Re: [secdir] secdir review of draft-ietf-netconf-zerotouch-22

Kent Watsen <kwatsen@juniper.net> Mon, 20 August 2018 14:41 UTC

From: Kent Watsen <kwatsen@juniper.net>
To: David Mandelberg <david+work@mandelberg.org>, "draft-ietf-netconf-zerotouch.all@ietf.org" <draft-ietf-netconf-zerotouch.all@ietf.org>, "iesg@ietf.org" <iesg@ietf.org>, "secdir@ietf.org" <secdir@ietf.org>
Date: Mon, 20 Aug 2018 14:41:09 +0000
Message-ID: <A2A6287D-8FF3-4AAF-9B9D-EC15F740FBA5@juniper.net>
References: <361393b0-6666-08ff-bdf4-3ba3bf4323c7@mandelberg.org> <47EEE9B6-5BC2-4A1F-ABB2-2ACB1C494545@juniper.net> <4579f9bf-0ead-a6af-dc80-a841527414eb@mandelberg.org> <51E98D22-1DBF-4069-A750-90987EB96B0D@juniper.net> <bfeb8564-9390-c241-4585-2340de1345d2@mandelberg.org> <F0355112-AD44-49F3-9862-CC939AC768B7@juniper.net> <b661ba01-cf1f-adef-54bf-e1fe4366ab0c@mandelberg.org>
In-Reply-To: <b661ba01-cf1f-adef-54bf-e1fe4366ab0c@mandelberg.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdir/UrzC1oa2a2ML5y4Bh8q29d14ArI>

Hi David,

Resolving the remaining nit.

>>     For unsigned data provided by a trusted source of bootstrapping data,
>>     the availability of the data is the only measure of it being current.
>>     Since the untrusted data comes from a trusted source, its current
>>     availability is meaningful.
>
> (nit) The only trusted sources of bootstrapping data are TLS servers, 
> right? I think this paragraph would be a bit stronger if you explicitly 
> mentioned that TLS's integrity guarantee and replay protection are what 
> you're relying on here.

Now the paragraph says:

   For unsigned data provided by a trusted source of bootstrapping data
   (i.e., a bootstrap server), the availability of the data is the only
   measure of it being current.  Since the untrusted data comes from a
   trusted source, its current availability is meaningful and, since
   bootstrap servers use TLS, the contents of the exchange cannot be
   modified or replayed.

Okay?

Thanks for all the great suggestions!

Kent