[netconf] updates to the suite of client/server drafts

Kent Watsen <kent+ietf@watsen.net> Tue, 30 April 2019 03:37 UTC

Return-Path: <0100016a6c516906-a2beb17b-d32c-4368-81f1-fe81e17b3755-000000@amazonses.watsen.net>
X-Original-To: netconf@ietfa.amsl.com
Delivered-To: netconf@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B00DE120284 for <netconf@ietfa.amsl.com>; Mon, 29 Apr 2019 20:37:19 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Level:
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, RCVD_IN_DNSWL_NONE=-0.0001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=amazonses.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id u497TgdO8-pQ for <netconf@ietfa.amsl.com>; Mon, 29 Apr 2019 20:37:17 -0700 (PDT)
Received: from a8-83.smtp-out.amazonses.com (a8-83.smtp-out.amazonses.com [54.240.8.83]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 3CA27120287 for <netconf@ietf.org>; Mon, 29 Apr 2019 20:37:17 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/simple; s=6gbrjpgwjskckoa6a5zn6fwqkn67xbtw; d=amazonses.com; t=1556595436; h=From:Content-Type:Content-Transfer-Encoding:Mime-Version:Subject:Message-Id:Date:To:Feedback-ID; bh=eZh7Ib+hBpYcVRdBpbfFoOizAhfe0TRAUa5AqGJfMNE=; b=jiDMJdgK0Oh4dAP+7wLzIihrCHdILQtfPBx4ceyqS+M/IgNINjzwt7j5vZolStAk cMSeaFL0RjaQZtEF/GJgzp3T3XZSVw4B8lYx79wcDozrNaorQpqT7p5XF+CKY6+Ho2V AUAZTfju/5O/fC04jM4VCgNzvsACgSTUCYwjc9ZQ=
From: Kent Watsen <kent+ietf@watsen.net>
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: quoted-printable
Mime-Version: 1.0 (Mac OS X Mail 12.2 \(3445.102.3\))
Message-ID: <0100016a6c516906-a2beb17b-d32c-4368-81f1-fe81e17b3755-000000@email.amazonses.com>
Date: Tue, 30 Apr 2019 03:37:15 +0000
To: "netconf@ietf.org" <netconf@ietf.org>
X-Mailer: Apple Mail (2.3445.102.3)
X-SES-Outgoing: 2019.04.30-54.240.8.83
Feedback-ID: 1.us-east-1.DKmIRZFhhsBhtmFMNikgwZUWVrODEw9qVcPhqJEI2DA=:AmazonSES
Archived-At: <https://mailarchive.ietf.org/arch/msg/netconf/fG5y4s2t4sBCP8NVzdtb5vwoZI4>
Subject: [netconf] updates to the suite of client/server drafts
X-BeenThere: netconf@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: NETCONF WG list <netconf.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/netconf>, <mailto:netconf-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/netconf/>
List-Post: <mailto:netconf@ietf.org>
List-Help: <mailto:netconf-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/netconf>, <mailto:netconf-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 30 Apr 2019 03:37:20 -0000

Below are the change logs for each draft just submitted.

Highlights:
  - all issues from the tcp adoption call have been addressed.

Lowlights:
  - some issues from the http adoption call remain.
  - there are some "fixme" comments left in the models.
  - the tree-diagram in Sections 2.1 and 3.1 in both the NC
     and RC drafts are a bit off (GitHub issue reported).

K. // contributor


=== change logs ===

crypto-types

   o  Added NACM annotations.

   o  Updated Security Considerations section.

   o  Added 'asymmetric-key-pair-with-cert-grouping' grouping.

   o  Removed text from 'permanently-hidden' enum regarding such keys
      not being backed up or restored.

   o  Updated the boilerplate text in module-level "description"
      statement to match copyeditor convention.

   o  Added an explanation to the 'public-key-grouping' and 'asymmetric-
      key-pair-grouping' statements as for why the nodes are not
      mandatory (e.g., because they may exist only in <operational>.

