Re: [netconf] netconf-tls wasRe: Latest ietf-netconf-server draft and related modules

Juergen Schoenwaelder <j.schoenwaelder@jacobs-university.de> Tue, 11 May 2021 15:16 UTC

Date: Tue, 11 May 2021 17:16:14 +0200
From: Juergen Schoenwaelder <j.schoenwaelder@jacobs-university.de>
To: tom petch <ietfc@btconnect.com>
Cc: Kent Watsen <kent+ietf@watsen.net>, "netconf@ietf.org" <netconf@ietf.org>
Message-ID: <20210511151614.lcee2jna33bib4gk@anna.jacobs.jacobs-university.de>
Reply-To: Juergen Schoenwaelder <j.schoenwaelder@jacobs-university.de>
Mail-Followup-To: tom petch <ietfc@btconnect.com>, Kent Watsen <kent+ietf@watsen.net>, "netconf@ietf.org" <netconf@ietf.org>
References: <972-608a4700-29-1b90d060@24617716> <010001791de3029b-730530a6-f4fb-4d57-9d39-a1551ab76260-000000@email.amazonses.com> <AM7PR07MB62488B98AE0E394EFF5C80B1A0539@AM7PR07MB6248.eurprd07.prod.outlook.com>
In-Reply-To: <AM7PR07MB62488B98AE0E394EFF5C80B1A0539@AM7PR07MB6248.eurprd07.prod.outlook.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/netconf/5ojkWGzuf_wkxPREP6ZQeJVW5Po>

While I share sympathy with your points, I am not sure the configuration
interface documents are the right place to address some of your points
since NC over TLS is defined in RFC 5539 and this is the place where
updates may be needed.

/js

On Tue, May 11, 2021 at 11:57:22AM +0000, tom petch wrote:
> I find this I-D confused about which versions of TLS are supported.  It is 1.0/1.1/1.2 or 1.2/1.3 or 1.0/1.1/1.2/1.3 or 1.2 or ...
> This needs addressing and the text changed to match.
> 
> I suspect that the IESG will not accept any support for 1.0 or 1.1 given the existence of an RFC deprecating them and that this I-D should not go further than putting in place hooks with which an organisation could augment such support if they wanted to, but even that may be going too far.
> 
> I wonder too about what forms of authentication are acceptable, something that has changed several times in the life of the I-D.  I do not have a view of which are and which are not but think that guidance from the TLS WG or SecDir or Security AD would be useful now rather than later.
> 
> In a similar vein, TLS 1.3 is keen to ship application data before the handshake is complete, before authentication has happened, which causes problems for applications which want the handshake and authentication to complete first.  I see NETCONF as being such an application and the I-D needs to address that, as it is being addressed by other WGs.
> 
> Tom Petch

-- 
Juergen Schoenwaelder           Jacobs University Bremen gGmbH
Phone: +49 421 200 3587         Campus Ring 1 | 28759 Bremen | Germany
Fax:   +49 421 200 3103         <https://www.jacobs-university.de/>
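The three concerns raised in the quoted post (no deprecated TLS versions, certificate-based peer authentication, and no NETCONF processing before the handshake and authentication have finished) can be enforced at the application boundary. The following Go snippet is an added example, not code from the draft or from either correspondent; `netconfServerTLSConfig`, `checkAuthenticated` and `serveNetconf` are hypothetical names. On TCP connections Go's crypto/tls does not implement TLS 1.3 0-RTT early data, so the point shown is the explicit handshake-then-verify ordering rather than 0-RTT rejection itself.

```go
package main

import (
	"crypto/tls"
	"crypto/x509"
	"errors"
	"fmt"
	"net"
)

// Server config: refuse TLS 1.0/1.1 and require a CA-verified client certificate.
func netconfServerTLSConfig(cert tls.Certificate, clientCAs *x509.CertPool) *tls.Config {
	return &tls.Config{
		Certificates: []tls.Certificate{cert},
		MinVersion:   tls.VersionTLS12,
		ClientAuth:   tls.RequireAndVerifyClientCert,
		ClientCAs:    clientCAs,
	}
}

// checkAuthenticated gates NETCONF processing: the handshake must be finished,
// the version at least 1.2, and the peer must have presented a verified certificate.
func checkAuthenticated(cs tls.ConnectionState) error {
	if !cs.HandshakeComplete {
		return errors.New("handshake not complete; refusing application data")
	}
	if cs.Version < tls.VersionTLS12 {
		return fmt.Errorf("TLS version 0x%04x not allowed", cs.Version)
	}
	if len(cs.PeerCertificates) == 0 || len(cs.VerifiedChains) == 0 {
		return errors.New("peer not authenticated by certificate")
	}
	return nil
}

// serveNetconf runs the handshake explicitly instead of letting the first Read
// trigger it, so no NETCONF bytes are parsed before the gate has passed.
func serveNetconf(raw net.Conn, cfg *tls.Config, handle func(*tls.Conn) error) error {
	conn := tls.Server(raw, cfg)
	defer conn.Close()
	if err := conn.Handshake(); err != nil {
		return err
	}
	if err := checkAuthenticated(conn.ConnectionState()); err != nil {
		return err
	}
	return handle(conn)
}
```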