Re: [Netconf] [netmod] draft-ietf-netconf-netconf-client-server – TCP keepalives

Kent Watsen <kwatsen@juniper.net> Thu, 21 June 2018 17:44 UTC

Return-Path: <kwatsen@juniper.net>
X-Original-To: netconf@ietfa.amsl.com
Delivered-To: netconf@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 988FA130DEE for <netconf@ietfa.amsl.com>; Thu, 21 Jun 2018 10:44:04 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.71
X-Spam-Level:
X-Spam-Status: No, score=-0.71 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, HTTPS_HTTP_MISMATCH=1.989, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=juniper.net
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id qHr1bfGO_4b8 for <netconf@ietfa.amsl.com>; Thu, 21 Jun 2018 10:44:00 -0700 (PDT)
Received: from mx0b-00273201.pphosted.com (mx0b-00273201.pphosted.com [67.231.152.164]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 862C512F1A2 for <netconf@ietf.org>; Thu, 21 Jun 2018 10:44:00 -0700 (PDT)
Received: from pps.filterd (m0108160.ppops.net [127.0.0.1]) by mx0b-00273201.pphosted.com (8.16.0.22/8.16.0.22) with SMTP id w5LHhuRG030687; Thu, 21 Jun 2018 10:43:56 -0700
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=juniper.net; h=from : to : subject : date : message-id : references : in-reply-to : content-type : mime-version; s=PPS1017; bh=bIWIkAxj1rZjFY8DGHcrJAeFzUebi6tEZcZktbmPnjA=; b=DQT0OAfNdv2pehFAWOy2hYHBAcFl22VXi3DkKHhpnaSKbSCkPGMJDXgt1E+gSKSVO+we Q6cVE8m0tyACU6uWy2Kjdb4hXaF/rDQpisTgD7i08LDriohqSQfn7UK3BKcMggoYPSDS gwsCOdgFwGxKWkHXfUuf9LamHJ1k89SfZSfEBci0nMW9EcFcSu+gVqfoMsPy7M3wmjiY UhNXmpgzkUR1+MQQouVELZZH93kuBsWjlYX5F4Ss+7Egktz+JF1huR7YnC8ngXjgDXAB KQU+h8sODT2qncT5Id5WHXK67xN8wfFNYYu8TX9eQBcPwR7sEcKHX34W4XBPtGe2W5oA hg==
Received: from nam04-bn3-obe.outbound.protection.outlook.com (mail-bn3nam04lp0118.outbound.protection.outlook.com [216.32.180.118]) by mx0b-00273201.pphosted.com with ESMTP id 2jreuhr659-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-SHA384 bits=256 verify=NOT); Thu, 21 Jun 2018 10:43:56 -0700
Received: from BYAPR05MB4230.namprd05.prod.outlook.com (52.135.200.153) by BYAPR05MB3957.namprd05.prod.outlook.com (52.135.195.151) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.884.16; Thu, 21 Jun 2018 17:43:54 +0000
Received: from BYAPR05MB4230.namprd05.prod.outlook.com ([fe80::959d:9fbe:90e4:3cc]) by BYAPR05MB4230.namprd05.prod.outlook.com ([fe80::959d:9fbe:90e4:3cc%4]) with mapi id 15.20.0884.010; Thu, 21 Jun 2018 17:43:54 +0000
From: Kent Watsen <kwatsen@juniper.net>
To: NICK HANCOCK <nick.hancock@adtran.com>, "Beauville, Yves (Nokia - BE/Antwerp)" <yves.beauville@nokia.com>, "netconf@ietf.org" <netconf@ietf.org>
Thread-Topic: =?utf-8?B?W05ldGNvbmZdIFtuZXRtb2RdIGRyYWZ0LWlldGYtbmV0Y29uZi1uZXRjb25m?= =?utf-8?B?LWNsaWVudC1zZXJ2ZXIg4oCTIFRDUCBrZWVwYWxpdmVz?=
Thread-Index: AQHUAkGh8Rh+dKsRu0qFYObTJB07tKRcZ0sAgA59KwCAAAoJgP//2MaA
Date: Thu, 21 Jun 2018 17:43:54 +0000
Message-ID: <9499F0FC-47CA-412C-93B6-6275372F19D8@juniper.net>
References: <51912D52-547F-475F-B71C-A87361DB5690@juniper.net> <5f6300fd-42cf-fa37-68fa-eefccb93e292@nokia.com> <06A7280F-BD10-4FDB-9641-6F2B7D74AA94@juniper.net> <9d5ce8a8-3112-ead1-6c07-cd28e6512a1c@nokia.com> <BD6D193629F47C479266C0985F16AAC7F070B220@ex-mb1.corp.adtran.com>
In-Reply-To: <BD6D193629F47C479266C0985F16AAC7F070B220@ex-mb1.corp.adtran.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
user-agent: Microsoft-MacOutlook/f.20.0.170309
x-originating-ip: [66.129.241.14]
x-ms-publictraffictype: Email
x-microsoft-exchange-diagnostics: 1; BYAPR05MB3957; 7:IuimCRHfwNLeO1BOIEcljqdZccIKBY71FDssoT1efRjhxay7nLBETmib2SXeTCBSCnKewth2bWefMakLgnUqadd7lq/jZHRuOy0zaxVoHSKXu7yqxJDZA/uA6r+n+5hHMEAN/HI2hraDVtEVr2fM6I61eD5TPoChuv5v5qTjN9CJk99ZvKkl2O/fJmyNAEbkEslEHyMIwDnabq+ZR6EvgCGyGp2JLo8yUH62ivMeb/NuWWOcB/jKmDRN/gYGjTWm
x-ms-exchange-antispam-srfa-diagnostics: SOS;
x-ms-office365-filtering-ht: Tenant
x-ms-office365-filtering-correlation-id: c5638392-f676-46d9-cae8-08d5d79e8eb6
