Using the NETCONF Protocol over Transport Layer Security (TLS) with Mutual X.509 Authentication
draft-ietf-netconf-rfc5539bis-10
Document history
Date | Rev. | By | Action |
---|---|---|---|
2015-06-12 | 10 | (System) | RFC Editor state changed to AUTH48-DONE from AUTH48 |
2015-06-05 | 10 | (System) | RFC Editor state changed to AUTH48 from RFC-EDITOR |
2015-05-26 | 10 | (System) | RFC Editor state changed to RFC-EDITOR from EDIT |
2015-05-15 | 10 | Vijay Gurbani | Closed request for Last Call review by GENART with state 'No Response' |
2015-04-16 | 10 | (System) | IANA Action state changed to RFC-Ed-Ack from Waiting on RFC Editor |
2015-04-15 | 10 | (System) | IANA Action state changed to Waiting on RFC Editor from Waiting on Authors |
2015-04-15 | 10 | (System) | IANA Action state changed to Waiting on Authors from In Progress |
2015-04-14 | 10 | (System) | IANA Action state changed to In Progress |
2015-04-14 | 10 | Amy Vezza | IESG state changed to RFC Ed Queue from Approved-announcement sent |
2015-04-14 | 10 | (System) | RFC Editor state changed to EDIT |
2015-04-14 | 10 | (System) | Announcement was received by RFC Editor |
2015-04-14 | 10 | Amy Vezza | IESG state changed to Approved-announcement sent from Approved-announcement to be sent::Point Raised - writeup needed |
2015-04-14 | 10 | Amy Vezza | IESG has approved the document |
2015-04-14 | 10 | Amy Vezza | Closed "Approve" ballot |
2015-04-14 | 10 | Amy Vezza | Ballot approval text was generated |
2015-04-14 | 10 | Amy Vezza | Ballot writeup was changed |
2015-04-10 | 10 | Jürgen Schönwälder | IANA Review state changed to Version Changed - Review Needed from IANA OK - Actions Needed |
2015-04-10 | 10 | Jürgen Schönwälder | New version available: draft-ietf-netconf-rfc5539bis-10.txt |
2015-04-09 | 09 | Gunter Van de Velde | Request for Last Call review by OPSDIR Completed: Has Nits. Reviewer: Stefan Winter. |
2015-04-09 | 09 | Cindy Morgan | IESG state changed to Approved-announcement to be sent::Point Raised - writeup needed from IESG Evaluation |
2015-04-09 | 09 | Jari Arkko | [Ballot Position Update] New position, No Objection, has been recorded for Jari Arkko |
2015-04-09 | 09 | Martin Stiemerling | [Ballot Position Update] New position, No Objection, has been recorded for Martin Stiemerling |
2015-04-08 | 09 | Joel Jaeggli | [Ballot Position Update] New position, No Objection, has been recorded for Joel Jaeggli |
2015-04-08 | 09 | Deborah Brungard | [Ballot Position Update] New position, No Objection, has been recorded for Deborah Brungard |
2015-04-08 | 09 | Ben Campbell | [Ballot Position Update] New position, No Objection, has been recorded for Ben Campbell |
2015-04-08 | 09 | Alia Atlas | [Ballot Position Update] New position, No Objection, has been recorded for Alia Atlas |
2015-04-08 | 09 | Alvaro Retana | [Ballot Position Update] New position, No Objection, has been recorded for Alvaro Retana |
2015-04-08 | 09 | Stephen Farrell | [Ballot comment] - section 2: be no harm to say the server has to send a CertificateRequest as part of the handshake and/or to say (or point to) how e.g. to configure that in apache or similar. (Not normatively, but as an illustration to save folks time when they go to do it.) - section 7, if we get the ID via step (b) option 2 and step (c) option A then anyone certified below that CA gets to use that identity. I'd say that's a sufficiently bad plan in almost all cases to be worth noting as a security consideration. (Sorry for not spotting that in RFC7407 but I think the alg there is harder to see in the yang module(s) so I guess I missed it;-) - I agree with Sam's second comment in the secdir review [1] that specifying how to fingerprint is a good idea, even if it's non-normative. I think in this case you may need to fingerprint the full certificate and not the public key, as the latter could allow attacks - but someone would need to spend more time than I have today to figure out if there are any interesting attacks. (Did the WG think those issues through?) [1] https://www.ietf.org/mail-archive/web/secdir/current/msg05522.html |
2015-04-08 | 09 | Stephen Farrell | [Ballot Position Update] New position, No Objection, has been recorded for Stephen Farrell |
2015-04-06 | 09 | Spencer Dawkins | [Ballot Position Update] New position, No Objection, has been recorded for Spencer Dawkins |
