Re: [Netconf] ??Re:??WGLC??for??draft-ietf-netcon f-tls-04.txt
Mohamad Badra <badra@isima.fr> Mon, 29 September 2008 11:45 UTC
Return-Path: <netconf-bounces@ietf.org>
X-Original-To: netconf-archive@lists.ietf.org
Delivered-To: ietfarch-netconf-archive@core3.amsl.com
Received: from [127.0.0.1] (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 31AC23A6832; Mon, 29 Sep 2008 04:45:50 -0700 (PDT)
X-Original-To: netconf@core3.amsl.com
Delivered-To: netconf@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id E1CAB3A6832 for <netconf@core3.amsl.com>; Mon, 29 Sep 2008 04:45:48 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.544
X-Spam-Level:
X-Spam-Status: No, score=-1.544 tagged_above=-999 required=5 tests=[AWL=0.705, BAYES_00=-2.599, HELO_EQ_FR=0.35]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 0e+Y+--PXv2a for <netconf@core3.amsl.com>; Mon, 29 Sep 2008 04:45:47 -0700 (PDT)
Received: from sp.isima.fr (sp.isima.fr [193.55.95.1]) by core3.amsl.com (Postfix) with ESMTP id F05F43A6784 for <netconf@ietf.org>; Mon, 29 Sep 2008 04:45:46 -0700 (PDT)
Received: from [127.0.0.1] (pc158.isima.fr [193.55.95.158]) by sp.isima.fr (8.13.8/8.13.8) with ESMTP id m8TCjKc21085592; Mon, 29 Sep 2008 13:45:21 +0100
Message-ID: <48E0BF94.2060208@isima.fr>
Date: Mon, 29 Sep 2008 13:44:20 +0200
From: Mohamad Badra <badra@isima.fr>
User-Agent: Thunderbird 2.0.0.17 (Windows/20080914)
MIME-Version: 1.0
To: fanhuaxiang 90002624 <washam.fan@huawei.com>, Juergen Schoenwaelder <j.schoenwaelder@iu-bremen.de>, cfinss@dial.pipex.com
References: <fa17895d38c09.38c09fa17895d@huawei.com> <54592.88.164.98.77.1222597371.squirrel@www.isima.fr> <20080929101340.GC22657@elstar.local> <faf6ae7a3806c.3806cfaf6ae7a@huawei.com> <20080929105205.GA22832@elstar.local>
In-Reply-To: <20080929105205.GA22832@elstar.local>
X-Greylist: Sender IP whitelisted, not delayed by milter-greylist-3.0 (sp.isima.fr [193.55.95.1]); Mon, 29 Sep 2008 13:45:21 +0100 (WEST)
Cc: netconf@ietf.org
Subject: Re: [Netconf] ??Re:??WGLC??for??draft-ietf-netcon f-tls-04.txt
X-BeenThere: netconf@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Network Configuration WG mailing list <netconf.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/netconf>, <mailto:netconf-request@ietf.org?subject=unsubscribe>
List-Archive: <https://www.ietf.org/mailman/private/netconf>
List-Post: <mailto:netconf@ietf.org>
List-Help: <mailto:netconf-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/netconf>, <mailto:netconf-request@ietf.org?subject=subscribe>
Content-Transfer-Encoding: 7bit
Content-Type: text/plain; charset="us-ascii"; Format="flowed"
Sender: netconf-bounces@ietf.org
Errors-To: netconf-bounces@ietf.org
tom.petch wrote: >>Juergen Schoenwaelder wrote: >>>fanhuaxiang 90002624 wrote: > To quote TLS, > "The other party MUST respond with a close_notify > alert of its own and close down the connection immediately, > discarding any pending writes. " > so this proposed text would appear to contradict a TLS MUST. TLS also takes > great care not to bind itself to TCP and not to prescribe the behaviour of the > underlying transport protocol. >> maybe what said in counterpart section in syslog-tls contradict a >>TLS MUST, too. >>> I think the value of section "connection closure" is to describe >>> when and how to end up a connection. so I think maybe we need to >>> elaborate what "TLS connection is not used anymore" means in netconf >>> context. >>> >>> It is the application's decision and hence any discussion is either >>> pointless or likely getting it wrong. To quote IESG Evaluation on syslog-tls, "Section 4.4: OLD: A TLS client MUST close the associated TLS connection if the connection is not expected to deliver any syslog messages later. It MUST send a TLS close_notify alert before closing the connection. A