Re: [Netconf] Comments on draft-ietf-netconf-netconf-client-server
"Dhanapal, Ramkumar (Nokia - IN/Chennai)" <ramkumar.dhanapal@nokia.com> Tue, 20 November 2018 08:03 UTC
Return-Path: <ramkumar.dhanapal@nokia.com>
X-Original-To: netconf@ietfa.amsl.com
Delivered-To: netconf@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 4CD66128B14 for <netconf@ietfa.amsl.com>; Tue, 20 Nov 2018 00:03:42 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.37
X-Spam-Level:
X-Spam-Status: No, score=-2.37 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.47, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=nokia.onmicrosoft.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id nTFvYppbIrtX for <netconf@ietfa.amsl.com>; Tue, 20 Nov 2018 00:03:38 -0800 (PST)
Received: from EUR04-HE1-obe.outbound.protection.outlook.com (mail-eopbgr70091.outbound.protection.outlook.com [40.107.7.91]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 829EC124408 for <netconf@ietf.org>; Tue, 20 Nov 2018 00:03:38 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=nokia.onmicrosoft.com; s=selector1-nokia-com; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=4oPtpTF6lYuA2A04vVevC+uSlsQmMFUD1VHvq0Lcx8I=; b=KpdkqYDELkawO0tMjWkFo2bidr5aRwNi36PAN3RxOF/Ou1X75uX1NvmxRvxoaPiWfvrmjeiOFduhbIrun1vnfYcR/WnuAD7xntRa1ZuZmfcSlfjLiQWNUC+bbSQnclGy7YXe/F4UcLbueaWxSbPsLyv8Da0nzigTVnkZxH1Whoc=
Received: from HE1PR07MB4329.eurprd07.prod.outlook.com (20.176.167.14) by HE1PR07MB3403.eurprd07.prod.outlook.com (10.170.247.30) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.1361.14; Tue, 20 Nov 2018 08:03:35 +0000
Received: from HE1PR07MB4329.eurprd07.prod.outlook.com ([fe80::c4d6:7c7:4669:8058]) by HE1PR07MB4329.eurprd07.prod.outlook.com ([fe80::c4d6:7c7:4669:8058%5]) with mapi id 15.20.1339.027; Tue, 20 Nov 2018 08:03:35 +0000
From: "Dhanapal, Ramkumar (Nokia - IN/Chennai)" <ramkumar.dhanapal@nokia.com>
To: Kent Watsen <kwatsen@juniper.net>, "netconf@ietf.org" <netconf@ietf.org>
CC: "Beauville, Yves (Nokia - BE/Antwerp)" <yves.beauville@nokia.com>, "Carey, Timothy (Nokia - US)" <timothy.carey@nokia.com>
Thread-Topic: Comments on draft-ietf-netconf-netconf-client-server
Thread-Index: AdR4HyFGnh375MLeQwOCRy8NnIuKdAE6gMoAACLXEAAAByggAAC9E2sw
Date: Tue, 20 Nov 2018 08:03:34 +0000
Message-ID: <HE1PR07MB43293C991BB4844DBB330E1CF8D90@HE1PR07MB4329.eurprd07.prod.outlook.com>
References: <HE1PR07MB4329ED3FA2BA9D4E53BBE758F8C60@HE1PR07MB4329.eurprd07.prod.outlook.com> <FD4480E1-F938-4146-ABEB-FBADBEA33D43@juniper.net> <HE1PR07MB432948BF1E1A79F933C1E804F8DD0@HE1PR07MB4329.eurprd07.prod.outlook.com> <4103D8BE-8B6A-4877-A016-C263856EF338@juniper.net>
In-Reply-To: <4103D8BE-8B6A-4877-A016-C263856EF338@juniper.net>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
authentication-results: spf=none (sender IP is ) smtp.mailfrom=ramkumar.dhanapal@nokia.com;
x-originating-ip: [135.245.121.27]
x-ms-publictraffictype: Email
x-microsoft-exchange-diagnostics: 1; HE1PR07MB3403; 6:s72N3foEgU5zJCL4utcKD9JEmmLTLtRKrvWb5oo33eFUFCdEDBpUeXsPdP5+S9JN8ut/aWjfC+JlW9k051Qa9nixt6wlF+sksoDYl/dArxOHT4Rt88jNTavX7Y488rshnyS3Qx5099q97PCgcy4FQ0yWn6FJwa12BjcPSVaVcQw8oL1b73CQTG1ACTi+8gZ+Ihxil9VgXsWLlFmRNP7uQFlla7w8wOaag8mWbih+vyX66WtZsDEJEUjP6MiZj8gAcEiDFtOkvE/DegmWbw636lYd4cIEHXjHR9pG3xNmn/UILsg4mfZnu/R/SUxKGzFv2oI5vQDIwgDLkjm8hxoPsJLQARUxMRadeayUg3BNV8PybdkhiKU4h1Su4gEYjtgfz+J4Xv8KqcwxjT3C12PBlQGUgrGr6H20i5lAQZh8IeTuqteOOAYBnWIpBnns6C8XV0rtj9Mf6IBX0s8ulN8kEQ==; 5:oGIY7+9BEhzl8NT8agWenoG5Xp0gRsQw9dUHwlaS6CZ8+49xaRwyah1oKoNj8EVXYE0QBleuZIyKfzyi9SaJgYD6fPNyN3mGp2a4lPas2IfwWL9/ooywWCQfVQTJ6tVQzQLZsNq3A+NjacGFlg0HxrLZu3qaTS0U2tC4gFKNkqs=; 7:C3w79SEudErtu7d37uDsMU3yoKkV1ExzmUEPhg9qgWtbClt7yZmsJRF5DZQleXJorCtt9p8m7vS5Msz1MOjq/XN0Q2qEuGTVsdZ1FM9MWvG904wBLGuFMEdmAVwXhRd34MWOQ13chOSYeQtuu1YdCA==
