Re: [Rats] Call for adoption (after draft rename) for Yang module draft

Dave Thaler <dthaler@microsoft.com> Wed, 13 November 2019 00:56 UTC

Return-Path: <dthaler@microsoft.com>
X-Original-To: rats@ietfa.amsl.com
Delivered-To: rats@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id AECFE1200C1 for <rats@ietfa.amsl.com>; Tue, 12 Nov 2019 16:56:39 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2
X-Spam-Level:
X-Spam-Status: No, score=-2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=microsoft.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id FqZrMp6wP2Qk for <rats@ietfa.amsl.com>; Tue, 12 Nov 2019 16:56:36 -0800 (PST)
Received: from NAM01-BN3-obe.outbound.protection.outlook.com (mail-eopbgr740097.outbound.protection.outlook.com [40.107.74.97]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 595C7120091 for <rats@ietf.org>; Tue, 12 Nov 2019 16:56:36 -0800 (PST)
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=NbHqbA5PEnz600ATOyv/ICn6GYt2l4uXnbDP2yIq03R75ON7vsceGo1QfUJEpyyzPcUAgRjwHX0S/8l2b/KFbpZgecqbrGxBl4c1nUcq9Q3CsZSeS3AugdotLRpmLY9aFoaVeMzm1MdGfF/fQMKE+Uj3ZdvzKjeKWecULUWjCJHsiphKHU6Y+e8G48qr41boc0q38SQYG8tDYafOzrWTBJiM9qtu2TqbQG5ZDX1tgGkmVVNW3ZiJKssYVmMQVAhnodaPHNKXlCOYHta+qJBc3Wl5io5AGMcn7T5E3+TPdAiwsbtj1xujuEk+KVgXeFy0TRCS5cQWV5JhxPApvU8GRg==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=kwHo10WqoI1TsbtVaNCAhryr57jzyqsPIpH27xH/4jE=; b=Pn6hoqIxxmaM6Uos0gUeQ0+hG67WIYlonwxvN9lHH8rjisFSjyRhHUGZs+wFzcRR0NM01rXzj6mH5vb0+Wgdb6AimepmHC9r5cNPTQYxGRnpuhWrtiqtuWafUsnMkJbk8NsPNj2GpXCyY355R2KV3ZQLtmIv9l4SkrLsuwQWoh+s2OkqL8MKep/7PZ/kDciQ9VPyoIqdAwkUW+Q1l3s/tgoFIRO7wcXLHMouP8y2GGNWKAizTJ78XLz5oOjLRFfdjAfLAjE/dyWIcnEE+LJlk5oKHk1QkwpxhvauQY+/e399ITqj+ttWQg51wN2JLHozExUJzqz6lR1RGXYVQCYbag==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=microsoft.com; dmarc=pass action=none header.from=microsoft.com; dkim=pass header.d=microsoft.com; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=selector2; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=kwHo10WqoI1TsbtVaNCAhryr57jzyqsPIpH27xH/4jE=; b=IbD7VqALGTLCEjimY44hJkzBJUq8v1gdS5WSpgrgRZyDadaWKJVGmQGGA+3av3WdsH0+JIDfdkl2PxDhXz928J7OengzKetjmLfmGeli4YUD4L522oaXmP/S9lxXwfXrJJdqDVlAF+zV2/+rvb8OdgFQgKHsc3RP4IGoN2eBvE8=
Received: from MWHPR21MB0784.namprd21.prod.outlook.com (10.173.51.150) by MWHPR21MB0751.namprd21.prod.outlook.com (10.173.51.13) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.2451.11; Wed, 13 Nov 2019 00:56:31 +0000
Received: from MWHPR21MB0784.namprd21.prod.outlook.com ([fe80::8d41:8f86:8654:8439]) by MWHPR21MB0784.namprd21.prod.outlook.com ([fe80::8d41:8f86:8654:8439%12]) with mapi id 15.20.2474.001; Wed, 13 Nov 2019 00:56:31 +0000
From: Dave Thaler <dthaler@microsoft.com>
To: Laurence Lundblade <lgl@island-resort.com>
CC: "Smith, Ned" <ned.smith@intel.com>, "Oliver, Ian (Nokia - FI/Espoo)" <ian.oliver@nokia-bell-labs.com>, "Nancy Cam-Winget (ncamwing)" <ncamwing@cisco.com>, "rats@ietf.org" <rats@ietf.org>, Henk Birkholz <henk.birkholz@sit.fraunhofer.de>
Thread-Topic: [Rats] Call for adoption (after draft rename) for Yang module draft
Thread-Index: AQHVlCwI8/lytau3hU+AhCwtIdg/0ad+jL2AgAAHhQCAAAO1AIAF46wAgACM2YCAAJAzgIAAtdsAgAB9XUCAAEfhAIABOB8A
Date: Wed, 13 Nov 2019 00:56:31 +0000
Message-ID: <MWHPR21MB07844205580533759AF4C3FAA3760@MWHPR21MB0784.namprd21.prod.outlook.com>
References: <8B173958-FC2A-4D1D-A81C-F324AB632CD7@cisco.com> <147F9159-6055-4E55-ABDC-43DFE3498BF1@island-resort.com> <ce5f8206-74dc-36bb-0093-a93045d5c67f@sit.fraunhofer.de> <0A7E3A4F-8534-4E98-BCB7-1454E07699F4@island-resort.com> <C3AE2645-49C8-4313-BCED-02FEB576B614@cisco.com> <1C8A1884-A37D-45E3-8C11-2FC5A083B245@island-resort.com> <HE1PR0702MB375366C5F7FE5C497C35D73B8F740@HE1PR0702MB3753.eurprd07.prod.outlook.com> <7106C9D3-8ED1-419E-81F8-4CDA799BEDAE@intel.com> <MWHPR21MB07844F61BEFAE03F9E7DD290A3770@MWHPR21MB0784.namprd21.prod.outlook.com> <9D447837-954B-4717-B4EC-22FE9A5EF36B@island-resort.com>
In-Reply-To: <9D447837-954B-4717-B4EC-22FE9A5EF36B@island-resort.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
