Re: [Rats] retrieving reference measurements
"Shwetha Bhandari (shwethab)" <shwethab@cisco.com> Mon, 04 May 2020 10:45 UTC
Return-Path: <shwethab@cisco.com>
X-Original-To: rats@ietfa.amsl.com
Delivered-To: rats@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 7060F3A0795 for <rats@ietfa.amsl.com>; Mon, 4 May 2020 03:45:36 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -9.6
X-Spam-Level:
X-Spam-Status: No, score=-9.6 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, SPF_PASS=-0.001, URIBL_BLOCKED=0.001, USER_IN_DEF_DKIM_WL=-7.5] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=cisco.com header.b=jU6OT+eW; dkim=pass (1024-bit key) header.d=cisco.onmicrosoft.com header.b=x3VmASqt
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id WPpIr_PFGdnd for <rats@ietfa.amsl.com>; Mon, 4 May 2020 03:45:34 -0700 (PDT)
Received: from alln-iport-4.cisco.com (alln-iport-4.cisco.com [173.37.142.91]) (using TLSv1.2 with cipher DHE-RSA-SEED-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 6159C3A0788 for <rats@ietf.org>; Mon, 4 May 2020 03:45:34 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cisco.com; i=@cisco.com; l=13240; q=dns/txt; s=iport; t=1588589134; x=1589798734; h=from:to:cc:subject:date:message-id:references: in-reply-to:content-id:content-transfer-encoding: mime-version; bh=WHxJgV4vpIuHKzpQ+IQYjRX2rqZQ6r4IhGQs+nF4PKQ=; b=jU6OT+eWGwRfkjtd8q4k4UYqoiifo4Q6Ad1Tr4iZZ3Qtw5yxnZb+LmRA nDvILJ/hcdm6jDyY5seIhih6mgwDq6IeWlu/XxVjEdigO/FS6W2MDdEz2 xCQCvtdpcWhlsLHh4f5uWXToerrF8whoPgwrcEIwJA1qmxHGcorzbBmnn o=;
IronPort-PHdr: 9a23:X9sLFhc7DB6QR+n4kvIEWnTllGMj4e+mNxMJ6pchl7NFe7ii+JKnJkHE+PFxlwaSB9fA6u4ChfDfrqbgXmIN+9CNvSNKfJ9NUkoDjsMb10wlDdWeAEL2ZPjtc2QhHctEWVMkmhPzMUVcFMvkIVGHpHq04G0JGwm5OxB8O+L1HYDflYK72rP695jaeQ4dgj27bPt7Jwm3qgOEsM4QjO4AYqY8wxfEuD1GYeNTkGhpPlmU2R3745S9
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: A0DRBQBt8a9e/5JdJa1mHAEBAQEBAQcBARIBAQQEAQFAgUeBVCQtBW5YLyoKhBmDRgONR4l5jjyBQoEQA1QLAQEBDAEBGAsKAgQBAYFQgnQCF4IdJDgTAgMBAQsBAQUBAQECAQUEbYVWDIVxAQEBAQMBARAREQwBASwLAQsEAgEGAhEEAQEBAgIjAwICAh8GCxQBCAgCBAENBRsHgwQBgksDLQEBDpZikGcCgTmIYXaBMoMAAQEFgUZBg0sNC4IOAwaBDiqCY4lhGoFBP4ERJxyCTT6CHkkBAQMBgSwBEgEJGBeCezOCLY4wRYJUhj6ZKVtKCoJIiBiFe4U5hEodgluaRZAXgViHfIJGkQICBAIEBQIOAQEFgWkiZnBwFTsqAYI+UBgNjTyDBgwXg0+FFIVCdAI1AgYBBwEBAwl8kDoBgQoFAQE
X-IronPort-AV: E=Sophos;i="5.73,351,1583193600"; d="scan'208";a="472953640"
Received: from rcdn-core-10.cisco.com ([173.37.93.146]) by alln-iport-4.cisco.com with ESMTP/TLS/DHE-RSA-SEED-SHA; 04 May 2020 10:45:32 +0000
Received: from XCH-ALN-004.cisco.com (xch-aln-004.cisco.com [173.36.7.14]) by rcdn-core-10.cisco.com (8.15.2/8.15.2) with ESMTPS id 044AjWL2004859 (version=TLSv1.2 cipher=AES256-SHA bits=256 verify=FAIL); Mon, 4 May 2020 10:45:32 GMT
Received: from xhs-aln-003.cisco.com (173.37.135.120) by XCH-ALN-004.cisco.com (173.36.7.14) with Microsoft SMTP Server (TLS) id 15.0.1497.2; Mon, 4 May 2020 05:45:32 -0500
Received: from xhs-aln-002.cisco.com (173.37.135.119) by xhs-aln-003.cisco.com (173.37.135.120) with Microsoft SMTP Server (TLS) id 15.0.1497.2; Mon, 4 May 2020 05:45:31 -0500
Received: from NAM12-MW2-obe.outbound.protection.outlook.com (173.37.151.57) by xhs-aln-002.cisco.com (173.37.135.119) with Microsoft SMTP Server (TLS) id 15.0.1497.2 via Frontend Transport; Mon, 4 May 2020 05:45:31 -0500
