Re: [Netconf] guidance on draft-kwatsen-reverse-ssh

Kent Watsen <kwatsen@juniper.net> Wed, 13 July 2011 19:10 UTC


> So Kent, do I understand correctly from your email that the
> SAAG and SSH people prefer solution 2?

Not as the -01 draft is written, which maps to solution #2, but it might be more palatable to them if we tweak the SSH handshake so that the device (the SSH client) indicates that it wants a role-reversal. As it's written now, the server MUST listen on a port other than 22; with this change, it MAY listen on port 22.
I've resisted this solution since it would require non-trivial modification to the various SSH client/server implementations. The current -01 draft could be implemented with just minor tuning - to advertise support for the X.509 and HMAC based host-keys...
> If so, are they (I guess specifically the SSH guys) willing to work on the
> spec and then implement this in SSH implementations/products/distributions?

They are willing to work on the RFC, but they have no influence over implementations, specifically OpenSSH. Case in point, they recently standardized X.509 host-keys (RFC 6187), but OpenSSH just released its own non-X.509 based solution (http://lwn.net/Articles/377703/)...

Thanks,
Kent