Re: [Rats] I-D Action: draft-xia-rats-pubsub-model-01.txt

"Eric Voit (evoit)" <evoit@cisco.com> Thu, 24 October 2019 12:46 UTC

Return-Path: <evoit@cisco.com>
X-Original-To: rats@ietfa.amsl.com
Delivered-To: rats@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 2B65A12010C for <rats@ietfa.amsl.com>; Thu, 24 Oct 2019 05:46:07 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -14.501
X-Spam-Level:
X-Spam-Status: No, score=-14.501 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_HI=-5, SPF_PASS=-0.001, URIBL_BLOCKED=0.001, USER_IN_DEF_DKIM_WL=-7.5] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=cisco.com header.b=VTaEYoOH; dkim=fail (1024-bit key) reason="fail (body has been altered)" header.d=cisco.onmicrosoft.com header.b=Xk0kpQ2m
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id qriycqyLtF3R for <rats@ietfa.amsl.com>; Thu, 24 Oct 2019 05:46:04 -0700 (PDT)
Received: from alln-iport-4.cisco.com (alln-iport-4.cisco.com [173.37.142.91]) (using TLSv1.2 with cipher DHE-RSA-SEED-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 978E81200DE for <rats@ietf.org>; Thu, 24 Oct 2019 05:46:04 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cisco.com; i=@cisco.com; l=11672; q=dns/txt; s=iport; t=1571921164; x=1573130764; h=from:to:cc:subject:date:message-id:references: in-reply-to:mime-version; bh=qsroxAw+4PXb0Ic36Vl4F7Iez58gOs1MEA/PEFIl3JA=; b=VTaEYoOHHlZr55TExCY9jiww29lj6cNUt4u5+/Tc8lWq7ClA9tKuVUoY Uap8c0VRBiTTdD0zuU0V0mIGwlmJKTAez3JLZXUk4A8yE2wcG1rcJ4gGu zaJ0Ueh1GYc7wJmcgssXnEQBYgtvMB4HymMa/7Z2XtK2wWiYeswi63zvF E=;
X-Files: smime.p7s : 3975
IronPort-PHdr: =?us-ascii?q?9a23=3AT0sNABNCeVgzBBN8XM8l6mtXPHoupqn0MwgJ65?= =?us-ascii?q?Eul7NJdOG58o//OFDEuKU/l0fHCIPc7f8My/HbtaztQyQh2d6AqzhDFf4ETB?= =?us-ascii?q?oZkYMTlg0kDtSCDBj2MvnrcwQxHd9JUxlu+HToeUU=3D?=
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: =?us-ascii?q?A0CkBQDJm7Fd/51dJa1lHAEBAQEBBwE?= =?us-ascii?q?BEQEEBAEBgXuBSyknBWwqLSAECyoKhB6DRwOKYIJemAOCUgNUAgcBAQEJAwE?= =?us-ascii?q?BGAsKAgEBhEACgz0kOBMCAwkBAQQBAQECAQUEbYU3DIVQAQEBAQIBAQEQER0?= =?us-ascii?q?BASwEBwEECwIBBgIVDwEaAwICAiULFBECBA4FCAEFDQeCNUyBeU0DDhEPAQI?= =?us-ascii?q?MlnyQYgKBOIhhdYEygn4BAQWBNAEDAg5Bgn8YghAHCYE2gVOHc4I6DxiBQD+?= =?us-ascii?q?BEUaBTn4+glcLAQEBAQEBFoFJFRsMglIygiyPeJ1vCoIkg0aCMoEXjjaCO3K?= =?us-ascii?q?GYo9Dj3mGaYUGjB0CBAIEBQIOAQEFgWkigVhwFRohgmwJRxAUgwYLGINQhRS?= =?us-ascii?q?FP3QBgSiNWwGBKQEB?=
X-IronPort-AV: E=Sophos;i="5.68,224,1569283200"; d="p7s'?scan'208";a="349826492"
Received: from rcdn-core-6.cisco.com ([173.37.93.157]) by alln-iport-4.cisco.com with ESMTP/TLS/DHE-RSA-SEED-SHA; 24 Oct 2019 12:46:02 +0000
