IETF Logo Mail Archive

Re: Kathleen Moriarty's Discuss on draft-ietf-rtgwg-yang-key-chain-20: (with DISCUSS and COMMENT)

"Acee Lindem (acee)" <acee@cisco.com> Wed, 26 April 2017 16:52 UTC

Return-Path: <acee@cisco.com>
X-Original-To: rtgwg@ietfa.amsl.com
Delivered-To: rtgwg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 6048212947C; Wed, 26 Apr 2017 09:52:28 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -14.523
X-Spam-Level:
X-Spam-Status: No, score=-14.523 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_HI=-5, RCVD_IN_MSPIKE_H3=-0.01, RCVD_IN_MSPIKE_WL=-0.01, RP_MATCHES_RCVD=-0.001, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001, USER_IN_DEF_DKIM_WL=-7.5] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=cisco.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id TRbLiuSQGYRu; Wed, 26 Apr 2017 09:52:26 -0700 (PDT)
Received: from alln-iport-2.cisco.com (alln-iport-2.cisco.com [173.37.142.89]) (using TLSv1.2 with cipher DHE-RSA-SEED-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 8577C129452; Wed, 26 Apr 2017 09:52:26 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cisco.com; i=@cisco.com; l=5662; q=dns/txt; s=iport; t=1493225546; x=1494435146; h=from:to:cc:subject:date:message-id:references: in-reply-to:content-id:content-transfer-encoding: mime-version; bh=wVp/Nu9YeQgpbKpowfeGzkNbXsTvs+zTYYd82PNW90w=; b=eJ5dYn+gjD8UoolwX58nbRIuZm1sYv0xOc+l0avN4+g0tJz2GDTiAhNN sxpZw21eF3vZpemg3H18HZPEM3+5JJWNQTbxBlAP3y4LBoW+w+6Ej3k/g B0yTMaUxIm3hrAx9RHuIp2EDHoRzL3EKKb0fG77y52EGoYft8gKxjFifd 8=;
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: A0BlAQDjzwBZ/4wNJK1bGQEBAQEBAQEBAQEBBwEBAQEBg1VhgQwHg2GKFplrjUqCDyELhXgCGoQQPxgBAgEBAQEBAQFrKIUWAgEDAQEhEToLEAIBCBoCJgICAh8GCxUQAgQBDQWKAwMVDqpCgiaHOA2DXwEBAQEBAQEBAQEBAQEBAQEBAQEBARgFgQuHJ4MaglOBXhEBgyKCXwWJPJNXOwGHGIcnhEuCAoU3iiWIdIIliQ0BHzh/CGUVRIUigUp1AYZGgSGBDQEBAQ
X-IronPort-AV: E=Sophos;i="5.37,255,1488844800"; d="scan'208";a="413116566"
Received: from alln-core-7.cisco.com ([173.36.13.140]) by alln-iport-2.cisco.com with ESMTP/TLS/DHE-RSA-AES256-SHA; 26 Apr 2017 16:52:25 +0000
Received: from XCH-RTP-011.cisco.com (xch-rtp-011.cisco.com [64.101.220.151]) by alln-core-7.cisco.com (8.14.5/8.14.5) with ESMTP id v3QGqP42006715 (version=TLSv1/SSLv3 cipher=AES256-SHA bits=256 verify=FAIL); Wed, 26 Apr 2017 16:52:25 GMT
Received: from xch-rtp-015.cisco.com (64.101.220.155) by XCH-RTP-011.cisco.com (64.101.220.151) with Microsoft SMTP Server (TLS) id 15.0.1210.3; Wed, 26 Apr 2017 12:52:24 -0400
Received: from xch-rtp-015.cisco.com ([64.101.220.155]) by XCH-RTP-015.cisco.com ([64.101.220.155]) with mapi id 15.00.1210.000; Wed, 26 Apr 2017 12:52:24 -0400
From: "Acee Lindem (acee)" <acee@cisco.com>
To: Kathleen Moriarty <Kathleen.Moriarty.ietf@gmail.com>, The IESG <iesg@ietf.org>
CC: "rtgwg-chairs@ietf.org" <rtgwg-chairs@ietf.org>, "draft-ietf-rtgwg-yang-key-chain@ietf.org" <draft-ietf-rtgwg-yang-key-chain@ietf.org>, "rtgwg@ietf.org" <rtgwg@ietf.org>
Subject: Re: Kathleen Moriarty's Discuss on draft-ietf-rtgwg-yang-key-chain-20: (with DISCUSS and COMMENT)
Thread-Topic: Kathleen Moriarty's Discuss on draft-ietf-rtgwg-yang-key-chain-20: (with DISCUSS and COMMENT)
Thread-Index: AQHSvqsBaK6mr1jQpUuQYLHDV2KBn6HX3ZuA
Date: Wed, 26 Apr 2017 16:52:24 +0000
Message-ID: <D52644AD.AB72A%acee@cisco.com>
References: <149322447211.30122.5870367500760951821.idtracker@ietfa.amsl.com>
In-Reply-To: <149322447211.30122.5870367500760951821.idtracker@ietfa.amsl.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-ms-exchange-messagesentrepresentingtype: 1
x-ms-exchange-transport-fromentityheader: Hosted
x-originating-ip: [10.116.152.197]
Content-Type: text/plain; charset="utf-8"
Content-ID: <67F2C9F0A6365F40B0EAF57C127D1268@emea.cisco.com>
Content-Transfer-Encoding: base64
MIME-Version: 1.0
Archived-At: <https://mailarchive.ietf.org/arch/msg/rtgwg/w6TebilHlaLTd-b2St7TtqSGKu0>
X-BeenThere: rtgwg@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Routing Area Working Group <rtgwg.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/rtgwg>, <mailto:rtgwg-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/rtgwg/>
List-Post: <mailto:rtgwg@ietf.org>
List-Help: <mailto:rtgwg-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/rtgwg>, <mailto:rtgwg-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 26 Apr 2017 16:52:28 -0000

