Re: [netconf] : I-D Action: draft-ietf-netconf-crypto-types-09.txt

tom petch <> Wed, 03 July 2019 10:59 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 9EF9B12021C for <>; Wed, 3 Jul 2019 03:59:33 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: 0.248
X-Spam-Status: No, score=0.248 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, RATWARE_MS_HASH=2.148, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=no autolearn_force=no
Authentication-Results: (amavisd-new); dkim=pass (1024-bit key)
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id 8cE03jISx4EK for <>; Wed, 3 Jul 2019 03:59:31 -0700 (PDT)
Received: from ( []) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)) (No client certificate requested) by (Postfix) with ESMTPS id 3FE0A12004F for <>; Wed, 3 Jul 2019 03:59:30 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=selector1-btconnect-onmicrosoft-com; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=7x3Yh8imFnYAWLqd8Z9p6xFXxFPOHDXXKM+7WR9Jpq8=; b=OL+I4eGQg8By5CTYJhj3/9nbr7m9hKVAiKVxgPHPyaxJ6Uwkq7MfpXQRWCrVcn0KVP+kqzFUQgV5tIIgb1E5rkBZJSQ6QKWKv5Bg+9+yEH0A6fe0vaHgG0ChjtV5+qH43JPPeGV28mL4mvouHSRw5ukKb+KJYsBKJXhRr3Qj6yo=
Received: from ( by ( with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.2052.14; Wed, 3 Jul 2019 10:59:28 +0000
Received: from ([fe80::1155:d23c:a062:b960]) by ([fe80::1155:d23c:a062:b960%7]) with mapi id 15.20.2052.010; Wed, 3 Jul 2019 10:59:27 +0000
From: tom petch <>
To: Wang Haiguang <>, "Xialiang (Frank, Network Standard & Patent Dept)" <>, Kent Watsen <>, Martin Bjorklund <>
CC: "" <>
Thread-Topic: [netconf] : I-D Action: draft-ietf-netconf-crypto-types-09.txt
Thread-Index: AQHVMY5h3RGsGK97y063XW8WXl0KJQ==
Date: Wed, 03 Jul 2019 10:59:27 +0000
Message-ID: <077201d5318e$5ed91620$>
References: <> <> <> <> <> <> <>
Accept-Language: en-GB, en-US
Content-Language: en-US
x-clientproxiedby: LO2P265CA0063.GBRP265.PROD.OUTLOOK.COM (2603:10a6:600:60::27) To (2603:10a6:205:8::29)
authentication-results: spf=none (sender IP is );
x-ms-exchange-messagesentrepresentingtype: 1
x-mailer: Microsoft Outlook Express 6.00.2800.1106
x-originating-ip: []
x-ms-publictraffictype: Email
x-ms-office365-filtering-correlation-id: b0a5ceda-24c2-45cf-a8c1-08d6ffa5844a
x-microsoft-antispam: BCL:0; PCL:0; RULEID:(2390118)(7020095)(4652040)(8989299)(4534185)(4627221)(201703031133081)(201702281549075)(8990200)(5600148)(711020)(4605104)(1401327)(2017052603328)(7193020); SRVR:AM4PR07MB3204;
x-ms-traffictypediagnostic: AM4PR07MB3204:
x-ms-exchange-purlcount: 8
x-microsoft-antispam-prvs: <>
x-ms-oob-tlc-oobclassifiers: OLM:10000;
x-forefront-prvs: 00872B689F
x-forefront-antispam-report: SFV:NSPM; SFS:(10019020)(366004)(376002)(39860400002)(346002)(396003)(136003)(189003)(61684003)(199004)(13464003)(7736002)(6246003)(4326008)(81166006)(81156014)(305945005)(1556002)(25786009)(73956011)(26005)(6486002)(44736005)(229853002)(8676002)(5660300002)(61296003)(102836004)(66946007)(186003)(486006)(71200400001)(446003)(4720700003)(476003)(76176011)(68736007)(14444005)(81686011)(478600001)(6436002)(256004)(110136005)(8936002)(66556008)(81816011)(9686003)(14454004)(52116002)(386003)(53546011)(316002)(6506007)(53936002)(99286004)(6306002)(6512007)(44716002)(64756008)(66476007)(2906002)(62236002)(6116002)(50226002)(966005)(66446008)(86362001)(71190400001)(3846002)(14496001)(66066001)(74416001)(7726001); DIR:OUT; SFP:1102; SCL:1; SRVR:AM4PR07MB3204;; FPR:; SPF:None; LANG:en; PTR:InfoNoRecords; MX:1; A:0;
received-spf: None ( does not designate permitted sender hosts)
x-ms-exchange-senderadcheck: 1
x-microsoft-antispam-message-info: M9CucrUDlKfIb8g45d4Y3mJHRcWlXEpJgLuxGYKCq1BExA9idQ16NkiP8LJ5DMDyTLl/NFMHXqhP2zKAGBF7/fK6ZUkv92G0D7GrsjqfJ1m++ttqTZtHUiz2fqL7Dw7Tg54UXxRzCLOza5tQhqxd3Rl9n0YjeBdX0WuU6KfIB2SCXHP29c1aVkKqlew2R9L2zUrVudgtf0bRHL/PxIZ5WWfJMfBfQt3Zk2z/XBqXTJwms34pbniGncze4sOjD4eSI6f5zE25JLlwJzb3phdDC0ZBU7NbaY/IqjtGWHLMWuP1sG/WODEMRcATE0n7eXGHozAy1lK8o12KL69SCFBFDcw7F7kjqzro8LR9V6Rx9rGNlJzstHs9/LLUp47QnnqD1MLDRgAP3NbPi8XIk83zf7Lk4eGBLjSbXMrsS8MoMUw=
Content-Type: text/plain; charset="gb2312"
Content-ID: <>
Content-Transfer-Encoding: base64
MIME-Version: 1.0
X-MS-Exchange-CrossTenant-Network-Message-Id: b0a5ceda-24c2-45cf-a8c1-08d6ffa5844a
X-MS-Exchange-CrossTenant-originalarrivaltime: 03 Jul 2019 10:59:27.7014 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: cf8853ed-96e5-465b-9185-806bfe185e30
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-Transport-CrossTenantHeadersStamped: AM4PR07MB3204
Archived-At: <>
Subject: Re: [netconf] : I-D Action: draft-ietf-netconf-crypto-types-09.txt
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: NETCONF WG list <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Wed, 03 Jul 2019 10:59:34 -0000

