IETF Logo Mail Archive

Re: [Rats] 802.1AR device identity

"Smith, Ned" <ned.smith@intel.com> Thu, 11 March 2021 16:17 UTC

Return-Path: <ned.smith@intel.com>
X-Original-To: rats@ietfa.amsl.com
Delivered-To: rats@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 865403A12A7; Thu, 11 Mar 2021 08:17:00 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.898
X-Spam-Level:
X-Spam-Status: No, score=-6.898 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_HI=-5, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=unavailable autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=intel.onmicrosoft.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id A9Pwj5mAbLWI; Thu, 11 Mar 2021 08:16:58 -0800 (PST)
Received: from mga14.intel.com (mga14.intel.com [192.55.52.115]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 109013A12A9; Thu, 11 Mar 2021 08:16:57 -0800 (PST)
IronPort-SDR: Ev8U1DOu9XucZAc87/nw/MMnrJT1eu5lJCPEYS2/Aq+r8vr79oYQarp8CWgzi7+E7ANB4rye2C lfQbjBd8HH4w==
X-IronPort-AV: E=McAfee;i="6000,8403,9920"; a="188057335"
X-IronPort-AV: E=Sophos;i="5.81,241,1610438400"; d="scan'208,217";a="188057335"
Received: from orsmga006.jf.intel.com ([10.7.209.51]) by fmsmga103.fm.intel.com with ESMTP/TLS/ECDHE-RSA-AES256-GCM-SHA384; 11 Mar 2021 08:16:50 -0800
IronPort-SDR: Y7G4QxfBPQ6hKmRZ+BDaj1WMPUCvZD38xictg4kcqZb6+d/a/KcUAQTSE5g8Z6uvHQH236Wn2b a8D5tzBKNGzw==
X-ExtLoop1: 1
X-IronPort-AV: E=Sophos;i="5.81,241,1610438400"; d="scan'208,217";a="372370467"
Received: from orsmsx603.amr.corp.intel.com ([10.22.229.16]) by orsmga006.jf.intel.com with ESMTP; 11 Mar 2021 08:16:50 -0800
Received: from orsmsx606.amr.corp.intel.com (10.22.229.19) by ORSMSX603.amr.corp.intel.com (10.22.229.16) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256) id 15.1.2106.2; Thu, 11 Mar 2021 08:16:49 -0800
Received: from orsedg603.ED.cps.intel.com (10.7.248.4) by orsmsx606.amr.corp.intel.com (10.22.229.19) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256) id 15.1.2106.2 via Frontend Transport; Thu, 11 Mar 2021 08:16:49 -0800
Received: from NAM10-BN7-obe.outbound.protection.outlook.com (104.47.70.106) by edgegateway.intel.com (134.134.137.100) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.1.2106.2; Thu, 11 Mar 2021 08:16:49 -0800
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=RnxQlG09v2+hMWqm7yz0r4VvAagP26/+CwT5vGgRe8mqRCTMa9gASTQDTXYVpvYtDctvzXHCTn47K1auZOS3ZqGLl5ryKvUZaXiHDLQEjAl3Ro6ikSovNigANpAsuiRjIg7OJ7Mpe4LwHvKs1dGoHr3dpYewA9DmWxivwYYXAiQrLvkQ4Yr5ySG9he0DSxp5NNY24VYqiqgFDVW2v4wZpnjDbNjao1kVv/rL+WeMzCmV1Sn4qJCepcAlEGzdt/U+tjiNIWqaxMDCuH2kNMT/IUlXr5UwoaCdg9QFiefNDeQAeLISNKyAiidxvHeJSIn/7eTWTLClyD37lVQpep/bSw==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=s5Zi4mBIKSw2XMg2RdtGDuxFEBVpR77GluC3kwgKxh8=; b=cOUZ9/vZxZcMGO8GOem+i0pLgMQEhmP8FG2Jan4AHbYIUpDcNY1hH7oXKpF2Oe9TrBDgZXntI/1ZuAvYVZxqeTCVHf93/eFaLVjUy6O12PyB1IQTWgZ6Nxe9XauPVU5Un3pBzEqWxqWeaHmhx7t860QhICXqjfzRTdHGdP30KvbJt2KGzvXJQxDOIe5AOGTbxIfzmi36lrUYItVyF3FXGKj0HW3Qnrrortq4FANjHlDEUd62wJBVJ8JNU0gCfw3woP3/GPmdNR65r3JsSgqlMnFCdT85H7ARlh+5zGtzsBoEpeEh+pVA6c5ojYsQYgNHa/djh/5xG0aqtyrRmBIjGw==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=intel.com; dmarc=pass action=none header.from=intel.com; dkim=pass header.d=intel.com; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=intel.onmicrosoft.com; s=selector2-intel-onmicrosoft-com; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=s5Zi4mBIKSw2XMg2RdtGDuxFEBVpR77GluC3kwgKxh8=; b=MZxQbehkYzEEozJOXi6X8El/lw2+obmIgnxvSqiJMKJdfYxMYAtInKlsgQBvxdDJPFegMwfeh+SOmYHjoSGRoKIV68grLeJ+/hto9a8ZXZUCrAPZFs020xaPeP/Dt8tp9aKimSW2Qd+/dlYU9G5RwdxbtUGhi60fVhdBt55pI9s=
