Re: [Rats] Call for adoption (after draft rename) for Yang module draft

Laurence Lundblade <lgl@island-resort.com> Tue, 12 November 2019 20:22 UTC

Return-Path: <lgl@island-resort.com>
X-Original-To: rats@ietfa.amsl.com
Delivered-To: rats@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 18164120887 for <rats@ietfa.amsl.com>; Tue, 12 Nov 2019 12:22:04 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.894
X-Spam-Level:
X-Spam-Status: No, score=-1.894 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_MSPIKE_H3=0.001, RCVD_IN_MSPIKE_WL=0.001, SPF_HELO_NONE=0.001, SPF_NONE=0.001, URIBL_BLOCKED=0.001] autolearn=unavailable autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id hZN3bVWD3Hf7 for <rats@ietfa.amsl.com>; Tue, 12 Nov 2019 12:22:01 -0800 (PST)
Received: from p3plsmtpa09-01.prod.phx3.secureserver.net (p3plsmtpa09-01.prod.phx3.secureserver.net [173.201.193.230]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 588FA12085E for <rats@ietf.org>; Tue, 12 Nov 2019 12:22:01 -0800 (PST)
Received: from [10.141.0.10] ([45.56.150.139]) by :SMTPAUTH: with ESMTPA id Ucfoin5ZCnaIyUcfoiB0Yi; Tue, 12 Nov 2019 13:22:00 -0700
From: Laurence Lundblade <lgl@island-resort.com>
Message-Id: <CF49BC50-29A6-4A68-8FF6-0B0229B19F37@island-resort.com>
Content-Type: multipart/alternative; boundary="Apple-Mail=_CAA04234-1AD5-4EC7-8DFB-74562A916F48"
Mime-Version: 1.0 (Mac OS X Mail 12.4 \(3445.104.11\))
Date: Tue, 12 Nov 2019 12:21:59 -0800
In-Reply-To: <DM6PR11MB415482CA6DB46BAAAE15A00EA1770@DM6PR11MB4154.namprd11.prod.outlook.com>
Cc: Dave Thaler <dthaler=40microsoft.com@dmarc.ietf.org>, "Smith, Ned" <ned.smith@intel.com>, "Oliver, Ian (Nokia - FI/Espoo)" <ian.oliver@nokia-bell-labs.com>, "Nancy Cam-Winget (ncamwing)" <ncamwing@cisco.com>, "rats@ietf.org" <rats@ietf.org>, Henk Birkholz <henk.birkholz@sit.fraunhofer.de>
To: "Eric Voit (evoit)" <evoit@cisco.com>
References: <8B173958-FC2A-4D1D-A81C-F324AB632CD7@cisco.com> <147F9159-6055-4E55-ABDC-43DFE3498BF1@island-resort.com> <ce5f8206-74dc-36bb-0093-a93045d5c67f@sit.fraunhofer.de> <0A7E3A4F-8534-4E98-BCB7-1454E07699F4@island-resort.com> <C3AE2645-49C8-4313-BCED-02FEB576B614@cisco.com> <1C8A1884-A37D-45E3-8C11-2FC5A083B245@island-resort.com> <HE1PR0702MB375366C5F7FE5C497C35D73B8F740@HE1PR0702MB3753.eurprd07.prod.outlook.com> <7106C9D3-8ED1-419E-81F8-4CDA799BEDAE@intel.com> <MWHPR21MB07844F61BEFAE03F9E7DD290A3770@MWHPR21MB0784.namprd21.prod.outlook.com> <DM6PR11MB415482CA6DB46BAAAE15A00EA1770@DM6PR11MB4154.namprd11.prod.outlook.com>
X-Mailer: Apple Mail (2.3445.104.11)
X-CMAE-Envelope: MS4wfDabtjWhaWDoVclU9qyi/GL11ztY8ddDWsLzwpU2V+K9i+zQvJoWkF+MRUtkstQeDpq5/4m2Rp2w0lduSbZPVyNW0wPKfQFYgJb0kWWh9bBoYj51O7Ca WPRYGKGKcVvh6u1cXt2G6V0oTpw/Crf4HzDazAq9zBHJ+HOL5fl/iCcFDMx0WtvphMqKLfabFvdcIGiPxy3dIxCMN+t8hTzTLKvJKXy/Bleud4mvEyQrl55x IauNHe48P7Yes2cimiPKApulhVE/edu18OzFy5McmRmoA/EwWr4/5aeduKSUGreeBpPRpdQnYuOlUVzG+zLJ9j2TbgZjRltphNFdtc76mxM+NhYSuowG3gcn 4bOb9bM1lBy15cEnHHVOVHOoaorTHqw/ZiErT6A+I6jZWO6NfRg=
Archived-At: <https://mailarchive.ietf.org/arch/msg/rats/qFI10QO0x9pGNWghwqB5_KNDEKE>
Subject: Re: [Rats] Call for adoption (after draft rename) for Yang module draft
X-BeenThere: rats@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Remote Attestation Procedures <rats.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/rats>, <mailto:rats-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/rats/>
List-Post: <mailto:rats@ietf.org>
List-Help: <mailto:rats-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/rats>, <mailto:rats-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 12 Nov 2019 20:22:04 -0000