2015-04-06 | 09 | Brian Haberman | [Ballot Position Update] New position, No Objection, has been recorded for Brian Haberman |
2015-04-04 | 09 | Kathleen Moriarty | [Ballot comment] I found the discussion on the SecDir review interesting, so thanks for the more detailed explanations. I do agree that the draft already does state that this is a certificate fingerprint, but don't see (maybe point me to where it is if I missed it), that this is all local, per: https://www.ietf.org/mail-archive/web/secdir/current/msg05526.html I'm wondering why the yang model that was split out into another draft isn't referenced as that would be helpful as well (last 2 paragraphs of Tom's response): https://www.ietf.org/mail-archive/web/secdir/current/msg05524.html This is non-blocking as I'd like to figure out if it's helpful to avoid questions and link drafts where appropriate (unless I missed something). Thanks, Kathleen |
2015-04-04 | 09 | Kathleen Moriarty | [Ballot Position Update] New position, No Objection, has been recorded for Kathleen Moriarty |
2015-03-28 | 09 | Terry Manderson | [Ballot Position Update] New position, No Objection, has been recorded for Terry Manderson |
2015-03-23 | 09 | Barry Leiba | [Ballot comment] -- Section 5 -- presented X.509 certificate may also be considered valid if it matches a locally configured certificate fingerprint. If X.509 certificate path validation fails and the presented X.509 certificate does not match a locally configured certificate fingerprint, It's probably worth it here to allow for things such as DANE, by slightly changing the wording. What do you think of this, perhaps?: NEW presented X.509 certificate may also be considered valid if it matches one obtained by another trusted mechanism, such as using a locally configured certificate fingerprint. If X.509 certificate path validation fails and the presented X.509 certificate does not match a certificate obtained by a trusted mechanism, END Does something like that make sense? Or is it better to limit it to preconfigured certs? -- Section 7 -- Similarily, if the username does not comply to the NETCONF requirements on usernames [RFC6241] (i.e., the username is not representable in XML) Checking: Is "not representable in XML" really the only way the username would not comply? That is, is "i.e." correct here, or do you mean "e.g."? -- Section 9 -- If third-party authentication is needed, the SSH transport can be used. Very small point: you have four citations to 6242 in two paragraphs in Section 3, but none here. This would probably be a good place to stick another citation. |
2015-03-23 | 09 | Barry Leiba | [Ballot Position Update] New position, No Objection, has been recorded for Barry Leiba |
2015-03-23 | 09 | Benoît Claise | Ballot has been issued |
2015-03-23 | 09 | Benoît Claise | [Ballot Position Update] New position, Yes, has been recorded for Benoit Claise |
2015-03-23 | 09 | Benoît Claise | Created "Approve" ballot |
2015-03-23 | 09 | Benoît Claise | Ballot writeup was changed |
2015-03-17 | 09 | Benoît Claise | Placed on agenda for telechat - 2015-04-09 |
2015-03-17 | 09 | Benoît Claise | IESG state changed to IESG Evaluation from Waiting for AD Go-Ahead |
2015-03-17 | 09 | Benoît Claise | IESG state changed to Waiting for AD Go-Ahead from Waiting for Writeup |
2015-03-17 | 09 | Benoît Claise | Changed consensus to Yes from Unknown |
2015-03-12 | 09 | Tero Kivinen | Request for Last Call review by SECDIR Completed: Ready. Reviewer: Sam Hartman. |
2015-03-11 | 09 | (System) | IESG state changed to Waiting for Writeup from In Last Call |
2015-03-09 | 09 | (System) | IANA Review state changed to IANA OK - Actions Needed from IANA - Review Needed |
2015-03-09 | 09 | Pearl Liang | IESG/Authors/WG Chairs: IANA has reviewed draft-ietf-netconf-rfc5539bis-09. Authors should review the comments and/or questions below. Please report any inaccuracies and respond to any questions as soon as possible. We received the following comments/questions from the IANA's reviewer: IANA understands that, upon approval of this document, IANA is required to complete a single action. In the Service Name and Transport Protocol Port Number Registry located at: https://www.iana.org/assignments/service-names-port-numbers/ the existing port number 6513 for TCP, described as "NETCONF over TLS" will have its reference changed from RFC5539 to [ RFC-to-be ]. IANA understands that this is the only action required to be completed upon approval of this document. Note: The actions requested in this document will not be completed until the document has been approved for publication as an RFC. This message is only to confirm what actions will be performed. |
