-
Notifications
You must be signed in to change notification settings - Fork 0
/
Copy pathdraft-voit-rats-trustworthy-path-routing-05.txt
1792 lines (1252 loc) · 62.3 KB
/
draft-voit-rats-trustworthy-path-routing-05.txt
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
567
568
569
570
571
572
573
574
575
576
577
578
579
580
581
582
583
584
585
586
587
588
589
590
591
592
593
594
595
596
597
598
599
600
601
602
603
604
605
606
607
608
609
610
611
612
613
614
615
616
617
618
619
620
621
622
623
624
625
626
627
628
629
630
631
632
633
634
635
636
637
638
639
640
641
642
643
644
645
646
647
648
649
650
651
652
653
654
655
656
657
658
659
660
661
662
663
664
665
666
667
668
669
670
671
672
673
674
675
676
677
678
679
680
681
682
683
684
685
686
687
688
689
690
691
692
693
694
695
696
697
698
699
700
701
702
703
704
705
706
707
708
709
710
711
712
713
714
715
716
717
718
719
720
721
722
723
724
725
726
727
728
729
730
731
732
733
734
735
736
737
738
739
740
741
742
743
744
745
746
747
748
749
750
751
752
753
754
755
756
757
758
759
760
761
762
763
764
765
766
767
768
769
770
771
772
773
774
775
776
777
778
779
780
781
782
783
784
785
786
787
788
789
790
791
792
793
794
795
796
797
798
799
800
801
802
803
804
805
806
807
808
809
810
811
812
813
814
815
816
817
818
819
820
821
822
823
824
825
826
827
828
829
830
831
832
833
834
835
836
837
838
839
840
841
842
843
844
845
846
847
848
849
850
851
852
853
854
855
856
857
858
859
860
861
862
863
864
865
866
867
868
869
870
871
872
873
874
875
876
877
878
879
880
881
882
883
884
885
886
887
888
889
890
891
892
893
894
895
896
897
898
899
900
901
902
903
904
905
906
907
908
909
910
911
912
913
914
915
916
917
918
919
920
921
922
923
924
925
926
927
928
929
930
931
932
933
934
935
936
937
938
939
940
941
942
943
944
945
946
947
948
949
950
951
952
953
954
955
956
957
958
959
960
961
962
963
964
965
966
967
968
969
970
971
972
973
974
975
976
977
978
979
980
981
982
983
984
985
986
987
988
989
990
991
992
993
994
995
996
997
998
999
1000
RATS Working Group E. Voit
Internet-Draft C. Gaddam
Intended status: Standards Track Cisco
Expires: September 2, 2022 G. Fedorkow
Juniper
H. Birkholz
Fraunhofer SIT
M. Chen
China Mobile
March 01, 2022
Trusted Path Routing
draft-voit-rats-trustworthy-path-routing-05
Abstract
There are end-users who believe encryption technologies like IPSec
alone are insufficient to protect the confidentiality of their highly
sensitive traffic flows. These end-users want their flows to
traverse devices which have been freshly appraised and verified for
trustworthiness. This specification describes Trusted Path Routing.
Trusted Path Routing protects sensitive flows as they transit a
network by forwarding traffic to/from sensitive subnets across
network devices recently appraised as trustworthy.
Status of This Memo
This Internet-Draft is submitted in full conformance with the
provisions of BCP 78 and BCP 79.
Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current Internet-
Drafts is at https://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress."
This Internet-Draft will expire on September 2, 2022.
Copyright Notice
Copyright (c) 2022 IETF Trust and the persons identified as the
document authors. All rights reserved.
Voit, et al. Expires September 2, 2022 [Page 1]
Internet-Draft trust-path March 2022
This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents
(https://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents
carefully, as they describe your rights and restrictions with respect
to this document. Code Components extracted from this document must
include Simplified BSD License text as described in Section 4.e of
the Trust Legal Provisions and are provided without warranty as
described in the Simplified BSD License.
