Re: [netconf] netconf-tls wasRe: Summary of updates

tom petch <ietfc@btconnect.com> Tue, 25 May 2021 15:58 UTC

From: tom petch <ietfc@btconnect.com>
To: Kent Watsen <kent+ietf@watsen.net>, Juergen Schoenwaelder <j.schoenwaelder@jacobs-university.de>
CC: "netconf@ietf.org" <netconf@ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/netconf/iFsEN7_G4Bgg7pda-CN465VezwA>

From: Juergen Schoenwaelder <j.schoenwaelder@jacobs-university.de>
Sent: 25 May 2021 15:40

On Tue, May 25, 2021 at 02:04:02PM +0000, Kent Watsen wrote:
>
> Hi Juergen,
>
> > RFC 5539 (published in May 2009) defines NETCONF over TLS and it is
> > very specific that it requires TLS 1.2 or future versions of TLS:
> >
> >   Implementations MUST support TLS 1.2 [RFC5246] and are REQUIRED to
> >   support the mandatory-to-implement cipher suite, which is
> >   TLS_RSA_WITH_AES_128_CBC_SHA.  This document is assumed to apply to
> >   future versions of TLS; in which case, the mandatory-to-implement
> >   cipher suite for the implemented version MUST be supported.
> >
> > Given this, I do not think we need to consider TLS versions < 1.2
> > since there was never a specification for NETCONF over TLS versions <
> > 1.2 - a NETCONF over TLS 1.1 implementation is using a non-standard
> > transport.

> The tls-client-server draft is not exclusive to NETCONF.  For example, RESTCONF and PCE WG has a “pcep-yang” draft...

Yep, I tend to forget this...

> That said, it seems Tom is saying that TLS 1.0 and 1.1 are effectively historic at this point (no longer used) and so support for those versions should be dropped for that reason?

If there are any features provided to configure historic versions of
TLS, then the features and identities for TLS 1.0 and 1.1 should
likely have a status obsolete and the feature and identities for TLS
1.2 may have status deprecated.

> The netconf-client-server doesn’t yet, but perhaps should, state
> that the tls-client-server’s draft support for 1.3 should be ignored
> until RFC 5539 is updated?

I guess someone (Tom?) should review RFC 5539 from the TLS 1.3
perspective to tell the WG if any changes are needed so that the WG
can take an informed decision whether an update of RFC 5539 is
necessary or whether what we have is good enough.

<tp>
Well, I tend to forget that RFC5539 is obsolete, obsoleted by RFC7589 which is X.509 certificate only; no PSK, no naked public keys.  My concerns with TLS1.3 mostly relate to PSK which allows data to flow before the handshake is complete, before authentication is complete, which is a problem for some applications as I mentioned before; but staying with X.509 authentication only for Netconf makes life simpler for a 7589bis, replace 1.2 by 1.3 and think about the extensions to see what may be needed.

Here however, with netconf-tls, the question is what the scope should be, to include or exclude TLS1.0/1.1 and how far to delve into PSK and early data; I assume that TLS1.3 must be covered in at least as much detail as TLS1.2, which was the starting point for my comments, where I saw lots of references for 1.2, very few for 1.3.

Tom Petch

/js

--
Juergen Schoenwaelder           Jacobs University Bremen gGmbH
Phone: +49 421 200 3587         Campus Ring 1 | 28759 Bremen | Germany
Fax:   +49 421 200 3103         <https://www.jacobs-university.de/>