Re: [Rats] Call for adoption (after draft rename) for Yang module draft

Dave Thaler <dthaler@microsoft.com> Mon, 18 November 2019 08:52 UTC

From: Dave Thaler <dthaler@microsoft.com>
To: "Schönwälder, Jürgen" <J.Schoenwaelder@jacobs-university.de>
CC: Laurence Lundblade <lgl@island-resort.com>, "Nancy Cam-Winget (ncamwing)" <ncamwing@cisco.com>, "Oliver, Ian (Nokia - FI/Espoo)" <ian.oliver@nokia-bell-labs.com>, "Smith, Ned" <ned.smith@intel.com>, Henk Birkholz <henk.birkholz@sit.fraunhofer.de>, "rats@ietf.org" <rats@ietf.org>
Thread-Topic: [Rats] Call for adoption (after draft rename) for Yang module draft
Date: Mon, 18 Nov 2019 08:52:26 +0000
Message-ID: <MWHPR21MB0784B0111EADA4A9A6C766D0A34D0@MWHPR21MB0784.namprd21.prod.outlook.com>
References: <147F9159-6055-4E55-ABDC-43DFE3498BF1@island-resort.com> <ce5f8206-74dc-36bb-0093-a93045d5c67f@sit.fraunhofer.de> <0A7E3A4F-8534-4E98-BCB7-1454E07699F4@island-resort.com> <C3AE2645-49C8-4313-BCED-02FEB576B614@cisco.com> <1C8A1884-A37D-45E3-8C11-2FC5A083B245@island-resort.com> <HE1PR0702MB375366C5F7FE5C497C35D73B8F740@HE1PR0702MB3753.eurprd07.prod.outlook.com> <7106C9D3-8ED1-419E-81F8-4CDA799BEDAE@intel.com> <MWHPR21MB07844F61BEFAE03F9E7DD290A3770@MWHPR21MB0784.namprd21.prod.outlook.com> <6E7D64B4-2049-4D0A-ADC5-CA3F0647779B@island-resort.com> <MWHPR21MB07840B6CF7BEE0A11ABE54BFA3700@MWHPR21MB0784.namprd21.prod.outlook.com> <20191117144129.llvg7fsrqgaqtgkn@anna.jacobs.jacobs-university.de>
In-Reply-To: <20191117144129.llvg7fsrqgaqtgkn@anna.jacobs.jacobs-university.de>
Accept-Language: en-US
Content-Language: en-US
Archived-At: <https://mailarchive.ietf.org/arch/msg/rats/oe-7dSu00gq2ZstoMkY0jOigZX4>
Subject: Re: [Rats] Call for adoption (after draft rename) for Yang module draft
List-Id: Remote Attestation Procedures <rats.ietf.org>

Challenge response can be done in a protocol initiated by the Attester, whether the Attester talks directly to the Verifier (passport model),
or indirectly via a Relying Party (normal background check model), without the device needing to run a server of some sort like netconf or restconf.

At the hackathon, Nancy provided the first actual answer to my question I've seen, so I'll try to summarize it here.
I'm also going to use "device initiated" instead of "push", and "verifier initiated" instead of "pull" in case others have different definitions of push/pull than I intend.

Here's the two cases I've heard for device attestations that are verifier initiated (or "network initiated" if you prefer since these are network use cases):
Case 1) The network notices anomalous traffic coming from a device already on the network, which triggers a verifier to ask the device to attest to its health (which may have changed since it was last attested).  Here there might even be no Relying Party involved per se. 
Case 2) The network has not noticed anything odd, but wants to proactively query a device anyway, e.g., because the network's appraisal policy of what is considered trustworthy has just changed.  Again there might even be no Relying Party involved.

It was also pointed out at the hackathon that using an L2 protocol like EAP to trigger the device to attest can work in cases where a host firewall is present.
However, not all devices/links use EAP.

Dave

-----Original Message-----
From: Schönwälder, Jürgen <J.Schoenwaelder@jacobs-university.de> 
Sent: Sunday, November 17, 2019 10:41 PM
To: Dave Thaler <dthaler@microsoft.com>
Cc: Laurence Lundblade <lgl@island-resort.com>; Nancy Cam-Winget (ncamwing) <ncamwing@cisco.com>; Oliver, Ian (Nokia - FI/Espoo) <ian.oliver@nokia-bell-labs.com>; Smith, Ned <ned.smith@intel.com>; Henk Birkholz <henk.birkholz@sit.fraunhofer.de>; rats@ietf.org
Subject: Re: [Rats] Call for adoption (after draft rename) for Yang module draft

On Fri, Nov 15, 2019 at 07:38:32AM +0000, Dave Thaler wrote:
> 
> If there is a compelling reason to support a pull-based mechanism, and we get consensus that we need it, then great.
> But so far I haven’t heard one.
>

I hope I get the terminology right...

Research papers I have seen often use a challenge response model where the 'verifier' sends a specific challenge that the 'attester' has to answer (often with time constraints, minimizing the chance to relay the challenge and such things). I think I pointed this out before.

Perhaps RATS does not need this form of challenge response attestation and perhaps RATS is fine with the assumption that the attester somehow knows which claims a verifier needs. But then it would be nice to spell this out clearly so that people looking for challenge response attestation flows know that RATS is not for them.

/js

-- 
Juergen Schoenwaelder           Jacobs University Bremen gGmbH
Phone: +49 421 200 3587         Campus Ring 1 | 28759 Bremen | Germany
Fax:   +49 421 200 3103         <https://www.jacobs-university.de/>
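The two messages above argue about the same exchange from different ends: Juergen's quoted note describes a Verifier-issued, time-constrained challenge that the Attester must answer, and Dave's reply points out that such a challenge can still be carried in a flow the Attester initiates, so the device never has to run a netconf/restconf server. The following Python sketch is an added example written for this page; it is not code from either author nor from any RATS working group draft. It assumes a constructed symmetric attestation key (HMAC-SHA256 stands in for the device's asymmetric attestation signature so the example stays stdlib-only), constructed claims and appraisal policy, and an injectable clock so the "answered too slowly" case is reproducible. Class and function names (`Attester`, `Verifier`, `attester_initiated_flow`, `run_scenarios`) are hypothetical.

```python
"""Attester-initiated challenge-response attestation (toy, standard library only).

The Attester opens the conversation, asks for a nonce, and answers it; the
Verifier enforces single-use nonces, a response deadline, integrity of the
claims, and an appraisal policy.  Background check is the same three steps
with a Relying Party forwarding the nonce and the Evidence.
"""
import hashlib
import hmac
import json
import secrets
import time

# Constructed for this example: a symmetric key shared by Attester and Verifier.
# Real Evidence is signed with the device's asymmetric attestation key.
ATTESTATION_KEY = bytes.fromhex("00112233445566778899aabbccddeeff" * 2)


def _to_be_signed(nonce: str, claims: dict) -> bytes:
    """Canonical encoding so both sides MAC exactly the same bytes."""
    return json.dumps({"nonce": nonce, "claims": claims},
                      sort_keys=True, separators=(",", ":")).encode()


class Attester:
    """The device.  It initiates the exchange and never listens for connections."""

    def __init__(self, key: bytes, claims: dict):
        self._key = key
        self.claims = claims  # constructed measurements (boot state, firmware hash)

    def produce_evidence(self, nonce: str) -> dict:
        mac = hmac.new(self._key, _to_be_signed(nonce, self.claims),
                       hashlib.sha256).hexdigest()
        return {"nonce": nonce, "claims": self.claims, "mac": mac}


class Verifier:
    """Issues single-use nonces and appraises Evidence within a time window."""

    def __init__(self, key: bytes, window_s: float = 2.0, clock=time.monotonic):
        self._key = key
        self._window_s = window_s   # how long the Attester has to answer
        self._clock = clock         # injectable so the deadline is testable
        self._pending = {}          # nonce -> time it was issued

    def issue_challenge(self) -> str:
        nonce = secrets.token_hex(16)
        self._pending[nonce] = self._clock()
        return nonce

    def appraise(self, evidence: dict) -> tuple:
        """Return (accepted, reason).  Each check is a distinct failure mode."""
        issued = self._pending.pop(evidence.get("nonce", ""), None)
        if issued is None:
            return False, "unknown or already-used nonce"
        if self._clock() - issued > self._window_s:
            return False, "answered too slowly (possible relay)"
        expected = hmac.new(self._key,
                            _to_be_signed(evidence["nonce"], evidence["claims"]),
                            hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, evidence.get("mac", "")):
            return False, "MAC does not match claims"
        # Constructed appraisal policy: the Verifier decides what it needs to see.
        if evidence["claims"].get("secure_boot") is not True:
            return False, "policy: secure boot disabled"
        return True, "trustworthy"


def attester_initiated_flow(attester: Attester, verifier: Verifier) -> tuple:
    """Passport model: device asks for a challenge, answers it, gets a verdict."""
    nonce = verifier.issue_challenge()          # 1. device requests a challenge
    evidence = attester.produce_evidence(nonce)  # 2. device answers it
    return verifier.appraise(evidence)           # 3. verifier appraises


def run_scenarios() -> dict:
    """Happy path plus the failure modes the Verifier must catch."""
    now = [0.0]  # fake clock in seconds
    verifier = Verifier(ATTESTATION_KEY, window_s=2.0, clock=lambda: now[0])
    good = Attester(ATTESTATION_KEY, {"secure_boot": True, "fw_sha256": "ab12"})
    results = {"fresh": attester_initiated_flow(good, verifier)[0]}

    nonce = verifier.issue_challenge()
    evidence = good.produce_evidence(nonce)
    verifier.appraise(evidence)
    results["replay"] = verifier.appraise(evidence)[0]   # same nonce twice

    nonce = verifier.issue_challenge()
    evidence = good.produce_evidence(nonce)
    now[0] += 5.0                                         # past the 2 s window
    results["slow"] = verifier.appraise(evidence)[0]

    nonce = verifier.issue_challenge()
    evidence = good.produce_evidence(nonce)
    evidence["claims"] = {"secure_boot": True, "fw_sha256": "ffff"}  # edited after MAC
    results["tampered"] = verifier.appraise(evidence)[0]

    bad = Attester(ATTESTATION_KEY, {"secure_boot": False, "fw_sha256": "ab12"})
    results["policy"] = attester_initiated_flow(bad, verifier)[0]
    return results


if __name__ == "__main__":
    print(run_scenarios())
```

Note that the verifier-initiated cases in Dave's summary (anomalous traffic, changed appraisal policy) differ only in who sends the first message; the nonce, deadline and MAC checks in `appraise` are identical, which is the point that a challenge-response design does not by itself require the device to run a server.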