[netconf] More complications was Re: netconf-tls wasRe: Summary of updates

tom petch <ietfc@btconnect.com> Thu, 27 May 2021 11:09 UTC

From: tom petch <ietfc@btconnect.com>
To: Kent Watsen <kent+ietf@watsen.net>
CC: "netconf@ietf.org" <netconf@ietf.org>, "garywu@cisco.com" <garywu@cisco.com>
Thread-Topic: More complications was Re: netconf-tls wasRe: [netconf] Summary of updates
Thread-Index: AQHXUPLWSrmKpVGr1UKbZ6VyMkdjp6rz9S9CgADbHoCAAlu6UA==
Date: Thu, 27 May 2021 11:09:52 +0000
Message-ID: <AM7PR07MB6248BBDEECB1134C56426F73A0239@AM7PR07MB6248.eurprd07.prod.outlook.com>
References: <0100017980c49236-7975b99d-b591-4da2-a118-f6598517c4e5-000000@email.amazonses.com> <AM7PR07MB624835D8BE54144D97221817A02B9@AM7PR07MB6248.eurprd07.prod.outlook.com> <010001798c0d947e-4d2d14f5-9f0e-450d-ac99-e18c260f0c2b-000000@email.amazonses.com> <AM7PR07MB6248FF0E1E5A053D4FA2BDC4A0299@AM7PR07MB6248.eurprd07.prod.outlook.com> <01000179a0aa5d37-4810234e-8db2-434d-b8fa-780c1648955a-000000@email.amazonses.com> <AM7PR07MB624888AD4CB3C09809B22702A0259@AM7PR07MB6248.eurprd07.prod.outlook.com>, <01000179a5bdc371-b665451f-61d4-4364-9d55-e9369f3adc8e-000000@email.amazonses.com>
In-Reply-To: <01000179a5bdc371-b665451f-61d4-4364-9d55-e9369f3adc8e-000000@email.amazonses.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/netconf/tWx1o7gMOgP2QaluzkKaywc-Efs>
Subject: [netconf] More complications was Re: netconf-tls wasRe: Summary of updates

From: Kent Watsen <kent+ietf@watsen.net>
Sent: 25 May 2021 23:55
Subject: Re: netconf-tls wasRe: [netconf] Summary of updates

<tp>

Top posting a new and different issue.

server case psk references ServerKeyExchange and psk-identity-hint, neither of which exists in TLS1.3.  The client sends an extension PreSharedKeyExtension which contains a list of identities, from which the server selects one as selected-identity, for which the identifier is a uint16 indexing into the client's list. RFC8446 s.4.2.11.

The client description also needs amending.

TLS1.2 was extended to use tickets in this area to aid session resumption; these have now gone and been replaced by this extension.  I would not suggest adding support for tickets.

As I may have said before, TLS 1.3 is different.

Tom Petch 


Hi Tom,

Pruning resolved items below.
<snip>
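To make concrete the mechanism Tom describes above (the client offering a list of PSK identities and the server answering with a uint16 index into that list, RFC 8446 section 4.2.11), here is an added example that is not code from this thread, from the netconf-tls draft or from any IETF project. It encodes and decodes the two PreSharedKeyExtension bodies from the RFC's wire format and performs the client-side check the RFC requires: a selected_identity that does not index an offered identity is rejected rather than used. The identity and binder values in the demo are constructed sample data; the function names are this example's own.

```python
"""Minimal codec for the TLS 1.3 pre_shared_key extension (RFC 8446, s.4.2.11).

Wire format, copied from the RFC:

    struct { opaque identity<1..2^16-1>; uint32 obfuscated_ticket_age; } PskIdentity;
    opaque PskBinderEntry<32..255>;
    struct { PskIdentity identities<7..2^16-1>;
             PskBinderEntry binders<33..2^16-1>; } OfferedPsks;
    struct { select (Handshake.msg_type) {
               case client_hello:  OfferedPsks;
               case server_hello:  uint16 selected_identity; }
    } PreSharedKeyExtension;

Note what is absent: there is no ServerKeyExchange and no psk_identity_hint in
TLS 1.3; the server only ever returns an index into the client's offer.
"""
import struct


def _vec(payload: bytes, len_bytes: int) -> bytes:
    """Length-prefixed opaque vector, big-endian length of len_bytes bytes."""
    if len(payload) >= 1 << (8 * len_bytes):
        raise ValueError("vector too long for its length field")
    return len(payload).to_bytes(len_bytes, "big") + payload


def _read_vec(buf: bytes, pos: int, len_bytes: int):
    """Read one length-prefixed vector at pos; return (payload, new_pos)."""
    if pos + len_bytes > len(buf):
        raise ValueError("truncated length field")
    n = int.from_bytes(buf[pos:pos + len_bytes], "big")
    pos += len_bytes
    if pos + n > len(buf):
        raise ValueError("truncated vector")
    return buf[pos:pos + n], pos + n


def encode_offered_psks(identities, binders) -> bytes:
    """Client side: identities is a list of (identity bytes, obfuscated_ticket_age),
    binders a parallel list of HMAC outputs (32..255 bytes each)."""
    if len(identities) != len(binders):
        raise ValueError("one binder per identity is required")
    ids = b"".join(_vec(ident, 2) + struct.pack("!I", age) for ident, age in identities)
    bnd = b"".join(_vec(b, 1) for b in binders)
    return _vec(ids, 2) + _vec(bnd, 2)


def decode_offered_psks(body: bytes):
    """Server side: parse OfferedPsks, enforcing the RFC's length bounds."""
    ids_blob, pos = _read_vec(body, 0, 2)
    bnd_blob, pos = _read_vec(body, pos, 2)
    if pos != len(body):
        raise ValueError("trailing bytes after OfferedPsks")
    identities, p = [], 0
    while p < len(ids_blob):
        ident, p = _read_vec(ids_blob, p, 2)
        if not ident:
            raise ValueError("identity must be at least 1 byte")
        if p + 4 > len(ids_blob):
            raise ValueError("truncated obfuscated_ticket_age")
        (age,) = struct.unpack("!I", ids_blob[p:p + 4])
        p += 4
        identities.append((ident, age))
    binders, p = [], 0
    while p < len(bnd_blob):
        b, p = _read_vec(bnd_blob, p, 1)
        if not 32 <= len(b) <= 255:
            raise ValueError("PskBinderEntry length out of range")
        binders.append(b)
    if len(binders) != len(identities):
        raise ValueError("binder count does not match identity count")
    return identities, binders


def encode_selected_identity(index: int) -> bytes:
    """Server side: the whole ServerHello extension body is one uint16."""
    return struct.pack("!H", index)


def decode_selected_identity(body: bytes, offered_count: int) -> int:
    """Client side: reject any index that does not point at an identity we sent."""
    if len(body) != 2:
        raise ValueError("selected_identity must be exactly 2 bytes")
    (idx,) = struct.unpack("!H", body)
    if idx >= offered_count:
        raise ValueError("server selected an identity the client never offered")
    return idx


def demo() -> int:
    """Constructed exchange: client offers two identities, server picks the second."""
    offered = [(b"ticket-A", 0x01020304), (b"ticket-B", 7)]   # constructed sample data
    binders = [bytes(32), bytes(48)]                           # placeholder HMAC values
    client_body = encode_offered_psks(offered, binders)
    server_view, _ = decode_offered_psks(client_body)
    server_body = encode_selected_identity(1)                  # server chooses index 1
    return decode_selected_identity(server_body, len(server_view))


if __name__ == "__main__":
    print("server selected identity index", demo())
```

The parser deliberately fails closed on every bound the RFC states (identity length, binder length, binder count, and the selected index), since a lenient decoder at any of those points is where an index or length confusion would otherwise slip through.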