IETF Logo Mail Archive

Re: [babel] info-model: DTLS config parameters

"STARK, BARBARA H" <bs7652@att.com> Fri, 12 July 2019 14:31 UTC

Return-Path: <bs7652@att.com>
X-Original-To: babel@ietfa.amsl.com
Delivered-To: babel@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 74F3112029A for <babel@ietfa.amsl.com>; Fri, 12 Jul 2019 07:31:08 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.498
X-Spam-Level:
X-Spam-Status: No, score=-2.498 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, HTTPS_HTTP_MISMATCH=0.1, RCVD_IN_DNSWL_LOW=-0.7, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id n2hT65b5lgsd for <babel@ietfa.amsl.com>; Fri, 12 Jul 2019 07:31:06 -0700 (PDT)
Received: from mx0a-00191d01.pphosted.com (mx0b-00191d01.pphosted.com [67.231.157.136]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id D52CF120299 for <babel@ietf.org>; Fri, 12 Jul 2019 07:31:05 -0700 (PDT)
Received: from pps.filterd (m0049459.ppops.net [127.0.0.1]) by m0049459.ppops.net-00191d01. (8.16.0.27/8.16.0.27) with SMTP id x6CEReVF024591; Fri, 12 Jul 2019 10:31:03 -0400
Received: from alpi154.enaf.aldc.att.com (sbcsmtp6.sbc.com [144.160.229.23]) by m0049459.ppops.net-00191d01. with ESMTP id 2tpuqgrp6s-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT); Fri, 12 Jul 2019 10:31:03 -0400
Received: from enaf.aldc.att.com (localhost [127.0.0.1]) by alpi154.enaf.aldc.att.com (8.14.5/8.14.5) with ESMTP id x6CEV2Fm017526; Fri, 12 Jul 2019 10:31:03 -0400
Received: from zlp30488.vci.att.com (zlp30488.vci.att.com [135.47.91.93]) by alpi154.enaf.aldc.att.com (8.14.5/8.14.5) with ESMTP id x6CEUwtC017389 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=NO); Fri, 12 Jul 2019 10:30:58 -0400
Received: from zlp30488.vci.att.com (zlp30488.vci.att.com [127.0.0.1]) by zlp30488.vci.att.com (Service) with ESMTP id 194184009E87; Fri, 12 Jul 2019 14:30:58 +0000 (GMT)
Received: from GAALPA1MSGHUBAG.ITServices.sbc.com (unknown [130.8.218.156]) by zlp30488.vci.att.com (Service) with ESMTPS id 03EF04009E70; Fri, 12 Jul 2019 14:30:58 +0000 (GMT)
Received: from GAALPA1MSGUSRBF.ITServices.sbc.com ([169.254.5.84]) by GAALPA1MSGHUBAG.ITServices.sbc.com ([130.8.218.156]) with mapi id 14.03.0439.000; Fri, 12 Jul 2019 10:30:57 -0400
From: "STARK, BARBARA H" <bs7652@att.com>
To: 'David Schinazi' <dschinazi.ietf@gmail.com>
CC: 'Babel at IETF' <babel@ietf.org>
Thread-Topic: [babel] info-model: DTLS config parameters
Thread-Index: AdU3Tvn3oHfePCKLQ4CJX1+/HOP9ugA7/2aAAB9z6KA=
Date: Fri, 12 Jul 2019 14:30:57 +0000
Message-ID: <2D09D61DDFA73D4C884805CC7865E6114E2203C6@GAALPA1MSGUSRBF.ITServices.sbc.com>
References: <2D09D61DDFA73D4C884805CC7865E6114E20F015@GAALPA1MSGUSRBF.ITServices.sbc.com> <CAPDSy+7hWPh7gpYgixmA99sOgbqy-jONYTNwthN97zQGH1f5Mg@mail.gmail.com>
In-Reply-To: <CAPDSy+7hWPh7gpYgixmA99sOgbqy-jONYTNwthN97zQGH1f5Mg@mail.gmail.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [135.174.19.147]
Content-Type: multipart/alternative; boundary="_000_2D09D61DDFA73D4C884805CC7865E6114E2203C6GAALPA1MSGUSRBF_"
MIME-Version: 1.0
X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10434:, , definitions=2019-07-12_04:, , signatures=0
X-Proofpoint-Spam-Details: rule=outbound_policy_notspam policy=outbound_policy score=0 priorityscore=1501 malwarescore=0 suspectscore=0 phishscore=0 bulkscore=0 spamscore=0 clxscore=1015 lowpriorityscore=0 mlxscore=0 impostorscore=0 mlxlogscore=999 adultscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.0.1-1810050000 definitions=main-1907120157
Archived-At: <https://mailarchive.ietf.org/arch/msg/babel/gWh-_NBI4JvEB93sTmP5lkTgmSE>
Subject: Re: [babel] info-model: DTLS config parameters
X-BeenThere: babel@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "A list for discussion of the Babel Routing Protocol." <babel.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/babel>, <mailto:babel-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/babel/>
List-Post: <mailto:babel@ietf.org>
List-Help: <mailto:babel-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/babel>, <mailto:babel-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 12 Jul 2019 14:31:08 -0000

