IETF Logo Mail Archive

Re: [tcpm] Roman Danyliw's Discuss on draft-ietf-tcpm-yang-tcp-07: (with DISCUSS and COMMENT)

Martin Duke <martin.h.duke@gmail.com> Fri, 09 September 2022 22:38 UTC

Return-Path: <martin.h.duke@gmail.com>
X-Original-To: tcpm@ietfa.amsl.com
Delivered-To: tcpm@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E254FC15259B; Fri, 9 Sep 2022 15:38:07 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.103
X-Spam-Level:
X-Spam-Status: No, score=-2.103 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_BLOCKED=0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id vQWNFPkf-HFM; Fri, 9 Sep 2022 15:38:04 -0700 (PDT)
Received: from mail-qv1-xf2e.google.com (mail-qv1-xf2e.google.com [IPv6:2607:f8b0:4864:20::f2e]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 3C4D4C1524B1; Fri, 9 Sep 2022 15:38:04 -0700 (PDT)
Received: by mail-qv1-xf2e.google.com with SMTP id l5so2326304qvs.13; Fri, 09 Sep 2022 15:38:04 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20210112; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc:subject:date; bh=DL+PpeodXs9MQdFoj48Va/X4lura2trTWdzkASYsK7E=; b=OAEprCX316RVrA8PXAVRceyBLd6c5/yNBErn084toG/SW5GQ0NgF8ODITsuxaOmJHa r3GdkMUz6Bz4LqM5P/TIiqv7WwziHRMO6+gwPCw46JcSoZPQpDTle1Ibru+TBO++ZiRQ BJOJ1SOLUi22TTdFsJZx3D6yrzEzcj0POnoisYsXmGjXW0BCXKk9AKdcd7c5zURYxCeL YqzepTKWHpVeK04uqNRoa2pxbahfnm5CsessjdnZNxV0fjm/61DFXkcJn7XL6xtnbgTi 65njqle3H7NilbYqZMXE9qwCkI2Dbc0LkdCWlrlWEfroJME6RpCe2LOtCHgylZy6aM7s utDA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-message-state:from:to:cc:subject:date; bh=DL+PpeodXs9MQdFoj48Va/X4lura2trTWdzkASYsK7E=; b=CrUBqk+CtWk3btkR9sRJd/aohAdE9Y0qCfUg24SVrt4KFvO9vPOGPvgEpmh8Amsfbu tl33EOJ3pGt+G7A3ir4ZPQqzREGGq+ppMKHi6HTWOdyMRLjlFeD1MxF69SfG15NcSGVj V8Mgg8Dmy3UQatQCNy8/blZe8ZhlVDLh6N7D7apwHqKijHHtvX8BAuTrTeQybb3/yKIS wfqyHCyw1Sqq8eaWDui/8Z3q6ifxqZ4S2YvAubsQ91nrYVuzgzqZtsZtVwTGQKltYK/T odj/zd1oYnfrGzeaf2w2aoApzg8ckfusZ0vMGKNpcYwA8EEhFprNzgw6IuuWmphXNxgs 676A==
X-Gm-Message-State: ACgBeo2LiyjJZl/Fzc5a1JrRT4hw3759aBF73m749RaZKFcpM88zSRBH sGONIv0rOpwL1zTJdo4T0VIngQwT2RTahBMrc9YmGwbB
X-Google-Smtp-Source: AA6agR6BUrDsLvCq+hetpf2F19fHCmJjZ7vjwooztME94Ijne8n6HQxaFAZArP2/qzJq+mUK2erRaZkSL9zO/y17ypo=
X-Received: by 2002:a05:6214:27e9:b0:4aa:9ff0:e8de with SMTP id jt9-20020a05621427e900b004aa9ff0e8demr13881687qvb.99.1662763082896; Fri, 09 Sep 2022 15:38:02 -0700 (PDT)
MIME-Version: 1.0
References: <165651637903.27765.15214938683310593938@ietfa.amsl.com> <810dbd31883342ffbc514a825bb40969@hs-esslingen.de>
In-Reply-To: <810dbd31883342ffbc514a825bb40969@hs-esslingen.de>
From: Martin Duke <martin.h.duke@gmail.com>
Date: Fri, 09 Sep 2022 15:37:50 -0700
Message-ID: <CAM4esxTR_hgnBnGwoNLOxJHrnJxC1Wc6nLjb=gevtDJ=-EUmcQ@mail.gmail.com>
To: "Scharf, Michael" <Michael.Scharf@hs-esslingen.de>
Cc: Roman Danyliw <rdd@cert.org>, The IESG <iesg@ietf.org>, "draft-ietf-tcpm-yang-tcp@ietf.org" <draft-ietf-tcpm-yang-tcp@ietf.org>, "tcpm@ietf.org" <tcpm@ietf.org>, "tcpm-chairs@ietf.org" <tcpm-chairs@ietf.org>
Content-Type: multipart/alternative; boundary="000000000000e6d93c05e84632d5"
Archived-At: <https://mailarchive.ietf.org/arch/msg/tcpm/H8RpQdg8gPQJJ28RUQhHKfvGxXw>
Subject: Re: [tcpm] Roman Danyliw's Discuss on draft-ietf-tcpm-yang-tcp-07: (with DISCUSS and COMMENT)
X-BeenThere: tcpm@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: TCP Maintenance and Minor Extensions Working Group <tcpm.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tcpm>, <mailto:tcpm-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tcpm/>
List-Post: <mailto:tcpm@ietf.org>
List-Help: <mailto:tcpm-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tcpm>, <mailto:tcpm-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 09 Sep 2022 22:38:08 -0000

