[netconf] Enterprise was Re: crypto-types: why symmetric keys?

tom petch <ietfc@btconnect.com> Tue, 08 October 2019 10:06 UTC

From: tom petch <ietfc@btconnect.com>
To: "Salz, Rich" <rsalz@akamai.com>, Kent Watsen <kent+ietf@watsen.net>
CC: "netconf@ietf.org" <netconf@ietf.org>
Thread-Topic: Enterprise was Re: [netconf] crypto-types: why symmetric keys?
Thread-Index: AQHVfcARvDXLmYc9z0ap0qpoWC22Cg==
Date: Tue, 08 Oct 2019 10:06:35 +0000
Message-ID: <053801d57dbf$c4887380$4001a8c0@gateway.2wire.net>
References: <B840CB4A-3DF9-4C1B-825D-F24A72EFC90F@akamai.com> <84a2ff74-67fb-069b-a9bc-4bd4187ee1bc@alumni.stanford.edu> <017A9541-641B-4826-983B-7C47AFA1A3AD@akamai.com> <0100016d97eb99fe-d6ce4ac2-7c9d-4653-833b-cb9471591e68-000000@email.amazonses.com> <13627E1C-A6D0-49B9-8277-55713E1958BD@akamai.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/netconf/zF5Q9ohnHjE574YIfRKuDDBa6Co>
Subject: [netconf] Enterprise was Re: crypto-types: why symmetric keys?

----- Original Message -----
From: "Salz, Rich" <rsalz@akamai.com>
Sent: Friday, October 04, 2019 7:06 PM

> Thanks for the clarification.
>
> I continue to urge development of small models that meet most (*not
> all*) needs of service configuration.  TLS’s PSK keys need to be shared
> by the server and client(s), so I am not sure about the utility of “so
> not even the administrator knows it”.  I am ignorant if PSK’s are
> actually needed for enterprise use of TLS.
>
> Rich

From my (limited) experience of Enterprise, and assuming that PSK is
Pre-Shared Key, a string of unspecified length, I see SSH used,
mostly, for Systems and Network Management, with HTTPS used, mostly, for
operational systems and user access, with two-factor authentication where
user authentication is needed.  Almost all user access is to a web
server, with little or no raw e-mail, file transfer or suchlike
protocols.

I see device - not user - certificates used to secure VPN access.

I do also see configuration of PSK when a new departmental server comes
along and is configured with user-ids and one-time passwords which are
e-mailed out to the users; sometimes the PSK is a four-digit PIN.
(Real-world security as opposed to IETF standards security :-)

One other thought.  The Enterprises I know are just migrating from
Windows 7 to Windows 10, since support for the former expires this year.
Over the past year or so, they have migrated from TLS 1.0 to TLS 1.2.
This suggests to me that TLS 1.3, which is rather different, for PSK and
everything else, is some way off and that our focus should be on TLS 1.2,
but I do not know if that would get past a Security AD; the YANG
boilerplate now mandates TLS 1.3.

Tom Petch
