Re: [Rats] Charra v03? -- Ready for YANG Doctor review?

"Panwei (William)" <william.panwei@huawei.com> Sat, 10 October 2020 03:35 UTC

Return-Path: <william.panwei@huawei.com>
X-Original-To: rats@ietfa.amsl.com
Delivered-To: rats@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 8F8D23A00E3 for <rats@ietfa.amsl.com>; Fri, 9 Oct 2020 20:35:19 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Level:
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, RCVD_IN_MSPIKE_H2=-0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id vHeT30_hPsOP for <rats@ietfa.amsl.com>; Fri, 9 Oct 2020 20:35:17 -0700 (PDT)
Received: from huawei.com (lhrrgout.huawei.com [185.176.76.210]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id DA8783A00E0 for <rats@ietf.org>; Fri, 9 Oct 2020 20:35:16 -0700 (PDT)
Received: from lhreml743-chm.china.huawei.com (unknown [172.18.7.108]) by Forcepoint Email with ESMTP id 4D445DCCC805C732F5FD for <rats@ietf.org>; Sat, 10 Oct 2020 04:35:15 +0100 (IST)
Received: from nkgeml704-chm.china.huawei.com (10.98.57.158) by lhreml743-chm.china.huawei.com (10.201.108.193) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256) id 15.1.1913.5; Sat, 10 Oct 2020 04:35:14 +0100
Received: from nkgeml705-chm.china.huawei.com (10.98.57.154) by nkgeml704-chm.china.huawei.com (10.98.57.158) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256) id 15.1.1913.5; Sat, 10 Oct 2020 11:35:12 +0800
Received: from nkgeml705-chm.china.huawei.com ([10.98.57.154]) by nkgeml705-chm.china.huawei.com ([10.98.57.154]) with mapi id 15.01.1913.007; Sat, 10 Oct 2020 11:35:12 +0800
From: "Panwei (William)" <william.panwei@huawei.com>
To: Guy Fedorkow <gfedorkow@juniper.net>
CC: "rats@ietf.org" <rats@ietf.org>, "Eric Voit (evoit)" <evoit@cisco.com>
Thread-Topic: Charra v03? -- Ready for YANG Doctor review?
Thread-Index: AdaN+Mh0COkr7bssS32ju+PDTl/lwQB5ylgQAA28UhAAKB+9UAAUrTzAA1A1CXAAGlnmoA==
Date: Sat, 10 Oct 2020 03:35:11 +0000
Message-ID: <2af5a135f708428eb15dc3fea34ccadd@huawei.com>
References: <BYAPR11MB3125AFA653F91CDE62D8FE61A13F0@BYAPR11MB3125.namprd11.prod.outlook.com> <5c2c03297a834ca3b5bb3a4ed7d2b2b3@huawei.com> <MW2SPR01MB00288E073A1CD18F8B5F2023A13A0@MW2SPR01MB0028.namprd11.prod.outlook.com> <31412534a97a4f90bbdfa8dafce945ef@huawei.com> <BYAPR11MB3125C80A1036D6F82D0A0D4FA1320@BYAPR11MB3125.namprd11.prod.outlook.com> <BLAPR05MB73788B16210272DA322C6A31BA080@BLAPR05MB7378.namprd05.prod.outlook.com>
In-Reply-To: <BLAPR05MB73788B16210272DA322C6A31BA080@BLAPR05MB7378.namprd05.prod.outlook.com>
Accept-Language: zh-CN, en-US
Content-Language: zh-CN
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [10.136.99.125]
Content-Type: multipart/alternative; boundary="_000_2af5a135f708428eb15dc3fea34ccaddhuaweicom_"
MIME-Version: 1.0
X-CFilter-Loop: Reflected
Archived-At: <https://mailarchive.ietf.org/arch/msg/rats/9FU_4vjMW60NWSlz10tbwRUkRiI>
Subject: Re: [Rats] Charra v03? -- Ready for YANG Doctor review?
X-BeenThere: rats@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Remote ATtestation procedureS <rats.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/rats>, <mailto:rats-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/rats/>
List-Post: <mailto:rats@ietf.org>
List-Help: <mailto:rats-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/rats>, <mailto:rats-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 10 Oct 2020 03:35:20 -0000

Hi Guy,

I didn't intent to bring the details of vTPM into CHARRA, and I just wanted to use it as an example to illustrate the potential log volume issue. But anyway, thanks for pointing out that to me.