Table of Contents
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 2
2. Terminology . . . . . . . . . . . . . . . . . . . . . . . . . 3
2.1. Terms . . . . . . . . . . . . . . . . . . . . . . . . . . 3
2.2. Requirements Notation . . . . . . . . . . . . . . . . . . 4
3. Implementation Prerequisites . . . . . . . . . . . . . . . . 4
4. End-to-end Solution . . . . . . . . . . . . . . . . . . . . . 5
4.1. Network Topology Assembly . . . . . . . . . . . . . . . . 5
4.2. Attestation Information Flows . . . . . . . . . . . . . . 6
4.2.1. Step 1 . . . . . . . . . . . . . . . . . . . . . . . 8
4.2.2. Step 2 . . . . . . . . . . . . . . . . . . . . . . . 8
4.2.3. Step 3 . . . . . . . . . . . . . . . . . . . . . . . 12
4.2.4. Step 4 . . . . . . . . . . . . . . . . . . . . . . . 12
4.2.5. Step 5 . . . . . . . . . . . . . . . . . . . . . . . 14
4.2.6. Step 6 . . . . . . . . . . . . . . . . . . . . . . . 16
5. YANG Module . . . . . . . . . . . . . . . . . . . . . . . . . 16
6. Security Considerations . . . . . . . . . . . . . . . . . . . 27
7. References . . . . . . . . . . . . . . . . . . . . . . . . . 27
7.1. Normative References . . . . . . . . . . . . . . . . . . 28
7.2. Informative References . . . . . . . . . . . . . . . . . 28
Appendix A. Acknowledgements . . . . . . . . . . . . . . . . . . 29
Appendix B. Change Log . . . . . . . . . . . . . . . . . . . . . 29
Appendix C. Open Questions . . . . . . . . . . . . . . . . . . . 31
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 31
1. Introduction
There are end-users who believe encryption technologies like IPSec
alone are insufficient to protect the confidentiality of their highly
sensitive traffic flows. These customers want their highly sensitive
flows to be transported over only network devices recently verified
as trustworthy.
By using a router's embedded TPM based cryptoprocessors in
conjunction with the Remote Attestation context established by
[attestation-results], a network provider can identify potentially
compromised devices as well as potentially exploitable (or even
Voit, et al. Expires September 2, 2022 [Page 2]
Internet-Draft trust-path March 2022
exploited) vulnerabilities. Using this knowledge, it is then
possible to redirect sensitive flows around these devices while other
remediations are potentially considered by Network Operations.
Trusted Path Routing allows the establishing Trusted Topologies which
only include trust-verified network devices. Membership in a Trusted
Topology is established and maintained via an exchange of Stamped
Passports at the link layer between peering network devices. As
links to Attesting Devices are appraised as meeting at least a
minimum set of formally defined Trustworthiness Claims, the links are
then included as members of this Trusted Topology. Routing protocols
are then used to propagate topology state throughout a network.
IP Packets to and from end-user designated Sensitive Subnets are then
forwarded into this Trusted Topology at each network boundary. This
is done by an end user identifying sensitive IP subnets where flows
with applications using these IP subnets need enhanced privacy
guarantees. Trusted Path Routing passes flows to/from these
Sensitive Subnets over a Trusted Topology able to meet these
guarantees. The Trusted Topology itself consists of the
interconnection of network devices where each potentially transited
device has been verified as achieving a specific set of
Trustworthiness Claims during its most recent trustworthiness
appraisal. Interesting sets of Trustworthiness Claims might be
marketed to end-users in the following ways:
o all transited devices have booted with known hardware and firmware
o all transited devices are from a specific set of vendors and are
running known software containing the latest patches
o no guarantees provided
2. Terminology
2.1. Terms
The following terms are imported from [RATS-Arch]: Attester,
Evidence, Passport, Relying Party, and Verifier.
The following terms are impored from [attestation-results]:
Trustworthiness Claim, Trustworthiness Vector, AR-augmented Evidence
Newly defined terms for this document:
Attested Device - a network connected Attester where a Verifier's
most recent appraisal of Evidence has returned a Trustworthiness
Vector.
Voit, et al. Expires September 2, 2022 [Page 3]
Internet-Draft trust-path March 2022
Stamped Passport - AR-augmented Evidence which can take two forms.
