Re: [netconf] More complications

tom petch <ietfc@btconnect.com> Tue, 15 June 2021 11:36 UTC

From: tom petch <ietfc@btconnect.com>
To: Kent Watsen <kent+ietf@watsen.net>
CC: "netconf@ietf.org" <netconf@ietf.org>, Henk Birkholz <henk.birkholz@sit.fraunhofer.de>, "garywu@cisco.com" <garywu@cisco.com>
Thread-Topic: More complications
Date: Tue, 15 Jun 2021 11:36:29 +0000
Message-ID: <AM7PR07MB6248E24C8235FBD8573017C8A0309@AM7PR07MB6248.eurprd07.prod.outlook.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/netconf/TnYkMFUFyRbmxlf4kOo9di95tgk>
Subject: Re: [netconf] More complications

From: Kent Watsen <kent+ietf@watsen.net>
Sent: 14 June 2021 15:27

[CC-ing Henk, to whom a question is directed to below]


Hi Tom,

> Top posting a new and different issue.

Thanks for updating the subject line.


> server case psk references ServerKeyExchange and psk-identity-hint neither of which exist in TLS1.3.  The client sends an extension PreSharedKeyExtension which contains a list of identities from which the server selects one as selected-identity for which the identifier is uint16 indexing into the client's list. RFC8446 s.4.2.11.
>
> The client description also needs amending.
>
> TLS1.2 was extended to use tickets in this area to aid session resumption; these have now gone and been replaced by this extension.  I would not suggest adding support for tickets.
>
> As I may have said before, TLS 1.3 is different.

Henk, could you help with these edits? Support for PSK and raw public key were added to draft-ietf-netconf-tls-client-server per your request and, if memory serves me, didn’t you help me with the YANG update too? I suppose what is needed is either a “choice” statement (with cases for 1.2 and 1.3) *or* sibling-container statements (in case it’s necessary both are configured in case, e.g., the client sends one or the other)...

<tp>
Or else drop support for PSK with TLS1.3 at this time because too little is known about it outside the use for HTTP.  I am starting to see I-Ds about how to use TLS1.3 with application X, even for HTTP, and I think that such an I-D will be needed for many applications with or without PSK.

Tom Petch

> Tom Petch

Kent
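The wire structure Tom describes (RFC 8446 s.4.2.11: the client offers a list of PSK identities, the server answers with a uint16 selected_identity indexing that list) as an added example, not code from the draft or from either poster; the encoder/parser below is a standalone illustration, the identities and binder values are constructed, and the client-side range check is the one RFC 8446 requires before the index is trusted.

```python
import struct
# Constructed sample (not from the thread): two PSK identities with placeholder 32-byte binders.
SAMPLE_IDENTITIES = [(b"client-a@example.com", 0), (b"backup-key-2021", 0)]
SAMPLE_BINDERS = [bytes([0xAA]) * 32, bytes([0xBB]) * 32]

def _vec(buf, pos, size_len, lo, end):
    """Length-prefixed opaque vector at pos, bounded by end; returns (bytes, new_pos)."""
    n = int.from_bytes(buf[pos:pos + size_len], "big") if pos + size_len <= end else -1
    if n < lo or pos + size_len + n > end:
        raise ValueError("vector length truncated or out of bounds")
    return buf[pos + size_len:pos + size_len + n], pos + size_len + n

def encode_offered_psks(identities, binders):
    """ClientHello pre_shared_key body (OfferedPsks): identities<7..2^16-1> then binders<33..2^16-1>."""
    ids = b"".join(struct.pack("!H", len(i)) + i + struct.pack("!I", age) for i, age in identities)
    bnd = b"".join(bytes([len(b)]) + b for b in binders)
    return struct.pack("!H", len(ids)) + ids + struct.pack("!H", len(bnd)) + bnd

def decode_offered_psks(body):
    """Parse OfferedPsks with bounds checks; returns (identities, binders)."""
    ids, ids_end = _vec(body, 0, 2, 7, len(body))
    identities, pos = [], 0
    while pos < len(ids):            # PskIdentity: identity<1..2^16-1>, uint32 obfuscated_ticket_age
        ident, pos = _vec(ids, pos, 2, 1, len(ids))
        if pos + 4 > len(ids):
            raise ValueError("truncated obfuscated_ticket_age")
        identities.append((ident, int.from_bytes(ids[pos:pos + 4], "big")))
        pos += 4
    bnd, end = _vec(body, ids_end, 2, 33, len(body))
    if end != len(body):
        raise ValueError("trailing bytes after binders")
    binders, pos = [], 0
    while pos < len(bnd):            # PskBinderEntry: opaque<32..255>
        entry, pos = _vec(bnd, pos, 1, 32, len(bnd))
        binders.append(entry)
    if len(binders) != len(identities):
        raise ValueError("binder count must equal identity count")
    return identities, binders

def encode_selected_identity(index):
    """ServerHello pre_shared_key body: a uint16 index into the client's identity list."""
    return struct.pack("!H", index)

def resolve_selected_identity(offered_body, server_body):
    """Client side: map selected_identity back to an offered identity; abort if out of range."""
    index, = struct.unpack("!H", server_body)      # struct.error unless exactly 2 bytes
    identities, _ = decode_offered_psks(offered_body)
    if index >= len(identities):
        raise ValueError("selected_identity %d out of range for %d offered" % (index, len(identities)))
    return identities[index][0]
```

Binder values are left as placeholders because only the framing and the index check are demonstrated; in a real handshake each binder is an HMAC over the partial ClientHello and must be verified by the server before the identity is accepted.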