Re: [netconf] netconf-tls wasRe: Summary of updates

tom petch <ietfc@btconnect.com> Tue, 25 May 2021 09:56 UTC

Return-Path: <ietfc@btconnect.com>
X-Original-To: netconf@ietfa.amsl.com
Delivered-To: netconf@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id DAB453A00C8 for <netconf@ietfa.amsl.com>; Tue, 25 May 2021 02:56:59 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.901
X-Spam-Level:
X-Spam-Status: No, score=-1.901 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_MSPIKE_H2=-0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=btconnect.onmicrosoft.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id B_JdQ5drz55N for <netconf@ietfa.amsl.com>; Tue, 25 May 2021 02:56:55 -0700 (PDT)
Received: from EUR04-DB3-obe.outbound.protection.outlook.com (mail-eopbgr60139.outbound.protection.outlook.com [40.107.6.139]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 1DD333A00C3 for <netconf@ietf.org>; Tue, 25 May 2021 02:56:54 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=B9cs8D057aAhSReg2AA5LEx84Id8u1vzbFzlLI7yWshElEvu/y+djKCfEus0BRzIT2EarLbo3kK3QgLq53MwYuc2XO+LpzfrmukTu23XMzl6cKdOXymJbLUaxL9gZp9+fIpadwDDWAFolKbf7TQI6pC/MRHopRHMxV3+w5ntw79nZVN99YHMYdK3NDYonIWg9HReO3tVR+r/XihYl8BZHdO7lxXa8Xymh81dLPGzhJ25HucXEz8LWHUCOzOwXM5BIqjASGr51p0fmH1HgQal5yINVyszC7Xy+DH3804poQZKGLJ5stLQxiqInlcgB+ot+07fn5NAQ3f3DRHAWR8+/A==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=6OxMZu669sKNhiP4yJnhHkgFiBGZsraegtb1Eg/TWi8=; b=PSWQ4xJ+qak1d2dkhzYT1gcPYFkX4rM8s2dOSdwnqZzQF6mWGsuNDXFUkbHQepDmPfAuS3n8WDDWkIuowmwF76ZFk2gUwj0gCPPkbSmeZFDioGyMsdEwP8lY9575kctADVCGdHIw8dhxyn5ItdwuW85HslQ+We1163ZiX58VAExfeCH+elk3opVbYxzH/EXO7KzfzlW7UShkl5jCLzWAjOcrdxK0HLwWwRsWmyW34HGsQ/45xHZRdYwGvEVmeNQSYV6ToP7wVIBAK9DwDY6vwQ2agvzRdJY5ehksXsVkSW0d0uOoe9Tnid56JwUCGNAPFvV6pmw/WniTPlXQmR/nnw==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=btconnect.com; dmarc=pass action=none header.from=btconnect.com; dkim=pass header.d=btconnect.com; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=btconnect.onmicrosoft.com; s=selector2-btconnect-onmicrosoft-com; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=6OxMZu669sKNhiP4yJnhHkgFiBGZsraegtb1Eg/TWi8=; b=MQFdQ81cAx/QlNkyodDeyrNK8dYppzpmXLYeEn+30fSDMFZCcWWoWSafAiLI3i0sutM4RFWEm6VfSCfmE+//+RXC9huy5D/mEDHfPqQthj0AX/YNdRlN1pGpgY68o1y1qseEyPqDzpBFEOySncO3dkV6MjRhXNn4kpy2rxZ8MPQ=
Received: from AM7PR07MB6248.eurprd07.prod.outlook.com (2603:10a6:20b:134::11) by AM7PR07MB6279.eurprd07.prod.outlook.com (2603:10a6:20b:137::13) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.4173.12; Tue, 25 May 2021 09:56:52 +0000
Received: from AM7PR07MB6248.eurprd07.prod.outlook.com ([fe80::a05a:a474:bf78:f0a9]) by AM7PR07MB6248.eurprd07.prod.outlook.com ([fe80::a05a:a474:bf78:f0a9%7]) with mapi id 15.20.4173.020; Tue, 25 May 2021 09:56:52 +0000
From: tom petch <ietfc@btconnect.com>
To: Kent Watsen <kent+ietf@watsen.net>
CC: "netconf@ietf.org" <netconf@ietf.org>, "garywu@cisco.com" <garywu@cisco.com>
