[netconf] netconf-tls wasRe: Summary of updates

tom petch <ietfc@btconnect.com> Wed, 19 May 2021 11:50 UTC

Archived-At: <https://mailarchive.ietf.org/arch/msg/netconf/3jLutHhJ4zA6F3-KVei43lrIgv0>

From: netconf <netconf-bounces@ietf.org> on behalf of Kent Watsen <kent+ietf@watsen.net>
Sent: 18 May 2021 19:37

Thank you to all that contributed to the WGLC of the tcp-, ssh-, tls-, and http- client-server drafts.  Below is the resulting change log for each draft, but the highlights for me are:

   1) for the “tcp” draft, the abstract/introduction sections were enhanced by Michael, my co-author and TCP WG co-chair.
   2) for the “ssh” draft, we added and then removed the keyboard-interactive and GSS-API support.
   3) for the “tls” draft, we marked the feature statements for versions  other than 1.3 as “not recommended”.

<tp>
I still think that the I-D lacks clarity about supported versions.

Introduction 
TLS Protocol [RFC5246] 
Clearly this is TLS1.2 only

s.2
This model supports both TLS1.2 and TLS1.3
Ah, no, TLS1.2 and TLS1.3 but not TLS1.0 or TLS1.1

s.2.1.1
Features
tls-1_0
tls-1_1
tls-1_2
tls-1_3
Ah no, it may not support 1.0 and 1.1 but it ........ for them but I know not what.

2.2 
an example for 1.1 and 1.2 but not 1.3; interesting.

Reverse engineering the YANG I find that 'Version 1.0 is supported', 'Version 1.1 is supported'.

hello-params-grouping
Only 1.2 is referenced as indeed is repeatedly the case in the YANG modules

Mmm I dunno!

I want the Introduction to set the scene which subsequent sections expand on and that I see as lacking.  Support for 1.0 and 1.1 would, for me, mean catering for the different cipher suites that they have.

In passing, I was wrong about public keys.  I misread the statement that only certificates and PSK are supported in TLS1.3, forgetting that certificate(255) is a public key!

Tom Petch




   4) for the “http” draft, no significant update (really? hmm...)
   5) for the “netconf” draft, whilst not in WGLC, significant updates wrt the "client-identity-mappings” nodes.

Notably, beware that the Last Call YANG-doctor review for some of these four drafts has been pending this update, so expect to see a little more activity on these drafts yet.

K.


DETAILS:

crypto-types:
   *  Nits found via YANG Doctors reviews.
   *  Aligned modules with `pyang -f` formatting.

truststore:
   *  Added prefixes to 'path' statements per trust-anchors/issues/1
   *  Renamed feature "truststore-supported" to "central-truststore-supported".
   *  Associated with above, generally moved text to refer to a
      "central" truststore.
   *  Removed two unnecessary/unwanted "min-elements 1" and associated
      "presence" statements.
   *  Aligned modules with `pyang -f` formatting.
   *  Fixed nits found by YANG Doctor reviews.

keystore:
   *  Added prefixes to 'path' statements per trust-anchors/issues/1
   *  Renamed feature "keystore-supported" to "central-keystore-
      supported".
   *  Associated with above, generally moved text to refer to a
      "central" keystore.
   *  Aligned modules with `pyang -f` formatting.
   *  Fixed nits found by YANG Doctor reviews.

tcp-client-server:
   *  Updated Abstract and Intro to address comments by Tom Petch.
   *  Removed the "tcp-connection-grouping" grouping (now models use the
      "tcp-common-grouping" directly).
   *  Added XML-comment above examples explaining the reason for the
      unusual top-most element's presence.
   *  Added Security Considerations section for the "local-binding-
      supported" feature.
   *  Replaced some hardcoded refs to <xref> elements.
   *  Fixed nits found by YANG Doctor reviews.
   *  Aligned modules with `pyang -f` formatting.
   *  Added an "Acknowledgements" section.

ssh-client-server:
   *  Removed the 'supported-authentication-methods' from {grouping ssh-
      server-grouping}/client-authentication.
   *  Added XML-comment above examples explaining the reason for the
      unexpected top-most element's presence.
   *  Added RFC-references to various 'feature' statements.
   *  Renamed "credentials" to "authentication methods"
   *  Renamed "client-auth-*" to "userauth-*"
   *  Renamed "client-identity-*" to "userauth-*"
   *  Fixed nits found by YANG Doctor reviews.
   *  Aligned modules with `pyang -f` formatting.
   *  Added a 'Contributors' section.

tls-client-server:
   *  Added missing reference to "FIPS PUB 180-4".
   *  Added identity "tls-1.3" and updated description statement in
      other identities indicating that the protocol version is obsolete
      and enabling the feature is NOT RECOMMENDED.
   *  Added XML-comment above examples explaining the reason for the
      unexpected top-most element's presence.
   *  Added missing "client-ident-raw-public-key" and "client-ident-psk"
      features.
   *  Aligned modules with `pyang -f` formatting.
   *  Fixed nits found by YANG Doctor reviews.
   *  Added a 'Contributors' section.

http-client-server:
   *  Added XML-comment above examples explaining the reason for the
      unusual top-most element's presence.
   *  Renamed 'client-auth-config-supported' to 'client-auth-supported'
      consistent with other drafts.
   *  Wrapped 'container basic' choice inside a 'case basic' per best
      practice.
   *  Aligned modules with `pyang -f` formatting.
   *  Fixed nits found by YANG Doctor reviews.

netconf-client-server:
   *  Floated an 'if-feature' statement in a grouping down to where the
      grouping is used.
   *  Clarified 'client-identity-mappings' for both the SSH and TLS
      transports.
   *  For netconf-client, augmented-in a 'mapping-required' flag into
      'client-identity-mappings' only for the SSH transport, and
      refined-in a 'min-elements 1' only for the TLS transport.
   *  Aligned modules with `pyang -f` formatting.

restconf-client-server:
   *  Further clarified why some 'presence' statements are present.
   *  Addressed nits found in YANG Doctor reviews.
   *  Aligned modules with `pyang -f` formatting.




_______________________________________________
netconf mailing list
netconf@ietf.org
https://www.ietf.org/mailman/listinfo/netconf