Re: [Isms] Question regarding RFC 6353

tom petch <ietfc@btconnect.com> Fri, 17 July 2020 16:50 UTC

From: tom petch <ietfc@btconnect.com>
To: Kenneth Vaughn <kvaughn@trevilon.com>, Juergen Schoenwaelder <j.schoenwaelder@jacobs-university.de>
CC: "isms@ietf.org" <isms@ietf.org>
Date: Fri, 17 Jul 2020 16:50:01 +0000
Message-ID: <AM6PR07MB52222429E1B317A012AF5033A07C0@AM6PR07MB5222.eurprd07.prod.outlook.com>
References: <840CBD97-1D31-48EB-A210-65CC0B43FFDC@trevilon.com>, <20200717161145.zytufnzyhizpyc5p@anna.jacobs.jacobs-university.de>
In-Reply-To: <20200717161145.zytufnzyhizpyc5p@anna.jacobs.jacobs-university.de>
Archived-At: <https://mailarchive.ietf.org/arch/msg/isms/SzihBaZWbvGpwnZfx_jOhL07rKw>

From: Isms <isms-bounces@ietf.org> on behalf of Juergen Schoenwaelder <j.schoenwaelder@jacobs-university.de>
Sent: 17 July 2020 17:11

Dear Kenneth,

RFC 6353 says in section 9.2.1:

   Implementations of TLS typically support multiple versions of the
   Transport Layer Security protocol as well as the older Secure Sockets
   Layer (SSL) protocol.  Because of known security vulnerabilities,
   TLSTM clients and servers MUST NOT request, offer, or use SSL 2.0.
   See Appendix E.2 of [RFC5246] for further details.

This text was published 9 years ago and it would surely look
different today. RFC 7568 (June 2015) has deprecated the usage of SSL
3.0. There is currently an Internet-Draft

https://tools.ietf.org/id/draft-ietf-tls-oldversions-deprecate-06.html

aiming to deprecate TLS 1.0 and TLS 1.1. This draft does not update
RFC 6363 but this might actually be an omission (I will contact the
authors to clarify this in a separate email).

TLS versions evolve and what the IETF seems to be doing is to
deprecate outdated TLS versions while protocols are usually designed
to work with newer TLS versions. I assume that RFC 6353 has no
technical issues to work with TLS 1.3 since it does not go into the
TLS internals. Unless someone finds a problem with using RFC 6353 with
TLS 1.3, I do not see a need to update RFC 6353. (The IETF generally
does not spin RFCs to fix references that have become outdated.)

If the above I-D gets published as RFC XXXX and if it formally updates
RFC 6353, then requiring the implementation of RFC 6353 and RFC XXXX
essentially says that (today) TLS 1.2 or 1.3 are required. I do not
know whether other SDOs want to be even stricter than this today; the
long-term trajectory of any TLS version seems to be its deprecation.

<tp>
What a question of CoB on a Friday afternoon.

I think that it may be more complicated than that.  TLS 1.3 is a radical restructuring of TLS so that e.g. the concept of a ciphersuite changes, digital signatures are specified separately and while renegotiation has gone, TLS has never been much of a fan of client authentication which SNMP is fussy about and prohibited renegotiation as a result.  I think that some features of TLS 1.3 would need banning so that the client authentication cannot change.  And some users have found TLS 1.3 not fit for purpose since it renders a number of operational practices impossible, especially in areas where the security of the organisation takes precedence over the security of the individual, not a view that receives much support in the IETF TLS WG!  There is an I-D about this in the IETF OPSEC WG and what the future holds for this is hard to know, more politics than engineering.

I see the focus of the IETF on YANG these days and think it unlikely that the IETF would update that RFC unless a lot of energy appeared to do so.

And I do not believe that the TLS WG has shown much interest in the consequences for other protocols of deprecating earlier versions of TLS.

I will think some more but it might be a slow process.

Tom Petch
/js

On Fri, Jul 17, 2020 at 07:58:58AM -0500, Kenneth Vaughn wrote:
> Hello and thank you for your time.
>
> I am providing guidance to both ISO TC 204 and the USDOT on the best policies on upgrading systems currently based on prior versions of SNMP to the latest security solutions for SNMPv3.
>
> RFC 6353 (TLSTM for SNMP) specifically references RFC 5246 (TLSv1.2), however, TLS has been updated to TLSv1.3. I have not identified any technical reason why using TLSv1.3 would create problems vs TLSv1.2, but technically RFC6353 does not require this.
>
> Are there any plans to update RFC6353 to reference TLSv1.3? If not, are you aware of any technical problem in others (e.g., ISO TC 204, USDOT, etc) writing a specification that requires the use of RFC 6353 with the stated exception that all references to TLSv1.2 must be replaced with references to TLSv1.3? Or do you believe it would be appropriate to submit (and do you believe there would be an IETF group interested in receiving) a proposal for a new RFC that updates the reference? If so, who should that update proposal be sent to?
>
> Thank you for your help in this matter.
>
> Regards,
> Ken Vaughn
>
> Trevilon LLC
> 6606 FM 1488 RD #148-503
> Magnolia, TX 77354
> +1-936-647-1910
> +1-571-331-5670 cell
> www.trevilon.com
>

> _______________________________________________
> Isms mailing list
> Isms@ietf.org
> https://www.ietf.org/mailman/listinfo/isms


--
Juergen Schoenwaelder           Jacobs University Bremen gGmbH
Phone: +49 421 200 3587         Campus Ring 1 | 28759 Bremen | Germany
Fax:   +49 421 200 3103         <https://www.jacobs-university.de/>
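The thread turns on two concrete points: which protocol versions an RFC 6353 (TLSTM) endpoint may still accept once SSL 2.0 (RFC 6353 section 9.2.1), SSL 3.0 (RFC 7568) and TLS 1.0/1.1 (the oldversions-deprecate draft) are ruled out, and Tom's remark that TLS 1.3 features which let the client's authenticated identity change after the handshake would need banning, since TLSTM maps the peer certificate to a tmSecurityName. The following is an added example written for this archive page, not code from any of the participants or from any SNMP implementation. It uses only Python's standard `ssl` module; the function names, the `ca_file` parameter and the "unhardened" context are the editor's own constructions, and the version strings are the ones `SSLSocket.version()` returns.

```python
"""Added example: a TLS version and client-authentication policy for a
TLSTM-style (RFC 6353) listener.  Editor's code, not from the thread."""
import ssl

# Version policy assembled from the documents cited in the thread.
# Keys are the strings SSLSocket.version() / SSLObject.version() return.
FORBIDDEN_VERSIONS = {
    "SSLv2": "RFC 6353 section 9.2.1 (MUST NOT request, offer or use)",
    "SSLv3": "RFC 7568 (deprecated)",
    "TLSv1": "draft-ietf-tls-oldversions-deprecate (deprecated)",
    "TLSv1.1": "draft-ietf-tls-oldversions-deprecate (deprecated)",
}
ACCEPTABLE_VERSIONS = ("TLSv1.2", "TLSv1.3")


def version_verdict(negotiated):
    """Return (allowed, reason) for a negotiated protocol version string."""
    if negotiated in ACCEPTABLE_VERSIONS:
        return True, "permitted"
    if negotiated in FORBIDDEN_VERSIONS:
        return False, "forbidden by " + FORBIDDEN_VERSIONS[negotiated]
    return False, "unknown protocol version: %r" % (negotiated,)


def build_unhardened_server_context():
    """The 'before' picture: a server context with library defaults only.

    No client certificate is demanded, so there is nothing for TLSTM to
    map to a tmSecurityName; older interpreters may also still offer
    deprecated versions.
    """
    return ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)


def build_tlstm_server_context(ca_file=None):
    """The hardened version of the same context.

    - minimum_version TLS 1.2: rules out SSL 2.0/3.0 and TLS 1.0/1.1
    - CERT_REQUIRED: the client certificate is mandatory for TLSTM
    - renegotiation disabled where the OpenSSL build supports the option
    - TLS 1.3 post-handshake client auth left off, so the authenticated
      identity cannot change once the session is established
    `ca_file` is a hypothetical path to the CA bundle used to validate
    client certificates; when omitted, no trust store is loaded.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.options |= getattr(ssl, "OP_NO_RENEGOTIATION", 0)
    if hasattr(ctx, "post_handshake_auth"):
        ctx.post_handshake_auth = False
    if ca_file:
        ctx.load_verify_locations(cafile=ca_file)
    return ctx


def audit_context(ctx):
    """Return the list of policy violations in an SSLContext (empty if clean)."""
    problems = []
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        problems.append("minimum_version admits a deprecated SSL/TLS version")
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        problems.append("client certificate not required; no tmSecurityName mapping")
    if getattr(ctx, "post_handshake_auth", False):
        problems.append("TLS 1.3 post-handshake authentication enabled")
    return problems


def describe_context(ctx):
    """Human-readable summary of the settings the audit looks at."""
    return {
        "minimum_version": ctx.minimum_version.name,
        "verify_mode": ctx.verify_mode.name,
        "post_handshake_auth": bool(getattr(ctx, "post_handshake_auth", False)),
    }


if __name__ == "__main__":
    for name, builder in (("unhardened", build_unhardened_server_context),
                          ("hardened", build_tlstm_server_context)):
        ctx = builder()
        print(name, describe_context(ctx), audit_context(ctx) or "OK")
    for v in ("SSLv2", "TLSv1", "TLSv1.2", "TLSv1.3"):
        print(v, version_verdict(v))
```

The audit deliberately checks the context rather than a live connection: `version_verdict()` is what a listener would apply to `sock.version()` after the handshake as a belt-and-braces check, while `audit_context()` catches the misconfiguration before any peer connects. Whether TLS 1.3 itself is acceptable is left to the version table, which is the only place that needs editing if an SDO decides to be stricter than the IETF documents.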
