Re: [alto] Roman Danyliw's Discuss on draft-ietf-alto-oam-yang-15: (with DISCUSS and COMMENT)

2024-01-10 Thread Jensen Zhang 
Hi Roman,

Sorry for the delay. We just uploaded the revision -16 to resolve your
comments: https://datatracker.ietf.org/doc/html/draft-ietf-alto-oam-yang-16

We put detailed responses inline below. Please let us know if more is
needed.

Thanks,
Jensen


On Thu, Oct 26, 2023 at 7:31 PM Jensen Zhang 
wrote:

> Hi Roman,
>
> Many thanks for all the comments. Please see my responses inline below.
>
> Thanks,
> Jensen
>
>
> On Wed, Oct 25, 2023 at 12:23 AM Roman Danyliw via Datatracker <
> nore...@ietf.org> wrote:
>
>> Roman Danyliw has entered the following ballot position for
>> draft-ietf-alto-oam-yang-15: Discuss
>>
>> When responding, please keep the subject line intact and reply to all
>> email addresses included in the To and CC lines. (Feel free to cut this
>> introductory paragraph, however.)
>>
>>
>> Please refer to
>> https://www.ietf.org/about/groups/iesg/statements/handling-ballot-positions/
>> for more information about how to handle DISCUSS and COMMENT positions.
>>
>>
>> The document, along with other ballot positions, can be found here:
>> https://datatracker.ietf.org/doc/draft-ietf-alto-oam-yang/
>>
>>
>>
>> --
>> DISCUSS:
>> --
>>
>> (There were a number of YANG references to chase down.  Please correct my
>> read
>> of the YANG model if I have misunderstood.)
>>
>> ** Implementing mutual TLS/client side certificates (per Section 8.3.5 of
>> RFC7285) appears to need more guidance.   Client EE certificates and
>> client CAs
>> can be specified by the tls:tls-server-group in
>> alto/server-listen-stack/https/tls-server-parameters.  However, it
>> appears to
>> me that there isn’t any way then to later reference them in the
>> alto-server/auth-client section.  When doing username and password
>> authentication via http-server-parameters/client-authentication, there is
>> a
>> common user-id field shared with auth-client/https-auth-client.
>>
>
> Good point. The intention of alto-server/auth-client is to identify the
> configured HTTP clients. There can be multiple authentication approaches
> beyond HTTP Basic and TLS, like OAuth. This document only focuses on the
> basic structure. Thus, initially, only the HTTP Basic authentication is
> defined. Appendix A.2 gives an example to augment the
> alto-server/auth-client section.
>
> But I agree that TLS is required by RFC7285. If you think it is necessary
> for the initial data model, we can add the related data nodes to this
> section.
>

In the new revision, we added TLS-related configuration for the
'auth-client/https-auth-client'. It will allow to use EE/CA certificates or
public keys to identify the HTTPS clients.


>
>
>>
>> ** Section 5.4.3.  It appears that there is an http-auth-client for both
>> http
>> and https.  Is this suggesting that it is possible to have authenticated
>> users
>> over unencrypted HTTP.  How does that work securely?  Is this related to
>> Section 8’s “The ietf-alto supports an HTTP listen mode to cover cases
>> where
>> the ALTO server stack does not handle the TLS termination itself, but is
>> handled by a separate component.”  If so, what is the residual risk of
>> this
>> approach?
>>
>
> In this case, the security will rely on the external TLS handler.
>
>
>>
>> ** Section 8.  Per the guidance on writeable data, aren’t significant
>> parts of
>> alto-server/listen sensitive as one could alter the stored keys for the
>> server
>> or client; or the username/password combinations (in
>> http-server-parameters)?
>>
>
> Yes, some groupings in alto-server/listen are also sensitive. But they are
> defined in other RFCs, thus the security considerations in those RFCs also
> apply to them.
>
>
>>
>> ** Section 8.  Per the guidance about readable data:
>>
>> -- isn’t tls-server-parameters sensitive since it could contain raw
>> private
>> keys (e.g., ks:inline-or-keystore-symmetric-key-grouping)?
>>
>
> Yes, see above.
>
>
>> -- Would it be best practice to be able to read all of the authorized
>> users?
>>
>
> In practice, the server only needs to identify the authorized users. The
> server doesn't need to read all the sensitive configurations of those users.
>
>
>>
>>
>> --
>> COMMENT:
>> --
>>
>> Thank you to Rich Salz for the SECDIR review.
>>
>> ** Section A.5.  Per the example:
>> "client-authentication": {
>>   "users": {
>> "user": [
>>   {
>> "user-id": "alice",
>> "basic": {
>>   "user-id": "alice",
>>   "password": "$0$p8ssw0rd"
>> }
>>
>> Isn’t the password supposed to be hashed?
>> draft-ietf-netconf-http-client-server says password is of type
>> ianach:crypt-hash.
>>
>
> Yes, the

