Re: [netmod] system configuration/datastore and the keystore/truststore drafts
Andy Bierman <andy@yumaworks.com> Mon, 27 March 2023 17:47 UTC
Return-Path: <andy@yumaworks.com>
X-Original-To: netmod@ietfa.amsl.com
Delivered-To: netmod@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 7A3CDC151B06 for <netmod@ietfa.amsl.com>; Mon, 27 Mar 2023 10:47:47 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -7.095
X-Spam-Level:
X-Spam-Status: No, score=-7.095 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_HI=-5, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=yumaworks.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id czEO1V91Ju5m for <netmod@ietfa.amsl.com>; Mon, 27 Mar 2023 10:47:43 -0700 (PDT)
Received: from mail-lj1-x236.google.com (mail-lj1-x236.google.com [IPv6:2a00:1450:4864:20::236]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 530A6C15154C for <netmod@ietf.org>; Mon, 27 Mar 2023 10:47:43 -0700 (PDT)
Received: by mail-lj1-x236.google.com with SMTP id a11so9900301lji.6 for <netmod@ietf.org>; Mon, 27 Mar 2023 10:47:43 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=yumaworks.com; s=google; t=1679939261; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc:subject:date:message-id:reply-to; bh=154Ay1KdF/7G3ePhoBkeDBqRU2SFzIFTtk9D+gfr6Uk=; b=YhLW4CXX3ZTVYNu6LdV7D938NKQs8maYGRdh2hdYtcMlTARv3IUTOU1TB+c9r7X+Ky GsyKGdEVGFSWoSlpydH4x5aBxhMcjaJDT5f/uMkB65zmt3UU5VmELNwmX4RpQaep1aWO c9bnwKLqNUdLtWOm1hignUVGLxqaOTiNkgnckkI1FxUuSCStU+k5e/0SoLi/Ky5IZYZk DbJzFQBdoP9Yr49BHckaXlc9TQgjqXxQmuOz5+gsu3xOL5x29ub6XZJlT02u8uis4s8t OkNEB3cBxNUbYQr1G4qKygMjPwlIIx0xs6F12wZIjIa2QwcCbF2yLklgNzj6c9dtmLFH 8QJw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; t=1679939261; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=154Ay1KdF/7G3ePhoBkeDBqRU2SFzIFTtk9D+gfr6Uk=; b=Zs12DSo8b53JamPNxv17oEDYwhIubsZPNWW++r46bNLNFXQINGrLyhz3Hv9elPDDIh rLNXU4CS+Es4OoCV/viBTZKyk0QrFCrKsPNqLEwPD0f+V3JgZKzCNlBaSejXs8N8deeZ ya0i4U9dbz4n/ku7DnaXKqVPDRUkqA5u5db+p1DHEcvX4R/Q2ZbpRlPK/3zRDWCrNSLK KBGKbPZ+BiIeZb7O0JROgVINn1upQVH7XS5ELKgxcT7mzJlO2lb9scPFvw3LK417BB9x AN5MONiPArpIiHv7mfEHFt824TvDapMJyZmuWuWQEj5CDXnpgscgJta4DigiLyYKA4fF F7XQ==
X-Gm-Message-State: AAQBX9fr4c/MdMSEX535YVWxGOFEQijZWXb3ygY6YMtq/6oL/d3fEz/R qPl7b3/c91F627XynZRcZVa1RRM4GOU43TT7l0J/dA==
X-Google-Smtp-Source: AKy350b6neLPN20fSbamcfMhYBsYiJq2E/A7558PFj2iQdW7AykXpThz3NuO3u71hx7xvA64EDbC5DmSThCrzjfT+jo=
X-Received: by 2002:a2e:9b0e:0:b0:29a:9053:ed21 with SMTP id u14-20020a2e9b0e000000b0029a9053ed21mr3872342lji.8.1679939261184; Mon, 27 Mar 2023 10:47:41 -0700 (PDT)
MIME-Version: 1.0
References: <BY5PR11MB4196F5D1D14983C6E475E3D1B58A9@BY5PR11MB4196.namprd11.prod.outlook.com> <20230326172343.yxz2zopaspamwfl2@anna> <BY5PR11MB41968488309734094A72CD09B58B9@BY5PR11MB4196.namprd11.prod.outlook.com> <EBE48ADC-5B2C-419E-891C-0694153FEA44@tail-f.com>
In-Reply-To: <EBE48ADC-5B2C-419E-891C-0694153FEA44@tail-f.com>
From: Andy Bierman <andy@yumaworks.com>
Date: Mon, 27 Mar 2023 10:47:29 -0700
Message-ID: <CABCOCHRnNHEdbR5kQCVu4NvGpNJT2NCkT5Fd4ifVZ8th1F772A@mail.gmail.com>
To: Jan Lindblad <janl@tail-f.com>
Cc: "Rob Wilton (rwilton)" <rwilton=40cisco.com@dmarc.ietf.org>, Jürgen Schönwälder <jschoenwaelder@constructor.university>, "draft-ietf-netmod-system-config@ietf.org" <draft-ietf-netmod-system-config@ietf.org>, Kent Watsen <kent@watsen.net>, "netmod@ietf.org" <netmod@ietf.org>
Content-Type: multipart/alternative; boundary="000000000000e84e6505f7e55676"
Archived-At: <https://mailarchive.ietf.org/arch/msg/netmod/gMIzw5HMwHPglpK3kfsZf-1Rm4U>
Subject: Re: [netmod] system configuration/datastore and the keystore/truststore drafts
X-BeenThere: netmod@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: NETMOD WG list <netmod.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/netmod>, <mailto:netmod-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/netmod/>
List-Post: <mailto:netmod@ietf.org>
