Re: [Last-Call] [art] Artart last call review of draft-ietf-netconf-over-tls13-03

From: Rob Sayre <sayrer@xxxxxxxxx>
Sent: Thursday, November 23, 2023 2:17 AM
To: Russ Housley <housley@xxxxxxxxxxxx>
Cc: Rob Wilton (rwilton) <rwilton@xxxxxxxxx>; Sean Turner <sean@xxxxxxxxx>; Jiankang Yao <yaojk@xxxxxxxx>; art@xxxxxxxx; draft-ietf-netconf-over-tls13.all@xxxxxxxx; last-call@xxxxxxxx; netconf@xxxxxxxx
Subject: Re: [art] Artart last call review of draft-ietf-netconf-over-tls13-03

On Wed, Nov 22, 2023 at 2:07 PM Russ Housley <housley@xxxxxxxxxxxx> wrote:

Rob:

You are right.  I forgot about a discussion we had in the NETCONF WG.  They do not want to be evolutionary.  They decided to continue to require TLS 1.2 for now, but allow TLS 1.3.  In the future, an activity (often called nextconf) will shift the MUST to TLS 1.3.

OK, but here we can see that the draft sort of conflicts with RFC 9325. This would seem to be a protocol where you really can require TLS 1.3, if it makes sense. I don't have any objection to describing the TLS 1.2 requirements, but requiring TLS 1.2 itself seems kind of weird. So, I think falling back on the (IETF consensus) RFC 9325 framing would be good.

[Rob Wilton (rwilton)]

But what does requiring TLS 1.3 actually mean from a deployed software perspective?

I.e., I cannot really see a router vendor changing their NETCONF server implementation in a new software release to prohibit TLS 1.2 sessions.  Neither can I see a management tool vendor changing their client so that the software will not connect to older deployed routers that don’t yet understand TLS 1.3.  I appreciate that both clients and servers may have config options to explicitly allow them to connect to older versions.

If we create a new version of NETCONF over the next few years, which is seeming a bit more likely, then mandating TLS 1.3 (or later) for that new version makes more sense to me since other development and changes will be happening at the same time and so it seems like a natural time to update to the latest security as well.

But I still believe that the text in this document is entirely consistent with RFC 9325 framing (that I quoted previously).

Regards,
Rob

thanks,

Rob

-- 
last-call mailing list
last-call@xxxxxxxx
https://www.ietf.org/mailman/listinfo/last-call