----- Original Message -----
From: "Wang Haiguang" <>
Sent: Wednesday, July 03, 2019 11:17 AM

> Hi, all.
> I have some comments regarding the management of crypto algorithms
used by different protocols such as TLS, IPSec and SSL.
> At the moment, different work group maintains own definitions
regarding the crypto algorithms, including public key algorithms, key
exchange algorithms, hash, mac, encryptions etc.
> Each working group defined their own identifiers for crypto
algorithms. In some group, crypto algorithms for authentication,
encryption and key exchange etc. are defined separately while others may
combined identifiers.
> The current method requires additional efforts in each group for
protocol development, and also in implementation and network management.
> A better way could be that the IETF security group define a unified
crypto algorithm identifiers and register them with IANA. These crypto
algorithm identifiers can be shared among  different working groups in
their future work.
> The current draft-ietf-crypto-types provides valuable work the
classification of crypto algorithms.
> I think we should discuss this point and make a decision whether we
should get IANA registration numbers for different crypto algorithms in
the coming face-to-face meeting.

Yes:-) trouble is, WGs are independent and even if they are in the same
area with the same AD, it can be a challenge to get a common approach.
(I have been trying, mostly failing, to get a coordinated approach in
Routing where an interface can have different attributes0.

Here, there is also a technical challenge that the potential list of
algorithms is long, different protocols have different views of what is
current, what is obsolete and so on so we could and should create a list
of everything we can think of and get a Security directorate view of
which are acceptable, in terms of strength, for what; and, perhaps, add
a tick list of which protocols use them, so that it is easy to extract
all those with e.g. IPsec in the ticklist, for use by IPsec, which would
be different list for those with NETCONF in the tick list.

