Re: [Netconf] ??Re:??WGLC??for??draft-ietf-netcon f-tls-04.txt
Mohamad Badra <badra@isima.fr> Mon, 29 September 2008 12:14 UTC
Return-Path: <netconf-bounces@ietf.org>
X-Original-To: netconf-archive@ietf.org
Delivered-To: ietfarch-netconf-archive@core3.amsl.com
Received: from [127.0.0.1] (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id AEA1A3A69A1; Mon, 29 Sep 2008 05:14:20 -0700 (PDT)
X-Original-To: netconf@core3.amsl.com
Delivered-To: netconf@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 7A85C3A68CE for <netconf@core3.amsl.com>; Mon, 29 Sep 2008 05:14:19 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.294
X-Spam-Level:
X-Spam-Status: No, score=-1.294 tagged_above=-999 required=5 tests=[AWL=0.355, BAYES_00=-2.599, HELO_EQ_FR=0.35, J_CHICKENPOX_35=0.6]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Txwu5PjQPwbC for <netconf@core3.amsl.com>; Mon, 29 Sep 2008 05:14:18 -0700 (PDT)
Received: from sp.isima.fr (sp.isima.fr [193.55.95.1]) by core3.amsl.com (Postfix) with ESMTP id 03D4B3A68F5 for <netconf@ietf.org>; Mon, 29 Sep 2008 05:14:17 -0700 (PDT)
Received: from [127.0.0.1] (pc158.isima.fr [193.55.95.158]) by sp.isima.fr (8.13.8/8.13.8) with ESMTP id m8TDEXrd634974; Mon, 29 Sep 2008 14:14:35 +0100
Message-ID: <48E0C66D.8020106@isima.fr>
Date: Mon, 29 Sep 2008 14:13:33 +0200
From: Mohamad Badra <badra@isima.fr>
User-Agent: Thunderbird 2.0.0.17 (Windows/20080914)
MIME-Version: 1.0
To: fanhuaxiang 90002624 <washam.fan@huawei.com>
References: <fa17895d38c09.38c09fa17895d@huawei.com> <54592.88.164.98.77.1222597371.squirrel@www.isima.fr> <20080929101340.GC22657@elstar.local> <faf6ae7a3806c.3806cfaf6ae7a@huawei.com> <20080929105205.GA22832@elstar.local> <48E0BF94.2060208@isima.fr>
In-Reply-To: <48E0BF94.2060208@isima.fr>
X-Greylist: Sender IP whitelisted, not delayed by milter-greylist-3.0 (sp.isima.fr [193.55.95.1]); Mon, 29 Sep 2008 14:14:35 +0100 (WEST)
Cc: Juergen Schoenwaelder <j.schoenwaelder@iu-bremen.de>, netconf@ietf.org
Subject: Re: [Netconf] ??Re:??WGLC??for??draft-ietf-netcon f-tls-04.txt
X-BeenThere: netconf@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Network Configuration WG mailing list <netconf.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/netconf>, <mailto:netconf-request@ietf.org?subject=unsubscribe>
List-Archive: <https://www.ietf.org/mailman/private/netconf>
List-Post: <mailto:netconf@ietf.org>
List-Help: <mailto:netconf-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/netconf>, <mailto:netconf-request@ietf.org?subject=subscribe>
Content-Transfer-Encoding: quoted-printable
Content-Type: text/plain; charset="iso-8859-1"; Format="flowed"
Sender: netconf-bounces@ietf.org
Errors-To: netconf-bounces@ietf.org
My apologies, I forgot to include Washam comments "in netconf case, both sides are expected to send data" So please forget my last text, below is the correct one: "A TLS client (NETCONF manager) MUST close the associated TLS connection if the connection is not expected to deliver any rpc operation later. It MUST send a TLS close_notify alert before closing the connection. The client MAY choose to not wait for the TLS server (NETCONF agent) close_notify alert and simply close the connection, thus generating an incomplete close on the server side. Once the server gets a close_notify from the client, it MUST reply with a close_notify unless it becomes aware that the connection has already been closed by the transport sender (e.g., the closure was indicated by TCP). When no data is received from a connection for a long time (where the application decides what "long" means), a NETCONF peer MAY close the connection. The peer MUST attempt to initiate an exchange of close_notify alerts with the other NETCONF peer before closing the connection. The close_notify's sender that is unpreFrom netconf-bounces@ietf.org Mon Sep 29 05:14:20 2008 Return-Path: <netconf-bounces@ietf.org> X-Original-To: netconf-archive@lists.ietf.org Delivered-To: ietfarch-netconf-archive@core3.amsl.com Received: from [127.0.0.1] (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id AEA1A3A69A1; Mon, 29 Sep 2008 05:14:20 -0700 (PDT) X-Original-To: netconf@core3.amsl.com Delivered-To: netconf@core3.amsl.com Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 7A85C3A68CE for <netconf@core3.amsl.com>; Mon, 29 Sep 2008 05:14:19 -0700 (PDT) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -1.294 X-Spam-Level: X-Spam-Status: No, score=-1.294 tagged_above=-999 required=5 