Received: from CO1PR11MB5169.namprd11.prod.outlook.com (2603:10b6:303:95::19) by MWHPR11MB1902.namprd11.prod.outlook.com (2603:10b6:300:10f::11) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.3933.31; Thu, 11 Mar 2021 16:16:47 +0000
Received: from CO1PR11MB5169.namprd11.prod.outlook.com ([fe80::b424:905d:3819:d9f0]) by CO1PR11MB5169.namprd11.prod.outlook.com ([fe80::b424:905d:3819:d9f0%3]) with mapi id 15.20.3933.031; Thu, 11 Mar 2021 16:16:47 +0000
From: "Smith, Ned" <ned.smith@intel.com>
To: Eliot Lear <lear@cisco.com>
CC: Guy Fedorkow <gfedorkow=40juniper.net@dmarc.ietf.org>, Laurence Lundblade <lgl@island-resort.com>, "rats@ietf.org" <rats@ietf.org>, "iotops@ietf.org" <iotops@ietf.org>
Thread-Topic: [Rats] 802.1AR device identity
Thread-Index: AQHXFd/v8NyDidhntUK49t5dagx8x6p9q74A//+FwoCAAVufAP//5OOA
Date: Thu, 11 Mar 2021 16:16:47 +0000
Message-ID: <62FFA122-047E-468C-A2DD-5A0E4E8EAF74@intel.com>
References: <D197C29D-95C4-4696-BE22-703E14DFFE35@intel.com> <E0971364-E3AD-40C6-A08A-A0BA7E64D18F@cisco.com> <0C1A8AE6-E6C3-4AF9-9E4F-5841FB450BE3@intel.com> <957A467D-4FE4-4031-98D2-6936D014A37C@cisco.com>
In-Reply-To: <957A467D-4FE4-4031-98D2-6936D014A37C@cisco.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
user-agent: Microsoft-MacOutlook/16.46.21021202
authentication-results: cisco.com; dkim=none (message not signed) header.d=none;cisco.com; dmarc=none action=none header.from=intel.com;
x-originating-ip: [50.53.43.22]
x-ms-publictraffictype: Email
x-ms-office365-filtering-correlation-id: 3a3fa6d9-5e86-4794-ebd3-08d8e4a91219
x-ms-traffictypediagnostic: MWHPR11MB1902:
x-microsoft-antispam-prvs: <MWHPR11MB19025657DF997D2AB0DCA240E5909@MWHPR11MB1902.namprd11.prod.outlook.com>
x-ms-oob-tlc-oobclassifiers: OLM:10000;
x-ms-exchange-senderadcheck: 1
x-microsoft-antispam: BCL:0;
x-microsoft-antispam-message-info: wNUF2osP7ZDdS+yVL72J7ChLYlWuO48ozBN39VZx2bTtW3CO+SHfm2ALgA7YqDk+0zJPMwUsaycOMFpSaac1DMRnySQVN+j7Url7/Wbk/BaOSKGhguOr7+UQJmdDEfCUJBLgZkAbBlwlzrvajQG5Df5z1sTb2b9f44FOpWnr+2BnBIJKjGjuZzjmwr8bbgYBaw1xeckiAQDZPBmFpWzrb82Go0pRlX5wwSZNBB/mpl8TVYOdf+dA5ceH723PIF99W44libWz/xetNZt3C0qM98l58Vo++IfBNRuDcDJG9mSneU0ykoN3O8YcAnbtm3OQji3vmsDCO0Us5O8hHyEpa1rKZgFVwIr8JmZRfnXIGoZILx8kNV5eOLEq5jEXxAstXOwP91zMWWY3RUkhMvnWgBUHoi5FC6Vh5teYX6PAaHA4Iyr/A3N8zYo7vL+dZiTEyyE3lXBdWWKFyF/uENz8EKR+fAy1QVXa/ZO4lH5bIGvOvMzpKdY3f9DOrF9tD6LqTNg9S6rAdTWZPg+Aivbt6r/g7nJnDUUWG5wcR8g+NAbGVq3AsGWqNfCuE1ybrTvqf1VyVZgR9ewb4jZNcSH878eOZ810+frQ0Hy01rmoODlQ8LcDi86HrFICptIGIC14T7CXpSD1yS5d3jNtnwX1a7zw+TSZMsSrDdJLJxp1Bz2WtyNPDLTIEi372yQAbXfP
