IETF Logo Mail Archive

Re: [netconf] IANA templates for algorithms

Kent Watsen <kent+ietf@watsen.net> Wed, 19 February 2020 03:37 UTC

Return-Path: <010001705b85d22d-4cb8597c-6703-4d13-98aa-284cd569c163-000000@amazonses.watsen.net>
X-Original-To: netconf@ietfa.amsl.com
Delivered-To: netconf@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id CD05C120033 for <netconf@ietfa.amsl.com>; Tue, 18 Feb 2020 19:37:46 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.898
X-Spam-Level:
X-Spam-Status: No, score=-1.898 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_NONE=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=amazonses.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id cw14jPy6uIl9 for <netconf@ietfa.amsl.com>; Tue, 18 Feb 2020 19:37:45 -0800 (PST)
Received: from a48-92.smtp-out.amazonses.com (a48-92.smtp-out.amazonses.com [54.240.48.92]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 22253120836 for <netconf@ietf.org>; Tue, 18 Feb 2020 19:37:42 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/simple; s=6gbrjpgwjskckoa6a5zn6fwqkn67xbtw; d=amazonses.com; t=1582083461; h=Content-Type:Mime-Version:Subject:From:In-Reply-To:Date:Cc:Content-Transfer-Encoding:Message-Id:References:To:Feedback-ID; bh=M1FDvk8QieqFcvxwXZtZIUpF1sruCiqbd4WLUl8QicQ=; b=mrqXAyt/1U8N/6H35TAkcqx59IlVuB1k5WuLupmAPXrNnBdBcpxOkOYPY00BKhxR PpLshuzrI1Zwk6HQPN1s0EKMs5gCppYNS2UYS9KRaoRay/fpvh8tGvEcB65bOrVkpTy rK3m8PJVJvS7GbbLmGF0D7AUSoQXYXagR7i9Qgi4=
Content-Type: text/plain; charset="utf-8"
Mime-Version: 1.0 (Mac OS X Mail 12.4 \(3445.104.11\))
From: Kent Watsen <kent+ietf@watsen.net>
In-Reply-To: <8713517D-96E9-45CF-8ABF-8691581A8F89@akamai.com>
Date: Wed, 19 Feb 2020 03:37:41 +0000
Cc: "netconf@ietf.org" <netconf@ietf.org>
Content-Transfer-Encoding: quoted-printable
Message-ID: <010001705b85d22d-4cb8597c-6703-4d13-98aa-284cd569c163-000000@email.amazonses.com>
References: <010001705ad1e8a3-891d7081-80c2-4a0d-857e-f6242b1a8793-000000@email.amazonses.com> <8713517D-96E9-45CF-8ABF-8691581A8F89@akamai.com>
To: "Salz, Rich" <rsalz@akamai.com>
X-Mailer: Apple Mail (2.3445.104.11)
X-SES-Outgoing: 2020.02.19-54.240.48.92
Feedback-ID: 1.us-east-1.DKmIRZFhhsBhtmFMNikgwZUWVrODEw9qVcPhqJEI2DA=:AmazonSES
Archived-At: <https://mailarchive.ietf.org/arch/msg/netconf/lnvQ5XtOkUM0G3IkbBh6QcSSnjM>
Subject: Re: [netconf] IANA templates for algorithms
X-BeenThere: netconf@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: NETCONF WG list <netconf.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/netconf>, <mailto:netconf-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/netconf/>
List-Post: <mailto:netconf@ietf.org>
List-Help: <mailto:netconf-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/netconf>, <mailto:netconf-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 19 Feb 2020 03:37:47 -0000

Hi Rich,


>>   Neither of these registries help us, at least not directly.  Yes, they provide enumerations for on-the-wire protocol values, but they fail to provide an enumeration for, e.g., a 2048-bit RSA key.
> 
> Yes, RSA size is not relevant to the protocols.

Not to TLS, but I think that size may be relevant to SSH.  For instance, RFC 4432 defines both "rsa1024-sha” and "rsa2048-sha256”.   But these enumerations are for ciphers (i.e., more than we need/want to generate a key).

FWIW, `ssh-keygen` has the “-b bits” parameter and `openssl genrsa` has the “[numbits]” parameter.   The SSH/TLS protocols don’t define how the keys are created (it's out-of-scope to those drafts), hence why their registries don’t need to define enumerations for the base algorithms.

Of course, it is our goal to enable the configuration/generation of the keys themselves; effectively mimicking the CLI commands


>>       2) engage an "expert reviewer" to see if any of the new entries
>            regard an undefined algorithm and, if so, a TBD process is
>            used to add the new algorithms to the appropriate YANG
>            module (e.g., iana-symmetric-algorithms), which would be
>            automatically published by IANA.
> 
> By undefined, you mean "unknown to YANG" I assume, and not "a new crypto alg not previously used in TLS (for example).”

Yes, unknown to the YANG modules that we’re trying to define, but also unknown to the TBD “base algorithms” registry mentioned in (2a) below.


>>     2a) update some new TBD registry (e.g., “base algorithms”).
>            This would need to be done by a crypto expert (not the
>            NETCONF WG or YANG Doctors).  Good candidates might
>            be the Security ADs or, perhaps better, the WG that published
>            the source RFC.
> 
> I don't know if the sec folks would be interested in this but I could be wrong.  It might be good to have a brief chat F2F in Vancouver, which I can help set up.

That would be great!  FWIW, I’m on good terms with Ben Kaduk, Sean Turner, and Russ Housley, but maybe you were thinking SecDir?  Would it be good prepare something (e.g., slides) to help explain it?  IDK, it seems easy enough to just talk to, but that’s just my POV.

Regading “interest", do you mean in terms of a) acknowledging it’s a problem, b) supporting the creation of a registry, c) participating in the creation of the registry, or d) maintaining the registry (the expert reviews)?   The minimal would be (a+b), so our attempt to do (c) isn’t torpedoed by SecDir/IESG.  For (d), it would be best if they could assign an expert reviewer (perhaps SecDir), as the prospect of (presumably) just me doing it doesn’t seem right...

Kent // contributor

v2.23.0 | Report a Bug | By Email