Closed mmaymann closed 11 months ago
What is SpireServerFDO? I'm a little bit lost on all the info here and feel like there's some larger context that I'm missing.
I am familiar though with EAP et al. It's not technically agentless since usually you still need a supplicant running? 😅 Personally speaking, I'd only reach for EAP if I was trying to protect L2 network access, which is not a goal for SPIRE ... SPIRE is cloud native software and operates at the application layer.
I'm having a hard time coming up with solutions on how to use SPIRE to back an EAP handshake .. and also the value of doing so. I don't think SPIRE will change to speak EAP or 802.1x directly. Why are the existing SPIRE mechanisms insufficient?
Hi @evan2645, Thanks for your reply :)
Thanks in advance :)
Would it be possible to join a community session or perhaps a 1-1 where we could discuss if/how/where to potentially best implement this functionality?
That would be great! I think it will help a lot. My recommendation is to join the SIG-SPIRE call .. the next one is scheduled for next Thursday the 20th, at 10:30am Pacific. Anything you can bring to share and set context (diagrams, slides, etc) would be super helpful, but it is an informal call so don't worry too much.
@evan2645 awesome :) Sounds really cool... I will be able to participate earliest 17.8 - I have added it to my calendar and will try to prepare a small presentation for that. Thanks :)
Awesome! That date works, I can help to make sure you have time on the agenda. If you can join the Slack and send me a DM, that would also be great: https://slack.spiffe.io
I'm going to go ahead and close these issues out for now, and we can re-open them once we talk, if it makes sense. Thanks again, looking forward to it!
Roots of trust:
This RFE is regarding 3+4. Network+Device based root of trust (B below):
A. XIoT Onboarding: Manufacturer produces device + forwards ownership to company using SpireServerFDO + CaptivePortal B. XIoT attestation: agentless EAP(oL) device (-> AP) -> SONiCSpireAgentEAP(L2) -> SpireServer -> SONiCSpireAgent(P)NAC/ACL: -- 802.1x EAP(oL)-TLS X.509 certificate check -- TPM_Certify_Info(2) (PCR status): Firmware version, BootLoader, OS version, firewall enabled, antivirus enabled, ... --- Additional Keylime functionality? into upstream --- MUD (Manufacturer Usage Description) -> ITAM -> XIoT identification --- SBOM (SoftwareBillOfMaterial) -> ITAM -> continuous lightweight vulnerability scanning -> proactive remediation actions -- (P)NAC/ACL: SpireServer -> SONiC NAC C. Company provisions validated devices to their desired state D. Day2 operations (Realtime Spire Network+Device+User+Workload+Data attestation)
I have given my free OSS GoldenPath KubernetesNative version of a GitOps Zero-Conf|Trust|Touch XIoT management target architecture - directly from network devices.
Suggestions/enhancements would be highly appreciated :)
Thanks in advance :)