IETF Logo Mail Archive

Re: [netconf] WGLC on draft-ietf-netconf-over-tls13

Sean Turner <sean@sn3rd.com> Thu, 09 March 2023 02:00 UTC

Return-Path: <sean@sn3rd.com>
X-Original-To: netconf@ietfa.amsl.com
Delivered-To: netconf@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 4D828C14CE36 for <netconf@ietfa.amsl.com>; Wed, 8 Mar 2023 18:00:49 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.096
X-Spam-Level:
X-Spam-Status: No, score=-2.096 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=sn3rd.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ttadjweasGf1 for <netconf@ietfa.amsl.com>; Wed, 8 Mar 2023 18:00:45 -0800 (PST)
Received: from mail-qv1-xf32.google.com (mail-qv1-xf32.google.com [IPv6:2607:f8b0:4864:20::f32]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id AD496C15C524 for <netconf@ietf.org>; Wed, 8 Mar 2023 18:00:45 -0800 (PST)
Received: by mail-qv1-xf32.google.com with SMTP id ne1so503903qvb.9 for <netconf@ietf.org>; Wed, 08 Mar 2023 18:00:45 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=sn3rd.com; s=google; t=1678327244; h=to:references:message-id:content-transfer-encoding:cc:date :in-reply-to:from:subject:mime-version:from:to:cc:subject:date :message-id:reply-to; bh=ePIzGJWAJxLuUb1s322BZ7+Hh/lxRzlG++mV3zaQ3bM=; b=XO9f/yFggJZtBUmKZUQQd1BI1Xv/W23oRxtSwIhbmkhvKWMfIlnfrvRXTLJJ+dd5FC PnFnMJMlkuHga9f/WTGVYuYWyR6aZSfM2uWFGm9t8kpCrWSkXcIG6DA3Os0S78xIOdpk Sywxe2Qu7wWedPmfpnev8+8zsPA4G6c4Mks9s=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; t=1678327244; h=to:references:message-id:content-transfer-encoding:cc:date :in-reply-to:from:subject:mime-version:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=ePIzGJWAJxLuUb1s322BZ7+Hh/lxRzlG++mV3zaQ3bM=; b=pNk65vxM5Q/9rlGi6OMDDLy+gsnLM1wFBQ1SLTrvNrI4BpuGwmVnsK6uz2Kz912oWO V9DHpiBli9OzVl0MQYk+pgiyqIN0nU3OplGBEE4E3SOjRbBapmimnxU0cdvHdVrlK/nC 3SdgxyCZR1Xit4tEIhhcITnTjnADOR0w6D6a/19rXb1gRDPyKWHnr82MMN/w00rhXHxl ouE04KnFSC4IqiLS+fAwwSplXlzR/rowAAYGfHQNlcrUslA4EgdYQBtt27hy1BieT7J4 sz89Soxzl7JLiAYRPoqAkTk+Lq+pHSAbhCYr/u6sP2sTDDv1Ry9aCLGS792NeiP5RmtY juJQ==
X-Gm-Message-State: AO0yUKUolnS72OsNd9lYXpPF9mMzKbP+e4YMBOOPMlpOTV24L3HBat8r K74dK3RF5D+HCv4rxyIY+hjHM0+4NYRcxMD4YO0=
X-Google-Smtp-Source: AK7set+F47ITG7w8YMsp3EqtKSpWWoUoy3BFvQs1jOtn4sFvBj3JXHK5XFvfvb2pVajWWZC9oohVLg==
X-Received: by 2002:a05:6214:761:b0:56e:b1c8:381b with SMTP id f1-20020a056214076100b0056eb1c8381bmr37753436qvz.31.1678327244692; Wed, 08 Mar 2023 18:00:44 -0800 (PST)
Received: from smtpclient.apple (pool-68-238-162-47.washdc.fios.verizon.net. [68.238.162.47]) by smtp.gmail.com with ESMTPSA id s4-20020a372c04000000b0074283b87a4esm12410854qkh.90.2023.03.08.18.00.43 (version=TLS1_2 cipher=ECDHE-ECDSA-AES128-GCM-SHA256 bits=128/128); Wed, 08 Mar 2023 18:00:43 -0800 (PST)
Content-Type: text/plain; charset="utf-8"
Mime-Version: 1.0 (Mac OS X Mail 14.0 \(3654.120.0.1.14\))
From: Sean Turner <sean@sn3rd.com>
In-Reply-To: <09E3A8B3-91B8-4ACA-8E9C-792E4DBCD62F@sn3rd.com>
Date: Wed, 08 Mar 2023 21:00:43 -0500
Cc: Kent Watsen <kent+ietf@watsen.net>, "netconf@ietf.org" <netconf@ietf.org>
Content-Transfer-Encoding: quoted-printable
Message-Id: <32062DC3-D84E-4BAB-9BF1-5B12DFF0D987@sn3rd.com>
References: <01000185988718f9-8bf57d79-4101-4bfb-a8a9-063e7d56e858-000000@email.amazonses.com> <20230125143234.vrygt7h34codgs2c@anna> <09E3A8B3-91B8-4ACA-8E9C-792E4DBCD62F@sn3rd.com>
To: Jürgen Schönwälder <j.schoenwaelder@jacobs-university.de>
X-Mailer: Apple Mail (2.3654.120.0.1.14)
Archived-At: <https://mailarchive.ietf.org/arch/msg/netconf/HWRlmJXT8YQ37CdIKadF3v1LsqA>
Subject: Re: [netconf] WGLC on draft-ietf-netconf-over-tls13
X-BeenThere: netconf@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: NETCONF WG list <netconf.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/netconf>, <mailto:netconf-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/netconf/>
List-Post: <mailto:netconf@ietf.org>
List-Help: <mailto:netconf-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/netconf>, <mailto:netconf-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 09 Mar 2023 02:00:49 -0000

