IETF Logo Mail Archive

Re: [OPSAWG] Roman Danyliw's Discuss on draft-ietf-opsawg-sdi-10: (with DISCUSS and COMMENT)

Warren Kumari <warren@kumari.net> Tue, 23 June 2020 20:21 UTC

Return-Path: <warren@kumari.net>
X-Original-To: opsawg@ietfa.amsl.com
Delivered-To: opsawg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D1DFF3A08FF for <opsawg@ietfa.amsl.com>; Tue, 23 Jun 2020 13:21:36 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.899
X-Spam-Level:
X-Spam-Status: No, score=-1.899 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=unavailable autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=kumari-net.20150623.gappssmtp.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ZZj7oXfYTZXV for <opsawg@ietfa.amsl.com>; Tue, 23 Jun 2020 13:21:34 -0700 (PDT)
Received: from mail-lf1-x12c.google.com (mail-lf1-x12c.google.com [IPv6:2a00:1450:4864:20::12c]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id A4BBC3A0901 for <opsawg@ietf.org>; Tue, 23 Jun 2020 13:21:33 -0700 (PDT)
Received: by mail-lf1-x12c.google.com with SMTP id c11so39595lfh.8 for <opsawg@ietf.org>; Tue, 23 Jun 2020 13:21:33 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=kumari-net.20150623.gappssmtp.com; s=20150623; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc:content-transfer-encoding; bh=JgpD361wWqdiMDiiC2W/70yuECgMXPixH/m5xWaGn4o=; b=HgWCCzKutHmXhD2FXdHXpryqEnDTqyX3kdAD9q3ox07nEg9S2BlhmqixXZBn4xTwBK FoErQMEnxcZnKbfmHDTOkBO8K0eVR7bYIY3MdvqEnXQ6qFVmsnsbEpyA0hrzd8VdOREA wVAP3sxEiA9SrmTldy7XpdZammtZkqxMBIMSrWculqA0BMdrkLvk+ovbsD4ozhGXtsum renK9r4Pj03xubFFhlj4F7uL88uBJ+8AXQjXZGg5p8ZFg4bznY5M2xjS+L4o+HjKi6Mv 093glhOpXBgszsgBcLuJMPqUqdb9n+9I7YnEpdIN21qFA3KORe+pKy8yb+8tvGsb/GtB HXbw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc:content-transfer-encoding; bh=JgpD361wWqdiMDiiC2W/70yuECgMXPixH/m5xWaGn4o=; b=Oisb1z7ZXXyEYCXtzxeAGwSuHO0T07LC96HqhFOjsXTC0rdDe2LfvuiAJkFn9Jkv/P eudAz+hcBWpcRHd5rEO5r0WO/x53P9p73hS5NwlU56c0O3IC/PcoNILz3clpPhbFeE9V D7p35TWeNP5on+pDH5ZZ/Ct0WPuzBy10fJQD8bjCWbpRLMCo8167ScmNphSEPI6wEnF5 w7OeBb5APo78O9D3zV1Y2VFzPXk9zcO8XpwamTAQTZzCW3gRhop/Cn462cZowrdwyV2R zIxGw7P6/DBysHJk4IOW5i2uSVnX63NaYYRYJz+4S5eadn4m5TVMkQyW5RhVtgji6Q23 txAw==
X-Gm-Message-State: AOAM530Dh6V7TzOzjXI9ZOurMwLqqI96YL69WTv52KSOwaGk/A/UnCNs OJGq8BR+wJu7+Wt/VKufajCHhdgDkV0bMeJb+klwwQ==
X-Google-Smtp-Source: ABdhPJwh7/GupysU3bUz3p0CnkvW4pO4wimjxZxenJWMLcx6MPvwbRRIzQ51Rrg57POqIIbMz5hPaTaCrF+HzZQXr7o=
X-Received: by 2002:a05:6512:54d:: with SMTP id h13mr13655216lfl.8.1592943691134; Tue, 23 Jun 2020 13:21:31 -0700 (PDT)
MIME-Version: 1.0
References: <158984040300.28588.491740181156676621@ietfa.amsl.com> <CAHw9_i+Rqh0zfpLM8BbusztZrrQwCzey9hRV8ZVyXUJ82pRVsw@mail.gmail.com> <426d0030fbf1440d9f246a69e7858c59@cert.org>
In-Reply-To: <426d0030fbf1440d9f246a69e7858c59@cert.org>
From: Warren Kumari <warren@kumari.net>
Date: Tue, 23 Jun 2020 16:20:54 -0400
Message-ID: <CAHw9_iLbA=XhHkigi8=tqOnkzq-0QpWrLU6uv2P1D9y9F5CYDw@mail.gmail.com>
To: Roman Danyliw <rdd@cert.org>
Cc: The IESG <iesg@ietf.org>, "draft-ietf-opsawg-sdi@ietf.org" <draft-ietf-opsawg-sdi@ietf.org>, OpsAWG-Chairs <opsawg-chairs@ietf.org>, opsawg <opsawg@ietf.org>, Michael Richardson <mcr+ietf@sandelman.ca>
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
Archived-At: <https://mailarchive.ietf.org/arch/msg/opsawg/zRluunKWJOZa_b53yl5PZy0g-00>
Subject: Re: [OPSAWG] Roman Danyliw's Discuss on draft-ietf-opsawg-sdi-10: (with DISCUSS and COMMENT)
X-BeenThere: opsawg@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: OPSA Working Group Mail List <opsawg.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/opsawg>, <mailto:opsawg-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/opsawg/>
List-Post: <mailto:opsawg@ietf.org>
List-Help: <mailto:opsawg-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/opsawg>, <mailto:opsawg-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 23 Jun 2020 20:21:37 -0000

