IETF Logo Mail Archive

Re: [secdir] secdir review of draft-ietf-netconf-zerotouch-22

Kent Watsen <kwatsen@juniper.net> Wed, 15 August 2018 01:59 UTC

Return-Path: <kwatsen@juniper.net>
X-Original-To: secdir@ietfa.amsl.com
Delivered-To: secdir@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 9B0DA130E4C; Tue, 14 Aug 2018 18:59:17 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.71
X-Spam-Level:
X-Spam-Status: No, score=-2.71 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001, T_DKIMWL_WL_HIGH=-0.01, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=juniper.net
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id gasWVgE9b5yy; Tue, 14 Aug 2018 18:59:14 -0700 (PDT)
Received: from mx0a-00273201.pphosted.com (mx0a-00273201.pphosted.com [208.84.65.16]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 9FC0A130EE9; Tue, 14 Aug 2018 18:59:14 -0700 (PDT)
Received: from pps.filterd (m0108156.ppops.net [127.0.0.1]) by mx0a-00273201.pphosted.com (8.16.0.22/8.16.0.22) with SMTP id w7F1x9o6015031; Tue, 14 Aug 2018 18:59:13 -0700
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=juniper.net; h=from : to : subject : date : message-id : references : in-reply-to : content-type : content-id : content-transfer-encoding : mime-version; s=PPS1017; bh=qEeQt6WBLFoZ6qLL59tU2cgKtHyFLf7e4ktZQGIlfe8=; b=bASwwznGJyPWYGQI+iQJ4tmLrCyKFC4XnrtZGFad0zaV48iX3iUbGfdt3L5jkU88pVhp IOPiToy7IKHifJohSziODgDsGDw9NIkXgIE1v5uieqT8lHVOzocdYS3/7cxaItnydyaT Gkj9xksBiJnDPL8Bw7p5ZN2xbvj0klCy9KCDyV/wyNoZPPfEIPSmegESg93qYWTAsY9G +0cshvXIisiynBT8BRJ1Oyxk2aI6Cvt4Ft7K0rJRON0tqqzGxzYiMzrI+p3TTXyvRHFJ 0bnu4S5zC1cIRBJR3P7VrKc5wwz4XfZ+w6SCFonDVW7t4C8VaVV5X+6YKVfX9QthKA6G wQ==
Received: from nam05-dm3-obe.outbound.protection.outlook.com (mail-dm3nam05lp0117.outbound.protection.outlook.com [216.32.181.117]) by mx0a-00273201.pphosted.com with ESMTP id 2kuyrt952e-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-SHA384 bits=256 verify=NOT); Tue, 14 Aug 2018 18:59:13 -0700
Received: from DM6PR05MB4665.namprd05.prod.outlook.com (20.176.109.202) by DM6PR05MB4396.namprd05.prod.outlook.com (20.176.78.153) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.1059.19; Wed, 15 Aug 2018 01:59:11 +0000
Received: from DM6PR05MB4665.namprd05.prod.outlook.com ([fe80::e0bc:6a82:571d:258]) by DM6PR05MB4665.namprd05.prod.outlook.com ([fe80::e0bc:6a82:571d:258%2]) with mapi id 15.20.1059.010; Wed, 15 Aug 2018 01:59:11 +0000
From: Kent Watsen <kwatsen@juniper.net>
To: David Mandelberg <david+work@mandelberg.org>, "draft-ietf-netconf-zerotouch.all@ietf.org" <draft-ietf-netconf-zerotouch.all@ietf.org>, "iesg@ietf.org" <iesg@ietf.org>, "secdir@ietf.org" <secdir@ietf.org>
Thread-Topic: secdir review of draft-ietf-netconf-zerotouch-22
Thread-Index: AQHUI6TomGkNAzmsB0eB34I+6n1ia6SiHHoAgAeQwACADkkdgIAEszuAgANDMwA=