Jürgen,

I am about to start landing these PRs and just wanted to confirm that what you were thinking about in terms of an “update” to RFC 7589 is captured by:
https://github.com/netconf-wg/netconf-over-tls13/pull/11

spt

> On Feb 9, 2023, at 13:32, Sean Turner <sean@sn3rd.com> wrote:
> 
> Jürgen,
> 
> Thanks for your review. Responses below.
> 
> I’ll let these and the other PRs settle for a week before merging.
> 
> spt
> 
>> On Jan 25, 2023, at 09:32, Jürgen Schönwälder <j.schoenwaelder@jacobs-university.de> wrote:
>> 
>> On Mon, Jan 09, 2023 at 09:54:28PM +0000, Kent Watsen wrote:
>>> We are starting a 2 week WGLC on:
>>> 	- draft-ietf-netconf-over-tls13-01. 
>>> 
>>> The document can be found here:
>>> 	https://datatracker.ietf.org/doc/draft-ietf-netconf-over-tls13
>>> 
>>> Please respond on this thread indicating your support or concerns about why this document should/should not be adopted.
>>> 
>>> We are particularly interested in statement of the form:
>>> 	- I have reviewed the draft and found no issues. 
>>> 	- I have reviewed the draft and found the following issues …
>>> 
>>> This WGLC will conclude on Monday, January 23.   
>> 
>> I have reviewed the document and I believe that what it is technically
>> aims to achieve is OK and on track but the document itself is not ready.
>> 
>> - Does this document formally update RFC 7589? I am aware that updates
>> means many different things (extending, depending-on, rewriting
>> parts) so I should probably not even ask this question. ;-) But my
>> gut feeling is that you really want a formal Updates: RFC 7589 here.
> 
> We were purposely trying to avoid updating RFC 7589, because we were trying to stay out of picking the MTI protocol. But based on a suggestion in UTA about how to deal with a similar update for syslog, I think we could follow the recommendations in RFC 9325 and not have to get embroiled in a lengthy debate because RFC 9235 is BCP 195:
> 
> *  Implementations MUST support TLS 1.2 [RFC5246].
> *  Implementations SHOULD support TLS 1.3 [RFC8446] and, if
>  implemented, MUST prefer to negotiate TLS 1.3 over earlier
>  versions of TLS.
> 
> The following PR includes the proposed changes:
> https://github.com/netconf-wg/netconf-over-tls13/pull/11
> 
> The change of course opens a can worms. Do we change the TLS1.2 MTI cipher suite? The MTI cipher suites based on this RFC 7589 (and this PR) is TLS_RSA_WITH_AES_128_CBC_SHA. There is no chance that cipher suites makes it through the IESG at this point. We could change it to what’s in RFC 9325. I understand why RFC 7589 did not make the 7525 recommendations a MUST; when RFC 7589 was published, RFC 7525 was pretty new. However, it’s been almost 8 years since then so I am hoping some of the recommendations, 2 of the four recommended in 2015 are still there, are widely supported. If that’s the case then maybe the 1st para should be:
> 
> Implementations MUST support TLS 1.2 {{RFC5246}}. The mandatory-to-implement
> cipher suite is TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256. Implementations
> SHOULD follow the recommendations given in [RFC9325].
> 
>> - As already noted by others, there is colloquial discussion around
>> Section 9.1 of I-D.ietf-tls-rfc8446bis in the document that one
>> would not expect in a WG last call document.
> 
> Yep deleting it. The section kind of did it’s job, i.e., “made you look” :)
> The following PR removes it:
> https://github.com/netconf-wg/netconf-over-tls13/pull/7
> 
>> - In the Security Considerations, what does 'please review" really
>> mean? Is it required or expected to do what the referenced documents
>> say or are these just some reading suggestions that can be ignored?
>> I would prefer to see much clearer guidelines, in particular since
>> we talk about security.
> 
> I guess this didn’t bother me as much as some, when I read “the security considerations of RFCxyz apply” that’s pretty much the same thing as "Please review  RFCxyz”. But, I can swap it out for the more common language. Note that because it’s an update, the security considerations actually got a lot shorter because we copied a lot them over. Here’s a PR to address this:
> https://github.com/netconf-wg/netconf-over-tls13/pull/10
> 
>> - Editorial: Fix the following "describes defines" double verb.
> 
> Please see:
> https://github.com/netconf-wg/netconf-over-tls13/pull/9
> 
>> /js
>> 
>> -- 
>> Jürgen Schönwälder              Constructor University Bremen gGmbH
>> Phone: +49 421 200 3587         Campus Ring 1 | 28759 Bremen | Germany
>> Fax:   +49 421 200 3103         <https://www.jacobs-university.de/>
>> 
>> _______________________________________________
>> netconf mailing list
>> netconf@ietf.org
>> https://www.ietf.org/mailman/listinfo/netconf
>

v2.23.0 | Report a Bug | By Email