Re: [OPSAWG] draft-ietf-opsawg-sdi status

tom petch <ietfc@btconnect.com> Fri, 03 April 2020 16:29 UTC

From: tom petch <ietfc@btconnect.com>
To: Warren Kumari <warren@kumari.net>, Michael Richardson <mcr+ietf@sandelman.ca>
CC: opsawg <opsawg@ietf.org>
Date: Fri, 03 Apr 2020 16:29:29 +0000
Message-ID: <DB7PR07MB565789783E96B610C98CC186A0C70@DB7PR07MB5657.eurprd07.prod.outlook.com>
References: <49B4136E-589D-4E52-A9C2-1CD9281A8691@cisco.com> <25575.1583543855@localhost>, <CAHw9_i+CjvrioGHZS6nzw6JVs1ERFWwCW0=_cJjL3ffMXS2yuw@mail.gmail.com>
In-Reply-To: <CAHw9_i+CjvrioGHZS6nzw6JVs1ERFWwCW0=_cJjL3ffMXS2yuw@mail.gmail.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/opsawg/yw0RZDrZOwcmwhgy-_VcUxPyWTM>

From: OPSAWG <opsawg-bounces@ietf.org> on behalf of Warren Kumari <warren@kumari.net>
Sent: 02 April 2020 23:24
On Fri, Mar 6, 2020 at 8:17 PM Michael Richardson <mcr+ietf@sandelman.ca> wrote:
>
>
> I have posted a shepherd write-up.
>
> Some suggestions that I have, one of which came from the idnits:
>
> 1) IPv6 example maybe?  How would IPv6 work at all?
>    Can it work in a SLAAC-only environment?

Good catch - the only IPv4 address was in the example in the Appendix
('tftp 192.0.2.1 -c get SN19842256.enc') -- I've changed this to
instead be 'tftp 2001:0db8::23 -c get SN19842256.enc'.

I've also clarified that the document is more of a framework, and that
things like how devices perform their autoboot is background and
describes existing vendor functionality.

Currently the autoboot implementations mostly / all use DHCP. There
was a 6MAN document to add a "Boot File URL option" to RAs
(draft-qin-6man-nb-option), but this work seems to have been abandoned
- but, whatever the case, this functionality should work with any sort
of autoboot that delivers something that looks like a config file,
regardless of how that file is discovered...

>
> 2) no references for DHCP are there at all.  Probably there should be a few?
>    at least to RFC2131?

Gadzooks, yes, definitely! Fixed and pushed to github...
Thank you...

>
> Some questions about how the keys would be generated, kept, distributed,
> etc. were asked during WG adoption discussion (Tom Petch and others), and I'm
> not sure that those comments/questions were dealt with fully at the time.
> I don't think that this is blocking though.

I've added some (admittedly handwavey) text to an earlier commit, but
am expecting that I'll get some feedback during LC / SecDir / Security
AD reviews.

<tp>
I said months ago that I would provide text linking to previous practices, and every time I have sat down to write it I have gone round in circles. I was reminded of that when my MUA told me to log on as administrator so that it could overwrite my PC - NO! So, apologies.

I do think that the Security Considerations need more. Like the padlock on a web page, which could mean an encrypted connection with 40 bits of entropy, having a private/public key pair is useless unless it is strong enough and used in a good algorithm. Lifting recommended values from TLS 1.3 or, given the context, SSH is the sort of thing I have in mind. I note that the example uses RSA. I would be disappointed if a Security AD thought that this was ok :-)

Also, the cert needs checking, if only for the correct serial number or other fields that should match, but also for the other standard cert checks.

I think that more references are needed: DHCP, yes, but also RADIUS, TFTP, HTTPS, 802.1AR and S/MIME.

Tom Petch

Thank you for the shepherd writeup / review,
W

P.S: Apologies all for the terseness of this email (and other emails)
- I am attempting to improve my typing, and so am trying a split,
ortholinear keyboard, and am having a REALLY hard time adjusting...

>
> --
> Michael Richardson <mcr+IETF@sandelman.ca>, Sandelman Software Works
>  -= IPv6 IoT consulting =-



--
I don't think the execution is relevant when it was obviously a bad
idea in the first place.
This is like putting rabid weasels in your pants, and later expressing
regret at having chosen those particular rabid weasels and that pair
of pants.
   ---maf
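The certificate checks asked for above (serial number match plus the standard checks, and a key strong enough to be worth encrypting a config to), as an added example that is not part of draft-ietf-opsawg-sdi or of anyone's message in this thread. It assumes the pyca `cryptography` package; the 2048-bit RSA floor, the accepted curves and the refused signature hashes are this example's own thresholds, and `make_test_cert` only manufactures constructed test certificates so the checks can be exercised offline:

```python
# Added example, not from draft-ietf-opsawg-sdi or from anyone in this thread.
# Pre-flight checks an operator can run on a device certificate before encrypting
# a configuration to its public key.  Assumes the pyca "cryptography" package.
import datetime

from cryptography import x509
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import ec, padding, rsa
from cryptography.x509.oid import NameOID

MIN_RSA_BITS = 2048                                   # assumed floor, per current TLS/SSH advice
OK_CURVES = {"secp256r1", "secp384r1", "secp521r1"}   # assumed acceptable EC curves
WEAK_HASHES = {"md5", "sha1"}                         # signature hashes this example refuses


def _validity_utc(cert):
    """(not_before, not_after) as aware UTC datetimes, across cryptography versions."""
    nb = getattr(cert, "not_valid_before_utc", None)
    if nb is not None:
        return nb, cert.not_valid_after_utc
    utc = datetime.timezone.utc
    return (cert.not_valid_before.replace(tzinfo=utc),
            cert.not_valid_after.replace(tzinfo=utc))


def check_device_cert(cert_pem, expected_serial, issuer_pem=None, now=None):
    """Return a list of problems (empty = passed): subject serialNumber matches the
    device we intend to provision, validity window, key strength, signature hash and,
    if issuer_pem is given, that the cert was really signed by that issuer."""
    problems = []
    cert = x509.load_pem_x509_certificate(cert_pem)
    now = now or datetime.datetime.now(datetime.timezone.utc)

    attrs = cert.subject.get_attributes_for_oid(NameOID.SERIAL_NUMBER)
    subj_serial = attrs[0].value if attrs else None
    if subj_serial != expected_serial:
        problems.append(f"serial mismatch: cert has {subj_serial!r}, expected {expected_serial!r}")

    nb, na = _validity_utc(cert)
    if not nb <= now <= na:
        problems.append(f"outside validity window {nb.date()}..{na.date()}")

    pub = cert.public_key()
    if isinstance(pub, rsa.RSAPublicKey):
        if pub.key_size < MIN_RSA_BITS:
            problems.append(f"RSA key too small: {pub.key_size} < {MIN_RSA_BITS}")
    elif isinstance(pub, ec.EllipticCurvePublicKey):
        if pub.curve.name not in OK_CURVES:
            problems.append(f"unsupported curve {pub.curve.name}")
    else:
        problems.append(f"unsupported key type {type(pub).__name__}")

    halg = cert.signature_hash_algorithm
    if halg is None or halg.name in WEAK_HASHES:
        problems.append(f"weak or missing signature hash: {getattr(halg, 'name', None)}")
    elif issuer_pem is not None:
        issuer = x509.load_pem_x509_certificate(issuer_pem)
        if cert.issuer != issuer.subject:
            problems.append("issuer name does not match the supplied issuer cert")
        else:
            ipub = issuer.public_key()
            try:  # single-hop signature check only; not chain building or revocation
                if isinstance(ipub, rsa.RSAPublicKey):
                    ipub.verify(cert.signature, cert.tbs_certificate_bytes, padding.PKCS1v15(), halg)
                else:
                    ipub.verify(cert.signature, cert.tbs_certificate_bytes, ec.ECDSA(halg))
            except Exception:
                problems.append("signature does not verify against the supplied issuer cert")
    return problems


def make_test_cert(serial, key_bits=2048, not_before_days_ago=1, not_after_days=365, issuer=None):
    """Constructed test data: RSA cert with `serial` in its subject; self-signed unless
    issuer=(issuer_key, issuer_pem).  Returns (cert_pem, private_key)."""
    key = rsa.generate_private_key(public_exponent=65537, key_size=key_bits)
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "device"),
                      x509.NameAttribute(NameOID.SERIAL_NUMBER, serial)])
    if issuer is None:
        signer_key, issuer_name = key, name
    else:
        signer_key = issuer[0]
        issuer_name = x509.load_pem_x509_certificate(issuer[1]).subject
    now = datetime.datetime.now(datetime.timezone.utc)
    cert = (x509.CertificateBuilder()
            .subject_name(name).issuer_name(issuer_name)
            .public_key(key.public_key())
            .serial_number(x509.random_serial_number())
            .not_valid_before(now - datetime.timedelta(days=not_before_days_ago))
            .not_valid_after(now + datetime.timedelta(days=not_after_days))
            .sign(signer_key, hashes.SHA256()))
    return cert.public_bytes(serialization.Encoding.PEM), key


if __name__ == "__main__":
    pem, _ = make_test_cert("SN19842256")
    print("good cert:", check_device_cert(pem, "SN19842256") or "OK")
    print("wrong serial:", check_device_cert(pem, "SN00000000"))
```

Run the checks before whatever produces the `.enc` file (the draft's example uses `openssl smime -encrypt`): if the list comes back non-empty, do not encrypt the config to that key. The issuer check here is a one-hop signature check against a single supplied CA certificate, not full path building or revocation checking; a production workflow should also push the device cert through a proper path validator against the vendor's 802.1AR trust anchors.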