On Thu, May 21, 2020 at 10:09 AM Roman Danyliw <rdd@cert.org> wrote:
>
> Hi Warren!
>
> Thanks for the response and -11.  More inline ...
>
> > -----Original Message-----
> > From: Warren Kumari <warren@kumari.net>
> > Sent: Tuesday, May 19, 2020 2:35 PM
> > To: Roman Danyliw <rdd@cert.org>
> > Cc: The IESG <iesg@ietf.org>; draft-ietf-opsawg-sdi@ietf.org; OpsAWG-Chairs
> > <opsawg-chairs@ietf.org>; opsawg <opsawg@ietf.org>; Michael Richardson
> > <mcr+ietf@sandelman.ca>
> > Subject: Re: Roman Danyliw's Discuss on draft-ietf-opsawg-sdi-10: (with
> > DISCUSS and COMMENT)
> >
> > On Mon, May 18, 2020 at 6:20 PM Roman Danyliw via Datatracker
> > <noreply@ietf.org> wrote:
> > >
> > > Roman Danyliw has entered the following ballot position for
> > > draft-ietf-opsawg-sdi-10: Discuss
> > >
> > > When responding, please keep the subject line intact and reply to all
> > > email addresses included in the To and CC lines. (Feel free to cut
> > > this introductory paragraph, however.)
> > >
> > >
> > > Please refer to
> > > https://www.ietf.org/iesg/statement/discuss-criteria.html
> > > for more information about IESG DISCUSS and COMMENT positions.
> > >
> > >
> > > The document, along with other ballot positions, can be found here:
> > > https://datatracker.ietf.org/doc/draft-ietf-opsawg-sdi/
> > >
> > >
> > >
> > > ----------------------------------------------------------------------
> > > DISCUSS:
> > > ----------------------------------------------------------------------
> > >
> > > ** Section 3.2.  If keying material is being distributed as a
> > > certificate, do the expected behaviors of certificate process apply?
> > > For example, how is expiration handled?
> > >
> > > --  If a customer downloads a certificate from the publication server
> > > and it is expired, what should be done?
> > >
> > > -- If a certificate is loaded in the TPM of the device, should the
> > > client stop accepting configurations if it expires?
>
> The text in -11 works for me.  If you think there are alternatives to using X.509 in this reference architecture it might be worth mentioning.
>
> > > ** Section 4.3.  “After retrieving the config file, the device needs
> > > to determine if it is encrypted or not.  If it is not encrypted, the
> > > existing behavior is used.”  What downgrade protection is assumed or
> > recommended here.
> > > A rogue data center employee could re-target a DHCP response to a
> > > server of choice which provides only unencrypted, tainted
> > > configuration.  It would seem that a device expecting an encrypted
> > > configuration should not accepted unencrypted ones (or at least this should
> > be a policy consideration).
> > >
> >
> > Thank you very much for your review.
> >
> > I have addressed these (and below) in
> > https://github.com/wkumari/draft-wkumari-opsawg-
> > sdi/commit/22d2ad52983e03309796867db22b88a5960bf039
> > (and will be posting a new version of the draft soon, once I address other
> > comments as well).
> > For those following along at home, Roman kindly provided me some text to
> > clarify the above.
>
> For the downgrade issue noted above.  I think we need a little more text.  My concern is around the following text:
>
> Section 4.3:
> After retrieving the configuration file, the device needs to
> determine if it is encrypted or not. If it is not encrypted, the
> existing behavior is used.
>
> If a new device supports this architecture and the deployment environment supports it too (which should be known), but the device still gets an unencrypted config, that should be a sign of something suspicious.  I would envision language here that says that devices should abort.

Added: "If the device has been configured to only support encrypted
configuration
        and determines that the configuration file is not encrypted,
it should abort."

