Re: [tcpm] Roman Danyliw's Discuss on draft-ietf-tcpm-yang-tcp-07: (with DISCUSS and COMMENT)
Roman Danyliw <rdd@cert.org> Mon, 12 September 2022 15:29 UTC
Return-Path: <rdd@cert.org>
X-Original-To: tcpm@ietfa.amsl.com
Delivered-To: tcpm@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 75595C14F613; Mon, 12 Sep 2022 08:29:58 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.906
X-Spam-Level:
X-Spam-Status: No, score=-1.906 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=seicmu.onmicrosoft.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id UPcYMYKcIU8l; Mon, 12 Sep 2022 08:29:54 -0700 (PDT)
Received: from USG02-BN3-obe.outbound.protection.office365.us (mail-bn3usg02on0129.outbound.protection.office365.us [23.103.208.129]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 4F6B5C14CF01; Mon, 12 Sep 2022 08:29:52 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; s=arcselector5401; d=microsoft.com; cv=none; b=EmMH/J5ZpVt8uBUHgBF92QxtFxy5h4h9NEazgjzCL/Wr/oy9UjVhz58XQYGwmUDTpBR7//A4qlDs3FTR9tIWd1Fe8VUt66hVoVmU/F2U/1Bb7XyIp2hmY7hh7Zq2aTv2cOgHBjviijt8z6hvYqauX2psOw+fyjtY/9O4cNdC4F3qEUejQj0nlnAB7CwULhGxXiqORv1cTMgbCuGvO4CYBucnzwkvbpy6PiYUcO9xAVMDM6m8cbVo5WWnqXtfhfkskbkXsN/LoHeUso7waFCRsjdwIxmIVJRp9Icm1AbjdqHiGZjnGDRiHqxaE9xu5ersPkgMyhD4KsdLfk2SEKx5MA==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector5401; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=u4Wg+95Tzkg1w1RtsmeYAa+X2Scunss+cm+2t6RpEZ0=; b=ZrZ4oJ6vWxw/J5F90wufWxS68ZkSwLT8lfhBIHL/sRwl/kgFMlCCru+rtwyVf44+4ZYOGNxFmSpP5WIUtdA+2kanVPvLtmflVOcwmYzZjjQPRB3yHs8JzZ0redi7SPEHWFsIUNgzlymMSbCk60/hOyQ5Ddx4VTu241Y9zSFKb7mHQAEVPONdJfh+5JeN6Nc1M0X2ktsD+a9LH8Tdo2FlzD/coUIT4zSzSaVAG3nQ6htIml8wlhqr+zEl0oa3KXNHS0gZ9+TQm4hwD68CdSB82nPLqnBjrY1DmNGqmFs5hWhpWxO/0U+EzR7ZZ1Wp1q7Fhqdn/QaCnbCeNldEnQN5+g==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=cert.org; dmarc=pass action=none header.from=cert.org; dkim=pass header.d=cert.org; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=seicmu.onmicrosoft.com; s=selector1-seicmu-onmicrosoft-com; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=u4Wg+95Tzkg1w1RtsmeYAa+X2Scunss+cm+2t6RpEZ0=; b=V2qgnFt2gtSEEgL2ahuEQL5uTYO9XTBniC0co6C1o7qcJTlkpqaVYyogc+bnpGklHmPZnTpHp0YxeBEuMRQs/NNkCSWvDiPo5QAWKMGqrcPdMg4Gd2FaSg02O70rc0HZOI1IIWTsjyNZvBSU8zF7j0qy6TV8a2H/y2/vKqDJ2t0=
Received: from BN2P110MB1107.NAMP110.PROD.OUTLOOK.COM (2001:489a:200:168::11) by BN2P110MB1399.NAMP110.PROD.OUTLOOK.COM (2001:489a:200:17c::13) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.5612.22; Mon, 12 Sep 2022 15:29:49 +0000
Received: from BN2P110MB1107.NAMP110.PROD.OUTLOOK.COM ([fe80::2531:868b:fc1a:3716]) by BN2P110MB1107.NAMP110.PROD.OUTLOOK.COM ([fe80::2531:868b:fc1a:3716%5]) with mapi id 15.20.5566.028; Mon, 12 Sep 2022 15:29:49 +0000
From: Roman Danyliw <rdd@cert.org>
To: Martin Duke <martin.h.duke@gmail.com>, "Scharf, Michael" <Michael.Scharf@hs-esslingen.de>