   o  Added 'must' expressions to the 'public-key-grouping' and
      'asymmetric-key-pair-grouping' statements ensuring sibling nodes
      either all exist or do not all exist.

   o  Added an explanation to the 'permanently-hidden' that the value
      cannot be configured directly by clients and servers MUST fail any
      attempt to do so.

   o  Added 'trust-anchor-certs-grouping' and 'end-entity-certs-
      grouping' (the plural form of existing groupings).

   o  Now states that keys created in <operational> by the *-hidden-key
      actions are bound to the lifetime of the parent 'config true'
      node, and that subsequent invocations of either action results in
      a failure.



keystore

   o  Added a 'description' statement to the 'must' in the /keystore/
      asymmetric-key node explaining that the descendent values may
      exist in <operational> only, and that implementation MUST assert
      that the values are either configured or that they exist in
      <operational>.


   o  Copied above 'must' statement (and description) into the local-or-
      keystore-asymmetric-key-grouping, local-or-keystore-asymmetric-
      key-with-certs-grouping, and local-or-keystore-end-entity-cert-
      with-key-grouping statements.



trust-anchors

   o  Added groupings 'local-or-truststore-certs-grouping' and 'local-
      or-truststore-host-keys-grouping', matching similar definitions in
      the keystore draft.  Note new (and incomplete) "truststore" usage!

   o  Related to above, also added features 'truststore-supported' and
      'local-trust-anchors-supported'.



tcp-client-server

      o addressed issues raised by Michael Scharf, TCPM WG chair and now co-author
      o this version resolves the adoption-call comments  (okay to resubmit as "ietf" now?)



ssh-client-server

   o  Removed the "demux containers", floating the nacm:default-deny-
      write to each descendent node, and adding a note to model
      designers regarding the potential need to add their own demux
      containers.


   o  In the server model, replaced <client-cert-auth> with <client-
      authentication> and introduced 'local-or-external' choice.



tls-client-server

   o  In server model, made 'client-authentication' a 'presence' node
      indicating that the server supports client authentication.

   o  In the server model, added a 'required-or-optional' choice to
      'client-authentication' to better support protocols such as
      RESTCONF.

   o  In the server model, added a 'local-or-external' choice to
      'client-authentication' to better support consuming data models
      that prefer to keep client auth with client definitions than in a
      model principally concerned with the "transport".

   o  In both models, removed the "demux containers", floating the
      nacm:default-deny-write to each descendent node, and adding a note
      to model designers regarding the potential need to add their own
      demux containers.



http-client-server

   o number of "improvements" (i hope)
   o not reviewed by HTTP WG chairs yet
   o likely needs finessing before asking them to review it again



netconf-client-server

   o  Removed the "Design Considerations" section.

   o  Removed the 'must' statement limiting keepalives in periodic
      connections.

   o  Updated models and examples to reflect removal of the "demux"
      containers in the imported models.

   o  Updated the "periodic-connnection" description statements to be
      more like the RESTCONF draft, especially where it described
      dropping the underlying TCP connection.

   o  Updated text to better reference where certain examples come from
      (e.g., which Section in which draft).

   o  In the server model, commented out the "must 'pinned-ca-certs or
      pinned-client-certs'" statement to reflect change made in the TLS
      draft whereby the trust anchors MAY be defined externally.

   o  Replaced the 'listen', 'initiate', and 'call-home' features with
      boolean expressions.



restconf-client-server

   o  Removed the 'must' statement limiting keepalives in periodic
      connections.

   o  Updated models and examples to reflect removal of the "demux"
      containers in the imported models.

   o  Updated the "periodic-connnection" description statements to
      better describe behavior when connections are not closed
      gracefully.

   o  Updated text to better reference where certain examples come from
      (e.g., which Section in which draft).

   o  In the server model, commented out the "must 'pinned-ca-certs or
      pinned-client-certs'" statement to reflect change made in the TLS
      draft whereby the trust anchors MAY be defined externally.

   o  Replaced the 'listen', 'initiate', and 'call-home' features with
      boolean expressions.