Re: [netconf] Create IANA-defined modules?

"Gary Wu (garywu)" <garywu@cisco.com> Thu, 27 May 2021 01:40 UTC

From: "Gary Wu (garywu)" <garywu@cisco.com>
To: Kent Watsen <kent+ietf@watsen.net>, "netconf@ietf.org" <netconf@ietf.org>
Thread-Topic: Create IANA-defined modules?
Thread-Index: AQHXUmIpteDIu+EmWk2RV35WNDd5cKr2GIAA
Date: Thu, 27 May 2021 01:40:45 +0000
Message-ID: <5F969C92-1A1F-4983-878F-9C222C3DEC05@cisco.com>
References: <01000179aa118e62-0d8dd2b2-f001-4ff3-9d10-4b4e15098055-000000@email.amazonses.com>
In-Reply-To: <01000179aa118e62-0d8dd2b2-f001-4ff3-9d10-4b4e15098055-000000@email.amazonses.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/netconf/MC3HVVyzT45Eh5OlmhKonPjP4cQ>
Subject: Re: [netconf] Create IANA-defined modules?

Hi Kent,

I'm out of the loop with the happenings in the WG, so apologies in advance if
my views are ill-informed.

The IANA maintained module for parameters makes good sense to me.

The if-features are less important than being able to configure or unconfigure
which ciphers are able to be used, so if one has to go, it should be the former.
Presumably, administrators are making security considerations based on sources
other than just what the YANG module has defined.

Thanks,
Gary

On 5/26/21, 12:05 PM, "Kent Watsen" <kent+ietf@watsen.net> wrote:

    [CC-ing Gary, who contributed the “ietf-[tls/ssh]-common” modules originally]


    NETCONF WG,

    The “tls-client-server” draft just received the following GitHub “issue”:

    =====start=====
    This is rather a question than an issue, maybe.

    Given that IANA maintains the TLS parameters at https://www.iana.org/assignments/tls-parameters/tls-parameters.xhtml, would it not be better for that content to come from something like iana-tls[-parameters].yang rather than an IETF maintained YANG module?
    =====stop=====

    This is a good point.  Perhaps we should move all the identities for the algorithms defined in the “ietf-tls-common” module to an IANA-maintained “iana-tls-parameters” module.  Thoughts?

    By extension, the same statement applies to the “ssh-client-server” draft and the IANA maintained SSH parameters page: https://www.iana.org/assignments/ssh-parameters/ssh-parameters.xhtml.

    One potential issue with doing this is that the existing identities have “if-feature” statements that constrain them to specific TLS-versions and algorithm-families, and are sometimes marked as “deprecated”.  By example:

        identity ecdhe-ecdsa-with-aes-128-cbc-sha256 {
          if-feature "tls-1_2";
          if-feature "tls-ecc and tls-sha2";
          base cipher-suite-base;
          status "deprecated";
          description
            "Cipher suite TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256.";
          reference
            "RFC 5289: TLS Elliptic Curve Cipher Suites with
                       SHA-256/384 and AES Galois Counter Mode (GCM)";
        }

    But that information is NOT captured in the IANA-maintained page.   What to do?

    One option would be to drop all the feature statements.  All they do is limit the totality of algorithms presented to an administrator, when configuring which algorithms the client/server should support.  Worst case, all algorithms (of a given type) are presented, regardless of whether they are supported by the, e.g., TLS protocol version.  When configuring clients/servers using, e.g., text-based configuration files, such filters are never available.  Does anyone know what Cisco/Juniper/etc. devices do in their command-line and/or web interfaces?

    Another option, which I like because it’s less work for me (unless someone can volunteer a GitHub pull request), is to remove the ietf-[tls/ssh]-common modules altogether.  They’re currently optional-to-configure and, when not configured, it’s an implementation-specific decision what, e.g., algorithms to list as being supported during the protocol handshake.  Personally, I’ve never used them (or implemented support for them), happily deferring to internal code and underlying libraries.  In lieu of us not defining these modules now, applications could augment-in their own configuration nodes and, of course, a future WG effort could add them.  Thoughts on this approach?

    K.