Re: [Netconf] ietf-ssh-client@2018-06-04, issues with the grouping
Kent Watsen <kwatsen@juniper.net> Wed, 29 August 2018 23:58 UTC
Return-Path: <kwatsen@juniper.net>
X-Original-To: netconf@ietfa.amsl.com
Delivered-To: netconf@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C007D130DF4 for <netconf@ietfa.amsl.com>; Wed, 29 Aug 2018 16:58:53 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.71
X-Spam-Level:
X-Spam-Status: No, score=-2.71 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001, T_DKIMWL_WL_HIGH=-0.01] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=juniper.net
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id MGbprEZvj35w for <netconf@ietfa.amsl.com>; Wed, 29 Aug 2018 16:58:51 -0700 (PDT)
Received: from mx0a-00273201.pphosted.com (mx0a-00273201.pphosted.com [208.84.65.16]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 64FB0130DC8 for <netconf@ietf.org>; Wed, 29 Aug 2018 16:58:51 -0700 (PDT)
Received: from pps.filterd (m0108158.ppops.net [127.0.0.1]) by mx0a-00273201.pphosted.com (8.16.0.22/8.16.0.22) with SMTP id w7TNwmgJ007107; Wed, 29 Aug 2018 16:58:48 -0700
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=juniper.net; h=from : to : subject : date : message-id : references : in-reply-to : content-type : mime-version; s=PPS1017; bh=A6XMenvgvFai8K8TjrJ2aiMT87MRRS8STcIxpIl+67w=; b=auwdwLdA8NHKrGXbiW8O7jctXXEz4mZZspH06B+5DWH55uDBThUEWMnDij8f4XpJ8pUD l+GQBZlAGPqUmkHgUPxU1ukXicFEqvrvD5+rWUhQQw91u3E/mEKxw1wc+9EKfE9ZJPg1 kV46oShOghFVswyAszCYLDpuneY2fUvozdtCxzvBo51z0u9uCs2aGk1uEKeyaBv+jFd8 hh0gAHkUnukUVapqfZTVYFXfi9VK4U1uIfISZp+WDj7ltHY+Ozrcbj0sbdWC6MsElEbU em5QbQyGdBHikX9nLtNkmYM9TDeZNZVBaUK+xz2KDJBolVr5yLEXSkTT7hu0uo9r4Su+ SA==
Received: from nam02-bl2-obe.outbound.protection.outlook.com (mail-bl2nam02lp0085.outbound.protection.outlook.com [207.46.163.85]) by mx0a-00273201.pphosted.com with ESMTP id 2m61qh0c78-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-SHA384 bits=256 verify=NOT); Wed, 29 Aug 2018 16:58:47 -0700
Received: from DM6PR05MB4665.namprd05.prod.outlook.com (20.176.109.202) by DM6PR05MB4380.namprd05.prod.outlook.com (20.176.78.149) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.1101.10; Wed, 29 Aug 2018 23:58:44 +0000
Received: from DM6PR05MB4665.namprd05.prod.outlook.com ([fe80::544a:dd4d:9524:9e6d]) by DM6PR05MB4665.namprd05.prod.outlook.com ([fe80::544a:dd4d:9524:9e6d%5]) with mapi id 15.20.1122.000; Wed, 29 Aug 2018 23:58:43 +0000
From: Kent Watsen <kwatsen@juniper.net>
To: Balázs Kovács <balazs.kovacs@ericsson.com>, "netconf@ietf.org" <netconf@ietf.org>
Thread-Topic: [Netconf] ietf-ssh-client@2018-06-04, issues with the grouping
Thread-Index: AQHUO/s1CXjlU9QRBEKDDvBt+svnz6TTNyTQgACJxQCAAS0GQIACP3kA
Date: Wed, 29 Aug 2018 23:58:43 +0000
Message-ID: <F4813208-9234-4A77-82C8-8BA630C80018@juniper.net>
References: <C635FC84-CF42-47F0-96B9-588AD20FE2F1@juniper.net> <VI1PR0701MB2016969E34395727CF5CC5C3830B0@VI1PR0701MB2016.eurprd07.prod.outlook.com> <04D060B8-3B11-468B-A53E-7BF5B600546E@juniper.net> <VI1PR0701MB201668B2EC89CFD793BDE2AD830A0@VI1PR0701MB2016.eurprd07.prod.outlook.com>
