IETF Logo Mail Archive

Re: [OPSAWG] Roman Danyliw's Discuss on draft-ietf-opsawg-sdi-10: (with DISCUSS and COMMENT)

Warren Kumari <warren@kumari.net> Wed, 24 June 2020 13:58 UTC

Return-Path: <warren@kumari.net>
X-Original-To: opsawg@ietfa.amsl.com
Delivered-To: opsawg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 72AA63A0DE1 for <opsawg@ietfa.amsl.com>; Wed, 24 Jun 2020 06:58:41 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.899
X-Spam-Level:
X-Spam-Status: No, score=-1.899 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=unavailable autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=kumari-net.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ZGOmUQQSjE6M for <opsawg@ietfa.amsl.com>; Wed, 24 Jun 2020 06:58:39 -0700 (PDT)
Received: from mail-lf1-x131.google.com (mail-lf1-x131.google.com [IPv6:2a00:1450:4864:20::131]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 7D1583A0DC3 for <opsawg@ietf.org>; Wed, 24 Jun 2020 06:58:39 -0700 (PDT)
Received: by mail-lf1-x131.google.com with SMTP id t74so1339769lff.2 for <opsawg@ietf.org>; Wed, 24 Jun 2020 06:58:39 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=kumari-net.20150623.gappssmtp.com; s=20150623; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc:content-transfer-encoding; bh=ygC/YyeGxCAw2uQfUOjQ709zbT7NynR+QmTTaiWoKv4=; b=qchnyyQOT9elOjTrE4HrmFFXX5e9d6+27Cu7NhHsbVBy6chFcDKOHqZgfiGTcEKaLq 95zWybM7rw3A/nOQL6WoIM9C/UF1sAIHTPYPdTnH9EFJCfQC274IBK3MGQGlGr2DLlWX gXHIVnOK9onPevCqhrbb816cK1I6cBPMl3ts+IAcpGChj4Rna9Qn2YNs0wyg7L6qp6VO dBXN4OOJQIAb2AsaPCpH2/r8Jkp/ReIUgg+tLlCuUTiFgmzLbBea5bbJrbGHDaykSXGK NTyDh2mbNbuIuWutq9iShoiJMcXUVjbwyHAvDwW6GS2x7dqMxDmyfORqeujsRCHqVbIa rOUA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc:content-transfer-encoding; bh=ygC/YyeGxCAw2uQfUOjQ709zbT7NynR+QmTTaiWoKv4=; b=OpuYqQf1EvJZWwKdi/VbTwYvqhJCbN29i0TiJkrqQH5cv8KrHSA6PepH+Njbtf5sN8 uRJDInSGOp8Scc5DsZk/Tl+7WC30m7rM9CwOUt9HBp6sqjFscn3e6quept5vewNbblCe PWcgDm6Nia5okONMlZ/5iYEe1lyLh/XD9qAbskOq+onMXy6CwKFbIkAW4izmJW7DRo3V TSd4DASrb5eaNSWyq7EccBFY68cd9DZHy7Jhcmmq60BLBRxc5SfBR72akofVfkcFd/EE DZ6SZF0aTU+r/phfW8Q3WAd2Sbv2tq1KiqbURdZZDCxBvyumFlTOoZqFNRnFtISNwBzO 3IgA==
X-Gm-Message-State: AOAM5320DyyQVxNubS6SlzDp/y/chATeyYBrIQXMuxycN3oYBf3V2jLV B47XgYmWj4Lqajl+XLNadkWcaDj4GGMmIHBfV4eyKNX9ST0=
X-Google-Smtp-Source: ABdhPJyEr+jIx4q5VxZsYnbGcWdhOF2AV75rd2MD8pvVBIWPTl4JGIFsu/dB3GIzR+dnnTRTXHRcSFutfUK5P7+ZX2Y=
X-Received: by 2002:a05:6512:104b:: with SMTP id c11mr10296113lfb.88.1593007117145; Wed, 24 Jun 2020 06:58:37 -0700 (PDT)
MIME-Version: 1.0
References: <158984040300.28588.491740181156676621@ietfa.amsl.com> <CAHw9_i+Rqh0zfpLM8BbusztZrrQwCzey9hRV8ZVyXUJ82pRVsw@mail.gmail.com> <426d0030fbf1440d9f246a69e7858c59@cert.org> <CAHw9_iLbA=XhHkigi8=tqOnkzq-0QpWrLU6uv2P1D9y9F5CYDw@mail.gmail.com> <00220137aa0c49ff8307ab7da4e02e14@cert.org>
In-Reply-To: <00220137aa0c49ff8307ab7da4e02e14@cert.org>
From: Warren Kumari <warren@kumari.net>
Date: Wed, 24 Jun 2020 09:57:59 -0400
Message-ID: <CAHw9_iJ5gb0NmQ7nbjWMKGn-Nt-wZNwgd-5B8_d_2y9-3jrsZA@mail.gmail.com>
To: Roman Danyliw <rdd@cert.org>
Cc: The IESG <iesg@ietf.org>, "draft-ietf-opsawg-sdi@ietf.org" <draft-ietf-opsawg-sdi@ietf.org>, OpsAWG-Chairs <opsawg-chairs@ietf.org>, opsawg <opsawg@ietf.org>, Michael Richardson <mcr+ietf@sandelman.ca>
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
Archived-At: <https://mailarchive.ietf.org/arch/msg/opsawg/bYmKHSqc_FzS1csGvguppzhOa7Y>
Subject: Re: [OPSAWG] Roman Danyliw's Discuss on draft-ietf-opsawg-sdi-10: (with DISCUSS and COMMENT)
X-BeenThere: opsawg@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: OPSA Working Group Mail List <opsawg.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/opsawg>, <mailto:opsawg-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/opsawg/>
List-Post: <mailto:opsawg@ietf.org>
List-Help: <mailto:opsawg-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/opsawg>, <mailto:opsawg-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 24 Jun 2020 13:58:41 -0000

