Re: [Rats] I-D Action: draft-xia-rats-pubsub-model-01.txt
"Eric Voit (evoit)" <evoit@cisco.com> Thu, 24 October 2019 12:46 UTC
Archived-At: <https://mailarchive.ietf.org/arch/msg/rats/ajKp5aiSCmnA3hsj2LITxyvhNzY>
List-Id: Remote Attestation Procedures <rats.ietf.org>
Hi Frank,

> From: Xialiang (Frank, Network Standard & Patent Dept), Wednesday, October 23, 2019 11:32 PM
> To: Eric Voit (evoit) <evoit@cisco.com>
>
> Hi Eric,
> Thank you for the good comments!
>
> Please see inline:
>
> -----Original Message-----
> From: RATS [mailto:rats-bounces@ietf.org] on behalf of Eric Voit (evoit)
> Sent: 24 October 2019 5:38
> To: Xialiang (Frank, Network Standard & Patent Dept) <frank.xialiang@huawei.com>; rats@ietf.org
> Subject: Re: [Rats] I-D Action: draft-xia-rats-pubsub-model-01.txt
>
> Hi Frank,
>
> A few quick thoughts.
>
> (1) The best way to deliver a nonce is to augment the <establish-subscription> RPC from RFC8639. This requires just one object update. To make this work effectively, we would need to expand the draft-birkholz-rats-basic-yang-module to also include data nodes for PCR state, rather than just the current RPCs. BTW: If we base the data nodes on existing groupings, this actually is not a big change.
>
> [Frank]: I don't understand your point exactly. Since the nonce for freshness checking and protecting against replay attacks is randomly generated and varied in each notification message, I think the current dynamic subscription and configured subscription both need some extension to achieve this goal. And what is the point of your next statement about including data nodes for PCR state rather than just the current RPCs? Do you mean that in this way the PCR state can be acquired by the netconf push solution?

Yes. One way to do this would be sending a TUDA Sync token in the RPC response, or the subscription-started notification.

Eric

> (2) Figures 2 & 3 mix the context of both stream subscriptions (RFC8639) and datastore subscriptions (RFC8641). What you want is an RFC8641 subscription to draft-birkholz-rats-basic-yang-module, and an independent RFC8639 subscription to event streams like pcr-trust-evidence. The results of these subscriptions can be independently correlated at the verifier.
>
> [Frank]: You are right. Figure 2 is an example of using configured subscriptions to acquire the on-change state of PCRs, since they are very important events for the RATS protocol. Figure 3 is an example of using netconf push (datastore subscriptions) to periodically get bios-log-trust-evidence for the normal checking task. Figure 4 is an example of using the pre-defined events as the update trigger according to the relatively new ECA netconf method. But I generally agree with your idea of their relation.
>
> (3) Interestingly, the need to subscribe on-change to the values of individual PCRs (rather than a hash across multiple PCRs) is a perfect example of why a router will need to do pre-processing and summarization of signed information coming off a TPM. This is in contrast to people who believe that a cryptoprocessor's raw feed is sufficient for all off-router applications. A raw feed from a TPM is simply not sufficient.
>
> Eric
>
> > From: Xialiang (Frank, Network Standard & Patent Dept), October 21, 2019 9:13 AM
> >
> > Hi,
> > We submit a new draft describing a method of using the netconf pub/sub model in the RATS interaction procedure, to increase its flexibility, efficiency and scalability.
> >
> > Warmly welcome your comments!
> >
> > B.R.
> > Frank
> >
> >
> > -----Original Message-----
> > From: I-D-Announce [mailto:i-d-announce-bounces@ietf.org] on behalf of internet-drafts@ietf.org
> > Sent: 21 October 2019 21:09
> > To: i-d-announce@ietf.org
> > Subject: I-D Action: draft-xia-rats-pubsub-model-01.txt
> >
> >
> > A New Internet-Draft is available from the on-line Internet-Drafts directories.
> >
> >
> > Title : Using Netconf Pub/Sub Model for RATS Interaction Procedure
> > Authors : Liang Xia (Frank)
> > Wei Pan
> > Filename : draft-xia-rats-pubsub-model-01.txt
> > Pages : 14
> > Date : 2019-10-21
> >
> > Abstract:
> > This draft defines a new method of using the netconf pub/sub model in the RATS interaction procedure, to increase its flexibility, efficiency and scalability.
> >
> >
> > The IETF datatracker status page for this draft is:
> > https://datatracker.ietf.org/doc/draft-xia-rats-pubsub-model/
> >
> > There are also htmlized versions available at:
> > https://tools.ietf.org/html/draft-xia-rats-pubsub-model-01
> > https://datatracker.ietf.org/doc/html/draft-xia-rats-pubsub-model-01
> >
> > A diff from the previous version is available at:
> > https://www.ietf.org/rfcdiff?url2=draft-xia-rats-pubsub-model-01
> >
> >
> > Please note that it may take a couple of minutes from the time of submission until the htmlized version and diff are available at tools.ietf.org.
> >
> > Internet-Drafts are also available by anonymous FTP at:
> > ftp://ftp.ietf.org/internet-drafts/
> >
> > _______________________________________________
> > I-D-Announce mailing list
> > I-D-Announce@ietf.org
> > https://www.ietf.org/mailman/listinfo/i-d-announce
> > Internet-Draft directories: http://www.ietf.org/shadow.html or
> > ftp://ftp.ietf.org/ietf/1shadow-sites.txt
> > _______________________________________________
> > RATS mailing list
> > RATS@ietf.org
> > https://www.ietf.org/mailman/listinfo/rats
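The nonce-in-establish-subscription idea from point (1) above, modelled end to end as an added example (not code from the draft, from RFC 8639 or from either author of this thread): the verifier places a fresh nonce in the establish-subscription RPC, the attester's first notification carries PCR values plus a quote bound to that nonce, and the verifier consumes the nonce on success so a replayed or stale notification is rejected. The notification field names, the PCR composite digest and the HMAC standing in for the TPM attestation signature are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

# Constructed sample PCR values (index -> 32-byte digest), standing in for the
# PCR-state data nodes suggested for draft-birkholz-rats-basic-yang-module.
SAMPLE_PCRS = {0: hashlib.sha256(b"bios").digest(),
               7: hashlib.sha256(b"secure-boot-policy").digest()}
# Assumption: a shared HMAC key stands in for the TPM attestation key; a real
# attester signs with a private key and the verifier checks the public half.
ATTESTER_KEY = b"constructed-attestation-key"

def pcr_composite(pcrs):
    """Digest of the selected PCR values in index order (stand-in for a TPM PCR digest)."""
    return hashlib.sha256(b"".join(pcrs[i] for i in sorted(pcrs))).digest()

def attester_notification(sub_id, pcrs, nonce_hex, key=ATTESTER_KEY):
    """Attester side: the first notification on the subscription reports the
    PCR values and a quote bound to the nonce the verifier put in the RPC."""
    quote = hmac.new(key, pcr_composite(pcrs) + bytes.fromhex(nonce_hex),
                     hashlib.sha256).hexdigest()
    return {"subscription-id": sub_id, "nonce": nonce_hex,
            "pcrs": {i: v.hex() for i, v in pcrs.items()}, "quote": quote}

class Verifier:
    def __init__(self, key=ATTESTER_KEY):
        self.key = key
        self.outstanding = {}  # subscription-id -> nonce still awaiting its quote

    def establish_subscription(self, sub_id):
        """Verifier side: the establish-subscription RPC augmented with a fresh nonce."""
        nonce = secrets.token_hex(16)
        self.outstanding[sub_id] = nonce
        return {"establish-subscription": {"id": sub_id, "nonce": nonce}}

    def verify(self, notif):
        """Accept only a quote over the nonce issued for this subscription; the
        nonce is consumed on success, so a replayed notification fails."""
        expected = self.outstanding.get(notif["subscription-id"])
        if expected is None or not hmac.compare_digest(expected, notif["nonce"]):
            return False  # no outstanding nonce, or a stale/foreign one
        pcrs = {i: bytes.fromhex(v) for i, v in notif["pcrs"].items()}
        calc = hmac.new(self.key, pcr_composite(pcrs) + bytes.fromhex(expected),
                        hashlib.sha256).hexdigest()
        if not hmac.compare_digest(calc, notif["quote"]):
            return False  # PCR values or quote altered in transit
        del self.outstanding[notif["subscription-id"]]
        return True
```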