Re: [netconf] Securing UDP-notif messages with DTLS
Pierre Francois <pierre.francois.ietf@gmail.com> Tue, 03 August 2021 18:26 UTC
References: <152841A6-6A37-4F75-857D-2F70346AFB5D@insa-lyon.fr> <0100017b07afa694-e244f7b7-ab7b-4fab-b669-793f9f6b87d2-000000@email.amazonses.com> <CAFNmoOHNKP8g9syh9KE6KFtCQUGsYBSCR7GO1NCby6UqCt0y7A@mail.gmail.com> <20210802173342.6kv5gkhkuu4tapcw@anna.jacobs.jacobs-university.de> <CAFNmoOHQ96g3ZX0DMN8x9J1PPbqkzHR6_uj73oUDfXqgwC5E9A@mail.gmail.com> <fbf7ac89-eb31-d1d3-367a-0e7fb33d6132@huawei.com>
In-Reply-To: <fbf7ac89-eb31-d1d3-367a-0e7fb33d6132@huawei.com>
From: Pierre Francois <pierre.francois.ietf@gmail.com>
Date: Tue, 03 Aug 2021 20:26:01 +0200
Message-ID: <CAFNmoOEwMfAn31c4Pv=4Tr9TqLqpMFk=gpo0pZkz+K8hNKK7eg@mail.gmail.com>
To: Benoit Claise <benoit.claise@huawei.com>
Cc: Juergen Schoenwaelder <j.schoenwaelder@jacobs-university.de>, Kent Watsen <kent@watsen.net>, pierre francois <pierre.francois@insa-lyon.fr>, Marco.Tollini1@swisscom.com, Netconf <netconf@ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/netconf/bM-wwNq4PMfXHfyPiHue87UsMGs>
Benoit,

It works for me.

Pierre.

On Tue, 3 Aug 2021 at 14:45, Benoit Claise <benoit.claise@huawei.com> wrote:

> Hi,
>
> This discussion reminds me of IPFIX discussions :-)
> Considering that the industry/operators will implement what they need (not more), or request what they need from router vendors, regardless of what the RFCs say, let's go with the path of least resistance regarding publication.
> I would say: merge the two drafts.
>
> Regards, Benoit
>
> On 8/2/2021 9:22 PM, Pierre Francois wrote:
>
> Juergen,
>
> Thanks for your input.
>
> IESG composition won't change much to the story on this aspect, I think.
>
> Alright, I'll discuss with all the authors involved and get back to the list. I guess no one in the wg will object to a merge if we decide to go this way.
>
> Cheers,
>
> /pfr
>
> On Mon, 2 Aug 2021 at 19:33, Jürgen Schönwälder <j.schoenwaelder@jacobs-university.de> wrote:
>
>> In the past, there were people on the IESG that would tell you that "a controlled environment" is in most cases a myth. (There is something to this argument once you think about how messed up the world appears to be these days.)
>>
>> There certainly is a point that compliant implementations must support a secure transport so that people deploying the technology have the choice to use it. If an operator then decides to not use the secure transport, so be it, that is then the operator's free choice (and responsibility). But not being able to make this choice, because a secure transport is not universally implemented, is an obstacle to avoid.
>>
>> And yes, this is all about what needs to be implemented to be compliant. The IESG has little influence on what people use, but it can influence that people have a choice by requiring the implementation of a secure transport by compliant implementations.
>>
>> /js
>>
>> PS: Of course, I am talking from past experience, and the details of the story lines usually change with the IESG composition.
>>
>> On Mon, Aug 02, 2021 at 07:14:35PM +0200, Pierre Francois wrote:
>> > Hello everyone,
>> >
>> > I'm fine with merging the two drafts. What I wish is that the existing implementations that do not mandate dtls activation remain legit wrt the resulting RFC.
>> > We're aiming at lightweight transport in controlled environments here.
>> >
>> > Cheers,
>> > Pierre.
>> >
>> > On Mon, 2 Aug 2021 at 18:26, Kent Watsen <kent@watsen.net> wrote:
>> >
>> > > Mahesh and I were wondering about this. When Pierre mentioned the DTLS work, we were "surprised" in that we too assumed the "udp" draft had the security bits.
>> > >
>> > > It is true that the IESG is all but mandating security for years now. IIRC, Syslog over UDP is obsolete due to being unsecured.
>> > >
>> > > K.
>> > >
>> > > On Aug 2, 2021, at 11:53 AM, Zmail <alex.huang-feng@insa-lyon.fr> wrote:
>> > >
>> > > Noted, I'll discuss this with Unyte team.
>> > >
>> > > Alex
>> > >
>> > > On 2 Aug 2021, at 11:40, Jürgen Schönwälder <j.schoenwaelder@jacobs-university.de> wrote:
>> > >
>> > > Since I doubt that a protocol not providing security will receive IESG approval, I suggest that this work is getting integrated into draft-ietf-netconf-udp-notif-03.txt.
>> > >
>> > > I have not read the content but the I-D seems fairly small so integration into the WG document should be fairly trivial. Given past experience, it might be that the DTLS/UDP transport will become the mandatory to implement transport.
>> > >
>> > > /js
>> > >
>> > > On Mon, Aug 02, 2021 at 10:59:07AM +0200, Zmail wrote:
>> > >
>> > > Hello to everyone,
>> > >
>> > > We would like to present a new draft we didn't have time to show at the last IETF meeting.
>> > >
>> > > https://datatracker.ietf.org/doc/draft-unyte-netconf-udp-notif-dtls/
>> > >
>> > > This draft defines a mechanism to secure UDP-notif protocol messages using DTLS 1.3.
>> > > It defines the different layers involved, the DTLS session lifecycle and the mandatory cipher suites to use. It also makes explicit that no extensions of DTLS are needed and that IP fragmentation should be avoided.
>> > > We would like to have some feedback for this draft.
>> > >
>> > > We will present the draft to the WG at the next IETF meeting.
>> > >
>> > > Looking forward to hearing from you,
>> > >
>> > > Alex Huang Feng
>> > >
>> > > _______________________________________________
>> > > netconf mailing list
>> > > netconf@ietf.org
>> > > https://www.ietf.org/mailman/listinfo/netconf
>> > >
>> > > --
>> > > Juergen Schoenwaelder Jacobs University Bremen gGmbH
>> > > Phone: +49 421 200 3587 Campus Ring 1 | 28759 Bremen | Germany
>> > > Fax: +49 421 200 3103 <https://www.jacobs-university.de/>
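The one concrete design point in the quoted announcement is that DTLS records carrying UDP-notif messages must not rely on IP fragmentation. The Python below is an added illustration of what that implies for a sender, not code from the draft, its authors or any implementation named in the thread: it computes the application-data budget of one DTLS 1.3 record that fits in one unfragmented datagram at a given path MTU, and segments an oversized notification at the application layer before it is handed to DTLS. The DTLS 1.3 overhead constants (5-byte unified header without a connection ID, 1-byte encrypted content type, 16-byte AEAD tag), the 12-byte transport header in the usage block and the sample payload are this example's assumptions.

```python
"""Per-datagram budget for DTLS 1.3 over UDP, and application-layer segmentation
so that no DTLS record ever needs IP fragmentation.

Constructed example. The overhead constants are assumptions of this example
(DTLS 1.3 unified header without CID, encrypted inner content-type byte, AEAD
tag for AES-GCM / ChaCha20-Poly1305), not values taken from the UDP-notif or
the DTLS draft discussed in the thread.
"""
from dataclasses import dataclass
from typing import List

IPV4_HEADER = 20            # minimum IPv4 header, no options
IPV6_HEADER = 40            # fixed IPv6 header, no extension headers
UDP_HEADER = 8
DTLS13_RECORD_HEADER = 5    # assumed: unified header with 16-bit seq + length, no CID
DTLS13_INNER_TYPE = 1       # assumed: encrypted content-type byte of DTLSInnerPlaintext
AEAD_TAG = 16               # assumed: AES-GCM / ChaCha20-Poly1305 authentication tag


@dataclass(frozen=True)
class DatagramBudget:
    pmtu: int
    ipv6: bool
    max_plaintext: int   # bytes of application data per DTLS record


def dtls_plaintext_budget(pmtu: int, ipv6: bool = True) -> DatagramBudget:
    """Largest application payload that fits in one DTLS record carried in one
    unfragmented IP datagram of size `pmtu`. Raises if the PMTU cannot carry
    even one byte of application data."""
    ip = IPV6_HEADER if ipv6 else IPV4_HEADER
    overhead = ip + UDP_HEADER + DTLS13_RECORD_HEADER + DTLS13_INNER_TYPE + AEAD_TAG
    room = pmtu - overhead
    if room <= 0:
        raise ValueError(f"PMTU {pmtu} too small for DTLS over UDP (overhead {overhead})")
    return DatagramBudget(pmtu=pmtu, ipv6=ipv6, max_plaintext=room)


def segment_message(message: bytes, budget: DatagramBudget, header_len: int) -> List[bytes]:
    """Split one notification into application-layer segments, each of which,
    once a `header_len`-byte transport header is prepended, fits the budget.
    Segmentation happens before DTLS, so every record is exactly one datagram."""
    if header_len >= budget.max_plaintext:
        raise ValueError("transport header leaves no room for payload")
    chunk = budget.max_plaintext - header_len
    return [message[i:i + chunk] for i in range(0, len(message), chunk)] or [b""]


def needs_ip_fragmentation(record_plaintext_len: int, budget: DatagramBudget) -> bool:
    """True if a DTLS record carrying this much plaintext would exceed the PMTU."""
    return record_plaintext_len > budget.max_plaintext


if __name__ == "__main__":
    budget = dtls_plaintext_budget(1280, ipv6=True)      # IPv6 minimum link MTU
    push = b"{" + b"x" * 5000 + b"}"                     # constructed oversized payload
    segs = segment_message(push, budget, header_len=12)  # 12-byte header: assumed
    print(budget.max_plaintext, len(segs), [len(s) for s in segs])
    print(needs_ip_fragmentation(len(push), budget))
```

Sending the whole 5002-byte payload as one record would force the IP layer to fragment it (and a single lost fragment discards the whole record), so the sender is expected to segment first and send each segment as its own DTLS record; a receiver that wants to enforce the "no fragmentation" rule can apply `needs_ip_fragmentation` to the record lengths it observes.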
- [netconf] Securing UDP-notif messages with DTLS Zmail
- Re: [netconf] Securing UDP-notif messages with DT… Jürgen Schönwälder
- Re: [netconf] Securing UDP-notif messages with DT… Zmail
- Re: [netconf] Securing UDP-notif messages with DT… Kent Watsen
- Re: [netconf] Securing UDP-notif messages with DT… Pierre Francois
- Re: [netconf] Securing UDP-notif messages with DT… Jürgen Schönwälder
- Re: [netconf] Securing UDP-notif messages with DT… Pierre Francois
- Re: [netconf] Securing UDP-notif messages with DT… Benoit Claise
- Re: [netconf] Securing UDP-notif messages with DT… Pierre Francois