IETF Logo Mail Archive

Re: [netconf] netconf-tls wasRe: Summary of updates

Kent Watsen <kent+ietf@watsen.net> Tue, 25 May 2021 22:55 UTC

Return-Path: <01000179a5bd8ba9-31f98af8-18b4-422f-8b0a-3be3241175b9-000000@amazonses.watsen.net>
X-Original-To: netconf@ietfa.amsl.com
Delivered-To: netconf@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 7982E3A115F for <netconf@ietfa.amsl.com>; Tue, 25 May 2021 15:55:37 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.896
X-Spam-Level:
X-Spam-Status: No, score=-1.896 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_BLOCKED=0.001, SPF_HELO_NONE=0.001, SPF_NONE=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=amazonses.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 5q1L_u9qlzjQ for <netconf@ietfa.amsl.com>; Tue, 25 May 2021 15:55:34 -0700 (PDT)
Received: from a48-94.smtp-out.amazonses.com (a48-94.smtp-out.amazonses.com [54.240.48.94]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id B00963A115E for <netconf@ietf.org>; Tue, 25 May 2021 15:55:34 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/simple; s=ug7nbtf4gccmlpwj322ax3p6ow6yfsug; d=amazonses.com; t=1621983333; h=From:Message-Id:Content-Type:Mime-Version:Subject:Date:In-Reply-To:Cc:To:References:Feedback-ID; bh=lzbKzlmhYe6c5srKVdYQmtPedned1m3oP5RtKOlFgiU=; b=HXUJ0oW0xHLN48gttUFA7JIEALXqm0YMNzcqmiQDk9WgjAYlHtCwlpyDwrHjMOQa NcoCojTLwe4hX+24xeOrzt8txvLYP/p5WjJ0yWNigxA78bdUstRgGiLuWKxHL5bkvAu Nfy5dy0zlWmjngY4Q2w/nztWCHs4YS62Stlbwiyg=
From: Kent Watsen <kent+ietf@watsen.net>
Message-ID: <01000179a5bd8ba9-31f98af8-18b4-422f-8b0a-3be3241175b9-000000@email.amazonses.com>
Content-Type: multipart/alternative; boundary="Apple-Mail=_20CD996F-CF4F-4C1C-8BD0-CCF6583BCDF9"
Mime-Version: 1.0 (Mac OS X Mail 14.0 \(3654.60.0.2.21\))
Date: Tue, 25 May 2021 22:55:33 +0000
In-Reply-To: <AM7PR07MB624878220E9E03CAA2375C8EA0259@AM7PR07MB6248.eurprd07.prod.outlook.com>
Cc: "netconf@ietf.org" <netconf@ietf.org>, "garywu@cisco.com" <garywu@cisco.com>
To: tom petch <ietfc@btconnect.com>
References: <0100017980c49236-7975b99d-b591-4da2-a118-f6598517c4e5-000000@email.amazonses.com> <AM7PR07MB624835D8BE54144D97221817A02B9@AM7PR07MB6248.eurprd07.prod.outlook.com> <010001798c0d947e-4d2d14f5-9f0e-450d-ac99-e18c260f0c2b-000000@email.amazonses.com> <AM7PR07MB6248FF0E1E5A053D4FA2BDC4A0299@AM7PR07MB6248.eurprd07.prod.outlook.com> <AM7PR07MB6248C43AF481F5A94D2041DAA0269@AM7PR07MB6248.eurprd07.prod.outlook.com> <01000179a0c32a2e-d0bce1e5-c006-4550-aebf-29b903643b4c-000000@email.amazonses.com> <AM7PR07MB624878220E9E03CAA2375C8EA0259@AM7PR07MB6248.eurprd07.prod.outlook.com>
X-Mailer: Apple Mail (2.3654.60.0.2.21)
Feedback-ID: 1.us-east-1.DKmIRZFhhsBhtmFMNikgwZUWVrODEw9qVcPhqJEI2DA=:AmazonSES
X-SES-Outgoing: 2021.05.25-54.240.48.94
Archived-At: <https://mailarchive.ietf.org/arch/msg/netconf/gvOQ5Qii210kBTOA9ET2wPWsk5Q>
Subject: Re: [netconf] netconf-tls wasRe: Summary of updates
X-BeenThere: netconf@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: NETCONF WG list <netconf.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/netconf>, <mailto:netconf-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/netconf/>
List-Post: <mailto:netconf@ietf.org>
List-Help: <mailto:netconf-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/netconf>, <mailto:netconf-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 25 May 2021 22:55:38 -0000

Hi Tom,

Pruning resolved items below.



> <tp2.0>
> OK, some references.
> 
> Grepping for the string “tp2.0” returns no results.

Oh, I think that you’re trying to be funny, as <tp2.0> identifies your follow-up comments, which may’ve been marked <tp>.   Do you see now how that wasn’t obvious to me, perhaps next time preface with a comment “see <tp2.0> for follow-ups”.  Better, as I and others have been recommended, you should ditch your web-mail client for something that implements normal indentation for replies...



> tlscmn
> 
> tls-ecc
> needs RFC8446
> 
> Why?  8446 refs and defers to 8422, right?
> <tp>
> wrong IMHO; look at the title of 8422 - "Versions 1.2 and earlier"

Okay, added.



> tls-dhe
> needs 8446
> 
> Okay, 8446 obsoletes 5246.
> <tp>
> Right but I think you need both.  The I-D currently highlights 1.2 and mostly ignores 1.3 where I think they should have equal billing and since they are so different, a reference to 1.3 alone is inadequate so my default position is that both 5246 and 8446 are needed.

The previous git-commit has both.



> tls-gcm
> needs 8446
> 
> Okay, but it’s strange that 8446 doesn’t ref/obsolete 5288…I guess because it uses the NIST “GCM” ref instead…perhaps this draft should as well?
> <tp>
> Well where do you stop? As above, I think that every 5246 needs a 8446 alongside it unless one version does not support the functionality but that is as far as I would go.
> 
> 
> identity ciphersuite
> I do not see the 1.3 values from 8446 B.4
> 
> grepping for “ciphersuite” returns no matches…?
> <tp>
> Bear in mind that 1.3 changes everything it can - try 'cipher suite’

Oh, you meant "cipher-suite-base”

This was Gary’s contribution, so I’m not too familiar with it, but I went ahead and added 5 new derived identities (for the 5 cipher suites listed in B.4), marking each with an “if-feature tls-1_3” statement, while also marking all the other derived identities with an "if-feature tls-1_2” statement.



> case psk
> needs Normative References to the two
> draft-ietf-tls-external-psk-*
> 
> "external-psk-guidance” is Informational and "external-psk-importer” while Standards Track, only regards an interface for importing the PSKs into TLS.  It seems that the existing ref to RFC 4279 (which is NOT obsolete) is pretty good, right?
> 
> <tp>
> Disagree.  The cipher suites of 4279 are invalid with 1.3  1.3 sort of does away with PSK except where there has been a full handshake from which a PSK can be derived for resumption.  1.3 imposes limits on the use of a PSK across versions and with different algorithms which is what  I see the two I-D as addressing.

Okay, added.



> Tom Petch


Updates can be found here: https://github.com/netconf-wg/tls-client-server/commit/d2af1d7707095f2ad977b804d0f9e13024489ab4 <https://github.com/netconf-wg/tls-client-server/commit/d2af1d7707095f2ad977b804d0f9e13024489ab4>

K.

v2.23.0 | Report a Bug | By Email