Dear all,

draft-badra-netconf-rfc5539bi= s-00=A0includes support for=A0certificate and pre-shared key (PSK)-based au= thentication.

RFC4279 listed three "PSK Ident= ity" types: DNS Names, X509 Distinguished Names and IP Addresses.

PSK identity is used as the NETCONF username.=A0Please don't h= esitate to propose more identity types so we include them in the draft

Best regards,

Badra

--bcaec5016525053ba704b26503b8-- From j.schoenwaelder@jacobs-university.de Wed Nov 23 03:56:42 2011 Return-Path: X-Original-To: netconf@ietfa.amsl.com Delivered-To: netconf@ietfa.amsl.com Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 38C2521F8BE8 for ; Wed, 23 Nov 2011 03:56:42 -0800 (PST) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -103.193 X-Spam-Level: X-Spam-Status: No, score=-103.193 tagged_above=-999 required=5 tests=[AWL=0.056, BAYES_00=-2.599, HELO_EQ_DE=0.35, RCVD_IN_DNSWL_LOW=-1, USER_IN_WHITELIST=-100] Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id G6xK8oqGMTkU for ; Wed, 23 Nov 2011 03:56:41 -0800 (PST) Received: from hermes.jacobs-university.de (hermes.jacobs-university.de [212.201.44.23]) by ietfa.amsl.com (Postfix) with ESMTP id 1630621F8BE7 for ; Wed, 23 Nov 2011 03:56:39 -0800 (PST) Received: from localhost (demetrius1.jacobs-university.de [212.201.44.46]) by hermes.jacobs-university.de (Postfix) with ESMTP id 692F720CD6; Wed, 23 Nov 2011 12:56:38 +0100 (CET) X-Virus-Scanned: amavisd-new at jacobs-university.de Received: from hermes.jacobs-university.de ([212.201.44.23]) by localhost (demetrius1.jacobs-university.de [212.201.44.32]) (amavisd-new, port 10024) with ESMTP id 8e5MmB1BDAuf; Wed, 23 Nov 2011 12:56:37 +0100 (CET) Received: from elstar.local (elstar.jacobs.jacobs-university.de [10.50.231.133]) by hermes.jacobs-university.de (Postfix) with ESMTP id 1B24320CBE; Wed, 23 Nov 2011 12:56:37 +0100 (CET) Received: by elstar.local (Postfix, from userid 501) id 1E4E01BDB2A0; Wed, 23 Nov 2011 12:56:20 +0100 (CET) Date: Wed, 23 Nov 2011 12:56:19 +0100 From: Juergen Schoenwaelder To: Badra Message-ID: <20111123115619.GB98340@elstar.local> Mail-Followup-To: Badra , netconf@ietf.org References: MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: User-Agent: Mutt/1.5.21 (2010-09-15) Cc: netconf@ietf.org Subject: Re: [Netconf] PSK Identity Types X-BeenThere: netconf@ietf.org X-Mailman-Version: 2.1.12 Precedence: list Reply-To: Juergen Schoenwaelder List-Id: Network Configuration WG mailing list List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 23 Nov 2011 11:56:42 -0000 On Wed, Nov 23, 2011 at 03:13:38PM +0400, Badra wrote: > Dear all, > > draft-badra-netconf-rfc5539bis-00 includes support for certificate and > pre-shared key (PSK)-based authentication. > > RFC4279 listed three "PSK Identity" types: DNS Names, X509 Distinguished > Names and IP Addresses. > > PSK identity is used as the NETCONF username. Please don't hesitate to > propose more identity types so we include them in the draft I and Badra seem to have different interpretations of this text (quoting from RFC 4279): 5.1. PSK Identity Encoding The PSK identity MUST be first converted to a character string, and then encoded to octets using UTF-8 [UTF8]. For instance, o IPv4 addresses are sent as dotted-decimal strings (e.g., "192.0.2.1"), not as 32-bit integers in network byte order. o Domain names are sent in their usual text form [DNS] (e.g., "www.example.com" or "embedded\.dot.example.net"), not in DNS protocol format. o X.500 Distinguished Names are sent in their string representation [LDAPDN], not as BER-encoded ASN.1. My reading of this text is that the PSK identity is a UTF-8 character string. Period. In case your identity is an IPv4 address or a domain name or an X.500 DN (that is stuff that is natively not a UTF-8 character string), the bullets say how to render things in UTF-8. I do not see a requirement in this text to specify identity types and specific encoding rules. In other words, if I call my PSK identity "badra", the resulting string is simply the five UTF-8 character sequence "badra". /js -- Juergen Schoenwaelder Jacobs University Bremen gGmbH Phone: +49 421 200 3587 Campus Ring 1, 28759 Bremen, Germany Fax: +49 421 200 3103 From mbadra@gmail.com Wed Nov 23 04:24:52 2011 Return-Path: X-Original-To: netconf@ietfa.amsl.com Delivered-To: netconf@ietfa.amsl.com Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 7441421F8C50 for ; Wed, 23 Nov 2011 04:24:52 -0800 (PST) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -3.598 X-Spam-Level: X-Spam-Status: No, score=-3.598 tagged_above=-999 required=5 tests=[AWL=-0.000, BAYES_00=-2.599, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-1] Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id CxTmEj5zMriZ for ; Wed, 23 Nov 2011 04:24:51 -0800 (PST) Received: from mail-vx0-f172.google.com (mail-vx0-f172.google.com [209.85.220.172]) by ietfa.amsl.com (Postfix) with ESMTP id 9F02321F8C4A for ; Wed, 23 Nov 2011 04:24:51 -0800 (PST) Received: by vcbfy13 with SMTP id fy13so1447390vcb.31 for ; Wed, 23 Nov 2011 04:24:51 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :content-type; bh=dsuBmyi9JmEsAszPAiexxXfbUobYYC97bpSnvxS7rs4=; b=d9DMMblQP6LX62rqJjWJLJU5XIktuAFQlQ2hhYP7FULtHUB60Y3lYtFR2DpqpD7te5 heHesK74RjLRSO6+POu9ayH5+qKsnx440tUyBTaMxhvyIoe2YJGDaGS7Z+RjDLOHg2n7 5DdYOBjI2Jb0z7g1k9ABJCRyYRE8L8fr/GDbk= MIME-Version: 1.0 Received: by 10.52.72.227 with SMTP id g3mr25359552vdv.10.1322051089362; Wed, 23 Nov 2011 04:24:49 -0800 (PST) Received: by 10.220.157.5 with HTTP; Wed, 23 Nov 2011 04:24:49 -0800 (PST) In-Reply-To: <20111123115619.GB98340@elstar.local> References: <20111123115619.GB98340@elstar.local> Date: Wed, 23 Nov 2011 13:24:49 +0100 Message-ID: From: Badra To: Juergen Schoenwaelder , Badra , netconf@ietf.org Content-Type: multipart/alternative; boundary=bcaec50165258e6e1304b2660145 Subject: Re: [Netconf] PSK Identity Types X-BeenThere: netconf@ietf.org X-Mailman-Version: 2.1.12 Precedence: list List-Id: Network Configuration WG mailing list List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 23 Nov 2011 12:24:52 -0000 --bcaec50165258e6e1304b2660145 Content-Type: text/plain; charset=ISO-8859-1 On Wed, Nov 23, 2011 at 12:56 PM, Juergen Schoenwaelder < j.schoenwaelder@jacobs-university.de> wrote: > On Wed, Nov 23, 2011 at 03:13:38PM +0400, Badra wrote: > > Dear all, > > > > draft-badra-netconf-rfc5539bis-00 includes support for certificate and > > pre-shared key (PSK)-based authentication. > > > > RFC4279 listed three "PSK Identity" types: DNS Names, X509 Distinguished > > Names and IP Addresses. > > > > PSK identity is used as the NETCONF username. Please don't hesitate to > > propose more identity types so we include them in the draft > > I and Badra seem to have different interpretations of this text > (quoting from RFC 4279): > > 5.1. PSK Identity Encoding > > The PSK identity MUST be first converted to a character string, and > then encoded to octets using UTF-8 [UTF8]. For instance, > > o IPv4 addresses are sent as dotted-decimal strings (e.g., > "192.0.2.1"), not as 32-bit integers in network byte order. > > o Domain names are sent in their usual text form [DNS] (e.g., > "www.example.com" or "embedded\.dot.example.net"), not in DNS > protocol format. > > o X.500 Distinguished Names are sent in their string representation > [LDAPDN], not as BER-encoded ASN.1. > > My reading of this text is that the PSK identity is a UTF-8 character > string. Period. > > In case your identity is an IPv4 address or a domain name or an X.500 > DN (that is stuff that is natively not a UTF-8 character string), the > bullets say how to render things in UTF-8. I do not see a requirement > in this text to specify identity types and specific encoding rules. In > other words, if I call my PSK identity "badra", the resulting string > is simply the five UTF-8 character sequence "badra". > > > I agree with your interpretation; RFC4279 doesn't mandate the use of any particular type of identity. I wanted in my previous message to know if we need to add more examples on how to convert, to UTF-8, some different PSK Identities not being listed in RFC4279. If this is not required, so the current text is more than enough. Best regards, Badra --bcaec50165258e6e1304b2660145 Content-Type: text/html; charset=ISO-8859-1 Content-Transfer-Encoding: quoted-printable

