IETF Logo Mail Archive

Re: [alto] Comment on typedef 'public-key-ref' of draft-ietf-netconf-trust-anchors-21

Kent Watsen <kent+ietf@watsen.net> Wed, 13 December 2023 23:54 UTC

Return-Path: <0100018c659a41ae-e591b2ed-d7f8-4ef0-866b-147294158aee-000000@amazonses.watsen.net>
X-Original-To: alto@ietfa.amsl.com
Delivered-To: alto@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 8C4A3C14CF09; Wed, 13 Dec 2023 15:54:30 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.909
X-Spam-Level:
X-Spam-Status: No, score=-1.909 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_MSPIKE_H2=-0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=amazonses.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 7OQXd0VJJA1W; Wed, 13 Dec 2023 15:54:29 -0800 (PST)
Received: from a48-110.smtp-out.amazonses.com (a48-110.smtp-out.amazonses.com [54.240.48.110]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 8EFE1C14CEFD; Wed, 13 Dec 2023 15:54:18 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/simple; s=224i4yxa5dv7c2xz3womw6peuasteono; d=amazonses.com; t=1702511657; h=From:Message-Id:Content-Type:Mime-Version:Subject:Date:In-Reply-To:Cc:To:References:Feedback-ID; bh=jSZYg4GpqqEUBB8dIWUsCUcUc8An8bhgfQZS/erZ5aE=; b=cBrlwX3msTLL5oDXQ+M+/dkzcqXp73bG6oe7qps8zJ/WnjJvi51rc3RFQEW3tyyb LYXc6en3trRlFSGMKNO61XkjLsp10dtmpiRMnA8ymdt4lQXfZARB8J2CrNeZhq8yXGU 93lCok1MMlqoNPEkwidPkQ8m8iAEmLWCJnkc5Y/g=
From: Kent Watsen <kent+ietf@watsen.net>
Message-ID: <0100018c659a41ae-e591b2ed-d7f8-4ef0-866b-147294158aee-000000@email.amazonses.com>
Content-Type: multipart/alternative; boundary="Apple-Mail=_40A29A2E-3F9B-4C10-B5A7-C07ECAA641FF"
Mime-Version: 1.0 (Mac OS X Mail 16.0 \(3731.600.7\))
Date: Wed, 13 Dec 2023 23:54:17 +0000
In-Reply-To: <CAAbpuyqiscNH+m4M3=5z_3KcinjdhYeSS=xf0PcH0w-wtWxYkw@mail.gmail.com>
Cc: draft-ietf-netconf-trust-anchors@ietf.org, "netconf@ietf.org" <netconf@ietf.org>, IETF ALTO <alto@ietf.org>
To: Jensen Zhang <jingxuan.n.zhang@gmail.com>
References: <CAAbpuypYpm863NC3ka6LvEJMBEarpSguQKdHNs7EiooSWNsXcA@mail.gmail.com> <0100018c5f5160d6-5b04359a-1517-4563-a9ab-42ee29b41a2e-000000@email.amazonses.com> <CAAbpuyqiscNH+m4M3=5z_3KcinjdhYeSS=xf0PcH0w-wtWxYkw@mail.gmail.com>
X-Mailer: Apple Mail (2.3731.600.7)
Feedback-ID: 1.us-east-1.DKmIRZFhhsBhtmFMNikgwZUWVrODEw9qVcPhqJEI2DA=:AmazonSES
X-SES-Outgoing: 2023.12.13-54.240.48.110
Archived-At: <https://mailarchive.ietf.org/arch/msg/alto/zd93_soMkzGjZTvR15zQvdpJqZE>
Subject: Re: [alto] Comment on typedef 'public-key-ref' of draft-ietf-netconf-trust-anchors-21
X-BeenThere: alto@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: "Application-Layer Traffic Optimization \(alto\) WG mailing list" <alto.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/alto>, <mailto:alto-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/alto/>
List-Post: <mailto:alto@ietf.org>
List-Help: <mailto:alto-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/alto>, <mailto:alto-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 13 Dec 2023 23:54:30 -0000

Hi Jensen,

> On Dec 12, 2023, at 9:32 PM, Jensen Zhang <jingxuan.n.zhang@gmail.com> wrote:
> 
> Hi Kent,
> 
> Thanks for your quick response.
> 
> Maybe I did not make it clear. I am just pointing out a very simple specific issue in the current 'ietf-truststore' module, which is that the typedef 'public-key-ref' cannot be used by another module.
> 
> The reason is very simple: Based on the description, if module A wants to use this typedef to reference a public key in the central trust store, it is supposed to provide another sibling leaf node called 'public-key-bag' that has the typedef 'public-key-bag-ref', so that the public-key-ref can use the relative path '[ts:name = current()/../ts:public-key-bag]' to locate in which public-key-bag the referenced public key should be. However, in this relative path, 'public-key-bag' is prefixed by 'ts', it cannot reference the sibling leaf node 'public-key-bag' defined in module A correctly.
> 
> The fix should also be very simple: Just remove the prefix of the 'public-key-bag', i.e.,
> 
> OLD:
>>          + "[ts:name = current()/../ts:public-key-bag]/"
> 
> NEW:
>>          + "[ts:name = current()/../public-key-bag]/"
> 
> You mentioned that the 'ietf-restconf-server' module also uses the 'ietf-truststore' module. But does it use the typedef 'public-key-ref' anywhere? I don't find any other module that uses the current typedef 'public-key-ref'. Do you have such a successful example?

