IETF Logo Mail Archive

Re: [alto] Roman Danyliw's Discuss on draft-ietf-alto-oam-yang-15: (with DISCUSS and COMMENT)

Jensen Zhang <jingxuan.n.zhang@gmail.com> Thu, 26 October 2023 11:31 UTC

Return-Path: <jingxuan.n.zhang@gmail.com>
X-Original-To: alto@ietfa.amsl.com
Delivered-To: alto@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id F4111C151534; Thu, 26 Oct 2023 04:31:28 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -7.105
X-Spam-Level:
X-Spam-Status: No, score=-7.105 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_HI=-5, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id iUficGeouIQy; Thu, 26 Oct 2023 04:31:25 -0700 (PDT)
Received: from mail-lf1-x12a.google.com (mail-lf1-x12a.google.com [IPv6:2a00:1450:4864:20::12a]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id F33DBC151522; Thu, 26 Oct 2023 04:31:24 -0700 (PDT)
Received: by mail-lf1-x12a.google.com with SMTP id 2adb3069b0e04-50802148be9so882599e87.2; Thu, 26 Oct 2023 04:31:24 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20230601; t=1698319883; x=1698924683; darn=ietf.org; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc:subject:date:message-id:reply-to; bh=o1aXUW4YO3HtQEWUoJXj2Ubdo4xdgq0f1OjIbLOa2YI=; b=VI2QGU8eJ/xzjj7MS6UyVbNFR4ho3vaWv+a4lLoAF9m1CFwS00M/3slIXZzRiyd4wP M4xG08Sm7LQA2gTS/jQDXl4ovo0X8OZi1ysgagkhii+yJGzVXKag8po50kxHDhWJLAWK JldQySCs/rqZ3m1sG73Tgq4s52L5h/hnagLfufXOmmTdIjDWPlBNYffvA2sNh5CQByd2 bXvBNDEqgN1spM/t3qgthuwjl15JQ/X9D35hbT3broNDLxZQm6V1Bx6MnrSOzeOVD2Y/ eWzEI7A4c2yYnQp8Ydz+q/bLO2D4XbF1qFY2d1yMpg3tAYmhbY0V8nYt+fhY6GE+QkO6 Werg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1698319883; x=1698924683; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=o1aXUW4YO3HtQEWUoJXj2Ubdo4xdgq0f1OjIbLOa2YI=; b=ByYhQH6gaInffk8ICV0OtopzGRoJwI1Yc+iuinXnTxOCaai7tATluES1jbC+DW16gk w3NJiMvHr/cpaYvEMQkptoNgIh6wIS9ZdlRJyvo8qxhd5N34wSFbk+gsBeJhRq+bg/OY wFR9oVLQZZ1LDvjaNEXv3gmZwNfwXPGnW6vPcqoqz4/VNpKr8uV7jtdSalGhIX37a9RO BQcGTRDhpNzbHrGj72fqiqD4HRrWmbnisIn/VXb/MyIbA255YU9BquZpnTYInqs+/Ui6 JkadxcO4Fy6BF7f/Q44JTAdwJW3AYxuoC7LLGjTZWsQB38K8VX6PDekkD1uSPdSGTJ5T Mqng==
X-Gm-Message-State: AOJu0YxQSQV5ztOviSyAuX7vXvTiZLszbOPq2CEf6HvsG12RpIXACWZO /6GUCRcDPx/EaIpulGkKhVWkGV9b/JuXqISrakVau9a+0Cz3nA==
X-Google-Smtp-Source: AGHT+IHlUnN6V3hxdwOrYMWz71vJEoZ0SfIKceKgxPcYqoKR57Qh4NmGe1imn9mY7EPPUWRs01fTx2yb8dhbJbuq54U=
X-Received: by 2002:ac2:4852:0:b0:507:a58f:79ad with SMTP id 18-20020ac24852000000b00507a58f79admr12130888lfy.61.1698319882847; Thu, 26 Oct 2023 04:31:22 -0700 (PDT)
MIME-Version: 1.0
References: <169816463683.31331.13343222574159977659@ietfa.amsl.com>
In-Reply-To: <169816463683.31331.13343222574159977659@ietfa.amsl.com>
From: Jensen Zhang <jingxuan.n.zhang@gmail.com>
Date: Thu, 26 Oct 2023 19:31:09 +0800
Message-ID: <CAAbpuyrkDMnrL4mdNzhFve6r9K=vBU6iigPp=zzvF3mSx9wLvQ@mail.gmail.com>
To: Roman Danyliw <rdd@cert.org>
Cc: The IESG <iesg@ietf.org>, draft-ietf-alto-oam-yang@ietf.org, alto-chairs@ietf.org, alto@ietf.org, mohamed.boucadair@orange.com
Content-Type: multipart/alternative; boundary="00000000000055108c06089ce9aa"
Archived-At: <https://mailarchive.ietf.org/arch/msg/alto/kR5mnjth5HKZZkKepK3Ttkaab3s>
Subject: Re: [alto] Roman Danyliw's Discuss on draft-ietf-alto-oam-yang-15: (with DISCUSS and COMMENT)
X-BeenThere: alto@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: "Application-Layer Traffic Optimization \(alto\) WG mailing list" <alto.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/alto>, <mailto:alto-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/alto/>
List-Post: <mailto:alto@ietf.org>
List-Help: <mailto:alto-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/alto>, <mailto:alto-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 26 Oct 2023 11:31:29 -0000

Hi Roman,

Many thanks for all the comments. Please see my responses inline below.

