Re: [netconf] Create IANA-defined modules?

Qin Wu <> Tue, 15 June 2021 05:54 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 03E0D3A2112 for <>; Mon, 14 Jun 2021 22:54:22 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -4.199
X-Spam-Status: No, score=-4.199 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_MED=-2.3, RCVD_IN_MSPIKE_H2=-0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id 2wKLYRw7BspZ for <>; Mon, 14 Jun 2021 22:54:13 -0700 (PDT)
Received: from ( []) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by (Postfix) with ESMTPS id B3E1B3A2110 for <>; Mon, 14 Jun 2021 22:54:12 -0700 (PDT)
Received: from (unknown []) by (SkyGuard) with ESMTP id 4G3y4t6mP2z6D9h3 for <>; Tue, 15 Jun 2021 13:47:10 +0800 (CST)
Received: from ( by ( with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P256) id 15.1.2176.2; Tue, 15 Jun 2021 07:54:08 +0200
Received: from ( by ( with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P256) id 15.1.2176.2; Tue, 15 Jun 2021 13:54:06 +0800
Received: from ([]) by ([]) with mapi id 15.01.2176.012; Tue, 15 Jun 2021 13:54:06 +0800
From: Qin Wu <>
To: Kent Watsen <>, tom petch <>, "Per Andersson (perander)" <>
CC: "" <>
Thread-Topic: [netconf] Create IANA-defined modules?
Thread-Index: AddhqjRkR+YrczgKwUaLplcUh/rY0A==
Date: Tue, 15 Jun 2021 05:54:06 +0000
Message-ID: <>
Accept-Language: zh-CN, en-US
Content-Language: zh-CN
x-originating-ip: []
Content-Type: multipart/alternative; boundary="_000_48e9f39ba2df45bd96c1dcc400765c14huaweicom_"
MIME-Version: 1.0
X-CFilter-Loop: Reflected
Archived-At: <>
Subject: Re: [netconf] Create IANA-defined modules?
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: NETCONF WG list <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Tue, 15 Jun 2021 05:54:23 -0000

发件人: Kent Watsen []
发送时间: 2021年6月15日 0:22
收件人: Qin Wu <>om>; tom petch <>om>; Per Andersson (perander) <>
主题: Re: [netconf] Create IANA-defined modules?

Thank you Qin, Tom, and Per for the responses to my last post…this message addresses them all.

Since the discussion has been mostly about *how* to create the IANA-defined module (not *if* we should, e.g., dropping the work for some future effort to pickup), I take it that folks believe having the ability for configure supported-algorithms is needed now.  As no one offered to help (:sigh:, and people wonder why this work takes so long), I wrote the attached script that creates the attached module directly from the data obtained from the IANA-maintained "TLS Cipher Suites" sub-registry of the "Transport Layer Security (TLS) Parameters” registry here:  The resulting module is also attached.

[Qin Wu]  The proposed module looks good to me, I assume these cipher-suite identities are not specific to particular version of TLS, e.g., TLS1.3.

Tom, you will be happy to know that the all the identity names begin with “tls”  :)    Also, there are no “feature” statements, since there is nothing in the source registry that can be used to generate “if-feature” statements.  Out of the 347 algorithms listed in the registry,  310 algorithms are marked “status deprecated” (driven by the “recommended” column having value ’N’), and 7 algorithms are marked “status obsolete” (driven by the "SC-tls-des-idea-ciphers-to-historic” reference).

Regarding if to use a  “config false” tree or an RPC, Per makes an interesting point about “must" and “when” expressions, though I do wonder how that would play out in practice, as said expressions would (presumably) be defined under “config true” nodes and hence couldn't reference the “config false” values?  Maybe Per could say some more about the use-case in mind.

No one responded regarding if we should use identities or enumerations.  The attached sample module uses identities, but it would be an easy thing to change the script to generated enumerations - thoughts?

Again: if “identity” statements are used, and the module is *implemented*, it would NOT mean the server supports all (or even any) of the algorithms. This would only be known if the algorithm appears in the “supported algorithms” "config false” list.  Does anyone feel this is a misuse of YANG?  IMO, YANG identities needing to be implemented is not very useful in practice, and so I don’t view that as a negative in the slightest.

[Qin Wu] I agree with Per that it seems identities are better choice.