IETF Logo Mail Archive

Re: [netconf] crypto-types fallback strategy

Schönwälder, Jürgen <J.Schoenwaelder@jacobs-university.de> Tue, 08 October 2019 12:57 UTC

Return-Path: <J.Schoenwaelder@jacobs-university.de>
X-Original-To: netconf@ietfa.amsl.com
Delivered-To: netconf@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 5785E120033 for <netconf@ietfa.amsl.com>; Tue, 8 Oct 2019 05:57:31 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.898
X-Spam-Level:
X-Spam-Status: No, score=-1.898 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, RCVD_IN_DNSWL_NONE=-0.0001, SPF_NONE=0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=jacobsuniversity.onmicrosoft.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id NYl2j37T2ors for <netconf@ietfa.amsl.com>; Tue, 8 Oct 2019 05:57:28 -0700 (PDT)
Received: from EUR03-DB5-obe.outbound.protection.outlook.com (mail-eopbgr40042.outbound.protection.outlook.com [40.107.4.42]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 86EAC120807 for <netconf@ietf.org>; Tue, 8 Oct 2019 05:57:28 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=IfWbeGgtSeyHpWKLF5gh3GctnK92jA8OuZLUk1lDZQXlna7jNJ+p23rYskFVWY6bB32CvtazXyWs1diUQHh/h7nNBtp7DwH+GMkIJuYVoMpROD25/ElQkFnjzD0ZOwkuTUav6T+qoBN22uVq3hEFs0qdLH3r7Ump2/NVlib+lozi9v9mIWBJ63h1JzGkh5nWOBqlmTniN3l4jyiUOqLShwYD0uneqOICcuLxuz5VmsdoWbpeqDk9UQkdClLHh3/W2E3cOYtABylEZqmbIpQf2jNpX7f7uRun6UFT5ELqMVwZ4c+4P4gV7P8S0yqS+03MibzheYWSpp3r6R/aUqIXfQ==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=1qeY4WbImpPJeTXGSBReK/gbzXXq5yIO8fqofv1QKrs=; b=AH6Ejl5ryw4RWzmz/RC5gbsVfDdQppgv86zVrAwb0mbDHtnJNzW4x/929ACVVXgIzUk7ErsobCzU4RINnxpPYT80k0XVB+1BQr4Z4zJNx9lZaWVCWKTTHNXxLNoQV/mKdK7lMurzF5+4DUTPPG5rKKnpISqGQiO2/xj36Y8JH0BvL3KLEW38OjVMwsFgdfEzklI8nj5bJSJIqbrm/fJvgkNH7+L+Ow/7fL7O5s3ayj0GjD9qazknIR74q/sWz9+KME+9akUYvuQ9w54jlaGMal0T77lfbAZwlMdG5Cn9vsmX4uSwmnTObphCVI8xeaK3yNaDO+fN5udQXfZT2kmgfw==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=jacobs-university.de; dmarc=pass action=none header.from=jacobs-university.de; dkim=pass header.d=jacobs-university.de; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=jacobsuniversity.onmicrosoft.com; s=selector2-jacobsuniversity-onmicrosoft-com; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=1qeY4WbImpPJeTXGSBReK/gbzXXq5yIO8fqofv1QKrs=; b=gLlfVsidZQTgndQTNfGK9fgYKFg5w18itvTHXuaGTaENde60SXn5T1SQSbV6l5DzaeOR81TRMWj/zGhR8hZPdLIUtsaSxf+zcxlmwNLFc8rQdABvbQSlMs+TOB1sbu8Yi5gyF5Op/jcaDcLXfoYFZKeAVTbeoMVtCAq6CMOB3Qk=
Received: from DB6P190MB0181.EURP190.PROD.OUTLOOK.COM (10.172.229.20) by DB6P190MB0085.EURP190.PROD.OUTLOOK.COM (10.172.229.19) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.2327.24; Tue, 8 Oct 2019 12:57:25 +0000
Received: from DB6P190MB0181.EURP190.PROD.OUTLOOK.COM ([fe80::3031:b318:b167:f8ee]) by DB6P190MB0181.EURP190.PROD.OUTLOOK.COM ([fe80::3031:b318:b167:f8ee%12]) with mapi id 15.20.2327.026; Tue, 8 Oct 2019 12:57:24 +0000
From: "Schönwälder, Jürgen" <J.Schoenwaelder@jacobs-university.de>
To: Kent Watsen <kent+ietf@watsen.net>
CC: tom petch <ietfc@btconnect.com>, "netconf@ietf.org" <netconf@ietf.org>
Thread-Topic: [netconf] crypto-types fallback strategy
Thread-Index: AQHVbjbxVhFlbERW30moo9Q8WhnpJg==
Date: Tue, 08 Oct 2019 12:57:24 +0000
Message-ID: <20191008125723.7zyaacswkpenlefl@anna.jacobs.jacobs-university.de>
References: <0100016d455c6145-844c669e-8f31-4203-a827-7368d33cdee4-000000@email.amazonses.com> <MN2PR11MB4366E914816F6C3D9515A31DB5890@MN2PR11MB4366.namprd11.prod.outlook.com> <0100016d7325f06e-00613ab7-413c-4d97-972c-858cf4886b65-000000@email.amazonses.com> <20190927.170902.142773301948727896.mbj@tail-f.com> <MN2PR11MB4366C30CE4650421CE915840B5810@MN2PR11MB4366.namprd11.prod.outlook.com> <20190927174623.jhvpudof6yfs2m4k@anna.jacobs.jacobs-university.de> <0100016d84c0c469-e57fd7aa-dcba-4079-9b37-22720f7a4500-000000@email.amazonses.com> <02f501d57846$e29a3b20$4001a8c0@gateway.2wire.net> <0100016d8834e6b1-d2301e8e-89e5-4fb1-ae58-057e82c4cf7f-000000@email.amazonses.com> <0100016da8b59883-9c9c21fa-5030-4dd5-867e-5e33bf7b379d-000000@email.amazonses.com>
