IETF Logo Mail Archive

Re: [netconf] Paul Wouters' Discuss on draft-ietf-netconf-over-tls13-03: (with DISCUSS and COMMENT)

Sean Turner <sean@sn3rd.com> Thu, 04 January 2024 01:55 UTC

Return-Path: <sean@sn3rd.com>
X-Original-To: netconf@ietfa.amsl.com
Delivered-To: netconf@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 1BC30C2FEE19 for <netconf@ietfa.amsl.com>; Wed, 3 Jan 2024 17:55:35 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -7.107
X-Spam-Level:
X-Spam-Status: No, score=-7.107 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_DNSWL_HI=-5, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=sn3rd.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id sROxkO9sWRXq for <netconf@ietfa.amsl.com>; Wed, 3 Jan 2024 17:55:31 -0800 (PST)
Received: from mail-qk1-x735.google.com (mail-qk1-x735.google.com [IPv6:2607:f8b0:4864:20::735]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 68900C2FEE0A for <netconf@ietf.org>; Wed, 3 Jan 2024 17:55:31 -0800 (PST)
Received: by mail-qk1-x735.google.com with SMTP id af79cd13be357-7812275feccso5411985a.3 for <netconf@ietf.org>; Wed, 03 Jan 2024 17:55:31 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=sn3rd.com; s=google; t=1704333330; x=1704938130; darn=ietf.org; h=to:references:message-id:content-transfer-encoding:cc:date :in-reply-to:from:subject:mime-version:from:to:cc:subject:date :message-id:reply-to; bh=64LGXBheIdqe/MG5fsdhkHqrMc+FDHzlDETYo0k/vzo=; b=JTo/frRqf+5Q4QyHaAaVRs2/KbgQ8Jb+djRf7/CNfDuRSMCELJg2Ga8gGrls/HeLEr xDGBSUePMA8kTCdAyiHp1W33N0kUp6YWygO57YxzGydC0mcVeih+6LN7XlD7ltFJGArQ amPWMHy49pgIcQEoAA0car73NidWHTNsDQbC0=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1704333330; x=1704938130; h=to:references:message-id:content-transfer-encoding:cc:date :in-reply-to:from:subject:mime-version:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=64LGXBheIdqe/MG5fsdhkHqrMc+FDHzlDETYo0k/vzo=; b=JFeQlxRGNKfoF4QfUkwgGLyE51Ntei6LOK9YY09wRbTf6fCCeqBxZ0Y0I3BzR3lgzA +gmpFfbV0nSGu3fpo7tXRSu9CJedCy52geTkGYW5c4+bzAC5Pk7uGVf5DQ9C4GnAr89S j0TEj1Qt8XJxDZRWNEB2MC9V3hDICrIh3PIpZ5OyR73gei8qWlpA6GLxZEZD+HprO7Pb p0YZnZIfXhKbzkhdziEiYmTXEfP98tmpv+D89HdVy54qltSMMgk7Rdh8p44mO78tYXId 15xyInr/g2MWQGy7VlC2sy81ExGrcsK6d+LCvVpZ/z6TlG20bA/C4S+M3SBq5zDS07pR NOQA==