In-Reply-To: <VI1PR0701MB201668B2EC89CFD793BDE2AD830A0@VI1PR0701MB2016.eurprd07.prod.outlook.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
user-agent: Microsoft-MacOutlook/f.20.0.170309
x-originating-ip: [66.129.241.14]
x-ms-publictraffictype: Email
x-microsoft-exchange-diagnostics: 1; DM6PR05MB4380; 6:Dc4+3N2ujYityVD0Ep2gmINlU6txoIdsPX/U+av+KoQnVBjgmPe9HyAY7DC5v0lNnzvLHWfiIDtVI5YsbRZ3zEKEEBSFfivftkCigUqXtg5vcak334wI90X9Jfl+ojPv/X14pjrY/IC2SkQ0F9Dd5afXuVC9XpTjcMVJvQ1A6vu197K98+ZF+KLIAwBnpHAucAyKk2ATibPVIC5wKyr2bXgJETSqknlkgXIi7E9nAH0eqlrejmpBwQdk9j24z5al+cnvWWg/ALtSZXe7Cqps+grEaQC+tSl7lpsZ13jqlp8NU4XJpfomg0N3ZSTW6NwbkasSeQ1cS5wjOI+XjgE2MhaQgaaJQfgiU7bm+jg4AFoZVT6ocyBvERYrRubMqnLq6ATiruMPUp/+dzRnv6MYa1cCVaqfvyOUZrs00KTrjxKvYPQv13BYRwqBvk1Bzs16q8/5DplgWxT0ZBuWrxg/tg==; 5:EKxg5FWzqNagL5XmK95GAqOdfC2Yu5K7Gq+B97HdWhpW9Wx4XMRx9cgE/PDoEOXVCDTm+LfNojpSmkh8/Bk8CimqIjiZT3lNP2YmEsRg/lRqrZlxt3SxTHJNgHmLpZdeJsHcC6lLDH7u/ceU8Dt8dxex8+ymRiSOAqq1vVHcMZ4=; 7:h7cWNPVF2NJZx+u8mCMoALx52Rkf7O3qrF1Kq2LqgZHhsO3fMQsFKwKI4fgukrUniddJo5J9O1vvR5lV0UFGRu+PGvVjESY033o8N8cnGF47RDeuU5WV1rs+xExL5AME7/QvybBKrjiS4r5IbK3QSzoRJxQCOH2PZtlIoCJyHPXpJCJCBAxgxwKfCSMIG9TrEc88yZCv3WaKuxVzLUS+lNZzQCkZ7RgCSFgkRP7FlMW/6zVYxX90fta0HoaFuNMJ
x-ms-exchange-antispam-srfa-diagnostics: SOS;
x-ms-office365-filtering-correlation-id: b40a77b0-e6cf-40f2-445b-08d60e0b5a1c
x-ms-office365-filtering-ht: Tenant
x-microsoft-antispam: BCL:0; PCL:0; RULEID:(7020095)(4652040)(8989137)(4534165)(4627221)(201703031133081)(201702281549075)(8990107)(5600074)(711020)(4618075)(2017052603328)(7153060)(7193020); SRVR:DM6PR05MB4380;
x-ms-traffictypediagnostic: DM6PR05MB4380:
x-microsoft-antispam-prvs: <DM6PR05MB438024EEA0B50C138163B8E7A5090@DM6PR05MB4380.namprd05.prod.outlook.com>
x-exchange-antispam-report-test: UriScan:(37575265505322)(28532068793085)(158342451672863)(278428928389397)(138986009662008)(21748063052155)(248295561703944);
x-ms-exchange-senderadcheck: 1
x-exchange-antispam-report-cfa-test: BCL:0; PCL:0; RULEID:(8211001083)(6040522)(2401047)(5005006)(8121501046)(10201501046)(3231311)(944501410)(52105095)(3002001)(93006095)(93001095)(6055026)(149027)(150027)(6041310)(20161123558120)(20161123562045)(20161123564045)(20161123560045)(201703131423095)(201702281528075)(20161123555045)(201703061421075)(201703061406153)(201708071742011)(7699049)(76991033); SRVR:DM6PR05MB4380; BCL:0; PCL:0; RULEID:; SRVR:DM6PR05MB4380;
x-forefront-prvs: 077929D941
x-forefront-antispam-report: SFV:NSPM; SFS:(10019020)(39860400002)(396003)(366004)(346002)(376002)(136003)(53754006)(199004)(189003)(2616005)(82746002)(14444005)(86362001)(8936002)(186003)(256004)(26005)(6346003)(93886005)(66066001)(6506007)(7736002)(486006)(99286004)(6436002)(76176011)(478600001)(476003)(446003)(53546011)(229853002)(68736007)(11346002)(6486002)(102836004)(106356001)(6306002)(105586002)(2906002)(110136005)(6512007)(58126008)(54896002)(53936002)(25786009)(2900100001)(561944003)(236005)(316002)(97736004)(551544002)(33656002)(6246003)(2501003)(6116002)(8676002)(5250100002)(81166006)(81156014)(3846002)(5660300001)(83716003)(14454004)(36756003); DIR:OUT; SFP:1102; SCL:1; SRVR:DM6PR05MB4380; H:DM6PR05MB4665.namprd05.prod.outlook.com; FPR:; SPF:None; LANG:en; PTR:InfoNoRecords; A:1; MX:1;