x-microsoft-antispam: UriScan:(109105607167333); BCL:0; PCL:0; RULEID:(7020095)(4652020)(4534165)(4627221)(201703031133081)(201702281549075)(48565401081)(5600026)(711020)(2017052603328)(7153060)(7193020); SRVR:BYAPR05MB3957;
x-ms-traffictypediagnostic: BYAPR05MB3957:
x-microsoft-antispam-prvs: <BYAPR05MB3957BDEDBB4A9CEEAAE7035CA5760@BYAPR05MB3957.namprd05.prod.outlook.com>
x-exchange-antispam-report-test: UriScan:(28532068793085)(158342451672863)(10436049006162)(166708455590820)(192374486261705)(82608151540597)(109105607167333)(21748063052155);
x-ms-exchange-senderadcheck: 1
x-exchange-antispam-report-cfa-test: BCL:0; PCL:0; RULEID:(8211001083)(6040522)(2401047)(5005006)(8121501046)(93006095)(93001095)(10201501046)(3231254)(944501410)(52105095)(3002001)(6055026)(149027)(150027)(6041310)(20161123560045)(20161123562045)(20161123564045)(20161123558120)(201703131423095)(201702281528075)(20161123555045)(201703061421075)(201703061406153)(6072148)(201708071742011)(7699016); SRVR:BYAPR05MB3957; BCL:0; PCL:0; RULEID:; SRVR:BYAPR05MB3957;
x-forefront-prvs: 07106EF9B9
x-forefront-antispam-report: SFV:NSPM; SFS:(10019020)(346002)(396003)(39860400002)(366004)(39380400002)(376002)(53754006)(54534003)(52314003)(199004)(189003)(58126008)(54896002)(6246003)(11346002)(3280700002)(59450400001)(476003)(446003)(36756003)(53546011)(606006)(6436002)(25786009)(3846002)(82746002)(6116002)(5250100002)(7736002)(102836004)(2900100001)(68736007)(186003)(236005)(2616005)(3660700001)(53936002)(6506007)(2501003)(93886005)(33656002)(6306002)(110136005)(26005)(53376002)(316002)(66066001)(6512007)(6486002)(8936002)(486006)(5660300001)(81166006)(575784001)(8656006)(86362001)(83716003)(966005)(97736004)(2906002)(99286004)(76176011)(478600001)(229853002)(106356001)(14454004)(105586002)(81156014); DIR:OUT; SFP:1102; SCL:1; SRVR:BYAPR05MB3957; H:BYAPR05MB4230.namprd05.prod.outlook.com; FPR:; SPF:None; LANG:en; PTR:InfoNoRecords; A:1; MX:1;
received-spf: None (protection.outlook.com: juniper.net does not designate permitted sender hosts)
x-microsoft-antispam-message-info: PcLjai4idyUCoVzE2PHAc3IoIxL90lo6NwCKftxZnZcqhv5wuQ9v0UdTrO691wSUONwUOMZIj8u0Io/DMCo5E/58me/TLI1NhyNigEkCpp5f3ysyjahvZF5j7TdU7qpzfiwEb109BtcqRaMHOkjtUB5w7Tegf/La4Khcoz/EkRGIlb7PgxksP9jAtoRTLTWc6z9F3io25Dek+CqJXghAsubA6hU19gf7zENH+hibhNwN+K5cXCpo6u04Fvw4gtL5rjoorHjbuvAUJo9gWSpgnwGVXi2Yxx7BdAL2FiCOnzFLPG8D4Qx222me4GaxM34PvEAxAQerp3CWJTnBHWCnuQ==
spamdiagnosticoutput: 1:99
spamdiagnosticmetadata: NSPM
Content-Type: multipart/alternative; boundary="_000_9499F0FC47CA412C93B66275372F19D8junipernet_"
MIME-Version: 1.0
X-OriginatorOrg: juniper.net
X-MS-Exchange-CrossTenant-Network-Message-Id: c5638392-f676-46d9-cae8-08d5d79e8eb6
X-MS-Exchange-CrossTenant-originalarrivaltime: 21 Jun 2018 17:43:54.1101 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: bea78b3c-4cdb-4130-854a-1d193232e5f4
X-MS-Exchange-Transport-CrossTenantHeadersStamped: BYAPR05MB3957
X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10434:, , definitions=2018-06-21_08:, , signatures=0
X-Proofpoint-Spam-Details: rule=outbound_spam_notspam policy=outbound_spam score=0 priorityscore=1501 malwarescore=0 suspectscore=0 phishscore=0 bulkscore=0 spamscore=0 clxscore=1015 lowpriorityscore=0 mlxscore=0 impostorscore=0 mlxlogscore=999 adultscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.0.1-1805220000 definitions=main-1806210191
Archived-At: <https://mailarchive.ietf.org/arch/msg/netconf/FTGhPbhZwapXugB54oguRRMlhl0>
Subject: Re: [Netconf] =?utf-8?q?=5Bnetmod=5D_draft-ietf-netconf-netconf-clie?= =?utf-8?q?nt-server_=E2=80=93_TCP_keepalives?=
X-BeenThere: netconf@ietf.org
X-Mailman-Version: 2.1.26
Precedence: list
List-Id: Network Configuration WG mailing list <netconf.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/netconf>, <mailto:netconf-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/netconf/>
List-Post: <mailto:netconf@ietf.org>
List-Help: <mailto:netconf-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/netconf>, <mailto:netconf-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 21 Jun 2018 17:44:05 -0000