x-forefront-antispam-report: CIP:255.255.255.255; CTRY:; LANG:en; SCL:1; SRV:; IPV:NLI; SFV:NSPM; H:CO1PR11MB5169.namprd11.prod.outlook.com; PTR:; CAT:NONE; SFS:(376002)(39860400002)(396003)(366004)(346002)(136003)(6916009)(6486002)(71200400001)(36756003)(26005)(8936002)(2906002)(6512007)(86362001)(166002)(186003)(33656002)(83380400001)(6506007)(76116006)(966005)(64756008)(66556008)(53546011)(66446008)(66476007)(91956017)(66946007)(8676002)(5660300002)(4326008)(478600001)(2616005)(54906003)(316002)(45980500001); DIR:OUT; SFP:1102;
x-ms-exchange-antispam-messagedata: Kat/3mYqHb33A6wN+fLCPDhEfwbzsKH6mtCjtoHaMQyBYWbUExxMaIm8uyE5aOilTHC138Kun2kqsOaYkjx7QsrYxv7CoJZGkvwAcAA9VC6RQhZBrWA7oy0gP3UMqu8t6/LhztG0o6fQsj9QZMEBPilwT3rp+VeZlJyz5Nq/eZK2uliPQ859/PDBb0CyoIReBYt/r7d4WafOcMdcO+L4KsY5oK3Wt6NBICeLvKGj8mFTqORDLEHpymMI6HrGTGvXEfxcCnlxU4jFRfJtNMCr0o++RXA4ZDDqDnAYtIzZxAFJ9KjycwyuNfL7H4aUCLgB6QOumKyNyxNhEQd8RzEGhnotdDQf2YPn0qpRp3ZIV9PUuz0tbjYibWmTUt4QHD2+Trn8ofOr0KPv0m2Yf4IdO9pKHKbGCFkI2jy9vOtUFC/CQb9kbi3NRLtS9vRoDnKjeirh4b2M5Hb6UK6fLV9Oe6hRbUZpyNw/lwxQ33rXHKLQxt5YyIwhdiTTt8Wzci25yvAzfhkP31jqK+3ZuM+phGFhnQWiIwr8+p6z5xW8Tn0WBdnx/3hi08XBOcMmNAzNVOh3huCewB7CRP2a2PTkKHRDR8qmvYnp90zlOO5dOW0h2lkXuWzJoP2OLM/w2VpQGMtlmNR+7DBzrIq+5JDNnrYyk0eqeiSXNwZuquzcnqQlC1gLNjWECkKPZDiFYTNLzrrYFbENrUMwQetz3FGmktusap22OHh7bZETLqfVWjM+vw34CdJded7SChegac6CM8vJ4SibYibUY6AYW/ZXnHec3qEHjjHSLSHjf+Pu1pdFbdbdKEWzxX1wPgrx3CoKE2L+WjNEe/5dWaD3inOT3bs1ousItAEua1c6OxxfSlk2FkLwEJxkutoxhz9BehtgFh9wUNkcq+/HpYoGYfClr/J28DgzzzkYgtC6wD6sO+toHUOPg63rwklPUkAIHI6BW4jtjS71h0HxS5L9Gq3J32pyHMgR0pTlzT5gJqUl59SXxa8AR/VC95Wz0kVa9L3ICgP2AslbIJOcJNdg5vAaembG2nqjfkk7KXozgMpCMxTclt5h+ZlFXoDgYR8pIXzX/it0PITh+OSUNS5TTPxnlkpr7Rv3Xm9kx1S+amUaoKFh6tc2QN3qND46rdMgw8WAxZhnRKfeQDklmHgjlpBkaJoNCa8fnNuRKH2iMrK+qwCUL7h2kR8juvOYfrClioJQ1oMWiHLi5zFgzJbZoWfqR8iIzSY5T8RD8mp/AAMFfhZ0FrOVmvYIyO/E53Gan/jpib3BqghY1e4OyOCHgTujLKUB6G/CoqiTqy6D/NlQE40scgi27OkQCPZ30zI7EY8S
x-ms-exchange-transport-forked: True
Content-Type: multipart/alternative; boundary="_000_62FFA122047E468CA2DD5A0E4E8EAF74intelcom_"
MIME-Version: 1.0
X-MS-Exchange-CrossTenant-AuthAs: Internal
X-MS-Exchange-CrossTenant-AuthSource: CO1PR11MB5169.namprd11.prod.outlook.com
X-MS-Exchange-CrossTenant-Network-Message-Id: 3a3fa6d9-5e86-4794-ebd3-08d8e4a91219
X-MS-Exchange-CrossTenant-originalarrivaltime: 11 Mar 2021 16:16:47.5766 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 46c98d88-e344-4ed4-8496-4ed7712e255d
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-CrossTenant-userprincipalname: +bU2pcCgsb3v2UyKr9cxLRNTMNM9AMI/+ujeaIRj/dycproJKNw31dtd7txxDgYdShOGlVSotyXs71L68d0PdQ==
X-MS-Exchange-Transport-CrossTenantHeadersStamped: MWHPR11MB1902
X-OriginatorOrg: intel.com
Archived-At: <https://mailarchive.ietf.org/arch/msg/rats/MYz6eFA4cG0uDveWF9u64MsOtF0>
Subject: Re: [Rats] 802.1AR device identity
X-BeenThere: rats@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Remote ATtestation procedureS <rats.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/rats>, <mailto:rats-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/rats/>
List-Post: <mailto:rats@ietf.org>
List-Help: <mailto:rats-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/rats>, <mailto:rats-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 11 Mar 2021 16:17:01 -0000

