[netconf] AD review of draft-ietf-netconf-tls-client-server-33
"Rob Wilton (rwilton)" <rwilton@cisco.com> Wed, 28 June 2023 13:09 UTC
Return-Path: <rwilton@cisco.com>
X-Original-To: netconf@ietfa.amsl.com
Delivered-To: netconf@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 95F20C14CE31; Wed, 28 Jun 2023 06:09:43 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -9.594
X-Spam-Level:
X-Spam-Status: No, score=-9.594 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.001, DKIMWL_WL_MED=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_DNSWL_BLOCKED=0.001, RCVD_IN_MSPIKE_H3=0.001, RCVD_IN_MSPIKE_WL=0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_NONE=0.001, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001, USER_IN_DEF_DKIM_WL=-7.5] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=cisco.com header.b="jVoCJE8O"; dkim=pass (1024-bit key) header.d=cisco.com header.b="UME+oUSl"
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id LZWUHEdk4cp7; Wed, 28 Jun 2023 06:09:39 -0700 (PDT)
Received: from rcdn-iport-3.cisco.com (rcdn-iport-3.cisco.com [173.37.86.74]) (using TLSv1.2 with cipher DHE-RSA-SEED-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 5BEE7C14CEF9; Wed, 28 Jun 2023 06:09:39 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cisco.com; i=@cisco.com; l=35318; q=dns/txt; s=iport; t=1687957779; x=1689167379; h=from:to:subject:date:message-id: content-transfer-encoding:mime-version; bh=7fgub8xBN73s1RJxyjsRDhNU474kMYQjsPK0B88L34Q=; b=jVoCJE8O3KzndMWm6CJFhi3Z4mPntE4NjPJJ+Z6IkvJUlMkUX5ZWlIix 5gckCXKTBBk3lIGcgeXJbjVDxXRH9HT5CLss9Bc3nXfRjvllv9RAaZQC+ zLQ2+oDuLOpFHn2IHYPUz9zIZdLOWTuP3s7lItPDewe2Qx9TWmyAaa+WN U=;
X-IPAS-Result: A0AYAAAPMJxkmI9dJa1RCRwBAQEBAQEHAQESAQEEBAEBQCWBFgcBAQsBgWAqKHNbKhJHiB0DhE5fiFuBFpAfjD+BJQNWDwEBAQ0BAUQEAQGFBgKGBwIlNAkOAQICAgEBAQEDAgMBAQEBAQEDAQEFAQEBAgEHBBQBAQEBAQEBAR4ZBQ4QJ4VoDYYdKAYBASkPEQE+QiYBBAEaGoJcgl0DAaNjAYFAAooleIE0gQGCCQEBBgQFsmwJgUIBkE2BHwgfG4FJRIEVQ4Iwg1gCgTQUGoQSgi6LJw0MgmGDCYIUGC4HMospZYEnb4EegSB6AgkCEWeBCAhfgW4+Ag1VCwtjgRxSOoFGAgIROhRTeB0DBwOBBRAvBwQyCR8GCRgvJQZRBy0kCRMVQQSDWAqBDT8VDhGCWiICBzY/G1GCbQkXDj0HQgNEHUADC3A9FCEGDhsFBIJDboEJAkajUDsxAhsbDCYEDRU1K1ZAFQQHBhIWGQ8CCwIELMQYCoQIoTcXhAGMbJgJYoNLhxmNOyCiLikHGQGEewIEAgQFAg4BAQaBYzqBW3AVO4JnUhkPjiALAQ0JgQYBAoJJj3l1OwIHCwEBAwmLSAEB
IronPort-PHdr: A9a23:NSb9chRDOSHsMAUX5dZlH55FlNpso3DLVj580XJvo6hFfqLm+IztI wmEo/5sl1TOG47c7qEMh+nXtvX4UHcbqdaasX8EeYBRTRJNl8gMngIhDcLEQU32JfLndWo7S exJVURu+DewNk0GUN3maQjqq2appSUXBg25MAN0IurvHYuHldu20/y1/bXYYh5Dg3y2ZrYhZ BmzpB/a49EfmpAqar5k0wbAuHJOZ+VQyCtkJEnGmRH664b48Mto8j9bvLQq8MsobA==
