IETF Logo Mail Archive

Re: [Netconf] WG Last Call Comments ondraft-ietf-netconf-reverse-ssh-03.txt

t.petch <ietfc@btconnect.com> Tue, 08 April 2014 15:52 UTC

Return-Path: <ietfc@btconnect.com>
X-Original-To: netconf@ietfa.amsl.com
Delivered-To: netconf@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 906D41A0470 for <netconf@ietfa.amsl.com>; Tue, 8 Apr 2014 08:52:34 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 0.799
X-Spam-Level:
X-Spam-Status: No, score=0.799 tagged_above=-999 required=5 tests=[BAYES_50=0.8, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 2JU7J4u0ZRlL for <netconf@ietfa.amsl.com>; Tue, 8 Apr 2014 08:52:29 -0700 (PDT)
Received: from emea01-db3-obe.outbound.protection.outlook.com (mail-db3lp0079.outbound.protection.outlook.com [213.199.154.79]) by ietfa.amsl.com (Postfix) with ESMTP id 044591A0460 for <netconf@ietf.org>; Tue, 8 Apr 2014 08:52:28 -0700 (PDT)
Received: from AMSPR07MB049.eurprd07.prod.outlook.com (10.242.81.11) by AMSPR07MB373.eurprd07.prod.outlook.com (10.242.21.13) with Microsoft SMTP Server (TLS) id 15.0.913.9; Tue, 8 Apr 2014 15:52:28 +0000
Received: from DBXPRD0510HT001.eurprd05.prod.outlook.com (157.56.252.165) by AMSPR07MB049.eurprd07.prod.outlook.com (10.242.81.11) with Microsoft SMTP Server (TLS) id 15.0.918.8; Tue, 8 Apr 2014 15:52:26 +0000
Message-ID: <01f401cf5342$4d48d740$4001a8c0@gateway.2wire.net>
From: "t.petch" <ietfc@btconnect.com>
To: "Bert Wijnen (IETF)" <bertietf@bwijnen.net>, Kent Watsen <kwatsen@juniper.net>
References: <201403251517.LAA15291@adminfs.snmp.com> <CF58ED17.65F0C%kwatsen@juniper.net> <533D47CF.30402@bwijnen.net>
Date: Tue, 08 Apr 2014 14:44:59 +0100
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2800.1106
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1106
X-Originating-IP: [157.56.252.165]
X-ClientProxiedBy: DB4PR07CA032.eurprd07.prod.outlook.com (10.242.229.42) To AMSPR07MB049.eurprd07.prod.outlook.com (10.242.81.11)
X-Forefront-PRVS: 017589626D
X-Forefront-Antispam-Report: SFV:NSPM; SFS:(10009001)(6009001)(428001)(479174003)(377454003)(189002)(199002)(51704005)(51444003)(24454002)(35774003)(41574002)(13464003)(23756003)(54316002)(76482001)(85306002)(84392001)(93516002)(85852003)(50466002)(66066001)(59766001)(74662001)(77982001)(80976001)(74366001)(31966008)(62966002)(83072002)(63696002)(49866001)(61296002)(79102001)(44716002)(65816001)(53806002)(50986002)(47976002)(47736002)(47446003)(80022001)(44736004)(74706001)(62236002)(74876001)(81342001)(4396001)(15975445006)(74502001)(56776001)(94946001)(47776003)(98676001)(81542001)(50226001)(20776003)(46102001)(95416001)(99396002)(87976001)(94316002)(86362001)(69226001)(90146001)(77096001)(42186004)(97336001)(56816005)(92726001)(88136002)(77156001)(97186001)(89996001)(14496001)(92566001)(76786001)(93916002)(76796001)(95666003)(93136001)(33646001)(19580405001)(83322001)(87266001)(87286001)(19580395003)(74416001)(7726001); DIR:OUT; SFP:1101; SCL:1; SRVR:AMSPR07MB049; H:DBXPRD0510HT001.eurprd05.prod.outlook.com; FPR:C6ECF156.ACFA5151.B2D3124B.52E4D3F1.20656; MLV:sfv; PTR:InfoNoRecords; MX:1; A:0; LANG:en;
Received-SPF: None (: btconnect.com does not designate permitted sender hosts)
X-OriginatorOrg: btconnect.com
Archived-At: http://mailarchive.ietf.org/arch/msg/netconf/2SEAo7wdSqa63LuTitO7QIXcEXg
Cc: netconf@ietf.org
Subject: Re: [Netconf] WG Last Call Comments ondraft-ietf-netconf-reverse-ssh-03.txt
X-BeenThere: netconf@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Network Configuration WG mailing list <netconf.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/netconf>, <mailto:netconf-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/netconf/>
List-Post: <mailto:netconf@ietf.org>
List-Help: <mailto:netconf-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/netconf>, <mailto:netconf-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 08 Apr 2014 15:52:34 -0000

