Re: [netconf] WGLC on draft-ietf-netconf-over-tls13

Sean Turner <sean@sn3rd.com> Thu, 09 February 2023 18:32 UTC

From: Sean Turner <sean@sn3rd.com>
In-Reply-To: <20230125143234.vrygt7h34codgs2c@anna>
Date: Thu, 09 Feb 2023 13:32:39 -0500
Cc: Kent Watsen <kent+ietf@watsen.net>, "netconf@ietf.org" <netconf@ietf.org>
Message-Id: <09E3A8B3-91B8-4ACA-8E9C-792E4DBCD62F@sn3rd.com>
References: <01000185988718f9-8bf57d79-4101-4bfb-a8a9-063e7d56e858-000000@email.amazonses.com> <20230125143234.vrygt7h34codgs2c@anna>
To: Jürgen Schönwälder <j.schoenwaelder@jacobs-university.de>
Archived-At: <https://mailarchive.ietf.org/arch/msg/netconf/2_OtB8DRidoiBueGStetS8UIXQ4>
Subject: Re: [netconf] WGLC on draft-ietf-netconf-over-tls13

Jürgen,

Thanks for your review. Responses below.

I’ll let these and the other PRs settle for a week before merging.

spt

> On Jan 25, 2023, at 09:32, Jürgen Schönwälder <j.schoenwaelder@jacobs-university.de> wrote:
> 
> On Mon, Jan 09, 2023 at 09:54:28PM +0000, Kent Watsen wrote:
>> We are starting a 2 week WGLC on:
>> 	- draft-ietf-netconf-over-tls13-01. 
>> 
>> The document can be found here:
>> 	https://datatracker.ietf.org/doc/draft-ietf-netconf-over-tls13
>> 
>> Please respond on this thread indicating your support or concerns about why this document should/should not be adopted.
>> 
>> We are particularly interested in statement of the form:
>> 	- I have reviewed the draft and found no issues. 
>> 	- I have reviewed the draft and found the following issues …
>> 
>> This WGLC will conclude on Monday, January 23.   
> 
> I have reviewed the document and I believe that what it technically
> aims to achieve is OK and on track, but the document itself is not ready.
> 
> - Does this document formally update RFC 7589? I am aware that updates
>  means many different things (extending, depending-on, rewriting
>  parts) so I should probably not even ask this question. ;-) But my
>  gut feeling is that you really want a formal Updates: RFC 7589 here.

We were purposely trying to avoid updating RFC 7589, because we were trying to stay out of picking the MTI protocol. But based on a suggestion in UTA about how to deal with a similar update for syslog, I think we could follow the recommendations in RFC 9325 and not have to get embroiled in a lengthy debate, because RFC 9325 is BCP 195:

*  Implementations MUST support TLS 1.2 [RFC5246].
*  Implementations SHOULD support TLS 1.3 [RFC8446] and, if
  implemented, MUST prefer to negotiate TLS 1.3 over earlier
  versions of TLS.

The following PR includes the proposed changes:
https://github.com/netconf-wg/netconf-over-tls13/pull/11

The change of course opens a can of worms. Do we change the TLS 1.2 MTI cipher suite? The MTI cipher suite based on RFC 7589 (and this PR) is TLS_RSA_WITH_AES_128_CBC_SHA. There is no chance that cipher suite makes it through the IESG at this point. We could change it to what’s in RFC 9325. I understand why RFC 7589 did not make the 7525 recommendations a MUST; when RFC 7589 was published, RFC 7525 was pretty new. However, it’s been almost 8 years since then, so I am hoping some of the recommendations (2 of the four recommended in 2015 are still there) are widely supported. If that’s the case, then maybe the 1st para should be:

Implementations MUST support TLS 1.2 {{RFC5246}}. The mandatory-to-implement
cipher suite is TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256. Implementations
SHOULD follow the recommendations given in [RFC9325].

> - As already noted by others, there is colloquial discussion around
>  Section 9.1 of I-D.ietf-tls-rfc8446bis in the document that one
>  would not expect in a WG last call document.

Yep, deleting it. The section kind of did its job, i.e., “made you look” :)
The following PR removes it:
https://github.com/netconf-wg/netconf-over-tls13/pull/7

> - In the Security Considerations, what does 'please review' really
>  mean? Is it required or expected to do what the referenced documents
>  say or are these just some reading suggestions that can be ignored?
>  I would prefer to see much clearer guidelines, in particular since
>  we talk about security.

I guess this didn’t bother me as much as some; when I read “the security considerations of RFCxyz apply”, that’s pretty much the same thing as “Please review RFCxyz”. But I can swap it out for the more common language. Note that because it’s an update, the security considerations actually got a lot shorter because we copied a lot of them over. Here’s a PR to address this:
https://github.com/netconf-wg/netconf-over-tls13/pull/10

> - Editorial: Fix the following "describes defines" double verb.

Please see:
https://github.com/netconf-wg/netconf-over-tls13/pull/9

> /js
> 
> -- 
> Jürgen Schönwälder              Constructor University Bremen gGmbH
> Phone: +49 421 200 3587         Campus Ring 1 | 28759 Bremen | Germany
> Fax:   +49 421 200 3103         <https://www.jacobs-university.de/>
> 
> _______________________________________________
> netconf mailing list
> netconf@ietf.org
> https://www.ietf.org/mailman/listinfo/netconf
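The proposed MTI text above (TLS 1.2 required, TLS 1.3 preferred, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 replacing TLS_RSA_WITH_AES_128_CBC_SHA) is easy to get wrong in a deployment, so here is an added example of how an implementer might check it. It is not code from the draft, the PRs, or the thread participants. It builds a server-side context with Python's standard ssl module, lists the TLS 1.2 suites that context would actually offer, and classifies IANA suite names with a simplified reading of the BCP 195 (RFC 9325) guidance: ephemeral key exchange, AEAD, no RSA key transport. That classifier is the author's approximation, not a transcription of the RFC text, and the IANA-to-OpenSSL name mapping covers only the two suites named in the thread.

```python
"""Added example: configure and inspect a NETCONF-over-TLS server context
following the proposed MTI text (TLS 1.2 floor, TLS 1.3 preferred,
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 as the TLS 1.2 MTI suite).

The BCP 195 check is a simplified reading of RFC 9325 (ephemeral key
exchange, AEAD cipher, no static RSA key transport), not the RFC's wording.
"""
import ssl

# Suites named in the thread (IANA spelling).
OLD_MTI = "TLS_RSA_WITH_AES_128_CBC_SHA"            # RFC 7589 MTI
NEW_MTI = "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"   # proposed MTI

# Python's ssl module reports OpenSSL names, not IANA names.
# Assumption: only the two suites from the thread are mapped here.
IANA_TO_OPENSSL = {
    OLD_MTI: "AES128-SHA",
    NEW_MTI: "ECDHE-RSA-AES128-GCM-SHA256",
}


def parse_iana_suite(name):
    """Split TLS_<KX>_WITH_<CIPHER>_<HASH> into (kx, cipher, hash).

    TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 -> ('ECDHE_RSA', 'AES_128_GCM', 'SHA256')
    """
    if not name.startswith("TLS_") or "_WITH_" not in name:
        raise ValueError(f"not a TLS 1.2 style suite name: {name}")
    kx, rest = name[4:].split("_WITH_", 1)
    cipher, _, hash_alg = rest.rpartition("_")
    return kx, cipher, hash_alg


def classify_suite(name):
    """Properties a reviewer would check against the BCP 195 guidance."""
    kx, cipher, hash_alg = parse_iana_suite(name)
    return {
        "forward_secret": kx.startswith(("ECDHE_", "DHE_")),
        "static_rsa": kx == "RSA",  # RSA key transport, no forward secrecy
        "aead": ("_GCM" in cipher or "_CCM" in cipher
                 or "CHACHA20_POLY1305" in cipher),
        "cbc": "_CBC" in cipher,
        "sha1_mac": hash_alg == "SHA",  # bare "SHA" means HMAC-SHA1
    }


def acceptable_under_bcp195(name):
    """Simplified rule: ephemeral key exchange + AEAD, never static RSA."""
    f = classify_suite(name)
    return f["forward_secret"] and f["aead"] and not f["static_rsa"]


def netconf_server_context():
    """Server context matching the proposed text.

    OpenSSL negotiates the highest version both peers support, so enabling
    TLS 1.3 with a TLS 1.2 floor yields 'prefer 1.3, accept 1.2'.  The TLS 1.2
    list is limited to ECDHE + AES-GCM, which contains the proposed MTI suite
    and excludes TLS_RSA_WITH_AES_128_CBC_SHA.  TLS 1.3 suites are managed
    separately by OpenSSL and are unaffected by set_ciphers().
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.maximum_version = ssl.TLSVersion.MAXIMUM_SUPPORTED
    ctx.set_ciphers("ECDHE+AESGCM")
    return ctx


def offered_tls12_suites(ctx):
    """OpenSSL names of the pre-TLS 1.3 suites the context would offer."""
    return [c["name"] for c in ctx.get_ciphers() if c["protocol"] != "TLSv1.3"]


if __name__ == "__main__":
    for suite in (OLD_MTI, NEW_MTI):
        verdict = "OK" if acceptable_under_bcp195(suite) else "REJECT"
        print(f"{suite}: {classify_suite(suite)} -> {verdict}")
    offered = offered_tls12_suites(netconf_server_context())
    print("TLS 1.2 suites offered:", offered)
    print("new MTI offered:", IANA_TO_OPENSSL[NEW_MTI] in offered)
    print("old MTI offered:", IANA_TO_OPENSSL[OLD_MTI] in offered)
```

Run it against the OpenSSL build you deploy with: the `get_ciphers()` listing is what the server will actually send in its ServerHello choices, which is a more reliable conformance check than reading the cipher string. The classifier is deliberately stricter than a literal reading of the RFC in one respect (it treats CBC and SHA-1 as flags to report rather than hard failures), so adjust it to the normative text you end up publishing.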