IETF Logo Mail Archive

Re: [Netconf] [OPSAWG] guidance on draft-kwatsen-reverse-ssh

Kent Watsen <kwatsen@juniper.net> Tue, 19 July 2011 20:34 UTC

Return-Path: <kwatsen@juniper.net>
X-Original-To: netconf@ietfa.amsl.com
Delivered-To: netconf@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 4AFBF21F8B2C; Tue, 19 Jul 2011 13:34:39 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.599
X-Spam-Level:
X-Spam-Status: No, score=-6.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, RCVD_IN_DNSWL_MED=-4]
Received: from mail.ietf.org ([64.170.98.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id e+WH7hiqyVN0; Tue, 19 Jul 2011 13:34:38 -0700 (PDT)
Received: from exprod7og102.obsmtp.com (exprod7og102.obsmtp.com [64.18.2.157]) by ietfa.amsl.com (Postfix) with ESMTP id 5722521F8B2B; Tue, 19 Jul 2011 13:34:38 -0700 (PDT)
Received: from P-EMHUB03-HQ.jnpr.net ([66.129.224.36]) (using TLSv1) by exprod7ob102.postini.com ([64.18.6.12]) with SMTP ID DSNKTiXqXJ8eSR+vkl1Sr0hUGV/gDTXgfgHP@postini.com; Tue, 19 Jul 2011 13:34:38 PDT
Received: from EMBX01-HQ.jnpr.net ([fe80::c821:7c81:f21f:8bc7]) by P-EMHUB03-HQ.jnpr.net ([::1]) with mapi; Tue, 19 Jul 2011 13:32:57 -0700
From: Kent Watsen <kwatsen@juniper.net>
To: Andy Bierman <ietf@andybierman.com>, "t.petch" <ietfc@btconnect.com>, "opsawg@ietf.org" <opsawg@ietf.org>, "netconf@ietf.org" <netconf@ietf.org>
Date: Tue, 19 Jul 2011 13:32:55 -0700
Thread-Topic: [Netconf] [OPSAWG] guidance on draft-kwatsen-reverse-ssh
Thread-Index: AcxGO87C1rGjIcD/SuOgTYH/eb0A7AAE3UZA
Message-ID: <84600D05C20FF943918238042D7670FD3E849038E3@EMBX01-HQ.jnpr.net>
References: <84600D05C20FF943918238042D7670FD3E8429F313@EMBX01-HQ.jnpr.net> <20110713044711.GA80654@elstar.local> <84600D05C20FF943918238042D7670FD3E8429F98E@EMBX01-HQ.jnpr.net> <01c401cc45ed$07d58060$4001a8c0@gateway.2wire.net> <20110719102454.GA67454@elstar.local> <4E25C2EE.8060004@andybierman.com>
In-Reply-To: <4E25C2EE.8060004@andybierman.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
acceptlanguage: en-US
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
Subject: Re: [Netconf] [OPSAWG] guidance on draft-kwatsen-reverse-ssh
X-BeenThere: netconf@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: Network Configuration WG mailing list <netconf.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/netconf>, <mailto:netconf-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/netconf>
List-Post: <mailto:netconf@ietf.org>
List-Help: <mailto:netconf-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/netconf>, <mailto:netconf-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 19 Jul 2011 20:34:39 -0000

> My recollection of the conclusion was that the problem space was
> not big enough, and an SSH-specific solution was inappropriate.  
> A more general approach should be investigated.

If this is still a concern, we might be able to extend the protocol so that it could reverse *any* TCP-based client/server protocol (HTTP, POP, IMAP, etc.)  Is there a perceived need to reverse other protocols? - perhaps to resolve the NAT traversal case?


> ...assuming the security experts approve

So far their objections have primarily been that the solution proposed wasn't integrated into the SSH protocol enough.  There were few comments/concerns regarding security (see my July 12 email for details)


> The main reason given is that the client connection maintenance is
> not worth the resources and coding effort.

Just to clarify, the coding effort on the devices is really quite small.  All that is needed is a daemon to initiate the TCP connection, complete the bootstrap sequence, and then fork/exec `sshd -i` in exactly the same way that `inetd` does.  SSH itself can't differentiate how the underlying transport was established.  Juniper has C-based source code for doing this that we have provided to partners in the past, but we should be able to open source it in order to validate the draft, presuming it moves forward...


Thanks,
Kent

v2.23.0 | Report a Bug | By Email