Re: [Rats] I-D Action: draft-ietf-rats-tpm-based-network-device-attest-12.txt

Hi Guy,
I'm glad the comment was adopted, I have reviewed draft-ietf-rats-tpm-based-network-device-attest-12, but I failed to find the corresponding change.

Best,
Meiling 
From: Guy Fedorkow
Date: 2022-02-23 22:31
To: rats@ietf.org; i-d-announce@ietf.org
CC: jmfitz2@cyber.nsa.gov; William Bellingrath; Eric Voit $evoit$; Seth Ross
Subject: Re: [Rats] I-D Action: draft-ietf-rats-tpm-based-network-device-attest-12.txt
We've uploaded a new version of RIV in response to Ben Kaduk's careful review of the RIV draft.
The DISCUSS point was the draft status of the TCG Common Event Log.  While that's not quite resolved at TCG, there's a good chance that the document will be released for publication by the end of this month, February.  If that happens on time, the issue will resolve itself.  If not, we will DISCUSS further, depending on the prognosis.

Included below are the detailed responses to Ben's comments.  While we were at it, we addressed Meiling's comment by tweaking a few words to require a TCG-compatible cryptoprocessor, rather than implying a need for specific hardware.

Please let Jess, Eric and myself know if there are other issues.

Thanks,
/guy

Juniper Business Use Only

-----Original Message-----
From: Benjamin Kaduk via Datatracker <noreply@ietf.org> 
Sent: Thursday, February 3, 2022 12:06 AM
To: The IESG <iesg@ietf.org>
Cc: draft-ietf-rats-tpm-based-network-device-attest@ietf.org; rats-chairs@ietf.org; rats@ietf.org; ncamwing@cisco.com; ncamwing@cisco.com
Subject: Benjamin Kaduk's Discuss on draft-ietf-rats-tpm-based-network-device-attest-11: (with DISCUSS and COMMENT)

[External Email. Be cautious of content]

Benjamin Kaduk has entered the following ballot position for
draft-ietf-rats-tpm-based-network-device-attest-11: Discuss

----------------------------------------------------------------------
DISCUSS:
----------------------------------------------------------------------

Something of a process question, but in §2.3 we refer to [Canonical-Event-Log] in a normative manner ("MUST be formatted according to ..."), but the referenced document is marked as "draft" and "work in progress", with warning that "Readers should not design products based on this document".  Are we planning to hold publication of this document until the TCG dependency is finalized?
[guy] The Canonical Event Log document is at the last stage of approval, and should be public by end of February

----------------------------------------------------------------------
COMMENT:
----------------------------------------------------------------------

There are quite a few requirements that are stated in multiple locations in this document, using normative language in the multiple locations.
This can lead to confusion and ambiguity if the different statements are found to be subtly different, and I would recommend making a normative statement of each requirement exactly once, with other instances merely mentioning as a statement of fact that the behavior in question is required.  I note some (but presumably not all) instances in the section-by-section remarks as they occur.

Other than that, it's generally well-written and was quite easy to follow.
Thanks!  (That, of course, could not possibly keep me from having further comments to make, though...)

Section 1.5

   3.  Conveyance of Evidence reliably transports the collected Evidence
       from Attester to a Verifier to allow a management station to
       perform a meaningful appraisal in Step 4.  The transport is
       typically carried out via a management network.  The channel must
       provide integrity and authenticity, and, in some use cases, may
       also require confidentiality.

It seems like there is some subtlety here if we insist that the communications channel to a potentially untrustworthy endpoint will provide integrity and authenticity (let alone confidentiality).  I suggest giving more clarity on what threats these technical measures are protecting against in relation to the potentially untrusted endpoint.

[guy] the TPM attestation message is signed by a key only known to the TPM, so getting that information to the Verifier does not need a secure channel.  We've added "Note that the attestation evidence provided by the TPM is signed by a key known only to the TPM, so that validity of this specific critical information is not dependent on security of the channel."