IronPort-Data: A9a23:xC8pAa2XqDBeGVwiW/bD5c1xkn2cJEfYwER7XKvMYLTBsI5bpzcDx mcXXzqGPfiKY2egf9l0bY6zpk4CvsXSy9NkSgFl3Hw8FHgiRegpqji6wuYcGwvIc6UvmWo+t 512huHodZxyFjmGzvuUGuCJQUNUjclkfZKiTradUsxNbVU8Enx510gzw7RRbrNA2LBVPSvc4 bsenOWHULOV82Yc3rU8sv/rRLtH5ZweiRtA1rAMTakjUGz2yxH5OKkiyZSZdBMUdGX78tmSH I4vxJnhlo/QEoxE5tmNyt4XeWVSKlLe0JTnZnd+A8CfbhZ+SiMa/p8xEeYMV2lr0W+DnNZXk tUSpJyScFJ8VkHMsLx1vxhwCSpyO+hN/6XKZCf5us2IxEqAeHzpqxlsJBhpZstDpaAmWicXq adwxDMlNnhvg8qs37O/Vu5qrs8iN8LseogYvxmMyBmGXKl9GMGSGc0m4/dW7DdpgZhBGsqPb u1JNGFEMTuYZj1QbwJ/5JUWxbf02SaXnydjgFSYuaEw5Wb7zQFt3v7qKtW9UtCQTMtJ20eVu myD+WnlCRYcOpmDzSHA+Xati+nT2Dj2QpwfDvux8vpCgVCPyCoUEhJ+aLegieOyhkj7UNVFJ glLvCEvtqM1skesS7ERQiFUvlaohxQ5R8puPdFgsguOzIyO41mIBko9G2sphMMdiOc6Qjkj1 1msltzvBCByvLD9dZ573urKxd9VEXVLRVLudRPoXiNevIa++NBbYgbnC4c8QPTs37UZDBmpm 2jSxBXSkYn/miLi6klW1UrMjzTprZ/TQ0tqoA7WRWmiqAh+YeZJhrBEC3CFt56sz67AHjFtW UTofeDCtYji6rnRzUSwrB0lRu3B2hp8GGS0baRTN5cg7S+x3HWoYJpd5jpzTG8wbJZbKW6xP hSI41wBjHO2AJdMRfEvC25WI5pypZUM6fy+PhwpRoMUO8MoJFPvEN9GPBfNgQgBb3TAYYlma cvELq5A/F4RCL9sy3KtVvwB3Lowrh3SNkuNLa0XOy+PiOLEDFbMEO9tGALXMogRsvjeyC2Lq Ik3Cid/40gFOAEISnOJodd7wJFjBSVTOK0aXOQMKbfbelo4QDt9YxITqJt4E7FYc21uvr6g1 lm2W1RTzxz0gnivFOlAQikLhG/HNXqnkU8GAA==
IronPort-HdrOrdr: A9a23:UeKc3qyguiwKR9EFlQclKrPxqeskLtp133Aq2lEZdPULSK2lfp GV8sjziyWatN9IYgBbpTnhAsO9qADnhONICO4qTPyftWjdySOVxeRZjbcKrAeQYxEWmtQtsJ uIEJIOQuEYb2IK9voSiTPQe71Nsbr3kpxA7t2uqEuFODsaEp2ImD0JbDpzfHcGIDWuA6BVKL Osou584xawc3Ueacq2QlMfWfLYmtHNnJX6JTYbGh8O8mC1/H+VwY+/NyLd8gYVUjtJz7tn23 PCiRbF6qKqtOz+4gPA1lXU849dlLLau5R+7Y23+4YowwfX+0aVjbdaKv6/VfcO0aOSAWMR4Z jxStEbToFOAj3qDyWISFDWqnXdOX4VmgDfIBmj8DbeSQiTfkN9NyKH7rgpNSfx+g4uuspx37 lM2H/cv51LDQnYlCC4/NTQUQp2/3DE1kbKvNRj+kC3a7FuHIN5vMga5gdYAZ0AFCX15MQuF/ RvFtjV4LJTfUmBZ37Us2FzyJj0N05DVyuuUwwHoIiYwjJWlHd2ww8Rw9EehG4J8NY4R4Nf7+ rJP6x0nPVFT9MQb6h6GOAdKPHHfFDlUFbJKiafMF7nHKYINzbErIP2+qw84KWwdJkB3PIJ6e b8uZNjxB0Pkm7VeL2zNcdwg27wqU2GLEXQ9v0=
X-Talos-CUID: 9a23:PjQnTW0uqJpbd+xbxUgidbxfNvkvV2HN8lnseRWyCmBPEr3KWF+ywfYx
X-Talos-MUID: 9a23:bsKE2QTR/CFoEKVIRXTitDE7M59n5Jj/AWddzM4t5ubcMAxvbmI=
X-IronPort-Anti-Spam-Filtered: true
Received: from rcdn-core-7.cisco.com ([173.37.93.143]) by rcdn-iport-3.cisco.com with ESMTP/TLS/DHE-RSA-SEED-SHA; 28 Jun 2023 13:09:38 +0000
Received: from rcdn-opgw-3.cisco.com (rcdn-opgw-3.cisco.com [72.163.7.164]) by rcdn-core-7.cisco.com (8.15.2/8.15.2) with ESMTPS id 35SD9cji030151 (version=TLSv1.2 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=OK); Wed, 28 Jun 2023 13:09:38 GMT
Authentication-Results: rcdn-opgw-3.cisco.com; dkim=pass (signature verified) header.i=@cisco.com; spf=Pass smtp.mailfrom=rwilton@cisco.com; dmarc=pass (p=quarantine dis=none) d=cisco.com