On Wed, Nov 23, 2011 a= t 12:56 PM, Juergen Schoenwaelder <j.schoenwaelder@jacobs-university.de> wrote:

On = Wed, Nov 23, 2011 at 03:13:38PM +0400, Badra wrote:
> Dear all,
>
> draft-badra-netconf-rfc5539bis-00 includes support for certificate and=
> pre-shared key (PSK)-based authentication.
>
> RFC4279 listed three "PSK Identity" types: DNS Names, X509 D= istinguished
> Names and IP Addresses.
>
> PSK identity is used as the NETCONF username. Please don't hesitat= e to
> propose more identity types so we include them in the draft

I and Badra seem to have different interpretations of this text=
(quoting from RFC 4279):

=A05.1. =A0PSK Identity Encoding

=A0 =A0 The PSK identity MUST be first converted to a character string, an= d
=A0 =A0 then encoded to octets using UTF-8 [UTF8]. =A0For instance,

=A0 =A0 o =A0IPv4 addresses are sent as dotted-decimal strings (e.g.,
=A0 =A0 =A0 =A0"192.0.2.1"), not as 32-bit integers in network b= yte order.

=A0 =A0 o =A0Domain names are sent in their usual text form [DNS] (e.g., =A0 =A0 =A0 =A0"= www.example.com" or "embedded\.dot.example.net"), not in DNS
=A0 =A0 =A0 =A0protocol format.

=A0 =A0 o =A0X.500 Distinguished Names are sent in their string representa= tion
=A0 =A0 =A0 =A0[LDAPDN], not as BER-encoded ASN.1.

My reading of this text is that the PSK identity is a UTF-8 character
string. Period.

In case your identity is an IPv4 address or a domain name or an X.500
DN (that is stuff that is natively not a UTF-8 character string), the
bullets say how to render things in UTF-8. =A0I do not see a requirement in this text to specify identity types and specific encoding rules. In
other words, if I call my PSK identity "badra", the resulting str= ing
is simply the five UTF-8 character sequence "badra".

I agree with your interpretation;= RFC4279=A0doesn't=A0mandate the use of any particular type of identity= . I wanted in my previous message to know if we need to add more examples o= n how to convert, to UTF-8, some different=A0PSK Identities not being liste= d in RFC4279. If this is not required, so the current text is more than eno= ugh.