Regards & Thanks!
Wei Pan

From: Guy Fedorkow [mailto:gfedorkow@juniper.net]
Sent: Friday, October 9, 2020 10:51 PM
To: Panwei (William) <william.panwei@huawei.com>
Cc: rats@ietf.org; Eric Voit (evoit) <evoit@cisco.com>
Subject: RE: Charra v03? -- Ready for YANG Doctor review?

Hi Wei Pan,
  As Eric says, the vTPM in isolation is not so hard, but it has a number of thorny questions relating the vTPM to underlying hardware.  Although I know there are some restrictions in access, but the TCG has a Virtual Platform Work Group dedicated to examining these issues and proposing solutions that balance security and flexibility.  If it's possible, it might be good to get involved with that work...
  Thanks
/guy




Juniper Business Use Only
From: Eric Voit (evoit) <evoit@cisco.com<mailto:evoit@cisco.com>>
Sent: Tuesday, September 29, 2020 8:16 AM
To: Panwei (William) <william.panwei@huawei.com<mailto:william.panwei@huawei.com>>; draft-ietf-rats-yang-tpm-charra@ietf.org<mailto:draft-ietf-rats-yang-tpm-charra@ietf.org>
Cc: draft-ietf-rats-yang-tpm-charra.chairs@ietf.org<mailto:draft-ietf-rats-yang-tpm-charra.chairs@ietf.org>
Subject: RE: Charra v03? -- Ready for YANG Doctor review?

Hi Wei Pan,

One vTPM can be handled without a volume issue.  But if we are talking lots of vTPMs, then we should examine the business purpose here.  One possibility you mention below is VNF.  A subset of the VNF is that you have vTPM serving a logical router. Certainly many vTPMs like this can increase the volume. However other significant changes will be needed before we can do a meaningful attestation of a vTPM per logical routing.  This will include:

  *   Being able to prove that a vTPM is *currently* bound to a specific physical device (potentially an x86 server.)
  *   Being able to get the attestation information about the physical device (this requires a business relationship with the hardware operator.)
  *   Proving that there is no MITM software between a virtual router and a physical device.

The Charra model is not in a position to handle the full set of virtual device requirements yet.  Nor is draft-ietf-rats-tpm-based-network-device-attest documenting these operating requirements.

As a result what we can do right now is ensure that we don't preclude what you say below.  I.e., we don't preclude "compressing the log records into a file and transferring the file by using some file transfer protocol".

I don't see anything in the current Charra which should limit sending log messages in other transports, not anything which would preclude.  Nor anything which would preclude "compressing the log records into a file and transferring the file by using some file transfer protocol".   So I don't think we are limiting future solutions with the current Charra definition.

So I think it is safe not to worry about the volume question right now.  Perhaps we should start with new drafts once the VNF topic becomes more pressing?

Thoughts?
Eric


From: Panwei, September 22, 2020 8:43 AM
Hi Eric,

For IMA and Network Equipment Boot, the log is essential for the appraisal. Because the Known Good Values are for the files and not directly for the PCRs, and the Verifier needs the log to simulate the extending processes and compare the result with the PCR values received from the Attester.
The logs have the possibility of being very large. For example, in the VNF scenario, the Attester has the ability to launch many virtual machines that have their vTPMs. If one Attester has 1024 virtual machines, each virtual machine has 1024 files to be loaded and measured, and each file has a 100bytes~ log record, then the whole log will exceed 100Mbytes.
I know to address this issue there are other ways rather than NETCONF. One simple choice I assume is that we can add an optional element 'log-file-name' in the log output RPC, when the Attester uses this element it doesn't need to send the log entries in this RPC and indicates to the Verifier that the Verifier can retrieve the log file later by some other file transfer means. In my thinking, this method is quite simple and no big change, while also increases the interoperability. But I don't know how do you feel about it?

