IETF Logo Mail Archive

Re: [Netconf] rfc5539bis- leave it to the server configuration model.

t.petch <ietfc@btconnect.com> Thu, 30 October 2014 14:34 UTC

Return-Path: <ietfc@btconnect.com>
X-Original-To: netconf@ietfa.amsl.com
Delivered-To: netconf@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 9C1B91A00FB for <netconf@ietfa.amsl.com>; Thu, 30 Oct 2014 07:34:13 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.901
X-Spam-Level:
X-Spam-Status: No, score=-1.901 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, SPF_HELO_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id wCGhAtEaxhaJ for <netconf@ietfa.amsl.com>; Thu, 30 Oct 2014 07:34:10 -0700 (PDT)
Received: from emea01-am1-obe.outbound.protection.outlook.com (mail-am1on0735.outbound.protection.outlook.com [IPv6:2a01:111:f400:fe00::735]) (using TLSv1 with cipher ECDHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 34D841A00E6 for <netconf@ietf.org>; Thu, 30 Oct 2014 07:34:09 -0700 (PDT)
Received: from pc6 (86.184.62.161) by DB3PR07MB057.eurprd07.prod.outlook.com (10.242.137.144) with Microsoft SMTP Server (TLS) id 15.1.11.14; Thu, 30 Oct 2014 14:15:55 +0000
Message-ID: <048801cff44b$aba6e5c0$4001a8c0@gateway.2wire.net>
From: "t.petch" <ietfc@btconnect.com>
To: Juergen Schoenwaelder <j.schoenwaelder@jacobs-university.de>, Alan Luchuk <luchuk@snmp.com>
References: <201410201458.s9KEw5Qm064083@mainfs.snmp.com> <03ae01cfed3c$50d39d20$4001a8c0@gateway.2wire.net> <20141021153455.GA91264@elstar.local> <D06D6654.86473%kwatsen@juniper.net> <021801cfeea0$4d7ab860$4001a8c0@gateway.2wire.net> <20141027145542.GB8819@elstar.local>
Date: Thu, 30 Oct 2014 11:28:51 +0000
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2800.1106
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1106
X-Originating-IP: [86.184.62.161]
X-ClientProxiedBy: AM3PR01CA048.eurprd01.prod.exchangelabs.com (10.141.191.38) To DB3PR07MB057.eurprd07.prod.outlook.com (10.242.137.144)
X-MS-Exchange-Transport-FromEntityHeader: Hosted
X-Microsoft-Antispam: UriScan:;
X-Microsoft-Antispam: BCL:0;PCL:0;RULEID:;SRVR:DB3PR07MB057;
X-Forefront-PRVS: 038002787A
X-Forefront-Antispam-Report: SFV:NSPM; SFS:(10019020)(6009001)(199003)(24454002)(164054003)(13464003)(377454003)(51704005)(189002)(77096002)(62236002)(44716002)(47776003)(20776003)(61296003)(42186005)(89996001)(50466002)(106356001)(76482002)(80022003)(46102003)(95666004)(105586002)(107046002)(120916001)(64706001)(33646002)(66066001)(23756003)(81686999)(81816999)(116806002)(87286001)(104166001)(19580395003)(76176999)(50986999)(93886004)(86362001)(62966002)(93916002)(85306004)(19580405001)(102836001)(84392001)(15975445006)(15202345003)(97736003)(88136002)(122386002)(85852003)(21056001)(87976001)(31966008)(101416001)(40100003)(92726001)(50226001)(92566001)(4396001)(77156001)(44736004)(7059028); DIR:OUT; SFP:1102; SCL:1; SRVR:DB3PR07MB057; H:pc6; FPR:; MLV:sfv; PTR:InfoNoRecords; A:0; MX:1; LANG:en;
X-OriginatorOrg: btconnect.com
Archived-At: http://mailarchive.ietf.org/arch/msg/netconf/Qh_VtCDSMVuByYIjgNOIXqQ8zOU
Cc: netconf@ietf.org
Subject: Re: [Netconf] rfc5539bis- leave it to the server configuration model.
X-BeenThere: netconf@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Network Configuration WG mailing list <netconf.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/netconf>, <mailto:netconf-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/netconf/>
List-Post: <mailto:netconf@ietf.org>
List-Help: <mailto:netconf-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/netconf>, <mailto:netconf-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 30 Oct 2014 14:34:13 -0000

----- Original Message -----
From: "Juergen Schoenwaelder" <j.schoenwaelder@jacobs-university.de>
To: "t. petch" <ietfc@btconnect.com>
Cc: "Kent Watsen" <kwatsen@juniper.net>; <netconf@ietf.org>
Sent: Monday, October 27, 2014 2:55 PM

> the editor does not understand the edits since I do not see clear
> agreement of the scope of the document and thus there won't be a new
> version before the cutoff. It makes a major difference to me
> whether the document is
>
> - NC over TLS with mutual X.509 authentication
>
> or
>
> - NC over TLS plus a structure to plug in new authentication
>   mechanisms
>
> and it is not clear whether
>
> - we details the algorithm to extract a username out of an X.509
>   certificate in this spec
>
> or
>
> - leave it to the server configuration model.

I think that the right place for this is in the server configuration
model.

