Re: [netconf] Latest ietf-netconf-server draft and related modules

Juergen Schoenwaelder <j.schoenwaelder@jacobs-university.de> Thu, 29 April 2021 15:09 UTC

Return-Path: <J.Schoenwaelder@jacobs-university.de>
X-Original-To: netconf@ietfa.amsl.com
Delivered-To: netconf@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D4AC13A287F for <netconf@ietfa.amsl.com>; Thu, 29 Apr 2021 08:09:38 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.899
X-Spam-Level:
X-Spam-Status: No, score=-1.899 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, MSGID_FROM_MTA_HEADER=0.001, RCVD_IN_DNSWL_BLOCKED=0.001, RCVD_IN_MSPIKE_H2=-0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=jacobsuniversity.onmicrosoft.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Jz06WlxmGdlP for <netconf@ietfa.amsl.com>; Thu, 29 Apr 2021 08:09:33 -0700 (PDT)
Received: from EUR04-HE1-obe.outbound.protection.outlook.com (mail-eopbgr70051.outbound.protection.outlook.com [40.107.7.51]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 4C4B03A0E0F for <netconf@ietf.org>; Thu, 29 Apr 2021 08:09:33 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=KvUqBhOy54zf7sjARSkB2YziZzTHYIdyH6VmutDADKiNjrRoAj2U1XlIb5j1WzGcXlQr4yld8q91lXr3I6Brl/9fuBgzdqTwUJlXGx26h139Z5vYZGk8/q7YB7kqKWYy23eHG48K6xP3nadk8hUxQIXvzIgbJo/II1hWcp459C6FNazRAxrDLBep2lS0vAcUq+60PE6ZtYhyKpiu2OWLtgtl1oQ8Imy8GF4E5NCkLRl2LcqBvZvpyt0zUVfoOcIArz7qvgQAcKnQB5f57aItpIu6JZLu3a7o+3voTOgHKkyeotb2LLib2C1sP56Ct9ijmFnPxhQDhBPLamCTygbq8g==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=0ec1kLVV4wSu1OKPePBDEHn4HtAtbI/ihpunNwm4XUQ=; b=L7q6+/5sMXNPDPdwtTiIqVSbdy7Xv3xtWo8TvsjQhmoihu4dPQdlnEls6hrQbutShNOlrcVaQ5KqsGsVLQlPMln6ovhrH/SzgSUjIslJtq7KVEQbtXOUX+d9sKy8XyFfvtrxFwaprcGik95wTdO3fDjYDOwroL93CSXYdh3tgbkk0YUrA1kF+jsC1d1roHaoZe3BpzjmVXlCfcAQUSwcU7qJo1b49uN8pTM3zkm3DXuVU5DI6EHATraZFOtM0CzBhVhcIHWEt9285Ib/U6xsNBZDccVsP95XNJd3abwYqYc+x2OX0XYgyxwFJv6CNvbFbKXLSaZt82XSC7uSOJwS5Q==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=jacobs-university.de; dmarc=pass action=none header.from=jacobs-university.de; dkim=pass header.d=jacobs-university.de; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=jacobsuniversity.onmicrosoft.com; s=selector2-jacobsuniversity-onmicrosoft-com; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=0ec1kLVV4wSu1OKPePBDEHn4HtAtbI/ihpunNwm4XUQ=; b=HjWEI75x6md1LTQ/dlvWUJO9/pqEmIj2sClXUgCN7nPEXheIGYIDywXu7V62C7+CfQ9a9vElq1SGVr2P8NJMjRr1y6Z4ahjVHTJ8tdOO+lC1PYSEF8SVr1dJuMaIH3sVjPBQ497x1AXZpMJGwB0XRuDpU7ntkzga52jlRVLhIpk=
Authentication-Results: cesnet.cz; dkim=none (message not signed) header.d=none;cesnet.cz; dmarc=none action=none header.from=jacobs-university.de;
Received: from AM0P190MB0641.EURP190.PROD.OUTLOOK.COM (2603:10a6:208:194::23) by AM9P190MB1684.EURP190.PROD.OUTLOOK.COM (2603:10a6:20b:3e9::9) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.4065.22; Thu, 29 Apr 2021 15:09:29 +0000
Received: from AM0P190MB0641.EURP190.PROD.OUTLOOK.COM ([fe80::fd93:9b33:ac92:ea58]) by AM0P190MB0641.EURP190.PROD.OUTLOOK.COM ([fe80::fd93:9b33:ac92:ea58%8]) with mapi id 15.20.4087.026; Thu, 29 Apr 2021 15:09:29 +0000
Date: Thu, 29 Apr 2021 17:09:28 +0200
From: Juergen Schoenwaelder <j.schoenwaelder@jacobs-university.de>