client MAY choose to not wait for the server's close_noFrom netconf-bounces@ietf.org Mon Sep 29 04:45:50 2008 Return-Path: <netconf-bounces@ietf.org> X-Original-To: netconf-archive@ietf.org Delivered-To: ietfarch-netconf-archive@core3.amsl.com Received: from [127.0.0.1] (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 31AC23A6832; Mon, 29 Sep 2008 04:45:50 -0700 (PDT) X-Original-To: netconf@core3.amsl.com Delivered-To: netconf@core3.amsl.com Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id E1CAB3A6832 for <netconf@core3.amsl.com>; Mon, 29 Sep 2008 04:45:48 -0700 (PDT) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -1.544 X-Spam-Level: X-Spam-Status: No, score=-1.544 tagged_above=-999 required=5 tests=[AWL=0.705, BAYES_00=-2.599, HELO_EQ_FR=0.35] Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 0e+Y+--PXv2a for <netconf@core3.amsl.com>; Mon, 29 Sep 2008 04:45:47 -0700 (PDT) Received: from sp.isima.fr (sp.isima.fr [193.55.95.1]) by core3.amsl.com (Postfix) with ESMTP id F05F43A6784 for <netconf@ietf.org>; Mon, 29 Sep 2008 04:45:46 -0700 (PDT) Received: from [127.0.0.1] (pc158.isima.fr [193.55.95.158]) by sp.isima.fr (8.13.8/8.13.8) with ESMTP id m8TCjKc21085592; Mon, 29 Sep 2008 13:45:21 +0100 Message-ID: <48E0BF94.2060208@isima.fr> Date: Mon, 29 Sep 2008 13:44:20 +0200 From: Mohamad Badra <badra@isima.fr> User-Agent: Thunderbird 2.0.0.17 (Windows/20080914) MIME-Version: 1.0 To: fanhuaxiang 90002624 <washam.fan@huawei.com>, Juergen Schoenwaelder <j.schoenwaelder@iu-bremen.de>, cfinss@dial.pipex.com References: <fa17895d38c09.38c09fa17895d@huawei.com> <54592.88.164.98.77.1222597371.squirrel@www.isima.fr> <20080929101340.GC22657@elstar.local> <faf6ae7a3806c.3806cfaf6ae7a@huawei.com> <20080929105205.GA22832@elstar.local> In-Reply-To: <20080929105205.GA22832@elstar.local> X-Greylist: Sender IP whitelisted, not delayed by milter-greylist-3.0 (sp.isima.fr [193.55.95.1]); Mon, 29 Sep 2008 13:45:21 +0100 (WEST) Cc: netconf@ietf.org Subject: Re: [Netconf] ??Re:??WGLC??for??draft-ietf-netcon f-tls-04.txt X-BeenThere: netconf@ietf.org X-Mailman-Version: 2.1.9 Precedence: list List-Id: Network Configuration WG mailing list <netconf.ietf.org> List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/netconf>, <mailto:netconf-request@ietf.org?subject=unsubscribe> List-Archive: <https://www.ietf.org/mailman/private/netconf> List-Post: <mailto:netconf@ietf.org> List-Help: <mailto:netconf-request@ietf.org?subject=help> List-Subscribe: <https://www.ietf.org/mailman/listinfo/netconf>, <mailto:netconf-request@ietf.org?subject=subscribe> Content-Transfer-Encoding: 7bit Content-Type: text/plain; charset="us-ascii"; Format="flowed" Sender: netconf-bounces@ietf.org Errors-To: netconf-bounces@ietf.org tom.petch wrote: >>Juergen Schoenwaelder wrote: >>>fanhuaxiang 90002624 wrote: > To quote TLS, > "The other party MUST respond with a close_notify > alert of its own and close down the connection immediately, > discarding any pending writes. " > so this proposed text would appear to contradict a TLS MUST. TLS also takes > great care not to bind itself to TCP and not to prescribe the behaviour of the > underlying transport protocol. >> maybe what said in counterpart section in syslog-tls contradict a >>TLS MUST, too. >>> I think the value of section "connection closure" is to describe >>> when and how to end up a connection. so I think maybe we need to >>> elaborate what "TLS connection is not used anymore" means in netconf >>> context. >>> >>> It is the application's decision and hence any discussion is either >>> pointless or likely getting it wrong. To quote IESG Evaluation on syslog-tls, "Section 4.4: OLD: A TLS client MUST close the associated TLS connection if the connection is not expected to deliver any syslog messages later. It