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=Eb/T7msTUEoezowpepKphvALfoeCPoYrrlV1MzTsPpPIoR033xWa7fISGujeJ59aPknOxBhM8MAct/u1L5Md9TKCgGbq1jZgi05YiTrRkTdGOJSUc2uCF8v0Y50P9L9ZaIIfWLag0rMkdsgNxv8KE+QayGw2809IwlwnwhgFVS+MzzTUwi1Wiks0JeMa51yxHHjUi2YRe7ACh0oYnGlIQLqZSXoSc30V78Lr87EWXYb84hZ6m5nR2HrhfTWZV3EzxEjg1lHL3GBNqckMhUALTqbbMnPeVxRtDoV+L9AZ98zGRVAPRiKfWByJAKJR4SS7yOfxPknggDp9cC3Mbng/mQ==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=WHxJgV4vpIuHKzpQ+IQYjRX2rqZQ6r4IhGQs+nF4PKQ=; b=mgWEazFFT0huoSPuwIx5czyQOPutFH/HQz1eSqTw5oqH7cD5Fw7WhOAEUwTJH1NXEiJ9cs9AWh0GfL7LU983xYB6tz7amb4imb1r4z0fedCzw5/+5WJwhfTGPgWoXm4d1lQylYelrMXaRk/Bo0ME1d2daH4w+VnRCwr8V+ByjEuJ+vdFOaeyB7IUTm6jOShEnloj2ZLAsTV85SY7jWDRLlsv8QlU5oXR/KAtkWl4r+XZWNANKNofFWHODniD3iLZCF+Mzi21srcpjtZINKIzmpDhzAkRU9YVmOB4WoGEwx+slXdR2HQopdtSGvWFsvTBuw74MgC5JKEFoLn+95ls+w==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=cisco.com; dmarc=pass action=none header.from=cisco.com; dkim=pass header.d=cisco.com; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=cisco.onmicrosoft.com; s=selector2-cisco-onmicrosoft-com; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=WHxJgV4vpIuHKzpQ+IQYjRX2rqZQ6r4IhGQs+nF4PKQ=; b=x3VmASqtDkcRBkYhWOOJw+4PSiLLmhFxcQ5eC88JfRC1EKt/xe3eB5rSWnQmBvxpwr+reIIxK+VRgzdf3TPGY3VzZpd6bPtbY5KUV1elXnCTgBhgfGGiJAmx1Hyb6S5eYgnHwLfFg9eJeVivC/wlz7/M1wnyf3g5tYkbLwsv/9M=
Received: from CY4PR11MB0054.namprd11.prod.outlook.com (2603:10b6:910:79::27) by CY4PR11MB1877.namprd11.prod.outlook.com (2603:10b6:903:127::16) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.2958.20; Mon, 4 May 2020 10:45:26 +0000
Received: from CY4PR11MB0054.namprd11.prod.outlook.com ([fe80::b5a3:69d0:593f:b9e7]) by CY4PR11MB0054.namprd11.prod.outlook.com ([fe80::b5a3:69d0:593f:b9e7%3]) with mapi id 15.20.2958.029; Mon, 4 May 2020 10:45:26 +0000
From: "Shwetha Bhandari (shwethab)" <shwethab@cisco.com>
To: Henk Birkholz <henk.birkholz@sit.fraunhofer.de>, "Panwei (William)" <william.panwei@huawei.com>, Guy Fedorkow <gfedorkow@juniper.net>
CC: "rats@ietf.org" <rats@ietf.org>, Jessica Fitzgerald-McKay <jmfmckay@gmail.com>, William Bellingrath <wbellingrath@juniper.net>
Thread-Topic: [Rats] retrieving reference measurements
Thread-Index: AQHWHkIOH+s0vtcIbk2boQQ7urGmQaiQSjuAgACwGICAAEvcAIAG27sA
Date: Mon, 04 May 2020 10:45:26 +0000
Message-ID: <4C4B1DF8-0CFF-459D-BFBA-914021F1CA4B@cisco.com>
References: <DM6PR05MB68895483D6F508C46748147FBAAD0@DM6PR05MB6889.namprd05.prod.outlook.com> <96c6bf0f-024d-972e-333f-edd288f3920f@sit.fraunhofer.de> <DM6PR05MB6889C3D6B8C636C2AD30D51FBAAD0@DM6PR05MB6889.namprd05.prod.outlook.com> <7a3b2b24-3dca-202b-fb83-3af52be25ee5@sit.fraunhofer.de> <a36018ab556c47aba8f14e36ce5fcdad@huawei.com> <318fe49a-40f9-d822-6ce8-015f0728f84b@sit.fraunhofer.de>
In-Reply-To: <318fe49a-40f9-d822-6ce8-015f0728f84b@sit.fraunhofer.de>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
user-agent: Microsoft-MacOutlook/10.21.0.200113
authentication-results: sit.fraunhofer.de; dkim=none (message not signed) header.d=none;sit.fraunhofer.de; dmarc=none action=none header.from=cisco.com;
x-originating-ip: [122.172.170.208]