msip_labels: MSIP_Label_f42aa342-8706-4288-bd11-ebb85995028c_Enabled=True; MSIP_Label_f42aa342-8706-4288-bd11-ebb85995028c_SiteId=72f988bf-86f1-41af-91ab-2d7cd011db47; MSIP_Label_f42aa342-8706-4288-bd11-ebb85995028c_Owner=dthaler@ntdev.microsoft.com; MSIP_Label_f42aa342-8706-4288-bd11-ebb85995028c_SetDate=2019-11-13T00:56:31.2432067Z; MSIP_Label_f42aa342-8706-4288-bd11-ebb85995028c_Name=General; MSIP_Label_f42aa342-8706-4288-bd11-ebb85995028c_Application=Microsoft Azure Information Protection; MSIP_Label_f42aa342-8706-4288-bd11-ebb85995028c_ActionId=5eec0ca3-330b-4a6f-9c24-a1fe8c673ce5; MSIP_Label_f42aa342-8706-4288-bd11-ebb85995028c_Extended_MSFT_Method=Automatic
authentication-results: spf=none (sender IP is ) smtp.mailfrom=dthaler@microsoft.com;
x-originating-ip: [2001:4898:80e8:0:f8a5:16bc:386f:88f5]
x-ms-publictraffictype: Email
x-ms-office365-filtering-ht: Tenant
x-ms-office365-filtering-correlation-id: 9abf0742-57c4-4370-526c-08d767d452b5
x-ms-traffictypediagnostic: MWHPR21MB0751:
x-microsoft-antispam-prvs: <MWHPR21MB07517DEB9777123DE86626FDA3760@MWHPR21MB0751.namprd21.prod.outlook.com>
x-ms-oob-tlc-oobclassifiers: OLM:8882;
x-forefront-prvs: 0220D4B98D
x-forefront-antispam-report: SFV:NSPM; SFS:(10019020)(979002)(136003)(366004)(39860400002)(396003)(376002)(346002)(199004)(189003)(52314003)(25584004)(71200400001)(76116006)(6116002)(81156014)(66574012)(8936002)(81166006)(8676002)(52536014)(790700001)(5660300002)(66446008)(66556008)(66946007)(256004)(25786009)(10290500003)(14444005)(14454004)(478600001)(229853002)(66476007)(6436002)(236005)(6306002)(54896002)(2906002)(33656002)(64756008)(55016002)(9686003)(4326008)(6246003)(186003)(8990500004)(10090500001)(71190400001)(74316002)(7736002)(76176011)(606006)(102836004)(486006)(446003)(46003)(86362001)(99286004)(54906003)(53546011)(476003)(6916009)(6506007)(22452003)(316002)(11346002)(7696005)(969003)(989001)(999001)(1009001)(1019001); DIR:OUT; SFP:1102; SCL:1; SRVR:MWHPR21MB0751; H:MWHPR21MB0784.namprd21.prod.outlook.com; FPR:; SPF:None; LANG:en; PTR:InfoNoRecords; A:1; MX:1;
received-spf: None (protection.outlook.com: microsoft.com does not designate permitted sender hosts)
x-ms-exchange-senderadcheck: 1
x-microsoft-antispam: BCL:0;
x-microsoft-antispam-message-info: KUY2CrHSAqMnTeG75uiuZPcrxRNLWmFBwumwWYQ4kYV3LU6iNeK4bnZ+uMzlSO09fvKUH+QcLSDFBsWruBbQ/KYnae5jfVrPNqwRGLtCKxbFjXx3NWZ4aani5rSwoJ/Js9LQi6ydcXz42qJCNRunnA0wcOGKWu7gQTVRBWg51xWoMbwvfwowRCdOHR+sxgLqLl8Rx7nEOosKc7GqTiM6V5t2noAaTLjQwHGKTK2zUofShL6/cgkZ8vKBSuvp7N/mNjqDthIiXy7ofF8f+8Vl2lI+tN+oXJEIgP6qo7Nle7FMfs0m68MR97jSyUvdsjgh7saWkgruwRfXIt45Nr8oGWbPxbNBkUpweQyFqXpQa2WCgTvz02bESW4av32tXwG+baqMDVLAui2sMTXTKtgK/Ofr5ZH0zSOIByDGOGlzEhGDkpprr96efthrlKYt1ity
x-ms-exchange-transport-forked: True
Content-Type: multipart/alternative; boundary="_000_MWHPR21MB07844205580533759AF4C3FAA3760MWHPR21MB0784namp_"
MIME-Version: 1.0
X-OriginatorOrg: microsoft.com
X-MS-Exchange-CrossTenant-Network-Message-Id: 9abf0742-57c4-4370-526c-08d767d452b5
X-MS-Exchange-CrossTenant-originalarrivaltime: 13 Nov 2019 00:56:31.2727 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 72f988bf-86f1-41af-91ab-2d7cd011db47
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-CrossTenant-userprincipalname: M3lqiq6JRNglXPpH9hEOVXY9X6B/Ukf2ylF3nb+aNWXnGiIBEpf8/6NylxhVPyKUckq7VjcSJRtgkMWtSUnmcNgUNgbwZzUJRS7g9t3vsjo=
X-MS-Exchange-Transport-CrossTenantHeadersStamped: MWHPR21MB0751
Archived-At: <https://mailarchive.ietf.org/arch/msg/rats/KMBPRyGfWcLTJTJ8t4kOLva05aI>
Subject: Re: [Rats] Call for adoption (after draft rename) for Yang module draft
X-BeenThere: rats@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Remote Attestation Procedures <rats.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/rats>, <mailto:rats-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/rats/>
List-Post: <mailto:rats@ietf.org>
List-Help: <mailto:rats-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/rats>, <mailto:rats-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 13 Nov 2019 00:56:40 -0000