Can we just post -09 so Roman can clear his DISCUSS?

On Mon, Sep 5, 2022 at 2:10 AM Scharf, Michael <
Michael.Scharf@hs-esslingen.de> wrote:

> Hi Roman,
>
> Thank you for this feedback and sorry for staying silent during the
> holiday season.
>
> The authors have prepared a new version -08. Please refer to
> https://www.ietf.org/rfcdiff?url2=draft-ietf-tcpm-yang-tcp-08 to see the
> changes.
>
> Unfortunately, when preparing -08, one of the patches got lost, and
> therefore one change regarding one of your concerns is still missing in
> -08. Sorry! This was not intended, and this bug will be fixed in the next
> version -09. The suggested change for -09 is explained below.
>
> > -----Original Message-----
> > From: Roman Danyliw via Datatracker <noreply@ietf.org>
> > Sent: Wednesday, June 29, 2022 5:26 PM
> > To: The IESG <iesg@ietf.org>
> > Cc: draft-ietf-tcpm-yang-tcp@ietf.org; tcpm-chairs@ietf.org;
> tcpm@ietf.org;
> > nsd.ietf@gmail.com; nsd.ietf@gmail.com
> > Subject: Roman Danyliw's Discuss on draft-ietf-tcpm-yang-tcp-07: (with
> > DISCUSS and COMMENT)
> >
> > Roman Danyliw has entered the following ballot position for
> > draft-ietf-tcpm-yang-tcp-07: Discuss
> >
> > When responding, please keep the subject line intact and reply to all
> > email addresses included in the To and CC lines. (Feel free to cut this
> > introductory paragraph, however.)
> >
> >
> > Please refer to
> > https://www.ietf.org/about/groups/iesg/statements/handling-ballot-
> > positions/
> > for more information about how to handle DISCUSS and COMMENT
> > positions.
> >
> >
> > The document, along with other ballot positions, can be found here:
> > https://datatracker.ietf.org/doc/draft-ietf-tcpm-yang-tcp/
> >
> >
> >
> > ----------------------------------------------------------------------
> > DISCUSS:
> > ----------------------------------------------------------------------
> >
> > ** B.2.  Thanks for providing an example of a TCP-AO configuration.
> > Unfortunately, this isn't a valid example example and it seems to be
> making
> > citations that don't match.  Specifically:
> >
> > -- "<crypto-algorithm>hmac-sha-256</crypto-algorithm>"
> >
> > The algorithms usable by TCP-AO come from
> > https://www.iana.org/assignments/tcp-parameters/tcp-
> > parameters.xhtml#tcp-parameters-3.
> >  Only SHA1 and AES128 are registered.  As far as I tell, the only work
> to add
> > SHA256 is in an unadopted and expired draft
> > (https://datatracker.ietf.org/doc/draft-nayak-tcp-sha2/).
> >
> > As aside, I think the algorithm name would have been SHA-256 or SHA256
> (no
> > HMAC).
>
> Good catch. The examples now use AES-128 (BTW, an identifier for AES-128
> is not defined in the YANG model in RFC 8177, but it is needed.)
>
> There has been not much energy in TCPM to finalize draft-nayak-tcp-sha2
> some years ago. Indeed, we should not use this algorithm in this document.
> In the meantime, further TCP-AO implementations have emerged. This may open
> an opportunity to standardize further TCP-AO algorithms. Yet, this
> discussion seems orthogonal to this YANG model.
>
> > --    Per the link to RFC9235:
> >
> >     The following example demonstrates how to model a TCP-AO [RFC5925]
> >    configuration for the example in TCP-AO Test Vectors [RFC9235].  The
> >    IP addresses and other parameters are taken from the test vectors.
> >
> > RFC9235 doesn't use SHA256; and uses KeyID 61 and 84.  Different KeyIDs
> are
> > used in this example.  Which parameters are being used from the test-
> > vector?
>
> Good catch. This mismatch was not intended, and we agree that this should
