Re: [Netconf] [netmod] draft-ietf-netconf-netconf-client-server – TCP keepalives

Kent Watsen <kwatsen@juniper.net> Mon, 11 June 2018 21:19 UTC

Return-Path: <kwatsen@juniper.net>
X-Original-To: netconf@ietfa.amsl.com
Delivered-To: netconf@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id DAC25130ED8 for <netconf@ietfa.amsl.com>; Mon, 11 Jun 2018 14:19:40 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.701
X-Spam-Level:
X-Spam-Status: No, score=-2.701 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=unavailable autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=juniper.net
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 9zjPI6MXj4Ej for <netconf@ietfa.amsl.com>; Mon, 11 Jun 2018 14:19:38 -0700 (PDT)
Received: from mx0b-00273201.pphosted.com (mx0b-00273201.pphosted.com [67.231.152.164]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 6A236130EE0 for <netconf@ietf.org>; Mon, 11 Jun 2018 14:19:38 -0700 (PDT)
Received: from pps.filterd (m0108162.ppops.net [127.0.0.1]) by mx0b-00273201.pphosted.com (8.16.0.22/8.16.0.22) with SMTP id w5BLJHpB011173; Mon, 11 Jun 2018 14:19:36 -0700
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=juniper.net; h=from : to : cc : subject : date : message-id : content-type : content-id : content-transfer-encoding : mime-version; s=PPS1017; bh=0fdlvBE4yJHuR7CnjbksXUXv5KbyEYRiuCOVmMFUoNs=; b=PQIzU73+XQVshz0YX5cU/+pX8j4gcmuQHafy8WoZS4ud1gGN+zM8OA0Cgyj1dZKuEdHm TNFXC0Mannw4fGuU5ylDnhZr8tobOrDoX5f+M6WBJUtV9roKAYXeEMmMdSwerZn27uZk ydTRDa26Q4m01SfCqPUjgVcdX5kjygMGp6CC8TEU/jREhSgAnXEXuxBvAf5QKK3YKP4/ MgbyspGX6/ZrkudXSluKgF7Wokh/QiDWAqntSigFbvZ6ISA439yrE7gIIKjeMvGDq4ca pQ6huQfmib8IN6Q4M8OlN1L5NBjnP9o3wDJGXQh/oQK0L6keo/oKIS0avWR2TG3/cw6T ig==
Received: from nam01-by2-obe.outbound.protection.outlook.com (mail-by2nam01lp0182.outbound.protection.outlook.com [216.32.181.182]) by mx0b-00273201.pphosted.com with ESMTP id 2jj07r01ty-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-SHA384 bits=256 verify=NOT); Mon, 11 Jun 2018 14:19:36 -0700
Received: from BYAPR05MB4230.namprd05.prod.outlook.com (52.135.200.153) by BYAPR05MB4534.namprd05.prod.outlook.com (52.135.203.149) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.863.6; Mon, 11 Jun 2018 21:19:34 +0000
Received: from BYAPR05MB4230.namprd05.prod.outlook.com ([fe80::959d:9fbe:90e4:3cc]) by BYAPR05MB4230.namprd05.prod.outlook.com ([fe80::959d:9fbe:90e4:3cc%3]) with mapi id 15.20.0863.010; Mon, 11 Jun 2018 21:19:34 +0000
From: Kent Watsen <kwatsen@juniper.net>
To: NICK HANCOCK <nick.hancock@adtran.com>
CC: "netconf@ietf.org" <netconf@ietf.org>
Thread-Topic: =?utf-8?B?W25ldG1vZF0gZHJhZnQtaWV0Zi1uZXRjb25mLW5ldGNvbmYtY2xpZW50LXNl?= =?utf-8?B?cnZlciDigJMgVENQIGtlZXBhbGl2ZXM=?=
Thread-Index: AQHUAcnkCIMLMWtNFU+m0D0z05WplQ==
Date: Mon, 11 Jun 2018 21:19:34 +0000
Message-ID: <77A31AA5-0148-46CE-ADC9-6022E5DCAD27@juniper.net>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
user-agent: Microsoft-MacOutlook/f.20.0.170309
x-originating-ip: [66.129.241.13]
x-ms-publictraffictype: Email
x-microsoft-exchange-diagnostics: 1; BYAPR05MB4534; 7:m7so6sbi16c3L/AeyOBFyBJthkzoQmusPFtKOdt04+0wjr7GwvuhwIpoEYgU7ZqU6If9Pp4vDtTaLndceSg3KHQpnBhxV5Pg3ofpSwFp91h6Kob3BfmGWV0XlmMSCjY0/cXKPSFpIbS69+RM/XhslbYH7IelN5N5g7esqb9PyuKFzQxW1FWMpnk6/4978eRudQ/RLzYNAySKf3Pq9daiymWYyDZnlMUY3rUBDS95S/VKAjhuGA+a6HNbg4uYsl7k
x-ms-exchange-antispam-srfa-diagnostics: SOS;
x-ms-office365-filtering-ht: Tenant
x-microsoft-antispam: UriScan:; BCL:0; PCL:0; RULEID:(7020095)(4652020)(48565401081)(5600026)(4534165)(4627221)(201703031133081)(201702281549075)(2017052603328)(7153060)(7193020); SRVR:BYAPR05MB4534;
