Re: [secdir] [netconf] Secdir last call partial review of draft-ietf-netconf-tls-client-server-25

tom petch <ietfc@btconnect.com> Mon, 26 July 2021 11:20 UTC

From: tom petch <ietfc@btconnect.com>
To: "secdir@ietf.org" <secdir@ietf.org>, Watson Ladd <watsonbladd@gmail.com>
CC: "last-call@ietf.org" <last-call@ietf.org>, "draft-ietf-netconf-tls-client-server.all@ietf.org" <draft-ietf-netconf-tls-client-server.all@ietf.org>, "netconf@ietf.org" <netconf@ietf.org>
Date: Mon, 26 Jul 2021 11:20:16 +0000
Message-ID: <VI1PR07MB62567234A7F7AED54C9B6781A0E89@VI1PR07MB6256.eurprd07.prod.outlook.com>
References: <162693328770.27111.6978873343722392140@ietfa.amsl.com>
In-Reply-To: <162693328770.27111.6978873343722392140@ietfa.amsl.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdir/oqGCJphawKqG6AAarZQs8aJ_Y9U>

From: netconf <netconf-bounces@ietf.org> on behalf of Watson Ladd via Datatracker <noreply@ietf.org>
Sent: 22 July 2021 06:54

Review is partially done. Another assignment may be needed to complete it.

Reviewer: Watson Ladd
Review result: Ready

Dear readers,
Forgive my completing this review almost a month late.

I have reviewed this document as part of the security directorate's
ongoing effort to review all IETF documents being processed by the
IESG.  These comments were written primarily for the benefit of the
security area directors.  Document editors and WG chairs should treat
these comments just like any other last call comments.

The summary of the review is ready, because I can't find anything wrong with
it. Your comfort with this fact should be minimal.

Benjamin Kaduk writes me to inform you that the issues with the PSK in TLS 1.3
are being worked on.

And now on to my evaluation of the document. The problem is that I can't
evaluate this in any substantive way: it is a whole bunch of YANG, a technology
I am completely ignorant of. The few English sentences I saw looked fine, and I
didn't spot anything wrong, but I likely wouldn't have.

<tp>

Watson,

I am the one who has been stirring this, FUD mostly.

One issue is the support for TLS1.0, TLS1.1 which originally was more comprehensive than that for TLS1.3 and in some respects still is, as in the examples.  These versions are now deprecated in YANG; I would have omitted them entirely, but the WG consensus was otherwise.  I take it you are ok with this.  Of the TLS RFCs, only RFC8446 is a Normative Reference.

PSK and raw public keys were a late addition to the I-D.  I had forgotten that the latter were a type of certificate and so likely have no issues with TLS1.3, but with PSK I see little resemblance to earlier versions of TLS.  My sense is that the TLS WG really wants to have nothing to do with PSK (unless following a full handshake) even if there are two TLS I-Ds spelling out the consequences of using PSK alone.  Together with changes in terminology and protocol for PSK, I think it challenging to produce a model for PSK for both TLS1.2 and TLS1.3.  The I-D does tackle the TLS1.3 changes from ciphersuite but says nothing about the features it specifies for 3DES, GCM, ECC and their interaction with TLS1.3 (should it?)

I am aware of the issues EMU have had with TLS1.3 and see some application I-Ds providing a profile for the use of TLS1.3, but overall doubt the feasibility of producing an I-D which covers both TLS1.2 and TLS1.3 without going into the sort of detail that uta-tls13-iot-profile does.

My comfort is minimal!

Tom Petch

Sincerely,
Watson Ladd
