[netconf] netconf-tls was Re: Latest ietf-netconf-server draft and related modules

tom petch <ietfc@btconnect.com> Tue, 11 May 2021 11:57 UTC

I find this I-D confused about which versions of TLS are supported. Is it 1.0/1.1/1.2, or 1.2/1.3, or 1.0/1.1/1.2/1.3, or 1.2, or ...?
This needs addressing and the text changed to match.

I suspect that the IESG will not accept any support for 1.0 or 1.1 given the existence of an RFC deprecating them and that this I-D should not go further than putting in place hooks with which an organisation could augment such support if they wanted to, but even that may be going too far.

I wonder too about what forms of authentication are acceptable, something that has changed several times in the life of the I-D. I do not have a view of which are and which are not, but think that guidance from the TLS WG or SecDir or Security AD would be useful now rather than later.

In a similar vein, TLS 1.3 is keen to ship application data before the handshake is complete, before authentication has happened, which causes problems for applications which want the handshake and authentication to complete first. I see NETCONF as being such an application and the I-D needs to address that, as it is being addressed by other WGs.

Tom Petch
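An added example (not part of the mail above or of the netconf-server draft) of the kind of policy check an operator could run over a NETCONF-over-TLS server configuration to catch the two issues raised: deprecated TLS versions and missing client authentication. The configuration shape loosely follows the tls-server/tls-common YANG modules (a list of TLS version identities and a client-authentication container), but the node names, the identity names and the sample inputs are assumptions constructed for this example.

```python
"""Policy check for a NETCONF-over-TLS server configuration (added example).

The dict layout below is an assumption modelled loosely on the tls-server
YANG modules; node and identity names are not taken from the draft.
"""
from typing import Dict, List

# RFC 8996 deprecates TLS 1.0 and 1.1; the mail expects the IESG to reject
# any support for them, so they are flagged outright.
DEPRECATED_VERSIONS = {"tls10", "tls11"}
ACCEPTABLE_VERSIONS = {"tls12", "tls13"}


def check_tls_server(cfg: Dict) -> List[str]:
    """Return a list of policy findings; an empty list means the config passes."""
    findings: List[str] = []
    versions = set(cfg.get("tls-versions", {}).get("tls-version", []))
    if not versions:
        findings.append("no tls-versions listed: the supported version set is undefined")
    for v in sorted(versions & DEPRECATED_VERSIONS):
        findings.append(f"deprecated TLS version enabled: {v} (RFC 8996)")
    for v in sorted(versions - DEPRECATED_VERSIONS - ACCEPTABLE_VERSIONS):
        findings.append(f"unknown TLS version identity: {v}")
    if versions and not versions & ACCEPTABLE_VERSIONS:
        findings.append("no acceptable TLS version (tls12/tls13) enabled")
    # NETCONF relies on TLS to authenticate the client, so the server must
    # be configured with trust anchors for client certificates.
    client_auth = cfg.get("client-authentication")
    if not client_auth:
        findings.append("client-authentication absent: clients are not authenticated")
    elif not (client_auth.get("ca-certs") or client_auth.get("ee-certs")):
        findings.append("client-authentication configured without any trust anchors")
    return findings


# Constructed sample inputs (assumed layout, not from the draft).
WEAK_CONFIG = {
    "tls-versions": {"tls-version": ["tls10", "tls11", "tls12"]},
}
HARDENED_CONFIG = {
    "tls-versions": {"tls-version": ["tls12", "tls13"]},
    "client-authentication": {"ca-certs": ["constructed-ca-bundle"]},
}

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, check_tls_server(cfg) or ["OK"])
```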