Re: [Anima] MichaelR/Rob/*: RFC8995 errata concerns
Michael Richardson <mcr+ietf@sandelman.ca> Thu, 05 August 2021 21:57 UTC
From: Michael Richardson <mcr+ietf@sandelman.ca>
To: Toerless Eckert <tte@cs.fau.de>
cc: Robert Wilton <rwilton@cisco.com>, "anima@ietf.org" <anima@ietf.org>
In-Reply-To: <20210805211714.GC57091@faui48e.informatik.uni-erlangen.de>
References: <20210805211714.GC57091@faui48e.informatik.uni-erlangen.de>
Date: Thu, 05 Aug 2021 17:57:25 -0400
Message-ID: <9465.1628200645@localhost>
Archived-At: <https://mailarchive.ietf.org/arch/msg/anima/Z0Jt-fQsX0T5XvBtgg-jIXAPVpY>
Subject: Re: [Anima] MichaelR/Rob/*: RFC8995 errata concerns
Toerless Eckert <tte@cs.fau.de> wrote:
> Wrt to the erratas:
> https://www.rfc-editor.org/errata_search.php?rfc=8995&rec_status=0
> I do agree that support for rfc6066 SNI would be great to have.
It's not really about it being "great" :-)
It's REQUIRED by TLS1.3, and in order for multi-tenant to work, it is a MUST.
When I say "multi-tenant", I mean any cloud provider that has, for instance,
"hardware" TLS offload.
> I do not know if/what difference to implementations it would make
> if an errata is "validated" or if it is just assessed as
> "hold for document update", e.g.: if we do need/want/have-to-fight to
> get "validated" status from Rob (hi Rob!).
It's not a significant amount of work.
> So, IMHO the real requirement we have are:
> 1. Pledge, Registrar and MASA MUST support RFC5246 (TLS 1.2)
> 2. Pledge, Registrar and MASA SHOULD support RFC8446 (TLS 1.3).
> 3. Registrars MUST signal SNI according to RFC6066 when connecting to an RFC5246 MASA.
The other bit is that Registrars MUST IGNORE SNI when accepting Pledge
connections. Pledges ought to not send it, since they don't really know
what to put.
(Is that a SHOULD NOT, or a MUST NOT, or what, I am not sure. The requirement
is on the receiver to ignore it)
That's a second errata.
--
] Never tell me the odds! | ipv6 mesh networks [
] Michael Richardson, Sandelman Software Works | IoT architect [
] mcr@sandelman.ca http://www.sandelman.ca/ | ruby on rails [
--
Michael Richardson <mcr+IETF@sandelman.ca> . o O ( IPv6 IøT consulting )
Sandelman Software Works Inc, Ottawa and Worldwide
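As an added example that is not part of this message, of RFC 8995, or of any BRSKI implementation, the following Python encodes and parses the RFC 6066 server_name (SNI) extension at the byte level and applies the two Registrar rules discussed in this thread: a Registrar acting as TLS client puts the MASA's host name in SNI, and a Registrar accepting a Pledge parses whatever SNI it receives (if any) only for logging and never uses it to choose which identity to present. The host names and the `registrar_identity` label are constructed placeholders; the encoding itself follows RFC 6066 section 3 and the no-duplicate-extension rule of RFC 8446.

```python
# Added example, not from the thread or from any BRSKI code base:
# RFC 6066 server_name extension, encoded/decoded by hand, plus the
# Registrar-side handling discussed above.
import ipaddress
import struct
from typing import Dict, List, Optional, Tuple

EXT_SERVER_NAME = 0x0000      # ExtensionType server_name (RFC 6066)
NAME_TYPE_HOST_NAME = 0x00    # NameType host_name


def encode_sni(hostname: str) -> bytes:
    """Return a complete server_name extension (type, length, ServerNameList)
    carrying one host_name entry, as a Registrar client sends to a MASA."""
    if not hostname or hostname.endswith("."):
        raise ValueError("host_name must be non-empty and carry no trailing dot")
    try:
        ipaddress.ip_address(hostname)
    except ValueError:
        pass                                   # not an IP literal: fine
    else:
        raise ValueError("RFC 6066 forbids literal IP addresses in host_name")
    name = hostname.encode("ascii")            # A-labels only, never raw UTF-8
    entry = struct.pack("!BH", NAME_TYPE_HOST_NAME, len(name)) + name
    name_list = struct.pack("!H", len(entry)) + entry
    return struct.pack("!HH", EXT_SERVER_NAME, len(name_list)) + name_list


def parse_extensions(vector: bytes) -> Dict[int, bytes]:
    """Split a TLS extensions vector (leading 2-byte total length included)
    into {extension_type: extension_data}; duplicates are rejected."""
    (total,) = struct.unpack_from("!H", vector, 0)
    if total != len(vector) - 2:
        raise ValueError("extensions length does not match vector")
    out: Dict[int, bytes] = {}
    pos = 2
    while pos < len(vector):
        ext_type, ext_len = struct.unpack_from("!HH", vector, pos)
        pos += 4
        if ext_type in out:
            raise ValueError(f"duplicate extension {ext_type:#06x}")
        out[ext_type] = vector[pos:pos + ext_len]
        pos += ext_len
    if pos != len(vector):
        raise ValueError("truncated extension")
    return out


def parse_sni(ext_data: bytes) -> List[str]:
    """Decode a ServerNameList and return its host_name entries."""
    (list_len,) = struct.unpack_from("!H", ext_data, 0)
    if list_len != len(ext_data) - 2:
        raise ValueError("ServerNameList length mismatch")
    names: List[str] = []
    pos = 2
    while pos < len(ext_data):
        name_type, name_len = struct.unpack_from("!BH", ext_data, pos)
        pos += 3
        value = ext_data[pos:pos + name_len]
        pos += name_len
        if name_type == NAME_TYPE_HOST_NAME:   # the only NameType defined
            names.append(value.decode("ascii"))
    if pos != len(ext_data):
        raise ValueError("truncated ServerName entry")
    return names


def registrar_to_masa_extensions(masa_host: str) -> bytes:
    """Extensions vector a Registrar client places in its ClientHello to a
    MASA: server_name only, which is what lets a multi-tenant MASA front end
    (e.g. a TLS-offload tier) route the connection to the right MASA."""
    ext = encode_sni(masa_host)
    return struct.pack("!H", len(ext)) + ext


def registrar_accept_pledge(extensions_vector: bytes,
                            registrar_identity: str) -> Tuple[str, Optional[str]]:
    """Registrar server side: whatever server_name a Pledge did or did not
    send is parsed for logging only; the identity presented is always the
    Registrar's own. registrar_identity is a placeholder label."""
    exts = parse_extensions(extensions_vector)
    seen: Optional[str] = None
    if EXT_SERVER_NAME in exts:
        names = parse_sni(exts[EXT_SERVER_NAME])
        seen = names[0] if names else None
    return registrar_identity, seen


if __name__ == "__main__":
    vec = registrar_to_masa_extensions("masa.example.com")   # constructed host
    print(vec.hex())
    print(registrar_accept_pledge(vec, "registrar-identity"))
    print(registrar_accept_pledge(b"\x00\x00", "registrar-identity"))
```

The client-side rule is what makes a hosted MASA reachable at all: without the name, a front end terminating TLS for many tenants cannot select the MASA's certificate. The server-side rule is the mirror image: a Pledge has no reliable name for its Registrar, so `registrar_accept_pledge` returns the same identity whether the SNI is absent, empty, or names something else.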