Re: [Rats] I-D Action: draft-xia-rats-pubsub-model-01.txt

"Eric Voit (evoit)" <evoit@cisco.com> Wed, 23 October 2019 21:38 UTC

From: "Eric Voit (evoit)" <evoit@cisco.com>
To: "Xialiang (Frank, Network Standard & Patent Dept)" <frank.xialiang@huawei.com>, "rats@ietf.org" <rats@ietf.org>
Thread-Topic: I-D Action: draft-xia-rats-pubsub-model-01.txt
Thread-Index: AQHViBDOUI4rb/HFBUK0zshVl4zGpqdlEcGwgAOpqIA=
Date: Wed, 23 Oct 2019 21:38:18 +0000
Message-ID: <SN6PR11MB263844CBF5EC4BF9EAA11604A16B0@SN6PR11MB2638.namprd11.prod.outlook.com>
References: <157166335792.31879.1954974781212349601@ietfa.amsl.com> <C02846B1344F344EB4FAA6FA7AF481F13E9ABCCD@dggemm511-mbs.china.huawei.com>
In-Reply-To: <C02846B1344F344EB4FAA6FA7AF481F13E9ABCCD@dggemm511-mbs.china.huawei.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/rats/mWSZ5-8Ym7Rv-LBniE9RXL7dIzo>
List-Id: Remote Attestation Procedures <rats.ietf.org>

Hi Frank,

A few quick thoughts.

(1) The best way to deliver a nonce is to augment the <establish-subscription> RPC from RFC8639. This requires just one object update. To make this work effectively, we would need to expand the draft-birkholz-rats-basic-yang-module to also include data nodes for PCR state, rather than just the current RPCs. BTW: If we base the data nodes on existing groupings, this actually is not a big change.

(2) Figures 2 & 3 mix the context of both stream subscriptions (RFC8639) and datastore subscriptions (RFC8641).  What you want is an RFC8641 subscription to draft-birkholz-rats-basic-yang-module, and an independent RFC8639 subscription to event streams like pcr-trust-evidence.  The results of these subscriptions can be independently correlated at the verifier.

(3) Interestingly, the need to subscribe on-change to the values of individual PCRs (rather than a hash across multiple PCRs) is a perfect example of why a router will need to do pre-processing and summarization of signed information coming off a TPM.  This is in contrast to people who believe that a cryptoprocessor's raw feed is sufficient for all off-router applications.  A raw feed from a TPM is simply not sufficient.

Eric
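The three points above, worked through as an added simulation (editor's illustration, not code from this thread, from draft-xia-rats-pubsub-model or from draft-birkholz-rats-basic-yang-module). It assumes, as stand-ins: SHA-256 PCR banks extended TPM-style (new = H(old || measurement)); an HMAC with a shared key in place of the TPM attestation-key signature; plain dicts in place of the RFC 8639/8641 YANG subscription objects; and constructed measurements as input. The nonce travels in the establish-subscription request (point 1), the per-PCR on-change feed and the signed quote feed are separate subscriptions correlated only at the verifier (point 2), and the per-PCR deltas exist only because the attester diffs PCR state itself, since the quote signs one composite digest (point 3).

```python
"""Simulated attester/verifier for the subscription pattern discussed in this
thread. Added illustration; stand-ins (HMAC for the attestation key, dicts for
the YANG subscription objects, constructed measurements) are assumptions."""
import hashlib
import hmac
import secrets

PCR_COUNT = 8
AK_KEY = b"stand-in for the TPM attestation key"   # assumption, not a real AK


def pcr_extend(old: bytes, measurement: bytes) -> bytes:
    return hashlib.sha256(old + measurement).digest()


def composite_digest(pcrs: list, selection: tuple) -> bytes:
    """What a quote actually covers: one hash across the selected PCRs."""
    return hashlib.sha256(b"".join(pcrs[i] for i in selection)).digest()


class SimulatedTPM:
    def __init__(self):
        self.pcrs = [bytes(32)] * PCR_COUNT

    def extend(self, idx: int, measurement: bytes) -> None:
        self.pcrs[idx] = pcr_extend(self.pcrs[idx], measurement)

    def quote(self, selection: tuple, nonce: bytes) -> dict:
        digest = composite_digest(self.pcrs, selection)
        signed = nonce + bytes(selection) + digest
        return {"nonce": nonce, "selection": selection, "pcr_digest": digest,
                "sig": hmac.new(AK_KEY, signed, "sha256").digest()}


class Attester:
    """Router side: owns the TPM and serves two independent subscriptions."""

    def __init__(self, tpm: SimulatedTPM):
        self.tpm = tpm
        self.last_seen = list(tpm.pcrs)    # state needed for on-change detection
        self.subs = {}

    def establish_subscription(self, req: dict) -> int:
        # Point (1): the nonce rides in the (augmented) establish-subscription RPC.
        sub_id = len(self.subs) + 1
        self.subs[sub_id] = dict(req)
        return sub_id

    def on_change_notifications(self) -> list:
        # Point (3): the TPM reads raw PCRs or signs a composite; the router
        # itself must diff and summarize to offer per-PCR on-change events.
        out = []
        for i, cur in enumerate(self.tpm.pcrs):
            if cur != self.last_seen[i]:
                out.append({"pcr": i, "value": cur})
                self.last_seen[i] = cur
        return out

    def quote_notification(self, sub_id: int) -> dict:
        sub = self.subs[sub_id]
        return self.tpm.quote(sub["selection"], sub["nonce"])


class Verifier:
    """Correlates the on-change PCR feed with the signed quote feed (point 2)."""

    def __init__(self):
        self.pcrs = [bytes(32)] * PCR_COUNT
        self.nonce = None

    def subscribe(self, attester: Attester, selection: tuple) -> tuple:
        self.nonce = secrets.token_bytes(16)
        ds = attester.establish_subscription(
            {"datastore": "rats-basic-yang-module", "selection": selection})
        ev = attester.establish_subscription(
            {"stream": "pcr-trust-evidence", "selection": selection, "nonce": self.nonce})
        return ds, ev

    def apply_changes(self, notifications: list) -> None:
        for n in notifications:
            self.pcrs[n["pcr"]] = n["value"]

    def check_quote(self, quote: dict) -> bool:
        signed = quote["nonce"] + bytes(quote["selection"]) + quote["pcr_digest"]
        expected = hmac.new(AK_KEY, signed, "sha256").digest()
        if not hmac.compare_digest(expected, quote["sig"]):
            return False                     # not produced under the attestation key
        if quote["nonce"] != self.nonce:
            return False                     # stale or replayed quote
        # The unsigned per-PCR stream is accepted only if it reproduces the signed composite.
        return composite_digest(self.pcrs, quote["selection"]) == quote["pcr_digest"]


def demo() -> bool:
    tpm, verifier = SimulatedTPM(), Verifier()
    attester = Attester(tpm)
    _, ev_sub = verifier.subscribe(attester, selection=(0, 3))
    tpm.extend(0, hashlib.sha256(b"constructed: boot loader image").digest())
    tpm.extend(3, hashlib.sha256(b"constructed: router config").digest())
    verifier.apply_changes(attester.on_change_notifications())
    return verifier.check_quote(attester.quote_notification(ev_sub))


if __name__ == "__main__":
    print("evidence correlates:", demo())
```

The verifier never trusts the on-change stream on its own: a tampered or dropped per-PCR notification leaves its reconstructed state unable to reproduce the composite digest the quote signs, and a quote carrying a nonce from an earlier subscription is rejected as a replay.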

> From: Xialiang (Frank, Network Standard & Patent Dept), October 21, 2019 9:13 AM
> 
> Hi,
> We submit a new draft describing a method of using the netconf pub/sub
> model in the RATS interaction procedure, to increase its flexibility, efficiency
> and scalability.
> 
> Warmly welcome your comments!
> 
> B.R.
> Frank
> 
> 
> -----Original Message-----
> From: I-D-Announce [mailto:i-d-announce-bounces@ietf.org] On Behalf Of
> internet-drafts@ietf.org
> Sent: 21 October 2019 21:09
> To: i-d-announce@ietf.org
> Subject: I-D Action: draft-xia-rats-pubsub-model-01.txt
> 
> 
> A New Internet-Draft is available from the on-line Internet-Drafts directories.
> 
> 
>         Title           : Using Netconf Pub/Sub Model for RATS Interaction Procedure
>         Authors         : Liang Xia (Frank)
>                           Wei Pan
>         Filename        : draft-xia-rats-pubsub-model-01.txt
>         Pages           : 14
>         Date            : 2019-10-21
> 
> Abstract:
>    This draft defines a new method of using the netconf pub/sub
>    model in the RATS interaction procedure, to increase its flexibility,
>    efficiency and scalability.
> 
> 
> The IETF datatracker status page for this draft is:
> https://datatracker.ietf.org/doc/draft-xia-rats-pubsub-model/
> 
> There are also htmlized versions available at:
> https://tools.ietf.org/html/draft-xia-rats-pubsub-model-01
> https://datatracker.ietf.org/doc/html/draft-xia-rats-pubsub-model-01
> 
> A diff from the previous version is available at:
> https://www.ietf.org/rfcdiff?url2=draft-xia-rats-pubsub-model-01
> 
> 
> Please note that it may take a couple of minutes from the time of
> submission until the htmlized version and diff are available at tools.ietf.org.
> 
> Internet-Drafts are also available by anonymous FTP at:
> ftp://ftp.ietf.org/internet-drafts/
> 