IETF Logo Mail Archive

Re: [Netconf] NETCONF call home and new port assignment

"Reinaldo Penno (repenno)" <repenno@cisco.com> Tue, 25 February 2014 17:06 UTC

Return-Path: <repenno@cisco.com>
X-Original-To: netconf@ietfa.amsl.com
Delivered-To: netconf@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 7537A1A081D for <netconf@ietfa.amsl.com>; Tue, 25 Feb 2014 09:06:39 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -14.448
X-Spam-Level:
X-Spam-Status: No, score=-14.448 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, J_CHICKENPOX_24=0.6, RCVD_IN_DNSWL_HI=-5, RP_MATCHES_RCVD=-0.547, SPF_PASS=-0.001, USER_IN_DEF_DKIM_WL=-7.5] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id y6pViYUcPpRN for <netconf@ietfa.amsl.com>; Tue, 25 Feb 2014 09:06:30 -0800 (PST)
Received: from rcdn-iport-4.cisco.com (rcdn-iport-4.cisco.com [173.37.86.75]) by ietfa.amsl.com (Postfix) with ESMTP id A6D5B1A0818 for <netconf@ietf.org>; Tue, 25 Feb 2014 09:06:27 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cisco.com; i=@cisco.com; l=5914; q=dns/txt; s=iport; t=1393347987; x=1394557587; h=from:to:subject:date:message-id:in-reply-to:content-id: content-transfer-encoding:mime-version; bh=cML1IDYSTtd+5pFQjUR4EszhlouvHV+9ZjbmVmI8u+4=; b=gV+9SfP/xfAI/mC8AcBtiZla00iBZK3Ygu0xs8u8DyXyazd7YZd3M+UD hhX8B3oMEZJP5kfbFiaU3D8Na1JesnFXFOSRkaB7HuPX6fXlSqv+74KY7 YPxFoLdOnYvnZzfunRmdZm2dHHQNogUr8Xxg1ZyM4/GnvU730f49USsRf M=;
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: AgUFANHMDFOtJV2Z/2dsb2JhbABZgwY7V8ECT4EYFnSCJQEBAQQBAQEkRAMXBgEIEQMBAgFVCx0IAgQBEgkSh2oNxwIXjhMBARw1BQaEMgSJEI8kkieDLYFxOQ
X-IronPort-AV: E=Sophos;i="4.97,541,1389744000"; d="scan'208";a="306491512"
Received: from rcdn-core-2.cisco.com ([173.37.93.153]) by rcdn-iport-4.cisco.com with ESMTP; 25 Feb 2014 17:06:26 +0000
Received: from xhc-aln-x15.cisco.com (xhc-aln-x15.cisco.com [173.36.12.89]) by rcdn-core-2.cisco.com (8.14.5/8.14.5) with ESMTP id s1PH6P7f002569 (version=TLSv1/SSLv3 cipher=AES128-SHA bits=128 verify=FAIL); Tue, 25 Feb 2014 17:06:26 GMT
Received: from xmb-rcd-x04.cisco.com ([169.254.8.99]) by xhc-aln-x15.cisco.com ([173.36.12.89]) with mapi id 14.03.0123.003; Tue, 25 Feb 2014 11:06:25 -0600
From: "Reinaldo Penno (repenno)" <repenno@cisco.com>
To: "Bert Wijnen (IETF)" <bertietf@bwijnen.net>, Kent Watsen <kwatsen@juniper.net>, netconf <netconf@ietf.org>
Thread-Topic: [Netconf] NETCONF call home and new port assignment
Thread-Index: AQHPMh0sIMAEhPViDUCrzWQVqmFe/JrGgIWAgAABzoD//4++AA==
Date: Tue, 25 Feb 2014 17:06:25 +0000
Message-ID: <CF3209F5.998E%repenno@cisco.com>
In-Reply-To: <530CBB3B.90804@bwijnen.net>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
user-agent: Microsoft-MacOutlook/14.2.3.120616
x-originating-ip: [10.21.76.86]
Content-Type: text/plain; charset="iso-8859-1"
Content-ID: <3A3C786BDF01254C85E761FDBEC92148@emea.cisco.com>
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
Archived-At: http://mailarchive.ietf.org/arch/msg/netconf/5r-aqaFyXd2Xi-2SWKrkEmH8zEw
Subject: Re: [Netconf] NETCONF call home and new port assignment
X-BeenThere: netconf@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Network Configuration WG mailing list <netconf.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/netconf>, <mailto:netconf-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/netconf/>
List-Post: <mailto:netconf@ietf.org>
List-Help: <mailto:netconf-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/netconf>, <mailto:netconf-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 25 Feb 2014 17:06:39 -0000

I have some comments on this draft.

Since the draft proposes a ³cold² reverse connection I was expecting some
discussion on the traversal of middleboxes. Given folks that have been
deploying NMS implicitly take for granted that connections are always
inside->out, with the exception of SNMP traps, such a draft should assume
some pitfalls and suggest ways around them. In the case of SNMP for
example, the ³solution² is firewalls/NATs that implement SNMP ALG, but
even then, a first inside->outside connection is expected.

Some points to consider:

- The NMS IP address downloaded from config server can not be behind a
firewall unless there is some pinhole or traversal method the device can
use
- If NMS is behind a NAT, the IP:port should be the outside and stable.
- In the worst case maybe configuration server (which theoretically could
be reached by both parties) could d server as a relay.
- If a NAT exists between NMS and device, one can not assume registered
ports will be available.  Therefore config server needs to be able to send
port information.
- Device should be prepared to check with configuration server is external
port has changed due to state being removed on the NAT.

