Re: [OPSAWG] CALL FOR ADOPTION: Transport Layer Security Version 1.3 (TLS 1.3) Transport Model for the Simple Network Management Protocol Version 3 (SNMPv3)

Jürgen Schönwälder <j.schoenwaelder@jacobs-university.de> Thu, 09 December 2021 15:14 UTC

Return-Path: <J.Schoenwaelder@jacobs-university.de>
X-Original-To: opsawg@ietfa.amsl.com
Delivered-To: opsawg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 22B2E3A09E2 for <opsawg@ietfa.amsl.com>; Thu, 9 Dec 2021 07:14:28 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Level:
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=unavailable autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=jacobsuniversity.onmicrosoft.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Virc7Kvc3kxq for <opsawg@ietfa.amsl.com>; Thu, 9 Dec 2021 07:14:23 -0800 (PST)
Received: from EUR02-AM5-obe.outbound.protection.outlook.com (mail-am5eur02on061f.outbound.protection.outlook.com [IPv6:2a01:111:f400:fe07::61f]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 37FA63A09DF for <opsawg@ietf.org>; Thu, 9 Dec 2021 07:14:23 -0800 (PST)
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=h0WPlEhT2UEFFjoa06fD/bRTmrDDMrmfu2iPU6inRIzPKbszGakHdCA2ZmUYDJBWlAERZ2syORSXo0yhM1jrBNFebuizLzBWfzvXgNjIAC7Ggjm9Sg8Wuv+dh7FvO66CdVFk4FP4HkGQwugprlC6G7mFq3Zu01+TMddVutWHWbvPNIC7bkLjiymMCzvVnG6ruLyuHkRrBlBGG5Rhj1jngMdY0OG/RnsgUx8tHQUp//fOyn/6cdpNypfwop23hIGUmYV3fn3n9MzFSInp6jol5+bOVqvAcbOaaw/9vzWFHVSC2k5jMkWgIepIw58ICHLflPqmOXrDZsuzjfKDkenY6A==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=blY4ggwzawH+KhQbPQjeoT79+UbLcxn2hxtdiAyFPe0=; b=ZJSqNrVm/f/AzRkAwVWjCmXfnmbaq1vpqHyVfXr6GpvzB5b13vko0zDCRjS/rKCiBHI8Y15Xs1v7iX0SBBp7G/cna25br6RDctqnETmjgt20twVRZjRYlV5NiUCpASALP8BbwTtn6JECA1jehiLyHauP2N/fEzLUnf1sct5sojC1MQnCdcBvuU5i5bnJTZDUd4LFk8Y2CkE5njcHhsxL3ywpXbPqyLdchAM3Y0U5QlDtRVAJbzupoJuSCAAiizMrfsmCy6W/Nq0xE5Rxg5pVkMTEONxURuePdMG6blzc+NTCWbKSTGBe1ceBWb5448wLLjMQY6UISB3giEZgu89GhA==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=jacobs-university.de; dmarc=pass action=none header.from=jacobs-university.de; dkim=pass header.d=jacobs-university.de; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=jacobsuniversity.onmicrosoft.com; s=selector2-jacobsuniversity-onmicrosoft-com; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=blY4ggwzawH+KhQbPQjeoT79+UbLcxn2hxtdiAyFPe0=; b=OIQOFFdOQ1ceS55VWxn1hLODZQZyAuq28mdioQ1thLVV8vwTJTCJmWTvQylox/GPt8TXqafqxLmSohTd25P5dHWPnXk4709+MQBxybOvtbFVnzvCktBOYLg6kQsRh6cHPUZBUx4N2LndO0wP+8xvFWFLHJeDsxJLG1M9LmlRm1Q=
Authentication-Results: dkim=none (message not signed) header.d=none;dmarc=none action=none header.from=jacobs-university.de;
Received: from AM0P190MB0641.EURP190.PROD.OUTLOOK.COM (2603:10a6:208:194::23) by AM9P190MB1092.EURP190.PROD.OUTLOOK.COM (2603:10a6:20b:271::20) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.4755.24; Thu, 9 Dec 2021 15:14:10 +0000
Received: from AM0P190MB0641.EURP190.PROD.OUTLOOK.COM ([fe80::f12d:e975:556d:30f8]) by AM0P190MB0641.EURP190.PROD.OUTLOOK.COM ([fe80::f12d:e975:556d:30f8%3]) with mapi id 15.20.4778.013; Thu, 9 Dec 2021 15:14:10 +0000
Date: Thu, 09 Dec 2021 16:14:09 +0100
From: Jürgen Schönwälder <j.schoenwaelder@jacobs-university.de>
To: Kenneth Vaughn <kvaughn@trevilon.com>
Cc: "Joe Clarke (jclarke)" <jclarke=40cisco.com@dmarc.ietf.org>, "opsawg@ietf.org" <opsawg@ietf.org>, mjethanandani@gmail.com
Message-ID: <20211209151409.uhlh27p4vx3jb5y2@anna>
Reply-To: Juergen Schoenwaelder <j.schoenwaelder@jacobs-university.de>
Mail-Followup-To: Kenneth Vaughn <kvaughn@trevilon.com>, "Joe Clarke (jclarke)" <jclarke=40cisco.com@dmarc.ietf.org>, "opsawg@ietf.org" <opsawg@ietf.org>, mjethanandani@gmail.com
References: <BL1PR11MB53687965E7A0BD7C0F090073B89C9@BL1PR11MB5368.namprd11.prod.outlook.com> <20211119185732.pc6pv443asnfzcwx@anna.jacobs.jacobs-university.de> <20211119194037.mbjybtloihk7pt3s@anna.jacobs.jacobs-university.de> <1B61B48B-9744-4A1D-A63A-B4D0C8D96EDA@trevilon.com>
Content-Type: text/plain; charset="utf-8"
Content-Disposition: inline
Content-Transfer-Encoding: 8bit
In-Reply-To: <1B61B48B-9744-4A1D-A63A-B4D0C8D96EDA@trevilon.com>
X-ClientProxiedBy: AM0PR08CA0014.eurprd08.prod.outlook.com (2603:10a6:208:d2::27) To AM0P190MB0641.EURP190.PROD.OUTLOOK.COM (2603:10a6:208:194::23)
MIME-Version: 1.0
X-MS-PublicTrafficType: Email
X-MS-Office365-Filtering-Correlation-Id: d00a6cff-eaa8-4003-0a3b-08d9bb268d46
X-MS-TrafficTypeDiagnostic: AM9P190MB1092:EE_
X-Microsoft-Antispam-PRVS: <AM9P190MB10929217E16DA171E3553E29DE709@AM9P190MB1092.EURP190.PROD.OUTLOOK.COM>
X-MS-Oob-TLC-OOBClassifiers: OLM:10000;
X-MS-Exchange-SenderADCheck: 1
X-MS-Exchange-AntiSpam-Relay: 0
X-Microsoft-Antispam: BCL:0;
X-Forefront-Antispam-Report: CIP:255.255.255.255; CTRY:; LANG:en; SCL:1; SRV:; IPV:NLI; SFV:NSPM; H:AM0P190MB0641.EURP190.PROD.OUTLOOK.COM; PTR:; CAT:NONE; SFS:(7916004)(366004)(66574015)(1076003)(15650500001)(83380400001)(6506007)(508600001)(6486002)(8936002)(2906002)(53546011)(86362001)(38100700002)(85182001)(38350700002)(5660300002)(3450700001)(4326008)(316002)(33716001)(186003)(85202003)(66476007)(26005)(66556008)(19627235002)(54906003)(6916009)(40140700001)(66946007)(8676002)(6512007)(9686003)(52116002)(966005)(15974865002)(786003); DIR:OUT; SFP:1101;
X-MS-Exchange-AntiSpam-MessageData-ChunkCount: 1
X-OriginatorOrg: jacobs-university.de
X-MS-Exchange-CrossTenant-Network-Message-Id: d00a6cff-eaa8-4003-0a3b-08d9bb268d46
X-MS-Exchange-CrossTenant-AuthSource: AM0P190MB0641.EURP190.PROD.OUTLOOK.COM
X-MS-Exchange-CrossTenant-AuthAs: Internal
X-MS-Exchange-CrossTenant-OriginalArrivalTime: 09 Dec 2021 15:14:10.4370 (UTC)
X-MS-Exchange-CrossTenant-FromEntityHeader: Hosted
X-MS-Exchange-CrossTenant-Id: f78e973e-5c0b-4ab8-bbd7-9887c95a8ebd
X-MS-Exchange-CrossTenant-MailboxType: HOSTED
X-MS-Exchange-CrossTenant-UserPrincipalName: 1QTaleycpmpwflaIv0ySoBtorGFlDq/F+juRX8UYwxWd3SzOAf2F1BlAE8JwcU3CiJr8XGEbqygIY1KolYZ4i+RpaKtO6s35oKHTboWVzaY=
X-MS-Exchange-Transport-CrossTenantHeadersStamped: AM9P190MB1092
Archived-At: <https://mailarchive.ietf.org/arch/msg/opsawg/BvzJRngHe9HgmchL61dMVo2ncmc>
Subject: Re: [OPSAWG] CALL FOR ADOPTION: Transport Layer Security Version 1.3 (TLS 1.3) Transport Model for the Simple Network Management Protocol Version 3 (SNMPv3)
X-BeenThere: opsawg@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: OPSA Working Group Mail List <opsawg.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/opsawg>, <mailto:opsawg-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/opsawg/>
List-Post: <mailto:opsawg@ietf.org>
List-Help: <mailto:opsawg-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/opsawg>, <mailto:opsawg-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 09 Dec 2021 15:14:28 -0000

Ken,

not sure what "all these references" are. I am now looking at Section
15 of RFC 8447 and it states that the values in the TLS HashAlgorithm
registry are only applicable to versions of the (D)TLS protocol
prior to 1.3. This does not necessarily imply that we can't continue
to use them for the fingerprint algorithm. Hence, this might have all
been a false alarm... Perhaps we need to let IANA know somehow that
there are non-(D)TLS specifications depending on the registry values
so that they can take a note in case people in the future want to
deprecate the registry.

/js

On Thu, Dec 09, 2021 at 08:54:36AM -0600, Kenneth Vaughn wrote:
> Juergen,
> 
> It seems to me that all of these references argue for asking IANA to maintain the one-octet identifiers for the hashing algorithms (i.e., including the addition of new identifiers as new algorithms are developed), even after TLS 1.2 fades from use. That will allow the fingerprint algorithm to remain unchanged in all of these scenarios and greatly simplifies our update effort.
> 
> Regards,
> Ken Vaughn
> 
> Trevilon LLC
> 6606 FM 1488 RD #148-503
> Magnolia, TX 77354
> +1-936-647-1910
> +1-571-331-5670 cell
> kvaughn@trevilon.com
> www.trevilon.com
> 
> > On Nov 19, 2021, at 1:40 PM, Jürgen Schönwälder <j.schoenwaelder@jacobs-university.de> wrote:
> > 
> > Let me add one additional observation: RFC 6353 has been a blueprint
> > for the YANG data model for SNMP configuration defined in RFC 7407.
> > The ietf-x509-cert-to-name module, which is part of RFC 7407, defines
> > a tls-fingerprint, which is also using a 1 octet hashing algorithm
> > identifier. If we expand SNMP's TC, we should also look at the YANG
> > equivalent. I also spotted that the YANG definition is imported by
> > draft-ietf-netconf-https-notif-09.txt, I am not sure whether there are
> > any other imports of this YANG definition (or the SNMP TC).
> > 
> > /js
> > 
> > On Fri, Nov 19, 2021 at 07:57:32PM +0100, Jürgen Schönwälder wrote:
> >> Hi,
> >> 
> >> any clarifications that are necessary to run SNMP over (D)TLS 1.3 are
> >> worth to work on. Looking at the document, it leaves me a bit puzzled
> >> of what is actually changed. I think all text that is in RFC 6353 and
> >> not modified should be removed from the update (for example, I think
> >> there is no need to republish text concerning USM). For the MIB
> >> module, it would help a lot if the revision clause would detail what
> >> has actually changed instead of just saying "This version updated the
> >> MIB to support (D)TLS 1.3." I like to see concrete text like
> >> 
> >> - SnmpTLSFingerprint has been deprecated and SnmpTLS13Fingerprint
> >>  has been introduced.
> >> 
> >> - The snmpTlstmCertToTSNTable has been deprecated and a new
> >>  snmpTlstmCertToTSN13Table has been introduced.
> >> 
> >> - The snmpTlstmParamsTable has been deprecated and a new
> >>  snmpTlstmParams13Table has been introduced.
> >> 
> >> I find it problematic to embed "13" in the new object names as this
> >> suggests the objects work only for TLS 1.3, which I hope is not the
> >> case, i.e., I hope we do not have to do yet another update when (D)TLS
> >> 1.4 comes along in the future - or is the idea we actually do that? I
> >> think there should also be clear guidelines what implementations
> >> should do, implement the new objects and accept also (D)TLS 1.2
> >> configurations via them or should the new objects only be supported
> >> for (D)TLS 1.3 (and higher?) configurations?
> >> 
> >> /js
> >> 
> >> PS: There are also some bugs in the MIB module, mpTlstmAddrCount
> >>    should be snmpTlstmAddrCount and CONTACT-INFO string is not
> >>    terminated.
> >> 
> >> On Fri, Nov 19, 2021 at 04:26:50PM +0000, Joe Clarke (jclarke) wrote:
> >>> Hello, WG.  Kenneth presented
> >>> https://datatracker.ietf.org/doc/draft-vaughn-tlstm-update/ at IETF112
> >>> to us, and this was previously presented at SecDispatch at IETF111.  The
> >>> feeling there was that this work had merit, but Sec didn't have enough
> >>> SNMP experience to be the owner.  At the AD level, the feeling was that
> >>> perhaps opsawg did have the expertise and could pick this up.
> >>> 
> >>> Therefore, this serves as a three week call for adoption of this draft.
> >>> The three weeks is being given due to the US holiday next week.  There
> >>> have already been some comments regarding scope that have been raised
> >>> on-list, and Kenneth has called out potential courses of action in his
> >>> 112 presentation.
> >>> 
> >>> Please respond by December 10, 2021 regarding your thoughts on adopting
> >>> this work as well as comments on the work so far.
> >>> 
> >>> Thanks.
> >>> 
> >>> Joe
> >>> 
> >>> _______________________________________________
> >>> OPSAWG mailing list
> >>> OPSAWG@ietf.org
> >>> https://www.ietf.org/mailman/listinfo/opsawg
> >> 
> >> -- 
> >> Juergen Schoenwaelder           Jacobs University Bremen gGmbH
> >> Phone: +49 421 200 3587         Campus Ring 1 | 28759 Bremen | Germany
> >> Fax:   +49 421 200 3103         <https://www.jacobs-university.de/>
> > 
> > -- 
> > Juergen Schoenwaelder           Jacobs University Bremen gGmbH
> > Phone: +49 421 200 3587         Campus Ring 1 | 28759 Bremen | Germany
> > Fax:   +49 421 200 3103         <https://www.jacobs-university.de/>
> > 
> > _______________________________________________
> > OPSAWG mailing list
> > OPSAWG@ietf.org
> > https://www.ietf.org/mailman/listinfo/opsawg

-- 
Juergen Schoenwaelder           Jacobs University Bremen gGmbH
Phone: +49 421 200 3587         Campus Ring 1 | 28759 Bremen | Germany
Fax:   +49 421 200 3103         <https://www.jacobs-university.de/>
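The thread above turns on the encoding of the SnmpTLSFingerprint textual convention from RFC 6353: one octet taken from the IANA TLS HashAlgorithm registry (RFC 5246, Section 7.4.1.4.1) followed by the hash of the peer's DER-encoded certificate, with the whole value limited to 255 octets. The snippet below is an added example, not code from the draft, RFC 6353 or any of the participants. It encodes, parses and matches such fingerprints, rejects registry value 0 ("none") and identifiers that are not in the registry (the situation Juergen raises: the registry is frozen for TLS 1.3 but the one-octet values still have to be looked up), checks that the digest length agrees with the algorithm, and compares in constant time. The refusal of md5 and sha1 for certificate matching is this example's own policy, not a requirement of RFC 6353, and the certificate bytes are constructed stand-in data, not a real DER certificate.

```python
"""Encode, parse and match RFC 6353 SnmpTLSFingerprint values.

Layout (RFC 6353): value = hash_algorithm_id (1 octet) || hash(cert_der),
with hash_algorithm_id drawn from the IANA TLS HashAlgorithm registry and
the complete value limited to 255 octets (OCTET STRING (SIZE (0..255))).
"""
import hashlib
import hmac

# IANA TLS HashAlgorithm registry values (RFC 5246, Section 7.4.1.4.1).
# Value 0 is "none" and deliberately absent: it carries no digest.
TLS_HASH_ALGORITHM = {
    1: "md5",
    2: "sha1",
    3: "sha224",
    4: "sha256",
    5: "sha384",
    6: "sha512",
}

# Algorithms this example refuses for certificate identity matching.
# Policy of this example only; RFC 6353 itself does not forbid them.
WEAK_FOR_IDENTITY = {"md5", "sha1"}

# Constructed stand-in for a DER-encoded certificate (NOT a real cert);
# only its bytes matter, since the fingerprint is a hash over the DER.
SAMPLE_CERT_DER = b"\x30\x82\x01\x00" + bytes(range(256))


class FingerprintError(ValueError):
    """Malformed or unusable SnmpTLSFingerprint value."""


def make_fingerprint(cert_der: bytes, alg_id: int = 4) -> bytes:
    """Build an SnmpTLSFingerprint for cert_der; default algorithm is sha256 (4)."""
    name = TLS_HASH_ALGORITHM.get(alg_id)
    if name is None:
        raise FingerprintError(f"hash algorithm id {alg_id} is not in the TLS HashAlgorithm registry")
    value = bytes([alg_id]) + hashlib.new(name, cert_der).digest()
    if len(value) > 255:
        raise FingerprintError("SnmpTLSFingerprint exceeds 255 octets")
    return value


def parse_fingerprint(value: bytes) -> tuple[str, bytes]:
    """Split a stored value into (hashlib algorithm name, digest), validating both."""
    if not value:
        raise FingerprintError("empty SnmpTLSFingerprint")
    alg_id, digest = value[0], value[1:]
    name = TLS_HASH_ALGORITHM.get(alg_id)
    if name is None:
        raise FingerprintError(f"hash algorithm id {alg_id} is not in the TLS HashAlgorithm registry")
    expected = hashlib.new(name).digest_size
    if len(digest) != expected:
        raise FingerprintError(f"{name} digest must be {expected} octets, got {len(digest)}")
    return name, digest


def validate(value: bytes) -> str:
    """Classify a stored value: 'ok', 'weak' (parses but weak algorithm) or 'invalid'."""
    try:
        name, _ = parse_fingerprint(value)
    except FingerprintError:
        return "invalid"
    return "weak" if name in WEAK_FOR_IDENTITY else "ok"


def matches(stored: bytes, cert_der: bytes, allow_weak: bool = False) -> bool:
    """True if cert_der hashes to the stored fingerprint (constant-time compare)."""
    name, digest = parse_fingerprint(stored)
    if name in WEAK_FOR_IDENTITY and not allow_weak:
        raise FingerprintError(f"{name} fingerprints are refused for identity matching")
    actual = hashlib.new(name, cert_der).digest()
    return hmac.compare_digest(actual, digest)


if __name__ == "__main__":
    fp = make_fingerprint(SAMPLE_CERT_DER)          # 0x04 || SHA-256(cert)
    print(fp.hex(), validate(fp), matches(fp, SAMPLE_CERT_DER))
```

Because the algorithm octet is only ever looked up, not negotiated, a 1.3-only (D)TLS stack can keep using these registry values unchanged; what the parser above makes explicit is that any future value assigned to the registry must be added to the table before a stored fingerprint using it can be matched, which is the dependency Juergen suggests telling IANA about.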