YANG Data Model for Key Chains
draft-ietf-rtgwg-yang-key-chain-24

[Ballot comment]
Thank you for addressing my DISCUSS.

Maybe it is just me, but it would have helped to say that "key string in ASCII" is a passphrase. I was not sure whether "key string" was a term used in Routing and/or YANG circles. The best place to clarify this is in Section 2  (Problem Statement)

[Ballot discuss]
After reading the discussion between Adam, Kathleen and Alia, I have the following concerns:

1) With the removal of aes-key-wrap from the data model it is now not possible to tell whether a particular key string is a passphrase or whether it contains an encrypted key.

[Ballot discuss]
Note: My discuss is based on version -20 that contained the AES key wrap.  I'd like to see that restored in the draft as it's important for the draft, and the rest of my discuss on that text will make more sense.

Thanks for your work on this draft.  There is one outstanding issue from the SecDir review that may require some updated text to resolve.  It seems use of the key wrap method in RFC5649 requires more guidance for implementations to use it with this YANG module.  It's good to know that this is in use for other modules, so having a clear reference either to another draft or the text being in this draft for later reference would be helpful.

In looking at this text within the draft, I think it would be better to pull the text out of the Security Considerations section and into an earlier section of the draft.  It's better to introduce this prior to enumerating security considerations for the draft since this something that would be implemented.  Then security considerations should mention the considerations of using this option versus just what's in NACM.

You have the text:

  When configured, the key-strings can be encrypted using the AES Key
  Wrap algorithm [AES-KEY-WRAP].  The AES key-encryption key (KEK) is
  not included in the YANG model and must be set or derived independent
  of key-chain configuration.  When AES key-encryption is used, the
  hex-key-string feature is also required since the encrypted keys will
  contain characters that are not representable in the YANG string
  built-in type [YANG].  AES key-encryption MAY be used for added key
  security in situations where the NETCONF Access Control Mode is not
  available.

I think it's pretty straightforward after looking at RFC5649, but maybe more text would be helpful to clarify for implementers.  This might mean more text from 5649 on what gets placed in the YANG data model where you have already allocated for this or including an example.

[Ballot discuss]
After reading the discussion between Adam, Kathleen and Alia, I have the following concerns:

1) With the removal of aes-key-wrap from the data model it is now not possible to tell whether a particular key string is a passphrase or whether it contains an encrypted key.

2) I really really think aes-key-wrap should be restored in the document. If there is no facility for doing wrapped keys, implementations will never support them.

I would like to at least discuss this.

[Ballot comment]
Maybe it is just me, but it would have helped to say that "key string in ASCII" is a passphrase. I was not sure whether "key string" was a term used in Routing and/or YANG circles.

[Ballot discuss]
Thanks for your work on this draft.  There is one outstanding issue from the SecDir review that may require some updated text to resolve.  It seems use of the key wrap method in RFC5649 requires more guidance for implementations to use it with this YANG module.  It's good to know that this is in use for other modules, so having a clear reference either to another draft or the text being in this draft for later reference would be helpful.

In looking at this text within the draft, I think it would be better to pull the text out of the Security Considerations section and into an earlier section of the draft.  It's better to introduce this prior to enumerating security considerations for the draft since this something that would be implemented.  Then security considerations should mention the considerations of using this option versus just what's in NACM.

You have the text:

  When configured, the key-strings can be encrypted using the AES Key
  Wrap algorithm [AES-KEY-WRAP].  The AES key-encryption key (KEK) is
  not included in the YANG model and must be set or derived independent
  of key-chain configuration.  When AES key-encryption is used, the
  hex-key-string feature is also required since the encrypted keys will
  contain characters that are not representable in the YANG string
  built-in type [YANG].  AES key-encryption MAY be used for added key
  security in situations where the NETCONF Access Control Mode is not
  available.

I think it's pretty straightforward after looking at RFC5649, but maybe more text would be helpful to clarify for implementers.  This might mean more text from 5649 on what gets placed in the YANG data model where you have already allocated for this or including an example.

[Ballot comment]
Thank you for working through the SecDir review and making the suggested updates.