Date: Wed, 15 Aug 2018 01:59:10 +0000
Message-ID: <F0355112-AD44-49F3-9862-CC939AC768B7@juniper.net>
References: <361393b0-6666-08ff-bdf4-3ba3bf4323c7@mandelberg.org> <47EEE9B6-5BC2-4A1F-ABB2-2ACB1C494545@juniper.net> <4579f9bf-0ead-a6af-dc80-a841527414eb@mandelberg.org> <51E98D22-1DBF-4069-A750-90987EB96B0D@juniper.net> <bfeb8564-9390-c241-4585-2340de1345d2@mandelberg.org>
In-Reply-To: <bfeb8564-9390-c241-4585-2340de1345d2@mandelberg.org>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
user-agent: Microsoft-MacOutlook/f.20.0.170309
x-originating-ip: [66.129.241.13]
x-ms-publictraffictype: Email
x-microsoft-exchange-diagnostics: 1; DM6PR05MB4396; 6:PBKMhHo2rF5RH+cdMAzCtN5OqiGp80srDWDgE/uSW/lfAqPW242xK5P+z9Jdd2W2o5tLFxVm/2USK9HlDQCD7oFfHsE3BCCnZmqcjDPcV6jFrogDb0VYU9so3yKCxthrADnOOjo9gbezbRN+z9dAJTDQ6fJYd/V/ji7g+2+k4vPwi1k0pKxI7H0PYMvkDpPYVOvzys9HDPlr4pzDgisy3bBS2ciuphsfLL1lsxf6WE3fWIiz1yHdT1YBHXp8QAcUZAMCNcjL0S89AO4DpSd98A3b1bveFtyZZLLFiSxh9ObwmQVGUtLHGqH5p0HgOASzHLQR5osPBdNzkE8OF+YHUPljISDPuC5IPEn6+wzeP6hUsNmmEs/zKZOKLSEvHwGURZS8lHihYqBox5fBfZc20cJhYbOODaCgPc411OYQmAsObsSV4BRRdoVWGtIz5rWHgZjf1EOn86uclnKGwtIREw==; 5:034+qheUH4sf+XfUPCRzkKfbDlKE45RWOpE2WzeZwLS9bV411NtmZtfd0jwABLj46CD31lIb49Xy4WXH9u06X5MsxSpLgphIRPajH/OYPoS3/0L32T0aLkUl1o7jcBp7bVJe/X8awt7tud9uuYQZstWm5Uh8FR0/jXdqAewMilA=; 7:sIlqXqfOUtIPCUEkpNJ12ioOZSc6PFKJ4bXewJxuL4NqQvqSQvfOJAvdA7/R3CFxgoavPor8jopoJsLwNgrIqKXWT8FtSQJFyo9LzfYPXAdm4SRXbmzjoMUyzGz2b1L74z+vi86/nIOPkaIJfx7rYpaD/Uu+VwTuqLkc5KjVgM1ZE6nZWZb9Ku5O2oP57YmJW6Ee5CvFHybGvZf8y37HDsewnjnLk1wuyAp7GIU+3VuK7Y/geFnCQfiMSIVNWPco
x-ms-exchange-antispam-srfa-diagnostics: SOS;
x-ms-office365-filtering-correlation-id: 33d48294-fc06-4b38-d31a-08d60252b1b9
x-ms-office365-filtering-ht: Tenant
x-microsoft-antispam: BCL:0; PCL:0; RULEID:(7020095)(4652040)(8989117)(5600074)(711020)(4618075)(4534165)(4627221)(201703031133081)(201702281549075)(8990107)(2017052603328)(7153060)(7193020); SRVR:DM6PR05MB4396;
x-ms-traffictypediagnostic: DM6PR05MB4396:
x-microsoft-antispam-prvs: <DM6PR05MB4396FAA6D7193AE87153B845A53F0@DM6PR05MB4396.namprd05.prod.outlook.com>
x-exchange-antispam-report-test: UriScan:(60795455431006)(158342451672863)(192374486261705);
x-ms-exchange-senderadcheck: 1
x-exchange-antispam-report-cfa-test: BCL:0; PCL:0; RULEID:(8211001083)(6040522)(2401047)(8121501046)(5005006)(10201501046)(3231311)(944501410)(52105095)(3002001)(93006095)(93001095)(6055026)(149027)(150027)(6041310)(20161123560045)(20161123564045)(20161123562045)(20161123558120)(201703131423095)(201702281528075)(20161123555045)(201703061421075)(201703061406153)(6072148)(201708071742011)(7699016); SRVR:DM6PR05MB4396; BCL:0; PCL:0; RULEID:; SRVR:DM6PR05MB4396;
x-forefront-prvs: 07658B8EA3