To: Michal =?utf-8?B?VmHFoWtv?= <mvasko@cesnet.cz>
Cc: Kent Watsen <kent+ietf@watsen.net>, "netconf@ietf.org" <netconf@ietf.org>
Message-ID: <20210429150928.3rwjhc3llseofssa@anna.jacobs.jacobs-university.de>
Reply-To: Juergen Schoenwaelder <j.schoenwaelder@jacobs-university.de>
Mail-Followup-To: Michal =?utf-8?B?VmHFoWtv?= <mvasko@cesnet.cz>, Kent Watsen <kent+ietf@watsen.net>, "netconf@ietf.org" <netconf@ietf.org>
References: <010001791de3029b-730530a6-f4fb-4d57-9d39-a1551ab76260-000000@email.amazonses.com> <62ed-608ac900-53-32820540@104833101>
Content-Type: text/plain; charset=utf-8
Content-Disposition: inline
Content-Transfer-Encoding: 8bit
In-Reply-To: <62ed-608ac900-53-32820540@104833101>
X-Originating-IP: [212.201.44.244]
X-ClientProxiedBy: FRYP281CA0010.DEUP281.PROD.OUTLOOK.COM (2603:10a6:d10::20) To AM0P190MB0641.EURP190.PROD.OUTLOOK.COM (2603:10a6:208:194::23)
MIME-Version: 1.0
X-MS-Exchange-MessageSentRepresentingType: 1
Received: from localhost (212.201.44.244) by FRYP281CA0010.DEUP281.PROD.OUTLOOK.COM (2603:10a6:d10::20) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.4108.10 via Frontend Transport; Thu, 29 Apr 2021 15:09:29 +0000
X-MS-PublicTrafficType: Email
X-MS-Office365-Filtering-Correlation-Id: 2ffb36f8-19e4-46e5-56da-08d90b20c966
X-MS-TrafficTypeDiagnostic: AM9P190MB1684:
X-MS-Exchange-Transport-Forked: True
X-Microsoft-Antispam-PRVS: <AM9P190MB16841F7F5865503E448C3FEEDE5F9@AM9P190MB1684.EURP190.PROD.OUTLOOK.COM>
X-MS-Oob-TLC-OOBClassifiers: OLM:10000;
X-MS-Exchange-SenderADCheck: 1
X-Microsoft-Antispam: BCL:0;
X-Microsoft-Antispam-Message-Info: Nta5UkI53PBVcCq0+gz8TwcVPjH2zwMtDBk0U2603g3WkVDb3kpY94a11JdLxs1nc+eNa/RlNhloCcb1cCG80Iukx6HAbID0jJZq9LYp5QHd0udXHwqaejwphUg1N7HuLQTQct2wSM8ULX5Oc1DqInc8jz7KLxFQzWA1Qs5/H8ExilD6tODiuQ7/cgJVkuxFofKEbwifl8TXuBhY+8W7rMX2Gim8pGp7MmFCqdrXCSB3tpNVIW/UA3SNj9VG5v5krukcFIEEIUukW3fPFS6Jy4YaVjPHvMVpTab9R8rzBr+OBMGtL8KVKPWa/LiV7/xGn16Nr5bjpZPlBm5jWRPL6z/a32JdybEr+5fd4ZBzfm/6YICh4ZXf9QZ/8Ig5uRULTIPTrzHQZMV0yaMXTHnTtplvgtcaqa5rDGSTTvYYI7UG3EE1ByLWmQcgcNkdSXsfOldWYOGTj9vEcb3ijGWJVQH2WLEPMPJd9yvK8VaDwXl1sG65bK6YvrsZjDWnZO96rV49NaPQnl/s5kj2rm3IHN8pIypz3YB3GVeXihNwHp5/qqdOT0xI23pGgM8e4SRIA4R2N1heNb78jUv1UmMeSQK6huA11aKQTsKBNYgXsK8qv3pcoawm+hZl6MVjXMzRUDwb7G8AZzDkUKaT0aqtdgfzI299iqsl+mMUmRN5SlfVEiODp8cQlndj9TtITvb4B5GXM/EMo77uX9vEFfXPWfzG3RgtWlgjptPPWU3qq4U=
X-Forefront-Antispam-Report: CIP:255.255.255.255; CTRY:; LANG:en; SCL:1; SRV:; IPV:NLI; SFV:NSPM; H:AM0P190MB0641.EURP190.PROD.OUTLOOK.COM; PTR:; CAT:NONE; SFS:(39840400004)(136003)(346002)(376002)(396003)(366004)(478600001)(83380400001)(2906002)(3450700001)(54906003)(16526019)(66946007)(956004)(786003)(86362001)(316002)(6916009)(1076003)(5660300002)(8676002)(26005)(186003)(6496006)(6486002)(66574015)(38350700002)(66476007)(8936002)(38100700002)(4326008)(66556008)(52116002); DIR:OUT; SFP:1101;
