IETF Logo Mail Archive

Re: [OPSAWG] CALL FOR ADOPTION: Transport Layer Security Verion 1.3 (TLS 1.3) Transport Model for the Simple Network Management Protocol Version 3 (SNMPv3)

Kenneth Vaughn <kvaughn@trevilon.com> Thu, 09 December 2021 16:17 UTC

Return-Path: <kvaughn@trevilon.com>
X-Original-To: opsawg@ietfa.amsl.com
Delivered-To: opsawg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 019A83A0E48 for <opsawg@ietfa.amsl.com>; Thu, 9 Dec 2021 08:17:30 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.898
X-Spam-Level:
X-Spam-Status: No, score=-1.898 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=unavailable autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (768-bit key) header.d=trevilon.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Uq5Q4Un1XtNS for <opsawg@ietfa.amsl.com>; Thu, 9 Dec 2021 08:17:25 -0800 (PST)
Received: from tre.trevilon.com (tre.trevilon.com [198.57.226.42]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 314213A0E47 for <opsawg@ietf.org>; Thu, 9 Dec 2021 08:17:25 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=trevilon.com; s=default; h=References:To:Cc:In-Reply-To:Date:Subject: Mime-Version:Content-Type:Message-Id:From:Sender:Reply-To: Content-Transfer-Encoding:Content-ID:Content-Description:Resent-Date: Resent-From:Resent-Sender:Resent-To:Resent-Cc:Resent-Message-ID:List-Id: List-Help:List-Unsubscribe:List-Subscribe:List-Post:List-Owner:List-Archive; bh=spxpwbLZwRNkX1EwIVTW04BOVQByo9AygPPj++XtN5w=; b=rr3j0r2i/XKRJ2vm+h7pNbH2oj 8RQ84cb9/uWkCZyqc2X0RtdnLY0UpSzUtppUjpAs4200BnFNhH4/+vC7lhXdIUX2/OgeBkHxQcXPd eGp+MyJuPhI4rQlQ8yw+eotAR;
Received: from mobile-166-173-248-249.mycingular.net ([166.173.248.249]:62590 helo=smtpclient.apple) by tre.trevilon.com with esmtpsa (TLS1.2) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.94.2) (envelope-from <kvaughn@trevilon.com>) id 1mvM6k-0004kQ-UU; Thu, 09 Dec 2021 16:17:23 +0000
From: Kenneth Vaughn <kvaughn@trevilon.com>
Message-Id: <206AB0A3-3629-4B3E-9402-27C96255E867@trevilon.com>
Content-Type: multipart/alternative; boundary="Apple-Mail=_48992DCA-2222-4B1E-887A-240DCA4EF2B0"
Mime-Version: 1.0 (Mac OS X Mail 14.0 \(3654.120.0.1.13\))
Date: Thu, 09 Dec 2021 10:17:20 -0600
In-Reply-To: <20211209151409.uhlh27p4vx3jb5y2@anna>
Cc: "Joe Clarke (jclarke)" <jclarke=40cisco.com@dmarc.ietf.org>, "opsawg@ietf.org" <opsawg@ietf.org>, mjethanandani@gmail.com
To: Juergen Schoenwaelder <j.schoenwaelder@jacobs-university.de>
References: <BL1PR11MB53687965E7A0BD7C0F090073B89C9@BL1PR11MB5368.namprd11.prod.outlook.com> <20211119185732.pc6pv443asnfzcwx@anna.jacobs.jacobs-university.de> <20211119194037.mbjybtloihk7pt3s@anna.jacobs.jacobs-university.de> <1B61B48B-9744-4A1D-A63A-B4D0C8D96EDA@trevilon.com> <20211209151409.uhlh27p4vx3jb5y2@anna>
X-Mailer: Apple Mail (2.3654.120.0.1.13)
X-AntiAbuse: This header was added to track abuse, please include it with any abuse report
X-AntiAbuse: Primary Hostname - tre.trevilon.com
X-AntiAbuse: Original Domain - ietf.org
X-AntiAbuse: Originator/Caller UID/GID - [47 12] / [47 12]
X-AntiAbuse: Sender Address Domain - trevilon.com
X-Get-Message-Sender-Via: tre.trevilon.com: authenticated_id: kvaughn@trevilon.com
X-Authenticated-Sender: tre.trevilon.com: kvaughn@trevilon.com
Archived-At: <https://mailarchive.ietf.org/arch/msg/opsawg/PPqSdC4kPcl-2OBk9iqgJntSJzA>
Subject: Re: [OPSAWG] CALL FOR ADOPTION: Transport Layer Security Verion 1.3 (TLS 1.3) Transport Model for the Simple Network Management Protocol Version 3 (SNMPv3)
X-BeenThere: opsawg@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: OPSA Working Group Mail List <opsawg.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/opsawg>, <mailto:opsawg-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/opsawg/>
List-Post: <mailto:opsawg@ietf.org>
List-Help: <mailto:opsawg-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/opsawg>, <mailto:opsawg-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 09 Dec 2021 16:17:30 -0000