List-Help: <mailto:netmod-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/netmod>, <mailto:netmod-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 27 Mar 2023 17:47:47 -0000
On Sun, Mar 26, 2023 at 7:04 PM Jan Lindblad <janl@tail-f.com> wrote: > Rob, Jürgen, Kent, WG, > > I am strongly opposed to giving up the idea that running must always be > valid. This is one of the landmark properties that has made NETCONF the > most useful management interface for network automation ever. For anyone > not up to that, we already have SNMP and there is also a wide assortment of > REST-based APIs out there. > > I'm slightly appalled :-) that dropping this tenet is even discussed. In > particular, I find it strange that such a small stone in one shoe would > make us consider abandoning the whole trip. > > No customer would ever let us take away this tenet, no matter what RFC comes out. There are corner cases where a server is executing with a <running> datastore that does not pass all YANG constraints and all description-stmt semantics. For example, there are data models with top-level mandatory NP-containers. Loading the empty YANG module causes the datastore validation to fail. Our server has a mode where it will start with a bad <running> datastore and allow an operator to fix the config. No edit-config to running or commit will succeed unless all validation passes (that is specified in 6241). There are lots of complex implementation-specific ways to get the server datastores loaded at runtime. Code runs and then <running> is setup somehow. The idea that <running> must be totally empty unless a client has set the data seems to be an NMDA thing. IMO it is not a good idea to make NMDA even more complicated to handle minor corner-cases. I'm no crypto expert and know little about how TPM modules work, but I was > under the impression that part of the beauty with TPMs was that you would > *not* copy keys around in the rest of the system. Instead you'd just refer > to the keys in the TPM. This is similar to how you'd typically refer to > hardware in slots. > > So if we treat TPM keys like they were hardware, we are back to our usual > discussion about how to treat validity of running with respect to hardware. > Either servers reject references in running to pieces of hardware that > happens to be missing at this point in time (which may make it hard to > install backups taken earlier, if the hardware setup has changed since), or > servers accept references to pieces of hardware that are currently missing, > and just mark them as operationally down. No need to change any RFCs to go > with either of these approaches, I believe, and certainly not break > fundamentals. > > Does this make sense, or is there a crypto angle here that I am missing? > > Best Regards, > /jan > > Andy > > > > > On 27 Mar 2023, at 02:01, Rob Wilton (rwilton) < > rwilton=40cisco.com@dmarc.ietf.org> wrote: > > Hi Jürgen, Kent, > > If we can take that interpretation (and I agree I think that was the > spirit of how I thought that NMDA works, particularly for templating and > inactive configuration). > > However, my concern comes from the MUST in this paragraph of RFC 8342 (and > RFC 7950 also states that <running> must always be valid): > > 5.1.3. The Running Configuration Datastore (<running>) > > The running configuration datastore (<running>) is a configuration > datastore that holds the current configuration of the device. It MAY > include configuration that requires further transformation before it > can be applied, e.g., inactive configuration, or template-mechanism- > oriented configuration that needs further expansion. However, > <running> MUST always be a valid configuration data tree, as defined > in Section 8.1 of [RFC7950]. > > And the current version of the system datastore draft ( > https://datatracker.ietf.org/doc/draft-ietf-netmod-system-config/), 5.1. > Conceptual Model of Datastores, has text like: > > All above three types of system configurations will