Received: from XCH-ALN-010.cisco.com (xch-aln-010.cisco.com [173.36.7.20]) by rcdn-core-6.cisco.com (8.15.2/8.15.2) with ESMTPS id x9OCk1VI007298 (version=TLSv1.2 cipher=AES256-SHA bits=256 verify=FAIL); Thu, 24 Oct 2019 12:46:02 GMT
Received: from xhs-aln-003.cisco.com (173.37.135.120) by XCH-ALN-010.cisco.com (173.36.7.20) with Microsoft SMTP Server (TLS) id 15.0.1473.3; Thu, 24 Oct 2019 07:46:01 -0500
Received: from xhs-aln-003.cisco.com (173.37.135.120) by xhs-aln-003.cisco.com (173.37.135.120) with Microsoft SMTP Server (TLS) id 15.0.1473.3; Thu, 24 Oct 2019 07:46:00 -0500
Received: from NAM03-DM3-obe.outbound.protection.outlook.com (173.37.151.57) by xhs-aln-003.cisco.com (173.37.135.120) with Microsoft SMTP Server (TLS) id 15.0.1473.3 via Frontend Transport; Thu, 24 Oct 2019 07:46:00 -0500
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=XfyKBuS9+dbYpbKTQ285XXkP5dJaQyvDgjhY012Ktuq+xYJKfywmukcp4b8b7S9Tzo3nwZJfbF0KafVoKKjqWQwuGd9qyYuDlGSRpcbWb0FWKUiG5kEhi58x1u3RaqRn2Yehmj7UQV2s+fymI+tvSLIqVqBS5a4hfEyxoYkmnnTQce7LG787JERcQCaU1gtGyiC6Ii6YKzuMRdL8/o1ahmA8PGeDCq80M7z5PeY+SsjKMaVU4dNQ9kUqwJaZlWIpRcsbmJaZ3UZGS6Hd5/c8fJlC+xL2HDZTWe8cyHwdw+Qj6mMcMvP0z5SyvseVxNmEuiUbhlh6cHB7elSpzbjj2A==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=SNlehC0PvOCEc6uLzLOMdLzIgGpD+0HjPpUFbqGORR8=; b=bLw0UpfwzC2+hX39YqeB2mz1pcVxK9fhVWagPDIDiLhKq6XOXA5lKNSLrhh2KeSRyRmOf+3WaUUW/ospdA08g607uNkvLWkn+6ATGPi3sf9/beElAX89bZtJ99d+UGmf3WVbXoCwsV22thCp+KCyNWOvwaAfoK5aHc9u0umxlS9He7Up1quKZwfnQ7Trc16bEC2xWZLGPA9qvApQNBFtZC5r+U3x3VVr9CbwiZnwMYjCeRvoj4/TXJsXA8755TQfWZRzdixB1T/VFqrQfi42OKCBckU7Bp78hHaYpVl5NimCJp20Q8hGSSSymV8odLauHH1UmbB2iR+YVg95J+pTmA==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=cisco.com; dmarc=pass action=none header.from=cisco.com; dkim=pass header.d=cisco.com; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=cisco.onmicrosoft.com; s=selector2-cisco-onmicrosoft-com; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=SNlehC0PvOCEc6uLzLOMdLzIgGpD+0HjPpUFbqGORR8=; b=Xk0kpQ2mUbZeVa6FQK8bvJTGbIxX7eL6s7kbsW438NKuIyb3Y5yHQRfsisE+aTI3bsS5fqUqdso48VKVtgXEjG8PO6Va46p2mF3OYxqRIaFiyNZYXE6dO2n2sX8Pa4zoTiYy8REUEqT0IoOfT6C/7te2s8tTfBIdCWexBsSBoEg=
Received: from BN7PR11MB2627.namprd11.prod.outlook.com (52.135.255.31) by BN7PR11MB2531.namprd11.prod.outlook.com (52.135.243.22) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.2367.24; Thu, 24 Oct 2019 12:45:59 +0000
Received: from BN7PR11MB2627.namprd11.prod.outlook.com ([fe80::f067:b6d2:8855:b605]) by BN7PR11MB2627.namprd11.prod.outlook.com ([fe80::f067:b6d2:8855:b605%6]) with mapi id 15.20.2387.021; Thu, 24 Oct 2019 12:45:59 +0000
From: "Eric Voit (evoit)" <evoit@cisco.com>
To: "Xialiang (Frank, Network Standard & Patent Dept)" <frank.xialiang@huawei.com>
CC: "rats@ietf.org" <rats@ietf.org>
Thread-Topic: I-D Action: draft-xia-rats-pubsub-model-01.txt
