Re: [netconf] Create IANA-defined modules?

Qin Wu <> Wed, 09 June 2021 13:07 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 9829D3A1588 for <>; Wed, 9 Jun 2021 06:07:38 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -4.2
X-Spam-Status: No, score=-4.2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3, RCVD_IN_MSPIKE_H2=-0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id rdFFfDXDMYuk for <>; Wed, 9 Jun 2021 06:07:34 -0700 (PDT)
Received: from ( []) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by (Postfix) with ESMTPS id 1EF233A1584 for <>; Wed, 9 Jun 2021 06:07:34 -0700 (PDT)
Received: from (unknown []) by (SkyGuard) with ESMTP id 4G0Rwy3Cf7z6K5dv for <>; Wed, 9 Jun 2021 20:58:10 +0800 (CST)
Received: from ( by ( with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256) id 15.1.2176.2; Wed, 9 Jun 2021 15:07:30 +0200
Received: from ( by ( with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P256) id 15.1.2176.2; Wed, 9 Jun 2021 21:07:28 +0800
Received: from ([]) by ([]) with mapi id 15.01.2176.012; Wed, 9 Jun 2021 21:07:28 +0800
From: Qin Wu <>
To: Kent Watsen <>, "" <>
Thread-Topic: [netconf] Create IANA-defined modules?
Thread-Index: AdddL2Guyi3eG+KzRlGXH8XK0iac4Q==
Date: Wed, 9 Jun 2021 13:07:28 +0000
Message-ID: <>
Accept-Language: zh-CN, en-US
Content-Language: zh-CN
x-originating-ip: []
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: base64
MIME-Version: 1.0
X-CFilter-Loop: Reflected
Archived-At: <>
Subject: Re: [netconf] Create IANA-defined modules?
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: NETCONF WG list <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Wed, 09 Jun 2021 13:07:39 -0000

发件人: netconf [] 代表 Kent Watsen
发送时间: 2021年5月27日 3:06
主题: [netconf] Create IANA-defined modules?

[CC-ing Gary, who contributed the “ietf-[tls/ssh]-common" modules originally]


The “tls-client-server” draft just received the following GitHub “issue”:

This is rather a question than an issue, maybe.

Given that IANA maintains the TLS parameters at, would it not be better for that content to come from something like iana-tls[-parameters].yang rather than an IETF maintained YANG module?

This is a good point.  Perhaps we should move all the identities for the algorithms defined in the “ietf-tls-common” module to an IANA-maintained “iana-tls-parameters” module.  Thoughts?

[Qin]: I agree this seems straightforward to me. The module name could be "iana-tls-types" like.

By extension, the same statement applies to the “ssh-client-server” draft and the IANA maintained SSH parameters page:

One potential issue with doing this is that the existing identities have “if-feature” statements that constrain them to specific TLS-versions and algorithm-families, and are sometimes marked as “deprecated".  By example:

    identity ecdhe-ecdsa-with-aes-128-cbc-sha256 {
       if-feature "tls-1_2";
       if-feature "tls-ecc and tls-sha2";
       base cipher-suite-base;
       status "deprecated";
           "Cipher suite TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256.";
          "RFC 5289: TLS Elliptic Curve Cipher Suites with
                             SHA-256/384 and AES Galois Counter Mode (GCM)";

But that information is NOT captured in the IANA-maintained page.   What to do?

[Qin]: Why not bind tls version with cipher-suite in the ecdhe-ecdsa-with-aes-128-cbc-sha256 identity definition. Also I feel identity name is too long.

One option would be to drop all the feature statements.  All they do is limit the totality of algorithms presented to an administrator, when configuring which algorithms the client/server should support.  Worst case, all algorithms (of a given type) are presented, regardless if supported by the, e.g., TLS protocol version.  When configuring clients/servers using, e.g., text-based configuration files, such filters are never available.  Does anyone know what Cisco/Juniper/etc. devices do in their command-line and/or web interfaces?

[Qin]: See above, do we need to introduce if-feature "tls-1_2" and why not tie the tls version in the cipher-suite name such as "tls12-ecdhe-ecdsa-with-aes-128-cbc-sha256". 

Another option, which I like because it’s less work for me (unless someone can volunteer a GitHub pull request), is to remove the ietf-[tls/ssh]-common modules altogether.  They’re currently optional-to-configure and, when not configured, it’s an implementation-specific decision what, e.g., algorithms to list as being supported during the protocol handshake.  Personally, I’ve never used them (or implemented support for them), happily deferring to internal code and underlying libraries.  In lieu of us not defining these modules now, applications could augment-in their own configuration nodes and, of course, a future WG effort could add them.  Thoughts on this approach?


netconf mailing list