2015-03-02 | 09 | Tero Kivinen | Request for Last Call review by SECDIR is assigned to Sam Hartman |
2015-03-02 | 09 | Tero Kivinen | Request for Last Call review by SECDIR is assigned to Sam Hartman |
2015-03-01 | 09 | Gunter Van de Velde | Request for Last Call review by OPSDIR is assigned to Stefan Winter |
2015-03-01 | 09 | Gunter Van de Velde | Request for Last Call review by OPSDIR is assigned to Stefan Winter |
2015-02-25 | 09 | Jean Mahoney | Request for Last Call review by GENART is assigned to Vijay Gurbani |
2015-02-25 | 09 | Jean Mahoney | Request for Last Call review by GENART is assigned to Vijay Gurbani |
2015-02-25 | 09 | Amy Vezza | IANA Review state changed to IANA - Review Needed |
2015-02-25 | 09 | Amy Vezza | The following Last Call announcement was sent out: From: The IESG To: IETF-Announce CC: Reply-To: ietf@ietf.org Sender: Subject: Last Call: (Using the NETCONF Protocol over Transport Layer Security (TLS) with Mutual X.509 Authentication) to Proposed Standard The IESG has received a request from the Network Configuration WG (netconf) to consider the following document: - 'Using the NETCONF Protocol over Transport Layer Security (TLS) with Mutual X.509 Authentication' as Proposed Standard The IESG plans to make a decision in the next few weeks, and solicits final comments on this action. Please send substantive comments to the ietf@ietf.org mailing lists by 2015-03-11. Exceptionally, comments may be sent to iesg@ietf.org instead. In either case, please retain the beginning of the Subject line to allow automated sorting. Abstract The Network Configuration Protocol (NETCONF) provides mechanisms to install, manipulate, and delete the configuration of network devices. This document describes how to use the Transport Layer Security (TLS) protocol with mutual X.509 authentication to secure the exchange of NETCONF messages. This revision of RFC 5539 documents the new message framing used by NETCONF 1.1 and it obsoletes RFC 5539. The file can be obtained via http://datatracker.ietf.org/doc/draft-ietf-netconf-rfc5539bis/ IESG discussion can be tracked via http://datatracker.ietf.org/doc/draft-ietf-netconf-rfc5539bis/ballot/ No IPR declarations have been submitted directly on this I-D. |
2015-02-25 | 09 | Amy Vezza | IESG state changed to In Last Call from Last Call Requested |
2015-02-25 | 09 | Benoît Claise | Last call was requested |
2015-02-25 | 09 | Benoît Claise | Last call announcement was generated |
2015-02-25 | 09 | Benoît Claise | Ballot approval text was generated |
2015-02-25 | 09 | Benoît Claise | Ballot writeup was generated |
2015-02-25 | 09 | Benoît Claise | IESG state changed to Last Call Requested from AD Evaluation |
2015-02-25 | 09 | Benoît Claise | IESG state changed to AD Evaluation from Publication Requested |
2015-02-19 | 09 | Cindy Morgan | IESG process started in state Publication Requested |
2015-02-19 | 09 | (System) | Earlier history may be found in the Comment Log for /doc/draft-badra-netconf-rfc5539bis/ |
2015-02-19 | 09 | Cindy Morgan | Working group state set to Submitted to IESG for Publication |
2015-02-19 | 09 | Cindy Morgan | (1) What type of RFC is being requested (BCP, Proposed Standard, Internet Standard, Informational, Experimental, or Historic)? Why is this the proper type of RFC? Is this type of RFC indicated in the title page header? This document is intended to be a Standards document, and it indicates it as such in the document. (2) The IESG approval announcement includes a Document Announcement Write-Up. Please provide such a Document Announcement Write-Up. Recent examples can be found in the "Action" announcements for approved documents. The approval announcement contains the following sections: Technical Summary The Network Configuration Protocol (NETCONF) provides mechanisms to install, manipulate, and delete the configuration of network devices. This document describes