I do not think that this is ready to advance.  I had not intended to
comment but having started on netconf-server, and found I had to read
5539bis to understand where it was going, I then found that reverse-ssh
was another piece of the jigsaw.

In particular, I think that this I-D is more or less updating RFC4742 in
its considerations of security.  And I think it may be confused about
public keys and certificates and their role in authentication.

Taken together, and I do not think they can be considered separately, I
do not think that the three I-Ds give a coherent view of how to secure a
NETCONF session.

I would point to the queries raised by Tadek and Bajpai which, to me on
the one hand seem spot on and on the other, seem to regard the subject
material of these three I-Ds as of a one - which I obviously agree with.

I think that netconf-server is the one in most need of progress and see
it as a Normative, not Informative, prerequisite.

Tom Petch


----- Original Message -----
From: "Bert Wijnen (IETF)" <bertietf@bwijnen.net>
To: "Kent Watsen" <kwatsen@juniper.net>
Cc: <netconf@ietf.org>
Sent: Thursday, April 03, 2014 12:36 PM

> WGLC period ended last Tuesday (April 1st).
>
> Kent, where are we with this one?
>
> Do you expect to post a rev 04 that addresses all comments we have
received?
> Either WGLC comments or other comments? Once that is done, I would
like to ask:
> - Kent to post which comments have not been addressed and why (if any)
> - If possible, Kent to post a summary of changes (although that may
already be
>    in the document, and that is fine too).
> - All those that made comments to check if they are OK with the way
that
>    they have been addressed or responded to.
>
> Bert
>
> On 27/03/14 17:02, Kent Watsen wrote:
> >
> > Hi Alan,
> >
> >
> > Awesome comments - thanks!
> >
> >
> > I applied all fixes mentioned below to my working copy of what will
be
> > -04, so you'll have to wait until then to see the diff.  The reason
I'm
> > not posting -04 now is because I'm still trying to work out an issue
with
> > Applicability Statement and with the port's name.
> >
> > Below are my detailed responses.
> >
> > Cheers,
> > Kent
> >
> >
> >
> >
> >
> >
> >
> >> Typos
> >> -----
> >>
> >
> > I fixed all the issues you found.
> >
> >
> >
> >
> >
> >
> >> Section 2.1, Page 3, Second Paragraph:  (wording)
> >> -------------------------------------------------
> >>
> >> The second paragraph seems vague.  Would something along the lines
of
> >> the following text be clearer and/or more specific?
> >
> > I forwarded this comment to Steve Hanna, who wrote the Applicability
> > Statement.  At first I was just going to ask if he was OK with the
> > proposed text, but then I started thinking that I didn't agree with
it.
> > That is, I think that the SSH protocol does require mutual
authentication
> > and that NETCONF's requirement that it be possible to derive a
"username"
> > from the transport doesn't change that.  I'm still OK limiting
Reverse SSH
> > to just NETCONF, but I want the reason to be accurate.  I'm now
waiting
> > for a response from Steve on this.
> >
> >
> >
> >
> >
> >
> >
> >> Section 4, Page 4:  (wording)
> >> -----------------------------
> >>
> >> The current text reads:
> >>
> >>    o  The NETCONF server initiates a TCP connection to the NETCONF
> >>       client on the IANA-assigned Reverse SSH port YYYY.
> >>
> >>    o  The TCP connection is accepted and a TCP session is
established.
> >
> >
> > I'm not sure about this change since these bullet-points are
preceded by
> > the line "From the NETCONF server's perspective:".  The intent is to
only
> > explain the NETCONF-server's perspective, and to let the next
section
> > provide the client's perspective.   Currently, neither section
references
> > the remote peer, so that its text remains squarely focused on its
side of
