Re: [Netconf] rfc5539bis > - NC over TLS with mutual X.509 authentication
t.petch <ietfc@btconnect.com> Thu, 30 October 2014 09:23 UTC
Return-Path: <ietfc@btconnect.com>
X-Original-To: netconf@ietfa.amsl.com
Delivered-To: netconf@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E9A911AD05B for <netconf@ietfa.amsl.com>; Thu, 30 Oct 2014 02:23:37 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.901
X-Spam-Level:
X-Spam-Status: No, score=-1.901 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, SPF_HELO_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id g-9zNsZbHIp4 for <netconf@ietfa.amsl.com>; Thu, 30 Oct 2014 02:23:34 -0700 (PDT)
Received: from emea01-am1-obe.outbound.protection.outlook.com (mail-am1on0701.outbound.protection.outlook.com [IPv6:2a01:111:f400:fe00::701]) (using TLSv1 with cipher ECDHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 655E01AD04B for <netconf@ietf.org>; Thu, 30 Oct 2014 02:23:34 -0700 (PDT)
Received: from pc6 (86.184.62.161) by DBXPR07MB063.eurprd07.prod.outlook.com (10.242.147.22) with Microsoft SMTP Server (TLS) id 15.1.6.9; Thu, 30 Oct 2014 09:16:22 +0000
Message-ID: <004101cff421$d3569a40$4001a8c0@gateway.2wire.net>
From: "t.petch" <ietfc@btconnect.com>
To: Juergen Schoenwaelder <j.schoenwaelder@jacobs-university.de>, Martin Bjorklund <mbj@tail-f.com>, Alan Luchuk <luchuk@snmp.com>
References: <201410201458.s9KEw5Qm064083@mainfs.snmp.com> <03ae01cfed3c$50d39d20$4001a8c0@gateway.2wire.net> <20141021153455.GA91264@elstar.local> <D06D6654.86473%kwatsen@juniper.net> <021801cfeea0$4d7ab860$4001a8c0@gateway.2wire.net> <20141027145542.GB8819@elstar.local>
Date: Thu, 30 Oct 2014 09:13:47 +0000
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2800.1106
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1106
X-Originating-IP: [86.184.62.161]
X-ClientProxiedBy: AM3PR01CA026.eurprd01.prod.exchangelabs.com (10.141.191.16) To DBXPR07MB063.eurprd07.prod.outlook.com (10.242.147.22)
X-MS-Exchange-Transport-FromEntityHeader: Hosted
X-Microsoft-Antispam: UriScan:;
X-Microsoft-Antispam: BCL:0;PCL:0;RULEID:;SRVR:DBXPR07MB063;
X-Forefront-PRVS: 038002787A
X-Forefront-Antispam-Report: SFV:NSPM; SFS:(10019020)(6009001)(199003)(189002)(377454003)(164054003)(51704005)(13464003)(24454002)(87976001)(106356001)(92566001)(86362001)(20776003)(66066001)(77156001)(93916002)(50226001)(40100003)(80022003)(19580395003)(92726001)(50986999)(15975445006)(122386002)(19580405001)(23756003)(87286001)(84392001)(50466002)(64706001)(62236002)(44736004)(47776003)(89996001)(46102003)(85852003)(44716002)(62966002)(4396001)(15202345003)(88136002)(81816999)(116806002)(105586002)(31966008)(21056001)(14496001)(76482002)(95666004)(107046002)(97736003)(42186005)(104166001)(76176999)(101416001)(120916001)(33646002)(81686999)(61296003)(85306004)(102836001)(99396003)(77096002)(93886004)(74416001)(7059028)(7726001); DIR:OUT; SFP:1102; SCL:1; SRVR:DBXPR07MB063; H:pc6; FPR:; MLV:sfv; PTR:InfoNoRecords; A:0; MX:1; LANG:en;
X-OriginatorOrg: btconnect.com
Archived-At: http://mailarchive.ietf.org/arch/msg/netconf/UkPfJxDRcQTIKD8bpiHRUTI7VMw
Cc: netconf@ietf.org
Subject: Re: [Netconf] rfc5539bis > - NC over TLS with mutual X.509 authentication
X-BeenThere: netconf@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Network Configuration WG mailing list <netconf.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/netconf>, <mailto:netconf-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/netconf/>
List-Post: <mailto:netconf@ietf.org>
List-Help: <mailto:netconf-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/netconf>, <mailto:netconf-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 30 Oct 2014 09:23:38 -0000
----- Original Message ----- From: "Juergen Schoenwaelder" <j.schoenwaelder@jacobs-university.de> To: "t. petch" <ietfc@btconnect.com> Cc: "Kent Watsen" <kwatsen@juniper.net>; <netconf@ietf.org> Sent: Monday, October 27, 2014 2:55 PM > > the editor does not understand the edits since I do not see clear > agreement of the scope of the document and thus there won't be a new > version before the cutoff. It makes a major difference to me > whether the document is > > - NC over TLS with mutual X.509 authentication > > or > > - NC over TLS plus a structure to plug in new authentication > mechanisms I think that limiting this I-D to mutual X.509 authentication resolves the issues that have been raised. Juergen commented on the mix of MAY, MUST etc causing confusion and that becomes simpler when there is just one approach to be specified. Martin commented on not knowing what to do about other forms of authentication - well, keep them out of this I-D and let anyone who wants to produce a separate I-D thereon. After all, the specification of TLS, and of SSH, is littered with I-Ds adding new forms of authentication so that would be nothing new. Tom Petch > and it is not clear whether > > - we details the algorithm to extract a username out of an X.509 > certificate in this spec > > or > > - leave it to the server configuration model. > > If fact, we would be duplicating some elements