x-ms-traffictypediagnostic: BYAPR05MB4534:
x-microsoft-antispam-prvs: <BYAPR05MB45348DE3EC272A757936948FA5780@BYAPR05MB4534.namprd05.prod.outlook.com>
x-exchange-antispam-report-test: UriScan:(192374486261705);
x-ms-exchange-senderadcheck: 1
x-exchange-antispam-report-cfa-test: BCL:0; PCL:0; RULEID:(8211001083)(6040522)(2401047)(5005006)(8121501046)(3002001)(3231254)(944501410)(52105095)(93006095)(93001095)(10201501046)(6055026)(149027)(150027)(6041310)(20161123564045)(20161123558120)(20161123560045)(20161123562045)(201703131423095)(201702281528075)(20161123555045)(201703061421075)(201703061406153)(6072148)(201708071742011)(7699016); SRVR:BYAPR05MB4534; BCL:0; PCL:0; RULEID:; SRVR:BYAPR05MB4534;
x-forefront-prvs: 070092A9D3
x-forefront-antispam-report: SFV:NSPM; SFS:(10019020)(39380400002)(366004)(346002)(39860400002)(376002)(396003)(189003)(199004)(53754006)(4326008)(97736004)(14454004)(6246003)(5250100002)(2616005)(68736007)(476003)(82746002)(478600001)(486006)(36756003)(316002)(25786009)(58126008)(33656002)(5660300001)(6916009)(83716003)(86362001)(2900100001)(229853002)(106356001)(105586002)(6486002)(2906002)(3280700002)(6436002)(7736002)(8936002)(186003)(59450400001)(3660700001)(102836004)(53546011)(6506007)(6116002)(66066001)(305945005)(26005)(81166006)(53936002)(3846002)(81156014)(6512007)(99286004); DIR:OUT; SFP:1102; SCL:1; SRVR:BYAPR05MB4534; H:BYAPR05MB4230.namprd05.prod.outlook.com; FPR:; SPF:None; LANG:en; PTR:InfoNoRecords; MX:1; A:1;
received-spf: None (protection.outlook.com: juniper.net does not designate permitted sender hosts)
x-microsoft-antispam-message-info: pAJMK3cTbatETgZmYuh+/iRfv1nSlVj1+ZhRQNqOJM5eHYxfM9wrKKYXFy1qG25cLIdYUql+1+FY3gWz/qJBnA8waNGaX/P7BzS/J4BpeS2W/MntYZgaQnn0Lp7kAfe5u/yMv19Mu/ygfBUJVmc+IQdRfYd18fI4HNA0v3QCTtD6TMKK7TR6Rw2P0bwDw1mz
spamdiagnosticoutput: 1:99
spamdiagnosticmetadata: NSPM
Content-Type: text/plain; charset="utf-8"
Content-ID: <F0307E2A1B85804D9FB10DFD7E0C3EDC@namprd05.prod.outlook.com>
Content-Transfer-Encoding: base64
MIME-Version: 1.0
X-MS-Office365-Filtering-Correlation-Id: 8518ed44-046a-42be-901c-08d5cfe1079a
X-OriginatorOrg: juniper.net
X-MS-Exchange-CrossTenant-Network-Message-Id: 8518ed44-046a-42be-901c-08d5cfe1079a
X-MS-Exchange-CrossTenant-originalarrivaltime: 11 Jun 2018 21:19:34.4641 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: bea78b3c-4cdb-4130-854a-1d193232e5f4
X-MS-Exchange-Transport-CrossTenantHeadersStamped: BYAPR05MB4534
X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10434:, , definitions=2018-06-11_10:, , signatures=0
X-Proofpoint-Spam-Details: rule=outbound_spam_notspam policy=outbound_spam score=0 priorityscore=1501 malwarescore=0 suspectscore=0 phishscore=0 bulkscore=0 spamscore=0 clxscore=1015 lowpriorityscore=0 mlxscore=0 impostorscore=0 mlxlogscore=999 adultscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.0.1-1805220000 definitions=main-1806110239
Archived-At: <https://mailarchive.ietf.org/arch/msg/netconf/MOzcZKp2rSxPVMTGdmmrVInwx2M>
Subject: Re: [Netconf] =?utf-8?q?=5Bnetmod=5D_draft-ietf-netconf-netconf-clie?= =?utf-8?q?nt-server_=E2=80=93_TCP_keepalives?=
X-BeenThere: netconf@ietf.org
X-Mailman-Version: 2.1.26
Precedence: list
List-Id: Network Configuration WG mailing list <netconf.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/netconf>, <mailto:netconf-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/netconf/>
List-Post: <mailto:netconf@ietf.org>
List-Help: <mailto:netconf-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/netconf>, <mailto:netconf-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 11 Jun 2018 21:19:41 -0000