Since the following text int he Security Considerations section is a recommendation, IMO it would be better to drop "or otherwise obfuscated" from the sentence as encrypting the keys really should be the recommendation.  Can we make this update?

  It is RECOMMENDED that keys be encrypted or otherwise obfuscated when
  stored internally on a network device supporting this specification.

If obfuscation is what happens more often in practice, maybe mention this as a fallback from the recommendation, but not make them sound equivalent?

[Ballot comment]
Editorial:

- To be aligned with the other feature descriptions:
OLD:

  feature accept-tolerance {
      description
        "To specify the tolerance or acceptance limit.";
    }

NEW:

  feature accept-tolerance {
      description
        "Support the tolerance or acceptance limit.";
    }

- I would spell out "Network Management Datastore Architecture" [NMDA]

All lights are green from a tooling point of view.
As a side note, since you used the new NMDA tree structure, I would warn all the draft authors with YANG modules that depend on this YANG module that they might have to update their modules. See    https://www.yangcatalog.org/yang-search/impact_analysis.php?modules[]=ietf-key-chain&recurse=0&rfcs=0 for the source of information.

[Ballot comment]
- The second paragraph in the Abstract seems very specific for an Abstract. Since this variation is covered in the Introduction, consider removing it from the Abstract.

- Since the syntax in section 1.2 is used only in section 3.3 (from which I kept referring back to it), consider moving it down into section 3 somewhere.

- Section 2.2 describes a scheme in which the key with the "most recent send lifetime" is used for sending. The data model allows for lifetimes to be indicated with "always." It seems that there should be treatment of the interaction between "most recent" and "always".

- The second paragraph of section 3 is a bit non-obvious on first reading -- consider spelling out that one chain has a valid send key but invalid receive key, and vice-versa.

- Copyright notice in the YANG file is 2015. Is that intentional?

- On page 11, in "grouping lifetime", "case start-end-time", "choice end-time", "case infinite", "description", replace "end-time in infinite" with "end-time is infinite".

- On page 14, there's a assertion that hex allows specification of "greater entropy with the same number of octets." It might be worth qualifying this as *stored* octets, since it's demonstrably more octets on the wire.

- Section 5 discusses the use of a KEK, distributed out-of-band, to decrypt the keys stored in this format. There appears to be no affordance for indicating the identity of which KEK to use, which would come in handy for the types of key rotation schemes I'm familiar with. Mostly, I'm worried about the "try it and see if it works" approach when you have two valid KEKs (as during a transition), as it's not clear that you will be able to distinguish success from failure in all cases.

- Section 5 also suggests keys be encrypted or obfuscated on the device that is to use them, presumably in a way that can be decrypted or unobfuscated using information also on the device. I don't know what the current security area thinking around this is, but given that the information needed to retrieve plaintext keys is necessarily present on the device, this seems like a fig-leaf that provides an illusion of security without providing any real benefit. That mis-impression seems potentially harmful.

- The IANA considerations section gives the YANG module prefix as "ietf-key-chain". The YANG module itself defines the prefix as "key-chain". I assume these should match each other?

[Ballot comment]
Fully editorial comment:
section 1 is just a copy of the abstract… this could be removed and section 2 could be used as section 1/intro (with sections 1.1, 1.2, and 2.1 as subsections; and section 2.2. could become the new section 2)

[Ballot comment]
Just a couple of editorial comments:

-2.2: "This MAY be accomplished by accepting all the keys that have a valid accept lifetime and sending the key with the most recent send lifetime."
As written, that MAY sounds like a statement of fact rather than a normative requirement. If it's intended as normative, please consider restating in terms of actual procedure (e.g. "The receiver MAY accept ...")

-3, first paragraph: "Is a "key chain key" a key in the keychain, or something else? (maybe a key _for_ the keychain)?

[Ballot comment]

I had a few minor comments, mainly on the explanatory text -- I'm not a YANG expert (that's Benoit's job :-)):

1: "A key chain can be used by any service or application requiring authentication or encryption." - from my reading, this only symmetric keys; should this be "A key chain can be used by any service or application requiring authentication or encryption using symmetric keys"?