X-MS-Exchange-AntiSpam-MessageData: =?utf-8?B?QlpIYjUwendRbkc0b1R4UllWdFRld3hQNjE0UE45MUY3Zmc5TG5YZ1JlbGw4?= =?utf-8?B?aVMwd1k5VXl5dHdyT3VLS0lZeGpNV3dzRm1LTWw1akVFcCttbEhtUTBCc3Ja?= =?utf-8?B?T3NHODZxMlBaYS9pZ1lZRjJBYlFkQ2tTbzlQQmFPQ1c5WlFsT3RFTXd3U1gw?= =?utf-8?B?ZjZjWUl4cEdZQnFLUUNESnYwZXBRdVdKSUFLbW53UzgyM2hraFdYdkV6QmZU?= =?utf-8?B?VzIyVVNPU0t2N3VJT2d1dUczM01GbXoxSnV3VmdIOWZ4ZEUwNFl3Njdkb1ZO?= =?utf-8?B?TmtnSzhKQ21hNXEwNi9kRjVTNXk4aFJWQzMvMHQ5SVFWbXNMZ0JDYjBYL3Rl?= =?utf-8?B?RXE3d0dUK1J3WE5UZFpBMDA3ZXRQOUU2MGhMSmxKWmprdjgxS3A1a01SclFh?= =?utf-8?B?ci81TFU5Nkt1Zmh0MDFod1dvZG5ra0JLVEJZSExOMkpTYVBLOENqS0JkSG9N?= =?utf-8?B?ejVlSllPeGZuNUhUa2pGVitQZy9PR2lBUEZ0NCtxcWY2ZWRITUNXY0JUVnVh?= =?utf-8?B?ZlVPNnRlWTJOelhiM0lCR2pyc05CY2NwYWJJK2p3akFRbXQxY0pTYzFvTE9s?= =?utf-8?B?S3ZGN3llUnJ3aUhsYW5UNlpxZENZTW5oNk9oUWhaT2V2UGIwV0pObFlBd0dD?= =?utf-8?B?Yi9PWHhRbWd5Nm1kTHlScVNqK29kaFlXWjBFQlRXRXU2UXUwZzlUUW0xSWMx?= =?utf-8?B?R1hEaEhsdFl5MWY4RVc1Q0JpVWlmY0Z0L0E5V3lnbVllUExZZ2JBQ216Ymlr?= =?utf-8?B?R3k3aFM0dXlLNC9tbk15QjQ4dURwKzNoVmZ5UW5WeHBZa3hkZ2ZuOHdIV3Z3?= =?utf-8?B?TDV1UE0yRDY2M0JLS0NPWURkR0loMDgrcU43azcwZ2JGbjFyVVZsUG5BdjN1?= =?utf-8?B?MGNremozSTZ4WjBqVWZLa0MyS3ZBY0lxOUJYMWtBS2ppeWxFcXR4a0lRdnZn?= =?utf-8?B?QXpiZXMvMXNBUEx6QnYweXBNeGFXdDNwbkd0VU5OYVE4SEV5RmhpQTZ1TTNB?= =?utf-8?B?M3M1N01yV2NhWng4VXh5YjlsZkJJcUFlU1ltSW1kajVldmF2STJ4SHpWL3lw?= =?utf-8?B?UkVnd0pYU29WU2ZNNElXMjNPVlp6bGpBbTZzNG1pUXRYZVdtcjZ1a2dwdnJo?= =?utf-8?B?SXovSHJDVkhoNXROTzBWT1VtUUZ4ZjVSdS9yLytJUkZvKzdNenNTRFFtWVFm?= =?utf-8?B?QUd5a1pqOHJvTWZnTllTQUpGa0w4dktyb1VZOVpXWHp3cHAveHVPM0JLMlYv?= =?utf-8?B?RStUejFET01uMElaOHhTaGFJNXg5WSt3aHE5ZG9mSjVpOTVnZ2VucDRLdURa?= =?utf-8?B?NW93bFF4WEh3Vzk0WWE3d1lOK0kvbGoxcnB3RnVJM1EvR2RKNmFHWVhrVGJn?= =?utf-8?B?ZUFvZ01QMmxaYzg5bnVKR0FwVDJBTEZSU0JjMFh0MDVzRkRRYTNncXNHcUhm?= =?utf-8?B?bGFyWWE4Y09BOEVXMWlpN1pzcm1aVzRBbWNERjhqYTZtR2tnZGNjYmZTTGpD?= =?utf-8?B?RWI0RVRKbmQ5aVl2UjFoQmFsTzZBWTV6M1Q3VmlIOW9CTEQ1eFhLTGdsY2R6?= =?utf-8?B?eUJyU1I5b21zUnV6Vm9TM0NJamhnK3FlUVJOSExTTG54TjNUOUFCRi9lb2M0?= =?utf-8?B?V3pLNWFESGZRSUVXL3k5d0dYQSszYUpnb3BtQUUvOC9TOTlobm1EaG92c2R0?= =?utf-8?B?dHdPL24xdjVCSmhtbDBFdzZqNnNEUU04Q0hUeUgwRlJ5bitlRnFrbUlzUjRU?= =?utf-8?Q?B4qNgWinRmetYxS4adgLWUy+x/Qxl7NYtXxjDIu?=
X-OriginatorOrg: jacobs-university.de
X-MS-Exchange-CrossTenant-Network-Message-Id: 2ffb36f8-19e4-46e5-56da-08d90b20c966
X-MS-Exchange-CrossTenant-AuthSource: AM0P190MB0641.EURP190.PROD.OUTLOOK.COM
X-MS-Exchange-CrossTenant-AuthAs: Internal
X-MS-Exchange-CrossTenant-OriginalArrivalTime: 29 Apr 2021 15:09:29.6686 (UTC)
X-MS-Exchange-CrossTenant-FromEntityHeader: Hosted
X-MS-Exchange-CrossTenant-Id: f78e973e-5c0b-4ab8-bbd7-9887c95a8ebd
X-MS-Exchange-CrossTenant-MailboxType: HOSTED
X-MS-Exchange-CrossTenant-UserPrincipalName: NnKb9XGY2f9zHhs1EN7aSovwmxaJx7YkrKhOybhA0VyEWA1DKdjtJKLoicneWRul5kI/AMH82lJbSoyMbpW6PVbbBMOJprKZvnwaUWIC4Jo=
X-MS-Exchange-Transport-CrossTenantHeadersStamped: AM9P190MB1684
Archived-At: <https://mailarchive.ietf.org/arch/msg/netconf/3fRa3UzEEr3ggSgLWleY-uXlAFY>
Subject: Re: [netconf] Latest ietf-netconf-server draft and related modules
X-BeenThere: netconf@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: NETCONF WG list <netconf.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/netconf>, <mailto:netconf-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/netconf/>
List-Post: <mailto:netconf@ietf.org>
List-Help: <mailto:netconf-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/netconf>, <mailto:netconf-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 29 Apr 2021 15:09:39 -0000

