Re: [netconf] Create IANA-defined modules?

tom petch <ietfc@btconnect.com> Wed, 09 June 2021 16:32 UTC

Return-Path: <ietfc@btconnect.com>
X-Original-To: netconf@ietfa.amsl.com
Delivered-To: netconf@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 062903A1DF0 for <netconf@ietfa.amsl.com>; Wed, 9 Jun 2021 09:32:53 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.901
X-Spam-Level:
X-Spam-Status: No, score=-1.901 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_MSPIKE_H2=-0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=btconnect.onmicrosoft.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id gc2Yi74252JM for <netconf@ietfa.amsl.com>; Wed, 9 Jun 2021 09:32:48 -0700 (PDT)
Received: from EUR05-AM6-obe.outbound.protection.outlook.com (mail-am6eur05on2138.outbound.protection.outlook.com [40.107.22.138]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id A7F163A1D11 for <netconf@ietf.org>; Wed, 9 Jun 2021 09:32:47 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=jqLUWiJX2bTvhvjbDvAOjYC5gnfaYWhSmVPK3cFD1BzYX7IpDnCYaJ21+UvYyBs03b99btoKf/QbAIpl7gyX1Jlcgvy96eOf6WPP9s9gv0nliZSYMxegxiOA4xiIL4lNeLIJGm3ITvU4UGJNb15nEu68VDW7K0GdcyUeCPjOs0XL+dPLpNHxjws4XvjJrxXHIiA4SH9vL5g3iT8ZvYBN6rXQ0lmfnMZmH62PnvVg8fLWy4DWesZGPcxsFsqhpRmlio4V9iamhwKa5Wn6IR6JGo6sgv7kxnsjt0Ixy/V/lG+Cgq3djdjlG1T7S6hbqRzTPDSHTX/gZZiZMKEQIuwoSw==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=rraCSLqDVfXxumokNpBZFOjOXOIw+e6+gB5uWlaOQlc=; b=gWK3XIcE6e3KGUF3m2KRwHdsEEMtVqCSoT7aVTpVzYb3ajTLT6ZmlcB2q/3L3zAg2ZI1qxcKDWdTloOfZJ4dS+a7pJU+qF+M68+ynAdwFEJ6xu1Ar1HfJPF3+UxzA/+3z7NIOcwOMAQI3hGVyiLvOU5mS5XtbhlGYQbzYT0Drc0OoXExUsKRhaCHcrM9ZB9XI+Jf3Zs4/6C6a1OU/5ycS8U9HvqHn+AVoM3jXbRQ03Qkxfy38iFy+AW51o+Qi+nRQtfZshBIo/kfkuJilofTZVZXuHP+Yx+buarChhZDzKMDC45rtwyWEtORbAW9yhz9j7baWi3CR1taQplpFpX1IA==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=btconnect.com; dmarc=pass action=none header.from=btconnect.com; dkim=pass header.d=btconnect.com; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=btconnect.onmicrosoft.com; s=selector2-btconnect-onmicrosoft-com; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=rraCSLqDVfXxumokNpBZFOjOXOIw+e6+gB5uWlaOQlc=; b=jVnw/tVxrGUdp6MdGwPX44de31yPd9byomf6XyWqwcnUBatln0pnTjxeDEmg3fXGhCZ13r0nMRx0/fELCeW0Uwwzv2lbjSZ91oH8FaRByhdUFrC9gnsp2T7l0zu0sAsdexc3PGFu9uiHwNfK+9mgUfNAgG9A6CsvP6KRc6JPeQs=
Received: from AM7PR07MB6248.eurprd07.prod.outlook.com (2603:10a6:20b:134::11) by AS8PR07MB7862.eurprd07.prod.outlook.com (2603:10a6:20b:394::17) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.4219.9; Wed, 9 Jun 2021 16:32:45 +0000
Received: from AM7PR07MB6248.eurprd07.prod.outlook.com ([fe80::a05a:a474:bf78:f0a9]) by AM7PR07MB6248.eurprd07.prod.outlook.com ([fe80::a05a:a474:bf78:f0a9%8]) with mapi id 15.20.4219.017; Wed, 9 Jun 2021 16:32:45 +0000
From: tom petch <ietfc@btconnect.com>
To: Qin Wu <bill.wu@huawei.com>, Kent Watsen <kent+ietf@watsen.net>, "netconf@ietf.org" <netconf@ietf.org>