> "all these references"
RFC 7407
draft-ietf-netconf-https-notif-09.txt
any other imports of this YANG definition

> the values in the TLS HashAlgorithm
> registry are only applicable to version of (D)TLS protocol versions
> prior to 1.3.  Perhaps we need to let IANA know somehow that
> there are non (D)TLS specifications depending on the registry values
Correct, based on my reading of the standards, I was concerned that, at some point in the future, hash algorithms might not be assigned the one octet identifier. This concerned seemed to be shared by several others (e.g., including those in the TLS community). If we can convince IANA to continue to assign the one octet values, we should be able to continue to use the existing fingerprint algorithm. That would then make this update quite minor, although I believe it still necessary to clarify other ambiguities that arise.

Regards,
Ken Vaughn

Trevilon LLC
6606 FM 1488 RD #148-503
Magnolia, TX 77354
+1-936-647-1910
+1-571-331-5670 cell
kvaughn@trevilon.com
www.trevilon.com

> On Dec 9, 2021, at 9:14 AM, Jürgen Schönwälder <j.schoenwaelder@jacobs-university.de> wrote:
> 
> Ken,
> 
> note sure what "all these references" are. I am now looking at Section
> 15 of RFC 8447 and it states that the values in the TLS HashAlgorithm
> registry are only applicable to version of (D)TLS protocol versions
> prior to 1.3. This does not necessarily imply that we can't continue
> to use them for the fingerprint algorithm. Hence, this might have all
> been a false alarm... Perhaps we need to let IANA know somehow that
> there are non (D)TLS specifications depending on the registry values
> so that they can take a note in case people in the future want to
> deprecate the registry.
> 
> /js
> 
> On Thu, Dec 09, 2021 at 08:54:36AM -0600, Kenneth Vaughn wrote:
>> Juergen,
>> 
>> It seems to me that all of these references argue for asking IANA to maintain the one-octet identifiers for the hashing algorithms (i.e., including the addition of new identifiers as new algorithms are developed), even after TLS 1.2 fades from use. That will allow the fingerprint algorithm to remain unchanged in all of these scenarios and greatly simplifies our update effort.
>> 
>> Regards,
>> Ken Vaughn
>> 
>> Trevilon LLC
>> 6606 FM 1488 RD #148-503
>> Magnolia, TX 77354
>> +1-936-647-1910
>> +1-571-331-5670 cell
>> kvaughn@trevilon.com
>> www.trevilon.com
>> 
>>> On Nov 19, 2021, at 1:40 PM, Jürgen Schönwälder <j.schoenwaelder@jacobs-university.de> wrote:
>>> 
>>> Let me add one additional observation: RFC 6353 has been a blueprint
>>> for the YANG data model for SNMP configuration defined in RFC 7407.
>>> The ietf-x509-cert-to-name module, which is part of RFC 7407, defines
>>> a tls-fingerprint, which is also using a 1 octet hashing algorithm
>>> identifier. If we expand SNMP's TC, we should also look at the YANG
>>> equivalent. I also spotted that the YANG definition is imported by
>>> draft-ietf-netconf-https-notif-09.txt, I am not sure whether there are
>>> any other imports of this YANG definition (or the SNMP TC).
>>> 
>>> /js
>>> 
>>> On Fri, Nov 19, 2021 at 07:57:32PM +0100, Jürgen Schönwälder wrote:
>>>> Hi,
>>>> 
>>>> any clarifications that are necessary to run SNMP over (D)TLS 1.3 are
>>>> worth to work on. Looking at the document, it leaves me a bit puzzled
>>>> of what is actually changed. I think all text that is in RFC 6353 and
>>>> not modified should be removed from the update (for example, I think
>>>> there is no need to republish text concerning USM). For the MIB
>>>> module, it would help a lot if the revision clause would detail what