MUST send a TLS close_notify alert before closing the connection. A client MAY choose to not wait for the server's close_notify atify alert and simply close the connection, thus generating an incomplete close on the server side. Once the server gets a close_notify from the client, it MUST reply with a close_notify unless it becomes aware that the connection has already been closed by the client (e.g., the closure was indicated by TCP). NEW: A transport sender MUST close the associated TLS connection if the connection is not expected to deliver any syslog messages later. It MUST send a TLS close_notify alert before closing the connection. A transport sender (TLS client) MAY choose to not wait for the transport receiver's close_notify alert and simply close the connection, thus generating an incomplete close on the transport receiver (TLS server) side. Once the transport receiver gets a close_notify from the transport sender, it MUST reply with a close_notify unless it becomes aware that the connection has already been closed by the transport sender (e.g., the closure was indicated by TCP). Section 4.4: OLD: When no data is received from a connection for a long time (where the application decides what "long" means), a server MAY close the connection. The server MUST attempt to initiate an exchange of close_notify alerts with the client before closing the connection. Servers that are unprepared to receive any more data MAY close the connection after sending the close_notify alert, thus generating an incomplete close on the client side. When the client has received the close_notify alert from the server and still has pending data to send, it SHOULD send the pending data before sending the close_notify alert. NEW: When no data is received from a connection for a long time (where the application decides what "long" means), a transport receiver MAY close the connection. The transport receiver (TLS server) MUST attempt to initiate an exchange of close_notify alerts with the transport sender before closing the connection. Transport receivers that are unprepared to receive any more data MAY close the connection after sending the close_notify alert, thus generating an incomplete close on the transport sender side. When the transport sender (TLS client) has received the close_notify alert from the transport receiver and still has pending data to send, it SHOULD send the pending data before sending the close_notify alert." I think the above text would appear to contradict a TLS MUST. Wouldn't? I also think the above text describes when to close connection for both sides. e.g, when the client doesn't want to initial any syslog message or when the server found there is no data on the wire for a long time. With respect to that, I think we should propose a simalar text, a modified text is below: "A TLS client (NETCONF manager) MUST close the associated TLS connection if the connection is not expected to deliver any rpc operation later. It MUST send a TLS close_notify alert before closing the connection. The client MAY choose to not wait for the TLS server (NETCONF agent) close_notify alert and simply close the connection, thus generating an incomplete close on the server side. Once the server gets a close_notify from the client, it MUST reply with a close_notify unless it becomes aware that the connection has already been closed by the transport sender (e.g., the closure was indicated by TCP). When no data is received from a connection for a long time (where the application decides what "long" means), a TLS server MAY close the connection. The TLS server MUST attempt to initiate an exchange of close_notify alerts with the transport sender before closing the connection. The server that is unprepared to receive any more data MAY close the connection