2: "They are also used to support of security requirements (e.g., TCP-AO Algorithms [TCP-AO-ALGORITHMS]) not implemented by vendors or only a single vendor." -- if it is not implemented, why put a key string on a device? Perhaps this was intended to be "not **yet** implemented..." ?

(Via drafts-lastcall@iana.org): IESG/Authors/WG Chairs:

The IANA Services Operator has completed its review of draft-ietf-rtgwg-yang-key-chain-15.txt. If any part of this review is inaccurate, please let us know.

The IANA Services Operator understands that, upon approval of this document, there is a single action which we must complete.

In the NS subregistry of the IETF XML registry located at:

https://www.iana.org/assignments/xml-registry/

a single, new entry is to be added as follows:

ID: yang:ietf-key-chain
URI: urn:ietf:params:xml:ns:yang:ietf-key-chain
Filename: [ TBD-at-registration ]
Reference: [ RFC-to-be ]

Because this registry requires Expert Review [RFC5226] for registration, we've contacted the IESG-designated expert in a separate ticket to request approval. Expert review should be completed before your document can be approved for publication as an RFC.

The IANA Services Operator understands that this is the only action required to be completed upon approval of this document.

Note:  The actions requested in this document will not be completed until the document has been approved for publication as an RFC. This message is only to confirm what actions will be performed.

Thank you,

Sabrina Tanamal
IANA Services Specialist
PTI

Request for posting confirmation emailed to previous authors: Yi Yang , Yingzhen Qu , rtgwg-chairs@ietf.org, Derek Yeung , Zhaohui Zhang , Ing-Wher Chen , Acee Lindem

The following Last Call announcement was sent out:

From: The IESG
To: IETF-Announce
CC: rtgwg-chairs@ietf.org, draft-ietf-rtgwg-yang-key-chain@ietf.org, akatlas@gmail.com, Jeff Tantsura , jefftant.ietf@gmail.com, rtgwg@ietf.org
Reply-To: ietf@ietf.org
Sender:
Subject: Last Call:  (Routing Key Chain YANG Data Model) to Proposed Standard


The IESG has received a request from the Routing Area Working Group WG
(rtgwg) to consider the following document:
- 'Routing Key Chain YANG Data Model'
  as Proposed Standard

The IESG plans to make a decision in the next few weeks, and solicits
final comments on this action. Please send substantive comments to the
ietf@ietf.org mailing lists by 2017-04-07. Exceptionally, comments may be
sent to iesg@ietf.org instead. In either case, please retain the
beginning of the Subject line to allow automated sorting.

Abstract


  This document describes the key chain YANG data model.  A key chain
  is a list of elements each containing a key string, send lifetime,
  accept lifetime, and algorithm (authentication or encryption).  By
  properly overlapping the send and accept lifetimes of multiple key
  chain elements, key strings and algorithms may be gracefully updated.
  By representing them in a YANG data model, key distribution can be
  automated.  Key chains are commonly used for routing protocol
  authentication and other applications.  In some applications, the
  protocols do not use the key chain element key directly, but rather a
  key derivation function is used to derive a short-lived key from the
  key chain element key (e.g., the Master Keys used in the TCP
  Authentication Option.




The file can be obtained via
https://datatracker.ietf.org/doc/draft-ietf-rtgwg-yang-key-chain/

IESG discussion can be tracked via
https://datatracker.ietf.org/doc/draft-ietf-rtgwg-yang-key-chain/ballot/


No IPR declarations have been submitted directly on this I-D.

The following Last Call announcement was sent out:

From: The IESG
To: IETF-Announce
CC: rtgwg-chairs@ietf.org, draft-ietf-rtgwg-yang-key-chain@ietf.org, akatlas@gmail.com, Jeff Tantsura , jefftant.ietf@gmail.com, rtgwg@ietf.org
Reply-To: ietf@ietf.org
Sender:
Subject: Last Call:  (Routing Key Chain YANG Data Model) to Proposed Standard


The IESG has received a request from the Routing Area Working Group WG
(rtgwg) to consider the following document:
- 'Routing Key Chain YANG Data Model'
  as Proposed Standard

The IESG plans to make a decision in the next few weeks, and solicits
final comments on this action. Please send substantive comments to the
ietf@ietf.org mailing lists by 2017-03-30. Exceptionally, comments may be
sent to iesg@ietf.org instead. In either case, please retain the
beginning of the Subject line to allow automated sorting.

