[netconf] Create IANA-defined modules?

Kent Watsen <kent+ietf@watsen.net> Wed, 26 May 2021 19:05 UTC

Return-Path: <01000179aa118e62-0d8dd2b2-f001-4ff3-9d10-4b4e15098055-000000@amazonses.watsen.net>
X-Original-To: netconf@ietfa.amsl.com
Delivered-To: netconf@ietfa.amsl.com
Received: from localhost (localhost []) by ietfa.amsl.com (Postfix) with ESMTP id DC8B83A109E for <netconf@ietfa.amsl.com>; Wed, 26 May 2021 12:05:53 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.895
X-Spam-Status: No, score=-1.895 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_MSPIKE_H3=0.001, RCVD_IN_MSPIKE_WL=0.001, SPF_HELO_NONE=0.001, SPF_NONE=0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=amazonses.com
Received: from mail.ietf.org ([]) by localhost (ietfa.amsl.com []) (amavisd-new, port 10024) with ESMTP id 81rqxYRE-nro for <netconf@ietfa.amsl.com>; Wed, 26 May 2021 12:05:49 -0700 (PDT)
Received: from a8-33.smtp-out.amazonses.com (a8-33.smtp-out.amazonses.com []) (using TLSv1.2 with cipher ECDHE-RSA-AES128-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 5D0DF3A1094 for <netconf@ietf.org>; Wed, 26 May 2021 12:05:49 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/simple; s=ug7nbtf4gccmlpwj322ax3p6ow6yfsug; d=amazonses.com; t=1622055948; h=From:Content-Type:Content-Transfer-Encoding:Mime-Version:Subject:Message-Id:Date:Cc:To:Feedback-ID; bh=6R+hXVu9YK+cIkArA/JFkW735mNpINpacKW3S9l+vN8=; b=WaGgnhuvheSNn2DG1KFLo1u9v9GRonNNjh6MUrK55NYqTl2uCYwFtrpJrsq1CrZ0 Pm+dMkkV3BYJAjJKulZ2d3OyU0vWuWtXcM6E59TdlJSGbH+xKJ9hZj/SX8DlPRYoLXw 2QH8CB0IiClEPYsQoVj3Zwi2BpLenvLCvFoX1prM=
From: Kent Watsen <kent+ietf@watsen.net>
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: quoted-printable
Mime-Version: 1.0 (Mac OS X Mail 14.0 \(3654.\))
Message-ID: <01000179aa118e62-0d8dd2b2-f001-4ff3-9d10-4b4e15098055-000000@email.amazonses.com>
Date: Wed, 26 May 2021 19:05:47 +0000
To: "netconf@ietf.org" <netconf@ietf.org>
X-Mailer: Apple Mail (2.3654.
Feedback-ID: 1.us-east-1.DKmIRZFhhsBhtmFMNikgwZUWVrODEw9qVcPhqJEI2DA=:AmazonSES
X-SES-Outgoing: 2021.05.26-
Archived-At: <https://mailarchive.ietf.org/arch/msg/netconf/tVaiqDpAr64MpCx0bE_WzaAawbE>
Subject: [netconf] Create IANA-defined modules?
X-BeenThere: netconf@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: NETCONF WG list <netconf.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/netconf>, <mailto:netconf-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/netconf/>
List-Post: <mailto:netconf@ietf.org>
List-Help: <mailto:netconf-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/netconf>, <mailto:netconf-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 26 May 2021 19:05:54 -0000

[CC-ing Gary, who contributed the “ietf-[tls/ssh]-common" modules originally]


The “tls-client-server” draft just received the following GitHub “issue”:

This is rather a question than an issue, maybe.

Given that IANA maintains the TLS parameters at   https://www.iana.org/assignments/tls-parameters/tls-parameters.xhtml, would it not be better for that content to come from something like iana-tls[-parameters].yang rather than an IETF maintained YANG module?

This is a good point.  Perhaps we should move all the identities for the algorithms defined in the “ietf-tls-common” module to an IANA-maintained “iana-tls-parameters” module.  Thoughts?

By extension, the same statement applies to the “ssh-client-server” draft and the IANA maintained SSH parameters page: https://www.iana.org/assignments/ssh-parameters/ssh-parameters.xhtml.

One potential issue with doing this is that the existing identities have “if-feature” statements that constrain them to specific TLS-versions and algorithm-families, and are sometimes marked as “deprecated".  By example:

    identity ecdhe-ecdsa-with-aes-128-cbc-sha256 {
       if-feature "tls-1_2";
       if-feature "tls-ecc and tls-sha2";
       base cipher-suite-base;
       status "deprecated";
           "Cipher suite TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256.";
          "RFC 5289: TLS Elliptic Curve Cipher Suites with
                             SHA-256/384 and AES Galois Counter Mode (GCM)";

But that information is NOT captured in the IANA-maintained page.   What to do?

One option would be to drop all the feature statements.  All they do is limit the totality of algorithms presented to an administrator, when configuring which algorithms the client/server should support.  Worst case, all algorithms (of a given type) are presented, regardless if supported by the, e.g., TLS protocol version.  When configuring clients/servers using, e.g., text-based configuration files, such filters are never available.  Does anyone know what Cisco/Juniper/etc. devices do in their command-line and/or web interfaces?

Another option, which I like because it’s less work for me (unless someone can volunteer a GitHub pull request), is to remove the ietf-[tls/ssh]-common modules altogether.  They’re currently optional-to-configure and, when not configured, it’s an implementation-specific decision what, e.g., algorithms to list as being supported during the protocol handshake.  Personally, I’ve never used them (or implemented support for them), happily deferring to internal code and underlying libraries.  In lieu of us not defining these modules now, applications could augment-in their own configuration nodes and, of course, a future WG effort could add them.  Thoughts on this approach?