x-ms-exchange-antispam-srfa-diagnostics: SOS;SOR;
x-forefront-antispam-report: SFV:SKI; SCL:-1; SFV:NSPM; SFS:(10019020)(346002)(396003)(376002)(366004)(39860400002)(136003)(13464003)(199004)(189003)(229853002)(2906002)(966005)(6116002)(3846002)(11346002)(476003)(446003)(486006)(74316002)(99286004)(7696005)(105586002)(106356001)(478600001)(33656002)(107886003)(25786009)(76176011)(53546011)(6506007)(305945005)(1941001)(81166006)(7736002)(53936002)(102836004)(55016002)(2900100001)(6306002)(9686003)(6246003)(66066001)(26005)(186003)(86362001)(110136005)(4326008)(93886005)(54906003)(14454004)(316002)(2501003)(97736004)(71200400001)(68736007)(71190400001)(81156014)(8676002)(5660300001)(8936002)(6436002)(345774005)(14444005)(256004); DIR:OUT; SFP:1102; SCL:1; SRVR:HE1PR07MB3403; H:HE1PR07MB4329.eurprd07.prod.outlook.com; FPR:; SPF:None; LANG:en; PTR:InfoNoRecords; A:1; MX:1;
x-ms-office365-filtering-correlation-id: 7b7eeddf-b8ee-46d7-f39c-08d64ebeabb1
x-ms-office365-filtering-ht: Tenant
x-microsoft-antispam: BCL:0; PCL:0; RULEID:(2390098)(7020095)(4652040)(8989299)(4534185)(4627221)(201703031133081)(201702281549075)(8990200)(5600074)(711020)(4618075)(2017052603328)(7193020); SRVR:HE1PR07MB3403;
x-ms-traffictypediagnostic: HE1PR07MB3403:
x-microsoft-antispam-prvs: <HE1PR07MB34032B07981369A750FE826BF8D90@HE1PR07MB3403.eurprd07.prod.outlook.com>
x-ms-exchange-senderadcheck: 1
x-exchange-antispam-report-cfa-test: BCL:0; PCL:0; RULEID:(8211001083)(6040522)(2401047)(5005006)(8121501046)(10201501046)(3002001)(93006095)(93001095)(3231442)(11241501184)(806099)(944501410)(52105112)(6055026)(148016)(149066)(150057)(6041310)(20161123564045)(201703131423095)(201702281528075)(20161123555045)(201703061421075)(201703061406153)(20161123560045)(20161123558120)(20161123562045)(201708071742011)(7699051)(76991095); SRVR:HE1PR07MB3403; BCL:0; PCL:0; RULEID:; SRVR:HE1PR07MB3403;
x-forefront-prvs: 08626BE3A5
received-spf: None (protection.outlook.com: nokia.com does not designate permitted sender hosts)
x-microsoft-antispam-message-info: RA7pPzexN1h+yEMgnjuXqA4r+UhERkhPYsmt77RVitVjAa6UxGW1zBKN9qIUygkR7rXV52qFGwKwEX0WeQ8fixDppeLc6W4Kutrz0Dhe2OiTyGfYJex630k524nfWtQW9yvCrtaQkyqR1kDyCEXnIeuTfoaD1bjhQNii7m7QjnURRNMPKXfdIFFxHbLwDnf5wFZ3UMQsW1NA4F7rQfwQZjE9+pQGEYF0yLEiwmY/Tm+1N30kYBhZToXsPTZtdlrFAALalczgN2LZe83EYD5GmtViAB62IAsdw8feuGOpqun5pBh9tct2m996ZkMwpiND8hzXDTdddbNZ6c7x/4ZSf8iOdKF56TfQ0Q7B9G0WM10=
spamdiagnosticoutput: 1:99
spamdiagnosticmetadata: NSPM
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: base64
MIME-Version: 1.0
X-OriginatorOrg: nokia.com
X-MS-Exchange-CrossTenant-Network-Message-Id: 7b7eeddf-b8ee-46d7-f39c-08d64ebeabb1
X-MS-Exchange-CrossTenant-originalarrivaltime: 20 Nov 2018 08:03:34.9301 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 5d471751-9675-428d-917b-70f44f9630b0
X-MS-Exchange-Transport-CrossTenantHeadersStamped: HE1PR07MB3403
Archived-At: <https://mailarchive.ietf.org/arch/msg/netconf/of-Ec1-ulsqsdamj_qgB9VkPFlM>
Subject: Re: [Netconf] Comments on draft-ietf-netconf-netconf-client-server
X-BeenThere: netconf@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Network Configuration WG mailing list <netconf.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/netconf>, <mailto:netconf-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/netconf/>