>
> > >
> > > ----------------------------------------------------------------------
> > > COMMENT:
> > > ----------------------------------------------------------------------
> > >
> > > ** I struggled a bit to understand where this solution was applicable.
> > > For
> > > example:
> > >
> > > Abstract: “This document extends existing auto-install / Zero-Touch
> > > Provisioning mechanisms to make the process more secure.”
> > >
> > > Section 1: “this document layers security onto existing auto-install
> > > solutions to provide a secure method to initially configure new devices”.
> > >
> > > -- Which “auto-install” and “zero touch provision mechanisms” is this
> > updating?
> >
> > I added some text to clean this up, and point at the archetype  - Cisco's
> > AutoInstall - https://www.cisco.com/c/en/us/td/docs/ios-
> > xml/ios/fundamentals/configuration/15mt/fundamentals-15-mt-book/cf-
> > autoinstall.html
> > It is by no means the only org which does this, but it has been around for a long
> > time, and is probably best known...
> >
> > >
> > > -- What exact preconditions are necessary to make this “solution”
> > > (reference
> > > architecture?) applicable?  Would this still be useful if the “auto-install”
> > > mechanism was encrypted?  What non-DHCP configurations should be
> > considered?
> > > Does the way the device identifier bind to the configuration matter?
> > > Because there is little specificity, it is difficult to review the security
> > properties.
> > >
> > > ** Per the Security Considerations, what new security services does
> > > this overlay provide?
> >
> > Added some text. Thank you!
> >
> > "This reference architecture is intended to incrementally improve upon
> >
> >    commonly accepted "auto-install" practices used today that may
> >    transmit configurations unencrypted (e.g., unencrypted config files
> >    which can be downloaded connecting to unprotected ports in
> >    datacenters, mailing initial config files on flash drives, or
> >    emailing config files and asking a third-party to copy and paste it
> >    over a serial terminal) or allow unrestricted access to these
> >    configurations.
> >
> >    This document describes an object level security design to provide
> >    confidentiality assurances for the configuration while it is in
> >    transit between the configuration server and the unprovisioned device
> >    even if the underly transport does not provide this security service.
> >
> >    The architecture provides no assurances about the source of the
> >    encrypted configuration or protect against theft and reuse of
> >    devices.
>
> Thanks for this update.  I think it is also worth adding that it protects configurations at rest on the config server.
>
> OLD
> This document describes an object level security design to provide
> confidentiality assurances for the configuration while it is in
> transit between the configuration server and the unprovisioned device
> even if the underly transport does not provide this security service.
>
> NEW
> This document describes an object level security design to provide
> confidentiality assurances for the configuration stored at rest on the configuration server; and for configuration while it is in
> transit between the configuration server and the unprovisioned device
> even if the underly transport does not provide this security service.

Thank you for providing text. Done (in GitHub -
https://github.com/wkumari/draft-wkumari-opsawg-sdi )

W

>
> Regards,
> Roman
>
> >
> > >
> > > ** Section 2.  Per “This document extends this (vendor specific) …”,
> > > what is “vendor specific” about this approach?
> > >
> > > ** Section 4.2. Per “The operator will then encrypt the initial
> > > configuration (for example, using SMIME [RFC5751]) using the key in
> > > the certificate, and place it on their TFTP server”, is this always a
> > > TFTP server, or is this only an example – I think this is an example?
> >
> > Ooh, yes. I changed it to "on their configuration server". Thank you!
> >
> > >
> > > ** Section 4.3.  Per “Give up, go home” in the figure, is there a
> > > retry procedure?  The text above states that “If it cannot decrypt the
> > > file, or if parsing the configurations fails, the device will either
> > > abort the auto-install process, or will repeat this process until it succeeds.”
> >
> > Good point - I should actually redo the diagram to include the retry, but I'm
> > also trying to keep it uncluttered. For now I just changed it to "Retry or Abort"
> > (this will show up in next commit)
> >
> > >
> > > ** Section 7.  Per “An attacker (e.g., a malicious datacenter
> > > employee)”, also a malicious shipping agent.
> > >
> > Good point. Added "e.g., a malicious datacenter employee, person in the supply
> > chain, etc.) "
> >
> > > ** Editorial
> > > -- Abstract.  Editorial. I would recommend generalized wording to
> > > replace the phrase ‘smart-hands’-type support.
> > >
> > > -- Section 1.  Editorial. “asking the smart-hands to …”, Recommend
> > > generalizing this reference.
> >
> > I changed it to "remote-hands" and remote support respectively. Thank you!
> >
> > >
> > > -- Section 1. Editorial. “not intended to be an ‘all singing, all dancing’
> > > fully featured system”, Recommend removing this colloquialism.
> >
> > Fair. Done.
> >
> > >
> > > -- Section 3.1. Typo. s/Each devices requires/Each device requires/
> >
> > DONE
> >
> > >
> > > -- Section 3.1.  Typo. s/cryptograthic/cryptographic/
> >
> > DONE
> >
> > >
> > > -- Section 4.3. Typo. s/dependant/dependent/
> >
> > DONE
> >
> > >
> > > -- Section 4.3. s/retrys/retries/
> >
> > DONE.
> >
> > I'm using VS Code as my XML editor at the moment, and it's lack of integrated
> > spell check exposes my poor typing skills :-)
> >
> > W
> > >
> > >
> > >
> >
> >
> > --
> > I don't think the execution is relevant when it was obviously a bad idea in the
> > first place.
> > This is like putting rabid weasels in your pants, and later expressing regret at
> > having chosen those particular rabid weasels and that pair of pants.
> >    ---maf



-- 
I don't think the execution is relevant when it was obviously a bad
idea in the first place.
This is like putting rabid weasels in your pants, and later expressing
regret at having chosen those particular rabid weasels and that pair
of pants.
   ---maf

v2.23.0 | Report a Bug | By Email