Network Working Group | O. Friel |
Internet-Draft | Cisco |
Intended status: Standards Track | R. Shekh-Yusef |
Expires: March 13, 2020 | Avaya |
M. Richardson | |
Sandelman Software Works | |
September 10, 2019 |
BRSKI Cloud Registrar
draft-friel-anima-brski-cloud-00
This document specifies the behaviour of a BRSKI Cloud Registrar, and how a pledge can interact with a BRSKI Cloud Registrar when bootstrapping.
This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79.
Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet-Drafts is at https://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress."
This Internet-Draft will expire on March 13, 2020.
Copyright (c) 2019 IETF Trust and the persons identified as the document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (https://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Simplified BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Simplified BSD License.
Bootstrapping Remote Secure Key Infrastructures (BRSKI) [I-D.ietf-anima-bootstrapping-keyinfra] specifies automated bootstrapping of an Autonomic Control Plane. BRSKI Section 2.7 describes how a pledge “MAY contact a well known URI of a cloud registrar if a local registrar cannot be discovered or if the pledge’s target use cases do not include a local registrar”.
This document further specifies use of a BRSKI cloud registrar and clarifies operations that are not sufficiently specified in BRSKI.
Two high level deployment models are documented here:
The high level architecture is illustrated in Figure 1. The pledge connects to the cloud registrar during bootstrap. The cloud registrar may redirect the pledge to a local registrar in order to complete bootstrap against the local registrar. If the cloud registrar handles the bootstrap process itself without redirecting the pledge to a local registrar, the cloud registrar may need to inform the pledge what domain to use for accessing services once bootstrap is complete.
Finally, when bootstrapping against a local registrar, the registrar may interact with a backend CA to assist in issuing certificates to the pledge. The mechanisms and protocols by which the registrar interacts with the CA are transparent to the pledge and are out-of-scope of this document.
The architecture illustrates shows the cloud registrar and MASA as being logically separate entities. The two functions could of course be integrated into a single service.
+--------+ +-----------+ | Pledge |---------------------------------------->| Cloud | +--------+ | Registrar | | +-----------+ | | +-----------+ +-----------+ +---------------->| Local |--------------->| MASA | | | Registrar | +-----------+ | +-----------+ | | +-----------+ | +--------------------->| CA | | +-----------+ | | +-----------+ +---------------->| Services | +-----------+
Figure 1
BRSKI defines how a pledge MAY contact a well known URI of a cloud registrar if a local registrar cannot be discovered. Additionally, certain pledge types may never attempt to discover a local registrar and may automatically bootstrap against a cloud registrar. The details of the URI are manufacturer specific, with BRSKI giving the example “brski-registrar.manufacturer.example.com”.
The pledge MUST use an Implicit Trust Anchor database (see [RFC7030]) to authenticate the cloud registrar service as described in [RFC6125]. The pledge MUST NOT establish a provisional TLS connection (see BRSKI section 5.1) with the cloud registrar.
The cloud registrar MUST validate the identity of the pledge by sending a TLS CertificateRequest message to the pledge during TLS session establishment. The cloud registrar MAY include a certificate_authorities field in the message to specify the set of allowed IDevID issuing CAs that pledges may use when establishing connections with the cloud registrar.
The cloud registrar MAY only allow connections from pledges that have an IDevID that is signed by one of a specific set of CAs, e.g. IDevIDs issued by certain manufacturers.
The cloud registrar MAY allow pledges to connect using self-signed identity certificates or using Raw Public Key [RFC7250] certificates.
After the pledge has established a full TLS connection with the cloud registrar and has verified the cloud registrar PKI identity, the pledge generates a voucher request message as outlined in BRSKI section 5.2, and sends the voucher request message to the cloud registrar.
When the cloud registrar has verified the identity of the pledge, determined the pledge ownership and has received the voucher request, there are two main options for handling the request.
The cloud registrar needs some suitable mechanism for knowing the correct owner of a connecting pledge based on the presented identity certificate. For example, if the pledge establishes TLS using an IDevID that is signed by a known manufacturing CA, the registrar could extract the serial number from the IDevID and use this to lookup a database of pledge IDevID serial numbers to owners.
Alternatively, if the cloud registrar allows pledges to connect using self-signed certificates, the registrar could use the thumbprint of the self-signed certificate to lookup a database of pledge self-signed certificate thumbprints to owners.
The mechanism by which the cloud registrar determines pledge ownership is out-of-scope of this document.
Once the cloud registar has determined pledge ownership, the cloud registrar may redirect the pledge to the owner’s local domain registrar in order to complete bootstrap. Ownership registration will require the owner to register their local domain. The mechanism by which pledge owners register their domain with the cloud registrar is out-of-scope of this document.
