Re: [Netconf] rfc5539bis
Juergen Schoenwaelder <j.schoenwaelder@jacobs-university.de> Mon, 27 October 2014 14:55 UTC
Return-Path: <j.schoenwaelder@jacobs-university.de>
X-Original-To: netconf@ietfa.amsl.com
Delivered-To: netconf@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E01091A89E5 for <netconf@ietfa.amsl.com>; Mon, 27 Oct 2014 07:55:50 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.56
X-Spam-Level:
X-Spam-Status: No, score=-1.56 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HELO_EQ_DE=0.35, RCVD_IN_DNSWL_NONE=-0.0001, T_RP_MATCHES_RCVD=-0.01] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id NRaZzXqDtH99 for <netconf@ietfa.amsl.com>; Mon, 27 Oct 2014 07:55:48 -0700 (PDT)
Received: from atlas3.jacobs-university.de (atlas3.jacobs-university.de [212.201.44.18]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 38AC11A8839 for <netconf@ietf.org>; Mon, 27 Oct 2014 07:55:48 -0700 (PDT)
Received: from localhost (demetrius5.irc-it.jacobs-university.de [10.70.0.222]) by atlas3.jacobs-university.de (Postfix) with ESMTP id B38338F2; Mon, 27 Oct 2014 15:55:46 +0100 (CET)
X-Virus-Scanned: amavisd-new at jacobs-university.de
Received: from atlas3.jacobs-university.de ([10.70.0.220]) by localhost (demetrius5.jacobs-university.de [10.70.0.222]) (amavisd-new, port 10030) with ESMTP id HKCOJgW9OFLT; Mon, 27 Oct 2014 15:55:42 +0100 (CET)
Received: from hermes.jacobs-university.de (hermes.jacobs-university.de [212.201.44.23]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client CN "hermes.jacobs-university.de", Issuer "Jacobs University CA - G01" (verified OK)) by atlas3.jacobs-university.de (Postfix) with ESMTPS; Mon, 27 Oct 2014 15:55:45 +0100 (CET)
Received: from localhost (demetrius3.jacobs-university.de [212.201.44.48]) by hermes.jacobs-university.de (Postfix) with ESMTP id 8233D20037; Mon, 27 Oct 2014 15:55:45 +0100 (CET)
X-Virus-Scanned: amavisd-new at jacobs-university.de
Received: from hermes.jacobs-university.de ([212.201.44.23]) by localhost (demetrius3.jacobs-university.de [212.201.44.32]) (amavisd-new, port 10024) with ESMTP id Mw39EVwriNeK; Mon, 27 Oct 2014 15:55:44 +0100 (CET)
Received: from elstar.local (elstar.jacobs.jacobs-university.de [10.50.231.133]) by hermes.jacobs-university.de (Postfix) with ESMTP id D100720035; Mon, 27 Oct 2014 15:55:43 +0100 (CET)
Received: by elstar.local (Postfix, from userid 501) id 199552F140CA; Mon, 27 Oct 2014 15:55:43 +0100 (CET)
Date: Mon, 27 Oct 2014 15:55:42 +0100
From: Juergen Schoenwaelder <j.schoenwaelder@jacobs-university.de>
To: "t. petch" <ietfc@btconnect.com>
Message-ID: <20141027145542.GB8819@elstar.local>
Mail-Followup-To: "t. petch" <ietfc@btconnect.com>, Kent Watsen <kwatsen@juniper.net>, netconf@ietf.org
References: <201410201458.s9KEw5Qm064083@mainfs.snmp.com> <03ae01cfed3c$50d39d20$4001a8c0@gateway.2wire.net> <20141021153455.GA91264@elstar.local> <D06D6654.86473%kwatsen@juniper.net> <021801cfeea0$4d7ab860$4001a8c0@gateway.2wire.net>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Disposition: inline
In-Reply-To: <021801cfeea0$4d7ab860$4001a8c0@gateway.2wire.net>
User-Agent: Mutt/1.4.2.3i
Archived-At: http://mailarchive.ietf.org/arch/msg/netconf/G0U-Iwpl3_KFu9U2C0N6qNSOrnU
Cc: netconf@ietf.org
Subject: Re: [Netconf] rfc5539bis
X-BeenThere: netconf@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
Reply-To: Juergen Schoenwaelder <j.schoenwaelder@jacobs-university.de>
List-Id: Network Configuration WG mailing list <netconf.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/netconf>, <mailto:netconf-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/netconf/>
List-Post: <mailto:netconf@ietf.org>
List-Help: <mailto:netconf-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/netconf>, <mailto:netconf-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 27 Oct 2014 14:55:51 -0000
Hi, the editor does not understand the edits since I do not see clear agreement of the scope of the document and thus there won't be a new version before the cutoff. It makes a major difference to me whether the document is - NC over TLS with mutual X.509 authentication or - NC over TLS plus a structure to plug in new authentication mechanisms and it is not clear whether - we details the algorithm to extract a username out of an X.509 certificate in this spec or - leave it to the server configuration model. If fact, we would be duplicating some elements from RFC 6353 and the reusable YANG grouping is in draft-ietf-netmod-snmp-cfg-08 (yes, an interesting dependency chain results from that). I think the WG needs to sort out what set of documents is wanted before making