>>>> has actually changed instead of just saying "This version updated the
>>>> MIB to support (D)TLS 1.3." I like to see concrete text like
>>>> 
>>>> - SnmpTLSFingerprint has been depracted and SnmpTLS13Fingerprint
>>>> has been introduced.
>>>> 
>>>> - The snmpTlstmCertToTSNTable has been deprecated and a new
>>>> snmpTlstmCertToTSN13Table has been introduced.
>>>> 
>>>> - The snmpTlstmParamsTable has been deprecated and a new
>>>> snmpTlstmParams13Table has been introduced
>>>> 
>>>> I find it problematic to embed "13" in the new object names as this
>>>> suggests the objects work only for TLS 1.3, which I hope is not the
>>>> case, i.e., I hope we do not have do yet another update when (D)TLS
>>>> 1.4 comes along in the future - or is the idea we actually do that? I
>>>> think there should also be clear guidelines what implementations
>>>> should do, implement the new objects and accept also D(TLS) 1.2
>>>> configurations via them or should the new objects only be supported
>>>> for D(TLS) 1.3 (and higher?) configurations?
>>>> 
>>>> /js
>>>> 
>>>> PS: There are also some bugs in the MIB module, mpTlstmAddrCount
>>>>   should be snmpTlstmAddrCount and CONTACT-INFO string is not
>>>>   terminated.
>>>> 
>>>> On Fri, Nov 19, 2021 at 04:26:50PM +0000, Joe Clarke (jclarke) wrote:
>>>>> Hello, WG.  Kenneth presented
>>>>> https://datatracker.ietf.org/doc/draft-vaughn-tlstm-update/ at IETF112
>>>>> to us, and this was previously presented at SecDispatch at IETF111.  The
>>>>> feeling there was that this work had merit, but Sec didn't have enough
>>>>> SNMP experience to be the owner.  At the AD level, the feeling was that
>>>>> perhaps opsawg did have the expertise and could pick this up.
>>>>> 
>>>>> Therefore, this serves as a three week call for adoption of this draft. 
>>>>> The three weeks is being given due to the US holiday next week.  There
>>>>> has already been some comments regarding scope that have been raised
>>>>> on-list, and Kenneth has called out potential courses of action in his
>>>>> 112 presentation.
>>>>> 
>>>>> Please respond by December 10, 2021 regarding your thoughts on adopting
>>>>> this work as well as comments on the work so far.
>>>>> 
>>>>> Thanks.
>>>>> 
>>>>> Joe
>>>>> 
>>>>> _______________________________________________
>>>>> OPSAWG mailing list
>>>>> OPSAWG@ietf.org
>>>>> https://www.ietf.org/mailman/listinfo/opsawg
>>>> 
>>>> -- 
>>>> Juergen Schoenwaelder           Jacobs University Bremen gGmbH
>>>> Phone: +49 421 200 3587         Campus Ring 1 | 28759 Bremen | Germany
>>>> Fax:   +49 421 200 3103         <https://www.jacobs-university.de/>
>>> 
>>> -- 
>>> Juergen Schoenwaelder           Jacobs University Bremen gGmbH
>>> Phone: +49 421 200 3587         Campus Ring 1 | 28759 Bremen | Germany
>>> Fax:   +49 421 200 3103         <https://www.jacobs-university.de/ <https://www.jacobs-university.de/> <https://www.jacobs-university.de/ <https://www.jacobs-university.de/>>>
>>> 
>>> _______________________________________________
>>> OPSAWG mailing list
>>> OPSAWG@ietf.org <mailto:OPSAWG@ietf.org> <mailto:OPSAWG@ietf.org <mailto:OPSAWG@ietf.org>>
>>> https://www.ietf.org/mailman/listinfo/opsawg <https://www.ietf.org/mailman/listinfo/opsawg> <https://www.ietf.org/mailman/listinfo/opsawg <https://www.ietf.org/mailman/listinfo/opsawg>>
> 
> -- 
> Juergen Schoenwaelder           Jacobs University Bremen gGmbH
> Phone: +49 421 200 3587         Campus Ring 1 | 28759 Bremen | Germany
> Fax:   +49 421 200 3103         <https://www.jacobs-university.de/ <https://www.jacobs-university.de/>>

v2.23.0 | Report a Bug | By Email