Re: [Rats] Pull request for the charra YANG model

"Bill Sulzen (bsulzen)" <bsulzen@cisco.com> Mon, 22 June 2020 14:33 UTC

From: "Bill Sulzen (bsulzen)" <bsulzen@cisco.com>
To: "Eric Voit (evoit)" <evoit@cisco.com>, "henk.birkholz@sit.fraunhofer.de" <henk.birkholz@sit.fraunhofer.de>, "michael.eckel@sit.fraunhofer.de" <michael.eckel@sit.fraunhofer.de>, "Shwetha Bhandari (shwethab)" <shwethab@cisco.com>, "frank.xialiang@huawei.com" <frank.xialiang@huawei.com>, "tom.laffey@hpe.com" <tom.laffey@hpe.com>, Guy Fedorkow <gfedorkow@juniper.net>
CC: "rats@ietf.org" <rats@ietf.org>
Date: Mon, 22 Jun 2020 14:33:15 +0000
Message-ID: <MN2PR11MB39016CB3B22D48F9F5796CCEB9970@MN2PR11MB3901.namprd11.prod.outlook.com>
References: <BL0PR11MB3122BBADA32A88AEFEB53E4FA1830@BL0PR11MB3122.namprd11.prod.outlook.com>
In-Reply-To: <BL0PR11MB3122BBADA32A88AEFEB53E4FA1830@BL0PR11MB3122.namprd11.prod.outlook.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/rats/IbJ2kBXPbDCF1UBJAwuQxEVTyhU>

Eric,

Regarding your issue:

* Most devices do not have multiple line cards. Because of that, we should not have nested keys of [node id] [tpm name]. This adds unnecessary complexity for the vast majority of users. Instead the tpm should have a mandatory leafref back to node-id when compute-nodes is not null.

As I read the updated attestation tree, there is still support for multiple TPMs in a given management plane (i.e. there is still support for multiple linecards, AKA "composite systems"). But if a given linecard/node within a management plane entity, then they would have to be differentiated by tpm-name rather than by node-id. Is that correct?

Thanks,

Bill


From: Eric Voit (evoit)
Sent: Wednesday, June 10, 2020 12:18 PM
To: henk.birkholz@sit.fraunhofer.de; michael.eckel@sit.fraunhofer.de; Shwetha Bhandari (shwethab) <shwethab@cisco.com>; Bill Sulzen (bsulzen) <bsulzen@cisco.com>; frank.xialiang@huawei.com; tom.laffey@hpe.com; Guy Fedorkow <gfedorkow@juniper.net>
Cc: rats@ietf.org
Subject: Pull request for the charra YANG model


Henk, Michael, Shwetha, Bill, Frank, Tom, Guy,


As authors of the Charra YANG model, I wanted to let you know I have created a pull request <https://github.com/ietf-rats-wg/basic-yang-module/pull/8/files>. I am proposing some fixes due to a number of concerns <https://github.com/ietf-rats-wg/basic-yang-module/issues/6> I had about the YANG model:


* PCR numbers should be their own type, not a UINT8. PCRs should be limited to [0..31].
* We should use ENUMs instead of strings for TCG and IETF crypto algorithm types. Strings allow lots of errors to be introduced, which we can protect against using a larger, more detailed ENUM construct.
* Most devices do not have multiple line cards. Because of that, we should not have nested keys of [node id] [tpm name]. This adds unnecessary complexity for the vast majority of users. Instead the tpm should have a mandatory leafref back to node-id when compute-nodes is not null.
* The YANG doctors will not let us have a TPM-Name of "ALL". Instead of "ALL", we should be able to assume that an RPC means all hardware-based TPMs if a specific TPM is not named in the RPC.
* We should add a leaf for a unique 'certificate-name'. This allows for a cleaner certificate migration path, and most RPC users won't need to track node-ids.
* We should have optional YANG features for TPM1.2 and TPM2.0 so that RPCs are not exposed when no TPMs of that type are supported.
* We should create new reusable groupings rather than repeat definitions.

If you guys have suggestions and improvements for this pull request, that would be great. I also think the netequip boot pull request <https://github.com/ietf-rats-wg/basic-yang-module/pull/5> can be integrated.


Thanks,

Eric
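As an added illustration (not the charra model, the pull request's code, or anything from the authors above), a small YANG module sketching how several of the bulleted proposals can be expressed: a PCR-index typedef bounded to [0..31], an enumeration in place of free-form algorithm strings, a TPM 2.0 feature gating its RPC, omission of tpm-name meaning "all TPMs" instead of a reserved "ALL", and a leafref from tpm to node-id that is only required when compute nodes exist. The module name, namespace, prefix, and every node and enum name here are assumed for the example.

```yang
module example-tpm-attest {
  yang-version 1.1;
  namespace "urn:example:tpm-attest";   // assumed namespace, not the charra module's
  prefix exta;

  feature tpm20 {
    description "Advertised only when a TPM 2.0 is present, so TPM 2.0 RPCs are not exposed otherwise.";
  }
  typedef pcr-index {
    type uint8 {
      range "0..31";                     // dedicated type bounded to [0..31], not a bare uint8
    }
  }
  typedef hash-algorithm {
    type enumeration {                   // closed enumeration instead of a free-form string
      enum sha1;
      enum sha256;
      enum sha384;
    }
  }
  container compute-nodes {
    list compute-node {
      key "node-id";
      leaf node-id { type string; }
    }
  }

  container tpms {
    list tpm {
      key "tpm-name";                    // single key; no nested [node-id][tpm-name]
      // node-id is mandatory only when compute nodes (line cards) are configured
      must "count(/exta:compute-nodes/exta:compute-node) = 0 or exta:node-id" {
        error-message "node-id is required when compute nodes are configured";
      }
      leaf tpm-name { type string; }
      leaf node-id { type leafref { path "/exta:compute-nodes/exta:compute-node/exta:node-id"; } }
    }
  }

  rpc tpm20-challenge-response {
    if-feature "tpm20";                  // RPC disappears from the advertised schema without a TPM 2.0
    input {
      leaf tpm-name {
        type leafref { path "/exta:tpms/exta:tpm/exta:tpm-name"; }
        description "Omitting this leaf addresses every TPM 2.0 on the device; no reserved name 'ALL'.";
      }
      leaf-list pcr-index { type pcr-index; }
      leaf hash-algorithm { type hash-algorithm; }
    }
  }
}
```

Validating with a YANG compiler such as pyang would reject a pcr-index of 32 or an unknown algorithm string at the schema level, which is the error-prevention the enum and range proposals aim at.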