Re: [tcpm] Roman Danyliw's Discuss on draft-ietf-tcpm-yang-tcp-07: (with DISCUSS and COMMENT)
Martin Duke <martin.h.duke@gmail.com> Fri, 09 September 2022 22:38 UTC
Return-Path: <martin.h.duke@gmail.com>
X-Original-To: tcpm@ietfa.amsl.com
Delivered-To: tcpm@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E254FC15259B; Fri, 9 Sep 2022 15:38:07 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.103
X-Spam-Level:
X-Spam-Status: No, score=-2.103 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_BLOCKED=0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id vQWNFPkf-HFM; Fri, 9 Sep 2022 15:38:04 -0700 (PDT)
Received: from mail-qv1-xf2e.google.com (mail-qv1-xf2e.google.com [IPv6:2607:f8b0:4864:20::f2e]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 3C4D4C1524B1; Fri, 9 Sep 2022 15:38:04 -0700 (PDT)
Received: by mail-qv1-xf2e.google.com with SMTP id l5so2326304qvs.13; Fri, 09 Sep 2022 15:38:04 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20210112; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc:subject:date; bh=DL+PpeodXs9MQdFoj48Va/X4lura2trTWdzkASYsK7E=; b=OAEprCX316RVrA8PXAVRceyBLd6c5/yNBErn084toG/SW5GQ0NgF8ODITsuxaOmJHa r3GdkMUz6Bz4LqM5P/TIiqv7WwziHRMO6+gwPCw46JcSoZPQpDTle1Ibru+TBO++ZiRQ BJOJ1SOLUi22TTdFsJZx3D6yrzEzcj0POnoisYsXmGjXW0BCXKk9AKdcd7c5zURYxCeL YqzepTKWHpVeK04uqNRoa2pxbahfnm5CsessjdnZNxV0fjm/61DFXkcJn7XL6xtnbgTi 65njqle3H7NilbYqZMXE9qwCkI2Dbc0LkdCWlrlWEfroJME6RpCe2LOtCHgylZy6aM7s utDA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-message-state:from:to:cc:subject:date; bh=DL+PpeodXs9MQdFoj48Va/X4lura2trTWdzkASYsK7E=; b=CrUBqk+CtWk3btkR9sRJd/aohAdE9Y0qCfUg24SVrt4KFvO9vPOGPvgEpmh8Amsfbu tl33EOJ3pGt+G7A3ir4ZPQqzREGGq+ppMKHi6HTWOdyMRLjlFeD1MxF69SfG15NcSGVj V8Mgg8Dmy3UQatQCNy8/blZe8ZhlVDLh6N7D7apwHqKijHHtvX8BAuTrTeQybb3/yKIS wfqyHCyw1Sqq8eaWDui/8Z3q6ifxqZ4S2YvAubsQ91nrYVuzgzqZtsZtVwTGQKltYK/T odj/zd1oYnfrGzeaf2w2aoApzg8ckfusZ0vMGKNpcYwA8EEhFprNzgw6IuuWmphXNxgs 676A==
X-Gm-Message-State: ACgBeo2LiyjJZl/Fzc5a1JrRT4hw3759aBF73m749RaZKFcpM88zSRBH sGONIv0rOpwL1zTJdo4T0VIngQwT2RTahBMrc9YmGwbB
X-Google-Smtp-Source: AA6agR6BUrDsLvCq+hetpf2F19fHCmJjZ7vjwooztME94Ijne8n6HQxaFAZArP2/qzJq+mUK2erRaZkSL9zO/y17ypo=
X-Received: by 2002:a05:6214:27e9:b0:4aa:9ff0:e8de with SMTP id jt9-20020a05621427e900b004aa9ff0e8demr13881687qvb.99.1662763082896; Fri, 09 Sep 2022 15:38:02 -0700 (PDT)
MIME-Version: 1.0
References: <165651637903.27765.15214938683310593938@ietfa.amsl.com> <810dbd31883342ffbc514a825bb40969@hs-esslingen.de>
In-Reply-To: <810dbd31883342ffbc514a825bb40969@hs-esslingen.de>
From: Martin Duke <martin.h.duke@gmail.com>
Date: Fri, 09 Sep 2022 15:37:50 -0700
Message-ID: <CAM4esxTR_hgnBnGwoNLOxJHrnJxC1Wc6nLjb=gevtDJ=-EUmcQ@mail.gmail.com>
To: "Scharf, Michael" <Michael.Scharf@hs-esslingen.de>
Cc: Roman Danyliw <rdd@cert.org>, The IESG <iesg@ietf.org>, "draft-ietf-tcpm-yang-tcp@ietf.org" <draft-ietf-tcpm-yang-tcp@ietf.org>, "tcpm@ietf.org" <tcpm@ietf.org>, "tcpm-chairs@ietf.org" <tcpm-chairs@ietf.org>
Content-Type: multipart/alternative; boundary="000000000000e6d93c05e84632d5"
Archived-At: <https://mailarchive.ietf.org/arch/msg/tcpm/H8RpQdg8gPQJJ28RUQhHKfvGxXw>
Subject: Re: [tcpm] Roman Danyliw's Discuss on draft-ietf-tcpm-yang-tcp-07: (with DISCUSS and COMMENT)
X-BeenThere: tcpm@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: TCP Maintenance and Minor Extensions Working Group <tcpm.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tcpm>, <mailto:tcpm-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tcpm/>
List-Post: <mailto:tcpm@ietf.org>