Here’s three possible versions of the RATS YANG Module:
1) As is today, TPM only, no separation of transport from attestation token. no EAT
2) As is today + EAT transport. There’s separation of transport from token format for EAT, but not for TPM attestation
3) Full separation of transport from attestation token.  The RATS YANG modules focuses on transport

I want a commitment to 2) or 3) for adoption. I agree that RATS should support some YANG-based means for attestation for routers.

Dave seems to be saying none at all.

Which do you want?  My guess is one MUST be pursued by RATS. You’d be happy with 1) and probably 2). 3) is probably still to fuzzy to say.

LL


> On Nov 12, 2019, at 11:14 AM, Eric Voit (evoit) <evoit@cisco.com>; wrote:
> 
> As a network equipment vendor, TEEP environments and EAT format work highlight interesting futures.  And I support these works on that basis.
>  
> On the other hand, TPMs are embedded today in routers.  And they are integrated to existing network operations applications.  However we have no standardized based industry management model.  And therefore today we see no applications which span equipment vendor types.
>  
> So the TPM based YANG has immediate applicability, and should be adopted. 
>  
> Eric
>  
> From: RATS, November 11, 2019 8:43 PM
> 
> As far as I can understand from draft-birkholz-rats-basic-yang-module-01 and
> draft-fedorkow-rats-network-device-attestation-01, they break down the use case
> space as follows:
>  
>                         Requirements?
>          +--------------+---------------+---------++---------------
>          |  RoT         | Host Firewall | Privacy ||   Solution   
>          |  Type        |   Enabled     | Needed  ||    Pieces    
>          +--------------+---------------+---------++---------------
>       1  |  SGX         | No            | No      ||
>       2  |  SGX         | No            | Yes     ||
>       3  |  SGX         | Yes           | No      ||
>       4  |  SGX         | Yes           | Yes     ||
>       5  |  TrustZone   | No            | No      ||
>       6  |  TrustZone   | No            | Yes     ||
>       7  |  TrustZone   | Yes           | No      ||
>       8  |  TrustZone   | Yes           | Yes     ||
>       9  |  TPM         | No            | No      || draft-birkholz-rats-basic-yang-module-01
>      10  |  TPM         | No            | Yes     ||
>      11  |  TPM         | Yes           | No      ||
>      12  |  TPM         | Yes           | Yes     ||
>      13  |SecureElement | No            | No      ||
>      14  |SecureElement | No            | Yes     ||
>      15  |SecureElement | Yes           | No      ||
>      16  |SecureElement | Yes           | Yes     ||
>      17  | Firmware     | No            | No      ||
>      18  | Firmware     | No            | Yes     ||
>      19  | Firmware     | Yes           | No      ||
>      20  | Firmware     | Yes           | Yes     ||
>      ... |   ...        |               |         ||
>  
> And draft-fedorkow-rats-network-device-attestation-01 further scopes itself down
> by only being applicable to cases with "embedded" apps only = Yes, and where
> the security policy is only an Exact match against reference values = Yes.
> I believe that the yang draft doesn't have those two restrictions, from my reading.
> However, the point is that both drafts are VERY narrow, and in the table shown above,
> only address 1 out of 20 possibilies in that space.
>  
> In contrast, the TEEP WG decided that it was not interested in narrow scopings
> (specifically something Global Platform specific), but instead wanted one general solution.
>  
> If the RATS WG spends effort on something that only addresses a single row out of 20+ rows,
> then do we expect 19+ other solutions to also be done in the WG?  Or could we work on things
> that are broader and happen to also work for row 9?
>  
> I've seen others commenting on the fact that the YANG module only supports TPMs and not
> other things (EATs etc), which would just add support for a couple more rows, but still not
> be general.
>  
