| OPSEC Working Group | S. Winter |
| Internet-Draft | RESTENA |
| Intended status: Standards Track | March 18, 2016 |
| Expires: September 19, 2016 |
A Configuration File Format for Network Services on Leaf Devices
draft-winter-opsec-netconfig-metadata-00
This document specifies a YANG module for transfering configuration information of deployments of network services towards leaf nodes (hosts) on the internet. Such configuration files are meant to be discovered, consumed and used by configuration agents on the host to achieve correct and secure setup of these services on the consuming device. This iteration of the I-D concentrates on Wi-Fi network setup and EAP credentials, but is extensible to cover a wide range including VPN, E-Mail and other services.
This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79.
Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet-Drafts is at http://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress."
This Internet-Draft will expire on September 19, 2016.
Copyright (c) 2016 IETF Trust and the persons identified as the document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (http://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document.
The IETF produces many protocols which require configuration by the respective end users. Many of those protocols can be configured securely or not, depending on whether features are turned on or off. One random example is E-Mail: "STARTTLS when available" allows MITM attacks towards plaintext; "STARTTLS always" prevents them. Another example is the Extensible Authentication Protocol (EAP, [RFC3748]) and its numerous EAP methods (for example EAP-TTLS [RFC5281], EAP-TLS [RFC5216] and EAP-pwd [RFC5931]); the methods have many properties which need to be setup on the EAP server and matched as configuration items on the EAP peer for a secure EAP deployment.
Setting up these protocols and services is comparatively easy if the end-user devices which are to be configured are under central administrative control, e.g. in closed enterprise environments. Group policies or device provisioning by the IT department can push the settings to user devices.
In other environments, for example "BYOD" scenarios where users bring their own devices which are not under enterprise control, service configuration is significantly harder as it has to be done by potentially very non-technical end users.
In the case of Wi-Fi and EAP, correct configuration of all EAP deployment parameters is required to make the resulting authentications
It would be desirable to be able to convey the configuration information of a deployment in a machine parseable way to the end-user device, so that all the details need not be known/understood by the user. Instead, the configuration agent on the device could consume the configuration information and set up all details automatically.
However, there is currently no standard way of communicating configuration parameters to devices.
This specification defines such a file format for network service configuration metadata. The source definition is a YANG module which allows for automatic derivation of XML and JSON formats.
The specification contains several top-level elements which form the building blocks of service configuration:
The specification allows for unique identification of all elements by attaching a UUID to each setting. Using this unique identification, all parts of the configuration file can then refer to this particular piece of information. In particular, several different Wi-Fi networks can reference the same EAPIdentityProvider (and thus the same ClientSideCredential) to indicate that the same authentication settings are valid on all the networks. Configuration agents consuming the file can then ask for the corresponding client-side password once and apply it to all configuration blocks referencing that credential. When considering a hypothetical setup of three Wi-Fi networks, a VPN connection and an E-Mail account which all use the same username and password, all of those can be installed by asking the user for that username/password combination only once.
Device manufacturers sometimes have developed their own proprietary configuration formats, examples include Apple's "mobileconfig" (MIME type application/x-apple-aspen-config), Microsoft's XML schemata for EAP methods for use with the command-line "netsh" tool, or Intel's "PRO/Set Wireless" binary configuration files. The multitude of proprietary file formats and their different levels of richness in expression of EAP details create a very heterogenous and non-interoperable landscape.
All of the solutions have their own excentricities or drawbacks. The Microsoft and Intel file formats are limited to Wi-Fi purposes. The Apple mobileconfig approach treats each service as distinct; the same hypothetical situation from the previous paragraph would trigger a username/password prompt five times consecutively during the installation which is rather annoying for end users.
New devices which would like to benefit from machine-parseable configuration information currently either have to choose to follow a competitor's approach and use that competitor's file format or have to develop their own. This situation is very unsatisfactory.
In this document, several words are used to signify the requirements of the specification. The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in RFC 2119. [RFC2119]
The schema files are currently hosted on this location:
The root of the Yang module is the container 'NetworkConfiguration', which contains any of the five elements Certificates, ClientSideCredentials, EAPIdentityProviderList, IPSettingsList, WiFiNetwork, ProviderInfo. These blocks carry the actual configuration information. Individual configuration elements are linked among each other to allow for re-use of the elements: a root CA certificate can be the trust root for multiple purposes; a client credential can be valid for multiple services.
Each linkable element is unique in the sense that it is identified by a UUID value which is required to be unique across the file. These linkable elements ("building blocks") are:
Consumers of configuration files MUST be able to fall back to user-interactive configuration for these parts if they are not specified (e.g. ask for the username and password during import of the configuration data). Configuration files which contain sensitive elements such as 'Password' MUST be handled with due care after the import on the device (e.g. ensure minimal file permissions, or delete the source file after installing).
