Re: [netconf] Securing UDP-notif messages with DTLS

Pierre Francois <pierre.francois.ietf@gmail.com> Tue, 03 August 2021 18:26 UTC

Benoit,

It works for me.

Pierre.

On Tue, 3 Aug 2021 at 14:45, Benoit Claise <benoit.claise@huawei.com>
wrote:

> Hi,
>
> This discussion reminds me of IPFIX discussions :-)
> Considering that the industry/operators will implement what they need (not
> more), or request what they need from router vendors, regardless of what the
> RFCs say, let's go with the path of least resistance regarding publication.
> I would say: merge the two drafts.
>
> Regards, Benoit
>
> On 8/2/2021 9:22 PM, Pierre Francois wrote:
>
> Juergen,
>
> Thanks for your input.
>
> IESG composition won't change much to the story on this aspect, I think.
>
> Alright, I'll discuss with all the authors involved and get back to the
> list. I guess no one in the wg will object to a merge if we decide to go
> this way.
>
> Cheers,
>
> /pfr
>
> On Mon, 2 Aug 2021 at 19:33, Jürgen Schönwälder <
> j.schoenwaelder@jacobs-university.de> wrote:
>
>> In the past, there were people on the IESG that would tell you that "a
>> controlled environment" is in most cases a myth. (There is something
>> to this argument once you think about how messed up the world appears
>> to be these days.)
>>
>> There certainly is a point that compliant implementations must support
>> a secure transport so that people deploying the technology have the
>> choice to use it. If an operator then decides to not use the secure
>> transport, so be it, that is then the operator's free choice (and
>> responsibility). But not being able to make this choice, because a secure
>> transport is not universally implemented, is an obstacle to avoid.
>>
>> And yes, this is all about what needs to be implemented to be
>> compliant. The IESG has little influence on what people use, but it
>> can influence that people have a choice by requiring the
>> implementation of a secure transport by compliant implementations.
>>
>> /js
>>
>> PS: Of course, I am talking from past experience, and the details of
>>     the story lines usually change with the IESG composition.
>>
>> On Mon, Aug 02, 2021 at 07:14:35PM +0200, Pierre Francois wrote:
>> > Hello everyone,
>> >
>> > I'm fine with merging the two drafts. What I wish is that the existing
>> > implementations that do not mandate DTLS activation remain legit wrt the
>> > resulting RFC.
>> > We're aiming at lightweight transport in controlled environments here.
>> >
>> > Cheers,
>> > Pierre.
>> >
>> > On Mon, 2 Aug 2021 at 18:26, Kent Watsen <kent@watsen.net> wrote:
>> >
>> > >
>> > > Mahesh and I were wondering about this.  When Pierre mentioned the DTLS
>> > > work, we were “surprised” in that we too assumed the “udp” draft had the
>> > > security bits.
>> > >
>> > > It is true that the IESG has been all but mandating security for years
>> > > now.  IIRC, Syslog over UDP is obsolete due to being unsecured.
>> > >
>> > > K.
>> > >
>> > > On Aug 2, 2021, at 11:53 AM, Zmail <alex.huang-feng@insa-lyon.fr> wrote:
>> > >
>> > > Noted, I’ll discuss this with Unyte team.
>> > >
>> > > Alex
>> > >
>> > > On 2 Aug 2021, at 11:40, Jürgen Schönwälder <
>> > > j.schoenwaelder@jacobs-university.de> wrote:
>> > >
>> > > Since I doubt that a protocol not providing security will receive
>> > > IESG approval, I suggest that this work is getting integrated into
>> > > draft-ietf-netconf-udp-notif-03.txt.
>> > >
>> > > I have not read the content but the I-D seems fairly small so
>> > > integration into the WG document should be fairly trivial. Given past
>> > > experience, it might be that the DTLS/UDP transport will become the
>> > > mandatory to implement transport.
>> > >
>> > > /js
>> > >
>> > > On Mon, Aug 02, 2021 at 10:59:07AM +0200, Zmail wrote:
>> > >
>> > > Hello to everyone,
>> > >
>> > > We would like to present a new draft we didn’t have time to show at the
>> > > last IETF meeting.
>> > >
>> > > https://datatracker.ietf.org/doc/draft-unyte-netconf-udp-notif-dtls/
>> > >
>> > > This draft defines a mechanism to secure UDP-notif protocol messages using
>> > > DTLS 1.3.
>> > > It defines the different layers involved, the DTLS session lifecycle and
>> > > the mandatory cipher suites to use. It also makes explicit that no
>> > > extensions of DTLS are needed and that IP fragmentation should be avoided.
>> > > We would like to have some feedback for this draft.
>> > >
>> > > We will present the draft to the WG at the next IETF meeting.
>> > >
>> > > Looking forward to hearing from you,
>> > >
>> > > Alex Huang Feng
>> > >
>> > >
>> > > _______________________________________________
>> > > netconf mailing list
>> > > netconf@ietf.org
>> > > https://www.ietf.org/mailman/listinfo/netconf
>> > >
>> > >
>> > >
>> > > --
>> > > Juergen Schoenwaelder           Jacobs University Bremen gGmbH
>> > > Phone: +49 421 200 3587         Campus Ring 1 | 28759 Bremen | Germany
>> > > Fax:   +49 421 200 3103         <https://www.jacobs-university.de/>
>> > >
>>
>>
>