Re: [OPSAWG] Roman Danyliw's Discuss on draft-ietf-opsawg-sdi-10: (with DISCUSS and COMMENT)
Roman Danyliw <rdd@cert.org> Wed, 24 June 2020 13:37 UTC
Return-Path: <rdd@cert.org>
X-Original-To: opsawg@ietfa.amsl.com
Delivered-To: opsawg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id ECF713A0DE3; Wed, 24 Jun 2020 06:37:18 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.099
X-Spam-Level:
X-Spam-Status: No, score=-2.099 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=cert.org
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id qeBogzC60ffQ; Wed, 24 Jun 2020 06:37:17 -0700 (PDT)
Received: from veto.sei.cmu.edu (veto.sei.cmu.edu [147.72.252.17]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 0846C3A0C69; Wed, 24 Jun 2020 06:37:16 -0700 (PDT)
Received: from delp.sei.cmu.edu (delp.sei.cmu.edu [10.64.21.31]) by veto.sei.cmu.edu (8.14.7/8.14.7) with ESMTP id 05ODbFjA016026; Wed, 24 Jun 2020 09:37:15 -0400
DKIM-Filter: OpenDKIM Filter v2.11.0 veto.sei.cmu.edu 05ODbFjA016026
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=cert.org; s=yc2bmwvrj62m; t=1593005835; bh=xWuOp43S6p+kKFE1DblFvVJH2l8Zws+3CBeEaGFy5JQ=; h=From:To:CC:Subject:Date:References:In-Reply-To:From; b=ELBmJQ3VwmidA+TCJETPmYdmWyiWlFZ0eqD/AUr3O19aXfjvRKREGTH+cWKSM2Aj5 V+NmCPdFL5gcfdLF1aAd7HUdhusctg5S76QbecxizVcfwyTvudL2/QvWpO7Tv74aSd xlSpqZTzu4Yvpob6D/8q+ugD3frNW8O7MUXV2jMg=
Received: from CASCADE.ad.sei.cmu.edu (cascade.ad.sei.cmu.edu [10.64.28.248]) by delp.sei.cmu.edu (8.14.7/8.14.7) with ESMTP id 05ODbB3T026849; Wed, 24 Jun 2020 09:37:11 -0400
Received: from MURIEL.ad.sei.cmu.edu (147.72.252.47) by CASCADE.ad.sei.cmu.edu (10.64.28.248) with Microsoft SMTP Server (TLS) id 14.3.487.0; Wed, 24 Jun 2020 09:37:11 -0400
Received: from MORRIS.ad.sei.cmu.edu (147.72.252.46) by MURIEL.ad.sei.cmu.edu (147.72.252.47) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256) id 15.1.1979.3; Wed, 24 Jun 2020 09:37:10 -0400
Received: from MORRIS.ad.sei.cmu.edu ([fe80::555b:9498:552e:d1bb]) by MORRIS.ad.sei.cmu.edu ([fe80::555b:9498:552e:d1bb%13]) with mapi id 15.01.1979.003; Wed, 24 Jun 2020 09:37:10 -0400
From: Roman Danyliw <rdd@cert.org>
To: Warren Kumari <warren@kumari.net>
CC: The IESG <iesg@ietf.org>, "draft-ietf-opsawg-sdi@ietf.org" <draft-ietf-opsawg-sdi@ietf.org>, OpsAWG-Chairs <opsawg-chairs@ietf.org>, opsawg <opsawg@ietf.org>, Michael Richardson <mcr+ietf@sandelman.ca>
Thread-Topic: Roman Danyliw's Discuss on draft-ietf-opsawg-sdi-10: (with DISCUSS and COMMENT)
Thread-Index: AQHWLgxgAXmnC/Ypo0KIGmnCuZ2QXaiykIcAgDSOBQCAAN3N4A==
Date: Wed, 24 Jun 2020 13:37:10 +0000
Message-ID: <00220137aa0c49ff8307ab7da4e02e14@cert.org>
References: <158984040300.28588.491740181156676621@ietfa.amsl.com> <CAHw9_i+Rqh0zfpLM8BbusztZrrQwCzey9hRV8ZVyXUJ82pRVsw@mail.gmail.com> <426d0030fbf1440d9f246a69e7858c59@cert.org> <CAHw9_iLbA=XhHkigi8=tqOnkzq-0QpWrLU6uv2P1D9y9F5CYDw@mail.gmail.com>
In-Reply-To: <CAHw9_iLbA=XhHkigi8=tqOnkzq-0QpWrLU6uv2P1D9y9F5CYDw@mail.gmail.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [10.64.202.179]
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: base64
MIME-Version: 1.0
Archived-At: <https://mailarchive.ietf.org/arch/msg/opsawg/vD55ZJp-UKL9ZSvqD-5EUb9POg8>
Subject: Re: [OPSAWG] Roman Danyliw's Discuss on draft-ietf-opsawg-sdi-10: (with DISCUSS and COMMENT)
X-BeenThere: opsawg@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: OPSA Working Group Mail List <opsawg.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/opsawg>, <mailto:opsawg-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/opsawg/>
List-Post: <mailto:opsawg@ietf.org>
List-Help: <mailto:opsawg-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/opsawg>, <mailto:opsawg-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 24 Jun 2020 13:37:19 -0000
