RATS Working Group H. Birkholz Internet-Draft Fraunhofer SIT Intended status: Standards Track March 10, 2020 Expires: September 11, 2020 MUD-Based RATS Resources Discovery draft-birkholz-rats-mud-00 Abstract Manufacturer Usage Description (MUD) files and the MUD URI that point to them are defined in RFC 8520. This document introduces a new type of MUD file to be delivered in conjunction with a MUD file signature and/or to be referenced via a MUD URI embedded in an IEEE 802.1AR Secure Device Identifier (DevID). A DevID is a device specific pub- key identity document that can be presented to other entities, e.g. a network management system. If this entity is also a verifier as defined by the IETF Remote ATtestation procedureS (RATS) architecture, this verifier can use the references found in the MUD file specified in this document in order to discover appropriate Reference Integrity Measurements (RIM), Endorsement Documents, or even globally suitable Remote Attestation Services (RAS). All three types of theses resources are required to conduct RATS. Hence, the MUD file defined in this document enables remote attestation procedures by supporting the discovery of these required resources or services. Status of This Memo This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79. Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet- Drafts is at https://datatracker.ietf.org/drafts/current/. Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress." This Internet-Draft will expire on September 11, 2020. Birkholz Expires September 11, 2020 [Page 1] Internet-Draft Muddy Rats March 2020 Copyright Notice Copyright (c) 2020 IETF Trust and the persons identified as the document authors. All rights reserved. This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (https://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Simplified BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Simplified BSD License. Table of Contents 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2 1.1. Requirements Notation . . . . . . . . . . . . . . . . . . 4 2. MUD URIs in DevIDs . . . . . . . . . . . . . . . . . . . . . 4 3. MUD File Signatures . . . . . . . . . . . . . . . . . . . . . 4 4. Trusting MUD URIs and MUD Files . . . . . . . . . . . . . . . 4 4.1. Trusting RATS Resources referenced by a MUD File . . . . 5 5. Specification of RATS MUD files referenced by MUD URIs . . . 5 5.1. Tree Diagram . . . . . . . . . . . . . . . . . . . . . . 5 5.2. YANG Module . . . . . . . . . . . . . . . . . . . . . . . 5 6. Privacy Considerations . . . . . . . . . . . . . . . . . . . 8 7. Security Considerations . . . . . . . . . . . . . . . . . . . 8 8. References . . . . . . . . . . . . . . . . . . . . . . . . . 8 8.1. Normative References . . . . . . . . . . . . . . . . . . 8 8.2. Informative References . . . . . . . . . . . . . . . . . 9 Author's Address . . . . . . . . . . . . . . . . . . . . . . . . 9 1. Introduction Verifiers, Endorsers, and Attesters are roles defined in the RATS Architecture [I-D.ietf-rats-architecture]. In the RATS architecture, the Attester role relies on the Verifier and Endorser roles to enable the appraisal of Attestation Evidence produced by said Attesters; and to create corresponding Attestation Results. Attestation Results compose a believable chunk of information that can be digested by Relying Parities in order to assess an Attester's trustworthiness. The assessment of a remote peer's trustworthiness is vital to steer any future protocol interaction between the Attester and the remote Relying Party. To create these Attestation Results to be consumed by Relying Parties, the Attestation Evidence an Attester creates has to be processed by one or more appropriate Verifiers. Birkholz Expires September 11, 2020 [Page 2] Internet-Draft Muddy Rats March 2020 This document defines a procedure that enables the discovery of viable resources for RATS services in a local scope: 1.) Reference Integrity Measurements, and 2.) Endorsement documents. Additionally, a third option is provided: this document defines the option to enable the discovery of remote Verfiers: 3.) Remote Attestation Services (RAS) in a global scope (if no local trusted authorities are available). Attestation Policies and Endorsements are required to enable an appropriate appraisal of Attestation Evidence in a fashion that helps Relying Parties to digest the corresponding Attestation Results. This document defines the use of MUD URIs embedded in Secure Device Identifiers (IEEE 802.1AR DevIDs) as defined by [RFC8520]. These DevIDs are enrolled on the Attester by manufacturers or related supply chain entities with appropriate authority. The DevIDs can be presented to local Network Management Systems, AAA-services (e.g. via IEEE 802.1X), or other points of first contact (e.g. [RFC8071]) in a local scope. These local entities of authority