Re: [OPSAWG] WG adoption poll for draft-wkumari-opsawg-sdi-04
Warren Kumari <warren@kumari.net> Mon, 24 June 2019 08:38 UTC
Return-Path: <warren@kumari.net>
X-Original-To: opsawg@ietfa.amsl.com
Delivered-To: opsawg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E7C8A120114 for <opsawg@ietfa.amsl.com>; Mon, 24 Jun 2019 01:38:03 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Level:
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=kumari-net.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id BtdsteroGF9Z for <opsawg@ietfa.amsl.com>; Mon, 24 Jun 2019 01:38:01 -0700 (PDT)
Received: from mail-qt1-x82c.google.com (mail-qt1-x82c.google.com [IPv6:2607:f8b0:4864:20::82c]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 8E3C7120048 for <opsawg@ietf.org>; Mon, 24 Jun 2019 01:38:01 -0700 (PDT)
Received: by mail-qt1-x82c.google.com with SMTP id p15so13615181qtl.3 for <opsawg@ietf.org>; Mon, 24 Jun 2019 01:38:01 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=kumari-net.20150623.gappssmtp.com; s=20150623; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc:content-transfer-encoding; bh=Ug5kZcYQAD2q6mjhOeyWkt51O/f527M4VoB2+y6hYsE=; b=UTywL0RAeZpZC3mtl8F3VztcStzW8JhBRnXflS2sVqalWqRoHtyctQJ6x/M3FzFizj YqvhGNLzTCMSaqL0bNDeb7ZzC41nPtaj+MWGzDG+6d9xgtj78gqB/VrrNkzSYpqz52tx F7vZL6W6cfBbXe1L6EHxHyiys335VVOW16KjutxN4+rfFvMnJssrYDgQqzEf1zXhTn0N aDt/vUuhU8HR8QfVn9/x9zyBvuzC33myfDYCOxmkqnWHoyOFCCEaj1d+znT/jMjPke++ FMFzlzeShugPeGLmJ1tI6TRA9nM9WS9jw5G5okFPRDtr6rsvfNYOFynQsdNkuavUalxy 4LNQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc:content-transfer-encoding; bh=Ug5kZcYQAD2q6mjhOeyWkt51O/f527M4VoB2+y6hYsE=; b=PvGZSmtCtAi7/2mnbULC0F/dEHnqqTxTwepNdFYwMeAeJnY2BKmkvny2Ku5JdaJr2z cPrFMlQ1OxHOQPNKvt+dIysQQg67bnQ8BliuyCkuM6uScNT2v8balBoA7ff2XA/QKc6x louSI9UdGNX5bjOIMhfNIFlTV/bAbYMyI2bLweGlvxgYgtj9JZW4yCnkSfW5RXz/+aY4 bnYHR/i2hynVBYJOZ+S0IUPcn722KsN77htZVn/tBHnUdhS7zPgUviaKqeLJiKX5Ywio cb96/f1TfhyhVOsYmjeYJlqe+TDwHCuDLFkSp03e2ShjArPUSlboIFMwPt66wRuLBnlT vTiA==
X-Gm-Message-State: APjAAAXvpEcv/6VipQ+8xfTGL2IXI20+eg5p8SXjfwodWqXquVauPQve LOCbgTBlrj6gn9f5bIrQC+aD57UtZtRbCSJ4k9FyMQ==
X-Google-Smtp-Source: APXvYqzqu0BDNJD73Dx0nKaOmDky45lkWGy1hyzalFayhMF0lIBtkuofFcFZD4bFjm05XfXVSklcqknTf18Ma8WB+Fc=
X-Received: by 2002:ac8:3811:: with SMTP id q17mr97806188qtb.315.1561365480045; Mon, 24 Jun 2019 01:38:00 -0700 (PDT)
MIME-Version: 1.0
References: <B8F9A780D330094D99AF023C5877DABAA49AAE33@nkgeml513-mbx.china.huawei.com>
In-Reply-To: <B8F9A780D330094D99AF023C5877DABAA49AAE33@nkgeml513-mbx.china.huawei.com>
From: Warren Kumari <warren@kumari.net>
Date: Mon, 24 Jun 2019 09:37:21 +0100
Message-ID: <CAHw9_iLCoCQ9FOO+uasJuOBYmBO3b=FAX0gwTP1y=_k13yX5ww@mail.gmail.com>
To: Qin Wu <bill.wu@huawei.com>
Cc: Michael Richardson <mcr+ietf@sandelman.ca>, "opsawg@ietf.org" <opsawg@ietf.org>, OpsAWG Chairs <opsawg-chairs@ietf.org>
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
Archived-At: <https://mailarchive.ietf.org/arch/msg/opsawg/qzUCxOJ-0W5TmMjb78dRcz_S7Ac>
Subject: Re: [OPSAWG] WG adoption poll for draft-wkumari-opsawg-sdi-04
X-BeenThere: opsawg@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: OPSA Working Group Mail List <opsawg.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/opsawg>, <mailto:opsawg-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/opsawg/>
List-Post: <mailto:opsawg@ietf.org>
List-Help: <mailto:opsawg-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/opsawg>, <mailto:opsawg-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 24 Jun 2019 08:38:04 -0000
On Mon, Jun 24, 2019 at 2:51 AM Qin Wu <bill.wu@huawei.com> wrote: > > Interesting, try to understand the key difference between device enroll in secure environment and device enroll in in secure environment? I'm unsure what you are asking; I'm guessing perhaps you meant "in an insecure environment"? This completely depends on what you mean by "insecure", but "probably". As always, once the device has been configured, if an attacker has physical access to the device, they can probably do things like unsolder the flash / nvram and read the config off that -- but that has nothing to do with this technology, it is an existing issue. If you use this mechanism to initially configure the device, and the network is compromised, and the attacker knows the serial number / UUID of the device, and the attacker can provide DHCP, the attacker *could* make the device download and install a config file --- this largely means that the attacker could (temporarily) steal the device - but threat seems a: unrealistic and b: the threat is minor / you have much larger issues :-) > Does the mechanism proposed in this draft work for the device behind the firewall or NAT? Yes -- the device *only* needs to be able to download the (encrypted) config file, it doesn't need to contact anything else, nor does anything need reach the device. This means that it can be run behind a NAT, firewall, or a even a network which is completely disconnected from the Internet. > > -Qin Wu > -----邮件原件----- > 发件人: OPSAWG [mailto:opsawg-bounces@ietf.org] 代表 Michael Richardson > 发送时间: 2019年6月19日 8:47 > 收件人: Warren Kumari <warren@kumari.net> > 抄送: opsawg@ietf.org; OpsAWG Chairs <opsawg-chairs@ietf.org> > 主题: Re: [OPSAWG] WG adoption poll for draft-wkumari-opsawg-sdi-04 > > > Warren Kumari <warren@kumari.net> wrote: > > Here is a link to the slidedeck from IETF104 to refresh your memory - > > https://datatracker.ietf.org/meeting/104/materials/slides-104-opsawg-draft-wkumari-opsawg-sdi-01.pdf > > -- basically the entire document is summarized in 2 slides (slide 9, > > 10). If you'd prefer video -- https://youtu.be/a479Zohc5yg?t=1266 > > > The main design criteria for this was to be as simple as possible, to > > make it trivial to implement and use. This is specifically designed to > > just augment existing auto-install functionality; there are much more > > ambitious and fully featured solutions (such as ANIMA and RFC 8572) > > available for those who can / want to use them. > > Your claim that BRSKI is too complex is interesting, and I'd like to discuss this with you over beer. But, I appreciate you trying to do this. > Saving CO2 expended by silly airplane flights is appreciated. > > We did consider a protocol such as you describe. > The limitation is that it does not necessarily enroll the new device into the ISP's security domain, and we really wanted that. > > The Config file provided could do that, and as you say, some staging mechanism could also use ssh to do that as well. But, that wouldn't really be a standard, and we needed something more specific. > > I think you need a bit more text to explain why the device should trust the DHCP server; and also how the owner convinces the manufacturer to turn over this key. As written, it looks like if I get a good look at the label of a BFR I have a good chance of getting the key, and I'm sure you intend something more involved. > > It's unclear to me if this key should be retained in the factory reset situation or not; I think you offer both possibilities, but each version has some security gotchas, and I think it needs to be explained. > > I would like you to consider specifying a standard format for the encrypted > configuration. CMS, PGP, JOSE, COSE... pick one or more. That way, we can > have tools that can support a multiple of vendors equipment. > > Failing such a choice, I don't see anything in this description which a manufacturer can't unilaterally do today. So maybe it's a BCP, and and it can go into an RFP. I don't think it's Informational: BCP or STD. > > > I'd really appreciate your review and comment; it's short (if you > > ignore the ASCII art diagrams and example appendix and similar it is 7 > > or 8 pages, and much of that is background). W > > Adopt it. > > ps: it would be nice if the initial DHCP request included a MUD URL, so that > the infrastructure can know what the device is expected to do, > particularly if that might involve calling home to get the latest > firmware before operating. > Should the device get any kind of Internet access from the DHCP server? > > -- > Michael Richardson <mcr+IETF@sandelman.ca>, Sandelman Software Works -= IPv6 IoT consulting =- > > > -- I don't think the execution is relevant when it was obviously a bad idea in the first place. This is like putting rabid weasels in your pants, and later expressing regret at having chosen those particular rabid weasels and that pair of pants. ---maf
- [OPSAWG] WG adoption poll for draft-wkumari-opsaw… Tianran Zhou
- Re: [OPSAWG] WG adoption poll for draft-wkumari-o… Warren Kumari
- Re: [OPSAWG] WG adoption poll for draft-wkumari-o… Joe Clarke (jclarke)
- Re: [OPSAWG] WG adoption poll for draft-wkumari-o… Michael Richardson
- Re: [OPSAWG] WG adoption poll for draft-wkumari-o… Qin Wu
- Re: [OPSAWG] WG adoption poll for draft-wkumari-o… Warren Kumari
- Re: [OPSAWG] WG adoption poll for draft-wkumari-o… Qin Wu
- Re: [OPSAWG] WG adoption poll for draft-wkumari-o… Tianran Zhou