Re: [netconf] Create IANA-defined modules?

tom petch <ietfc@btconnect.com> Tue, 15 June 2021 11:32 UTC

From: tom petch <ietfc@btconnect.com>
To: Qin Wu <bill.wu@huawei.com>, Kent Watsen <kent+ietf@watsen.net>, "Per Andersson (perander)" <perander@cisco.com>
CC: "netconf@ietf.org" <netconf@ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/netconf/7byXRnvEDakxtd0TGt7-iaLypeg>

From: Qin Wu <bill.wu@huawei.com>
Sent: 15 June 2021 06:54

From: Kent Watsen [mailto:kent+ietf@watsen.net]
Sent: 5 June 2021 0:22

Thank you Qin, Tom, and Per for the responses to my last post…this message addresses them all.

Since the discussion has been mostly about *how* to create the IANA-defined module (not *if* we should, e.g., dropping the work for some future effort to pick up), I take it that folks believe having the ability to configure supported-algorithms is needed now.  As no one offered to help (:sigh:, and people wonder why this work takes so long), I wrote the attached script that creates the attached module directly from the data obtained from the IANA-maintained "TLS Cipher Suites" sub-registry of the "Transport Layer Security (TLS) Parameters" registry here: https://www.iana.org/assignments/tls-parameters/tls-parameters.xhtml.  The resulting module is also attached.

[Qin Wu]  The proposed module looks good to me, I assume these cipher-suite identities are not specific to a particular version of TLS, e.g., TLS1.3.

<tp>
No, the exact opposite.  AFAIK there is no recommended ciphersuite that is common to TLS1.2 and TLS1.3 (or indeed one that is not recommended).  TLS1.3 is very different!


Tom, you will be happy to know that all the identity names begin with "tls"  :)    Also, there are no "feature" statements, since there is nothing in the source registry that can be used to generate "if-feature" statements.  Out of the 347 algorithms listed in the registry, 310 algorithms are marked "status deprecated" (driven by the "recommended" column having value 'N'), and 7 algorithms are marked "status obsolete" (driven by the "SC-tls-des-idea-ciphers-to-historic" reference).

Regarding whether to use a "config false" tree or an RPC, Per makes an interesting point about "must" and "when" expressions, though I do wonder how that would play out in practice, as said expressions would (presumably) be defined under "config true" nodes and hence couldn't reference the "config false" values?  Maybe Per could say some more about the use-case in mind.

No one responded regarding whether we should use identities or enumerations.  The attached sample module uses identities, but it would be an easy thing to change the script to generate enumerations - thoughts?

Again: if "identity" statements are used, and the module is *implemented*, it would NOT mean the server supports all (or even any) of the algorithms. This would only be known if the algorithm appears in the "supported algorithms" "config false" list.  Does anyone feel this is a misuse of YANG?  IMO, YANG identities needing to be implemented is not very useful in practice, and so I don't view that as a negative in the slightest.

[Qin Wu] I agree with Per that it seems identities are a better choice.

<tp>
They differ in how easy they are to extend, to modify; identity easy, enumeration less so.  Either way I am sceptical that YANG has the capabilities to model the flexibility that is needed here.  IANA/TLS WG provide the base capabilities - identifier, TLS/DTLS, recommended or not, 1.3 or earlier - from which a YANG module provides a subset from which an implementation specifies which it supports.  And the list keeps changing from the work of the TLS WG and other bodies.

Tom Petch

K.
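
The registry-to-YANG mapping discussed in this thread, as an added example that is not part of the original message and is not the script attached to it: it renders registry rows as YANG identities, marking a suite "status obsolete" when its reference cites SC-tls-des-idea-ciphers-to-historic and "status deprecated" when the Recommended column is 'N'. The CSV column names, the sample rows (constructed), the lowercase-hyphen naming rule and the base identity name `cipher-suite-alg-base` are assumptions.

```python
import csv
import io

# Constructed sample rows using the registry's CSV column names (assumption);
# the Reference values are illustrative, not copied from IANA.
SAMPLE_CSV = '''Value,Description,DTLS-OK,Recommended,Reference
"0x00,0x09",TLS_RSA_WITH_DES_CBC_SHA,Y,N,[SC-tls-des-idea-ciphers-to-historic]
"0x00,0x2F",TLS_RSA_WITH_AES_128_CBC_SHA,Y,N,[RFC5246]
"0x13,0x01",TLS_AES_128_GCM_SHA256,Y,Y,[RFC8446]
"0x13,0x06-07",Unassigned,,,
'''

OBSOLETE_MARKER = "SC-tls-des-idea-ciphers-to-historic"
BASE_IDENTITY = "cipher-suite-alg-base"  # hypothetical base identity name


def yang_status(row):
    """Return 'obsolete', 'deprecated', or None (YANG default 'current')."""
    # Obsolete is checked first: those suites also carry Recommended = N.
    if OBSOLETE_MARKER in row["Reference"]:
        return "obsolete"
    if row["Recommended"].strip().upper() == "N":
        return "deprecated"
    return None


def identity_stmt(row):
    """Render one registry row as a YANG identity, or None for non-suites."""
    desc = row["Description"].strip()
    if not desc.startswith("TLS_"):      # skip Reserved / Unassigned ranges
        return None
    lines = ["identity %s {" % desc.lower().replace("_", "-"),
             "  base %s;" % BASE_IDENTITY]
    status = yang_status(row)
    if status:
        lines.append("  status %s;" % status)
    lines.append('  description "%s (%s)";' % (desc, row["Value"]))
    lines.append('  reference "%s";' % row["Reference"])
    lines.append("}")
    return "\n".join(lines)


def generate(csv_text):
    """Return a list of identity statements for every real cipher suite."""
    rows = csv.DictReader(io.StringIO(csv_text))
    return [s for s in map(identity_stmt, rows) if s]


if __name__ == "__main__":
    print("\n\n".join(generate(SAMPLE_CSV)))
```
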