Re: [Call-home] draft now posted; BoF?

Juergen Schoenwaelder <> Mon, 26 September 2005 21:07 UTC

Date: Mon, 26 Sep 2005 23:06:54 +0200
From: Juergen Schoenwaelder <>
To: Eliot Lear <>
Subject: Re: [Call-home] draft now posted; BoF?
Message-ID: <20050926210654.GA3067@boskop.local>

On Mon, Sep 26, 2005 at 03:46:29PM +0200, Eliot Lear wrote:
> A draft is now posted - draft-lear-callhome-description-00.txt.  It
> doesn't yet have much in the way of SNMP specifics but I am working on
> that now.

I am not sure what the scope of your efforts here are. Do you limit
this in scope to the management domain (which is somewhat implied by
talking about managers and agents) or do you want to address the more
general question of how to reverse connection establishment from the
inside to the outside? In any case, I would like to discuss this issue
not only in the context of SNMP, but at least also consider netconf,
where the required-to-implement transport mapping also does not
provide call home at the moment.

Personally, I am concerned about the security considerations. I would
very much prefer a solution where the authenticated identities and the
way they are authenticated remain the same, regardless of whether I am
using call-home or not. Now, it may turn out that this is not feasible
to achieve. If that is the case, these findings need to be documented.

> Did I miss architectural issues in the draft?

I only had a very quick read. For me, the really interesting issue is
to figure out how much security protocols like SSH or TLS actually
rely on the connection initiation procedure or whether the
client/server roles can be "turned" before the security protocols do
their work. In other words, I would like to know whether some
extensions to, say, SSH can solve most of the issues with call home
support in ISMS and NETCONF.

To answer this question, one might have to dive into the details of
the security mechanisms in order to figure out whether there is an
architectural reason why this can or cannot work.


Juergen Schoenwaelder		    International University Bremen
<>	    P.O. Box 750 561, 28725 Bremen, Germany

Call-home mailing list
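The question raised in this message (can the TLS client/server roles be "turned" independently of who opened the TCP connection, so that the authenticated identities stay the same as in a manager-initiated session?) can be tried out directly. The following is an added example written for this archive page; it is not code from the draft, from the author, or from any IETF document. It uses Go's standard crypto/tls over a loopback TCP connection that the "device" dials and the "manager" accepts, i.e. the call-home direction. The certificate names device.example and manager.example, the key usages, and the two function names are constructed for the demonstration. The device's certificate is marked for server authentication only and the manager's for client authentication only, because that is how each side authenticates in an ordinary manager-initiated session; the example then shows that keeping those TLS roles on the reversed connection succeeds with the existing credentials, while letting the roles follow the transport (manager as TLS server, device as TLS client) fails the handshake. This is the role-preserving approach later standardized for NETCONF in RFC 8071.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

// Identity records what each side learned about its peer after the handshake.
type Identity struct {
	ManagerSawDevice string // CN of the certificate the manager verified
	DeviceSawManager string // CN of the certificate the device verified
}

// Creds are the certificates each side already holds for manager-initiated
// sessions (constructed test data standing in for a real PKI).
type Creds struct {
	Device, Manager         tls.Certificate
	DeviceLeaf, ManagerLeaf *x509.Certificate
}

// selfSigned issues a throwaway self-signed certificate for name with the given
// extended key usages; the certificate doubles as its own trust anchor.
func selfSigned(name string, eku ...x509.ExtKeyUsage) (tls.Certificate, *x509.Certificate) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: name},
		DNSNames:     []string{name},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  eku,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		panic(err)
	}
	leaf, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}, leaf
}

// NewCreds mirrors the normal deployment: the device only ever acts as TLS
// server, the manager only ever as TLS client, and the key usages say so.
func NewCreds() Creds {
	dc, dl := selfSigned("device.example", x509.ExtKeyUsageServerAuth)
	mc, ml := selfSigned("manager.example", x509.ExtKeyUsageClientAuth)
	return Creds{Device: dc, Manager: mc, DeviceLeaf: dl, ManagerLeaf: ml}
}

func pool(c *x509.Certificate) *x509.CertPool {
	p := x509.NewCertPool()
	p.AddCert(c)
	return p
}

type peerResult struct {
	peer string
	err  error
}

// finish completes the handshake and reports the verified peer's CN.
func finish(conn *tls.Conn) peerResult {
	if err := conn.Handshake(); err != nil {
		return peerResult{err: err}
	}
	return peerResult{peer: conn.ConnectionState().PeerCertificates[0].Subject.CommonName}
}

// exchange opens a loopback TCP connection from the device to the manager (the
// call-home direction) and then layers TLS on it. devIsTLSServer chooses whether
// the device stays the TLS server on the connection it dialed, or whether the
// TLS roles follow the transport (dialer = TLS client).
func exchange(devCfg, mgrCfg *tls.Config, devIsTLSServer bool) (Identity, error) {
	ln, err := net.Listen("tcp", "127.0.0.1:0")
	if err != nil {
		return Identity{}, err
	}
	defer ln.Close()
	mgrCh := make(chan peerResult, 1)
	go func() { // manager side: accepts the connection the device opened
		raw, err := ln.Accept()
		if err != nil {
			mgrCh <- peerResult{err: err}
			return
		}
		defer raw.Close()
		if devIsTLSServer {
			mgrCh <- finish(tls.Client(raw, mgrCfg))
		} else {
			mgrCh <- finish(tls.Server(raw, mgrCfg))
		}
	}()
	raw, err := net.Dial("tcp", ln.Addr().String()) // device side: outbound connection
	if err != nil {
		return Identity{}, err
	}
	defer raw.Close()
	var dev peerResult
	if devIsTLSServer {
		dev = finish(tls.Server(raw, devCfg))
	} else {
		dev = finish(tls.Client(raw, devCfg))
	}
	mgr := <-mgrCh
	if dev.err != nil {
		return Identity{}, dev.err
	}
	if mgr.err != nil {
		return Identity{}, mgr.err
	}
	return Identity{ManagerSawDevice: mgr.peer, DeviceSawManager: dev.peer}, nil
}

// RolePreservingCallHome: device dials but is the TLS server; manager accepts
// but is the TLS client. Both sides keep the credentials and checks they use
// for a manager-initiated session, including the manager's server-name check.
func RolePreservingCallHome(c Creds) (Identity, error) {
	devCfg := &tls.Config{Certificates: []tls.Certificate{c.Device},
		ClientAuth: tls.RequireAndVerifyClientCert, ClientCAs: pool(c.ManagerLeaf)}
	mgrCfg := &tls.Config{Certificates: []tls.Certificate{c.Manager},
		RootCAs: pool(c.DeviceLeaf), ServerName: "device.example"}
	return exchange(devCfg, mgrCfg, true)
}

// TransportFollowingCallHome: TLS roles follow the TCP direction. The existing
// certificates no longer fit (wrong key usage for the swapped roles), so the
// handshake fails; a deployment would need different credentials and checks.
func TransportFollowingCallHome(c Creds) (Identity, error) {
	devCfg := &tls.Config{Certificates: []tls.Certificate{c.Device},
		RootCAs: pool(c.ManagerLeaf), ServerName: "manager.example"}
	mgrCfg := &tls.Config{Certificates: []tls.Certificate{c.Manager},
		ClientAuth: tls.RequireAndVerifyClientCert, ClientCAs: pool(c.DeviceLeaf)}
	return exchange(devCfg, mgrCfg, false)
}

func main() {
	c := NewCreds()
	id, err := RolePreservingCallHome(c)
	fmt.Println("roles preserved:", id, err)
	_, err = TransportFollowingCallHome(c)
	fmt.Println("roles follow transport:", err)
}
```

The second case fails at certificate verification, not at the TCP layer: nothing in TLS ties the server role to the accepting end, so the role choice is purely a matter of which side calls tls.Server on the connection it already has. The same observation applies to SSH, where the transport protocol's host key and user authentication likewise begin only after the byte stream exists.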