Best regards,
Badra

--bcaec50165258e6e1304b2660145-- From atarashi@alaxala.net Wed Nov 23 16:37:59 2011 Return-Path: X-Original-To: netconf@ietfa.amsl.com Delivered-To: netconf@ietfa.amsl.com Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 8877D11E80B4 for ; Wed, 23 Nov 2011 16:37:59 -0800 (PST) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -3.599 X-Spam-Level: X-Spam-Status: No, score=-3.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, RCVD_IN_DNSWL_LOW=-1] Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id BUkgBLS22BuP for ; Wed, 23 Nov 2011 16:37:58 -0800 (PST) Received: from mail-iy0-f172.google.com (mail-iy0-f172.google.com [209.85.210.172]) by ietfa.amsl.com (Postfix) with ESMTP id D1F3C11E80B3 for ; Wed, 23 Nov 2011 16:37:58 -0800 (PST) Received: by iaeo4 with SMTP id o4so2680156iae.31 for ; Wed, 23 Nov 2011 16:37:58 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=alaxala.net; s=google; h=message-id:date:from:user-agent:mime-version:to:cc:subject :references:in-reply-to:content-type:content-transfer-encoding; bh=6iFP06yto3MYOL1XTY+cqsGyqrCCJVL1lz+I5+ge1RM=; b=kxcni7L4a1mIvN6rWGac5l9+jYK9eSsFca6c3pYE8ATbqY32IC7pit70hSuOtmmDDA tm+HnzUTN2dzEXkm5l50IRTNXZdedaenRNP4ws7rwqacA3D4GvmTkfemIaAJsCVthLkM 5Jlwl2t/Ogqyh8vRIiD5KadFAAvWubUI3lAFo= Received: by 10.231.27.203 with SMTP id j11mr7009790ibc.10.1322095078544; Wed, 23 Nov 2011 16:37:58 -0800 (PST) Received: from zamboni.intra.alaxala.net ([2001:200:165:1:f2b4:79ff:fe20:77ba]) by mx.google.com with ESMTPS id n30sm79708231ibl.4.2011.11.23.16.37.56 (version=TLSv1/SSLv3 cipher=OTHER); Wed, 23 Nov 2011 16:37:57 -0800 (PST) Message-ID: <4ECD91EE.2070602@alaxala.net> Date: Thu, 24 Nov 2011 09:38:06 +0900 From: Yoshifumi Atarashi User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.6; rv:8.0) Gecko/20111105 Thunderbird/8.0 MIME-Version: 1.0 To: netconf@ietf.org References: <201111211559.pALFxthw007924@idle.juniper.net> In-Reply-To: <201111211559.pALFxthw007924@idle.juniper.net> Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 7bit Subject: Re: [Netconf] Obsoleting Netconf over SOAP(RFC4743)/BEEP(RFC4744) X-BeenThere: netconf@ietf.org X-Mailman-Version: 2.1.12 Precedence: list List-Id: Network Configuration WG mailing list List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 24 Nov 2011 00:37:59 -0000 Hello, Alaxala have an implementation of NETCONF over SOAP. It's supported on our products. And I know HITACHI, NEC, Allied products use NETCONF over SOAP. Yoshifumi Atarashi (11/11/22 0:59), Phil Shafer wrote: > "Bert Wijnen (IETF)" writes: >> 1 - There are multiple implementations >> 2 - There is real production deployment >> 3 - There are multiple people in the WG who want to work >> on such a revision. >> 4 - The existing implementations (if any) are also willing >> to implement such a revision > We have an implementation of NETCONF over BEEP in JUNOS that is > used in real deployments. I'm mostly on hiatus from IETF work due > to "day job" commitments and travel restrictions, so that's two out > of four for me. > > Thanks, > Phil > _______________________________________________ > Netconf mailing list > Netconf@ietf.org > https://www.ietf.org/mailman/listinfo/netconf From mehmet.ersue@nsn.com Wed Nov 23 23:43:05 2011 Return-Path: X-Original-To: netconf@ietfa.amsl.com Delivered-To: netconf@ietfa.amsl.com Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 9088A21F8500 for ; Wed, 23 Nov 2011 23:43:05 -0800 (PST) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -106.577 X-Spam-Level: X-Spam-Status: No, score=-106.577 tagged_above=-999 required=5 tests=[AWL=0.022, BAYES_00=-2.599, RCVD_IN_DNSWL_MED=-4, USER_IN_WHITELIST=-100] Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Rt-U8+IPODo0 for ; Wed, 23 Nov 2011 23:43:05 -0800 (PST) Received: from demumfd001.nsn-inter.net (demumfd001.nsn-inter.net [93.183.12.32]) by ietfa.amsl.com (Postfix) with ESMTP id B563221F84D4 for ; Wed, 23 Nov 2011 23:43:04 -0800 (PST) Received: from demuprx016.emea.nsn-intra.net ([10.150.129.55]) by demumfd001.nsn-inter.net (8.12.11.20060308/8.12.11) with ESMTP id pAO7h160023139 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=OK); Thu, 24 Nov 2011 08:43:01 +0100 Received: from demuexc024.nsn-intra.net (demuexc024.nsn-intra.net [10.159.32.11]) by demuprx016.emea.nsn-intra.net (8.12.11.20060308/8.12.11) with ESMTP id pAO7guSC027111; Thu, 24 Nov 2011 08:43:01 +0100 Received: from DEMUEXC006.nsn-intra.net ([10.150.128.18]) by demuexc024.nsn-intra.net with Microsoft SMTPSVC(6.0.3790.4675); Thu, 24 Nov 2011 08:43:00 +0100 X-MimeOLE: Produced By Microsoft Exchange V6.5 Content-class: urn:content-classes:message MIME-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: quoted-printable Date: Thu, 24 Nov 2011 08:42:59 +0100 Message-ID: <80A0822C5E9A4440A5117C2F4CD36A6403096118@DEMUEXC006.nsn-intra.net> In-Reply-To: <4ECD91EE.2070602@alaxala.net> X-MS-Has-Attach: X-MS-TNEF-Correlator: Thread-Topic: [Netconf] Obsoleting Netconf over SOAP(RFC4743)/BEEP(RFC4744) Thread-Index: AcyqQVVWIJYGBYAAS3SUXcnxFu/oGQAOvyNg References: <201111211559.pALFxthw007924@idle.juniper.net> <4ECD91EE.2070602@alaxala.net> From: "Ersue, Mehmet (NSN - DE/Munich)" To: "ext Yoshifumi Atarashi" , X-OriginalArrivalTime: 24 Nov 2011 07:43:00.0877 (UTC) FILETIME=[B0FA6BD0:01CCAA7C] Subject: Re: [Netconf] Obsoleting Netconf over SOAP(RFC4743)/BEEP(RFC4744) X-BeenThere: netconf@ietf.org X-Mailman-Version: 2.1.12 Precedence: list List-Id: Network Configuration WG mailing list List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 24 Nov 2011 07:43:05 -0000 > 3 - There are multiple people in the WG who want to work > on such a revision. > 4 - The existing implementations (if any) are also willing > to implement such a revision This is fine. However, still the questions 3 and 4 need to be=20 answered to update RFC 4743 fitting the NETCONF RFC 6241. Cheers,=20 Mehmet=20 > -----Original Message----- > From: netconf-bounces@ietf.org [mailto:netconf-bounces@ietf.org] On Behalf Of ext > Yoshifumi Atarashi > Sent: Thursday, November 24, 2011 1:38 AM > To: netconf@ietf.org > Subject: Re: [Netconf] Obsoleting Netconf over SOAP(RFC4743)/BEEP(RFC4744) >=20 > Hello, >=20 > Alaxala have an implementation of NETCONF over SOAP. > It's supported on our products. > And I know HITACHI, NEC, Allied products use NETCONF over SOAP. >=20 > Yoshifumi Atarashi >=20 >=20 > (11/11/22 0:59), Phil Shafer wrote: > > "Bert Wijnen (IETF)" writes: > >> 1 - There are multiple implementations > >> 2 - There is real production deployment > >> 3 - There are multiple people in the WG who want to work > >> on such a revision. > >> 4 - The existing implementations (if any) are also willing > >> to implement such a revision > > We have an implementation of NETCONF over BEEP in JUNOS that is > > used in real deployments. I'm mostly on hiatus from IETF work due > > to "day job" commitments and travel restrictions, so that's two out > > of four for me. > > > > Thanks, > > Phil > > _______________________________________________ > > Netconf mailing list > > Netconf@ietf.org > > https://www.ietf.org/mailman/listinfo/netconf >=20 > _______________________________________________ > Netconf mailing list > Netconf@ietf.org > https://www.ietf.org/mailman/listinfo/netconf From mehmet.ersue@nsn.com Mon Nov 28 06:31:12 2011 Return-Path: X-Original-To: netconf@ietfa.amsl.com Delivered-To: netconf@ietfa.amsl.com Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C629321F8C4C for ; Mon, 28 Nov 2011 06:31:12 -0800 (PST) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -104.74 X-Spam-Level: X-Spam-Status: No, score=-104.74 tagged_above=-999 required=5 tests=[BAYES_20=-0.74, RCVD_IN_DNSWL_MED=-4, USER_IN_WHITELIST=-100] Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id PzW4k+6rmWYH for ; Mon, 28 Nov 2011 06:31:12 -0800 (PST) Received: from demumfd001.nsn-inter.net (demumfd001.nsn-inter.net [93.183.12.32]) by ietfa.amsl.com (Postfix) with ESMTP id 0E26521F88A0 for ; Mon, 28 Nov 2011 06:31:11 -0800 (PST) Received: from demuprx016.emea.nsn-intra.net ([10.150.129.55]) by demumfd001.nsn-inter.net (8.12.11.20060308/8.12.11) with ESMTP id pASEVAaA009718 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=OK) for ; Mon, 28 Nov 2011 15:31:10 +0100 Received: from DEMUEXC048.nsn-intra.net ([10.159.32.94]) by demuprx016.emea.nsn-intra.net (8.12.11.20060308/8.12.11) with ESMTP id pASEV7i8022885 for ; Mon, 28 Nov 2011 15:31:10 +0100 Received: from DEMUEXC006.nsn-intra.net ([10.150.128.18]) by DEMUEXC048.nsn-intra.net with Microsoft SMTPSVC(6.0.3790.4675); Mon, 28 Nov 2011 15:30:50 +0100 X-MimeOLE: Produced By Microsoft Exchange V6.5 Content-class: urn:content-classes:message MIME-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: quoted-printable Date: Mon, 28 Nov 2011 15:30:49 +0100 Message-ID: <80A0822C5E9A4440A5117C2F4CD36A6403114C4C@DEMUEXC006.nsn-intra.net> X-MS-Has-Attach: X-MS-TNEF-Correlator: Thread-Topic: Draft IETF 82 NETCONF Session Minutes Thread-Index: Acyt2lLtlkMG7ND1StumRtctl1iPSA== From: "Ersue, Mehmet (NSN - DE/Munich)" To: X-OriginalArrivalTime: 28 Nov 2011 14:30:50.0651 (UTC) FILETIME=[53C09EB0:01CCADDA] Subject: [Netconf] Draft IETF 82 NETCONF Session Minutes X-BeenThere: netconf@ietf.org X-Mailman-Version: 2.1.12 Precedence: list List-Id: Network Configuration WG mailing list List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 28 Nov 2011 14:31:12 -0000 Dear NETCONF WG, please find below the draft minutes of the NETCONF session in IETF 82. Please send us your comments by Dec. 12, 2011. http://www.ietf.org/proceedings/82/minutes/netconf.txt=20 Many thanks to the minute taker Lada Lhotka and Jabber=20 scribe Russ Mundy. Mehmet & Bert From mbadra@gmail.com Mon Nov 28 07:40:58 2011 Return-Path: X-Original-To: netconf@ietfa.amsl.com Delivered-To: netconf@ietfa.amsl.com Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 5CBFE21F8BB2 for ; Mon, 28 Nov 2011 07:40:58 -0800 (PST) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -2.398 X-Spam-Level: X-Spam-Status: No, score=-2.398 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, HTML_MESSAGE=0.001, J_CHICKENPOX_16=0.6, J_CHICKENPOX_43=0.6, RCVD_IN_DNSWL_LOW=-1] Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id pvxg46MTtyb3 for ; Mon, 28 Nov 2011 07:40:57 -0800 (PST) Received: from mail-vx0-f172.google.com (mail-vx0-f172.google.com [209.85.220.172]) by ietfa.amsl.com (Postfix) with ESMTP id 28FF421F8A6C for ; Mon, 28 Nov 2011 07:40:57 -0800 (PST) Received: by vcbfy13 with SMTP id fy13so5461999vcb.31 for ; Mon, 28 Nov 2011 07:40:56 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type; bh=sFcbs9WRtcO/M8DNnPbSm0/U6Db4DePH549wzGhVJAU=; b=Sa/Mlj55Ejt40p33zTIoEKFt6Yk5modKLFHwTZnhWHtvTJtWsHzE+QnH5IfmIz0/oX Jbcd32rs+qEGRGIw+w5fiNkEuUENzyrBUi9jvlRarLte0zcEkq39rDqPJDn/PbU6ytYH oYgyYdzKeKMwoNNfWzN2X6rep0ykCHzQWUzRs= MIME-Version: 1.0 Received: by 10.220.176.12 with SMTP id bc12mr4887463vcb.142.1322494855127; Mon, 28 Nov 2011 07:40:55 -0800 (PST) Received: by 10.220.191.13 with HTTP; Mon, 28 Nov 2011 07:40:54 -0800 (PST) In-Reply-To: References: <4ECCA4F0.7010504@bwijnen.net> Date: Mon, 28 Nov 2011 16:40:54 +0100 Message-ID: From: Badra To: Carsten Bormann Content-Type: multipart/alternative; boundary=90e6ba53aeb60ea54004b2cd5416 Cc: netconf@ietf.org Subject: [Netconf] PSK comment during NETCONF session at IETF X-BeenThere: netconf@ietf.org X-Mailman-Version: 2.1.12 Precedence: list List-Id: Network Configuration WG mailing list List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 28 Nov 2011 15:40:58 -0000 --90e6ba53aeb60ea54004b2cd5416 Content-Type: text/plain; charset=windows-1252 Content-Transfer-Encoding: quoted-printable On Wed, Nov 23, 2011 at 5:09 PM, Carsten Bormann wrote: > On Nov 23, 2011, at 08:46, Bert Wijnen (IETF) wrote: > > > I will let Carsten explain what his exact question was/is. > > My understanding of it was that he wonders what happens > > during key roll-over. The way I understood it, one can > > have 2 keys (ofr a period of time) during roll-over (i.e. > > during the time that you are switching from one PSK to a new PSK). > > So how is that being dealth with? > > Exactly. Below please find the question as I posed it to two of the > authors of RFC4279 (I don't have a reply yet), with some additional > comments: > > > I'm neither a netconf nor a TLS expert, but I'm trying to do the same > > thing in CoRE that draft-badra-netconf-rfc5539bis-00.txt tries to do > > in section 3.2.2: use the PSK identity mechanism defined in RFC4279 > > section 2 as a way to establish a user name that is authenticated by > > the TLS (/DTLS) session. > > > > RFC4279: > > Both clients and servers may have pre-shared keys with several > > different parties. The client indicates which key to use by > > including a "PSK identity"... > > > > I would expect many organizations to have a policy that limits the > > lifetime of a PSK. (I'm not talking about rekeying of the TEK here -- > > this is taken care of by starting a new TLS connection.) To do key > > rollover, at any time an old and a new key may be active > > simultaneously for one user. I'd expect these to have different PSK > > key identities. So how can they map to the same username? > > > > 1) we can define an algorithmic mapping from the PSK identity to a > > user name (by removing some information, which then effectively > > becomes the key generation ID). > > e.g., the UTF-8 PSK identity string would be something like cabo@tzi.org/= 1, > cabo@tzi.org/2, and the mapping to the username would get rid of the part > starting with the slash. > > RFC4279 doesn't specify that; I believe it is up to the application layer to manage that. Your approach can help. I can insert it to the document if people agree. > 2) We can store the username with the key and use the PSK identity as > > just that, a key identity; the username is then retrieved with the key. > > e.g., the UTF-8 PSK identity string would be something like Jpzb3YWS, and > there would be a table like > > Jpzb3YWS cabo@tzi.org (key=85) > K3nV6qh0 cabo@tzi.org (key=85) > A4AINPdk bertietf@bwijnen.net (key=85) > n5Dft5CQ mehmet.ersue@nsn.com (key=85) > 2qQbLrhI mehmet.ersue@nsn.com (key=85) > > (probably with columns added that maintain the key validity time ranges). > > > 3) We can expect the TLS implementation to maintain multiple keys > > under one identity and select the one that happens to authenticate. > > (which is a bit ugly to implement and would AFAIK be a new requirement on > a TLS library that no existing one meets.) > > I'd like to know what is the right way to do this. I'll then send a > > message to the netconf and core WGs providing some explanation. > > > > Gruesse, Carsten > > In order to get this discussion going, please feel free to forward this > message to the netconf list (I'm subscribing now, too). > > The WG is cced to this message, and are invited to comment on that issue Best regards Badra --90e6ba53aeb60ea54004b2cd5416 Content-Type: text/html; charset=windows-1252 Content-Transfer-Encoding: quoted-printable

