Re: [netmod] WG Last Call for draft-ietf-netmod-syslog-model-11

Alexander Clemm <alexander.clemm@huawei.com> Fri, 24 February 2017 00:25 UTC

From: Alexander Clemm <alexander.clemm@huawei.com>
To: Kent Watsen <kwatsen@juniper.net>, "draft-ietf-netmod-syslog-model@ietf.org" <draft-ietf-netmod-syslog-model@ietf.org>
Thread-Topic: [netmod] WG Last Call for draft-ietf-netmod-syslog-model-11
Date: Fri, 24 Feb 2017 00:25:22 +0000
Message-ID: <644DA50AFA8C314EA9BDDAC83BD38A2E0DF81CF7@SJCEML703-CHM.china.huawei.com>
References: <19039254-973A-461A-8749-95F74C33DAD1@juniper.net> <1481689016940.22442@Aviatnet.com> <CABCOCHSXVrZG-kz2TMmptcQ3pZ76u+MWse=0NVNY0h4q5GzrKw@mail.gmail.com> <3F4C49C9-1A6A-4644-97C6-F9CDC2E4EB4B@cisco.com> <CABCOCHRAugaAcDN589AOUYW6J4dntuX_azouEtzxcu02_TfA4w@mail.gmail.com> <1CC274D2-72B9-4F79-A70F-3DF332C65A60@cisco.com> <44C50B18-8918-47E4-A9FE-F4A676E64AA1@cisco.com> <FEF5A115-37CA-426E-A7AA-DD81BA840C36@juniper.net> <CABCOCHQP4hGaFT1onhyNi9N6Y_NgUxYusPOJt_9wRn3ZcdLZMg@mail.gmail.com> <BBF09820-4986-49A7-AE96-6360E93C671E@juniper.net> <644DA50AFA8C314EA9BDDAC83BD38A2E0DF818AA@SJCEML703-CHM.china.huawei.com> <02B9298C-631A-46F7-9FA9-19B1959327FE@juniper.net> <644DA50AFA8C314EA9BDDAC83BD38A2E0DF81C18@SJCEML703-CHM.china.huawei.com> <DB23E987-42CA-4345-B712-3116A26228DC@juniper.net> <644DA50AFA8C314EA9BDDAC83BD38A2E0DF81CBA@SJCEML703-CHM.china.huawei.com> <033D3CA2-7297-48C8-A5BD-B723F7F1911B@juniper.net>
In-Reply-To: <033D3CA2-7297-48C8-A5BD-B723F7F1911B@juniper.net>
Archived-At: <https://mailarchive.ietf.org/arch/msg/netmod/2Th0wBaMuBzVjRk8ssroF0K1xkA>
Cc: "netmod@ietf.org" <netmod@ietf.org>
Subject: Re: [netmod] WG Last Call for draft-ietf-netmod-syslog-model-11

Hi Kent,

I would think option c is the preferable option.  And I agree with your implied suggestion to accomplish this via references to the keystore.

Option a could be a less-preferred-still-acceptable alternative.  The case with multiple signers is a true corner case.

I don’t think b is acceptable, frankly.
--- Alex

From: Kent Watsen [mailto:kwatsen@juniper.net]
Sent: Thursday, February 23, 2017 4:13 PM
To: Alexander Clemm <alexander.clemm@huawei.com>; draft-ietf-netmod-syslog-model@ietf.org
Cc: netmod@ietf.org
Subject: Re: [netmod] WG Last Call for draft-ietf-netmod-syslog-model-11

> <ALEX>
> True, this is keystore territory, and I don’t think this should venture in that direction – the [sic]
> can be considered clearly out of scope.

Why would it be out of scope?  Seems like this is actually what you might want given what you
wrote below...


> However, what would actually make sense would be to offer a configuration option that
> clearly states which of the signature options (and signing material) should be used.
> Clearly the ability to configure this will be needed.

I think I agree here but, if I understand you correctly, wouldn't this be best accomplished
via references to keystore keys/certificates?


> If you want to accommodate this,

Actually, I'm just probing the issue.  I was hoping the response was going to be "this was discussed
by the working group here: <link to email-thread>" and we could move on.   But since that does
not seem to be the case, it would be good for the WG (not me) to decide if we want/need to
accommodate this.  What do people think?

Options:
  a) leave as is (and document the shortcoming)
  b) remove signing-options (add back later when ready)
  c) address the issue now


> you probably need to consider another modification to the model:  It is conceivable that there
> could be multiple signers, and different signers might each use a different option.  Therefore, to
> allow for differentiation by signer, you might want to consider introducing a corresponding
> parameter under a list of signers.  (You could even move the configuration parameters into this
> list, although frankly I would opt to keep those parameters global (and the use of the model
> simple), not per-signer.)

True, and potentially a reason to not go with (a) as, with that option, it may not
be easy to add in this kind of flexibility later in a backwards-compatible manner.


Thanks,
Kent        // shepherd