Re: [netconf] WGLC on draft-ietf-netconf-over-tls13

Jürgen Schönwälder <jschoenwaelder@constructor.university> Thu, 09 March 2023 07:39 UTC

Date: Thu, 09 Mar 2023 08:39:16 +0100
From: Jürgen Schönwälder <jschoenwaelder@constructor.university>
To: Sean Turner <sean@sn3rd.com>
Cc: Jürgen Schönwälder <j.schoenwaelder@jacobs-university.de>, Kent Watsen <kent+ietf@watsen.net>, "netconf@ietf.org" <netconf@ietf.org>
Message-ID: <20230309073916.hqibajbof2jogzdf@anna>
Reply-To: Jürgen Schönwälder <jschoenwaelder@constructor.university>
Mail-Followup-To: Sean Turner <sean@sn3rd.com>, Jürgen Schönwälder <j.schoenwaelder@jacobs-university.de>, Kent Watsen <kent+ietf@watsen.net>, "netconf@ietf.org" <netconf@ietf.org>
References: <01000185988718f9-8bf57d79-4101-4bfb-a8a9-063e7d56e858-000000@email.amazonses.com> <20230125143234.vrygt7h34codgs2c@anna> <09E3A8B3-91B8-4ACA-8E9C-792E4DBCD62F@sn3rd.com> <32062DC3-D84E-4BAB-9BF1-5B12DFF0D987@sn3rd.com>
In-Reply-To: <32062DC3-D84E-4BAB-9BF1-5B12DFF0D987@sn3rd.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/netconf/LWqDBFgwHRaPsdLMRenP4ajy5ww>

Future proofing is always hard since we do not know the future. I
meanwhile find concrete advice more effective than generalized advice
- but I might have answered differently some 20 years ago. ;-)

That said, I am fine with both versions (with a slight preference for
concrete advice over generalized advice).

/js

On Wed, Mar 08, 2023 at 09:00:43PM -0500, Sean Turner wrote:
> Jürgen,
> 
> I am about to start landing these PRs and just wanted to confirm that what you were thinking about in terms of an “update” to RFC 7589 is captured by:
> https://github.com/netconf-wg/netconf-over-tls13/pull/11
> 
> spt
> 
> > On Feb 9, 2023, at 13:32, Sean Turner <sean@sn3rd.com> wrote:
> > 
> > Jürgen,
> > 
> > Thanks for your review. Responses below.
> > 
> > I’ll let these and the other PRs settle for a week before merging.
> > 
> > spt
> > 
> >> On Jan 25, 2023, at 09:32, Jürgen Schönwälder <j.schoenwaelder@jacobs-university.de> wrote:
> >> 
> >> On Mon, Jan 09, 2023 at 09:54:28PM +0000, Kent Watsen wrote:
> >>> We are starting a 2-week WGLC on:
> >>> 	- draft-ietf-netconf-over-tls13-01.
> >>> 
> >>> The document can be found here:
> >>> 	https://datatracker.ietf.org/doc/draft-ietf-netconf-over-tls13
> >>> 
> >>> Please respond on this thread indicating your support or concerns about why this document should/should not be adopted.
> >>> 
> >>> We are particularly interested in statements of the form:
> >>> 	- I have reviewed the draft and found no issues.
> >>> 	- I have reviewed the draft and found the following issues …
> >>> 
> >>> This WGLC will conclude on Monday, January 23.
> >> 
> >> I have reviewed the document and I believe that what it technically
> >> aims to achieve is OK and on track, but the document itself is not ready.
> >> 
> >> - Does this document formally update RFC 7589? I am aware that updates
> >> means many different things (extending, depending-on, rewriting
> >> parts) so I should probably not even ask this question. ;-) But my
> >> gut feeling is that you really want a formal Updates: RFC 7589 here.
> > 
> > We were purposely trying to avoid updating RFC 7589, because we were trying to stay out of picking the MTI protocol. But based on a suggestion in UTA about how to deal with a similar update for syslog, I think we could follow the recommendations in RFC 9325 and not have to get embroiled in a lengthy debate because RFC 9235 is BCP 195:
> > 
> > *  Implementations MUST support TLS 1.2 [RFC5246].
> > *  Implementations SHOULD support TLS 1.3 [RFC8446] and, if
> >  implemented, MUST prefer to negotiate TLS 1.3 over earlier
> >  versions of TLS.
> > 
> > The following PR includes the proposed changes:
> > https://github.com/netconf-wg/netconf-over-tls13/pull/11
> > 
> > The change of course opens a can of worms. Do we change the TLS 1.2 MTI cipher suite? The MTI cipher suite based on RFC 7589 (and this PR) is TLS_RSA_WITH_AES_128_CBC_SHA. There is no chance that cipher suite makes it through the IESG at this point. We could change it to what’s in RFC 9325. I understand why RFC 7589 did not make the 7525 recommendations a MUST; when RFC 7589 was published, RFC 7525 was pretty new. However, it’s been almost 8 years since then, so I am hoping some of the recommendations (2 of the four recommended in 2015 are still there) are widely supported. If that’s the case then maybe the 1st para should be:
> > 
> > Implementations MUST support TLS 1.2 {{RFC5246}}. The mandatory-to-implement
> > cipher suite is TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256. Implementations
> > SHOULD follow the recommendations given in [RFC9325].
> > 
> >> - As already noted by others, there is colloquial discussion around
> >> Section 9.1 of I-D.ietf-tls-rfc8446bis in the document that one
> >> would not expect in a WG last call document.
> > 
> > Yep, deleting it. The section kind of did its job, i.e., “made you look” :)
> > The following PR removes it:
> > https://github.com/netconf-wg/netconf-over-tls13/pull/7
> > 
> >> - In the Security Considerations, what does 'please review" really
> >> mean? Is it required or expected to do what the referenced documents
> >> say or are these just some reading suggestions that can be ignored?
> >> I would prefer to see much clearer guidelines, in particular since
> >> we talk about security.
> > 
> > I guess this didn’t bother me as much as some; when I read “the security considerations of RFCxyz apply” that’s pretty much the same thing as “Please review RFCxyz”. But I can swap it out for the more common language. Note that because it’s an update, the security considerations actually got a lot shorter because we copied a lot of them over. Here’s a PR to address this:
> > https://github.com/netconf-wg/netconf-over-tls13/pull/10
> > 
> >> - Editorial: Fix the following "describes defines" double verb.
> > 
> > Please see:
> > https://github.com/netconf-wg/netconf-over-tls13/pull/9
> > 
> >> /js

-- 
Jürgen Schönwälder              Constructor University Bremen gGmbH
Phone: +49 421 200 3587         Campus Ring 1 | 28759 Bremen | Germany
Fax:   +49 421 200 3103         <https://constructor.university/>
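The MTI rules debated above (TLS 1.2 MUST, TLS 1.3 SHOULD and preferred if implemented, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 as the mandatory suite, the RFC 7589 suite TLS_RSA_WITH_AES_128_CBC_SHA no longer acceptable) turned into a configuration check. This is an added example, not code or text from the draft, the thread or the PRs; the configuration dictionary shape and field names are assumptions, and both sample configurations are constructed.

```python
import re
from dataclasses import dataclass

# Mandatory-to-implement TLS 1.2 suite from the proposed text in the quoted message.
MTI_SUITE = "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"

@dataclass
class Suite:
    name: str
    key_exchange: str   # "ECDHE_RSA" (ephemeral) or "RSA" (static RSA key transport)
    cipher: str         # e.g. "AES_128_GCM" or "AES_128_CBC"
    forward_secret: bool
    aead: bool

# IANA TLS 1.2-style names have the shape TLS_<key exchange>_WITH_<cipher>_<hash>.
_NAME_RE = re.compile(r"^TLS_(?P<kx>.+?)_WITH_(?P<cipher>.+?)_(?P<hash>SHA\d*|MD5)$")

def parse_suite(name):
    m = _NAME_RE.match(name)
    if not m:
        raise ValueError(f"not a TLS 1.2-style IANA cipher suite name: {name}")
    kx, cipher = m.group("kx"), m.group("cipher")
    return Suite(name, kx, cipher,
                 forward_secret="DHE" in kx,  # DHE_* and ECDHE_* use ephemeral keys
                 aead=cipher.endswith(("GCM", "CCM", "CCM_8", "POLY1305")))

def check_policy(config):
    """Findings against the proposed MTI text; an empty list means compliant."""
    # Assumed config shape: {"versions": [most preferred first, ...],
    #                        "tls12_cipher_suites": [IANA names]}
    findings = []
    versions = config["versions"]
    if "1.2" not in versions:
        findings.append("MUST: TLS 1.2 is not supported")
    if "1.3" not in versions:
        findings.append("SHOULD: TLS 1.3 is not supported")
    elif versions[0] != "1.3":
        findings.append("MUST: TLS 1.3 is implemented but not preferred over earlier versions")
    suites = [parse_suite(s) for s in config["tls12_cipher_suites"]]
    if MTI_SUITE not in {s.name for s in suites}:
        findings.append(f"MUST: mandatory-to-implement suite {MTI_SUITE} is missing")
    for s in suites:
        # Every suite RFC 9325 recommends is ephemeral (EC)DH with AEAD encryption.
        if not (s.forward_secret and s.aead):
            findings.append(f"SHOULD (RFC 9325): {s.name} lacks forward secrecy or AEAD")
    return findings

# Constructed configurations: the RFC 7589 MTI as the thread describes it, and the proposal.
LEGACY_7589 = {"versions": ["1.2"], "tls12_cipher_suites": ["TLS_RSA_WITH_AES_128_CBC_SHA"]}
PROPOSED = {"versions": ["1.3", "1.2"], "tls12_cipher_suites": [MTI_SUITE]}
```

`check_policy(LEGACY_7589)` returns three findings (no TLS 1.3, MTI suite missing, static RSA with CBC), while `check_policy(PROPOSED)` returns an empty list.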