IETF Logo Mail Archive

Re: [netconf] crypto-types fallback strategy

Kent Watsen <kent+ietf@watsen.net> Tue, 08 October 2019 13:55 UTC

Return-Path: <0100016daba764f6-86d561df-1a18-4c40-a55c-de44bfcdd934-000000@amazonses.watsen.net>
X-Original-To: netconf@ietfa.amsl.com
Delivered-To: netconf@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 45C911200B2 for <netconf@ietfa.amsl.com>; Tue, 8 Oct 2019 06:55:41 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.896
X-Spam-Level:
X-Spam-Status: No, score=-1.896 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_NONE=0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=amazonses.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id XKLr6YqZtJuR for <netconf@ietfa.amsl.com>; Tue, 8 Oct 2019 06:55:39 -0700 (PDT)
Received: from a8-33.smtp-out.amazonses.com (a8-33.smtp-out.amazonses.com [54.240.8.33]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id C6C951200A3 for <netconf@ietf.org>; Tue, 8 Oct 2019 06:55:38 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/simple; s=6gbrjpgwjskckoa6a5zn6fwqkn67xbtw; d=amazonses.com; t=1570542937; h=From:Message-Id:Content-Type:Mime-Version:Subject:Date:In-Reply-To:Cc:To:References:Feedback-ID; bh=OGlDm0L+I5LZ6LcRLaE22bWxymqpsPEN90utiy2rn3M=; b=cU6wH9s9dMDVOXMyMtj5RcTpoFMG63OWug72Y57Rxhlgo1wEPNyHy7XbxrffNwV7 xsr37m1ONRzfsYuVA9yJHoklXQD1ARtb+TKtHccBnB2eLvkvDeEuhV2cuL6NXOydpKG dsCZNYYonOVoXtPPCSiZtHkzDSFiZPs29G7Y9sB8=
From: Kent Watsen <kent+ietf@watsen.net>
Message-ID: <0100016daba764f6-86d561df-1a18-4c40-a55c-de44bfcdd934-000000@email.amazonses.com>
Content-Type: multipart/alternative; boundary="Apple-Mail=_DCA92ECB-06FD-49C0-9311-705942F86E68"
Mime-Version: 1.0 (Mac OS X Mail 12.4 \(3445.104.11\))
Date: Tue, 08 Oct 2019 13:55:37 +0000
In-Reply-To: <20191008125723.7zyaacswkpenlefl@anna.jacobs.jacobs-university.de>
Cc: tom petch <ietfc@btconnect.com>, "netconf@ietf.org" <netconf@ietf.org>
To: Juergen Schoenwaelder <J.Schoenwaelder@jacobs-university.de>
References: <0100016d455c6145-844c669e-8f31-4203-a827-7368d33cdee4-000000@email.amazonses.com> <MN2PR11MB4366E914816F6C3D9515A31DB5890@MN2PR11MB4366.namprd11.prod.outlook.com> <0100016d7325f06e-00613ab7-413c-4d97-972c-858cf4886b65-000000@email.amazonses.com> <20190927.170902.142773301948727896.mbj@tail-f.com> <MN2PR11MB4366C30CE4650421CE915840B5810@MN2PR11MB4366.namprd11.prod.outlook.com> <20190927174623.jhvpudof6yfs2m4k@anna.jacobs.jacobs-university.de> <0100016d84c0c469-e57fd7aa-dcba-4079-9b37-22720f7a4500-000000@email.amazonses.com> <02f501d57846$e29a3b20$4001a8c0@gateway.2wire.net> <0100016d8834e6b1-d2301e8e-89e5-4fb1-ae58-057e82c4cf7f-000000@email.amazonses.com> <0100016da8b59883-9c9c21fa-5030-4dd5-867e-5e33bf7b379d-000000@email.amazonses.com> <20191008125723.7zyaacswkpenlefl@anna.jacobs.jacobs-university.de>
X-Mailer: Apple Mail (2.3445.104.11)
X-SES-Outgoing: 2019.10.08-54.240.8.33
Feedback-ID: 1.us-east-1.DKmIRZFhhsBhtmFMNikgwZUWVrODEw9qVcPhqJEI2DA=:AmazonSES
Archived-At: <https://mailarchive.ietf.org/arch/msg/netconf/pgjwYCglzXakazkdNFPl1B6h78Q>
Subject: Re: [netconf] crypto-types fallback strategy
X-BeenThere: netconf@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: NETCONF WG list <netconf.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/netconf>, <mailto:netconf-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/netconf/>
List-Post: <mailto:netconf@ietf.org>
List-Help: <mailto:netconf-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/netconf>, <mailto:netconf-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 08 Oct 2019 13:55:41 -0000

> 
> I think there are
> 
> a) cryptographic algorithms (the primitives)
> b) operating modes for symmetric algorithms etc.
> c) combinations of a) and b) used by certain security protocols or
>   sub-protocols (keyex vs data transfer)
> d) key formats that are used together to combinations from b)
> 
> and we seem to sometimes confuse these things. If this is a proposal
> for a), then fine. But these registries do not help much with b)-d),
> 
> I believe b) and d) tend to be security protocol specific (and may
> even be security protocol version specific).
> 
> Looking at things from a management perspective, I assume the
> relevance for configuration is d) to a).
> 
> Hence, I believe it makes sense to create a module with definitions
> specifically needed for SSH and a module with definitions specifically
> needed for TLS. (The SNMP model in RFCC 7407 has a several choices to
> deal with different security "algorithms". This does not really matter
> except that we also back then went for a security protocol specific
> solution.)


An attempt to do this already exists.  Please look at:

  - https://tools.ietf.org/html/draft-ietf-netconf-ssh-client-server-14#section-5.3 <https://tools.ietf.org/html/draft-ietf-netconf-ssh-client-server-14#section-5.3>
  - https://tools.ietf.org/html/draft-ietf-netconf-tls-client-server-14#section-5.3 <https://tools.ietf.org/html/draft-ietf-netconf-tls-client-server-14#section-5.3>

As well as the tables in Section 5 in both drafts.

Admittedly, my co-authors decided to put this effort on hold while crypto-types issue is resolved, as the WG's focus is on the first three drafts of the client/server suite of drafts.   But the point is that the plan is to address the protocol-specific issue within these drafts.

Kent

v2.23.0 | Report a Bug | By Email