Regards & Thanks!
Wei Pan

From: Eric Voit (evoit) [mailto:evoit@cisco.com]
Sent: Monday, September 21, 2020 9:25 PM
To: Panwei (William) <william.panwei@huawei.com<mailto:william.panwei@huawei.com>>; draft-ietf-rats-yang-tpm-charra@ietf.org<mailto:draft-ietf-rats-yang-tpm-charra@ietf.org>
Cc: draft-ietf-rats-yang-tpm-charra.chairs@ietf.org<mailto:draft-ietf-rats-yang-tpm-charra.chairs@ietf.org>
Subject: RE: Charra v03? -- Ready for YANG Doctor review?

Hello Wei Pan,

I am hoping this is not an issue for the Charra model for several reasons:


  *   The speed at which a TPM can do extend operations is hardware limited.  As a result I hope we don't see massively large logs.  (I am hoping that IMA logs are as large as we are ever going to get.)
  *   Code on the Attester should be able to do some pre-filtering on the types of information which might make it into a PCR.   Not everything needs to be measured.
  *   Where there does need to be *a lot* of record interpretation, there will be more need for vendor specific Verifiers.  (This is in contrast with things like Known Good Values, which can be published to many Verifiers.)
  *   There are many other ways to get large logs which are not NETCONF based.   We can always standardize choices beyond NETCONF if there is a business need for such interoperability.

Thanks,
Eric

From: Panwei (William), September 21, 2020 3:20 AM
Hi Eric, authors,

Thanks for your updating. I have one comment but not coming from your revising of the YANG model.

I have mentioned a potential scalability issue before (https://mailarchive.ietf.org/arch/msg/rats/qFq91oujxykEqBGYIW3N8ljaN68/), but unfortunately there was no more discussion about it.
The situation I'm concerned about is that when the number of log records is too many, transferring them directly using the NETCONF RPCs may be a problem because it's not so efficient. The bandwidth would be heavily consumed, and other management messages may be interfered.
I know there may be some methods to address this issue, for example, compressing the log records into a file and transferring the file by using some file transfer protocols. But these methods also need interoperability between the Attester and Verifier. So I don't know whether CHARRA draft should give a standard way to address the issue.

Regards & Thanks!
Wei Pan

From: Eric Voit (evoit) [mailto:evoit@cisco.com]
Sent: Saturday, September 19, 2020 4:31 AM
To: draft-ietf-rats-yang-tpm-charra@ietf.org<mailto:draft-ietf-rats-yang-tpm-charra@ietf.org>; Panwei (William) <william.panwei@huawei.com<mailto:william.panwei@huawei.com>>
Cc: draft-ietf-rats-yang-tpm-charra.chairs@ietf.org<mailto:draft-ietf-rats-yang-tpm-charra.chairs@ietf.org>
Subject: Charra v03? -- Ready for YANG Doctor review?

Hi Co-authors,

I just did some minor scrubbing, and added text describing  various elements of the YANG model within the mainline Charra text.

The compiled draft hasn't been merged from the pull requests<https://github.com/ietf-rats-wg/basic-yang-module/pulls> in the main repository yet.   But if/when the merging is done, it should look something like:
https://github.com/ericvoit/basic-yang-module/blob/master/draft-ietf-rats-yang-tpm-charra.txt

I believe the draft is ready for initial review by the YANG doctors.  I also believe this version is ready for posting as v03.

Any thoughts/comments/objections?

Eric