First if the Attester uses a TPM2, the the Verifier Proof-of-
Freshness includes the <clock>, <reset-counter>, <restart-counter>
and <safe> objects from a recent TPM2 quote made by that Attester,
and the Relying Party Proof-of-Freshness is returned along with
the timeticks as objects embedded within the most recent TPM quote
signed by the same TPM2. Second, if the Attester uses a TPM1.2:
the Verifier Proof-of-Freshness includes a global timestamp from
that Verifier, and the Relying Party Proof-of-Freshness is
embedded within a more recent TPM quote signed by the same TPM
Attesting Environment.
Sensitive Subnet - an IP address range where IP packets to or from
that range desire confidentially guarantees beyond those of non-
identified subnets. In practice, flows to or from a Sensitive
Subnet must only have their IP headers and encapsulated payloads
accessible/visible only by Attested Devices supporting one or more
Trustworthiness Vectors.
Transparently-Transited Device - a network device within an network
domain where any packets originally passed into that network
domain are completely opaque on that network device at Layer 3 and
above.
Trusted Topology - a topology which includes only Attested Devices
and Transparently-Transited Devices.
2.2. Requirements Notation
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and
"OPTIONAL" in this document are to be interpreted as described in
BCP 14 [RFC2119] [RFC8174] when, and only when, they appear in all
capitals, as shown here.
3. Implementation Prerequisites
The specification is a valid instance of [attestation-results]. This
specification works under the following protocol and preconfiguration
prerequisite assumptions:
o All Attested Devices support the TPM remote attestation profile as
laid out in [RATS-Device], and include either [TPM2.0] or
[TPM1.2].
o One or more Verifier A's as defined in [attestation-results]
'Interaction Model' continuously appraise each of the Attested
Voit, et al. Expires September 2, 2022 [Page 4]
Internet-Draft trust-path March 2022
Devices in a network domain, and these Verifiers return the
Attestation Results back to each originating Attested Device.
o The Attested Devices are connected via link layer protocols such
as [MACSEC] or [IEEE-802.1X].
o Each Attester can pass a Stamped Passport to a Relying Party /
Verifier B as defined in [attestation-results] 'Interaction Model'
within [RFC3748] over that link layer protocol.
o A Trusted Topology such as [I-D.ietf-lsr-flex-algo] exists in an
IGP domain for the forwarding of Sensitive Subnet traffic. This
Topology will carry traffic across a set of Attested Devices which
currently meet at a defined set of Trustworthiness Vectors.
o A Relying Party is able to use mechanisms such as
[I-D.ietf-lsr-flex-algo]'s affinity to include/exclude links as
part of the Trusted Topology based on the appraisal of a Stamped
Passport.
o Customer designated Sensitive Subnets and their requested
Trustworthiness Vectors have been identified and associated with
external interfaces to/from Attested Devices at the edge of a
network. Traffic to a Sensitive Subnet can be passed into the
Trusted Topology by the Attested Device.
o Relying Party/Verifier B trusts information signed by Verifier A.
Verifier B has also been pre-provisioned with certificates or
public keys necessary to confirm that Stamped Passports came from
Verifier A.
4. End-to-end Solution
4.1. Network Topology Assembly
To be included in a Trusted Topology, Stamped Passports are shared
between Attested Devices (such as routers) as part of link layer
authentication. Upon receiving and appraising the Stamped Passport
during the link layer authentication phase, the Relying Party
Attested Device decides if this link should be added as an active
adjacency for a particular Trusted Topology. In Figure 1 below, this
might be done by applying an Appraisal Policy for Attestation
Results. The policy within each device might specify the evalutation
of a 'hardware' claim as defined in [attestation-results],
Section 2.3.4. With the appraisal, an Attesting Device be most
recently appraised with the 'hardware' Trustworthiness Claim in the
'affirming' range. If Attested Device has been appraised outside
that range, it would not become part of the Trustworthy Topology.
Voit, et al. Expires September 2, 2022 [Page 5]
Internet-Draft trust-path March 2022
When enough links have been successfully added, the Trusted Topology
will support edge-to-edge forwarding as routing protocols flood the
adjacency information across the network domain.
