Re: [netconf] netconf-tls wasRe: Summary of updates

Juergen Schoenwaelder <j.schoenwaelder@jacobs-university.de> Tue, 25 May 2021 10:07 UTC

Date: Tue, 25 May 2021 12:06:52 +0200
From: Juergen Schoenwaelder <j.schoenwaelder@jacobs-university.de>
To: tom petch <ietfc@btconnect.com>
Cc: Kent Watsen <kent+ietf@watsen.net>, "netconf@ietf.org" <netconf@ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/netconf/Sh4lN4FSyjyT-zG7iymcjKlQhx4>

Hi,

RFC 5539 (published in May 2009) defines NETCONF over TLS and it is
very specific that it requires TLS 1.2 or future versions of TLS:

   Implementations MUST support TLS 1.2 [RFC5246] and are REQUIRED to
   support the mandatory-to-implement cipher suite, which is
   TLS_RSA_WITH_AES_128_CBC_SHA.  This document is assumed to apply to
   future versions of TLS; in which case, the mandatory-to-implement
   cipher suite for the implemented version MUST be supported.

Given this, I do not think we need to consider TLS versions < 1.2
since there was never a specification for NETCONF over TLS versions <
1.2 - a NETCONF over TLS 1.1 implementation is using a non-standard
transport.

/js

PS: And as I said before, if any updates to RFC 5539 are necessary to
    support NETCONF over TLS 1.3 properly, then we should spin RFC
    5539 and not deal with the definition of a transport mapping in
    the configuration document.

On Tue, May 25, 2021 at 09:56:52AM +0000, tom petch wrote:
> From: Kent Watsen <kent+ietf@watsen.net>
> Sent: 25 May 2021 00:16
> [CC-ing Gary in case he can help]
> 
> Hi Tom,
> 
> > I still think that the I-D lacks clarity about supported versions.
> >
> > Introduction
> > TLS Protocol [RFC5246]
> > Clearly this is TLS1.2 only
> >
> > Yes.   In keeping with the original intention (to reference just the current, not obsoleted, document), this should be updated to RFC 8446.   But I wonder if you think the document should reference all four documents (2246, 4346, 5246, and 8446) and then have DOWNREFS?
> 
> I didn’t get what you wanted to do here but, for now, I replaced that reference with this paragraph:
> 
>     Any version of TLS may be configured, including
>      <xref target="RFC2246"/>,  <xref target="RFC4346"/>,
>      <xref target="RFC5246"/>, and <xref target="RFC8446"/>.
>      Configuring obsolete protocol versions for use in production
>      networks is NOT RECOMMENDED.
> 
> <tp>
> I would still drop 1.0 and 1.1 entirely but see that others disagree.  As things stand, I do think that you need to differentiate between 1.2/1.3 and 1.0/1.1, the former being comprehensively supported, the latter not.  I do not have a good set of words for this but think that you need something in the Introduction to set expectations. You could add more details of 1.0/1.1 but I would see that as a retrograde step.
> 
> Tom Petch 
> 
> 
> > I was all for ditching any mention of 1.1 and 1.0 if only for the extra complication.
> 
> By “was all for”, do you mean that you’re no longer?  That is, that “supporting” all versions is fine?
> 
> 
> 
> >   I no longer recall where 1.2 differs from its predecessors e.g. extensions incorporated in the base, signature algorithms, and it is probably overkill to find the relevant references for those older versions and adding them to the YANG as well but do think something needs adding in the body of the I-D to the effect that support for 1.0, 1.1 is partial, identity for the version number but not details of cipher suites, relevant RFC and so on.
> 
> Would you suggest adding said comment to the above paragraph?
> 
> 
> 
> > s.2
> > This model supports both TLS1.2 and TLS1.3
> > Ah, no, TLS1.2 and TLS1.3 but not TLS1.0 or TLS1.1
> 
> Do you mean that the sentence is incorrect because the model does support 1.0 and 1.1?  Perhaps simply remove the sentence altogether in light of the above new paragraph?
> 
> 
> 
> > s.2.1.1
> > Features
> > tls-1_0
> > tls-1_1
> > tls-1_2
> > tls-1_3
> > Ah no, it may not support 1.0 and 1.1 but it ........ for them but I know not what.
> 
> I don’t understand this comment.
> 
> 
> 
> > 2.2
> > an example for 1.1 and 1.2 but not 1.3; interesting.
> 
> That example is completely arbitrary IMO but, alas, it was created by Gary Wu, who is listed as a “Contributor”, but we haven’t heard from in a long time since...
> 
> 
> 
> > Reverse engineering the YANG I find that that 'Version 1.0 is supported', 'Version 1.1 is supported'.
> 
> Correct.  All the versions as “supported”; all but 1.3 are NOT RECOMMENDED.  Is this a problem?
> 
> 
> 
> > hello-params-grouping
> > Only 1.2 is referenced as indeed is repeatedly the case in the YANG modules
> >
> > Mmm I dunno!
> 
> Again, 1.2 *was* “current” before and so everything just pointed to it, assuming that it is a superset of 1.0 and 1.1?  We could just replace all refs to “1.2” with “1.3” and call it a day, but I don’t know if that would be technically accurate.
> 
> 
> 
> > I want the Introduction to set the scene which subsequent sections expand on and that I see as lacking.  Support for 1.0 and 1.1 would, for me, mean catering for the different cipher suites that they have.
> 
> So we need to define additional ciphersuites for 1.0 and 1.1 or dump support for those protocol versions?
> 
> 
> 
> > In passing, I was wrong about public keys.  I misread the statement that only certificates and PSK are supported in TLS1.3, forgetting that certificate(255) is a public key!
> 
> Gotcha
> 
> 
> > Tom Petch
> 
> THANK YOU!
> 
> Updates can be found in https://github.com/netconf-wg/tls-client-server/commit/b94588b5a33c0852cfacbc415ca0a626bc1c5763.
> 
> K.
> 

-- 
Juergen Schoenwaelder           Jacobs University Bremen gGmbH
Phone: +49 421 200 3587         Campus Ring 1 | 28759 Bremen | Germany
Fax:   +49 421 200 3103         <https://www.jacobs-university.de/>
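A small configuration checker that encodes the rules argued over in this thread (TLS 1.2 or later is required by RFC 5539 together with the mandatory-to-implement suite of the implemented version; 1.0/1.1 are NOT RECOMMENDED). This is an added example, not code from the draft or the WG; the feature names tls-1_0 .. tls-1_3 are the draft's, while the TLS 1.3 MTI suite is taken from RFC 8446 section 9.1 rather than from the thread.

```python
"""Check a NETCONF-over-TLS version/cipher-suite configuration (added example)."""

# Mandatory-to-implement suite per standardised version.
MTI_SUITE = {
    "tls-1_2": "TLS_RSA_WITH_AES_128_CBC_SHA",  # RFC 5539 quoting RFC 5246
    "tls-1_3": "TLS_AES_128_GCM_SHA256",        # RFC 8446 section 9.1 (not from the thread)
}
OBSOLETE = {"tls-1_0", "tls-1_1"}   # draft text: NOT RECOMMENDED in production
STANDARD = set(MTI_SUITE)           # the only versions NETCONF over TLS is specified for


def check_tls_config(versions, cipher_suites):
    """Return (severity, message) findings for one endpoint configuration.

    versions:      draft feature names, e.g. {"tls-1_1", "tls-1_2"}
    cipher_suites: IANA cipher-suite names enabled on the endpoint
    """
    versions, suites, findings = set(versions), set(cipher_suites), []
    for v in sorted(versions - OBSOLETE - STANDARD):
        findings.append(("error", f"unknown TLS version feature {v!r}"))
    if not versions & STANDARD:
        # RFC 5539: implementations MUST support TLS 1.2 (or a later version).
        findings.append(("error", "no TLS 1.2 or later version enabled (RFC 5539 MUST)"))
    for v in sorted(versions & OBSOLETE):
        # Nothing ever specified NETCONF over these; they are a non-standard transport.
        findings.append(("warning", f"{v} is obsolete and NOT RECOMMENDED"))
    for v in sorted(versions & STANDARD):
        if MTI_SUITE[v] not in suites:
            findings.append(("error", f"{v}: MTI cipher suite {MTI_SUITE[v]} not enabled"))
    return findings


def is_compliant(versions, cipher_suites):
    """True when the configuration carries no error-level finding (warnings allowed)."""
    return all(sev != "error" for sev, _ in check_tls_config(versions, cipher_suites))


if __name__ == "__main__":
    # Constructed sample modelled on the draft's own example, which enables 1.1 and 1.2.
    draft_like = {"tls-1_1", "tls-1_2"}
    for sev, msg in check_tls_config(draft_like, ["TLS_RSA_WITH_AES_128_CBC_SHA"]):
        print(f"{sev}: {msg}")
    # Hardened form: 1.2 and 1.3 only, each with its MTI suite.
    print("hardened compliant:", is_compliant(STANDARD, MTI_SUITE.values()))
```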