IETF Logo Mail Archive

Re: [Netconf] WG Last Call Comments ondraft-ietf-netconf-reverse-ssh-03.txt

t.petch <ietfc@btconnect.com> Thu, 01 May 2014 10:04 UTC

Return-Path: <ietfc@btconnect.com>
X-Original-To: netconf@ietfa.amsl.com
Delivered-To: netconf@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 1DB961A076B for <netconf@ietfa.amsl.com>; Thu, 1 May 2014 03:04:40 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.901
X-Spam-Level:
X-Spam-Status: No, score=-1.901 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id eLIzdeCNOq8t for <netconf@ietfa.amsl.com>; Thu, 1 May 2014 03:04:37 -0700 (PDT)
Received: from emea01-db3-obe.outbound.protection.outlook.com (mail-db3lp0084.outbound.protection.outlook.com [213.199.154.84]) by ietfa.amsl.com (Postfix) with ESMTP id 8CE7E1A07C9 for <netconf@ietf.org>; Thu, 1 May 2014 03:04:36 -0700 (PDT)
Received: from AMXPRD0111HT004.eurprd01.prod.exchangelabs.com (157.56.250.117) by AMSPR07MB052.eurprd07.prod.outlook.com (10.242.81.27) with Microsoft SMTP Server (TLS) id 15.0.934.12; Thu, 1 May 2014 10:04:33 +0000
Message-ID: <032f01cf6524$71cb2340$4001a8c0@gateway.2wire.net>
From: "t.petch" <ietfc@btconnect.com>
To: "t.petch" <ietfc@btconnect.com>, "Bert Wijnen (IETF)" <bertietf@bwijnen.net>, Kent Watsen <kwatsen@juniper.net>
References: <201403251517.LAA15291@adminfs.snmp.com> <CF58ED17.65F0C%kwatsen@juniper.net> <533D47CF.30402@bwijnen.net> <01f401cf5342$4d48d740$4001a8c0@gateway.2wire.net>
Date: Thu, 01 May 2014 10:58:20 +0100
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2800.1106
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1106
X-Originating-IP: [157.56.250.117]
X-ClientProxiedBy: AM3PR07CA0030.eurprd07.prod.outlook.com (10.141.45.158) To AMSPR07MB052.eurprd07.prod.outlook.com (10.242.81.27)
X-Forefront-PRVS: 01986AE76B
X-Forefront-Antispam-Report: SFV:NSPM; SFS:(10009001)(6009001)(428001)(479174003)(377454003)(199002)(189002)(13464003)(43784003)(51444003)(35774003)(51704005)(24454002)(53474002)(41574002)(44716002)(92566001)(62236002)(92726001)(86362001)(79102001)(93916002)(20776003)(47776003)(50226001)(44736004)(1941001)(74502001)(50466002)(31966008)(74662001)(84392001)(19580395003)(15975445006)(83322001)(19580405001)(88136002)(87286001)(87976001)(80976001)(81816999)(89996001)(81686999)(50986999)(76176999)(85852003)(83072002)(101416001)(99396002)(77156001)(61296002)(66066001)(23756003)(46102001)(33646001)(14496001)(62966002)(4396001)(77982001)(76482001)(81342001)(42186004)(81542001)(80022001)(74416001)(7726001); DIR:OUT; SFP:1101; SCL:1; SRVR:AMSPR07MB052; H:AMXPRD0111HT004.eurprd01.prod.exchangelabs.com; FPR:; MLV:nov; PTR:InfoNoRecords; A:0; MX:1; LANG:en;
Received-SPF: None (: btconnect.com does not designate permitted sender hosts)
Authentication-Results: spf=none (sender IP is ) smtp.mailfrom=ietfc@btconnect.com;
X-OriginatorOrg: btconnect.com
Archived-At: http://mailarchive.ietf.org/arch/msg/netconf/6VGo3apvQTmgubqhEjIE5lxEkDw
Cc: netconf@ietf.org
Subject: Re: [Netconf] WG Last Call Comments ondraft-ietf-netconf-reverse-ssh-03.txt
X-BeenThere: netconf@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Network Configuration WG mailing list <netconf.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/netconf>, <mailto:netconf-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/netconf/>
List-Post: <mailto:netconf@ietf.org>
List-Help: <mailto:netconf-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/netconf>, <mailto:netconf-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 01 May 2014 10:04:40 -0000

Kent

I commented earlier that I was uncertain about s.5 of reverse-ssh.  I
think that it has not got public key use (SSH host key) quite right.

If I were asked to describe the use of public keys, then I would
identify three steps.

1) get hold of a public key
2) verify that the key is tied to the identity of the other party
3) get the other party to demonstrate possession of the private key

At that level, it is irrelevant where the key comes from, X.509
certificate, pre-configuration, Trust On First Use, etc.  What varies is
step 2).

