IETF Logo Mail Archive

Re: [Netconf] WG Last Call for draft-ietf-netconf-call-home-04 and draft-ietf-netconf-server-model-06 WAS:FW: call-home-04 and server-model-06 available - All Open issues closed

Kent Watsen <kwatsen@juniper.net> Fri, 20 March 2015 18:31 UTC

Return-Path: <kwatsen@juniper.net>
X-Original-To: netconf@ietfa.amsl.com
Delivered-To: netconf@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 8D6B81A6F11 for <netconf@ietfa.amsl.com>; Fri, 20 Mar 2015 11:31:44 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.902
X-Spam-Level:
X-Spam-Status: No, score=-1.902 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id u1DlP5UmqbQw for <netconf@ietfa.amsl.com>; Fri, 20 Mar 2015 11:31:41 -0700 (PDT)
Received: from na01-bn1-obe.outbound.protection.outlook.com (mail-bn1on0718.outbound.protection.outlook.com [IPv6:2a01:111:f400:fc10::718]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 329281A6F27 for <netconf@ietf.org>; Fri, 20 Mar 2015 11:31:41 -0700 (PDT)
Received: from CO1PR05MB458.namprd05.prod.outlook.com (10.141.72.140) by CO1PR05MB459.namprd05.prod.outlook.com (10.141.72.146) with Microsoft SMTP Server (TLS) id 15.1.118.21; Fri, 20 Mar 2015 18:31:22 +0000
Received: from CO1PR05MB458.namprd05.prod.outlook.com ([169.254.10.152]) by CO1PR05MB458.namprd05.prod.outlook.com ([169.254.10.152]) with mapi id 15.01.0118.021; Fri, 20 Mar 2015 18:31:23 +0000
From: Kent Watsen <kwatsen@juniper.net>
To: "t.petch" <ietfc@btconnect.com>, "Ersue, Mehmet (Nokia - DE/Munich)" <mehmet.ersue@nokia.com>, "netconf@ietf.org" <netconf@ietf.org>
Thread-Topic: [Netconf] WG Last Call for draft-ietf-netconf-call-home-04 and draft-ietf-netconf-server-model-06 WAS:FW: call-home-04 and server-model-06 available - All Open issues closed
Thread-Index: AQHQVf+tT/7bNpWPUkyuK74/P/SDo50McXkKgBkXmYA=
Date: Fri, 20 Mar 2015 18:31:22 +0000
Message-ID: <D1319F96.9AD5A%kwatsen@juniper.net>
References: <E4DE949E6CE3E34993A2FF8AE79131F81964E27A@DEMUMBX005.nsn-intra.net> <032f01d0568d$7a8728c0$4001a8c0@gateway.2wire.net>
In-Reply-To: <032f01d0568d$7a8728c0$4001a8c0@gateway.2wire.net>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
user-agent: Microsoft-MacOutlook/14.4.4.140807
x-originating-ip: [66.129.239.12]
authentication-results: btconnect.com; dkim=none (message not signed) header.d=none;
x-microsoft-antispam: UriScan:;BCL:0;PCL:0;RULEID:;SRVR:CO1PR05MB459;
x-microsoft-antispam-prvs: <CO1PR05MB45955D4C2FC05AA9CC00CC4A50E0@CO1PR05MB459.namprd05.prod.outlook.com>
x-forefront-antispam-report: BMV:1; SFV:NSPM; SFS:(10019020)(6009001)(43784003)(164054003)(51444003)(51704005)(15975445007)(106116001)(62966003)(36756003)(86362001)(102836002)(77156002)(87936001)(107886001)(50986999)(54356999)(2656002)(2501003)(76176999)(83506001)(230783001)(122556002)(46102003)(40100003)(2950100001)(92566002)(2900100001)(66066001)(19580395003)(7059030); DIR:OUT; SFP:1102; SCL:1; SRVR:CO1PR05MB459; H:CO1PR05MB458.namprd05.prod.outlook.com; FPR:; SPF:None; MLV:sfv; LANG:en;
x-exchange-antispam-report-test: UriScan:;
x-exchange-antispam-report-cfa-test: BCL:0; PCL:0; RULEID:(601004)(5005006)(5002010); SRVR:CO1PR05MB459; BCL:0; PCL:0; RULEID:; SRVR:CO1PR05MB459;
x-forefront-prvs: 05214FD68E
Content-Type: text/plain; charset="us-ascii"
Content-ID: <204ED6939CEBD5409B1D0746D87C3E38@namprd05.prod.outlook.com>
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
X-OriginatorOrg: juniper.net
X-MS-Exchange-CrossTenant-originalarrivaltime: 20 Mar 2015 18:31:22.6348 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: bea78b3c-4cdb-4130-854a-1d193232e5f4
X-MS-Exchange-Transport-CrossTenantHeadersStamped: CO1PR05MB459
Archived-At: <http://mailarchive.ietf.org/arch/msg/netconf/4BUIFKiv1lFZtR-VNX2OpX9ZVok>
Subject: Re: [Netconf] WG Last Call for draft-ietf-netconf-call-home-04 and draft-ietf-netconf-server-model-06 WAS:FW: call-home-04 and server-model-06 available - All Open issues closed
X-BeenThere: netconf@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Network Configuration WG mailing list <netconf.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/netconf>, <mailto:netconf-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/netconf/>
List-Post: <mailto:netconf@ietf.org>
List-Help: <mailto:netconf-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/netconf>, <mailto:netconf-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 20 Mar 2015 18:31:44 -0000

Hi Tom,

Thank you for this review, and the other focusing on section 3.2 of
call-home draft.  For the most part, you're asking for improvements in the
flow and wording in the draft, for which I'll incorporate when editing the
draft next.