Thread-Topic: [netconf] Create IANA-defined modules?
Thread-Index: AdddL2Guyi3eG+KzRlGXH8XK0iac4QAF+Z/J
Date: Wed, 9 Jun 2021 16:32:44 +0000
Message-ID: <AM7PR07MB62487022A9413FDE57FDB5C1A0369@AM7PR07MB6248.eurprd07.prod.outlook.com>
References: <2269db3441874166a6525425cf488348@huawei.com>
In-Reply-To: <2269db3441874166a6525425cf488348@huawei.com>
Accept-Language: en-GB, en-US
Content-Language: en-GB
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
authentication-results: huawei.com; dkim=none (message not signed) header.d=none;huawei.com; dmarc=none action=none header.from=btconnect.com;
x-originating-ip: [86.143.250.49]
x-ms-publictraffictype: Email
x-ms-office365-filtering-correlation-id: 97e316cf-9b87-442b-9d1e-08d92b6435ea
x-ms-traffictypediagnostic: AS8PR07MB7862:
x-microsoft-antispam-prvs: <AS8PR07MB7862F5F6749835303B5FE59DA0369@AS8PR07MB7862.eurprd07.prod.outlook.com>
x-ms-oob-tlc-oobclassifiers: OLM:10000;
x-ms-exchange-senderadcheck: 1
x-microsoft-antispam: BCL:0;
x-microsoft-antispam-message-info: 93Qj6DePvl1lhLXF4T+tCnUAQ531GNIbl8PrBTTTVUg/kh0mTsl4jnL+qTjFquk3sATmThiwHj24xp0g+ct1pPuKABbTwbAvIn69Oe0iPrLVWey62xNtb8ACJWa6jp1CEisSo4byqzrmvV4lq1Fl2F1TbDYuvmcs8sl2RpdJFi+3dD3oQpbLxG9RRrON+Mvf4XHIdGQDPCNWf8vQzmXLWBF9Zx7IE8DXJxw3C1TCXXmnpA3mq5metnbSs7pHxbGV55ZLRdQp8rwVlF7T4M+AH9Mxj5gVWN9V03bhzD0UwZTQJ9BfMFzZkuPkMpdYnMOfxiEaXNGwt/jZcQTunXoncrrmqTKsYvyzgOhSfStjRHTnkU9iNkUxDuGx9fPZGJdL7jsL6BqxxE9i8HRhoQYnC2ynxlBG1ACx7UFEU06MDBn8ZvEb95npQLqsXbrmwCNr6C3jvU/JHJyu1SYDroVYA46E+4/ve6NCZgYJs/XBDMGGEbkTgzltnZzkO9UsSXjmSQ4w8OtXIyxrb2Yqs5QgqiInWxxDBtbYEIPAnVdSuJOmepHMxRxWR9xsCSmejGChKPyezQ4kcd5MHBj6qFvWhDctIecjBXkfjOf3wg6kmDjNHvFnnTbBAxkVAgdBOAvdY4eZbTIHSbqDLlxrl9Tx7UJenUJHld7/AvtQFE38Z1hDOTgbJ0ZtG7MmtQXhgViwA/w7i+h4Xs54tMvqi8hPN5ZhiAwD/M0g1dXLzTBQJDte7G6UISUtJC00VJi5Qjh5JgwHd/tsBc6pPHUYZMJotA==
x-forefront-antispam-report: CIP:255.255.255.255; CTRY:; LANG:en; SCL:1; SRV:; IPV:NLI; SFV:NSPM; H:AM7PR07MB6248.eurprd07.prod.outlook.com; PTR:; CAT:NONE; SFS:(366004)(376002)(136003)(396003)(39860400002)(346002)(38100700002)(316002)(55016002)(478600001)(9686003)(33656002)(966005)(86362001)(2906002)(8676002)(8936002)(76116006)(83380400001)(6506007)(91956017)(5660300002)(52536014)(66446008)(53546011)(66476007)(66556008)(64756008)(7696005)(71200400001)(110136005)(66946007)(26005)(122000001)(186003)(586874002); DIR:OUT; SFP:1102;
x-ms-exchange-antispam-messagedata: =?gb2312?B?WTByWkZZWlYyb1MwQVBNK1NTcFdNMkdhWUszMGY5OTRqb1U1dnFrYzZ6WHBG?= =?gb2312?B?dUs3MHZxWFNmYzFEU0xoSE1hYzQ4NTdScTZrVThXYzRxNHVWbnVsSTQrYVhZ?= =?gb2312?B?dGZuU0M0c2g1eCtQcGtyeHlBbTFTTS9wRjVyNDI4Q3JINkkvNDREWlIvUUFU?= =?gb2312?B?V0dxQVVpRDZGSCtyZjBQUTMvRnhZWitUbCtoeWJ0dUs4MEJqMDlWSzNsaDRi?= =?gb2312?B?RzViRmFmUkdYQ3R5dFM5d2NmbHV4elVzMGlubHlRT1JRVWpQbkdVOGpiMVhm?= =?gb2312?B?ZGRobEJ4dTc0T1Nqeno0QUdueHBITjhucTViMWxLVmxKdE5mREJ6WE5sNTlB?= =?gb2312?B?UkFSNTlPbjlOemNuKzJBTlpJU3pjcEJIWTBvc1RHT1MxVXY5cmM4bFl1cjBw?= =?gb2312?B?enBYSHhqL3YyZDhHK1Z2UCs2ODA2N29KeHBENlpyV1lSWnJWdXZ4d3hkZ2hs?