IETF Logo Mail Archive

Re: [OPSAWG] I-D Action: draft-ietf-opsawg-sdi-06.txt

tom petch <ietfc@btconnect.com> Tue, 07 April 2020 09:06 UTC

Return-Path: <ietfc@btconnect.com>
X-Original-To: opsawg@ietfa.amsl.com
Delivered-To: opsawg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 15A373A1963 for <opsawg@ietfa.amsl.com>; Tue, 7 Apr 2020 02:06:49 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.901
X-Spam-Level:
X-Spam-Status: No, score=-1.901 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, RCVD_IN_MSPIKE_H2=-0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=btconnect.onmicrosoft.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id xB3v45UutNNj for <opsawg@ietfa.amsl.com>; Tue, 7 Apr 2020 02:06:46 -0700 (PDT)
Received: from EUR03-AM5-obe.outbound.protection.outlook.com (mail-eopbgr30136.outbound.protection.outlook.com [40.107.3.136]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 7C2473A1962 for <opsawg@ietf.org>; Tue, 7 Apr 2020 02:06:46 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=e7V9CMUIHF2lVDJgTel2YRImNygUWI4SDJEflk5GF7cmURcIAaZnFv4oRzBq6SPuRCuFc/gmJQmsEj2tfkaz89Uc1KVuQN+lpNwufFFY5XVdgyQSGVam8gyeFO53Nd5U9g4jpJPF4OH30A4UbKi97ralex5DRYHn2Uuu386ELD6QZBl+ArklzLpEm0s/atteYcfFTU1oCQlR7RZ+1CVNKEW8Q47WUGgrJVh6IkqZiKy0WE6+pHGiTIRRbC+l/eysV9S9Vtwf7BmpvmEUSVWFBn7OSVEsqegvGkWsOcgFBxIuGYs6nwycbHxXar2avPKLJi1C9ndVbYIP4F0AGmpf/g==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=uhvskjr4k6TsXYAOYuuHbC4degA9c7d5loT3IXWIbp8=; b=KefbJbPCfaxslMKI3BmFt3jXZsJKU0OrEggmvAU4J0PRfmfNZcz5hsmXEg1Ec5pzlonXrOKojef2a6Hy8XUc9ENRgwbgIvCEKE4jH4pQZZEnrPsxfXE+ekb/fUNfhxoNvj9/CFk+RaW00RfVR0DdIDDwu4t2J/UZ7GY99S3TmG0+NKYP7deDfodU8LGH7H81WG6lTXGBGeKqenJb30iGa1OHVhWiKw8GAgLPizKQ6AN0Vr/L+27qWskxeoNEcN0mYRbvsQkZ+ZNofmdY5hJB/DJ6ytveQBhCsBig2MTkWSSzTiNLUnb0laKoYMZAmSZVnF1tqKk8IOWKCUNlgnNv7A==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=btconnect.com; dmarc=pass action=none header.from=btconnect.com; dkim=pass header.d=btconnect.com; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=btconnect.onmicrosoft.com; s=selector2-btconnect-onmicrosoft-com; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=uhvskjr4k6TsXYAOYuuHbC4degA9c7d5loT3IXWIbp8=; b=ldIf+Q9xMmv63lbSa4zJgDn4zeMmBUpMWz1pD1svm0RGIUS8i+8OAZTEYbpr9Aan3cFzXkya0NAf/tWt4BgqsrACyNjdB++1MvKkBi37fBs8g0YRErrTq3dqrzSq9LnCI4ngOaPQroe51TLXe1ZYc8KbOeARKKME3VDAvWnyCaU=
Received: from DB7PR07MB5657.eurprd07.prod.outlook.com (20.178.85.222) by DB7PR07MB5466.eurprd07.prod.outlook.com (20.178.46.207) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.2900.14; Tue, 7 Apr 2020 09:06:43 +0000
Received: from DB7PR07MB5657.eurprd07.prod.outlook.com ([fe80::a438:bbc9:2ffe:33ee]) by DB7PR07MB5657.eurprd07.prod.outlook.com ([fe80::a438:bbc9:2ffe:33ee%5]) with mapi id 15.20.2900.012; Tue, 7 Apr 2020 09:06:43 +0000
From: tom petch <ietfc@btconnect.com>
To: Warren Kumari <warren@kumari.net>
CC: "opsawg@ietf.org" <opsawg@ietf.org>
Thread-Topic: [OPSAWG] I-D Action: draft-ietf-opsawg-sdi-06.txt
Thread-Index: AQHWCfg7OICJyubiukuZB1JQVnMIPahr51s+gABOyoCAASuwRA==
Date: Tue, 07 Apr 2020 09:06:43 +0000
Message-ID: <DB7PR07MB5657F26424D41AFEB7F4718BA0C30@DB7PR07MB5657.eurprd07.prod.outlook.com>
References: <158594643249.23574.16483224996635431528@ietfa.amsl.com> <DB7PR07MB5657863B6A4D9948881C2DBCA0C20@DB7PR07MB5657.eurprd07.prod.outlook.com>, <CAHw9_iKn56LbAwgPvXjsXuQ=6JDQGozvMO4P6LjQgTzM2X0-6g@mail.gmail.com>