On Thu, Apr 29, 2021 at 04:56:35PM +0200, Michal Vaško wrote:
> > The question is, how important is the ability to configure a “first” method (assuming more than one has been configured)?
> > 
> > My guess is that it’s not important as follows:
> > 
> > 1) I assume the client is not resource-constrained (as, if it were, then it would likely be using TLS instead of SSH).  Thus, in the worst case, where the client performs some expensive key operation, it’s not a big deal because it has the resources to do it quickly.
> > 
> > 2) Assuming the client sends an “expensive method” first, and the server isn’t configured to support that method first, it will not waste any CPU cycles doing an expensive key operation; it will simple return a failure with a list of “productive” methods.
> > 
> > Thus the net-impact is some wasted CPU-cycles on the client and the latency incurred by one unnecessary roundtrip.  Assuming the client is not resource-constrained, the only significant variable is the network and, in a very high-latency network, it could be important.  Thoughts?
> 
> I am not sure what the problem is but it seems we are still not understanding each other. My specific example is as follows. The client uses "none" method first to get the list of supported methods, always. Then, based on the returned methods, it gets the set of supported methods on both the server and the client. The problem is, what should be the order of trying to authenticate using these methods? Like I said before, if a more complex method is selected instead of a simpler one, it may result in additional failed authentication attempt (and client disconnect if none are allowed), minor user annoyance, and even wasted server CPU time, yes. I consider the first problem serious enough that would like the module to support configuration that could prevent it.
>

