Re: [netconf] netconf-tls wasRe: Summary of updates

tom petch <ietfc@btconnect.com> Mon, 24 May 2021 09:07 UTC

From: tom petch <ietfc@btconnect.com>
To: Kent Watsen <kent+ietf@watsen.net>
CC: "netconf@ietf.org" <netconf@ietf.org>
Thread-Topic: [netconf] netconf-tls wasRe: Summary of updates
Thread-Index: AQHXTivrmXzh9hQhpkqYWkZI8gMDLqryWB1g
Date: Mon, 24 May 2021 09:07:25 +0000
Message-ID: <AM7PR07MB6248C43AF481F5A94D2041DAA0269@AM7PR07MB6248.eurprd07.prod.outlook.com>
References: <0100017980c49236-7975b99d-b591-4da2-a118-f6598517c4e5-000000@email.amazonses.com> <AM7PR07MB624835D8BE54144D97221817A02B9@AM7PR07MB6248.eurprd07.prod.outlook.com>, <010001798c0d947e-4d2d14f5-9f0e-450d-ac99-e18c260f0c2b-000000@email.amazonses.com>, <AM7PR07MB6248FF0E1E5A053D4FA2BDC4A0299@AM7PR07MB6248.eurprd07.prod.outlook.com>
In-Reply-To: <AM7PR07MB6248FF0E1E5A053D4FA2BDC4A0299@AM7PR07MB6248.eurprd07.prod.outlook.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/netconf/MKJXXFmXmp-uBdHd5YMXSsL9xJQ>
Subject: Re: [netconf] netconf-tls wasRe: Summary of updates

From: tom petch <ietfc@btconnect.com>
Sent: 21 May 2021 11:27
From: Kent Watsen <kent+ietf@watsen.net>
Sent: 21 May 2021 00:12

Hi Tom,

I still think that the I-D lacks clarity about supported versions.

<tp2.0>
OK, some references.

tlscmn

tls-ecc
needs RFC8446

tls-dhe
needs 8446

tls-3des
ok no support in 1.3

tls-gcm 
needs 8446

identity ciphersuite
I do not see the 1.3 values from 8446 B.4

hello-params
needs 8446

tls-client
I note that the feature statements do not have references which some YANG doctors say they should have.

container client-identity
needs 8446 and a reference in the body to 8446 s.4.4.2

case psk
needs Normative References to the two
draft-ietf-tls-external-psk-*

tls-server

container server-identity
as client-identity

case psk
as for tls-client

Tom Petch


Introduction
TLS Protocol [RFC5246]
Clearly this is TLS1.2 only

Yes.   In keeping with the original intention (to reference just the current, not obsoleted, document), this should be updated to RFC 8446.   But I wonder if you think the document should reference all four documents (2246, 4346, 5246, and 8446) and then have DOWNREFS?

Background: the document generally references TLS 1.2 as that *was* the “current” TLS version when most of the text was written.  TLS 1.3 happened later, and a minimal (and apparently inadequate) update was made to accommodate it.  What you’re finding are the remnants of that history...

PS:  I don’t claim to be a TLS expert.  It would be helpful if corrected text could be provided.  Pointing out the issues is great, but it takes time for me to determine what update is needed, something you may have well in mind?

<tp>
Yes, I did divine that the I-D appeared before TLS1.3 and so that was retrofitted.  Since that is now the current version and has been for a while, I think that all references to TLS1.2 need a parallel reference to 1.3 as long as 1.3 has the same constructs (which in places it has not).  This applied throughout the YANG modules

I was all for ditching any mention of 1.1 and 1.0 if only for the extra complication.  I no longer recall where 1.2 differs from its predecessors e.g. extensions incorporated in the base, signature algorithms, and it is probably overkill to find the relevant references for those older versions and adding them to the YANG as well but do think something needs adding in the body of the I-D to the effect that support for 1.0, 1.1 is partial, identity for the version number but not details of cipher suites, relevant RFC and so on.

I will look some more at the TLS1.3 references next week.

Tom Petch

K.



s.2
This model supports both TLS1.2 and TLS1.3
Ah, no, TLS1.2 and TLS1.3 but not TLS1.0 or TLS1.1

s.2.1.1
Features
tls-1_0
tls-1_1
tls-1_2
tls-1_3
Ah no, it may not support 1.0 and 1.1 but it ........ for them but I know not what.

2.2
an example for 1.1 and 1.2 but not 1.3; interesting.

Reverse engineering the YANG I find that 'Version 1.0 is supported', 'Version 1.1 is supported'.

hello-params-grouping
Only 1.2 is referenced as indeed is repeatedly the case in the YANG modules

Mmm I dunno!

I want the Introduction to set the scene which subsequent sections expand on and that I see as lacking.  Support for 1.0 and 1.1 would, for me, mean catering for the different cipher suites that they have.

In passing, I was wrong about public keys.  I misread the statement that only certificates and PSK are supported in TLS1.3, forgetting that certificate(255) is a public key!

Tom Petch




  4) for the “http” draft, no significant update (really? hmm...)
  5) for the “netconf” draft, whilst not in WGLC, significant updates wrt the "client-identity-mappings” nodes.

Notably, beware that the Last Call YANG-doctor review for some of these four drafts has been pending this update, so expect to see a little more activity on these drafts yet.

K.
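The review above asks for two things in the YANG: feature statements that carry a reference to the RFC defining that TLS version, and cipher-suite identities that cite RFC 8446 (Appendix B.4) for TLS 1.3 rather than only RFC 5246. The module below is an added, stand-alone illustration of that pattern, not the ietf-tls-common module from the draft; the module name, namespace, prefix and identity names are assumptions.

```yang
// Illustrative module only (not the draft's ietf-tls-common); the
// namespace, prefix and identity names here are assumed.
module example-tls-versions {
  yang-version 1.1;
  namespace "urn:example:tls-versions";
  prefix extv;

  // Each version feature cites the RFC that defines that version,
  // so a reader can see which protocol document a feature refers to.
  feature tls-1_0 {
    description
      "TLS 1.0 is supported.  Only the version is modelled here;
       no cipher-suite identities are defined for it.";
    reference
      "RFC 2246: The TLS Protocol Version 1.0";
  }
  feature tls-1_2 {
    description "TLS 1.2 is supported.";
    reference
      "RFC 5246: The Transport Layer Security (TLS) Protocol Version 1.2";
  }
  feature tls-1_3 {
    description "TLS 1.3 is supported.";
    reference
      "RFC 8446: The Transport Layer Security (TLS) Protocol Version 1.3";
  }

  identity cipher-suite-base {
    description "Base identity from which all cipher suites derive.";
  }

  // A TLS 1.2-only suite: gated on tls-1_2 and referencing RFC 5246.
  identity tls-rsa-with-aes-128-cbc-sha {
    if-feature "tls-1_2";
    base cipher-suite-base;
    description "TLS_RSA_WITH_AES_128_CBC_SHA, defined for TLS 1.2.";
    reference
      "RFC 5246: The Transport Layer Security (TLS) Protocol
       Version 1.2, Appendix A.5";
  }

  // A TLS 1.3 suite: gated on tls-1_3 and referencing RFC 8446 B.4,
  // which is where the TLS 1.3 cipher-suite values are listed.
  identity tls-aes-128-gcm-sha256 {
    if-feature "tls-1_3";
    base cipher-suite-base;
    description "TLS_AES_128_GCM_SHA256, defined for TLS 1.3.";
    reference
      "RFC 8446: The Transport Layer Security (TLS) Protocol
       Version 1.3, Appendix B.4";
  }
}
```

The if-feature statements make the version dependency explicit, so a server advertising only tls-1_3 cannot be configured with a 1.2-only suite.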