X-IronPort-AV: E=Sophos;i="6.01,165,1684800000"; d="scan'208";a="3551084"
Received: from mail-mw2nam12lp2049.outbound.protection.outlook.com (HELO NAM12-MW2-obe.outbound.protection.outlook.com) ([104.47.66.49]) by rcdn-opgw-3.cisco.com with ESMTP/TLS/ECDHE-RSA-AES256-GCM-SHA384; 28 Jun 2023 13:09:37 +0000
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=fhxSziUpSghTat7nTaDczjoE7Z439+F0RXvWAjK3DW381LGJ0gW3EHexUUOFbavRzV3KK/JFlMBCZM4ANDtiJ7o2olZG2niaQwk++f6WAOc6mqND8UKO24hHSdNq7gOGSwX0UhPuNKS3bY8yUL6LtHAG8zq2tOLpKh9vYjO8I2haaXQqC48Znf9or052n+rchvnGV0SWF6Byoj90YGqAWU9OH+ZpE676BKOxe+7JtANCLDgCy0VGSYVTsfLvati0yrD+aECz2A59XwWiTPxCl7FksOW1WCz+o6ORdVbC/OwD5r6RybmddmRex5YldC+fZzQKyV/gRVMjWcj0N4ZEJA==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=qkU9+dNh5RAFEi4FG8MlzfDQz0W6IvSPUvpGlzC6bhY=; b=IoTT/7AapJgQ8/L3TEKa1kyT9VF47gvYKsimMhszNrxeLEUj2Xo2Tl3GJ/2OrhSfx8dpjI1HZxolh6Aeu5b3C1MwiowmWfO3gMq2EM85YtfrzXv29kwDG+fs+isTPPMjjPiaQhDnUNgmysNU6pBndKfoJYiZI6mqgaBAkj7Ukp9eeoXOX/j2P2BcGQpIOgpcdAu/AEqMfeykMVitM7Bh52klH8VEPejyweIKikxIu2FPzbrZRfQpFIrBGF2pqVcdaFjkjsAVVEFb4vzWPNqmvvej4cmJFlyj89CF8VXC20r7D80qT5GsTG4in91bPH6sykxhpvlExNStDEvWhOsvOw==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=cisco.com; dmarc=pass action=none header.from=cisco.com; dkim=pass header.d=cisco.com; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=cisco.com; s=selector1; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=qkU9+dNh5RAFEi4FG8MlzfDQz0W6IvSPUvpGlzC6bhY=; b=UME+oUSlncAKNn9F6KMPLAgbTteLorOBMzItBRXLeZIlhppIQC/vnBKUGVddYIlrpH3dgYECsFPmYyzHsoxGmUiOAcY4fL4OZnfPgYxeokQ6Nd7A1YXUDz2ztnkxYLRttnzI6gHR/Cl4lTm+Uia8yhySdPWMcfULshJFgcUfgno=
Received: from BY5PR11MB4196.namprd11.prod.outlook.com (2603:10b6:a03:1ce::13) by PH0PR11MB7616.namprd11.prod.outlook.com (2603:10b6:510:26d::20) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.6521.26; Wed, 28 Jun 2023 13:09:35 +0000
Received: from BY5PR11MB4196.namprd11.prod.outlook.com ([fe80::a6a3:7e3b:903b:2035]) by BY5PR11MB4196.namprd11.prod.outlook.com ([fe80::a6a3:7e3b:903b:2035%5]) with mapi id 15.20.6521.024; Wed, 28 Jun 2023 13:09:35 +0000
From: "Rob Wilton (rwilton)" <rwilton@cisco.com>
To: "draft-ietf-netconf-tls-client-server.all@ietf.org" <draft-ietf-netconf-tls-client-server.all@ietf.org>, "netconf@ietf.org" <netconf@ietf.org>
Thread-Topic: AD review of draft-ietf-netconf-tls-client-server-33
Thread-Index: AdmpvbsqumJkACWjQNi9mFQ8M2h4mQ==
Date: Wed, 28 Jun 2023 13:09:35 +0000
Message-ID: <BY5PR11MB4196C94A3F111E771CA8B3E9B524A@BY5PR11MB4196.namprd11.prod.outlook.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-ms-publictraffictype: Email
