[netconf] netconf-tls wasRe: Summary of updates
tom petch <ietfc@btconnect.com> Wed, 19 May 2021 11:50 UTC
From: tom petch <ietfc@btconnect.com>
To: Kent Watsen <kent+ietf@watsen.net>, "netconf@ietf.org" <netconf@ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/netconf/3jLutHhJ4zA6F3-KVei43lrIgv0>
From: netconf <netconf-bounces@ietf.org> on behalf of Kent Watsen <kent+ietf@watsen.net>
Sent: 18 May 2021 19:37

Thank you to all that contributed to the WGLC of the tcp-, ssh-, tls-, and http- client-server drafts. Below is the resulting change log for each draft, but the highlights for me are:

1) for the “tcp” draft, the abstract/introduction sections were enhanced by Michael, my co-author and TCP WG co-chair.

2) for the “ssh” draft, we added and then removed the keyboard-interactive and GSS-API support.

3) for the “tls” draft, we marked the feature statements for versions other than 1.3 as “not recommended”.

<tp>
I still think that the I-D lacks clarity about supported versions.

Introduction
  TLS Protocol [RFC5246]
Clearly this is TLS1.2 only

s.2
  This model supports both TLS1.2 and TLS1.3
Ah, no, TLS1.2 and TLS1.3 but not TLS1.0 or TLS1.1

s.2.1.1 Features
  tls-1_0 tls-1_1 tls-1_2 tls-1_3
Ah no, it may not support 1.0 and 1.1 but it ........ for them but I know not what.

2.2
an example for 1.1 and 1.2 but not 1.3; interesting.

Reverse engineering the YANG I find that 'Version 1.0 is supported', 'Version 1.1 is supported'.

hello-params-grouping
Only 1.2 is referenced, as indeed is repeatedly the case in the YANG modules.

Mmm I dunno! I want the Introduction to set the scene which subsequent sections expand on, and that I see as lacking. Support for 1.0 and 1.1 would, for me, mean catering for the different cipher suites that they have.

In passing, I was wrong about public keys. I misread the statement that only certificates and PSK are supported in TLS1.3, forgetting that certificate(255) is a public key!

Tom Petch

4) for the “http” draft, no significant update (really? hmm...)

5) for the “netconf” draft, whilst not in WGLC, significant updates wrt the "client-identity-mappings” nodes.

Notably, beware that the Last Call YANG-doctor review for some of these four drafts has been pending this update, so expect to see a little more activity on these drafts yet.

K.

DETAILS:

crypto-types:
  * Nits found via YANG Doctors reviews.
  * Aligned modules with `pyang -f` formatting.

truststore:
  * Added prefixes to 'path' statements per trust-anchors/issues/1
  * Renamed feature "truststore-supported" to "central-truststore-supported".
  * Associated with above, generally moved text to refer to a "central" truststore.
  * Removed two unnecessary/unwanted "min-elements 1" and associated "presence" statements.
  * Aligned modules with `pyang -f` formatting.
  * Fixed nits found by YANG Doctor reviews.

keystore:
  * Added prefixes to 'path' statements per trust-anchors/issues/1
  * Renamed feature "keystore-supported" to "central-keystore-supported".
  * Associated with above, generally moved text to refer to a "central" keystore.
  * Aligned modules with `pyang -f` formatting.
  * Fixed nits found by YANG Doctor reviews.

tcp-client-server:
  * Updated Abstract and Intro to address comments by Tom Petch.
  * Removed the "tcp-connection-grouping" grouping (now models use the "tcp-common-grouping" directly).
  * Added XML-comment above examples explaining the reason for the unusual top-most element's presence.
  * Added Security Considerations section for the "local-binding-supported" feature.
  * Replaced some hardcoded refs to <xref> elements.
  * Fixed nits found by YANG Doctor reviews.
  * Aligned modules with `pyang -f` formatting.
  * Added an "Acknowledgements" section.

ssh-client-server:
  * Removed the 'supported-authentication-methods' from {grouping ssh-server-grouping}/client-authentication.
  * Added XML-comment above examples explaining the reason for the unexpected top-most element's presence.
  * Added RFC-references to various 'feature' statements.
  * Renamed "credentials" to "authentication methods"
  * Renamed "client-auth-*" to "userauth-*"
  * Renamed "client-identity-*" to "userauth-*"
  * Fixed nits found by YANG Doctor reviews.
  * Aligned modules with `pyang -f` formatting.
  * Added a 'Contributors' section.

tls-client-server:
  * Added missing reference to "FIPS PUB 180-4".
  * Added identity "tls-1.3" and updated description statement in other identities indicating that the protocol version is obsolete and enabling the feature is NOT RECOMMENDED.
  * Added XML-comment above examples explaining the reason for the unexpected top-most element's presence.
  * Added missing "client-ident-raw-public-key" and "client-ident-psk" features.
  * Aligned modules with `pyang -f` formatting.
  * Fixed nits found by YANG Doctor reviews.
  * Added a 'Contributors' section.

http-client-server:
  * Added XML-comment above examples explaining the reason for the unusual top-most element's presence.
  * Renamed 'client-auth-config-supported' to 'client-auth-supported' consistent with other drafts.
  * Wrapped 'container basic' choice inside a 'case basic' per best practice.
  * Aligned modules with `pyang -f` formatting.
  * Fixed nits found by YANG Doctor reviews.

netconf-client-server:
  * Floated an 'if-feature' statement in a grouping down to where the grouping is used.
  * Clarified 'client-identity-mappings' for both the SSH and TLS transports.
  * For netconf-client, augmented-in a 'mapping-required' flag into 'client-identity-mappings' only for the SSH transport, and refined-in a 'min-elements 1' only for the TLS transport.
  * Aligned modules with `pyang -f` formatting.

restconf-client-server:
  * Further clarified why some 'presence' statements are present.
  * Addressed nits found in YANG Doctor reviews.
  * Aligned modules with `pyang -f` formatting.
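The consistency problem Tom raises above, that a configuration advertising TLS 1.0/1.1 features must also carry cipher suites those versions can actually negotiate while TLS 1.3 uses a disjoint suite namespace, is easy to check mechanically once the version features and the hello-params cipher-suite list are in hand. The following is an added example, not code from the draft, from Kent Watsen or from Tom Petch. It takes the feature names quoted in the thread (tls-1_0 through tls-1_3) as version labels, but the configuration structure, the function names and the suite-to-version rule table are my own simplification: the table encodes that RFC 8446 TLS 1.3 suites (TLS_AES_*, TLS_CHACHA20_*) are 1.3-only, that AEAD and SHA-256/384 suites from RFC 5288/5289 require TLS 1.2, that the classic CBC/SHA-1 suites span 1.0 to 1.2, and that RFC 8996 deprecates TLS 1.0 and 1.1 (the "NOT RECOMMENDED" wording in the change log). It does not parse the draft's YANG module.

```python
"""Consistency check for a TLS hello-params style configuration.

Added illustration (not the draft's YANG or either author's code): given the
enabled protocol-version features and the configured cipher suites, report
obsolete versions and version/suite combinations that can never negotiate.
"""
from __future__ import annotations

# Version feature names as quoted in the thread; ordering is oldest first.
VERSION_ORDER = ["tls-1_0", "tls-1_1", "tls-1_2", "tls-1_3"]

# RFC 8996 deprecates TLS 1.0 and TLS 1.1; the draft marks these features
# obsolete and enabling them NOT RECOMMENDED.
OBSOLETE = {"tls-1_0", "tls-1_1"}


def suite_versions(suite: str) -> set[str]:
    """Return the protocol versions under which a named cipher suite can be negotiated.

    Simplified rule table (assumption of this example, not an IANA lookup):
    TLS 1.3 suites carry only an AEAD and a hash; pre-1.3 suites carry a key
    exchange and are never offered under 1.3.
    """
    # RFC 8446 appendix B.4 suites: TLS_AES_*_GCM_*, TLS_AES_128_CCM_*, TLS_CHACHA20_*.
    if suite.startswith(("TLS_AES_", "TLS_CHACHA20_")):
        return {"tls-1_3"}
    # AEAD suites (GCM, CCM, ChaCha20) and SHA-256/384 PRF suites exist only
    # from TLS 1.2 (RFC 5288, RFC 5289, RFC 7905).
    if any(tok in suite for tok in ("_GCM_", "_CCM", "_CHACHA20_")) or suite.endswith(("SHA256", "SHA384")):
        return {"tls-1_2"}
    # Classic CBC / SHA-1 suites: TLS 1.0 through 1.2, never 1.3.
    return {"tls-1_0", "tls-1_1", "tls-1_2"}


def check_hello_params(versions: list[str], cipher_suites: list[str]) -> list[str]:
    """Return a list of findings ("WARN: ..." / "ERROR: ..."); empty means consistent."""
    findings: list[str] = []

    for v in versions:
        if v not in VERSION_ORDER:
            findings.append(f"ERROR: unknown protocol version feature {v}")

    enabled = [v for v in VERSION_ORDER if v in versions]
    if not enabled:
        findings.append("ERROR: no protocol version enabled")

    for v in enabled:
        if v in OBSOLETE:
            findings.append(
                f"WARN: {v} is enabled; the version is obsolete (RFC 8996) "
                "and enabling it is NOT RECOMMENDED"
            )

    # A suite that no enabled version can negotiate is dead configuration.
    enabled_set = set(enabled)
    for s in cipher_suites:
        if not (suite_versions(s) & enabled_set):
            findings.append(f"ERROR: cipher suite {s} cannot be negotiated with any enabled version")

    # A version with no usable suite is advertised but can never complete a handshake.
    for v in enabled:
        if not any(v in suite_versions(s) for s in cipher_suites):
            findings.append(f"ERROR: {v} is enabled but no configured cipher suite can be used with it")

    return findings


if __name__ == "__main__":
    # Constructed sample: TLS 1.2 and 1.3 enabled, but only a 1.2 suite configured.
    sample_versions = ["tls-1_2", "tls-1_3"]
    sample_suites = ["TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"]
    for line in check_hello_params(sample_versions, sample_suites):
        print(line)
```

The point of the second loop is the case Tom describes: a hello-params-grouping that names only TLS 1.2 suites while the tls-1_3 feature is enabled leaves TLS 1.3 advertised but unusable, and conversely a 1.3-only endpoint carrying legacy CBC suites carries dead configuration.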