Re: [Netconf] WG Last Call Comments ondraft-ietf-netconf-reverse-ssh-03.txt
"Bert Wijnen (IETF)" <bertietf@bwijnen.net> Tue, 06 May 2014 11:11 UTC
Return-Path: <bertietf@bwijnen.net>
X-Original-To: netconf@ietfa.amsl.com
Delivered-To: netconf@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 48DD61A07B2 for <netconf@ietfa.amsl.com>; Tue, 6 May 2014 04:11:49 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.3
X-Spam-Level:
X-Spam-Status: No, score=-1.3 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, J_CHICKENPOX_15=0.6] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id qaxAqa2l5XYn for <netconf@ietfa.amsl.com>; Tue, 6 May 2014 04:11:46 -0700 (PDT)
Received: from kaka.ripe.net (kaka.ripe.net [IPv6:2001:67c:2e8:11::c100:1347]) by ietfa.amsl.com (Postfix) with ESMTP id A7C301A02A8 for <netconf@ietf.org>; Tue, 6 May 2014 04:11:46 -0700 (PDT)
Received: from nene.ripe.net ([193.0.23.10]) by kaka.ripe.net with esmtps (UNKNOWN:AES256-GCM-SHA384:256) (Exim 4.72) (envelope-from <bertietf@bwijnen.net>) id 1WhdHa-00020G-Ul; Tue, 06 May 2014 13:11:42 +0200
Received: from kitten.ripe.net ([2001:67c:2e8:1::c100:1f0] helo=guest210.guestnet.ripe.net) by nene.ripe.net with esmtp (Exim 4.72) (envelope-from <bertietf@bwijnen.net>) id 1WhdHa-0005gq-SK; Tue, 06 May 2014 13:11:34 +0200
Message-ID: <5368C366.8070509@bwijnen.net>
Date: Tue, 06 May 2014 13:11:34 +0200
From: "Bert Wijnen (IETF)" <bertietf@bwijnen.net>
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.9; rv:24.0) Gecko/20100101 Thunderbird/24.4.0
MIME-Version: 1.0
To: "t.petch" <ietfc@btconnect.com>, Kent Watsen <kwatsen@juniper.net>
References: <201403251517.LAA15291@adminfs.snmp.com> <CF58ED17.65F0C%kwatsen@juniper.net> <533D47CF.30402@bwijnen.net> <01f401cf5342$4d48d740$4001a8c0@gateway.2wire.net> <032f01cf6524$71cb2340$4001a8c0@gateway.2wire.net>
In-Reply-To: <032f01cf6524$71cb2340$4001a8c0@gateway.2wire.net>
Content-Type: text/plain; charset="ISO-8859-1"; format="flowed"
Content-Transfer-Encoding: 7bit
X-RIPE-Spam-Level: --
X-RIPE-Spam-Report: Spam Total Points: -2.9 points pts rule name description ---- ---------------------- ------------------------------------ -1.0 ALL_TRUSTED Passed through trusted hosts only via SMTP -1.9 BAYES_00 BODY: Bayes spam probability is 0 to 1% [score: 0.0000]
X-RIPE-Signature: 86ab03e524994f79ca2c75a176445dd41173e6d6acc8e3d451bc3c923c7842cf
Archived-At: http://mailarchive.ietf.org/arch/msg/netconf/IaXa05ZXY80tsqfABChCgg7lxyQ
Cc: netconf@ietf.org
Subject: Re: [Netconf] WG Last Call Comments ondraft-ietf-netconf-reverse-ssh-03.txt
X-BeenThere: netconf@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Network Configuration WG mailing list <netconf.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/netconf>, <mailto:netconf-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/netconf/>
List-Post: <mailto:netconf@ietf.org>
List-Help: <mailto:netconf-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/netconf>, <mailto:netconf-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 06 May 2014 11:11:49 -0000
om, is this still an issue with rev 5 of the reverse-ssh document? Bert On 01/05/14 11:58, t.petch wrote: > Kent > > I commented earlier that I was uncertain about s.5 of reverse-ssh. I > think that it has not got public key use (SSH host key) quite right. > > If I were asked to describe the use of public keys, then I would > identify three steps. > > 1) get hold of a public key > 2) verify that the key is tied to the identity of the other party > 3) get the other party to demonstrate possession of the private key > > At that level, it is irrelevant