Thx David (and Juliusz and Antonin – but I’m replying to David’s email since he included the context in his response).

OK, I’ll move dtls-enable to the interface object.

I think dtls-cert-types still belongs at the global layer, since this is a non-configurable statement of capability (which certificate types are supported – presumably by the implementation) and I don’t envision that differing per interface. Note that the interface-level dtls-cert-prefer parameter is what identifies which of these certificate types gets included in a server_certificate_type extension in a Client Hello. As stated in that parameter’s description, the included values are constrained by the requirement that at least one of the certificates associated with the interface must have the certificate type. The global parameter is intended to prevent certificates from being used that the implementation doesn’t know how to parse/use/read.

While I only asked about DTLS parameters, I’m thinking the html-enable should also be moved to the interface object, for the same reason as DTLS (and to provide a certain degree of symmetry). Would anyone object to that?

Barbara

I would personally recommend having all of these be per-interface, so you can use DTLS on a Wi-Fi interface and unencrypted Babel on a virtual IPsec tunnel interface. But I don't feel overly strongly.

David

On Wed, Jul 10, 2019 at 11:48 AM STARK, BARBARA H <bs7652@att.com<mailto:bs7652@att.com>> wrote:
I was reviewing the minutes from Prague, and saw they indicated we didn't have resolution on whether certain DTLS configuration parameters should be global or at the interface level.
----------------------
The current revision has the following global parameters:

   babel-dtls-enable:  Indicates whether the DTLS security mechanism is
      enabled (true) or disabled (false).  An implementation MAY choose
      to expose this parameter as read-only ("ro")..

   babel-dtls-cert-types:  List of supported DTLS certificate types.
      Possible values include "X.509" and "RawPublicKey".
-----------------------
And the following are at the interface level:

   babel-dtls-cached-info:  Indicates whether the cached_info extension
      is included in ClientHello and ServerHello packets.  The extension
      is included if the value is "true".  An implementation MAY choose
      to expose this parameter as read-only ("ro")..

   babel-dtls-cert-prefer:  List of supported certificate types, in
      order of preference.  The values MUST be among those listed in the
      babel-dtls-cert-types parameter.  This list is used to populate
      the server_certificate_type extension in a Client Hello.  Values
      that are present in at least one instance in the babel-dtls-certs
      object of a referenced babel-dtls instance and that have a non-
      empty babel-cert-private-key will be used to populate the
      client_certificate_type extension in a Client Hello.


Please let me know if you disagree with this set of global/interface DTLS config parameters.
Barbara

_______________________________________________
babel mailing list
babel@ietf.org<mailto:babel@ietf.org>
https://www.ietf.org/mailman/listinfo/babel<https://urldefense.proofpoint.com/v2/url?u=https-3A__www.ietf.org_mailman_listinfo_babel&d=DwMFaQ&c=LFYZ-o9_HUMeMTSQicvjIg&r=LoGzhC-8sc8SY8Tq4vrfog&m=EHDJHfK0Bm3z9u5TKwhyjjL1p0fdxmXQqf61QbIFn80&s=_GZFMXNfG79TWWM-kCf4uqCubdDzz_qqpttxH9QJ2f4&e=>

v2.23.0 | Report a Bug | By Email