can digest the DevID and conduct trust decisions based on the DevID by tracing associated certification paths and trust anchors [RFC4949]. If the DevID presented by the Attester is deemed to be trusted by the local trust authority, the MUD URI embedded is considered to be a trusted source of viable (and if their Identity Documents are also to be trusted - believable) Attestation Policies, Endorsements, and even globally available RAS. In essence, the MUD file that is referenced by the DevID presented refers to sources of Attestation Policies and Endorsements recommended by the manufacturer or related supply chain entities with appropriate authority. These sources are required by appraisal procedures conducted by Verifiers in order to create well-founded Attestation Results. For example, trusted Endorses can enrich Attestation Results by vouching for the quality of hardware components, the composition of a Composite Attester, or other security characteristics of an Attester. This specification does not define the format of Attestation Policies and Endorsement documents. A type of Attestation Policies and their representation is defined in [I-D.birkholz-rats-coswid-rim]. A specific format of Endorsements for hardware components based on [I-D.ietf-rats-eat] is defined in [I-D.birkholz-rats-endorsement- eat]. Birkholz Expires September 11, 2020 [Page 3] Internet-Draft Muddy Rats March 2020 1.1. Requirements Notation The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in BCP 14 [RFC2119] [RFC8174] when, and only when, they appear in all capitals, as shown here. 2. MUD URIs in DevIDs The MUD URI embedded in a DevID presented by an Attester points to a MUD file. [RFC8520] defines the format of how to embed MUD URIs in Secure Device Identifiers. This document uses this specification and does neither modify nor augment the definition about how to compose a MUD URI. 3. MUD File Signatures As the resources required by a Verifier's appraisal procedures have to be trustworthy, a MUD signature file for a corresponding MUD File MUST be available. The MUD File MUST also include a reference to its MUD signature file via the 'mud-signature' statement. A MUD signature MAY be referenced in the DevID, but entities consuming this information must be aware that a MUD File can change. If MUD file changed (the MUD signature in the DevID does not match any more), a MUD signature file referenced in the MUD File itself MUST exist and MUST be available. If both the signature embedded in a DevID and referenced by a MUD File do not match, the MUD File SHOULD NOT be trusted. 4. Trusting MUD URIs and MUD Files The level of assurance about the integrity of a MUD URI embedded in a DevID is based on the level of trust put into the corresponding trust anchor associated with the DevID. If you cannot establish a level of trust towards the entity that signed a DevID (the signer), the embedded MUD URI SHOULD NOT be trusted. The level of assurance about the integrity of a MUD file is based on the level of trust put into the entity that created the corresponding MUD File Signature. If you cannot establish a level of trust put into the corresponding trust anchor associated with the MUD signature file, the referenced MUD File SHOULD NOT be trusted. Birkholz Expires September 11, 2020 [Page 4] Internet-Draft Muddy Rats March 2020 4.1. Trusting RATS Resources referenced by a MUD File Reference Integrity Measurements and Endorsement documents that are referenced by a MUD File MUST be signed. The signing procedures, the format of corresponding Identity documents, and the establishment of trust relationships associated with these resources are out-of-scope of this document. 5. Specification of RATS MUD files referenced by MUD URIs The MUD URI embedded in a DevID presented by an Attester points to a MUD File. At the time of writing this -00 I-D, MUD URIs always point to a piece of data that is a YANG-modeled XML file with a structure specified in the style of a YANG module definition ([RFC7950] and corresponding updates: [RFC8342], [RFC8526]). This document specifies a YANG module augment definition for generic MUD files to create RATS MUD files. The following definition MUST be used, if a MUD URI points to a RATS MUD file. 5.1. Tree Diagram The following tree diagram [RFC8340] provides an overview of the data model for the "ietf-mud-rats" module augment. module: ietf-mud-rats augment /mud:mud: +--rw ras | +--rw ras-uris* inet:uri +--rw rim | +--rw rim-uris* inet:uri +--rw edt +--rw edt-uris* inet:uri 5.2. YANG Module This YANG module has normative references to [RFC6991] and augments [RFC8520]. file ietf-mud-rats@2019-03-09.yang module ietf-mud-rats { yang-version 1.1; namespace "urn:ietf:params:xml:ns:yang:ietf-mud-rats"; prefix "mud-rats"; import ietf-mud { Birkholz Expires September 11, 2020 [Page 5] Internet-Draft Muddy Rats March 