Re: [Rats] retrieving reference measurements

Guy Fedorkow <gfedorkow@juniper.net> Wed, 29 April 2020 16:19 UTC

From: Guy Fedorkow <gfedorkow@juniper.net>
To: Henk Birkholz <henk.birkholz@sit.fraunhofer.de>
CC: "rats@ietf.org" <rats@ietf.org>, Jessica Fitzgerald-McKay <jmfmckay@gmail.com>, William Bellingrath <wbellingrath@juniper.net>
Thread-Topic: retrieving reference measurements
Thread-Index: AdYeLLsj977MpbIWSBiRE1EIoB5bdgADjkuAAAFrpgA=
Date: Wed, 29 Apr 2020 16:19:13 +0000
Message-ID: <DM6PR05MB6889C3D6B8C636C2AD30D51FBAAD0@DM6PR05MB6889.namprd05.prod.outlook.com>
References: <DM6PR05MB68895483D6F508C46748147FBAAD0@DM6PR05MB6889.namprd05.prod.outlook.com> <96c6bf0f-024d-972e-333f-edd288f3920f@sit.fraunhofer.de>
In-Reply-To: <96c6bf0f-024d-972e-333f-edd288f3920f@sit.fraunhofer.de>
Archived-At: <https://mailarchive.ietf.org/arch/msg/rats/AtkCBRVMJw60GiFQKMtN1TZz_Rk>
Subject: Re: [Rats] retrieving reference measurements
X-BeenThere: rats@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Remote ATtestation procedureS <rats.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/rats>, <mailto:rats-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/rats/>
List-Post: <mailto:rats@ietf.org>
List-Help: <mailto:rats-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/rats>, <mailto:rats-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 29 Apr 2020 16:19:20 -0000

Hi Henk,
  I understand that third-party RIMs could be used, but for embedded
equipment, it seems like the easiest path is to deliver the RIMs as part of
the vendor's software update package for the device.  Operators have
well-worn procedures for getting software updates to devices; if the RIM is
just part of the package, they don't have to think about a new procedure at
all...
  Maybe not for everyone, but it seems like it would be a common use-case...
Thanks
/guy



Juniper Business Use Only

-----Original Message-----
From: Henk Birkholz <henk.birkholz@sit.fraunhofer.de> 
Sent: Wednesday, April 29, 2020 11:29 AM
To: Guy Fedorkow <gfedorkow@juniper.net>
Cc: rats@ietf.org; Jessica Fitzgerald-McKay <jmfmckay@gmail.com>; William
Bellingrath <wbellingrath@juniper.net>
Subject: Re: retrieving reference measurements

Hi Guy,

I think it would be strange for a network equipment device to expose a
potentially vulnerable management to the open internet, too :)

Luckily, there will probably be a "higher level" constituent in the network
that an Attester's DevID can be presented to (typically this is or is close
to a device that is also a Verifier). And these systems generally have a way
to "reach out" to the internet.

The typically already existing "path" to follow here is the way updates find
their way to a "network equipment device". If you are air-gapped or
completely isolated wrt every layer 2 topology, it may start to become a bit
tricky, but you are running around with USB sticks in hand to do updates
then, too.

YANG is a big solution for big problems. But you can use a YANG server to
retrieve RIMs that are stored on the Attester itself, of course. These
probably are outdated at some point and then leave you with the same problem
illustrated above, again.

Viele Grüße,

Henk


On 29.04.20 15:56, Guy Fedorkow wrote:
> Hi Henk,
>
> I see your proposal for identifying URIs for reference measurements in
> https://tools.ietf.org/html/draft-birkholz-rats-mud-00
>
>    I realize that some constrained devices may not want to do this, 
> but do you think draft-charra could be extended to allow retrieval of 
> the signed reference measurements directly from the device being 
> attested, via the YANG / Netconf interface?
>
>    Ironic as it may sound, I’m sure you know that many operators 
> ensure that their internet routers cannot access the public internet.
>
>    Thanks,
>
> /guy
>
>
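As an added illustration of the flow discussed in this thread (a RIM delivered inside the vendor's software update package, then used by a Verifier to appraise the measurements a device reports, with Henk's point that RIMs held on the Attester can go stale handled by a minimum-version policy), the following Python is example code written for this archive page. It is not from the thread, from draft-charra, from draft-birkholz-rats-mud, or from any Juniper or Fraunhofer implementation. It assumes a constructed JSON RIM layout, constructed firmware images, and an HMAC under a constructed key as a stand-in for the vendor's asymmetric signature (a real signed RIM, for example a CoSWID tag in a COSE envelope, would be verified against the vendor's certificate); all function names are hypothetical.

```python
import hashlib
import hmac
import json

# Constructed vendor key (assumption for this example). A production RIM would
# carry an asymmetric signature verified under the vendor's certificate; HMAC is
# used here only so the example runs with the standard library.
VENDOR_KEY = b"example-vendor-rim-signing-key"

# Constructed firmware images standing in for the components an update package
# installs on the device.
FIRMWARE_IMAGES = {
    "bootloader": b"bootloader image v2.1 (constructed)",
    "kernel": b"kernel image v5.4 (constructed)",
    "rootfs": b"root filesystem v2.1 (constructed)",
}


def digest(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def canonical(payload: dict) -> bytes:
    """Canonical serialisation so the signature covers a stable byte string."""
    return json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()


def version_tuple(v: str) -> tuple:
    return tuple(int(part) for part in v.split("."))


def build_update_package(images: dict, version: str) -> dict:
    """Vendor side: bundle the images and a signed RIM into one package."""
    rim_payload = {
        "version": version,
        "references": {name: digest(img) for name, img in images.items()},
    }
    sig = hmac.new(VENDOR_KEY, canonical(rim_payload), hashlib.sha256).hexdigest()
    return {"images": images, "rim": {"payload": rim_payload, "signature": sig}}


def verify_rim(rim: dict, key: bytes = VENDOR_KEY) -> bool:
    """Verifier side: reject a RIM whose signature does not check out."""
    expected = hmac.new(key, canonical(rim["payload"]), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, rim["signature"])


def measure(images: dict) -> dict:
    """Attester side stand-in: the measured digests the device would report."""
    return {name: digest(img) for name, img in images.items()}


def appraise(evidence: dict, rim: dict, min_version: str) -> dict:
    """Compare measured digests (Evidence) with the RIM's reference values.

    Fails closed: an invalid signature, a RIM older than the policy minimum,
    and missing, mismatched or unexpected components all yield "fail".
    """
    result = {"verdict": "fail", "components": {}, "reasons": []}
    if not verify_rim(rim):
        result["reasons"].append("rim signature invalid")
        return result
    payload = rim["payload"]
    if version_tuple(payload["version"]) < version_tuple(min_version):
        result["reasons"].append(
            f"rim version {payload['version']} older than policy minimum {min_version}")
        return result
    refs = payload["references"]
    for name, ref in refs.items():
        measured = evidence.get(name)
        if measured is None:
            result["components"][name] = "missing"
        elif hmac.compare_digest(measured, ref):
            result["components"][name] = "match"
        else:
            result["components"][name] = "mismatch"
    for name in evidence:
        if name not in refs:
            result["components"][name] = "unexpected"
    bad = sorted(n for n, s in result["components"].items() if s != "match")
    if bad:
        result["reasons"].append("components not matching reference: " + ", ".join(bad))
    else:
        result["verdict"] = "pass"
    return result


if __name__ == "__main__":
    package = build_update_package(FIRMWARE_IMAGES, "2.1")
    print("good device:", appraise(measure(FIRMWARE_IMAGES), package["rim"], "2.0")["verdict"])
    tampered = dict(FIRMWARE_IMAGES, kernel=b"kernel image v5.4 (modified)")
    bad = appraise(measure(tampered), package["rim"], "2.0")
    print("tampered device:", bad["verdict"], bad["reasons"])
```

The Verifier never trusts reference values it cannot authenticate, so a RIM pulled from the Attester over YANG gets the same signature check as one taken from the update package; the version floor is what turns "the RIM on the box is outdated" into an explicit appraisal failure rather than a silent pass against stale references.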