further edits. /js On Thu, Oct 23, 2014 at 10:04:00AM +0100, t. petch wrote: > ---- Original Message ----- > From: "Kent Watsen" <kwatsen@juniper.net> > To: "Juergen Schoenwaelder" <j.schoenwaelder@jacobs-university.de>; "t. > petch" <ietfc@btconnect.com> > Cc: <netconf@ietf.org> > Sent: Wednesday, October 22, 2014 7:29 PM > > >RFC 5539 has used X.509 certificates and nobody seems to request any > >changes. Why do you make this complicated? > > > >Yes, NC access control is different from SNMP access control but this > >is irrelevant. All the transport has to deliver is a user name. Why do > >we have to make this complicated? > > I kind of agree with both sides. > > On one hand, 5539bis-06 clearly intends to define mutual > certificate-based > authentication - just search for the word "mutual". Additionally, > Juergen > already explained that he put PSK in (-02, according to the change log ) > to support NETCONF-light, and since took it out. So we're essentially > back to just trying to clean up 5539 and make it be in-line with NETCONF > 1.1. > > On the other hand, there are a couple issues with 5539bis-06: > > 1) section 2.4.2 (Client Identity) doesn't actually say that > certificate-based authentication is required. For instance, this text > from RFC5539 was left out: "with certificate-based authentication > according to local policy" > > 2) I'm confused by these seemingly conflicting statements: > > - section 2.4 (X.509-based Authentication...) says "Implementations > MAY > optionally > support TLS certificate-based authentication" > - section 2.5 (Cipher Suites) says "However, implementations MUST > support TLS 1.2". > > So, to Juergen's point, I don't think this needs to be complicated, but > I > do think we need to be methodical about ensuring the text says what we > want it to say. > > <tp> > > Kent > > This is what I keep saying or at least, try to say - not sure how clear > I am being. But until those loose ends of text are removed, then > 5539bis remains ambiguous IMHO (and I then remain reluctant to move on > to other issues and other I-Ds). > > I would go slightly further and change the title and Intro. Martin > raised the point about this I-D seeming to exclude other forms of > authentication with TLS so I would entitle this one > > " Using the NETCONF Protocol over Transport Layer Security (TLS) with > X.509 Certificates" > > Then anyone is free to write another I-D entitled > " Using the NETCONF Protocol over Transport Layer Security (TLS) with > PAKE" > or > " Using the NETCONF Protocol over Transport Layer Security (TLS) with > PSK" > etc etc > > That leaves us free to be as 'MUST' as we like about authentication, > because our use case is simple. > > I want to see a fresh I-D along these lines - but see below ... > > </tp> > > One last point, I'm opposed to 5539bis using > draft-ietf-netconf-server-model as a Normative Reference. I believe > that > 5539bis should define the protocol on its own, and view > draft-ietf-netconf-server-model as just one data-model that could > configure it. FWIW, neither 6242 nor draft-ietf-netconf-call-home have > a > Normative Reference draft-ietf-netconf-server-model. > > <tp> > suive ... There is another issue in here. RFC6241 mandates > "The authentication process MUST result in an authenticated client > identity whose permissions are known to the server." > which suggests we should say something about how. 5539bis did have text > about this but that is now in server-model. Which sort of leads to > having a normative dependency of 5539bis on server-model, not for > configuration reasons but for the algorithm used to extract an > authenticated client identity from what information the server has > gotten.. > > But I do see this as a separate, more debatable issue, to be discussed > once there is clarity in the published I-D about the use of > certificates. And I do think that the document structure is right, that > is, how to extract the identity does belong in server-model and not in > TLS or SSH or other transport I-Ds. > > Tom Petch > > Thanks, > Kent > -- Juergen Schoenwaelder Jacobs University Bremen gGmbH Phone: +49 421 200 3587 Campus Ring 1, 28759 Bremen, Germany Fax: +49 421 200 3103 <http://www.jacobs-university.de/>
- Re: [Netconf] rfc5539bis Alan Luchuk
- Re: [Netconf] rfc5539bis t.petch
- Re: [Netconf] rfc5539bis Juergen Schoenwaelder
- Re: [Netconf] rfc5539bis Kent Watsen
- Re: [Netconf] rfc5539bis t.petch
- Re: [Netconf] rfc5539bis Juergen Schoenwaelder
- Re: [Netconf] rfc5539bis > - NC over TLS with mut… t.petch
- Re: [Netconf] rfc5539bis- leave it to the server … t.petch