IETF Logo Mail Archive

Re: [netconf] crypto-types fallback strategy

Schönwälder, Jürgen <J.Schoenwaelder@jacobs-university.de> Tue, 01 October 2019 06:41 UTC

Return-Path: <J.Schoenwaelder@jacobs-university.de>
X-Original-To: netconf@ietfa.amsl.com
Delivered-To: netconf@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 9BA531200A1 for <netconf@ietfa.amsl.com>; Mon, 30 Sep 2019 23:41:02 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Level:
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_MSPIKE_H2=-0.001, SPF_NONE=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=jacobsuniversity.onmicrosoft.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id apLF0ul_oCyK for <netconf@ietfa.amsl.com>; Mon, 30 Sep 2019 23:40:59 -0700 (PDT)
Received: from EUR03-DB5-obe.outbound.protection.outlook.com (mail-eopbgr40062.outbound.protection.outlook.com [40.107.4.62]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 72D99120044 for <netconf@ietf.org>; Mon, 30 Sep 2019 23:40:59 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=OTDUFTc0oXu1MZ1h3iqFepIDyDa/ikw+0IQwjDsGqa9Pnu1BgZpIBxEP3QWhNI5OzcBCM83BZa/+pgsBsDeA8xgSqWBwNNZelRPvjV7YhBOpTQuPZeD/SZSg5M1ycng7EXr1Kr9Eo7Bt8nxeY5Sm2J97up5txacIFiot06X8pmQ1L8x8En4HTjvEr+VvXwNseQpp3OCflxbuZpcBsrm/JVZYyutPJ4CZuRP3Mmrytsfz+mOADRXqSqm5F+cwl4uA+TEsdAeAfNW26QRkea3yNU3JFl0m32d+hE+kr8rrRGJ9wKejBNYjshIpLunKR+WVM5MOfsmJScfITMJF2sXuIg==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=fHFT5r9m0LCwO2StxKQpmVkFtwE0d4JHbXEmz4QeAHw=; b=TICWnnR53pmfwYsZYuu5+Mtr/vTUt166QUQpuLjoDWIQTLfsk4hxFCyMFJJ4oE3l9rFfn1NXXy4l2pJA82rx2du1Z1uyfnS4A4rm13vaqdA+ynZyfBDyFA3rLSk5w4nG2XibD3Q3I3dt3RfyC03s3X/Rq3GeNtdj1g2F/uYP8i9sZNQ9FYkZIAfRw8OtLY6AMOrtgw6kVxA7ngm+CZYeDKSFNiQ+oYRW2H4zL3/O1cwLd+5e+bjKY2OQrzC1WcJXMnDnLT+RVmHALP2rP4XWBdsTy7MqOPYNdmcArzFfIFqYwADjGTT8swNTwUtuP+FOaDekIMUJqYFdpRe/9bX1LA==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=jacobs-university.de; dmarc=pass action=none header.from=jacobs-university.de; dkim=pass header.d=jacobs-university.de; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=jacobsuniversity.onmicrosoft.com; s=selector2-jacobsuniversity-onmicrosoft-com; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=fHFT5r9m0LCwO2StxKQpmVkFtwE0d4JHbXEmz4QeAHw=; b=F0reEGzgOScbfhMYZtE/FU+9R0407QAd5VslscS5Zgbbl5BrN4qQJzy+u1xQY2ow4K3TK2ulm0bDKleOrE63epsPBocKaoFlSfF/gxoKrNSbePFz/TO8E/FMwjg25KDPXG4VqJ4dnZ/AiC/HE0AQkBKKqaRSGlSABop9pUP/vto=
Received: from VI1P190MB0686.EURP190.PROD.OUTLOOK.COM (10.186.159.71) by VI1P190MB0110.EURP190.PROD.OUTLOOK.COM (10.172.80.12) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.2305.20; Tue, 1 Oct 2019 06:40:55 +0000
Received: from VI1P190MB0686.EURP190.PROD.OUTLOOK.COM ([fe80::e061:7f73:a47f:2ad4]) by VI1P190MB0686.EURP190.PROD.OUTLOOK.COM ([fe80::e061:7f73:a47f:2ad4%2]) with mapi id 15.20.2305.017; Tue, 1 Oct 2019 06:40:55 +0000
From: "Schönwälder, Jürgen" <J.Schoenwaelder@jacobs-university.de>
To: Kent Watsen <kent+ietf@watsen.net>
CC: "Rob Wilton (rwilton)" <rwilton@cisco.com>, Martin Bjorklund <mbj@tail-f.com>, "wang.haiguang.shieldlab@huawei.com" <wang.haiguang.shieldlab@huawei.com>, "netconf@ietf.org" <netconf@ietf.org>, "rifaat.ietf@gmail.com" <rifaat.ietf@gmail.com>
Thread-Topic: [netconf] crypto-types fallback strategy
Thread-Index: AQHVbjbxVhFlbERW30moo9Q8WhnpJqcxoiSAgA4DFOiAAAlXAIAADIaAgAAfcYCABSoJAIAAZVsA
Date: Tue, 01 Oct 2019 06:40:55 +0000
Message-ID: <20191001064054.2g4ujuoy7lsbgjm2@anna.jacobs.jacobs-university.de>
References: <0100016d455c6145-844c669e-8f31-4203-a827-7368d33cdee4-000000@email.amazonses.com> <MN2PR11MB4366E914816F6C3D9515A31DB5890@MN2PR11MB4366.namprd11.prod.outlook.com> <0100016d7325f06e-00613ab7-413c-4d97-972c-858cf4886b65-000000@email.amazonses.com> <20190927.170902.142773301948727896.mbj@tail-f.com> <MN2PR11MB4366C30CE4650421CE915840B5810@MN2PR11MB4366.namprd11.prod.outlook.com> <20190927174623.jhvpudof6yfs2m4k@anna.jacobs.jacobs-university.de> <0100016d84c0c469-e57fd7aa-dcba-4079-9b37-22720f7a4500-000000@email.amazonses.com>