> be fixed. Yet, unfortunately, when preparing version -08, the authors
> messed up the corresponding patch, and version -08 still shows the old
> variant. The current proposal for the example in the next version -09 is:
>
> <!--
> This example sets TCP-AO configuration parameters similar to
> the examples in RFC 9235.
> -->
>
> <key-chains
>     xmlns="urn:ietf:params:xml:ns:yang:ietf-key-chain">
>   <key-chain>
>     <name>ao-config</name>
>     <description>"An example for TCP-AO configuration."</description>
>     <key>
>       <key-id>55</key-id>
>       <lifetime>
>         <send-lifetime>
>           <start-date-time>2017-01-01T00:00:00Z</start-date-time>
>           <end-date-time>2017-02-01T00:00:00Z</end-date-time>
>         </send-lifetime>
>         <accept-lifetime>
>           <start-date-time>2016-12-31T23:59:55Z</start-date-time>
>           <end-date-time>2017-02-01T00:00:05Z</end-date-time>
>         </accept-lifetime>
>       </lifetime>
>       <crypto-algorithm
>           xmlns:tcp=
>
> "urn:ietf:params:xml:ns:yang:ietf-tcp">tcp:aes-128</crypto-algorithm>
>       <key-string>
>         <keystring>testvector</keystring>
>       </key-string>
>       <authentication
>           xmlns="urn:ietf:params:xml:ns:yang:ietf-tcp">
>         <keychain>ao-config</keychain>
>         <ao>
>           <send-id>61</send-id>
>           <recv-id>84</recv-id>
>         </ao>
>       </authentication>
>     </key>
>   </key-chain>
> </key-chains>
>
> As shown in the example, the suggestion is to use the key ideas from RFC
> 9235. I'd also simplify the example by using only one entry in the
> key-chain.
>
> Unless somebody agrees, this example will be used in the next version -09,
> which will be published soon.
>
> > ----------------------------------------------------------------------
> > COMMENT:
> > ----------------------------------------------------------------------
> >
> > Thank you to Hilarie Orman for the SECDIR review.
> >
> > I concur with the SECDIR observation that "there are no statistics kept
> for
> > authentication failures.  If a shared key falls out of synch, the
> statistics
> > might help detect that."  I appreciate the response
> > (https://mailarchive.ietf.org/arch/msg/secdir/BnjVJ7_IgN7mSNaGi3H2ujVYv
> > n0/)
> > which recommends that this should be generically modeled.  I disagree
> that
> > this
> > should be deferred. There is a very specific TCP-level primitive being
> > described here and it makes sense to me to provide a corresponding
> logging
> > primitive.
>
> Personally, I don't agree to that observation. For what it is worth, I
> have replied to this comment already with follow-up questions, as
> documented in
> https://mailarchive.ietf.org/arch/msg/tcpm/H0UNpd1Fh-uI6rblHh1895-7iT4/.
> Unfortunately, I am not aware of any reply.
>
> Yet, that is my personal view only. Adding some counter to make everybody
> happy may not be a big deal. Therefore, the model now includes in -08 an
> additional counter:
>
>          leaf auth-failures {
>                    if-feature authentication;
>                    type yang:counter64;
>                    description
>                      "The number of times that authentication has failed
> either
>                       with TCP-AO or MD5.";
>          }
>
> This hopefully sorts out this issue.
>
> Thanks
>
> Michael
>
> _______________________________________________
> tcpm mailing list
> tcpm@ietf.org
> https://www.ietf.org/mailman/listinfo/tcpm
>

v2.23.0 | Report a Bug | By Email