x-forefront-antispam-report: SFV:NSPM; SFS:(10019020)(346002)(376002)(39860400002)(366004)(136003)(396003)(199004)(189003)(51444003)(8936002)(93886005)(97736004)(6116002)(6486002)(8676002)(229853002)(6306002)(6512007)(6436002)(6506007)(966005)(102836004)(14454004)(33656002)(76176011)(81166006)(81156014)(99286004)(2906002)(478600001)(316002)(66066001)(3846002)(2900100001)(82746002)(106356001)(86362001)(14444005)(5024004)(58126008)(5660300001)(105586002)(83716003)(11346002)(446003)(110136005)(256004)(2201001)(305945005)(476003)(2501003)(5250100002)(486006)(53936002)(6246003)(36756003)(26005)(2616005)(186003)(25786009)(68736007)(7736002); DIR:OUT; SFP:1102; SCL:1; SRVR:DM6PR05MB4396; H:DM6PR05MB4665.namprd05.prod.outlook.com; FPR:; SPF:None; LANG:en; PTR:InfoNoRecords; A:1; MX:1;
received-spf: None (protection.outlook.com: juniper.net does not designate permitted sender hosts)
x-microsoft-antispam-message-info: Anhd/+zBD3QpG/Q+awaiLRhlJ+h+akv4dDi6A4r6Supf+O3nna8dvF+vVZhfCB8LKcyZeDZsc5VUweJ2c0PcQ7k0JwGqSR3aXeTDgZdobzKO9bK6QwhDHfdcLCzXYsjthHOf+HJDxAkKhSpu97mT7LevHG8rZkoM2o0I73P16JzT9SGxPZVVzqkdbBCU6Y212xW2cCNkrR/VSRKlrQPCxaNCDcdcHI8m/HW98WfCIhfrcBkwEfCBAPqBtKWxFv3zD9MIL+eBHkoGQf3d9oktub6ox5ATN1x2PgzVuWKfJZT9QgBaPwvv/pa8/7wyMlD3Z6JfBVzJsMEDN+/0DkEq8MIfaMKo4aG7iWYiQ7e95wY=
spamdiagnosticoutput: 1:99
spamdiagnosticmetadata: NSPM
Content-Type: text/plain; charset="utf-8"
Content-ID: <F60529B3928E464E83821A7EE2342744@namprd05.prod.outlook.com>
Content-Transfer-Encoding: base64
MIME-Version: 1.0
X-OriginatorOrg: juniper.net
X-MS-Exchange-CrossTenant-Network-Message-Id: 33d48294-fc06-4b38-d31a-08d60252b1b9
X-MS-Exchange-CrossTenant-originalarrivaltime: 15 Aug 2018 01:59:10.9891 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: bea78b3c-4cdb-4130-854a-1d193232e5f4
X-MS-Exchange-Transport-CrossTenantHeadersStamped: DM6PR05MB4396
X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10434:, , definitions=2018-08-14_12:, , signatures=0
X-Proofpoint-Spam-Details: rule=outbound_spam_notspam policy=outbound_spam score=0 priorityscore=1501 malwarescore=0 suspectscore=0 phishscore=0 bulkscore=0 spamscore=0 clxscore=1015 lowpriorityscore=0 mlxscore=0 impostorscore=0 mlxlogscore=999 adultscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.0.1-1807170000 definitions=main-1808150020
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdir/PzqlyIgR3nZVIra_00uVwMMPG0M>
Subject: Re: [secdir] secdir review of draft-ietf-netconf-zerotouch-22
X-BeenThere: secdir@ietf.org
X-Mailman-Version: 2.1.27
Precedence: list
List-Id: Security Area Directorate <secdir.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/secdir>, <mailto:secdir-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/secdir/>
List-Post: <mailto:secdir@ietf.org>
List-Help: <mailto:secdir-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/secdir>, <mailto:secdir-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 15 Aug 2018 01:59:18 -0000

