IETF Logo Mail Archive

Re: [netconf] Last Call on Re: Today's update to client-server drafts

Kent Watsen <kent+ietf@watsen.net> Mon, 15 June 2020 14:59 UTC

Return-Path: <01000172b87e40fb-56f5a8d3-b671-4837-8ff3-4c377f720c0c-000000@amazonses.watsen.net>
X-Original-To: netconf@ietfa.amsl.com
Delivered-To: netconf@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E8A553A0D9B for <netconf@ietfa.amsl.com>; Mon, 15 Jun 2020 07:59:44 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.894
X-Spam-Level:
X-Spam-Status: No, score=-1.894 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_MSPIKE_H4=0.001, RCVD_IN_MSPIKE_WL=0.001, SPF_HELO_NONE=0.001, SPF_NONE=0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=amazonses.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ffw2hgbILA3H for <netconf@ietfa.amsl.com>; Mon, 15 Jun 2020 07:59:43 -0700 (PDT)
Received: from a8-31.smtp-out.amazonses.com (a8-31.smtp-out.amazonses.com [54.240.8.31]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id E0A8C3A0D3B for <netconf@ietf.org>; Mon, 15 Jun 2020 07:59:42 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/simple; s=224i4yxa5dv7c2xz3womw6peuasteono; d=amazonses.com; t=1592233181; h=From:Message-Id:Content-Type:Mime-Version:Subject:Date:In-Reply-To:Cc:To:References:Feedback-ID; bh=HF9QZydMvDpKr3DpYghSBdYwfPY7DE9ut1jNkavJAVA=; b=MJJbVoG2K6Q1+8NgcJTJlz6TrjI6kVmrsksmeK7wxgD8EPOkTbfGeeGl5xyxn0tu Q404wj+M9bb7wTFWsO6VyUXOgISFLJUl5XfqSklzOJHGSuezF6+cR3d9mo0RR6ryBvg xtWOUMRLvKdLsudm+I9T4vzve1ETeDSQihBecVhI=
From: Kent Watsen <kent+ietf@watsen.net>
Message-ID: <01000172b87e40fb-56f5a8d3-b671-4837-8ff3-4c377f720c0c-000000@email.amazonses.com>
Content-Type: multipart/alternative; boundary="Apple-Mail=_4103BAC3-F0A1-4CA4-9553-37D5C3123845"
Mime-Version: 1.0 (Mac OS X Mail 13.4 \(3608.80.23.2.2\))
Date: Mon, 15 Jun 2020 14:59:41 +0000
In-Reply-To: <DBAPR07MB701671D1E66A7C53FB559072A0810@DBAPR07MB7016.eurprd07.prod.outlook.com>
Cc: Mahesh Jethanandani <mjethanandani@gmail.com>, "netconf@ietf.org" <netconf@ietf.org>
To: tom petch <ietfc@btconnect.com>
References: <0100017233fe7ff7-8e22b4b1-aa03-4c8e-bf9d-fdbc7d3e41fd-000000@email.amazonses.com> <85A8ECA9-8875-45FA-839B-50CE35F6C8BA@gmail.com> <DBAPR07MB701671D1E66A7C53FB559072A0810@DBAPR07MB7016.eurprd07.prod.outlook.com>
X-Mailer: Apple Mail (2.3608.80.23.2.2)
X-SES-Outgoing: 2020.06.15-54.240.8.31
Feedback-ID: 1.us-east-1.DKmIRZFhhsBhtmFMNikgwZUWVrODEw9qVcPhqJEI2DA=:AmazonSES
Archived-At: <https://mailarchive.ietf.org/arch/msg/netconf/4SNP-U3rGxwddk7keYkbDPwgoww>
Subject: Re: [netconf] Last Call on Re: Today's update to client-server drafts
X-BeenThere: netconf@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: NETCONF WG list <netconf.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/netconf>, <mailto:netconf-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/netconf/>
List-Post: <mailto:netconf@ietf.org>
List-Help: <mailto:netconf-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/netconf>, <mailto:netconf-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 15 Jun 2020 14:59:45 -0000

Hi Tom,


> On Jun 12, 2020, at 12:30 PM, tom petch <ietfc@btconnect.com> wrote:
> 
> From: netconf <netconf-bounces@ietf.org> on behalf of Mahesh Jethanandani <mjethanandani@gmail.com>
> Sent: 22 May 2020 06:14
> 
> <tp>
> I am sure I saw a Last Call but cannot now find it.

It looks like you have now found/reply to that thread. :)


> I wonder if there is anyone in the IETF who is familiar with this work and with RFC8635;  would these I-D meet the needs of RFC8635 which I have always seen as one of the two use cases for this work?

I just read the first couple pages.  Yes, this work, keystore in particular, seems complementary to RFC 8635.  Both the “router-driven” and “operator-driven” methods are supported though, with the recent removal of the key-generation RPCs, the “operator-driven” approach is tempered a bit.

Note that the paragraph at the top of Page 3 mimics Section 5.3 (Migrating Configuration to Another Server) in the keystore draft:

   For example, when an operator wants to support hot-swappable routers,
   the same private key needs to be installed in the soon-to-be online
   router that was used by the soon-to-be offline router.  This
   motivated the operator-driven method.