See inline nms>.
From: Eliot Lear <lear@cisco.com>
Date: Thursday, March 11, 2021 at 1:54 AM
To: "Smith, Ned" <ned.smith@intel.com>
Cc: Guy Fedorkow <gfedorkow=40juniper.net@dmarc.ietf.org>, Laurence Lundblade <lgl@island-resort.com>, "rats@ietf.org" <rats@ietf.org>, "iotops@ietf.org" <iotops@ietf.org>
Subject: Re: [Rats] 802.1AR device identity

Thanks, Ned.  My point really was to talk about the impetus for making an iDevID change.  There’s one more obvious one that I didn’t mention.  If you want to make use of tools like ANIMA BRSKI / RFC 8366 to transition from iDevID -> lDevID and you have a supply chain to manage, monkeying with what is called the iDevID in those transactions might help.  A better approach might be to integrate FDO (ledger based transfers).
Nms> I’m not familiar with the FDO acronym (First Device Onboard?) or how the 802.1AR use case context for iDevID/LDevID relates to ledger based transfers. This feels like a deep topic that maybe should be a talk or slides that the RATS WG understands better?

Eliot



On 10 Mar 2021, at 22:09, Smith, Ned <ned.smith@intel.com<mailto:ned.smith@intel.com>> wrote:

Regarding “a standard protected TLV list  that deployments could receive through a standard interface.  These are attestations of a form”

The TLV list is a statement made by a manufacturer about the recoverability of device / device ID. We might call them Vendor Assertions for now.

The RATS Arch describes Endorsements which are “statements about the integrity of the signing capability”. It isn’t clear to me that mutability/immutability of an IdevID key is covered under the definition for Endorsements. The architecture didn’t define terminology for Vendor Assertions that don’t fit the definition for Endorsements or Reference Values.