how to use the Transport Layer Security (TLS) protocol with mutual X.509 authentication to secure the exchange of NETCONF messages. This revision of RFC 5539 documents the new message framing used by NETCONF 1.1 and it obsoletes RFC 5539. Working Group Summary Was there anything in WG process that is worth noting? For example, was there controversy about particular points or were there decisions where the consensus was particularly rough? Since the start of the work at the end of 2012, the focus has been changed to remove call home functionality and to split the server configuration data model into another draft. There were no controversial or difficult decisions. Document Quality Are there existing implementations of the protocol? Have a significant number of vendors indicated their plan to implement the specification? Are there any reviewers that merit special mention as having done a thorough review, e.g., one that resulted in important changes or a conclusion that the document had no substantive issues? If there was a MIB Doctor, Media Type or other expert review, what was its course (briefly)? In the case of a Media Type review, on what date was the request posted? This document revises RFC 5539 by defining the chunked framing mechanism used if both peers advertise the :base:1.1 capability. As such all implementations of NETCONF 1.1 that want to use TLS with mutual X.509 authentication have to use this new framing format. The document is clear and well written, and it has been extensively reviewed. There are implementations with different code bases of different draft versions available. Personnel Who is the Document Shepherd? Who is the Responsible Area Director? The document shepherd is Mehmet Ersue. The responsible AD is Benoit Claise. (3) Briefly describe the review of this document that was performed by the Document Shepherd. If this version of the document is not ready for publication, please explain why the document is being forwarded to the IESG. The document shepherd has followed the development of the document through the WG, and has reviewed the document. There was one comment after the end of the Last Call which resulted in changes. The issue has been addressed by the authors before AD review. (4) Does the document Shepherd have any concerns about the depth or breadth of the reviews that have been performed? No, the document shepherd does not have any concerns about the amount of review the document has received. (5) Do portions of the document need review from a particular or from broader perspective, e.g., security, operational complexity, AAA, DNS, DHCP, XML, or internationalization? If so, describe the review that took place. No. (6) Describe any specific concerns or issues that the Document Shepherd has with this document that the Responsible Area Director and/or the IESG should be aware of? For example, perhaps he or she is uncomfortable with certain parts of the document, or has concerns whether there really is a need for it. In any event, if the WG has discussed those issues and has indicated that it still wishes to advance the document, detail those concerns here. No, the document shepherd does not have any specific concerns. There are no issues remaining. (7) Has each author confirmed that any and all appropriate IPR disclosures required for full conformance with the provisions of BCP 78 and BCP 79 have already been filed? If not, explain why. The WG and authors have been polled on February 2, 2015. The WG members did not disclose any IPR. The authors confirmed publicly that they don't own any IPR on the draft. (8) Has an IPR disclosure been filed that references this document? If so, summarize any WG discussion and conclusion regarding the IPR disclosures. There is no IPR disclosure filed. The authors confirmed publicly that they don't own any IPR on the draft. (9) How solid is the WG consensus behind this document? Does it represent the strong concurrence of a few individuals, with others being silent, or does the WG as a whole understand and agree with it? There is strong consensus from diverse individuals, who have voiced support for the document. (10) Has anyone threatened an appeal or otherwise indicated extreme discontent? If so, please summarize the areas of conflict in separate email messages to the