.------------. .----------.
| Attested | | Edge |
.----------. | Device 'x' | | Attested |
| Attested | | | | Device |
| Device | | | | |
| | | trust>---------------<no_trust |
| no_trust>--<trust | .----------. | |---Sensitive
| | '------------' | trust>==<trust | Subnet
| trust>==================<trust | | |
'----------' | | '----------'
| Attested |
| Device |
'----------'
Figure 1: Trusted Path Topology Assembly
As the process described above repeats over time across the set of
links within a network domain, Trusted Topologies can be extended and
maintained. Traffic to and from Sensitive Subnets is then identified
at the edges of the network domain and passed into this Trusted
Topology. Traffic exchanged with Sensitive Subnets can then be
forwarded across that Trusted Topology from all edges of the network
domain. After the initial Trusted Topology establishment, new and
existing devices will continue to provide incremental Stamped
Passports. As each link is added/removed from the Trusted Topology,
the topology will adjust itself accordingly.
Ultimately from an operator and users point of view, the delivered
network will be more secure and therefore the service provided more
valuable. As network operators attach great importance to the innate
security of links, also delivering security for transited network and
networking devices will also prove valuable.
4.2. Attestation Information Flows
Critical to the establishment and maintenance of a Trusted Topology
is the Stamped Passport. A Stamped Passport is comprised of Evidence
from both an Attester and a Verifier. A Stamped Passport is a valid
type of AR-augmented evidence as described in [attestation-results].
Stamped Passports are exchanged between adjacent network devices over
a link layer protocols like 802.1x or MACSEC. As both sides of a
link may need might need to appraise the other, independent Stamped
Passports will often be transmitted from either side of the link.
Voit, et al. Expires September 2, 2022 [Page 6]
Internet-Draft trust-path March 2022
Additionally, as link layer protocols will continuously re-
authenticate the link, this allows for fresh Stamped Passports to be
constantly appraised by either side of the connection.
Each Stamped Passport will include the most recent Verifier provided
Attestation Results, as well as the most recent TPM Quote for that
Attester. Upon receiving this information as part of link layer
authentication, the Relying Party Router appraises the results and
decides if this link should be added to a Trusted Topology.
Figure 2 describes this flow of information using the time
definitions described in [RATS-Arch], and the information flows
defined in Section 7 of [RATS-Interactions]. This figure is also a
valid embodiment of the "Interaction Model" described within
[attestation-results]. (Note that the Relying Party must also be an
Attested Device in order to attract Sensitive Subnet traffic which
may flow from the Attester.)
.------------------.
| Attester |
| |
| (Attested Device |
| / Router) | .------------------.
| .-------------. | | Relying Party |
| | TPM based | | | / Verifier B |
| | Attesting | | .----------. | |
| | Environment | | | Verifier | | (Attested Device |
| '-------------' | | A | | / Router) |
'------------------' '----------' '------------------'
time(VG) | |
|<------nonce--------------time(NS) |
| | |
time(EG)(1)------Evidence------------>| |
| time(RG) |
|<------Attestation Results-(2) |
~ ~ ~
time(VG')? | |
~ ~ ~
|<------nonce---------------------------------(3)time(NS')
| | |
time(EG')(4)------Stamped Passport---------------------->|
| | time(RG',RA')(5)
(6)
~
time(RX')
Figure 2: Trusted Path Timing
Voit, et al. Expires September 2, 2022 [Page 7]
Internet-Draft trust-path March 2022
To summarize Figure 2 above, Evidence about a specific Attester is
generated. Some subset of this evidence will be in the form of PCR
quotes which are signed by a TPM that exists as the Attester's
Attesting Environment. This Evidence will be delibered to and
appraised by Verifier A. Verifier A will then appraise the Attester
and give it a Trustworthiness Vector. This Trustworthiness Vector is
then signed by Verifier A and be returned as Attestation Results to
the Attester. Later, when a request comes in from a Relying Party,
the Attester assembles and returns a Stamped Passport. The Stamped
Passport contains all the information necessary for Verifier B to
appraise the most recent Trustworthiness Vector of the Attester.
Based on the Verifier B appraisal, the link will be included or not
in a Trusted Topology maintained on the Relying Party.