x-ms-traffictypediagnostic: BY5PR11MB4196:EE_|PH0PR11MB7616:EE_
x-ms-office365-filtering-correlation-id: 8acdc686-59d5-4fd6-ea7c-08db77d8eb7f
x-ms-exchange-senderadcheck: 1
x-ms-exchange-antispam-relay: 0
x-microsoft-antispam: BCL:0;
x-microsoft-antispam-message-info: 9CEXo8WhzZZpuJ0zN0hGab1NrUfXiH7ZD4/NejI+szgsQBrDO6sol6gaaXbgH6zvW0O4btivFk1VpXSHkP0iRlxPkt2KCamr5XXhIndHIX/Mksk+JFISwGI9QpLjNKchs3zJ9/VvyglzcED96XgqeQImRHPaBER+BvfzEgN6BntePMo+aKfMEafyjFSqFFXHym7kHoDQOuiF4w6dqZ8UDuTVHdKTvd/X4VdohUdg5v4H1zDw5RYJWly41xHrDo1cxmoY983GLOE5F5Sg/k5Ohw+SdyMLetbqrvWiWiMfqZeqinGW+zXI9G9uP0JHc0lp+mR3T8RQbRqj7Irf05b/R+iqY5FcSPFTeoFV/Ac/Tr+r4PgsNk/LZkK35CHxw5Y3VK8+qUFY/siLnCUNekx0+p+FJKk/x4msm44z6SXqcwSuSEevqpJrIRO9xMe47aUemErCA28/7f4+LpPqh9sJM3qphD5urJiWsN7WOC4gmTYTKX61YEaCfQG3de+oZ0184tc7LPNq0YcKYvpB/nmqtDNdvsFYnF8O3Rukc3Kb0z8snYRYVDHZW1fFOzmMiFP7uE0m4lww+MgldQfBnOAqKPjQBYi8HF4Jg3BhcosmSLPxjbNRe1UksQ7vrKn8R2+9
x-forefront-antispam-report: CIP:255.255.255.255; CTRY:; LANG:en; SCL:1; SRV:; IPV:NLI; SFV:NSPM; H:BY5PR11MB4196.namprd11.prod.outlook.com; PTR:; CAT:NONE; SFS:(13230028)(396003)(376002)(346002)(136003)(39860400002)(366004)(451199021)(6506007)(5660300002)(52536014)(66446008)(33656002)(450100002)(66556008)(316002)(64756008)(66946007)(478600001)(66476007)(76116006)(8676002)(8936002)(86362001)(2906002)(26005)(9686003)(110136005)(41300700001)(55016003)(7696005)(186003)(38070700005)(122000001)(38100700002)(30864003)(71200400001)(83380400001); DIR:OUT; SFP:1101;
x-ms-exchange-antispam-messagedata-chunkcount: 1
x-ms-exchange-antispam-messagedata-0: i56xx9Sa3QK8HuRfvPNEZsSv69uTmlEtvwSCqoWMn2kpQ7QAjaOWQ0+k6FzN69+wSDL2sT01FUQhBa+ADgop2wPXNR3ip3A1OPS5l3+svoo66yGXRWbIJdbkNnCduCIyokUTKv26IEkQ3NsIUISiGLpDIbE7ySPvHXrnISq7j7S/1XK5eVUXcldc9yL3Gd3P/45ddDpZJsFBJ5zvRrbb0P/uUbPl67+hRawlOkyOR6F1k9dEHS+rN7+sCJYj8BnpFpx592mgfBg9eJQzVis3gslM5JK9ClZxBpZtgavGZujjlsa55B1YkIH3NG+w+swCrTm3ZqA/GZooWBp0UWYD7reAszCU+QIWHIyQ27hhyS9u4PEq+veqOviV+/M+3ACPra8InD7mIO+C4nQ1hVx4hdTK9GqPyMGl+VYeYDRUiQDZ++wDHfu+XoGKNvGTmUHippd3lnCe8PvXcOKzkloHJktzHWia5Eae2Bjd2lAzvvEPHrqdXDZdb73vIWo5U2yCWHJ52y76gv0hsB8Dq+i4qIdSiBXHoZO6uD3o0sAIL3RfC0HGeaSlAOGTymKrwuxcrlimjlmOzTZNAeRA2K6ns08dJsmQS0M4T7tNn+rILNzseGal0Sn3g2k4JppCZ/hX6u2/u2BgnUVqJpRnN3PV0NE6natdqWoYeHncHw2II5AJljd86jpw5oG8nWIiUuQdFDp0CxMpHy/ErqaWfJ5aQln44bqf0b9F0EO8DAITn2bUC8fXd2Fufy0OWRaJaHrFjtDgNRthylhww64MrY8zUasFqmXEsJ1vCUAeA400rQcsie/RMXXpvhaqGfs1hIOi0VW2U1yhrEwTePDBUs4oM6hyPUAA6lTdLIy0N2NEmGjXppYbCAjMQTXEIPSmvo5FDcKP8acytytWhxtRlic7KZWiELeSei8KN7pSBLIJgnXBwjvb+YJgr6JTdasbYvFjgjX0kzjWrGNgWdBSVepvfmpTKxYpKMuuIk66I8YO2VFvNT5DZJ+EQauGGqi9aooCvWwZZ93UxFaRV4jjguoIxiMhEXtuA3sqOY682SwV/GFBxd