In-Reply-To: <0100016d84c0c469-e57fd7aa-dcba-4079-9b37-22720f7a4500-000000@email.amazonses.com>
Reply-To: "Schönwälder, Jürgen" <J.Schoenwaelder@jacobs-university.de>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-clientproxiedby: MR2P264CA0088.FRAP264.PROD.OUTLOOK.COM (2603:10a6:500:32::28) To VI1P190MB0686.EURP190.PROD.OUTLOOK.COM (2603:10a6:800:12e::7)
authentication-results: spf=none (sender IP is ) smtp.mailfrom=J.Schoenwaelder@jacobs-university.de;
x-ms-exchange-messagesentrepresentingtype: 1
x-originating-ip: [2001:638:709:5::7]
x-ms-publictraffictype: Email
x-ms-office365-filtering-correlation-id: 52000013-846e-41df-ca71-08d7463a4fab
x-ms-traffictypediagnostic: VI1P190MB0110:
x-ms-exchange-purlcount: 1
x-ms-exchange-transport-forked: True
x-microsoft-antispam-prvs: <VI1P190MB0110EDA330388777695E5847DE9D0@VI1P190MB0110.EURP190.PROD.OUTLOOK.COM>
x-ms-oob-tlc-oobclassifiers: OLM:6430;
x-forefront-prvs: 0177904E6B
x-forefront-antispam-report: SFV:NSPM; SFS:(10009020)(346002)(39850400004)(136003)(396003)(366004)(376002)(199004)(189003)(51444003)(186003)(2906002)(8936002)(43066004)(45776006)(25786009)(4326008)(6116002)(86362001)(3450700001)(7736002)(305945005)(81166006)(8676002)(81156014)(5660300002)(786003)(316002)(6486002)(229853002)(11346002)(446003)(46003)(66946007)(64756008)(256004)(478600001)(66476007)(66556008)(1076003)(6246003)(476003)(486006)(54906003)(52116002)(386003)(99286004)(102836004)(14444005)(6506007)(6512007)(6306002)(71190400001)(6436002)(14454004)(76176011)(71200400001)(66446008); DIR:OUT; SFP:1101; SCL:1; SRVR:VI1P190MB0110; H:VI1P190MB0686.EURP190.PROD.OUTLOOK.COM; FPR:; SPF:None; LANG:en; PTR:InfoNoRecords; A:1; MX:1;
received-spf: None (protection.outlook.com: jacobs-university.de does not designate permitted sender hosts)
x-ms-exchange-senderadcheck: 1
x-microsoft-antispam: BCL:0;
x-microsoft-antispam-message-info: fZpcKO+33eRZYl5zMe8PPR/ZduwWEWxtOOLrphNZnQP6I56yRWRDofCa4RWnl4ld+n6Esx+BB3nsSJkIXFQmkdgsf9mjGHjPEKMZRO2EDQwTv9ClYIBt3K+tsUtMIZK+spOCZTTjUo3fRQXW6LVhvNDQ3a3m8JblwPwgt9hxAhxfVLoRZjXQadMdk9EP02fm8EUWIQ9VlHyzs2bo6TVZ52ruRM+Xq+BySxgk51RvvtIMENFMenUVS8L2tKPRQuTWRaIc3hEgNGK/s+Kg7P8LQDLM7Mi8FAfQUdzFtrE2ls4mRygfuGJeneAzf40oh/uL4+E/UvKaJnCy40eUSucG3+fF2bv5R50h5QpSG0OgYTv2O+SweSKfjsjiKEuqWPDgqwTMq/WWSIIW1BmKApLiDktnVBJAr5r0EFmDGhZ7pDangxYo1BgPC4PNK84ZfRnAnPQAvrE+FysOGVT5e7mEMQ==
Content-Type: text/plain; charset="iso-8859-1"
Content-ID: <C196F1F273FF234FB3CFD131D07B379A@EURP190.PROD.OUTLOOK.COM>
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
X-OriginatorOrg: jacobs-university.de
X-MS-Exchange-CrossTenant-Network-Message-Id: 52000013-846e-41df-ca71-08d7463a4fab
X-MS-Exchange-CrossTenant-originalarrivaltime: 01 Oct 2019 06:40:55.7382 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: f78e973e-5c0b-4ab8-bbd7-9887c95a8ebd
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-CrossTenant-userprincipalname: kAl97MFBgD90pPZQZbao/QpAvb79pENT3k40rJGvIHiOLZMZ4TfP8jnZEr+wmtsVQR0BpZtOotJX7rjuesOan9AQmzSzSuGtkb/ObsAYMT4=
X-MS-Exchange-Transport-CrossTenantHeadersStamped: VI1P190MB0110
Archived-At: <https://mailarchive.ietf.org/arch/msg/netconf/2lURTpKgSjOfQMOUHnP5z9ByPp0>
Subject: Re: [netconf] crypto-types fallback strategy
X-BeenThere: netconf@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: NETCONF WG list <netconf.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/netconf>, <mailto:netconf-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/netconf/>
List-Post: <mailto:netconf@ietf.org>
List-Help: <mailto:netconf-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/netconf>, <mailto:netconf-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 01 Oct 2019 06:41:03 -0000