Thanks,
Jensen


On Wed, Oct 25, 2023 at 12:23 AM Roman Danyliw via Datatracker <
noreply@ietf.org> wrote:

> Roman Danyliw has entered the following ballot position for
> draft-ietf-alto-oam-yang-15: Discuss
>
> When responding, please keep the subject line intact and reply to all
> email addresses included in the To and CC lines. (Feel free to cut this
> introductory paragraph, however.)
>
>
> Please refer to
> https://www.ietf.org/about/groups/iesg/statements/handling-ballot-positions/
> for more information about how to handle DISCUSS and COMMENT positions.
>
>
> The document, along with other ballot positions, can be found here:
> https://datatracker.ietf.org/doc/draft-ietf-alto-oam-yang/
>
>
>
> ----------------------------------------------------------------------
> DISCUSS:
> ----------------------------------------------------------------------
>
> (There were a number of YANG references to chase down.  Please correct my
> read
> of the YANG model if I have misunderstood.)
>
> ** Implementing mutual TLS/client side certificates (per Section 8.3.5 of
> RFC7285) appears to need more guidance.   Client EE certificates and
> client CAs
> can be specified by the tls:tls-server-group in
> alto/server-listen-stack/https/tls-server-parameters.  However, it appears
> to
> me that there isn’t any way then to later reference them in the
> alto-server/auth-client section.  When doing username and password
> authentication via http-server-parameters/client-authentication, there is a
> common user-id field shared with auth-client/https-auth-client.
>

Good point. The intention of alto-server/auth-client is to identify the
configured HTTP clients. There can be multiple authentication approaches
beyond HTTP Basic and TLS, like OAuth. This document only focuses on the
basic structure. Thus, initially, only the HTTP Basic authentication is
defined. Appendix A.2 gives an example to augment the
alto-server/auth-client section.

But I agree that TLS is required by RFC7285. If you think it is necessary
for the initial data model, we can add the related data nodes to this
section.


>
> ** Section 5.4.3.  It appears that there is an http-auth-client for both
> http
> and https.  Is this suggesting that it is possible to have authenticated
> users
> over unencrypted HTTP.  How does that work securely?  Is this related to
> Section 8’s “The ietf-alto supports an HTTP listen mode to cover cases
> where
> the ALTO server stack does not handle the TLS termination itself, but is
> handled by a separate component.”  If so, what is the residual risk of this
> approach?
>

In this case, the security will rely on the external TLS handler.


>
> ** Section 8.  Per the guidance on writeable data, aren’t significant
> parts of
> alto-server/listen sensitive as one could alter the stored keys for the
> server
> or client; or the username/password combinations (in
> http-server-parameters)?
>

Yes, some groupings in alto-server/listen are also sensitive. But they are
defined in other RFCs, thus the security considerations in those RFCs also
apply to them.


>
> ** Section 8.  Per the guidance about readable data:
>
> -- isn’t tls-server-parameters sensitive since it could contain raw private
> keys (e.g., ks:inline-or-keystore-symmetric-key-grouping)?
>

Yes, see above.


> -- Would it be best practice to be able to read all of the authorized
> users?
>

In practice, the server only needs to identify the authorized users. The
server doesn't need to read all the sensitive configurations of those users.


>
>
> ----------------------------------------------------------------------
> COMMENT:
> ----------------------------------------------------------------------
>
> Thank you to Rich Salz for the SECDIR review.
>
> ** Section A.5.  Per the example:
>             "client-authentication": {
>               "users": {
>                 "user": [
>                   {
>                     "user-id": "alice",
>                     "basic": {
>                       "user-id": "alice",
>                       "password": "$0$p8ssw0rd"
>                     }
>
> Isn’t the password supposed to be hashed?
> draft-ietf-netconf-http-client-server says password is of type
> ianach:crypt-hash.
>

Yes, the password is supposed to be hashed. Just to make it readable in the
example, we use "$0$" type to show the clear text password. Refer to
iana-crypt-hash@2014-08-06.yang:

          A value of this type matches one of the forms:

            $0$<clear text password>
            $<id>$<salt>$<password hash>
            $<id>$<parameter>$<salt>$<password hash>

          The '$0$' prefix signals that the value is clear text.

 Of course, it is not recommended in practice.

v2.23.0 | Report a Bug | By Email