Re: [netconf] More complications

Henk Birkholz <henk.birkholz@sit.fraunhofer.de> Tue, 15 June 2021 11:53 UTC

IronPort-SDR: eetWd2spWAqYm6eIjf+gP+baGfuGStubowqT3m48OUOno+eVbg8DLO5CCsqknX7+88cb4ldsjp VH7XuVVSFrzrEAT04Wb8Ee6CVjvl4eauVxLuXnQjSt/0oC+pfLfFflwe5QIfTYvY5m9bDty3/8 hKaS1aq2Z8pxeU2yvQOlynCr035xMepbyeHj7b7pnosUHI6ycro6ebYHWvXL/TSvi7CPpt4oqo dvKlLNY8pfrRh+IhaiuH0qtYMRb8Dhps3D9bsumEldtPDyryXL1YB/yJtOJOMIrGXZOcsLcUXu qoQ=
IronPort-PHdr: A9a23:yg+YgRLO6RUWsuSPJ9mcuYEyDhhOgF28FgUU8ZEgzblJd/fr85fjORnZ4vNgxB/MUJ7A4v1Jw+zRr+j7WGMG7JrA1RJKcJFFWxIfz8lDmQsmDZ2OCFbwK7jhaClpVMhHXUVuqne8N0UdEc3iZlrU93u16zN3eF3/OAN5K/6zFJTVipGs1vz09YfafgNIgzSwe/V+IUbekA==
IronPort-SDR: c56M5J3J+nTa2Vvb1JdFYi8muYhcH7pzynZVB6ZCYdDzxVZQMPI44Zoq8bmcIfhTlQTTjgWWLn g6ift45EBcK/L5xuypzeHQ5pswHRFibWclaIQhJf5qq8DqT4TZGLFpx2nKhRZZyNPqfF+Dvb00 6752yEOHGqgQYkS3LfboJF4Ipu0y4lqX3Er+ksxVBRlQqO1qx6q1ytBl/BqhjtkdugJ0hO31Yn FvX96dVSjcbjjt97WV4K9862VLSzuBCgJQtMtK+VEwgE+5C2ktWqlE4WiBr0VjA4jEfM7cSOsG Q7Ztv7e2pIfWQJ3UmibvFoIV
IronPort-PHdr: A9a23:5vlHqh+nEswx5P9uWMXoyV9kXcBvk771JQUSrJEgjuEGfqei+sHkO0rSrbVogUTSVIrWo/RDl6LNsq/mVGBBhPTJsH0LfJFWERNQj8IQkl8rAdWODgvwK/u5JyA/Fd5JAVli+XzzOENJGcH4MlvVpHDXj3YSFxzzOBAzKP7yH9vJjtjx2fq75pvTZAtFnnyxbOAaEQ==
IronPort-HdrOrdr: A9a23:/enrx61T59heaqLs+Nn/egqjBH4kLtp133Aq2lEZdPUMSL3iqyncpoVg6faUskdhZJhOo6HmBEDtexPhHNtOkPEs1NSZLXnbUQmTXedfBOLZqlWKdkGQmI9gPOVbAtFD4bbLfDpHZLPBkW2F+qEbsby6Gc6T9ITjJy0Ed3AXV0gq1XYFNu/SKDwIeCB2Qb4CPN6nxvMvnVCdkRh7VLXJOpAqZZm8m+H2
To: tom petch <ietfc@btconnect.com>, Kent Watsen <kent+ietf@watsen.net>
CC: "netconf@ietf.org" <netconf@ietf.org>, "garywu@cisco.com" <garywu@cisco.com>
References: <0100017980c49236-7975b99d-b591-4da2-a118-f6598517c4e5-000000@email.amazonses.com> <AM7PR07MB624835D8BE54144D97221817A02B9@AM7PR07MB6248.eurprd07.prod.outlook.com> <010001798c0d947e-4d2d14f5-9f0e-450d-ac99-e18c260f0c2b-000000@email.amazonses.com> <AM7PR07MB6248FF0E1E5A053D4FA2BDC4A0299@AM7PR07MB6248.eurprd07.prod.outlook.com> <01000179a0aa5d37-4810234e-8db2-434d-b8fa-780c1648955a-000000@email.amazonses.com> <AM7PR07MB624888AD4CB3C09809B22702A0259@AM7PR07MB6248.eurprd07.prod.outlook.com> <01000179a5bdc371-b665451f-61d4-4364-9d55-e9369f3adc8e-000000@email.amazonses.com> <AM7PR07MB6248BBDEECB1134C56426F73A0239@AM7PR07MB6248.eurprd07.prod.outlook.com> <0100017a0aebfbf3-9e9c22e8-da12-4364-a572-8ce7fd43bf0f-000000@email.amazonses.com> <AM7PR07MB6248E24C8235FBD8573017C8A0309@AM7PR07MB6248.eurprd07.prod.outlook.com>
From: Henk Birkholz <henk.birkholz@sit.fraunhofer.de>