received-spf: None (protection.outlook.com: juniper.net does not designate permitted sender hosts)
x-microsoft-antispam-message-info: oJ//2z02ZcqL3qUUWkUprQ4Aozttr67064IBCA+7qwzADGqRCmHYlRJlVpJzeb0K3vtIHT3X/yvklbdom/Rxksick87pO0j5LmAAO3Fg8yb98RwwXGg4TeCGNoJgEbgPHFLop/3mH7kavpdch2B+8u5byIeIT7c7q3pY5dWp1DAaECReqDMCBthuhEjXb/lkHa8X/p0l7GyywLlHOA+aK8dbdnLYY+hiWIoObdARdcCSvHaWCx6cQUB/EAHZUbjSPZ+UOjfdm94enkrtXgOWPqL4Kmv73Jndo99JHx80o568bOeBDIMf32T4XOJoNM5AK2UaSn5hXTeQPuOqO+EAZkuQiuy3IHWPvOpNqfOTxqA=
spamdiagnosticoutput: 1:99
spamdiagnosticmetadata: NSPM
Content-Type: multipart/alternative; boundary="_000_F481320892344A7782C88BA630C80018junipernet_"
MIME-Version: 1.0
X-OriginatorOrg: juniper.net
X-MS-Exchange-CrossTenant-Network-Message-Id: b40a77b0-e6cf-40f2-445b-08d60e0b5a1c
X-MS-Exchange-CrossTenant-originalarrivaltime: 29 Aug 2018 23:58:43.7624 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: bea78b3c-4cdb-4130-854a-1d193232e5f4
X-MS-Exchange-Transport-CrossTenantHeadersStamped: DM6PR05MB4380
X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10434:, , definitions=2018-08-29_07:, , signatures=0
X-Proofpoint-Spam-Details: rule=outbound_spam_notspam policy=outbound_spam score=0 priorityscore=1501 malwarescore=0 suspectscore=0 phishscore=0 bulkscore=0 spamscore=0 clxscore=1015 lowpriorityscore=0 mlxscore=0 impostorscore=0 mlxlogscore=999 adultscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.0.1-1807170000 definitions=main-1808290233
Archived-At: <https://mailarchive.ietf.org/arch/msg/netconf/82VizSk4YQ_bHOJ0XPFh8Xyavyg>
Subject: Re: [Netconf] ietf-ssh-client@2018-06-04, issues with the grouping
X-BeenThere: netconf@ietf.org
X-Mailman-Version: 2.1.27
Precedence: list
List-Id: Network Configuration WG mailing list <netconf.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/netconf>, <mailto:netconf-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/netconf/>
List-Post: <mailto:netconf@ietf.org>
List-Help: <mailto:netconf-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/netconf>, <mailto:netconf-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 29 Aug 2018 23:58:54 -0000
Hi Balazs, All,
I made the change in my local copy, but note that I also separated server-auth
and transport-params. Below is an example, is it okay?
grouping ssh-client-grouping {
description
"A reusable grouping for configuring a SSH client without
any consideration for how an underlying TCP session is
established.";
uses client-identity-grouping;
uses server-auth-grouping;
uses transport-params-grouping;
}
I made the change to all four of the groupings: [ssh|tls]-[client|server]-grouping.