Section 2.1

   The result is that the Verifier can verify the device's identity by
   checking the subject attribute of the distinguished name and
   signature of the certificate containing the TPM's attestation public

Please just refer to the Subject [RFC5280] of the certificate; per draft-ietf-uta-rfc6125bis the subjectAltName (not the DN) is the preferred representation for this information.

[guy] oops, I confused Common Name and Subject.  We've added a note pointing out that the use of Subject and SubjectAltName is not the same in 802.1AR as TLS.

   *  Credentials - Administrators may wish to verify via attestation
      that public keys (and other credentials) outside the Root of Trust
      have not been subject to unauthorized tampering.  (By definition,

It's a bit surprising to see public keys referred to as Credentials; while a private key or a signed certificate might be deemed a credential, a public key devoid of other context seems to just be a public key.  Unless the intent was to refer to public keys that are entries in a trust store, in which they might be said to be credentials of the trusted entities that hold the corresponding private keys?

[guy] We've removed the parens and "other"; i.e. it's checking public keys and credentials, whatever they may be

Section 2.2

   *  When separate Identity and Attestation keys are used, the
      Attestation Key (AK) and its X.509 certificate should parallel the
      DevID, with the same device ID information as the DevID
      certificate (that is, the same subject and subjectAltName (if
      present), even though the key pairs are different).  This allows a
      quote from the device, signed by an AK, to be linked directly to
      the device that provided it, by examining the corresponding AK
      certificate.  [...]

This seems to also implicitly assume that the issuer of these certificates does not issue any other credentials using the same subject information.
When the device serial number is included, this seems pretty reliable, but in other cases the situation is less clear.

[guy] changed to "with the same unique device identification as the DevID certificate"

Section 2.3

   5.  Quotes MUST be retrieved from the TPM according to TCG TAP
       Information Model [TAP] and the CHARRA YANG model
       [I-D.ietf-rats-yang-tpm-charra].  While the TAP IM gives a
       [...]
       the signature, to preserve the trust model.  The
       [I-D.ietf-rats-yang-tpm-charra] can be used for this purpose.

If we're going to MUST-level require something, then "can be used for this purpose" seems inaccurate -- wouldn't "is used" be better?

[guy] CHARRA is a MUST.  I put 'is used'.

Section 2.4

   *  The product to be attested MUST be shipped by the equipment vendor
      with both an IEEE 802.1AR Device Identity and an Initial
      Attestation Key (IAK) with certificate in place.  The IAK

I feel like this is maybe the third time we've had "MUST ship with IDevID and IAK"; once is probably enough, and would avoid any confusion if the different locations in the text are subsequently found to be subtly different.
(A couple of the other requirements in this section are, I think, duplicates for the second time.)

[guy] We reviewed the MUSTs and I've tried to eliminate the ones that seem to intersect.

Section 2.4.2

   Quotes from a TPM can provide evidence of the state of a device up to
   the time the evidence was recorded, but to make sense of the quote in
   most cases an event log that identifies which software modules
   contributed which values to the quote during startup MUST also be
   provided.  [...]

The "in most cases" seems to be a heavy qualifier on the "MUST".  How do I know when the "MUST" does not apply?  (Or does it always apply, and there are just rare instances where it is not actually needed for Verifier
operation?)

[guy] We reworded to say that a log may not be needed in every case, but if it is, the second MUST is still a MUST

Section 3.1.1

   A secure Device Identity (DevID) in the form of an IEEE 802.1AR DevID
   certificate [IEEE-802-1AR] MUST be provisioned in the Attester's
   TPMs.

(Fourth time as a "MUST"?)

[guy]

Section 3.2.1

   Network Management systems MUST retrieve signed PCR based Evidence
   using [I-D.ietf-rats-yang-tpm-charra] with NETCONF or RESTCONF.

We had a MUST-level requirement up in §3.2 for "accomplished via an interface that implements the YANG Data Model for [tpm-charra]", but this one also requires (NETCONF or RESTCONF), excluding potential future developments such as CORECONF.  This is exactly the sort of skew between restatements of a single requirement that has been problematic in other documents, as I alluded to previously.