x-ms-publictraffictype: Email
x-ms-office365-filtering-correlation-id: 613d23a9-687b-4c7f-efc8-08d7f0184197
x-ms-traffictypediagnostic: CY4PR11MB1877:
x-microsoft-antispam-prvs: <CY4PR11MB1877252D9A7526527CCBC935D6A60@CY4PR11MB1877.namprd11.prod.outlook.com>
x-ms-oob-tlc-oobclassifiers: OLM:10000;
x-forefront-prvs: 03932714EB
x-ms-exchange-senderadcheck: 1
x-microsoft-antispam: BCL:0;
x-microsoft-antispam-message-info: gXGYM8IjT/xv7ENtxpdtsihMSvxLLiPb/U1oxsvj5XDHSPNQxKKVhcg7YhJBl5ZH9QecKIhhi7IN9MAsIooIII95s7Dv9+w6AoyRq4aNEv9eddVR7VOU9dPn3rs+DNKZtNDxI5nQXY5CCKgAQ9AcbZ6fqzdxvVlCYw8tcrLTQirc8n4PPFYhCtommFF7WIJwg/y3NWtzNd7EDzpEggWm6St0tOQAvkzDSAVGvdFiNqewayCNJvWd07KO1nw/6O4qLj4m5gmU/Vf2rCg94/XFFuKIziPZFuC/2IKfdeWZMZgNm/mNiKe/ri99YIJ/sxsrw+J4y9CCsSs9YxlK7ufaImI/RrQqzmmpvuSdZLP9KVkCKP7Kq8Nw3WW0ke49zl4GwQCXHmllgls3NEFQKdDjN/pqinwzfLLcKRtj+A7JeYZJ1hoBjnsaxRBltTGKMNcpZm3uUwrXFeWaZi+SNlZV/HDLwIgD4X566PE2OxgvrXOAXeqvDGJokTEcl3VtwkDPIBF8GvNTAhWyMf1M3lH8Dg==
x-forefront-antispam-report: CIP:255.255.255.255; CTRY:; LANG:en; SCL:1; SRV:; IPV:NLI; SFV:NSPM; H:CY4PR11MB0054.namprd11.prod.outlook.com; PTR:; CAT:NONE; SFTY:; SFS:(4636009)(39860400002)(396003)(366004)(376002)(346002)(136003)(64756008)(66556008)(66946007)(66446008)(66476007)(53546011)(76116006)(26005)(91956017)(71200400001)(36756003)(33656002)(8936002)(54906003)(110136005)(8676002)(316002)(478600001)(86362001)(5660300002)(2616005)(966005)(4326008)(66574012)(186003)(55236004)(6512007)(2906002)(6486002)(6506007); DIR:OUT; SFP:1101;
x-ms-exchange-antispam-messagedata: jVo2SknYig6wIT1sAekkVkqe6zqUmUDFyWVxP+UFWOnkYa++FIfBiNFx7+/vTb5sKMoOqvIjdBWgpkL7BjHqCrU4WNu3RWOhi7vnEDBB8iMF6luI+IxG24d0Z3auzjYy0ENjRNOyjDPWp/r7kRVq+4M0p+EEOv7dATosvIYkW6G7ZVzD4zFBnPV7GjJCI1urIjjVPBjdOPpTX6/c5eCKLqBRJkCH1XKwmBpWFgYBm+nUS7XWP8/F5DbUyD2LWfFsDW2HCouFfUd5tRZq0VMW+JIAEWFXJo8wSTnYRlfNRUNYrr7b+cYYjDoAKDZtvSFa3t1K5aNv84v0O600ZYiM5MQuRJgEotzrPE2Lc+TphO/Xv1/OrNFB1v0pP21zCe/MHeLtunbCLRk3mE5hQcJJztHg3cK+OcsqirEtaRMxK2/9VypdA0/c9oVGz1G+9LweKeA11hRm9ON4KnElk7ZyF42s+kFTu+9AWMxnGm3MeGsyeW7yYmhqxZxe5xkPVvbjit5P/8wHxalwfFh1xkQsjuyu/4baGiXq8PDODlbqMLV8Hsl+DnmRO0Fz8vvDiI51vNlao6LYW6eFVFSYRVYbjSURfUP0rp1O/DKmsFoKRropKi4BMW61G6AVqcrqMzBfTEIsNFks+jP+GJ6q436UoFUtk8ROSzKha/eVEb4TEi+LhtqAYz00u+BgueqccyF1o49rMQRcZusBVXvtqVWI243oKDa6ArRq62XWsMNF5tQ/Y4nCpCaGhuq/XRaCDsIDNu0LRpqG59mUhyQJnUMa6JkIuaHAWsy73swNlfrbK5CjWYCcbL7OZx6o/gR/vqOR
x-ms-exchange-transport-forked: True
Content-Type: text/plain; charset="utf-8"
Content-ID: <5F57419FBFA37A4BAB5F6A8BF114A79D@namprd11.prod.outlook.com>
Content-Transfer-Encoding: base64
MIME-Version: 1.0
X-MS-Exchange-CrossTenant-Network-Message-Id: 613d23a9-687b-4c7f-efc8-08d7f0184197
X-MS-Exchange-CrossTenant-originalarrivaltime: 04 May 2020 10:45:26.5000 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 5ae1af62-9505-4097-a69a-c1553ef7840e
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-CrossTenant-userprincipalname: WfpFj0DhosuNaDAxS+pn4yaxPlDbJraZUdEjvXyYTE96klE+uW8ywu/msWKerIB/LTDuiq89CgOFYgHEa7Ep6w==
X-MS-Exchange-Transport-CrossTenantHeadersStamped: CY4PR11MB1877
X-OriginatorOrg: cisco.com
X-Outbound-SMTP-Client: 173.36.7.14, xch-aln-004.cisco.com
X-Outbound-Node: rcdn-core-10.cisco.com
Archived-At: <https://mailarchive.ietf.org/arch/msg/rats/wYF3AQVXAGDIeoPvvx45exoX_Bc>
