IETF Logo Mail Archive

Re: [OPSAWG] Roman Danyliw's Discuss on draft-ietf-opsawg-sdi-10: (with DISCUSS and COMMENT)

Roman Danyliw <rdd@cert.org> Thu, 21 May 2020 14:09 UTC

Return-Path: <rdd@cert.org>
X-Original-To: opsawg@ietfa.amsl.com
Delivered-To: opsawg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 246553A0CE8; Thu, 21 May 2020 07:09:04 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.099
X-Spam-Level:
X-Spam-Status: No, score=-2.099 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=cert.org
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 3cwpskoI4ukH; Thu, 21 May 2020 07:09:00 -0700 (PDT)
Received: from taper.sei.cmu.edu (taper.sei.cmu.edu [147.72.252.16]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 677253A0CE1; Thu, 21 May 2020 07:09:00 -0700 (PDT)
Received: from delp.sei.cmu.edu (delp.sei.cmu.edu [10.64.21.31]) by taper.sei.cmu.edu (8.14.7/8.14.7) with ESMTP id 04LE8xr7009843; Thu, 21 May 2020 10:08:59 -0400
DKIM-Filter: OpenDKIM Filter v2.11.0 taper.sei.cmu.edu 04LE8xr7009843
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=cert.org; s=yc2bmwvrj62m; t=1590070139; bh=WrdSxKCL2hkorEiVP1M1YbI/zxcpATgA63Y+a+kjSWA=; h=From:To:CC:Subject:Date:References:In-Reply-To:From; b=tc+7fNSWH6HOLQseudCllMlJM4F8Zps8tLfhR0UZFc+affESlNqT4BdRnlRwtlE0K lbsEDiyCrqzeqQlVIgSj89ACHvKVkyMEvwED5BVKfk30dj5uFz6QzjkMa+zZQmj+m0 j5x9dfZBfWWZot7sOmGIfHfHpS2/4upHEWyB8zWM=
Received: from CASCADE.ad.sei.cmu.edu (cascade.ad.sei.cmu.edu [10.64.28.248]) by delp.sei.cmu.edu (8.14.7/8.14.7) with ESMTP id 04LE8ukF040103; Thu, 21 May 2020 10:08:56 -0400
Received: from MORRIS.ad.sei.cmu.edu (147.72.252.46) by CASCADE.ad.sei.cmu.edu (10.64.28.248) with Microsoft SMTP Server (TLS) id 14.3.487.0; Thu, 21 May 2020 10:08:56 -0400
Received: from MORRIS.ad.sei.cmu.edu (147.72.252.46) by MORRIS.ad.sei.cmu.edu (147.72.252.46) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256) id 15.1.1847.3; Thu, 21 May 2020 10:08:55 -0400
Received: from MORRIS.ad.sei.cmu.edu ([fe80::555b:9498:552e:d1bb]) by MORRIS.ad.sei.cmu.edu ([fe80::555b:9498:552e:d1bb%22]) with mapi id 15.01.1847.007; Thu, 21 May 2020 10:08:55 -0400
From: Roman Danyliw <rdd@cert.org>
To: Warren Kumari <warren@kumari.net>
CC: The IESG <iesg@ietf.org>, "draft-ietf-opsawg-sdi@ietf.org" <draft-ietf-opsawg-sdi@ietf.org>, OpsAWG-Chairs <opsawg-chairs@ietf.org>, opsawg <opsawg@ietf.org>, Michael Richardson <mcr+ietf@sandelman.ca>
Thread-Topic: Roman Danyliw's Discuss on draft-ietf-opsawg-sdi-10: (with DISCUSS and COMMENT)
Thread-Index: AQHWLgxgAXmnC/Ypo0KIGmnCuZ2QXaiykIcA
Date: Thu, 21 May 2020 14:08:55 +0000
Message-ID: <426d0030fbf1440d9f246a69e7858c59@cert.org>
References: <158984040300.28588.491740181156676621@ietfa.amsl.com> <CAHw9_i+Rqh0zfpLM8BbusztZrrQwCzey9hRV8ZVyXUJ82pRVsw@mail.gmail.com>
In-Reply-To: <CAHw9_i+Rqh0zfpLM8BbusztZrrQwCzey9hRV8ZVyXUJ82pRVsw@mail.gmail.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [10.64.202.68]
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: base64
MIME-Version: 1.0
Archived-At: <https://mailarchive.ietf.org/arch/msg/opsawg/mx6Fb8Zz-MMHOPDaC4wDpm3IVZ8>
Subject: Re: [OPSAWG] Roman Danyliw's Discuss on draft-ietf-opsawg-sdi-10: (with DISCUSS and COMMENT)
X-BeenThere: opsawg@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: OPSA Working Group Mail List <opsawg.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/opsawg>, <mailto:opsawg-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/opsawg/>
List-Post: <mailto:opsawg@ietf.org>
List-Help: <mailto:opsawg-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/opsawg>, <mailto:opsawg-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 21 May 2020 14:09:04 -0000

Hi Warren!

