Re: [Isms] Question regarding RFC 6353
tom petch <ietfc@btconnect.com> Fri, 17 July 2020 16:50 UTC
From: tom petch <ietfc@btconnect.com>
To: Kenneth Vaughn <kvaughn@trevilon.com>, Juergen Schoenwaelder <j.schoenwaelder@jacobs-university.de>
CC: "isms@ietf.org" <isms@ietf.org>
Date: Fri, 17 Jul 2020 16:50:01 +0000
Message-ID: <AM6PR07MB52222429E1B317A012AF5033A07C0@AM6PR07MB5222.eurprd07.prod.outlook.com>
References: <840CBD97-1D31-48EB-A210-65CC0B43FFDC@trevilon.com>, <20200717161145.zytufnzyhizpyc5p@anna.jacobs.jacobs-university.de>
In-Reply-To: <20200717161145.zytufnzyhizpyc5p@anna.jacobs.jacobs-university.de>
Archived-At: <https://mailarchive.ietf.org/arch/msg/isms/SzihBaZWbvGpwnZfx_jOhL07rKw>
List-Id: Mailing list for the ISMS working group <isms.ietf.org>
List-Archive: <https://mailarchive.ietf.org/arch/browse/isms/>
From: Isms <isms-bounces@ietf.org> on behalf of Juergen Schoenwaelder <j.schoenwaelder@jacobs-university.de>
Sent: 17 July 2020 17:11

Dear Kenneth,

RFC 6353 says in section 9.2.1:

   Implementations of TLS typically support multiple versions of the
   Transport Layer Security protocol as well as the older Secure Sockets
   Layer (SSL) protocol. Because of known security vulnerabilities, TLSTM
   clients and servers MUST NOT request, offer, or use SSL 2.0. See
   Appendix E.2 of [RFC5246] for further details.

This text was published 9 years ago and it would surely look different today. RFC 7568 (June 2015) has deprecated the usage of SSL 3.0. There is currently an Internet-Draft

   https://tools.ietf.org/id/draft-ietf-tls-oldversions-deprecate-06.html

aiming to deprecate TLS 1.0 and TLS 1.1. This draft does not update RFC 6363 but this might actually be an omission (I will contact the authors to clarify this in a separate email).

TLS versions evolve and what the IETF seems to be doing is to deprecate outdated TLS versions while protocols are usually designed to work with newer TLS versions. I assume that RFC 6353 has no technical issues to work with TLS 1.3 since it does not go into the TLS internals. Unless someone finds a problem with using RFC 6353 with TLS 1.3, I do not see a need to update RFC 6353. (The IETF generally does not spin RFCs to fix references that have become outdated.)

If the above I-D gets published as RFC XXXX and if it formally updates RFC 6353, then requiring the implementation of RFC 6353 and RFC XXXX essentially says that (today) TLS 1.2 or 1.3 are required. I do not know whether other SDOs want to be even stricter than this; today the long-term trajectory of any TLS version seems to be its deprecation.

<tp>

What a question at CoB on a Friday afternoon.

I think that it may be more complicated than that. TLS 1.3 is a radical restructuring of TLS so that e.g. the concept of a ciphersuite changes, digital signatures are specified separately and while renegotiation has gone, TLS has never been much of a fan of client authentication which SNMP is fussy about and prohibited renegotiation as a result. I think that some features of TLS 1.3 would need banning so that the client authentication cannot change.

And some users have found TLS 1.3 not fit for purpose since it renders a number of operational practices impossible, especially in areas where the security of the organisation takes precedence over the security of the individual, not a view that receives much support in the IETF TLS WG! There is an I-D about this in the IETF OPSEC WG and what the future holds for this is hard to know, more politics than engineering.

I see the focus of the IETF on YANG these days and think it unlikely that the IETF would update that RFC unless a lot of energy appeared to do so. And I do not believe that the TLS WG has shown much interest in the consequences for other protocols of deprecating earlier versions of TLS.

I will think some more but it might be a slow process.

Tom Petch

/js

On Fri, Jul 17, 2020 at 07:58:58AM -0500, Kenneth Vaughn wrote:
> Hello and thank you for your time.
>
> I am providing guidance to both ISO TC 204 and the USDOT on the best policies on upgrading systems currently based on prior versions of SNMP to the latest security solutions for SNMPv3.
>
> RFC 6353 (TLSTM for SNMP) specifically references RFC 5246 (TLSv1.2), however, TLS has been updated to TLSv1.3. I have not identified any technical reason why using TLSv1.3 would create problems vs TLSv1.2, but technically RFC6353 does not require this.
>
> Are there any plans to update RFC6353 to reference TLSv1.3? If not, are you aware of any technical problem in others (e.g., ISO TC 204, USDOT, etc) writing a specification that requires the use of RFC 6353 with the stated exception that all references to TLSv1.2 must be replaced with references to TLSv1.3? Or do you believe it would be appropriate to submit (and do you believe there would be an IETF group interested in receiving) a proposal for a new RFC that updates the reference? If so, who should that update proposal be sent to?
>
> Thank you for your help in this matter.
>
> Regards,
> Ken Vaughn
>
> Trevilon LLC
> 6606 FM 1488 RD #148-503
> Magnolia, TX 77354
> +1-936-647-1910
> +1-571-331-5670 cell
> www.trevilon.com
>
> _______________________________________________
> Isms mailing list
> Isms@ietf.org
> https://www.ietf.org/mailman/listinfo/isms

--
Juergen Schoenwaelder           Jacobs University Bremen gGmbH
Phone: +49 421 200 3587         Campus Ring 1 | 28759 Bremen | Germany
Fax:   +49 421 200 3103         <https://www.jacobs-university.de/>
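Added example (the editor's, not code from this thread, from RFC 6353 or from any SNMP implementation): the agent-side policy the messages above converge on, written in Go and exercised over an in-memory pipe. The agent refuses anything below TLS 1.2 (SSL 2.0 is already banned by RFC 6353 section 9.2.1, SSL 3.0 by RFC 7568, TLS 1.0/1.1 by the oldversions-deprecate draft), requires and verifies a manager certificate, and derives the tmSecurityName from that certificate's fingerprint in the manner of RFC 6353's tlstmCertToTSNTable (one hash-algorithm octet, 4 for sha256, followed by the hash of the DER certificate). A manager confined to TLS 1.0/1.1 is turned away; a TLS 1.2 or 1.3 manager is accepted and named, which is the "TLS 1.2 or 1.3 are required" outcome Juergen describes. The self-signed certificates, the host names, the securityName netops-manager, the hex rendering in Fingerprint and the SessionTicketsDisabled setting (needed only so the exchange can run over net.Pipe) are the example's own assumptions. Go's crypto/tls does not implement TLS 1.3 post-handshake client authentication, so the "client authentication cannot change" property Tom asks for holds here by omission; a stack that offers that feature would need it switched off on the agent.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/hex"
	"errors"
	"math/big"
	"net"
	"time"
)

// Fingerprint follows the SnmpTLSFingerprint layout of RFC 6353: one octet naming
// the hash (4 = sha256 in the TLS HashAlgorithm registry) followed by the hash of
// the DER certificate. Hex is only this example's map-key rendering.
func Fingerprint(der []byte) string {
	sum := sha256.Sum256(der)
	return hex.EncodeToString(append([]byte{4}, sum[:]...))
}

// selfSigned mints a throwaway identity for the example; real agents and managers
// would carry CA-issued certificates.
func selfSigned(cn, dnsName string) (tls.Certificate, *x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	serial, _ := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 128))
	tmpl := &x509.Certificate{
		SerialNumber: serial, Subject: pkix.Name{CommonName: cn}, DNSNames: []string{dnsName},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour),
		KeyUsage:    x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth},
		BasicConstraintsValid: true, IsCA: true,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	leaf, _ := x509.ParseCertificate(der)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}, leaf, nil
}

// Fixture is the agent (TLS server) policy, the manager identity, and the
// tlstmCertToTSNTable-style map from certificate fingerprint to securityName.
type Fixture struct {
	Agent     *tls.Config
	agentPool *x509.CertPool
	manager   tls.Certificate
	CertToTSN map[string]string
}

func NewFixture() (*Fixture, error) {
	agentCert, agentLeaf, err := selfSigned("snmp-agent", "agent.example.net")
	if err != nil {
		return nil, err
	}
	managerCert, managerLeaf, err := selfSigned("snmp-manager", "manager.example.net")
	if err != nil {
		return nil, err
	}
	agentPool, managerPool := x509.NewCertPool(), x509.NewCertPool()
	agentPool.AddCert(agentLeaf)
	managerPool.AddCert(managerLeaf)
	return &Fixture{
		// TLS 1.2 floor (SSL 2.0 banned by RFC 6353, SSL 3.0 by RFC 7568, TLS 1.0/1.1 by
		// the oldversions-deprecate draft); the client certificate is mandatory because
		// the tmSecurityName is derived from it; tickets off only so net.Pipe suffices.
		Agent: &tls.Config{
			MinVersion:             tls.VersionTLS12,
			Certificates:           []tls.Certificate{agentCert},
			ClientAuth:             tls.RequireAndVerifyClientCert,
			ClientCAs:              managerPool,
			SessionTicketsDisabled: true,
		},
		agentPool: agentPool,
		manager:   managerCert,
		CertToTSN: map[string]string{Fingerprint(managerLeaf.Raw): "netops-manager"},
	}, nil
}

// ManagerConfig is the manager (TLS client) side for a given version window.
func (f *Fixture) ManagerConfig(minVersion, maxVersion uint16) *tls.Config {
	return &tls.Config{MinVersion: minVersion, MaxVersion: maxVersion, ServerName: "agent.example.net",
		RootCAs: f.agentPool, Certificates: []tls.Certificate{f.manager}}
}

// Handshake establishes one in-memory TLSTM session and returns the negotiated
// version plus the securityName the agent derives from the manager's certificate.
// An authenticated certificate that maps to no securityName still ends the session.
func Handshake(agent, manager *tls.Config, certToTSN map[string]string) (uint16, string, error) {
	agentConn, managerConn := net.Pipe()
	defer agentConn.Close()
	defer managerConn.Close()
	type outcome struct {
		name string
		err  error
	}
	done := make(chan outcome, 1)
	go func() {
		srv := tls.Server(agentConn, agent)
		if err := srv.Handshake(); err != nil {
			done <- outcome{err: err}
			return
		}
		name, ok := certToTSN[Fingerprint(srv.ConnectionState().PeerCertificates[0].Raw)]
		if !ok {
			done <- outcome{err: errors.New("tlstm: client certificate not mapped to a securityName")}
			return
		}
		done <- outcome{name: name}
	}()
	cli := tls.Client(managerConn, manager)
	clientErr := cli.Handshake()
	agentSide := <-done
	if clientErr != nil {
		return 0, "", clientErr
	}
	if agentSide.err != nil {
		return 0, "", agentSide.err
	}
	return cli.ConnectionState().Version, agentSide.name, nil
}
```

Usage: build a Fixture, then call Handshake with f.ManagerConfig(tls.VersionTLS12, tls.VersionTLS13) for a current manager and f.ManagerConfig(tls.VersionTLS10, tls.VersionTLS11) for a legacy one; the first returns TLS 1.3 and "netops-manager", the second returns a protocol-version error before any certificate is exchanged.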