IETF Logo Mail Archive

Re: [netconf] crypto-types fallback strategy

Kent Watsen <kent+ietf@watsen.net> Mon, 16 September 2019 16:58 UTC

Return-Path: <0100016d3b02a96b-a8f419e4-09f7-45b4-927f-bb715bf4d5e8-000000@amazonses.watsen.net>
X-Original-To: netconf@ietfa.amsl.com
Delivered-To: netconf@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 53C51120122 for <netconf@ietfa.amsl.com>; Mon, 16 Sep 2019 09:58:18 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.897
X-Spam-Level:
X-Spam-Status: No, score=-1.897 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_NONE=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=amazonses.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id lca6z2x9v4jN for <netconf@ietfa.amsl.com>; Mon, 16 Sep 2019 09:58:14 -0700 (PDT)
Received: from a8-64.smtp-out.amazonses.com (a8-64.smtp-out.amazonses.com [54.240.8.64]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id A76B7120072 for <netconf@ietf.org>; Mon, 16 Sep 2019 09:58:14 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/simple; s=6gbrjpgwjskckoa6a5zn6fwqkn67xbtw; d=amazonses.com; t=1568653093; h=From:Message-Id:Content-Type:Mime-Version:Subject:Date:In-Reply-To:Cc:To:References:Feedback-ID; bh=JaFXvGTm3AeF4n4P6bnavTwGjifayySWiSqrGZ3wtyY=; b=Wi8EUDrU1BXHby2awDxCG5thS9MwUebfjsUkLjnnsyYhagychvUN9VNDom3IIBp2 taVKgDLoIjAyMr0q9wFMhgJtLtnGrOvm3Yh5Psr4HubniUt6kwnrSwNz1/QNwi8HSMi MdD3+xz/tHkctuA8v37nO2ib1I2MNDSd5f30sENM=
From: Kent Watsen <kent+ietf@watsen.net>
Message-ID: <0100016d3b02a96b-a8f419e4-09f7-45b4-927f-bb715bf4d5e8-000000@email.amazonses.com>
Content-Type: multipart/alternative; boundary="Apple-Mail=_54B11531-6661-4EF3-929B-CB9F4DEA14B0"
Mime-Version: 1.0 (Mac OS X Mail 12.4 \(3445.104.11\))
Date: Mon, 16 Sep 2019 16:58:13 +0000
In-Reply-To: <D6740042-7CD9-466F-911A-BA4339042B5D@akamai.com>
Cc: "Rob Wilton (rwilton)" <rwilton@cisco.com>, "netconf@ietf.org" <netconf@ietf.org>, Russ Housley <housley@vigilsec.com>, Rifaat Shekh-Yusef <rifaat.ietf@gmail.com>, Sean Turner <sean@sn3rd.com>
To: "Salz, Rich" <rsalz@akamai.com>
References: <0100016d21ee2101-fb4f3288-1975-4a7d-a499-cb42ff8d9e14-000000@email.amazonses.com> <MN2PR11MB4366AE6CF9E03B15EBEA3A39B5B30@MN2PR11MB4366.namprd11.prod.outlook.com> <D6740042-7CD9-466F-911A-BA4339042B5D@akamai.com>
X-Mailer: Apple Mail (2.3445.104.11)
X-SES-Outgoing: 2019.09.16-54.240.8.64
Feedback-ID: 1.us-east-1.DKmIRZFhhsBhtmFMNikgwZUWVrODEw9qVcPhqJEI2DA=:AmazonSES
Archived-At: <https://mailarchive.ietf.org/arch/msg/netconf/BbOgwN8EDnY9Dr9usLL9orqs0Ec>
Subject: Re: [netconf] crypto-types fallback strategy
X-BeenThere: netconf@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: NETCONF WG list <netconf.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/netconf>, <mailto:netconf-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/netconf/>
List-Post: <mailto:netconf@ietf.org>
List-Help: <mailto:netconf-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/netconf>, <mailto:netconf-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 16 Sep 2019 16:58:18 -0000

Hi Rich, Rob,

> > I think that using a numerical OID to identify crypto algorithms doesn’t seem like a great choice
>  
> Every OID definition I’ve seen has a name, often both a short name and a long name.  Look at https://oid-info.com <https://oid-info.com/>  There is also a URN syntax for OID’s. The widely-used OpenSSL has a built-in mapping; see https://github.com/openssl/openssl/blob/master/crypto/objects/objects.txt <https://github.com/openssl/openssl/blob/master/crypto/objects/objects.txt> .

I believe that each OID has a common name that can be used.

nit: s/https/http/   (the site didn't resolve until I removed the 's')



> > I wonder if changing from identifiers to enums was a mistake.  If we were to use YANG identifiers then we wouldn’t need to define them all now, and they wouldn’t all need to be defined in the same YANG module.  In fact, if we were to go back to using identifiers then perhaps NETCONF should restrict itself to only defining the identifiers that we actually need now, and leave the rest to the security folks to figure out, probably as separate modules defining the extra identifiers that they need, or as a bis version of the crypto-types draft if required. 
>  
> I am strongly in favor of not trying to create a unified module for *all* cryptography, as I have posted before.  I don’t know enough about YANG to know if this is the only way to achieve that, but this seems like the right thing to do. There are new types of crypto coming (look at what CFRG is doing), and they are likely to create new object types.

Rich, can you explain why not try to define a unified module for all cryptography?   Is it because it is a monster effort?   Would many smaller efforts that, together, achieve the same thing be different in a meaningful way?


Kent

v2.46.0 | Report a Bug | By Email | System Status