Re: [Last-Call] [art] Artart last call review of draft-ietf-netconf-over-tls13-03

Hi Rob,

I’m not sure that I saw a reply to this (and I’m about to put this in for next week’s telechat so wanted to close off this thread), and I’m also sure that Sean or Russ will correct me if my answer is wrong, but my understanding is that this document is intended to both add support for TLS 1.3 and also update the TLS 1.2 requirements.  E.g., from the abstract:

Abstract

   RFC 7589 defines how to protect NETCONF messages with TLS 1.2.  This
   document updates RFC 7589 to update support requirements for TLS 1.2
   and add TLS 1.3 support requirements, including restrictions on the
   use of TLS 1.3's early data.


In terms of why supporting TLS 1.2 is a MUST, my interpretation (and I’m happy if the SEC experts correct me on this) is that this recommendation (and document) is consistent with the recently published RFC 9325, Recommendations for Secure Use of Transport Layer Security (TLS) and Datagram Transport Layer Security (DTLS), quoting from Section 3.1.1:

   *  Implementations MUST support TLS 1.2 [RFC5246].

   *  Implementations SHOULD support TLS 1.3 [RFC8446] and, if
      implemented, MUST prefer to negotiate TLS 1.3 over earlier
      versions of TLS.


The prose in this draft is consistent with RFC 9325, i.e., from section 4:

   Implementations MUST support TLS 1.2 [RFC5246] and are REQUIRED to
   support the TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 cipher suite
   [RFC9325].

   Implementations MAY implement additional TLS 1.2 cipher suites that
   provide mutual authentication [RFC5246] and confidentiality as
   required by NETCONF [RFC6241].

   Implementations SHOULD support TLS 1.3 [I-D.ietf-tls-rfc8446bis] and,
   if implemented, MUST prefer to negotiate TLS 1.3 over earlier
   versions of TLS.


Regards,
Rob
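Added example, not from the draft, RFC 9325, or any message in this thread: a small Python policy check that turns the requirements quoted above (TLS 1.2 MUST, the REQUIRED TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 suite, TLS 1.3 SHOULD and preferred when present) into assertions over an `ssl.SSLContext`. It assumes the OpenSSL-backed standard `ssl` module; the cipher list and the function names (`build_netconf_server_context`, `check_policy`, `is_compliant`) are constructed for the example and belong to no real NETCONF implementation.

```python
# Added example (not from the draft, RFC 9325 or this thread): check an
# ssl.SSLContext against the TLS version and cipher-suite rules quoted above.
import ssl

# OpenSSL's name for TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, the cipher suite
# the draft makes REQUIRED for TLS 1.2.
REQUIRED_TLS12_SUITE = "ECDHE-RSA-AES128-GCM-SHA256"

# Constructed TLS 1.2 cipher list for a hypothetical NETCONF server: the
# required suite plus two other ECDHE/AEAD suites chosen for the example.
DEFAULT_TLS12_CIPHERS = (
    "ECDHE-RSA-AES128-GCM-SHA256:"
    "ECDHE-ECDSA-AES128-GCM-SHA256:"
    "ECDHE-RSA-AES256-GCM-SHA384"
)

# Whether the linked OpenSSL supports TLS 1.3 at all.
TLS13_AVAILABLE = ssl.HAS_TLSv1_3


def build_netconf_server_context(min_version="TLSv1_2", ciphers=DEFAULT_TLS12_CIPHERS):
    """Server-side context for a hypothetical NETCONF-over-TLS listener.

    min_version is an ssl.TLSVersion member name; the default refuses
    TLS 1.0/1.1 while leaving TLS 1.2 and (when available) TLS 1.3 enabled.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion[min_version]
    ctx.maximum_version = ssl.TLSVersion.MAXIMUM_SUPPORTED
    # set_ciphers() governs TLS 1.2 suites; OpenSSL keeps TLS 1.3 suites separate.
    ctx.set_ciphers(ciphers)
    # NETCONF requires the client to be authenticated; demand a client certificate.
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


def enabled_version_range(ctx):
    """Resolve the MINIMUM/MAXIMUM_SUPPORTED sentinels to concrete versions."""
    lo, hi = ctx.minimum_version, ctx.maximum_version
    if lo == ssl.TLSVersion.MINIMUM_SUPPORTED:
        lo = ssl.TLSVersion.SSLv3
    if hi == ssl.TLSVersion.MAXIMUM_SUPPORTED:
        hi = ssl.TLSVersion.TLSv1_3 if TLS13_AVAILABLE else ssl.TLSVersion.TLSv1_2
    return lo, hi


def check_policy(ctx):
    """Return one boolean per requirement quoted in the thread."""
    lo, hi = enabled_version_range(ctx)
    names = {c["name"] for c in ctx.get_ciphers()}
    tls12 = lo <= ssl.TLSVersion.TLSv1_2 <= hi
    tls13 = TLS13_AVAILABLE and lo <= ssl.TLSVersion.TLSv1_3 <= hi
    return {
        # RFC 9325 3.1.1 / draft section 4: MUST support TLS 1.2 ...
        "tls12_supported": tls12,
        # ... and are REQUIRED to support this TLS 1.2 suite.
        "required_suite_present": REQUIRED_TLS12_SUITE in names,
        # SHOULD support TLS 1.3 ...
        "tls13_supported": tls13,
        # ... and, if implemented, MUST prefer it. OpenSSL negotiates the highest
        # version both peers enable, so enabling 1.3 beside 1.2 satisfies this.
        "prefers_tls13": tls13,
        # Not in the quoted text, but RFC 9325 also rules out negotiating TLS 1.0/1.1.
        "legacy_versions_refused": lo >= ssl.TLSVersion.TLSv1_2,
    }


def is_compliant(ctx):
    """MUST-level checks only: TLS 1.2 enabled, required suite present, no 1.0/1.1."""
    r = check_policy(ctx)
    return r["tls12_supported"] and r["required_suite_present"] and r["legacy_versions_refused"]


if __name__ == "__main__":
    good = build_netconf_server_context()
    print("compliant server context:", check_policy(good))
    # A TLS 1.3-only listener breaks the TLS 1.2 MUST that Rob Sayre asked about.
    if TLS13_AVAILABLE:
        only13 = build_netconf_server_context(min_version="TLSv1_3")
        print("TLS 1.3-only context:", check_policy(only13))
```

The check reads the context rather than performing a handshake, so it runs without certificates; dropping the required suite from the cipher string, or raising the minimum version to TLS 1.3, is enough to make `is_compliant` return False.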


From: Rob Sayre <sayrer@xxxxxxxxx>
Sent: Sunday, November 5, 2023 11:36 PM
To: Sean Turner <sean@xxxxxxxxx>
Cc: Jiankang Yao <yaojk@xxxxxxxx>; art@xxxxxxxx; draft-ietf-netconf-over-tls13.all@xxxxxxxx; last-call@xxxxxxxx; netconf@xxxxxxxx
Subject: Re: [art] Artart last call review of draft-ietf-netconf-over-tls13-03

It's a little bit off though, isn't it?

Implementations that support TLS 1.3 should refer to TLS 1.3? Yes. Why does this even need to be written?

Also what is the consensus on this paragraph:

"Implementations MUST support TLS 1.2 [RFC5246] and are REQUIRED to support the TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 cipher suite [RFC9325]."

I cannot understand why TLS 1.2 is a "MUST" here. How did the WG get there?

thanks,

Rob

On Sun, Nov 5, 2023 at 3:15 PM Sean Turner <sean@xxxxxxxxx> wrote:

> On Oct 28, 2023, at 18:02, Jiankang Yao via Datatracker <noreply@xxxxxxxx> wrote:
>
> Reviewer: Jiankang Yao
> Review result: Ready
>
> I am the assigned ART-ART reviewer for this draft. The Art Area
> Review Team (ART-ART) reviews all IETF documents being processed
> by the IESG.  Please treat these comments just
> like any other last call comments.
>
> Document: draft-ietf-netconf-over-tls13-03
> Reviewer: Jiankang Yao
> Review Date: 2023-10-28
> IETF LC End Date: 2023-11-13
> IESG Telechat date: Not scheduled for a telechat
>
> Summary: Ready for publication as a Proposed Standard RFC
>
> This document is clear and in good shape.
>
>
> BTW,
> In section 1,
> "
>             |  Implementations that support TLS 1.3 [I-D.ietf-tls-rfc8446bis]
>             |  should refer to TLS 1.3 [I-D.ietf-tls-rfc8446bis] in Sections 4
>             |  and 5 of [RFC7589].
> "
>
> The "|" looks to be odd to me.
>
> remove "|"?

Hi! This is part of the “aside” feature.  I guess we could put “NOTE:” in front of it to make it clearer.

spt
