Re: [netconf] More complications

tom petch <ietfc@btconnect.com> Tue, 15 June 2021 16:22 UTC

Archived-At: <https://mailarchive.ietf.org/arch/msg/netconf/xv3ckflMr6Tj2BsZlKA81R1KyPc>

From: netconf <netconf-bounces@ietf.org> on behalf of Juergen Schoenwaelder <j.schoenwaelder@jacobs-university.de>
Sent: 15 June 2021 13:18

The way TLS is used with NETCONF is defined in RFC 7589. If any of
that needs clarification to properly support TLS 1.3, then we need to
revise RFC 7589. Defining the proper configuration knobs should follow
from that.

<tp>
You wisely pointed this out before; then and now, I re-read RFC7589 and think that updating it will take some time, and I am unclear how much scope it gives us for the time being.

It only mentions TLS1.2 (of course) but does not prohibit other versions so arguably caters for some forms of TLS1.3.

It is very keen on certificates but allows for other suitable mutual authentication, which could be taken to include PSK, but would appear not to cater for deriving a username from a PSK (s.7), which suggests PSK is out of scope. TLS regards a public key as a certificate, which is fine until you need a subjectAltName or some such from which to derive the username, which the RFC does, so that would seem to be out of scope.

It does not cover TLS keepalive (which netconf-tls does).

So, TLS1.3 with proper certificates would seem to be the only option.

Tom Petch

And as Kent reminds us, the scope of the TLS configuration draft is
much wider than just NETCONF over TLS. Hence, dropping support for
certain TLS 1.3 features, that may be essential in some use cases,
should be done with great care. (And let's keep in mind that dropping
standard configuration knobs just means that there are no standard
configuration knobs, it does not mean that a certain protocol feature
won't be used, it will just be configured using other non-standard
means).

/js

On Tue, Jun 15, 2021 at 01:53:19PM +0200, Henk Birkholz wrote:
> Hi all,
>
> a fellow IETF'ler poked me to pay attention to this thread. Sorry for the
> latency.
>
> Hm - dropping PSK support for TLS 1.3 seems to be leaving a bunch of
> implementations in the IoT space behind that are inching towards migration,
> currently.
>
> How urgent is this? I can certainly massage the current YANG module, but (in
> theory) I am occupied by another SDO meeting this week.
>
> Best regards,
>
> Henk
>
>
> On 15.06.21 13:36, tom petch wrote:
> > From: Kent Watsen <kent+ietf@watsen.net>
> > Sent: 14 June 2021 15:27
> >
> > [CC-ing Henk, to whom a question is directed to below]
> >
> >
> > Hi Tom,
> >
> > > Top posting a new and different issue.
> >
> > Thanks for updating the subject line.
> >
> >
> > > server case psk references ServerKeyExchange and psk-identity-hint neither of which exist in TLS1.3.  The client sends an extension PreSharedKeyExtension which contains a list of identities from which the server selects one as selected-identity for which the identifier is uint16 indexing into the client's list. RFC8446 s.4.2.11.
> > >
> > > The client description also needs amending.
> > >
> > > TLS1.2 was extended to use tickets in this area to aid session resumption; these have now gone and been replaced by this extension.  I would not suggest adding support for tickets.
> > >
> > > As I may have said before, TLS 1.3 is different.
> >
> > Henk, could you help with these edits? Support for PSK and raw public key were added to draft-ietf-netconf-tls-client-server per your request and, if memory serves me, didn’t you help me with the YANG update too? I suppose what is needed is either a “choice” statement (with cases for 1.2 and 1.3) *or* sibling-container statements (in case it’s necessary both are configured in case, e.g., the client sends one or the other)...
> >
> > <tp>
> > Or else drop support for PSK with TLS1.3 at this time because too little is known about it outside the use for HTTP. I am starting to see I-Ds about how to use TLS1.3 with application X, even for HTTP, and I think that such an I-D will be needed for many applications with or without PSK.
> >
> > Tom Petch
> >
> > > Tom Petch
> >
> > Kent
> >
>
> _______________________________________________
> netconf mailing list
> netconf@ietf.org
> https://www.ietf.org/mailman/listinfo/netconf

--
Juergen Schoenwaelder           Jacobs University Bremen gGmbH
Phone: +49 421 200 3587         Campus Ring 1 | 28759 Bremen | Germany
Fax:   +49 421 200 3103         <https://www.jacobs-university.de/>
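The PSK mechanism Tom describes in the quoted text (the client's PreSharedKeyExtension carrying a list of identities, the server answering with a uint16 selected-identity that indexes that list, RFC 8446 s.4.2.11) is easy to get wrong when a YANG module or an implementation is still thinking in TLS 1.2 terms of ServerKeyExchange and psk-identity-hint. The block below is an added example written for this page; it is not code from the thread, from draft-ietf-netconf-tls-client-server, or from any TLS library. It encodes and parses the two forms of the extension body and performs the client-side range check that RFC 8446 requires (an out-of-range selected_identity must be rejected with an illegal_parameter alert). The identity strings are constructed sample values, and the binders are stand-ins of the right length only; real binders are HMACs over the partial ClientHello transcript, which is out of scope here.

```python
"""Encode/decode the TLS 1.3 pre_shared_key extension bodies (RFC 8446 s.4.2.11).

Added example, not part of the original thread. Wire formats modelled:
  ClientHello: OfferedPsks = identities<7..2^16-1> + binders<33..2^16-1>
               PskIdentity = opaque identity<1..2^16-1> + uint32 obfuscated_ticket_age
               PskBinderEntry = opaque<32..255>
  ServerHello: uint16 selected_identity (an index into the client's list)
"""
import hashlib
import struct
from dataclasses import dataclass
from typing import List, Tuple


@dataclass
class PskIdentity:
    identity: bytes             # opaque identity<1..2^16-1>
    obfuscated_ticket_age: int  # uint32; 0 for externally provisioned PSKs


def encode_offered_psks(identities: List[PskIdentity], binders: List[bytes]) -> bytes:
    """Client side: build the OfferedPsks body sent in the ClientHello."""
    if not identities or len(identities) != len(binders):
        raise ValueError("exactly one binder per offered identity is required")
    ids = b""
    for pid in identities:
        if not 1 <= len(pid.identity) <= 0xFFFF:
            raise ValueError("identity length out of range")
        ids += struct.pack("!H", len(pid.identity)) + pid.identity
        ids += struct.pack("!I", pid.obfuscated_ticket_age)
    bnd = b""
    for b in binders:
        if not 32 <= len(b) <= 255:
            raise ValueError("PskBinderEntry must be 32..255 bytes")
        bnd += struct.pack("!B", len(b)) + b
    return struct.pack("!H", len(ids)) + ids + struct.pack("!H", len(bnd)) + bnd


def _take(buf: bytes, n: int, off: int) -> Tuple[bytes, int]:
    """Bounds-checked slice helper: refuses to read past the end of the buffer."""
    if off + n > len(buf):
        raise ValueError("truncated pre_shared_key extension")
    return buf[off:off + n], off + n


def decode_offered_psks(data: bytes) -> Tuple[List[PskIdentity], List[bytes]]:
    """Server side: parse the ClientHello body, rejecting truncated or trailing data."""
    off = 0
    raw, off = _take(data, 2, off)
    ids_blob, off = _take(data, struct.unpack("!H", raw)[0], off)
    identities: List[PskIdentity] = []
    i = 0
    while i < len(ids_blob):
        raw, i = _take(ids_blob, 2, i)
        n = struct.unpack("!H", raw)[0]
        if n == 0:
            raise ValueError("empty PSK identity")
        ident, i = _take(ids_blob, n, i)
        raw, i = _take(ids_blob, 4, i)
        identities.append(PskIdentity(ident, struct.unpack("!I", raw)[0]))
    raw, off = _take(data, 2, off)
    bnd_blob, off = _take(data, struct.unpack("!H", raw)[0], off)
    binders: List[bytes] = []
    j = 0
    while j < len(bnd_blob):
        raw, j = _take(bnd_blob, 1, j)
        if raw[0] < 32:
            raise ValueError("binder too short")
        b, j = _take(bnd_blob, raw[0], j)
        binders.append(b)
    if off != len(data):
        raise ValueError("trailing bytes in pre_shared_key extension")
    if not identities or len(identities) != len(binders):
        raise ValueError("identity/binder count mismatch")
    return identities, binders


def encode_selected_identity(index: int) -> bytes:
    """Server side: the ServerHello body is just uint16 selected_identity."""
    return struct.pack("!H", index)


def check_selected_identity(offered: List[PskIdentity], server_body: bytes) -> int:
    """Client side: the index must name one of the identities this client offered.

    RFC 8446 s.4.2.11: a selected_identity outside the offered range must be
    treated as a fatal illegal_parameter alert, never silently clamped.
    """
    if len(server_body) != 2:
        raise ValueError("illegal_parameter: selected_identity must be exactly 2 bytes")
    idx = struct.unpack("!H", server_body)[0]
    if idx >= len(offered):
        raise ValueError(f"illegal_parameter: selected_identity {idx} out of range")
    return idx


def demo() -> int:
    """Round-trip a constructed offer and let the server pick the second identity."""
    offered = [PskIdentity(b"device-0042", 0), PskIdentity(b"device-0042-backup", 0)]
    # Constructed stand-in binders (32 bytes each); real ones are transcript HMACs.
    binders = [hashlib.sha256(p.identity).digest() for p in offered]
    body = encode_offered_psks(offered, binders)
    parsed_ids, _ = decode_offered_psks(body)
    chosen = encode_selected_identity(parsed_ids.index(offered[1]))
    return check_selected_identity(offered, chosen)


if __name__ == "__main__":
    print("server selected identity index", demo())
```

The point for a configuration model is visible in the code: there is no server-supplied hint and no ServerKeyExchange; the only server-side datum is an index into what the client offered, so the client, not the server, is the party that has to validate it.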
