Re: [netconf] WGLC on draft-ietf-netconf-over-tls13

Sean Turner <sean@sn3rd.com> Thu, 09 February 2023 18:32 UTC

Jeff,

Thanks for your review. Responses below.

I’ll let these and the other PRs settle for a week before merging.

spt

> On Jan 26, 2023, at 16:55, Hartley, Jeff <Jeff.Hartley@commscope.com> wrote:
> 
> Comments re: https://datatracker.ietf.org/doc/draft-ietf-netconf-over-tls13/
> I concur with others that the overall content of the document is clear from an implementer-reader's standpoint, and it provides useful references.
>  
>  
> 1.  Discussion re: RFC7589 and the Abstract:
> The way the Abstract reads is technically accurate already -- RFC7589 is TLS 1.2-specific, and everything here is TLS 1.3-specific.  Perhaps it's worthwhile reminding readers that some of the functions are not forward/backward-compatible between the two, but that's thoroughly covered in the primary TLS 1.3 docs.
>  
> The format of this document appears to be structured as an addendum for RFC7589, but specific to TLS 1.3.  Thus my concern is, "is this sufficiently stand-alone once TLS 1.2 is deprecated (and thus RFC7589 along with it)?" 
> A) If it's intended to be stand-alone, there's some copy-paste to do from the original.
> B) If not, then describe this as an addendum.

Based on Jürgen’s comment we’re making this an updates I-D, so an addendum. See the following PR:
https://github.com/netconf-wg/netconf-over-tls13/pull/11

Note the cipher suite issue I noted in response to Jürgen’s email.

> 2.  On this same topic, there is another reference to RFC7589 in "5. Security Considerations" that should follow the decision above:
> A) If this is a standalone document, it's worth spelling out the full RFC7589 Client Identity requirements here, rewritten to be TLS 1.3-specific.
> B) If this is an addendum to RFC7589, then it's fine as-is, and just fix the Abstract.

Tweaks to the Security Considerations here:
https://github.com/netconf-wg/netconf-over-tls13/pull/10

> 3.  Concurring with others... This section can be safely deleted, as the logic of the adjacent three paragraphs appears to cover the intent sufficiently:
>   "So, this is what {{Section 9.1 of I-D.ietf-tls-rfc8446bis}} says: 
>   ...
>   My guess is not.  These ought to be available in all TLS libraries."

Deleted via the following PR:
https://github.com/netconf-wg/netconf-over-tls13/pull/7

> 4. "Please review ..." verbiage:
> What's the RFC syntax for an import{}?  
>  
> The verbiage intent appears to function as an import or include, thus something like this may suffice:
> "
> The following texts are considered mandatory requirements for this document:
> - Security Considerations in TLS 1.3  [I-D.ietf-tls-rfc8446bis]
> - recommendations regarding Diffie-Hellman exponent reuse in Section 7.4 of [I-D.ietf-uta-rfc7525bis]
> - Security Considerations in NETCONF [RFC6241]
> - certificate revocation checking in Section 7.5 of [I-D.ietf-uta-rfc7525bis]
> - generic host name validation in the TLS context in [RFC6125]

Tweaked this section in a slightly different way; see the following PR:
https://github.com/netconf-wg/netconf-over-tls13/pull/10

> Thanks;
> -Jeff Hartley