Below are some additional responses.

Thanks,
Kent


>I have read call-home and find it problematic.  I am reminded of Alan
>Luchuk's comments of almost a year ago when it was still reverse-ssh.  I
>find it unclear, hard to understand, confusing in places without knowing
>things that are unsaid.  The improvements made to the text then have
>mostly disappeared with a change of scope.

:sigh:


>I think that the scope of the document - NETCONF, RESTCONF, TLS, SSH,
>certificates, public keys - is right

Oh good, the restructuring of the documents we took on is paying off


>but that does not mean it is always
>possible to cover all the cases in a single sentence and that more
>fleshing out is needed.  Thus repeatedly the use of NETCONF/RESTCONF
>allows combinations that I suspect are invalid, such as RESTCONF over
>SSH or NETCONF using the port assigned to RESTCONF.

This came up before.  In fact, I raised the issue originally and did try
to make it better.  Apparently not.  I have reopened
https://github.com/netconf-wg/call-home/issues/6 to track this.



>What then is the scope?  For most of the I-D, I infer NETCONF with SSH
>and TLS, RESTCONF (which I am not competent to review) with TLS, TLS
>with certificates, SSH with public keys.  But then I see at the end of
>s.3
>" However, to use X.509 certificates with SSH, ..."
>so it looks like SSH with certificates is there too.  How about TLS with
>something else?  We did debate this at length for another I-D and slowly
>converged on X.509 certificates only.  Is this true here?  If so, it
>needs saying up front IMO.

The scope is: NETCONF/SSH, NETCONF/TLS, RESTCONF/TLS

But it so happens that NETCONF/SSH can also support X.509 certificates,
which is really important for the zero-touch solution.  To be honest, I'm
beginning to think that we should take out most of section 3.2 (the one
that leads to recommending X.509 host-keys).  For the call-home protocol,
all we need to say is that the client needs to:

 1) extract the server's identity
	- options: source-ip, host-key lookup, or PKI
 2) validate the server's host-key
	- options: pinning or PKI.

I think the current text is overstepping its scope and, in the process,
hiding the essential bits.  You providing an extensive response on section
3.2 separately, but I'm thinking another solution might be to make most of
this section 3.2 disappear
 


>SSH makes a rather sudden appearance in the Introduction (lack of scope
>again); I think it should be in the Abstract e.g.
>
>NEW (In both Abstract and Introduction)
>
> This document presents NETCONF Call Home and RESTCONF Call Home, which
>enable a NETCONF or RESTCONF server to initiate a
>   secure connection to a NETCONF or RESTCONF client respectively.  The
>RESTCONFconnection is over TLS, the NETCONF over TLS or SSH. "

True, SSH was removed from the abstract when we added RESTCONF, as I
didn't want to introductory paragraphs to already be in the weeds.  I like
your suggested text.



>[Note that the current use of respectively is wrong IMO; you have 'A and
>B', but no 'C and D' to be respective to.]

Not that it matters, but isn't it:

  A = NETCONF Call Home
  B = RESTCONF Call Home
  C = enable a NETCONF server to initiate a
      secure connection to a NETCONF client
  D = enable a RESTCONF server to initiate a
      secure connection to a RESTCONF client

So, A goes with C and B goes with D?



>1
>"preserve the client/server roles of underlying transport, as when
>compared"
>
>Well no, the whole point is to reverse the transport.  Of course, if TCP
>is not a transport, well, I part company there.  It is argued just what
>TLS is, transport or not, with TCPM and TLS WGs apt to part company.  SO
>
>" preserve the client/server roles of underlying secure connection, as
>when
>compared"
>I would add at the end of this paragraph
>"References to SSH in this document are only applicable to NETCONF"
>
>(as well as fleshing this out later).


I think the word "transport" simply refers to the layer below.  So TCP is
the transport for SSH and TLS, whereas SSH is a transport for NETCONF and
TLS is a transport for NETCONF and the transport for HTTPS/RESTCONF.
This also seems consistent with the term's usage in RFCs 5539 and 6242.