Thread-Index: AQHViBDOUI4rb/HFBUK0zshVl4zGpqdlEcGwgAOpqICAAFOgUIAArEcA
Date: Thu, 24 Oct 2019 12:45:58 +0000
Message-ID: <BN7PR11MB26271718BBB4C711C15F460FA16A0@BN7PR11MB2627.namprd11.prod.outlook.com>
References: <157166335792.31879.1954974781212349601@ietfa.amsl.com> <C02846B1344F344EB4FAA6FA7AF481F13E9ABCCD@dggemm511-mbs.china.huawei.com> <SN6PR11MB263844CBF5EC4BF9EAA11604A16B0@SN6PR11MB2638.namprd11.prod.outlook.com> <C02846B1344F344EB4FAA6FA7AF481F13E9BCDAD@dggemm511-mbs.china.huawei.com>
In-Reply-To: <C02846B1344F344EB4FAA6FA7AF481F13E9BCDAD@dggemm511-mbs.china.huawei.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach: yes
X-MS-TNEF-Correlator:
authentication-results: spf=none (sender IP is ) smtp.mailfrom=evoit@cisco.com;
x-originating-ip: [173.38.117.82]
x-ms-publictraffictype: Email
x-ms-office365-filtering-correlation-id: 71d72573-b7bf-4d78-7dea-08d758801ee1
x-ms-traffictypediagnostic: BN7PR11MB2531:
x-microsoft-antispam-prvs: <BN7PR11MB2531DD590B405876F27DD706A16A0@BN7PR11MB2531.namprd11.prod.outlook.com>
x-ms-oob-tlc-oobclassifiers: OLM:7219;
x-forefront-prvs: 0200DDA8BE
x-forefront-antispam-report: SFV:NSPM; SFS:(10009020)(4636009)(346002)(39860400002)(136003)(366004)(396003)(376002)(199004)(189003)(7736002)(86362001)(486006)(74316002)(476003)(305945005)(26005)(3846002)(229853002)(6116002)(4326008)(446003)(11346002)(6916009)(14454004)(966005)(478600001)(66066001)(6246003)(2906002)(33656002)(256004)(14444005)(6306002)(9686003)(55016002)(25786009)(6436002)(71190400001)(71200400001)(52536014)(5660300002)(4001150100001)(99286004)(66476007)(66556008)(64756008)(66446008)(66616009)(76116006)(316002)(99936001)(66574012)(102836004)(76176011)(7696005)(186003)(8936002)(8676002)(6506007)(66946007)(81166006)(81156014); DIR:OUT; SFP:1101; SCL:1; SRVR:BN7PR11MB2531; H:BN7PR11MB2627.namprd11.prod.outlook.com; FPR:; SPF:None; LANG:en; PTR:InfoNoRecords; A:1; MX:1;
received-spf: None (protection.outlook.com: cisco.com does not designate permitted sender hosts)
x-ms-exchange-senderadcheck: 1
x-microsoft-antispam: BCL:0;
x-microsoft-antispam-message-info: 5gmqOFjOtw2jmh3bweSLiMmKpo62wSCPEJI2OI9lFQp9FVxaAF4Y4hg0r8IX837sF75g4lEzq5LKPKVdFUFPildx8LDqtlA4OYeyTZIbFXTSkyuEsW92gU8MSboxT3uWiLwFpHorDUAZEGWIUPeERnV8U/IsSjKifAjN8craf3Dt1sOkySNf5DOkmKu0cUdLrQko+kRdehv8N7FgS1se936dtByB3Gm7W0ODvljF4uGO3F9Xx3WIyDyVvguNy53beA3ZnsCM+Zur7MolTQggxRK+Z+1D62sa7Se/bigMHYo/tLhwLtMSif+319/WlhDCNofEvdqYsqNuEW/dSTTKi1qYixuypQX4ReCQ0tr1dgVaMD6fASYwcJgM0YHVm0vX295AfPE6gT+Oe85UTJBquoS4KRnrNTM9natE0UHnVyvecbDWaD7wpJeZSZhIOmrV
x-ms-exchange-transport-forked: True
Content-Type: multipart/signed; protocol="application/x-pkcs7-signature"; micalg=SHA1; boundary="----=_NextPart_000_0DD9_01D58A45.A1CD71F0"