Thread-Topic: netconf-tls wasRe: [netconf] Summary of updates
Thread-Index: AQHXUPLWSrmKpVGr1UKbZ6VyMkdjp6rz9S9C
Date: Tue, 25 May 2021 09:56:52 +0000
Message-ID: <AM7PR07MB624888AD4CB3C09809B22702A0259@AM7PR07MB6248.eurprd07.prod.outlook.com>
References: <0100017980c49236-7975b99d-b591-4da2-a118-f6598517c4e5-000000@email.amazonses.com> <AM7PR07MB624835D8BE54144D97221817A02B9@AM7PR07MB6248.eurprd07.prod.outlook.com> <010001798c0d947e-4d2d14f5-9f0e-450d-ac99-e18c260f0c2b-000000@email.amazonses.com> <AM7PR07MB6248FF0E1E5A053D4FA2BDC4A0299@AM7PR07MB6248.eurprd07.prod.outlook.com>, <01000179a0aa5d37-4810234e-8db2-434d-b8fa-780c1648955a-000000@email.amazonses.com>
In-Reply-To: <01000179a0aa5d37-4810234e-8db2-434d-b8fa-780c1648955a-000000@email.amazonses.com>
Accept-Language: en-GB, en-US
Content-Language: en-GB
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
authentication-results: watsen.net; dkim=none (message not signed) header.d=none;watsen.net; dmarc=none action=none header.from=btconnect.com;
x-originating-ip: [86.143.250.49]
x-ms-publictraffictype: Email
x-ms-office365-filtering-correlation-id: bd0e12d7-7eb1-426c-9d22-08d91f636c12
x-ms-traffictypediagnostic: AM7PR07MB6279:
x-microsoft-antispam-prvs: <AM7PR07MB6279134C272CF4566C3C3231A0259@AM7PR07MB6279.eurprd07.prod.outlook.com>
x-ms-oob-tlc-oobclassifiers: OLM:2449;
x-ms-exchange-senderadcheck: 1
x-microsoft-antispam: BCL:0;
x-microsoft-antispam-message-info: gZTNNyLYFw8BNsDqywTTexaKrhHeVUvizWcrmkgZoTGMEBXqEtbKTRDdKaFe8QqPgjC1VuHNQ9pl4x/y7pEY1PAUFtZSszfgAk/rAKARG9N+6V2cRJ1W/tkKLCdYY+pItgIgbDh2FU2KwfkLn7MIj/vW7M9C2Mff23ZdNup0y6+plvzsxqxMgRdS/Hd6hToAsfwsTTFGDmQ06+0inq5UDn43ZaPie+j4424miCeAu6zo741TUkCkmk6rse/uFbyfdJLH8M5B3n2pkXVlx51/My8sHMz4OGKutAl5g1zAcPy0Kga/QCCYdjyJ3UOWcT3K+EyCh5YZ595nREDhd7p5jFczbcP22JQP7Wp+ppfC46o32BjTjhkAXULLzzKFhq8OA1Nv1Do1oxWFx6KY5ZqYZ8GoOdoi0HIxTYXNG46AKxVoa2OKAb98jln/AJRWX5fD10ddyUY0obBCyrou4dstqDHTz2K5KnfYuGKKALVsp/ZNuLDGO/Pz57F2sUr/H9gwO2WMzXxDBoGxM4c7ZShhgzZFlQwt978NOzmDASmKhOnOypNFr0V2OA8IFa9kRtoVVXuIkq/C1QWyhNHTyMFnkMX2bI6ARBRWxG9ZwsKLH5Z90lfZuMUfItUlbtBs4bY5ueHDF2awNPKlQ1Msjpg1fVuTZfnosI8gEb47RD45Bb7nuGBXTQkeGP4Xkr3ct7NVGiOYhMJnkA4A5a8KBf7h97I5XJf4UWvFGCTX67QlAhM=
x-forefront-antispam-report: CIP:255.255.255.255; CTRY:; LANG:en; SCL:1; SRV:; IPV:NLI; SFV:NSPM; H:AM7PR07MB6248.eurprd07.prod.outlook.com; PTR:; CAT:NONE; SFS:(396003)(346002)(39860400002)(366004)(136003)(376002)(64756008)(66446008)(66476007)(52536014)(66556008)(86362001)(76116006)(5660300002)(54906003)(91956017)(26005)(9686003)(66946007)(316002)(33656002)(8676002)(8936002)(71200400001)(83380400001)(38100700002)(122000001)(15650500001)(966005)(478600001)(2906002)(6506007)(55016002)(4326008)(7696005)(186003); DIR:OUT; SFP:1102;