'AuthenticationMethods' contains a sequence of 'AuthenticationMethod' groupings. Each such grouping specifies the properties of one supported authentication method of an EAPIdentityProvider. The content of this grouping is enumerated in section Section 2.2.2.1 The set of configuration parameters specified in the grouping depends on the particular EAP method to be configured.
For instance, EAP-PWD [RFC5931] does not require any server certificate parameters; EAP-FAST and TEAP are the only ones making use of Protected Access Credential (PAC) provisioning. On the other hand, properties such as outer ("anonymous") identity or the need for a trusted root Certification Authority are common to several EAP methods. The server- and client-side credential types of EAP methods are defined as a flat list of elements to choose from (see 'ServerSideCredential' and 'EAPClientSideCredential' below); see section Section 7.2 for a rationale.
Where the sequence of 'AuthenticationMethod' groupings contains more than one element, the order of appearance in the file indicates the server operator's preference for the supported EAP types; occurences earlier in the file indicate a more preferred authentication method.
When a consuming device receives multiple 'AuthenticationMethod' groupings inside 'AuthenticationMethods', it should attempt to install more preferred methods first. During interactive provisioning of EAP properties, if the configuration information for a preferred method is insufficient (e.g. the 'AuthenticationMethod' is EAP-TLS, but the configuration file does not contain the client certificate/private key and the device's credential store is not pre-loaded with the client's certificate), the device should query whether this more preferred method should be used (requiring the user to supplement the missing data) or whether a less-preferred method should be configured instead. In non-interactive provisioning scenarios, all methods should be tried non-interactively in order until one method can be installed; if no method can be installed in a fully automated way, provisioning is aborted.
The 'AuthenticationMethod' grouping contains
The 'InnerAuthenticationMethod' list itself contains the same 'EAPMethod', 'ServerSideCredentials' and 'EAPClientSideCredentials' elements as described in the preceding list, but differs in two points:
The server-side authentication of a mutually authenticating EAP method is typically based on X.509 certificates, which requires the EAP peer to be pre-provisioned with one or more trusted root Certification Authority (CA) prior to authenticating. A server is uniquely identified by presenting a certificate which is signed by these trusted CAs, and by the EAP peer verifying that the name of the server matches the expected one. Consequently, a (set of) CAs and a (set of) server names make up the ServerSideCredentials block.
Note that different EAP methods use different terminology when referring to trusted CA roots, server certificates, and server name identification. They also differ or have inherent ambiguity in their interpretation on where to extract the server name from (e.g. is the server name the CN part of the DistinguishedName, or is the server name one of the subjectAltName:DNS entries; what to do if there is a mismatch?). This specification introduces one single element for CA trust roots and naming; these notions map into the naming of the particular EAP methods very naturally. This specification can not remove the CN vs. sAN:DNS ambiguity in many EAP methods.
The actual ClientSideCredential is defined on the top-level and referenced here only by its UUID.
Besides the credentials themselves, there are a variety of EAP-specific properties pertaining to the credential. EAP methods make use of a subset of these properties only. One such property is the "Outer Identity" that some EAP methods support; another one the ClientSideMTU which is relevant when the client has to send large amounts of client credential data (e.g. a large client certificate). As with server-side credentials, the terminology for the properties may differ slightly between EAP types. The naming convention in this specification maps nicely into the method-specific terminology. Not all the criteria make sense in all contexts; for EAP methods which do not support a criterion, configuration files SHOULD NOT contain the corresponding elements, and consumers of the file MUST ignore these elements.
Specifying any one of these elements except the UUID of the ClientSideCredential is optional.
This specification needs to consider that user interaction during the installation time may be required; the user at the very least must be empowered to decide whether the configuration file was issued by a provider he has an account with; the provider may have hints for the user (e.g. which password to use for the login), or may want to display links to helpdesk pages in case the user has problems with the setup or use of his identity.
The 'ProviderInfo' container allows to specify a range of potentially useful information for display to the user (some of which is relevant only during installation time, other pieces of information could be retained by the configuration agent and displayed e.g. in case of failed authentication):
Some elements in this specification contain text to be displayed in User Interfaces; depending on the user's language preferences, it would be desirable to present the information in a local language. Other elements contain contact information, and those contact points may only be able to handle requests in a number of languages; it may be desirable to present only contact points to the user which are compatible with his language capabilities.
All elements which either contain localisable text, or which point to external resources in localised languages, use the grouping 'localized-non-interactive' or 'localized-interactive'. These groupings can occur more than once in the specification, which enables an iteration of all applicable languages. If the grouping is omitted or its 'lang' leaf is set to "C", the instance of the element is considered a default choice which is to be displayed if no other language is a better match.
