IETF Logo Mail Archive

[NGO] RE: FW: 10/18 agenda item - NETCONF WG Rechartering

badra@isima.fr Sun, 21 October 2007 18:45 UTC

Return-path: <ngo-bounces@ietf.org>
Received: from [127.0.0.1] (helo=stiedprmman1.va.neustar.com) by megatron.ietf.org with esmtp (Exim 4.43) id 1Ijfo2-0007Ke-FL; Sun, 21 Oct 2007 14:45:46 -0400
Received: from ngo by megatron.ietf.org with local (Exim 4.43) id 1Ijfo0-0007KB-RX for ngo-confirm+ok@megatron.ietf.org; Sun, 21 Oct 2007 14:45:44 -0400
Received: from [10.91.34.44] (helo=ietf-mx.ietf.org) by megatron.ietf.org with esmtp (Exim 4.43) id 1IjfnC-0006p0-BU for ngo@ietf.org; Sun, 21 Oct 2007 14:44:54 -0400
Received: from sp.isima.fr ([193.55.95.1]) by ietf-mx.ietf.org with esmtp (Exim 4.43) id 1Ijfn2-0002wP-ID for ngo@ietf.org; Sun, 21 Oct 2007 14:44:54 -0400
Received: from www.isima.fr (www-data@www.isima.fr [193.55.95.79]) by sp.isima.fr (8.9.3/jtpda-5.3.1) with SMTP id UAA692402 ; Sun, 21 Oct 2007 20:41:50 +0100
Received: from 86.72.162.23 (SquirrelMail authenticated user badra) by www.isima.fr with HTTP; Sun, 21 Oct 2007 20:45:55 +0200 (CEST)
Message-ID: <61725.86.72.162.23.1192992355.squirrel@www.isima.fr>
In-Reply-To: <EDC652A26FB23C4EB6384A4584434A04525ECD@307622ANEX5.global.avaya.com>
References: <EDC652A26FB23C4EB6384A4584434A04525CF0@307622ANEX5.global.avaya.com> <53216.137.194.164.217.1192806809.squirrel@www.isima.fr> <EDC652A26FB23C4EB6384A4584434A04525ECD@307622ANEX5.global.avaya.com>
Date: Sun, 21 Oct 2007 20:45:55 +0200
From: badra@isima.fr
To: "Romascanu=?utf-8?Q?=2C=C2_Dan=C2_?= (Dan)�" <dromasca@avaya.com>
User-Agent: SquirrelMail/1.4.2
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
X-Priority: 3
Importance: Normal
Content-Transfer-Encoding: quoted-printable
X-MIME-Autoconverted: from 8bit to quoted-printable by sp.isima.fr id UAA692402
X-Spam-Score: 0.0 (/)
X-Scan-Signature: 932cba6e0228cc603da43d861a7e09d8
Cc: ngo@ietf.org, � Sam� Hartman� <hartmans-ietf@mit.edu>
Subject: [NGO] RE: FW: 10/18 agenda item - NETCONF WG Rechartering
X-BeenThere: ngo@ietf.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: NETCONF Goes On - discussions on future work and extensions to NETCONF <ngo.ietf.org>
List-Unsubscribe: <https://www1.ietf.org/mailman/listinfo/ngo>, <mailto:ngo-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www1.ietf.org/pipermail/ngo>
List-Post: <mailto:ngo@ietf.org>
List-Help: <mailto:ngo-request@ietf.org?subject=help>
List-Subscribe: <https://www1.ietf.org/mailman/listinfo/ngo>, <mailto:ngo-request@ietf.org?subject=subscribe>
Errors-To: ngo-bounces@ietf.org

Dear Dan and all,

Following is a tentative, Comments are welcome..

"It should be possible to transport the Netconf protocol using several
different protocols. Netconf relies on the transport protocol for the
mutual authentication. During the authentication stage, the identity check
of the two communicating endpoints MUST be performed by the transport
protocol before any configuration or state data is sent to or received
from each other."

