Re: [Isms] ISMS charter broken- onus should be on WG to fix it
Ned Freed <ned.freed@mrochek.com> Wed, 14 September 2005 00:56 UTC
Received: from localhost.localdomain ([127.0.0.1] helo=megatron.ietf.org) by megatron.ietf.org with esmtp (Exim 4.32) id 1EFLZe-0005OK-6E; Tue, 13 Sep 2005 20:56:30 -0400
Received: from odin.ietf.org ([132.151.1.176] helo=ietf.org) by megatron.ietf.org with esmtp (Exim 4.32) id 1EFLZa-0005Nz-Vx; Tue, 13 Sep 2005 20:56:27 -0400
Received: from ietf-mx.ietf.org (ietf-mx [132.151.6.1]) by ietf.org (8.9.1a/8.9.1a) with ESMTP id UAA12898; Tue, 13 Sep 2005 20:56:24 -0400 (EDT)
Received: from mauve.mrochek.com ([209.55.107.55]) by ietf-mx.ietf.org with esmtp (Exim 4.43) id 1EFLe3-0000DL-Rv; Tue, 13 Sep 2005 21:01:06 -0400
Received: from dkim-sign.mauve.mrochek.com by mauve.mrochek.com (PMDF V6.1-1 #35243) id <01LSZP7BN6OW007T8P@mauve.mrochek.com> (original mail from ned.freed@mrochek.com); Tue, 13 Sep 2005 17:56:09 -0700 (PDT)
DKIM-Signature: a=rsa-sha1; c=nowsp; d=mrochek.com; s=mauve; t=1126659368; h=Date: From:Subject:MIME-version:Content-type; b=AzsQlw0FO/E0FygM56w5+gcjt QndOQ9VpoInNXY3eau9gpa5p1OEL++Lb53pc3eRqnEsg3G7KAYySdwwz2pCew==
Received: from mauve.mrochek.com by mauve.mrochek.com (PMDF V6.1-1 #35243) id <01LSZBHW7HR4000092@mauve.mrochek.com>; Tue, 13 Sep 2005 17:56:05 -0700 (PDT)
To: Jeffrey Hutzelman <jhutz@cmu.edu>
Message-id: <01LSZP7AGR0Y000092@mauve.mrochek.com>
Date: Tue, 13 Sep 2005 17:23:26 -0700
From: Ned Freed <ned.freed@mrochek.com>
In-reply-to: "Your message dated Tue, 13 Sep 2005 17:37:49 -0400" <3C03BDBD60783D559EDAE652@sirius.fac.cs.cmu.edu>
MIME-version: 1.0
Content-type: TEXT/PLAIN; format="flowed"
References: <200509131506.j8DF664A016810@pacific-carrier-annex.mit.edu> <tslhdcokeed.fsf@cz.mit.edu> <20050913204555.GA14153@boskop.local> <tslbr2wk78f.fsf@cz.mit.edu> <3C03BDBD60783D559EDAE652@sirius.fac.cs.cmu.edu>
X-Spam-Score: 0.0 (/)
X-Scan-Signature: cd26b070c2577ac175cd3a6d878c6248
Cc: david.kessens@nokia.com, isms@ietf.org, iesg@ietf.org, 'Eliot Lear' <lear@cisco.com>, Sam Hartman <hartmans-ietf@mit.edu>, ietfdbh@comcast.net, 'IETF Discussion' <ietf@ietf.org>
Subject: Re: [Isms] ISMS charter broken- onus should be on WG to fix it
X-BeenThere: ietf@ietf.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: IETF-Discussion <ietf.ietf.org>
List-Unsubscribe: <https://www1.ietf.org/mailman/listinfo/ietf>, <mailto:ietf-request@ietf.org?subject=unsubscribe>
List-Post: <mailto:ietf@ietf.org>
List-Help: <mailto:ietf-request@ietf.org?subject=help>
List-Subscribe: <https://www1.ietf.org/mailman/listinfo/ietf>, <mailto:ietf-request@ietf.org?subject=subscribe>
Sender: ietf-bounces@ietf.org
Errors-To: ietf-bounces@ietf.org
> On Tuesday, September 13, 2005 05:06:40 PM -0400 Sam Hartman > <hartmans-ietf@mit.edu> wrote: > >>>>>> "Juergen" == Juergen Schoenwaelder <j.schoenwaelder@iu-bremen.de> > >>>>>> writes: > > > > Juergen> Sam, > > > > Juergen> this is not about blocking port 22 as far as I understand > > Juergen> things. I think the issue here is that TCP connection > > Juergen> establishment determines ssh client/server roles. If > > Juergen> there would be a way to initiate the connection but > > Juergen> subsequently taking over the server role, protocols like > > Juergen> netconf and presumably isms would find it much easier to > > Juergen> provide CH functionality. > > > > Right. But for the ssh-connect application I don't think you would > > want that unless you were trying to get around firewall policy. > I don't think that's necessarily the case. Sure, you might be trying to do > that, but you also might be trying to get around the fact that the machines > at your house are behind a NAT and thus lack routable addresses. Or consider the case of a firewall whose policy is simply one where incoming connections are not allowed for fear of worms infecting vulnerable systems. The only way to monitor systems behind such a firewall is to have them establish outgoing connections. Such behavior is in no way, shape or form a violation of that firewall's policy, yet it is necessary to work properly in such a (very common) firewalled environment. More generally, every protocol we define, every enhancement to a protocol we specify, and every operational policy we advocate has the potential of being used to "get around firewall policy" in some situation or other. And this is especially true when we're defining protocols that provide some form of confidentiality, which of course we do more and more frequently. This is the nature of the beast, like it or not. Were we to use this as a criteria not to proceed with our work we might as well all go home. Furthermore, the fact of the matter is that specifying how something is supposed to be done tends to aid in establishing useful firewall policies far more than it hurts. People are going to use the "call home" approach for monitoring whether we like it or not - it is just too useful for them not to. And absent a specification it will be done in a zillion incompatible ways and without any real understanding of the security issues. And unless firewall operators are prepared to block absolutely everything (which of course they cannot) they don't stand a chance in hell of controlling such services. A timely specification, on the other hand, could simultaneously raise awareness of the security issues as well as provide some measure of consistency in such traffic, in turn allowing some measure of control. And make no mistake about it: When it comes to call home services, the situation is already dire. Only yesterday I observed a popup from a piece of video processing software I use informing me that a new version is now available. Obviously this application had just "called home" and found out about the new version. Hopefully that's all it did - nowhere in the product documentation does it mention it would do this, nor is there any preferences setting I can find to tell it not to. If I were to object to Eliot's proposal (I don't - in fact I strongly support it), it would be on the grounds that the IETF should be taking a long hard look at the issues surrounding call home in general, not just in the special case of SNMP. > > I suspect that the ssh community would decline to extend ssh in this > > direction; I certainly know I would not support it. > I'm not entirely sure _how_ I'd extend SSH in this direction, or how much > utility it would have. I don't think I would object to it, especially > since I suspect it might make some of the ISMS cases easier even if you > don't care about the firewall problem. Well, the ssh client I use has the ability to do port forwarding in both directions already. The only thing that has stopped me from using this feature to do SNMP monitoring of various mobile agents is that it doesn't work with UDP, and the SNMP stuff I use is UDP only. Ned _______________________________________________ Ietf mailing list Ietf@ietf.org https://www1.ietf.org/mailman/listinfo/ietf
- Re: net.stewards [Re: BitTorrent (Was: Re: [Isms]… Marc Manthey
- RE: [Isms] ISMS charter broken- onus should be on… Nelson, David
- Re: [Isms] ISMS charter broken- onus should be on… Sam Hartman
- Re: [Isms] ISMS charter broken- onus should be on… Juergen Schoenwaelder
- Re: [Isms] ISMS charter broken- onus should be on… Sam Hartman
- Re: [Isms] ISMS charter broken- onus should be on… Jeffrey Hutzelman
- Re: [Isms] ISMS charter broken- onus should be on… Juergen Schoenwaelder
- Re: [Isms] ISMS charter broken- onus should be on… Ned Freed
- Re: [Isms] ISMS charter broken- onus should be on… Jeffrey Hutzelman
- Re: [Isms] ISMS charter broken- onus should be on… Michael Thomas
- Re: [Isms] ISMS charter broken- onus should be on… Ned Freed
- Re: [Isms] ISMS charter broken- onus should be on… Michael Thomas
- BitTorrent (Was: Re: [Isms] ISMS charter broken- … Paul Hoffman
- CH and p2p [Re: [Isms] ISMS charter broken- onus … Brian E Carpenter
- Re: BitTorrent (Was: Re: [Isms] ISMS charter brok… Michael Thomas
- Re: BitTorrent (Was: Re: [Isms] ISMS charter brok… Paul Hoffman
- Re: BitTorrent (Was: Re: [Isms] ISMS charter brok… Scott W Brim
- Re: BitTorrent (Was: Re: [Isms] ISMS charter brok… Michael Thomas
- Re: BitTorrent (Was: Re: [Isms] ISMS charter brok… Michael Thomas
- Re: BitTorrent (Was: Re: [Isms] ISMS charter brok… Iljitsch van Beijnum
- net.stewards [Re: BitTorrent (Was: Re: [Isms] ISM… Brian E Carpenter
- Re: net.stewards [Re: BitTorrent (Was: Re: [Isms]… Steven M. Bellovin
- Re: net.stewards [Re: BitTorrent (Was: Re: [Isms]… Michael Thomas
- RE: net.stewards [Re: BitTorrent (Was: Re: [Isms]… Nicholas Staff