Just a couple comments from my

1) TCP-keepalives are not always implemented.  From Spencer Dawkins: "we've been recommending that people not rely on TCP keepalives for so long that implementation support for them is still a MAY in https://tools.ietf.org/html/draft-ietf-tcpm-rfc793bis-09#section-3.8.4<https://urldefense.proofpoint.com/v2/url?u=https-3A__tools.ietf.org_html_draft-2Dietf-2Dtcpm-2Drfc793bis-2D09-23section-2D3.8.4&d=DwMFaQ&c=HAkYuh63rsuhr6Scbfh0UjBXeMK-ndb3voDTXcWzoCI&r=9zkP0xnJUvZGJ9EPoOH7Yhqn2gsBYaGTvjISlaJdcZo&m=C6ZMJa-eXYZ8LEFBzCeFiZHsjvW0ncjeAY_Qzl35rMQ&s=oxAmYSIqAeQ9YdJIh6YwgqasacCu8Rvta9vz6P_Oalw&e=>";.  I don't view this as a blocker from a modelling perspective as, if we support configuring TCP-keepalives at all, we would use a "feature" statement so the support could be advertised on a per-device basis.  However, from a BBF solution perspective, this might be something to consider.

2) TCP-keepalives may not always support second-level polling rates.  Apparently, one of the motivations for TLS-keepalive was that they could be sent more often: https://tools.ietf.org/html/rfc6520#section-5.2.   I don't understand why TCP-keepalives are any slower.  Sure, I see the TCP-keepalive interval MUST default be no less than two hours, but I don't yet see why it couldn't be configured to as low as one second (e.g. http://tldp.org/HOWTO/TCP-Keepalive-HOWTO/usingkeepalive.html), and second-level granularity is all the ietf-*conf-[client|server] modules are using.  Anyway, someone might want to look into this also, since RFC 6520 goes through the effort of calling it out.

Kent // contributor


On 6/21/18, 12:04 PM, "NICK HANCOCK" <nick.hancock@adtran.com<mailto:nick.hancock@adtran.com>> wrote:

Hi Kent,

At this time, we are being required to support the configuration of TCP keepalives for the on the connection between the NETCONF client and server and specifically to avoid multiple proprietary solutions within the industry, encourage the support directly within ietf-netconf-server. Adding a separate container to configure TCP keepalives, does not exclude the support of keepalives to test the aliveness of the SSH/TLS client. Through the feature flags, implementations can advertise exactly what they support.

