[Rats] Reply: I-D Action: draft-xia-rats-pubsub-model-01.txt

"Xialiang (Frank, Network Standard & Patent Dept)" <frank.xialiang@huawei.com> Thu, 24 October 2019 03:31 UTC


Hi Eric,
Thank you for the good comments!

Please see inline:

From: RATS [mailto:rats-bounces@ietf.org] on behalf of Eric Voit (evoit)
Sent: 24 October 2019 5:38
To: Xialiang (Frank, Network Standard & Patent Dept) <frank.xialiang@huawei.com>; rats@ietf.org
Subject: Re: [Rats] I-D Action: draft-xia-rats-pubsub-model-01.txt

Hi Frank,

A few quick thoughts.

(1) The best way to deliver a nonce is to augment the <establish-subscription> RPC from RFC8639.  This requires just one object update.   To make this work effectively, we would need to expand the draft-birkholz-rats-basic-yang-module to also include data nodes for PCR state, rather than just the current RPCs.  BTW: If we base the data nodes on existing groupings, this actually is not a big change.
[Frank]: I don't understand your point exactly. Since the nonce for freshness checking and protection against replay attacks is randomly generated and varies in each notification message, I think both the current dynamic subscription and configured subscription need some extension to achieve this goal. And what is the point of your next statement about including data nodes for PCR state rather than just the current RPCs? Do you mean that in this way the PCR state can be acquired by the netconf push solution?

(2) Figure 2 & 3 mix the context of both stream subscriptions (RFC8639) and datastore subscriptions (RFC8641).  What you want is an RFC8641 subscription to draft-birkholz-rats-basic-yang-module, and an independent RFC8639 subscription to event streams like pcr-trust-evidence.  The results of these subscriptions can be independently correlated at the verifier.
[Frank]: You are right. Figure 2 is an example of using configured subscriptions to acquire the on-change state of PCRs, since they are very important events for the RATS protocol. Figure 3 is an example of using netconf push (datastore subscriptions) to periodically get bios-log-trust-evidence for the normal checking task. Figure 4 is an example of using the pre-defined events as the update trigger according to the relatively new ECA netconf method. But I generally agree with your idea of their relation.

(3) Interestingly, the need to subscribe on-change to the values of individual PCRs (rather than a hash across multiple PCRs) is a perfect example of why a router will need to do pre-processing and summarization of signed information coming off a TPM.  This is in contrast to people who believe that a cryptoprocessor's raw feed is sufficient for all off-router applications.  A raw feed from a TPM is simply not sufficient.


> From: Xialiang (Frank, Network Standard & Patent Dept), October 21, 
> 2019 9:13 AM
> Hi,
> We submit a new draft describing a method of using the netconf pub/sub 
> model in the RATS interaction procedure, to increase its flexibility, 
> efficiency and scalability.
> Warmly welcome your comments!
> B.R.
> Frank
> -----Original Message-----
> From: I-D-Announce [mailto:i-d-announce-bounces@ietf.org] on behalf of
> internet-drafts@ietf.org
> Sent: 21 October 2019 21:09
> To: i-d-announce@ietf.org
> Subject: I-D Action: draft-xia-rats-pubsub-model-01.txt
> A New Internet-Draft is available from the on-line Internet-Drafts directories.
>         Title           : Using Netconf Pub/Sub Model for RATS Interaction Procedure
>         Authors         : Liang Xia (Frank)
>                           Wei Pan
>         Filename        : draft-xia-rats-pubsub-model-01.txt
>         Pages           : 14
>         Date            : 2019-10-21
> Abstract:
>    This draft defines a new method of using the netconf pub/sub
>    model in the RATS interaction procedure, to increase its flexibility,
>    efficiency and scalability.
> The IETF datatracker status page for this draft is:
> https://datatracker.ietf.org/doc/draft-xia-rats-pubsub-model/
> There are also htmlized versions available at:
> https://tools.ietf.org/html/draft-xia-rats-pubsub-model-01
> https://datatracker.ietf.org/doc/html/draft-xia-rats-pubsub-model-01
> A diff from the previous version is available at:
> https://www.ietf.org/rfcdiff?url2=draft-xia-rats-pubsub-model-01
> Please note that it may take a couple of minutes from the time of 
> submission until the htmlized version and diff are available at tools.ietf.org.
> Internet-Drafts are also available by anonymous FTP at:
> ftp://ftp.ietf.org/internet-drafts/
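The nonce exchange debated in points (1) and (2) above, as an added illustration that is not code from the draft, from RFC 8639, or from either author: the verifier issues an RFC 8639 establish-subscription RPC carrying a random nonce, a simulated attester echoes that nonce into a pcr-trust-evidence notification, and the verifier accepts evidence only when the nonce matches the one it issued and has not been consumed before. The NETCONF, subscribed-notifications and notification namespaces are the real ones; the `urn:example:rats-nonce` namespace, the `nonce` leaf and the evidence element names are hypothetical, and the PCR value is a constructed sample.

```python
import secrets
import xml.etree.ElementTree as ET

# Real namespaces: RFC 6241 NETCONF base, the RFC 8639 subscribed-notifications
# YANG module, and the RFC 5277 <notification> wrapper.
NC_NS = "urn:ietf:params:xml:ns:netconf:base:1.0"
SN_NS = "urn:ietf:params:xml:ns:yang:ietf-subscribed-notifications"
NOTIF_NS = "urn:ietf:params:xml:ns:netconf:notification:1.0"
# Constructed: a hypothetical augmentation adding a nonce leaf to
# <establish-subscription> and echoing it in the evidence notification.
# Not defined by the draft or by RFC 8639.
EX_NS = "urn:example:rats-nonce"


def q(ns, tag):
    """Clark-notation qualified name for ElementTree."""
    return f"{{{ns}}}{tag}"


class Verifier:
    """Issues subscriptions carrying a fresh random nonce and validates the
    evidence that comes back: the nonce must match the one issued for that
    subscription and must not have been accepted before (replay)."""

    def __init__(self):
        self.issued = {}        # message-id -> nonce we sent with the subscription
        self.consumed = set()   # nonces already accepted once

    def establish_subscription(self, message_id, stream):
        nonce = secrets.token_hex(16)
        self.issued[message_id] = nonce
        rpc = ET.Element(q(NC_NS, "rpc"), {"message-id": str(message_id)})
        es = ET.SubElement(rpc, q(SN_NS, "establish-subscription"))
        ET.SubElement(es, q(SN_NS, "stream")).text = stream
        ET.SubElement(es, q(EX_NS, "nonce")).text = nonce   # hypothetical leaf
        return ET.tostring(rpc, encoding="unicode")

    def check_evidence(self, message_id, notification_xml):
        """Return (accepted, reason). PCR values in the notification should only
        be trusted by the caller when accepted is True."""
        notif = ET.fromstring(notification_xml)
        got = notif.findtext(f".//{q(EX_NS, 'nonce')}")
        expected = self.issued.get(message_id)
        if got is None or expected is None or not secrets.compare_digest(got, expected):
            return False, "nonce missing or does not match the subscription"
        if got in self.consumed:
            return False, "nonce already used: replayed notification"
        self.consumed.add(got)
        return True, "fresh"


def simulated_attester(rpc_xml, pcr_values):
    """Constructed stand-in for the attester: echo the nonce from the subscription
    into a notification carrying PCR values. Element names under EX_NS are invented."""
    rpc = ET.fromstring(rpc_xml)
    nonce = rpc.findtext(f".//{q(EX_NS, 'nonce')}")
    notif = ET.Element(q(NOTIF_NS, "notification"))
    ev = ET.SubElement(notif, q(EX_NS, "pcr-trust-evidence"))
    ET.SubElement(ev, q(EX_NS, "nonce")).text = nonce
    for index, value in pcr_values.items():
        pcr = ET.SubElement(ev, q(EX_NS, "pcr"))
        ET.SubElement(pcr, q(EX_NS, "index")).text = str(index)
        ET.SubElement(pcr, q(EX_NS, "value")).text = value
    return ET.tostring(notif, encoding="unicode")


def demo():
    """One subscription, one fresh notification, then the same notification again."""
    v = Verifier()
    rpc = v.establish_subscription(101, "pcr-trust-evidence")
    # Constructed sample PCR value (SHA-256 sized hex); not real attestation data.
    notif = simulated_attester(rpc, {0: "ab" * 32})
    first = v.check_evidence(101, notif)
    replay = v.check_evidence(101, notif)
    return first, replay


if __name__ == "__main__":
    print(demo())
```

With a single nonce delivered at subscription time, only the first notification is provably fresh; the second delivery of the same evidence is rejected as a replay, and any further on-change notification on that subscription would need a new nonce. That is the gap between delivering the nonce once in the RPC and varying it per notification that the two replies above are discussing.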