Re: [alto] Roman Danyliw's Discuss on draft-ietf-alto-oam-yang-15: (with DISCUSS and COMMENT)

2023-10-26 Thread Jensen Zhang 
Hi Roman,

Many thanks for all the comments. Please see my responses inline below.

Thanks,
Jensen


On Wed, Oct 25, 2023 at 12:23 AM Roman Danyliw via Datatracker <
nore...@ietf.org> wrote:

> Roman Danyliw has entered the following ballot position for
> draft-ietf-alto-oam-yang-15: Discuss
>
> When responding, please keep the subject line intact and reply to all
> email addresses included in the To and CC lines. (Feel free to cut this
> introductory paragraph, however.)
>
>
> Please refer to
> https://www.ietf.org/about/groups/iesg/statements/handling-ballot-positions/
> for more information about how to handle DISCUSS and COMMENT positions.
>
>
> The document, along with other ballot positions, can be found here:
> https://datatracker.ietf.org/doc/draft-ietf-alto-oam-yang/
>
>
>
> --
> DISCUSS:
> --
>
> (There were a number of YANG references to chase down.  Please correct my
> read
> of the YANG model if I have misunderstood.)
>
> ** Implementing mutual TLS/client side certificates (per Section 8.3.5 of
> RFC7285) appears to need more guidance.   Client EE certificates and
> client CAs
> can be specified by the tls:tls-server-group in
> alto/server-listen-stack/https/tls-server-parameters.  However, it appears
> to
> me that there isn’t any way then to later reference them in the
> alto-server/auth-client section.  When doing username and password
> authentication via http-server-parameters/client-authentication, there is a
> common user-id field shared with auth-client/https-auth-client.
>

Good point. The intention of alto-server/auth-client is to identify the
configured HTTP clients. There can be multiple authentication approaches
beyond HTTP Basic and TLS, like OAuth. This document only focuses on the
basic structure. Thus, initially, only the HTTP Basic authentication is
defined. Appendix A.2 gives an example to augment the
alto-server/auth-client section.

But I agree that TLS is required by RFC7285. If you think it is necessary
for the initial data model, we can add the related data nodes to this
section.


>
> ** Section 5.4.3.  It appears that there is an http-auth-client for both
> http
> and https.  Is this suggesting that it is possible to have authenticated
> users
> over unencrypted HTTP.  How does that work securely?  Is this related to
> Section 8’s “The ietf-alto supports an HTTP listen mode to cover cases
> where
> the ALTO server stack does not handle the TLS termination itself, but is
> handled by a separate component.”  If so, what is the residual risk of this
> approach?
>

In this case, the security will rely on the external TLS handler.


>
> ** Section 8.  Per the guidance on writeable data, aren’t significant
> parts of
> alto-server/listen sensitive as one could alter the stored keys for the
> server
> or client; or the username/password combinations (in
> http-server-parameters)?
>

Yes, some groupings in alto-server/listen are also sensitive. But they are
defined in other RFCs, thus the security considerations in those RFCs also
apply to them.