On Wed, Jun 24, 2020 at 9:37 AM Roman Danyliw <rdd@cert.org> wrote:
>
> Hi Warren!
>
> > -----Original Message-----
> > From: Warren Kumari <warren@kumari.net>
> > Sent: Tuesday, June 23, 2020 4:21 PM
> > To: Roman Danyliw <rdd@cert.org>
> > Cc: The IESG <iesg@ietf.org>; draft-ietf-opsawg-sdi@ietf.org; OpsAWG-Chairs
> > <opsawg-chairs@ietf.org>; opsawg <opsawg@ietf.org>; Michael Richardson
> > <mcr+ietf@sandelman.ca>
> > Subject: Re: Roman Danyliw's Discuss on draft-ietf-opsawg-sdi-10: (with
> > DISCUSS and COMMENT)
> >
> > On Thu, May 21, 2020 at 10:09 AM Roman Danyliw <rdd@cert.org> wrote:
> > >
> > > Hi Warren!
> > >
> > > Thanks for the response and -11.  More inline ...
> > >
> > > > -----Original Message-----
> > > > From: Warren Kumari <warren@kumari.net>
> > > > Sent: Tuesday, May 19, 2020 2:35 PM
> > > > To: Roman Danyliw <rdd@cert.org>
> > > > Cc: The IESG <iesg@ietf.org>; draft-ietf-opsawg-sdi@ietf.org;
> > > > OpsAWG-Chairs <opsawg-chairs@ietf.org>; opsawg <opsawg@ietf.org>;
> > > > Michael Richardson <mcr+ietf@sandelman.ca>
> > > > Subject: Re: Roman Danyliw's Discuss on draft-ietf-opsawg-sdi-10:
> > > > (with DISCUSS and COMMENT)
> > > >
> > > > On Mon, May 18, 2020 at 6:20 PM Roman Danyliw via Datatracker
> > > > <noreply@ietf.org> wrote:
> > > > >
> > > > > Roman Danyliw has entered the following ballot position for
> > > > > draft-ietf-opsawg-sdi-10: Discuss
> > > > >
> > > > > When responding, please keep the subject line intact and reply to
> > > > > all email addresses included in the To and CC lines. (Feel free to
> > > > > cut this introductory paragraph, however.)
> > > > >
> > > > >
> > > > > Please refer to
> > > > > https://www.ietf.org/iesg/statement/discuss-criteria.html
> > > > > for more information about IESG DISCUSS and COMMENT positions.
> > > > >
> > > > >
> > > > > The document, along with other ballot positions, can be found here:
> > > > > https://datatracker.ietf.org/doc/draft-ietf-opsawg-sdi/
> > > > >
> > > > >
> > > > >
> > > > > ------------------------------------------------------------------
> > > > > ----
> > > > > DISCUSS:
> > > > > ------------------------------------------------------------------
> > > > > ----
> > > > >
> > > > > ** Section 3.2.  If keying material is being distributed as a
> > > > > certificate, do the expected behaviors of certificate process apply?
> > > > > For example, how is expiration handled?
> > > > >
> > > > > --  If a customer downloads a certificate from the publication
> > > > > server and it is expired, what should be done?
> > > > >
> > > > > -- If a certificate is loaded in the TPM of the device, should the
> > > > > client stop accepting configurations if it expires?
> > >
> > > The text in -11 works for me.  If you think there are alternatives to using
> > X.509 in this reference architecture it might be worth mentioning.
> > >
> > > > > ** Section 4.3.  “After retrieving the config file, the device
> > > > > needs to determine if it is encrypted or not.  If it is not
> > > > > encrypted, the existing behavior is used.”  What downgrade
> > > > > protection is assumed or
> > > > recommended here.
> > > > > A rogue data center employee could re-target a DHCP response to a
> > > > > server of choice which provides only unencrypted, tainted
> > > > > configuration.  It would seem that a device expecting an encrypted
> > > > > configuration should not accepted unencrypted ones (or at least
> > > > > this should
> > > > be a policy consideration).
> > > > >
> > > >
> > > > Thank you very much for your review.
> > > >
> > > > I have addressed these (and below) in
> > > > https://github.com/wkumari/draft-wkumari-opsawg-
> > > > sdi/commit/22d2ad52983e03309796867db22b88a5960bf039
> > > > (and will be posting a new version of the draft soon, once I address
> > > > other comments as well).
> > > > For those following along at home, Roman kindly provided me some
> > > > text to clarify the above.
> > >
> > > For the downgrade issue noted above.  I think we need a little more text.  My
> > concern is around the following text:
> > >
> > > Section 4.3:
> > > After retrieving the configuration file, the device needs to determine
> > > if it is encrypted or not. If it is not encrypted, the existing
> > > behavior is used.
> > >
> > > If a new device supports this architecture and the deployment environment
> > supports it too (which should be known), but the device still gets an
> > unencrypted config, that should be a sign of something suspicious.  I would
> > envision language here that says that devices should abort.
> >
> > Added: "If the device has been configured to only support encrypted
> > configuration
> >         and determines that the configuration file is not encrypted, it should
> > abort."
>
> The above text would address my concern.  Thanks.

Awesome, thank you.
I've just pushed a new version -13 with this (and Ben's comments).

Thank you again,
W

>
> [snip]
>
> Regards,
> Roman



-- 
I don't think the execution is relevant when it was obviously a bad
idea in the first place.
This is like putting rabid weasels in your pants, and later expressing
regret at having chosen those particular rabid weasels and that pair
of pants.
   ---maf

v2.23.0 | Report a Bug | By Email