Re: [netconf] netconf-tls wasRe: Summary of updates
Juergen Schoenwaelder <j.schoenwaelder@jacobs-university.de> Tue, 25 May 2021 14:40 UTC
Archived-At: <https://mailarchive.ietf.org/arch/msg/netconf/Lo_d5GLKUdoThZDU4JonZhmtyxY>
On Tue, May 25, 2021 at 02:04:02PM +0000, Kent Watsen wrote:
>
> Hi Juergen,
>
> > RFC 5539 (published in May 2009) defines NETCONF over TLS and it is
> > very specific that it requires TLS 1.2 or future versions of TLS:
> >
> >    Implementations MUST support TLS 1.2 [RFC5246] and are REQUIRED to
> >    support the mandatory-to-implement cipher suite, which is
> >    TLS_RSA_WITH_AES_128_CBC_SHA. This document is assumed to apply to
> >    future versions of TLS; in which case, the mandatory-to-implement
> >    cipher suite for the implemented version MUST be supported.
> >
> > Given this, I do not think we need to consider TLS versions < 1.2
> > since there was never a specification for NETCONF over TLS versions <
> > 1.2 - a NETCONF over TLS 1.1 implementation is using a non-standard
> > transport.
>
>
> The tls-client-server draft is not exclusive to NETCONF. For example, RESTCONF and PCE WG has a “peep-yang” draft...

Yep, I tend to forget this...

> That said, it seems Tom is saying that TLS 1.0 and 1.1 are effectively historic at this point (no longer used) and so support for those versions should be dropped for that reason?

If there are any features provided to configure historic versions of
TLS, then the features and identities for TLS 1.0 and 1.1 should
likely have a status obsolete and the feature and identities for TLS
1.2 may have status deprecated.

> The netconf-client-server doesn’t yet, but perhaps should, state
> that the tls-client-server’s draft support for 1.3 should be ignored
> until RFC 5539 is updated?

I guess someone (Tom?) should review RFC 5539 from the TLS 1.3
perspective to tell the WG if any changes are needed so that the WG
can take an informed decision whether an update of RFC 5539 is
necessary or whether what we have is good enough.

/js

--
Juergen Schoenwaelder           Jacobs University Bremen gGmbH
Phone: +49 421 200 3587         Campus Ring 1 | 28759 Bremen | Germany
Fax:   +49 421 200 3103         <https://www.jacobs-university.de/>