Re: [babel] info-model: DTLS config parameters
"STARK, BARBARA H" <bs7652@att.com> Fri, 12 July 2019 14:31 UTC
Return-Path: <bs7652@att.com>
X-Original-To: babel@ietfa.amsl.com
Delivered-To: babel@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 74F3112029A for <babel@ietfa.amsl.com>; Fri, 12 Jul 2019 07:31:08 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.498
X-Spam-Level:
X-Spam-Status: No, score=-2.498 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, HTTPS_HTTP_MISMATCH=0.1, RCVD_IN_DNSWL_LOW=-0.7, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id n2hT65b5lgsd for <babel@ietfa.amsl.com>; Fri, 12 Jul 2019 07:31:06 -0700 (PDT)
Received: from mx0a-00191d01.pphosted.com (mx0b-00191d01.pphosted.com [67.231.157.136]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id D52CF120299 for <babel@ietf.org>; Fri, 12 Jul 2019 07:31:05 -0700 (PDT)
Received: from pps.filterd (m0049459.ppops.net [127.0.0.1]) by m0049459.ppops.net-00191d01. (8.16.0.27/8.16.0.27) with SMTP id x6CEReVF024591; Fri, 12 Jul 2019 10:31:03 -0400
Received: from alpi154.enaf.aldc.att.com (sbcsmtp6.sbc.com [144.160.229.23]) by m0049459.ppops.net-00191d01. with ESMTP id 2tpuqgrp6s-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT); Fri, 12 Jul 2019 10:31:03 -0400
Received: from enaf.aldc.att.com (localhost [127.0.0.1]) by alpi154.enaf.aldc.att.com (8.14.5/8.14.5) with ESMTP id x6CEV2Fm017526; Fri, 12 Jul 2019 10:31:03 -0400
Received: from zlp30488.vci.att.com (zlp30488.vci.att.com [135.47.91.93]) by alpi154.enaf.aldc.att.com (8.14.5/8.14.5) with ESMTP id x6CEUwtC017389 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=NO); Fri, 12 Jul 2019 10:30:58 -0400
Received: from zlp30488.vci.att.com (zlp30488.vci.att.com [127.0.0.1]) by zlp30488.vci.att.com (Service) with ESMTP id 194184009E87; Fri, 12 Jul 2019 14:30:58 +0000 (GMT)
Received: from GAALPA1MSGHUBAG.ITServices.sbc.com (unknown [130.8.218.156]) by zlp30488.vci.att.com (Service) with ESMTPS id 03EF04009E70; Fri, 12 Jul 2019 14:30:58 +0000 (GMT)
Received: from GAALPA1MSGUSRBF.ITServices.sbc.com ([169.254.5.84]) by GAALPA1MSGHUBAG.ITServices.sbc.com ([130.8.218.156]) with mapi id 14.03.0439.000; Fri, 12 Jul 2019 10:30:57 -0400
From: "STARK, BARBARA H" <bs7652@att.com>
To: 'David Schinazi' <dschinazi.ietf@gmail.com>
CC: 'Babel at IETF' <babel@ietf.org>
Thread-Topic: [babel] info-model: DTLS config parameters
Thread-Index: AdU3Tvn3oHfePCKLQ4CJX1+/HOP9ugA7/2aAAB9z6KA=
Date: Fri, 12 Jul 2019 14:30:57 +0000
Message-ID: <2D09D61DDFA73D4C884805CC7865E6114E2203C6@GAALPA1MSGUSRBF.ITServices.sbc.com>
References: <2D09D61DDFA73D4C884805CC7865E6114E20F015@GAALPA1MSGUSRBF.ITServices.sbc.com> <CAPDSy+7hWPh7gpYgixmA99sOgbqy-jONYTNwthN97zQGH1f5Mg@mail.gmail.com>
In-Reply-To: <CAPDSy+7hWPh7gpYgixmA99sOgbqy-jONYTNwthN97zQGH1f5Mg@mail.gmail.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [135.174.19.147]
Content-Type: multipart/alternative; boundary="_000_2D09D61DDFA73D4C884805CC7865E6114E2203C6GAALPA1MSGUSRBF_"
MIME-Version: 1.0
X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10434:, , definitions=2019-07-12_04:, , signatures=0
X-Proofpoint-Spam-Details: rule=outbound_policy_notspam policy=outbound_policy score=0 priorityscore=1501 malwarescore=0 suspectscore=0 phishscore=0 bulkscore=0 spamscore=0 clxscore=1015 lowpriorityscore=0 mlxscore=0 impostorscore=0 mlxlogscore=999 adultscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.0.1-1810050000 definitions=main-1907120157
Archived-At: <https://mailarchive.ietf.org/arch/msg/babel/gWh-_NBI4JvEB93sTmP5lkTgmSE>
Subject: Re: [babel] info-model: DTLS config parameters
X-BeenThere: babel@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: "A list for discussion of the Babel Routing Protocol." <babel.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/babel>, <mailto:babel-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/babel/>
List-Post: <mailto:babel@ietf.org>