In-Reply-To: <0100016da8b59883-9c9c21fa-5030-4dd5-867e-5e33bf7b379d-000000@email.amazonses.com>
Reply-To: "Schönwälder, Jürgen" <J.Schoenwaelder@jacobs-university.de>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-clientproxiedby: AM3PR05CA0121.eurprd05.prod.outlook.com (2603:10a6:207:2::23) To DB6P190MB0181.EURP190.PROD.OUTLOOK.COM (2603:10a6:4:88::20)
authentication-results: spf=none (sender IP is ) smtp.mailfrom=J.Schoenwaelder@jacobs-university.de;
x-ms-exchange-messagesentrepresentingtype: 1
x-originating-ip: [2001:638:709:5::7]
x-ms-publictraffictype: Email
x-ms-office365-filtering-correlation-id: 3e05be35-21d8-4318-60e5-08d74bef10a8
x-ms-traffictypediagnostic: DB6P190MB0085:
x-ms-exchange-purlcount: 1
x-ms-exchange-transport-forked: True
x-microsoft-antispam-prvs: <DB6P190MB00859C80277E8F7D09069ED4DE9A0@DB6P190MB0085.EURP190.PROD.OUTLOOK.COM>
x-ms-oob-tlc-oobclassifiers: OLM:8882;
x-forefront-prvs: 01842C458A
x-forefront-antispam-report: SFV:NSPM; SFS:(10009020)(366004)(39850400004)(346002)(396003)(376002)(136003)(189003)(199004)(6116002)(4326008)(316002)(71190400001)(43066004)(786003)(386003)(6506007)(186003)(52116002)(71200400001)(14454004)(46003)(229853002)(6246003)(2906002)(5660300002)(81166006)(81156014)(102836004)(8676002)(66946007)(66476007)(478600001)(486006)(99286004)(446003)(66446008)(86362001)(66556008)(25786009)(3450700001)(14444005)(305945005)(8936002)(64756008)(256004)(1076003)(45776006)(476003)(6486002)(76176011)(54906003)(561944003)(7736002)(6512007)(6436002)(11346002)(6306002); DIR:OUT; SFP:1101; SCL:1; SRVR:DB6P190MB0085; H:DB6P190MB0181.EURP190.PROD.OUTLOOK.COM; FPR:; SPF:None; LANG:en; PTR:InfoNoRecords; MX:1; A:1;
received-spf: None (protection.outlook.com: jacobs-university.de does not designate permitted sender hosts)
x-ms-exchange-senderadcheck: 1
x-microsoft-antispam: BCL:0;
x-microsoft-antispam-message-info: Y51y1lZxFGc7hlsQOPSo6WAdyg91jM7zVChUqi+OgvRVHj8H3HSWCmJEWDnRfD5bh2PEhBlpzqGu2NfrObf1t9ePpBi23UtnajX+yxr6PeQpoUdCbrSqfttam+Zc5oLD+0ZFk4wQhj8qJODrJNCvJ7dVAHKmzGVZ3DxseGw6jcypY7mY1ttG2LDNnwXEFWMpZtfnD7wHEt+6xfdrzJPYAD2c8BE5hd0gXlp47+xlugNSHRkXlZWbCtf6dqdeSOc/RdQNMwqdwouBQn6SkMb3XfwLXCjVgz1CHRksaUkSCrKiJbPIFnxnX9T9ik0xmD1xD7+l1rptIemCnwhpmImaYqcW+QgoMkmX4cckX+PrDK3jyWiez5nKQJMF/G5BGZ5CfEhrjqiCKNu0vHGoUVC9ErxAYgJbGy3N37bGHx2FpArxrXa/crpE55CSBdgzA30cy5PFEY/A6BSe4qwuiKS5Xw==
Content-Type: text/plain; charset="iso-8859-1"
Content-ID: <2E3F5B64DFD8A143BE5CCA0C9A64FB3D@EURP190.PROD.OUTLOOK.COM>
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
X-OriginatorOrg: jacobs-university.de
X-MS-Exchange-CrossTenant-Network-Message-Id: 3e05be35-21d8-4318-60e5-08d74bef10a8
X-MS-Exchange-CrossTenant-originalarrivaltime: 08 Oct 2019 12:57:24.8080 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: f78e973e-5c0b-4ab8-bbd7-9887c95a8ebd
X-MS-Exchange-CrossTenant-mailboxtype: HOSTED
X-MS-Exchange-CrossTenant-userprincipalname: V5BCpOvduwQUcWLbGrmP9TpWr1hIAoLxXSwKJuQ639udYsFCjK+G2zJLTZIw1C8dqP9B3B2/i8Vc7MMXmoTLwysY7qbpoQZN2ProdI9EgLI=
X-MS-Exchange-Transport-CrossTenantHeadersStamped: DB6P190MB0085
Archived-At: <https://mailarchive.ietf.org/arch/msg/netconf/mEpJuQ-WQROXy9MzhjPi8gOEMSI>
Subject: Re: [netconf] crypto-types fallback strategy
X-BeenThere: netconf@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: NETCONF WG list <netconf.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/netconf>, <mailto:netconf-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/netconf/>
List-Post: <mailto:netconf@ietf.org>
List-Help: <mailto:netconf-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/netconf>, <mailto:netconf-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 08 Oct 2019 12:57:31 -0000