9n5LSouM/14lQExxXDOsEg/gjMQCPe2ZK+lLUknrykkTIYDLa6+uwicV4BUv/IOAc5wMWOlptgQM35BihauCh/4HVhUFXQBSEOoE3hB5uy5nqI9Fz3+QWqcDrMZ6+fxnHcojdA6LiU8YrV3jEJYOZeZrJA1KZSAxm5E1H6Cm4tl3xyPlnjCDaovjWX5JnxkQFzOSoql2JEyzYLGgYtGVGtrNG7ahekT9dkrrC89+eGqfw+804+z7kOXMr6Z8Vwv9RVZ8xa0x2K7amm4AjVIh8duIZDDTvnZI8xxyf0BFLtqipQqHfiixbzBamMjJA0gIpVnfHTC0cGCxJqWALlCktuZ0BTEwRlYIwOK6IWUOTp8qewfpP7NjuPfXzw+wYlVsf45C5BN8pwfDgop4mQ7Ou+6mxRHja+7znYRPv+31JJLjh22wCkGVFdbQzR7lMShvaCnjJz35sj3a6Md0EgK3rxTsHC/WdhWY/YiUO1as8HQ7l9pW9TIJhQNVSnb+4=
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
X-OriginatorOrg: cisco.com
X-MS-Exchange-CrossTenant-AuthAs: Internal
X-MS-Exchange-CrossTenant-AuthSource: BY5PR11MB4196.namprd11.prod.outlook.com
X-MS-Exchange-CrossTenant-Network-Message-Id: 8acdc686-59d5-4fd6-ea7c-08db77d8eb7f
X-MS-Exchange-CrossTenant-originalarrivaltime: 28 Jun 2023 13:09:35.0540 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 5ae1af62-9505-4097-a69a-c1553ef7840e
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-CrossTenant-userprincipalname: KJxamelIkoTyOajzicjpyIEXIQO1Sr9yf090rS6Isr+IIC/WV7cX80dmS0f8QEHXkY73voKNRe9hhdCbZ4as1g==
X-MS-Exchange-Transport-CrossTenantHeadersStamped: PH0PR11MB7616
X-Outbound-SMTP-Client: 72.163.7.164, rcdn-opgw-3.cisco.com
X-Outbound-Node: rcdn-core-7.cisco.com
Archived-At: <https://mailarchive.ietf.org/arch/msg/netconf/-T7tff7hQY8dc-27ETMbFc5BZGA>
Subject: [netconf] AD review of draft-ietf-netconf-tls-client-server-33
X-BeenThere: netconf@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: NETCONF WG list <netconf.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/netconf>, <mailto:netconf-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/netconf/>
List-Post: <mailto:netconf@ietf.org>
List-Help: <mailto:netconf-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/netconf>, <mailto:netconf-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 28 Jun 2023 13:09:43 -0000
Hi Kent,
Here is my AD review of draft-ietf-netconf-tls-client-server-33
This is another well written document, thank you. The comments from my review are:
Moderate level comments:
(1) p 3, sec 1. Introduction
Any version of TLS may be configured. TLS 1.0 [RFC2246] and TLS 1.1
[RFC4346] are historic and hence the YANG "feature" statements
enabling them are marked "status obsolete". TLS 1.2 [RFC5246] is
obsoleted by TLS 1.3 [RFC8446] but still in common use, and hence its
"feature" statement is marked "status deprecated". All the feature
statements for 1.0, 1.1, and 1.3 have "description" statements
stating that it is NOT RECOMMENDED to enable obsolete protocol
versions.
s/and 1.3/and 1.2/?