Subject: Re: [Rats] retrieving reference measurements
X-BeenThere: rats@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Remote ATtestation procedureS <rats.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/rats>, <mailto:rats-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/rats/>
List-Post: <mailto:rats@ietf.org>
List-Help: <mailto:rats-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/rats>, <mailto:rats-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 04 May 2020 10:45:36 -0000
Henk's questions on viability of yang modelling of the RIM so that a verifier can query it using existing Netconf/RESTconf interfaces seem very valid. In addition, Data model for RIM (Yang/CDDL) seem to be orthogonal to how the actual RIM is represented (XML/JSON/CBOR) and signed by the endorser. Are we suggesting that an endorser create multiple representation of RIM and sign it and make it available in the Software image/patch on the attester along with publishing it elsewhere? Thanks, Shwetha On 4/30/20, 1:02 PM, "RATS on behalf of Henk Birkholz" <rats-bounces@ietf.org on behalf of henk.birkholz@sit.fraunhofer.de> wrote: Hi Wei, hi Guy, it is relatively easy to include RIM (or as Dave highlighted we should fall back to Reference Values (Manifests) RVM) in software updates. I think there is wild agreement there. I think that is not the question, the question is how to retrieve them from the Attester and one option discussed are YANG management interfaces: As a test, I tried to model (Co)SWID as YANG once (https://datatracker.ietf.org/doc/draft-birkholz-yang-swid/): RIM/RVM can become quite big. Every reference value wrt to file integrity requires a file identifier that is applicable to file integrity measurements conducted by the Attester. Typically, a path and a file name are used (which apparently implies the existence of a file-system). Due to the volume of measurements, absolute path names create high redundancy in a RIM/RVM. (Co)SIWD address this issue by recreating a directory tree structure in the representation itself and therefore eliminating redundant segments in path notations. But - this requires the named type "directory" to be nested in the named type "directory" in order to construct that tree. That is possible in XML and CBOR, but not in YANG modeled data. In YANG, a circular use of statements (via groupings) is not allowed. Hence, it is not possible to use this "optimization" applied in (Co)SWID. The alternative is to fall-back to absolute paths and create an even larger volume of YANG model data. This would also break simple interoperability between YANG-SWID and (Co)SWID. It is not impossible - but at the moment I have doubts that it is feasible, though (and I arrived at the conclusion by trying to create a corresponding YANG module). If the module in draft-birkholz-yang-swid is acceptable (in general, details might still to be fixed) including the absolute path notation it uses, then we can revive that I-D. It's not that I did not thought about your proposal here already, I just thought it was not viable enough. Viele Grüße, Henk On 30.04.20 04:59, Panwei (William) wrote: > Hi Henk, Guy, > > I think the key point is that the