IETF Logo Mail Archive

Re: [netmod] WG Last Call for draft-ietf-netmod-syslog-model-11

Alexander Clemm <alexander.clemm@huawei.com> Thu, 23 February 2017 23:36 UTC

Return-Path: <alexander.clemm@huawei.com>
X-Original-To: netmod@ietfa.amsl.com
Delivered-To: netmod@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id DBA5E129C3C; Thu, 23 Feb 2017 15:36:29 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.22
X-Spam-Level:
X-Spam-Status: No, score=-4.22 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_MED=-2.3, RCVD_IN_MSPIKE_H3=-0.01, RCVD_IN_MSPIKE_WL=-0.01, RP_MATCHES_RCVD=-0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Ubf3h-qxiF-C; Thu, 23 Feb 2017 15:36:27 -0800 (PST)
Received: from lhrrgout.huawei.com (lhrrgout.huawei.com [194.213.3.17]) (using TLSv1 with cipher RC4-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 48359129C44; Thu, 23 Feb 2017 15:36:25 -0800 (PST)
Received: from 172.18.7.190 (EHLO lhreml704-cah.china.huawei.com) ([172.18.7.190]) by lhrrg02-dlp.huawei.com (MOS 4.3.7-GA FastPath queued) with ESMTP id DBP55162; Thu, 23 Feb 2017 23:36:22 +0000 (GMT)
Received: from SJCEML702-CHM.china.huawei.com (10.208.112.38) by lhreml704-cah.china.huawei.com (10.201.108.45) with Microsoft SMTP Server (TLS) id 14.3.301.0; Thu, 23 Feb 2017 23:36:21 +0000
Received: from SJCEML703-CHM.china.huawei.com ([169.254.5.69]) by SJCEML702-CHM.china.huawei.com ([169.254.4.133]) with mapi id 14.03.0235.001; Thu, 23 Feb 2017 15:36:18 -0800
From: Alexander Clemm <alexander.clemm@huawei.com>
To: Kent Watsen <kwatsen@juniper.net>, "draft-ietf-netmod-syslog-model@ietf.org" <draft-ietf-netmod-syslog-model@ietf.org>
Thread-Topic: [netmod] WG Last Call for draft-ietf-netmod-syslog-model-11
Thread-Index: AQHSYJW2xokX16DuSk+HNpIDiLq0CKEhVn2AgAFzDYCAEba3AIA00fcAgAuFvYCAABxJgIAB30KAgAB3xFCAAKyBAP//gjPAgACZzAD//4A0gA==
Date: Thu, 23 Feb 2017 23:36:16 +0000
Message-ID: <644DA50AFA8C314EA9BDDAC83BD38A2E0DF81CBA@SJCEML703-CHM.china.huawei.com>
References: <19039254-973A-461A-8749-95F74C33DAD1@juniper.net> <1481689016940.22442@Aviatnet.com> <CABCOCHSXVrZG-kz2TMmptcQ3pZ76u+MWse=0NVNY0h4q5GzrKw@mail.gmail.com> <3F4C49C9-1A6A-4644-97C6-F9CDC2E4EB4B@cisco.com> <CABCOCHRAugaAcDN589AOUYW6J4dntuX_azouEtzxcu02_TfA4w@mail.gmail.com> <1CC274D2-72B9-4F79-A70F-3DF332C65A60@cisco.com> <44C50B18-8918-47E4-A9FE-F4A676E64AA1@cisco.com> <FEF5A115-37CA-426E-A7AA-DD81BA840C36@juniper.net> <CABCOCHQP4hGaFT1onhyNi9N6Y_NgUxYusPOJt_9wRn3ZcdLZMg@mail.gmail.com> <BBF09820-4986-49A7-AE96-6360E93C671E@juniper.net> <644DA50AFA8C314EA9BDDAC83BD38A2E0DF818AA@SJCEML703-CHM.china.huawei.com> <02B9298C-631A-46F7-9FA9-19B1959327FE@juniper.net> <644DA50AFA8C314EA9BDDAC83BD38A2E0DF81C18@SJCEML703-CHM.china.huawei.com> <DB23E987-42CA-4345-B712-3116A26228DC@juniper.net>
In-Reply-To: <DB23E987-42CA-4345-B712-3116A26228DC@juniper.net>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [10.213.48.130]
Content-Type: multipart/alternative; boundary="_000_644DA50AFA8C314EA9BDDAC83BD38A2E0DF81CBASJCEML703CHMchi_"
MIME-Version: 1.0
X-CFilter-Loop: Reflected
X-Mirapoint-Virus-RAPID-Raw: score=unknown(0), refid=str=0001.0A020201.58AF71F7.015B, ss=1, re=0.000, recu=0.000, reip=0.000, cl=1, cld=1, fgs=0, ip=169.254.5.69, so=2013-06-18 04:22:30, dmn=2013-03-21 17:37:32
X-Mirapoint-Loop-Id: 3aaf4b4098dc1e423922ba2891e7ee30
Archived-At: <https://mailarchive.ietf.org/arch/msg/netmod/GCwSIIbRKmhuSb45AcUDvmgmsuQ>
Cc: "netmod@ietf.org" <netmod@ietf.org>
Subject: Re: [netmod] WG Last Call for draft-ietf-netmod-syslog-model-11
X-BeenThere: netmod@ietf.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: NETMOD WG list <netmod.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/netmod>, <mailto:netmod-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/netmod/>
List-Post: <mailto:netmod@ietf.org>
List-Help: <mailto:netmod-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/netmod>, <mailto:netmod-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 23 Feb 2017 23:36:30 -0000

