Re: [netconf] Roman Danyliw's Discuss on draft-ietf-netconf-crypto-types-29: (with DISCUSS and COMMENT)

Roman Danyliw <rdd@cert.org> Thu, 08 February 2024 19:27 UTC

From: Roman Danyliw <rdd@cert.org>
To: Kent Watsen <kent@watsen.net>
CC: The IESG <iesg@ietf.org>, "draft-ietf-netconf-crypto-types@ietf.org" <draft-ietf-netconf-crypto-types@ietf.org>, "netconf-chairs@ietf.org" <netconf-chairs@ietf.org>, "netconf@ietf.org" <netconf@ietf.org>
Date: Thu, 08 Feb 2024 19:27:48 +0000
Message-ID: <BN2P110MB1107B45FA9BD7BEA8001BC8BDC44A@BN2P110MB1107.NAMP110.PROD.OUTLOOK.COM>
References: <170656963762.34041.922180093314268674@ietfa.amsl.com> <0100018d607eee07-04a9a8b6-3256-42d4-95e7-e9636b953246-000000@email.amazonses.com>
In-Reply-To: <0100018d607eee07-04a9a8b6-3256-42d4-95e7-e9636b953246-000000@email.amazonses.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/netconf/0m6U5mVO_7wBOVb8m195OCkrvDs>
List-Id: NETCONF WG list <netconf.ietf.org>

Hi Kent!

Thanks for your detailed response and for producing -30.  I've cleared my DISCUSS position.  One response below to a COMMENT ...

> -----Original Message-----
> From: iesg <iesg-bounces@ietf.org> On Behalf Of Kent Watsen
> Sent: Wednesday, January 31, 2024 12:09 PM
> To: Roman Danyliw <rdd@cert.org>
> Cc: The IESG <iesg@ietf.org>; draft-ietf-netconf-crypto-types@ietf.org;
> netconf-chairs@ietf.org; netconf@ietf.org
> Subject: Re: [netconf] Roman Danyliw's Discuss on draft-ietf-netconf-crypto-types-29: (with DISCUSS and COMMENT)

[snip]

> > ** Section 3.5.
> >   When accessing key values, it is desirable that implementations
> >   ensure that the strength of the keys being accessed is not greater
> >   than the strength of the underlying secure transport connection over
> >   which the keys are conveyed.  However, comparing key strengths can be
> >   complicated and difficult to implement in practice.
> >
> > I don’t understand the guidance in this section.  I would have
> > benefited from clarity in the following areas.
> >
> > -- Explain the impact of using keys whose strength exceeds the
> > underlying transport connection (i.e., it doesn’t offer more security)
> >
> > -- The verb “accessing” is confusing.  Let’s say that an
> > implementation notices a discrepancy between key strength, what is it
> supposed to do?
> >
> > -- The last sentence (“However, comparing ...) seems to acknowledge
> > (correctly) that this advice might not be practical.  Is the WG sure the text is
> needed?

I appreciate the revised text.  I'm still not clear on what action implementations should take on detection of the mismatch.

> > ** Section 3.5.
> >   That said, expert Security opinion suggests that already it is
> >   infeasible to break a 128-bit symmetric key using a classical
> >   computer, and thus the concern for conveying higher-strength keys
> >   begins to lose its allure.
> >
> > Recommend removing this generic statement.  There would be a variety
> > of reasons operators might choose to use symmetric keys in excess of
> > 128-bits, policy being one of them.
> 
> I’m happy to remove Section 3.5 (Strength of Keys Conveyed) entirely.
> 
> IDK if there is any value to keeping it.   I only added it because it is something
> I remembered from a past life.  No one ever asked me to add this Section...
> 
> Is my understanding from your "Is the WG sure the text is needed?” above that
> you lean towards removing Section 3.5?

Exactly.  I didn't find the guidance actionable.


> > ** Section 3.6
> >   Implementations SHOULD only use secure transport protocols meeting
> >   local policy.  A reasonable policy may, e.g., state that only
> >   ciphersuites listed as "recommended" by the IETF be used (e.g.,
> >   [RFC7525] for TLS).
> >
> > -- Would there be instances where implementation would use secure
> > transport that _doesn’t_ meet local policy?
> 
> Shouldn’t be, but maybe a rogue new employee doesn’t know it ;)
> 
> Is your point that we should s/SHOULD/MUST/ here?

Yes, exactly.

> > -- RFC7525 has been obsoleted.  s/RFC7525/RFC9325/
> Updated - thanks!

Roman
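The Section 3.6 exchange above turns on one concrete point: an implementation conveying key material MUST use a secure transport that meets local policy, with "only IETF-recommended ciphersuites" (RFC 9325 for TLS) given as a reasonable policy. The following is an added example of what that check looks like in code; it is not part of the draft, the thread, or any NETCONF implementation. It uses Python's standard `ssl` module. The allowlist is my reading of the suites RFC 9325 Section 4.2 marks as recommended and stands in for whatever the operator's real policy says; `iana_name` is a helper of my own that maps the OpenSSL-style names `ssl.SSLSocket.cipher()` returns for TLS 1.2 onto IANA registry names, and it is only exact for the AEAD suites a policy like this would allow.

```python
"""Enforce a local TLS transport policy before carrying key material.

Added example, not code from draft-ietf-netconf-crypto-types or any IETF
implementation.  The allowlist is an assumption: my reading of the suites
RFC 9325 Section 4.2 recommends, standing in for an operator's own policy.
"""
import ssl

# Assumption: suites RFC 9325 marks as recommended.  Replace with local policy.
RFC9325_RECOMMENDED = frozenset({
    # TLS 1.2 (all forward-secret, all AEAD)
    "TLS_DHE_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_DHE_RSA_WITH_AES_256_GCM_SHA384",
    "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
    "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
    "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
    # TLS 1.3
    "TLS_AES_128_GCM_SHA256",
    "TLS_AES_256_GCM_SHA384",
    "TLS_CHACHA20_POLY1305_SHA256",
})
ALLOWED_VERSIONS = frozenset({"TLSv1.2", "TLSv1.3"})


def iana_name(openssl_name: str) -> str:
    """Map an OpenSSL suite name (what SSLSocket.cipher() returns for TLS 1.2,
    e.g. 'ECDHE-RSA-AES256-GCM-SHA384') to its IANA name.  TLS 1.3 names are
    already in IANA form and pass through.  Hypothetical helper; exact for the
    AEAD suites above, approximate for legacy CBC suites (which fail the policy
    check either way)."""
    if openssl_name.startswith("TLS_"):
        return openssl_name
    kx, cipher = [], []
    for tok in openssl_name.split("-"):
        # Key-exchange tokens come first; the bulk cipher token starts the rest.
        if cipher or tok.startswith(("AES", "CHACHA20")):
            cipher.append(tok)
        else:
            kx.append(tok)
    if not kx:                       # OpenSSL omits the kx part for plain RSA
        kx = ["RSA"]
    # AES128 -> AES_128 to match the IANA spelling
    cipher = ["AES_" + t[3:] if t.startswith("AES") and t[3:].isdigit() else t
              for t in cipher]
    if cipher[0] == "CHACHA20" and not cipher[-1].startswith("SHA"):
        cipher.append("SHA256")      # IANA names spell out the PRF hash
    return "TLS_" + "_".join(kx) + "_WITH_" + "_".join(cipher)


def is_policy_compliant(version: str, cipher_name: str,
                        policy=RFC9325_RECOMMENDED) -> bool:
    """True only if both the protocol version and the negotiated suite are
    inside the local policy."""
    return version in ALLOWED_VERSIONS and iana_name(cipher_name) in policy


def policy_context() -> ssl.SSLContext:
    """Client context that cannot negotiate below the policy in the first place.
    set_ciphers() governs only TLS 1.2 suites; TLS 1.3 suites are fixed by
    OpenSSL and are re-checked after the handshake by verify_negotiated()."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.set_ciphers("ECDHE+AESGCM:DHE+AESGCM:!aNULL:!eNULL")
    return ctx


def verify_negotiated(sock: ssl.SSLSocket) -> None:
    """Post-handshake gate: refuse to send or receive keys over a session that
    ended up outside policy (e.g. because the context was built elsewhere)."""
    name, version, _bits = sock.cipher()
    if not is_policy_compliant(version, name):
        sock.close()
        raise ssl.SSLError(f"transport {version}/{name} violates local policy")
```

In practice both halves matter: `policy_context()` keeps the handshake from negotiating a weak suite at all, and `verify_negotiated()` is the belt-and-braces check for the case Kent jokes about, where a session was set up by code that never saw the policy. Wiring it in is a single call right after `wrap_socket()` returns and before the first `<get>`/`<edit-config>` carrying key material is sent.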