Re: [Rats] 802.1AR device identity

"Smith, Ned" <ned.smith@intel.com> Wed, 10 March 2021 19:02 UTC

From: "Smith, Ned" <ned.smith@intel.com>
To: Guy Fedorkow <gfedorkow=40juniper.net@dmarc.ietf.org>, Laurence Lundblade <lgl@island-resort.com>
CC: "rats@ietf.org" <rats@ietf.org>
Date: Wed, 10 Mar 2021 19:02:36 +0000
Message-ID: <D197C29D-95C4-4696-BE22-703E14DFFE35@intel.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/rats/JDCPzqRLGE7sSr0_NWpPqrz0wV4>
List-Id: Remote ATtestation procedureS <rats.ietf.org>

The 802.1AR spec doesn’t AFAIK require IDevIDs that can’t change. But not certain. It says things like:

A device’s DevID module stores each of its DevID secrets securely and supports signing operations that prove possession of the secret (and thus that the device is the subject of the associated DevID certificate), while ensuring that the secret remains confidential so the device cannot be impersonated by others.

An Initial Device Identifier (IDevID) provided by a device’s supplier can be supplemented by one or more Local Device Identifiers (LDevIDs), each using an existing or a freshly generated secret, facilitating enrollment (provisioning of authentication and authorization credentials to authenticated devices) by a local network administrator.

A device with DevID capability incorporates a globally unique manufacturer provided Initial Device Identifier (IDevID), stored in a way that protects it from modification.

LDevIDs can also be used as the sole identifier (by disabling the IDevID) to assure the privacy of the user of a DevID and the equipment in which it is installed.

-Ned
From: RATS <rats-bounces@ietf.org> on behalf of Guy Fedorkow <gfedorkow=40juniper.net@dmarc.ietf.org>
Date: Wednesday, March 10, 2021 at 7:59 AM
To: Laurence Lundblade <lgl@island-resort.com>
Cc: "rats@ietf.org" <rats@ietf.org>
Subject: [Rats] 802.1AR device identity

Hi Laurence,
  We talked about device identity on the RATS call today.
  For RIV, we’re relying on this IEEE spec:
https://1.ieee802.org/security/802-1ar/
  That spec defines Initial and Local Device Identities.  Initial DevID is set by the manufacturer and can’t be changed or replaced, while the Local DevID can be set and erased by the owner of the gear.
  The spec doesn’t address deciding which identity to use for any specific application, but the intent clearly is to allow the owner to use the manufacturer-supplied identity to install an owner-specific identity in a device, and erase the owner-specific identity leaving the manufacturer identity in place when the device is decommissioned.

  Many different specs must have examined this problem, but of course it never hurts to re-use some of these ideas where possible.
  Thx
/guy

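The IDevID/LDevID lifecycle that both messages describe, as an added example that is not part of either message, of 802.1AR itself, or of the RIV draft: a supplier-issued IDevID whose secret never leaves the device, a local administrator who authenticates the device through an IDevID proof of possession before certifying a freshly generated LDevID secret, a relying party that checks both the certificate chain and the signature, and a decommission step that erases the LDevIDs and leaves the IDevID in place. It follows Guy's reading that the IDevID is immutable (Ned notes the spec may not strictly require that), models each CA as a self-signed identity, and uses only Go's standard crypto/x509 library; the CA names, serial numbers and nonce are constructed for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// devID pairs a secret held inside the DevID module with its certificate;
// a CA (the supplier or the local owner) is modelled as a self-signed devID.
type devID struct {
	key  *ecdsa.PrivateKey
	cert *x509.Certificate
}

// newDevID generates a secret that never leaves the module and has issuer
// certify its public half; issuer == nil yields a self-signed CA.
func newDevID(name string, issuer *devID) (*devID, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()), // constructed; unique enough in memory
		Subject:      pkix.Name{CommonName: name},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
	}
	parent, signer := tmpl, key // self-signed unless an issuer is given
	if issuer != nil {
		parent, signer = issuer.cert, issuer.key
	} else {
		tmpl.IsCA, tmpl.BasicConstraintsValid, tmpl.KeyUsage = true, true, x509.KeyUsageCertSign
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, signer)
	if err != nil {
		return nil, err
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, err
	}
	return &devID{key: key, cert: cert}, nil
}

// sign is the module's signing operation: proof of possession without disclosing the secret.
func (d *devID) sign(msg []byte) ([]byte, error) {
	h := sha256.Sum256(msg)
	return ecdsa.SignASN1(rand.Reader, d.key, h[:])
}

// verifyPossession is the relying party's check: cert must chain to root, and
// sig must verify over msg under cert's public key.
func verifyPossession(root, cert *x509.Certificate, msg, sig []byte) error {
	roots := x509.NewCertPool()
	roots.AddCert(root)
	opts := x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}}
	if _, err := cert.Verify(opts); err != nil {
		return fmt.Errorf("DevID certificate not trusted: %w", err)
	}
	if err := cert.CheckSignature(x509.ECDSAWithSHA256, msg, sig); err != nil {
		return fmt.Errorf("proof of possession failed: %w", err)
	}
	return nil
}

// device models a DevID module: one IDevID fixed at manufacture (assumed
// immutable here) plus owner-controlled LDevIDs keyed by name.
type device struct {
	idevID  *devID
	ldevIDs map[string]*devID
}

// enrollLDevID is the owner-side procedure: the device signs the owner's nonce
// with its IDevID, the owner checks that against the supplier root it trusts,
// and only then certifies a freshly generated LDevID secret.
func enrollLDevID(dev *device, owner *devID, supplierRoot *x509.Certificate, name string, nonce []byte) error {
	sig, err := dev.idevID.sign(nonce)
	if err != nil {
		return err
	}
	if err := verifyPossession(supplierRoot, dev.idevID.cert, nonce, sig); err != nil {
		return fmt.Errorf("enrollment rejected: %w", err)
	}
	ldev, err := newDevID("LDevID "+name, owner)
	if err != nil {
		return err
	}
	dev.ldevIDs[name] = ldev
	return nil
}

// decommission erases the owner-specific identities; the IDevID remains.
func (dev *device) decommission() { dev.ldevIDs = map[string]*devID{} }
```

To exercise it, build the supplier and owner CAs with `newDevID(name, nil)`, create the IDevID with the supplier as issuer, wrap it in a `device`, and call `enrollLDevID`. The chain check is the point to notice: an LDevID certificate verifies only under the owner's root and an IDevID only under the supplier's root, so a verifier that trusts one does not silently accept the other, and an enrollment request whose IDevID does not chain to a supplier root the owner trusts is refused before any LDevID is issued. The "disable the IDevID" privacy option from the spec quote is not modelled.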