from RFC 6353 and the > reusable YANG grouping is in draft-ietf-netmod-snmp-cfg-08 (yes, an > interesting dependency chain results from that). > > I think the WG needs to sort out what set of documents is wanted > before making further edits. > > /js > > On Thu, Oct 23, 2014 at 10:04:00AM +0100, t. petch wrote: > > ---- Original Message ----- > > From: "Kent Watsen" <kwatsen@juniper.net> > > To: "Juergen Schoenwaelder" <j.schoenwaelder@jacobs-university.de>; "t. > > petch" <ietfc@btconnect.com> > > Cc: <netconf@ietf.org> > > Sent: Wednesday, October 22, 2014 7:29 PM > > > > >RFC 5539 has used X.509 certificates and nobody seems to request any > > >changes. Why do you make this complicated? > > > > > >Yes, NC access control is different from SNMP access control but this > > >is irrelevant. All the transport has to deliver is a user name. Why do > > >we have to make this complicated? > > > > I kind of agree with both sides. > > > > On one hand, 5539bis-06 clearly intends to define mutual > > certificate-based > > authentication - just search for the word "mutual". Additionally, > > Juergen > > already explained that he put PSK in (-02, according to the change log ) > > to support NETCONF-light, and since took it out. So we're essentially > > back to just trying to clean up 5539 and make it be in-line with NETCONF > > 1.1. > > > > On the other hand, there are a couple issues with 5539bis-06: > > > > 1) section 2.4.2 (Client Identity) doesn't actually say that > > certificate-based authentication is required. For instance, this text > > from RFC5539 was left out: "with certificate-based authentication > > according to local policy" > > > > 2) I'm confused by these seemingly conflicting statements: > > > > - section 2.4 (X.509-based Authentication...) says "Implementations > > MAY > > optionally > > support TLS certificate-based authentication" > > - section 2.5 (Cipher Suites) says "However, implementations MUST > > support TLS 1.2". > > > > So, to Juergen's point, I don't think this needs to be complicated, but > > I > > do think we need to be methodical about ensuring the text says what we > > want it to say. > > > > <tp> > > > > Kent > > > > This is what I keep saying or at least, try to say - not sure how clear > > I am being. But until those loose ends of text are removed, then > > 5539bis remains ambiguous IMHO (and I then remain reluctant to move on > > to other issues and other I-Ds). > > > > I would go slightly further and change the title and Intro. Martin > > raised the point about this I-D seeming to exclude other forms of > > authentication with TLS so I would entitle this one > > > > " Using the NETCONF Protocol over Transport Layer Security (TLS) with > > X.509 Certificates" > > > > Then anyone is free to write another I-D entitled > > " Using the NETCONF Protocol over Transport Layer Security (TLS) with > > PAKE" > > or > > " Using the NETCONF Protocol over Transport Layer Security (TLS) with > > PSK" > > etc etc > > > > That leaves us free to be as 'MUST' as we like about authentication, > > because our use case is simple. > > > > I want to see a fresh I-D along these lines - but see below ... > > > > </tp> > > > > One last point, I'm opposed to 5539bis using > > draft-ietf-netconf-server-model as a Normative Reference. I believe > > that > > 5539bis should define the protocol on its own, and view > > draft-ietf-netconf-server-model as just one data-model that could > > configure it. FWIW, neither 6242 nor draft-ietf-netconf-call-home have > > a > > Normative Reference draft-ietf-netconf-server-model. > > > > <tp> > > suive ... There is another issue in here. RFC6241 mandates > > "The authentication process MUST result in an authenticated client > > identity whose permissions are known to the server." > > which suggests we should say something about how. 5539bis did have text > > about this but that is now in server-model. Which sort of leads to > > having a normative dependency of 5539bis on server-model, not for > > configuration reasons but for the algorithm used to extract an > > authenticated client identity from what information the server has > > gotten.. > > > > But I do see this as a separate, more debatable issue, to be discussed > > once there is clarity in the published I-D about the use of > > certificates. And I do think that the document structure is right, that > > is, how to extract the identity does belong in server-model and not in > > TLS or SSH or other transport I-Ds. > > > > Tom Petch > > > > Thanks, > > Kent > > > > -- > Juergen Schoenwaelder Jacobs University Bremen gGmbH > Phone: +49 421 200 3587 Campus Ring 1, 28759 Bremen, Germany > Fax: +49 421 200 3103 <http://www.jacobs-university.de/>
- Re: [Netconf] rfc5539bis Alan Luchuk
- Re: [Netconf] rfc5539bis t.petch
- Re: [Netconf] rfc5539bis Juergen Schoenwaelder
- Re: [Netconf] rfc5539bis Kent Watsen
- Re: [Netconf] rfc5539bis t.petch
- Re: [Netconf] rfc5539bis Juergen Schoenwaelder
- Re: [Netconf] rfc5539bis > - NC over TLS with mut… t.petch
- Re: [Netconf] rfc5539bis- leave it to the server … t.petch