Thanks,

-RP


On 2/25/14, 7:48 AM, "Bert Wijnen (IETF)" <bertietf@bwijnen.net> wrote:

>
>
>On 25/02/14 16:41, Kent Watsen wrote:
>>
>> I believe that is the case as well, but note that we need two port
>> assignments - one for reverse-SSH and another for reverse-TLS.
>>
>I think that is fine.
>It was/is the principle that we CAN ask for a port number if we have
>consecensus
>that that is what we want.
>
>Bert
>
>> Cheers!
>> Kent
>>
>>
>>
>> On 2/25/14 6:31 AM, "Bert Wijnen (IETF)" <bertietf@bwijnen.net> wrote:
>>
>>> NETCONF WG participants,
>>>
>>> there has been quite some discussion about this topic on our mailing
>>>list.
>>> We (WG chairs) have asked our AD (Benoit) to follow up in the IESG.
>>>
>>> Our current understanding is that if our WG has consensus on asking for
>>> a new port, then we can do so and we should get one.
>>>
>>> We (WG chairs) belive we have (at least rough) consensus on this matter
>>> and so we will ask for a new port.
>>>
>>> Bert and Mehmet
>>>
>>>
>>> -------- Original Message --------
>>> Subject: Re: NETCONF call home and new port assignment
>>> Resent-To: bertietf@bwijnen.net, mehmet.ersue@nsn.com,,
>>> bclaise@cisco.com, joelja@bogus.com, jjaeggli@zynga.com
>>> Date: Mon, 20 Jan 2014 15:58:52 +0100
>>> From: Benoit Claise <bclaise@cisco.com>
>>> CC: Joe Touch <touch@isi.edu>,        "netconf-chairs@tools.ietf.org"
>>> <netconf-chairs@tools.ietf.org>,        "Romascanu, Dan (Dan)"
>>> <dromasca@avaya.com>,        Lemon Ted <ted.lemon@nominum.com>,
>>> "ops-ads@tools.ietf.org" <ops-ads@tools.ietf.org>,
>>> Kent Watsen <kwatsen@juniper.net>
>>>
>>> Dear all,
>>>
>>> We discussed the issue of potentially allocating a new port for the
>>> NETCONF call home during our informal telechat last week.
>>> Personally, I wanted a confirmation on the procedure.
>>> Material:
>>> 
>>>http://www.iana.org/assignments/service-names-port-numbers/service-names
>>>-p
>>> ort-numbers.xhtml
>>> an
>>>      RFC 6335
>>>
>>> Bottom line: The review of the port assignment via IETF standards
>>> (consensus based) does not go to the port review
>>>
>>> There is strong consensus to allocate this port in the NETCONF WG.
>>> - http://www.ietf.org/proceedings/88/minutes/minutes-88-netconf
>>>    30 in favor, 0 against
>>> - doublechecked on the mailing list
>>> http://www.ietf.org/mail-archive/web/netconf/current/msg08445.html
>>>
>>> So we're good here, let's proceed with the new port design
>>>
>>> Regards, Benoit
>>>
>>>> Hi, Benoit,
>>>>
>>>> On 11/4/2013 10:30 AM, Benoit Claise wrote:
>>>>> Hi Joe,
>>>>>
>>>>> Regarding the "NETCONF call home and new port assignment" discussion
>>>>>on
>>>>> the NETCONF mailer, I'm wondering if your comments are made as the
>>>>>port
>>>>> expert reviewer or as a contributor.
>>>>
>>>> The ports review team doesn't participate in that role on these
>>>> discussions on the lists; we review requests and report directly to
>>>> IANA. So I'm speaking as a contributor, but it's with the ports review
>>>> in the back of my mind.
>>>>
>>>>> In the NETCONF WG, there is strong consensus that the new port is the
>>>>> preferred way. We checked that today: by a show of hand, everybody
>>>>> wanted a new port.
>>>>
>>>> Everyone always does.
>>>>
>>>>> I want to understand if there is a major flaw in requesting this
>>>>>port.
>>>>
>>>> There's often a case where the individual request makes sense, but in
>>>> the broader context of "tragedy of the commons" it doesn't. That's my
>>>> impression here. There should be other ways to accomplish this - the
>>>> SYN attempt I recently saw looked like a good alternative that would
>>>> scale to other assignments, e.g.
>>>>
>>>>> Note: I contacted it you directly, because I'm not sure how to reach
>>>>> all
>>>>> the expert reviewers at the same time.
>>>>
>>>> There's no official way to do that. We respond to requests for reviews
>>>> from IANA, and report back to IANA directly. There's no "official"
>>>> role for us in the IETF directly.
>>>>
>>>> Joe
>>>>
>>>>>
>>>>> 
>>>>>http://www.iana.org/assignments/service-names-port-numbers/service-nam
>>>>>es
>>>>> -port-numbers.xhtml
>>>>>
>>>>> is not explicit
>>>>>
>>>>> Regards, Benoit (OPS AD)
>>>> .
>>>>
>>>
>>>
>>>
>>>
>>> _______________________________________________
>>> Netconf mailing list
>>> Netconf@ietf.org
>>> https://www.ietf.org/mailman/listinfo/netconf
>>>
>>>
>>
>>
>>
>
>_______________________________________________
>Netconf mailing list
>Netconf@ietf.org
>https://www.ietf.org/mailman/listinfo/netconf

v2.23.0 | Report a Bug | By Email