= =?gb2312?B?N1JFcHZxMExZc1dtNlJsMmRmQkRzMm1lQ1Bya1pQZ3pwd1hTWFgxNDJ0U2xy?= =?gb2312?B?LzR0UlFTTUF4czFRS1lFUXBqNE1DUGdOaU5GcHl1L2FkSmZyako5VnZzV0hv?= =?gb2312?B?Y0xVYXFZNHFJN2xua0d4L29kN2J0WlNma2xrQWlwWVZsOGN3aXpYRmtqZEpC?= =?gb2312?B?aEx0cGRiT1Z1d0dkZ1VEUjEwQ3h0dGRSZEYzU1MrbUJ2ZmdxRFp5YXJPY0VL?= =?gb2312?B?NVFvZDFDaFAvQnhQZmtTejIrVS9Qdm0vWEtnWlVFZEljZDUxNW5sK0VLWGZC?= =?gb2312?B?Q0VLT3AzOFpOUlZOdFAvUU9EeDBIL05rdFhLUEdUZ2VpdnMveGpUL21TdmNC?= =?gb2312?B?TGxzeUVKR0pmZ29UQTQ5YjdrU1JRQWVpb0hQN1VrWUdRb1VqN2hmWXdRS0ky?= =?gb2312?B?dGhsU0xUQ2dwMUwwNk9mSVFyckZoY0p2bGFJSmpJZWdhZWxFaWpuMnc3WU1h?= =?gb2312?B?Ymt6c0hyK3RhTlJQeDczaHZBbEF4RzdFV1Q4YlJwMEExTWJqMG1sZDdUTjFh?= =?gb2312?B?c1g2dUZRMW9ndUMvdUZOeDU1eWhJTU00L2pXTVVXTU5kZ21TNGhRR1VTOU1M?= =?gb2312?B?Q1BXS0JHR0RUaWR2WnFtU0xiNTNNbXh0eFptTWYxcjlWSGVLRTEwTVhKL1Nk?= =?gb2312?B?bVlPY1BvT2ZxL2t3UW42aVFPeXlsbXB4bEV2Ym9XVG9La2ZvS2t1YUY0Ykx0?= =?gb2312?B?Z1B5QUk5eTVRZUNsckN2MjdxSXMvTkMvWlN5YXoxVmtBbmdKbG8xUkFHbXdY?= =?gb2312?B?bmtOQzQ2K2I3RWRKWlJ2YitFTU5YVlQrRGhTWWpDeWVMaEpxWm9DSVdXTWlt?= =?gb2312?B?VWRRUWpNellPUkZZV2dvSkhXSFo1WWdIZndsazhpemluODBDOGVXYzNFYUpl?= =?gb2312?B?UXVMK09tazlibHQ4bFVrc1ltdmJxNzJBKzgyeEpKcUpsNVFCNHh2U2lsYURJ?= =?gb2312?B?QzJ5MXFoeHFBR2p0aEFJSXlvYkZkTHpoNUVsYkc1R2lmdEp2Zy9lMzhYWVRK?= =?gb2312?B?VGcrMnJZcFdHTkZVUk1FZUxYNGU2cS8yZnR4eFJGR3BZSGk1MVAyNi8wUTRa?= =?gb2312?B?NWRVckpVNTY5WnBVS2lkSE93bzBrc25aQ2tqYWhQVVdEYUsvQ1hwQXhsU3Ry?= =?gb2312?B?aURNd3JFa3FvaTF6dFFMV2lnSlJzRzBRZmNxSTN2MVVVaHRGODVPZEFsYity?= =?gb2312?B?Szd0ZFVmclFLcUc3c1dxZjliSk1ib0swcTBKZ294UlVzazkyUU5UK0NxWExR?= =?gb2312?Q?FHyPzaUUQdFuer8Ses=3D?=
x-ms-exchange-transport-forked: True
Content-Type: text/plain; charset="gb2312"
Content-Transfer-Encoding: base64
MIME-Version: 1.0
X-OriginatorOrg: btconnect.com
X-MS-Exchange-CrossTenant-AuthAs: Internal
X-MS-Exchange-CrossTenant-AuthSource: AM7PR07MB6248.eurprd07.prod.outlook.com
X-MS-Exchange-CrossTenant-Network-Message-Id: 97e316cf-9b87-442b-9d1e-08d92b6435ea
X-MS-Exchange-CrossTenant-originalarrivaltime: 09 Jun 2021 16:32:44.9275 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: cf8853ed-96e5-465b-9185-806bfe185e30
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-CrossTenant-userprincipalname: ZJ+8MI8DTRZcz/F8RMllNqRgOhbjl/FTr8D4+uZp66yOawHGTefML5Y4i44aOEczayh1qjKI2H8VdhKP6RJOEg==
X-MS-Exchange-Transport-CrossTenantHeadersStamped: AS8PR07MB7862
Archived-At: <https://mailarchive.ietf.org/arch/msg/netconf/KnmzieX_W_rREwnYLG7i2arjyu0>
Subject: Re: [netconf] Create IANA-defined modules?
X-BeenThere: netconf@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: NETCONF WG list <netconf.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/netconf>, <mailto:netconf-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/netconf/>
List-Post: <mailto:netconf@ietf.org>
List-Help: <mailto:netconf-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/netconf>, <mailto:netconf-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 09 Jun 2021 16:32:53 -0000


