Re: [Call-home] draft now posted; BoF?
Wes Hardaker <wjhns1@hardakers.net> Tue, 27 September 2005 13:33 UTC
Received: from localhost.localdomain ([127.0.0.1] helo=megatron.ietf.org) by megatron.ietf.org with esmtp (Exim 4.32) id 1EKFaY-0000sF-Ok; Tue, 27 Sep 2005 09:33:42 -0400
Received: from odin.ietf.org ([132.151.1.176] helo=ietf.org) by megatron.ietf.org with esmtp (Exim 4.32) id 1EKFaX-0000rm-Rz for call-home@megatron.ietf.org; Tue, 27 Sep 2005 09:33:41 -0400
Received: from ietf-mx.ietf.org (ietf-mx [132.151.6.1]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id JAA07606 for <call-home@ietf.org>; Tue, 27 Sep 2005 09:33:40 -0400 (EDT)
Received: from dcn236-43.dcn.davis.ca.us ([168.150.236.43] helo=wes.hardakers.net) by ietf-mx.ietf.org with esmtp (Exim 4.43) id 1EKFhl-0005LT-11 for call-home@ietf.org; Tue, 27 Sep 2005 09:41:12 -0400
Received: by wes.hardakers.net (Postfix, from userid 274) id 9CAA111D5D1; Tue, 27 Sep 2005 06:33:36 -0700 (PDT)
From: Wes Hardaker <wjhns1@hardakers.net>
To: Eliot Lear <lear@cisco.com>
Subject: Re: [Call-home] draft now posted; BoF?
Organization: Sparta
References: <4337FBB5.4010701@cisco.com> <20050926210654.GA3067@boskop.local> <43391200.1020806@cisco.com>
Date: Tue, 27 Sep 2005 06:33:35 -0700
In-Reply-To: <43391200.1020806@cisco.com> (Eliot Lear's message of "Tue, 27 Sep 2005 11:33:52 +0200")
Message-ID: <sdy85iocsw.fsf@wes.hardakers.net>
User-Agent: Gnus/5.110003 (No Gnus v0.3) XEmacs/21.4 (Jumbo Shrimp, linux)
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
X-Spam-Score: 0.0 (/)
X-Scan-Signature: 69a74e02bbee44ab4f8eafdbcedd94a1
Cc: call-home@ietf.org
X-BeenThere: call-home@ietf.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: "Discussion of issues relating to " call home" functionality and firewall traversal" <call-home.ietf.org>
List-Unsubscribe: <https://www1.ietf.org/mailman/listinfo/call-home>, <mailto:call-home-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www1.ietf.org/pipermail/call-home>
List-Post: <mailto:call-home@ietf.org>
List-Help: <mailto:call-home-request@ietf.org?subject=help>
List-Subscribe: <https://www1.ietf.org/mailman/listinfo/call-home>, <mailto:call-home-request@ietf.org?subject=subscribe>
Sender: call-home-bounces@ietf.org
Errors-To: call-home-bounces@ietf.org
>>>>> On Tue, 27 Sep 2005 11:33:52 +0200, Eliot Lear <lear@cisco.com> said:

Eliot> In a practical sense, a service provider already provides a
Eliot> username and password to an end user.  It would seem
Eliot> impractical for the user to provide a username and password
Eliot> back to the service provider when an X.509 certificate would do
Eliot> the job.

The general issue with reversing a connection is that the order in which
you present credentials to the other side often doesn't work.  E.g., if in
a normal connection via netconf or snmp/isms you'd get this:

    manager                          agent
    opens connection           -->
    [possibly negs encryption]
                               <--   sends host id cert
    verifies agent ID
    sends user/pass            -->
                                     verifies user/pass
                               <--   finishes open with a protocol ack

That, of course, is just an example.

The problem comes when you reverse the connection: you need to do things
in the same order.  A manager can't send their side of the credentials
first when it's a username/password, since you'd be disclosing information
before verifying the other side can receive it.

Ok, you say, then just make sure it happens in the same order and that the
agent opens the connection and immediately sends his own credentials?
Great in theory, but the current protocols (SSH, TLS) don't do this.  They
are designed with a particular order of sending the credentials and they
all expect the model above.  Whether you can trigger them to do the
reverse is subject to a huge debate with their authors, I'd think.

-- 
"In the bathtub of history the truth is harder to hold than the soap, and
much more difficult to find." -- Terry Pratchett

_______________________________________________
Call-home mailing list
Call-home@ietf.org
https://www1.ietf.org/mailman/listinfo/call-home
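The credential-ordering argument in the message above, as an added example that is not part of the original post or of any IETF draft: a small Python checker that walks a scripted exchange between a manager and an agent and flags any step at which a party would send a username/password to a peer whose identity it has not yet verified. The message kinds (OPEN, HOST_CERT, USER_PASS, ACK), the script format and the three scripts are assumptions made for this example, not fields of NETCONF, SNMP/ISMS, SSH or TLS. It shows the normal open passing, a naive reversal in which the manager goes first with its credentials failing at step 2, and the "agent dials but still presents its identity first" order passing the same check. That last result is about ordering only; it says nothing about whether an SSH or TLS stack can be made to run in that order, which is the separate objection the message raises.

```python
from dataclasses import dataclass

# Message kinds.  These names are assumptions made for this example; they are
# not protocol fields of NETCONF, SNMP/ISMS, SSH or TLS.
OPEN = "open"            # transport-level open (who dials the TCP connection)
HOST_CERT = "host_cert"  # identity proof the receiver verifies; public, safe to send first
USER_PASS = "user_pass"  # secret; must only go to a peer whose identity is already verified
ACK = "ack"              # protocol-level open completes


@dataclass
class Endpoint:
    name: str
    peer_verified: bool = False       # we received and verified the peer's host cert
    peer_authenticated: bool = False  # the peer proved a user identity to us


class OrderingError(Exception):
    """A step would disclose a secret to an unverified peer, or the open
    completes without authentication having happened."""

    def __init__(self, step, reason):
        super().__init__(f"step {step}: {reason}")
        self.step = step


def check_handshake(script):
    """Walk a script of (sender, message) steps and enforce the ordering rule
    from the post.  Returns the 1-based step at which the open completed;
    raises OrderingError otherwise.

    Modeling assumption: receiving HOST_CERT means the receiver verifies it
    against its trust store; receiving USER_PASS means the receiver checks it.
    """
    ends = {"manager": Endpoint("manager"), "agent": Endpoint("agent")}
    for step, (sender, msg) in enumerate(script, 1):
        me = ends[sender]
        peer = ends["agent" if sender == "manager" else "manager"]
        if msg == OPEN:
            continue  # the direction of the TCP open carries no authentication fact
        if msg == HOST_CERT:
            peer.peer_verified = True
        elif msg == USER_PASS:
            if not me.peer_verified:
                raise OrderingError(
                    step, f"{sender} would send a password before verifying {peer.name}")
            peer.peer_authenticated = True
        elif msg == ACK:
            if not me.peer_authenticated:
                raise OrderingError(
                    step, f"{sender} acked the open without authenticating {peer.name}")
            return step
        else:
            raise ValueError(f"unknown message {msg!r}")
    raise OrderingError(len(script), "script ended without a protocol ack")


def first_violation(script):
    """Step number of the first ordering violation, or None if the script is clean."""
    try:
        check_handshake(script)
    except OrderingError as err:
        return err.step
    return None


# Constructed scripts (assumptions for this example).
# The normal open from the post: the manager dials and the agent answers.
NORMAL = [("manager", OPEN), ("agent", HOST_CERT), ("manager", USER_PASS), ("agent", ACK)]

# Naive reversal: the agent dials and the manager, now the accepting side,
# tries to go first with its own credentials.
NAIVE_REVERSED = [("agent", OPEN), ("manager", USER_PASS), ("agent", HOST_CERT), ("agent", ACK)]

# "Agent opens the connection and immediately sends his own credentials":
# the transport is reversed but the credential order is the normal one.
CALL_HOME = [("agent", OPEN), ("agent", HOST_CERT), ("manager", USER_PASS), ("agent", ACK)]


if __name__ == "__main__":
    for label, script in (("normal", NORMAL), ("naive reversal", NAIVE_REVERSED), ("call-home", CALL_HOME)):
        try:
            print(f"{label}: open completed at step {check_handshake(script)}")
        except OrderingError as err:
            print(f"{label}: rejected, {err}")
```

The checker deliberately ignores who sent OPEN: the point of the message is that dialing the TCP connection proves nothing, so the only facts that gate sending a password are whether the peer's identity proof has already arrived and been verified.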
- [Call-home] draft now posted; BoF? Eliot Lear
- Re: [Call-home] draft now posted; BoF? Juergen Schoenwaelder
- Re: [Call-home] draft now posted; BoF? Eliot Lear
- RE: [Call-home] draft now posted; BoF? Wijnen, Bert (Bert)
- Re: [Call-home] draft now posted; BoF? Wes Hardaker
- Re: [Call-home] draft now posted; BoF? Wes Hardaker
- Re: [Call-home] draft now posted; BoF? Juergen Schoenwaelder
- Re: [Call-home] draft now posted; BoF? Juergen Schoenwaelder
- Re: [Call-home] draft now posted; BoF? Josh Littlefield
- Re: [Call-home] draft now posted; BoF? David T. Perkins
- Re: [Call-home] draft now posted; BoF? David T. Perkins
- Re: [Call-home] draft now posted; BoF? Juergen Schoenwaelder
- [Call-home] Why not IPsec with IKEv2 + NAT-T? Pekka Nikander
- Re: [Call-home] Why not IPsec with IKEv2 + NAT-T? David T. Perkins
- Re: [Call-home] draft now posted; BoF? Eliot Lear
- Re: [Call-home] Why not IPsec with IKEv2 + NAT-T? Dean Willis
- Re: [Call-home] Why not IPsec with IKEv2 + NAT-T? Pekka Nikander
- Re: [Call-home] Why not IPsec with IKEv2 + NAT-T? Dean Willis
- Re: [Call-home] Why not IPsec with IKEv2 + NAT-T? Eliot Lear
- Re: [Call-home] draft now posted; BoF? Wes Hardaker
- Re: [Call-home] draft now posted; BoF? Juergen Schoenwaelder