appear in > <system>. Clients MAY reference nodes defined in <system>, override > values of configurations defined in <system>, and configure > descendant nodes of system-defined nodes, by copying or writing > intended configurations into the target configuration datastore > (e.g., <running>). > > Servers MUST enforce that configuration references in <running> are > resolved within the <running> datastore and ensure that <running> > contains any referenced system configuration. Clients MUST either > explicitly copy system-defined nodes into <running> or use the > "resolve-system" parameter. The server MUST enforce that the > referenced system nodes configured into <running> by the client is > consistent with <system>. Note that <system> aware clients know how > to discover what nodes exist in <system>. How clients unaware of the > <system> datastore can find appropriate configurations is beyond the > scope of this document. > > But, if the WG agrees that for NMDA, the actual validation happens on > <intended> and not <running> then I understand that to mean that <running> > on its own may not be valid, and it is only "implicitly valid" after doing > the processing between <running> and <intended> and <intended> must always > be valid. > > Further, I think that this means that there isn't any requirement (from a > validation correctness point of view) to require system configuration to be > copied into <running>. Of course, there may be other reasons why a client > may want system configuration to be copied into <running>, e.g., so that it > can be returned in a get request of <running>. > > If the WG agrees that this is the right direction then I think that it > would be helpful for the system configuration datastore to perhaps update > (or clarify) section 5.1.3 of RFC 8342, and perhaps provide an updated > diagram with how the system datastore fits into the picture. I think that > there would be further updates required to the system configuration > datastore draft to clarify the expected behaviour, and we should also think > carefully about the text and perhaps examples in the truststore/keystore > drafts (since they currently state that the keys/certificates must be > copied into <running>, and I think that we are saying with NMDA that this > is not required). > > Thanks, > Rob > > > -----Original Message----- > From: Jürgen Schönwälder <jschoenwaelder@constructor.university> > Sent: 26 March 2023 13:24 > To: Rob Wilton (rwilton) <rwilton@cisco.com> > Cc: netmod@ietf.org > Subject: Re: [netmod] system configuration/datastore and the > keystore/truststore drafts > > Rob, > > my reading of Figure 2 of RFC 8342 is that validation happens on > intended and not on running. I assume the system config is folded in > between running and intended. This seems to be inline with the > approach taken by the system config draft. This, of course, leaves is > open what actually happens if keys are removed and cause a subsequent > validation error. Ideally, such a transaction key removal transaction > should fail, but whether this will be enforced if the transaction > takes place outside the configuration management system may be a bit > wishful thinking. > > /js > > On Sun, Mar 26, 2023 at 04:28:46PM +0000, Rob Wilton (rwilton) wrote: > > Hi, > > I'm in the process of AD reviewing Kent's keystore and truststore drafts in > > NETCONF. > > > In both of these drafts, there is a desire to be able to use keys or > > certificates that are managed on the device, potentially as part of a TPM, > and yet be able to reference those keys/certificates from the device > configuration. There is also some reference to how this configuration may > work with the system datastore. > > > https://www.ietf.org/archive/id/draft-ietf-netconf-keystore-27.html#name- > > support-for-built-in-keys gives an example. > > > Looking at the current version of the system datastore, > > https://datatracker.ietf.org/doc/draft-ietf-netmod-system-config/01/, my > understanding is that this draft reinforces the requirement that <running> > is > always valid. Hence any data nodes in the <system> datastore, that are > referenced from the configuration in the <running> datastore, MUST also be > copied into <running>, so that it validates. Unreferenced descendant > configuration (that won't stop <running> from validating) can be left in > system, which is then merged with <running>, and validated as part of > <intended>. > > > This is the approach that the keystore/truststore explains. However, there > > is separately the issue that the build in keys and certificates may be > updated > via an out of band process, such that the current keys/certificates are > stored > on the device, and a stale copy of the keys/certificates ends up in the > running configuration. The keystore/truststore draft mitigates this by > stating > that if the key/certificate config differs between <running> and <system>, > then the values in <running> are ignored and the values in <system> take > priority. However, my understanding is that this behaviour is the reverse > of > what we normally expect when merging configuration in the <running> and > <system> datastores, where configuration in <running> overrides > configuration in <system>. Ultimately, I think that this means that we > would > need special handling for key/truststore configuration rather than just > following the normal behaviour. > > > Hence, I wonder whether we are making this more complex than > > necessary. Rather than requiring that <running> is always independently > valid from <intended>, then would it not be simpler to allow <running> to > have invalid configuration but always require that whenever <running> is > changed then <intended> is updated and must always be valid. This would > allow <running> to reference configuration in <system> without requiring it > to be copied into <running>. > > > I still think that we should allow the configuration to be copied into > > <running> for clients that also want <running> to be validate independently > from <intended>, but otherwise, the requirement of copying keys are > certificates into running doesn't seem ideal. > > > Any thoughts? > > Regards, > Rob > > _______________________________________________ > netmod mailing list > netmod@ietf.org > https://www.ietf.org/mailman/listinfo/netmod > > > -- > Jürgen Schönwälder Constructor University Bremen gGmbH > Phone: +49 421 200 3587 Campus Ring 1 | 28759 Bremen | Germany > Fax: +49 421 200 3103 <https://constructor.university/> > > _______________________________________________ > netmod mailing list > netmod@ietf.org > https://www.ietf.org/mailman/listinfo/netmod > > > _______________________________________________ > netmod mailing list > netmod@ietf.org > https://www.ietf.org/mailman/listinfo/netmod >
- [netmod] system configuration/datastore and the k… Rob Wilton (rwilton)
- Re: [netmod] system configuration/datastore and t… Jürgen Schönwälder
- Re: [netmod] system configuration/datastore and t… Kent Watsen
- Re: [netmod] system configuration/datastore and t… Rob Wilton (rwilton)
- Re: [netmod] system configuration/datastore and t… Jan Lindblad
- Re: [netmod] system configuration/datastore and t… Jürgen Schönwälder
- Re: [netmod] system configuration/datastore and t… maqiufang (A)
- Re: [netmod] system configuration/datastore and t… maqiufang (A)
- Re: [netmod] system configuration/datastore and t… Andy Bierman
- Re: [netmod] system configuration/datastore and t… Kent Watsen
- Re: [netmod] system configuration/datastore and t… Andy Bierman
- Re: [netmod] system configuration/datastore and t… Jan Lindblad (jlindbla)
- Re: [netmod] system configuration/datastore and t… Jürgen Schönwälder
- Re: [netmod] system configuration/datastore and t… Kent Watsen
- Re: [netmod] system configuration/datastore and t… Jürgen Schönwälder
- Re: [netmod] system configuration/datastore and t… Kent Watsen