Re: [netconf] netconf-tls wasRe: Summary of updates

tom petch <ietfc@btconnect.com> Wed, 26 May 2021 09:23 UTC

From: tom petch <ietfc@btconnect.com>
To: Juergen Schoenwaelder <j.schoenwaelder@jacobs-university.de>
CC: Kent Watsen <kent+ietf@watsen.net>, "netconf@ietf.org" <netconf@ietf.org>
Date: Wed, 26 May 2021 09:23:17 +0000
Message-ID: <AM7PR07MB62480023243A6DAFD2829191A0249@AM7PR07MB6248.eurprd07.prod.outlook.com>
In-Reply-To: <20210525162921.ec2l7yc276yonzfb@anna.jacobs.jacobs-university.de>
Archived-At: <https://mailarchive.ietf.org/arch/msg/netconf/9Rwjh-rsmgo6cIi9NamGDPXJKvY>
Subject: Re: [netconf] netconf-tls wasRe: Summary of updates
List-Id: NETCONF WG list <netconf.ietf.org>
List-Archive: <https://mailarchive.ietf.org/arch/browse/netconf/>

From: Juergen Schoenwaelder <j.schoenwaelder@jacobs-university.de>
Sent: 25 May 2021 17:29

On Tue, May 25, 2021 at 03:58:10PM +0000, tom petch wrote:
>
> I guess someone (Tom?) should review RFC 5539 from the TLS 1.3
> perspective to tell the WG if any changes are needed so that the WG
> can take an informed decision whether an update of RFC 5539 is
> necessary or whether what we have is good enough.
>
> <tp>
> Well, I tend to forget that RFC5539 is obsolete, obsoleted by RFC7589 which is X.509 certificate only; no PSK, no naked public keys.  My concerns with TLS1.3 mostly relate to PSK which allows data to flow before the handshake is complete, before authentication is complete, which is a problem for some applications as I mentioned before; but staying with X.509 authentication only for Netconf makes life simpler for a 7589bis, replace 1.2 by 1.3 and think about the extensions to see what may be needed.
>

So regarding a possible update of RFC 7589, what is needed?

+ Require TLS 1.3 (update section 8)

Which extensions should one think about? Do you mean RFC 8773 or
something else?

<tp>
It is more a question of going through 8446 s.4.2 and s.9.2 to see what we want by way of an Application Profile.  Thus I would like to prohibit PSK, but that prohibits session resumption, which is fine by me; but I have limited exposure to what the world is doing, so maybe it is not that simple.

There is another problem which I see as larger and that is that the TAPS WG is revising RFC6125 and this leans heavily on that RFC and that might take a year or two to get revised.  I don't have a sense of where a 6125bis is going.

Tom Petch

/js

--
Juergen Schoenwaelder           Jacobs University Bremen gGmbH
Phone: +49 421 200 3587         Campus Ring 1 | 28759 Bremen | Germany
Fax:   +49 421 200 3103         <https://www.jacobs-university.de/>
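The profile sketched in this thread (require TLS 1.3, keep RFC 7589's X.509-only authentication, prohibit PSK and therefore resumption) can be checked against a real TLS stack. The Go code below is an added example written for this page, not code from the thread or from any NETCONF implementation; `ProfileConfig`, `SelfSigned` and `Handshake` are hypothetical names, and the certificate is a constructed throwaway. Disabling session tickets is what removes PSK-based resumption (and with it 0-RTT) in TLS 1.3, which is the trade-off Tom notes.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"math/big"
	"net"
	"time"
)

// ProfileConfig is the server side of a hypothetical 7589bis profile: TLS 1.3
// only, X.509 client authentication required, and no session tickets, so no
// PSK-based resumption and no 0-RTT data before the peer is authenticated.
func ProfileConfig(cert tls.Certificate, pool *x509.CertPool) *tls.Config {
	return &tls.Config{Certificates: []tls.Certificate{cert}, ClientCAs: pool,
		ClientAuth: tls.RequireAndVerifyClientCert, MinVersion: tls.VersionTLS13,
		SessionTicketsDisabled: true}
}

// SelfSigned makes a constructed throwaway certificate for "localhost", valid
// for server and client authentication, which both peers share below.
func SelfSigned() (tls.Certificate, *x509.CertPool) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), DNSNames: []string{"localhost"},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour),
		KeyUsage:    x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth}}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	leaf, _ := x509.ParseCertificate(der)
	pool := x509.NewCertPool()
	pool.AddCert(leaf)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}, pool
}

// Handshake runs one in-memory connection between a server using srv and a
// client using cli, reporting whether the client's session was resumed; a
// handshake the profile rejects (for example a TLS 1.2 client) surfaces as err.
func Handshake(srv, cli *tls.Config) (bool, error) {
	s, c := net.Pipe()
	go func() { tls.Server(s, srv).Handshake(); s.Close() }() // server side
	conn := tls.Client(c, cli)
	defer conn.Close()
	if err := conn.Handshake(); err != nil {
		return false, err
	}
	return conn.ConnectionState().DidResume, nil
}
```

A client that caches sessions still gets a full handshake on every connection, because the server never issues a ticket; a client capped at TLS 1.2 is refused outright.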