In the context of this paragraph, it is worth noting that draft-ietf-netmod-yang-module-versioning refines the meaning of deprecated and obsolete (depending on whether that document progresses). I.e., from that document the expectation is that implementations would implement deprecated nodes or explicitly deviate not-support them, and must not implement obsolete nodes. One of the reasons for this approach is to ensure that the client can understand always build the exact schema used by the server without ambiguity over deprecated/obsolete nodes.
Hence, I think that there is perhaps a general question as to whether we should be supporting TLS 1.0 or TLS 1.1 at all in this model? I did briefly ask the SEC ADs yesterday. Only one responded indicating that they would prefer if it wasn't present (but also said that he probably wouldn't DISCUSS on this if they were included). Do we know if there are likely use cases that still need TLS 1.0 or TLS 1.1 to justify keeping them in?
(2) p 17, sec 2.3. YANG Module
leaf bits {
type uint16;
description
"Specifies the number of bits in the key to create.
For RSA keys, the minimum size is 1024 bits and
the default is 3072 bits. Generally, 3072 bits is
considered sufficient. DSA keys must be exactly 1024
bits as specified by FIPS 186-2. For elliptical
keys, the 'bits' value determines the key length
of the curve (e.g., 256, 384 or 521), where valid
values supported by the server are conveyed via an
unspecified mechanism. For some public algorithms,
the keys have a fixed length and the 'bits' value,
if specified, will be ignored.";
}
Wouldn't it be safer to fail the RPC request rather than ignore an incorrect bits value?
(3) p 17, sec 2.3. YANG Module
choice private-key-encoding {
default cleartext;
description
"A choice amongst optional private key handling.";
case cleartext {
if-feature "ct:cleartext-private-keys";
leaf cleartext {
type empty;
description
"Indicates that the private key is to be returned
as a cleartext value.";
}
}
I was wondering whether it makes sense to have a default value referencing a case that is conditional on if-feature? From a quick look at RFC 7950, the behaviour seems to be unspecified in the case that the feature is not supported.
I also note that the 'private-key-encoding' doesn't turn up in the instance data (because it is a choice), so reading the XML doesn't make it obvious that it is the private key that is encoded. Hence, might it be helpful to include a private-key-encoding container?
(4) p 33, sec 3.3. YANG Module
leaf target-protocol {
type uint16;
description
"As per Section 3.1 of I-D.
ietf-tls-external-psk-guidance:
The protocol for which a PSK is imported for use.";
reference
"I-D.ietf-tls-external-psk-importer:
Importing External PSKs for TLS";
}
It wasn't clear to me exactly what the target-protocol value looks like here, i.e., where to find the list of allowed values.
(5) p 67, sec Appendix A. YANG Modules for IANA
Following are the complete contents to the initial IANA-maintained
YANG module. Please note that the date "2022-06-16" reflects the day
on which the extraction occurred.
As per my comments on the SSH draft, I wonder whether including this copy in this document is actually helpful, or just means that it is more likely that someone could end up using an outdated version rather than getting the latest version from IANA. I.e., perhaps include is for now, but ask the RFC editor to remove it at publication (at which point IANA should generate a current version).
It also means that this document ends up with a lot of normative references, which although not necessarily a problem, I wonder how useful/meaningful they really are.
In the generated module, some of the initial cipher entries are obsolete. Would it be better for those to always be excluded from the initial list of identities? Many cipher entries are also deprecated. Will the YANG status deprecated be sufficient to warn users that these are deprecated? E.g., the description could also flag that they are deprecated and SHOULD NOT be used (if that is appropriate)?
Note, I have not checked the generated list of identities in detail (but can review the generating script if that is helpful).
Minor level comments:
(6) p 4, sec 1. Introduction
Please also mention the YANG modules defined from IANA registries that this document creates.
(7) p 16, sec 2.3. YANG Module
grouping hello-params-grouping {
description
"A reusable grouping for TLS hello message parameters.";
reference
"RFC 5246: The Transport Layer Security (TLS) Protocol
Version 1.2
RFC 8446: The Transport Layer Security (TLS) Protocol
Version 1.3";
container tls-versions {
description
"Parameters regarding TLS versions.";
leaf-list tls-version {
type identityref {
base tls-version-base;
}
description
"Acceptable TLS protocol versions.
Presumably this does not need to be ordered-by user because the later versions are always preferable over older versions?
(8) p 19, sec 3.1.2.1. The "tls-client-grouping" Grouping
The following tree diagram [RFC8340] illustrates the "tls-client-
grouping" grouping:
I note that for the common module grouping you provide both unexpanded and expanded tree diagrams for the groupings, but for the client and server modules you only provide the unexpanded grouping. Is this just because of the length of the expanded grouping tree-diagrams? If they are too long, then would it be helpful to perhaps included them in an appendix?
