Re: [netconf] netconf-tls wasRe: Summary of updates

Juergen Schoenwaelder <j.schoenwaelder@jacobs-university.de> Tue, 25 May 2021 16:29 UTC

Date: Tue, 25 May 2021 18:29:21 +0200
From: Juergen Schoenwaelder <j.schoenwaelder@jacobs-university.de>
To: tom petch <ietfc@btconnect.com>
Cc: Kent Watsen <kent+ietf@watsen.net>, "netconf@ietf.org" <netconf@ietf.org>
Message-ID: <20210525162921.ec2l7yc276yonzfb@anna.jacobs.jacobs-university.de>
In-Reply-To: <AM7PR07MB62482BE9BA64376D6EC88F14A0259@AM7PR07MB6248.eurprd07.prod.outlook.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/netconf/i9awJXSFojkb6d1ZicAiPGmJG7g>
List-Id: NETCONF WG list <netconf.ietf.org>

On Tue, May 25, 2021 at 03:58:10PM +0000, tom petch wrote:
> 
> I guess someone (Tom?) should review RFC 5539 from the TLS 1.3
> perspective to tell the WG if any changes are needed so that the WG
> can take an informed decision whether an update of RFC 5539 is
> necessary or whether what we have is good enough.
> 
> <tp>
> Well, I tend to forget that RFC 5539 is obsolete, obsoleted by RFC 7589 which is X.509 certificate only; no PSK, no naked public keys.  My concerns with TLS 1.3 mostly relate to PSK which allows data to flow before the handshake is complete, before authentication is complete, which is a problem for some applications as I mentioned before; but staying with X.509 authentication only for Netconf makes life simpler for a 7589bis, replace 1.2 by 1.3 and think about the extensions to see what may be needed.
>

So regarding a possible update of RFC 7589, what is needed?

+ Require TLS 1.3 (update section 8)

Which extensions should one think about? Do you mean RFC 8773 or
something else?

/js

-- 
Juergen Schoenwaelder           Jacobs University Bremen gGmbH
Phone: +49 421 200 3587         Campus Ring 1 | 28759 Bremen | Germany
Fax:   +49 421 200 3103         <https://www.jacobs-university.de/>
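As an added illustration, not part of this thread or of any RFC text, here is what the 7589bis-style server policy discussed above (TLS 1.3 only, mutual X.509 authentication, no PSK or early data so that no NETCONF message is handled before the client is authenticated) looks like with Python's ssl module; the helper names and the SessionInfo record are assumptions for this example.

```python
import ssl
from dataclasses import dataclass

# Assumed policy for a 7589bis-style NETCONF-over-TLS server: TLS 1.3 only,
# client X.509 certificate required, and no resumption PSKs so that every
# session goes through a full, certificate-authenticated handshake.


def build_netconf_server_context() -> ssl.SSLContext:
    """Server-side SSLContext enforcing the policy. Certificate material is
    not loaded here; a real server adds load_cert_chain/load_verify_locations."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_3  # drop TLS 1.2 (RFC 7589 section 8 update)
    ctx.verify_mode = ssl.CERT_REQUIRED           # client must present a verifiable X.509 cert
    ctx.options |= ssl.OP_NO_TICKET               # no session tickets, hence no resumption PSK
    return ctx


def context_meets_policy(ctx: ssl.SSLContext) -> bool:
    """Audit helper: True only if all three settings above are in force."""
    return (ctx.minimum_version == ssl.TLSVersion.TLSv1_3
            and ctx.verify_mode == ssl.CERT_REQUIRED
            and bool(ctx.options & ssl.OP_NO_TICKET))


@dataclass
class SessionInfo:
    """Constructed summary of a negotiated session, as a server would read it
    back from its TLS library once the handshake has finished."""
    version: str       # e.g. "TLSv1.3"
    peer_cert: bool    # client presented a certificate that passed verification
    psk_only: bool     # peer was authenticated by a PSK rather than a certificate
    early_data: bool   # application data was accepted before the handshake completed


def admit_netconf_session(info: SessionInfo) -> tuple[bool, str]:
    """Decide whether the NETCONF <hello> exchange may proceed on this session."""
    if info.version != "TLSv1.3":
        return False, "TLS 1.3 required"
    if info.early_data:
        return False, "early data arrived before authentication completed"
    if info.psk_only or not info.peer_cert:
        return False, "client X.509 certificate authentication required (RFC 7589)"
    return True, "ok"
```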