Hi Kent

More responses, <ALEX>

--- Alex

From: Kent Watsen [mailto:kwatsen@juniper.net]
Sent: Thursday, February 23, 2017 2:52 PM
To: Alexander Clemm <alexander.clemm@huawei.com>; draft-ietf-netmod-syslog-model@ietf.org
Cc: netmod@ietf.org
Subject: Re: [netmod] WG Last Call for draft-ietf-netmod-syslog-model-11

>> - should the leafs not starting with "cert-" start with "sig-", to better match section 6.1?
>
> <ALEX> No, that would actually match less and be misleading.   The parameters mentioned in 6.1.1
> refer to configuration parameters for certificate blocks, and are accordingly prefixed “cert”.  The
> parameters mentioned in 6.1.2 are related to Signature Blocks and are accordingly prefixed with
> “sig” (sigMaxDelay, sigNumberResends, sigREsendDelay, and sigResendCount).  So, you might
> actually want to consider prefixing max-delay, number-resends, resend-delay, and resend-count
> with“sig-“. </ALEX>

Exactly, we agree.   These were the leafs I meant by "not starting with 'cert-' ".

<ALEX>
Ah, okay.  Yes, we agree; I misunderstood your earlier sentence.
</ALEX>

> Syslog-sign does not specify how these types got there and what key material they
> used.  Now, if you wanted to manage that as well, sure, but now you would be getting
> into TLS territory as you mention and I would think this should be kept outside the
> scope.

That Syslog-sign doesn't specify this is a good response as well.  But answer
me honestly, isn't it something that a device would have to have configured
and, if so, wouldn't it make most sense for that configuration to be in this
module?

FWIW, I don't think that it's TLS-territory so much as keystore-territory.

<ALEX>
True, this is keystore territory, and I don’t think this should venture in that direction – the can be considered clearly out of scope.
However, what would actually make sense would be to offer a configuration option that clearly states which of the signature options (and signing material) should be used.    Clearly the ability to configure this will be needed.

If you want to accommodate this, you probably need to consider another modification to the model:  It is conceivable that there could be multiple signers, and different signers might each use a different option.  Therefore, to allow for differentiation by signer, you might want to consider introducing a corresponding parameter under a list of signers.  (You could even move the configuration parameters into this list, although frankly I would opt to keep those parameters global (and the use of the model simple), not per-signer.)
</ALEX>

Thanks,
Kent        // shepherd

v2.23.0 | Report a Bug | By Email