(9) p 20, sec 3.1.2.1. The "tls-client-grouping" Grouping
| +-- ca-certs! {server-auth-x509-cert}?
| | +---u ts:inline-or-truststore-certs-grouping
| +-- ee-certs! {server-auth-x509-cert}?
| | +---u ts:inline-or-truststore-certs-grouping
Not a crypto expert, so this may be a daft question, but I noted that both ca-certs and ee-certs use the same if-feature statement (also in the server model). Is it always expected to be the case that if an implementation supports ca-certs then it would also support ee-certs?
(10) p 21, sec 3.1.2.1. The "tls-client-grouping" Grouping
* The "server-authentication" node configures trust anchors for
authenticating the TLS server, with each option enabled by a
"feature" statement.
As per my previous comment, I just wanted to highlight that two of the options are enabled by the same feature statement, which might be okay.
(11) p 21, sec 3.1.3. Protocol-accessible Nodes
The "ietf-tls-client" module defines only "grouping" statements that
are used by other modules to instantiate protocol-accessible nodes.
Flagging as per previous comments on the other drafts, is this section needed/helpful, or should it be elided?
(12) p 32, sec 3.3. YANG Module
leaf hash {
type tlscmn:epsk-supported-hash;
mandatory true;
description
"As per Section 4.2.11 of RFC 8446, for externally
established PSKs, the Hash algorithm MUST be set
when the PSK is established or default to SHA-256
if no such algorithm is defined. The server MUST
ensure that it selects a compatible PSK (if any)
and cipher suite. Each PSK MUST only be used with
a single hash function.";
reference
"RFC 8446: The Transport Layer Security (TLS)
Protocol Version 1.3";
I note that the description indicates that it should default to SHA-256, but this leaf is marked as mandatory with no default set instead?
(13) p 33, sec 3.3. YANG Module
leaf target-kdf {
type uint16;
description
"As per Section 3.1 of I-D.
ietf-tls-external-psk-guidance:
The specific Key Derivation Function (KDF) for which
a PSK is imported for use.";
reference
"I-D.ietf-tls-external-psk-importer:
Importing External PSKs for TLS";
}
For these two, draft ietf-tls-external-psk-guidance has no section 3.1, were these two descriptions (for target-protocol and target-kdf) meant to be referring to section 3.1 of ietf-tls-external-psk-importer instead?
(14) p 46, sec 4.3. YANG Module
feature server-ident-tls12-psk {
description
"Indicates that the server supports identifying itself
using TLS-1.2 PSKs (pre-shared or pairwise-symmetric keys).";
reference
"RFC 4279:
Pre-Shared Key Ciphersuites for Transport Layer Security
(TLS)";
}
Would it make sense for this feature to be conditional on the tls12 feature in the common module?
(15) p 46, sec 4.3. YANG Module
feature server-ident-tls13-epsk {
description
"Indicates that the server supports identifying itself
using TLS-1.3 External PSKs (pre-shared keys).";
reference
"RFC 8446:
The Transport Layer Security (TLS) Protocol Version 1.3";
}
Would it make sense for this feature to be conditional on the tls13 feature in the common module?
(16) p 47, sec 4.3. YANG Module
feature client-auth-tls12-psk {
description
"Indicates that the server supports authenticating clients
using PSKs (pre-shared or pairwise-symmetric keys).";
reference
"RFC 4279:
Pre-Shared Key Ciphersuites for Transport Layer Security
(TLS)";
}
Would it make sense for this feature to be conditional on the tls12 feature in the common module?
(17) p 47, sec 4.3. YANG Module
feature client-auth-tls13-epsk {
description
"Indicates that the server supports authenticating clients
using TLS-1.3 External PSKs (pre-shared keys).";
reference
"RFC 8446:
The Transport Layer Security (TLS) Protocol Version 1.3";
}
Would it make sense for this feature to be conditional on the tls13 feature in the common module?
(18) p 49, sec 4.3. YANG Module
leaf id_hint {
type string;
description
"The key 'psk_identity_hint' value used in the TLS
'ServerKeyExchange' message.";
reference
"RFC 4279: Pre-Shared Key Ciphersuites for
Transport Layer Security (TLS)";
}
Would id-hint be better that id_hint for consistency with how we generally see YANG identifiers?
(19) p 51, sec 4.3. YANG Module
leaf target-protocol {
type uint16;
description
"As per Section 3.1 of I-D.
ietf-tls-external-psk-guidance: The protocol
for which a PSK is imported for use.";
reference
"I-D.ietf-tls-external-psk-importer:
Importing External PSKs for TLS";
}
leaf target-kdf {
type uint16;
description
"As per Section 3.1 of I-D.
ietf-tls-external-psk-guidance: The specific Key
Derivation Function (KDF) for which a PSK is
imported for use.";
reference
"I-D.ietf-tls-external-psk-importer:
Importing External PSKs for TLS";
}
Same question as previously asked about whether section 3.1 and ietf-tls-external-psk-guidance is the correct reference here.