Bringing this back to the original thread. The vendor is likely the most authoritative entity to make assertions about the mutability/immutability properties of the IDevID (key). If a standard tries to codify it in a specification it tends to suffer from ambiguity or it defines an implementation. (both have compliance challenges)

Hence, a reasonable way forward is for vendors to make claims about IDevID mutability properties. Providing the community with a vocabulary for making such claims is probably the best facilitation a standard could do.

From: Eliot Lear <lear@cisco.com<mailto:lear@cisco.com>>
Date: Wednesday, March 10, 2021 at 12:27 PM
To: "Smith, Ned" <ned.smith@intel.com<mailto:ned.smith@intel.com>>
Cc: Guy Fedorkow <gfedorkow=40juniper.net@dmarc.ietf.org<mailto:gfedorkow=40juniper.net@dmarc.ietf.org>>, Laurence Lundblade <lgl@island-resort.com<mailto:lgl@island-resort.com>>, "rats@ietf.org<mailto:rats@ietf.org>" <rats@ietf.org<mailto:rats@ietf.org>>, <iotops@ietf.org<mailto:iotops@ietf.org>>
Subject: Re: [Rats] 802.1AR device identity

Yeah, this is an issue that comes up from time to time.  How “immutable” should that iDevID be?  I’ve had this thought in two different contexts:
•         What if the signature algorithm, CA, or private key used to protect the iDevID has been compromised?  Can one recover with an update?
•         What if there are attributes in the cert that I want to dink and share with the deployment?

I’d like to take that latter case off the table, but then we need to seriously think about RATS or SUIT providing a standard protected TLV list  that deployments could receive through a standard interface.  These are attestations of a form, but they’re not really measurements, as has been previously discussed here.

Eliot




On 10 Mar 2021, at 20:02, Smith, Ned <ned.smith@intel.com<mailto:ned.smith@intel.com>> wrote:

The 802.1AR spec doesn’t AFAIK require IDevIDs that can’t change. But not curtain. Is says things like:
A
device’s DevID module stores each of its DevID secrets securely and supports signing operations that prove
possession of the secret (and thus that the device is the subject of the associated DevID certificate), while
ensuring that the secret remains confidential so the device cannot be impersonated by others.
An Initial Device Identifier (IDevID) provided by a device’s supplier can be supplemented by one or more
Local Device Identifiers (LDevIDs), each using an existing or a freshly generated secret, facilitating
enrollment (provisioning of authentication and authorization credentials to authenticated devices) by a local
network administrator.

A device with DevID capability incorporates a globally unique manufacturer provided Initial Device
Identifier (IDevID), stored in a way that protects it from modification.

LDevIDs can also be used as the sole identifier (by disabling the IDevID) to
assure the privacy of the user of a DevID and the equipment in which it is installed.

-Ned
From: RATS <rats-bounces@ietf.org<mailto:rats-bounces@ietf.org>> on behalf of Guy Fedorkow <gfedorkow=40juniper.net@dmarc.ietf.org<mailto:gfedorkow=40juniper.net@dmarc.ietf.org>>
Date: Wednesday, March 10, 2021 at 7:59 AM
To: Laurence Lundblade <lgl@island-resort.com<mailto:lgl@island-resort.com>>
Cc: "rats@ietf.org<mailto:rats@ietf.org>" <rats@ietf.org<mailto:rats@ietf.org>>
Subject: [Rats] 802.1AR device identity

Hi Laurence,
  We talked about device identity on the RATS call today.
  For RIV, we’re relying on this IEEE spec:
https://1.ieee802.org/security/802-1ar/
  That spec defines Initial and Local Device Identities.  Initial DevID is set by the manufacturer and can’t be changed or replaced, while the Local DevID can be set and erased by the owner of the gear.
  The spec doesn’t address deciding which identity to use for any specific application, but the intent clearly is to allow the owner to use the manufacturer-supplied identity to install an owner-specific identity in a device, and erase the owner-specific identity leaving the manufacturer identity in place when the device is decommissioned.

  Many different specs must have examined this problem, but of course it never hurts to re-use some of these ideas where possible.
  Thx
/guy



Juniper Business Use Only
_______________________________________________
RATS mailing list
RATS@ietf.org<mailto:RATS@ietf.org>
https://www.ietf.org/mailman/listinfo/rats

v2.23.0 | Report a Bug | By Email