The cloud registrar replies to the voucher request with a suitable HTTP 3xx response code as per [I-D.ietf-httpbis-bcp56bis], including the owner’s local domain in the HTTP Location header.
The pledge should complete BRSKI bootstrap as per standard BRSKI operation after following the HTTP redirect. The pledge should establish a provisional TLS connection with specified local domain registrar. The pledge should not use its Implicit Trust Anchor database for validating the local domain registrar identity. The pledge should send a voucher request message via the local domain registrar. When the pledge downloads a voucher, it can validate the TLS connection to the local domain registrar and continue with enrollment and bootstrap as per standard BRSKI operation.
If the cloud registrar issues a voucher, it returns the voucher in a HTTP response with a suitable 2xx response code as per [I-D.ietf-httpbis-bcp56bis].
[[ TODO ]] There are a few options here:
[[ TODO ]] Missing detailed BRSKI steps e.g. CSR attributes, logging, etc.
+--------+ +-----------+ +----------+ | Pledge | | Local | | Cloud RA | | | | Registrar | | / MASA | +--------+ +-----------+ +----------+ | | | 1. Full TLS | |<----------------------------------------------->| | | | 2. Voucher Request | |------------------------------------------------>| | | | 3. 3xx Location: localra.example.com | |<------------------------------------------------| | | | 4. Provisional TLS | | |<-------------------->| | | | | | 5. Voucher Request | | |--------------------->| 6. Voucher Request | | |------------------------->| | | | | | 7. Voucher Response | | |<-------------------------| | 8. Voucher Response | | |<---------------------| | | | | | 9. Validate TLS | | |<-------------------->| | | | | | 10. etc. | | |--------------------->| |
[[ TODO: it is TBD which of the following three options should be used. Possibly 1 or 2 of them, maybe all 3. It is possible that some options will be explicitly NOT recommended. There are standards implications too as two of the options require including a DNS-ID in a Voucher. ]]
The Voucher includes the service domain to use after EST enroll is complete.
+--------+ +-----------+ +----------+ | Pledge | | Local | | Cloud RA | | | | Service | | / MASA | +--------+ +-----------+ +----------+ | | | 1. Full TLS | |<----------------------------------------------->| | | | 2. Voucher Request | |------------------------------------------------>| | | | 3. Voucher Response {service:fqdn} | |<------------------------------------------------| | | | 4. EST enroll | |------------------------------------------------>| | | | 5. Certificate | |<------------------------------------------------| | | | 6. Full TLS | | |<-------------------->| | | | | | 7. Service Access | | |--------------------->| |
As trust is already established via the Voucher, the pledge does a full TLS handshake against the local RA.
+--------+ +-----------+ +----------+ | Pledge | | Local | | Cloud RA | | | | Registrar | | / MASA | +--------+ +-----------+ +----------+ | | | 1. Full TLS | |<----------------------------------------------->| | | | 2. Voucher Request | |------------------------------------------------>| | | | 3. Voucher Response | |<------------------------------------------------| | | | 4. EST enroll | |------------------------------------------------>| | | | 5. 3xx Location: localra.example.com | |<------------------------------------------------| | | | 6. Full TLS | | |<-------------------->| | | | | | 7. EST Enrol | | |--------------------->| | | | | | 8. Certificate | | |<---------------------| | | | | | 9. etc. | | |--------------------->| |
The Voucher includes the EST domain to use for EST enroll. It is assumed services are accessed at that domain too. As trust is already established via the Voucher, the pledge does a full TLS handshake against the local RA.
+--------+ +-----------+ +----------+ | Pledge | | Local | | Cloud RA | | | | Registrar | | / MASA | +--------+ +-----------+ +----------+ | | | 1. Full TLS | |<----------------------------------------------->| | | | 2. Voucher Request | |------------------------------------------------>| | | | 3. Voucher Response {localra:fqdn} | |<------------------------------------------------| | | | 4. Full TLS | | |<-------------------->| | | | | | 5. EST Enrol | | |--------------------->| | | | | | 6. Certificate | | |<---------------------| | | | | | 7. etc. | | |--------------------->| |
BRSKI section 5.9.2 specifies that the pledge MUST send a CSR Attributes request to the registrar. The registrar MAY use this mechanism to instruct the pledge about the identities it should include in the CSR request it sends as part of enrollment. The registrar may use this mechanism to tell the pledge what Subject or Subject Alternative Name identity information to include in its CSR request. This can be useful if the Subject must have a specific value in order to complete enrollment with the CA.
For example, the pledge may only be aware of its IDevID Subject which includes a manufacturer serial number, but must include a specific fully qualified domain name in the CSR in order to complete domain ownership proofs required by the CA. As another example, the registrar may deem the manufacturer serial number in an IDevID as personally identifiable information, and may want to specify a new random opaque identifier that the pledge should use in its CSR.
[[ TODO ]]
[[ TODO ]]