[netconf] updates to the suite of client/server drafts
Kent Watsen <kent+ietf@watsen.net> Tue, 30 April 2019 03:37 UTC
Below are the change logs for each draft just submitted.

Highlights:
  - all issues from the tcp adoption call have been addressed.

Lowlights:
  - some issues from the http adoption call remain.
  - there are some "fixme" comments left in the models.
  - the tree-diagrams in Sections 2.1 and 3.1 in both the NC and RC drafts are a bit off (GitHub issue reported).

K. // contributor


=== change logs ===

crypto-types
  o Added NACM annotations.
  o Updated Security Considerations section.
  o Added 'asymmetric-key-pair-with-cert-grouping' grouping.
  o Removed text from 'permanently-hidden' enum regarding such keys not being backed up or restored.
  o Updated the boilerplate text in module-level "description" statement to match copyeditor convention.
  o Added an explanation to the 'public-key-grouping' and 'asymmetric-key-pair-grouping' statements as for why the nodes are not mandatory (e.g., because they may exist only in <operational>).
  o Added 'must' expressions to the 'public-key-grouping' and 'asymmetric-key-pair-grouping' statements ensuring sibling nodes either all exist or do not all exist.
  o Added an explanation to the 'permanently-hidden' that the value cannot be configured directly by clients and servers MUST fail any attempt to do so.
  o Added 'trust-anchor-certs-grouping' and 'end-entity-certs-grouping' (the plural form of existing groupings).
  o Now states that keys created in <operational> by the *-hidden-key actions are bound to the lifetime of the parent 'config true' node, and that subsequent invocations of either action result in a failure.

keystore
  o Added a 'description' statement to the 'must' in the /keystore/asymmetric-key node explaining that the descendent values may exist in <operational> only, and that implementations MUST assert that the values are either configured or that they exist in <operational>.
  o Copied above 'must' statement (and description) into the local-or-keystore-asymmetric-key-grouping, local-or-keystore-asymmetric-key-with-certs-grouping, and local-or-keystore-end-entity-cert-with-key-grouping statements.

trust-anchors
  o Added groupings 'local-or-truststore-certs-grouping' and 'local-or-truststore-host-keys-grouping', matching similar definitions in the keystore draft. Note new (and incomplete) "truststore" usage!
  o Related to above, also added features 'truststore-supported' and 'local-trust-anchors-supported'.

tcp-client-server
  o addressed issues raised by Michael Scharf, TCPM WG chair and now co-author
  o this version resolves the adoption-call comments (okay to resubmit as "ietf" now?)

ssh-client-server
  o Removed the "demux containers", floating the nacm:default-deny-write to each descendent node, and adding a note to model designers regarding the potential need to add their own demux containers.
  o In the server model, replaced <client-cert-auth> with <client-authentication> and introduced 'local-or-external' choice.

tls-client-server
  o In server model, made 'client-authentication' a 'presence' node indicating that the server supports client authentication.
  o In the server model, added a 'required-or-optional' choice to 'client-authentication' to better support protocols such as RESTCONF.
  o In the server model, added a 'local-or-external' choice to 'client-authentication' to better support consuming data models that prefer to keep client auth with client definitions rather than in a model principally concerned with the "transport".
  o In both models, removed the "demux containers", floating the nacm:default-deny-write to each descendent node, and adding a note to model designers regarding the potential need to add their own demux containers.

http-client-server
  o number of "improvements" (i hope)
  o not reviewed by HTTP WG chairs yet
  o likely needs finessing before asking them to review it again

netconf-client-server
  o Removed the "Design Considerations" section.
  o Removed the 'must' statement limiting keepalives in periodic connections.
  o Updated models and examples to reflect removal of the "demux" containers in the imported models.
  o Updated the "periodic-connection" description statements to be more like the RESTCONF draft, especially where it described dropping the underlying TCP connection.
  o Updated text to better reference where certain examples come from (e.g., which Section in which draft).
  o In the server model, commented out the "must 'pinned-ca-certs or pinned-client-certs'" statement to reflect change made in the TLS draft whereby the trust anchors MAY be defined externally.
  o Replaced the 'listen', 'initiate', and 'call-home' features with boolean expressions.

restconf-client-server
  o Removed the 'must' statement limiting keepalives in periodic connections.
  o Updated models and examples to reflect removal of the "demux" containers in the imported models.
  o Updated the "periodic-connection" description statements to better describe behavior when connections are not closed gracefully.
  o Updated text to better reference where certain examples come from (e.g., which Section in which draft).
  o In the server model, commented out the "must 'pinned-ca-certs or pinned-client-certs'" statement to reflect change made in the TLS draft whereby the trust anchors MAY be defined externally.
  o Replaced the 'listen', 'initiate', and 'call-home' features with boolean expressions.
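The crypto-types item about 'must' expressions that keep sibling nodes all-or-nothing (non-mandatory because the values may live only in <operational>) can be expressed as a cycle of mutually referencing leaf constraints. The module below is an added illustration written for this archive page, not text from the crypto-types or keystore drafts; the module name, namespace, prefix and leaf types are constructed placeholders.

```yang
// Constructed example module; not from any IETF draft.
module example-key-pair-siblings {
  yang-version 1.1;
  namespace "urn:example:key-pair-siblings";   // constructed namespace
  prefix ekps;

  grouping asymmetric-key-pair-grouping {
    description
      "Illustrative grouping. None of the leaves is 'mandatory' because
       a key may exist only in <operational> (e.g., a hidden key), so a
       configured instance may legitimately omit all of them. The 'must'
       statements form a cycle: a 'must' on a leaf is only evaluated when
       that leaf exists, so if any one leaf is present the next must be
       present too, and therefore either all three exist or none do.";
    leaf algorithm {
      type string;        // placeholder for an algorithm identity reference
      must '../public-key' {
        error-message "'algorithm' requires 'public-key'.";
      }
      description "Asymmetric key algorithm.";
    }
    leaf public-key {
      type binary;
      must '../private-key' {
        error-message "'public-key' requires 'private-key'.";
      }
      description "Public key; absent when the key exists only in <operational>.";
    }
    leaf private-key {
      type binary;
      must '../algorithm' {
        error-message "'private-key' requires 'algorithm'.";
      }
      description "Private key; absent when the key is not configured.";
    }
  }

  container keystore {
    list asymmetric-key {
      key "name";
      leaf name { type string; }
      uses asymmetric-key-pair-grouping;
    }
  }
}
```

Validating a configuration with only 'algorithm' set fails on the first 'must', while an entry carrying none of the three leaves (the key-only-in-<operational> case) validates because no 'must' is evaluated.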