Re: [Call-home] draft now posted; BoF?

"David T. Perkins" <> Tue, 27 September 2005 17:22 UTC

Received: from localhost.localdomain ([] by with esmtp (Exim 4.32) id 1EKJAN-0001hb-FO; Tue, 27 Sep 2005 13:22:55 -0400
Received: from ([] by with esmtp (Exim 4.32) id 1EKJAM-0001hV-CU for; Tue, 27 Sep 2005 13:22:54 -0400
Received: from (ietf-mx []) by (8.9.1a/8.9.1a) with ESMTP id NAA26383 for <>; Tue, 27 Sep 2005 13:22:51 -0400 (EDT)
Received: from ([]) by with esmtp (Exim 4.43) id 1EKJHe-0003ir-Iy for; Tue, 27 Sep 2005 13:30:26 -0400
Received: from ( []) by (8.12.10/8.12.10) with ESMTP id j8RHM4BT030264; Tue, 27 Sep 2005 10:22:04 -0700
Received: from (localhost []) by (8.12.11/8.12.11) with ESMTP id j8RHLrNd014601; Tue, 27 Sep 2005 10:21:53 -0700
Received: from localhost (dperkins@localhost) by (8.12.11/8.12.11/Submit) with ESMTP id j8RHLrHm014596; Tue, 27 Sep 2005 10:21:53 -0700
X-Authentication-Warning: dperkins owned process doing -bs
Date: Tue, 27 Sep 2005 10:21:53 -0700 (PDT)
From: "David T. Perkins" <>
To: Eliot Lear <>
Subject: Re: [Call-home] draft now posted; BoF?
In-Reply-To: <>
Message-ID: <>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
X-Spam-Score: 0.0 (/)
X-Scan-Signature: 10d3e4e3c32e363f129e380e644649be
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: "Discussion of issues relating to &quot; call home&quot; functionality and firewall traversal" <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>

HI Eliot,

The key issue, which I have said in previous email on the ISMS list,
and you have touched on below, is what credentials are being
used by each end of the connection, followed by what autorization
rules are in being used and where they are applied.

I didn't feel like you answered my previous question about
this on the ISMS list. That is, you did provide a response,
but I could not understand it.

Once it is clear what credentials are available, then the
next step is to show the mechanisms that would be used to
verify the identities.

On Tue, 27 Sep 2005, Eliot Lear wrote:
> Juergen Schoenwaelder wrote:
> > On Mon, Sep 26, 2005 at 03:46:29PM +0200, Eliot Lear wrote:
> >  
> > 
> >>A draft is now posted - draft-lear-callhome-description-00.txt.  It
> >>doesn't yet have much in the way of SNMP specifics but I am working on
> >>that now.
> > 
> > 
> > I am not sure what the scope of your efforts here are. Do you limit
> > this in scope to the management domain (which is somewhat implied by
> > talking about managers and agents) or do you want to address the more
> > general question of how to reverse connection establishment from the
> > inside to the outside. 
> I've been asked to consider the broader architectural issues (if any),
> but my interest is in network management as well.  It would be good if
> someone could flag issues they see as broader than the area of
> management if I miss them.
> > In any case, I would like to discuss this issue
> > not only in the context of SNMP, but at least also consider netconf,
> > where the required to implement transport mapping also does not
> > provide call home at the moment.
> > 
> > Personally, I am concerned about the security considerations. I would
> > very much prefer a solution where the authenticated identities and the
> > way they are authenticated remain the same, regardless whether I am
> > using call-home or not. Now, it may turn out that this is not feasible
> > to achieve. If that is the case, these findings need to be documented
> > somewhere.
> I am not sure this is a problem with the notion call home, but perhaps
> with mechanisms used to achieve it.  For instance, BEEP today supports
> either side initiating a connection as well as mutual authentication via
> TLS.  In the case of SNMP, therefore, there would be a mapping from
> securityName to X.509 subject (amongst other things), either directly or
> But I wonder whether we should mandate such a requirement.  Also if we
> are making use of substrates such as SSH, BEEP, or for that matter HTTP,
> how we structure those interfaces.
> In a practical sense, a service provider already provides a username and
> password to an end user.  It would seem impractical for the user to
> provide a username and password back to the service provider when an
> X.509 certificate would do the job.
> > 
> > 
> >>Did I miss architectural issues in the draft?
> > 
> > 
> > I only had a very quick read. For me, the really interesting issue is
> > to figure out how much security protocols like SSH or TLS actually
> > [rely] on the connection initiation procedure or whether the
> > client/server roles can be "turned" before the security protocols do
> > their work. In other words, I would like to know whether some
> > extensions to say SSH can solve most of the issues with call home
> > support in ISMS and NETCONF.
> I'm not quite sure what you're asking for.  Are you suggesting, for
> instance, that the initiator have a host key and the listener make use
> of a user key?
> Eliot

/david t. perkins

Call-home mailing list