MIME-Version: 1.0
X-MS-Exchange-CrossTenant-Network-Message-Id: 71d72573-b7bf-4d78-7dea-08d758801ee1
X-MS-Exchange-CrossTenant-originalarrivaltime: 24 Oct 2019 12:45:59.0198 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 5ae1af62-9505-4097-a69a-c1553ef7840e
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-CrossTenant-userprincipalname: pZ3RhCwNaSa6n9KyHvzxYXwLgWfm6ia1A7+nb25duRRBuE1Kdu7FklmJkZYZj01W
X-MS-Exchange-Transport-CrossTenantHeadersStamped: BN7PR11MB2531
X-OriginatorOrg: cisco.com
X-Outbound-SMTP-Client: 173.36.7.20, xch-aln-010.cisco.com
X-Outbound-Node: rcdn-core-6.cisco.com
Archived-At: <https://mailarchive.ietf.org/arch/msg/rats/ajKp5aiSCmnA3hsj2LITxyvhNzY>
Subject: Re: [Rats] I-D Action: draft-xia-rats-pubsub-model-01.txt
X-BeenThere: rats@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Remote Attestation Procedures <rats.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/rats>, <mailto:rats-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/rats/>
List-Post: <mailto:rats@ietf.org>
List-Help: <mailto:rats-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/rats>, <mailto:rats-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 24 Oct 2019 12:46:07 -0000

Hi Frank,

> From: Xialiang (Frank, Network Standard & Patent Dept), Wednesday, October 23, 2019 11:32 PM
> To: Eric Voit (evoit) <evoit@cisco.com>
> 
> Hi Eric,
> Thank you for good comments!
> 
> Please see inline:
> 
> -----邮件原件-----
> 发件人: RATS [mailto:rats-bounces@ietf.org] 代表 Eric Voit (evoit)
> 发送时间: 2019年10月24日 5:38
> 收件人: Xialiang (Frank, Network Standard & Patent Dept)
> <frank.xialiang@huawei.com>om>; rats@ietf.org
> 主题: Re: [Rats] I-D Action: draft-xia-rats-pubsub-model-01.txt
> 
> Hi Frank,
> 
> A few quick thoughts.
> 
> (1) The best way to deliver a nonce is to augment the <establish-
> subscription> RPC from RFC8639.  This requires just one object update.   To
> make this work effectively, we would need to expand the draft-birkholz-rats-
> basic-yang-module to also include data nodes for PCR state, rather than just
> the current RPCs.  BTW: If we base the data nodes on existing groupings, this
> actually is not a big change.
> [Frank]: I don't understand your point exactly. Since nonce for freshness
> checking and protecting against replay attack is used by a randomly
> generating and varied in each notification message way, I think current
> dynamic subscription or configured subscription both need some extension
> for achieving this goal. And what is the point of your next statement of
> including data nodes for PCR state rather than just the current RPCs? Do you
> mean by this way the PCR state can be acquired by netconf push solution?

