Re: [yang-doctors] Yangdoctors last call review of draft-ietf-netconf-keystore-02

Kent Watsen <kwatsen@juniper.net> Wed, 02 August 2017 23:47 UTC

From: Kent Watsen <kwatsen@juniper.net>
To: Juergen Schoenwaelder <j.schoenwaelder@jacobs-university.de>
CC: "yang-doctors@ietf.org" <yang-doctors@ietf.org>, "draft-ietf-netconf-keystore.all@ietf.org" <draft-ietf-netconf-keystore.all@ietf.org>, "netconf@ietf.org" <netconf@ietf.org>
Date: Wed, 02 Aug 2017 23:47:42 +0000
Message-ID: <DEE37B41-0EB4-43E3-8C48-34057BEB4AF6@juniper.net>
In-Reply-To: <20170731190640.GC32546@elstar.local>
Archived-At: <https://mailarchive.ietf.org/arch/msg/yang-doctors/FSv5LOH5CudxZAY2ebjPaSGeYFs>

Hi Juergen,

> <snip/>
> Yes, the host-key resides on the server, the public part of the host
> key may be stored on a client in a known-hosts file so that client can
> check whether it talks to the right server. So far so good.
>
> It seems /keystore/trusted-host-keys/trusted-host-key represents
> /etc/ssh/ssh_known_hosts (i.e. a _global_ known hosts list) and there
> is no way to learn the public known host key from a server via the
> YANG module. Can I request creation of a new host key? There is
> generate-private-key but that seems to be more tied to X.509 stuff.

The 'generate-private-key' action is no way meant to be just for X.509
stuff.  But I acknowledge that there might be a semantic-gap here.
For instance, if one wants to ask an SSH server to generate a new
host-key, one expects an API called something like 'generate-host-key'
(inside an SSH namespace, or as an action to the server instance),
rather than first generating the 'key' and then separately saying that
it's the host-key.  I think that this could be chalked up to saying
that there is a base API layer and then, separately, higher level
layers that use it, but it's worth the discussion if it makes sense
at all...


> Note that this does not model ~/.ssh/known_hosts since the list is not
> on a per-user-account basis. It would actually be the equivalent of a
> global /etc/ssh/ssh_known_hosts file.

Not exactly, as it is undetermined who, or which models, point to the
keystore host-key lists.  In some data models, it might be global and,
in others, user specific.


>> <snip/>
>> No, your system most likely does not use a keystore mechanism.  For
>> instance, OpenSSL's `ssh-keygen` utility just writes to a local file.
>> We're doing something a little different here, which is a cause for
>> careful review (thanks again).  Taking a step back, one of the drivers
>> for this keystore mechanism is to centralize the /trusted-host-keys
>> and /trusted-certificates, as these lists are referenced from many
>> locations.  Less important to centralize are the private keys, as
>> the keys (always?) have a single use.  The only reason for centralizing
>> the private keys is to give keys created via the generate-private-key
>> action a place to be listed before they are used for some purpose...
>
> The question is whether there is value to centralize beyond the
> different key systems. Is there really added value to try to treat SSH
> keys and X.509 in the same list infrastructure or are they at the end
> just different things? What about other keys, i.e., for signing DNS
> zones or RPKI keys? Is it useful to try to put all of these keys that
> serve different purposes into a common structure? The open source
> people maintaining software packages seem to keep things separate. Is
> Junos having such a centralized asymmetric keystore? How about IOS XR?
> Others? If not, why would a standard do this?

JUNOS does not have a centralized keystore.  I can't speak for IOS or
others, but I guess not.  This model is suggesting a *conceptual*
keystore.   As the keystore draft says:

   It is not required that a system has an operating system level
   keystore utility to implement this module.

But to your higher-level question, is there value to treating such
various keys similarly, all I can say is that all such private keys
should be protected and, as such, the nacm:default-deny-all property
given here is apropos.

Kent