Re: [netconf] I-D Action: draft-ietf-netconf-tls-client-server-32.txt

tom petch <ietfc@btconnect.com> Thu, 23 February 2023 12:04 UTC

From: tom petch <ietfc@btconnect.com>
To: Kent Watsen <kent@watsen.net>
CC: "netconf@ietf.org" <netconf@ietf.org>
Thread-Topic: [netconf] I-D Action: draft-ietf-netconf-tls-client-server-32.txt
Date: Thu, 23 Feb 2023 12:04:09 +0000
Message-ID: <AM7PR07MB6248EA4BD3DFAB22C9D76762A0AB9@AM7PR07MB6248.eurprd07.prod.outlook.com>
References: <167087108090.45637.8328251973516760378@ietfa.amsl.com> <AM7PR07MB6248B850A61E3BD87A7487BEA0FA9@AM7PR07MB6248.eurprd07.prod.outlook.com> <01000185fb584e98-8d9313c8-eae5-4ec9-bbdd-50f762461d99-000000@email.amazonses.com>
In-Reply-To: <01000185fb584e98-8d9313c8-eae5-4ec9-bbdd-50f762461d99-000000@email.amazonses.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/netconf/iXXgZqmmA-8cs36T1MDUqCUt9RQ>

From: Kent Watsen <kent@watsen.net>
Sent: 29 January 2023 02:25

<tp>

I mixed up my TCP and TLS reviews and so sent the TCP review again later.  I also managed to lose my marked up copy of tls -32 so I have no record of what I meant to say about tls.  Oh dear.  A few comments in line under <tp>.

Hi Tom,

Thank you for your review of the tls-client-server draft.
Please see below for my responses to your comments.

Kent

On Jan 5, 2023, at 11:41 AM, tom petch <ietfc@btconnect.com> wrote:

Some thoughts on -25

tcp-client tcp-server local address includes the zone as does implicitly the remote address

[this comment should be in a separate email on the tcp-client-server draft]

Nonetheless, I converted the two "inet:ip-address" to "inet:ip-address-no-zone".  There's nothing I can do about the "inet:host" type referring to "inet:ip-address" (there is no "inet:host-no-zone" type, nor in the WGLC 6991-bis doc).

The YANG modules contain two references to SOCKS documents - these need adding to the I-D References

[this comment should be in a separate email on the tcp-client-server draft]

Nonetheless, Fixed.

    <local-address>10.20.30.40</local-address>
this is an allocated address - should be a documentation one

[this comment should be in a separate email on the tcp-client-server draft]

Now 192.0.2.2.


    <local-port>7777</local-port>
this port is allocated to cbt; not sure what the connection is with NETCONF

[this comment should be in a separate email on the tcp-client-server draft]

IDK, is there a special TCP-port set aside for RFCs?

<tp>

No, use one of the dynamic range 49152 upwards

</tp>

FWIW, connection to NETCONF protocol is irrelevant.

Security Consideration should include RFC references for TLS, SSH, as per YANG Guidelines (which opens up a can of worms)

Does the can of worms entail the fact that this is how the IESG template is written and now there are dozens of RFCs published w/o these two refs in the Security Considerations section?

<tp>
Can of worms is one of my politer references to TLS1.3 and the work it has created for all the other IETF WGs.

</tp>


Security Considerations talks of mutual authentication which is almost always not the case for TLS.

That section (in the template) specifically regards NETCONF/TLS and RESTCONF/HTTPS and, in both cases, the protocol requires mutual auth.


Security Considerations says that NACM default deny all has been applied to the cleartext password.  Not really.  The NACM is applied in another module which hopefully it will continue to do but I think that the dependency needs stating explicitly to save people a wild goose chase.

It is explicit, no?  Current text reads:

            Please be aware that this module uses the "key" and "private-key"
            nodes from the "ietf-crypto-types" module [I-D.ietf-netconf-crypto-types],
            where said nodes have the NACM extension "default-deny-all" set, thus
            preventing unrestricted read-access to the cleartext key values.

<tp>
ok

Tom Petch
</tp>
</tp>
Kent



Tom Petch
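The three points in the exchange above (documentation addresses rather than allocated ones, ports from the dynamic range rather than registered ones, and no zone index on leaves typed "inet:ip-address-no-zone") are exactly the things a draft author can lint mechanically before posting examples. The following is an added example written for this archive page, not code from the draft or from its author; the element names "local-address", "local-port" and "remote-address" are taken from the snippets quoted in the review, while the XML namespace, the sample instance data and the assumption that only "local-address" is typed no-zone are constructed for this illustration. The ranges it checks are the IPv4 documentation prefixes of RFC 5737, the IPv6 documentation prefix of RFC 3849 and the IANA port ranges of RFC 6335.

```python
"""Lint a YANG example instance (XML) for review issues:
   - IP literals must come from documentation ranges
   - example ports should come from the IANA dynamic range
   - leaves typed inet:ip-address-no-zone must not carry a zone index
"""
import ipaddress
import xml.etree.ElementTree as ET

# Documentation prefixes: RFC 5737 (IPv4) and RFC 3849 (IPv6).
DOC_NETS = [ipaddress.ip_network(n) for n in (
    "192.0.2.0/24", "198.51.100.0/24", "203.0.113.0/24", "2001:db8::/32")]

# IANA port ranges per RFC 6335.
SYSTEM_PORTS = range(0, 1024)
DYNAMIC_PORTS = range(49152, 65536)

# Leaf names taken from the review; the no-zone mapping is an assumption
# (the draft moved the local addresses to inet:ip-address-no-zone, while
# remote addresses stay inet:host, which also admits domain names).
ADDRESS_TAGS = {"local-address", "remote-address"}
PORT_TAGS = {"local-port", "remote-port"}
NO_ZONE_TAGS = {"local-address"}


def localname(tag):
    """Strip an ElementTree '{namespace}' prefix from an element name."""
    return tag.rsplit("}", 1)[-1]


def check_address(text, tag):
    """Return a list of findings for one address leaf."""
    findings = []
    addr, _, zone = text.partition("%")
    if zone and tag in NO_ZONE_TAGS:
        findings.append(
            f"{tag}: zone index '%{zone}' not allowed in ip-address-no-zone")
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        if tag in NO_ZONE_TAGS:
            findings.append(f"{tag}: '{text}' is not an IP address literal")
        return findings  # inet:host admits domain names; nothing more to check
    if not any(ip in net for net in DOC_NETS):
        findings.append(
            f"{tag}: {ip} is not a documentation address (RFC 5737/RFC 3849)")
    return findings


def check_port(text, tag):
    """Return a list of findings for one port leaf."""
    try:
        port = int(text)
    except ValueError:
        return [f"{tag}: '{text}' is not a port number"]
    if port not in DYNAMIC_PORTS:
        which = "system" if port in SYSTEM_PORTS else "user/registered"
        return [f"{tag}: port {port} is in the IANA {which} range; "
                f"use 49152-65535 for examples"]
    return []


def lint_example(xml_text):
    """Walk an XML instance and collect findings for every address/port leaf."""
    root = ET.fromstring(xml_text)
    findings = []
    for el in root.iter():
        tag = localname(el.tag)
        value = (el.text or "").strip()
        if tag in ADDRESS_TAGS:
            findings.extend(check_address(value, tag))
        elif tag in PORT_TAGS:
            findings.extend(check_port(value, tag))
    return findings


# Constructed sample instances (namespace is hypothetical). BEFORE carries the
# values the review objected to; AFTER uses documentation/dynamic values.
BEFORE = """<tcp-client xmlns="urn:example:tcp-client">
  <local-address>10.20.30.40</local-address>
  <local-port>7777</local-port>
  <remote-address>fe80::1%eth0</remote-address>
</tcp-client>"""

AFTER = """<tcp-client xmlns="urn:example:tcp-client">
  <local-address>192.0.2.2</local-address>
  <local-port>49152</local-port>
  <remote-address>netconf.example.com</remote-address>
</tcp-client>"""

if __name__ == "__main__":
    for finding in lint_example(BEFORE):
        print("BEFORE:", finding)
    print("AFTER findings:", lint_example(BEFORE) and lint_example(AFTER))
```

Run against BEFORE it reports the allocated 10.20.30.40 address, the registered port 7777 and the non-documentation link-local remote address; AFTER passes clean. A domain name in "remote-address" is deliberately not a finding, since "inet:host" admits it, which is also why the zone check is only applied to the leaves the draft retyped.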
________________________________________
From: netconf <netconf-bounces@ietf.org> on behalf of internet-drafts@ietf.org <internet-drafts@ietf.org>
Sent: 12 December 2022 18:51
To: i-d-announce@ietf.org
Cc: netconf@ietf.org
Subject: [netconf] I-D Action: draft-ietf-netconf-tls-client-server-32.txt

A New Internet-Draft is available from the on-line Internet-Drafts directories.
This draft is a work item of the Network Configuration WG of the IETF.

        Title           : YANG Groupings for TLS Clients and TLS Servers
        Author          : Kent Watsen
        Filename        : draft-ietf-netconf-tls-client-server-32.txt
        Pages           : 155
        Date            : 2022-12-12

Abstract:
  This document defines three YANG 1.1 modules: the first defines
  features and groupings common to both TLS clients and TLS servers,
  the second defines a grouping for a generic TLS client, and the third
  defines a grouping for a generic TLS server.

Editorial Note (To be removed by RFC Editor)

  This draft contains placeholder values that need to be replaced with
  finalized values at the time of publication.  This note summarizes
  all of the substitutions that are needed.  No other RFC Editor
  instructions are specified elsewhere in this document.

  Artwork in this document contains shorthand references to drafts in
  progress.  Please apply the following replacements:

  *  AAAA --> the assigned RFC value for draft-ietf-netconf-crypto-
     types

  *  BBBB --> the assigned RFC value for draft-ietf-netconf-trust-
     anchors

  *  CCCC --> the assigned RFC value for draft-ietf-netconf-keystore

  *  DDDD --> the assigned RFC value for draft-ietf-netconf-tcp-client-
     server

  *  FFFF --> the assigned RFC value for this draft

  Artwork in this document contains placeholder values for the date of
  publication of this draft.  Please apply the following replacement:

  *  2022-12-12 --> the publication date of this draft

  The "Relation to other RFCs" section Section 1.1 contains the text
  "one or more YANG modules" and, later, "modules".  This text is
  sourced from a file in a context where it is unknown how many modules
  a draft defines.  The text is not wrong as is, but it may be improved
  by stating more directly how many modules are defined.

  The "Relation to other RFCs" section Section 1.1 contains a self-
  reference to this draft, along with a corresponding Informative
  Reference in the Appendix.

  The following Appendix section is to be removed prior to publication:

  *  Appendix B.  Change Log


The IETF datatracker status page for this draft is:
https://datatracker.ietf.org/doc/draft-ietf-netconf-tls-client-server/

There is also an HTML version available at:
https://www.ietf.org/archive/id/draft-ietf-netconf-tls-client-server-32.html

A diff from the previous version is available at:
https://author-tools.ietf.org/iddiff?url2=draft-ietf-netconf-tls-client-server-32


Internet-Drafts are also available by rsync at rsync.ietf.org::internet-drafts


_______________________________________________
netconf mailing list
netconf@ietf.org
https://www.ietf.org/mailman/listinfo/netconf