after slert and simply close the connection, thus generating an incomplete close on the server side. Once the server gets a close_notify from the client, it MUST reply with a close_notify unless it becomes aware that the connection has already been closed by the client (e.g., the closure was indicated by TCP). NEW: A transport sender MUST close the associated TLS connection if the connection is not expected to deliver any syslog messages later. It MUST send a TLS close_notify alert before closing the connection. A transport sender (TLS client) MAY choose to not wait for the transport receiver's close_notify alert and simply close the connection, thus generating an incomplete close on the transport receiver (TLS server) side. Once the transport receiver gets a close_notify from the transport sender, it MUST reply with a close_notify unless it becomes aware that the connection has already been closed by the transport sender (e.g., the closure was indicated by TCP). Section 4.4: OLD: When no data is received from a connection for a long time (where the application decides what "long" means), a server MAY close the connection. The server MUST attempt to initiate an exchange of close_notify alerts with the client before closing the connection. Servers that are unprepared to receive any more data MAY close the connection after sending the close_notify alert, thus generating an incomplete close on the client side. When the client has received the close_notify alert from the server and still has pending data to send, it SHOULD send the pending data before sending the close_notify alert. NEW: When no data is received from a connection for a long time (where the application decides what "long" means), a transport receiver MAY close the connection. The transport receiver (TLS server) MUST attempt to initiate an exchange of close_notify alerts with the transport sender before closing the connection. Transport receivers that are unprepared to receive any more data MAY close the connection after sending the close_notify alert, thus generating an incomplete close on the transport sender side. When the transport sender (TLS client) has received the close_notify alert from the transport receiver and still has pending data to send, it SHOULD send the pending data before sending the close_notify alert." I think the above text would appear to contradict a TLS MUST. Wouldn't? I also think the above text describes when to close connection for both sides. e.g, when the client doesn't want to initial any syslog message or when the server found there is no data on the wire for a long time. With respect to that, I think we should propose a simalar text, a modified text is below: "A TLS client (NETCONF manager) MUST close the associated TLS connection if the connection is not expected to deliver any rpc operation later. It MUST send a TLS close_notify alert before closing the connection. The client MAY choose to not wait for the TLS server (NETCONF agent) close_notify alert and simply close the connection, thus generating an incomplete close on the server side. Once the server gets a close_notify from the client, it MUST reply with a close_notify unless it becomes aware that the connection has already been closed by the transport sender (e.g., the closure was indicated by TCP). When no data is received from a connection for a long time (where the application decides what "long" means), a TLS server MAY close the connection. The TLS server MUST attempt to initiate an exchange of close_notify alerts with the transport sender before closing the connection. The server that is unprepared to receive any more data MAY close the connection after sendingending the close_notify alert, thus generating an incomplete close on the client side. When the client has received the