Yes.  One way to do this would be sending a TUDA Sync token in the RPC response, or the subscription-started notification.

Eric
 
> (2) Figure 2 & 3 mix the context of both stream subscriptions (RFC8639) and
> datastore subscriptions (RFC8641).  What you want is an RFC8641
> subscription to draft-birkholz-rats-basic-yang-module, and an independent
> RFC8639 subscription to event streams like pcr-trust-evidence.  The results of
> these subscriptions can be independently correlated at the verifier.
> [Frank]: You are right. Figure 2 is an example of using configured
> subscriptions to acquire the on-change state of PCR since they are very
> important event for RATS protocol. Figure 3 is an example of using netconf
> push (datastore subscriptions) to periodically get bios-log-trust-evidence for
> normal checking task. Figure 4 is an example of using the pre-defined events
> as the update trigger according the relatively new ECA netconf method. But I
> generally agree with your idea of their relation.
> 
> (3) Interestingly, the need to subscribe on-change to the values of individual
> PCRs (rather than a hash across multiple PCRs) is a perfect example of why a
> router will need to do pre-processing and summarization of signed
> information coming off a TPM.  This is in contrast to people who believe that
> a cryptoprocessor's raw feed is sufficient for all off-router applications.  A
> raw feed from a TPM is simply not sufficent.
> 
> Eric
> 
> > From: Xialiang (Frank, Network Standard & Patent Dept), October 21,
> > 2019 9:13 AM
> >
> > Hi,
> > We submit a new draft describing a method of using the netconf pub/sub
> > model in the RATS interaction procedure, to increase its flexibility,
> > efficiency and scalability.
> >
> > Warmly welcome your comments!
> >
> > B.R.
> > Frank
> >
> >
> > -----邮件原件-----
> > 发件人: I-D-Announce [mailto:i-d-announce-bounces@ietf.org] 代表
> > internet-drafts@ietf.org
> > 发送时间: 2019年10月21日 21:09
> > 收件人: i-d-announce@ietf.org
> > 主题: I-D Action: draft-xia-rats-pubsub-model-01.txt
> >
> >
> > A New Internet-Draft is available from the on-line Internet-Drafts
> directories.
> >
> >
> >         Title           : Using Netconf Pub/Sub Model for RATS Interaction
> > Procedure
> >         Authors         : Liang Xia (Frank)
> >                           Wei Pan
> > 	Filename        : draft-xia-rats-pubsub-model-01.txt
> > 	Pages           : 14
> > 	Date            : 2019-10-21
> >
> > Abstract:
> >    This draft defines the a new method of using the netconf pub/sub
> >    model in the RATS interaction procedure, to increse its flexibility,
> >    efficiency and scalability.
> >
> >
> > The IETF datatracker status page for this draft is:
> > https://datatracker.ietf.org/doc/draft-xia-rats-pubsub-model/
> >
> > There are also htmlized versions available at:
> > https://tools.ietf.org/html/draft-xia-rats-pubsub-model-01
> > https://datatracker.ietf.org/doc/html/draft-xia-rats-pubsub-model-01
> >
> > A diff from the previous version is available at:
> > https://www.ietf.org/rfcdiff?url2=draft-xia-rats-pubsub-model-01
> >
> >
> > Please note that it may take a couple of minutes from the time of
> > submission until the htmlized version and diff are available at
> tools.ietf.org.
> >
> > Internet-Drafts are also available by anonymous FTP at:
> > ftp://ftp.ietf.org/internet-drafts/
> >
> > _______________________________________________
> > I-D-Announce mailing list
> > I-D-Announce@ietf.org
> > https://www.ietf.org/mailman/listinfo/i-d-announce
> > Internet-Draft directories: http://www.ietf.org/shadow.html or
> > ftp://ftp.ietf.org/ietf/1shadow-sites.txt
> > _______________________________________________
> > RATS mailing list
> > RATS@ietf.org
> > https://www.ietf.org/mailman/listinfo/rats