Alan made the point that he wanted to keep this in line with SNMP, and
that is exactly what this would do.  SNMP puts the details in the MIB
DESCRIPTION so the parallel would be to put it in the YANG model.

And it means we will ultimately have it in just the one place, as
opposed to having parallel and perhaps different definitions for TLS
and, e.g., SSH.

Tom Petch

> If fact, we would be duplicating some elements from RFC 6353 and the
> reusable YANG grouping is in draft-ietf-netmod-snmp-cfg-08 (yes, an
> interesting dependency chain results from that).
>
> I think the WG needs to sort out what set of documents is wanted
> before making further edits.
>
> /js
>
> On Thu, Oct 23, 2014 at 10:04:00AM +0100, t. petch wrote:
> > ---- Original Message -----
> > From: "Kent Watsen" <kwatsen@juniper.net>
> > To: "Juergen Schoenwaelder" <j.schoenwaelder@jacobs-university.de>;
"t.
> > petch" <ietfc@btconnect.com>
> > Cc: <netconf@ietf.org>
> > Sent: Wednesday, October 22, 2014 7:29 PM
> >
> > >RFC 5539 has used X.509 certificates and nobody seems to request
any
> > >changes. Why do you make this complicated?
> > >
> > >Yes, NC access control is different from SNMP access control but
this
> > >is irrelevant. All the transport has to deliver is a user name. Why
do
> > >we have to make this complicated?
> >
> > I kind of agree with both sides.
> >
> > On one hand, 5539bis-06 clearly intends to define mutual
> > certificate-based
> > authentication - just search for the word "mutual".  Additionally,
> > Juergen
> > already explained that he put PSK in (-02, according to the change
log )
> > to support NETCONF-light, and since took it out.  So we're
essentially
> > back to just trying to clean up 5539 and make it be in-line with
NETCONF
> > 1.1.
> >
> > On the other hand, there are a couple issues with 5539bis-06:
> >
> > 1) section 2.4.2 (Client Identity) doesn't actually say that
> > certificate-based authentication is required.  For instance, this
text
> > from RFC5539 was left out: "with certificate-based authentication
> > according to local policy"
> >
> > 2) I'm confused by these seemingly conflicting statements:
> >
> >   - section 2.4 (X.509-based Authentication...) says
"Implementations
> > MAY
> > optionally
> >     support TLS certificate-based authentication"
> >   - section 2.5 (Cipher Suites) says "However, implementations MUST
> > support TLS 1.2".
> >
> > So, to Juergen's point, I don't think this needs to be complicated,
but
> > I
> > do think we need to be methodical about ensuring the text says what
we
> > want it to say.
> >
> > <tp>
> >
> > Kent
> >
> > This is what I keep saying or at least, try to say - not sure how
clear
> > I am being.  But until those loose ends of text are removed, then
> > 5539bis remains ambiguous IMHO (and I then remain reluctant to move
on
> > to other issues and other I-Ds).
> >
> > I would go slightly further and change the title and Intro.  Martin
> > raised the point about this I-D seeming to exclude other forms of
> > authentication with TLS so I would entitle this one
> >
> > " Using the NETCONF Protocol over Transport Layer Security (TLS)
with
> > X.509 Certificates"
> >
> > Then anyone is free to write another I-D entitled
> > " Using the NETCONF Protocol over Transport Layer Security (TLS)
with
> > PAKE"
> > or
> > " Using the NETCONF Protocol over Transport Layer Security (TLS)
with
> > PSK"
> > etc etc
> >
> > That leaves us free to be as 'MUST' as we like about authentication,
> > because our use case is simple.
> >
> > I want to see a fresh I-D along these lines - but see below ...
> >
> > </tp>
> >
> > One last point, I'm opposed to 5539bis using
> > draft-ietf-netconf-server-model as a Normative Reference.  I believe
> > that
> > 5539bis should define the protocol on its own, and view
> > draft-ietf-netconf-server-model as just one data-model that could
> > configure it.  FWIW, neither 6242 nor draft-ietf-netconf-call-home
have
> > a
> > Normative Reference draft-ietf-netconf-server-model.
> >
> > <tp>
> > suive ... There is another issue in here.  RFC6241 mandates
> > "The authentication process MUST result in an authenticated client
> > identity whose permissions are known to the server."
> > which suggests we should say something about how. 5539bis did have
text
> > about this but that is now in server-model.  Which sort of leads to
> > having a normative dependency of 5539bis on server-model, not for
> > configuration reasons but for the algorithm used to extract an
> > authenticated client identity from what information the server has
> > gotten..
> >
> > But I do see this as a separate, more debatable issue, to be
discussed
> > once there is clarity in the published I-D about the use of
> > certificates.  And I do think that the document structure is right,
that
> > is, how to extract the identity does belong in server-model and not
in
> > TLS or SSH or other transport I-Ds.
> >
> > Tom Petch
> >
> > Thanks,
> > Kent
> >
>
> --
> Juergen Schoenwaelder           Jacobs University Bremen gGmbH
> Phone: +49 421 200 3587         Campus Ring 1, 28759 Bremen, Germany
> Fax:   +49 421 200 3103         <http://www.jacobs-university.de/>

v2.23.0 | Report a Bug | By Email