If the entire file content consistently uses only one language set, e.g. all the elements are to be treated as "default" choices, the language can also be set for the entire 'EAPIdentityProvider' element in its own 'lang-tag' leaf.
The utility 'pyang' is used to derive XML Schema (XSD) from the YANG source. The Schema for this Internet-Draft was generated with pyang 1.4.1.
S/MIME, XMLDSIG, JOSE or underlying transport security. Decisions TBD. Nuff said :-)
For transports where the categorisation of file types via MIME types is possible (e.g. HTTP, E-Mail), this document assigns the MIME type
application/netconfig-metadata-xml
Edge devices can associate this MIME type to incoming files on such transports, and register the configuration agent which can consume the data in XML format as the default handler for this file type. By doing so, for example a single click or tap on a link to the file in the device's browser will invoke the configuration process.
This method of discovery is analogous to the Apple "mobileconfig" discovery on recent versions of Mac OS and iOS.
In situations where file types can not be determined by MIME type meta-information (e.g. when the file gets stored on a local filesystem), this document RECOMMENDs that configuration data in XML format files be stored with the extension
.netconfig-metadata-xml
to identify the file as containing configuration information in XML format. Edge devices can register the configuration agent which can consume the data with this file extension. By doing so, for example a single click or tap on the filename in the device's User Interface will invoke the configuration process.
For transports where the categorisation of file types via MIME types is possible (e.g. HTTP, E-Mail), this document assigns the MIME type
application/netconfig-metadata-json
Edge devices can associate this MIME type to incoming files on such transports, and register the configuration agent which can consume the data in JSON format as the default handler for this file type. By doing so, for example a single click or tap on a link to the file in the device's browser will invoke the configuration process.
In situations where file types can not be determined by MIME type meta-information (e.g. when the file gets stored on a local filesystem), this document RECOMMENDs that configuration data in JSON format files be stored with the extension
.netconfig-metadata-json
to identify the file as containing configuration information in JSON format. Edge devices can register the configuration agent which can consume the data with this file extension. By doing so, for example a single click or tap on the filename in the device's User Interface will invoke the configuration process.
XML is a popular choice for EAP configurations: Microsoft's "netsh" files, Apple's "mobileconfig" files, the Wi-Fi Alliance's "PerProviderSubscription Managed Object", and other vendor/SDO definitions are all using XML.
JSON file formats for EAP configuration exist as well; most notable are Google's most recent efforts for their Chromebook Operating system.
YANG has a very rich feature set, and can codify restrictions on which element is allowed when in a much more fine-grained way than XML Schema could. Since YANG modules can be converted to XML Schema and be instantiated as XML or JSON, they can serve as an abstract notion of EAP configuration which can be deployed on consumer devices in either of those two more popular formats as needed by the device in question.
RFC Editor Note: Please remove this section and the reference to [RFC6982] prior to publication.
This section records the status of known implementations of the protocol defined by this specification at the time of posting of this Internet-Draft, and is based on a proposal described in [RFC6982]. The description of implementations in this section is intended to assist the IETF in its decision processes in progressing drafts to RFCs. Please note that the listing of any individual implementation here does not imply endorsement by the IETF. Furthermore, no effort has been spent to verify the information presented here that was supplied by IETF contributors. This is not intended as, and must not be construed to be, a catalog of available implementations or their features. Readers are advised to note that other implementations may exist.
According to [RFC6982], "this will allow reviewers and working groups to assign due consideration to documents that have the benefit of running code, which may serve as evidence of valuable experimentation and feedback that have made the implemented protocols more mature. It is up to the individual working groups to use this information as they see fit".
All of the implementations listed below interoperate from producer- to consumer-side of the EAP metadata specification.
Producers of the configuration files
Consumers of the configuration files
IANA is requested to allocate the MIME type "application/netconfig-metadata-xml" in the MIME Media Types / application registry (see section Section 5.1). The allocation should contain the following values:
IANA is requested to allocate the MIME type "application/netconfig-metadata-json" in the MIME Media Types / application registry (see section Section 5.1). The allocation should contain the following values:
IANA is requested to allocate the location "TBD" in the "well-known URIs" registry. The allocation should contain the following values:
IANA is requested to register the XML namespace "urn:ietf:params:xml:ns:netconfig-metadata-xml" in the "IETF XML Registry / ns". The allocation should contain the following values:
IANA is requested to register the XML schema "urn:ietf:params:xml:schema:netconfig-metadata-xml" in the "IETF XML Registry / schema". The allocation should contain the following values:
Tomasz Wolniewicz of Nicolaus Copernicus University in Torun, Poland, and Gareth J. Ayres of Swansea University in Swansea, United Kingdom, provided significant input into this specification.
| [RFC2119] | Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, DOI 10.17487/RFC2119, March 1997. |
The following values will be used for the online MIME type registration at https://www.iana.org/form/media-types
DATA