[guy] We simplified the wording.  You have to use a secure channel, period.

   Implementations that use NETCONF MUST do so over a TLS or SSH secure
   tunnel.  Implementations that use RESTCONF transport MUST do so over
   a TLS or SSH secure tunnel.

This is not a requirement I've seen before.  Everything else typically just uses the YANG security considerations boilerplate that notes that the mandatory (to implement) secure transport for RESTCONF is TLS and the mandatory secure transport for NETCONF is SSH.  I don't even know that you
*can* use SSH for RESTCONF (NETCONF seems pretty clear that TLS is okay).

[guy] We simplified the wording.  You have to use a secure channel, period.

Section 3.3

   In this application, each device may need to be equipped with signed
   RIMs to act as an Attester, and also an Appraisal Policy for Evidence
   and a selection of trusted X.509 root certificates, to allow the
   device to act as a Verifier.  An existing link layer protocol such as
   802.1X [IEEE-802.1X] or 802.1AE [IEEE-802.1AE], with Evidence being
   enclosed over a variant of EAP [RFC3748] or LLDP [LLDP] are suitable
   methods for such an exchange.

Should we say that the details of those "variant"s being out of scope for this document?  (What we do say is pretty far from a complete solution.)

[guy] We added: "Details of peer-to-peer operation are out of scope for this document."

Section 5

Do we want to incorporate by reference the security considerations discussed in any other documents?

There may also be some banal things to say about the security of the system as a whole being compromised if any omissions are made when building the parts for measuring code, configuration, etc.

[guy] We added notes to look at YANG and TLS security considerations

Section 5.1

   With these elements, the device's manufacturer and serial number can
   be identified by analyzing the DevID certificate plus the chain of
   intermediate certificates leading back to the manufacturer's root
   certificate.  As is conventional in TLS or SSH connections, a random
   nonce must be signed by the device in response to a challenge,
   proving possession of its DevID private key.

   RIV uses the DevID to validate a TLS or SSH connection to the device
   as the attestation session begins.  Security of this process derives
   from TLS or SSH security, with the DevID providing proof that the
   session terminates on the intended device.  See [RFC8446], [RFC4253].

   Evidence of software integrity is delivered in the form of a quote
   signed by the TPM itself.  Because the contents of the quote are
   signed inside the TPM, any external modification (including

I think somewhere in here would be a good place to reiterate that we require a binding between the DevID key and the AK as residing in the same TPM on the device, and that we rely on the presence of the device serial number as Subject information combined with trust in the manufacturer to not reuse serial numbers (or sign bogus stuff) in order to obtain that binding.
(Or maybe it fits better near the start of this section where we specifically list the two different sets of keypairs.)

[guy] fixed

Section 5.2

   *  The entire device could be spoofed.  If the Verifier goes to
      appraise a specific Attester, it might be redirected to a
      different Attester.  Use of the 802.1AR Device Identity (DevID) in
      the TPM ensures that the Verifier's TLS or SSH session is in fact
      terminating on the right device.

We might mention that if the device in question is compromised it could then go and tunnel the contents of that TLS or SSH session to a different Attester.  (As I understand it, we then go on to talk about how such an attack would be detected/prevented.)

[guy] We've added the third case explicitly, and tweaked the structure a bit.

   This is accomplished in RIV through use of an AK certificate with the
   same elements as the DevID (same manufacturer's serial number, signed
   by the same manufacturer's key), but containing the device's unique
   AK public key instead of the DevID public key.

I would probably reiterate that it is vital to the security of the system to enforce that the AK and DevID certificates are signed by the same manufacturer's key.

[guy] wording tweaked

Section 5.4

   *  TCG document [Platform-DevID-TPM-2.0] shows how the initial
      Attestation keys can be used to certify LDevID and LAK keys.  Use
      of the LDevID and LAK allows the device owner to use a uniform
      identity structure across device types from multiple manufacturers
      (in the same way that an "Asset Tag" is used by many enterprises
      to identify devices they own).  [...]