In-Reply-To: <CAHw9_iKn56LbAwgPvXjsXuQ=6JDQGozvMO4P6LjQgTzM2X0-6g@mail.gmail.com>
Accept-Language: en-GB, en-US
Content-Language: en-GB
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
authentication-results: spf=none (sender IP is ) smtp.mailfrom=ietfc@btconnect.com;
x-originating-ip: [81.131.229.19]
x-ms-publictraffictype: Email
x-ms-office365-filtering-correlation-id: 5109eec0-cbb4-4486-5e9e-08d7dad2fdd8
x-ms-traffictypediagnostic: DB7PR07MB5466:
x-microsoft-antispam-prvs: <DB7PR07MB54668720FD0554B8414591C7A0C30@DB7PR07MB5466.eurprd07.prod.outlook.com>
x-ms-oob-tlc-oobclassifiers: OLM:8882;
x-forefront-prvs: 036614DD9C
x-forefront-antispam-report: CIP:255.255.255.255; CTRY:; LANG:en; SCL:1; SRV:; IPV:NLI; SFV:NSPM; H:DB7PR07MB5657.eurprd07.prod.outlook.com; PTR:; CAT:NONE; SFTY:; SFS:(10019020)(39860400002)(366004)(346002)(136003)(396003)(376002)(6916009)(52536014)(186003)(76116006)(33656002)(91956017)(66574012)(2906002)(7696005)(966005)(86362001)(30864003)(8676002)(316002)(478600001)(71200400001)(4326008)(9686003)(5660300002)(53546011)(81166006)(66446008)(45080400002)(66556008)(8936002)(64756008)(6506007)(66946007)(81156014)(26005)(55016002)(66476007); DIR:OUT; SFP:1102;
received-spf: None (protection.outlook.com: btconnect.com does not designate permitted sender hosts)
x-ms-exchange-senderadcheck: 1
x-microsoft-antispam: BCL:0;
x-microsoft-antispam-message-info: eACF0vSgGwct95QrON2i6QqzjxV+8YlAGnZprh3AKhS8w0t+mLYTBwe0jas6wpYlNxjNF686M4iZUIZtqiB630gc7N/jXd96Yhiv7MrcB/bCgqI7cEiqZxs2Hk3VLxsV3Hbu3x1Vbu33dGV+SSagBh0PZiGXkYKs7HY+NivubOg2ZIee4EpqMv9Xv7E95jcd1ZbLvDV26EncbArylO8ZtWRCpVfwiNyAQnbpEaI9NdHg/geVF7tyIjNaM4vy5d7x52GkhDXtN9flMdtBw3iVUlvxy49qg16nqo/WeQRHG9b0Q2nWIZw5LU/gIpNJKOwz8ESraqAXzHHu5tWe1YxHeOyVjc47S86OgzHfMA4LYcDmpYjS89fT+VH8K277caww/JPbh9gqbOiD4A2uaSKjUgzXLkrJ6Pj347aTc734r0BZFqH0avYvLXilXiq49bTxbo7JXtPoQJaQTcz49xJjgTDzlJIpwK2n4AKtKeo5aQiEKS7rXxbLlCzdOT5Lme/9
x-ms-exchange-antispam-messagedata: 490nLobqNR1lXlqdOQDl4yKH9l9xanWNviGTKMFaBTPAOQH4pAcdILwWcBgTmyTloBvkdVDrbywNCtsOr0hytUJ0Y1pUQrWNgs+vhkBUV6Cs6mtOF6CRLscnGpXsem9xXTbYVbDYS5ZYC/kJSB64jQ==
x-ms-exchange-transport-forked: True
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
X-OriginatorOrg: btconnect.com
X-MS-Exchange-CrossTenant-Network-Message-Id: 5109eec0-cbb4-4486-5e9e-08d7dad2fdd8
X-MS-Exchange-CrossTenant-originalarrivaltime: 07 Apr 2020 09:06:43.1878 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: cf8853ed-96e5-465b-9185-806bfe185e30
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-CrossTenant-userprincipalname: 7gcCj3JaDS0j2UTaGo6zR/TFQKBHU1rj99NvfJ5x0afxg6jKumedlPNDqaJmZqBzOQ6jpxtF62608sBl+o1cCA==
X-MS-Exchange-Transport-CrossTenantHeadersStamped: DB7PR07MB5466
Archived-At: <https://mailarchive.ietf.org/arch/msg/opsawg/R7ggCJAJHIChjruES9Oxub6Ey-g>
Subject: Re: [OPSAWG] I-D Action: draft-ietf-opsawg-sdi-06.txt
X-BeenThere: opsawg@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: OPSA Working Group Mail List <opsawg.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/opsawg>, <mailto:opsawg-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/opsawg/>
List-Post: <mailto:opsawg@ietf.org>
List-Help: <mailto:opsawg-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/opsawg>, <mailto:opsawg-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 07 Apr 2020 09:06:49 -0000