Message-ID: <540b31e5-10a6-495f-cf44-820adb6213b3@sit.fraunhofer.de>
Date: Tue, 15 Jun 2021 13:53:19 +0200
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Thunderbird/68.10.0
In-Reply-To: <AM7PR07MB6248E24C8235FBD8573017C8A0309@AM7PR07MB6248.eurprd07.prod.outlook.com>
Content-Type: text/plain; charset="windows-1252"; format="flowed"
Content-Language: en-US
Content-Transfer-Encoding: 8bit
MIME-Version: 1.0
X-MS-Exchange-MessageSentRepresentingType: 1
Received: from [192.168.16.50] (79.206.151.153) by AM3PR07CA0100.eurprd07.prod.outlook.com (2603:10a6:207:6::34) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.4242.9 via Frontend Transport; Tue, 15 Jun 2021 11:53:20 +0000
X-MS-PublicTrafficType: Email
X-MS-Office365-Filtering-Correlation-Id: aa0f27a1-007d-46c9-c589-08d92ff42c50
X-MS-TrafficTypeDiagnostic: DBBP194MB0970:
X-Microsoft-Antispam-PRVS: <DBBP194MB097092B556F1F0A9D4FB7374A8309@DBBP194MB0970.EURP194.PROD.OUTLOOK.COM>
X-MS-Oob-TLC-OOBClassifiers: OLM:8882;
X-MS-Exchange-SenderADCheck: 1
X-Microsoft-Antispam: BCL:0;
X-Microsoft-Antispam-Message-Info: HSA1RUAqbiicQ1RVeJhCAk37BYctknCbiX5QvrsNtQzdqBuQWx62WDOOb84Sdo9wkvKn+dd8xQyKK1LY47yuV0Zn5wSiQg9nqyJ5ZYCd6vpOu/M7Cn6tRgA5xgr8oVpgYoveKvJYWf9DlCinQKuq0mIoxtQqw7qP2n/ANTOxpUb0Ni8mo1k54dKqMXUa92H2UQWTNHS4r/peFYLgWHN3FlERWHVEDdvKEW0mPiNqTPWBq20HQIeBydWA3014AB5ez0wZPOaQE/Xe5AeNKBdHaMX60jY7sgcEkEPN0DfSxuuGQlzrVLWnma9F9ApAae/OjKTNR62Mi+CW3PV/ouw9dRHUtOYKPR50srlvyHM+4Z3Xj+ZqV5MJAUFOCaOC/9K5n3PnRg+/HpRvJ8n6x689HIeJAQr/lGFhQsJChhPFk4O+kCid/KXkOfC3ZZws2IiCGjnL6s//1qxnC/c3+9WIFmqnV+V4ZnG662MR02E8bNUiHkNrzlq0PKYQT8DLngq7SbFwDtsRY636qCY2cive+xaQs224E5JOBGs1W2ZbDWAyYc8xUYUEzntE4jXjJW4iYg7Ingv15ZwZK0PQ/yacUmUKo1IWXKV8rFJ54CcZJtAEjG3ZGgRm9EhDLkNVu/4my+Cr4mIfh012CQ9mO1nNUqLKraBXPbqyO9k6C5d1cpCtbrYtdRTKFO75G52Rmfi0eLR2j/oiLrYK8xD6e4ctYg==
X-Forefront-Antispam-Report: CIP:255.255.255.255; CTRY:; LANG:en; SCL:1; SRV:; IPV:NLI; SFV:NSPM; H:DU2P194MB1709.EURP194.PROD.OUTLOOK.COM; PTR:; CAT:NONE; SFS:(4636009)(39860400002)(376002)(366004)(136003)(396003)(346002)(956004)(2616005)(478600001)(44832011)(8936002)(2906002)(66476007)(16526019)(52116002)(186003)(54906003)(110136005)(16576012)(7116003)(316002)(53546011)(86362001)(26005)(4326008)(31686004)(8676002)(5660300002)(6486002)(83380400001)(3480700007)(38350700002)(31696002)(38100700002)(66946007)(66556008)(45980500001)(43740500002); DIR:OUT; SFP:1102;
X-MS-Exchange-AntiSpam-MessageData-ChunkCount: 1
