Re: [netconf] netconf-tls wasRe: Summary of updates

tom petch <ietfc@btconnect.com> Tue, 25 May 2021 09:50 UTC

From: tom petch <ietfc@btconnect.com>
To: Kent Watsen <kent+ietf@watsen.net>
CC: "netconf@ietf.org" <netconf@ietf.org>, "garywu@cisco.com" <garywu@cisco.com>
Date: Tue, 25 May 2021 09:50:44 +0000
Message-ID: <AM7PR07MB624878220E9E03CAA2375C8EA0259@AM7PR07MB6248.eurprd07.prod.outlook.com>
References: <0100017980c49236-7975b99d-b591-4da2-a118-f6598517c4e5-000000@email.amazonses.com> <AM7PR07MB624835D8BE54144D97221817A02B9@AM7PR07MB6248.eurprd07.prod.outlook.com> <010001798c0d947e-4d2d14f5-9f0e-450d-ac99-e18c260f0c2b-000000@email.amazonses.com> <AM7PR07MB6248FF0E1E5A053D4FA2BDC4A0299@AM7PR07MB6248.eurprd07.prod.outlook.com> <AM7PR07MB6248C43AF481F5A94D2041DAA0269@AM7PR07MB6248.eurprd07.prod.outlook.com>, <01000179a0c32a2e-d0bce1e5-c006-4550-aebf-29b903643b4c-000000@email.amazonses.com>
In-Reply-To: <01000179a0c32a2e-d0bce1e5-c006-4550-aebf-29b903643b4c-000000@email.amazonses.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/netconf/1vwdZqmPkqS6_e3gdvBuwvUUeqw>
Subject: Re: [netconf] netconf-tls wasRe: Summary of updates

From: Kent Watsen <kent+ietf@watsen.net>
Sent: 25 May 2021 00:43

[CC-ing Gary again...]

Hi Tom,

I still think that the I-D lacks clarity about supported versions.

<tp2.0>
OK, some references.

Grepping for the string “tp2.0” returns no results.


tlscmn

tls-ecc
needs RFC8446

Why?  8446 refs and defers to 8422, right?
<tp>
wrong IMHO; look at the title of 8422 - "Versions 1.2 and earlier"


tls-dhe
needs 8446

Okay, 8446 obsoletes 5246.
<tp>
Right, but I think you need both.  The I-D currently highlights 1.2 and mostly ignores 1.3, where I think they should have equal billing; and since they are so different, a reference to 1.3 alone is inadequate, so my default position is that both 5246 and 8446 are needed.


tls-3des
ok no support in 1.3

Ack.  Unmodified.



tls-gcm
needs 8446

Okay, but it’s strange that 8446 doesn’t ref/obsolete 5288…I guess because it uses the NIST “GCM” ref instead…perhaps this draft should as well?
<tp>
Well, where do you stop? As above, I think that every 5246 needs an 8446 alongside it unless one version does not support the functionality, but that is as far as I would go.


identity ciphersuite
I do not see the 1.3 values from 8446 B.4

grepping for “ciphersuite” returns no matches…?
<tp>
Bear in mind that 1.3 changes everything it can - try 'cipher suite'



hello-params
needs 8446

Added.


tls-client
I note that the feature statements do not have references which some YANG doctors say they should have.

Added (for X.509, PSK, and RPK).


container client-identity
needs 8446 and a reference in the body to 8446 s.4.4.2

Added.


case psk
needs Normative References to the two
draft-ietf-tls-external-psk-*

“external-psk-guidance” is Informational and “external-psk-importer”, while Standards Track, only regards an interface for importing the PSKs into TLS.  It seems that the existing ref to RFC 4279 (which is NOT obsolete) is pretty good, right?

<tp>
Disagree.  The cipher suites of 4279 are invalid with 1.3.  1.3 sort of does away with PSK except where there has been a full handshake from which a PSK can be derived for resumption.  1.3 imposes limits on the use of a PSK across versions and with different algorithms, which is what I see the two I-Ds as addressing.

Tom Petch

tls-server

container server-identity
as client-identity

Added.


case psk
as for tls-client

Same.


Tom Petch

THANK YOU!

Updates can be found in https://github.com/netconf-wg/tls-client-server/commit/b94588b5a33c0852cfacbc415ca0a626bc1c5763.


K.
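As an added illustration of the referencing pattern argued over in this thread (cite both RFC 5246 and RFC 8446 wherever both TLS 1.2 and TLS 1.3 support the functionality, and cite only one version's RFC where only that version supports it, as with 3DES), here is a hypothetical YANG fragment. It is not text from the tls-client-server draft or its ietf-tls-common module: the module name, prefix and identity names are placeholders chosen for this example, and the cipher-suite names are taken from the RFCs named above (5246, 5288, 8446 Appendix B.4 and 4279).

```yang
// Hypothetical module for illustration only; not the draft's text.
module example-tls-cipher-suites {
  yang-version 1.1;
  namespace "urn:example:tls-cipher-suites";
  prefix extls;

  // Algorithm-family identities. Where TLS 1.2 and TLS 1.3 both
  // support the family, both RFCs are cited; where only one version
  // does, only that version's RFC is cited.
  identity tls-gcm {
    description
      "AES-GCM cipher suites. Defined for TLS 1.2 by RFC 5288 and
       for TLS 1.3 by RFC 8446 (different suite names in each).";
    reference
      "RFC 5288: AES Galois Counter Mode (GCM) Cipher Suites for TLS
       RFC 8446: The Transport Layer Security (TLS) Protocol Version 1.3";
  }

  identity tls-3des {
    description
      "3DES cipher suites. TLS 1.2 only; TLS 1.3 defines no 3DES
       suite, so RFC 8446 is deliberately not cited here.";
    reference
      "RFC 5246: The Transport Layer Security (TLS) Protocol Version 1.2";
  }

  // Concrete cipher-suite identities (placeholder base identity).
  identity cipher-suite-base {
    description "Base identity for concrete TLS cipher suites.";
  }

  identity TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 {
    base cipher-suite-base;
    description "TLS 1.2 AES-GCM cipher suite.";
    reference
      "RFC 5288: AES Galois Counter Mode (GCM) Cipher Suites for TLS";
  }

  identity TLS_AES_128_GCM_SHA256 {
    base cipher-suite-base;
    description "TLS 1.3 cipher suite (RFC 8446, Appendix B.4).";
    reference
      "RFC 8446: The Transport Layer Security (TLS) Protocol Version 1.3";
  }

  identity TLS_PSK_WITH_AES_128_CBC_SHA {
    base cipher-suite-base;
    description
      "TLS 1.2 PSK cipher suite. Not valid with TLS 1.3, so only the
       TLS 1.2-era reference applies.";
    reference
      "RFC 4279: Pre-Shared Key Ciphersuites for Transport Layer
       Security (TLS)";
  }
}
```

The point the fragment makes is that the `reference` statement is where a reader of the module learns which protocol version each identity applies to; an identity that cites only RFC 5246 reads as TLS 1.2-only, which is correct for 3DES but misleading for a family such as AES-GCM that TLS 1.3 also supports.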