Re: [netconf] Securing UDP-notif messages with DTLS

Pierre Francois <pierre.francois.ietf@gmail.com> Mon, 02 August 2021 19:22 UTC

References: <152841A6-6A37-4F75-857D-2F70346AFB5D@insa-lyon.fr> <0100017b07afa694-e244f7b7-ab7b-4fab-b669-793f9f6b87d2-000000@email.amazonses.com> <CAFNmoOHNKP8g9syh9KE6KFtCQUGsYBSCR7GO1NCby6UqCt0y7A@mail.gmail.com> <20210802173342.6kv5gkhkuu4tapcw@anna.jacobs.jacobs-university.de>
In-Reply-To: <20210802173342.6kv5gkhkuu4tapcw@anna.jacobs.jacobs-university.de>
From: Pierre Francois <pierre.francois.ietf@gmail.com>
Date: Mon, 02 Aug 2021 21:22:02 +0200
Message-ID: <CAFNmoOHQ96g3ZX0DMN8x9J1PPbqkzHR6_uj73oUDfXqgwC5E9A@mail.gmail.com>
To: Juergen Schoenwaelder <j.schoenwaelder@jacobs-university.de>, Pierre Francois <pierre.francois.ietf@gmail.com>, Kent Watsen <kent@watsen.net>, pierre francois <pierre.francois@insa-lyon.fr>, Marco.Tollini1@swisscom.com, Netconf <netconf@ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/netconf/HT9w6gP1bsoUXoAuzw0DpvA2nBw>

Juergen,

Thanks for your input.

The IESG composition won't change much of the story on this aspect, I think.
Alright, I'll discuss with all the authors involved and get back to the
list. I guess no one in the WG will object to a merge if we decide to go
this way.

Cheers,

/pfr

On Mon, 2 Aug 2021 at 19:33, Jürgen Schönwälder <
j.schoenwaelder@jacobs-university.de> wrote:

> In the past, there were people on the IESG that would tell you that "a
> controlled environment" is in most cases a myth. (There is something
> to this argument once you think about how messed up the world appears
> to be these days.)
>
> There certainly is a point that compliant implementations must support
> a secure transport so that people deploying the technology have the
> choice to use it. If an operator then decides to not use the secure
> transport, so be it, that is then the operator's free choice (and
> responsibility). But not being able to make this choice, because a secure
> transport is not universally implemented, is an obstacle to avoid.
>
> And yes, this is all about what needs to be implemented to be
> compliant. The IESG has little influence on what people use, but it
> can influence that people have a choice by requiring the
> implementation of a secure transport by compliant implementations.
>
> /js
>
> PS: Of course, I am talking from past experience, and the details of
>     the story lines usually change with the IESG composition.
>
> On Mon, Aug 02, 2021 at 07:14:35PM +0200, Pierre Francois wrote:
> > Hello everyone,
> >
> > I'm fine with merging the two drafts. What I wish is that the existing
> > implementations that do not mandate dtls activation remain legit wrt the
> > resulting RFC.
> > We're aiming at lightweight transport in controlled environments here.
> >
> > Cheers,
> > Pierre.
> >
> > On Mon, 2 Aug 2021 at 18:26, Kent Watsen <kent@watsen.net> wrote:
> >
> > >
> > > Mahesh and I were wondering about this.  When Pierre mentioned the DTLS
> > > work, we were “surprised” in that we too assumed the “udp” draft had the
> > > security bits.
> > >
> > > It is true that the IESG has been all but mandating security for years
> > > now.  IIRC, Syslog over UDP is obsolete due to being unsecured.
> > >
> > > K.
> > >
> > > On Aug 2, 2021, at 11:53 AM, Zmail <alex.huang-feng@insa-lyon.fr> wrote:
> > >
> > > Noted, I’ll discuss this with Unyte team.
> > >
> > > Alex
> > >
> > > On 2 Aug 2021, at 11:40, Jürgen Schönwälder <
> > > j.schoenwaelder@jacobs-university.de> wrote:
> > >
> > > Since I doubt that a protocol not providing security will receive
> > > IESG approval, I suggest that this work is getting integrated into
> > > draft-ietf-netconf-udp-notif-03.txt.
> > >
> > > I have not read the content but the I-D seems fairly small so
> > > integration into the WG document should be fairly trivial. Given past
> > > experience, it might be that the DTLS/UDP transport will become the
> > > mandatory to implement transport.
> > >
> > > /js
> > >
> > > On Mon, Aug 02, 2021 at 10:59:07AM +0200, Zmail wrote:
> > >
> > > Hello to everyone,
> > >
> > > We would like to present a new draft we didn’t have time to show on the
> > > last IETF meeting.
> > >
> > > https://datatracker.ietf.org/doc/draft-unyte-netconf-udp-notif-dtls/
> > >
> > > This draft defines a mechanism to secure UDP-notif protocol messages using
> > > DTLS 1.3.
> > > It defines the different layers involved, the DTLS session lifecycle and
> > > the mandatory cipher suites to use. It also makes explicit that no
> > > extensions of DTLS are needed and that IP fragmentation should be avoided.
> > > We would like to have some feedback for this draft.
> > >
> > > We will present the draft to the WG on the next IETF meeting.
> > >
> > > Looking forward to hearing from you,
> > >
> > > Alex Huang Feng
> > >
> > >
> > > _______________________________________________
> > > netconf mailing list
> > > netconf@ietf.org
> > > https://www.ietf.org/mailman/listinfo/netconf
> > >
> > >
> > >
> > > --
> > > Juergen Schoenwaelder           Jacobs University Bremen gGmbH
> > > Phone: +49 421 200 3587         Campus Ring 1 | 28759 Bremen | Germany
> > > Fax:   +49 421 200 3103         <https://www.jacobs-university.de/>
> > >
> > >
>
>
>
>
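Added illustration of the "IP fragmentation should be avoided" point in the draft summary quoted above; this is not code from the draft, from the Unyte team, or from anyone in the thread. A sender can only keep each notification inside one unfragmented datagram if it budgets the DTLS 1.3 record overhead of the negotiated cipher suite (plus the IP and UDP headers) against the path MTU. The header and AEAD tag sizes below are taken from RFC 9147 (DTLS 1.3 unified header) and RFC 8446 (TLS 1.3 cipher suites); the per-segment framing length passed to plan_segments is a placeholder, because the thread does not describe the draft's actual segmentation format.

```python
"""
Datagram budget for UDP-notif over DTLS 1.3 (added illustration, not code
from the draft or from anyone in the thread).

Assumptions, stated here because the thread does not give them:
  * DTLS 1.3 unified ciphertext header per RFC 9147 section 4
    (1 fixed byte, 8- or 16-bit sequence number, optional 16-bit length,
    optional connection ID);
  * AEAD tag sizes of the TLS 1.3 cipher suites per RFC 8446 / RFC 5116;
  * the one-byte inner content type encrypted with the payload (RFC 8446 5.2);
  * seg_hdr_len stands in for whatever per-segment framing a UDP-notif
    implementation adds and is a placeholder, not the draft's value.
"""

IPV4_HDR_LEN = 20
IPV6_HDR_LEN = 40
UDP_HDR_LEN = 8
INNER_CONTENT_TYPE_LEN = 1  # TLSInnerPlaintext.type, encrypted with the payload

# AEAD tag length in bytes for the TLS 1.3 cipher suites (RFC 8446 appendix B.4).
AEAD_TAG_LEN = {
    "TLS_AES_128_GCM_SHA256": 16,
    "TLS_AES_256_GCM_SHA384": 16,
    "TLS_CHACHA20_POLY1305_SHA256": 16,
    "TLS_AES_128_CCM_SHA256": 16,
    "TLS_AES_128_CCM_8_SHA256": 8,
}


def dtls13_record_header_len(cid_len=0, seq16=True, with_length=True):
    """Bytes occupied by the DTLS 1.3 unified header of one ciphertext record."""
    if not 0 <= cid_len <= 255:
        raise ValueError("connection ID length must be 0..255")
    return 1 + (2 if seq16 else 1) + (2 if with_length else 0) + cid_len


def dtls13_record_len(plaintext_len, cipher_suite, cid_len=0, seq16=True, with_length=True):
    """Wire size of one DTLS 1.3 record carrying plaintext_len application bytes."""
    if plaintext_len < 0:
        raise ValueError("negative plaintext length")
    return (dtls13_record_header_len(cid_len, seq16, with_length)
            + plaintext_len + INNER_CONTENT_TYPE_LEN + AEAD_TAG_LEN[cipher_suite])


def datagram_len(plaintext_len, cipher_suite, ipv6=True, cid_len=0, seq16=True, with_length=True):
    """IP + UDP + DTLS record bytes when one notification rides in one record."""
    ip_hdr = IPV6_HDR_LEN if ipv6 else IPV4_HDR_LEN
    return ip_hdr + UDP_HDR_LEN + dtls13_record_len(
        plaintext_len, cipher_suite, cid_len, seq16, with_length)


def max_plaintext_for_mtu(path_mtu, cipher_suite, **kw):
    """Largest plaintext that fits one datagram of path_mtu bytes unfragmented."""
    return path_mtu - datagram_len(0, cipher_suite, **kw)


def fits_without_fragmentation(plaintext_len, path_mtu, cipher_suite, **kw):
    """True when the whole datagram stays within the path MTU."""
    return datagram_len(plaintext_len, cipher_suite, **kw) <= path_mtu


def plan_segments(message_len, path_mtu, cipher_suite, seg_hdr_len, **kw):
    """Split an encoded notification into per-datagram payload sizes that each
    fit path_mtu once seg_hdr_len bytes of application framing (placeholder)
    are added to every chunk. Raises if no payload byte would fit at all."""
    room = max_plaintext_for_mtu(path_mtu, cipher_suite, **kw) - seg_hdr_len
    if room <= 0:
        raise ValueError("path MTU too small for any payload with this framing")
    chunks, remaining = [], message_len
    while remaining > 0:
        take = min(room, remaining)
        chunks.append(take)
        remaining -= take
    return chunks


if __name__ == "__main__":
    # Conservative budget: the IPv6 minimum link MTU of 1280 bytes (RFC 8200).
    for suite in AEAD_TAG_LEN:
        print(f"{suite:32} max plaintext @1280 IPv6: "
              f"{max_plaintext_for_mtu(1280, suite)}")
    print("3000-byte message, 12-byte segment framing:",
          plan_segments(3000, 1280, "TLS_AES_128_GCM_SHA256", 12))
```

When the path MTU is unknown, 1280 bytes (the IPv6 minimum link MTU) is the safe budget; a larger value needs path MTU discovery or a measured value, and the connection ID, if negotiated, eats into the same budget.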