x-ms-exchange-antispam-messagedata: =?Windows-1252?Q?PRQfN6hsQcn+3vEvbxbj9zqdr3ooc3bzJ5RDpAh1SvJsRmiktAktTvRh?= =?Windows-1252?Q?iggZ99mTjhhS7GFBO3stDn/N/wt0V/zhJBhAIQnpFqlBQ+oi80Waz+Im?= =?Windows-1252?Q?SPQEMr7CDlMSf7QPFN/V+Oz6Et6V91LP5kK6h0tlncnDr5/jhd5gcCly?= =?Windows-1252?Q?S0QB866p/vDiKh74CTWbpKIorvePsCk/zaqPZrL2yXueTBU0Ca5ezHLA?= =?Windows-1252?Q?nLUXLq7TqXw28Yy/q03yb9b/S2O5OeIiIEZ+mTy9PjCFw04jBB2YBPLE?= =?Windows-1252?Q?u0dLbQR4Ms/jX++a/qPemATn8lnRB9Z5EQwD2bTF7/asYK36qyEr4oCV?= =?Windows-1252?Q?7JI72kQInsz84oy7d6uT5VuMXX2Um/S6fOulNMfglsJoRrcBoX1SYmlp?= =?Windows-1252?Q?TCSx4fH79R1S2fJE13wA3WHjEbG6qZimS39tLOyzaC/I4CNc8wzD17wl?= =?Windows-1252?Q?2d7UXeBPN/y3CXQz2Rm1ECDL7Yh4QUgub9rRdq8IpU8YN/mjL5MxthTW?= =?Windows-1252?Q?9DirF00obG7Us/ymtaGV4omUmATnk8p1FF9BqiSRcVpG3OedWRYkdQ7Q?= =?Windows-1252?Q?2ylvu29GI+EIBm/QOiF7VJ4x7oKo14nr2Pc0p+m+M8nDo4qO8AEa2M21?= =?Windows-1252?Q?HgPWTKtap8zJ2yy9gWY9ei9zlrROZqfp+f+jGM1eZwOdw2NHZdVoBnfv?= =?Windows-1252?Q?uTHf1ZPBMzcJKZw2yxER3TFfxTR7FHzZKkqOBzQO8y4xAxMcSh04tkWO?= =?Windows-1252?Q?sh56eYHHn4LEhqF9RHiRBv8sS0+sx/6flLFrm4EaBOboshLyL5HsxP7C?= =?Windows-1252?Q?Z0e4EIFLIsUfSbnFC7w0dTN8mal9itPEQaJLeh8qz0avCl1jnYmc3+uZ?= =?Windows-1252?Q?Ei1OWaPe5EXgBl4l9Xn9a3v1kfic5J5giqCgUmw58NBIfhfS/MWMC4E6?= =?Windows-1252?Q?lnlQWUf6s6tCQ0+sGVTCOK2WinypdiO1pIFxcO61UVmJhgyK7UtS5hRa?= =?Windows-1252?Q?28xC/MJCR0B4ZagtzY/P8AM4OVWaYmC/qNnfrMDl/YC+bQo4ym5vHxnI?= =?Windows-1252?Q?M97ABTK68goC/FMKsg0MOBwNC4k9+sG/hKw6R4CKp4mEkqLEpAVohP3+?= =?Windows-1252?Q?qxiGFRIjM6NdF/zFbE9uD+f4zwo6wlllCrrhCNfpR2SW3MVpVE5fnfii?= =?Windows-1252?Q?8QwSGHNvcOkBqX11REkyn4MtK+2dSoY22cAvDE2mnWONoNWXBa9/N+uV?= =?Windows-1252?Q?CAa5BKy2QXWw3th3n902Xb7houBEIgMU7i3YmzxPBRUj9pbDUOMfZp/0?= =?Windows-1252?Q?ZCH2Jm0JcRhVRDO5R010MZW8IjeOgCKBdy4OlB69euk0NGdlZ2vGdHVZ?= =?Windows-1252?Q?4hnttNG/st8R2MIX7r2fenJKpB+GsR8eGy4=3D?=
x-ms-exchange-transport-forked: True
Content-Type: text/plain; charset="Windows-1252"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
X-OriginatorOrg: btconnect.com
X-MS-Exchange-CrossTenant-AuthAs: Internal
X-MS-Exchange-CrossTenant-AuthSource: AM7PR07MB6248.eurprd07.prod.outlook.com
X-MS-Exchange-CrossTenant-Network-Message-Id: bd0e12d7-7eb1-426c-9d22-08d91f636c12
X-MS-Exchange-CrossTenant-originalarrivaltime: 25 May 2021 09:56:52.3903 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: cf8853ed-96e5-465b-9185-806bfe185e30
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-CrossTenant-userprincipalname: ybwguubvtYszlcywEF6ilC48+t89m4IT1fO/Z+CkY4pys0JeSn4oizi7ZaUAC89jQj9+MNlnuAqnt3S/Yx2C3Q==
X-MS-Exchange-Transport-CrossTenantHeadersStamped: AM7PR07MB6279
Archived-At: <https://mailarchive.ietf.org/arch/msg/netconf/Fv9-oMS9KC2jkSNGIA07ADXA61E>
Subject: Re: [netconf] netconf-tls wasRe: Summary of updates
X-BeenThere: netconf@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: NETCONF WG list <netconf.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/netconf>, <mailto:netconf-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/netconf/>
List-Post: <mailto:netconf@ietf.org>
List-Help: <mailto:netconf-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/netconf>, <mailto:netconf-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 25 May 2021 09:57:00 -0000