X-Gm-Message-State: AOJu0Yyj2dXISkl1CoEuLLATNmHKTALyGHvkMstd0hLIDuCMYCONhOKn tQ+7rav+MSioC287FNB96FnH76ga3cGw4A==
X-Google-Smtp-Source: AGHT+IGRR2RkTCRk6z5KDk+AW5OTZ9KFKttMLoK+e+5J8KKpcIQmoS0VYjFPpR37LbuMqOVZiMl5Mg==
X-Received: by 2002:a0c:fd2c:0:b0:67f:ecb3:d9f2 with SMTP id i12-20020a0cfd2c000000b0067fecb3d9f2mr16641854qvs.118.1704333330146; Wed, 03 Jan 2024 17:55:30 -0800 (PST)
Received: from smtpclient.apple (pool-68-238-162-47.washdc.fios.verizon.net. [68.238.162.47]) by smtp.gmail.com with ESMTPSA id z16-20020a0ce610000000b0067f0d8cf418sm11322461qvm.70.2024.01.03.17.55.28 (version=TLS1_2 cipher=ECDHE-ECDSA-AES128-GCM-SHA256 bits=128/128); Wed, 03 Jan 2024 17:55:29 -0800 (PST)
Content-Type: text/plain; charset="utf-8"
Mime-Version: 1.0 (Mac OS X Mail 14.0 \(3654.120.0.1.15\))
From: Sean Turner <sean@sn3rd.com>
In-Reply-To: <0100018c8d1a6397-8ee3b5be-9cd6-4cb6-89f5-e4bb64c3a18b-000000@email.amazonses.com>
Date: Wed, 03 Jan 2024 20:55:28 -0500
Cc: The IESG <iesg@ietf.org>, draft-ietf-netconf-over-tls13@ietf.org, "netconf-chairs@ietf.org" <netconf-chairs@ietf.org>, "netconf@ietf.org" <netconf@ietf.org>
Content-Transfer-Encoding: quoted-printable
Message-Id: <103374AE-90A5-4C68-BB97-6A8A2ABD5FC8@sn3rd.com>
References: <7833B258-8E79-4536-941E-ABE2D4B2D2A5@sn3rd.com> <D4EB97E1-922E-4365-B269-403E1A5CE97B@aiven.io> <DAE255BF-8E8C-46B1-A351-BA0DC9280985@sn3rd.com> <0100018c8d1a6397-8ee3b5be-9cd6-4cb6-89f5-e4bb64c3a18b-000000@email.amazonses.com>
To: Kent Watsen <kent+ietf@watsen.net>, Paul Wouters <paul.wouters@aiven.io>
X-Mailer: Apple Mail (2.3654.120.0.1.15)
Archived-At: <https://mailarchive.ietf.org/arch/msg/netconf/ki3xoZUry1GkIoBDWo-ApQY_0Ac>
Subject: Re: [netconf] Paul Wouters' Discuss on draft-ietf-netconf-over-tls13-03: (with DISCUSS and COMMENT)
X-BeenThere: netconf@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: NETCONF WG list <netconf.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/netconf>, <mailto:netconf-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/netconf/>
List-Post: <mailto:netconf@ietf.org>
List-Help: <mailto:netconf-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/netconf>, <mailto:netconf-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 04 Jan 2024 01:55:35 -0000