Oh, now I get it.  Okay, change made in my local copy.   I also made the same fix for `typedef certificate-ref`.


> About your other feedback, please see my responses inline :)
> 
> Thanks,
> Jensen
> 
> On Wed, Dec 13, 2023 at 2:36 AM Kent Watsen <kent+ietf@watsen.net <mailto:kent%2Bietf@watsen.net>> wrote:
>> Hi Jensen,
>> 
>>> On Dec 12, 2023, at 7:47 AM, Jensen Zhang <jingxuan.n.zhang@gmail.com <mailto:jingxuan.n.zhang@gmail.com>> wrote:
>>> 
>>> Hi authors,
>>> 
>>> I am one of the authors of the draft-ietf-alto-oam-yang draft. Our draft is trying to reuse some groupings and typedefs in this document to support some TLS authentication features. But we find the current typedef 'public-key-ref' cannot be used by another module.
>>> 
>>> To be more concrete, in the current document, the path of the typedef 'public-key-ref' enforces a prefix of the relative path to the sibling 'public-key-bag' leaf:
>>> 
>>>    typedef public-key-ref {
>>>      type leafref {
>>>        path "/ts:truststore/ts:public-key-bags/ts:public-key-bag"
>>>          + "[ts:name = current()/../ts:public-key-bag]/"
>>>          + "ts:public-key/ts:name";
>>>      }
>>>      ...
>>>    }
>>> 
>>> From my understanding, this typedef is for other modules to reference a public key in the trust store. The sibling 'public-key-bag' leaf should be in the same module of the leaf using this typedef, instead of the module 'ts'.
>>> 
>>> To make this typedef usable, I believe it should look like the following:
>>> 
>>>    typedef public-key-ref {
>>>      type leafref {
>>>        path "/ts:truststore/ts:public-key-bags/ts:public-key-bag"
>>>          + "[ts:name = current()/../public-key-bag]/"
>>>          + "ts:public-key/ts:name";
>>>      }
>>>      ...
>>>    }
>>> 
>>> Otherwise, we have to define another typedef in our own module like this: https://github.com/ietf-wg-alto/draft-ietf-alto-oam-yang/blob/284d2e630cec00f752ea94f586469797786c6f57/yang/ietf-alto.yang#L612-L628
>> 
>> This is my first time looking at Alto.  It may take me a little to fully grok what’s going on.  Please let me know if you think a call would be helpful.
>> 
>> Looking at the linked YANG module, I see that it looks very much like the "ietf-restconf-server" module’s grouping "restconf-server-listen-stack-grouping”, which is fine.
>> 
>> I take it that Alto is okay referencing the central truststore (not defining its own instances of "truststore-grouping") as well as supporting inlined definitions.  I do not see the Alto module augmenting the centralized truststore and, in general, it seems to behave just like the ietf-restconf-server module, though I’m sure I’m missing something  ;)
>> 
>> What I don’t understand is why what seems to work in ietf-restconf-server doesn’t work in ietf-alto.  Can you help me understand?  
>> 
>> Separately, did ALTO WG ever consider renaming to “ietf-alto-server”?  Would there be value to extending that convention for consistency?
> 
> The module 'ietf-alto' provides both server and client configurations. I guess you are suggesting to separate them into two modules. It may not be necessary unless somebody has a strong opinion on this. But still thanks for your comment.
>  
>> 
>> One last thought, I notice that ietf-alto defines a number of typedefs that seem generic enough to move to ietf-truststore.  Is this thought yours as well?
> 
> Good point. The reason why ietf-alto defines those typedefs and groupings is that we don't find the reusable typedefs and groupings in another module. It definitely will be great if ietf-truststore can provide some of them.
> 
> Specifically, I believe the typedef 'public-key-ref' and grouping 'truststore-public-key-ref' can be moved to ietf-truststore.


"typedef public-key-ref” (and "typedef certificate-ref”) already exists.  Nothing to do here (other than the fix mentioned above).

"grouping truststore-public-key-ref” and "grouping truststore-certificate-ref” have been added to ietf-truststore.



> But for the typedefs and groupings related to the inline certificates, I have no idea how to make them generic properly. Because the inline certificates defined by the 'inline-or-truststore-certs-grouping' grouping will have different absolute paths when it is used in different modules.

Nowhere in any of the client-server drafts do we enable configuration to reference an inlined thing.  That would defeat the purpose of inlining things.  If you find the need for referencing inlined things, it suggests the need to NOT inline some things.


>> 
>>> Thanks,
>>> Jensen
>> 
>> 
>> Kent   // author
>>

v2.23.0 | Report a Bug | By Email