Re: [netconf] netconf-tls wasRe: Summary of updates

Kent Watsen <kent+ietf@watsen.net> Tue, 25 May 2021 14:04 UTC

From: Kent Watsen <kent+ietf@watsen.net>
In-Reply-To: <20210525100652.fd3kbsilxscwk7yj@anna.jacobs.jacobs-university.de>
Date: Tue, 25 May 2021 14:04:02 +0000
Cc: tom petch <ietfc@btconnect.com>, "netconf@ietf.org" <netconf@ietf.org>
Content-Transfer-Encoding: quoted-printable
Message-ID: <01000179a3d6eefe-455c9e3e-b42d-4704-8030-a34ae3f52b82-000000@email.amazonses.com>
References: <0100017980c49236-7975b99d-b591-4da2-a118-f6598517c4e5-000000@email.amazonses.com> <AM7PR07MB624835D8BE54144D97221817A02B9@AM7PR07MB6248.eurprd07.prod.outlook.com> <010001798c0d947e-4d2d14f5-9f0e-450d-ac99-e18c260f0c2b-000000@email.amazonses.com> <AM7PR07MB6248FF0E1E5A053D4FA2BDC4A0299@AM7PR07MB6248.eurprd07.prod.outlook.com> <01000179a0aa5d37-4810234e-8db2-434d-b8fa-780c1648955a-000000@email.amazonses.com> <AM7PR07MB624888AD4CB3C09809B22702A0259@AM7PR07MB6248.eurprd07.prod.outlook.com> <20210525100652.fd3kbsilxscwk7yj@anna.jacobs.jacobs-university.de>
To: Juergen Schoenwaelder <j.schoenwaelder@jacobs-university.de>
Archived-At: <https://mailarchive.ietf.org/arch/msg/netconf/RQ-gpmy4_z7LoZqaMoFO8s34kpc>
Subject: Re: [netconf] netconf-tls wasRe: Summary of updates
List-Id: NETCONF WG list <netconf.ietf.org>

Hi Juergen,

> RFC 5539 (published in May 2009) defines NETCONF over TLS and it is
> very specific that it requires TLS 1.2 or future versions of TLS:
> 
>   Implementations MUST support TLS 1.2 [RFC5246] and are REQUIRED to
>   support the mandatory-to-implement cipher suite, which is
>   TLS_RSA_WITH_AES_128_CBC_SHA.  This document is assumed to apply to
>   future versions of TLS; in which case, the mandatory-to-implement
>   cipher suite for the implemented version MUST be supported.
> 
> Given this, I do not think we need to consider TLS versions < 1.2
> since there was never a specification for NETCONF over TLS versions <
> 1.2 - a NETCONF over TLS 1.1 implementation is using a non-standard
> transport.


The tls-client-server draft is not exclusive to NETCONF. For example, RESTCONF and the PCE WG's “pcep-yang” draft...

That said, it seems Tom is saying that TLS 1.0 and 1.1 are effectively historic at this point (no longer used) and so support for those versions should be dropped for that reason?


> PS: And as I said before, if any updates to RFC 5539 are necessary to
>    support NETCONF over TLS 1.3 properly, then we should spin RFC
>    5539 and not deal with the definition of a transport mapping in
>    the configuration document.


Adding TLS 1.3 to the tls-client-server draft is not for NETCONF’s sake.

The netconf-client-server draft doesn’t yet, but perhaps should, state that the tls-client-server draft’s support for 1.3 should be ignored until RFC 5539 is updated?


Kent
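The thread turns on two requirements: RFC 5539's rule that a NETCONF-over-TLS peer MUST support TLS 1.2 together with the mandatory-to-implement cipher suite of whatever TLS version it implements, and Tom's point that TLS 1.0/1.1 are effectively historic. The following is an added example, not code from the thread, the NETCONF WG or either draft: a small policy check over a hello-params-style configuration (version list plus cipher-suite list, loosely shaped after the ietf-tls-common grouping). The version and cipher-suite names it uses are constructed placeholders, not the module's exact identities; the mandatory-to-implement suites come from RFC 5246 (TLS 1.2) and RFC 8446 section 9.1 (TLS 1.3), and the deprecation of 1.0/1.1 from RFC 8996.

```python
"""Policy check for a tls-client/tls-server style 'hello-params' configuration.

Added example for the netconf-tls discussion; not part of any draft or RFC.
The configuration layout (tls-versions / cipher-suites) loosely follows the
ietf-tls-common hello-params grouping, but the identity strings below are
constructed placeholders, not the YANG module's real identity names.
"""
from __future__ import annotations

import json
from typing import Any

# Mandatory-to-implement cipher suite per TLS version:
#   TLS 1.2 -> RFC 5246 sec. 9 (the suite RFC 5539 quotes)
#   TLS 1.3 -> RFC 8446 sec. 9.1
MTI_SUITE = {
    "tls-1.2": "TLS_RSA_WITH_AES_128_CBC_SHA",
    "tls-1.3": "TLS_AES_128_GCM_SHA256",
}

# Versions deprecated by RFC 8996; a NETCONF-over-TLS peer should not offer them.
DEPRECATED_VERSIONS = {"tls-1.0", "tls-1.1"}


def check_hello_params(config: dict[str, Any]) -> list[str]:
    """Return findings for a hello-params config; an empty list means it passes.

    Rules applied:
      1. TLS 1.2 must be enabled (RFC 5539 MUST).
      2. Every enabled version with a known mandatory-to-implement suite must
         offer that suite (RFC 5539 applies the rule to future TLS versions too).
      3. TLS 1.0 / 1.1 are reported as deprecated (RFC 8996).
    """
    versions = set(config.get("tls-versions", {}).get("tls-version", []))
    suites = set(config.get("cipher-suites", {}).get("cipher-suite", []))
    findings: list[str] = []

    if "tls-1.2" not in versions:
        findings.append("TLS 1.2 is not enabled but is REQUIRED by RFC 5539")

    for version in sorted(versions):
        mti = MTI_SUITE.get(version)
        if mti is not None and mti not in suites:
            findings.append(
                f"{version} is enabled but its mandatory-to-implement suite "
                f"{mti} is not offered"
            )

    for version in sorted(versions & DEPRECATED_VERSIONS):
        findings.append(f"{version} is deprecated by RFC 8996 and should be removed")

    return findings


def check_hello_params_json(text: str) -> list[str]:
    """Convenience wrapper for a JSON-encoded hello-params object."""
    return check_hello_params(json.loads(text))


# Constructed sample configurations (not taken from any real device).
CONFIG_OK = {
    "tls-versions": {"tls-version": ["tls-1.2", "tls-1.3"]},
    "cipher-suites": {"cipher-suite": [
        "TLS_RSA_WITH_AES_128_CBC_SHA",
        "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
        "TLS_AES_128_GCM_SHA256",
    ]},
}
CONFIG_LEGACY = {  # still offers TLS 1.1 and lacks the TLS 1.2 MTI suite
    "tls-versions": {"tls-version": ["tls-1.1", "tls-1.2"]},
    "cipher-suites": {"cipher-suite": ["TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"]},
}
CONFIG_13_ONLY = {  # TLS 1.3 only: not a valid NETCONF-over-TLS peer under RFC 5539
    "tls-versions": {"tls-version": ["tls-1.3"]},
    "cipher-suites": {"cipher-suite": ["TLS_AES_256_GCM_SHA384"]},
}

if __name__ == "__main__":
    for name, cfg in [("ok", CONFIG_OK), ("legacy", CONFIG_LEGACY), ("1.3-only", CONFIG_13_ONLY)]:
        print(name, check_hello_params(cfg) or "PASS")
```

The check deliberately keys the mandatory-suite rule off the enabled version list rather than hard-coding TLS 1.2, which is exactly the "applies to future versions of TLS" clause quoted from RFC 5539: adding TLS 1.3 to the table is a one-line change, while the TLS 1.2 requirement stays in force for NETCONF until RFC 5539 itself is revised.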