Re: [netconf] Latest ietf-netconf-server draft and related modules

Michal Vaško <> Tue, 20 April 2021 05:48 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 29FF03A0EF9 for <>; Mon, 19 Apr 2021 22:48:42 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -2.099
X-Spam-Status: No, score=-2.099 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: (amavisd-new); dkim=pass (1024-bit key)
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id mnTC3tOq3NO8 for <>; Mon, 19 Apr 2021 22:48:37 -0700 (PDT)
Received: from ( []) (using TLSv1.2 with cipher ADH-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by (Postfix) with ESMTPS id ECA853A0EFA for <>; Mon, 19 Apr 2021 22:48:36 -0700 (PDT)
Received: by (Postfix, from userid 110) id 112C56007C; Tue, 20 Apr 2021 07:48:33 +0200 (CEST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=kalendar; t=1618897713; bh=eEb0IiJgmnrA/JLOOtlRl467cj4E8GFpB9HSLhPiIh4=; h=From:In-Reply-To:Date:Cc:To:Subject; b=nCnPEcMNrwZbijaQHWTAGn6oBT4ha2+awFlRFF9wZTuiDHw76wLMAgUoW2pKCm0gG xqBxqwFPN2fJP5Q2Aox6K5/vScjdOD66/wILDomjXresPEjUSxSw0KN0Ri4xw10gtT 85LrV5zNx9EwbAZ4Fg1iaT5lx5X5mbyaq7YgLDvk=
From: Michal Vaško <>
In-Reply-To: <>
Content-Type: text/plain; charset="utf-8"
Date: Tue, 20 Apr 2021 07:48:33 +0200
Cc: "" <>
To: Kent Watsen <>
MIME-Version: 1.0
Message-ID: <1104-607e6b00-3-2fba9200@222555441>
User-Agent: SOGoMail 5.1.0
Content-Transfer-Encoding: quoted-printable
Archived-At: <>
Subject: Re: [netconf] Latest ietf-netconf-server draft and related modules
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: NETCONF WG list <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Tue, 20 Apr 2021 05:48:42 -0000

Hi Kent,

responses also inline.

> Hi Michal,
> Please find responses below.
> K.
> >>>>> - ietf-ssh-server, ssh-server-grouping/client-authentication/supported-authentication-methods> 
> >>>>> Since the "other" leaf-list was removed there is no way to support some other methods than those specified. I am not sure whether this was the intention and if so, what is the reason for it? If nothing else, we support "interactive" authentication method but there are some others that I see no reason why they could not be used.
> >>>> 
> >>>> It took me a bit to determine that this change happened in ssh-client-server-18.
> >>>> 
> >>>> The motivation behind the change was to align the values with those defined in RFCs 4252 and 4250.
> >>>> 
> >>>> You mention an “interactive” and “some other” methods - where are they defined?
> >>> 
> >>> That is a good question. It seems no other methods are standardized but that does not mean they are not used.
> >> 
> >> What change are you hoping to see?  Is there anyway that such changes could be augmented in, or must they be in the base module?
> > 
> > Okay, so properly looking at all this, the 2 missing authentication methods (that are supported by libssh or sshd, or example) are actually standardized so I suppose you can add them directly into the YANG module. There are "keyboard-interactive" [1] (not "interactive") and "gssapi-with-mic" [2].
> > 
> > [1] <>
> > [2] <>
> Thanks for tracking those RFCs down.
> From RFC 4256, the "keyboard-interactive” auth method was added here:
> From RFC 4462, the "gssapi-with-mic” and “gssapi-keyex” auth methods were added here:
> It would be great if you could verify these additions.  I’m not myself configuring any SSH clients or servers, and thus the configuration-formulations are purely academic based on my reading of the RFCs.

I am using only the "keyboard-interactive"  method and only as a user, so I do not have in-depth knowledge. However, it seems fine and should be now configurable, thanks! Like I said, I cannot say much about the "gssapi" methods, never used them. But they also seems fine to me.

> Additionally, in ietf-ssh-server, the whole "client-authentication” container, especially its "supported-authentication-methods” and “users” descendent nodes, seem less than ideal.  Have you been using these trees, do them seem to be formulated correctly?

We are not using them (yet) as the last draft we implemented was still missing some features. Looking at it now, it seems okay. An improvement I can think of is to put all the authentication methods in "users/user" in a mandatory choice. The authentication methods would be one case, while something like "global-config" (empty leaf, for example) would be the other. That should allow for maximum versatility when one could configure the 'global authentication methods', enable the "client-auth-config-supported" feature to configure the recognized users, but use the global authentication methods settings for some/all the users (not having to configure each one separately). Because that will probably be our use-case.

> >>>>> For a robust and extendible solution, why not use an identityref leaf-list with all the methods as identities? One could then simply add new ones with specific "if-feature" statements.
> >>>> 
> >>>> An identityref seems reasonable, could you propose a snippet of YANG for it?
> >>>> 
> >>>> That said, it seems equally possible for a future module to augment-in a new leaf under the "supported-authentication-methods” container...
> >>> 
> >>> Right, that would solve the problem, too. So you can keep it the way it is, up to you which solution you prefer. Not sure why I did not think of augments first but identityrefs. But identityrefs are much more general so the implementation should probably depend on whether these authentication methods are to be used only for this single purpose or not.
> >> 
> >> Either way is fine with me.  As the module is in WGLC currently, it would be good if others could express an option...
> Anyone?
> >>>>> - ietf-netconf-server, grouping netconf-server-grouping/client-identity-mappings
> >>>>> 
> >>>>> The "if-feature" on this container is strange. The practical problem is that if one wants to support certificates only for TLS, both one of the TLS features and "ssh-x509-certs" must be enabled. This then results in the container being defined for both SSH and TLS so there is no way to support it only for TLS or SSH.
> >>>> 
> >>>> Yes, granular features would be nice.  This issue is tracked here: <>.  A possible fix would be to enable features on a per-XPath basis, perhaps using the “node-tags” draft going on in NETMOD.   Do you have a proposal?
> >>>> 
> >>>> BTW, shouldn’t the “if-feature” statement have an “or” (not an “and”) between the two major expressions?
> >>> 
> >>> Yes, I think "or" fits much better. I just was not sure whether there is not a specific reason why "and" was chosen.
> >> 
> >> OLD:        "(tls-listen or tls-call-home) and (sshcmn:ssh-x509-certs)”;
> >> NEW:        "tls-listen or tls-call-home or sshcmn:ssh-x509-certs";
> > 
> > Well, this is no good either because now ANY of those features are enabled, the certificates will be supported for BOTH TLS and SSH. What should be possible to support is X509 certificates for SSH, TLS, or both. That would require some more remodeling of "netconf-server-grouping", not just an "if-feature" update.
> But I wasn’t trying to fix your original issue.  As mentioned, there is a YANG-next issue and the best that consuming modules can do is to 1) enable all the features defined in these modules and 2) augment-in “use”-specific feature statements where the groupings are used.

Okay, I suppose this can be done although it seems to me like a minor deviation (the augment solution). What is the reason for not having the module this way out-of-the-box?

> My OLD/NEW update is trying to correct a logic error.  I believe the new formulation is correct.  It could be expanded to;
> 	(tls-listen or tls-call-home)
> 	or 
> 	( (ssh-listen or ssh-call-home) and sshcmn:ssh-x509-certs)
> But I don’t think "(ssh-listen or ssh-call-home)” is needed, as certainly one would be true when "sshcmn:ssh-x509-certs” is enabled, right?

Yes, I agree with this.