Kathleen, 

The lack of KEK specification is not a problem with the YANG key-chain
model, it with RFC 5649 and KEK. I’d request that yourself or someone in
the security area provide a reference or text. A primary reason KEK has
not been widely deployed is that RFC 5649 is woefully lacking in
operational guidance. If you can’t do this, I’ll remove the reference and
rely on NCACM similar to the shared-secret data node in RFC 7317.

Thanks
Acee

On 4/26/17, 12:34 PM, "rtgwg on behalf of Kathleen Moriarty"
<rtgwg-bounces@ietf.org on behalf of Kathleen.Moriarty.ietf@gmail.com>
wrote:

>Kathleen Moriarty has entered the following ballot position for
>draft-ietf-rtgwg-yang-key-chain-20: Discuss
>
>When responding, please keep the subject line intact and reply to all
>email addresses included in the To and CC lines. (Feel free to cut this
>introductory paragraph, however.)
>
>
>Please refer to https://www.ietf.org/iesg/statement/discuss-criteria.html
>for more information about IESG DISCUSS and COMMENT positions.
>
>
>The document, along with other ballot positions, can be found here:
>https://datatracker.ietf.org/doc/draft-ietf-rtgwg-yang-key-chain/
>
>
>
>----------------------------------------------------------------------
>DISCUSS:
>----------------------------------------------------------------------
>
>Thanks for your work on this draft.  There is one outstanding issue from
>the SecDir review that may require some updated text to resolve.  It
>seems use of the key wrap method in RFC5649 requires more guidance for
>implementations to use it with this YANG module.  It's good to know that
>this is in use for other modules, so having a clear reference either to
>another draft or the text being in this draft for later reference would
>be helpful.
>
>In looking at this text within the draft, I think it would be better to
>pull the text out of the Security Considerations section and into an
>earlier section of the draft.  It's better to introduce this prior to
>enumerating security considerations for the draft since this something
>that would be implemented.  Then security considerations should mention
>the considerations of using this option versus just what's in NACM.
>
>You have the text:
>
>  When configured, the key-strings can be encrypted using the AES Key
>   Wrap algorithm [AES-KEY-WRAP].  The AES key-encryption key (KEK) is
>   not included in the YANG model and must be set or derived
>independent
>   of key-chain configuration.  When AES key-encryption is used, the
>   hex-key-string feature is also required since the encrypted keys
>will
>   contain characters that are not representable in the YANG string
>   built-in type [YANG].  AES key-encryption MAY be used for added key
>   security in situations where the NETCONF Access Control Mode is not
>   available.
>
>I think it's pretty straightforward after looking at RFC5649, but maybe
>more text would be helpful to clarify for implementers.  This might mean
>more text from 5649 on what gets placed in the YANG data model where you
>have already allocated for this or including an example.
>
>
>----------------------------------------------------------------------
>COMMENT:
>----------------------------------------------------------------------
>
>Thank you for working through the SecDir review and making the suggested
>updates.
>
>Since the following text int he Security Considerations section is a
>recommendation, IMO it would be better to drop "or otherwise obfuscated"
>from the sentence as encrypting the keys really should be the
>recommendation.  Can we make this update?
>
>   It is RECOMMENDED that keys be encrypted or otherwise obfuscated
>when
>   stored internally on a network device supporting this specification.
>
>If obfuscation is what happens more often in practice, maybe mention this
>as a fallback from the recommendation, but not make them sound
>equivalent?
>
>
>_______________________________________________
>rtgwg mailing list
>rtgwg@ietf.org
>https://www.ietf.org/mailman/listinfo/rtgwg

v2.23.0 | Report a Bug | By Email