Regards
Nick
This message has been classified General Business by NICK HANCOCK on Thursday, 21 June 2018 at 18:04:16.

From: Beauville, Yves (Nokia - BE/Antwerp) [mailto:yves.beauville@nokia.com]
Sent: Thursday, June 21, 2018 5:28 PM
To: Kent Watsen; NICK HANCOCK
Cc: netconf@ietf.org
Subject: Re: [Netconf] [netmod] draft-ietf-netconf-netconf-client-server – TCP keepalives

Hi Kent,

I understand that OpenSSL folks confirmed that they are not supporting TLS heartbeat.

We want to move forward with using the ietf-netconf-server defined in draft-ietf-netconf-netconf-client-server and to do this we minimally need to support configuration of TCP keepalives. Having a TCP keep alive container, controlled by a feature flag, will enable us to achieve this target.

Would this be a valid and acceptable path for ietf-netconf-server to follow?

Thanks,
Yves

On 12-06-18 16:12, Kent Watsen wrote:
> Yes, it seems that they're in the process:
>
> https://github.com/openssl/openssl/issues/4856<https://urldefense.proofpoint.com/v2/url?u=https-3A__github.com_openssl_openssl_issues_4856&d=DwMGaQ&c=HAkYuh63rsuhr6Scbfh0UjBXeMK-ndb3voDTXcWzoCI&r=9zkP0xnJUvZGJ9EPoOH7Yhqn2gsBYaGTvjISlaJdcZo&m=f1mQZB52BQHRxF7T0NNUYOMmlBSI42GDpC_NX1VCdzw&s=to5OiGRFh8ClW2BY9m21BFNQR7CESg-Dgh-lwBQp4C4&e=>
>
> Kent
>
> ===== original message =====
>
> Hi Kent,
>
> From the change log of OpenSSL
> (https://urldefense.proofpoint.com/v2/url?u=https-3A__www.openssl.org_news_changelog.txt&d=DwIDaQ&c=HAkYuh63rsuhr6Scbfh0UjBXeMK-ndb3voDTXcWzoCI&r=9zkP0xnJUvZGJ9EPoOH7Yhqn2gsBYaGTvjISlaJdcZo&m=zzFq9Fp2lEWaEupRxa7mXtOgQHfoylXJshq8HQwfUnA&s=b2Ckx4ZL4J51XaBFNl95mcQaSVBtJUvrmCHAWFK6mUU&e=), I can see the following
> change being logged between 1.1.0h and 1.1.1:
>
> *) Heartbeat support has been removed; the ABI is changed for now.
> [Richard Levitte, Rich Salz]
>
> Thanks,
> Yves
>
> On 12-06-18 03:22, Kent Watsen wrote:
>> Looking into this just a little more, I know that Heartbeat was supported by OpenSSL before (recall Heartbleed bug?), so I grepped the 1.1.0g source code (which has the Heartbleed fix) and found evidence that the support might still be in the code. That said, I can't tell if the code is specific to DTLS or works on TLS as well…
>>
>> /kw
>>
>>
>> ===== original message =====
>>
>> [+netconf, -netmod]
>>
>> The issue appears to be with current TLS libraries not implementing TLS keepalives, the HeartbeatRequest messages defined by [RFC6520]. I have not myself validated this yet, does anyone have any experience?
>>
>> If it is true that HeartbeatRequest messages is not supported today, do we:
>> a) encourage the TLS library maintainers to implement it
>> b) or introduce an ability to configure TCP-level keepalives
>> c) or both?
>>
>> Any other ideas?
>>
>> Thanks,
>> Kent
>>
>>
>>
>> On 6/11/18, 12:32 PM, "netmod on behalf of NICK HANCOCK" <netmod-bounces@ietf.org on behalf of nick.hancock@adtran.com>; wrote:
>>
>> Hi All,
>>
>> A couple of companies are working on a solutions to implement devices, such as DPUs, based on the requirements of the Broadband Forum Technical Report TR-301 issue 2 “Architecture and Requirements for Fiber to the Distribution Point”, which requires TLS for the persistent NETCONF connection, for which the configuration of call home is to be by means of the ‘ietf-netconf-server’ module.
>>