From: Warren Kumari <warren@kumari.net>
Sent: 06 April 2020 16:07
On Mon, Apr 6, 2020 at 6:36 AM tom petch <ietfc@btconnect.com> wrote:
>
<tp>
Warren, 
understanding better what you have in mind, I suggest a few changes to the Abstract and Introduction, as below.  My language is probably a bit tighter, omitting some adverbs but that is just a matter of style.  The changes are not great but for me they make the (limited) scope clearer (and yes, all the cases which I had in mind are now excluded:-)

Tom Petch


                        draft-ietf-opsawg-sdi-06

Abstract


   Deploying a new network device in a location 
   where the operator has no staff of its own often requires that an employee
   physically travel to the location to perform the initial install and
   configuration, even in shared datacenters with "smart-hands" type
   support.  In many cases, this could be avoided if there were a
   secure way to initially provision the device.

   This document extends existing auto-install / Zero-Touch Provisioning
   mechanisms to make the process more secure.

 1.  Introduction

   In a growing, global network, significant amounts of time and money
   are spent deploying new devices and "forklift" upgrading
   existing devices.  In many cases, these devices are in shared
   datacenters (for example, Internet Exchange Points (IXP) or "carrier
   neutral datacenters"), which have staff on hand that can be
   contracted to perform tasks including physical installs, device
   reboots, loading initial configurations, etc.  There are also a
   number of (often vendor proprietary) protocols to perform initial
   device installs and configurations - for example, many network
   devices will attempt to use DHCP [RFC2131]to get an IP address and
   configuration server, and then fetch and install a configuration when
   they are first powered on.

  The configurations of network devices contain a significant amount of
   security related and / or proprietary information (for example,
   RADIUS [RFC2865] or TACACS+ [I-D.ietf-opsawg-tacacs] secrets).
   Exposing these to a third party to load onto a new device (or using
   an auto-install techniques which fetch an unencrypted config file via
   TFTP [RFC1350]), or something similar, is an unacceptable security risk for many
   operators, and so they send employees to remote locations to
   perform the initial configuration work; this costs, time and money.