List-Post: <mailto:netconf@ietf.org>
List-Help: <mailto:netconf-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/netconf>, <mailto:netconf-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 20 Nov 2018 08:03:42 -0000
Hi Kent, Thanks for your clarifications for comments 1 and 2. It seems the draft yang model is aligned to the NMDA architecture (rfc8342). We understood that our NETCONF server should be NMDA compliant and we shall work towards that. Thanks for your support. Regards, Ramkumar -----Original Message----- From: Kent Watsen <kwatsen@juniper.net> Sent: Saturday, November 17, 2018 12:05 AM To: Dhanapal, Ramkumar (Nokia - IN/Chennai) <ramkumar.dhanapal@nokia.com>; netconf@ietf.org Cc: Beauville, Yves (Nokia - BE/Antwerp) <yves.beauville@nokia.com>; Carey, Timothy (Nokia - US) <timothy.carey@nokia.com> Subject: Re: Comments on draft-ietf-netconf-netconf-client-server Hi Ramkumar, >> Comment 1: >> We are using the ‘ietf-netconf-server’ module for configuration of >> call home parameters like netconf client endpoint IP/port, keys/certificates etc.. >> For static configuration from northbound, this works fine. >> >> Our use case is that the netconf client endpoint IP/port are learnt >> dynamically through DHCP process inline with BBF TR301_Issue2. These >> dynamically learnt endpoints also need to be modelled in the yang. >> These dynamic endpoints should also support the configuration of keys/certificates. > > I just read TR301 Issue2, which is similar to work I do both in and out of the IETF. > > What is your question specifically? Is it how to configure the > ietf-netconf-server data model given the PMA Offer message described > in Section 16.5.2.2? or is it how the PMA can configure these values > after it establishes a NETCONF connection (via NETCONF Call Home) to > the DPU after the discovery process completes? > > [Ram] The DPU gets the PMA IP in the DHCP Offer message from DHCP > server in option 125. The question is where to store these dynamically > learnt IP addresses in the ietf-netconf-server data-model (the > data-model seems to be pertaining to static user configuration)? The dynamically learnt IP addresses would be stored in /ietf-netconf-server:\ netconf-server/call-home/netconf-client/endpoints/endpoint/tls/address. I'm unsure what you mean by "static" configuration. The data model regards configuration in general, whether the configuration is set via, e.g., a NETCONF client or a bootstrapping mechanism is immaterial. >> Comment 2: The server keys/certificates/ca-certs are configurable per >> endpoint per netconf-client. We understand pinned-ca-certs/ pinned-\ >> client-certs can be per endpoint. But for the device acting as the >> netconf server, we see only one set of keys/certificates is enough >> and need not be per endpoint. > > As I understand TR301, the DPU will perform standard certificate path >validation of the PMA’s end-entity certificate to a per-configured >trust-anchor certificate, presumably one provided by a public CA such >as Verisign or Comodo, such as might be found in, e.g., /etc/ssl/certs. > Thusly, these certs are, in effect, the “pinned-ca-certs” that would >be used. For absolute correctness, the DPU could auto-populate >/ietf-trust-anchors:pinned-certificates with these certs, or it could >do “backend magic” to achieve the same result. > > [Ram] We are in-line with you on the “pinned-ca-certs”. > The comment is on the keys/certificate of the DPU i.e. ‘server-identity’. > As per the data-model, this is