Re: [netmod] I-D Action: draft-ietf-netmod-factory-default-13.txt

"Rob Wilton (rwilton)" <rwilton@cisco.com> Wed, 26 February 2020 10:03 UTC

From: "Rob Wilton (rwilton)" <rwilton@cisco.com>
To: Qin Wu <bill.wu@huawei.com>, "netmod@ietf.org" <netmod@ietf.org>
Date: Wed, 26 Feb 2020 10:02:59 +0000
Archived-At: <https://mailarchive.ietf.org/arch/msg/netmod/BjumtdK2BJ3HEECWcsf6f9NfHYY>

Hi Qin,

Please see inline ...

> -----Original Message-----
> From: Qin Wu <bill.wu@huawei.com>
> Sent: 26 February 2020 01:15
> To: Rob Wilton (rwilton) <rwilton@cisco.com>; netmod@ietf.org
> Subject: RE: I-D Action: draft-ietf-netmod-factory-default-13.txt
> 
> Hi, Rob:
> -----Original Message-----
> From: Rob Wilton (rwilton) [mailto:rwilton@cisco.com]
> Sent: 26 February 2020 2:02
> To: Qin Wu <bill.wu@huawei.com>; netmod@ietf.org
> Subject: RE: I-D Action: draft-ietf-netmod-factory-default-13.txt
> 
> Hi Qin,
> 
> I think that you may have accidentally removed the RFC editor instructions
> in the YANG module that presumably we want to still keep?
> 
>     // RFC Ed.: update the date below with the date of RFC publication
>     // and remove this note.
>     // RFC Ed.: replace XXXX with actual RFC number and remove this
>     // note.
> [Qin]: My understanding is RFC Note is used to send a note to RFC Editor,
> after RFC Editor takes action, the RFC Editor note should go away and will
> not stay in the YANG module any more.
> What do you suggest? Don't include "and remove this note" in the RFC
> Editor note?
[RW] 
Apologies, I had read the diff the wrong way round.  Your instruction here is fine, and no further change is required.


> 
> For the update to the security section, my concern wasn't so much about no
> longer being able to access a private key, but more that a client cannot
> rely on any private data being unrecoverable after the factory-reset RPC.
> i.e. they can't just use the factory-reset RPC and then sell the device on
> ebay, with the assumption that all private data has been properly
> cleansed.
> 
> OLD:
> 
> 
>     The non-volatile storage is expected to be wiped clean and reset back
>     to the factory default state, but there is no guarantee that the data
>     is wiped according to any particular data cleansing standard, and the
>     owner of the device MUST NOT rely on any temporary data (e.g.,
>     including private keys) for recovery after the factory-reset RPC has
>     been invoked.
> 
> NEW:
> 
> 
>     The non-volatile storage is expected to be wiped clean and reset back
>     to the factory default state, but there is no guarantee that the data
>     is wiped according to any particular data cleansing standard, and the
>     owner of the device MUST NOT rely on any sensitive data (e.g.,
>     private keys) being forensically unrecoverable from the device's
>     non-volatile storage after a factory-reset RPC has been invoked.
> 
> [Qin]: I am not a lawyer, when you use the word "forensically". But the
> "factory-reset" RPC operation has been restricted by using the
> "default-deny-all" access control defined in RFC8341. I am not sure any
> end user can take advantage of factory-reset RPC as the client. Let me
> know if my understanding is correct.
> 

Your current text says, "users need to be aware that private keys might not be recoverable after a factory-reset RPC".  But this isn't a security consideration, this is just an inconvenience, and I believe the text in section 2 is sufficient.

My concern is entirely the other way around, i.e. "users need to be aware that private information might still be recoverable after a factory-reset RPC", because a factory-reset RPC does not guarantee that it won't be.  Section 2 recommends that security sensitive data be overwritten with 0's, but this is only a SHOULD, and writing 0's doesn't meet the standard industry requirements of ensuring that the data won't be subsequently recoverable.

When electronic equipment reaches the end of its useful life then normally the company will ensure that all private data is destroyed from any media before it can be resold.  E.g. in the US this might be done to the DoD 5220.22 standard.

I don't want clients using the factory-reset RPC to think that it is sufficient for them to avoid properly wiping any non-volatile storage.

Does that help clarify the security concern that I'm asking you to please address?

Thanks,
Rob


> Thanks,
> Rob
> 
> 
> > -----Original Message-----
> > From: netmod <netmod-bounces@ietf.org> On Behalf Of Qin Wu
> > Sent: 25 February 2020 12:39
> > To: netmod@ietf.org
> > Subject: Re: [netmod] I-D Action:
> > draft-ietf-netmod-factory-default-13.txt
> >
> > v-13 is posted, the diff is:
> > https://www.ietf.org/rfcdiff?url2=draft-ietf-netmod-factory-default-13
> > Thanks Rob for valuable review.
> >
> > -Qin
> > -----Original Message-----
> > From: I-D-Announce [mailto:i-d-announce-bounces@ietf.org] On Behalf Of internet-drafts@ietf.org
> > Sent: 25 February 2020 20:36
> > To: i-d-announce@ietf.org
> > Cc: netmod@ietf.org
> > Subject: I-D Action: draft-ietf-netmod-factory-default-13.txt
> >
> >
> > A New Internet-Draft is available from the on-line Internet-Drafts
> > directories.
> > This draft is a work item of the Network Modeling WG of the IETF.
> >
> >         Title           : A YANG Data Model for Factory Default Settings
> >         Authors         : Qin Wu
> >                           Balazs Lengyel
> >                           Ye Niu
> > 	Filename        : draft-ietf-netmod-factory-default-13.txt
> > 	Pages           : 12
> > 	Date            : 2020-02-25
> >
> > Abstract:
> >    This document defines a YANG data model to allow clients to reset a
> >    server back to its factory default condition.  It also defines a
> >    "factory-default" datastore to allow clients to read the factory
> >    default configuration for the device.
> >
> >    The YANG data model in this document conforms to the Network
> >    Management Datastore Architecture (NMDA) defined in RFC 8342.
> >
> >
> > The IETF datatracker status page for this draft is:
> > https://datatracker.ietf.org/doc/draft-ietf-netmod-factory-default/
> >
> > There are also htmlized versions available at:
> > https://tools.ietf.org/html/draft-ietf-netmod-factory-default-13
> > https://datatracker.ietf.org/doc/html/draft-ietf-netmod-factory-default-13
> >
> > A diff from the previous version is available at:
> > https://www.ietf.org/rfcdiff?url2=draft-ietf-netmod-factory-default-13
> >
> >
> > Please note that it may take a couple of minutes from the time of
> > submission until the htmlized version and diff are available at
> > tools.ietf.org.
> >
> > Internet-Drafts are also available by anonymous FTP at:
> > ftp://ftp.ietf.org/internet-drafts/
> >