Re: [netconf] Securing UDP-notif messages with DTLS

Benoit Claise <benoit.claise@huawei.com> Tue, 03 August 2021 12:45 UTC

To: Pierre Francois <pierre.francois.ietf@gmail.com>, Juergen Schoenwaelder <j.schoenwaelder@jacobs-university.de>, Kent Watsen <kent@watsen.net>, pierre francois <pierre.francois@insa-lyon.fr>, Marco.Tollini1@swisscom.com, Netconf <netconf@ietf.org>
References: <152841A6-6A37-4F75-857D-2F70346AFB5D@insa-lyon.fr> <0100017b07afa694-e244f7b7-ab7b-4fab-b669-793f9f6b87d2-000000@email.amazonses.com> <CAFNmoOHNKP8g9syh9KE6KFtCQUGsYBSCR7GO1NCby6UqCt0y7A@mail.gmail.com> <20210802173342.6kv5gkhkuu4tapcw@anna.jacobs.jacobs-university.de> <CAFNmoOHQ96g3ZX0DMN8x9J1PPbqkzHR6_uj73oUDfXqgwC5E9A@mail.gmail.com>
From: Benoit Claise <benoit.claise@huawei.com>
Message-ID: <fbf7ac89-eb31-d1d3-367a-0e7fb33d6132@huawei.com>
Date: Tue, 03 Aug 2021 14:45:19 +0200
Archived-At: <https://mailarchive.ietf.org/arch/msg/netconf/8blWW2_rDaAP7Rk1f9Wc-U5uyGY>
Subject: Re: [netconf] Securing UDP-notif messages with DTLS

Hi,

This discussion reminds me of IPFIX discussions :-)
Considering that the industry/operators will implement what they need 
(not more), or request what they need from router vendors, regardless of 
what the RFCs say, let's go with the path of least resistance regarding 
publication. I would say: merge the two drafts.

Regards, Benoit

On 8/2/2021 9:22 PM, Pierre Francois wrote:
> Juergen,
>
> Thanks for your input.
>
> IESG composition won't change much to the story on this aspect, I think.
> Alright, I'll discuss with all the authors involved and get back to 
> the list. I guess no one in the wg will object to a merge if we decide 
> to go this way.
>
> Cheers,
>
> /pfr
>
>
>
>
>
>
> On Mon, 2 Aug 2021 at 19:33, Jürgen Schönwälder 
> <j.schoenwaelder@jacobs-university.de> wrote:
>
>     In the past, there were people on the IESG that would tell you that "a
>     controlled environment" is in most cases a myth. (There is something
>     to this argument once you think about how messed up the world appears
>     to be these days.)
>
>     There certainly is a point that compliant implementations must support
>     a secure transport so that people deploying the technology have the
>     choice to use it. If an operator then decides to not use the secure
>     transport, so be it, that is then the operator's free choice (and
>     responsibility). But not being able to make this choice, because a secure
>     transport is not universally implemented, is an obstacle to avoid.
>
>     And yes, this is all about what needs to be implemented to be
>     compliant. The IESG has little influence on what people use, but it
>     can influence that people have a choice by requiring the
>     implementation of a secure transport by compliant implementations.
>
>     /js
>
>     PS: Of course, I am talking from past experience, and the details of
>         the story lines usually change with the IESG composition.
>
>     On Mon, Aug 02, 2021 at 07:14:35PM +0200, Pierre Francois wrote:
>     > Hello everyone,
>     >
>     > I'm fine with merging the two drafts. What I wish is that the existing
>     > implementations that do not mandate dtls activation remain legit wrt the
>     > resulting RFC.
>     > We're aiming at lightweight transport in controlled environments here.
>     >
>     > Cheers,
>     > Pierre.
>     >
>     > On Mon, 2 Aug 2021 at 18:26, Kent Watsen <kent@watsen.net> wrote:
>     >
>     > >
>     > > Mahesh and I were wondering about this.  When Pierre mentioned the DTLS
>     > > work, we were “surprised” in that we too assumed the “udp” draft had the
>     > > security bits.
>     > >
>     > > It is true that the IESG is all but mandating security for years
>     > > now.  IIRC, Syslog over UDP is obsolete due to being unsecured.
>     > > K.
>     > >
>     > > On Aug 2, 2021, at 11:53 AM, Zmail <alex.huang-feng@insa-lyon.fr> wrote:
>     > >
>     > > Noted, I’ll discuss this with Unyte team.
>     > >
>     > > Alex
>     > >
>     > > On 2 Aug 2021, at 11:40, Jürgen Schönwälder <j.schoenwaelder@jacobs-university.de> wrote:
>     > >
>     > > Since I doubt that a protocol not providing security will receive
>     > > IESG approval, I suggest that this work is getting integrated into
>     > > draft-ietf-netconf-udp-notif-03.txt.
>     > >
>     > > I have not read the content but the I-D seems fairly small so
>     > > integration into the WG document should be fairly trivial. Given past
>     > > experience, it might be that the DTLS/UDP transport will become the
>     > > mandatory to implement transport.
>     > >
>     > > /js
>     > >
>     > > On Mon, Aug 02, 2021 at 10:59:07AM +0200, Zmail wrote:
>     > >
>     > > Hello to everyone,
>     > >
>     > > We would like to present a new draft we didn’t have time to show on the
>     > > last IETF meeting.
>     > >
>     > > https://datatracker.ietf.org/doc/draft-unyte-netconf-udp-notif-dtls/
>     > >
>     > > This draft defines a mechanism to secure UDP-notif protocol messages using
>     > > DTLS 1.3.
>     > > It defines the different layers involved, the DTLS session lifecycle and
>     > > the mandatory cipher suites to use. It also makes explicit that no
>     > > extensions of DTLS are needed and that IP fragmentation should be avoided.
>     > > We would like to have some feedback for this draft.
>     > >
>     > > We will present the draft to the WG on the next IETF meeting.
>     > >
>     > > Looking forward to hearing from you,
>     > >
>     > > Alex Huang Feng
>     > >
>     > >
>     > > _______________________________________________
>     > > netconf mailing list
>     > > netconf@ietf.org
>     > > https://www.ietf.org/mailman/listinfo/netconf
>     > >
>     > >
>     > >
>     > > --
>     > > Juergen Schoenwaelder           Jacobs University Bremen gGmbH
>     > > Phone: +49 421 200 3587         Campus Ring 1 | 28759 Bremen | Germany
>     > > Fax:   +49 421 200 3103         <https://www.jacobs-university.de/>
>     > >
>     > >
>
>
>
>
>