I think we should go into more detail on how the requirements that applied to manufacturers as relate to IDevID+IAK are translated to requirements on device owners when they elect to use local device credentials.  E.g., the requirement to use the same subject information in the certificates remains, as does the requirement to not issue certs to multiple devices that use the same identifier.  On the other hand, though, the requirement for being signed "by the same manufacturer key" seems to need modification, as the "same key" is going go be higher up in the certification path now.  (Hmm, maybe in a slightly different spot in the section, as it also applies to the "any other mechanism" bullet point.)

[guy] for an LAK, the owner can link the LAK and LDevID any way they want, including, e.g. a spreadsheet.  We've added a note to say how 'following the same practice of linking these keys as the manufacturer keys would be advisable.' With an xref to that section

   Clearly, local keys can't be used for secure Zero Touch provisioning;
   installation of the local keys can only be done by some process that
   runs before the device is installed for network operation.

How does this assertion relate to what BRSKI (RFC 8995) does?

[guy] We added "or using procedures such as those outlined in Bootstrapping Remote Secure Key Infrastructure (BRSKI) {{RFC8995}}"

Section 5.5

   RIV also depends on reliable Reference Values, as expressed by the
   RIM [RIM].  The definition of trust procedures for RIMs is out of
   scope for RIV, and the device owner is free to use any policy to
   validate a set of reference measurements.  RIMs may be conveyed out-
   of-band or in-band, as part of the attestation process (see
   Section 3.1.3).  But for network devices, where software is usually
   shipped as a self-contained package, RIMs signed by the manufacturer
   and delivered in-band may be more convenient for the device owner.

Is there a risk of a "replay attack" for in-band delivery of RIM data?
That is, deliberaly giving the peer stale RIM data that corresponds to an old (e.g., vulnerable) firmware instead of the latest one (for patched firmware)?

[guy] We added: "It should also be noted that, while RIV can provide a reliable indication that a known software package is in use by the device, and that the package has not been tampered, it is the device owner's responsibility to determine that it's the correct package for the application."

Section 9.2

   to record the results, and a Root of Trust for Reporting to report
   the results [TCGRoT], [SP800-155], [SP800-193].

The [TCGRoT] reference contains the word "reporting" only once, in a non-normative note that lists the "one or more security-specific functions" that a RoT can perform, so it may not be a particularly good reference here.  [SP800-193] seems to mention reporting only insofar as to say that RTRec is for Recovery, not Reporting.

[guy] We moved the list of xref's to the next sentence: "While there are many complex aspects of a Root of Trust, [], [], []"

Section 9.4

   --------------------------------------------------------------------
   | Connect the TPM to the TLS stack                | Vendor TLS     |
   |    o  Use the DevID in the TPM to authenticate  | stack (This    |
   |       TAP connections, identifying the device   | action is      |
   |                                                 | simply         |
   |                                                 | configuring TLS|
   |                                               | to use the DevID |
   |                                               | as its client    |
   |                                               | certificate)     |

Configuring a TLS stack to use a certificate with inaccessible private key is not always a "simple" action :)

[guy] ok, strike the word simply.

   | Make CoSWID tags for BIOS/Loader/Kernel objects | IETF CoSWID    |

Should we use RFC numbers/I-D names in addition to prose names?

[guy] CoSWID is mentioned along with its SACM name a few times above, and doesn't fit so well in the small space here.

Section 10.1

It will be interesting to see what the RFC Editor thinks about [IMA] as a normative reference.  I seem to recall some controversy over in NFSv4 about whether IMA was suitable to reference in an RFC...

[guy] holding breath

RFC 7950 is cited only once, in a context that does not call out to be classified as normative.  (Perhaps it should be cited from other locations if it is indeed expected to be normative?)