PS: soon I'll be posting an update to all these drafts so folks can see the updates
made since the IETF 102 presentation.
Kent
On 8/28/18, 5:42 AM, "Balázs Kovács" <balazs.kovacs@ericsson.com<mailto:balazs.kovacs@ericsson.com>> wrote:
Hi Kent,
Yes, this would be my proposal. Would similar change to ietf-tls-client would be applicable? I don’t have the same interactive use case for TLS, but maybe having this flexibility (the 2 new groupings) could be beneficial for TLS too.
Br,
Balazs
From: Kent Watsen <kwatsen@juniper.net>
Sent: Monday, August 27, 2018 9:42 PM
To: Balázs Kovács <balazs.kovacs@ericsson.com>; netconf@ietf.org
Subject: Re: [Netconf] ietf-ssh-client@2018-06-04, issues with the grouping
Assuming your two groupings below, or something close to them, we could redefine the existing "ssh-client-grouping" to the following:
grouping ssh-client-grouping {
uses ssh-client-client-identity-grouping;
uses ssh-client-server-auth-transport-params-grouping;
}
The net-result is no change to the model, but now the inner groupings can be repurposed. Is this your proposal?
Kent // contributor
On 8/27/18, 3:49 AM, "Balázs Kovács" <balazs.kovacs@ericsson.com<mailto:balazs.kovacs@ericsson.com>> wrote:
Hi Kent,
It is as you say, an app that can launch an interactive connection using previously configured client credentials, host authentication, and transport params.
My request or question would be if the current single grouping called ‘ssh-client-grouping’ could be split into two: one that only includes the ‘client-identity’ definition, and another which includes ‘server-auth’ and ‘transport-params’. I think this change would enable better flexibility for re-use in case of any SSH-based applications, and the only impact on the existing modules using ssh-client-grouping would be to use two groupings from now on instead of one.
Just to recap the use case, my intention would be to be able to mount a client identity into a list and into a container that is independent of the actual endpoint (for example, as defined in netconf-client /netconf-client/netconf-server/endpoints/endpoint) being used. Which identity is to be used is selected by interaction with the SSH client (e.g., via action parameter).
What do you think?
Br,
Balazs
From: Kent Watsen <kwatsen@juniper.net<mailto:kwatsen@juniper.net>>
Sent: Saturday, August 25, 2018 12:39 AM
To: Balázs Kovács <balazs.kovacs@ericsson.com<mailto:balazs.kovacs@ericsson.com>>; netconf@ietf.org<mailto:netconf@ietf.org>
Subject: Re: [Netconf] ietf-ssh-client@2018-06-04, issues with the grouping
Hi Balazs,
Why have configuration for an "interactive client" at all? Is this an app that can launch an interactive connection using previously configured client credentials? If so, then I think I understand the problem; the use case seems rather different than the use case that is currently being solved.
I understand the desire to have a YANG module to capture your config, and I understand the desire for that module to be able to make use of groupings defined in the ietf-ssh-client.
If the request is to expose a couple groupings, but otherwise leave the model unchanged, then I can see how that might be done. But if the request is to change e.g., ssh-client-grouping, to support a decoupling of client credentials, then I don't see how to do that.