CC: The IESG <iesg@ietf.org>, "draft-ietf-tcpm-yang-tcp@ietf.org" <draft-ietf-tcpm-yang-tcp@ietf.org>, "tcpm@ietf.org" <tcpm@ietf.org>, "tcpm-chairs@ietf.org" <tcpm-chairs@ietf.org>
Thread-Topic: [tcpm] Roman Danyliw's Discuss on draft-ietf-tcpm-yang-tcp-07: (with DISCUSS and COMMENT)
Thread-Index: AQHYi8yiGwN/hKZFiEuyBeynM7+Tn63Q8lSAgAcvpwCABD89cA==
Date: Mon, 12 Sep 2022 15:29:49 +0000
Message-ID: <BN2P110MB11072A61F941DA2962DDB7E3DC449@BN2P110MB1107.NAMP110.PROD.OUTLOOK.COM>
References: <165651637903.27765.15214938683310593938@ietfa.amsl.com> <810dbd31883342ffbc514a825bb40969@hs-esslingen.de> <CAM4esxTR_hgnBnGwoNLOxJHrnJxC1Wc6nLjb=gevtDJ=-EUmcQ@mail.gmail.com>
In-Reply-To: <CAM4esxTR_hgnBnGwoNLOxJHrnJxC1Wc6nLjb=gevtDJ=-EUmcQ@mail.gmail.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
authentication-results: dkim=none (message not signed) header.d=none;dmarc=none action=none header.from=cert.org;
x-ms-publictraffictype: Email
x-ms-office365-filtering-correlation-id: 2c03af66-1d21-47a7-5e48-08da94d3a1bb
x-ms-traffictypediagnostic: BN2P110MB1399:EE_
x-ms-exchange-senderadcheck: 1
x-microsoft-antispam: BCL:0;
x-microsoft-antispam-message-info: xNtr9tskqMsjEJpb/H3AUcxS2Yp61+j+2y+imqK9TXjg0eyY78pMiLzF927TAtMqMqceom37GnLzFLVw4eRIXLrYBKPll3GgjDdKGDHrahoU/XfeWKaB4EKpwQLm7BMTUarlPkfECH6K+E4gCdhKT5bCTwVhCVjfLiGY3YbuNDYPKvJ8Dd5DYBCI670RTnxn60YYGq9uFwO8IBn4wMh38USh1WMaBIfnr2lgbn49prWICrmrk3u8nx7Ra7atSL1m1MOFlnmsYGTh50Sm2MgqU0Po9mp2lPDPNbu8P62n5ixhCRFY1n6qzJ6Gzx/G32QDj6eYmQrHUh5csIpP6x1ENo9cefob7cYrBBi2zlhA3PA/I73v7souTQXL7hatnveaG0a3fygcrrF7vNvWcnnZ9+GQzpY8SisgEv+16cO3dcEeGv/EfzM5gceJ5U1aNOPpeImthlew+6QQSbCBpJLCDBX0oTDeMGMhfduInv+yd5oDPMtgyo4kK1jOMuQKsQuxrRg079m2n30VUO4hOnqPSJiYQgCpfszojIapcW3bJOEr20ldodIIgT9vcCU36oa291EAwxyGsBH9mP+i5HvqbQDUqJJR+1sufINnOlMQZ+G75eJnqkKY6CDcBWGnNoCgdf987nwj51DJW3rHR1BLldFb+cNxIlCbQD0v2XiXOLxxRhxLZHDY9/bAhmYOAa0CW+HqY5V+6Tkxu3gSPwGBJw==
x-forefront-antispam-report: CIP:255.255.255.255; CTRY:; LANG:en; SCL:1; SRV:; IPV:NLI; SFV:NSPM; H:BN2P110MB1107.NAMP110.PROD.OUTLOOK.COM; PTR:; CAT:NONE; SFS:(13230016)(366004)(66946007)(76116006)(66556008)(4326008)(66476007)(8676002)(64756008)(5660300002)(54906003)(110136005)(52536014)(8936002)(26005)(2906002)(66446008)(966005)(33656002)(71200400001)(498600001)(7696005)(166002)(6506007)(53546011)(9686003)(122000001)(38100700002)(86362001)(186003)(83380400001)(38070700005)(55016003)(82960400001); DIR:OUT; SFP:1102;
x-ms-exchange-antispam-messagedata-chunkcount: 1
x-ms-exchange-antispam-messagedata-0: 2hrO4/YLtPrXkGoCzHWM7VsPa3i7hxCuOruDJSakTINgF+lLzmqvx6SmQH1YFjwU5EnGS3wMccIx7hAwpEX0Qj4AvBO3qE/JCsD5fMdZUUBeny2S8J9b+nt/I7N3+17OkfGKMyEIKVv/4stH7AdjO3yEt0Qi43mP4zlaZGR1CFnG8guMaoN4zOGIYiMdSrtVdVwRk0GicUVZ9qPSohQ8eLWihK7Z0lw6X3axu04miWrGKdBbhmxc2ehOwDwj4B7uLAnM84z6vxuW3dgQnHoDjmZVzM7RMSbYal0N8NcLHonr3PAibpK7WJ/A3UHXrdJ1xIf0YK6sP39DEwHTeiOHBQqZlbzFmPBd7VGfCZ3QyXKWKSPTYFsB9GglQzSQkmadeCaRlHnXXO3+BKDu6HS5WATE63hWc+msS6kArb1FEb4=
