Re: [netconf] Security template RE: I-D Action: draft-ietf-netconf-tcp-client-server-26.txt

Kent Watsen <kent+ietf@watsen.net> Fri, 05 April 2024 18:12 UTC

Cc: "netconf@ietf.org" <netconf@ietf.org>
To: BOUCADAIR Mohamed IMT/OLN <mohamed.boucadair@orange.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/netconf/s1sg--syqt5y2e7hq743REWUe6E>

Hi Med,

Right, but mandatory-to-implement != mandatory-to-use.  What is important to say is that *all* defined/allowed transports are 1) secure and 2) require mutual-authentication.  This statement is what allows the security analysis to proceed.

As an aside, looking at RFC 8040 just now, it says "The RESTCONF protocol MUST NOT be used over HTTP without using the TLS protocol", which is bad given recent moves to run RESTCONF on top of QUIC.  We also want to run NETCONF on top of QUIC, but fortunately RFC 6241 doesn't limit that possibility.

Kent



> On Apr 5, 2024, at 1:01 PM, mohamed.boucadair@orange.com wrote:
> 
> Kent,
>  
> I’m not sure what is broken in the template. It is true that other transports were defined, but still SSH is MTI for NETCONF and TLS is MTI for RESTCONF.
>  
> Cheers,
> Med
>  
> From: Kent Watsen <kent+ietf@watsen.net <mailto:kent+ietf@watsen.net>> 
> Sent: Friday, 5 April 2024 18:13
> To: BOUCADAIR Mohamed INNOV/NET <mohamed.boucadair@orange.com <mailto:mohamed.boucadair@orange.com>>
> Cc: netconf@ietf.org <mailto:netconf@ietf.org>
> Subject: Re: [netconf] I-D Action: draft-ietf-netconf-tcp-client-server-26.txt
>  
>  
> 
> rfc8407bis isn’t published yet…
> [Med] This is the actual template since 2018! Please see https://wiki.ietf.org/group/ops/yang-security-guidelines
>  
> Ack, but that text is broken for the reasons I mentioned true.
>  
>  
> My text is better:
>   - more concise
>   - more accurate
>     - NETCONF supports other transports besides SSH
>     - RESTCONF supports other transports besides TLS
>  
> I suggest fixing rfc8407bis
>  
> Please fix the broken text in rfc8407bis.
>  
>  