IETF Logo Mail Archive

RE: ISMS working group

Daniel Senie <dts@senie.com> Thu, 08 September 2005 20:45 UTC

Received: from localhost.localdomain ([127.0.0.1] helo=megatron.ietf.org) by megatron.ietf.org with esmtp (Exim 4.32) id 1EDTGi-0001K6-0L; Thu, 08 Sep 2005 16:45:12 -0400
Received: from odin.ietf.org ([132.151.1.176] helo=ietf.org) by megatron.ietf.org with esmtp (Exim 4.32) id 1EDTGe-0001Js-KB; Thu, 08 Sep 2005 16:45:09 -0400
Received: from ietf-mx.ietf.org (ietf-mx [132.151.6.1]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id QAA16489; Thu, 8 Sep 2005 16:45:05 -0400 (EDT)
Received: from parsley.amaranth.net ([204.10.1.23]) by ietf-mx.ietf.org with esmtp (Exim 4.43) id 1EDTK5-0007XZ-9y; Thu, 08 Sep 2005 16:48:42 -0400
Received: from ancho.senie.com (c-24-34-19-2.hsd1.ma.comcast.net [24.34.19.2]) (authenticated bits=0) by parsley.amaranth.net (8.12.11/8.12.11) with ESMTP id j88Kinmv018654 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Thu, 8 Sep 2005 16:44:51 -0400
Message-Id: <6.2.3.4.2.20050908162942.07a9cda8@mail.amaranth.net>
X-Mailer: QUALCOMM Windows Eudora Version 6.2.3.4
Date: Thu, 08 Sep 2005 16:38:23 -0400
To: "Nelson, David" <dnelson@enterasys.com>, iesg@ietf.org, ietf@ietf.org
From: Daniel Senie <dts@senie.com>
In-Reply-To: <2A5E4540D4D5934D9A1E7E0B0FDB2D690103258F@MAANDMBX2.ets.ent erasys.com>
References: <2A5E4540D4D5934D9A1E7E0B0FDB2D690103258F@MAANDMBX2.ets.enterasys.com>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"; format="flowed"
X-Virus-Scanned: ClamAV version 0.86.2, clamav-milter version 0.86 on parsley.amaranth.net
X-Virus-Status: Clean
X-Spam-Score: 0.0 (/)
X-Scan-Signature: 082a9cbf4d599f360ac7f815372a6a15
Cc:
Subject: RE: ISMS working group
X-BeenThere: ietf@ietf.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: IETF-Discussion <ietf.ietf.org>
List-Unsubscribe: <https://www1.ietf.org/mailman/listinfo/ietf>, <mailto:ietf-request@ietf.org?subject=unsubscribe>
List-Post: <mailto:ietf@ietf.org>
List-Help: <mailto:ietf-request@ietf.org?subject=help>
List-Subscribe: <https://www1.ietf.org/mailman/listinfo/ietf>, <mailto:ietf-request@ietf.org?subject=subscribe>
Sender: ietf-bounces@ietf.org
Errors-To: ietf-bounces@ietf.org

At 02:41 PM 9/8/2005, Nelson, David wrote:
>Let's assume, for the sake of discussion, that SNMP must always work
>across Firewalls and NATs.  The original objection to the proposed
>charter was that it did not include support for "Call Home"
>functionality.
>
>I can see how Call Home would solve the NAT problem, at least on a
>sporadic basis.  The managed entity could initiate an "outgoing" NAT
>session to the management station, and the management station could use
>that connection as needed.  I don't see how this allows the management
>station to later initiate an "incoming" connection to the NAT'ed managed
>entity.  Nor do I see how it would enable firewalls to safely pass
>through only the desired SNMP traffic.
>
>Clarification would be helpful.  Thanks.

Especially in the case of UDP traffic, there is no clear distinction 
between packets leaving a NAT-protected environment and packets 
coming in, for a particular association. So if the device that "calls 
home" sends a heartbeat packet once a minute or every 15 seconds or 
whatever, the NAT device will keep an association ("connection" 
doesn't really cut it for describing a UDP conversation) open. The 
management station would then be able to initiate a request to the 
managed entity, provided the managed entity accepted new requests on 
the same port it was using for heartbeats. Note that EVERYTHING in 
this paragraph applies equally to firewalls doing stateful packet 
inspection using publicly routable IP addresses.

Implementing call home functionality over SSH would provide a 
connection that is likely to be nailed up, and re-established 
automatically whenever it drops for any reason. Otherwise, the 
expense of setup and tear-down of TCP sessions and SSH keying on the 
management platform would probably become a concern in large 
deployments. If a channel exists for sending information over SSH to 
the management platform, then a channel exists for information in the 
other direction too. Even if the connection is NOT nailed up, but 
only comes up for status information and heartbeats, there's still an 
opportunity to have a command queue of waiting messages destined for 
the managed device.

Such functionality is potentially useful. It certainly has the 
ability to bypass NAT and/or firewall functionality, which is a 
serious concern. Equipment vendors certainly like the concept of 
hardware that calls home. Stratus Computer did this starting in the 
early 1980s (using 2400 baud modems, as that was the technology that 
was reliable in that era). Others have done it as well. There are 
some ethical and perhaps even liability issues involved too, however. 
If you use a "call home" function to set up a communication path into 
a a customer's network (e.g. a router vendor trying to track 
licensing on products they sell to a company), and the server(s) at 
the vendor get infected resulting in a breakin at the customer's 
site, the vendor may be in trouble. If the customer didn't know and 
approve the product calling home, the customer might not be aware of 
the potential for that security breach. That too could be a 
significant problem.

I'm not taking sides over whether call home should be in ISMS or not, 
but it's certainly something that should be thought through carefully 
before implementing systems that do these things.




_______________________________________________
Ietf mailing list
Ietf@ietf.org
https://www1.ietf.org/mailman/listinfo/ietf

v2.23.0 | Report a Bug | By Email