Content-Type: multipart/alternative; boundary="_000_BN2P110MB11072A61F941DA2962DDB7E3DC449BN2P110MB1107NAMP_"
MIME-Version: 1.0
X-OriginatorOrg: cert.org
X-MS-Exchange-CrossTenant-AuthAs: Internal
X-MS-Exchange-CrossTenant-AuthSource: BN2P110MB1107.NAMP110.PROD.OUTLOOK.COM
X-MS-Exchange-CrossTenant-Network-Message-Id: 2c03af66-1d21-47a7-5e48-08da94d3a1bb
X-MS-Exchange-CrossTenant-originalarrivaltime: 12 Sep 2022 15:29:49.8611 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 95a9dce2-04f2-4043-995d-1ec3861911c6
X-MS-Exchange-Transport-CrossTenantHeadersStamped: BN2P110MB1399
Archived-At: <https://mailarchive.ietf.org/arch/msg/tcpm/rhc5iA2gVndR2dT4gbz4d59Zkn0>
Subject: Re: [tcpm] Roman Danyliw's Discuss on draft-ietf-tcpm-yang-tcp-07: (with DISCUSS and COMMENT)
X-BeenThere: tcpm@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: TCP Maintenance and Minor Extensions Working Group <tcpm.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tcpm>, <mailto:tcpm-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/tcpm/>
List-Post: <mailto:tcpm@ietf.org>
List-Help: <mailto:tcpm-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tcpm>, <mailto:tcpm-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 12 Sep 2022 15:29:58 -0000
Hi! I appreciate the new text in -08 and -09. It addresses both my DISCUSS and COMMENT feedback. I’ve cleared my ballot. Regards, Roman From: Martin Duke <martin.h.duke@gmail.com> Sent: Friday, September 9, 2022 6:38 PM To: Scharf, Michael <Michael.Scharf@hs-esslingen.de> Cc: Roman Danyliw <rdd@cert.org>; The IESG <iesg@ietf.org>; draft-ietf-tcpm-yang-tcp@ietf.org; tcpm@ietf.org; tcpm-chairs@ietf.org Subject: Re: [tcpm] Roman Danyliw's Discuss on draft-ietf-tcpm-yang-tcp-07: (with DISCUSS and COMMENT) Can we just post -09 so Roman can clear his DISCUSS? On Mon, Sep 5, 2022 at 2:10 AM Scharf, Michael <Michael.Scharf@hs-esslingen.de<mailto:Michael.Scharf@hs-esslingen.de>> wrote: Hi Roman, Thank you for this feedback and sorry for staying silent during the holiday season. The authors have prepared a new version -08. Please refer to https://www.ietf.org/rfcdiff?url2=draft-ietf-tcpm-yang-tcp-08 to see the changes. Unfortunately, when preparing -08, one of the patches got lost, and therefore one change regarding one of your concerns is still missing in -08. Sorry! This was not intended, and this bug will be fixed in the next version -09. The suggested change for -09 is explained below. > -----Original Message----- > From: Roman Danyliw via Datatracker <noreply@ietf.org<mailto:noreply@ietf.org>> > Sent: Wednesday, June 29, 2022 5:26 PM > To: The IESG <iesg@ietf.org<mailto:iesg@ietf.org>> > Cc: draft-ietf-tcpm-yang-tcp@ietf.org<mailto:draft-ietf-tcpm-yang-tcp@ietf.org>; tcpm-chairs@ietf.org<mailto:tcpm-chairs@ietf.org>; tcpm@ietf.org<mailto:tcpm@ietf.org>; > nsd.ietf@gmail.com<mailto:nsd.ietf@gmail.com>; nsd.ietf@gmail.com<mailto:nsd.ietf@gmail.com> > Subject: