IETF Logo Mail Archive

Re: [netconf] Paul Wouters' Discuss on draft-ietf-netconf-crypto-types-29: (with DISCUSS and COMMENT)

Kent Watsen <kent+ietf@watsen.net> Tue, 13 February 2024 18:54 UTC

Return-Path: <0100018da3d1c4bb-16794945-524e-46d4-8bd9-963eb8fe4fdc-000000@amazonses.watsen.net>
X-Original-To: netconf@ietfa.amsl.com
Delivered-To: netconf@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 87E4AC15155F; Tue, 13 Feb 2024 10:54:12 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.908
X-Spam-Level:
X-Spam-Status: No, score=-1.908 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_BLOCKED=0.001, RCVD_IN_MSPIKE_H2=-0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=amazonses.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 8v2J2Mcyt4We; Tue, 13 Feb 2024 10:54:12 -0800 (PST)
Received: from a8-88.smtp-out.amazonses.com (a8-88.smtp-out.amazonses.com [54.240.8.88]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 729C4C151552; Tue, 13 Feb 2024 10:54:11 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/simple; s=224i4yxa5dv7c2xz3womw6peuasteono; d=amazonses.com; t=1707850450; h=From:Message-Id:Content-Type:Mime-Version:Subject:Date:In-Reply-To:Cc:To:References:Feedback-ID; bh=NALBmN/Vb/dOZWLpjL/dg+NbJLt03llGYgxu7D9uMj4=; b=BptXoyzuqyQeDTxYZK7CiemFNFwuOMvXGnr5klsM3fJRP+xJ//NWYZYDIzc78Mwg o2yTTTv+3Dw5OgaQsEue81rPJPRN/fpFaa5id3UyBLEJ4+BiZmEU3m0b1/mpGrcyg3A u4zzBXTjYSOQJz/SbhHU+KNrEn7gLa9H2ZgT6H8A=
From: Kent Watsen <kent+ietf@watsen.net>
Message-ID: <0100018da3d1c4bb-16794945-524e-46d4-8bd9-963eb8fe4fdc-000000@email.amazonses.com>
Content-Type: multipart/alternative; boundary="Apple-Mail=_2C4847A6-F51C-4A6B-A5E9-AE38C0AE5BE0"
Mime-Version: 1.0 (Mac OS X Mail 16.0 \(3731.600.7\))
Date: Tue, 13 Feb 2024 18:54:10 +0000
In-Reply-To: <CAGL5yWYWtbfzEJGqGst5rwz8g9A8eSs=zvbsYGjSjK7Ag-Na8g@mail.gmail.com>
Cc: The IESG <iesg@ietf.org>, draft-ietf-netconf-crypto-types@ietf.org, "netconf-chairs@ietf.org" <netconf-chairs@ietf.org>, "netconf@ietf.org" <netconf@ietf.org>
To: Paul Wouters <paul.wouters@aiven.io>
References: <0100018d8e79728d-53c71957-dd1f-4113-ab63-e1b028486824-000000@email.amazonses.com> <7F7D8261-D97E-4FBE-BE0C-6BC0953FC1FD@aiven.io> <0100018d9eda2bba-34bbb7e9-9d31-4651-a098-a3b62abe5d76-000000@email.amazonses.com> <CAGL5yWYWtbfzEJGqGst5rwz8g9A8eSs=zvbsYGjSjK7Ag-Na8g@mail.gmail.com>
X-Mailer: Apple Mail (2.3731.600.7)
Feedback-ID: 1.us-east-1.DKmIRZFhhsBhtmFMNikgwZUWVrODEw9qVcPhqJEI2DA=:AmazonSES
X-SES-Outgoing: 2024.02.13-54.240.8.88
Archived-At: <https://mailarchive.ietf.org/arch/msg/netconf/a1CWDVl_2X4WFtU5iFHopIu0D94>
Subject: Re: [netconf] Paul Wouters' Discuss on draft-ietf-netconf-crypto-types-29: (with DISCUSS and COMMENT)
X-BeenThere: netconf@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: NETCONF WG list <netconf.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/netconf>, <mailto:netconf-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/netconf/>
List-Post: <mailto:netconf@ietf.org>
List-Help: <mailto:netconf-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/netconf>, <mailto:netconf-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 13 Feb 2024 18:54:12 -0000

NETCONF WG,

Paul below suggests me ask something of the WG.

The question regards if the crypto-types draft should include, as a sibling to the “cert-data” node, a configurable switch for strict enforcement of CRL/OSPF checking.

Pros:
	- solves potential outage issues.
		- important

Cons:
	- not widely documented or implemented
		- is libreswan unique in having such a flag?
	- may be difficult to support with some crypto stacks
		- we could use a “feature” to resolve this objection
	- the libreswan approach may not be used everywhere
		- documentation would be loose to have broad coverage?

Thoughts?   (See below for more)

Kent


> On Feb 12, 2024, at 4:58 PM, Paul Wouters <paul.wouters@aiven.io> wrote:
> 
> That is different from our usage of crl-strict=yes
> 
> For us (libreswan) strict means:
> - If CRL is expired, block everyone
> - If OCSP not available, block attempt
> 
> non-strict means:
> - if CRL expired, but cert is in CRL, still reject. But if it is not in CRL, allow it
> - if OCSP not cached and fails, still allow client
> 
> But if the cert itself is invalid, we never allow it.
> 
> I'm not sure if we would need to add this. I'm fine either way. Perhaps chat with the WG, or don't add it now?
> 
> Paul
> 
> On Mon, Feb 12, 2024 at 2:45 PM Kent Watsen <kent+ietf@watsen.net <mailto:kent%2Bietf@watsen.net>> wrote:
>> Hi Paul,
>> 
>>> On Feb 11, 2024, at 9:37 PM, Paul Wouters <paul.wouters@aiven.io <mailto:paul.wouters@aiven.io>> wrote:
>>> 
>>> I have no good advice to give on strictness of CRLs and OCSP. Obviously a per connection setting would be better than a global setting but that might not be easy. Eg libreswan has it as global option partially because it keeps a global store of received certificates.
>>> 
>> 
>> Granular is better.
>> 
>> I’m thinking to add the following to the `trust-anchor-cert-grouping` and `end-entity-cert-grouping` groupings:
>> 
>>     leaf disable-stict-enforcement {
>>         nacm:default-deny-all;
>>         type boolean;
>>         default false;
>>         description
>>           "Disables strict enforcement of this certificate.
>>            Ignore issues regarding, e.g., the certificate's
>>            validity period or CRL/OCSP validity.  
>> 
>>            This flag should only be set in an emergency
>>            to enable a service to work.  Setting this flag
>>            Is NOT RECOMMENDED.”;
>> 
>> 
>> Is this what you want?
>> 
>> 
>> 
>> 
>>> Paul
>> 
>> 
>> Kent
>> 
>>

v2.23.0 | Report a Bug | By Email