>> TLS heartbeat cannot be supported to keep the call home connection alive, because TLS heartbeat is not or no longer supported by many TLS libraries, such as OpenSSL in the wake of the Heartbleed security bug. Although TCP keep-alives are not secure, we will nevertheless be required to support TCP keepalives to ensure that the connection remains persistent and these keepalives would also need to be configurable. Unfortunately, the keepalive configuration implemented in ‘ietf-netconf-server’, although not bound to the ‘transport’ choice, is bound to the secure layer textually in the description of the data nodes (references to “SSH/TLS client” and “SSH/TLS-level message”), which makes its use for configuring TCP keepalives for specific implementations possible, but obviously problematic. RFC 8071, Section 4.1, S7, also heavily implies that it is intended to be used for the designated transport layer (e.g., SSH, TLS).
>>
>> Since this issue affects the industry as a whole, we believe it would be better to provide support for the configuration of TCP keepalives within the ‘ietf-netconf-server’ module from the beginning, rather than wait for other SDOs or vendors to augment the module after publication as an RFC, which they will be practicably forced to do.
>>
>> Would supporting TCP keepalives in the IETF-defined module be something the WG would agree to discuss? A possible solution, shown below, could be to add a new container parallel to the existing ‘keep-alives’ container to explicitly support the configuration for TCP keepalives. In addition, a feature statement (e.g. "keep-alives") could be added to the existing ‘keep-alives’ container, as RFC 8071 S7 says SHOULD (not MUST).
>> container tcp-keep-alives {
>> if-feature tcp-keep-alives;
>> description
>> "Configures the keep-alive policy, to
>> proactively test the aliveness of the TCP
>> peer. An unresponsive TCP peer will
>> be dropped after approximately max-attempts *
>> max-wait seconds.";
>> reference
>> "RFC 1122: Requirements for Internet Hosts --
>> Communication Layers, section 4.2.3.6<https://urldefense.proofpoint.com/v2/url?u=http-3A__4.2.3.6&d=DwMGaQ&c=HAkYuh63rsuhr6Scbfh0UjBXeMK-ndb3voDTXcWzoCI&r=9zkP0xnJUvZGJ9EPoOH7Yhqn2gsBYaGTvjISlaJdcZo&m=f1mQZB52BQHRxF7T0NNUYOMmlBSI42GDpC_NX1VCdzw&s=tOy-XYY63vW0GIzmo_whpDffv-YEaiPy-lDshUOyx-o&e=>.";;
>> leaf max-wait {
>> type uint16 {
>> range "1..32767";
>> }
>> units seconds;
>> default 30;
>> description
>> "Sets the amount of time in seconds after
>> which if no data has been received from
>> the TCP peer, a TCP-level message
>> will be sent to test the aliveness of the
>> TCP peer.";
>> }
>> leaf max-attempts {
>> type uint8 {
>> range "1..127";
>> }
>> default 3;
>> description
>> "Sets the maximum number of sequential keep-
>> alive messages that can fail to obtain a
>> response from the TCP peer before
>> assuming the TCP peer is no longer
>> alive.";
>> }
>> leaf interval-between-attempts {
>> type uint16 {
>> range "1..32767";
>> }
>> units seconds;
>> default 30;
>> description
>> "Sets the amount of time in seconds after
>> which, if no reply to a keep-alive message
>> has been received from the TCP peer, the
>> next keep-alive message will be sent.";
>> }
>> }
>> }
>>
>>
>> What is the opinion of the list? Would this solution work?
>>
>> Best regards
>> Nick & Yves
>>
>>
>>
>>
>>
>>
>> _______________________________________________
>> Netconf mailing list
>> Netconf@ietf.org
>> https://urldefense.proofpoint.com/v2/url?u=https-3A__www.ietf.org_mailman_listinfo_netconf&d=DwIGaQ&c=HAkYuh63rsuhr6Scbfh0UjBXeMK-ndb3voDTXcWzoCI&r=9zkP0xnJUvZGJ9EPoOH7Yhqn2gsBYaGTvjISlaJdcZo&m=n1Ew69P_92NcpKfb6HiepQwhe21v4fTuNEa-YZ_vs6s&s=CVqduXP2RuuZY7nPF0drm5h9oFCMIMGg0ux6shk88OI&e=
>>
>>
>> _______________________________________________
>> Netconf mailing list
>> Netconf@ietf.org
>> https://urldefense.proofpoint.com/v2/url?u=https-3A__www.ietf.org_mailman_listinfo_netconf&d=DwIDaQ&c=HAkYuh63rsuhr6Scbfh0UjBXeMK-ndb3voDTXcWzoCI&r=9zkP0xnJUvZGJ9EPoOH7Yhqn2gsBYaGTvjISlaJdcZo&m=zzFq9Fp2lEWaEupRxa7mXtOgQHfoylXJshq8HQwfUnA&s=gxTeCP_OaETTpPPkfQ7cgU-ELC_B8b_vVF0XCONqtVE&e=
>
>