tests=[AWL=0.355, BAYES_00=-2.599, HELO_EQ_FR=0.35, J_CHICKENPOX_35=0.6] Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Txwu5PjQPwbC for <netconf@core3.amsl.com>; Mon, 29 Sep 2008 05:14:18 -0700 (PDT) Received: from sp.isima.fr (sp.isima.fr [193.55.95.1]) by core3.amsl.com (Postfix) with ESMTP id 03D4B3A68F5 for <netconf@ietf.org>; Mon, 29 Sep 2008 05:14:17 -0700 (PDT) Received: from [127.0.0.1] (pc158.isima.fr [193.55.95.158]) by sp.isima.fr (8.13.8/8.13.8) with ESMTP id m8TDEXrd634974; Mon, 29 Sep 2008 14:14:35 +0100 Message-ID: <48E0C66D.8020106@isima.fr> Date: Mon, 29 Sep 2008 14:13:33 +0200 From: Mohamad Badra <badra@isima.fr> User-Agent: Thunderbird 2.0.0.17 (Windows/20080914) MIME-Version: 1.0 To: fanhuaxiang 90002624 <washam.fan@huawei.com> References: <fa17895d38c09.38c09fa17895d@huawei.com> <54592.88.164.98.77.1222597371.squirrel@www.isima.fr> <20080929101340.GC22657@elstar.local> <faf6ae7a3806c.3806cfaf6ae7a@huawei.com> <20080929105205.GA22832@elstar.local> <48E0BF94.2060208@isima.fr> In-Reply-To: <48E0BF94.2060208@isima.fr> X-Greylist: Sender IP whitelisted, not delayed by milter-greylist-3.0 (sp.isima.fr [193.55.95.1]); Mon, 29 Sep 2008 14:14:35 +0100 (WEST) Cc: Juergen Schoenwaelder <j.schoenwaelder@iu-bremen.de>, netconf@ietf.org Subject: Re: [Netconf] ??Re:??WGLC??for??draft-ietf-netcon f-tls-04.txt X-BeenThere: netconf@ietf.org X-Mailman-Version: 2.1.9 Precedence: list List-Id: Network Configuration WG mailing list <netconf.ietf.org> List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/netconf>, <mailto:netconf-request@ietf.org?subject=unsubscribe> List-Archive: <https://www.ietf.org/mailman/private/netconf> List-Post: <mailto:netconf@ietf.org> List-Help: <mailto:netconf-request@ietf.org?subject=help> List-Subscribe: <https://www.ietf.org/mailman/listinfo/netconf>, <mailto:netconf-request@ietf.org?subject=subscribe> Content-Transfer-Encoding: quoted-printable Content-Type: text/plain; charset="iso-8859-1"; Format="flowed" Sender: netconf-bounces@ietf.org Errors-To: netconf-bounces@ietf.org My apologies, I forgot to include Washam comments "in netconf case, both sides are expected to send data" So please forget my last text, below is the correct one: "A TLS client (NETCONF manager) MUST close the associated TLS connection if the connection is not expected to deliver any rpc operation later. It MUST send a TLS close_notify alert before closing the connection. The client MAY choose to not wait for the TLS server (NETCONF agent) close_notify alert and simply close the connection, thus generating an incomplete close on the server side. Once the server gets a close_notify from the client, it MUST reply with a close_notify unless it becomes aware that the connection has already been closed by the transport sender (e.g., the closure was indicated by TCP). When no data is received from a connection for a long time (where the application decides what "long" means), a NETCONF peer MAY close the connection. The peer MUST attempt to initiate an exchange of close_notify alerts with the other NETCONF peer before closing the connection. The close_notify's sender that is pared to receive any more data MAY close the connection after sending the close_notify alert, thus generating an incomplete close on the close_notify's receiver side. When the receiver has received the close_notify alert from the sender and still has pending data to send, it SHOULD send the pending data before sending the close_notify alert." Best regards Mohamad Badra CNRS - LIMOS Laboratory Mohamad Badra a écrit : > tom.petch wrote: > >>Juergen Schoenwaelder wrote: > >>>fanhuaxiang 90002624 wrote: >> To quote TLS, >> "The other party MUST respond with a close_notify >> alert of its own and close down the connection immediately, >> discarding any pending writes. " >> so this proposed text would appear to contradict a TLS MUST. TLS also >> takes >> great care not to bind itself to TCP and not to prescribe the >> behaviour of the >> underlying transport protocol. > > >> maybe what said in counterpart section in syslog-tls contradict a > >>TLS MUST, too. > >>>> I think the value of section "connection closure" is to describe >>>> when and how to end up a connection. so I think maybe we need to >>>> elaborate what "TLS connection is not used anymore" means in netconf >>>> context. >>>> >>>> It is the application's decision and hence any discussion is either >>>> pointless or likely getting it wrong. > > To quote IESG Evaluation on syslog-tls, > > "Section 4.4: > OLD: > A TLS client