Hi David,

Trimming down to just the remaining items...


>> I was writing the Security Considerations for this when it seemed
>> that the better thing to do here is to instead add "not-before" and
>> "not-after" leafs to the zerotouch information artifact.  The draft
>> would then explain that devices MUST ensure the current time is in
>> between.
>> 
>> Would such an addition resolve this issue for you?
>
> Yes, that would work. It probably makes sense to say something in
> the security considerations about keeping those validity intervals
> short.
>
> If you prefer to leave the data formats and implementations unchanged, 
> you could also consider using per-CMS EE certificates, like the RPKI 
> does: https://tools.ietf.org/html/rfc6480#section-2.3. (I haven't 
> thought about how compatible that method is with zerotouch, I'm just
> mentioning it as an alternative in case it happens to be easier for you.)

Ah, this is an interesting idea.  Actually, I'd say that there is a
near 1-1 correspondence between EE certificates and what this draft
is calling the owner cert.  Section 3.2 says about owner certs:

   The owner certificate CMS structure MUST contain the owner
   certificate itself, as well as all intermediate certificates leading
   to the 'pinned-domain-cert' certificate specified in the ownership
   voucher.  The owner certificate artifact MAY optionally include the
   'pinned-domain-cert' as well.

While we conceptually think of the owner certificate as a singleton,
there is nothing in the draft that prevents a unique owner certificate
per device, which would allow for per-device validity and revocation to
be supported.

This being the case, I think that the following Security Consideration
section should be added:

   9.11.  Validity Period for Zero Touch Information

   Zero touch information does not specify a validity period.  For
   instance, neither redirect information nor onboarding information
   enable "not-before" or "not-after" values to be specified, and
   neither artifact alone can be revoked.

   For unsigned data provided by an untrusted source of bootstrapping
   data, it is not meaningful to discuss its validity period when the
   information itself has no authenticity and may have come from
   anywhere.

   For unsigned data provided by a trusted source of bootstrapping data,
   the availability of the data is the only measure of it being current.
   Since the untrusted data comes from a trusted source, its current
   availability is meaningful.

   For signed data, whether provided by an untrusted or trusted source
   of bootstrapping data, the validity is constrained by the validity of
   the both the ownership voucher and owner certificate used to
   authenticate it.

   The ownership voucher's validity is primarily constrained by the
   ownership voucher's "created-on" and "expires-on" nodes.  While
   [RFC8366] recommends short-lived vouchers (see Section 6.1), the
   "expires-on" node may be set to any point in the future, or omitted
   altogether to indicate that the voucher never expires.  The ownership
   voucher's validity is secondarily constrained by the manufacturer's
   PKI used to sign the voucher; whilst an ownership voucher cannot be
   revoked directly, the PKI used to sign it may be.

   The owner certificate's validity is primarily constrained by the
   X.509's validity field, the "notBefore" and "notAfter" values, as
   specified by the certificate authority that signed it.  The owner
   certificate's validity is secondarily constrained by the validity of
   the PKI used to sign the voucher.  Owner certificates may be revoked
   directly.

   For owners that wish to have maximum flexibility in their ability to
   specify and constrain the validity of signed data, it is RECOMMENDED
   that a unique owner certificate is created for each signed artifact.
   Not only does this enable a validity period to be specified, for each
   artifact, but it also enables to the validity of each artifact to be
   revoke.

What do you think?



>> Do you think it's worth adding a warning to operators somewhere to
>> remind them to change the flag? Or maybe the "device SHOULD report a
>> warning if the bootstrapping completes successfully but zerotouch
>> bootstrapping is still enabled"?

I forgot to respond to this comment of your before.  To address this
comment, I added the following:

   If the onboarding information was obtained from a trusted bootstrap
   server, and the result of the bootstrapping process did not disable
   the "flag to enable zerotouch bootstrapping" described in
   Section 5.1, the device SHOULD send an "bootstrap-warning" progress
   report.




>>> I think it's already clear what an error in paragraph 6 is. What I found
>>> unclear was what to do with errors in paragraphs 6 or 7. Yes, don't go
>>> on to the next step, but what about: In paragraph 6, should the device
>>> rollback any partial config update if there's an error? In paragraph 7,
>>> should the device rollback all config from paragraph 6 if there's an error?
>> 
>> This very same issue was raised to me separately and my response has been
>> to essentially rewrite section 5.6 to be crystal clear on how errors are
>> handled, especially with regard to state retained.  Please see attached
>> for a preview of -23.
>
> Much better, thanks!

FIW, this text is going thru a WG churn, but the essence of what I attached
before is being retained.




Kent

v2.23.0 | Report a Bug | By Email