List-Help: <mailto:babel-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/babel>, <mailto:babel-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 12 Jul 2019 14:31:08 -0000
Thx David (and Juliusz and Antonin – but I’m replying to David’s email since he included the context in his response). OK, I’ll move dtls-enable to the interface object. I think dtls-cert-types still belongs at the global layer, since this is a non-configurable statement of capability (which certificate types are supported – presumably by the implementation) and I don’t envision that differing per interface. Note that the interface-level dtls-cert-prefer parameter is what identifies which of these certificate types gets included in a server_certificate_type extension in a Client Hello. As stated in that parameter’s description, the included values are constrained by the requirement that at least one of the certificates associated with the interface must have the certificate type. The global parameter is intended to prevent certificates from being used that the implementation doesn’t know how to parse/use/read. While I only asked about DTLS parameters, I’m thinking the html-enable should also be moved to the interface object, for the same reason as DTLS (and to provide a certain degree of symmetry). Would anyone object to that? Barbara I would personally recommend having all of these be per-interface, so you can use DTLS on a Wi-Fi interface and unencrypted Babel on a virtual IPsec tunnel interface. But I don't feel overly strongly. David On Wed, Jul 10, 2019 at 11:48 AM STARK, BARBARA H <bs7652@att.com<mailto:bs7652@att.com>> wrote: I was reviewing the minutes from Prague, and saw they indicated we didn't have resolution on whether certain DTLS configuration parameters should be global or at the interface level. ---------------------- The current revision has the following global parameters: babel-dtls-enable: Indicates whether the DTLS security mechanism is enabled (true) or disabled (false). An implementation MAY choose to expose this parameter as read-only ("ro").. babel-dtls-cert-types: List of supported DTLS certificate types. Possible values include "X.509" and "RawPublicKey". ----------------------- And the following are at the interface level: babel-dtls-cached-info: Indicates whether the cached_info extension is included in ClientHello and ServerHello packets. The extension is included if the value is "true". An implementation MAY choose to expose this parameter as read-only ("ro").. babel-dtls-cert-prefer: List of supported certificate types, in order of preference. The values MUST be among those listed in the babel-dtls-cert-types parameter. This list is used to populate the server_certificate_type extension in a Client Hello. Values that are present in at least one instance in the babel-dtls-certs object of a referenced babel-dtls instance and that have a non- empty babel-cert-private-key will be used to populate the client_certificate_type extension in a Client Hello. Please let me know if you disagree with this set of global/interface DTLS config parameters. Barbara _______________________________________________ babel mailing list babel@ietf.org<mailto:babel@ietf.org> https://www.ietf.org/mailman/listinfo/babel<https://urldefense.proofpoint.com/v2/url?u=https-3A__www.ietf.org_mailman_listinfo_babel&d=DwMFaQ&c=LFYZ-o9_HUMeMTSQicvjIg&r=LoGzhC-8sc8SY8Tq4vrfog&m=EHDJHfK0Bm3z9u5TKwhyjjL1p0fdxmXQqf61QbIFn80&s=_GZFMXNfG79TWWM-kCf4uqCubdDzz_qqpttxH9QJ2f4&e=>
- [babel] info-model: DTLS config parameters STARK, BARBARA H
- Re: [babel] info-model: DTLS config parameters David Schinazi
- Re: [babel] info-model: DTLS config parameters Juliusz Chroboczek
- Re: [babel] info-model: DTLS config parameters Antonin Décimo
- Re: [babel] info-model: DTLS config parameters STARK, BARBARA H
- Re: [babel] info-model: DTLS config parameters Antonin Décimo
- Re: [babel] info-model: DTLS config parameters David Schinazi