Re: [netconf] netconf-tls wasRe: Summary of updates

Juergen Schoenwaelder <j.schoenwaelder@jacobs-university.de> Tue, 25 May 2021 14:40 UTC

Date: Tue, 25 May 2021 16:40:40 +0200
From: Juergen Schoenwaelder <j.schoenwaelder@jacobs-university.de>
To: Kent Watsen <kent+ietf@watsen.net>
Cc: tom petch <ietfc@btconnect.com>, "netconf@ietf.org" <netconf@ietf.org>
Message-ID: <20210525144040.qn24ruxiof3ydxa2@anna.jacobs.jacobs-university.de>
Reply-To: Juergen Schoenwaelder <j.schoenwaelder@jacobs-university.de>
Mail-Followup-To: Kent Watsen <kent+ietf@watsen.net>, tom petch <ietfc@btconnect.com>, "netconf@ietf.org" <netconf@ietf.org>
References: <0100017980c49236-7975b99d-b591-4da2-a118-f6598517c4e5-000000@email.amazonses.com> <AM7PR07MB624835D8BE54144D97221817A02B9@AM7PR07MB6248.eurprd07.prod.outlook.com> <010001798c0d947e-4d2d14f5-9f0e-450d-ac99-e18c260f0c2b-000000@email.amazonses.com> <AM7PR07MB6248FF0E1E5A053D4FA2BDC4A0299@AM7PR07MB6248.eurprd07.prod.outlook.com> <01000179a0aa5d37-4810234e-8db2-434d-b8fa-780c1648955a-000000@email.amazonses.com> <AM7PR07MB624888AD4CB3C09809B22702A0259@AM7PR07MB6248.eurprd07.prod.outlook.com> <20210525100652.fd3kbsilxscwk7yj@anna.jacobs.jacobs-university.de> <01000179a3d6eefe-455c9e3e-b42d-4704-8030-a34ae3f52b82-000000@email.amazonses.com>
In-Reply-To: <01000179a3d6eefe-455c9e3e-b42d-4704-8030-a34ae3f52b82-000000@email.amazonses.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/netconf/Lo_d5GLKUdoThZDU4JonZhmtyxY>
Subject: Re: [netconf] netconf-tls wasRe: Summary of updates

On Tue, May 25, 2021 at 02:04:02PM +0000, Kent Watsen wrote:
> 
> Hi Juergen,
> 
> > RFC 5539 (published in May 2009) defines NETCONF over TLS and it is
> > very specific that it requires TLS 1.2 or future versions of TLS:
> > 
> >   Implementations MUST support TLS 1.2 [RFC5246] and are REQUIRED to
> >   support the mandatory-to-implement cipher suite, which is
> >   TLS_RSA_WITH_AES_128_CBC_SHA.  This document is assumed to apply to
> >   future versions of TLS; in which case, the mandatory-to-implement
> >   cipher suite for the implemented version MUST be supported.
> > 
> > Given this, I do not think we need to consider TLS versions < 1.2
> > since there was never a specification for NETCONF over TLS versions <
> > 1.2 - a NETCONF over TLS 1.1 implementation is using a non-standard
> > transport.
> 
> 
> The tls-client-server draft is not exclusive to NETCONF.  For example, RESTCONF and PCE WG has a "pcep-yang" draft...

Yep, I tend to forget this...
 
> That said, it seems Tom is saying that TLS 1.0 and 1.1 are effectively historic at this point (no longer used) and so support for those versions should be dropped for that reason?

If there are any features provided to configure historic versions of
TLS, then the features and identities for TLS 1.0 and 1.1 should
likely have a status obsolete and the feature and identities for TLS
1.2 may have status deprecated.
 
> The netconf-client-server doesn’t yet, but perhaps should, state
> that the tls-client-server’s draft support for 1.3 should be ignored
> until RFC 5539 is updated?

I guess someone (Tom?) should review RFC 5539 from the TLS 1.3
perspective to tell the WG if any changes are needed so that the WG
can take an informed decision whether an update of RFC 5539 is
necessary or whether what we have is good enough.

/js

-- 
Juergen Schoenwaelder           Jacobs University Bremen gGmbH
Phone: +49 421 200 3587         Campus Ring 1 | 28759 Bremen | Germany
Fax:   +49 421 200 3103         <https://www.jacobs-university.de/>