X-MS-Exchange-AntiSpam-MessageData-0: kwz/zCmEqemEn2TfhaTNgi8XFwz21/fQ9fiPXBQ1TDwWnCFIqaHb7NsKEhwHvmEY1W3BO0U7ks3dIZ7J7kurA0cZUQ8oKIOPAIujWZR15VWWETT1hGCmCaRiVpjOK0IX4BDzk5rzephQZIDfUjukFJKeAoU/tT/PcEM830Ceu8OVkbzTD2emFNdzvpRe4iHthC2ufLSXwt4xFM0RQPux9speBWxR37HuH2MitsU/HicKSOaVLKA0FZguGmHWm6AzP9RFPzAzCHVlBMb94Dm9F+3htfMANzuNGQT0l7Z8HB/quEngGJMx2pyK0UB6TYI9dnD3T6RFKE0YQeZRp1ulEpp7p0SKgugiC2ZrvzEjz0UCb9czm79DZLO/pm3lFbJv5zFJtR4pfA9rLGLfbXeRWi6t0mEKe8mcwyIuQGgOPT4phUVFJvv3IjsKL2a3K2BITWDGu9RrPvp3j9S7A6OEP3PfGr/agEuMBQqcS4IJVedfv1KUJ3CY4lqMuScfcYz9PJSq1QwNgF+jo6ukyXSgbFZrku4r0nsJraoN9rkfZbOEm5E7XOBzerRRJE/FfSwybhP6xT1yqOtOFqsf0vuLzGaGBSzgdho/+C4gxxlkRZbjl2HP2UsxGKj95EeK5mtEQSwDW04YrbiYvWm0ZTtJBpULIChrzXmfnIolDL7/YkuuCFhMLU8TiMguIC8HeqFr7oc49AHr9Q6Ow/RIktMbpWKANcYgMHKBjLJwaFG8uWaOXO6JFfqpAKyAnsdzUAR9reE9iKJGQrKCJYe12DW95F+CrPaZM1u2UUKXOV6B87TeAVpv3RfhO8qUqOcaykBD8C6koPfAPICvoR+jOu/hOAtTgKmduRigGmURS5OLthLlosi20jW607opgJHsEPhMQSd4oILP6oiNIkp6IIu4rE2lqBSpO0T85WyPba/C8WAEY70hGOVoyPgo3W5aFbccxLjwatwjYLtrUiX7rf3ISqfHcHXtpEBbtgzkkcNS+HOstuaW0BUT50nEnrOVJPtd86OeCxw0TyCBDJov7kP8YZUShAxrR9pGxNENXiITtQfiQMDPfhsjLKhGPVRl4Q3ClAFT+bFHtavyECyRP7iuOLHC+dQLU4bStS1Vf8Mx1TMeNdLxbvqyE9/dcoYIKOhK2Q6Xor8vV/q2sHwk2YQ4eVUDNw1nqGw+vhubSPWswmhaUBS4JoinYUAZyLQenTUBJxw0FUn3oT9PRYRcTEtxQbIN3l2UOt5D/zDFaEZ3wGuIpwQafDy0F8Xjb4DQ4pyy9Vfp6xfIPxVu2lzmsLGpKkHqSZzyImOqFoZqPOXOo4LxIXpsV8Yg3Q7PykKAJc5o
X-MS-Exchange-CrossTenant-Network-Message-Id: aa0f27a1-007d-46c9-c589-08d92ff42c50
X-MS-Exchange-CrossTenant-AuthSource: DU2P194MB1709.EURP194.PROD.OUTLOOK.COM
X-MS-Exchange-CrossTenant-AuthAs: Internal
X-MS-Exchange-CrossTenant-OriginalArrivalTime: 15 Jun 2021 11:53:21.2946 (UTC)
X-MS-Exchange-CrossTenant-FromEntityHeader: Hosted
X-MS-Exchange-CrossTenant-Id: f930300c-c97d-4019-be03-add650a171c4
X-MS-Exchange-CrossTenant-MailboxType: HOSTED
X-MS-Exchange-CrossTenant-UserPrincipalName: PVfA+WxKCSnUg0/FQoCApOlcFIBa8fb79wxsYIwnBRSDIWzZU6+iMwrxjJswDZ49hKjwwbcKBReL5y8IOdzkeJcgDWDlSXzpwPPjBFcQrsI=
X-MS-Exchange-Transport-CrossTenantHeadersStamped: DBBP194MB0970
X-OriginatorOrg: sit.fraunhofer.de
Archived-At: <https://mailarchive.ietf.org/arch/msg/netconf/MX_PD5Wg60WpW7aFEjyAKNDNP6o>
Subject: Re: [netconf] More complications
X-BeenThere: netconf@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: NETCONF WG list <netconf.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/netconf>, <mailto:netconf-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/netconf/>
List-Post: <mailto:netconf@ietf.org>
List-Help: <mailto:netconf-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/netconf>, <mailto:netconf-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 15 Jun 2021 11:53:37 -0000