(20) p 55, sec 5.1. The "iana-tls-cipher-suite-algs" Module
YANG identities are not security-sensitive, as they are statically
defined in the publicly-accessible YANG module.
Is it worth adding any text to highlight that these identities represent algorithms that may be deprecated or obsoleted for security reasons? I.e., these identities feel a bit different than the usual kind.
(21) p 59, sec 6.3. The "iana-tls-cipher-suite-algs" Module
* Please note that this module was created on June 16th, 2022, and
that additional entries may have been added in the interim before
this document's publication. If this is that case, IANA may
either publish just an updated module containing the new entries,
or publish the initial module as is immediately followed by a
"revision" containing the additional algorithm names.
As per comments below, I propose that IANA just publishes the initial version at the point that this document becomes an RFC.
(22) p 65, sec Appendix A. YANG Modules for IANA
The module contained in this section was generated by scripts using
the contents of the associated sub-registry as they existed on June
16th, 2022.
I presume that these scripts will be available and owned by IANA?
Nit level comments:
(23) p 9, sec 2.1.4. Protocol-accessible Nodes
| | +---w (encrypted-by-choice)
| | +--:(symmetric-key-ref)
| | | {central-keystore-supported,symmetric\
-keys}?
| | | +---w symmetric-key-ref?
| | | ks:symmetric-key-ref
| | +--:(asymmetric-key-ref)
| | {central-keystore-supported,asymmetri\
c-keys}?
| | +---w asymmetric-key-ref?
For readability, perhaps worth asking the RFC editor to manually fold the symmetric-keys and asymmetric-keys features onto a new line rather than relying on RFC 8792?
(24) p 13, sec 2.3. YANG Module
feature tls12 {
status "deprecated";
description
"TLS Protocol Version 1.2 is supported TLS 1.2 is obsolete
and thus it is NOT RECOMMENDED to enable this feature.";
reference
"RFC 5246: The Transport Layer Security (TLS) Protocol
Version 1.2";
}
s/supported TLS/supported. TLS/
(25) p 15, sec 2.3. YANG Module
identity tls13 {
if-feature "tls13";
base tls-version-base;
description
"TLS Protocol Version 1.3.";
reference
"RFC 8446: The Transport Layer Security (TLS)
Protocol Version 1.3";
}
Do you want a " // Typedefs" since this isn't an identity?
(26) p 29, sec 3.3. YANG Module
container client-identity {
nacm:default-deny-write;
presence
"Indicates that a TLS-level client identity has been
configured. This statement is present so the mandatory
descendant do not imply that this node must be configured.";
description
"Identity credentials the TLS client MAY present when
establishing a connection to a TLS server. If not
configured, then client authentication is presumed to
occur a protocol layer above TLS. When configured,
and requested by the TLS server when establishing a
s/occur a protocol layer/occur in a protocol layer/
(27) p 35, sec 3.3. YANG Module
description
"Indicates that the TLS client can authenticate TLS servers
using configure PSKs (pre-shared or pairwise-symmetric
keys).
s/configure/configured/?
(28) p 39, sec 4.1.2.1. The "tls-server-grouping" Grouping
* The "keepalives" node, which must be enabled by a feature,
configures a flag enabling the TLS client to test the aliveness of
the TLS server, as well as a "presence" container for testing the
aliveness of the TLSi client. The aliveness-tests occurs at the
TLS protocol layer.
s/TLSi/TLS/?
Regards,
Rob
- [netconf] AD review of draft-ietf-netconf-tls-cli… Rob Wilton (rwilton)
- Re: [netconf] AD review of draft-ietf-netconf-tls… Kent Watsen
- Re: [netconf] AD review of draft-ietf-netconf-tls… Rob Wilton (rwilton)
- Re: [netconf] AD review of draft-ietf-netconf-tls… Kent Watsen
- Re: [netconf] AD review of draft-ietf-netconf-tls… Rob Wilton (rwilton)
- Re: [netconf] AD review of draft-ietf-netconf-tls… Kent Watsen
- Re: [netconf] AD review of draft-ietf-netconf-tls… Rob Wilton (rwilton)
- Re: [netconf] AD review of draft-ietf-netconf-tls… Rob Wilton (rwilton)
- Re: [netconf] AD review of draft-ietf-netconf-tls… Kent Watsen