Regarding the document "Netconf over TLS", I will insert the following
text to meet above requirements:

Within TLS, the server authentication is usually by default using a X.509
certificate. During the TLS negotiation, the client MUST carefully examine
the certificate presented by the server to determine if it meets their
expectations. Particularly, the client MUST check its understanding of the
server hostname against the server's identity as presented in the server
Certificate message, in order to prevent man-in-the-middle attacks.
Matching is performed according to these rules in section 5 of RFC4642.
According to RFC3546, a TLS client MAY include an extension of type
"server_name" in the (extended) client hello to tell a server the name of
the server it is contacting.

If the server authenticates a client using certificate, the server MUST
validate the certificate and check the client identity. The general
algorithm described RFC4642 can be used for the client certificate
validation. The client identity handled through its certificate MUST be
verified and authenticated by the server according to local policy before
any configuration or state data is sent to or received from the server.
The client identity could be considered to be the Common Name field in the
X.509 v3 certificate or any of the fields in the AlternativeName extension
defined in RFC3280. In this latter case, defined options include, among
others, an Internet electronic mail address, a DNS name, an IP address,
MAC, or a uniform resource identifier (URI) (RFC2459 section 4.2.1.7).
Multiple name forms, and multiple instances of each name form, may be
included.

Best regards,
Badra

>
> Badra,
>
> At this point we need to provide text in the charter to make the security
> AD confident that the requirements for dealing with this issue are clear
> for the Working Group. It is exactly the fact that ISMS and SYSLOG did not
> do too good a job on this respect that seems to worry Sam Hartman. Can you
> make a suggestion on this respect?
>
> Dan
>
>
>
>
>
>
>> -----Original Message-----
>> From: badra@isima.fr [mailto:badra@isima.fr]
>> Sent: Friday, October 19, 2007 5:13 PM
>> To: Romascanu, Dan (Dan)
>> Cc: Mohamad Badra; �
>> Subject: Re: FW: 10/18 agenda item - NETCONF WG Rechartering
>>
>> Dear Dan and all,
>>
>> I think it is not easy to provide a generic solution. Since
>> TLS left that to the application itself, I wish we have a
>> common text for all network managment protocols* to identify
>> the clients when TLS is used.
>>
>> For the moment, what about remplacing the section 3.2 of
>> NETCONF over TLS with the following text? Please advice...
>>
>>    If a server authenticates a client using certificate, the
>> server MUST
>>    validate the certificate and check the client identity. The general
>>    algorithm described in section 3.1 can be used for the client
>>    certificate validation. The user identity could be
>> considered to be the
>>    Common Name field in the X.509 v3 certificate or any of
>> the fields in
>>    the AlternativeName extension defined in RFC3280. In this
>> latter case,
>>    defined options include, among others, an Internet electronic mail
>>    address, a DNS name, an IP address, MAC, or a uniform resource
>>    identifier (URI) (RFC2459 section 4.2.1.7). Multiple name
>> forms, and
>>    multiple instances of each name form, may be included.
>>
>> Best regards,
>> Badra
>>
>> * draft-ietf-syslog-transport-tls-10,
>> draft-marinov-isms-tlstm-00.txt and isms are not clear
>> regarding the client identification.
>>
>>
>> > Badra and all,
>> >
>> > Sam Hartman who is one of the Security Area Directors expressed
>> > concern that the NETCONF over TLS charter proposal does not set the
>> > requirements for user authentication. As these issues proved to be
>> > problematic in syslog and isms, we need more clear requirements in
>> > order to have the NETCONF charter approved including this
>> item. Please propose.
>> >
>> > Dan
>> >
>> >
>> >
>> >
>> >
>> > -----Original Message-----
>> > From: Sam Hartman [mailto:hartmans-ietf@mit.edu]
>> > Sent: Thursday, October 18, 2007 5:31 PM
>> > To: Romascanu, Dan (Dan)
>> > Cc: Internet Engineering Steering Group
>> > Subject: Re: 10/18 agenda item - NETCONF WG Rechartering
>> >
>> >
>> >
>> > Hi.  I am concerned that the TLS charter item is not
>> specific enough
>> > to lead anywhere clear.  In particular, what are the
>> requirements for
>> > user authentication?
>> >
>>
>



_______________________________________________
NGO mailing list
NGO@ietf.org
https://www1.ietf.org/mailman/listinfo/ngo

v2.23.0 | Report a Bug | By Email