Roman Danyliw's Discuss on draft-ietf-tcpm-yang-tcp-07: (with > DISCUSS and COMMENT) > > Roman Danyliw has entered the following ballot position for > draft-ietf-tcpm-yang-tcp-07: Discuss > > When responding, please keep the subject line intact and reply to all > email addresses included in the To and CC lines. (Feel free to cut this > introductory paragraph, however.) > > > Please refer to > https://www.ietf.org/about/groups/iesg/statements/handling-ballot- > positions/ > for more information about how to handle DISCUSS and COMMENT > positions. > > > The document, along with other ballot positions, can be found here: > https://datatracker.ietf.org/doc/draft-ietf-tcpm-yang-tcp/ > > > > ---------------------------------------------------------------------- > DISCUSS: > ---------------------------------------------------------------------- > > ** B.2. Thanks for providing an example of a TCP-AO configuration. > Unfortunately, this isn't a valid example example and it seems to be making > citations that don't match. Specifically: > > -- "<crypto-algorithm>hmac-sha-256</crypto-algorithm>" > > The algorithms usable by TCP-AO come from > https://www.iana.org/assignments/tcp-parameters/tcp- > parameters.xhtml#tcp-parameters-3. > Only SHA1 and AES128 are registered. As far as I tell, the only work to add > SHA256 is in an unadopted and expired draft > (https://datatracker.ietf.org/doc/draft-nayak-tcp-sha2/). > > As aside, I think the algorithm name would have been SHA-256 or SHA256 (no > HMAC). Good catch. The examples now use AES-128 (BTW, an identifier for AES-128 is not defined in the YANG model in RFC 8177, but it is needed.) There has been not much energy in TCPM to finalize draft-nayak-tcp-sha2 some years ago. Indeed, we should not use this algorithm in this document. In the meantime, further TCP-AO implementations have emerged. This may open an opportunity to standardize further TCP-AO algorithms. Yet, this discussion seems orthogonal to this YANG model. > -- Per the link to RFC9235: > > The following example demonstrates how to model a TCP-AO [RFC5925] > configuration for the example in TCP-AO Test Vectors [RFC9235]. The > IP addresses and other parameters are taken from the test vectors. > > RFC9235 doesn't use SHA256; and uses KeyID 61 and 84. Different KeyIDs are > used in this example. Which parameters are being used from the test- > vector? Good catch. This mismatch was not intended, and we agree that this should be fixed. Yet, unfortunately, when preparing version -08, the authors messed up the corresponding patch, and version -08 still shows the old variant. The current proposal for the example in the next version -09 is: <!-- This example sets TCP-AO configuration parameters similar to the examples in RFC 9235. --> <key-chains xmlns="urn:ietf:params:xml:ns:yang:ietf-key-chain"> <key-chain> <name>ao-config</name> <description>"An example for TCP-AO configuration."