Re: [Call-home] draft now posted; BoF?
"David T. Perkins" <dperkins@dsperkins.com> Tue, 27 September 2005 17:22 UTC
Received: from localhost.localdomain ([127.0.0.1] helo=megatron.ietf.org) by megatron.ietf.org with esmtp (Exim 4.32) id 1EKJAN-0001hb-FO; Tue, 27 Sep 2005 13:22:55 -0400
Received: from odin.ietf.org ([132.151.1.176] helo=ietf.org) by megatron.ietf.org with esmtp (Exim 4.32) id 1EKJAM-0001hV-CU for call-home@megatron.ietf.org; Tue, 27 Sep 2005 13:22:54 -0400
Received: from ietf-mx.ietf.org (ietf-mx [132.151.6.1]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id NAA26383 for <call-home@ietf.org>; Tue, 27 Sep 2005 13:22:51 -0400 (EDT)
Received: from smtpout1.bayarea.net ([209.128.95.10]) by ietf-mx.ietf.org with esmtp (Exim 4.43) id 1EKJHe-0003ir-Iy for call-home@ietf.org; Tue, 27 Sep 2005 13:30:26 -0400
Received: from shell4.bayarea.net (shell4.bayarea.net [209.128.82.1]) by smtpout1.bayarea.net (8.12.10/8.12.10) with ESMTP id j8RHM4BT030264; Tue, 27 Sep 2005 10:22:04 -0700
Received: from shell4.bayarea.net (localhost [127.0.0.1]) by shell4.bayarea.net (8.12.11/8.12.11) with ESMTP id j8RHLrNd014601; Tue, 27 Sep 2005 10:21:53 -0700
Received: from localhost (dperkins@localhost) by shell4.bayarea.net (8.12.11/8.12.11/Submit) with ESMTP id j8RHLrHm014596; Tue, 27 Sep 2005 10:21:53 -0700
X-Authentication-Warning: shell4.bayarea.net: dperkins owned process doing -bs
Date: Tue, 27 Sep 2005 10:21:53 -0700
From: "David T. Perkins" <dperkins@dsperkins.com>
X-Sender: dperkins@shell4.bayarea.net
To: Eliot Lear <lear@cisco.com>
Subject: Re: [Call-home] draft now posted; BoF?
In-Reply-To: <43391200.1020806@cisco.com>
Message-ID: <Pine.LNX.4.10.10509271014390.11557-100000@shell4.bayarea.net>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset="US-ASCII"
X-Spam-Score: 0.0 (/)
X-Scan-Signature: 10d3e4e3c32e363f129e380e644649be
Cc: call-home@ietf.org
X-BeenThere: call-home@ietf.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: "Discussion of issues relating to " call home" functionality and firewall traversal" <call-home.ietf.org>
List-Unsubscribe: <https://www1.ietf.org/mailman/listinfo/call-home>, <mailto:call-home-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www1.ietf.org/pipermail/call-home>
List-Post: <mailto:call-home@ietf.org>
List-Help: <mailto:call-home-request@ietf.org?subject=help>
List-Subscribe: <https://www1.ietf.org/mailman/listinfo/call-home>, <mailto:call-home-request@ietf.org?subject=subscribe>
Sender: call-home-bounces@ietf.org
Errors-To: call-home-bounces@ietf.org
HI Eliot, The key issue, which I have said in previous email on the ISMS list, and you have touched on below, is what credentials are being used by each end of the connection, followed by what autorization rules are in being used and where they are applied. I didn't feel like you answered my previous question about this on the ISMS list. That is, you did provide a response, but I could not understand it. Once it is clear what credentials are available, then the next step is to show the mechanisms that would be used to verify the identities. On Tue, 27 Sep 2005, Eliot Lear wrote: > Juergen Schoenwaelder wrote: > > On Mon, Sep 26, 2005 at 03:46:29PM +0200, Eliot Lear wrote: > > > > > >>A draft is now posted - draft-lear-callhome-description-00.txt. It > >>doesn't yet have much in the way of SNMP specifics but I am working on > >>that now. > > > > > > I am not sure what the scope of your efforts here are. Do you limit > > this in scope to the management domain (which is somewhat implied by > > talking about managers and agents) or do you want to address the more > > general question of how to reverse connection establishment from the > > inside to the outside. > > I've been asked to consider the