Re: [netconf] : I-D Action: draft-ietf-netconf-crypto-types-09.txt
tom petch <ietfc@btconnect.com> Wed, 03 July 2019 10:59 UTC
Return-Path: <ietfc@btconnect.com>
X-Original-To: netconf@ietfa.amsl.com
Delivered-To: netconf@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 9EF9B12021C for <netconf@ietfa.amsl.com>; Wed, 3 Jul 2019 03:59:33 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 0.248
X-Spam-Level:
X-Spam-Status: No, score=0.248 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, RATWARE_MS_HASH=2.148, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=no autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=btconnect.onmicrosoft.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 8cE03jISx4EK for <netconf@ietfa.amsl.com>; Wed, 3 Jul 2019 03:59:31 -0700 (PDT)
Received: from EUR04-VI1-obe.outbound.protection.outlook.com (mail-eopbgr80099.outbound.protection.outlook.com [40.107.8.99]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 3FE0A12004F for <netconf@ietf.org>; Wed, 3 Jul 2019 03:59:30 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=btconnect.onmicrosoft.com; s=selector1-btconnect-onmicrosoft-com; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=7x3Yh8imFnYAWLqd8Z9p6xFXxFPOHDXXKM+7WR9Jpq8=; b=OL+I4eGQg8By5CTYJhj3/9nbr7m9hKVAiKVxgPHPyaxJ6Uwkq7MfpXQRWCrVcn0KVP+kqzFUQgV5tIIgb1E5rkBZJSQ6QKWKv5Bg+9+yEH0A6fe0vaHgG0ChjtV5+qH43JPPeGV28mL4mvouHSRw5ukKb+KJYsBKJXhRr3Qj6yo=
Received: from AM4PR07MB3204.eurprd07.prod.outlook.com (10.171.188.157) by AM4PR07MB3204.eurprd07.prod.outlook.com (10.171.188.157) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.2052.14; Wed, 3 Jul 2019 10:59:28 +0000
Received: from AM4PR07MB3204.eurprd07.prod.outlook.com ([fe80::1155:d23c:a062:b960]) by AM4PR07MB3204.eurprd07.prod.outlook.com ([fe80::1155:d23c:a062:b960%7]) with mapi id 15.20.2052.010; Wed, 3 Jul 2019 10:59:27 +0000
From: tom petch <ietfc@btconnect.com>
To: Wang Haiguang <wang.haiguang.shieldlab@huawei.com>, "Xialiang (Frank, Network Standard & Patent Dept)" <frank.xialiang@huawei.com>, Kent Watsen <kent+ietf@watsen.net>, Martin Bjorklund <mbj@tail-f.com>
CC: "netconf@ietf.org" <netconf@ietf.org>
Thread-Topic: [netconf] : I-D Action: draft-ietf-netconf-crypto-types-09.txt
Thread-Index: AQHVMY5h3RGsGK97y063XW8WXl0KJQ==
Date: Wed, 03 Jul 2019 10:59:27 +0000
Message-ID: <077201d5318e$5ed91620$4001a8c0@gateway.2wire.net>
References: <C02846B1344F344EB4FAA6FA7AF481F13E7B118B@dggemm511-mbx.china.huawei.com> <20190625.084508.905200182299290020.mbj@tail-f.com> <0100016b8f701d10-02dff612-5c5f-4ed3-938d-8b9f25679996-000000@email.amazonses.com> <20190625.224243.332607515244909664.mbj@tail-f.com> <0100016b9640a87c-b6e29e8c-0db0-4f15-bb58-887fc48c81d0-000000@email.amazonses.com> <C02846B1344F344EB4FAA6FA7AF481F13E7B45A1@dggemm511-mbx.china.huawei.com> <20303ff0c07346c7ae7cf1200502ecfe@huawei.com>
Accept-Language: en-GB, en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-clientproxiedby: LO2P265CA0063.GBRP265.PROD.OUTLOOK.COM (2603:10a6:600:60::27) To AM4PR07MB3204.eurprd07.prod.outlook.com (2603:10a6:205:8::29)
authentication-results: spf=none (sender IP is ) smtp.mailfrom=ietfc@btconnect.com;
x-ms-exchange-messagesentrepresentingtype: 1
x-mailer: Microsoft Outlook Express 6.00.2800.1106
x-originating-ip: [86.139.215.234]
x-ms-publictraffictype: Email
x-ms-office365-filtering-correlation-id: b0a5ceda-24c2-45cf-a8c1-08d6ffa5844a
x-microsoft-antispam: BCL:0; PCL:0; RULEID:(2390118)(7020095)(4652040)(8989299)(4534185)(4627221)(201703031133081)(201702281549075)(8990200)(5600148)(711020)(4605104)(1401327)(2017052603328)(7193020); SRVR:AM4PR07MB3204;
x-ms-traffictypediagnostic: AM4PR07MB3204:
x-ms-exchange-purlcount: 8
x-microsoft-antispam-prvs: <AM4PR07MB32048ED46AD7437EC136E61DA0FB0@AM4PR07MB3204.eurprd07.prod.outlook.com>
x-ms-oob-tlc-oobclassifiers: OLM:10000;
