spiffe / spire

The SPIFFE Runtime Environment
https://spiffe.io
Apache License 2.0

RFE: Network+Device trust: Spire Agent EAP(oL) Device Attestation #4281

Closed mmaymann closed 11 months ago

mmaymann commented 1 year ago

Roots of trust:

  1. Manufacturer: Spire (FDO)
  2. SupplyChain: Spire (FDO)
  3. Network: This RFE = Spire + SONiC (L2 security + agentless support)
  4. Device: This RFE = Spire + SONiC ((P)NAC/ACL)
  5. User: Spire + KeyCloak + Biometric MFA Securitykey
  6. Workload: Spire + KeyCloak
  7. Data: Spire + KeyCloak

This RFE is regarding 3+4. Network+Device based root of trust (B below):

A. XIoT Onboarding: Manufacturer produces device + forwards ownership to company using SpireServerFDO + CaptivePortal

B. XIoT attestation: agentless EAP(oL) device (-> AP) -> SONiCSpireAgentEAP(L2) -> SpireServer -> SONiCSpireAgent(P)NAC/ACL:
  - 802.1x EAP(oL)-TLS X.509 certificate check
  - TPM_Certify_Info(2) (PCR status): Firmware version, BootLoader, OS version, firewall enabled, antivirus enabled, ...
    - Additional Keylime functionality? into upstream
    - MUD (Manufacturer Usage Description) -> ITAM -> XIoT identification
    - SBOM (SoftwareBillOfMaterial) -> ITAM -> continuous lightweight vulnerability scanning -> proactive remediation actions
  - (P)NAC/ACL: SpireServer -> SONiC NAC

C. Company provisions validated devices to their desired state

D. Day2 operations (Realtime Spire Network+Device+User+Workload+Data attestation)

I have given my free OSS GoldenPath KubernetesNative version of a GitOps Zero-Conf|Trust|Touch XIoT management target architecture - directly from network devices.

Suggestions/enhancements would be highly appreciated :)

Thanks in advance :)

evan2645 commented 12 months ago

What is SpireServerFDO? I'm a little bit lost on all the info here and feel like there's some larger context that I'm missing.

I am familiar though with EAP et al. It's not technically agentless since usually you still need a supplicant running? 😅 Personally speaking, I'd only reach for EAP if I was trying to protect L2 network access, which is not a goal for SPIRE ... SPIRE is cloud native software and operates at the application layer.

I'm having a hard time coming up with solutions on how to use SPIRE to back an EAP handshake .. and also the value of doing so. I don't think SPIRE will change to speak EAP or 802.1x directly. Why are the existing SPIRE mechanisms insufficient?

mmaymann commented 12 months ago

Hi @evan2645, Thanks for your reply :)

  1. SpireServerFDO is Fido Device Onboard Rendezvous functionality that could be integrated into Spire Server mentioned in https://github.com/spiffe/spire/issues/4289.
  2. Agentless = Spire agentless devices = devices that are not able to run Spire Agent (IoT devices etc.). Applying POLP in a ZeroTrust infrastructure, where devices that have not been - preferably hardware - attested are not allowed: Spire(Agentless)Device -> SONiC_EAP(oL)_TPM_Attest -> SpireAgentonSONiC -> SpireServer -> SpireAgentonSONiC -> SONiC(P)NAC/ProvisionACL -> Spire(Agentless)Device provisioning -> SONiC(P)NAC/ProductionACL. I have given my free OSS GoldenPath KubernetesNative version of a GitOps Zero-Conf|Trust|Touch XIoT management target architecture.
  3. Would it be possible to join a community session or perhaps a 1-1 where we could discuss if/how/where to potentially best implement this functionality?

Thanks in advance :)
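As an added example (not code from this issue, from SPIRE or from SONiC), here is the TPM PCR-status check that both comments place between the EAP(oL)-TLS certificate check and the SONiC NAC/ACL decision, in Python: replay a boot event log, compare it with the quoted PCRs, and map the outcome to deny, the provisioning ACL or the production ACL. The PCR-to-role mapping, the ACL policy and the sample measurements are assumptions made for the example.

```python
import hashlib

# Assumed PCR-to-role mapping for the checks the proposal lists
# (firmware, bootloader, OS); real devices differ, treat as a placeholder.
PCR_ROLES = {0: "firmware", 4: "bootloader", 8: "os"}
EMPTY_PCR = b"\x00" * 32

def pcr_extend(current: bytes, measurement: bytes) -> bytes:
    # TPM 2.0 PCR extend, SHA-256 bank: new = SHA256(old || SHA256(measurement))
    return hashlib.sha256(current + hashlib.sha256(measurement).digest()).digest()

def replay_event_log(events):
    # events: [(pcr_index, measured_bytes)] in boot order; returns final PCR values.
    pcrs = {}
    for idx, measurement in events:
        pcrs[idx] = pcr_extend(pcrs.get(idx, EMPTY_PCR), measurement)
    return pcrs

def evaluate_device(quoted_pcrs, events, golden):
    """Assumed policy: log/quote mismatch -> deny; every measurement in the
    golden set -> production ACL; otherwise provisioning ACL (flow step C)."""
    replayed = replay_event_log(events)
    reasons = [f"PCR{i} event log does not match quote"
               for i in PCR_ROLES if replayed.get(i) != quoted_pcrs.get(i)]
    if reasons:
        return "deny", reasons
    reasons = [f"{role} measurement not in golden set"
               for i, role in PCR_ROLES.items()
               if quoted_pcrs.get(i) not in golden.get(role, set())]
    return ("provisioning" if reasons else "production"), reasons

# Constructed sample event log for one device (not real measurements).
SAMPLE_EVENTS = [(0, b"firmware-v1.2.3"), (4, b"bootloader-v2"), (8, b"os-image-2024.05")]

def golden_from_reference(events):
    # Golden set from a reference boot; in practice sourced from vendor/ITAM/SBOM data.
    ref = replay_event_log(events)
    return {role: {ref[i]} for i, role in PCR_ROLES.items()}

def demo():
    golden = golden_from_reference(SAMPLE_EVENTS)
    honest = replay_event_log(SAMPLE_EVENTS)
    out = {"honest": evaluate_device(honest, SAMPLE_EVENTS, golden)[0]}
    # Unknown OS image: log and quote agree, but the measurement is not golden.
    updated = SAMPLE_EVENTS[:2] + [(8, b"os-image-2024.06")]
    out["unknown_os"] = evaluate_device(replay_event_log(updated), updated, golden)[0]
    # Reference log presented, but the quote disagrees with it.
    forged = {**honest, 8: EMPTY_PCR}
    out["log_quote_mismatch"] = evaluate_device(forged, SAMPLE_EVENTS, golden)[0]
    return out
```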

evan2645 commented 11 months ago

> Would it be possible to join a community session or perhaps a 1-1 where we could discuss if/how/where to potentially best implement this functionality?

That would be great! I think it will help a lot. My recommendation is to join the SIG-SPIRE call .. the next one is scheduled for next Thursday the 20th, at 10:30am Pacific. Anything you can bring to share and set context (diagrams, slides, etc) would be super helpful, but it is an informal call so don't worry too much.

mmaymann commented 11 months ago

@evan2645 awesome :) Sounds really cool... I will be able to participate earliest 17.8 - I have added it to my calendar and will try to prepare a small presentation for that. Thanks :)

evan2645 commented 11 months ago

Awesome! That date works, I can help to make sure you have time on the agenda. If you can join the Slack and send me a DM, that would also be great: https://slack.spiffe.io

I'm going to go ahead and close these issues out for now, and we can re-open them once we talk, if it makes sense. Thanks again, looking forward to it!