Re: [Netconf] Call Home for Notifications
Kent Watsen <kwatsen@juniper.net> Wed, 12 December 2012 21:33 UTC
Return-Path: <kwatsen@juniper.net>
X-Original-To: netconf@ietfa.amsl.com
Delivered-To: netconf@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id DFBF121E805F for <netconf@ietfa.amsl.com>; Wed, 12 Dec 2012 13:33:41 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -3.167
X-Spam-Level:
X-Spam-Status: No, score=-3.167 tagged_above=-999 required=5 tests=[AWL=0.300, BAYES_00=-2.599, RCVD_IN_DNSWL_MED=-4, UNRESOLVED_TEMPLATE=3.132]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ol+zwybrKOQ7 for <netconf@ietfa.amsl.com>; Wed, 12 Dec 2012 13:33:35 -0800 (PST)
Received: from exprod7og119.obsmtp.com (exprod7og119.obsmtp.com [64.18.2.16]) by ietfa.amsl.com (Postfix) with ESMTP id 9655021E8054 for <netconf@ietf.org>; Wed, 12 Dec 2012 13:33:35 -0800 (PST)
Received: from P-EMHUB03-HQ.jnpr.net ([66.129.224.36]) (using TLSv1) by exprod7ob119.postini.com ([64.18.6.12]) with SMTP ID DSNKUMj4KDxjb2wCUJiH+bqL0CNtfH4qj/GC@postini.com; Wed, 12 Dec 2012 13:33:35 PST
Received: from P-CLDFE01-HQ.jnpr.net (172.24.192.59) by P-EMHUB03-HQ.jnpr.net (172.24.192.37) with Microsoft SMTP Server (TLS) id 8.3.213.0; Wed, 12 Dec 2012 13:31:02 -0800
Received: from o365mail.juniper.net (207.17.137.149) by o365mail.juniper.net (172.24.192.59) with Microsoft SMTP Server id 14.1.355.2; Wed, 12 Dec 2012 13:31:02 -0800
Received: from CO9EHSOBE017.bigfish.com (207.46.163.25) by o365mail.juniper.net (207.17.137.149) with Microsoft SMTP Server (TLS) id 14.1.355.2; Wed, 12 Dec 2012 13:32:52 -0800
Received: from mail36-co9-R.bigfish.com (10.236.132.226) by CO9EHSOBE017.bigfish.com (10.236.130.80) with Microsoft SMTP Server id 14.1.225.23; Wed, 12 Dec 2012 21:30:40 +0000
Received: from mail36-co9 (localhost [127.0.0.1]) by mail36-co9-R.bigfish.com (Postfix) with ESMTP id 1E812700128 for <netconf@ietf.org.FOPE.CONNECTOR.OVERRIDE>; Wed, 12 Dec 2012 21:30:40 +0000 (UTC)
X-Forefront-Antispam-Report: CIP:157.56.245.197; KIP:(null); UIP:(null); (null); H:CH1PRD0511HT002.namprd05.prod.outlook.com; R:internal; EFV:INT
X-SpamScore: -4
X-BigFish: PS-4(zzbb2dI98dI9371I1432Izz1de0h1202h1e76h1d1ah1d2ahzz8275chz2dh2a8h668h839h944hd25hf0ah1220h1288h12a5h12a9h12bdh137ah13b6h1441h1504h1537h153bh15d0h162dh1631h1758h1155h)
Received: from mail36-co9 (localhost.localdomain [127.0.0.1]) by mail36-co9 (MessageSwitch) id 1355347838164897_29122; Wed, 12 Dec 2012 21:30:38 +0000 (UTC)
Received: from CO9EHSMHS030.bigfish.com (unknown [10.236.132.254]) by mail36-co9.bigfish.com (Postfix) with ESMTP id 1B55E9000B0; Wed, 12 Dec 2012 21:30:38 +0000 (UTC)
Received: from CH1PRD0511HT002.namprd05.prod.outlook.com (157.56.245.197) by CO9EHSMHS030.bigfish.com (10.236.130.40) with Microsoft SMTP Server (TLS) id 14.1.225.23; Wed, 12 Dec 2012 21:30:30 +0000
Received: from CH1PRD0511MB407.namprd05.prod.outlook.com ([169.254.5.104]) by CH1PRD0511HT002.namprd05.prod.outlook.com ([10.255.159.37]) with mapi id 14.16.0245.002; Wed, 12 Dec 2012 21:30:26 +0000
From: Kent Watsen <kwatsen@juniper.net>
To: Phil Shafer <phil@juniper.net>, Juergen Schoenwaelder <j.schoenwaelder@jacobs-university.de>
Thread-Topic: [Netconf] Call Home for Notifications
Thread-Index: AQHN16Q0tNon+hBUn0KjuKRoLf/9zZgTnkOAgAAIggCAAW/qgIAAhmUAgAAA8oD//76pgA==
Date: Wed, 12 Dec 2012 21:30:25 +0000
Message-ID: <DCD496BDC395CF48802ED971215794A81202FE99@CH1PRD0511MB407.namprd05.prod.outlook.com>
In-Reply-To: <201212122024.qBCKOFJ9093061@idle.juniper.net>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
user-agent: Microsoft-MacOutlook/14.2.4.120824
x-originating-ip: [10.255.131.4]