On Wed, Nov 23, 2011 at 5:0= 9 PM, Carsten Bormann <cabo@tzi.org> wrote:

On Nov 23, 2011, at 08:46, Bert Wijnen (IETF) wrote:

> I will let Carsten explain what his exact question was/is.
> My understanding of it was that he wonders what happens
> during key roll-over. The way I understood it, one can
> have 2 keys (ofr a period of time) during roll-over (i.e.
> during the time that you are switching from one PSK to a new PSK).
> So how is that being dealth with?

Exactly. =A0Below please find the question as I posed it to two of th= e authors of RFC4279 (I don't have a reply yet), with some additional c= omments:

> I'm neither a netconf nor a TLS expert, but I'm trying to do t= he same
> thing in CoRE that draft-badra-netconf-rfc5539bis-00.txt tries to do > in section 3.2.2: use the PSK identity mechanism defined in RFC4279 > section 2 as a way to establish a user name that is authenticated by > the TLS (/DTLS) session.
>
> RFC4279:
> =A0 Both clients and servers may have pre-shared keys with several
> =A0 different parties. =A0The client indicates which key to use by
> =A0 including a "PSK identity"...
>
> I would expect many organizations to have a policy that limits the
> lifetime of a PSK. =A0(I'm not talking about rekeying of the TEK h= ere --
> this is taken care of by starting a new TLS connection.) =A0To do key<= br> > rollover, at any time an old and a new key may be active
> simultaneously for one user. =A0I'd expect these to have different= PSK
> key identities. =A0So how can they map to the same username?
>
> 1) we can define an algorithmic mapping from the PSK identity to a
> user name (by removing some information, which then effectively
> becomes the key generation ID).

e.g., the UTF-8 PSK identity string would be something like cabo@tzi.org/1, cabo@tzi.org/2, and the mapping to th= e username would get rid of the part starting with the slash.

RFC4279 doesn't spe= cify that; I believe it is up to the application layer to manage that.

Your approach can help. I can insert it to the documen= t if people agree.

cabo@tzi.org =A0 =A0 =A0 =A0 = =A0 =A0 (key=85)
K3nV6qh0 cabo@tzi.org =A0 =A0 =A0 =A0 = =A0 =A0 (key=85)
A4AINPdk bertietf@bwijnen.net = =A0 =A0 (key=85)
n5Dft5CQ mehmet.ersue@nsn.com = =A0 =A0 (key=85)
2qQbLrhI mehmet.ersue@nsn.com = =A0 =A0 (key=85)

(probably with columns added that maintain the key validity time ranges).
> 3) We can expect the TLS implementation to maintain multiple keys
> under one identity and select the one that happens to authenticate.
(which is a bit ugly to implement and would AFAIK be a new requirement on a= TLS library that no existing one meets.)
=A0

> I'd like to know what is the right way to do this. =A0I'll the= n send a
> message to the netconf and core WGs providing some explanation.
>
> Gruesse, Carsten

In order to get this discussion going, please feel free to forward this mes= sage to the netconf list (I'm subscribing now, too).