> > the connection.  What do you think?
> >
> >
> >
> >
> >
> >
> >
> >> Section 5, Page 5, First Paragraph:  (wording)
> >> ----------------------------------------------
> >>
> >> The current text reads:
> >>
> >>    "When the management system accepts a new incoming connection,
it
> >>     needs to authenticate the remote peer.  Ultimately, this
entails
> >>     identifying the peer and verifying its SSH host key.
> >>
> >>     Due to Reverse SSH having the network element initiate the TCP
> >>     connection,"
> >
> >
> > I changed the wording to be more clear, but did it another way,
please let
> > me know if you think it's OK!
> >
> >
> >
> >
> >
> >
> >
> >
> >> Section 5, Page 6, First Paragraph:  (clarification)
> >> ----------------------------------------------------
> >>
> >> The current text reads:
> >>
> >>    "However, configuring distinct host keys on the management
system
> >>    doesn't scale well, which is an important consideration to a
network
> >>    management system.  A more scalable strategy is to have the
network
> >>    element's host key signed by a common trusted key, such as a
> >>    certificate authority.  Thus, the mangement system only needs to
> >>    trust a single public key, which vouches for the authenticity of
the
> >>    various network element public keys."
> >>
> >> Please help me understand this.  The way this paragraph is written,
it
> >> is not clear to me why "signing each network element's host key
with a
> >> common trusted key" scales better than "configuring distinct host
keys
> >> on the management system".
> >>
> >> In either of these two situations, it seems like an administrator
must
> >> do work for each network element.  In one case, it is configuring
host
> >> keys, in another, it is signing each network element's host key.
If
> >> anything, it seems like signing a host key for each network element
> >> requires _more_ work for each network element, so it seems like
this
> >> would scale less well.
> >>
> >> What am I missing here?
> >
> >
> > Very good question.  Of course it comes down to how the device's
"entity
> > certificates", as they are called, is distributed.  In the best
case, as
> > described in the zero-touch draft, the device would ship from
factory with
> > a built-in entity-certificate, signed by a trust-chain to its
vendor's
> > well-known trust anchor.  In this case, there is no additional
effort
> > needed, the management system only needs to trust the vendor's
certificate
> > for its well-known trust anchor.  For cases where the device doesn't
ship
> > from factory with an entity-certificate, introducing PKI is still
> > advantageous as it decouples the management-system from direct
> > involvement, such that it could be outsourced to some 3rd-party.
Makes
> > sense?  What update would you like to see in the draft?
> >
> >
> >
> >
> >
> >
> >
> >
> >> Section 7, Page 7, Third Paragraph:  (wording)
> >> ----------------------------------------------
> >>
> >> In a few places in the third paragraph, and possibly in other
places
> >> in the document, would changing "needs to" to lowercase "must", or
> >> lowercase "should", make the document a little more concise?
Example:
> >>
> >>    "Note that since the SSH server would have to be configured to
know
> >>     which IP address it needs to connect to,"
> >>                         ^^^^^^^^
> >
> >
> > I changed "needs to" to "is to" for this cited location and another
I
> > found.
> >
> >
> >
> >
> >
> > Thanks again,
> > Kent
> >
> >
> >
> >
> >
> >
> >
> >
> > _______________________________________________
> > Netconf mailing list
> > Netconf@ietf.org
> > https://www.ietf.org/mailman/listinfo/netconf
> >
>
> _______________________________________________
> Netconf mailing list
> Netconf@ietf.org
> https://www.ietf.org/mailman/listinfo/netconf

v2.23.0 | Report a Bug | By Email