Abstract


  This document describes the key chain YANG data model.  A key chain
  is a list of elements each containing a key string, send lifetime,
  accept lifetime, and algorithm (authentication or encryption).  By
  properly overlapping the send and accept lifetimes of multiple key
  chain elements, key strings and algorithms may be gracefully updated.
  By representing them in a YANG data model, key distribution can be
  automated.  Key chains are commonly used for routing protocol
  authentication and other applications.  In some applications, the
  protocols do not use the key chain element key directly, but rather a
  key derivation function is used to derive a short-lived key from the
  key chain element key (e.g., the Master Keys used in the TCP
  Authentication Option.




The file can be obtained via
https://datatracker.ietf.org/doc/draft-ietf-rtgwg-yang-key-chain/

IESG discussion can be tracked via
https://datatracker.ietf.org/doc/draft-ietf-rtgwg-yang-key-chain/ballot/


No IPR declarations have been submitted directly on this I-D.

(1) What type of RFC is being requested (BCP, Proposed Standard,
Internet Standard, Informational, Experimental, or Historic)?  Why
is this the proper type of RFC?  Is this type of RFC indicated in the
title page header?

  The Intended Status is 'Proposed Standard'. 
  The type of RFC is properly indicated in the title page header.
  This document describes the key chain YANG data model.

(2) The IESG approval announcement includes a Document Announcement
Write-Up. Please provide such a Document Announcement Write-Up. Recent
examples can be found in the "Action" announcements for approved
documents. The approval announcement contains the following sections:

Technical Summary
 

  This document describes a YANG data model for key chains.  Key
  chains have been implemented and deployed by most of
  network equipment vendors.  Providing a standard YANG model will
  facilitate automated key distribution and non-disruptive key
  rollover in a vendor independent way.

Working Group Summary

  This draft has been thoroughly discussed in the WG, very good feedback had been provided by SP and vendor community.
  The draft adoption and progress has received full support from the WG.
  All comments have been addressed.  The draft is ready for publication.

Document Quality

  The draft went to many rounds of reviews by YANG-Doctors as well as implementors, which resulted in a very high quality document.
  There are existing implementations and multiple vendors have shown significant interest in the topic. 

Personnel

  Jeff Tantsura is the Document Shepherd.
  Alia Atlas is the Responsible Area Director.

(3) Briefly describe the review of this document that was performed by
the Document Shepherd.  If this version of the document is not ready
for publication, please explain why the document is being forwarded to
the IESG.

  The draft has been thoroughly reviewed by the Shepherd.
  All comments have been addressed.  The draft is ready for publication.

(4) Does the document Shepherd have any concerns about the depth or
breadth of the reviews that have been performed?

  No concerns.

(5) Do portions of the document need review from a particular or from
broader perspective, e.g., security, operational complexity, AAA, DNS,
DHCP, XML, or internationalization? If so, describe the review that
took place.

  The draft has been reviewed by Security Area, Routing Directorate QA and YANG Doctors

(6) Describe any specific concerns or issues that the Document Shepherd
has with this document that the Responsible Area Director and/or the
IESG should be aware of? For example, perhaps he or she is uncomfortable
with certain parts of the document, or has concerns whether there really
is a need for it. In any event, if the WG has discussed those issues and
has indicated that it still wishes to advance the document, detail those
concerns here.

  N/A

(7) Has each author confirmed that any and all appropriate IPR
disclosures required for full conformance with the provisions of BCP 78
and BCP 79 have already been filed. If not, explain why.

  Yes.  Every author has confirmed.

(8) Has an IPR disclosure been filed that references this document?
If so, summarize any WG discussion and conclusion regarding the IPR
disclosures.

  Yes.  The authors have been asked (and they answered) on the WG
  list about IPR at every step of the process.  There haven't been
  any concerns raised on the list.

(9) How solid is the WG consensus behind this document? Does it
represent the strong concurrence of a few individuals, with others
being silent, or does the WG as a whole understand and agree with it? 