Hi all,

a fellow IETF'ler poked me to pay attention to this thread. Sorry for 
the latency.

Hm - dropping PSK support for TLS 1.3 seems to be leaving a bunch of 
implementations in the IoT space behind that are inching towards 
migration, currently.

How urgent is this? I can certainly massage the current YANG module, but 
(in theory) I am occupied by another SDO meeting this week.

Viele Grüße,

Henk


On 15.06.21 13:36, tom petch wrote:
> From: Kent Watsen <kent+ietf@watsen.net>
> Sent: 14 June 2021 15:27
> 
> [CC-ing Henk, to whom a question is directed to below]
> 
> 
> Hi Tom,
> 
>> Top posting a new and different issue.
> 
> Thanks for updating the subject line.
> 
> 
>> server case psk references ServerKeyExchange and psk-identity-hint neither of which exist in TLS1.3.  The client sends an extension PreSharedKeyExtension which contains a list of identities from which the server selects one as selected-identity for which the identifier is uint16 indexing into the client's list. RFC8446 s.4.2.11.
>>
>> The client description also needs amending.
>>
>> TLS1.2 was extended to use tickets in this area to aid session resumption; these have now gone and been replaced by this extension.  I would not suggest adding support for tickets.
>>
>> As I may have said before, TLS 1.3 is different.
> 
> Henk, could you help with these edits?   Support for PSK and raw public key were added to draft-ietf-netconf-tls-client-server per your request and, if memory serves me, didn’t you help me with the YANG update too?   I suppose what is needed is a either a “choice” statement (with cases for 1.2 and 1.3) *or* sibling-container statements (in case it’s necessary both are configured in case, e.g., the client sends one or the other)...
> 
> <tp>
> Or else drop support for PSK with TLS1.3 at this time because too little is known about it outside the use for HTTP.  I am starting to see I-D about how to use TLS1.3 with application X, even for HTTP,  and I think that such an I-D will be needed for many applications with or without PSK.
> 
> Tom Petch
> 
>> Tom Petch
> 
> Kent
>

[netconf] Summary of updates Kent Watsen
[netconf] netconf-tls wasRe: Summary of updates tom petch
Re: [netconf] netconf-tls wasRe: Summary of updat… Kent Watsen
Re: [netconf] netconf-tls wasRe: Summary of updat… tom petch
Re: [netconf] netconf-tls wasRe: Summary of updat… tom petch
Re: [netconf] netconf-tls wasRe: Summary of updat… Kent Watsen
Re: [netconf] netconf-tls wasRe: Summary of updat… Kent Watsen
Re: [netconf] netconf-tls wasRe: Summary of updat… tom petch
Re: [netconf] netconf-tls wasRe: Summary of updat… tom petch
Re: [netconf] netconf-tls wasRe: Summary of updat… Juergen Schoenwaelder
Re: [netconf] netconf-tls wasRe: Summary of updat… Kent Watsen
Re: [netconf] netconf-tls wasRe: Summary of updat… Juergen Schoenwaelder
Re: [netconf] netconf-tls wasRe: Summary of updat… tom petch
Re: [netconf] netconf-tls wasRe: Summary of updat… Juergen Schoenwaelder
Re: [netconf] netconf-tls wasRe: Summary of updat… Kent Watsen
Re: [netconf] netconf-tls wasRe: Summary of updat… Kent Watsen
Re: [netconf] netconf-tls wasRe: Summary of updat… Kent Watsen
Re: [netconf] netconf-tls wasRe: Summary of updat… Juergen Schoenwaelder
Re: [netconf] netconf-tls wasRe: Summary of updat… tom petch
Re: [netconf] netconf-tls wasRe: Summary of updat… Juergen Schoenwaelder
Re: [netconf] netconf-tls wasRe: Summary of updat… Kent Watsen
Re: [netconf] netconf-tls wasRe: Summary of updat… tom petch
Re: [netconf] netconf-tls wasRe: Summary of updat… tom petch
[netconf] More complications was Re: netconf-tls … tom petch
Re: [netconf] More complications Kent Watsen
Re: [netconf] More complications tom petch
Re: [netconf] More complications Henk Birkholz
Re: [netconf] More complications Juergen Schoenwaelder
Re: [netconf] More complications Kent Watsen
Re: [netconf] More complications tom petch
[netconf] TLS 1.3 and pre-shared-keys and raw-pub… Kent Watsen
Re: [netconf] TLS 1.3 and pre-shared-keys and raw… tom petch
Re: [netconf] netconf-tls wasRe: Summary of updat… tom petch
Re: [netconf] TLS 1.3 and pre-shared-keys and raw… Kent Watsen
Re: [netconf] TLS 1.3 and pre-shared-keys and raw… Rob Wilton (rwilton)
Re: [netconf] TLS 1.3 and pre-shared-keys and raw… tom petch
Re: [netconf] More complications Kent Watsen