IETF Logo Mail Archive

Re: [netconf] Paul Wouters' Discuss on draft-ietf-netconf-tls-client-server-39: (with DISCUSS)

Kent Watsen <kent+ietf@watsen.net> Fri, 01 March 2024 23:49 UTC

Return-Path: <0100018dfc6c66fc-7aa58c9b-5d82-4e0b-a54a-780063b45286-000000@amazonses.watsen.net>
X-Original-To: netconf@ietfa.amsl.com
Delivered-To: netconf@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 86AC8C14F617; Fri, 1 Mar 2024 15:49:41 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.904
X-Spam-Level:
X-Spam-Status: No, score=-6.904 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_HI=-5, RCVD_IN_MSPIKE_H5=0.001, RCVD_IN_MSPIKE_WL=0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=amazonses.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id RFzgcxKzAq8p; Fri, 1 Mar 2024 15:49:40 -0800 (PST)
Received: from a48-90.smtp-out.amazonses.com (a48-90.smtp-out.amazonses.com [54.240.48.90]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 6B55CC14F686; Fri, 1 Mar 2024 15:49:40 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/simple; s=224i4yxa5dv7c2xz3womw6peuasteono; d=amazonses.com; t=1709336979; h=From:Message-Id:Content-Type:Mime-Version:Subject:Date:In-Reply-To:Cc:To:References:Feedback-ID; bh=jW+xrH+y4zbRR9YW8TB9ZgsjOYypbp/XYipLLcLyLGE=; b=REl3qsUaZMDllk1XJAlLj8cF0JdGtiRkQNjlJ4whHJWdqzHOi43WK2XqVRxh0A3L BMJ5Wso0Vuk4Kko4E/+cM+A2VMhah88cDQriR3z8p4g7Li/FZVaL0nJ8kBeSLrVdylj rrAjYO0AfKtuaQXMakXtJrVM7dGZgfaL5BIsZEfg=
From: Kent Watsen <kent+ietf@watsen.net>
Message-ID: <0100018dfc6c66fc-7aa58c9b-5d82-4e0b-a54a-780063b45286-000000@email.amazonses.com>
Content-Type: multipart/alternative; boundary="Apple-Mail=_524983A7-5ACA-4B99-B1DA-CED5AF4C23D1"
Mime-Version: 1.0 (Mac OS X Mail 16.0 \(3774.400.31\))
Date: Fri, 01 Mar 2024 23:49:39 +0000
In-Reply-To: <170915318121.38047.7822426820911812006@ietfa.amsl.com>
Cc: The IESG <iesg@ietf.org>, draft-ietf-netconf-tls-client-server@ietf.org, "netconf-chairs@ietf.org" <netconf-chairs@ietf.org>, "netconf@ietf.org" <netconf@ietf.org>, jeff.hartley@commscope.com, Mahesh Jethanandani <mjethanandani@gmail.com>
To: Paul Wouters <paul.wouters@aiven.io>
References: <170915318121.38047.7822426820911812006@ietfa.amsl.com>
X-Mailer: Apple Mail (2.3774.400.31)
Feedback-ID: 1.us-east-1.DKmIRZFhhsBhtmFMNikgwZUWVrODEw9qVcPhqJEI2DA=:AmazonSES
X-SES-Outgoing: 2024.03.01-54.240.48.90
Archived-At: <https://mailarchive.ietf.org/arch/msg/netconf/5DPNLHu44d6cjj5ndN7ZSgLfepM>
Subject: Re: [netconf] Paul Wouters' Discuss on draft-ietf-netconf-tls-client-server-39: (with DISCUSS)
X-BeenThere: netconf@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: NETCONF WG list <netconf.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/netconf>, <mailto:netconf-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/netconf/>
List-Post: <mailto:netconf@ietf.org>
List-Help: <mailto:netconf-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/netconf>, <mailto:netconf-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 01 Mar 2024 23:49:41 -0000

Hi Paul,

Thank you for your comments.
Please find responses below.

Kent // author



> On Feb 28, 2024, at 3:46 PM, Paul Wouters via Datatracker <noreply@ietf.org> wrote:
> 
> Paul Wouters has entered the following ballot position for
> draft-ietf-netconf-tls-client-server-39: Discuss
> 
> When responding, please keep the subject line intact and reply to all
> email addresses included in the To and CC lines. (Feel free to cut this
> introductory paragraph, however.)
> 
> 
> Please refer to https://www.ietf.org/about/groups/iesg/statements/handling-ballot-positions/ 
> for more information about how to handle DISCUSS and COMMENT positions.
> 
> 
> The document, along with other ballot positions, can be found here:
> https://datatracker.ietf.org/doc/draft-ietf-netconf-tls-client-server/
> 
> 
> 
> ----------------------------------------------------------------------
> DISCUSS:
> ----------------------------------------------------------------------
> 
> Two minor DISCUSS points that are likely easy to resolve.
> 
> 1) 2.2 examples
> 
> This example uses tls11 and tls12. It would be better to use tls12 and tls13
> as examples as tls11 is on its way to being deprecated. also "identity tls11"
> is not defined in the document but they are for 1.2 and 1.3.

Example updated.


> It claims in "identity tls12" that it's status is "deprecated"
> 
> I don't see that (yet) in https://datatracker.ietf.org/doc/bcp195/
> or at https://datatracker.ietf.org/wg/tls/documents/
> 
> 1.2 is obsoleted by 1.3, but is not yet deprecated. I'm also not sure
> why the "status" field needs to be there at all? What is the purpose of
> this field? I read the description and it related to MUST NOT actions, but
> I'm unsure what the difference is between not having the the entry (eg the
> entire "identity tls12") or having the entry with the included "status"
> field ? (again, sorry I am not a Yang Doctor)

My misunderstanding.  I have removed the two “status deprecated” statements.

FWIW, the semantics for the “deprecated” statement is that the configuration is allowed, but the validator should throw a warning.



> 2) !-- USE ONLY ONE AT A TIME
> 
> I am confused about this directive. Is it to the RFC Editor for generating
> the yang? For the implementer to only allow one? For the user to only define
> one?

My bad - that was cruft from my testing harness.  In order to avoid confusion, I have removed all of the commented-out configuration.


> What it you want to migrate from one method to another in a cloud of machines,
> and you cannot update them all at once? Wouldn't having more than one give
> you a proper migration path?

I don’t understand this comment.  
Can you give an example?


Thanks again!
Kent

v2.23.0 | Report a Bug | By Email