IETF Logo Mail Archive

[netconf] IANA templates for algorithms

Kent Watsen <kent+ietf@watsen.net> Wed, 19 February 2020 00:21 UTC

Return-Path: <010001705ad1e8a3-891d7081-80c2-4a0d-857e-f6242b1a8793-000000@amazonses.watsen.net>
X-Original-To: netconf@ietfa.amsl.com
Delivered-To: netconf@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B5976120058 for <netconf@ietfa.amsl.com>; Tue, 18 Feb 2020 16:21:14 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.898
X-Spam-Level:
X-Spam-Status: No, score=-1.898 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_NONE=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=amazonses.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Gsn2knegW2vU for <netconf@ietfa.amsl.com>; Tue, 18 Feb 2020 16:21:12 -0800 (PST)
Received: from a48-95.smtp-out.amazonses.com (a48-95.smtp-out.amazonses.com [54.240.48.95]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 85650120041 for <netconf@ietf.org>; Tue, 18 Feb 2020 16:21:12 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/simple; s=6gbrjpgwjskckoa6a5zn6fwqkn67xbtw; d=amazonses.com; t=1582071671; h=From:Content-Type:Content-Transfer-Encoding:Mime-Version:Subject:Message-Id:Date:Cc:To:Feedback-ID; bh=AVIrcuR4nZFzpVNvA6WrffB2gDvxRuYt2ffT8IEw81I=; b=bOz4voXF6HuudG8gGD7IxqSWN/86JyqD1v4Sc0Xlrgur2OoSgS2vYRzgHYhd0DXY Z2XTjuHL+OoR2DOOtty/SEnMf1U/uGldG3Ah5VQSPe3B0fIpOFx7DMz5rCBdJLcSoPC nnLPcbg4VMmagtao2p+6P2gbnTJ5nKtR9ISLpa4Y=
From: Kent Watsen <kent+ietf@watsen.net>
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable
Mime-Version: 1.0 (Mac OS X Mail 12.4 \(3445.104.11\))
Message-ID: <010001705ad1e8a3-891d7081-80c2-4a0d-857e-f6242b1a8793-000000@email.amazonses.com>
Date: Wed, 19 Feb 2020 00:21:11 +0000
To: "netconf@ietf.org" <netconf@ietf.org>
X-Mailer: Apple Mail (2.3445.104.11)
X-SES-Outgoing: 2020.02.19-54.240.48.95
Feedback-ID: 1.us-east-1.DKmIRZFhhsBhtmFMNikgwZUWVrODEw9qVcPhqJEI2DA=:AmazonSES
Archived-At: <https://mailarchive.ietf.org/arch/msg/netconf/cmudFQxPMQD67HIEjyT6BhapKFI>
Subject: [netconf] IANA templates for algorithms
X-BeenThere: netconf@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: NETCONF WG list <netconf.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/netconf>, <mailto:netconf-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/netconf/>
List-Post: <mailto:netconf@ietf.org>
List-Help: <mailto:netconf-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/netconf>, <mailto:netconf-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 19 Feb 2020 00:21:15 -0000

From our session at IETF 106, there was a suggestion to follow the “template” pattern forged by draft-ietf-dnsop-iana-class-type-yang, which provides an XSLT script that generates a YANG module by processing as input the XML for the separately maintained "DNS Parameters” registry, specifically https://www.iana.org/assignments/dns-parameters/dns-parameters.xml.  The IANA workflow is:

    1) whenever updating the DNS Parameters registry...
            - for whatever RFC may be requesting it

    2) also update the YANG module...
            - by re-running the XSLT script again over the updated XML file

The prerequisite for this process is that there exists separate registries to pull data from, i.e., the input to the XSLT script.  The closest comparable registries that we could pull from seem to be:

 - for TLS: https://www.iana.org/assignments/tls-parameters/tls-parameters.xhtml
 - for SSH: https://www.iana.org/assignments/ssh-parameters/ssh-parameters.xhtml

Neither of these registries help us, at least not directly.  Yes, they provide enumerations for on-the-wire protocol values, but they fail to provide an enumeration for, e.g., a 2048-bit RSA key.

Keying off Rob’s comment from the 106 meeting for the IANA process to engage expert reviewers, it seems that a process akin to the following is needed:

    1) whenever some number of existing target registries are updated
          - for now, just the SSH/TLS registries listed above

    2) engage an "expert reviewer" to see if any of the new entries
        regard an undefined algorithm and, if so, a TBD process is
        used to add the new algorithms to the appropriate YANG
        module (e.g., iana-symmetric-algorithms), which would be
        automatically published by IANA.

Drilling into step (2) some, the process might actually be:

  2a) update some new TBD registry (e.g., “base algorithms”).
        This would need to be done by a crypto expert (not the
        NETCONF WG or YANG Doctors.  Good candidates might
        the Security ADs or, perhaps better, the WG that published
        the source RFC.

  2b) run a script over the updated new TBD “base algorithms” 
         registry to produce the desired updated YANG module(s).  
         Presumably IANA could do this in the same way as will
         Be done for the DNS Parameters registry.

Obviously (2a) relies heavily on buy-in from the Security Area experts.  The buy-in needs to be both that this is an important registry to define and support the publication of an RFC that creates and defines rules for maintaining said registry.   Our “crypto-types” draft could be this RFC, if they’re okay with that.

Rich, as someone more connected to the Security Area, what do you think about this plan and any ideas on how to proceed to get the needed buy-in?


Kent // contributor

v2.23.0 | Report a Bug | By Email