openconfig / gnoi

gRPC Network Operations Interface (gNOI) defines a set of gRPC-based microservices for executing operational commands on network devices.
Apache License 2.0
159 stars 69 forks source link

gnoi cert.proto: Need clarity on certificate validation during install and rotate #86

Open Devendra-Vamsi opened 2 years ago

Devendra-Vamsi commented 2 years ago

Section "Validate installed certificate" from page https://github.com/openconfig/gnoi/blob/master/docs/simplified_security_model.md#validate-installed-certificate insists that the target device needs to verify the new certificate(let's say ee-cert1) being installed with a CA cert(let's say ca-cert1) in the CA pool.

  1. Is the target device guaranteed to be provided with that CA cert(ca-cert1) from the gNOI client beforehand?
  2. If the CA cert(ca-cert1) is not present or if the certificate(ee-cert1) verification fails with CA cert(ca-cert1), should the target device fail the install RPC?
  3. Is the expected behavior applicable for rotate() RPC as well?
samribeiro commented 2 years ago

1) yes, either via a previous gNOI install using the ca_certificates field (https://github.com/openconfig/gnoi/blob/master/cert/cert.proto#L303) or during the same install using the same field, or via another mechanism that is not gNOI;

2) yes;

3) yes;