Content-Type: text/plain; charset="us-ascii"
Content-ID: <81FB3B1A3B42544FA8A5975FEA482E39@namprd05.prod.outlook.com>
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
X-FOPE-CONNECTOR: Id%0$Dn%*$RO%0$TLS%0$FQDN%$TlsDn%
X-FOPE-CONNECTOR: Id%12219$Dn%JACOBS-UNIVERSITY.DE$RO%2$TLS%5$FQDN%onpremiseedge-1018244.customer.frontbridge.com$TlsDn%o365mail.juniper.net
X-FOPE-CONNECTOR: Id%12219$Dn%IETF.ORG$RO%2$TLS%5$FQDN%onpremiseedge-1018244.customer.frontbridge.com$TlsDn%o365mail.juniper.net
Cc: Netconf <netconf@ietf.org>
Subject: Re: [Netconf] Call Home for Notifications
X-BeenThere: netconf@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Network Configuration WG mailing list <netconf.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/netconf>, <mailto:netconf-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/netconf>
List-Post: <mailto:netconf@ietf.org>
List-Help: <mailto:netconf-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/netconf>, <mailto:netconf-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 12 Dec 2012 21:33:42 -0000
On 12/12/12 3:24 PM, "Phil Shafer" <phil@juniper.net> wrote: >Juergen Schoenwaelder writes: >>Back im ISMS days, some security folks argued that even then this is >>not the same. The reasoning, as far as I understood it and recall it, >>which may be completely wrong, was that in the normal case, the client >>has a clear idea to which host it wants to connect and then the client >>can check the discovered host key against what was expected. If you >>turn this around, the 'client' gets presented with a host connecting >>and since the initiative come from the remote entity, the client has a >>harder time to decide whether the host is meaningful to engage into a >>conversation with. This may sound like an artificial philosophical >>argument, perhaps it is, perhaps it is just my poor recollection and >>paraphrasing of it. > >Does having the device pre-configured with the hostkey of the manager >help? It then knows that the incoming connection is from someone that >it's supposed to be talking with. Assuming you meant host key of the *device*, absolutely, but draft-kwatsen-reverse-ssh takes it a step further by enabling trust in the host-key to be learned, per it being cryptographically signed with something the manager trusts. Juergon, I'm familiar with the need for TLS clients to verify a certificate's subject matter matches expectations, as it is prudent to validate the identity your peer. In the case of device-initiated connection, there is still a desire to validate its identity, though it may take on other forms including serial-number, hash(serial-number), ip-address, and/or fqdn. Ideally the manager has some precognition of one of these, but this may not always be possible. This is why draft-kwatsen-reverse-ssh introduced the ability for a CA to sign the device's credentials, thus enabling a manager to extend its trust for the CA to the device, even if never seeing its identity before. FWIW, neither the IETF-SSH nor SAAG raised any security concerns when discussing draft-kwatsen-reverse-ssh, though this may be due to them being too preoccupied with protocol-purity and never getting to think about it ;) K.
- [Netconf] Fwd: New Version Notification for draft… Andy Bierman
- [Netconf] Call Home for Notifications Balazs Lengyel
- Re: [Netconf] Call Home for Notifications Phil Shafer
- Re: [Netconf] Call Home for Notifications Juergen Schoenwaelder
- Re: [Netconf] Call Home for Notifications Kent Watsen
- Re: [Netconf] Call Home for Notifications Juergen Schoenwaelder
- Re: [Netconf] Call Home for Notifications Phil Shafer
- Re: [Netconf] Call Home for Notifications Kent Watsen