>
> ** Section 8.  Per the guidance about readable data:
>
> -- isn’t tls-server-parameters sensitive since it could contain raw private
> keys (e.g., ks:inline-or-keystore-symmetric-key-grouping)?
>

Yes, see above.


> -- Would it be best practice to be able to read all of the authorized
> users?
>

In practice, the server only needs to identify the authorized users. The
server doesn't need to read all the sensitive configurations of those users.


>
>
> --
> COMMENT:
> --
>
> Thank you to Rich Salz for the SECDIR review.
>
> ** Section A.5.  Per the example:
> "client-authentication": {
>   "users": {
> "user": [
>   {
> "user-id": "alice",
> "basic": {
>   "user-id": "alice",
>   "password": "$0$p8ssw0rd"
> }
>
> Isn’t the password supposed to be hashed?
> draft-ietf-netconf-http-client-server says password is of type
> ianach:crypt-hash.
>

Yes, the password is supposed to be hashed. Just to make it readable in the
example, we use "$0$" type to show the clear text password. Refer to
iana-crypt-h...@2014-08-06.yang:

  A value of this type matches one of the forms:

$0$
$$$


  The '$0$' prefix signals that the value is clear text.

 Of course, it is not recommended in practice.
___
alto mailing list
alto@ietf.org
https://www.ietf.org/mailman/listinfo/alto

[alto] Roman Danyliw's Discuss on draft-ietf-alto-oam-yang-15: (with DISCUSS and COMMENT)

2023-10-24 Thread Roman Danyliw via Datatracker 
Roman Danyliw has entered the following ballot position for
draft-ietf-alto-oam-yang-15: Discuss

When responding, please keep the subject line intact and reply to all
email addresses included in the To and CC lines. (Feel free to cut this
introductory paragraph, however.)


Please refer to 
https://www.ietf.org/about/groups/iesg/statements/handling-ballot-positions/ 
for more information about how to handle DISCUSS and COMMENT positions.


The document, along with other ballot positions, can be found here:
https://datatracker.ietf.org/doc/draft-ietf-alto-oam-yang/



--
DISCUSS:
--

(There were a number of YANG references to chase down.  Please correct my read
of the YANG model if I have misunderstood.)

** Implementing mutual TLS/client side certificates (per Section 8.3.5 of
RFC7285) appears to need more guidance.   Client EE certificates and client CAs
can be specified by the tls:tls-server-group in
alto/server-listen-stack/https/tls-server-parameters.  However, it appears to
me that there isn’t any way then to later reference them in the
alto-server/auth-client section.  When doing username and password
authentication via http-server-parameters/client-authentication, there is a
common user-id field shared with auth-client/https-auth-client.

** Section 5.4.3.  It appears that there is an http-auth-client for both http
and https.  Is this suggesting that it is possible to have authenticated users
over unencrypted HTTP.  How does that work securely?  Is this related to
Section 8’s “The ietf-alto supports an HTTP listen mode to cover cases where
the ALTO server stack does not handle the TLS termination itself, but is
handled by a separate component.”  If so, what is the residual risk of this
approach?

** Section 8.  Per the guidance on writeable data, aren’t significant parts of
alto-server/listen sensitive as one could alter the stored keys for the server
or client; or the username/password combinations (in http-server-parameters)?

** Section 8.  Per the guidance about readable data:

-- isn’t tls-server-parameters sensitive since it could contain raw private
keys (e.g., ks:inline-or-keystore-symmetric-key-grouping)?

-- Would it be best practice to be able to read all of the authorized users?


--
COMMENT:
--

Thank you to Rich Salz for the SECDIR review.

** Section A.5.  Per the example:
"client-authentication": {
  "users": {
"user": [
  {
"user-id": "alice",
"basic": {
  "user-id": "alice",
  "password": "$0$p8ssw0rd"
}

Isn’t the password supposed to be hashed? 
draft-ietf-netconf-http-client-server says password is of type
ianach:crypt-hash.



___
alto mailing list
alto@ietf.org
https://www.ietf.org/mailman/listinfo/alto