More details on the mechanisms used in the construction,
verification, and transmitting of the Stamped Passport are listed
below. These numbers match to both the numbered steps of Figure 2
and numbered steps described in Section 3 of [attestation-results]:
4.2.1. Step 1
Evidence about and Attester is generated. A portion of this Evidence
will include a PCR quote signed by a TPM private LDevID key that
exists within the Attester's TPM based Attesting Environment. The
Attester sends a signed TPM Quote which includes PCR measurements to
Verifier A at time(EG).
There are two alternatives for Verifier A to acquire this signed
Evidence:
o Subscription to the <attestation> stream defined in
[stream-subscription]. Note: this method is recommended as it
will minimize the interval between when a PCR change is made in a
TPM, and when the PCR change appraisal is incorporated within a
subsequent Stamped Passport.
o Periodic polling of RPC <tpm20-challenge-response-attestation> or
the RPC <tpm12-challenge-response-attestation> which are defined
in [RATS-YANG].
4.2.2. Step 2
Verifier A appraises the Evidence from Step 1. A portion of this
appraisal process will follow the appraisal process flow described
below. This appraisal process MUST be able to set at least the
following set of Trustworthiness Claims from [attestation-results]:
'hardware', 'instance-identity', and 'executables'. The
Voit, et al. Expires September 2, 2022 [Page 8]
Internet-Draft trust-path March 2022
establishment of a Trustworthiness Vector uses the following Figure 3
logic on the Verifier:
Start: TPM Quote Received, log received, or appraisal timer expired
for the the Attesting network device.
Appraisal 0: set Trustworthiness Vector = Null
Appraisal 1: Is there sufficient fresh signed evidence to appraise?
(yes) - No Action
(no) - Goto End
Appraisal 2: Appraise Hardware Integrity PCRs
if (hardware NOT "0") - push onto vector
if (hardware NOT affirming or warning), go to End
Appraisal 3: Appraise Attesting Environment identity
if (instance-identity <> "0") - push onto vector
Appraisal 4: Appraise executable loaded and filesystem integrity
if (executables NOT "0") - push onto vector
if (executables NOT affirming or warning), go to End
Appraisal 5: Appraise all remaining Trustworthiness Claims
Independently and set as appropriate.
End
Figure 3: Verifier A Appraisal Flow
After the appraisal and generation of the Trustworthiness Vector, the
following are assembled as the set of Attestation Results from this
particular appraisal cycle:
(2.1) the Public Attestation Key which was used to validate the TPM
Quote of Step 1. This is encoded by <public-key>, <public-key-
format>, and <public-key-algorithm-type>.
(2.2) the appraised Trustworthiness Vector of the Attester as
calculated in Figure 3
(2.3) the PCR state information from the TPM Quote of (1) plus the
time information associated with the TPM Quote of (1). Specifically
if the Attester has a TPM2, then the values of the TPM PCRs are
included (i.e., <TPM2B_DIGEST>, <tpm20-hash-algo>, and <pcr-index>),
as are the timing counters from the TPM (i.e., <clock>, <reset-
counter>, <restart-counter>, and <safe>). Likewise if the Attester
has a TPM1.2, the TPM PCR values of the <pcr-index> and <pcr-value>
Voit, et al. Expires September 2, 2022 [Page 9]
Internet-Draft trust-path March 2022
are included. Timing information comes from the Verifier itself via
the <timestamp> object.
(2.4) a Verifier A signature across (2.1) though (2.3). This
signature is encoded by <verifier-signature>, <verifier-key-
algorithm-type>, and <verifier-signature-key-name>.
Immediately subsequent to each Verifier appraisal cycle of an
Attester, these Attestation Results MUST be pushed to the Attesting
Router. This is done via a daatstore write to the following YANG
model on the Attester. A YANG tree showing the relevant YANG objects
is below. The YANG model describing each of these objects is
described later in the document. Note however that although the YANG
model shows the specific objects which are needed, the specific set
of objects needs to be encoded in CDDL. This makes the payload going
over TLS more efficient. Look for this encoding in a new version of
the draft which is pending.
Voit, et al. Expires September 2, 2022 [Page 10]
Internet-Draft trust-path March 2022
module: ietf-trustworthiness-claims
+--rw attestation-results!
+--rw (tpm-specification-version)?