The WG is cced to this message, and are in= vited to comment on that issue

Best regards

<= div>Badra=A0

--90e6ba53aeb60ea54004b2cd5416-- From j.schoenwaelder@jacobs-university.de Mon Nov 28 07:59:37 2011 Return-Path: X-Original-To: netconf@ietfa.amsl.com Delivered-To: netconf@ietfa.amsl.com Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 5F5CE21F8B53 for ; Mon, 28 Nov 2011 07:59:37 -0800 (PST) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -101.72 X-Spam-Level: X-Spam-Status: No, score=-101.72 tagged_above=-999 required=5 tests=[AWL=0.329, BAYES_00=-2.599, HELO_EQ_DE=0.35, J_CHICKENPOX_16=0.6, J_CHICKENPOX_43=0.6, RCVD_IN_DNSWL_LOW=-1, USER_IN_WHITELIST=-100] Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 5j6mB2lzyCh6 for ; Mon, 28 Nov 2011 07:59:36 -0800 (PST) Received: from hermes.jacobs-university.de (hermes.jacobs-university.de [212.201.44.23]) by ietfa.amsl.com (Postfix) with ESMTP id 63F7721F8B45 for ; Mon, 28 Nov 2011 07:59:36 -0800 (PST) Received: from localhost (demetrius3.jacobs-university.de [212.201.44.48]) by hermes.jacobs-university.de (Postfix) with ESMTP id B652120CC2; Mon, 28 Nov 2011 16:59:35 +0100 (CET) X-Virus-Scanned: amavisd-new at jacobs-university.de Received: from hermes.jacobs-university.de ([212.201.44.23]) by localhost (demetrius3.jacobs-university.de [212.201.44.32]) (amavisd-new, port 10024) with ESMTP id xHSNxK9GK1G3; Mon, 28 Nov 2011 16:59:34 +0100 (CET) Received: from elstar.local (elstar.jacobs.jacobs-university.de [10.50.231.133]) by hermes.jacobs-university.de (Postfix) with ESMTP id 372D320CBC; Mon, 28 Nov 2011 16:59:34 +0100 (CET) Received: by elstar.local (Postfix, from userid 501) id 615591BE7160; Mon, 28 Nov 2011 16:59:17 +0100 (CET) Date: Mon, 28 Nov 2011 16:59:16 +0100 From: Juergen Schoenwaelder To: Carsten Bormann Message-ID: <20111128155916.GE22835@elstar.local> Mail-Followup-To: Carsten Bormann , netconf@ietf.org References: <4ECCA4F0.7010504@bwijnen.net> MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Disposition: inline Content-Transfer-Encoding: 8bit In-Reply-To: User-Agent: Mutt/1.5.21 (2010-09-15) Cc: netconf@ietf.org Subject: Re: [Netconf] PSK comment during NETCONF session at IETF X-BeenThere: netconf@ietf.org X-Mailman-Version: 2.1.12 Precedence: list Reply-To: Juergen Schoenwaelder List-Id: Network Configuration WG mailing list List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 28 Nov 2011 15:59:37 -0000 On Wed, Nov 23, 2011 at 05:09:24PM +0100, Carsten Bormann wrote: > > I would expect many organizations to have a policy that limits the > > lifetime of a PSK. (I'm not talking about rekeying of the TEK here -- > > this is taken care of by starting a new TLS connection.) To do key > > rollover, at any time an old and a new key may be active > > simultaneously for one user. I'd expect these to have different PSK > > key identities. So how can they map to the same username? > > > > 1) we can define an algorithmic mapping from the PSK identity to a > > user name (by removing some information, which then effectively > > becomes the key generation ID). > > e.g., the UTF-8 PSK identity string would be something like cabo@tzi.org/1, cabo@tzi.org/2, and the mapping to the username would get rid of the part starting with the slash. > > > 2) We can store the username with the key and use the PSK identity as > > just that, a key identity; the username is then retrieved with the key. > > e.g., the UTF-8 PSK identity string would be something like Jpzb3YWS, and there would be a table like > > Jpzb3YWS cabo@tzi.org (key…) > K3nV6qh0 cabo@tzi.org (key…) > A4AINPdk bertietf@bwijnen.net (key…) > n5Dft5CQ mehmet.ersue@nsn.com (key…) > 2qQbLrhI mehmet.ersue@nsn.com (key…) > > (probably with columns added that maintain the key validity time ranges). > > > 3) We can expect the TLS implementation to maintain multiple keys > > under one identity and select the one that happens to authenticate. > > (which is a bit ugly to implement and would AFAIK be a new requirement on a TLS library that no existing one meets.) > > > I'd like to know what is the right way to do this. I'll then send a > > message to the netconf and core WGs providing some explanation. > > > > Gruesse, Carsten > > In order to get this discussion going, please feel free to forward this message to the netconf list (I'm subscribing now, too). While we could invent option 1), things get bad if other WGs choose to invent a different notation as there does not seem to be a common notation for this (yet). Option 2) seems to be a safe bet since it pushed the problem to controllable configuration (and as a side effect we would have a NETCONF way of managing PSK keys). Option 3 seems to be out of scope since PSK does not allow "key probing" (and I assume security folks might not like this either). /js -- Juergen Schoenwaelder Jacobs University Bremen gGmbH Phone: +49 421 200 3587 Campus Ring 1, 28759 Bremen, Germany Fax: +49 421 200 3103 From ietfc@btconnect.com Tue Nov 29 03:39:18 2011 Return-Path: X-Original-To: netconf@ietfa.amsl.com Delivered-To: netconf@ietfa.amsl.com Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 2FD1D21F85B8 for ; Tue, 29 Nov 2011 03:39:18 -0800 (PST) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -1.399 X-Spam-Level: X-Spam-Status: No, score=-1.399 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, J_CHICKENPOX_16=0.6, J_CHICKENPOX_43=0.6] Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Hv-54ktXWpqF for ; Tue, 29 Nov 2011 03:39:17 -0800 (PST) Received: from mail.btconnect.com (c2bthomr07.btconnect.com [213.123.20.125]) by ietfa.amsl.com (Postfix) with ESMTP id 004EB21F85F2 for ; Tue, 29 Nov 2011 03:39:16 -0800 (PST) Received: from host86-177-208-97.range86-177.btcentralplus.com (HELO pc6) ([86.177.208.97]) by c2bthomr07.btconnect.com with SMTP id FMD87298; Tue, 29 Nov 2011 11:38:58 +0000 (GMT) Message-ID: <035a01ccae83$5c9c55c0$4001a8c0@gateway.2wire.net> From: "t.petch" To: "Juergen Schoenwaelder" , "Carsten Bormann" References: <4ECCA4F0.7010504@bwijnen.net> <20111128155916.GE22835@elstar.local> Date: Tue, 29 Nov 2011 11:40:46 +0100 MIME-Version: 1.0 Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: 8bit X-Priority: 3 X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook Express 6.00.2800.1106 X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1106 X-Mirapoint-IP-Reputation: reputation=Fair-1, source=Queried, refid=tid=0001.0A0B0303.4ED4C451.00A7, actions=TAG X-Junkmail-Premium-Raw: score=7/50, refid=2.7.2:2011.11.29.104816:17:7.586, ip=86.177.208.97, rules=__HAS_MSGID, __OUTLOOK_MSGID_1, __SANE_MSGID, __TO_MALFORMED_2, __BOUNCE_CHALLENGE_SUBJ, __BOUNCE_NDR_SUBJ_EXEMPT, __MIME_VERSION, __CT, __CT_TEXT_PLAIN, __CTE, __HAS_X_PRIORITY, __HAS_MSMAIL_PRI, __HAS_X_MAILER, USER_AGENT_OE, __OUTLOOK_MUA_1, __USER_AGENT_MS_GENERIC, __ANY_URI, __FRAUD_CONTACT_NUM, __CP_URI_IN_BODY, __C230066_P5, __PHISH_SPEAR_ACCOUNT_1, BODY_SIZE_3000_3999, __MIME_TEXT_ONLY, RDNS_GENERIC_POOLED, BODY_SIZE_5000_LESS, RDNS_SUSP_GENERIC, __OUTLOOK_MUA, RDNS_SUSP, BODY_SIZE_7000_LESS X-Junkmail-Status: score=10/50, host=c2bthomr07.btconnect.com X-Junkmail-Signature-Raw: score=unknown, refid=str=0001.0A0B020C.4ED4C452.017C,ss=1,re=0.000,fgs=0, ip=0.0.0.0, so=2011-07-25 19:15:43, dmn=2011-05-27 18:58:46, mode=multiengine X-Junkmail-IWF: false Cc: netconf@ietf.org Subject: Re: [Netconf] PSK comment during NETCONF session at IETF X-BeenThere: netconf@ietf.org X-Mailman-Version: 2.1.12 Precedence: list List-Id: Network Configuration WG mailing list List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 29 Nov 2011 11:39:18 -0000 ---- Original Message ----- From: "Juergen Schoenwaelder" To: "Carsten Bormann" Cc: Sent: Monday, November 28, 2011 4:59 PM > On Wed, Nov 23, 2011 at 05:09:24PM +0100, Carsten Bormann wrote: > > > > I would expect many organizations to have a policy that limits the > > > lifetime of a PSK. (I'm not talking about rekeying of the TEK here -- > > > this is taken care of by starting a new TLS connection.) To do key > > > rollover, at any time an old and a new key may be active > > > simultaneously for one user. I'd expect these to have different PSK > > > key identities. So how can they map to the same username? > > > > > > 1) we can define an algorithmic mapping from the PSK identity