I can see no difference between the use of certificates with ssh and
with TLS.  And I think that certificates are naturally associated with
TLS, and so the place to describe that is in 5539bis.  In which case, I
would omit any description of it from the ssh I-D and just put in a
reference to 5539bis I-D.  Currently, reverse-ssh does have some
suggestions that are not in 5539bis but then they seem to me equally
appropriate to the use of certificates with TLS and so I think that they
should be in 5539bis.

By contrast, other ways of verifying the key are more associated with
ssh, in which case, they belong in reverse-ssh and 5539bis may then want
to reference this I-D.

I would be willing to expand this into replacement text if this
suggestion meets with approval.

Tom Petch

----- Original Message -----
From: "t.petch" <ietfc@btconnect.com>
To: "Bert Wijnen (IETF)" <bertietf@bwijnen.net>; "Kent Watsen"
<kwatsen@juniper.net>
Cc: <netconf@ietf.org>
Sent: Tuesday, April 08, 2014 2:44 PM
Subject: Re: [Netconf] WG Last Call Comments
ondraft-ietf-netconf-reverse-ssh-03.txt


> I do not think that this is ready to advance.  I had not intended to
> comment but having started on netconf-server, and found I had to read
> 5539bis to understand where it was going, I then found that
reverse-ssh
> was another piece of the jigsaw.
>
> In particular, I think that this I-D is more or less updating RFC4742
in
> its considerations of security.  And I think it may be confused about
> public keys and certificates and their role in authentication.
>
> Taken together, and I do not think they can be considered separately,
I
> do not think that the three I-Ds give a coherent view of how to secure
a
> NETCONF session.
>
> I would point to the queries raised by Tadek and Bajpai which, to me
on
> the one hand seem spot on and on the other, seem to regard the subject
> material of these three I-Ds as of a one - which I obviously agree
with.
>
> I think that netconf-server is the one in most need of progress and
see
> it as a Normative, not Informative, prerequisite.
>
> Tom Petch
>
>
> ----- Original Message -----
> From: "Bert Wijnen (IETF)" <bertietf@bwijnen.net>
> To: "Kent Watsen" <kwatsen@juniper.net>
> Cc: <netconf@ietf.org>
> Sent: Thursday, April 03, 2014 12:36 PM
>
> > WGLC period ended last Tuesday (April 1st).
> >
> > Kent, where are we with this one?
> >
> > Do you expect to post a rev 04 that addresses all comments we have
> received?
> > Either WGLC comments or other comments? Once that is done, I would
> like to ask:
> > - Kent to post which comments have not been addressed and why (if
any)
> > - If possible, Kent to post a summary of changes (although that may
> already be
> >    in the document, and that is fine too).
> > - All those that made comments to check if they are OK with the way
> that
> >    they have been addressed or responded to.
> >
> > Bert
> >
> > On 27/03/14 17:02, Kent Watsen wrote:
> > >
> > > Hi Alan,
> > >
> > >
> > > Awesome comments - thanks!
> > >
> > >
> > > I applied all fixes mentioned below to my working copy of what
will
> be
> > > -04, so you'll have to wait until then to see the diff.  The
reason
> I'm
> > > not posting -04 now is because I'm still trying to work out an
issue
> with
> > > Applicability Statement and with the port's name.
> > >
> > > Below are my detailed responses.
> > >
> > > Cheers,
> > > Kent
> > >
> > >
> > >
> > >
> > >
> > >
> > >
> > >> Typos
> > >> -----
> > >>
> > >
> > > I fixed all the issues you found.
> > >
> > >
> > >
> > >
> > >
> > >
> > >> Section 2.1, Page 3, Second Paragraph:  (wording)
> > >> -------------------------------------------------
> > >>
> > >> The second paragraph seems vague.  Would something along the
lines
> of
> > >> the following text be clearer and/or more specific?
> > >
> > > I forwarded this comment to Steve Hanna, who wrote the
Applicability
> > > Statement.  At first I was just going to ask if he was OK with the
> > > proposed text, but then I started thinking that I didn't agree
with
> it.
> > > That is, I think that the SSH protocol does require mutual
> authentication
> > > and that NETCONF's requirement that it be possible to derive a
> "username"
> > > from the transport doesn't change that.  I'm still OK limiting
> Reverse SSH
> > > to just NETCONF, but I want the reason to be accurate.  I'm now
> waiting
> > > for a response from Steve on this.
> > >
> > >
> > >
> > >
> > >
> > >
> > >
> > >> Section 4, Page 4:  (wording)
> > >> -----------------------------
> > >>
> > >> The current text reads:
> > >>
> > >>    o  The NETCONF server initiates a TCP connection to the
NETCONF
> > >>       client on the IANA-assigned Reverse SSH port YYYY.
> > >>
> > >>    o  The TCP connection is accepted and a TCP session is