Nonetheless, as Rohit's recent confusion illustrates, it seems that this
draft still does not spell out clearly enough this point.  So, how about
this:

=====START=====

   Both NETCONF Call Home and RESTCONF Call Home preserve all client/
   server roles, except for at the TCP transport layer, as when compared
   to standard NETCONF and RESTCONF connections.  Specifically,
   regardless if call home is used or not, the SSH, TLS, NETCONF, and
   RESTCONF roles are the same, only the TCP roles vary.  Stated another
   way, and depicted below, the network element is always the NETCONF/
   RESTCONF server, as well as also always the SSH/TLS server.  Indeed,
   the only difference is in which peer initiates the underlying TCP
   connection.

            +--------------------+------------+-------------+
            |    Protocol Layer  |  Standard  |  Call home  |
            +--------------------+------------+-------------+
            |  NETCONF/RESTCONF  |   server   |   server    |
            |           SSH/TLS  |   server   |   server    |
            |               TCP  |   server   |   client    |
            +--------------------+------------+-------------+

               Client/Server Roles for the Network Element

  Please note that throughout this document, including the text above,
  are switches such as "NETCONF/RESTCONF" and "SSH/TLS".  It should
  be understood that the only valid combinations are NETCONF/SSH [RFC
  6242], NETCONF/TLS [RFC 5593], and RESTCONF/TLS
[draft-ietf-netconf-restconf].
  In particular, never is it intended that RESTCONF/SSH is a valid
  combination.

=====STOP=====




>
>1.3
>A year ago, we had
>
>" these techniques MUST only be used for NETCONF Call Home"
>
>which Benoit said was impossible.  Now we have 'SHOULD' but it still
>seems impossible to me.  'SHOULD' should be accompanied by indications
>of when it does not apply and I don't really see this.  I think we are
>still leaving the barn door wide open.  I would say something like
>"These techniques are only defined for ..."
>since I think any RFC2119 language unenforceable.

Sound OK to me, do others agree?



>1.4
>"Security implications related to
>  this change are discussed in Security Considerations (Section 4)."
>Not really, section 4 refers you to section 3.

Good point.  There use to be more text there at one time though ;)



>2.1
>"The NETCONF/RESTCONF server initiates a TCP connection request
>      (SYN) to the NETCONF/RESTCONF client.  "
>A strict reading of this allows a NETCONF server to initiate connection
>of a RESTCONF client!  I think you need
>'NETCONF server or RESTCONF server' twice with a ',respectively' tacked
>On

OK


>"depending on how it is configured."
>Again, this allows you to configure a RESTCONF server to use port X.  It
>is not configuration, it is a question of which port you have just
>called that determines what the server fires up.

[assuming section 2.1, there would be a different response if for section
3.1]

No, non-standard and even mismatched IANA-assigned ports are possible.
>From the network-elements POV, what matters is how it was configured.  For
example, in the server-model draft, the configuration allows the
transport-specific default-port destination port to be overwritten.


>"Using this TCP connection, the NETCONF/RESTCONF server MUST
>      immediately start using either the SSH-server [RFC4253] or the
>      TLS-server [RFC5246] protocol.
>If the connection was made to PORT-X (or a user chosen non-default
>port), then the SSH-server protocol is initiated; if the connection was
>made to either port PORT-Y or PORT-Z (or a user-chosen non-deault port),
>then the TLS-server protocol is initiated."

I'm confused, are you providing alternate text here?



>" Once the SSH or TLS connection is established, the NETCONF/
> RESTCONF server MUST immediately start using either the NETCONF-server
>[RFC6241] or RESTCONF-server [draft-ietf-netconf-restconf] protocol,
>depending on how it is configured.  "
>
>Same story, it is the port not the configuration that matters. Perhaps
>" Once the SSH or TLS connection is established, the NETCONF/
>RESTCONF server MUST immediately start using either the NETCONF-server
>[RFC6241] or RESTCONF-server [draft-ietf-netconf-restconf]
>protocol, depending on the port to which the connection has been
>established."

See above for my comment on section 2.1



>3
>same comments about
>"depending on how it is configured"
>Twice

Actually, here I think it is different, in that I believe we can use a
MUST (or a SHOULD, since it's not enforceable?) to assert that the right
protocol is started on the IANA-assigned port.  That is, ports must/should
only be used for the protocols as assigned by IANA.  For non-standard
ports, it would be as configured.  Tom, I might need your wordsmithing
prowess here ;)




>3.2 I need to go through this many more times but meanwhile
>
>"information  persisted previously."
>I don't understand.
>
>"This IP address could be used as an identifier directly, but doing "
>so should come with a health warning; source IP addresses are forgeable
>in the Internet.
>
>"Yet another option for identifying a NETCONF/RESTCONF server is for
>its host key or certificate to encode its identity directly (e.g.,
>   within the "Subject" field).  "
>
>What 'Subject field' is that?  I am not familiar with one.

You did provide a separate response focusing on section 3.2, so I'll defer
comment on it here now.



>4
>"An attacker could DoS the "
>I just read an AD review (in IESG review I think ) that said 'Dos is not
>a verb'!

Good point, it should be "An attacker could launch a denial of service
(DoS) attack on the..."


Thanks again,
Kent

v2.23.0 | Report a Bug | By Email