to a > > > user name (by removing some information, which then effectively > > > becomes the key generation ID). > > > > e.g., the UTF-8 PSK identity string would be something like cabo@tzi.org/1, cabo@tzi.org/2, and the mapping to the username would get rid of the part starting with the slash. > > > > > 2) We can store the username with the key and use the PSK identity as > > > just that, a key identity; the username is then retrieved with the key. > > > > e.g., the UTF-8 PSK identity string would be something like Jpzb3YWS, and there would be a table like > > > > Jpzb3YWS cabo@tzi.org (key…) > > K3nV6qh0 cabo@tzi.org (key…) > > A4AINPdk bertietf@bwijnen.net (key…) > > n5Dft5CQ mehmet.ersue@nsn.com (key…) > > 2qQbLrhI mehmet.ersue@nsn.com (key…) > > > > (probably with columns added that maintain the key validity time ranges). > > > > > 3) We can expect the TLS implementation to maintain multiple keys > > > under one identity and select the one that happens to authenticate. > > > > (which is a bit ugly to implement and would AFAIK be a new requirement on a TLS library that no existing one meets.) > > > > > I'd like to know what is the right way to do this. I'll then send a > > > message to the netconf and core WGs providing some explanation. > > > > > > Gruesse, Carsten > > > > In order to get this discussion going, please feel free to forward this message to the netconf list (I'm subscribing now, too). > > While we could invent option 1), things get bad if other WGs choose to > invent a different notation as there does not seem to be a common > notation for this (yet). I think that the underlying problem is a lack of interest in PSK and allied technologies. There was an I-D brought to the TLS recently in this area which provoked the response, 'why do you expect this one to succeed when the previous three I-Ds have not?' Logically, PSK makes a lot of sense but as here, more work is needed. But it just does not seem to get used, hence, IMO, the unresolved details. Tom Petch > > Option 2) seems to be a safe bet since it pushed the problem to > controllable configuration (and as a side effect we would have a > NETCONF way of managing PSK keys). > > Option 3 seems to be out of scope since PSK does not allow "key > probing" (and I assume security folks might not like this either). > > /js > > -- > Juergen Schoenwaelder Jacobs University Bremen gGmbH > Phone: +49 421 200 3587 Campus Ring 1, 28759 Bremen, Germany > Fax: +49 421 200 3103 > _______________________________________________ > Netconf mailing list > Netconf@ietf.org > https://www.ietf.org/mailman/listinfo/netconf > From cabo@tzi.org Tue Nov 29 07:09:31 2011 Return-Path: X-Original-To: netconf@ietfa.amsl.com Delivered-To: netconf@ietfa.amsl.com Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C082221F8B5D for ; Tue, 29 Nov 2011 07:09:31 -0800 (PST) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -105.649 X-Spam-Level: X-Spam-Status: No, score=-105.649 tagged_above=-999 required=5 tests=[AWL=-0.600, BAYES_00=-2.599, HELO_EQ_DE=0.35, J_CHICKENPOX_16=0.6, J_CHICKENPOX_43=0.6, RCVD_IN_DNSWL_MED=-4, USER_IN_WHITELIST=-100] Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id qga9olojY7-n for ; Tue, 29 Nov 2011 07:09:31 -0800 (PST) Received: from informatik.uni-bremen.de (mailhost.informatik.uni-bremen.de [IPv6:2001:638:708:30c9::12]) by ietfa.amsl.com (Postfix) with ESMTP id EB6CD21F8AC9 for ; Tue, 29 Nov 2011 07:09:30 -0800 (PST) X-Virus-Scanned: amavisd-new at informatik.uni-bremen.de Received: from smtp-fb3.informatik.uni-bremen.de (smtp-fb3.informatik.uni-bremen.de [134.102.224.120]) by informatik.uni-bremen.de (8.14.3/8.14.3) with ESMTP id pATF9NF0025591; Tue, 29 Nov 2011 16:09:23 +0100 (CET) Received: from eduroam-pool6-0601.wlan.uni-bremen.de (eduroam-pool6-0601.wlan.uni-bremen.de [134.102.26.89]) (using TLSv1 with cipher AES128-SHA (128/128 bits)) (No client certificate requested) by smtp-fb3.informatik.uni-bremen.de (Postfix) with ESMTPSA id 4B664A6A; Tue, 29 Nov 2011 16:09:23 +0100 (CET) Mime-Version: 1.0 (Apple Message framework v1251.1) Content-Type: text/plain; charset=windows-1252 From: Carsten Bormann In-Reply-To: <20111128155916.GE22835@elstar.local> Date: Tue, 29 Nov 2011 16:09:23 +0100 Content-Transfer-Encoding: quoted-printable Message-Id: <73DE8CE6-8C58-414C-994E-891560A78D4B@tzi.org> References: <4ECCA4F0.7010504@bwijnen.net> <20111128155916.GE22835@elstar.local> To: Juergen Schoenwaelder X-Mailer: Apple Mail (2.1251.1) Cc: netconf@ietf.org Subject: Re: [Netconf] PSK comment during NETCONF session at IETF X-BeenThere: netconf@ietf.org X-Mailman-Version: 2.1.12 Precedence: list List-Id: Network Configuration WG mailing list List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 29 Nov 2011 15:09:31 -0000 On Nov 28, 2011, at 16:59, Juergen Schoenwaelder wrote: >>> 2) We can store the username with the key and use the PSK identity = as >>> just that, a key identity; the username is then retrieved with the = key. >>=20 >> e.g., the UTF-8 PSK identity string would be something like Jpzb3YWS, = and there would be a table like >>=20 >> Jpzb3YWS cabo@tzi.org (key=85) >> K3nV6qh0 cabo@tzi.org (key=85) >> A4AINPdk bertietf@bwijnen.net (key=85) >> n5Dft5CQ mehmet.ersue@nsn.com (key=85) >> 2qQbLrhI mehmet.ersue@nsn.com (key=85) >>=20 >> (probably with columns added that maintain the key validity time = ranges). >>=20 > Option 2) seems to be a safe bet since it pushed the problem to > controllable configuration (and as a side effect we would have a > NETCONF way of managing PSK keys). Sounds good to me. Gr=FC=DFe, Carsten From dromasca@avaya.com Tue Nov 29 08:38:47 2011 Return-Path: X-Original-To: netconf@ietfa.amsl.com Delivered-To: netconf@ietfa.amsl.com Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id CBDCD21F8BF4 for ; Tue, 29 Nov 2011 08:38:47 -0800 (PST) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -102.963 X-Spam-Level: X-Spam-Status: No, score=-102.963 tagged_above=-999 required=5 tests=[AWL=0.636, BAYES_00=-2.599, RCVD_IN_DNSWL_LOW=-1, USER_IN_WHITELIST=-100] Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 2D7G8ZDmmWCj for ; Tue, 29 Nov 2011 08:38:47 -0800 (PST) Received: from co300216-co-outbound.net.avaya.com (co300216-co-outbound.net.avaya.com [198.152.13.100]) by ietfa.amsl.com (Postfix) with ESMTP id 404E821F8AFA for ; Tue, 29 Nov 2011 08:38:47 -0800 (PST) X-IronPort-Anti-Spam-Filtered: true X-IronPort-Anti-Spam-Result: ApwAAN0J1U7GmAcF/2dsb2JhbABDmmKQGIEFgXIBAQEBAxIeCksGAQgNBAQBAQsGDAsBB0UHAQEFBAEEEwganzeEFJtjiAmCMmMEmjmMLQ X-IronPort-AV: E=Sophos;i="4.69,592,1315195200"; d="scan'208";a="316988581" Received: from unknown (HELO co300216-co-erhwest.avaya.com) ([198.152.7.5]) by co300216-co-outbound.net.avaya.com with ESMTP; 29 Nov 2011 11:38:44 -0500 Received: from unknown (HELO 307622ANEX5.global.avaya.com) ([135.64.140.12]) by co300216-co-erhwest-out.avaya.com with ESMTP; 29 Nov 2011 11:36:45 -0500 X-MimeOLE: Produced By Microsoft Exchange V6.5 Content-class: urn:content-classes:message MIME-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: quoted-printable Date: Tue, 29 Nov 2011 17:38:40 +0100 Message-ID: X-MS-Has-Attach: X-MS-TNEF-Correlator: Thread-Topic: secdir review of draft-ietf-netconf-access-control-06 Thread-Index: AcyuF5BqVfAUJ9IqRUO/NntQ7LuMHQAncVdA From: "Romascanu, Dan (Dan)" To: Subject: [Netconf] FW: secdir review of draft-ietf-netconf-access-control-06 X-BeenThere: netconf@ietf.org X-Mailman-Version: 2.1.12 Precedence: list List-Id: Network Configuration WG mailing list List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 29 Nov 2011 16:38:47 -0000 -----Original Message----- From: Carl Wallace [mailto:carl@redhoundsoftware.com]=20 Sent: Monday, November 28, 2011 11:49 PM To: draft-ietf-netconf-access-control.all@tools.ietf.org Cc: iesg@ietf.org; secdir@ietf.org Subject: secdir review of draft-ietf-netconf-access-control-06 I have reviewed this document as part of the security directorate's ongoing effort to review all IETF documents being processed by the IESG. These comments were written primarily for the benefit of the security area directors. Document editors and WG chairs should treat these comments just like any other last call comments. This document defines such an access control model to restrict NETCONF