Re: [Rats] retrieving reference measurements

Henk Birkholz <henk.birkholz@sit.fraunhofer.de> Wed, 29 April 2020 15:29 UTC

To: Guy Fedorkow <gfedorkow@juniper.net>
CC: "rats@ietf.org" <rats@ietf.org>, Jessica Fitzgerald-McKay <jmfmckay@gmail.com>, William Bellingrath <wbellingrath@juniper.net>
References: <DM6PR05MB68895483D6F508C46748147FBAAD0@DM6PR05MB6889.namprd05.prod.outlook.com>
From: Henk Birkholz <henk.birkholz@sit.fraunhofer.de>
Message-ID: <96c6bf0f-024d-972e-333f-edd288f3920f@sit.fraunhofer.de>
Date: Wed, 29 Apr 2020 17:29:21 +0200
Archived-At: <https://mailarchive.ietf.org/arch/msg/rats/33vc6hJ7q-EBxXJUmtMy9zTUdC0>

Hi Guy,

I think it would be strange for a network equipment device to expose a 
potentially vulnerable management to the open internet, too :)

Luckily, there will probably be a "higher level" constituent in the 
network that an Attester's DevID can be presented to (typically this is 
or is close to a device that is also a Verifier). And these systems 
generally have a way to "reach out" to the internet.

The typically already existing "path" to follow here is the way updates 
find their way to a "network equipment device". If you are air-gapped or 
completely isolated wrt every layer 2 topology, it may start to become a 
bit tricky, but you are running around with usb sticks in hand to do 
updates then, too.

YANG is a big solution for big problems. But you can use a YANG server 
to retrieve RIMs that are stored on the Attester itself, of course. These 
probably are outdated at some point and then leave you with the same 
situation illustrated above, again.

Best regards,

Henk
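As an added illustration (not code from either message, draft-charra or draft-birkholz-rats-mud), the sketch below shows a Verifier handling the two RIM sources discussed: a signed RIM bundle stored on the Attester and retrieved over its management interface, and a fresh one fetched from the MUD-referenced URI. The record layout, the `not_after` field and the HMAC stand-in for the RIM signer's signature are constructed assumptions; the point is that the on-device copy is only trusted while its signature verifies and it has not expired.

```python
# Added example: Verifier-side selection of reference measurements (RIMs).
# Record layout, field names and the HMAC "signature" are constructed stand-ins,
# not the format of any RATS draft; a real deployment would use the signer's
# public key and the RIM format its supply chain actually ships.
import hashlib
import hmac
import json
from datetime import datetime, timezone

RIM_SIGNER_KEY = b"constructed-rim-signer-key"  # stand-in for the signer's key


def sign_rim(rim):
    """Produce a signed bundle over the canonical JSON form of the RIM."""
    body = json.dumps(rim, sort_keys=True).encode()
    return {"rim": rim, "sig": hmac.new(RIM_SIGNER_KEY, body, hashlib.sha256).hexdigest()}


def rim_is_valid(bundle, now):
    """A bundle is usable only if the signature verifies and it has not expired."""
    body = json.dumps(bundle["rim"], sort_keys=True).encode()
    expected = hmac.new(RIM_SIGNER_KEY, body, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, bundle["sig"]):
        return False
    return now <= datetime.fromisoformat(bundle["rim"]["not_after"])


def select_rim(on_device, fetch_remote, now):
    """Prefer the Attester-supplied RIM while it is valid; otherwise fall back to
    the source reachable from the Verifier side (fetch_remote is a callable)."""
    if on_device is not None and rim_is_valid(on_device, now):
        return on_device["rim"]
    remote = fetch_remote()
    if remote is not None and rim_is_valid(remote, now):
        return remote["rim"]
    return None  # no trustworthy reference values: appraisal cannot proceed


def appraise(evidence, rim):
    """Every measured component must match the reference digest."""
    return all(evidence.get(c) == d for c, d in rim["digests"].items())


# Constructed sample data: the RIM left on the device expired months ago.
NOW = datetime(2020, 4, 29, tzinfo=timezone.utc)
STALE_ON_DEVICE = sign_rim({"version": "19.4", "not_after": "2020-01-01T00:00:00+00:00",
                            "digests": {"boot": "aaaa", "os": "bbbb"}})
FRESH_REMOTE = sign_rim({"version": "20.1", "not_after": "2021-01-01T00:00:00+00:00",
                         "digests": {"boot": "aaaa", "os": "cccc"}})
EVIDENCE = {"boot": "aaaa", "os": "cccc"}  # constructed measurements from the Attester


def demo():
    rim = select_rim(STALE_ON_DEVICE, lambda: FRESH_REMOTE, NOW)
    return rim["version"], appraise(EVIDENCE, rim)
```

Run `demo()` to see the stale on-device copy rejected and the appraisal succeed against the freshly fetched RIM; if neither source is valid, `select_rim` returns `None` rather than appraising against outdated values.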


On 29.04.20 15:56, Guy Fedorkow wrote:
> Hi Henk,
> 
> I see your proposal for identifying URIs for reference measurements in 
> https://tools.ietf.org/html/draft-birkholz-rats-mud-00
> 
>    I realize that some constrained devices may not want to do this, but 
> do you think draft-charra could be extended to allow retrieval of the 
> signed reference measurements directly from the device being attested, 
> via the YANG / Netconf interface?
> 
>    Ironic as it may sound, I’m sure you know that many operators ensure 
> that their internet routers cannot access the public internet.
> 
>    Thanks,
> 
> /guy
> 