   There are some workarounds to this, such as asking the vendor to pre-
   configure the devices before shipping it; asking the smart-hands to
   install a terminal server; providing a minimal, unsecured
   configuration and using that to bootstrap to a complete
   configuration, etc; but these are often clumsy and have security
   issues - for example, in the terminal server case, the console port
   connection could be easily snooped.

   This document layers security onto existing auto-install solutions to
   provide a secure method to initially configure new devices.  It is
   optimized for simplicity, both for the implementor and the operator;
   it is explicitly not intended to be an "all singing, all dancing"
   fully featured system for managing installed / deployed devices, nor


   is it intended to solve all use-cases - rather it is a simple
   targeted solution to solve a common operational issue where the 
   network device has been delivered, fibre laid (as appropriate) 
   but there is no trusted member of the operator's staff to perform
   the initial configuration.
  
   Solutions
   such as Secure Zero Touch Provisioning (SZTP)[RFC8572],
   [I-D.ietf-anima-bootstrapping-keyinfra] and the like are much more
   fully featured, but also more complex to implement and / or are not
   widely deployed yet.

   This solution is specifically designed to be a simple method on top
   of exiting device functionality.  If devices do not support this new
   method, they can continue to use the existing functionality.  In
   addition, operators can choose to use this to protect their
   configuration information, or can continue to use the existing
   functionality.

   The issue of securely installing devices is in no way a new issue,
   nor is it limited to network devices; it occurs when deploying
   servers, PCs, IoT devices, and in many other situations.  While the
   solution described in this document is obvious (encrypt the config,
   then decrypt it with a device key), this document only discusses the
   use for network devices, such as routers and switches.









> Warren
>
> Where I think I get confused with this is its context.  Abstract talks of travelling to a datacentre and elsewhere there are references to a POP, both of which to me have a flavour of a well-staffed high in technical expertise locations where this sort of work is little needed.  I think more of enterprise, where an organisation may have two well equipped data centres and dozens or hundreds of locations with little or no support staff where this issue is paramount.  I think that this is more a question of language than of changing the technical details but it does keep jarring with me.  In the same vein, the references to routers jars with me since while that may be an issue in an operator POP, I see the need to configure other kinds of servers as more pressing.
>
> The other more technical issue is TFTP which yes, I expect will be widely used but which, IMHO, is only ever used over a LAN and so, short of VLAN, which indeed some enterprise do use, implies that the device and config server are on the same LAN, ie in the same building or at least campus.  Again, it is a question of context, is it assumed that device and server are proximal?

It is often surprising to me just how much one's experiences and
situations influence one's assumptions and outlook - it seems that I
may have assumed that others have the same experiences / didn't
explain the context well.

It is quite common that operators want to install a peering router /
switch at a location where they have no employees - common examples of
this are IXP / POP / data-center / anywhere where they peer with
others (e.g Ashburn Equinix). While there are (often) technical people
at the location, they are either employed by the datacenter operator
(e.g Equinix, AMS-IX), or by one's "competitors" - this means that you
really don't want to hand them a copy of your config file and ask them
to stick it on the device. Operators generally order a circuit from
inside their network to the location, and then order a device to be
shipped there... and then have to dispatch a person to stick the
initial config on the device. Traditional (unencrypted) autoboot
doesn't solve this, because $whoever could just plug their laptop into
the newly installed circuit, perform the autoboot routine, and have a
copy of the config.

Another very common case is for an ISP (think Verizon, or Telus) to
deliver a circuit to a customer - they have a contractor which
delivers the fiber, and then roll a truck to have someone physically
plug in a PE / CPE router and install the initial config. Again, they
don't really want to hand the config to the user, and also cannot use
the current autoboot solutions for the same reason - the customer
could just plug their own device / laptop into the newly installed
circuit, autoboot and grab the config / join the IGP / whatever.

