Re: [Rats] retrieving reference measurements
Henk Birkholz <henk.birkholz@sit.fraunhofer.de> Wed, 29 April 2020 16:29 UTC
Return-Path: <henk.birkholz@sit.fraunhofer.de>
X-Original-To: rats@ietfa.amsl.com
Delivered-To: rats@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E61D03A13F5 for <rats@ietfa.amsl.com>; Wed, 29 Apr 2020 09:29:53 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.899
X-Spam-Level:
X-Spam-Status: No, score=-1.899 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 8zxzdegnzoXl for <rats@ietfa.amsl.com>; Wed, 29 Apr 2020 09:29:50 -0700 (PDT)
Received: from mail-edgeKA27.fraunhofer.de (mail-edgeka27.fraunhofer.de [153.96.1.27]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 1D7723A13DA for <rats@ietf.org>; Wed, 29 Apr 2020 09:29:48 -0700 (PDT)
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: A2HpCQBBqqle/xoBYJlmHgEBCxIMQINxbgNVLyoKlHYtiXaPfYFnCwEBAQEBAQEBAQYBASMKAgQBAQKBToJ0AoIuJDgTAhABAQYBAQEBAQUEAgJphVYMg1R+AQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEPAg02HjcSAR4BAQEBAzIBBUEMBAsOAwQBAQEuIS4IBg0BBQIBAReDCwGCSwMtBQuyWnSBNIVQgnENYoE6BoE4jEEPgUw/gREnD4JaPoIeSQEBA4EtARIBCYYKBI5poihaSgeBS31/BIcQiyyEQiOCW40nBY0AkVyHdIJFkH0CBAIJAhWBaSNmcE0kgzhQGA2PEIcdhRSFRHICNAIGAQcBAQMJfJBeAYEKBQEB
X-IPAS-Result: A2HpCQBBqqle/xoBYJlmHgEBCxIMQINxbgNVLyoKlHYtiXaPfYFnCwEBAQEBAQEBAQYBASMKAgQBAQKBToJ0AoIuJDgTAhABAQYBAQEBAQUEAgJphVYMg1R+AQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEPAg02HjcSAR4BAQEBAzIBBUEMBAsOAwQBAQEuIS4IBg0BBQIBAReDCwGCSwMtBQuyWnSBNIVQgnENYoE6BoE4jEEPgUw/gREnD4JaPoIeSQEBA4EtARIBCYYKBI5poihaSgeBS31/BIcQiyyEQiOCW40nBY0AkVyHdIJFkH0CBAIJAhWBaSNmcE0kgzhQGA2PEIcdhRSFRHICNAIGAQcBAQMJfJBeAYEKBQEB
X-IronPort-AV: E=Sophos;i="5.73,332,1583190000"; d="scan'208";a="21571934"
Received: from mail-mtaka26.fraunhofer.de ([153.96.1.26]) by mail-edgeKA27.fraunhofer.de with ESMTP/TLS/DHE-RSA-AES256-GCM-SHA384; 29 Apr 2020 18:29:46 +0200
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: A0BGCwClqqle/1lIDI1mHQEBAQEJARIBBQUBQIFHgipuA1QwKgqUdi2Jdo99gWcLAQMBAQEBAQYBASMKAgQBAYFQgnQCgi0kOBMCEAEBBQEBAQIBBQRthVYMhXEBAQEBAzIBBUEMBAsOAwQBAQEuIS4IBg0BBQIBAReDCwGCSwMyC7JadIE0hVCCcQ1igToGgTiMQQ+BTD+BEScPglo+gh5JAQEDgS0BEgEJhgoEjmmiKFpKB4FLfX8EhxCLLIRCI4JbjScFjQCRXId0gkWQfQIEAgkCFYFpImZwTSSDOFAYDY8Qhx2FFIVEQTECNAIGAQcBAQMJfJBeAYEKBQEB
X-IronPort-AV: E=Sophos;i="5.73,332,1583190000"; d="scan'208";a="81231348"
Received: from mailext.sit.fraunhofer.de ([141.12.72.89]) by mail-mtaKA26.fraunhofer.de with ESMTP/TLS/DHE-RSA-AES256-GCM-SHA384; 29 Apr 2020 18:29:44 +0200
Received: from mail.sit.fraunhofer.de (mail.sit.fraunhofer.de [141.12.84.171]) by mailext.sit.fraunhofer.de (8.15.2/8.15.2/Debian-10) with ESMTPS id 03TGThvw012688 (version=TLSv1.2 cipher=ECDHE-RSA-AES128-SHA256 bits=128 verify=NOT); Wed, 29 Apr 2020 18:29:43 +0200
Received: from [192.168.16.50] (79.234.123.239) by mail.sit.fraunhofer.de (141.12.84.171) with Microsoft SMTP Server (TLS) id 14.3.487.0; Wed, 29 Apr 2020 18:29:38 +0200
To: Guy Fedorkow <gfedorkow@juniper.net>
CC: "rats@ietf.org" <rats@ietf.org>, Jessica Fitzgerald-McKay <jmfmckay@gmail.com>, William Bellingrath <wbellingrath@juniper.net>
References: <DM6PR05MB68895483D6F508C46748147FBAAD0@DM6PR05MB6889.namprd05.prod.outlook.com> <96c6bf0f-024d-972e-333f-edd288f3920f@sit.fraunhofer.de> <DM6PR05MB6889C3D6B8C636C2AD30D51FBAAD0@DM6PR05MB6889.namprd05.prod.outlook.com>
From: Henk Birkholz <henk.birkholz@sit.fraunhofer.de>
Message-ID: <7a3b2b24-3dca-202b-fb83-3af52be25ee5@sit.fraunhofer.de>
Date: Wed, 29 Apr 2020 18:29:37 +0200
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Thunderbird/68.7.0
MIME-Version: 1.0
In-Reply-To: <DM6PR05MB6889C3D6B8C636C2AD30D51FBAAD0@DM6PR05MB6889.namprd05.prod.outlook.com>
Content-Type: text/plain; charset="windows-1252"; format="flowed"
Content-Language: en-US
Content-Transfer-Encoding: 8bit
X-Originating-IP: [79.234.123.239]
Archived-At: <https://mailarchive.ietf.org/arch/msg/rats/G6dUTS3zPxrYzHroTXF17HDsSwU>
Subject: Re: [Rats] retrieving reference measurements
X-BeenThere: rats@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Remote ATtestation procedureS <rats.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/rats>, <mailto:rats-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/rats/>
