Re: [netconf] WGLC on draft-ietf-netconf-over-tls13
Jürgen Schönwälder <jschoenwaelder@constructor.university> Thu, 09 March 2023 07:39 UTC
Date: Thu, 09 Mar 2023 08:39:16 +0100
From: Jürgen Schönwälder <jschoenwaelder@constructor.university>
To: Sean Turner <sean@sn3rd.com>
Cc: Jürgen Schönwälder <j.schoenwaelder@jacobs-university.de>, Kent Watsen <kent+ietf@watsen.net>, "netconf@ietf.org" <netconf@ietf.org>

Future proofing is always hard since we do not know the future. I
meanwhile find concrete advice more effective than generalized advice -
but I might have answered differently some 20 years ago. ;-)

That said, I am fine with both versions (with a slight preference for
concrete advice over generalized advice).

/js

On Wed, Mar 08, 2023 at 09:00:43PM -0500, Sean Turner wrote:
> Jürgen,
>
> I am about to start landing these PRs and just wanted to confirm that what you were thinking about in terms of an “update” to RFC 7589 is captured by:
> https://github.com/netconf-wg/netconf-over-tls13/pull/11
>
> spt
>
> > On Feb 9, 2023, at 13:32, Sean Turner <sean@sn3rd.com> wrote:
> >
> > Jürgen,
> >
> > Thanks for your review. Responses below.
> >
> > I’ll let these and the other PRs settle for a week before merging.
> >
> > spt
> >
> >> On Jan 25, 2023, at 09:32, Jürgen Schönwälder <j.schoenwaelder@jacobs-university.de> wrote:
> >>
> >> On Mon, Jan 09, 2023 at 09:54:28PM +0000, Kent Watsen wrote:
> >>> We are starting a 2 week WGLC on:
> >>> - draft-ietf-netconf-over-tls13-01.
> >>>
> >>> The document can be found here:
> >>> https://datatracker.ietf.org/doc/draft-ietf-netconf-over-tls13
> >>>
> >>> Please respond on this thread indicating your support or concerns about why this document should/should not be adopted.
> >>>
> >>> We are particularly interested in statements of the form:
> >>> - I have reviewed the draft and found no issues.
> >>> - I have reviewed the draft and found the following issues …
> >>>
> >>> This WGLC will conclude on Monday, January 23.
> >>
> >> I have reviewed the document and I believe that what it technically
> >> aims to achieve is OK and on track, but the document itself is not ready.
> >>
> >> - Does this document formally update RFC 7589? I am aware that updates
> >>   means many different things (extending, depending-on, rewriting
> >>   parts) so I should probably not even ask this question. ;-) But my
> >>   gut feeling is that you really want a formal Updates: RFC 7589 here.
> >
> > We were purposely trying to avoid updating RFC 7589, because we were trying to stay out of picking the MTI protocol. But based on a suggestion in UTA about how to deal with a similar update for syslog, I think we could follow the recommendations in RFC 9325 and not have to get embroiled in a lengthy debate because RFC 9235 is BCP 195:
> >
> > * Implementations MUST support TLS 1.2 [RFC5246].
> > * Implementations SHOULD support TLS 1.3 [RFC8446] and, if
> >   implemented, MUST prefer to negotiate TLS 1.3 over earlier
> >   versions of TLS.
> >
> > The following PR includes the proposed changes:
> > https://github.com/netconf-wg/netconf-over-tls13/pull/11
> >
> > The change of course opens a can of worms. Do we change the TLS 1.2 MTI cipher suite? The MTI cipher suite based on RFC 7589 (and this PR) is TLS_RSA_WITH_AES_128_CBC_SHA. There is no chance that cipher suite makes it through the IESG at this point. We could change it to what’s in RFC 9325. I understand why RFC 7589 did not make the 7525 recommendations a MUST; when RFC 7589 was published, RFC 7525 was pretty new. However, it’s been almost 8 years since then, so I am hoping some of the recommendations (2 of the four recommended in 2015 are still there) are widely supported. If that’s the case then maybe the 1st para should be:
> >
> >   Implementations MUST support TLS 1.2 {{RFC5246}}. The mandatory-to-implement
> >   cipher suite is TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256. Implementations
> >   SHOULD follow the recommendations given in [RFC9325].
> >
> >> - As already noted by others, there is colloquial discussion around
> >>   Section 9.1 of I-D.ietf-tls-rfc8446bis in the document that one
> >>   would not expect in a WG last call document.
> >
> > Yep, deleting it. The section kind of did its job, i.e., “made you look” :)
> > The following PR removes it:
> > https://github.com/netconf-wg/netconf-over-tls13/pull/7
> >
> >> - In the Security Considerations, what does "please review" really
> >>   mean? Is it required or expected to do what the referenced documents
> >>   say, or are these just some reading suggestions that can be ignored?
> >>   I would prefer to see much clearer guidelines, in particular since
> >>   we talk about security.
> >
> > I guess this didn’t bother me as much as some; when I read “the security considerations of RFCxyz apply”, that’s pretty much the same thing as “Please review RFCxyz”. But, I can swap it out for the more common language. Note that because it’s an update, the security considerations actually got a lot shorter because we copied a lot of them over. Here’s a PR to address this:
> > https://github.com/netconf-wg/netconf-over-tls13/pull/10
> >
> >> - Editorial: Fix the following "describes defines" double verb.
> >
> > Please see:
> > https://github.com/netconf-wg/netconf-over-tls13/pull/9
> >
> >> /js
> >>
> >> --
> >> Jürgen Schönwälder              Constructor University Bremen gGmbH
> >> Phone: +49 421 200 3587         Campus Ring 1 | 28759 Bremen | Germany
> >> Fax:   +49 421 200 3103         <https://www.jacobs-university.de/>
> >>
> >> _______________________________________________
> >> netconf mailing list
> >> netconf@ietf.org
> >> https://www.ietf.org/mailman/listinfo/netconf
> >
>

--
Jürgen Schönwälder              Constructor University Bremen gGmbH
Phone: +49 421 200 3587         Campus Ring 1 | 28759 Bremen | Germany
Fax:   +49 421 200 3103         <https://constructor.university/>
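The version and cipher-suite text discussed in this thread (TLS 1.2 MUST, TLS 1.3 SHOULD and preferred when implemented, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 as the new TLS 1.2 MTI suite in place of RFC 7589's TLS_RSA_WITH_AES_128_CBC_SHA), turned into an audit check over a NETCONF server's advertised configuration. This is an added example, not code from the draft or the netconf-wg repository; the version strings, the finding levels and the sample server offers are this example's own constructed conventions.

```python
"""Constructed example (not code from the draft or the netconf-wg repository):
evaluate a NETCONF-over-TLS server's advertised configuration against the
TLS version and cipher-suite text proposed in this thread."""

MTI_SUITE_TLS12 = "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"  # proposed new TLS 1.2 MTI suite
LEGACY_MTI_SUITE = "TLS_RSA_WITH_AES_128_CBC_SHA"          # RFC 7589 MTI suite
DEPRECATED_VERSIONS = ("TLSv1.0", "TLSv1.1")                # deprecated by RFC 8996


def forward_secret(suite: str) -> bool:
    """(EC)DHE key exchange gives forward secrecy; 'TLS_RSA_' means static RSA key transport."""
    return suite.startswith(("TLS_ECDHE_", "TLS_DHE_"))


def aead(suite: str) -> bool:
    """GCM, CCM and ChaCha20-Poly1305 are AEAD modes; CBC-plus-HMAC suites are not."""
    return "_GCM_" in suite or "_CCM" in suite or "CHACHA20_POLY1305" in suite


def check_netconf_tls(versions, tls12_suites):
    """versions and tls12_suites are the server's offers in preference order
    (version strings are this example's own convention).  Returns a list of
    (level, message) findings; an empty list means the proposed text is met."""
    findings = []
    for v in versions:
        if v in DEPRECATED_VERSIONS:
            findings.append(("MUST NOT", f"{v} is deprecated by RFC 8996"))
    if "TLSv1.2" not in versions:
        findings.append(("MUST", "TLS 1.2 is mandatory to implement"))
    if "TLSv1.3" not in versions:
        findings.append(("SHOULD", "TLS 1.3 should be supported"))
    elif "TLSv1.2" in versions and versions.index("TLSv1.3") > versions.index("TLSv1.2"):
        findings.append(("MUST", "TLS 1.3, when implemented, must be preferred over TLS 1.2"))
    if MTI_SUITE_TLS12 not in tls12_suites:
        findings.append(("MUST", f"TLS 1.2 MTI suite {MTI_SUITE_TLS12} is not offered"))
    if tls12_suites and not forward_secret(tls12_suites[0]):
        findings.append(("MUST", "forward-secret suites must be preferred (RFC 9325)"))
    for s in tls12_suites:
        if not forward_secret(s):  # the RFC 7589 MTI suite falls here
            findings.append(("ADVICE", f"{s} uses static RSA key transport (no forward secrecy)"))
        if not aead(s):
            findings.append(("ADVICE", f"{s} is not an AEAD suite; RFC 9325 recommends (EC)DHE GCM suites"))
    return findings


if __name__ == "__main__":
    # A server still configured exactly as RFC 7589 requires (constructed sample offer).
    for level, msg in check_netconf_tls(["TLSv1.2"], [LEGACY_MTI_SUITE]):
        print(f"[{level}] {msg}")
```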