These are the specific use-case that this is intending to solve - many
/ almost all network devices already support some sort of autoboot
where they DHCP (or similar) and then fetch (TFTP is a very common
mechanism[0], but by no means the only one) an **unencrypted** config
file -- all that this document does is say "keep doing that, but
download an encrypted config instead". It intentionally is kept simple
- vendors already have their own autoboot functionality and this is a
simple patch to that. Vendors also already have a way to put
per-device state (such as a serial number, licence, and often crypto
goop in a TPM, etc) - in some cases all they will need to do is
publish the public key, indexed by the serial number (a number of
vendors have said that this will be trivial). The document is
intentionally kept flexible because so much of this builds on vendor
proprietary solutions; and so instead of saying "Step 1: Do X. Step 2:
Do Y, ... Step N: Do N", it describes the concept, and leaves it to
the (more than capable) vendors to figure out how to implement it in
their system.

This also is only aimed at network devices - other types of servers
may be more pressing, but this document tries not to boil the ocean -
it simply says "instead of grabbing an unencrypted config, grab an
encrypted one, decrypt it and done!"

Hopefully this better sets the scene / explains the context and use
case? I'm not sure if there is a concise way to explain this in the
draft...

W
[0]: I'm using in the document because it is the archetype, and
familiar to the intended audience...


>
> I would like to see these two points nailed down more after which I could propose some refinement to the language.
>
> Tom Petch
>
> ________________________________________
> From: OPSAWG <opsawg-bounces@ietf.org> on behalf of internet-drafts@ietf.org <internet-drafts@ietf.org>
> Sent: 03 April 2020 21:40
> To: i-d-announce@ietf.org
> Cc: opsawg@ietf.org
> Subject: [OPSAWG] I-D Action: draft-ietf-opsawg-sdi-06.txt
>
>
> A New Internet-Draft is available from the on-line Internet-Drafts directories.
> This draft is a work item of the Operations and Management Area Working Group WG of the IETF.
>
>         Title           : Secure Device Install
>         Authors         : Warren Kumari
>                           Colin Doyle
>         Filename        : draft-ietf-opsawg-sdi-06.txt
>         Pages           : 18
>         Date            : 2020-04-03
>
> Abstract:
>    Deploying a new network device often requires that an employee
>    physically travel to a datacenter to perform the initial install and
>    configuration, even in shared datacenters with "smart-hands" type
>    support.  In many cases, this could be avoided if there were a
>    standard, secure way to initially provision the devices.
>
>    This document extends existing auto-install / Zero-Touch Provisioning
>    mechanisms to make the process more secure.
>
>    [ Ed note: Text inside square brackets ([]) is additional background
>    information, answers to frequently asked questions, general musings,
>    etc.  They will be removed before publication.  This document is
>    being collaborated on in Github at: https://github.com/wkumari/draft-
>    wkumari-opsawg-sdi.  The most recent version of the document, open
>    issues, etc should all be available here.  The authors (gratefully)
>    accept pull requests. ]
>
>    [ Ed note: This document introduces concepts and serves as the basic
>    for discussion - because of this, it is conversational, and would
>    need to be firmed up before being published ]
>
>
> The IETF datatracker status page for this draft is:
> https://datatracker.ietf.org/doc/draft-ietf-opsawg-sdi/
>
> There are also htmlized versions available at:
> https://tools.ietf.org/html/draft-ietf-opsawg-sdi-06
> https://datatracker.ietf.org/doc/html/draft-ietf-opsawg-sdi-06
>
> A diff from the previous version is available at:
> https://www.ietf.org/rfcdiff?url2=draft-ietf-opsawg-sdi-06
>
>
> Please note that it may take a couple of minutes from the time of submission
> until the htmlized version and diff are available at tools.ietf.org.
>
> Internet-Drafts are also available by anonymous FTP at:
> ftp://ftp.ietf.org/internet-drafts/
>
>
> _______________________________________________
> OPSAWG mailing list
> OPSAWG@ietf.org
> https://www.ietf.org/mailman/listinfo/opsawg
>
> _______________________________________________
> OPSAWG mailing list
> OPSAWG@ietf.org
> https://www.ietf.org/mailman/listinfo/opsawg



--
I don't think the execution is relevant when it was obviously a bad
idea in the first place.
This is like putting rabid weasels in your pants, and later expressing
regret at having chosen those particular rabid weasels and that pair
of pants.
   ---maf

v2.23.0 | Report a Bug | By Email