[guy] ok, I see;  CHARRA is Normative in this doc, and it's the one with the normative dependence on RFC7590, not RIV.  We put 7950 in the Informative bucket

I'm not convinced that RFC 8572 needs to be classified as normative.
While it does appear adjacent to a MUST, that seems to be of the form "if you might be used for 8572, you MUST do <X> to be prepared".  Only the <X> seems normative in that construction, not any use of 8572.

[guy] yes

Section 10.2

If "A normative taxonomy of terms is given in [I-D.ietf-rats-architecture]", how could we possibly classify that draft as informative?

[guy] ok, We've changed it.

NITS

I found both https://urldefense.com/v3/__https://github.com/ietf-rats-wg__;!!NEt6yMaO-gk!SV7coEKN63TVVGYwBnvEpfI0uYDxj3gG_qgSExiY7Q4tgGPAhSC_tdWWGMlPsOZAozg$  and https://urldefense.com/v3/__https://github.com/ietf-rats__;!!NEt6yMaO-gk!SV7coEKN63TVVGYwBnvEpfI0uYDxj3gG_qgSExiY7Q4tgGPAhSC_tdWWGMlP7RifTZY$  but neither seemed to have a repo that holds current and ongoing development for this document, so I gave up and am submitting these the old-fashioned way.

[guy] I am a dinosaur (but not purple)

Section 1

   A generic architecture for remote attestation has been defined in
   [I-D.ietf-rats-architecture].  Additionally, the use cases for
   remotely attesting networking devices are discussed within Section 6
   of [I-D.richardson-rats-usecases].  [...]

I suggest s/the use cases/use cases/ -- no need to implicitly claim to be an exhaustive listing.

[guy] ok

Section 1.2

   or a threat detection and mitigation tool, etc.).  While informally
   referred to as attestation, this document focuses on a specific
   subset of attestation tasks, defined here as Remote Integrity
   Verification (RIV).  RIV takes a network equipment centric
   perspective that includes a set of protocols and procedures for

I suggest s/RIV takes/RIV in this document takes/

I also think that "network-equipment-centric" should be hyphenated, but the RFC Editor will probably catch it if we're unsure.

[guy] ok

Section 1.5

   Software used to boot a device can be described as a chain of
   measurements, anchored at the start by a Root of Trust for

I don't think that software in general can be described *as* a bunch of measurements.  To say it is described *by* a bunch of measurements seems much less problematic.

[guy] changed to "Software used to boot a device can be identified by a chain"

Section 1.7

   *  This solution is for use in non-privacy-preserving applications
      (for example, networking, Industrial IoT), avoiding the need for a
      Privacy Certificate Authority for attestation keys [AK-Enrollment]

The referenced document seems to indicate that the term "Attestation CA"
is now preferred to "Privacy CA".

[guy] changed "avoiding the need for a Privacy Certificate Authority (also called an Attestation CA) for attestation keys"

   *  Run-Time Attestation: The Linux Integrity Measurement Architecture
      [IMA] attests each process launched after a device is started (and
      is in scope for RIV), but continuous run-time attestation of Linux

Perhaps "in scope for RIV in general"?

[guy] fixed

      or other multi-threaded operating system processes after they've
      started considerably expands the scope of the problem.  Many

I think that, sentence-structure wise, "they've" refers to the processes having started, but perhaps we intend to refer to the OSes as having started?

  [guy] yes, it's the 'after the OS has started'

   *  Processor Sleep Modes: Network equipment typically does not
      "sleep", so sleep and hibernate modes are not considered.
      Although out of scope for RIV, Trusted Computing Group
      specifications do encompass sleep and hibernate states.

Are they out of scope for RIV in general or just for RIV as handled in this document (for network equipment)?

[guy] "Although out of scope
  for RIV in this document, Trusted Computing Group specifications do encompass sleep and hibernate states, which could be incorporated into remote attestation for network equipment in the future, given a compelling need."

