[netconf] Paul Wouters' Discuss on draft-ietf-netconf-over-tls13-03: (with DISCUSS and COMMENT)

Paul Wouters via Datatracker <noreply@ietf.org> Mon, 27 November 2023 22:22 UTC

Archived-At: <https://mailarchive.ietf.org/arch/msg/netconf/H_WqXOBpGpUL21aK2APORuenGiA>

Paul Wouters has entered the following ballot position for
draft-ietf-netconf-over-tls13-03: Discuss

When responding, please keep the subject line intact and reply to all
email addresses included in the To and CC lines. (Feel free to cut this
introductory paragraph, however.)


Please refer to https://www.ietf.org/about/groups/iesg/statements/handling-ballot-positions/
for more information about how to handle DISCUSS and COMMENT positions.


The document, along with other ballot positions, can be found here:
https://datatracker.ietf.org/doc/draft-ietf-netconf-over-tls13/



----------------------------------------------------------------------
DISCUSS:
----------------------------------------------------------------------

Why does Section 4 not simply point to the ciphersuites MTI of the respective TLS versions?

TLS 1.3 as per RFC8446bis Section 9.1:
https://datatracker.ietf.org/doc/html/draft-ietf-tls-rfc8446bis-09#name-mandatory-to-implement-ciph

TLS 1.2 to RFC9325 Section 4.2:
https://datatracker.ietf.org/doc/html/rfc9325#name-cipher-suites-for-tls-12

It almost does this but then decides on its own more limited set of
ciphersuites. Is there a good reason to deviate from the
TLS 1.2 and 1.3 standards? Or why not stick to the RECOMMENDED Y
column in the IANA registry for TLS Ciphersuites?


----------------------------------------------------------------------
COMMENT:
----------------------------------------------------------------------

        Implementations MUST support TLS 1.2 [RFC5246] and are REQUIRED
        to support the TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 cipher suite
        [RFC9325].

Should this say "MUST support mutually authenticated TLS 1.2"? Because
the line below talks about "additional mutually authenticated".

        NETCONF implementations SHOULD follow the TLS recommendations
        given in [RFC9325].

It's kind of weird to have a SHOULD here pointing to a document that has
MUSTs in it. I would either use a MUST here, or no BCP14 language at all.


NITS:

[I-D.ietf-uta-rfc6125bis] is now RFC9525
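An added example, not part of the ballot or the draft: a Python `ssl` server context for NETCONF over TLS that reflects the points raised above (TLS 1.2 floor, mutual authentication, the RFC 9325 forward-secret suites for TLS 1.2) and a check that reports whether the MTI suites of RFC 9325 and RFC 8446 are actually offered. Certificate and trust-anchor file paths are deployment-specific and deliberately left out; the TLS 1.3 suite list is controlled by OpenSSL and is not affected by `set_ciphers`.

```python
import ssl

# IANA ciphersuite names discussed in the ballot, mapped to the OpenSSL names
# that Python's ssl module (and OpenSSL-based NETCONF stacks) use.
IANA_TO_OPENSSL = {
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256": "ECDHE-RSA-AES128-GCM-SHA256",
    "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256": "ECDHE-ECDSA-AES128-GCM-SHA256",
    "TLS_AES_128_GCM_SHA256": "TLS_AES_128_GCM_SHA256",
}
TLS12_MTI = "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"  # RFC 9325 Section 4.2 MTI
TLS13_MTI = "TLS_AES_128_GCM_SHA256"                 # RFC 8446 Section 9.1 MUST


def build_netconf_server_context() -> ssl.SSLContext:
    """Server context: TLS >= 1.2, client certificate required, PFS AEAD suites only."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    # Mutual authentication: the NETCONF client must present a certificate.
    ctx.verify_mode = ssl.CERT_REQUIRED
    # A real deployment would add ctx.load_cert_chain(...) and
    # ctx.load_verify_locations(...) here (paths omitted on purpose).
    # TLS 1.2 suites recommended by RFC 9325 Section 4.2; all ECDHE + AEAD.
    ctx.set_ciphers(
        "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:"
        "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:"
        "ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305"
    )
    return ctx


def check_mti(ctx: ssl.SSLContext) -> dict:
    """Report whether the context offers the MTI suites and only PFS TLS 1.2 suites."""
    ciphers = ctx.get_ciphers()
    names = {c["name"] for c in ciphers}
    tls12_names = {c["name"] for c in ciphers if c["protocol"] != "TLSv1.3"}
    return {
        "tls12_mti": IANA_TO_OPENSSL[TLS12_MTI] in names,
        "tls13_mti": IANA_TO_OPENSSL[TLS13_MTI] in names,
        # Every negotiable TLS 1.2 suite must use ECDHE (forward secrecy).
        "tls12_all_ecdhe": all(n.startswith("ECDHE-") for n in tls12_names),
        "mutual_auth": ctx.verify_mode == ssl.CERT_REQUIRED,
        "min_tls12": ctx.minimum_version == ssl.TLSVersion.TLSv1_2,
    }


if __name__ == "__main__":
    print(check_mti(build_netconf_server_context()))
```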