> established.
> > >
> > >
> > > I'm not sure about this change since these bullet-points are
> preceded by
> > > the line "From the NETCONF server's perspective:".  The intent is
to
> only
> > > explain the NETCONF-server's perspective, and to let the next
> section
> > > provide the client's perspective.   Currently, neither section
> references
> > > the remote peer, so that its text remains squarely focused on its
> side of
> > > the connection.  What do you think?
> > >
> > >
> > >
> > >
> > >
> > >
> > >
> > >> Section 5, Page 5, First Paragraph:  (wording)
> > >> ----------------------------------------------
> > >>
> > >> The current text reads:
> > >>
> > >>    "When the management system accepts a new incoming connection,
> it
> > >>     needs to authenticate the remote peer.  Ultimately, this
> entails
> > >>     identifying the peer and verifying its SSH host key.
> > >>
> > >>     Due to Reverse SSH having the network element initiate the
TCP
> > >>     connection,"
> > >
> > >
> > > I changed the wording to be more clear, but did it another way,
> please let
> > > me know if you think it's OK!
> > >
> > >
> > >
> > >
> > >
> > >
> > >
> > >
> > >> Section 5, Page 6, First Paragraph:  (clarification)
> > >> ----------------------------------------------------
> > >>
> > >> The current text reads:
> > >>
> > >>    "However, configuring distinct host keys on the management
> system
> > >>    doesn't scale well, which is an important consideration to a
> network
> > >>    management system.  A more scalable strategy is to have the
> network
> > >>    element's host key signed by a common trusted key, such as a
> > >>    certificate authority.  Thus, the mangement system only needs
to
> > >>    trust a single public key, which vouches for the authenticity
of
> the
> > >>    various network element public keys."
> > >>
> > >> Please help me understand this.  The way this paragraph is
written,
> it
> > >> is not clear to me why "signing each network element's host key
> with a
> > >> common trusted key" scales better than "configuring distinct host
> keys
> > >> on the management system".
> > >>
> > >> In either of these two situations, it seems like an administrator
> must
> > >> do work for each network element.  In one case, it is configuring
> host
> > >> keys, in another, it is signing each network element's host key.
> If
> > >> anything, it seems like signing a host key for each network
element
> > >> requires _more_ work for each network element, so it seems like
> this
> > >> would scale less well.
> > >>
> > >> What am I missing here?
> > >
> > >
> > > Very good question.  Of course it comes down to how the device's
> "entity
> > > certificates", as they are called, is distributed.  In the best
> case, as
> > > described in the zero-touch draft, the device would ship from
> factory with
> > > a built-in entity-certificate, signed by a trust-chain to its
> vendor's
> > > well-known trust anchor.  In this case, there is no additional
> effort
> > > needed, the management system only needs to trust the vendor's
> certificate
> > > for its well-known trust anchor.  For cases where the device
doesn't
> ship
> > > from factory with an entity-certificate, introducing PKI is still
> > > advantageous as it decouples the management-system from direct
> > > involvement, such that it could be outsourced to some 3rd-party.
> Makes
> > > sense?  What update would you like to see in the draft?
> > >
> > >
> > >
> > >
> > >
> > >
> > >
> > >
> > >> Section 7, Page 7, Third Paragraph:  (wording)
> > >> ----------------------------------------------
> > >>
> > >> In a few places in the third paragraph, and possibly in other
> places
> > >> in the document, would changing "needs to" to lowercase "must",
or
> > >> lowercase "should", make the document a little more concise?
> Example:
> > >>
> > >>    "Note that since the SSH server would have to be configured to
> know
> > >>     which IP address it needs to connect to,"
> > >>                         ^^^^^^^^
> > >
> > >
> > > I changed "needs to" to "is to" for this cited location and
another
> I
> > > found.
> > >
> > >
> > >
> > >
> > >
> > > Thanks again,
> > > Kent
> > >
> > >
> > >
> > >
> > >
> > >
> > >
> > >
> > > _______________________________________________
> > > Netconf mailing list
> > > Netconf@ietf.org
> > > https://www.ietf.org/mailman/listinfo/netconf
> > >
> >
> > _______________________________________________
> > Netconf mailing list
> > Netconf@ietf.org
> > https://www.ietf.org/mailman/listinfo/netconf
>
> _______________________________________________
> Netconf mailing list
> Netconf@ietf.org
> https://www.ietf.org/mailman/listinfo/netconf

v2.23.0 | Report a Bug | By Email