> Personally, I would much rather see the WG spend effort on things that really are generic,
> i.e., work with or without host firewalls, work with multiple RoT/TEE types, etc., rather
> than seeing an explosion of point solutions.
>  
> Dave
>  
> From: RATS <rats-bounces@ietf.org <mailto:rats-bounces@ietf.org>> On Behalf Of Smith, Ned
> Sent: Monday, November 11, 2019 10:12 AM
> To: Oliver, Ian (Nokia - FI/Espoo) <ian.oliver@nokia-bell-labs.com <mailto:ian.oliver@nokia-bell-labs.com>>; Laurence Lundblade <lgl@island-resort.com <mailto:lgl@island-resort.com>>; Nancy Cam-Winget (ncamwing) <ncamwing@cisco.com <mailto:ncamwing@cisco.com>>
> Cc: rats@ietf.org <mailto:rats@ietf.org>; Henk Birkholz <henk.birkholz@sit.fraunhofer.de <mailto:henk.birkholz@sit.fraunhofer.de>>
> Subject: Re: [Rats] Call for adoption (after draft rename) for Yang module draft
>  
> Right. This implies the RATS “token” should support existing “binary” formats as an encapsulation (signed by a second TA where the TPM is a first TA) or as a conveyance (unsigned?) token. Possibly, the only added value of the latter is a tag that identifies it as a TPM binary format?
>  
>  
> On 11/10/19, 23:21 PM, "RATS on behalf of Oliver, Ian (Nokia - FI/Espoo)" <rats-bounces@ietf.org <mailto:rats-bounces@ietf.org> on behalf of ian.oliver@nokia-bell-labs.com <mailto:ian.oliver@nokia-bell-labs.com>> wrote:
>  
> > Remote TPM attestations are useful and necessary the short run, but are of very limited capability. I believe that > EAT will replace TPM attestations in the long run (maybe decades) because they are far more expressive. I know > others believe that too. 
>  
> I would disagree with the statement of "short run" ... TPM is practically the only existing standardised (hardware, software, firmware, measurement - x86 only etc) hardware root of trust in common use, ie: practically all x86 machines,  The attestation mechanisms provided are going to be around for a very long time. 
>  
> From telco experience, 30 years ago we said SS7 would only be around in the short term.
>  
> > Thus, I am opposed to adoption with the current TPM-only draft. I’d be OK with the current draft and a promise > to add EAT to it.
>  
> Agree
>  
> Ian
>  
> --
> 
> Dr. Ian Oliver
> 
> Cybersecurity Research
> 
> Distinguished Member of Technical Staff
> 
> Nokia Bell Labs
> 
> +358 50 483 6237
> 
>  
> From: Laurence Lundblade <lgl@island-resort.com <mailto:lgl@island-resort.com>>
> Sent: 11 November 2019 00:44
> To: Nancy Cam-Winget (ncamwing) <ncamwing@cisco.com <mailto:ncamwing@cisco.com>>
> Cc: Henk Birkholz <henk.birkholz@sit.fraunhofer.de <mailto:henk.birkholz@sit.fraunhofer.de>>; rats@ietf..org <mailto:rats@ietf..org> <rats@ietf.org <mailto:rats@ietf.org>>
> Subject: Re: [Rats] Call for adoption (after draft rename) for Yang module draft
>  
>  
> On Nov 10, 2019, at 2:20 PM, Nancy Cam-Winget (ncamwing) <ncamwing@cisco.com <mailto:ncamwing@cisco.com>> wrote:
>  
> So, Laurence, are you still OK with the adoption of the current draft with a rename for now?
> Thanks, Nancy
>  
> I think the value add to the larger RATS effort of adding EAT support to this YANG protocol is really high. It a core thing to do that helps bring together the two attestation worlds and make the TPM and EAT work here less like ships in the night.
>  
> Remote TPM attestations are useful and necessary the short run, but are of very limited capability. I believe that EAT will replace TPM attestations in the long run (maybe decades) because they are far more expressive. I know others believe that too. 
>  
> If we don’t include EAT in the YANG mode it is sort of like defining HTTP to only convey HTML to the exclusion of PDF. We’re defining an attestation protocol that can only move one kind of attestation even though we have consensus on what the other one looks like.
>  
> It seems relatively simple to add EAT support (or promise to add EAT support). Pretty sure I heard Henk agree to add it.
>  
> Thus, I am opposed to adoption with the current TPM-only draft. I’d be OK with the current draft and a promise to add EAT to it.
>  
> LL
>