Re: [Netconf] Comments on draft-ietf-netconf-keystore-07

Kent Watsen <kwatsen@juniper.net> Fri, 07 December 2018 18:03 UTC

Hi Ramkumar, thanks for pointing this out!

The proposed fix is to:

  *   add a “local-definition” container around the “uses” statement(s)
  *   rename “reference” to “keystore-reference”

The Github commit for this is here:
  -  https://github.com/netconf-wg/keystore/commit/7fc73f052f05dc212e7d40d82c84460ab5ea64ec

Also, to see how it plays out in the other drafts, the Github commits for them are here:
  - ssh: https://github.com/netconf-wg/ssh-client-server/commit/df25274c5c50a432e57deb7809722aee7d5e8fa9
  - tls: https://github.com/netconf-wg/tls-client-server/commit/2686e81ac5fcb98a0346b8c203ca25a071faa0e9
  - netconf: https://github.com/netconf-wg/netconf-client-server/commit/148b5cdc5b1755901d318e6a0cfe94ef04134252
  - restconf: https://github.com/netconf-wg/restconf-client-server/commit/475fb627527174795e034339fd6504def4dd4d32

If no objections are raised, this change will go into the next published version.

Kent


On 12/6/18, 5:39 AM, "Dhanapal, Ramkumar (Nokia - IN/Chennai)" <ramkumar.dhanapal@nokia.com> wrote:

Hi Kent,
We see the following definition in draft-ietf-netconf-keystore-07.

grouping local-or-keystore-end-entity-cert-with-key-grouping {
  description
    "A grouping that expands to allow an end-entity certificate
     (and its associated private key) to be either stored locally,
     within the using data model, or be a reference to a specific
     certificate in the keystore.";
  choice local-or-keystore {
    mandatory true;
    case local {
      if-feature "local-keys-supported";
      uses ct:asymmetric-key-pair-grouping;
      uses ct:end-entity-cert-grouping;
    }
    case keystore {
      if-feature "keystore-supported";
      leaf reference {
        type ks:asymmetric-key-certificate-ref;
        description
          "A reference to a specific certificate, and its
           associated private key, stored in the keystore.";
      }
    }
    description
      "A choice between an inlined definition and a definition
       that exists in the keystore.";
  }
}

In ct:asymmetric-key-pair-grouping, 2 actions are defined.
In ct:end-entity-cert-grouping, 1 notification is defined.

But w.r.t. RFC7950 references below, looks like it is not okay to have either actions or notifications in “case” statements.

https://tools.ietf.org/html/rfc7950#section-7.15

        Since an action cannot be defined at the top level of a module or in
        a "case" statement, it is an error if a grouping that contains an
        action at the top of its node hierarchy is used at the top level of a
        module or in a case definition.

https://tools.ietf.org/html/rfc7950#section-7.16

        Since a notification cannot be defined in a "case" statement, it is
        an error if a grouping that contains a notification at the top of its
        node hierarchy is used in a case definition.

Can you please check and provide your feedback? Or am I missing something here?

Thanks & Regards,

Ramkumar
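The fix Kent describes, applied to the grouping Ramkumar quoted, as an added illustration written from the two bullet points in the reply (it is not the text of the linked commit, and the description string on the new container is assumed wording):

```yang
// Added example, not the contents of the linked commit: the grouping
// from draft-ietf-netconf-keystore-07, rewritten so that the actions and
// notification pulled in by the two "uses" statements are expanded under
// a container instead of directly inside a "case" node.
grouping local-or-keystore-end-entity-cert-with-key-grouping {
  description
    "A grouping that expands to allow an end-entity certificate
     (and its associated private key) to be either stored locally,
     within the using data model, or be a reference to a specific
     certificate in the keystore.";
  choice local-or-keystore {
    mandatory true;
    case local {
      if-feature "local-keys-supported";
      // New container: RFC 7950 sections 7.15 and 7.16 forbid "action"
      // and "notification" nodes at the top of a "case", but they are
      // allowed as descendants of a container.
      container local-definition {
        description
          "Container for the locally-defined key and certificate."; // assumed
        uses ct:asymmetric-key-pair-grouping;
        uses ct:end-entity-cert-grouping;
      }
    }
    case keystore {
      if-feature "keystore-supported";
      // Renamed from "reference" to "keystore-reference".
      leaf keystore-reference {
        type ks:asymmetric-key-certificate-ref;
        description
          "A reference to a specific certificate, and its
           associated private key, stored in the keystore.";
      }
    }
    description
      "A choice between an inlined definition and a definition
       that exists in the keystore.";
  }
}
```

Because the container adds a level to the schema tree, any module that uses this grouping now exposes the key, certificate, action and notification nodes under local-definition rather than directly under the case, and the leaf path changes with the rename; instance data and XPath expressions written against the -07 layout need the same adjustment.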