   *  Virtualization and Containerization: In a non-virtualized system,
      the host OS is responsible for measuring each User Space file or
      process, but that's the end of the boot process.  For virtualized

We could probably tighten this up around "that's the end of the boot process".  Is it that "the boot process (which is what this document considers itself with) ends once the files have been verified" or maybe "such measurement occurs after the boot process has completed"?

[guy] We tweaked to emphasize that the hypervisor has to run a whole new chain of trust

Section 2.1

       Reset---------------flow-of-time-during-boot--...------->

Is the '...' (vs '---') intentional?

[guy] tweaked

Section 2.3

   2.  For devices using UEFI and Linux, measurements of firmware and
       bootable modules MUST be taken according to TCG PC Client
       [PC-Client-EFI-TPM-1.2] or [PC-Client-BIOS-TPM-2.0], and Linux
       IMA [IMA]

Full stop at end of sentence.

[guy] ok.

Section 3.3

Figure 5 lacks a "Step 0B" annotation (though I'd be hard-pressed to find a place to fit it in)
[guy] There's always a way.

Section 9.3

Why is there a box in Figure 6 for UDP, that doesn't line up with anything else?

Also, the TAP (PTS2.0) box seems misaligned.

[guy] yes, the UDP box is now gone, and the columns lined up more carefully.

-----Original Message-----
From: RATS <rats-bounces@ietf.org> On Behalf Of internet-drafts@ietf.org
Sent: Wednesday, February 23, 2022 9:21 AM
To: i-d-announce@ietf.org
Cc: rats@ietf.org
Subject: [Rats] I-D Action: draft-ietf-rats-tpm-based-network-device-attest-12.txt

[External Email. Be cautious of content]

A New Internet-Draft is available from the on-line Internet-Drafts directories.
This draft is a work item of the Remote ATtestation ProcedureS WG of the IETF.

        Title           : TPM-based Network Device Remote Integrity Verification
        Authors         : Guy Fedorkow
                          Eric Voit
                          Jessica Fitzgerald-McKay
        Filename        : draft-ietf-rats-tpm-based-network-device-attest-12.txt
        Pages           : 45
        Date            : 2022-02-23

Abstract:
   This document describes a workflow for remote attestation of the
   integrity of firmware and software installed on network devices that
   contain Trusted Platform Modules [TPM1.2], [TPM2.0], as defined by
   the Trusted Computing Group (TCG).

The IETF datatracker status page for this draft is:
https://urldefense.com/v3/__https://datatracker.ietf.org/doc/draft-ietf-rats-tpm-based-network-device-attest/__;!!NEt6yMaO-gk!U_qnaajFcRb385L1sAcAU4Ad3LQYL1s4ZbqUPBGK7QNSm4nhpQJ5vv47m6AOuuG9mY0$

There is also an htmlized version available at:
https://urldefense.com/v3/__https://datatracker.ietf.org/doc/html/draft-ietf-rats-tpm-based-network-device-attest-12__;!!NEt6yMaO-gk!U_qnaajFcRb385L1sAcAU4Ad3LQYL1s4ZbqUPBGK7QNSm4nhpQJ5vv47m6AO1wUESaI$

A diff from the previous version is available at:
https://urldefense.com/v3/__https://www.ietf.org/rfcdiff?url2=draft-ietf-rats-tpm-based-network-device-attest-12__;!!NEt6yMaO-gk!U_qnaajFcRb385L1sAcAU4Ad3LQYL1s4ZbqUPBGK7QNSm4nhpQJ5vv47m6AOCBSjd4k$

Internet-Drafts are also available by rsync at rsync.ietf.org::internet-drafts

_______________________________________________
RATS mailing list
RATS@ietf.org
https://urldefense.com/v3/__https://www.ietf.org/mailman/listinfo/rats__;!!NEt6yMaO-gk!U_qnaajFcRb385L1sAcAU4Ad3LQYL1s4ZbqUPBGK7QNSm4nhpQJ5vv47m6AO5amIo_o$

_______________________________________________
RATS mailing list
RATS@ietf.org
https://www.ietf.org/mailman/listinfo/rats