Re: [netconf] crypto-types fallback strategy

"Salz, Rich" <rsalz@akamai.com> Wed, 02 October 2019 19:24 UTC

From: "Salz, Rich" <rsalz@akamai.com>
To: Kent Watsen <kent+ietf@watsen.net>, Juergen Schoenwaelder <J.Schoenwaelder@jacobs-university.de>
CC: "netconf@ietf.org" <netconf@ietf.org>, "wang.haiguang.shieldlab@huawei.com" <wang.haiguang.shieldlab@huawei.com>, "rifaat.ietf@gmail.com" <rifaat.ietf@gmail.com>
Date: Wed, 02 Oct 2019 19:24:06 +0000
Archived-At: <https://mailarchive.ietf.org/arch/msg/netconf/645Xmg-6GZ2vac3oZeBuaBYCxq4>

Yes, there is churn.  We prefer to call it “change” or “evolution” :)  We hope that our protocols and data structures have enough flexibility, known as crypto agility, so that we don’t have to do huge revisions (as was the case when the MD5 digest was broken, for example).

Predicting the future is hard, especially for crypto, and this WG shouldn’t try.  That means that if the WG wants to keep current with best crypto practices, it probably should have smaller easy-to-revise documents rather than a single encyclopedia. (Apologies for repeating myself.) I don’t know the best way for this WG to do that as I am a netconf newbie.

As for the TLS ciphersuite evolution Tom mentioned, I can comment.  I am one of the TLS registry “expert reviewers.”  Yes, TLS 1.2 has dozens of algorithms supported; TLS 1.3 has eight.  While others may be added, they will be “not commended” (a new column added). My question is, do the ciphersuites matter in TLS configuration?  For most configurations that I see (including Akamai customers in my day job), it’s a random text string. Why does TLS configuration need more than a cert or two (RSA and ECDSA), the corresponding private keys, and a text list of ciphersuites?

Similarly, in my experience with SSH, it’s about public keys (for hosts you talk to) and private keys.

I don’t think this WG needs to think about symmetric/bulk encryption keys at this point. Of course, I could be wrong and would love to understand why, if so.