Then all we can do is make it easy to use, widely known about and
encourage others to use - or tell us why not.

But the first step, which, after much discussion, we have yet to take,
is to create a list. I prefer multiple lists, for encrypt, MAC and so
on, easier to maintain.

Tom Petch

> Best regards.
> Haiguang
> From: netconf [] On Behalf Of Xialiang
(Frank, Network Standard & Patent Dept)
> Sent: Thursday, June 27, 2019 11:47 AM
> To: Kent Watsen <>; Martin Bjorklund
> Cc:
> Subject: [netconf] 答复: I-D Action:
> Hi Martin, Kent and all,
> Thanks for so productive discussion and clarification for our current
problems and possible solution. And sorry for late response since I am
out of office yesterday.
> Let me give more information for better understanding the difficulties
we are facing, and hopeful a direction worth for going to.
> Please see inline:
> 发件人: Kent Watsen []
> 发送时间: 2019年6月27日 8:06
> 收件人: Martin Bjorklund <<>>
> 抄送: Xialiang (Frank, Network Standard & Patent Dept)
> 主题: Re: [netconf] I-D Action: draft-ietf-netconf-crypto-types-09.txt
> Hi Martin,
> 4) to enable the SSH and TLS models to use types defined in their
> protocol specs, mapping tables were added to those drafts to map the
> protocol-specific types to the generic crypto-types type.
> So perhaps this is not the best solution?  The big set of types (in
> crypto-types) will change over time, and the subsets used in various
> applications will also change over time.  The best solution for such
> sets in the IETF seems to be IANA registries, with corresponding
> IANA-maintained YANG modules.
> I'm hoping someone, perhaps my co-authors, can suggest a path forward.
> [Frank]: We mainly reference to these 3 IANA registries for define our
crypto types in draft:
> 1.
which includes TLS 1.2 and TLS 1.3.
> 2.
, crypto algorithms guidance for
ESP and AH, crypto algorithms
guidance for IKEv2: the 2 drafts are the latest recommendations for
crypto algos of IPsec, so we mainly reference the definition in them;
> 3., -- main SSH Spec, -- new RSA with SHA256 and SHA512
for its authentication function: also, the 2 drafts are the main
resource we have referenced.
> So, the above reference are all current input for the crypto type
definition in the crypto types draft. Now, the 2 main difficulties for
us are:
> 1.       For the above 3 protocols and their respective and different
crypto algorithm definition in each IANA registries, should we align our
yang model to all of them, or only one of them? If the former, we must
deal with the problem that same crypto algo has different IANA number in
different IANA registries?
> 2.       Considering TLS 1.2, which uses a combined way to represent
different types of crypto into one IANA number (e.g.,
TLS_DHE_RSA_WITH_AES_128_GCM_SHA256). That is against our crypto type
definition principle (IPsec and SSH are all aligned): atomic, which
means we are currently define 7 categories of crypto type: Hash
Algorithms, Asymmetric Key Algorithms, MAC Algorithms, Encryption
Algorithms, Encryption and MAC Algorithms, Signature Algorithms and Key
Exchange Algorithms. So, how should we map our crypto type definition
back to TLS 1.2 IANA numbers?
> After clarifying our problems, I want to ask if we can solve them by
this way: we yang guys define a crypto type yang IANA registries, which
can keep on being aligned with all the related protocols’ IANA
registries, but have its own IANA number for each crypto algorithms. So,
our draft just need to follow this IANA registries.
> 8) our efforts to normalize this may be futile, and yet we want to
> support keystore.
> Perhaps we can take a step back and define just the types we need
> right now for keystore, in order to finish these drafts.  Then we (or
> some other WG) can immediately start to work on an update to
> crypto-types that would define more types for other purposes as well.
> Maybe, depending on how that turns out, it may be trivial to extend
the approach to cover everything.
> [Frank]: based on my clarification above, even we have TLS and SSH
now, we still have to deal with the aforementioned 2 difficulties. If
so, why not do it right at start time?
> B.R.
> Frank
> Kent // contributor


> _______________________________________________
> netconf mailing list