YANG-modeled reference measurements or the YANG-modeled RIM should be defined. I also suggested this in my comments on draft-birkholz-rats-mud. I think there are two main reasons: > > 1) draft-birkholz-rats-coswid-rim defined the CoSWID-styled reference measurements. Meanwhile, draft-birkholz-rats-mud defines a YANG-modeled URI pointing at the reference measurements. So, by combining the two ideas together, the YANG-modeled reference measurements or YANG-modeled RIM can be defined directly in the MUD File. This way has an advantage that the Verifiers that only support YANG don't need to support CoSWID and do more implementation. > > 2) There is a use case that the reference measurements (signed by the vendor) can be stored at the network devices. In this case, the reference measurements can be retrieved by the Verifier via the YANG / NETCONF interface. Henk's concern is how to update the reference measurements when the network devices update, and Guy's suggestion is that the new reference measurements (also signed by the vendor) can be part of the vendor's software update package. > I agree with Guy that this is a reasonable use case, and there is a doable solution. (Besides, I also think this path for delivering reference measurements can be used by other devices as well.) Therefore, for the network devices that use the YANG / NETCONF interface, the YANG-modeled reference measurements or YANG-modeled RIM should be defined. And Guy proposed to define the YANG-modeled reference measurements in DraftC. > > So I think the YANG-modeled reference measurements are worthy to be defined, in draft-rats-mud or draft-charra or an independent draft. > > Regards & Thanks! > Wei Pan > >> -----Original Message----- >> From: RATS [mailto:rats-bounces@ietf.org] On Behalf Of Henk Birkholz >> Sent: Thursday, April 30, 2020 12:30 AM >> To: Guy Fedorkow <gfedorkow@juniper.net> >> Cc: rats@ietf.org; William Bellingrath <wbellingrath@juniper.net>; Jessica >> Fitzgerald-McKay <jmfmckay@gmail.com> >> Subject: Re: [Rats] retrieving reference measurements >> >> Hi Guy, >> >> I think I misunderstood the intend of your initial question. I thought it was a >> "network isolation" question, but it is a "conveyance method" >> question, I think. >> >> CoSWID RIM tags use (and extend, actually), the payload-entry and >> therefore can be bundled in corresponding software/firmware packages >> that are updates. This is the reason why they are used in SUIT Manifests, too. >> >> If they are not included in a software package, they can be referred to via a >> MUD ULL / MUD File. MUD is simply a straight forward option to... >> point at device specific things. It is certainly not meant to be constraining >> options, it adds a increasingly popular one. >> >> Viele Grüße, >> >> Henk >> >> >> >> On 29.04.20 18:19, Guy Fedorkow wrote: >>> Hi Henk, >>> I understand that third-party RIMs could be used, but for embedded >>> equipment, it seems like the easiest path is to deliver the RIMs as >>> part of the vendor's software update package for the device. >>> Operators have well-worn procedures for getting software updates to >>> devices; if the RIM is just part of the package, they don't have to >>> think about a new procedure