Re: [Rats] retrieving reference measurements
Guy Fedorkow <gfedorkow@juniper.net> Wed, 29 April 2020 16:19 UTC
From: Guy Fedorkow <gfedorkow@juniper.net>
To: Henk Birkholz <henk.birkholz@sit.fraunhofer.de>
CC: "rats@ietf.org" <rats@ietf.org>, Jessica Fitzgerald-McKay <jmfmckay@gmail.com>, William Bellingrath <wbellingrath@juniper.net>
Date: Wed, 29 Apr 2020 16:19:13 +0000
Message-ID: <DM6PR05MB6889C3D6B8C636C2AD30D51FBAAD0@DM6PR05MB6889.namprd05.prod.outlook.com>
References: <DM6PR05MB68895483D6F508C46748147FBAAD0@DM6PR05MB6889.namprd05.prod.outlook.com> <96c6bf0f-024d-972e-333f-edd288f3920f@sit.fraunhofer.de>
In-Reply-To: <96c6bf0f-024d-972e-333f-edd288f3920f@sit.fraunhofer.de>
Archived-At: <https://mailarchive.ietf.org/arch/msg/rats/AtkCBRVMJw60GiFQKMtN1TZz_Rk>
List-Id: Remote ATtestation procedureS <rats.ietf.org>
List-Archive: <https://mailarchive.ietf.org/arch/browse/rats/>
Hi Henk,

I understand that third-party RIMs could be used, but for embedded equipment, it seems like the easiest path is to deliver the RIMs as part of the vendor's software update package for the device. Operators have well-worn procedures for getting software updates to devices; if the RIM is just part of the package, they don't have to think about a new procedure at all...

Maybe not for everyone, but it seems like it would be a common use-case...

Thanks
/guy

Juniper Business Use Only

-----Original Message-----
From: Henk Birkholz <henk.birkholz@sit.fraunhofer.de>
Sent: Wednesday, April 29, 2020 11:29 AM
To: Guy Fedorkow <gfedorkow@juniper.net>
Cc: rats@ietf.org; Jessica Fitzgerald-McKay <jmfmckay@gmail.com>; William Bellingrath <wbellingrath@juniper.net>
Subject: Re: retrieving reference measurements

Hi Guy,

I think it would be strange for a network equipment device to expose a potentially vulnerable management to the open internet, too :)

Luckily, there will probably be a "higher level" constituent in the network that an Attester's DevID can be presented to (typically this is or is close to a device that is also a Verifier). And these systems generally have a way to "reach out" to the internet. The typically already existing "path" to follow here is the way updates find their way to a "network equipment device". If you are air-gapped or completely isolated wrt every layer 2 topology, it may start to become a bit tricky, but you are running around with USB sticks in hand to do updates then, too.

YANG is a big solution for big problems. But you can use a YANG server to retrieve RIMs that are stored on the Attester itself, of course. These probably are outdated at some point and then leave you with the same situation illustrated above, again.

Best regards,
Henk

On 29.04.20 15:56, Guy Fedorkow wrote:
> Hi Henk,
>
> I see your proposal for identifying URIs for reference measurements in
> https://tools.ietf.org/html/draft-birkholz-rats-mud-00
>
> I realize that some constrained devices may not want to do this,
> but do you think draft-charra could be extended to allow retrieval of
> the signed reference measurements directly from the device being
> attested, via the YANG / Netconf interface?
>
> Ironic as it may sound, I'm sure you know that many operators
> ensure that their internet routers cannot access the public internet.
>
> Thanks,
>
> /guy
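The Verifier-side flow the two messages above argue about, as an added example that is not code from this thread, from the RATS drafts (draft-birkholz-rats-mud, draft-charra) or from Juniper: a RIM shipped inside the vendor's update package is checked against the package contents, then the PCR values replayed from the Attester's event log are compared with the RIM's reference values. Assumptions: the RIM is a simplified JSON stand-in for a CoSWID/CoRIM, the vendor signature is modelled with HMAC-SHA256 so the script runs offline (a real RIM carries an asymmetric COSE signature), PCR replay is SHA-256 extend from a zeroed register, and every file, digest and event log is constructed inline. The version check implements Henk's caveat that a RIM stored on the Attester (or bundled with an old update) goes stale once the device has been updated.

```python
import hashlib
import hmac
import json

# Stand-in for the vendor's signing key. A real RIM (CoSWID/CoRIM) carries an
# asymmetric COSE signature; HMAC is used here only so the example runs offline.
VENDOR_KEY = b"constructed-vendor-signing-key"


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def replay_pcr(digests_hex):
    """Recompute a PCR from an event log: pcr = SHA-256(pcr || digest),
    starting from 32 zero bytes, one extend per measured component."""
    pcr = b"\x00" * 32
    for d in digests_hex:
        pcr = hashlib.sha256(pcr + bytes.fromhex(d)).digest()
    return pcr.hex()


def sign_rim(rim: dict, key: bytes = VENDOR_KEY) -> dict:
    """Vendor side: sign a canonical encoding of the RIM (HMAC stand-in)."""
    body = json.dumps(rim, sort_keys=True).encode()
    return {"rim": rim, "sig": hmac.new(key, body, hashlib.sha256).hexdigest()}


def verify_rim(signed: dict, key: bytes = VENDOR_KEY) -> dict:
    """Verifier side: the RIM is trusted because of the vendor signature, not
    because of the channel it arrived over (update package, the device's own
    YANG server, or a third party)."""
    body = json.dumps(signed["rim"], sort_keys=True).encode()
    expected = hmac.new(key, body, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, signed["sig"]):
        raise ValueError("RIM signature invalid")
    return signed["rim"]


def check_package(rim: dict, package_files: dict) -> list:
    """Every component the RIM describes must be in the update package with
    the same digest; otherwise this RIM does not describe this update."""
    bad = []
    for comp in rim["components"]:
        data = package_files.get(comp["name"])
        if data is None or sha256_hex(data) != comp["sha256"]:
            bad.append(comp["name"])
    return bad


def appraise(signed_rim: dict, package_files: dict, evidence: dict, key: bytes = VENDOR_KEY):
    """Return ("accept" | "reject", reasons). evidence = {"version": str,
    "event_log": {pcr_index: [component digests in extend order]}}."""
    try:
        rim = verify_rim(signed_rim, key)
    except ValueError as exc:
        return "reject", [str(exc)]
    reasons = []
    # A RIM describes exactly one software version; a stale RIM must not be
    # used to appraise a device that has since been updated.
    if rim["version"] != evidence["version"]:
        reasons.append(f"RIM version {rim['version']} != running version {evidence['version']}")
    bad = check_package(rim, package_files)
    if bad:
        reasons.append("update package differs from RIM: " + ", ".join(bad))
    for pcr, digests in evidence["event_log"].items():
        if replay_pcr(digests) != rim["expected_pcr"].get(pcr):
            reasons.append(f"PCR{pcr} does not match reference value")
    return ("accept" if not reasons else "reject"), reasons


def build_sample():
    """Constructed update package, its RIM, and two evidence sets (good, tampered)."""
    package = {"bootloader.bin": b"constructed bootloader image v1.0",
               "kernel.img": b"constructed kernel image v1.0"}
    order = ["bootloader.bin", "kernel.img"]  # measured-boot extend order
    digests = [sha256_hex(package[n]) for n in order]
    rim = {"tag_id": "example-rim-1.0", "version": "1.0",
           "components": [{"name": n, "sha256": d} for n, d in zip(order, digests)],
           "expected_pcr": {"0": replay_pcr(digests)}}
    signed_rim = sign_rim(rim)
    good = {"version": "1.0", "event_log": {"0": digests}}
    tampered_digests = [digests[0], sha256_hex(b"constructed kernel image, modified")]
    tampered = {"version": "1.0", "event_log": {"0": tampered_digests}}
    return signed_rim, package, good, tampered


if __name__ == "__main__":
    signed_rim, package, good, tampered = build_sample()
    print(appraise(signed_rim, package, good))
    print(appraise(signed_rim, package, tampered))
```

The point of ordering the checks this way: signature first, so that a RIM pulled from the Attester over NETCONF is held to exactly the same standard as one unpacked from the update bundle; version second, so a RIM that was correct when it was installed is rejected rather than silently producing false PCR mismatches after the next upgrade.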