configurable per endpoint per netconf-client. > Since the DPU is acting as netconf server, we use only one set of > keys/certificates and is not be per endpoint. > > Our view is that this set is applicable for all endpoints (both > statically configured and dynamically learnt scenarios). Since it is > configurable per endpoint now, if the user configures one set for each > endpoint, which set shall the DPU use for the TLS authentication? Thank you for the clarification. As TR301 requires the use of an IDevID certificate that, by definition, is preconfigured by the DPU's OEM, it is expected to appear in /ietf-keystore:keystore/asymmetric-keys/asymmetric-key (in <operational>, with "private-key" having the value "permanently-hidden"). Then /ietf-netconf-server:netconf-server/call-home/netconf-client/endpoints\ /endpoint/tls/server-identity/reference would point to it. For instance, the second example here [1] references the "ex-rsa-cert" certificate (and its associated private key). [Note: "ex-rsa-cert", in this example, is NOT an IDevID cert] But note that, per recent discussions, in order for the reference to be valid, a stub/copy of the asymmetric-key in the <operational> needs to be created in <intended>. This is illustrated by the "tpm-protected-key2" key listed in the first example here [2]. Note how this asymmetric-key entry and its associated "builtin-idevid-cert2" cert contain just the "name" values, per the description of the /keystore/asymmetric-keys/\ asymmetric-key/name node: "An arbitrary name for the asymmetric key. If the name matches the name of a key that exists independently in <operational> (i.e., a 'permanently-hidden' key), then the 'algorithm', 'public-key', and 'private-key' nodes MUST NOT be configured."; [1] https://tools.ietf.org/html/draft-ietf-netconf-tls-client-server-08#section-4.2 [2] https://tools.ietf.org/html/draft-ietf-netconf-keystore-07#section-3.2 >> Comment 3: The description of >> ‘netconf-server/listen/endpoint/transport\ >> /ssh/address’ is mentioned as “The NETCONF server will listen on all >> configured interfaces if no value is specified”. When no value is >> specified, we are unable to configure ‘ss:ssh-server-grouping’ parameters. > > Good catch, the mandatory true requires a value. This was discussed > on the list a while back with the result of wanting to instead have > the address always specified, using INADDR_ANY or INADDR6_ANY when > needed. The description statement is wrong. I have removed the 2nd > sentence from the description statement in six locations in the four > modules ietf-[netconf|restconf]-[client|server] in my local copy. > > BTW, you mention “listen” and “ssh” but, for TR301, it should be > “call-home” and “tls”, right? > > [Ram] Yes, we use Call-Home over TLS for DPUs but we also support > listen over SSH for some other platforms Gotcha. Everything written above regarding the TLS data model applies to the SSH data model though, with SSH, there is an option to use a standard SSH pubkey as well as an X.509 certificate. Depending on if your IDevID is stored in a TPM, you may find pubkey easier to implement. Kent
- [Netconf] Comments on draft-ietf-netconf-netconf-… Dhanapal, Ramkumar (Nokia - IN/Chennai)
- Re: [Netconf] Comments on draft-ietf-netconf-netc… Kent Watsen
- Re: [Netconf] Comments on draft-ietf-netconf-netc… Dhanapal, Ramkumar (Nokia - IN/Chennai)
- Re: [Netconf] Comments on draft-ietf-netconf-netc… Kent Watsen
- Re: [Netconf] Comments on draft-ietf-netconf-netc… Dhanapal, Ramkumar (Nokia - IN/Chennai)