IETF Logo Mail Archive

Re: [netconf] draft-ietf-netconf-tls-client-server-34 tls-version

Kent Watsen <kent+ietf@watsen.net> Mon, 04 March 2024 15:08 UTC

Return-Path: <0100018e0a0255de-e6679b09-c804-4159-bd44-5ae159be4166-000000@amazonses.watsen.net>
X-Original-To: netconf@ietfa.amsl.com
Delivered-To: netconf@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id DB2F0C14F75F for <netconf@ietfa.amsl.com>; Mon, 4 Mar 2024 07:08:30 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.906
X-Spam-Level:
X-Spam-Status: No, score=-6.906 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_HI=-5, RCVD_IN_MSPIKE_H5=0.001, RCVD_IN_MSPIKE_WL=0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=amazonses.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id RublwRIPG6iv for <netconf@ietfa.amsl.com>; Mon, 4 Mar 2024 07:08:30 -0800 (PST)
Received: from a48-90.smtp-out.amazonses.com (a48-90.smtp-out.amazonses.com [54.240.48.90]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 2C950C14F5E3 for <netconf@ietf.org>; Mon, 4 Mar 2024 07:08:29 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/simple; s=224i4yxa5dv7c2xz3womw6peuasteono; d=amazonses.com; t=1709564909; h=From:Message-Id:Content-Type:Mime-Version:Subject:Date:In-Reply-To:Cc:To:References:Feedback-ID; bh=AuX9SBO8v1uGupR58WhcbuQNnOh011KsbU3jQWm35tk=; b=LSbiRuU8+BcJZ8+P1CbVc8L0x1VHXbyJhozyjg/VcowJL2hnojd9vq93Mg7fkXGc XouZejndlM+7aV3nlQaCEs7KCkVSOh012HPWOAAuPEJh4TR364J0vrf2h/WgcSxknvr 8FivlhnZnmSaJ4waOT1UNSCo0pWu1aPMfqIhsAQo=
From: Kent Watsen <kent+ietf@watsen.net>
Message-ID: <0100018e0a0255de-e6679b09-c804-4159-bd44-5ae159be4166-000000@email.amazonses.com>
Content-Type: multipart/alternative; boundary="Apple-Mail=_47196E13-107E-457E-90C3-C0BAEF211CEE"
Mime-Version: 1.0 (Mac OS X Mail 16.0 \(3774.400.31\))
Date: Mon, 04 Mar 2024 15:08:29 +0000
In-Reply-To: <5ef6227d-393b-4b5d-aaf0-363f4943e30d@cesnet.cz>
Cc: "netconf@ietf.org" <netconf@ietf.org>
To: Michal Vasko <mvasko@cesnet.cz>
References: <afa59a41-0fb6-47c3-a1bf-aadfa0433a5d@cesnet.cz> <0100018df764a22e-48daaa70-a779-4636-b004-91b524b556b6-000000@email.amazonses.com> <1b1fa39b-da8c-45c5-8ba2-ce72d1b54ea8@cesnet.cz> <0100018dfd4f9dbb-77e2c1f3-96c8-4dd2-afa9-a02566f98621-000000@email.amazonses.com> <5ef6227d-393b-4b5d-aaf0-363f4943e30d@cesnet.cz>
X-Mailer: Apple Mail (2.3774.400.31)
Feedback-ID: 1.us-east-1.DKmIRZFhhsBhtmFMNikgwZUWVrODEw9qVcPhqJEI2DA=:AmazonSES
X-SES-Outgoing: 2024.03.04-54.240.48.90
Archived-At: <https://mailarchive.ietf.org/arch/msg/netconf/B6511XW9j9BPVn0fav4uyRMHgAU>
Subject: Re: [netconf] draft-ietf-netconf-tls-client-server-34 tls-version
X-BeenThere: netconf@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: NETCONF WG list <netconf.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/netconf>, <mailto:netconf-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/netconf/>
List-Post: <mailto:netconf@ietf.org>
List-Help: <mailto:netconf-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/netconf>, <mailto:netconf-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 04 Mar 2024 15:08:30 -0000

Hi Michal,

> On Mar 4, 2024, at 2:09 AM, Michal Vasko <mvasko@cesnet.cz> wrote:
> 
> Hi Kent,
> 
> thanks, that seems good except I would not be sure what the meaning of "no configured min/max version" is. Does it depend on the implementation (so, for example, if it supports TLS 1.0 and no `min` is defined, it is supported as well) or it is derived from the TLS versions supported by the module (which depends on the enabled features)? In my opinion, it needs clarification at least in the form of more detailed descriptions and I assume it is the latter.
> 

Two possible fixes:

  1) make these two  leafs “mandatory true” 

	PROs: forces the min/max “features”  to be enabled.
	CONs: rely solely on that the full set of features are enabled.

  2) remove the “tls-versions” container entirely

	PROs: rely solely on that features are enabled accurately.
	CONs: no way to configure limits per TLS endpoint (features are global)

Thoughts?

PS: have only a few hours untill submission-cutoff, so a quick response would be appreciated.

Kent





> Regards,
> Michal
> 
> On 2. 3. 2024 4:57, Kent Watsen wrote:
>> Hi Michal,
>> 
>>> On Mar 1, 2024, at 2:11 AM, Michal Vasko <mvasko@cesnet.cz> <mailto:mvasko@cesnet.cz> wrote:
>>> 
>>> Hi Kent,
>>> 
>>> yeah, I was not sure whether you have seen it but had enough other work and then forgotten about it.
>>> 
>> Distracted by life  ;)
>> 
>>> As stated in the email, being able to set both min and max supported version makes sense to me (and is supported by OpenSSL), not so much customizing the priority of each TLS version, so that is my proposal. Thanks.
>>> 
>> Okay, so I just did this:
>> 
>> 162     container tls-versions {
>> 163       description
>> 164         "Parameters regarding TLS versions.";
>> 165       leaf min {
>> 166         type identityref {
>> 167           base tls-version-base;
>> 168         }
>> 169         description
>> 170           "If not specified, then there is no configured
>> 171            minimum version.";
>> 172       }
>> 173       leaf max {
>> 174         type identityref {
>> 175           base tls-version-base;
>> 176         }
>> 177         description
>> 178           "If not specified, then there is no configured
>> 179            maximum version.";
>> 180       }
>> 181     }   
>> 
>> All good?
>> 
>>> Regards,
>>> Michal
>>> 
>> 
>> Thanks again,
>> Kent
>>

v2.23.0 | Report a Bug | By Email