protocol access for particular users to a pre-configured subset of all available NETCONF protocol operations and content. I am not familiar with NETCONF or YANG so my review may be off-base. I found the frequent references to "recovery sessions" and "non-recovery sessions" unnecessary and somewhat confusing. Couldn't this concept be described once and omitted from the various lists of steps? There are probably some inconsistencies in the RFC 2119 language around the "recovery session" concept. For example, section 3.4.4 provides a bulleted list of steps that MUST be followed. Included in this list is an exception for recovery sessions. Section 3.3.1 says a "server MAY support a "recovery session" mechanism". Should 3.3.1 be a MUST? Section 3.1.1 references both "recovery session" and the ability to disable the entire access control model "during operation, in order to debug operational problems". What does the latter bullet that mentions debugging refer to in the model? Is this bullet just a second reference to recovery session? In section 3.2.4, copy operations may be partially performed while "nodes to which the client does not have read access are silently omitted". Why is this OK? It seems inconsistent with section 3.1.3, which says "If the user is authorized to perform the requested access operation on the requested data, then processing continues", implying that processing does not continue otherwise. The same silent skipping of items appears elsewhere as well, including edit config. At a minimum, some rationale describing why these silent omissions are acceptable should be provided. From dromasca@avaya.com Tue Nov 29 08:39:11 2011 Return-Path: X-Original-To: netconf@ietfa.amsl.com Delivered-To: netconf@ietfa.amsl.com Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 1458321F8C76 for ; Tue, 29 Nov 2011 08:39:11 -0800 (PST) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -103.09 X-Spam-Level: X-Spam-Status: No, score=-103.09 tagged_above=-999 required=5 tests=[AWL=0.509, BAYES_00=-2.599, RCVD_IN_DNSWL_LOW=-1, USER_IN_WHITELIST=-100] Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id CjAgzJloK0BU for ; Tue, 29 Nov 2011 08:39:09 -0800 (PST) Received: from de307622-de-outbound.net.avaya.com (de307622-de-outbound.net.avaya.com [198.152.71.100]) by ietfa.amsl.com (Postfix) with ESMTP id 0CF8E21F8AFA for ; Tue, 29 Nov 2011 08:39:08 -0800 (PST) X-IronPort-Anti-Spam-Filtered: true X-IronPort-Anti-Spam-Result: ApwAAIoJ1U6HCzI1/2dsb2JhbABDmmKQGIEFgXIBAQEBAxIeCj0OBgEIDQQEAQELBgwLAQdFBwEBBQQBBBMIGp83hBSbY4gJgjJjBJo5jC0 X-IronPort-AV: E=Sophos;i="4.69,592,1315195200"; d="scan'208";a="279642515" Received: from unknown (HELO p-us1-erheast.us1.avaya.com) ([135.11.50.53]) by de307622-de-outbound.net.avaya.com with ESMTP; 29 Nov 2011 11:39:04 -0500 Received: from unknown (HELO 307622ANEX5.global.avaya.com) ([135.64.140.12]) by p-us1-erheast-out.us1.avaya.com with ESMTP; 29 Nov 2011 11:27:20 -0500 X-MimeOLE: Produced By Microsoft Exchange V6.5 Content-class: urn:content-classes:message MIME-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: quoted-printable Date: Tue, 29 Nov 2011 17:39:01 +0100 Message-ID: X-MS-Has-Attach: X-MS-TNEF-Correlator: Thread-Topic: Secdir review of draft-ietf-netconf-system-notifications-06 Thread-Index: AcyuKpFYfdWR2kGRTCWxWg8QktjYBwAis4Bg From: "Romascanu, Dan (Dan)" To: Subject: [Netconf] FW: Secdir review of draft-ietf-netconf-system-notifications-06 X-BeenThere: netconf@ietf.org X-Mailman-Version: 2.1.12 Precedence: list List-Id: Network Configuration WG mailing list List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 29 Nov 2011 16:39:11 -0000 -----Original Message----- From: iesg-bounces@ietf.org [mailto:iesg-bounces@ietf.org] On Behalf Of Brian Weis Sent: Tuesday, November 29, 2011 2:05 AM To: secdir@ietf.org; The IESG Cc: draft-ietf-netconf-system-notifications.all@tools.ietf.org Subject: Secdir review of draft-ietf-netconf-system-notifications-06 I have reviewed this document as part of the security directorate's ongoing effort to review all IETF documents being processed by the IESG. These comments were written primarily for the benefit of the security area directors. Document editors and WG chairs should treat these comments just like any other last call comments. This document defines a YANG module that allows a NETCONF client to receive notifications for some common system events. Events reported include change of system configuration, start or stop of of a NETCONF client, and the like. These are important notifications for the purposes of accounting and auditing. I have two comments on the Security Considerations text: 1) The first paragraph indicates that SSH is mandatory-to-implement for the transport layer and cites RFC 6242 ("Using the NETCONF Protocol over Secure Shell (SSH)". This is certainly good and acceptable, but I'm not sure where the statement is made that says RFC 6242 MUST be implemented as part of a NETCONF implementation. It would be good to cite that RFC as well. 2) The second paragraph wisely states that read access to the data nodes described in this memo should be controlled. It would be helpful to give some advice how the control can be done. For example, this could be an authorization step by the SSH server as part of authenticating a client. Or it could be true because authentication credentials known by server are only given to users who are authorized to have read access. The first paragraph of RFC 62642's Security Considerations discusses this a bit and seems to imply the latter authorization model. If that's the intention here, a statement recommending giving out authentication credentials only to users/devices authorized to read the NETCONF notifications would be sufficient. Brian From cabo@tzi.org Tue Nov 29 12:20:02 2011 Return-Path: X-Original-To: netconf@ietfa.amsl.com Delivered-To: netconf@ietfa.amsl.com Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A2A331F0CAE for ; Tue, 29 Nov 2011 12:20:02 -0800 (PST) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -103.316 X-Spam-Level: X-Spam-Status: No, score=-103.316 tagged_above=-999 required=5 tests=[AWL=-1.317, BAYES_00=-2.599, J_CHICKENPOX_15=0.6, USER_IN_WHITELIST=-100] Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id cODhIN3xqowl for ; Tue, 29 Nov 2011 12:20:02 -0800 (PST) Received: from informatik.uni-bremen.de (mailhost.informatik.uni-bremen.de [IPv6:2001:638:708:30c9::12]) by ietfa.amsl.com (Postfix) with ESMTP id BC5D71F0CAD for ; Tue, 29 Nov 2011 12:19:58 -0800 (PST) X-Virus-Scanned: amavisd-new at informatik.uni-bremen.de Received: from [127.0.0.1] (maildrop [134.102.201.19]) by informatik.uni-bremen.de (8.14.3/8.14.3) with ESMTP id pATKJjpF010273; Tue, 29 Nov 2011 21:19:47 +0100 (CET) From: Carsten Bormann To: "t.petch" In-Reply-To: <035a01ccae83$5c9c55c0$4001a8c0@gateway.2wire.net> X-Priority: 3 References: <4ECCA4F0.7010504@bwijnen.net> <20111128155916.GE22835@elstar.local> <035a01ccae83$5c9c55c0$4001a8c0@gateway.2wire.net> Message-Id: <53FCB843-FCB0-4F2E-9715-566354C9FA65@tzi.org> Content-Type: text/plain; charset=US-ASCII; format=flowed; delsp=yes Content-Transfer-Encoding: 7bit Mime-Version: 1.0 (Apple Message framework v936) Date: Tue, 29 Nov 2011 21:19:45 +0100 X-Mailer: Apple Mail (2.936) Cc: netconf@ietf.org Subject: Re: [Netconf] PSK comment during NETCONF session at IETF X-BeenThere: netconf@ietf.org X-Mailman-Version: 2.1.12 Precedence: list List-Id: Network Configuration WG mailing list List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 29 Nov 2011 20:20:02 -0000 On Nov 29 2011, at 11:40, t.petch wrote: > lack of interest in PSK > and allied technologies I see the same problem in a slightly different light: TLS is just not yet being used a lot for PSK (just as, e.g., TLS 1.2 hasn't seen a lot of use yet). If we want to get TLS there (and I certainly want to get the DTLS part of TLS there), we have to make it fit for PSK. Or we'll have to use something else, and that would be a pity. But then I don't think the mapping between the identity hints used in the handshake and application layer user-ids used in ACLs is something that needs to be part of TLS itself. Different applications may have different needs here. Where they don't, something like RFC 6125 may emerge. Gruesse, Carsten