Thanks for the response and -11.  More inline ...

> -----Original Message-----
> From: Warren Kumari <warren@kumari.net>
> Sent: Tuesday, May 19, 2020 2:35 PM
> To: Roman Danyliw <rdd@cert.org>
> Cc: The IESG <iesg@ietf.org>; draft-ietf-opsawg-sdi@ietf.org; OpsAWG-Chairs
> <opsawg-chairs@ietf.org>; opsawg <opsawg@ietf.org>; Michael Richardson
> <mcr+ietf@sandelman.ca>
> Subject: Re: Roman Danyliw's Discuss on draft-ietf-opsawg-sdi-10: (with
> DISCUSS and COMMENT)
> 
> On Mon, May 18, 2020 at 6:20 PM Roman Danyliw via Datatracker
> <noreply@ietf.org> wrote:
> >
> > Roman Danyliw has entered the following ballot position for
> > draft-ietf-opsawg-sdi-10: Discuss
> >
> > When responding, please keep the subject line intact and reply to all
> > email addresses included in the To and CC lines. (Feel free to cut
> > this introductory paragraph, however.)
> >
> >
> > Please refer to
> > https://www.ietf.org/iesg/statement/discuss-criteria.html
> > for more information about IESG DISCUSS and COMMENT positions.
> >
> >
> > The document, along with other ballot positions, can be found here:
> > https://datatracker.ietf.org/doc/draft-ietf-opsawg-sdi/
> >
> >
> >
> > ----------------------------------------------------------------------
> > DISCUSS:
> > ----------------------------------------------------------------------
> >
> > ** Section 3.2.  If keying material is being distributed as a
> > certificate, do the expected behaviors of certificate process apply?
> > For example, how is expiration handled?
> >
> > --  If a customer downloads a certificate from the publication server
> > and it is expired, what should be done?
> >
> > -- If a certificate is loaded in the TPM of the device, should the
> > client stop accepting configurations if it expires?

The text in -11 works for me.  If you think there are alternatives to using X.509 in this reference architecture it might be worth mentioning.

> > ** Section 4.3.  “After retrieving the config file, the device needs
> > to determine if it is encrypted or not.  If it is not encrypted, the
> > existing behavior is used.”  What downgrade protection is assumed or
> recommended here.
> > A rogue data center employee could re-target a DHCP response to a
> > server of choice which provides only unencrypted, tainted
> > configuration.  It would seem that a device expecting an encrypted
> > configuration should not accepted unencrypted ones (or at least this should
> be a policy consideration).
> >
> 
> Thank you very much for your review.
> 
> I have addressed these (and below) in
> https://github.com/wkumari/draft-wkumari-opsawg-
> sdi/commit/22d2ad52983e03309796867db22b88a5960bf039
> (and will be posting a new version of the draft soon, once I address other
> comments as well).
> For those following along at home, Roman kindly provided me some text to
> clarify the above.

For the downgrade issue noted above.  I think we need a little more text.  My concern is around the following text:

Section 4.3:
After retrieving the configuration file, the device needs to
determine if it is encrypted or not. If it is not encrypted, the
existing behavior is used.

If a new device supports this architecture and the deployment environment supports it too (which should be known), but the device still gets an unencrypted config, that should be a sign of something suspicious.  I would envision language here that says that devices should abort.