On Tue, Oct 01, 2019 at 12:38:08AM +0000, Kent Watsen wrote:
> > 
> > It may make sense to split by security protocol.
> 
> That would go some towards addressing Rich's concern.  Presumably we would have one module each for SSH  and TLS algorithms.  That said, to Rich's concern, there is a constant churn with them.  This churn concerns two activities:  the removal and addition of algorithms.  Both occur at protocol-version boundaries and, perhaps, other times as well.  This suggests to me that we could further refine the identities by protocol version, something like this:
> 
> In ietf-crypto-types:
> 
>     identity base-alg {}
>     identity tls-alg { base "base-alg" }
>     identity ssh-alg { base "base-alg" }
> 
> In ietf-tls-1.1-types:
> 
>     identity tls-1.1-alg { base "ct:tls-alg" }
>     <a bunch of tls-1.1 identities here>
> 
> In ietf-tls-1.2-types:
> 
>     identity tls-1.2-alg { base "ct:tls-alg" }
>     <a bunch of tls-1.2 identities here>
> 
> etc.
> 
> Updates only to the specific module would be needed.   The updates would only need to support new algorithms (not to remove support for legacy algorithms), as a different mechanism can be used for a server to advertise which algorithms it actually supports (on a more granular level).

I do not know whether this helps solving a problem or creates other
problems as side effects. I think we have

a) a set of named algorithms that is changing over time
b) a set of algorithms that are "blessed" for use a certain protocol
   version (and the set may change over time)
c) a set of algorithms supported by a protocol implementation (may change
   with over time as well, i.e., with firmware updates)
d) a set of algorithms configured to be used by a protocol implementation
   (this is really what we want to get at)

Perhaps it is best to use identities for a) and to expose the other
sets via data leafs. I am not even sure exposing b) is required since
b) is input to the protocol implementer and a client can (only)
configure what is implemented anyway. I think c) could be exposed as
config false data and d) is then config true data.

> >> If advertising the specific identities is important, then a per identity if-feature could be used, although I'm not entirely sure that one feature per identity is really a great option either, but I think that this would be better than one per module.
> > 
> > Why not instead have a config false list of algorithms supported? Once
> > we have solved this problem generically, this list may get deprecated.
> 
> I like this idea, but it means that ietf-crypto-types, where this config false list would be defined, presumably, would then have protocol accessible nodes and, to the point, may be odd for a "types" module to define.   Thoughts?  - a "config false" list okay?
>

Such a config false list should go where the protocol specifics are
defined. And it likely has to be protocol version specific for
implementations that do support multiple versions of a security
protocol.

I am generally not a fan of overloading names (or concepts in
general). A YANG identity simply gives a name to something and a
module simply puts a collection of named definitions into a common
namespace. We should stay away from associating additional semantics
with how an identity is named or how a module is named. If additional
information is needed, model that additional information as data.
 
/js

-- 
Juergen Schoenwaelder           Jacobs University Bremen gGmbH
Phone: +49 421 200 3587         Campus Ring 1 | 28759 Bremen | Germany
Fax:   +49 421 200 3103         <https://www.jacobs-university.de/>

v2.23.0 | Report a Bug | By Email