List-Help: <mailto:tcpm-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tcpm>, <mailto:tcpm-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 09 Sep 2022 22:38:08 -0000
Can we just post -09 so Roman can clear his DISCUSS? On Mon, Sep 5, 2022 at 2:10 AM Scharf, Michael < Michael.Scharf@hs-esslingen.de> wrote: > Hi Roman, > > Thank you for this feedback and sorry for staying silent during the > holiday season. > > The authors have prepared a new version -08. Please refer to > https://www.ietf.org/rfcdiff?url2=draft-ietf-tcpm-yang-tcp-08 to see the > changes. > > Unfortunately, when preparing -08, one of the patches got lost, and > therefore one change regarding one of your concerns is still missing in > -08. Sorry! This was not intended, and this bug will be fixed in the next > version -09. The suggested change for -09 is explained below. > > > -----Original Message----- > > From: Roman Danyliw via Datatracker <noreply@ietf.org> > > Sent: Wednesday, June 29, 2022 5:26 PM > > To: The IESG <iesg@ietf.org> > > Cc: draft-ietf-tcpm-yang-tcp@ietf.org; tcpm-chairs@ietf.org; > tcpm@ietf.org; > > nsd.ietf@gmail.com; nsd.ietf@gmail.com > > Subject: Roman Danyliw's Discuss on draft-ietf-tcpm-yang-tcp-07: (with > > DISCUSS and COMMENT) > > > > Roman Danyliw has entered the following ballot position for > > draft-ietf-tcpm-yang-tcp-07: Discuss > > > > When responding, please keep the subject line intact and reply to all > > email addresses included in the To and CC lines. (Feel free to cut this > > introductory paragraph, however.) > > > > > > Please refer to > > https://www.ietf.org/about/groups/iesg/statements/handling-ballot- > > positions/ > > for more information about how to handle DISCUSS and COMMENT > > positions. > > > > > > The document, along with other ballot positions, can be found here: > > https://datatracker.ietf.org/doc/draft-ietf-tcpm-yang-tcp/ > > > > > > > > ---------------------------------------------------------------------- > > DISCUSS: > > ---------------------------------------------------------------------- > > > > ** B.2. Thanks for providing an example of a TCP-AO configuration. > > Unfortunately, this isn't a valid example example and it seems to be > making > > citations that don't match. Specifically: > > > > -- "<crypto-algorithm>hmac-sha-256</crypto-algorithm>" > > > > The algorithms usable by TCP-AO come from > > https://www.iana.org/assignments/tcp-parameters/tcp- > > parameters.xhtml#tcp-parameters-3. > > Only SHA1 and AES128 are registered. As far as I tell, the only work > to add > > SHA256 is in an unadopted and expired draft > > (https://datatracker.ietf.org/doc/draft-nayak-tcp-sha2/). > > > > As aside, I think the algorithm name would have been SHA-256 or SHA256 > (no > > HMAC). > > Good catch. The examples now use AES-128 (BTW, an identifier for AES-128 > is not defined in the YANG model in RFC 8177, but it is needed.) > > There has been not much energy in TCPM to finalize draft-nayak-tcp-sha2 > some years ago. Indeed, we should not use this algorithm in this document. > In the meantime, further TCP-AO implementations have emerged. This may open > an opportunity to standardize further TCP-AO algorithms. Yet, this > discussion seems orthogonal to this YANG model. > > > -- Per the link to RFC9235: > > > > The following example demonstrates how to model a TCP-AO [RFC5925] > > configuration for the example in TCP-AO Test Vectors [RFC9235]. The > > IP addresses and other parameters are taken from the test vectors. > > > > RFC9235 doesn't use SHA256; and uses KeyID 61 and 84. Different KeyIDs > are > > used in this example. Which parameters are being used from the test- > > vector? > > Good catch. This mismatch was not intended, and we agree that this should > be fixed. Yet, unfortunately, when preparing version -08, the authors > messed up the corresponding patch, and version -08 still shows the old > variant. The current proposal for the example in the next version -09 is: > > <!