Answers to clarifying questions…

From: Laurence Lundblade <lgl@island-resort.com>;
Sent: Monday, November 11, 2019 9:57 PM
To: Dave Thaler <dthaler@microsoft.com>;
Cc: Smith, Ned <ned.smith@intel.com>;; Oliver, Ian (Nokia - FI/Espoo) <ian.oliver@nokia-bell-labs.com>;; Nancy Cam-Winget (ncamwing) <ncamwing@cisco.com>;; rats@ietf.org; Henk Birkholz <henk.birkholz@sit.fraunhofer.de>;
Subject: Re: [Rats] Call for adoption (after draft rename) for Yang module draft

Clarifying questions and comments.

Where did this table come from?

I created it based on my interpretation of statements made in draft-birkholz-rats-basic-yang-module and
draft-fedorkow-rats-network-device-attestation-01 (and based on Guy’s responses on this list to confirm/correct my understanding).
Of course since there seems to be some confusion about what YANG is, my statement about the applicability of the yang draft
may or may not be correct.   I will say I believe it is correct when the YANG module is used by any pull-based protocol like
netconf or restconf, which is the model draft-fedorkow-rats-network-device-attestation discusses as I understand it.
If you can encapsulate the YANG information inside some existing in-band protocol like 802.1x then it would be more aligned
with what I’m arguing since that would be usable both with and without the presence of a host firewall.

Is a firewall here a typical IP-level thing that filter Internet traffic? (If so, why is that relevant?). Or is it memory protection between the attestation host (e.g. RoT) and the other parts of the system? Something else?