On Tue, Oct 08, 2019 at 12:12:16AM +0000, Kent Watsen wrote:
> 
> Other than the "IANA registry" based proposal I gave Sep 27th (which I still think is pretty good), I don't see any other way to do this other than by going half-way back towards the old identity approach.  By "halfway", I mean to say that it doesn't define all the algorithm types, just the subset needed for our immediate needs.  So, either in addition or as a replacement to the identities for key formats, I think we should do the following:
> 
>    In ietf-crypto-types:
> 
> 	   // define base identities so they can be referenced by groupings
> 	   identity asymmetric-key-algorithm;
> 	   identity symmetric-key-algorithm;
> 	   identity hash-algorithm;
> 
>    In ietf-asymmetric-key-algs.yang:
> 
> 	    identity foo { base "asymmetric-key-algorithm" }
>             ...
>     
>    In ietf-symmetric-key-algs.yang
> 
> 	    identity bar { base "symmetric-key-algorithm" }
>             ...
> 
>    In ietf-hash-algs.yang
> 
> 	    identity baz { base "hash-algorithm" }
>             ...
> 

I think there are

a) cryptographic algorithms (the primitives)
b) operating modes for symmetric algorithms etc.
c) combinations of a) and b) used by certain security protocols or
   sub-protocols (keyex vs data transfer)
d) key formats that are used together to combinations from b)

and we seem to sometimes confuse these things. If this is a proposal
for a), then fine. But these registries do not help much with b)-d),

I believe b) and d) tend to be security protocol specific (and may
even be security protocol version specific).

Looking at things from a management perspective, I assume the
relevance for configuration is d) to a).

Hence, I believe it makes sense to create a module with definitions
specifically needed for SSH and a module with definitions specifically
needed for TLS. (The SNMP model in RFCC 7407 has a several choices to
deal with different security "algorithms". This does not really matter
except that we also back then went for a security protocol specific
solution.)

/js

-- 
Juergen Schoenwaelder           Jacobs University Bremen gGmbH
Phone: +49 421 200 3587         Campus Ring 1 | 28759 Bremen | Germany
Fax:   +49 421 200 3103         <https://www.jacobs-university.de/>

v2.23.0 | Report a Bug | By Email