> >
> > ----------------------------------------------------------------------
> > COMMENT:
> > ----------------------------------------------------------------------
> >
> > ** I struggled a bit to understand where this solution was applicable.
> > For
> > example:
> >
> > Abstract: “This document extends existing auto-install / Zero-Touch
> > Provisioning mechanisms to make the process more secure.”
> >
> > Section 1: “this document layers security onto existing auto-install
> > solutions to provide a secure method to initially configure new devices”.
> >
> > -- Which “auto-install” and “zero touch provision mechanisms” is this
> updating?
> 
> I added some text to clean this up, and point at the archetype  - Cisco's
> AutoInstall - https://www.cisco.com/c/en/us/td/docs/ios-
> xml/ios/fundamentals/configuration/15mt/fundamentals-15-mt-book/cf-
> autoinstall.html
> It is by no means the only org which does this, but it has been around for a long
> time, and is probably best known...
> 
> >
> > -- What exact preconditions are necessary to make this “solution”
> > (reference
> > architecture?) applicable?  Would this still be useful if the “auto-install”
> > mechanism was encrypted?  What non-DHCP configurations should be
> considered?
> > Does the way the device identifier bind to the configuration matter?
> > Because there is little specificity, it is difficult to review the security
> properties.
> >
> > ** Per the Security Considerations, what new security services does
> > this overlay provide?
> 
> Added some text. Thank you!
> 
> "This reference architecture is intended to incrementally improve upon
> 
>    commonly accepted "auto-install" practices used today that may
>    transmit configurations unencrypted (e.g., unencrypted config files
>    which can be downloaded connecting to unprotected ports in
>    datacenters, mailing initial config files on flash drives, or
>    emailing config files and asking a third-party to copy and paste it
>    over a serial terminal) or allow unrestricted access to these
>    configurations.
> 
>    This document describes an object level security design to provide
>    confidentiality assurances for the configuration while it is in
>    transit between the configuration server and the unprovisioned device
>    even if the underly transport does not provide this security service.
> 
>    The architecture provides no assurances about the source of the
>    encrypted configuration or protect against theft and reuse of
>    devices.

Thanks for this update.  I think it is also worth adding that it protects configurations at rest on the config server.

OLD
This document describes an object level security design to provide
confidentiality assurances for the configuration while it is in
transit between the configuration server and the unprovisioned device
even if the underly transport does not provide this security service.

NEW
This document describes an object level security design to provide
confidentiality assurances for the configuration stored at rest on the configuration server; and for configuration while it is in
transit between the configuration server and the unprovisioned device
even if the underly transport does not provide this security service.

Regards,
Roman

> 
> >
> > ** Section 2.  Per “This document extends this (vendor specific) …”,
> > what is “vendor specific” about this approach?
> >
> > ** Section 4.2. Per “The operator will then encrypt the initial
> > configuration (for example, using SMIME [RFC5751]) using the key in
> > the certificate, and place it on their TFTP server”, is this always a
> > TFTP server, or is this only an example – I think this is an example?
> 
> Ooh, yes. I changed it to "on their configuration server". Thank you!
> 
> >
> > ** Section 4.3.  Per “Give up, go home” in the figure, is there a
> > retry procedure?  The text above states that “If it cannot decrypt the
> > file, or if parsing the configurations fails, the device will either
> > abort the auto-install process, or will repeat this process until it succeeds.”
> 
> Good point - I should actually redo the diagram to include the retry, but I'm
> also trying to keep it uncluttered. For now I just changed it to "Retry or Abort"
> (this will show up in next commit)
> 
> >
> > ** Section 7.  Per “An attacker (e.g., a malicious datacenter
> > employee)”, also a malicious shipping agent.
> >
> Good point. Added "e.g., a malicious datacenter employee, person in the supply
> chain, etc.) "
> 
> > ** Editorial
> > -- Abstract.  Editorial. I would recommend generalized wording to
> > replace the phrase ‘smart-hands’-type support.
> >
> > -- Section 1.  Editorial. “asking the smart-hands to …”, Recommend
> > generalizing this reference.
> 
> I changed it to "remote-hands" and remote support respectively. Thank you!
> 
> >
> > -- Section 1. Editorial. “not intended to be an ‘all singing, all dancing’
> > fully featured system”, Recommend removing this colloquialism.
> 
> Fair. Done.
> 
> >
> > -- Section 3.1. Typo. s/Each devices requires/Each device requires/
> 
> DONE
> 
> >
> > -- Section 3.1.  Typo. s/cryptograthic/cryptographic/
> 
> DONE
> 
> >
> > -- Section 4.3. Typo. s/dependant/dependent/
> 
> DONE
> 
> >
> > -- Section 4.3. s/retrys/retries/
> 
> DONE.
> 
> I'm using VS Code as my XML editor at the moment, and it's lack of integrated
> spell check exposes my poor typing skills :-)
> 
> W
> >
> >
> >
> 
> 
> --
> I don't think the execution is relevant when it was obviously a bad idea in the
> first place.
> This is like putting rabid weasels in your pants, and later expressing regret at
> having chosen those particular rabid weasels and that pair of pants.
>    ---maf

v2.23.0 | Report a Bug | By Email