
What is crypto-algorithm for in openconfig-keychain model ? #785

Closed
m26singhvi opened this issue Jan 12, 2023 · 3 comments

Comments

@m26singhvi
Contributor

In openconfig-keychain model,

    leaf crypto-algorithm {
      type identityref {
        base oc-keychain-types:CRYPTO_TYPE;
      }
      description
        "Cryptographic algorithm associated with the key.  Note that not all cryptographic
        algorithms are available in all contexts (e.g., across different protocols).";
    }

What is this for, as this is provided for every key which is configured in the keychain and can be different in the same keychain?

My understanding is that this crypto type specifies the encryption in which the key is configured. Is that correct?

@m26singhvi m26singhvi changed the title What is CRYPTO_TYPE for in openconfig-keychain model ? What is crypto-algorithm for in openconfig-keychain model ? Jan 12, 2023
@joshpfosi

To provide a bit more context: one obvious use case for the openconfig-keychain model could be to implement the configuration frontend for a key management system for TCP-AO (RFC 5925). The cryptographic algorithm in this context could refer to (1) the specific Message Authentication Code (MAC) to be used to hash TCP segments. Alternatively, the algorithm could be (2) used by an OpenConfig speaker to convey (to the receiver) the algorithm used to encrypt the keying information (namely, key-id in the model). Which is intended?

@morrowc

morrowc commented Jan 18, 2023

<howdy - comment snipe>

The top of the keychain yang model has this text:

description "This module describes a YANG model for keychain configuration and management. These keys can be changed frequently to increase security in long-lived connections. A keychain can be used for authenticaion in a number of scenarios, including in routing protocols (e.g. BGP, IS-IS, OSPF). A keychain provides a solution for storing a number of different keys, each key string value is associated with a specific key id, name, the lifetime that the key is valid and an encryption algorithm. This model defines a central location for defining named keychains, which may be then referenced by other models such as routing protocol management.";

This, to me, sounds like a standard keychain/table setup vendors normally implement for MACsec, IS-IS or OSPF authentication schemes. Effectively this is a registry of:

    keyid  key     valid-use-times                                  algorithm
    1      fo0b4r  Jan 1 1970 - Jan 1 heat-death-of-universe        chachacha

I believe the intent is to permit you to have 1 location to store all of this data, and reference the key table content later in other use-cases (your isis authentication, or macsec key management, etc).

So, in joshpfosi's text I believe this makes sense as #1 not #2.
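An added illustration of interpretation #1 (not code from OpenConfig or from anyone in this thread): a constructed keychain where each key carries its own crypto-algorithm and lifetime, the sender picks the key valid at send time and computes a MAC with that key's algorithm, and the receiver looks the key up by key-id to pick the same algorithm. The identity names HMAC_SHA_1 and HMAC_SHA_256 and the leaf names are assumed for illustration; check openconfig-keychain-types for the real identities.

```python
import hmac
import hashlib
from datetime import datetime, timezone

# Assumed mapping from CRYPTO_TYPE identity names (hypothetical names) to digests.
ALGORITHMS = {"HMAC_SHA_1": hashlib.sha1, "HMAC_SHA_256": hashlib.sha256}

# Constructed keychain: per-key algorithm, as the model's per-key leaf allows.
# Lifetimes are ISO 8601 UTC strings; an end of None means "no expiry".
KEYCHAIN = {
    "name": "isis-auth",
    "keys": [
        {"key-id": 1, "secret-key": b"fo0b4r", "crypto-algorithm": "HMAC_SHA_1",
         "send-lifetime": ("2023-01-01T00:00:00Z", "2023-02-01T00:00:00Z")},
        {"key-id": 2, "secret-key": b"s3cr3t-rotated", "crypto-algorithm": "HMAC_SHA_256",
         "send-lifetime": ("2023-02-01T00:00:00Z", None)},
    ],
}


def parse(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def active_key(keychain, at):
    """Return the first key whose send-lifetime covers `at` (end is exclusive)."""
    for key in keychain["keys"]:
        start, end = key["send-lifetime"]
        if parse(start) <= at and (end is None or at < parse(end)):
            return key
    raise LookupError("no key valid at %s" % at.isoformat())


def sign(keychain, at, message):
    """Sender side: (key-id, hex MAC) using the algorithm bound to the active key."""
    key = active_key(keychain, at)
    digest = ALGORITHMS[key["crypto-algorithm"]]
    return key["key-id"], hmac.new(key["secret-key"], message, digest).hexdigest()


def verify(keychain, key_id, message, mac):
    """Receiver side: key-id travels in the PDU; the algorithm comes from the keychain."""
    for key in keychain["keys"]:
        if key["key-id"] == key_id:
            digest = ALGORITHMS[key["crypto-algorithm"]]
            expected = hmac.new(key["secret-key"], message, digest).hexdigest()
            return hmac.compare_digest(expected, mac)
    return False  # unknown key-id: reject rather than guess an algorithm
```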

@dplore dplore closed this as completed Jan 18, 2023
@dplore
Member

dplore commented Jan 18, 2023

Please feel free to reopen if @morrowc 's response needs clarification.
