you have generated the key, you first have to create
> the config for it, then invoke the action.   With (C) (99% of) the 
> keys already exist in the config, so you can just invoke the action.

I don't follow.  What I see is that, with (A), a hidden key can be 
created with a single action invocation while, with (C), first a 
configuration operation is needed to create the "asymmetric-key" 
(without the three leafs) followed by an action invocation (to 
populate the three leafs).


> To summarize, A and C both get the job done.  Which one is better is
> probably subjective.  I think (C) is might be easier to understand.

Okay, let's see how it looks.  Bubbling all the ideas to the top, I 
created the below tree-diagrams.  Note, in both cases, the three 
"mandatory true" leafs are replaced with an all-or-nothing "must" 
expression:


(A) Uses RFC 8342 Section C.3.2 style config overlays for all hidden keys;
    and an action statement is used to delete all hidden keys.

     +--rw keystore
        +--rw asymmetric-keys
           +--rw asymmetric-key* [name]
           |  +--rw name                            string
           |  +--rw algorithm?                      ct:key-algorithm-ref
           |  +--rw public-key?                     binary
           |  +--rw private-key?                    union
           |  +---m "(algorithm and public-key and private-key)
           |  |       or not (algorithm or public-key or private-key)";
           |  +--rw certificates
           |  |  +--rw certificate* [name]
           |  |     +--rw name                      string
           |  |     +--rw cert                      ct:end-entity-cert-cms
           |  |     +---n certificate-expiration
           |  |        +-- expiration-date?         yang:date-and-time
           |  +---x generate-certificate-signing-request
           |  |  +---w input                        // KEY MAY BE IN <OPERATONAL>
           |  |  |  +---w subject                   binary
           |  |  |  +---w attributes?               binary
           |  |  +--ro output
           |  |     +--ro certificate-signing-request    binary
           |  +---x delete-hidden-key
           |        // no params
           +---x generate-hidden-key
           |  +---w input                           // RESULT IN <OPERATONAL>
           |     +---w name                         string
           |     +---w algorithm                    ct:key-algorithm-ref
           +---x load-hidden-key
              +---w input                           // RESULT IN <OPERATONAL>
                 +---w name                         string
                 +---w algorithm                    ct:key-algorithm-ref
                 +---w public-key                   binary
                 +---w private-key                  union


(C) Uses RFC 8342 Section C.3.2 style config overlays only for hidden keys
    created in <operational> (i.e., during manufacturing).  But if there is
    even just one key created during Manufacturing, and it doesn't appear
    in <intended>, then leafrefs still need to be "require-instance false",
    right? Also, it seems that such keys could never be deleted, unlike 
    other hidden keys, but that is probably okay (correct behavior).

     +--rw keystore
        +--rw asymmetric-keys
           +--rw asymmetric-key* [name]
              +--rw name                            string
              +--rw algorithm?                      ct:key-algorithm-ref
              +--rw public-key?                     binary
              +--rw private-key?                    union
              +---m "(algorithm and public-key and private-key)
              |       or not (algorithm or public-key or private-key)";
              +--rw certificates
              |  +--rw certificate* [name]
              |     +--rw name                      string
              |     +--rw cert                      ct:end-entity-cert-cms 
              |     +---n certificate-expiration
              |        +-- expiration-date?         yang:date-and-time
              +---x generate-hidden-key
              |  +---w input                        // RESULT IN <OPERATONAL>
              |     +---w name                      string
              |     +---w algorithm                 ct:key-algorithm-ref
              +---x load-hidden-key
              |  +---w input                        // RESULT IN <OPERATONAL>
              |     +---w name                      string
              |     +---w algorithm                 ct:key-algorithm-ref
              |     +---w public-key                binary
              |     +---w private-key               union
              +---x generate-certificate-signing-request
                 +---w input                        // KEY MAY BE IN <OPERATONAL>
                 |  +---w subject                   binary
                 |  +---w attributes?               binary
                 +--ro output
                    +--ro certificate-signing-request    binary




Kent // contributor

v2.23.0 | Report a Bug | By Email