Re: [Isms] ISMS charter broken- onus should be on WG to fix it

Ned Freed <> Wed, 14 September 2005 00:56 UTC

Received: from localhost.localdomain ([] by with esmtp (Exim 4.32) id 1EFLZe-0005OK-6E; Tue, 13 Sep 2005 20:56:30 -0400
Received: from ([] by with esmtp (Exim 4.32) id 1EFLZa-0005Nz-Vx; Tue, 13 Sep 2005 20:56:27 -0400
Received: from (ietf-mx []) by (8.9.1a/8.9.1a) with ESMTP id UAA12898; Tue, 13 Sep 2005 20:56:24 -0400 (EDT)
Received: from ([]) by with esmtp (Exim 4.43) id 1EFLe3-0000DL-Rv; Tue, 13 Sep 2005 21:01:06 -0400
Received: from by (PMDF V6.1-1 #35243) id <> (original mail from; Tue, 13 Sep 2005 17:56:09 -0700 (PDT)
DKIM-Signature: a=rsa-sha1; c=nowsp;; s=mauve; t=1126659368; h=Date: From:Subject:MIME-version:Content-type; b=AzsQlw0FO/E0FygM56w5+gcjt QndOQ9VpoInNXY3eau9gpa5p1OEL++Lb53pc3eRqnEsg3G7KAYySdwwz2pCew==
Received: from by (PMDF V6.1-1 #35243) id <>; Tue, 13 Sep 2005 17:56:05 -0700 (PDT)
To: Jeffrey Hutzelman <>
Message-id: <>
Date: Tue, 13 Sep 2005 17:23:26 -0700 (PDT)
From: Ned Freed <>
In-reply-to: "Your message dated Tue, 13 Sep 2005 17:37:49 -0400" <>
MIME-version: 1.0
Content-type: TEXT/PLAIN; format=flowed
References: <> <> <20050913204555.GA14153@boskop.local> <> <>
X-Spam-Score: 0.0 (/)
X-Scan-Signature: cd26b070c2577ac175cd3a6d878c6248
Cc:,,, 'Eliot Lear' <>, Sam Hartman <>,, 'IETF Discussion' <>
Subject: Re: [Isms] ISMS charter broken- onus should be on WG to fix it
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: IETF-Discussion <>
List-Unsubscribe: <>, <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>

> On Tuesday, September 13, 2005 05:06:40 PM -0400 Sam Hartman
> <> wrote:

> >>>>>> "Juergen" == Juergen Schoenwaelder <>
> >>>>>> writes:
> >
> >     Juergen> Sam,
> >
> >     Juergen> this is not about blocking port 22 as far as I understand
> >     Juergen> things. I think the issue here is that TCP connection
> >     Juergen> establishment determines ssh client/server roles.  If
> >     Juergen> there would be a way to initiate the connection but
> >     Juergen> subsequently taking over the server role, protocols like
> >     Juergen> netconf and presumably isms would find it much easier to
> >     Juergen> provide CH functionality.
> >
> > Right.  But for the ssh-connect application I don't think you would
> > want that unless you were trying to get around firewall policy.

> I don't think that's necessarily the case. Sure, you might be trying to do
> that, but you also might be trying to get around the fact that the machines
> at your house are behind a NAT and thus lack routable addresses.

Or consider the case of a firewall whose policy is simply one where incoming
connections are not allowed for fear of worms infecting vulnerable systems. The
only way to monitor systems behind such a firewall is to have them establish
outgoing connections. Such behavior is in no way, shape or form a violation of
that firewall's policy, yet it is necessary to work properly in such a (very
common) firewalled environment.

More generally, every protocol we define, every enhancement to a protocol we
specify, and every operational policy we advocate has the potential of being
used to "get around firewall policy" in some situation or other.  And this is
especially true when we're defining protocols that provide some form of
confidentiality, which of course we do more and more frequently. This is the
nature of the beast, like it or not. Were we to use this as a criteria not to
proceed with our work we might as well all go home.

Furthermore, the fact of the matter is that specifying how something is
supposed to be done tends to aid in establishing useful firewall policies far
more than it hurts. People are going to use the "call home" approach for
monitoring whether we like it or not - it is just too useful for them not to.
And absent a specification it will be done in a zillion incompatible ways and
without any real understanding of the security issues. And unless firewall
operators are prepared to block absolutely everything (which of course they
cannot) they don't stand a chance in hell of controlling such services. A
timely specification, on the other hand, could simultaneously raise awareness
of the security issues as well as provide some measure of consistency in such
traffic, in turn allowing some measure of control.

And make no mistake about it: When it comes to call home services, the
situation is already dire. Only yesterday I observed a popup from a piece of
video processing software I use informing me that a new version is now
available. Obviously this application had just "called home" and found out
about the new version. Hopefully that's all it did - nowhere in the product
documentation does it mention it would do this, nor is there any preferences
setting I can find to tell it not to. 

If I were to object to Eliot's proposal (I don't - in fact I strongly support
it), it would be on the grounds that the IETF should be taking a long hard look
at the issues surrounding call home in general, not just in the special case of

> > I suspect that the ssh community would decline to extend ssh in this
> > direction; I certainly know I would not support it.

> I'm not entirely sure _how_ I'd extend SSH in this direction, or how much
> utility it would have.  I don't think I would object to it, especially
> since I suspect it might make some of the ISMS cases easier even if you
> don't care about the firewall problem.

Well, the ssh client I use has the ability to do port forwarding in both
directions already. The only thing that has stopped me from using this feature
to do SNMP monitoring of various mobile agents is that it doesn't work with
UDP, and the SNMP stuff I use is UDP only.


Ietf mailing list