broader architectural issues (if any), > but my interest is in network management as well. It would be good if > someone could flag issues they see as broader than the area of > management if I miss them. > > > In any case, I would like to discuss this issue > > not only in the context of SNMP, but at least also consider netconf, > > where the required to implement transport mapping also does not > > provide call home at the moment. > > > > Personally, I am concerned about the security considerations. I would > > very much prefer a solution where the authenticated identities and the > > way they are authenticated remain the same, regardless whether I am > > using call-home or not. Now, it may turn out that this is not feasible > > to achieve. If that is the case, these findings need to be documented > > somewhere. > > I am not sure this is a problem with the notion call home, but perhaps > with mechanisms used to achieve it. For instance, BEEP today supports > either side initiating a connection as well as mutual authentication via > TLS. In the case of SNMP, therefore, there would be a mapping from > securityName to X.509 subject (amongst other things), either directly or > via SASL EXTERNAL. > > But I wonder whether we should mandate such a requirement. Also if we > are making use of substrates such as SSH, BEEP, or for that matter HTTP, > how we structure those interfaces. > > In a practical sense, a service provider already provides a username and > password to an end user. It would seem impractical for the user to > provide a username and password back to the service provider when an > X.509 certificate would do the job. > > > > > > >>Did I miss architectural issues in the draft? > > > > > > I only had a very quick read. For me, the really interesting issue is > > to figure out how much security protocols like SSH or TLS actually > > [rely] on the connection initiation procedure or whether the > > client/server roles can be "turned" before the security protocols do > > their work. In other words, I would like to know whether some > > extensions to say SSH can solve most of the issues with call home > > support in ISMS and NETCONF. > > I'm not quite sure what you're asking for. Are you suggesting, for > instance, that the initiator have a host key and the listener make use > of a user key? > > Eliot > Regards, /david t. perkins _______________________________________________ Call-home mailing list Call-home@ietf.org https://www1.ietf.org/mailman/listinfo/call-home
- [Call-home] draft now posted; BoF? Eliot Lear
- Re: [Call-home] draft now posted; BoF? Juergen Schoenwaelder
- Re: [Call-home] draft now posted; BoF? Eliot Lear
- RE: [Call-home] draft now posted; BoF? Wijnen, Bert (Bert)
- Re: [Call-home] draft now posted; BoF? Wes Hardaker
- Re: [Call-home] draft now posted; BoF? Wes Hardaker
- Re: [Call-home] draft now posted; BoF? Juergen Schoenwaelder
- Re: [Call-home] draft now posted; BoF? Juergen Schoenwaelder
- Re: [Call-home] draft now posted; BoF? Josh Littlefield
- Re: [Call-home] draft now posted; BoF? David T. Perkins
- Re: [Call-home] draft now posted; BoF? David T. Perkins
- Re: [Call-home] draft now posted; BoF? Juergen Schoenwaelder
- [Call-home] Why not IPsec with IKEv2 + NAT-T? Pekka Nikander
- Re: [Call-home] Why not IPsec with IKEv2 + NAT-T? David T. Perkins
- Re: [Call-home] draft now posted; BoF? Eliot Lear
- Re: [Call-home] Why not IPsec with IKEv2 + NAT-T? Dean Willis
- Re: [Call-home] Why not IPsec with IKEv2 + NAT-T? Pekka Nikander
- Re: [Call-home] Why not IPsec with IKEv2 + NAT-T? Dean Willis
- Re: [Call-home] Why not IPsec with IKEv2 + NAT-T? Eliot Lear
- Re: [Call-home] draft now posted; BoF? Wes Hardaker
- Re: [Call-home] draft now posted; BoF? Juergen Schoenwaelder