Re: [Netconf] draft-ietf-netconf-reverse-ssh: MUST only be used for a NETCONF server

Kent Watsen <kwatsen@juniper.net> Tue, 27 May 2014 21:30 UTC


Just reviewing list mail while putting the finishing touches on the netconf-server-model draft and noticed this one.

Unfortunately, this change did NOT make it into the -06 draft. I just made this change to my working copy, as the first change that will go into -07, which I'll hold off posting for now...

Thanks,
Kent


From: Kent Watsen <kwatsen@juniper.net>
Date: Tuesday, March 4, 2014 at 4:01 PM
To: Benoit Claise <bclaise@cisco.com>, NetConf <netconf@ietf.org>
Cc: Stephen Hanna <shanna@juniper.net>
Subject: Re: [Netconf] draft-ietf-netconf-reverse-ssh: MUST only be used for a NETCONF server

CC-ing Steve, who wrote the Applicability Statement.

Kent


From: Benoit Claise <bclaise@cisco.com>
Date: Tuesday, March 4, 2014 5:27 AM
To: NetConf <netconf@ietf.org>
Subject: [Netconf] draft-ietf-netconf-reverse-ssh: MUST only be used for a NETCONF server

Dear all,

Yesterday, Andy asked how this MUST could be enforced in draft-ietf-netconf-reverse-ssh:

    However, these techniques MUST only be used for a NETCONF server to
    initiate a connection to a NETCONF client, as described in this
    document.

The way I understood this statement: the security experts wanted us to restrict the scope to only NETCONF. Fine.
However, that "MUST" can't be enforced, at least with an RFC 2119 keyword.
This should be changed to "must".

We should obviously validate this with the security experts.

Regards, Benoit