List-Post: <mailto:rats@ietf.org>
List-Help: <mailto:rats-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/rats>, <mailto:rats-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 29 Apr 2020 16:30:01 -0000
Hi Guy, I think I misunderstood the intend of your initial question. I thought it was a "network isolation" question, but it is a "conveyance method" question, I think. CoSWID RIM tags use (and extend, actually), the payload-entry and therefore can be bundled in corresponding software/firmware packages that are updates. This is the reason why they are used in SUIT Manifests, too. If they are not included in a software package, they can be referred to via a MUD ULL / MUD File. MUD is simply a straight forward option to... point at device specific things. It is certainly not meant to be constraining options, it adds a increasingly popular one. Viele Grüße, Henk On 29.04.20 18:19, Guy Fedorkow wrote: > Hi Henk, > I understand that third-party RIMs could be used, but for embedded > equipment, it seems like the easiest path is to deliver the RIMs as part of > the vendor's software update package for the device. Operators have > well-worn procedures for getting software updates to devices; if the RIM is > just part of the package, they don't have to think about a new procedure at > all... > Maybe not for everyone, but it seems like it would be a common use-case... > Thanks > /guy > > > > Juniper Business Use Only > > -----Original Message----- > From: Henk Birkholz <henk.birkholz@sit.fraunhofer.de> > Sent: Wednesday, April 29, 2020 11:29 AM > To: Guy Fedorkow <gfedorkow@juniper.net> > Cc: rats@ietf.org; Jessica Fitzgerald-McKay <jmfmckay@gmail.com>; William > Bellingrath <wbellingrath@juniper.net> > Subject: Re: retrieving reference measurements > > [External Email. Be cautious of content] > > > Hi Guy, > > I think it would be strange for a network equipment device to expose a > potentially vulnerable management to the open internet, too :) > > Luckily, there will probably be a "higher level" constituent in the network > that an Attester's DevID can be presented to (typically this is or is close > to a device that is also a Verifier). And these systems generally have a way > to "reach out" to the internet. > > The typically already existing "path" to follow here is the way updates find > their way to a "network equipment device". If you are air-gap'ed or > completely isolated wrt every layer 2 topology, it may start to become a bit > tricky, but your are running around with usb sticks in hand to do updates > then, too. > > YANG is a big solution for big problems. But you can use a YANG server to > retrieve RIM that are stored on the Attester itself, of course. These > probably are outdated at some point and then leave you with the same > illustrated above, again. > > Viele Grüße, > > Henk > > > On 29.04.20 15:56, Guy Fedorkow wrote: >> Hi Henk, >> >> I see your proposal for identifying URIs for reference measurements in >> https://urldefense.com/v3/__https://tools.ietf.org/html/draft-birkholz >> -rats-mud-00__;!!NEt6yMaO-gk!WdyQ3vQ51adw93UKoSwWvgPFs4395vPIWLjuzRBiF >> gldobaQ_dLIeFbhOWan0kBLDLY$ >> >> I realize that some constrained devices may not want to do this, >> but do you think draft-charra could be extended to allow retrieval of >> the signed reference measurements directly from the device being >> attested, via the YANG / Netconf interface? >> >> Ironic as it may sound, I’m sure you know that many operators >> ensure that their internet routers cannot access the public internet. >> >> Thanks, >> >> /guy >> >> >> Juniper Business Use Only >>
- [Rats] retrieving reference measurements Guy Fedorkow
- Re: [Rats] retrieving reference measurements Henk Birkholz
- Re: [Rats] retrieving reference measurements Guy Fedorkow
- Re: [Rats] retrieving reference measurements Henk Birkholz
- Re: [Rats] retrieving reference measurements Eliot Lear
- Re: [Rats] retrieving reference measurements Panwei (William)
- Re: [Rats] retrieving reference measurements Henk Birkholz
- Re: [Rats] retrieving reference measurements Shwetha Bhandari (shwethab)