> On Dec 21, 2023, at 10:59, Kent Watsen <kent+ietf@watsen.net> wrote:
> 
> As a contributor:
> 
> 
>> On Dec 19, 2023, at 10:12 PM, Sean Turner <sean@sn3rd.com> wrote:
>> 
>> 
>>> On Dec 13, 2023, at 09:03, Paul Wouters <paul.wouters@aiven.io> wrote:
>>> 
>>> On Dec 12, 2023, at 11:35, Sean Turner <sean@sn3rd.com> wrote:
>>>> 
>>>> ----------------------------------------------------------------------
>>>>> 
>>>>> DISCUSS:
>>>>> ----------------------------------------------------------------------
>>>>> 
>>>>> Why does Section 4 not simply point to the ciphersuites MTI of the respective TLS versions?
> 
> This is my question as well.  This draft pinning any cipher suite (i.e., TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256) will likely not age well...
> 
> 
>>>>> TLS 1.3 as per RFC8446bis Section 9.1:
>>>>> https://datatracker.ietf.org/doc/html/draft-ietf-tls-rfc8446bis-09#name-mandatory-to-implement-ciph
>>>>> 
>>>>> TLS 1.2 to RFC9325 Section 4.2:
>>>>> https://datatracker.ietf.org/doc/html/rfc9325#name-cipher-suites-for-tls-12
>>>>> 
>>>>> It almost does this but then decides on its own more limited set of
>>>>> ciphersuites. Is there a good reason for this why to deviate from the
>>>>> TLS 1.2 and 1.3 standards? Or why not to stick to the RECOMMENDED Y
>>>>> column in the IANA registry for TLS Ciphersuites ?
>>>> 
>>>> For TLS 1.2:
>>>> 
>>>> RFC 7589 includes the following text:
>>>> 
>>>> Implementations MUST support TLS 1.2 and are REQUIRED to
>>>> support the mandatory-to-implement cipher suite.
>>>> 
>>>> That cipher suite is TLS_RSA_WITH_AES_128_CBC_SHA. RFC 7589
> 
> RFC 5246 is obsoleted by RFC 8446.  https://datatracker.ietf.org/doc/html/rfc8446#section-9.1 says:
> 
>    A TLS-compliant application MUST implement the TLS_AES_128_GCM_SHA256
>    [GCM] cipher suite and SHOULD implement the TLS_AES_256_GCM_SHA384
>    [GCM] and TLS_CHACHA20_POLY1305_SHA256 [RFC8439] cipher suites (see
>    Appendix B.4).
> 
> So TLS_RSA_WITH_AES_128_CBC_SHA is no longer required.
> 
> 
>>>> also includes:
>>>> 
>>>> Implementations SHOULD follow the recommendations given in [RFC7525].
>>>> 
>>>> So what I did was go look at the four algorithms in RFC 9325:
>>> 
>>> Now I am a bit worried about the use of “I” here. If you picked the TLS 1.2 parameters based on existing netconf implementations, I would feel better. But now it seems based on your assumptions on netconf? Are there any netconf people who can weigh in ?
>> 
>> “I" was just providing background as to how the I-D ended up the way it did, so don’t read too much into the “I”. But, I get your point. Let me see if I can get some more input.
>> 
>>>> * TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
>>>> * TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
>>>> * TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
>>>> * TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
>>>> 
>>>> and I (potentially naively) thought RSA AES_128 CDC to RSA AES_128 GCM seemed like an easy enough swap so let’s specify TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256. So, I picked one from the list as opposed to pointing at the entire list. The difference is that implementations are required to support only one and not 4 algorithms.
> 
> This doesn’t make sense to me.  How does RFC 7589’s "Implementations SHOULD follow the recommendations given in [RFC7525]” get promoted to requiring a specific algorithm?  [Note: 7525 obsoleted by 9325]
> 
> 
>>> That might of course be a valid enough reason. Do we have any implementers or operators in the room to guide us ?
>>> 
>>>> But, what I think you are suggesting (and I can live with) is the following ? :
>>>> 
>>>> Implementations MUST support TLS 1.2 [RFC5246] and are REQUIRED to
>>>> support the cipher suites from Section 4.2. [RFC9325
>>> 
>>> I am saying we should do this, but I did want to hear some justification if we are not doing this. But I don’t know if AES-GCM is as available as AES-CBC on netconf devices for example. I was hoping the WG would have guidance here that would explain the choices made. (Generally, “Sean thought this was wise” is a good choice, but it would be better if we could make a more informed discussion)
> 
> Is this not the expected collateral damage that the IETF creates when, e.g., RFC 8446 obsoletes RFC 5246 with different MTIs.  This affects all apps, it isn't a NETCONF-specific problem, right?
> 
> Being very practical, NETCONF servers implemented prior to RFC 8446 MUST support TLS_RSA_WITH_AES_128_CBC_SHA.  NETCONF servers implemented after to RFC 8446 don’t have to but, in order to maintain interoperability with existing clients, likely will.
> 
> Kent  // contributor

Agreed that picking one is not a good idea and you’re probably right that to maintain interop with existing implementations TLS_RSA_WITH_AES_128_CBC_SHA is going to keep right on getting used. But, I can’t really in good conscious include it in an I-D anymore (except to deprecate it).  So, here’s my proposal:

OLD:
   Implementations MUST support TLS 1.2 [RFC5246] and are REQUIRED to
   support the TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 cipher suite
   [RFC9325].

NEW:
   Implementations MUST support TLS 1.2 [RFC5246] and they are, as specified
   in [RFC9325], recommended to support the cipher suites found in Section 4.2 of
   [RFC9325].

I purposely used “recommended” and not “RECOMMENDED" because the recommendation is already in RFC 9525; I have been told repeating requirements is bad.

Cheers,
spt

v2.23.0 | Report a Bug | By Email