[netconf] Re: http and RC client-server updates

Kent Watsen <kent+ietf@watsen.net> Sat, 10 August 2024 19:59 UTC

From: Kent Watsen <kent+ietf@watsen.net>
Date: Sat, 10 Aug 2024 19:59:56 +0000
To: "Rob Wilton (rwilton)" <rwilton=40cisco.com@dmarc.ietf.org>
CC: "netconf@ietf.org" <netconf@ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/netconf/DMHEXfqJdJdSSngaQyFxZgclQp4>

Hi Rob,

Thank you for your review!
I just replied to Med’s review too…


> On Aug 9, 2024, at 11:01 AM, Rob Wilton (rwilton) <rwilton=40cisco.com@dmarc.ietf.org> wrote:
> 
> Hi Kent,
>  
> Just commenting on the http-client-server draft (--21), I think that these changes make sense (based on the discussion that we had with Mark & Lars in Brisbane at IETF 119).

Yes, it seems to be in pretty good shape now, especially with yours and Med’s reviews!


> A few comments for you to consider
>  
> 1)
> In Section 2.2, you use an example which includes tls-client-parameters and server-authentication.  I think that it might also be helpful to also include the trivial example of just using a URI, since that may well be the most common use case?

I added a simple example w/o TLS.


> 2)
> Section 2.3:
>  
>      feature tls-supported {
>        description
>          "Indicates that the server supports configuring
>           HTTP client certificates.";
>        reference
>          "RFC 9110: HTTP Semantics";
>      }
>  
> Is “tls-supported” the right name for this feature?  Will clients that support HTTPS (and hence TLS) always be expected to support these additional parameters?  Please consider whether tweaking the grouping name would make sense.

I think the name is good, but only in the soon-to-be-posted -22, where a new “http-3-supported” feature depends on the “tls-supported” feature.


> 3) Section 2.3:
>        leaf uri {
>          nacm:default-deny-all;
>          type inet:uri;
>          mandatory true;
>  
> I was surprised by the default-deny-all on the URI, since I don’t generally think of these as being particularly security sensitive beyond any other configuration.  Was this intentional? 

Yes, but I’m willing to be convinced otherwise.  My reasoning is that the URI may encode a cleartext password (basic or digest auth)... 


> And if this does remain, then you may need to update the security considerations in section 4.1 which talks about other nodes, but not this one. 

Security Considerations section updated!


> In fact, looking at the security considerations text, perhaps you wanted the nacm:default-deny-all to be on the proxy-uri instead?

It should be on both nodes, as seen in -22


> Regards,
> Rob

Thanks!
Kent
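The point Kent makes above is that an `inet:uri` value is only as harmless as its userinfo component: `https://alice:s3cr3t@example.com/restconf` is a valid URI that carries a cleartext password, so read access to the `uri` and `proxy-uri` leaves needs the same restriction as an explicit password leaf. The following is an added illustration, not code from the draft or from anyone on this thread: it detects embedded credentials in the two URI-valued nodes discussed and redacts the password for anything (logs, unprivileged reads) that should not see it. The configuration dict and its values are constructed sample data, and the node names are just the leaf names from the quoted YANG.

```python
from urllib.parse import urlsplit, urlunsplit

# Constructed sample: values of the "uri" and "proxy-uri" leaves from a
# hypothetical http-client configuration. The first embeds basic-auth
# credentials in the userinfo component (RFC 3986, section 3.2.1).
SAMPLE_CONFIG = {
    "uri": "https://alice:s3cr3t@example.com/restconf",
    "proxy-uri": "http://proxy.example.net:3128/",
}

# The URI-valued leaves the thread says should carry nacm:default-deny-all.
URI_LEAVES = ("uri", "proxy-uri")


def uri_credentials(uri: str):
    """Return (username, password) found in the URI's userinfo, or None
    when the URI carries no userinfo at all."""
    parts = urlsplit(uri)
    if parts.username is None and parts.password is None:
        return None
    return (parts.username, parts.password)


def redact_uri(uri: str) -> str:
    """Replace the password in the userinfo with '***', keeping the username.

    The host:port part is taken verbatim from the netloc (after the last
    '@') rather than rebuilt from .hostname/.port, so IPv6 literals and
    case are preserved exactly as configured."""
    parts = urlsplit(uri)
    if parts.password is None:
        return uri
    hostport = parts.netloc.rsplit("@", 1)[1]
    netloc = f"{parts.username or ''}:***@{hostport}"
    return urlunsplit((parts.scheme, netloc, parts.path, parts.query, parts.fragment))


def sensitive_uri_leaves(config: dict) -> list:
    """Names of the URI leaves whose values embed credentials, i.e. the
    nodes whose exposure a default-deny-all read restriction prevents."""
    return [
        name for name, value in config.items()
        if name in URI_LEAVES and uri_credentials(value) is not None
    ]


def redacted_config(config: dict) -> dict:
    """Copy of the configuration safe to show a reader without NACM
    read access to the URI leaves."""
    return {
        name: (redact_uri(value) if name in URI_LEAVES else value)
        for name, value in config.items()
    }


if __name__ == "__main__":
    print("leaves with embedded credentials:", sensitive_uri_leaves(SAMPLE_CONFIG))
    for name, value in redacted_config(SAMPLE_CONFIG).items():
        print(f"{name}: {value}")
```

Running it reports `uri` as the only leaf carrying credentials and prints the redacted form `https://alice:***@example.com/restconf`; the proxy URI passes through unchanged. A username-only userinfo (`https://alice@example.com/`) is still reported as credential-bearing, since the username is itself sensitive, but nothing is redacted because there is no password to hide.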