close_notify alert from the server and still has pending data to send, it SHOULD send the pending data before sending the close_notify alert." Comments? Best regards, Mohamad Badra CNRS - LIMOS Laboratory _______________________________________________ Netconf mailing list Netconf@ietf.org https://www.ietf.org/mailman/listinfo/netconf the close_notify alert, thus generating an incomplete close on the client side. When the client has received the close_notify alert from the server and still has pending data to send, it SHOULD send the pending data before sending the close_notify alert." Comments? Best regards, Mohamad Badra CNRS - LIMOS Laboratory _______________________________________________ Netconf mailing list Netconf@ietf.org https://www.ietf.org/mailman/listinfo/netconf
- [Netconf] WGLC for draft-ietf-netconf-tls-04.txt Ersue, Mehmet (NSN - DE/Munich)
- Re: [Netconf] WGLC for draft-ietf-netconf-tls-04.… Juergen Schoenwaelder
- Re: [Netconf] WGLC for draft-ietf-netconf-tls-04.… badra
- Re: [Netconf] WGLC for draft-ietf-netconf-tls-04.… fanhuaxiang 90002624
- Re: [Netconf] WGLC for draft-ietf-netconf-tls-04.… Juergen Schoenwaelder
- Re: [Netconf] WGLC for draft-ietf-netconf-tls-04.… Juergen Schoenwaelder
- [Netconf] Re: WGLC for draft-ietf-netconf-t ls-0… badra
- Re: [Netconf] ????WGLC??for??draft-ietf-netconf-t… Juergen Schoenwaelder
- [Netconf] Re: WGLC for draft-ietf-netconf-t ls-0… badra
- Re: [Netconf] ?? WGLC for draft-ietf-netconf-t??l… Juergen Schoenwaelder
- [Netconf] Re: WGLC for draft-ietf-netconf-t ls-0… badra
- [Netconf] Re: ?? WGLC for draft-ietf-net conf-t ?… badra
- [Netconf] Re: Re: ?? WGLC for draft-ietf-net conf… fanhuaxiang 90002624
- Re: [Netconf] WGLC for draft-ietf-netconf-tls-04.… badra
- Re: [Netconf] WGLC for draft-ietf-netconf-tls-04.… fanhuaxiang 90002624
- [Netconf] Re: Re: WGLC for draft-ietf-netcon f-tl… badra
- Re: [Netconf] ??Re:??WGLC??for??draft-ietf-netcon… Juergen Schoenwaelder
- Re: [Netconf]  Re: WGLC for draft-ietf-netcon… tom.petch
- Re: [Netconf] ??Re:??WGLC??for??draft-ietf-netcon… fanhuaxiang 90002624
- Re: [Netconf] ? Re:? WGLC? for? draft-ietf-netcon… fanhuaxiang 90002624
- Re: [Netconf] ??Re:??WGLC??for??draft-ietf-netcon… Juergen Schoenwaelder
- Re: [Netconf] ??Re:??WGLC??for??draft-ietf-netcon… Mohamad Badra
- Re: [Netconf] ??Re:??WGLC??for??draft-ietf-netcon… Mohamad Badra
- Re: [Netconf] WGLC for draft-ietf-netconf-tls-04.… David B Harrington
- Re: [Netconf] WGLC for draft-ietf-netconf-t ls-… David Harrington
- [Netconf] RE: WGLC for draft-ietf-netconf-t ls-0… badra
- Re: [Netconf] ��WGLC�for�draft-ietf-netcon f-t ls… badra
- [Netconf] RE: WGLC for draft-ietf-netconf-t ls-0… badra
- Re: [Netconf] ????WGLC??for??draft-ietf-netconf-t… Juergen Schoenwaelder
- Re: [Netconf] WGLC for draft-ietf-netconf-t ls-04… fanhuaxiang 90002624
- Re: [Netconf]   WGLC for draft-ietf-netconf-t… tom.petch
- Re: [Netconf] WGLC for draft-ietf-netconf-tls-04.… badra
- Re: [Netconf] WGLC??for??draft-ietf-netconf-tls-0… Juergen Schoenwaelder
- [Netconf] Re: WGLC for draft-ietf-netconf-tls-04… badra
- Re: [Netconf] ????WGLC for draft-ietf-netconf-tls… Juergen Schoenwaelder
- [Netconf] Re: WGLC for draft-ietf-netconf-tls-04… badra
- Re: [Netconf] WGLC for draft-ietf-netconf-tls-04.… tom.petch
- Re: [Netconf] WGLC for draft-ietf-netconf-tls-04.… badra
- Re: [Netconf] WGLC for draft-ietf-netconf-tls-04.… tom.petch
- Re: [Netconf] WGLC for draft-ietf-netconf-tls-04.… badra
- Re: [Netconf] WGLC for draft-ietf-netconf-tls-04.… David B Harrington
- [Netconf] system or registered port for Netconf o… badra
- Re: [Netconf] system or registered port for Netco… fanhuaxiang 90002624
- Re: [Netconf] system or registered port for Netco… Mohamad Badra
- Re: [Netconf] system or registered port for Netco… David Harrington