> In passing, trust anchors registers prefix ta; logical except that the I-D uses ts

Good catch.  Corrected here: https://github.com/netconf-wg/trust-anchors/commit/43017b3a448d46a47526b138df551748b92df146 <https://github.com/netconf-wg/trust-anchors/commit/43017b3a448d46a47526b138df551748b92df146>


> Tom Petch
> 
> What would it take to get the remaining drafts into WGLC?


I recently answered this question for Mahesh here: https://mailarchive.ietf.org/arch/msg/netconf/UDNkN5SOmeDaHA5pHYhe-v0l6MI/ <https://mailarchive.ietf.org/arch/msg/netconf/UDNkN5SOmeDaHA5pHYhe-v0l6MI/>



Kent // contributor




>> On May 20, 2020, at 2:30 PM, Kent Watsen <kent+ietf@watsen.net> wrote:
>> 
>> 
>> The entire suite of drafts were updated today.
>> The first three drafts are ready for WGLC.
>> All of the other drafts are almost ready for WGLC.
>> Below is the Change Log entry for each draft.
>> 
>> K.
>> 
>> 
>> For all drafts:
>> 
>>  o  Added a "Note to Reviewers" note to first page.
>> 
>> 
>> For crypto-types:
>> 
>>  o  Removed the IANA-maintained registries for symmetric, asymmetric,
>>      and hash algorithms.
>> 
>>  o  Removed the "generate-symmetric-key" and "generate-asymmetric-key"
>>      RPCs.
>> 
>>  o  Removed the "algorithm" node in the various symmetric and
>>      asymmetric key groupings.
>> 
>>  o  Added 'typedef csr' and 'feature certificate-signing-request-
>>     generation'.
>> 
>>  o  Refined a usage of "end-entity-cert-grouping" to make the "cert"
>>      node mandatory true.
>> 
>> 
>> For trust-anchors:
>> 
>>  o  Removed "algorithm" node from examples.
>> 
>>  o  Removed the no longer used statements supporting the old "ssh-
>>      public-key" and "raw-public-key" nodes.
>> 
>> 
>> For keystore:
>> 
>>  o  Removed augments to the "generate-symmetric-key" and "generate-
>>      asymmetric-key" groupings.
>> 
>>  o  Removed "generate-symmetric-key" and "generate-asymmetric-key"
>>      examples.
>> 
>>  o  Removed the "algorithm" nodes from remaining examples.
>> 
>>  o  Renamed/updated the "Support for Built-in Keys" section.
>> 
>>  o  Added new section "Encrypting Keys in Configuration".
>> 
>> 
>> For tcp-client-server:
>> 
>>  o  Removed commented out "grouping tcp-system-grouping" statement
>>      kept for reviewers.
>> 
>> 
>> For ssh-client-server:
>> 
>>  o  Updated the "keepalives" containers to address Michal Vasko's
>>      request to align with RFC 8071
>> 
>>  o  Removed algorithm-mapping tables from the "SSH Common Model"
>>      section
>> 
>>  o  Removed 'algorithm' node from examples.
>> 
>>  o  Added feature "client-identity-publickey"
>> 
>>  o  Removed "choice auth-type", as auth-types aren't exclusive.
>> 
>>  o  Renamed both "client-certs" and "server-certs" to "ee-certs"
>> 
>>  o  Switch "must" to assert the public-key-format is "subject-public-
>>      key-info-format" when certificates are used.
>> 
>> 
>> For tls-client-server:
>> 
>>  o  Updated the "keepalives" containers in part to address Michal
>>      Vasko's request to align with RFC 8071 and in part to better align to RFC 6520
>> 
>>  o  Removed algorithm-mapping tables from the "TLS Common Model"
>>      section
>> 
>>  o  Removed the 'algorithm' node from the examples.
>> 
>>  o  Renamed both "client-certs" and "server-certs" to "ee-certs"
>> 
>> 
>> For http-client-server:
>> 
>>  o  Removed "protocol-versions" from ietf-http-server based on HTTP WG
>>      feedback.
>> 
>>  o  Slightly restructured the "proxy-server" definition in ietf-http-
>>      client.
>> 
>>  o  Added http-client example show proxy server use.
>> 
>> 
>> For netconf-client-server:
>> 
>>  o  Updated examples to remove the 'algorithm' nodes.
>> 
>>  o  Updated examples to reflect the new TLS keepalives structure.
>> 
>>  o  Added keepalives to the tcp-client-parameters section in the
>>      netconf-server SSH-based call-home example.
>> 
>>  o  Added a TLS-based call-home example to the netconf-client example.
>> 
>> 
>> For restonf-client-server:
>> 
>>  o  Updated examples to remove the 'algorithm' nodes.
>> 
>>  o  Updated examples to reflect the new TLS keepalives structure.
>> 
>>  o  Removed the 'protocol-versions' node from the restconf-server
>>      examples.
>> 
>> 
>> 
>> 
>> _______________________________________________
>> netconf mailing list
>> netconf@ietf.org
>> https://www.ietf.org/mailman/listinfo/netconf
> 
> Mahesh Jethanandani (as co-chair)
> mjethanandani@gmail.com
> 
> 
> 
> _______________________________________________
> netconf mailing list
> netconf@ietf.org
> https://www.ietf.org/mailman/listinfo/netconf

v2.23.0 | Report a Bug | By Email