  The draft adoption and progress had received full support from the WG.
 
(10) Has anyone threatened an appeal or otherwise indicated extreme
discontent? If so, please summarize the areas of conflict in separate
email messages to the Responsible Area Director. (It should be in a
separate email because this questionnaire is publicly available.)

  No.

(11) Identify any ID nits the Document Shepherd has found in this
document. (See http://www.ietf.org/tools/idnits/ and the Internet-Drafts
Checklist). Boilerplate checks are not enough; this check needs to be
thorough.

  No nits.

(12) Describe how the document meets any required formal review
criteria, such as the MIB Doctor, media type, and URI type reviews.

  The draft has been reviewed by YANG-Doctors, all the comments received have been properly addressed.

(13) Have all references within this document been identified as
either normative or informative?

  Yes

(14) Are there normative references to documents that are not ready for
advancement or are otherwise in an unclear state? If such normative
references exist, what is the plan for their completion?

  No.

(15) Are there downward normative references references (see RFC 3967)?
If so, list these downward references to support the Area Director in
the Last Call procedure.

  No.

(16) Will publication of this document change the status of any
existing RFCs? Are those RFCs listed on the title page header, listed
in the abstract, and discussed in the introduction? If the RFCs are not
listed in the Abstract and Introduction, explain why, and point to the
part of the document where the relationship of this document to the
other RFCs is discussed. If this information is not in the document,
explain why the WG considers it unnecessary.

  The state of other documents remains unchanged.

(17) Describe the Document Shepherd's review of the IANA considerations
section, especially with regard to its consistency with the body of the
document. Confirm that all protocol extensions that the document makes
are associated with the appropriate reservations in IANA registries.
Confirm that any referenced IANA registries have been clearly
identified. Confirm that newly created IANA registries include a
detailed specification of the initial contents for the registry, that
allocations procedures for future registrations are defined, and a
reasonable name for the new registry has been suggested (see RFC 5226).

  This draft registers a URI in the IETF XML registry and
  a YANG module in the YANG Module Names registry.

(18) List any new IANA registries that require Expert Review for future
allocations. Provide any public guidance that the IESG would find
useful in selecting the IANA Experts for these new registries.

  N/A

(19) Describe reviews and automated checks performed by the Document
Shepherd to validate sections of the document written in a formal
language, such as XML code, BNF rules, MIB definitions, etc.

  The draft has been reviewed by YANG-Doctors, all the comments received have been properly addressed.

Request for posting confirmation emailed to previous authors: "Yingzhen Qu" , "Ing-Wher Chen" , "Derek Yeung" , "Yi Yang" , rtgwg-chairs@ietf.org, "Acee Lindem" , "Zhaohui Zhang"

Request for posting confirmation emailed to previous authors: "Yingzhen Qu" , "Derek Yeung" , "Yi Yang" , rtgwg-chairs@ietf.org, "I. Chen" , "Acee Lindem" , "Zhaohui Zhang"

Request for posting confirmation emailed to previous authors: "Yingzhen Qu" , "Derek Yeung" , "Yi Yang" , rtgwg-chairs@ietf.org, "I. Chen" , "Acee Lindem" , "Zhaohui Zhang"

Request for posting confirmation emailed to previous authors: "Derek Yeung" , rtgwg-chairs@ietf.org, "I. Chen" , "Yi Yang" , "Acee Lindem" , "Zhaohui Zhang" , "Yingzhen Qu"

Request for posting confirmation emailed to previous authors: "Derek Yeung" , rtgwg-chairs@ietf.org, "I. Chen" , "Yi Yang" , "Acee Lindem" , "Zhaohui Zhang" , "Yingzhen Qu"

Request for posting confirmation emailed to previous authors: "Derek Yeung" , rtgwg-chairs@ietf.org, "I. Chen" , "Acee Lindem" , "Zhaohui Zhang" , "Yi Yang" , "Yingzhen Qu"

Request for posting confirmation emailed to previous authors: "Zhaohui (Jeffrey) Zhang" , "Derek M. Yeung" , rtgwg-chairs@ietf.org, "I. Chen" , "Acee Lindem" , "Yi Yang" , "Yingzhen Qu"