+--:(tpm20-attestation-results-cddl) {taa:tpm20}?
| +--rw tpm20-attestation-results-cddl
| +--rw trustworthiness-vector
| | +--rw hardware? hardware
| | +--rw instance-identity? instance-identity
| | +--rw executables? executables
| | +--rw configuration? configuration
| +--rw tpm20-pcr-selection* [tpm20-hash-algo]
| | +--rw tpm20-hash-algo identityref
| | +--rw pcr-index* tpm:pcr
| +--rw TPM2B_DIGEST binary
| +--rw clock uint64
| +--rw reset-counter uint32
| +--rw restart-counter uint32
| +--rw safe boolean
| +--rw attester-certificate-name
| | tpm:certificate-name-ref
| +--rw appraisal-timestamp
| | yang:date-and-time
| +--rw verifier-algorithm-type identityref
| +--rw verifier-signature binary
| +--rw verifier-certificate-keystore-ref
| tpm:certificate-name-ref
+--:(tpm12-attestation-results-cddl) {taa:tpm12}?
+--rw tpm12-attestation-results-cddl
+--rw trustworthiness-vector
| +--rw hardware? hardware
| +--rw instance-identity? instance-identity
| +--rw executables? executables
| +--rw configuration? configuration
+--rw pcr-index* pcr
+--rw tpm12-pcr-value* binary
+--rw tpm12-hash-algo identityref
+--rw TPM12-quote-timestamp
| yang:date-and-time
+--rw attester-certificate-name
| tpm:certificate-name-ref
+--rw appraisal-timestamp
| yang:date-and-time
+--rw verifier-algorithm-type identityref
+--rw verifier-signature binary
+--rw verifier-certificate-keystore-ref
tpm:certificate-name-ref
Figure 4: Attestation Results Tree
Voit, et al. Expires September 2, 2022 [Page 11]
Internet-Draft trust-path March 2022
4.2.3. Step 3
At time(NS') some form of time-based freshness (such as a nonce or
Epoch Handle [RATS-Interactions]) will be generated in a way which
makes it available to the Relying Party. Soon after time(NS'), a
Relying Party will make a Link Layer authentication request to an
Attester via a either [MACSEC] or [IEEE-802.1X]. This connection
request MUST expect the return of [RFC3748] credentials from the
Attester.
4.2.4. Step 4
Upon receipt of the Link Layer request from Step 3, a Stamped
Passport is generated and sent to the Relying Party. The Stamped
Passport MUST include the following:
(4.1) The Attestation Results from Step 2
(4.2) New signed, verifiably fresh PCR measurements based on a TPM
quote at time(EG') which incorporates the freshness information known
by the Relying Party from Step 3. If it is a nonce, the freshness
information will have been delivered as part of the link layer
connection request in Steps 3.
Stamped Passports contain following objects, defined in this document
via YANG. A subsequent draft will convert the objects below into
CDDL format so that the objects can efficiently be passed over EAP.
If an Attester includes a TPM2, these YANG objects are:
Voit, et al. Expires September 2, 2022 [Page 12]
Internet-Draft trust-path March 2022
+---n tpm20-stamped-passport
+--ro attestation-results
| +--ro trustworthiness-vector
| | +--ro hardware? hardware
| | +--ro instance-identity? instance-identity
| | +--ro executables? executables
| | +--ro configuration? configuration
| +--ro tpm20-pcr-selection* [tpm20-hash-algo]
| | +--ro tpm20-hash-algo identityref
| | +--ro pcr-index* tpm:pcr
| +--ro TPM2B_DIGEST binary
| +--ro clock uint64
| +--ro reset-counter uint32
| +--ro restart-counter uint32
| +--ro safe boolean
| +--ro attester-certificate-name
| | tpm:certificate-name-ref
| +--ro appraisal-timestamp
| | yang:date-and-time
| +--ro verifier-algorithm-type identityref
| +--ro verifier-signature binary
| +--ro verifier-certificate-keystore-ref
| tpm:certificate-name-ref
+--ro tpm20-quote
+--ro TPMS_QUOTE_INFO binary
+--ro quote-signature binary
Figure 5: YANG Tree for a TPM2 Stamped Passport
Note that where a TPM2.0 is used, the PCR numbers and hash algorithms
quoted in Step 1 MUST match the PCR numbers and hash algorithms
quoted in this step.
