Re: [netconf] netconf-tls wasRe: Summary of updates

Kent Watsen <kent+ietf@watsen.net> Thu, 20 May 2021 23:12 UTC

From: Kent Watsen <kent+ietf@watsen.net>
Message-ID: <010001798c0d947e-4d2d14f5-9f0e-450d-ac99-e18c260f0c2b-000000@email.amazonses.com>
Date: Thu, 20 May 2021 23:12:50 +0000
In-Reply-To: <AM7PR07MB624835D8BE54144D97221817A02B9@AM7PR07MB6248.eurprd07.prod.outlook.com>
Cc: "netconf@ietf.org" <netconf@ietf.org>
To: tom petch <ietfc@btconnect.com>
References: <0100017980c49236-7975b99d-b591-4da2-a118-f6598517c4e5-000000@email.amazonses.com> <AM7PR07MB624835D8BE54144D97221817A02B9@AM7PR07MB6248.eurprd07.prod.outlook.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/netconf/cfb81HZLWFN00aSTd6fsGTvacGY>

Hi Tom,


> I still think that the I-D lacks clarity about supported versions.
> 
> Introduction 
> TLS Protocol [RFC5246] 
> Clearly this is TLS1.2 only

Yes. In keeping with the original intention (to reference just the current, not obsoleted, document), this should be updated to RFC 8446. But I wonder if you think the document should reference all four documents (2246, 4346, 5246, and 8446) and then have DOWNREFS?

Background: the document generally references TLS 1.2 as that *was* the “current” TLS version when most of the text was written. TLS 1.3 happened later, and a minimal (and apparently inadequate) update was made to accommodate it. What you’re finding are the remnants of that history...

PS: I don’t claim to be a TLS expert. It would be helpful if corrected text could be provided. Pointing out the issues is great, but it takes time for me to determine what update is needed, something you may well have in mind?

K.


> 
> s.2
> This model supports both TLS1.2 and TLS1.3
> Ah, no, TLS1.2 and TLS1.3 but not TLS1.0 or TLS1.1
> 
> s.2.1.1
> Features
> tls-1_0
> tls-1_1
> tls-1_2
> tls-1_3
> Ah no, it may not support 1.0 and 1.1 but it ........ for them but I know not what.
> 
> 2.2 
> an example for 1.1 and 1.2 but not 1.3; interesting.
> 
> Reverse engineering the YANG I find that 'Version 1.0 is supported', 'Version 1.1 is supported'.
> 
> hello-params-grouping
> Only 1.2 is referenced as indeed is repeatedly the case in the YANG modules
> 
> Mmm I dunno!
> 
> I want the Introduction to set the scene which subsequent sections expand on and that I see as lacking.  Support for 1.0 and 1.1 would, for me, mean catering for the different cipher suites that they have.
> 
> In passing, I was wrong about public keys.  I misread the statement that only certificates and PSK are supported in TLS1.3, forgetting that certificate(255) is a public key!
> 
> Tom Petch
> 
> 
> 
> 
>   4) for the “http” draft, no significant update (really? hmm...)
>   5) for the “netconf” draft, whilst not in WGLC, significant updates wrt the "client-identity-mappings” nodes.
> 
> Notably, beware that the Last Call YANG-doctor review for some of these four drafts has been pending this update, so expect to see a little more activity on these drafts yet.
> 
> K.
> 
> 
> DETAILS:
> 
> crypto-types:
>   *  Nits found via YANG Doctors reviews.
>   *  Aligned modules with `pyang -f` formatting.
> 
> truststore:
>   *  Added prefixes to 'path' statements per trust-anchors/issues/1
>   *  Renamed feature "truststore-supported" to "central-truststore-supported".
>   *  Associated with above, generally moved text to refer to a
>      "central" truststore.
>   *  Removed two unnecessary/unwanted "min-elements 1" and associated
>      "presence" statements.
>   *  Aligned modules with `pyang -f` formatting.
>   *  Fixed nits found by YANG Doctor reviews.
> 
> keystore:
>   *  Added prefixes to 'path' statements per trust-anchors/issues/1
>   *  Renamed feature "keystore-supported" to "central-keystore-
>      supported".
>   *  Associated with above, generally moved text to refer to a
>      "central" keystore.
>   *  Aligned modules with `pyang -f` formatting.
>   *  Fixed nits found by YANG Doctor reviews.
> 
> tcp-client-server:
>   *  Updated Abstract and Intro to address comments by Tom Petch.
>   *  Removed the "tcp-connection-grouping" grouping (now models use the
>      "tcp-common-grouping" directly).
>   *  Added XML-comment above examples explaining the reason for the
>      unusual top-most element's presence.
>   *  Added Security Considerations section for the "local-binding-
>      supported" feature.
>   *  Replaced some hardcoded refs to <xref> elements.
>   *  Fixed nits found by YANG Doctor reviews.
>   *  Aligned modules with `pyang -f` formatting.
>   *  Added an "Acknowledgements" section.
> 
> ssh-client-server:
>   *  Removed the 'supported-authentication-methods' from {grouping ssh-
>      server-grouping}/client-authentication.
>   *  Added XML-comment above examples explaining the reason for the
>      unexpected top-most element's presence.
>   *  Added RFC-references to various 'feature' statements.
>   *  Renamed "credentials" to "authentication methods"
>   *  Renamed "client-auth-*" to "userauth-*"
>   *  Renamed "client-identity-*" to "userauth-*"
>   *  Fixed nits found by YANG Doctor reviews.
>   *  Aligned modules with `pyang -f` formatting.
>   *  Added a 'Contributors' section.
> 
> tls-client-server:
>   *  Added missing reference to "FIPS PUB 180-4".
>   *  Added identity "tls-1.3" and updated description statement in
>      other identities indicating that the protocol version is obsolete
>      and enabling the feature is NOT RECOMMENDED.
>   *  Added XML-comment above examples explaining the reason for the
>      unexpected top-most element's presence.
>   *  Added missing "client-ident-raw-public-key" and "client-ident-psk"
>      features.
>   *  Aligned modules with `pyang -f` formatting.
>   *  Fixed nits found by YANG Doctor reviews.
>   *  Added a 'Contributors' section.
> 
> http-client-server:
>   *  Added XML-comment above examples explaining the reason for the
>      unusual top-most element's presence.
>   *  Renamed 'client-auth-config-supported' to 'client-auth-supported'
>      consistent with other drafts.
>   *  Wrapped 'container basic' choice inside a 'case basic' per best
>      practice.
>   *  Aligned modules with `pyang -f` formatting.
>   *  Fixed nits found by YANG Doctor reviews.
> 
> netconf-client-server:
>   *  Floated an 'if-feature' statement in a grouping down to where the
>      grouping is used.
>   *  Clarified 'client-identity-mappings' for both the SSH and TLS
>      transports.
>   *  For netconf-client, augmented-in a 'mapping-required' flag into
>      'client-identity-mappings' only for the SSH transport, and
>      refined-in a 'min-elements 1' only for the TLS transport.
>   *  Aligned modules with `pyang -f` formatting.
> 
> restconf-client-server:
>   *  Further clarified why some 'presence' statements are present.
>   *  Addressed nits found in YANG Doctor reviews.
>   *  Aligned modules with `pyang -f` formatting.
> 
> 
> 
> 
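The thread turns on two related points: the model exposes features for TLS 1.0 through 1.3 while the text only speaks of 1.2 and 1.3, and (as Tom notes) supporting 1.0/1.1 would mean catering for a different set of cipher suites. The following is an added example, not code from the ietf-tls-client-server draft, from Kent Watsen or from the NETCONF working group: a small validator for a hello-params-style configuration (enabled versions plus cipher suites) that performs the cross-checks a YANG module cannot express by itself. The version identifiers follow the feature names Tom quotes (tls-1_0 .. tls-1_3); treating TLS 1.0 and 1.1 as deprecated follows RFC 8996, which is an assumption about what the draft's "obsolete / NOT RECOMMENDED" wording refers to; the suite classification rests on the fact that AEAD suites and the SHA-256/384 PRF and MAC suites require TLS 1.2, while TLS 1.3 suites carry no key-exchange name.

```python
"""Validate a hello-params-style TLS configuration: enabled protocol versions
plus cipher suites, with the cross-checks a YANG module cannot express alone.

Constructed example for the thread above; not code from the
ietf-tls-client-server draft or from the IETF NETCONF working group.
"""
from typing import List, Tuple

# Assumed identifier -> (defining RFC, deprecated?) mapping. The identifiers
# mirror the feature names quoted in the thread; the deprecation of TLS 1.0
# and TLS 1.1 follows RFC 8996.
TLS_VERSIONS = {
    "tls-1_0": ("RFC 2246", True),
    "tls-1_1": ("RFC 4346", True),
    "tls-1_2": ("RFC 5246", False),
    "tls-1_3": ("RFC 8446", False),
}

# Markers of suites that need TLS 1.2 features: AEAD ciphers (RFC 5288/6655/7905)
# or the SHA-256/SHA-384 PRF and HMAC introduced in RFC 5246.
TLS12_ONLY_MARKERS = ("_GCM_", "_CCM", "CHACHA20", "_SHA256", "_SHA384")
# Suites that provide no confidentiality or no peer authentication.
INSECURE_MARKERS = ("_NULL_", "_anon_", "_EXPORT", "_RC4_")

# Suite families each protocol version can actually negotiate.
USABLE = {
    "tls-1_0": {"legacy"},
    "tls-1_1": {"legacy"},
    "tls-1_2": {"tls12", "legacy"},
    "tls-1_3": {"tls13"},
}


def suite_family(suite: str) -> str:
    """Classify a cipher-suite name by the protocol versions that can use it.

    'tls13'  : TLS 1.3 suites (AEAD + hash only, no key exchange, no '_WITH_')
    'tls12'  : suites that need TLS 1.2 (AEAD, or SHA-256/384 PRF/MAC)
    'legacy' : CBC/SHA-1 suites usable from TLS 1.0 through TLS 1.2
    """
    if "_WITH_" not in suite:
        return "tls13"
    if any(marker in suite for marker in TLS12_ONLY_MARKERS):
        return "tls12"
    return "legacy"


def validate(versions: List[str], suites: List[str]) -> Tuple[List[str], List[str]]:
    """Return (errors, warnings) for an enabled-versions + cipher-suite config."""
    errors: List[str] = []
    warnings: List[str] = []

    if not versions:
        errors.append("no TLS version enabled")
    for version in versions:
        if version not in TLS_VERSIONS:
            errors.append(f"unknown TLS version identifier {version!r}")
            continue
        rfc, deprecated = TLS_VERSIONS[version]
        if deprecated:
            warnings.append(f"{version} ({rfc}) is deprecated by RFC 8996; "
                            "enabling it is NOT RECOMMENDED")

    for suite in suites:
        if any(marker in suite for marker in INSECURE_MARKERS):
            errors.append(f"cipher suite {suite} offers no confidentiality "
                          "or authentication")

    families = {suite: suite_family(suite) for suite in suites}
    known = [v for v in versions if v in TLS_VERSIONS]

    # Each enabled version must have at least one suite it can negotiate;
    # this is the gap Tom points at for TLS 1.0/1.1 with TLS 1.2-only suites.
    for version in known:
        if not any(family in USABLE[version] for family in families.values()):
            errors.append(f"{version} is enabled but no configured cipher suite "
                          "can be used with it")

    # Suites that no enabled version can use are dead configuration.
    reachable = set().union(*(USABLE[v] for v in known)) if known else set()
    for suite, family in families.items():
        if family not in reachable:
            warnings.append(f"cipher suite {suite} can never be negotiated "
                            "with the enabled versions")
    return errors, warnings


if __name__ == "__main__":
    # Constructed configuration: TLS 1.1 enabled with a TLS 1.2-only suite.
    errs, warns = validate(["tls-1_1"], ["TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"])
    for line in errs:
        print("ERROR:", line)
    for line in warns:
        print("WARN: ", line)
```

The point of the second and third checks is that a version feature and a cipher-suite list are only consistent together: enabling tls-1_1 against a list of GCM or SHA-256 suites yields a configuration that can never complete a handshake, and enabling only tls-1_3 against TLS 1.2 suites fails the same way in the other direction.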