IETF Logo Mail Archive

Re: [netconf] crypto-types fallback strategy

"Salz, Rich" <rsalz@akamai.com> Fri, 13 September 2019 13:41 UTC

Return-Path: <rsalz@akamai.com>
X-Original-To: netconf@ietfa.amsl.com
Delivered-To: netconf@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 883D8120806 for <netconf@ietfa.amsl.com>; Fri, 13 Sep 2019 06:41:16 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.699
X-Spam-Level:
X-Spam-Status: No, score=-2.699 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.001, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=akamai.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id NZtemKy415xG for <netconf@ietfa.amsl.com>; Fri, 13 Sep 2019 06:41:15 -0700 (PDT)
Received: from mx0b-00190b01.pphosted.com (mx0b-00190b01.pphosted.com [IPv6:2620:100:9005:57f::1]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 05F9E120288 for <netconf@ietf.org>; Fri, 13 Sep 2019 06:41:14 -0700 (PDT)
Received: from pps.filterd (m0122331.ppops.net [127.0.0.1]) by mx0b-00190b01.pphosted.com (8.16.0.42/8.16.0.42) with SMTP id x8DDbvaY027007; Fri, 13 Sep 2019 14:41:11 +0100
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=akamai.com; h=from : to : cc : subject : date : message-id : references : in-reply-to : content-type : mime-version; s=jan2016.eng; bh=90UIJNbc8s0Y8OfMWKURKpy0d1bvSgr6FeeJmEQbL5g=; b=Hvnc/hnDptelvhFHuHISpdqMb1jytRQANzmjbmj6XxR8obxog2nakRPbmKAegD9b0gbk E0FefpAoNng6fxul2I+prNQM/imOVwmaorPBBs+v9Radl91krKEzoRGsvZejWFWHqetl p0YJ9TNZQCtSi/miE1c0S5F6fMdMk+gvyvDXhXufkReZ/v5uoQXHSbovAwUze0VQ+a6f kDt2OoQls+H9LZ3u6ysIzH+05F892JSWeQ89e35FTKHO1vvo3v91Jd8/stQLnjKvv7Fc q4N/y4w588LR3ZXNFccT7AUSyKN0lsucjaxYboTCl17SB2NZIzd+SjydAUHLx7N9XzFg ng==
Received: from prod-mail-ppoint7 (prod-mail-ppoint7.akamai.com [96.6.114.121] (may be forged)) by mx0b-00190b01.pphosted.com with ESMTP id 2uytckkhyv-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT); Fri, 13 Sep 2019 14:41:11 +0100
Received: from pps.filterd (prod-mail-ppoint7.akamai.com [127.0.0.1]) by prod-mail-ppoint7.akamai.com (8.16.0.27/8.16.0.27) with SMTP id x8DDXfmX031544; Fri, 13 Sep 2019 09:41:09 -0400
Received: from email.msg.corp.akamai.com ([172.27.123.57]) by prod-mail-ppoint7.akamai.com with ESMTP id 2uyth7q018-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-SHA384 bits=256 verify=NOT); Fri, 13 Sep 2019 09:41:08 -0400
Received: from USMA1EX-DAG1MB5.msg.corp.akamai.com (172.27.123.105) by usma1ex-dag1mb3.msg.corp.akamai.com (172.27.123.103) with Microsoft SMTP Server (TLS) id 15.0.1473.3; Fri, 13 Sep 2019 09:41:06 -0400
Received: from USMA1EX-DAG1MB1.msg.corp.akamai.com (172.27.123.101) by usma1ex-dag1mb5.msg.corp.akamai.com (172.27.123.105) with Microsoft SMTP Server (TLS) id 15.0.1473.3; Fri, 13 Sep 2019 09:41:06 -0400
Received: from USMA1EX-DAG1MB1.msg.corp.akamai.com ([172.27.123.101]) by usma1ex-dag1mb1.msg.corp.akamai.com ([172.27.123.101]) with mapi id 15.00.1473.005; Fri, 13 Sep 2019 09:41:06 -0400
From: "Salz, Rich" <rsalz@akamai.com>
To: "Rob Wilton (rwilton)" <rwilton@cisco.com>, Kent Watsen <kent+ietf@watsen.net>, "netconf@ietf.org" <netconf@ietf.org>
CC: Russ Housley <housley@vigilsec.com>, Rifaat Shekh-Yusef <rifaat.ietf@gmail.com>, Sean Turner <sean@sn3rd.com>
Thread-Topic: [netconf] crypto-types fallback strategy
Thread-Index: AQHVaNxGVhFlbERW30moo9Q8WhnpJqcpkUCAgAAOz4A=
Date: Fri, 13 Sep 2019 13:41:05 +0000
Message-ID: <D6740042-7CD9-466F-911A-BA4339042B5D@akamai.com>
