IETF Logo Mail Archive

Re: [Netconf] Updates to the ietf-netconf-tls.yang module

Juergen Schoenwaelder <j.schoenwaelder@jacobs-university.de> Wed, 11 April 2012 18:33 UTC

Return-Path: <j.schoenwaelder@jacobs-university.de>
X-Original-To: netconf@ietfa.amsl.com
Delivered-To: netconf@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 48EE711E808D for <netconf@ietfa.amsl.com>; Wed, 11 Apr 2012 11:33:14 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -103.132
X-Spam-Level:
X-Spam-Status: No, score=-103.132 tagged_above=-999 required=5 tests=[AWL=0.117, BAYES_00=-2.599, HELO_EQ_DE=0.35, RCVD_IN_DNSWL_LOW=-1, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id YtClCXUUDlyY for <netconf@ietfa.amsl.com>; Wed, 11 Apr 2012 11:33:13 -0700 (PDT)
Received: from hermes.jacobs-university.de (hermes.jacobs-university.de [212.201.44.23]) by ietfa.amsl.com (Postfix) with ESMTP id 2F82521F84B9 for <netconf@ietf.org>; Wed, 11 Apr 2012 11:33:13 -0700 (PDT)
Received: from localhost (demetrius2.jacobs-university.de [212.201.44.47]) by hermes.jacobs-university.de (Postfix) with ESMTP id 3362120C08; Wed, 11 Apr 2012 20:33:12 +0200 (CEST)
X-Virus-Scanned: amavisd-new at jacobs-university.de
Received: from hermes.jacobs-university.de ([212.201.44.23]) by localhost (demetrius2.jacobs-university.de [212.201.44.32]) (amavisd-new, port 10024) with ESMTP id x3kXtZKYJLxe; Wed, 11 Apr 2012 20:33:12 +0200 (CEST)
Received: from elstar.local (elstar.jacobs.jacobs-university.de [10.50.231.133]) by hermes.jacobs-university.de (Postfix) with ESMTP id 89DB720C11; Wed, 11 Apr 2012 20:33:11 +0200 (CEST)
Received: by elstar.local (Postfix, from userid 501) id ED5991E5F06F; Wed, 11 Apr 2012 20:33:12 +0200 (CEST)
Date: Wed, 11 Apr 2012 20:33:12 +0200
From: Juergen Schoenwaelder <j.schoenwaelder@jacobs-university.de>
To: Alan Luchuk <luchuk@snmp.com>
Message-ID: <20120411183312.GA31171@elstar.local>
Mail-Followup-To: Alan Luchuk <luchuk@snmp.com>, netconf@ietf.org, mbadra@gmail.com
References: <201204111536.LAA15744@adminfs.snmp.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Disposition: inline
In-Reply-To: <201204111536.LAA15744@adminfs.snmp.com>
User-Agent: Mutt/1.5.21 (2010-09-15)
Cc: netconf@ietf.org
Subject: Re: [Netconf] Updates to the ietf-netconf-tls.yang module
X-BeenThere: netconf@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
Reply-To: Juergen Schoenwaelder <j.schoenwaelder@jacobs-university.de>
List-Id: Network Configuration WG mailing list <netconf.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/netconf>, <mailto:netconf-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/netconf>
List-Post: <mailto:netconf@ietf.org>
List-Help: <mailto:netconf-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/netconf>, <mailto:netconf-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 11 Apr 2012 18:33:14 -0000

On Wed, Apr 11, 2012 at 11:36:59AM -0400, Alan Luchuk wrote:

>  typedef tls-fingerprint-type {
>    type binary {
>      length "1..max";
>    }
>    description
>      "A cryptographic signature (fingerprint) value that can be used to 
>       uniquely reference other data of potentially arbitrary length.";
>  }

The binary type means the data is encoded in base64. The tools I am
familiar with that produce hash values seem to generate hexadecimal
representations. 
 
>      container fingerprint {
>        choice algorithm-and-hash {
>          leaf md5 {
>            type tls-fingerprint-type;
>          }
>          leaf sha1 {
>            type tls-fingerprint-type;
>          }
>          leaf sha224 {
>            type tls-fingerprint-type;
>          }
>          leaf sha256 {
>            type tls-fingerprint-type;
>          }
>          leaf sha384 {
>            type tls-fingerprint-type;
>          }
>          leaf sha512 {
>            type tls-fingerprint-type;
>          }
>          description
>            "Specifies the signature algorithm and cryptographic 
>             signature (fingerprint) used to identify an X.509 
>             certificate.
>   
>             Implementations of this YANG module MAY, but are not 
>             required to, implement all of these cryptographic signature
>             algorithms.  Implementations of this YANG module MUST 
>             implement at least one of these cryptographic signature 
>             algorithms.  
>   
>             The available choices may be extended in the future as 
>             stronger cryptographic signature algorithms become 
>             available and are deemed necessary.";
> 
>          reference
>            "RFC 5246: The Transport Layer Security (TLS) Protocol 
>             Version 1.2; Section 7.4.1.4.1,  Signature Algorithms";
>        }  // choice algorithm-and-hash
>      }    // container fingerprint

I think we need to make this reusable, more generic and we need to put
the resulting grouping under IANA control. We need the same construct
for the SNMP configuration data model. So one way forward is that we
draft a reusable grouping and an associated fingerprint type (or hash
value type - whatever the correct term will be) to be placed into an
IANA maintained modules. We can do this here or we do it in NETMOD.  I
personally do not care much as long as we get a consistent and
reusable solution into place.

>      leaf data {
>        type string {
>          length "1..max";
>        }
>        description
>          "Auxiliary data used as optional configuration information for
>          a given mapping specified by the map-type leaf.  Only some
>          mapping systems will make use of this leaf.  When the NETCONF
>          server derives the NETCONF username from the client's presented
>          certificate, the value in this leaf MUST be ignored for any
>          mapping type that does not require data present in this leaf.";
>      }
>    }  // list cert-map
>  }    // container cert-mappings

This follows the MIB model but I am not sure this is the right way of
doing this in YANG. Martin uses a slightly different approach in
draft-bjorklund-netmod-snmp-cfg-02.txt.

>      leaf valid-not-before {
>        type yang:date-and-time;
>        description
>          "This PSK identity is not valid before the given data
>           and time.";
>      }

s/data/date/
 
>      leaf valid-not-after {
>        type yang:date-and-time;
>        description
>          "This PSK identity is not valid before the given data
>           and time.";
>      }

s/data/date/

>      leaf key {
>        type binary;
>        nacm:default-deny-all;
>        description
>          "The key associated with the PSK identity";
>      }

The same question raised above applies here. Is a base64
representation really what people feel comfortable with? Using base64
might be more OK here than above - I do not really know.

/js

-- 
Juergen Schoenwaelder           Jacobs University Bremen gGmbH
Phone: +49 421 200 3587         Campus Ring 1, 28759 Bremen, Germany
Fax:   +49 421 200 3103         <http://www.jacobs-university.de/>

v2.23.0 | Report a Bug | By Email