x-forefront-prvs: 00872B689F
x-forefront-antispam-report: SFV:NSPM; SFS:(10019020)(366004)(376002)(39860400002)(346002)(396003)(136003)(189003)(61684003)(199004)(13464003)(7736002)(6246003)(4326008)(81166006)(81156014)(305945005)(1556002)(25786009)(73956011)(26005)(6486002)(44736005)(229853002)(8676002)(5660300002)(61296003)(102836004)(66946007)(186003)(486006)(71200400001)(446003)(4720700003)(476003)(76176011)(68736007)(14444005)(81686011)(478600001)(6436002)(256004)(110136005)(8936002)(66556008)(81816011)(9686003)(14454004)(52116002)(386003)(53546011)(316002)(6506007)(53936002)(99286004)(6306002)(6512007)(44716002)(64756008)(66476007)(2906002)(62236002)(6116002)(50226002)(966005)(66446008)(86362001)(71190400001)(3846002)(14496001)(66066001)(74416001)(7726001); DIR:OUT; SFP:1102; SCL:1; SRVR:AM4PR07MB3204; H:AM4PR07MB3204.eurprd07.prod.outlook.com; FPR:; SPF:None; LANG:en; PTR:InfoNoRecords; MX:1; A:0;
received-spf: None (protection.outlook.com: btconnect.com does not designate permitted sender hosts)
x-ms-exchange-senderadcheck: 1
x-microsoft-antispam-message-info: M9CucrUDlKfIb8g45d4Y3mJHRcWlXEpJgLuxGYKCq1BExA9idQ16NkiP8LJ5DMDyTLl/NFMHXqhP2zKAGBF7/fK6ZUkv92G0D7GrsjqfJ1m++ttqTZtHUiz2fqL7Dw7Tg54UXxRzCLOza5tQhqxd3Rl9n0YjeBdX0WuU6KfIB2SCXHP29c1aVkKqlew2R9L2zUrVudgtf0bRHL/PxIZ5WWfJMfBfQt3Zk2z/XBqXTJwms34pbniGncze4sOjD4eSI6f5zE25JLlwJzb3phdDC0ZBU7NbaY/IqjtGWHLMWuP1sG/WODEMRcATE0n7eXGHozAy1lK8o12KL69SCFBFDcw7F7kjqzro8LR9V6Rx9rGNlJzstHs9/LLUp47QnnqD1MLDRgAP3NbPi8XIk83zf7Lk4eGBLjSbXMrsS8MoMUw=
Content-Type: text/plain; charset="gb2312"
Content-ID: <EB2D38A4BD61E24D8BA9BEEC91787A1E@eurprd07.prod.outlook.com>
Content-Transfer-Encoding: base64
MIME-Version: 1.0
X-OriginatorOrg: btconnect.com
X-MS-Exchange-CrossTenant-Network-Message-Id: b0a5ceda-24c2-45cf-a8c1-08d6ffa5844a
X-MS-Exchange-CrossTenant-originalarrivaltime: 03 Jul 2019 10:59:27.7014 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: cf8853ed-96e5-465b-9185-806bfe185e30
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-CrossTenant-userprincipalname: ietfc@btconnect.com
X-MS-Exchange-Transport-CrossTenantHeadersStamped: AM4PR07MB3204
Archived-At: <https://mailarchive.ietf.org/arch/msg/netconf/-Y41O06-m81zpAP3L_SXoGO06mw>
Subject: Re: [netconf] : I-D Action: draft-ietf-netconf-crypto-types-09.txt
X-BeenThere: netconf@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: NETCONF WG list <netconf.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/netconf>, <mailto:netconf-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/netconf/>
List-Post: <mailto:netconf@ietf.org>
List-Help: <mailto:netconf-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/netconf>, <mailto:netconf-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 03 Jul 2019 10:59:34 -0000
----- Original Message ----- From: "Wang Haiguang" <wang.haiguang.shieldlab@huawei.com> Sent: Wednesday, July 03, 2019 11:17 AM > Hi, all. > > I have some comments regarding the management of crypto algorithms used by different protocols such as TLS, IPSec and SSL. > > At the moment, different work group maintains own definitions regarding the crypto algorithms, including public key algorithms, key exchange algorithms, hash, mac, encryptions etc. > Each working group defined their own identifiers for crypto algorithms. In some group, crypto algorithms for authentication, encryption and key exchange etc. are defined separately while others may combined identifiers. > The current method requires additional efforts in each group for protocol development, and also in implementation and network management. > > A better way could be that the IETF security group define a unified crypto algorithm identifiers and register them with IANA. These crypto algorithm identifiers can be shared among different working groups in their future work. > The current draft-ietf-crypto-types