RFC 4252 says:

   The server drives the authentication by telling the client which
   authentication methods can be used to continue the exchange at any
   given time.  The client has the freedom to try the methods listed by
   the server in any order.  This gives the server complete control over
   the authentication process if desired, but also gives enough
   flexibility for the client to use the methods it supports or that are
   most convenient for the user, when multiple methods are offered by
   the server.

So the client does have to choose. Looking into the ssh(1) man page of
OpenSSH, I find this:

   The methods available for authentication are: GSSAPI-based authentica-
   tion, host-based authentication, public key authentication, challenge-re-
   sponse authentication, and password authentication.  Authentication meth-
   ods are tried in the order specified above, though
   PreferredAuthentications can be used to change the default order.

And ssh_config(5) says:

   Specifies the order in which the client should try authentication
   methods.  This allows a client to prefer one method (e.g.
   keyboard-interactive) over another method (e.g. password).  The
   default is:

             gssapi-with-mic,hostbased,publickey,
             keyboard-interactive,password

I have no idea how popular it is to change the default order, which is
likely what most people expect.

/js

-- 
Juergen Schoenwaelder           Jacobs University Bremen gGmbH
Phone: +49 421 200 3587         Campus Ring 1 | 28759 Bremen | Germany
Fax:   +49 421 200 3103         <https://www.jacobs-university.de/>