And if the Attester is a TPM1.2, the YANG object are:
Voit, et al. Expires September 2, 2022 [Page 13]
Internet-Draft trust-path March 2022
+---n tpm12-stamped-passport
+--ro attestation-results
| +--ro trustworthiness-vector
| | +--ro hardware? hardware
| | +--ro instance-identity? instance-identity
| | +--ro executables? executables
| | +--ro configuration? configuration
| +--ro pcr-index* pcr
| +--ro tpm12-pcr-value* binary
| +--ro tpm12-hash-algo identityref
| +--ro TPM12-quote-timestamp
| | yang:date-and-time
| +--ro attester-certificate-name
| | tpm:certificate-name-ref
| +--ro appraisal-timestamp
| | yang:date-and-time
| +--ro verifier-algorithm-type identityref
| +--ro verifier-signature binary
| +--ro verifier-certificate-keystore-ref
| tpm:certificate-name-ref
+--ro tpm12-quote
+--ro TPM_QUOTE2? binary
Figure 6: YANG Tree for a TPM1.2 Stamped Passport
With either of these passport formats, if the TPM quote is verifiably
fresh, then the state of the Attester can be appraised by a network
peer.
Note that with [MACSEC] or [IEEE-802.1X], Step 3 plus Step 4 will
repeat periodically independently of any subsequent iteration Steps 1
and Step 2. This allows for periodic reauthentication of the link
layer in a way not bound to the updating of Verifier A's Attestation
Results.
4.2.5. Step 5
Upon receipt of the Stamped Passport generated in Step 4, the Relying
Party appraises this Stamped Passport as per its Appraisal Policy for
Attestation Results. The result of this application will determine
how the Stamped Passport will impact adjacencies within a Trusted
Topology. The decision process is as follows:
(5.1) Verify that (4.2) includes the freshness context from Step 3.
(5.2) Use a local certificate to validate the signature (4.1).
(5.3) Verify that the hash from (4.2) matches (4.1)
Voit, et al. Expires September 2, 2022 [Page 14]
Internet-Draft trust-path March 2022
(5.4) Use the identity of (2.1) to validate the signature of (4.2).
(5.5) Failure of any steps (5.1) through (5.4) means the link does
not meet minimum validation criteria, therefore appraise the link as
having a null Verifier B Trustworthiness Vector. Jump to Step 6.
(5.6) Compare the time(EG) TPM state to the time(EG') TPM state
o If TPM2.0
1. If the <TPM2B_DIGEST>, <reset-counter>, <restart-counter> and
<safe> are equal between the Attestation Results and the TPM
Quote at time(EG') then Relying Party can accept (2.1) as the
link's Trustworthiness Vector. Jump to Step 6.
2. If the <reset-counter>, <restart-counter> and <safe> are equal
between the Attestation Results and the TPM Quote at
time(EG'), and the <clock> object from time(EG') has not
incremented by an unacceptable number of seconds since the
Attestation Result, then Relying Party can accept (2.1) as the
link's Trustworthiness Vector. Jump to Step 6.)
3. Assign the link a null Trustworthiness Vector.
o If TPM1.2
1. If the <pcr-index>'s and <tpm12-pcr-value>'s are equal between
the Attestation Results and the TPM Quote at time(EG'), then
Relying Party can accept (2.1) as the link's Trustworthiness
Vector. Jump to step (6).
2. If the time hasn't incremented an unacceptable number of
seconds from the Attestation Results <timestamp> and the
system clock of the Relying Party, then Relying Party can
accept (2.1) as the link's Trustworthiness Vector. Jump to
step 6.)
3. Assign the link a null Trustworthiness Vector.
(5.7) Assemble the Verifier B Trustworthiness Vector
1. Copy Verifier A Trustworthiness Vector to Verifier B
Trustworthiness Vector
2. Prune any Trustworthiness Claims the Relying Party doesn't accept
from this Verifier.
Voit, et al. Expires September 2, 2022 [Page 15]
Internet-Draft trust-path March 2022
4.2.6. Step 6
After the Trustworthiness Vector has been validated or reset, based
on the link's Trustworthiness Vector, the Relying Party adjusts the
link affinity of the corresponding ISIS [I-D.ietf-lsr-flex-algo]
topology. ISIS will then replicate the link state across the IGP
domain. Traffic will then avoid links which do not have a qualifying
Trustworthiness Vector.