provides valuable work the classification of crypto algorithms. > > I think we should discuss this point and make a decision whether we should get IANA registration numbers for different crypto algorithms in the coming face-to-face meeting. Yes:-) trouble is, WGs are independent and even if they are in the same area with the same AD, it can be a challenge to get a common approach. (I have been trying, mostly failing, to get a coordinated approach in Routing where an interface can have different attributes0. Here, there is also a technical challenge that the potential list of algorithms is long, different protocols have different views of what is current, what is obsolete and so on so we could and should create a list of everything we can think of and get a Security directorate view of which are acceptable, in terms of strength, for what; and, perhaps, add a tick list of which protocols use them, so that it is easy to extract all those with e.g. IPsec in the ticklist, for use by IPsec, which would be different list for those with NETCONF in the tick list. Then all we can do is make it easy to use, widely known about and encourage others to use - or tell us why not. But the first step, which, after much discussion, we have yet to take, is to create a list. I prefer multiple lists, for encrypt, MAC and so on, easier to maintain. Tom Petch > > Best regards. > > Haiguang > > > From: netconf [mailto:netconf-bounces@ietf.org] On Behalf Of Xialiang (Frank, Network Standard & Patent Dept) > Sent: Thursday, June 27, 2019 11:47 AM > To: Kent Watsen <kent+ietf@watsen.net>; Martin Bjorklund <mbj@tail-f.com> > Cc: netconf@ietf.org > Subject: [netconf] 答复: I-D Action: draft-ietf-netconf-crypto-types-09.txt > > Hi Martin, Kent and all, > Thanks for so productive discussion and clarification for our current problems and possible solution. And sorry for late response since I am out of office yesterday. > > Let me give more information for better understanding the difficulties we are facing, and hopeful a direction worth for going to. > > Please see inline: > > > 发件人: Kent Watsen [mailto:kent+ietf@watsen.net] > 发送时间: 2019年6月27日 8:06 > 收件人: Martin Bjorklund <mbj@tail-f.com<mailto:mbj@tail-f.com>> > 抄送: Xialiang (Frank, Network Standard & Patent Dept) <frank.xialiang@huawei.com<mailto:frank.xialiang@huawei.com>>; netconf@ietf.org<mailto:netconf@ietf.org> > 主题: Re: [netconf] I-D Action: draft-ietf-netconf-crypto-types-09.txt > > Hi Martin, > > 4) to enable the SSH and TLS models to use types defined in their > protocol specs, mapping tables were added to those drafts to map the > protocol-specific types to the generic crypto-types type. > > So perhaps this is not the best solution? The big set of types (in > crypto-types) will change over time, and the subsets used in various > applications will also change over time. The best solution for such > sets in the IETF seems to be IANA registries, with corresponding > IANA-maintained YANG modules. > > I'm hoping someone, perhaps my co-authors, can suggest a path forward. > > [Frank]: We mainly reference to these 3 IANA registries for define our crypto types in draft: > > 1. https://www.iana.org/assignments/tls-parameters/tls-parameters.xhtml: which includes TLS 1.2 and TLS 1.3. > > 2. https://www.iana.org/assignments/ikev2-parameters/ikev2-parameters.xhtml , https://tools.ietf.org/html/rfc8221-- crypto algorithms guidance for ESP and AH, https://tools.ietf.org/html/rfc8247-- crypto algorithms guidance for IKEv2: the 2 drafts are the latest recommendations for crypto algos of IPsec, so we mainly reference the definition in them; > > 3. https://www.iana.org/assignments/ssh-parameters/ssh-parameters.xhtml, https://tools.ietf.org/html/rfc4253 -- main SSH Spec, https://tools.ietf.org/html/rfc8332 -- new RSA with SHA256 and SHA512 for its authentication