2020 prefix "mud"; } import ietf-inet-types { prefix "inet"; } organization "IETF RATS (Remote ATtestation procedureS) Working Group"; contact "WG Web: http://tools.ietf.org/wg/rats/ WG List: rats@ietf.org Author: Eliot Lear Author: Henk Birkholz "; description "This YANG module augments the ietf-mud model to provide for three optional lists to enable Remote Attestation Procedures so that this device type may be used as a controller for other MUD-enabled devices. Copyright (c) 2020 IETF Trust and the persons identified as authors of the code. All rights reserved. Redistribution and use in source and binary forms, with or without modification, is permitted pursuant to, and subject to the license terms contained in, the Simplified BSD License set forth in Section 4.c of the IETF Trust's Legal Provisions Relating to IETF Documents (https://trustee.ietf.org/license-info). This version of this YANG module is part of RFC XXXX (https://www.rfc-editor.org/info/rfcXXXX); see the RFC itself for full legal notices. The key words 'MUST', 'MUST NOT', 'REQUIRED', 'SHALL', 'SHALL NOT', 'SHOULD', 'SHOULD NOT', 'RECOMMENDED', 'NOT RECOMMENDED', 'MAY', and 'OPTIONAL' in this document are to be interpreted as described in BCP 14 (RFC 2119) (RFC 8174) when, and only when, they appear in all capitals, as shown here."; revision 2020-03-09 { description "Initial proposed standard."; reference "RFC XXXX: MUD Extension to find RATS supply chain entity resources: remote attestation services, endorsement documents, and reference integrity measurement"; Birkholz Expires September 11, 2020 [Page 6] Internet-Draft Muddy Rats March 2020 } grouping mud-rats-grouping { description "Grouping to locate RATS services"; container ras { description "Lists of Remote Attestation Service (RAS/Verifiers) candidates."; leaf-list ras-uris { type inet:uri; description "A list of Verifiers that can appraise evidence produced by the entity that presents a DevID including this MUD URI."; } } container rim { description "Lists of Reference Integrity Measurement (RIM) candidates."; leaf-list rim-uris { type inet:uri; description "A list of RIM CoSWID that provide reference integrity measurements represented as signed CoSWID using the CoSWID RIM extension."; } } container edt { description "List of Endorsements for Roots of Trusts (e.g. Endorsement Key Certificates)."; leaf-list edt-uris { type inet:uri; description "A list of Endorsements that vouch for the characteristics of Roots of Trusts the entity possesses."; } } } augment "/mud:mud" { uses mud-rats-grouping; description "add mud-rats URI resources"; } } Birkholz Expires September 11, 2020 [Page 7] Internet-Draft Muddy Rats March 2020 6. Privacy Considerations Potentially 7. Security Considerations Most likely a summary of the trust relationship corresponding to the RATS architecture 8. References 8.1. Normative References [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, DOI 10.17487/RFC2119, March 1997, . [RFC6991] Schoenwaelder, J., Ed., "Common YANG Data Types", RFC 6991, DOI 10.17487/RFC6991, July 2013, . [RFC7950] Bjorklund, M., Ed., "The YANG 1.1 Data Modeling Language", RFC 7950, DOI 10.17487/RFC7950, August 2016, . [RFC8071] Watsen, K., "NETCONF Call Home and RESTCONF Call Home", RFC 8071, DOI 10.17487/RFC8071, February 2017, . [RFC8174] Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC 2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174, May 2017, . [RFC8340] Bjorklund, M. and L. Berger, Ed., "YANG Tree Diagrams", BCP 215, RFC 8340, DOI 10.17487/RFC8340, March 2018, . [RFC8342] Bjorklund, M., Schoenwaelder, J., Shafer, P., Watsen, K., and R. Wilton, "Network Management Datastore Architecture (NMDA)", RFC 8342, DOI 10.17487/RFC8342, March 2018, . [RFC8520] Lear, E., Droms, R., and D. Romascanu, "Manufacturer Usage Description Specification", RFC 8520, DOI 10.17487/RFC8520, March 2019, . Birkholz Expires September 11, 2020 [Page 8] Internet-Draft Muddy Rats March 2020 [RFC8526] Bjorklund, M., Schoenwaelder, J., Shafer, P., Watsen, K., and R. Wilton, "NETCONF Extensions to Support the Network Management Datastore Architecture", RFC 8526, DOI 10.17487/RFC8526, March 2019, . 8.2. Informative References [I-D.ietf-rats-architecture] Birkholz, H., Thaler, D., Richardson, M., Smith, N., and W. Pan, "Remote Attestation Procedures Architecture", draft-ietf-rats-architecture-02 (work in progress), March 2020. [I-D.ietf-rats-eat] Mandyam, G., Lundblade, L., Ballesteros, M., and J. O'Donoghue, "The Entity Attestation Token (EAT)", draft- ietf-rats-eat-03 (work in progress), February 2020. [RFC4949] Shirey, R., "Internet Security Glossary, Version 2", FYI 36, RFC 4949, DOI 10.17487/RFC4949, August 2007, . Author's Address Henk Birkholz Fraunhofer SIT Rheinstrasse 75 Darmstadt 64295 Germany Email: henk.birkholz@sit.fraunhofer.de Birkholz Expires September 11, 2020 [Page 9]