Re: [netconf] Securing UDP-notif messages with DTLS
Pierre Francois <pierre.francois.ietf@gmail.com> Mon, 02 August 2021 19:22 UTC
References: <152841A6-6A37-4F75-857D-2F70346AFB5D@insa-lyon.fr> <0100017b07afa694-e244f7b7-ab7b-4fab-b669-793f9f6b87d2-000000@email.amazonses.com> <CAFNmoOHNKP8g9syh9KE6KFtCQUGsYBSCR7GO1NCby6UqCt0y7A@mail.gmail.com> <20210802173342.6kv5gkhkuu4tapcw@anna.jacobs.jacobs-university.de>
In-Reply-To: <20210802173342.6kv5gkhkuu4tapcw@anna.jacobs.jacobs-university.de>
From: Pierre Francois <pierre.francois.ietf@gmail.com>
Date: Mon, 02 Aug 2021 21:22:02 +0200
Message-ID: <CAFNmoOHQ96g3ZX0DMN8x9J1PPbqkzHR6_uj73oUDfXqgwC5E9A@mail.gmail.com>
To: Juergen Schoenwaelder <j.schoenwaelder@jacobs-university.de>, Pierre Francois <pierre.francois.ietf@gmail.com>, Kent Watsen <kent@watsen.net>, pierre francois <pierre.francois@insa-lyon.fr>, Marco.Tollini1@swisscom.com, Netconf <netconf@ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/netconf/HT9w6gP1bsoUXoAuzw0DpvA2nBw>
Subject: Re: [netconf] Securing UDP-notif messages with DTLS
Juergen,

Thanks for your input. IESG composition won't change much to the story on this aspect, I think.

Alright, I'll discuss with all the authors involved and get back to the list. I guess no one in the WG will object to a merge if we decide to go this way.

Cheers,

/pfr

On Mon, 2 Aug 2021 at 19:33, Jürgen Schönwälder <j.schoenwaelder@jacobs-university.de> wrote:

> In the past, there were people on the IESG that would tell you that "a
> controlled environment" is in most cases a myth. (There is something
> to this argument once you think about how messed up the world appears
> to be these days.)
>
> There certainly is a point that compliant implementations must support
> a secure transport so that people deploying the technology have the
> choice to use it. If an operator then decides to not use the secure
> transport, so be it, that is then the operator's free choice (and
> responsibility). But not being able to make this choice, because a secure
> transport is not universally implemented, is an obstacle to avoid.
>
> And yes, this is all about what needs to be implemented to be
> compliant. The IESG has little influence on what people use, but it
> can influence that people have a choice by requiring the
> implementation of a secure transport by compliant implementations.
>
> /js
>
> PS: Of course, I am talking from past experience, and the details of
> the story lines usually change with the IESG composition.
>
> On Mon, Aug 02, 2021 at 07:14:35PM +0200, Pierre Francois wrote:
> > Hello everyone,
> >
> > I'm fine with merging the two drafts. What I wish is that the existing
> > implementations that do not mandate DTLS activation remain legit wrt the
> > resulting RFC.
> > We're aiming at lightweight transport in controlled environments here.
> >
> > Cheers,
> > Pierre.
> >
> > On Mon, 2 Aug 2021 at 18:26, Kent Watsen <kent@watsen.net> wrote:
> >
> > > Mahesh and I were wondering about this. When Pierre mentioned the DTLS
> > > work, we were "surprised" in that we too assumed the "udp" draft had the
> > > security bits.
> > >
> > > It is true that the IESG is all but mandating security for years
> > > now. IIRC, Syslog over UDP is obsolete due to being unsecured.
> > >
> > > K.
> > >
> > > On Aug 2, 2021, at 11:53 AM, Zmail <alex.huang-feng@insa-lyon.fr> wrote:
> > >
> > > Noted, I'll discuss this with the Unyte team.
> > >
> > > Alex
> > >
> > > On 2 Aug 2021, at 11:40, Jürgen Schönwälder <j.schoenwaelder@jacobs-university.de> wrote:
> > >
> > > Since I doubt that a protocol not providing security will receive
> > > IESG approval, I suggest that this work is getting integrated into
> > > draft-ietf-netconf-udp-notif-03.txt.
> > >
> > > I have not read the content but the I-D seems fairly small so
> > > integration into the WG document should be fairly trivial. Given past
> > > experience, it might be that the DTLS/UDP transport will become the
> > > mandatory to implement transport.
> > >
> > > /js
> > >
> > > On Mon, Aug 02, 2021 at 10:59:07AM +0200, Zmail wrote:
> > >
> > > Hello to everyone,
> > >
> > > We would like to present a new draft we didn't have time to show at the
> > > last IETF meeting.
> > >
> > > https://datatracker.ietf.org/doc/draft-unyte-netconf-udp-notif-dtls/
> > >
> > > This draft defines a mechanism to secure UDP-notif protocol messages using
> > > DTLS 1.3.
> > > It defines the different layers involved, the DTLS session lifecycle and
> > > the mandatory cipher suites to use. It also makes explicit that no extensions of
> > > DTLS are needed and that IP fragmentation should be avoided.
> > > We would like to have some feedback for this draft.
> > >
> > > We will present the draft to the WG at the next IETF meeting.
> > >
> > > Looking forward to hearing from you,
> > >
> > > Alex Huang Feng
> > >
> > > _______________________________________________
> > > netconf mailing list
> > > netconf@ietf.org
> > > https://www.ietf.org/mailman/listinfo/netconf
> > >
> > > --
> > > Juergen Schoenwaelder Jacobs University Bremen gGmbH
> > > Phone: +49 421 200 3587 Campus Ring 1 | 28759 Bremen | Germany
> > > Fax: +49 421 200 3103 <https://www.jacobs-university.de/>