[+netconf, -netmod]

The issue appears to be with current TLS libraries not implementing TLS keepalives, the HeartbeatRequest messages defined by [RFC6520].   I have not myself validated this yet, does anyone have any experience?

If it is true that HeartbeatRequest messages is not supported today, do we:
  a) encourage the TLS library maintainers to implement it
  b) or introduce an ability to configure TCP-level keepalives
  c) or both?

Any other ideas?

Thanks,
Kent



On 6/11/18, 12:32 PM, "netmod on behalf of NICK HANCOCK" <netmod-bounces@ietf.org on behalf of nick.hancock@adtran.com>; wrote:

Hi All, 
 
A couple of companies are working on a solutions to implement devices, such as DPUs, based on the requirements of the Broadband Forum Technical Report TR-301 issue 2 “Architecture and Requirements for Fiber to the Distribution Point”, which requires TLS for the persistent NETCONF connection, for which the configuration of call home is to be by means of the ‘ietf-netconf-server’ module. 
 
TLS heartbeat cannot be supported to keep the call home connection alive, because TLS heartbeat is not or no longer supported by many TLS libraries, such as OpenSSL in the wake of the Heartbleed security bug. Although TCP keep-alives are not secure, we will nevertheless be required to support TCP keepalives to ensure that the connection remains persistent and these keepalives would also need to be configurable. Unfortunately, the keepalive configuration implemented in ‘ietf-netconf-server’, although not bound to the ‘transport’ choice, is bound to the secure layer textually in the description of the data nodes (references to “SSH/TLS client” and “SSH/TLS-level message”), which makes its use for configuring TCP keepalives for specific implementations possible, but obviously problematic. RFC 8071, Section 4.1, S7, also heavily implies that it is intended to be used for the designated transport layer (e.g., SSH, TLS).
 
Since this issue affects the industry as a whole, we believe it would be better to provide support for the configuration of TCP keepalives within the ‘ietf-netconf-server’ module from the beginning, rather than wait for other SDOs or vendors to augment the module after publication as an RFC, which they will be practicably forced to do.
 
Would supporting TCP keepalives in the IETF-defined module be something the WG would agree to discuss? A possible solution, shown below, could be to add a new container parallel to the existing ‘keep-alives’ container to explicitly support the configuration for TCP keepalives. In addition, a feature statement (e.g. "keep-alives") could be added to the existing ‘keep-alives’ container, as RFC 8071 S7 says SHOULD (not MUST). 
                   container tcp-keep-alives {
                     if-feature tcp-keep-alives;
                     description
                       "Configures the keep-alive policy, to
                        proactively test the aliveness of the TCP
                        peer.  An unresponsive TCP peer will
                        be dropped after approximately max-attempts *
                        max-wait seconds.";
                     reference
                       "RFC 1122: Requirements for Internet Hosts -- 
                        Communication Layers, section 4.2.3.6.";
                     leaf max-wait {
                       type uint16 {
                         range "1..32767";
                       }
                       units seconds;
                       default 30;
                       description
                        "Sets the amount of time in seconds after
                         which if no data has been received from
                         the TCP peer, a TCP-level message
                         will be sent to test the aliveness of the
                         TCP peer.";
                     }
                     leaf max-attempts {
                       type uint8 {
                         range "1..127";
                       }
                       default 3;
                       description
                        "Sets the maximum number of sequential keep-
                        alive messages that can fail to obtain a
                        response from the TCP peer before
                        assuming the TCP peer is no longer
                        alive.";
                     }
                     leaf interval-between-attempts {
                       type uint16  {
                         range "1..32767";
                       }
                       units seconds;
                       default 30;
                       description
                        "Sets the amount of time in seconds after
                         which, if no reply to a keep-alive message
                         has been received from the TCP peer, the
                         next keep-alive message will be sent.";
                     }
                   }
                 }
 
 
What is the opinion of the list? Would this solution work?
 
Best regards
Nick & Yves