Yes it’s a typical IP-level thing.  (See RFC 7288 for lots of IAB discussion on that term.)
It’s relevant because if the only way for a Relying Party to get attestation information is to separately ask the attester
via a different protocol that the attester has to accept unsolicited inbound communication for, then a host firewall whose
job it is to prevent unsolicited inbound communication will of course prevent that solution from working at all.
Whereas a mechanism that passes attestation information in a protocol the Attester initiates anyway, such as 802.1x
or any similar network authentication protocol, such conveyance will work with or without a firewall, and so be far more
broadly usable for network authentication, and be usable both by routers and non-routers, with a single common solution,
rather than having a bunch of point solutions.

What is privacy here? Is it the untrackability of attestations because they use ECDAA, shared keys or such? That is privacy in the web browser / GDPR sense.

Ask Guy, it’s from his draft ☺
But my own interpretation is that privacy means the network cannot tell that the specific device now is Bob’s or Alice’s device,
and cannot tell that the specific device is the same device it saw yesterday.
See section 5 of RFC 6973.

Various solutions at various layers may or may not provide this property.
For example, MAC address randomization is an example of a technique to try to provide this property, and
draft-ietf-dnssd-prireq is an example of IETF work on providing this for DNS service discovery.
Intel’s EPID arguably addresses this for their scenarios, the general point being that
It is possible to attest to the trustworthiness of a device without revealing a unique device identifier.
Whether that’s a requirement or not depends on the use case, the administrator, the device, etc.
But draft-fedorkow-rats-network-device-attestation is constrained only to cases that don’t need privacy,
and my reading (perhaps incorrect) is that draft-birkholz-rats-basic-yang-module
also has that scope, in that it reveals some device identifier.   If it is changed so that is optional,
then its applicability widens.  I am just arguing for broad solutions, not narrow ones.

One of them is not like the other: Firmware. It typically isn’t isolated and doesn’t have a CPU.

ALL of them are not like the others.   Every one is unique in some way.  But people want attestation in all of these scenarios.
They don’t provide the same degree of strength, but that doesn’t mean you can’t have common protocols/techniques/claim formats/etc.

There are other isolating execution environment approaches such as separate CPUs and virtualization, particularly Microsoft VBS.

Agree, there are more RoT types in general, and I argue for solutions that can easily be extended to more of them.
(By “Firmware” I meant what you call “virtualization”, not just Microsoft VBS in particular, but just the notion that a hypervisor or firmware
provides some level of attestation guarantees for higher layer components.)

I didn’t mention AMD in the table either, and AMD has things like AMD-SEV and the recently announced<https://www.youtube.com/watch?v=yr56SaJ_0QI&list=PLbzoR-pLrL6rF8E5yyknJzrVQaHeYszTR&index=16&t=0s> SEV-SNP,
and for RISC-V there’s Hex-Five’s MultiZone.  Etc.

Dave

LL



On Nov 11, 2019, at 5:43 PM, Dave Thaler <dthaler=40microsoft.com@dmarc.ietf.org<mailto:dthaler=40microsoft.com@dmarc.ietf.org>> wrote:

                        Requirements?
         +--------------+---------------+---------++---------------
         |  RoT         | Host Firewall | Privacy ||   Solution
         |  Type        |   Enabled     | Needed  ||    Pieces
         +--------------+---------------+---------++---------------
      1  |  SGX         | No            | No      ||
      2  |  SGX         | No            | Yes     ||
      3  |  SGX         | Yes           | No      ||
      4  |  SGX         | Yes           | Yes     ||
      5  |  TrustZone   | No            | No      ||
      6  |  TrustZone   | No            | Yes     ||
      7  |  TrustZone   | Yes           | No      ||
      8  |  TrustZone   | Yes           | Yes     ||
      9  |  TPM         | No            | No      || draft-birkholz-rats-basic-yang-module-01
     10  |  TPM         | No            | Yes     ||
     11  |  TPM         | Yes           | No      ||
     12  |  TPM         | Yes           | Yes     ||
     13  |SecureElement | No            | No      ||
     14  |SecureElement | No            | Yes     ||
     15  |SecureElement | Yes           | No      ||
     16  |SecureElement | Yes           | Yes     ||
     17  | Firmware     | No            | No      ||
     18  | Firmware     | No            | Yes     ||
     19  | Firmware     | Yes           | No      ||
     20  | Firmware     | Yes           | Yes     ||