-- > This example sets TCP-AO configuration parameters similar to > the examples in RFC 9235. > --> > > <key-chains > xmlns="urn:ietf:params:xml:ns:yang:ietf-key-chain"> > <key-chain> > <name>ao-config</name> > <description>"An example for TCP-AO configuration."</description> > <key> > <key-id>55</key-id> > <lifetime> > <send-lifetime> > <start-date-time>2017-01-01T00:00:00Z</start-date-time> > <end-date-time>2017-02-01T00:00:00Z</end-date-time> > </send-lifetime> > <accept-lifetime> > <start-date-time>2016-12-31T23:59:55Z</start-date-time> > <end-date-time>2017-02-01T00:00:05Z</end-date-time> > </accept-lifetime> > </lifetime> > <crypto-algorithm > xmlns:tcp= > > "urn:ietf:params:xml:ns:yang:ietf-tcp">tcp:aes-128</crypto-algorithm> > <key-string> > <keystring>testvector</keystring> > </key-string> > <authentication > xmlns="urn:ietf:params:xml:ns:yang:ietf-tcp"> > <keychain>ao-config</keychain> > <ao> > <send-id>61</send-id> > <recv-id>84</recv-id> > </ao> > </authentication> > </key> > </key-chain> > </key-chains> > > As shown in the example, the suggestion is to use the key ideas from RFC > 9235. I'd also simplify the example by using only one entry in the > key-chain. > > Unless somebody agrees, this example will be used in the next version -09, > which will be published soon. > > > ---------------------------------------------------------------------- > > COMMENT: > > ---------------------------------------------------------------------- > > > > Thank you to Hilarie Orman for the SECDIR review. > > > > I concur with the SECDIR observation that "there are no statistics kept > for > > authentication failures. If a shared key falls out of synch, the > statistics > > might help detect that." I appreciate the response > > (https://mailarchive.ietf.org/arch/msg/secdir/BnjVJ7_IgN7mSNaGi3H2ujVYv > > n0/) > > which recommends that this should be generically modeled. I disagree > that > > this > > should be deferred. There is a very specific TCP-level primitive being > > described here and it makes sense to me to provide a corresponding > logging > > primitive. > > Personally, I don't agree to that observation. For what it is worth, I > have replied to this comment already with follow-up questions, as > documented in > https://mailarchive.ietf.org/arch/msg/tcpm/H0UNpd1Fh-uI6rblHh1895-7iT4/. > Unfortunately, I am not aware of any reply. > > Yet, that is my personal view only. Adding some counter to make everybody > happy may not be a big deal. Therefore, the model now includes in -08 an > additional counter: > > leaf auth-failures { > if-feature authentication; > type yang:counter64; > description > "The number of times that authentication has failed > either > with TCP-AO or MD5."; > } > > This hopefully sorts out this issue. > > Thanks > > Michael > > _______________________________________________ > tcpm mailing list > tcpm@ietf.org > https://www.ietf.org/mailman/listinfo/tcpm >
- [tcpm] Roman Danyliw's Discuss on draft-ietf-tcpm… Roman Danyliw via Datatracker
- Re: [tcpm] Roman Danyliw's Discuss on draft-ietf-… Scharf, Michael
- Re: [tcpm] Roman Danyliw's Discuss on draft-ietf-… Scharf, Michael
- Re: [tcpm] Roman Danyliw's Discuss on draft-ietf-… Martin Duke
- Re: [tcpm] Roman Danyliw's Discuss on draft-ietf-… Roman Danyliw