[netconf] today's updates to client/server drafts

Kent Watsen <kent+ietf@watsen.net> Sun, 08 March 2020 21:41 UTC

Archived-At: <https://mailarchive.ietf.org/arch/msg/netconf/9AekNEfUnPni735n_-ZHSNHcJ-M>

Summary:

With only two lingering issues (AFAIK), we’re very close to done with these drafts. The two open issues are:

1) how to define the algorithm ids in crypto-types.  The current draft now defines registries and a process that IANA can use to generate YANG modules from them.  This approach seemed reasonable to Rich Salz (SecDir), but Ben Kaduk (Sec AD) suggested that protocol-specific registries may be preferred.  The hope is that the current approach will give everyone something concrete to reference and improve on.

2) the “supported algorithms” list has been removed from crypto-types but not yet added to the ssh-client-server and tls-client-server drafts.  I was hoping that someone else would do this but, alas, no one stepped up.


Following are the per-draft Change Log entries.

crypto-types:

  o  Resolved the "FIXME: forward ref" issue by modulating 'must',
      'when', and 'mandatory' expressions.

  o  Moved the 'generate-symmetric-key' and 'generate-asymmetric-key'
      actions from ietf-keystore to ietf-crypto-types, now as RPCs.

  o  Cleaned up various description statements and removed lingering
      FIXMEs.

  o  Converted the "iana-<alg-type>-algs" YANG modules to IANA
      registries with instructions for how to generate modules from the
      registries, whenever they may be updated.


keystore:

  o  Moved the generate key actions to ietf-crypto-types as RPCs, which
      are augmented by ietf-keystore to support encrypted keys.
      Examples updated accordingly.

  o  Added an SSH certificate-based key (RFC 6187) and a raw private key
      to the example instance document (partly so they could be
      referenced by examples in the SSH and TLS client/server drafts).


truststore:

  o  Removed remaining PSK references from text.

  o  Wrapped each top-level list with a container.

  o  Introduced "bag" term.

  o  Merged "SSH Public Keys" and "Raw Public Keys" into a single "Public
      Keys" bag.  Consuming downstream modules (i.e., "ietf-[ssh/tls]-
      [client/server]") refine the "public-key-format" to be either SSH
      or TLS specific as needed.


tcp-client-server:

  o  Fixed a few typos.


ssh-client-server:

  o  Removed leaf-list 'other' from ietf-ssh-server.

  o  Removed unused 'external-client-auth-supported' feature.

  o  Added features client-auth-password, client-auth-hostbased, and
      client-auth-none.

  o  Renamed 'host-key' to 'public-key' for when referring to
      'publickey' based auth.

  o  Added new feature-protected 'hostbased' and 'none' to the 'user'
      node's config.

  o  Added new feature-protected 'hostbased' and 'none' to the 'client-
      identity' node's config.

  o  Updated examples to reflect new "bag" addition to truststore.

  o  Refined truststore/keystore groupings to ensure the key formats
      "must" be particular values.

  o  Switched to using truststore's new "public-key" bag (instead of
      separate "ssh-public-key" and "raw-public-key" bags).

  o  Updated client/server examples to cover ALL cases (local/ref x
      cert/raw-key/psk).


tls-client-server:

  o  Removed the unused "external-client-auth-supported" feature.

  o  Made client-identity optional, as there may be over-the-top auth
      instead.

  o  Added augment to uses of local-or-keystore-symmetric-key-grouping
       for a psk "id" node.

  o  Added missing presence container "psks" to ietf-tls-server's
      "client-authentication" container.

  o  Updated examples to reflect new "bag" addition to truststore.

  o  Removed feature-limited caseless 'case' statements to improve tree
      diagram rendering.

  o  Refined truststore/keystore groupings to ensure the key formats
      "must" be particular values.

  o  Switched to using truststore's new "public-key" bag (instead of
      separate "ssh-public-key" and "raw-public-key" bags).

  o  Updated client/server examples to cover ALL cases (local/ref x
      cert/raw-key/psk).


http-client-server:

  o  Removed the unused "external-client-auth-supported" feature from
      ietf-http-server.


netconf-client-server:

  o  Updated examples to reflect new "bag" addition to truststore.


restconf-client-server:

  o  Updated examples to reflect new "bag" addition to truststore.