MUST close the associated TLS connection if the > connection is not expected to deliver any syslog messages later. > It MUST send a TLS close_notify alert before closing the > connection. A client MAY choose to not wait for the server's > close_notify alert and simply close the connection, thus > generating an incomplete close on the server side. Once the > server gets a close_notify from the client, it MUST reply with a > close_notify unless it becomes aware that the connection has > already been closed by the client (e.g., the closure was > indicated by TCP). > NEW: > A transport sender MUST close the associated TLS connection if > the connection is not expected to deliver any syslog messages > later. It MUST send a TLS close_notify alert before closing the > connection. A transport sender (TLS client) MAY choose to not > wait for the transport receiver's close_notify alert and simply > close the connection, thus generating an incomplete close on the > transport receiver (TLS server) side. Once the transport > receiver gets a close_notify from the transport sender, it MUST > reply with a close_notify unless it becomes aware that the > connection has already been closed by the transport sender > (e.g., the closure was indicated by TCP). > > Section 4.4: > OLD: > When no data is received from a connection for a long time > (where the application decides what "long" means), a server MAY > close the connection. The server MUST attempt to initiate an > exchange of close_notify alerts with the client before closing > the connection. Servers that are unprepared to receive any more > data MAY close the connection after sending the close_notify > alert, thus generating an incomplete close on the client side. > When the client has received the close_notify alert from the > server and still has pending data to send, it SHOULD send the > pending data before sending the close_notify alert. > NEW: > When no data is received from a connection for a long time > (where the application decides what "long" means), a transport > receiver MAY close the connection. The transport receiver (TLS > server) MUST attempt to initiate an exchange of close_notify > alerts with the transport sender before closing the connection. > Transport receivers that are unprepared to receive any more data > MAY close the connection after sending the close_notify unprepared to receive any more data MAY close the connection after sending the close_notify alert, thus generating an incomplete close on the close_notify's receiver side. When the receiver has received the close_notify alert from the sender and still has pending data to send, it SHOULD send the pending data before sending the close_notify alert." Best regards Mohamad Badra CNRS - LIMOS Laboratory Mohamad Badra a écrit : > tom.petch wrote: > >>Juergen Schoenwaelder wrote: > >>>fanhuaxiang 90002624 wrote: >> To quote TLS, >> "The other party MUST respond with a close_notify >> alert of its own and close down the connection immediately, >> discarding any pending writes. " >> so this proposed text would appear to contradict a TLS MUST. TLS also >> takes >> great care not to bind itself to TCP and not to prescribe the >> behaviour of the >> underlying transport protocol. > > >> maybe what said in counterpart section in syslog-tls contradict a > >>TLS MUST, too. > >>>> I think the value of section "connection closure" is to describe >>>> when and how to end up a connection. so I think maybe we need to >>>> elaborate what "TLS connection is not used anymore" means in netconf >>>> context. >>>> >>>> It is the application's decision and hence any discussion is either >>>> pointless or likely getting it wrong. > > To quote IESG Evaluation on syslog-tls, > > "Section 4.4: > OLD: > A TLS client MUST close the associated TLS connection if the > connection is not expected to deliver any syslog messages later. > It MUST send a TLS close_notify alert before closing the > connection. A client MAY choose to not wait for the server's > close_notify alert and simply close the connection, thus > generating an incomplete close on the server side. Once the > server gets a close_notify from the client, it MUST reply with a > close_notify unless it becomes aware that the connection has > already been closed by the client (e.g., the closure was > indicated by TCP). > NEW: > A transport sender MUST close the associated TLS connection if > the connection is not expected to deliver any syslog messages > later. It MUST send a TLS