Re: [netconf] I-D Action: draft-ietf-netconf-tls-client-server-32.txt

tom petch <ietfc@btconnect.com> Thu, 05 January 2023 16:41 UTC

Some thoughts on -25

tcp-client tcp-server local address includes the zone as does implicitly the remote address

The YANG modules contain two references to SOCKS documents - these need adding to the I-D References

     <local-address>10.20.30.40</local-address>
this is an allocated address - should be a documentation one

     <local-port>7777</local-port>
this port is allocated to cbt; not sure what the connection is with NETCONF

Security Consideration should include RFC references for TLS, SSH, as per YANG Guidelines (which opens up a can of worms)

Security Considerations talks of mutual authentication which is almost always not the case for TLS.

Security Considerations says that NACM default deny all has been applied to the cleartext password.  Not really.  The NACM is applied in another module which hopefully it will continue to do but I think that the dependency needs stating explicitly to save people a wild goose chase.

Tom Petch
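The review above objects to an allocated address (10.20.30.40) appearing in a tcp-client example. The following is an added example, not code from the message or the draft, that lints example instance data for that defect: it accepts only RFC 5737 / RFC 3849 documentation addresses (plus link-local addresses, the case where a zone suffix is meaningful) and reports anything else. The XML sample and its element names are constructed for illustration, not copied from the draft's tree.

```python
import ipaddress
import xml.etree.ElementTree as ET

# RFC 5737 (IPv4) and RFC 3849 (IPv6) documentation prefixes. Assumption:
# these are the only globally routable-looking addresses an I-D example
# should use for local-address / remote-address leaves.
DOC_NETWORKS = [
    ipaddress.ip_network("192.0.2.0/24"),
    ipaddress.ip_network("198.51.100.0/24"),
    ipaddress.ip_network("203.0.113.0/24"),
    ipaddress.ip_network("2001:db8::/32"),
]

# Constructed sample that mirrors the snippet criticised in the review;
# the surrounding element names are hypothetical.
SAMPLE_XML = """<tcp-client>
  <local-address>10.20.30.40</local-address>
  <local-port>7777</local-port>
  <remote-address>fe80::1%eth0</remote-address>
  <remote-address>2001:db8::1</remote-address>
</tcp-client>"""


def strip_zone(value):
    """Split an ip-address-with-zone value into (address, zone or None)."""
    addr, sep, zone = value.partition("%")
    return addr, (zone if sep else None)


def is_example_safe_address(value):
    """True for documentation addresses and for link-local ones (which are
    not allocated to anyone and are the only place a zone makes sense)."""
    addr, _zone = strip_zone(value)
    ip = ipaddress.ip_address(addr)
    return ip.is_link_local or any(ip in net for net in DOC_NETWORKS)


def lint_addresses(xml_text):
    """Return (element, value) pairs for every *-address leaf whose value
    is neither a documentation address nor link-local."""
    root = ET.fromstring(xml_text)
    findings = []
    for elem in root.iter():
        if elem.tag.endswith("-address") and elem.text:
            value = elem.text.strip()
            if not is_example_safe_address(value):
                findings.append((elem.tag, value))
    return findings


if __name__ == "__main__":
    for tag, value in lint_addresses(SAMPLE_XML):
        print(f"{tag}: {value} is not a documentation address")
```

Port values such as 7777 are not checked here, because whether a port is IANA-assigned cannot be decided offline without the registry.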
________________________________________
From: netconf <netconf-bounces@ietf.org> on behalf of internet-drafts@ietf.org <internet-drafts@ietf.org>
Sent: 12 December 2022 18:51
To: i-d-announce@ietf.org
Cc: netconf@ietf.org
Subject: [netconf] I-D Action: draft-ietf-netconf-tls-client-server-32.txt

A New Internet-Draft is available from the on-line Internet-Drafts directories.
This draft is a work item of the Network Configuration WG of the IETF.

        Title           : YANG Groupings for TLS Clients and TLS Servers
        Author          : Kent Watsen
        Filename        : draft-ietf-netconf-tls-client-server-32.txt
        Pages           : 155
        Date            : 2022-12-12

Abstract:
   This document defines three YANG 1.1 modules: the first defines
   features and groupings common to both TLS clients and TLS servers,
   the second defines a grouping for a generic TLS client, and the third
   defines a grouping for a generic TLS server.

Editorial Note (To be removed by RFC Editor)

   This draft contains placeholder values that need to be replaced with
   finalized values at the time of publication.  This note summarizes
   all of the substitutions that are needed.  No other RFC Editor
   instructions are specified elsewhere in this document.

   Artwork in this document contains shorthand references to drafts in
   progress.  Please apply the following replacements:

   *  AAAA --> the assigned RFC value for draft-ietf-netconf-crypto-
      types

   *  BBBB --> the assigned RFC value for draft-ietf-netconf-trust-
      anchors

   *  CCCC --> the assigned RFC value for draft-ietf-netconf-keystore

   *  DDDD --> the assigned RFC value for draft-ietf-netconf-tcp-client-
      server

   *  FFFF --> the assigned RFC value for this draft

   Artwork in this document contains placeholder values for the date of
   publication of this draft.  Please apply the following replacement:

   *  2022-12-12 --> the publication date of this draft

   The "Relation to other RFCs" section Section 1.1 contains the text
   "one or more YANG modules" and, later, "modules".  This text is
   sourced from a file in a context where it is unknown how many modules
   a draft defines.  The text is not wrong as is, but it may be improved
   by stating more directly how many modules are defined.

   The "Relation to other RFCs" section Section 1.1 contains a self-
   reference to this draft, along with a corresponding Informative
   Reference in the Appendix.

   The following Appendix section is to be removed prior to publication:

   *  Appendix B.  Change Log


The IETF datatracker status page for this draft is:
https://datatracker.ietf.org/doc/draft-ietf-netconf-tls-client-server/

There is also an HTML version available at:
https://www.ietf.org/archive/id/draft-ietf-netconf-tls-client-server-32.html

A diff from the previous version is available at:
https://author-tools.ietf.org/iddiff?url2=draft-ietf-netconf-tls-client-server-32


Internet-Drafts are also available by rsync at rsync.ietf.org::internet-drafts