function: also, the 2 drafts are the main resource we have referenced. > > So, the above reference are all current input for the crypto type definition in the crypto types draft. Now, the 2 main difficulties for us are: > > 1. For the above 3 protocols and their respective and different crypto algorithm definition in each IANA registries, should we align our yang model to all of them, or only one of them? If the former, we must deal with the problem that same crypto algo has different IANA number in different IANA registries? > > 2. Considering TLS 1.2, which uses a combined way to represent different types of crypto into one IANA number (e.g., TLS_DHE_RSA_WITH_AES_128_GCM_SHA256). That is against our crypto type definition principle (IPsec and SSH are all aligned): atomic, which means we are currently define 7 categories of crypto type: Hash Algorithms, Asymmetric Key Algorithms, MAC Algorithms, Encryption Algorithms, Encryption and MAC Algorithms, Signature Algorithms and Key Exchange Algorithms. So, how should we map our crypto type definition back to TLS 1.2 IANA numbers? > > After clarifying our problems, I want to ask if we can solve them by this way: we yang guys define a crypto type yang IANA registries, which can keep on being aligned with all the related protocols’ IANA registries, but have its own IANA number for each crypto algorithms. So, our draft just need to follow this IANA registries. > > 8) our efforts to normalize this may be futile, and yet we want to > support keystore. > > Perhaps we can take a step back and define just the types we need > right now for keystore, in order to finish these drafts. Then we (or > some other WG) can immediately start to work on an update to > crypto-types that would define more types for other purposes as well. > > Maybe, depending on how that turns out, it may be trivial to extend the approach to cover everything. > > [Frank]: based on my clarification above, even we have TLS and SSH now, we still have to deal with the aforementioned 2 difficulties. If so, why not do it right at start time? > > > B.R. > Frank > > Kent // contributor > ------------------------------------------------------------------------ -------- > _______________________________________________ > netconf mailing list > netconf@ietf.org > https://www.ietf.org/mailman/listinfo/netconf >
- [netconf] I-D Action: draft-ietf-netconf-crypto-t… internet-drafts
- Re: [netconf] I-D Action: draft-ietf-netconf-cryp… Kent Watsen
- [netconf] 答复: I-D Action: draft-ietf-netconf-cryp… Xialiang (Frank, Network Standard & Patent Dept)
- Re: [netconf] 答复: I-D Action: draft-ietf-netconf-… Wang Haiguang
- Re: [netconf] I-D Action: draft-ietf-netconf-cryp… Martin Bjorklund
- [netconf] 答复: I-D Action: draft-ietf-netconf-cryp… Xialiang (Frank, Network Standard & Patent Dept)
- Re: [netconf] 答复: I-D Action: draft-ietf-netconf-… Martin Bjorklund
- Re: [netconf] I-D Action: draft-ietf-netconf-cryp… Kent Watsen
- Re: [netconf] I-D Action: draft-ietf-netconf-cryp… Martin Bjorklund
- [netconf] 答复: 答复: I-D Action: draft-ietf-netconf-… Xialiang (Frank, Network Standard & Patent Dept)
- Re: [netconf] 答复: 答复: I-D Action: draft-ietf-netc… Martin Bjorklund
- Re: [netconf] I-D Action: draft-ietf-netconf-cryp… Kent Watsen
- Re: [netconf] I-D Action: draft-ietf-netconf-cryp… Martin Bjorklund
- Re: [netconf] I-D Action: draft-ietf-netconf-cryp… Kent Watsen
- [netconf] 答复: I-D Action: draft-ietf-netconf-cryp… Xialiang (Frank, Network Standard & Patent Dept)
- Re: [netconf] 答复: I-D Action: draft-ietf-netconf-… Wang Haiguang
- Re: [netconf] : I-D Action: draft-ietf-netconf-cr… tom petch
- [netconf] 答复: : I-D Action: draft-ietf-netconf-cr… Xialiang (Frank, Network Standard & Patent Dept)
- Re: [netconf] : I-D Action: draft-ietf-netconf-cr… Wang Haiguang
- [netconf] algorithms in crypto-types Kent Watsen