close_notify alert before closing the > connection. A transport sender (TLS client) MAY choose to not > wait for the transport receiver's close_notify alert and simply > close the connection, thus generating an incomplete close on the > transport receiver (TLS server) side. Once the transport > receiver gets a close_notify from the transport sender, it MUST > reply with a close_notify unless it becomes aware that the > connection has already been closed by the transport sender > (e.g., the closure was indicated by TCP). > > Section 4.4: > OLD: > When no data is received from a connection for a long time > (where the application decides what "long" means), a server MAY > close the connection. The server MUST attempt to initiate an > exchange of close_notify alerts with the client before closing > the connection. Servers that are unprepared to receive any more > data MAY close the connection after sending the close_notify > alert, thus generating an incomplete close on the client side. > When the client has received the close_notify alert from the > server and still has pending data to send, it SHOULD send the > pending data before sending the close_notify alert. > NEW: > When no data is received from a connection for a long time > (where the application decides what "long" means), a transport > receiver MAY close the connection. The transport receiver (TLS > server) MUST attempt to initiate an exchange of close_notify > alerts with the transport sender before closing the connection. > Transport receivers that are unprepared to receive any more data > MAY close the connection after sending the close_notify alert, > thus generating an incomplete close on the transport sender > side. When the transport sender (TLS client) has received the > close_notify alert from the transport receiver and still has > pending data to send, it SHOULD send the pending data before > sending the close_notify alert." > > > I think the above text would appear to contradict a TLS MUST. Wouldn't? > > I also think the above text describes when to close connection for both > sides. e.g, when the client doesn't want to initial any syslog message > or when the server found there is no data on the wire for a long time. > > With respect to that, I think we should propose a simalar text, a > modified text is below: > > "A TLS client (NETCONF manager) MUST close the associated TLS > connection if the connection is not expected to deliver any rpc > operation later. It MUST send a TLS close_notify alert before > closing the connection. The client MAY choose to not wait for the > TLS server (NETCONF agent) close_notify alert and simply close the > connection, thus generating an incomplete close on the server > side. Once the server gets a close_notify from the client, it > MUST reply with a close_notify unless it becomes aware that the > connection has already been closed by the transport sender (e.g., > the closure was indicated by TCP). > > When no data is received from a connection for a long time (where > the application decides what "long" means), a TLS server MAY close > the connection. The TLS server MUST attempt to initiate an > exchange of close_notify alerts with the transport sender before > closing the connection. The server that is unprepared to receive > any more data MAY close the connection after sending the > close_notify alert, thus generating an incomplete close on the > client side. When the client has received the close_notify alert > from the server and still has pending data to send, it SHOULD send > the pending data before sending the close_notify alert." > > > Comments? > Best regards, > Mohamad Badra > CNRS - LIMOS Laboratory > _______________________________________________ Netconf mailing list Netconf@ietf.org https://www.ietf.org/mailman/listinfo/netconf alert, > thus generating an incomplete close on the transport sender > side. When the transport sender (TLS client) has received the > close_notify alert from the transport receiver and still has > pending data to send, it SHOULD send the pending data before > sending the close_notify alert." > > > I think the above text would appear to contradict a TLS MUST. Wouldn't? > > I also think the above text describes when to close connection for both > sides. e.g, when the client doesn't want to initial any syslog message > or when the server found there is no data on the wire for a long time. > > With respect to that, I think we should propose a simalar text, a > modified text is below: > > "A TLS client (NETCONF manager) MUST close the associated TLS > connection if the connection is not expected to deliver any rpc > operation later. It MUST send a TLS close_notify alert before > closing the connection. The client MAY choose to not wait for the > TLS server (NETCONF agent) close_notify alert and simply close the > connection, thus generating an incomplete close on the server > side. Once the server gets a close_notify from the client, it > MUST reply with a close_notify unless it becomes aware that the > connection has already been closed by the transport sender (e.g., > the closure was indicated by TCP). > > When no data is received from a connection for a long time (where > the application decides what "long" means), a TLS server MAY close > the connection. The TLS server MUST attempt to initiate an > exchange of close_notify alerts with the transport sender before > closing the connection. The server that is unprepared to receive > any more data MAY close the connection after sending the > close_notify alert, thus generating an incomplete close on the > client side. When the client has received the close_notify alert > from the server and still has pending data to send, it SHOULD send > the pending data before sending the close_notify alert." > > > Comments? > Best regards, > Mohamad Badra > CNRS - LIMOS Laboratory > _______________________________________________ Netconf mailing list Netconf@ietf.org https://www.ietf.org/mailman/listinfo/netconf
- [Netconf] WGLC for draft-ietf-netconf-tls-04.txt Ersue, Mehmet (NSN - DE/Munich)
- Re: [Netconf] WGLC for draft-ietf-netconf-tls-04.… Juergen Schoenwaelder
- Re: [Netconf] WGLC for draft-ietf-netconf-tls-04.… badra
- Re: [Netconf] WGLC for draft-ietf-netconf-tls-04.… fanhuaxiang 90002624
- Re: [Netconf] WGLC for draft-ietf-netconf-tls-04.… Juergen Schoenwaelder
- Re: [Netconf] WGLC for draft-ietf-netconf-tls-04.… Juergen Schoenwaelder
- [Netconf] Re: WGLC for draft-ietf-netconf-t ls-0… badra
- Re: [Netconf] ????WGLC??for??draft-ietf-netconf-t… Juergen Schoenwaelder
- [Netconf] Re: WGLC for draft-ietf-netconf-t ls-0… badra
- Re: [Netconf] ?? WGLC for draft-ietf-netconf-t??l… Juergen Schoenwaelder
- [Netconf] Re: WGLC for draft-ietf-netconf-t ls-0… badra
- [Netconf] Re: ?? WGLC for draft-ietf-net conf-t ?… badra
- [Netconf] Re: Re: ?? WGLC for draft-ietf-net conf… fanhuaxiang 90002624
- Re: [Netconf] WGLC for draft-ietf-netconf-tls-04.… badra
- Re: [Netconf] WGLC for draft-ietf-netconf-tls-04.… fanhuaxiang 90002624
- [Netconf] Re: Re: WGLC for draft-ietf-netcon f-tl… badra
- Re: [Netconf] ??Re:??WGLC??for??draft-ietf-netcon… Juergen Schoenwaelder
- Re: [Netconf]  Re: WGLC for draft-ietf-netcon… tom.petch
- Re: [Netconf] ??Re:??WGLC??for??draft-ietf-netcon… fanhuaxiang 90002624
- Re: [Netconf] ? Re:? WGLC? for? draft-ietf-netcon… fanhuaxiang 90002624
- Re: [Netconf] ??Re:??WGLC??for??draft-ietf-netcon… Juergen Schoenwaelder
- Re: [Netconf] ??Re:??WGLC??for??draft-ietf-netcon… Mohamad Badra
- Re: [Netconf] ??Re:??WGLC??for??draft-ietf-netcon… Mohamad Badra
- Re: [Netconf] WGLC for draft-ietf-netconf-tls-04.… David B Harrington
- Re: [Netconf] WGLC for draft-ietf-netconf-t ls-… David Harrington
- [Netconf] RE: WGLC for draft-ietf-netconf-t ls-0… badra
- Re: [Netconf] ��WGLC�for�draft-ietf-netcon f-t ls… badra
- [Netconf] RE: WGLC for draft-ietf-netconf-t ls-0… badra
- Re: [Netconf] ????WGLC??for??draft-ietf-netconf-t… Juergen Schoenwaelder
- Re: [Netconf] WGLC for draft-ietf-netconf-t ls-04… fanhuaxiang 90002624
- Re: [Netconf]   WGLC for draft-ietf-netconf-t… tom.petch
- Re: [Netconf] WGLC for draft-ietf-netconf-tls-04.… badra
- Re: [Netconf] WGLC??for??draft-ietf-netconf-tls-0… Juergen Schoenwaelder
- [Netconf] Re: WGLC for draft-ietf-netconf-tls-04… badra
- Re: [Netconf] ????WGLC for draft-ietf-netconf-tls… Juergen Schoenwaelder
- [Netconf] Re: WGLC for draft-ietf-netconf-tls-04… badra
- Re: [Netconf] WGLC for draft-ietf-netconf-tls-04.… tom.petch
- Re: [Netconf] WGLC for draft-ietf-netconf-tls-04.… badra
- Re: [Netconf] WGLC for draft-ietf-netconf-tls-04.… tom.petch
- Re: [Netconf] WGLC for draft-ietf-netconf-tls-04.… badra
- Re: [Netconf] WGLC for draft-ietf-netconf-tls-04.… David B Harrington
- [Netconf] system or registered port for Netconf o… badra
- Re: [Netconf] system or registered port for Netco… fanhuaxiang 90002624
- Re: [Netconf] system or registered port for Netco… Mohamad Badra
- Re: [Netconf] system or registered port for Netco… David Harrington