From: Kent Watsen <kent+ietf@watsen.net>
Sent: 25 May 2021 00:16
[CC-ing Gary in case he can help]

Hi Tom,

> I still think that the I-D lacks clarity about supported versions.
>
> Introduction
> TLS Protocol [RFC5246]
> Clearly this is TLS1.2 only
>
> Yes.   In keeping with the original intention (to reference just the current, not obsoleted, document), this should be updated to RFC 8446.   But I wonder if you think the document should reference all four documents (2246, 4346, 5246, and 8446) and then have DOWNREFS?

I didn’t get what you wanted to do here but, for now, I replaced that reference with this paragraph:

    Any version of TLS may be configured, including
     <xref target="RFC2246"/>,  <xref target="RFC4346"/>,
     <xref target="RFC5246"/>, and <xref target="RFC8446"/>.
     Configuring obsolete protocol versions for use in production
     networks is NOT RECOMMENDED.

<tp>
I would still drop 1.0 and 1.1 entirely but see that others disagree.  As things stand, I do think that you need to differentiate between 1.2/1.3 and 1.0/1.1, the former being comprehensively supported, the latter not.  I do not have a good set of words for this but think that you need something in the Introduction to set expectations. You could add more details of 1.0/1.1 but I would see that as a retrograde step.

Tom Petch 

Tom Petch


> I was all for ditching any mention of 1.1 and 1.0 if only for the extra complication.

By “was all for”, do you mean that you’re no longer?  That is, that “supporting” all versions is fine?



>   I no longer recall where 1.2 differs from its predecessors e.g. extensions incorporated in the base, signature algorithms, and it is probably overkill to find the relevant references for those older versions and adding them to the YANG as well but do think something needs adding in the body of the I-D to the effect that support for 1.0, 1.1 is partial, identity for the version number but not details of cipher suites, relevant RFC and so on.

Would you suggest adding said comment to the above paragraph?



> s.2
> This model supports both TLS1.2 and TLS1.3
> Ah, no, TLS1.2 and TLS1.3 but not TLS1.0 or TLS1.1

Do you mean that the sentence is incorrect because the model does support 1.0 and 1.1?  Perhaps simple remove the sentence altogether in light of the above new paragraph?



> s.2.1.1
> Features
> tls-1_0
> tls-1_1
> tls-1_2
> tls-1_3
> Ah no, it may not support 1.0 and 1.1 but it ........ for them but I know not what.

I don’t understand this comment.



> 2.2
> an example for 1.1 and 1.2 but not 1.3; interesting.

That example is completely arbitrary IMO but, alas, it was created by Gary Wu, who is listed as a “Contributor”, but we haven’t heard from in a long time since...



> Reverse engineering the YANG I find that that 'Version 1.0 is supported', 'Version 1.1 is supported'.

Correct.  All the versions as “supported”; all but 1.3 are NOT RECOMMENDED.  Is this a problem?



> hello-params-grouping
> Only 1.2 is referenced as indeed is repeatedly the case in the YANG modules
>
> Mmm I dunno!

Again, 1.2 *was* “current” before and so everything just pointed to it, assuming that it is a superset of 1.0 and 1.1?  We could just replace all refs to “1.2” with “1.3” and call it a day, but I don’t know if that would be technically accurate.



> I want the Introduction to set the scene which subsequent sections expand on and that I see as lacking.  Support fot 1.0 and 1.1 would, for me, catering for the different cipher suites that they have.

So we need to define additional ciphersuites for 1.0 and 1.1 or dump support for those protocol versions?



> In passing, I was wrong about public keys.  I misread the statement that only certificates and PSK are supported in TLS1.3, forgetting that certificate(255) is a public key!

Gotcha


> Tom Petch

THANK YOU!

Updates can be found in https://github.com/netconf-wg/tls-client-server/commit/b94588b5a33c0852cfacbc415ca0a626bc1c5763.

K.