Re: [secdir] Secdir Review of draft-ietf-netconf-rfc5539bis-09

t.p. <> Tue, 10 March 2015 12:32 UTC

Return-Path: <>
Received: from localhost ( []) by (Postfix) with ESMTP id 325DE1ACD54; Tue, 10 Mar 2015 05:32:56 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -1.901
X-Spam-Status: No, score=-1.901 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, SPF_HELO_PASS=-0.001] autolearn=ham
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id yPQQojV_aimY; Tue, 10 Mar 2015 05:32:53 -0700 (PDT)
Received: from ( [IPv6:2a01:111:f400:fe00::760]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)) (No client certificate requested) by (Postfix) with ESMTPS id 021BA1ACDB2; Tue, 10 Mar 2015 05:32:52 -0700 (PDT)
Received: from ( by ( with Microsoft SMTP Server (TLS) id; Tue, 10 Mar 2015 12:15:17 +0000
Received: from pc6 ( by ( with Microsoft SMTP Server (TLS) id; Tue, 10 Mar 2015 12:15:16 +0000
Message-ID: <000b01d05b2b$8d3ab2a0$>
From: t.p. <>
To: Sam Hartman <>, <>, <>, <>
References: <>
Date: Tue, 10 Mar 2015 12:12:14 +0000
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2800.1106
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1106
X-Originating-IP: []
X-ClientProxiedBy: ( To (
Authentication-Results:; dkim=none (message not signed) header.d=none;
X-Microsoft-Antispam: UriScan:; BCL:0; PCL:0; RULEID:; SRVR:AM3PR07MB242; UriScan:; BCL:0; PCL:0; RULEID:; SRVR:AM3PR07MB0711;
X-Forefront-Antispam-Report: BMV:1; SFV:NSPM; SFS:(10019020)(6009001)(13464003)(377454003)(51704005)(129404003)(33646002)(50226001)(61296003)(116806002)(1556002)(86362001)(50466002)(230783001)(19580405001)(23756003)(19580395003)(44716002)(87976001)(2201001)(77096005)(77156002)(62966003)(47776003)(42186005)(40100003)(46102003)(76176999)(92566002)(62236002)(122386002)(81686999)(81816999)(66066001)(44736004)(50986999)(1456003)(2171001)(84392001)(74416001)(7726001); DIR:OUT; SFP:1102; SCL:1; SRVR:AM3PR07MB242; H:pc6; FPR:; SPF:None; MLV:sfv; LANG:en;
X-Microsoft-Antispam-PRVS: <>
X-Exchange-Antispam-Report-Test: UriScan:;
X-Exchange-Antispam-Report-CFA-Test: BCL:0; PCL:0; RULEID:(601004)(5002009)(5005006); SRVR:AM3PR07MB242; BCL:0; PCL:0; RULEID:; SRVR:AM3PR07MB242;
X-Forefront-PRVS: 051158ECBB
X-MS-Exchange-CrossTenant-OriginalArrivalTime: 10 Mar 2015 12:15:16.6850 (UTC)
X-MS-Exchange-CrossTenant-FromEntityHeader: Hosted
X-MS-Exchange-Transport-CrossTenantHeadersStamped: AM3PR07MB242
Archived-At: <>
X-Mailman-Approved-At: Tue, 10 Mar 2015 05:34:29 -0700
Subject: Re: [secdir] Secdir Review of draft-ietf-netconf-rfc5539bis-09
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Security Area Directorate <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Tue, 10 Mar 2015 12:32:56 -0000

----- Original Message -----
From: "Sam Hartman" <>
To: <>rg>; <>rg>; <>
Cc: <>
Sent: Monday, March 09, 2015 12:10 PM
Subject: Secdir Review of draft-ietf-netconf-rfc5539bis-09

> This is an update to netconf over TLS with mutual X.509
> In general, this looks fairly good.
> I'd ask the security ADs to take a look at two things:
> * The text on certificate validation in section 5.
> Certificate validation has a number of options, none of which are
> described or specified in this text.
> Is that good enough for this application?  (Probably)
> In section 7, there is a description of how the netconf server finds
> username of the client.
> It talks about a certificate fingerprint without a reference to a
> specific algorithm.
> I'm aware of multiple algorithms for fingerprints.
> This text is probably too vague for interoperability.


I see what you mean but had a different model in mind.  The fingerprint
is not transmitted as part of the tls/netconf protocol, I assume that it
is only generated within a server when a certificate arrives over the
tls/netconf protocol and is then compared with a prestored list of
fingerprints within the server.

So as long as the same algorithm is used within the server, then it does
not matter what is used.  If, instead, the prestored list of
fingerprints is generated outside the server and installed as a file,
then yes, the algorithm used to create the prestored list must be the
same as that used within the server when a certificate arrives over the
tls/netconf protocol.  That is the only issue I can see.

However, this I-D used to contain a data model to go with it but that
has been put into a different I-D namely netconf-server.  That data
model imports a YANG data type tls-fingerprint which is defined as a one
octet hashing algorithm identifier followed by the fingerprint value.
The  octet value is taken from the IANA TLS Hash Algorithm Registry (RFC

So if the YANG data model is used, then the algorithm is part of the
model and the server can look up what has been used in its prestored
list of fingerprints.  If users do not use the YANG data model, well
that is up to them

Hope this helps

Tom Petch