Hi Warren! > -----Original Message----- > From: Warren Kumari <warren@kumari.net> > Sent: Tuesday, June 23, 2020 4:21 PM > To: Roman Danyliw <rdd@cert.org> > Cc: The IESG <iesg@ietf.org>; draft-ietf-opsawg-sdi@ietf.org; OpsAWG-Chairs > <opsawg-chairs@ietf.org>; opsawg <opsawg@ietf.org>; Michael Richardson > <mcr+ietf@sandelman.ca> > Subject: Re: Roman Danyliw's Discuss on draft-ietf-opsawg-sdi-10: (with > DISCUSS and COMMENT) > > On Thu, May 21, 2020 at 10:09 AM Roman Danyliw <rdd@cert.org> wrote: > > > > Hi Warren! > > > > Thanks for the response and -11. More inline ... > > > > > -----Original Message----- > > > From: Warren Kumari <warren@kumari.net> > > > Sent: Tuesday, May 19, 2020 2:35 PM > > > To: Roman Danyliw <rdd@cert.org> > > > Cc: The IESG <iesg@ietf.org>; draft-ietf-opsawg-sdi@ietf.org; > > > OpsAWG-Chairs <opsawg-chairs@ietf.org>; opsawg <opsawg@ietf.org>; > > > Michael Richardson <mcr+ietf@sandelman.ca> > > > Subject: Re: Roman Danyliw's Discuss on draft-ietf-opsawg-sdi-10: > > > (with DISCUSS and COMMENT) > > > > > > On Mon, May 18, 2020 at 6:20 PM Roman Danyliw via Datatracker > > > <noreply@ietf.org> wrote: > > > > > > > > Roman Danyliw has entered the following ballot position for > > > > draft-ietf-opsawg-sdi-10: Discuss > > > > > > > > When responding, please keep the subject line intact and reply to > > > > all email addresses included in the To and CC lines. (Feel free to > > > > cut this introductory paragraph, however.) > > > > > > > > > > > > Please refer to > > > > https://www.ietf.org/iesg/statement/discuss-criteria.html > > > > for more information about IESG DISCUSS and COMMENT positions. > > > > > > > > > > > > The document, along with other ballot positions, can be found here: > > > > https://datatracker.ietf.org/doc/draft-ietf-opsawg-sdi/ > > > > > > > > > > > > > > > > ------------------------------------------------------------------ > > > > ---- > > > > DISCUSS: > > > > ------------------------------------------------------------------ > > > > ---- > > > > > > > > ** Section 3.2. If keying material is being distributed as a > > > > certificate, do the expected behaviors of certificate process apply? > > > > For example, how is expiration handled? > > > > > > > > -- If a customer downloads a certificate from the publication > > > > server and it is expired, what should be done? > > > > > > > > -- If a certificate is loaded in the TPM of the device, should the > > > > client stop accepting configurations if it expires? > > > > The text in -11 works for me. If you think there are alternatives to using > X.509 in this reference architecture it might be worth mentioning. > > > > > > ** Section 4.3. “After retrieving the config file, the device > > > > needs to determine if it is encrypted or not. If it is not > > > > encrypted, the existing behavior is used.” What downgrade > > > > protection is assumed or > > > recommended here. > > > > A rogue data center employee could re-target a DHCP response to a > > > > server of choice which provides only unencrypted, tainted > > > > configuration. It would seem that a device expecting an encrypted > > > > configuration should not accepted unencrypted ones (or at least > > > > this should > > > be a policy consideration). > > > > > > > > > > Thank you very much for your review. > > > > > > I have addressed these (and below) in > > > https://github.com/wkumari/draft-wkumari-opsawg- > > > sdi/commit/22d2ad52983e03309796867db22b88a5960bf039 > > > (and will be posting a new version of the draft soon, once I address > > > other comments as well). > > > For those following along at home, Roman kindly provided me some > > > text to clarify the above. > > > > For the downgrade issue noted above. I think we need a little more text. My > concern is around the following text: > > > > Section 4.3: > > After retrieving the configuration file, the device needs to determine > > if it is encrypted or not. If it is not encrypted, the existing > > behavior is used. > > > > If a new device supports this architecture and the deployment environment > supports it too (which should be known), but the device still gets an > unencrypted config, that should be a sign of something suspicious. I would > envision language here that says that devices should abort. > > Added: "If the device has been configured to only support encrypted > configuration > and determines that the configuration file is not encrypted, it should > abort." The above text would address my concern. Thanks. [snip] Regards, Roman
- [OPSAWG] Roman Danyliw's Discuss on draft-ietf-op… Roman Danyliw via Datatracker
- Re: [OPSAWG] Roman Danyliw's Discuss on draft-iet… Warren Kumari
- Re: [OPSAWG] Roman Danyliw's Discuss on draft-iet… Roman Danyliw
- Re: [OPSAWG] Roman Danyliw's Discuss on draft-iet… Warren Kumari
- Re: [OPSAWG] Roman Danyliw's Discuss on draft-iet… Roman Danyliw
- Re: [OPSAWG] Roman Danyliw's Discuss on draft-iet… Warren Kumari