Responsible Area Director. (It should be in a separate email because this questionnaire is publicly available.) No. (11) Identify any ID nits the Document Shepherd has found in this document. (See http://www.ietf.org/tools/idnits/ and the Internet-Drafts Checklist). Boilerplate checks are not enough; this check needs to be thorough. There are no nits in draft-ietf-netconf-rfc5539bis-09. (12) Describe how the document meets any required formal review criteria, such as the MIB Doctor, media type, and URI type reviews. No formal review criteria encountered. (13) Have all references within this document been identified as either normative or informative? Yes. (14) Are there normative references to documents that are not ready for advancement or are otherwise in an unclear state? If such normative references exist, what is the plan for their completion? There is one normative reference to draft-ietf-uta-tls-bcp-09, which is through IETF LC and in IESG evaluation. (15) Are there downward normative references (see RFC 3967)? If so, list these downward references to support the Area Director in the Last Call procedure. No. (16) Will publication of this document change the status of any existing RFCs? Are those RFCs listed on the title page header, listed in the abstract, and discussed in the introduction? If the RFCs are not listed in the Abstract and Introduction, explain why, and point to the part of the document where the relationship of this document to the other RFCs is discussed. If this information is not in the document, explain why the WG considers it unnecessary. This document obsoletes RFC 5539, which has been listed and discussed in the Introduction section. (17) Describe the Document Shepherd's review of the IANA considerations section, especially with regard to its consistency with the body of the document. Confirm that all protocol extensions that the document makes are associated with the appropriate reservations in IANA registries. Confirm that any referenced IANA registries have been clearly identified. Confirm that newly created IANA registries include a detailed specification of the initial contents for the registry, that allocation procedures for future registrations are defined, and a reasonable name for the new registry has been suggested (see RFC 5226). The IANA considerations section details the changes that are required as a result of this draft replacing an existing RFC which had an IANA registry entry. (18) List any new IANA registries that require Expert Review for future allocations. Provide any public guidance that the IESG would find useful in selecting the IANA Experts for these new registries. The existing IANA registry for netconf-tls needs to be updated to reference the RFC number of this document. (19) Describe reviews and automated checks performed by the Document Shepherd to validate sections of the document written in a formal language, such as XML code, BNF rules, MIB definitions, etc. None necessary. |
2015-02-19 | 09 | Cindy Morgan | Changed document writeup |
2015-02-19 | 09 | Cindy Morgan | Notification list changed to "Mehmet Ersue" <mehmet.ersue@nsn.com> |
2015-02-19 | 09 | Cindy Morgan | Document shepherd changed to Mehmet Ersue |
2015-02-12 | 09 | Mahesh Jethanandani | Intended Status changed to Proposed Standard from None |
2015-02-12 | 09 | Jürgen Schönwälder | New version available: draft-ietf-netconf-rfc5539bis-09.txt |
2015-01-26 | 08 | Jürgen Schönwälder | New version available: draft-ietf-netconf-rfc5539bis-08.txt |
2014-12-11 | 07 | Jürgen Schönwälder | New version available: draft-ietf-netconf-rfc5539bis-07.txt |
2014-09-30 | 06 | Jürgen Schönwälder | New version available: draft-ietf-netconf-rfc5539bis-06.txt |
2014-01-29 | 05 | Jürgen Schönwälder | New version available: draft-ietf-netconf-rfc5539bis-05.txt |
2013-10-21 | 04 | Jürgen Schönwälder | New version available: draft-ietf-netconf-rfc5539bis-04.txt |
2013-05-10 | 03 | Jürgen Schönwälder | New version available: draft-ietf-netconf-rfc5539bis-03.txt |
2013-02-21 | 02 | Jürgen Schönwälder | New version available: draft-ietf-netconf-rfc5539bis-02.txt |
2012-10-22 | 01 | Mohamad Badra | New version available: draft-ietf-netconf-rfc5539bis-01.txt |
2012-09-13 | 00 | Mohamad Badra | New version available: draft-ietf-netconf-rfc5539bis-00.txt |