at all... >>> Maybe not for everyone, but it seems like it would be a common >> use-case... >>> Thanks >>> /guy >>> >>> >>> >>> Juniper Business Use Only >>> >>> -----Original Message----- >>> From: Henk Birkholz <henk.birkholz@sit.fraunhofer.de> >>> Sent: Wednesday, April 29, 2020 11:29 AM >>> To: Guy Fedorkow <gfedorkow@juniper.net> >>> Cc: rats@ietf.org; Jessica Fitzgerald-McKay <jmfmckay@gmail.com>; >>> William Bellingrath <wbellingrath@juniper.net> >>> Subject: Re: retrieving reference measurements >>> >>> [External Email. Be cautious of content] >>> >>> >>> Hi Guy, >>> >>> I think it would be strange for a network equipment device to expose a >>> potentially vulnerable management to the open internet, too :) >>> >>> Luckily, there will probably be a "higher level" constituent in the >>> network that an Attester's DevID can be presented to (typically this >>> is or is close to a device that is also a Verifier). And these systems >>> generally have a way to "reach out" to the internet. >>> >>> The typically already existing "path" to follow here is the way >>> updates find their way to a "network equipment device". If you are >>> air-gap'ed or completely isolated wrt every layer 2 topology, it may >>> start to become a bit tricky, but your are running around with usb >>> sticks in hand to do updates then, too. >>> >>> YANG is a big solution for big problems. But you can use a YANG server >>> to retrieve RIM that are stored on the Attester itself, of course. >>> These probably are outdated at some point and then leave you with the >>> same illustrated above, again. >>> >>> Viele Grüße, >>> >>> Henk >>> >>> >>> On 29.04.20 15:56, Guy Fedorkow wrote: >>>> Hi Henk, >>>> >>>> I see your proposal for identifying URIs for reference measurements >>>> in >>>> https://urldefense.com/v3/__https://tools.ietf.org/html/draft-birkhol >>>> z >>>> >> -rats-mud-00__;!!NEt6yMaO-gk!WdyQ3vQ51adw93UKoSwWvgPFs4395vPI >> WLjuzRBi >>>> F >>>> gldobaQ_dLIeFbhOWan0kBLDLY$ >>>> >>>> I realize that some constrained devices may not want to do this, >>>> but do you think draft-charra could be extended to allow retrieval of >>>> the signed reference measurements directly from the device being >>>> attested, via the YANG / Netconf interface? >>>> >>>> Ironic as it may sound, I'm sure you know that many operators >>>> ensure that their internet routers cannot access the public internet. >>>> >>>> Thanks, >>>> >>>> /guy >>>> >>>> >>>> Juniper Business Use Only >>>> >> >> _______________________________________________ >> RATS mailing list >> RATS@ietf.org >> https://www.ietf.org/mailman/listinfo/rats _______________________________________________ RATS mailing list RATS@ietf.org https://www.ietf.org/mailman/listinfo/rats
- [Rats] retrieving reference measurements Guy Fedorkow
- Re: [Rats] retrieving reference measurements Henk Birkholz
- Re: [Rats] retrieving reference measurements Guy Fedorkow
- Re: [Rats] retrieving reference measurements Henk Birkholz
- Re: [Rats] retrieving reference measurements Eliot Lear
- Re: [Rats] retrieving reference measurements Panwei (William)
- Re: [Rats] retrieving reference measurements Henk Birkholz
- Re: [Rats] retrieving reference measurements Shwetha Bhandari (shwethab)