Kent // contributor
On 8/24/18, 10:14 AM, "Netconf on behalf of Balázs Kovács" <netconf-bounces@ietf.org<mailto:netconf-bounces@ietf.org> on behalf of balazs.kovacs@ericsson.com<mailto:balazs.kovacs@ericsson.com>> wrote:
Hi All,
I made an attempt to make use of the ietf-ssh-client@2018-06-04 module to configure an interactive ssh client, and I found some obstacles. The current ietf-ssh-client model has the following structure:
module: ietf-ssh-client
+--rw client
+--rw client-identity
| +--rw username? string
| +--rw (auth-type)
| +--:(password)
| | +--rw password? string
| +--:(public-key)
| | +--rw public-key
| +--:(certificate)
| +--rw certificate {sshcmn:ssh-x509-certs}?
+--rw server-auth
| +--rw pinned-ssh-host-keys? ta:pinned-host-keys-ref
| +--rw pinned-ca-certs? ta:pinned-certificates-ref {sshcmn:ssh-x509-certs}?
| +--rw pinned-server-certs? ta:pinned-certificates-ref {sshcmn:ssh-x509-certs}?
+--rw transport-params {ssh-client-transport-params-config}?
In the netconf-client module, which I took as example it is mounted to the ‘ssh’ container and preceded by:
module: ietf-netconf-client
+--rw netconf-client
+--rw initiate! {initiate}?
| +--rw netconf-server* [name]
| +--rw name string
| +--rw endpoints
| | +--rw endpoint* [name]
| | +--rw name string
| | +--rw (transport)
| | +--:(ssh) {ssh-initiate}?
| | | +--rw ssh
| | | +--rw address? inet:host
| | | +--rw port? inet:port-number\
In the case of the interactive client, I want some limited parameters to be provided by the invoking user, which is at least the target user, target address, and target port, so I would not need all the data nodes present in the netconf-client, but I need a subset of them, including the user credentials. The problem I face, is that for one target address, the user can select multiple target users, and for one target user, it should be able to select multiple target addresses. With the above model, if I want to set up a second client identity, I would basically need to create a complete endpoint with the same data in all the rest of the data nodes. Equally, if I want to set up a different endpoint, I need to copy all the possible client identities to be able to use them at other target addresses.
My thinking is that the endpoint related configuration (address, port, server-auth, transport-params) should be decoupled from client identities, so I can set them up and mount them independently. However, I think this would effect the ssh-client grouping a bit heavily, basically breaking it up into two pieces. One that caters for the client identity, and another for the endpoint/server security.
One looking like this (temp name ‘ssh-client-client-identity-grouping’):
grouping ssh-client-client-identity-grouping
+-- client-identity
+-- username? string
+-- (auth-type)
+--:(password)
| +-- password? string
+--:(public-key)
| +-- public-key
| +---u ks:local-or-keystore-asymmetric-key-grouping
+--:(certificate)
+-- certificate {sshcmn:ssh-x509-certs}?
+---u ks:local-or-keystore-end-entity-certificate-grouping
And another (temp name ‘ssh-server-auth-transport-params-grouping’):
grouping ssh-client-server-auth-transport-params-grouping
+-- server-auth
| +-- pinned-ssh-host-keys? ta:pinned-host-keys-ref
| +-- pinned-ca-certs? ta:pinned-certificates-ref
| | {sshcmn:ssh-x509-certs}?
| +-- pinned-server-certs? ta:pinned-certificates-ref
| {sshcmn:ssh-x509-certs}?
+-- transport-params {ssh-client-transport-params-config}?
+---u sshcmn:transport-params-grouping
I also wonder if this would effect the similar module of tls-client. In TLS case, the client identity used is more bound to actual server and is rarely selectable by interaction, but splitting the current single grouping into two may probably not harm either.
Best Regards,
Balazs
- [Netconf] ietf-ssh-client@2018-06-04, issues with… Balázs Kovács
- Re: [Netconf] ietf-ssh-client@2018-06-04, issues … Kent Watsen
- Re: [Netconf] ietf-ssh-client@2018-06-04, issues … Balázs Kovács
- Re: [Netconf] ietf-ssh-client@2018-06-04, issues … Kent Watsen
- Re: [Netconf] ietf-ssh-client@2018-06-04, issues … Balázs Kovács
- Re: [Netconf] ietf-ssh-client@2018-06-04, issues … Kent Watsen
- Re: [Netconf] ietf-ssh-client@2018-06-04, issues … Balázs Kovács