References: <0100016d21ee2101-fb4f3288-1975-4a7d-a499-cb42ff8d9e14-000000@email.amazonses.com> <MN2PR11MB4366AE6CF9E03B15EBEA3A39B5B30@MN2PR11MB4366.namprd11.prod.outlook.com>
In-Reply-To: <MN2PR11MB4366AE6CF9E03B15EBEA3A39B5B30@MN2PR11MB4366.namprd11.prod.outlook.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
user-agent: Microsoft-MacOutlook/10.1d.0.190908
x-ms-exchange-messagesentrepresentingtype: 1
x-ms-exchange-transport-fromentityheader: Hosted
x-originating-ip: [172.19.32.151]
Content-Type: multipart/alternative; boundary="_000_D67400427CD9466F911ABA4339042B5Dakamaicom_"
MIME-Version: 1.0
X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10434:, , definitions=2019-09-13_06:, , signatures=0
X-Proofpoint-Spam-Details: rule=notspam policy=default score=0 suspectscore=0 malwarescore=0 phishscore=0 bulkscore=0 spamscore=0 mlxscore=0 mlxlogscore=500 adultscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.0.1-1908290000 definitions=main-1909130134
X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10434:6.0.70,1.0.8 definitions=2019-09-13_06:2019-09-11,2019-09-13 signatures=0
X-Proofpoint-Spam-Details: rule=notspam policy=default score=0 suspectscore=0 malwarescore=0 priorityscore=1501 mlxlogscore=481 spamscore=0 lowpriorityscore=0 impostorscore=0 phishscore=0 adultscore=0 clxscore=1011 mlxscore=0 bulkscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.12.0-1908290000 definitions=main-1909130135
Archived-At: <https://mailarchive.ietf.org/arch/msg/netconf/FFjt69Yqv2gLyNx3yerU8b_RqeQ>
Subject: Re: [netconf] crypto-types fallback strategy
X-BeenThere: netconf@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: NETCONF WG list <netconf.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/netconf>, <mailto:netconf-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/netconf/>
List-Post: <mailto:netconf@ietf.org>
List-Help: <mailto:netconf-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/netconf>, <mailto:netconf-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 13 Sep 2019 13:41:17 -0000

> I think that using a numerical OID to identify crypto algorithms doesn’t seem like a great choice

Every OID definition I’ve seen has a name, often both a short name and a long name.  Look at https://oid-info.com  There is also a URN syntax for OID’s. The widely-used OpenSSL has a built-in mapping; see https://github.com/openssl/openssl/blob/master/crypto/objects/objects.txt .

> I wonder if changing from identifiers to enums was a mistake.  If we were to use YANG identifiers then we wouldn’t need to define them all now, and they wouldn’t all need to be defined in the same YANG module.  In fact, if we were to go back to using identifiers then perhaps NETCONF should restrict itself to only defining the identifiers that we actually need now, and leave the rest to the security folks to figure out, probably as separate modules defining the extra identifiers that they need, or as a bis version of the crypto-types draft if required.

I am strongly in favor of not trying to create a unified module for *all* cryptography, as I have posted before.  I don’t know enough about YANG to know if this is the only way to achieve that, but this seems like the right thing to do. There are new types of crypto coming (look at what CFRG is doing), and they are likely to create new object types.

v2.46.0 | Report a Bug | By Email | System Status