5. YANG Module
This YANG module imports modules from [RATS-YANG], [crypto-types] and
[RFC6021].
<CODE BEGINS> [email protected]
module ietf-trustworthiness-claims {
yang-version 1.1;
namespace
"urn:ietf:params:xml:ns:yang:ietf-trustworthiness-claims";
prefix tc;
import ietf-yang-types {
prefix yang;
}
import ietf-tcg-algs {
prefix taa;
reference
"draft-ietf-rats-yang-tpm-charra";
}
import ietf-tpm-remote-attestation {
prefix tpm;
reference
"draft-ietf-rats-yang-tpm-charra";
}
organization "IETF";
contact
"WG Web: <http://tools.ietf.org/wg/rats/>
WG List: <mailto:[email protected]>
Editor: Eric Voit
<mailto:[email protected]>";
description
"This module contains conceptual YANG specifications for
subscribing to attestation streams being generated from TPM chips.
Copyright (c) 2020 IETF Trust and the persons identified as
Voit, et al. Expires September 2, 2022 [Page 16]
Internet-Draft trust-path March 2022
authors of the code. All rights reserved.
Redistribution and use in source and binary forms, with or without
modification, is permitted pursuant to, and subject to the license
terms contained in, the Simplified BSD License set forth in
Section 4.c of the IETF Trust's Legal Provisions Relating to IETF
Documents (https://trustee.ietf.org/license-info).
This version of this YANG module is part of RFC XXXX; see the RFC
itself for full legal notices.";
revision 2021-11-03 {
description
"Initial version.";
reference
"draft-voit-rats-trustworthy-path-routing";
}
/*
* TYPEDEF
*/
typedef trustworthiness-claim {
type int8;
description
"A Verifier asserted value designed to enable a common
understanding of a Verifier trustworthiness appraisal. The
value assignments for this 8 bit signed integer will follow
these guidelines:
Affirming: The Verifier affirms the Attester support for this
aspect of trustworthiness
- Values 2 to 31: A standards enumerated reason for affirming.
- Values -2 to -32: A non-standard reason for affirming.
Warning: The Verifier warns about this aspect of trustworthiness.
- Values 32 to 63: A standards enumerated reason for the
warning.
- Values -33 to -64: A non-standard reason for the warning.
Contraindicated: The Verifier asserts the Attester is explicitly
untrustworthy in regard to this aspect.
- Values 64 to 127: A standards enumerated reason for the
contraindication.
- Values -65 to -128: A non-standard reason for the
contraindication.
Voit, et al. Expires September 2, 2022 [Page 17]
Internet-Draft trust-path March 2022
None: The Verifier makes no assertions about this Trustworthiness
Claim. The following values are reserved with the following
meanings across all instances of trustworthiness-claim.
- Value 0: Note: this should always be always treated
equivalently by the Relying Party as no claim being made.
I.e., the RP's Appraisal Policy for Attestation Results
SHOULD NOT make any distinction between a Trustworthiness
Claim with enumeration '0', and no Trustworthiness Claim
being provided.
- Value 1: The Evidence received contains unexpected elements
which the Verifier is unable to parse. An example might be
that the wrong type of Evidence has been delivered.
- Value -1: An unexpected error occurred during the Verifier's
appraisal processing. Note: while no claim is being made, the
Relying Party MAY make a distinction between a
Trustworthiness Claim with enumeration '-1', and no
Trustworthiness Claim being provided.";
}
typedef hardware {
type trustworthiness-claim;
description
"A Verifier has appraised any Attester hardware and firmware
which are able to expose fingerprints of their identity and
running code.
The following are specific reserved values of hardware and
the meanings of these reserved values:
0: No assertion
1: The Verifer cannot parse unexpected Evidence
-1:Verifier malfunction
2: An Attester has passed its hardware and/or firmware
verifications needed to demonstrate that these are
genuine/supported.
32:An Attester contains only genuine/supported hardware and/or
firmware, but there are known security vulnerabilities.
96:Attester hardware and/or firmware is recognized, but its
trustworthiness is contraindicated.