RFE: Network+Device trust: Spire Agent EAP(oL) Device Attestation #4281

Closed · mmaymann opened this issue Jun 22, 2023 · 6 comments
Labels: triage/in-progress (Issue triage is in progress)

mmaymann commented Jun 22, 2023

Roots of trust:

  1. Manufacturer: Spire (FDO)
  2. SupplyChain: Spire (FDO)
  3. Network: This RFE = Spire + SONiC (L2 security + agentless support)
  4. Device: This RFE = Spire + SONiC ((P)NAC/ACL)
  5. User: Spire + KeyCloak + Biometric MFA Securitykey
  6. Workload: Spire + KeyCloak
  7. Data: Spire + KeyCloak

This RFE is regarding 3+4. Network+Device based root of trust (B below):

A. XIoT Onboarding: Manufacturer produces device + forwards ownership to company using SpireServerFDO + CaptivePortal
B. XIoT attestation: agentless EAP(oL) device (-> AP) -> SONiCSpireAgentEAP(L2) -> SpireServer -> SONiCSpireAgent(P)NAC/ACL:
-- 802.1x EAP(oL)-TLS X.509 certificate check
-- TPM_Certify_Info(2) (PCR status): Firmware version, BootLoader, OS version, firewall enabled, antivirus enabled, ...
--- Additional Keylime functionality? into upstream
--- MUD (Manufacturer Usage Description) -> ITAM -> XIoT identification
--- SBOM (SoftwareBillOfMaterial) -> ITAM -> continuous lightweight vulnerability scanning -> proactive remediation actions
-- (P)NAC/ACL: SpireServer -> SONiC NAC
C. Company provisions validated devices to their desired state
D. Day2 operations (Realtime Spire Network+Device+User+Workload+Data attestation)

I have given my free OSS GoldenPath KubernetesNative version of a GitOps Zero-Conf|Trust|Touch XIoT management target architecture - directly from network devices.

Suggestions/enhancements would be highly appreciated :)

Thanks in advance :)
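The verifier side of step B above, as an added example that is not part of this issue or of SPIRE's code: a Go sketch in which the server authenticates a signed PCR quote against an enrolled attestation key, compares the quoted PCRs with a golden policy (firmware, boot loader, OS), and maps the result to the network outcome the (P)NAC/ACL layer would enforce (production ACL, provisioning ACL, or reject). Assumptions: the ECDSA key stands in for the TPM attestation key, the PCR digest encoding is a simplified stand-in for the TPM2 quote format, and the PCR values, PCR indices and policy are constructed.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
	"sort"
)

// Verifier outcomes, handed to the (P)NAC/ACL layer for enforcement.
const (
	Reject     = "reject"     // quote not signed by the enrolled attestation key
	Provision  = "provision"  // authentic quote, but measurements drift from the golden policy
	Production = "production" // authentic quote and every policy PCR matches
)

// Quote is a simplified PCR quote (constructed model, not the TPM2 wire format).
type Quote struct {
	PCRs      map[int][]byte
	Signature []byte // ASN.1 ECDSA signature by the attestation key over pcrDigest(PCRs)
}

// pcrDigest commits to the PCR selection by hashing index and value in ascending index order.
func pcrDigest(pcrs map[int][]byte) []byte {
	idx := make([]int, 0, len(pcrs))
	for i := range pcrs {
		idx = append(idx, i)
	}
	sort.Ints(idx)
	h := sha256.New()
	for _, i := range idx {
		h.Write([]byte{byte(i)})
		h.Write(pcrs[i])
	}
	return h.Sum(nil)
}

// Device stands in for the agentless IoT device: an attestation key (AK) and a PCR bank.
// In reality the AK never leaves the TPM; only its public half is enrolled with the verifier.
type Device struct {
	AK   *ecdsa.PrivateKey
	PCRs map[int][]byte
}

func NewDevice(pcrs map[int][]byte) (*Device, error) {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Device{AK: k, PCRs: pcrs}, nil
}

// Quote signs a snapshot of the current PCR bank with the AK.
func (d *Device) Quote() (Quote, error) {
	snap := make(map[int][]byte, len(d.PCRs))
	for i, v := range d.PCRs {
		snap[i] = append([]byte(nil), v...)
	}
	sig, err := ecdsa.SignASN1(rand.Reader, d.AK, pcrDigest(snap))
	if err != nil {
		return Quote{}, err
	}
	return Quote{PCRs: snap, Signature: sig}, nil
}

// Verify is the server-side check: authenticate the quote with the enrolled AK, then compare
// every policy PCR. Drift lands the device on the provisioning ACL; a bad signature is rejected.
func Verify(ak *ecdsa.PublicKey, q Quote, policy map[int][]byte) string {
	if !ecdsa.VerifyASN1(ak, pcrDigest(q.PCRs), q.Signature) {
		return Reject
	}
	for i, want := range policy {
		if got, ok := q.PCRs[i]; !ok || !bytes.Equal(got, want) {
			return Provision
		}
	}
	return Production
}

// Measure turns a label into a constructed PCR value (stand-in for a real measurement).
func Measure(label string) []byte {
	s := sha256.Sum256([]byte(label))
	return s[:]
}

// GoldenPolicy is the constructed expected state: firmware in PCR 0, boot loader in PCR 4, OS in PCR 8.
func GoldenPolicy() map[int][]byte {
	return map[int][]byte{0: Measure("firmware-1.2"), 4: Measure("bootloader-ok"), 8: Measure("os-5.4")}
}

func main() {
	dev, _ := NewDevice(GoldenPolicy())
	q, _ := dev.Quote()
	fmt.Println("healthy device:", Verify(&dev.AK.PublicKey, q, GoldenPolicy())) // production
	dev.PCRs[8] = Measure("os-5.3") // device booted an outdated OS image
	q, _ = dev.Quote()
	fmt.Println("drifted device:", Verify(&dev.AK.PublicKey, q, GoldenPolicy())) // provision
}
```

The split between "provision" and "reject" is the point of the flow in the issue: a device whose quote is authentic but whose measurements drift is steered to the provisioning ACL for remediation, while a quote that fails signature verification (wrong attestation key, or a quote body altered after signing) never reaches the production ACL at all.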

@mmaymann mmaymann changed the title RFE: Remote XIoT attestation RFE: Remote XIoT (EAP-TLS?) attestation Jun 22, 2023
@mmaymann mmaymann changed the title RFE: Remote XIoT (EAP-TLS?) attestation RFE: Remote XIoT (TPM 802.1x x.509 EAP-TLS signed PCR quotes?) attestation Jun 22, 2023
@evan2645 evan2645 added the triage/in-progress Issue triage is in progress label Jun 22, 2023
@mmaymann mmaymann changed the title RFE: Remote XIoT (TPM 802.1x x.509 EAP-TLS signed PCR quotes?) attestation RFE: Remote XIoT (TPM 802.1x x.509 EAP(oL)-TLS signed PCR quotes?) attestation Jun 23, 2023
@mmaymann mmaymann changed the title RFE: Remote XIoT (TPM 802.1x x.509 EAP(oL)-TLS signed PCR quotes?) attestation RFE: Attestation Verifier Jun 23, 2023
@mmaymann mmaymann changed the title RFE: Attestation Verifier RFE: Remote clientless attestation Jun 24, 2023
@mmaymann mmaymann changed the title RFE: Remote clientless attestation RFE: Spire Authenticator - remote clientless device attestation Jun 25, 2023
@mmaymann mmaymann changed the title RFE: Spire Authenticator - remote clientless device attestation RFE: Spire Agent EAP(oL) support Jun 25, 2023
@mmaymann mmaymann changed the title RFE: Spire Agent EAP(oL) support RFE: Spire Agent EAP(oL) Node/Device Attestation plugin Jun 25, 2023
@mmaymann mmaymann changed the title RFE: Spire Agent EAP(oL) Node/Device Attestation plugin RFE: HW based root of trust: Spire Agent EAP(oL) Node/Device Attestation Jun 27, 2023
@mmaymann mmaymann changed the title RFE: HW based root of trust: Spire Agent EAP(oL) Node/Device Attestation RFE: Network+Device trust: Spire Agent EAP(oL) Node/Device Attestation Jun 27, 2023
@mmaymann mmaymann changed the title RFE: Network+Device trust: Spire Agent EAP(oL) Node/Device Attestation RFE: Network+Device trust: Spire Agent EAP(oL) Device Attestation Jun 27, 2023
evan2645 (Member) commented Jul 6, 2023

What is SpireServerFDO? I'm a little bit lost on all the info here and feel like there's some larger context that I'm missing.

I am familiar though with EAP et al. It's not technically agentless since usually you still need a supplicant running? 😅 Personally speaking, I'd only reach for EAP if I was trying to protect L2 network access, which is not a goal for SPIRE ... SPIRE is cloud native software and operates at the application layer.

I'm having a hard time coming up with solutions on how to use SPIRE to back an EAP handshake .. and also the value of doing so. I don't think SPIRE will change to speak EAP or 802.1x directly. Why are the existing SPIRE mechanisms insufficient?

mmaymann (Author) commented Jul 6, 2023

Hi @evan2645,
Thanks for your reply :)

  1. SpireServerFDO is Fido Device Onboard Rendezvous functionality that could be integrated into Spire Server mentioned in RFE: SCM trust: SpireServer FDO Rendezvous + CaptivePortal #4289.
  2. Agentless = Spire agentless devices = devices that are not able to run Spire Agent (IoT devices etc.).
    Applying POLP in a ZeroTrust infrastructure, where devices that have not been - preferably hardware - attested are not allowed:
    Spire(Agentless)Device -> SONiC_EAP(oL)_TPM_Attest -> SpireAgentonSONiC -> SpireServer -> SpireAgentonSONiC -> SONiC(P)NAC/ProvisionACL -> Spire(Agentless)Device provisioning -> SONiC(P)NAC/ProductionACL
    I have given my free OSS GoldenPath KubernetesNative version of a GitOps Zero-Conf|Trust|Touch XIoT management target architecture.
  3. Would it be possible to join a community session or perhaps a 1-1 where we could discuss if/how/where to potentially best implement this functionality?

Thanks in advance :)

evan2645 (Member) commented

Would it be possible to join a community session or perhaps a 1-1 where we could discuss if/how/where to potentially best implement this functionality?

That would be great! I think it will help a lot. My recommendation is to join the SIG-SPIRE call .. the next one is scheduled for next Thursday the 20th, at 10:30am Pacific. Anything you can bring to share and set context (diagrams, slides, etc) would be super helpful, but it is an informal call so don't worry too much.

mmaymann (Author) commented

@evan2645 awesome :)
Sounds really cool... I will be able to participate earliest 17.8 - I have added it to my calendar and will try to prepare a small presentation for that.
Thanks :)

evan2645 (Member) commented

Awesome! That date works, I can help to make sure you have time on the agenda. If you can join the Slack and send me a DM, that would also be great: https://slack.spiffe.io

I'm going to go ahead and close these issues out for now, and we can re-open them once we talk, if it makes sense. Thanks again, looking forward to it!

alwaysastudent commented

@mmaymann @evan2645 what came out of the meeting?
