[netmod] Re: AD - Re: AUTH48: RFC-to-be 9644 <draft-ietf-netconf-ssh-client-server-40> for your review
Kent Watsen <kent+ietf@watsen.net> Thu, 12 September 2024 16:01 UTC
Return-Path: <01000191e6f83d74-cc10b47d-554c-4882-8da0-37ba8861baeb-000000@amazonses.watsen.net>
X-Original-To: netmod@ietfa.amsl.com
Delivered-To: netmod@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 41D17C14F748 for <netmod@ietfa.amsl.com>; Thu, 12 Sep 2024 09:01:56 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.906
X-Spam-Level:
X-Spam-Status: No, score=-1.906 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_MSPIKE_H3=0.001, RCVD_IN_MSPIKE_WL=0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=amazonses.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Da-yG5JFCi1p for <netmod@ietfa.amsl.com>; Thu, 12 Sep 2024 09:01:55 -0700 (PDT)
Received: from a8-96.smtp-out.amazonses.com (a8-96.smtp-out.amazonses.com [54.240.8.96]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature ECDSA (P-256) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 21A60C14F738 for <netmod@ietf.org>; Thu, 12 Sep 2024 09:01:54 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/simple; s=ug7nbtf4gccmlpwj322ax3p6ow6yfsug; d=amazonses.com; t=1726156914; h=From:Message-Id:Content-Type:Mime-Version:Subject:Date:In-Reply-To:Cc:To:References:Feedback-ID; bh=plIewu6lti3jnSfuVO1XyxZSsXWm6kolsFvHZPLv444=; b=lqkpFX4Yyw5t3oI7hVb71L4QqH+GtAoMa2ZnbPXkdNACpB57tpRBq46tOjiVnT2n t5E+DLNgn0E+3eIh2cJqEfirjz1YZwVVGgMUAErgQPwQMBEKG6UDF5CavtCk3yXpYao xZ4eydGtiY66nQ7W0OuV6EJfsyFzo9TTzZvWZvks=
From: Kent Watsen <kent+ietf@watsen.net>
Message-ID: <01000191e6f83d74-cc10b47d-554c-4882-8da0-37ba8861baeb-000000@email.amazonses.com>
Content-Type: multipart/alternative; boundary="Apple-Mail=_577B8877-29A3-4595-921E-3300D79DFBBF"
Mime-Version: 1.0 (Mac OS X Mail 16.0 \(3774.400.31\))
Date: Thu, 12 Sep 2024 16:01:54 +0000
In-Reply-To: <DU2PR02MB10160807B1741AC3C990199AF88642@DU2PR02MB10160.eurprd02.prod.outlook.com>
To: Mohamed Boucadair <mohamed.boucadair@orange.com>
References: <DU2PR02MB10160B7C5E0C210F82B774BD788642@DU2PR02MB10160.eurprd02.prod.outlook.com> <01000191e5e7bd22-2999d337-8925-470f-abb4-890ca32884aa-000000@email.amazonses.com> <DU2PR02MB10160807B1741AC3C990199AF88642@DU2PR02MB10160.eurprd02.prod.outlook.com>
X-Mailer: Apple Mail (2.3774.400.31)
Feedback-ID: ::1.us-east-1.DKmIRZFhhsBhtmFMNikgwZUWVrODEw9qVcPhqJEI2DA=:AmazonSES
X-SES-Outgoing: 2024.09.12-54.240.8.96
Message-ID-Hash: 7XYDABIQHBBC344XCAS56WGA77ZFJ2MJ
X-Message-ID-Hash: 7XYDABIQHBBC344XCAS56WGA77ZFJ2MJ
X-MailFrom: 01000191e6f83d74-cc10b47d-554c-4882-8da0-37ba8861baeb-000000@amazonses.watsen.net
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; header-match-netmod.ietf.org-0; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
CC: "netmod@ietf.org" <netmod@ietf.org>
X-Mailman-Version: 3.3.9rc4
Precedence: list
Subject: [netmod] Re: AD - Re: AUTH48: RFC-to-be 9644 <draft-ietf-netconf-ssh-client-server-40> for your review
List-Id: NETMOD WG list <netmod.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/netmod/KJoBZCXsf-2YE2r2yw_WmcVrP6I>
List-Archive: <https://mailarchive.ietf.org/arch/browse/netmod>
List-Help: <mailto:netmod-request@ietf.org?subject=help>
List-Owner: <mailto:netmod-owner@ietf.org>
List-Post: <mailto:netmod@ietf.org>
List-Subscribe: <mailto:netmod-join@ietf.org>
List-Unsubscribe: <mailto:netmod-leave@ietf.org>
Hi Med, Sorry this is taking so long, but we’re getting there! ;) > > The reference of QUIC is to the protocol, RFC 9000, not NETCONF over QUIC, an I-D as you note; just as the reference is to SSH protocol, RFC 4252, not NETCONF over SSH, RFC 6242. > [Med] I understand the intent is to cite the transport themselves, but the text refers to MTI of these “YANG-based management protocols”. I don’t think we can make any claim about QUIC here as we don’t have an authoritative spec for that. If we want to cite QUIC, some further tweaking to the text is needed, IMO. > > RESTCONF already supports QUIC. > [Med] Yes, RESTCONF does not require a specific version of HTTP but still TLS is what is indicated as MTI for RC per rfc8040#section-2.1. I was thinking about this nuance too. QUIC uses TLS, so I think rfc8040#section-2.1 is still satisfied. That said, the NETCONF WG will be working on a RESTCONF-next version, for which it would be easy to add some clarifying text - agreed? I just added this (https://github.com/netconf-wg/restconf-next/issues/19) - good for now? > No transport-binding document will be written to enable QUIC for RC. > [Med] Isn’t rfc9114 that is applicable for RC, rather than 9000? RFC 9112: HTTP/1.1 (i.e., TCP-or-TLS over TCP) RFC 9113: HTTP/2 (i.e., TLS over TCP) RFC 9114: HTTP/3 (i.e., QUIC, i.e., TLS over UDP) If we ref 9114, then we’d have to ref the others also, which isn’t what we want. This is why 9000 is refed - makes sense? > [mj] Why do you say that? The statement says the protocols have mandatory-to-implement … > [Med] Having an MTI does not mean that MTI is actually used/enabled. > > Touché :) > > One could process “implement” to be at the runtime-level or code-level. I meant the former, and see that you’re interpreting the later, which is fair. > > First, I wonder if there isn’t a formal definition for MTI that disambiguates the two cases. Looking, I see MTI used in the context of algorithms, which lends itself to the “code level” interpretation. Fine. > > [Med] Thanks > > Then either s/implement/use/ or s/-to-implement// ? > [Med] « have to use » would be better, IMO. Hmmm, so this? These protocols have to use a secure transport layer (e.g., SSH [RFC4252], TLS [RFC8446], QUIC [RFC9000]) and have to use mutual authentication. vs These protocols have mandatory to use secure transport layers (e.g., SSH [RFC4252], TLS [RFC8446], QUIC [RFC9000]) and mandatory to use mutual authentication. Vs These protocols have mandatory secure transport layers (e.g., SSH [RFC4252], TLS [RFC8446], QUIC [RFC9000]) and mandatory mutual authentication. Of the three, I like the last one most, but like the first one (yours) next. I like the last one since the statement seems stronger. One idea might be this: These protocols MUST use a secure transport layer (e.g., SSH [RFC4252], TLS [RFC8446], QUIC [RFC9000]) and MUST use mutual authentication. But I don’t think RFC2119 language should be in the Security Considerations section. Thoughts? > This section is modeled after the template described in Section 3.7 of [RFCAAAA]. > > This first line wasn’t picked up. Note that the word “modeled” gives an authors a little flexibility, as is needed sometimes. > > To point, the RFC Editor takes the words literally and raise issues when things aren’t exactly same…until this word was changed. > > Honestly, the same should be done to all of the templates defined in the document. > > [Med] This is fair. Please see: https://github.com/netmod-wg/rfc8407bis/commit/972970ce16c050d8420f50f07637f4e00770cdd5 Thanks, both for accommodating and the link. Looking at the PR, it is only for this template. Do you not agree that “modeled after” is good for all of the templates? > The "<module-name>" YANG module defines a data model that is designed to be accessed via YANG- > > IIRC, you use different words than “data model”. I’m trying to use sufficiently ambiguous language that includes also modules that only define identities, or only enumerations, or only typedefs, etc. > > I was going to write “data model, or parts of data models,” but it seemed unnecessarily wordy and obscures the main point of the sentence. > > I don’t deny that my text could be improved, but your take didn’t seem right either. Can you reply to this? So we have: The "<module-name>" YANG module defines a data model that is designed to be accessed via YANG-based management protocols, vs. The "<module-name>" YANG module defines a schema for data that is designed to be accessed via YANG-based management protocols, > FWIW, I only know about your changes to my text because I received GitHub notifications. Was a link for the PR sent? In any case, it would’ve been nice if you’d stated that changes had been made, rather than me having to discover them on my own. > > [Med] I didn’t share the PR because that wasn’t ready yet and I was waiting for the discussion to converge to have something I’m more happy with it. Now that you are on it, feel free to propose your edits directly there :-) Thanks. I’m unsure what you mean, but I don’t want to submit PRs and, honestly, I don’t want to look at PRs. I want the full conversation to be on the list. Kent // contributor
- [netmod] Re: AD - Re: AUTH48: RFC-to-be 9644 <dra… mohamed.boucadair
- [netmod] Fwd: AD - Re: AUTH48: RFC-to-be 9644 <dr… Kent Watsen
- [netmod] Re: AD - Re: AUTH48: RFC-to-be 9644 <dra… Kent Watsen
- [netmod] Re: AD - Re: AUTH48: RFC-to-be 9644 <dra… Kent Watsen
- [netmod] Re: AD - Re: AUTH48: RFC-to-be 9644 <dra… Mahesh Jethanandani
- [netmod] Re: AD - Re: AUTH48: RFC-to-be 9644 <dra… mohamed.boucadair
- [netmod] Re: AD - Re: AUTH48: RFC-to-be 9644 <dra… mohamed.boucadair
- [netmod] Re: AD - Re: AUTH48: RFC-to-be 9644 <dra… Kent Watsen
- [netmod] Re: AD - Re: AUTH48: RFC-to-be 9644 <dra… mohamed.boucadair
- [netmod] Re: AD - Re: AUTH48: RFC-to-be 9644 <dra… Mahesh Jethanandani
- [netmod] Re: AD - Re: AUTH48: RFC-to-be 9644 <dra… mohamed.boucadair
- [netmod] Re: AD - Re: AUTH48: RFC-to-be 9644 <dra… mohamed.boucadair