</description> <key> <key-id>55</key-id> <lifetime> <send-lifetime> <start-date-time>2017-01-01T00:00:00Z</start-date-time> <end-date-time>2017-02-01T00:00:00Z</end-date-time> </send-lifetime> <accept-lifetime> <start-date-time>2016-12-31T23:59:55Z</start-date-time> <end-date-time>2017-02-01T00:00:05Z</end-date-time> </accept-lifetime> </lifetime> <crypto-algorithm xmlns:tcp= "urn:ietf:params:xml:ns:yang:ietf-tcp">tcp:aes-128</crypto-algorithm> <key-string> <keystring>testvector</keystring> </key-string> <authentication xmlns="urn:ietf:params:xml:ns:yang:ietf-tcp"> <keychain>ao-config</keychain> <ao> <send-id>61</send-id> <recv-id>84</recv-id> </ao> </authentication> </key> </key-chain> </key-chains> As shown in the example, the suggestion is to use the key ideas from RFC 9235. I'd also simplify the example by using only one entry in the key-chain. Unless somebody agrees, this example will be used in the next version -09, which will be published soon. > ---------------------------------------------------------------------- > COMMENT: > ---------------------------------------------------------------------- > > Thank you to Hilarie Orman for the SECDIR review. > > I concur with the SECDIR observation that "there are no statistics kept for > authentication failures. If a shared key falls out of synch, the statistics > might help detect that." I appreciate the response > (https://mailarchive.ietf.org/arch/msg/secdir/BnjVJ7_IgN7mSNaGi3H2ujVYv > n0/) > which recommends that this should be generically modeled. I disagree that > this > should be deferred. There is a very specific TCP-level primitive being > described here and it makes sense to me to provide a corresponding logging > primitive. Personally, I don't agree to that observation. For what it is worth, I have replied to this comment already with follow-up questions, as documented in https://mailarchive.ietf.org/arch/msg/tcpm/H0UNpd1Fh-uI6rblHh1895-7iT4/. Unfortunately, I am not aware of any reply. Yet, that is my personal view only. Adding some counter to make everybody happy may not be a big deal. Therefore, the model now includes in -08 an additional counter: leaf auth-failures { if-feature authentication; type yang:counter64; description "The number of times that authentication has failed either with TCP-AO or MD5."; } This hopefully sorts out this issue. Thanks Michael _______________________________________________ tcpm mailing list tcpm@ietf.org<mailto:tcpm@ietf.org> https://www.ietf.org/mailman/listinfo/tcpm
- [tcpm] Roman Danyliw's Discuss on draft-ietf-tcpm… Roman Danyliw via Datatracker
- Re: [tcpm] Roman Danyliw's Discuss on draft-ietf-… Scharf, Michael
- Re: [tcpm] Roman Danyliw's Discuss on draft-ietf-… Scharf, Michael
- Re: [tcpm] Roman Danyliw's Discuss on draft-ietf-… Martin Duke
- Re: [tcpm] Roman Danyliw's Discuss on draft-ietf-… Roman Danyliw