________________________________________
From: netconf <netconf-bounces@ietf.org> on behalf of Qin Wu <bill.wu@huawei.com>
Sent: 09 June 2021 14:07
To: Kent Watsen; netconf@ietf.org
Subject: Re: [netconf] Create IANA-defined modules?

-----邮件原件-----
发件人: netconf [mailto:netconf-bounces@ietf.org] 代表 Kent Watsen
发送时间: 2021年5月27日 3:06
收件人: netconf@ietf.org
主题: [netconf] Create IANA-defined modules?

[CC-ing Gary, who contributed the “ietf-[tls/ssh]-common" modules originally]


NETCONF WG,

The “tls-client-server” draft just received the following GitHub “issue”:

=====start=====
This is rather a question than an issue, maybe.

Given that IANA maintains the TLS parameters at   https://www.iana.org/assignments/tls-parameters/tls-parameters.xhtml, would it not be better for that content to come from something like iana-tls[-parameters].yang rather than an IETF maintained YANG module?
=====stop=====

This is a good point.  Perhaps we should move all the identities for the algorithms defined in the “ietf-tls-common” module to an IANA-maintained “iana-tls-parameters” module.  Thoughts?

[Qin]: I agree this seems straightforward to me. The module name could be "iana-tls-types" like.

By extension, the same statement applies to the “ssh-client-server” draft and the IANA maintained SSH parameters page: https://www.iana.org/assignments/ssh-parameters/ssh-parameters.xhtml.

One potential issue with doing this is that the existing identities have “if-feature” statements that constrain them to specific TLS-versions and algorithm-families, and are sometimes marked as “deprecated".  By example:

    identity ecdhe-ecdsa-with-aes-128-cbc-sha256 {
       if-feature "tls-1_2";
       if-feature "tls-ecc and tls-sha2";
       base cipher-suite-base;
       status "deprecated";
       description
           "Cipher suite TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256.";
       reference
          "RFC 5289: TLS Elliptic Curve Cipher Suites with
                             SHA-256/384 and AES Galois Counter Mode (GCM)";
    }

But that information is NOT captured in the IANA-maintained page.   What to do?

[Qin]: Why not bind tls version with cipher-suite in the ecdhe-ecdsa-with-aes-128-cbc-sha256 identity definition. Also I feel identity name is too long.

One option would be to drop all the feature statements.  All they do is limit the totality of algorithms presented to an administrator, when configuring which algorithms the client/server should support.  Worst case, all algorithms (of a given type) are presented, regardless if supported by the, e.g., TLS protocol version.  When configuring clients/servers using, e.g., text-based configuration files, such filters are never available.  Does anyone know what Cisco/Juniper/etc. devices do in their command-line and/or web interfaces?

[Qin]: See above, do we need to introduce if-feature "tls-1_2" and why not tie the tls version in the cipher-suite name such as "tls12-ecdhe-ecdsa-with-aes-128-cbc-sha256".

Another option, which I like because it’s less work for me (unless someone can volunteer a GitHub pull request), is to remove the ietf-[tls/ssh]-common modules altogether.  They’re currently optional-to-configure and, when not configured, it’s an implementation-specific decision what, e.g., algorithms to list as being supported during the protocol handshake.  Personally, I’ve never used them (or implemented support for them), happily deferring to internal code and underlying libraries.  In lieu of us not defining these modules now, applications could augment-in their own configuration nodes and, of course, a future WG effort could add them.  Thoughts on this approach?

K.



_______________________________________________
netconf mailing list
netconf@ietf.org
https://www.ietf.org/mailman/listinfo/netconf
_______________________________________________
netconf mailing list
netconf@ietf.org
https://www.ietf.org/mailman/listinfo/netconf