where the key comes from, X.509 > certificate, pre-configuration, Trust On First Use, etc. What varies is > step 2). > > I can see no difference between the use of certificates with ssh and > with TLS. And I think that certificates are naturally associated with > TLS, and so the place to describe that is in 5539bis. In which case, I > would omit any description of it from the ssh I-D and just put in a > reference to 5539bis I-D. Currently, reverse-ssh does have some > suggestions that are not in 5539bis but then they seem to me equally > appropriate to the use of certificates with TLS and so I think that they > should be in 5539bis. > > By contrast, other ways of verifying the key are more associated with > ssh, in which case, they belong in reverse-ssh and 5539bis may then want > to reference this I-D. > > I would be willing to expand this into replacement text if this > suggestion meets with approval. > > Tom Petch > > ----- Original Message ----- > From: "t.petch" <ietfc@btconnect.com> > To: "Bert Wijnen (IETF)" <bertietf@bwijnen.net>; "Kent Watsen" > <kwatsen@juniper.net> > Cc: <netconf@ietf.org> > Sent: Tuesday, April 08, 2014 2:44 PM > Subject: Re: [Netconf] WG Last Call Comments > ondraft-ietf-netconf-reverse-ssh-03.txt > > >> I do not think that this is ready to advance. I had not intended to >> comment but having started on netconf-server, and found I had to read >> 5539bis to understand where it was going, I then found that > reverse-ssh >> was another piece of the jigsaw. >> >> In particular, I think that this I-D is more or less updating RFC4742 > in >> its considerations of security. And I think it may be confused about >> public keys and certificates and their role in authentication. >> >> Taken together, and I do not think they can be considered separately, > I >> do not think that the three I-Ds give a coherent view of how to secure > a >> NETCONF session. >> >> I would point to the queries raised by Tadek and Bajpai which, to me > on >> the one hand seem spot on and on the other, seem to regard the subject >> material of these three I-Ds as of a one - which I obviously agree > with. >> >> I think that netconf-server is the one in most need of progress and > see >> it as a Normative, not Informative, prerequisite. >> >> Tom Petch >> >> >> ----- Original Message ----- >> From: "Bert Wijnen (IETF)" <bertietf@bwijnen.net> >> To: "Kent Watsen" <kwatsen@juniper.net> >> Cc: <netconf@ietf.org> >> Sent: Thursday, April 03, 2014 12:36 PM >> >>> WGLC period ended last Tuesday (April 1st). >>> >>> Kent, where are we with this one? >>> >>> Do you expect to post a rev 04 that addresses all comments we have >> received? >>> Either WGLC comments or other comments? Once that is done, I would >> like to ask: >>> - Kent to post which comments have not been addressed and why (if > any) >>> - If possible, Kent to post a summary of changes (although that may >> already be >>> in the document, and that is fine too). >>> - All those that made comments to check if they are OK with the way >> that >>> they have been addressed or responded to. >>> >>> Bert >>> >>> On 27/03/14 17:02, Kent Watsen wrote: >>>> >>>> Hi Alan, >>>> >>>> >>>> Awesome comments - thanks! >>>> >>>> >>>> I applied all fixes mentioned below to my working copy of what > will >> be >>>> -04, so you'll have to wait until then to see the diff. The > reason >> I'm >>>> not posting -04 now is because I'm still trying to work out an > issue >> with >>>> Applicability Statement and with the port's name. >>>> >>>> Below are my detailed responses. >>>> >>>> Cheers, >>>> Kent >>>> >>>> >>>> >>>> >>>> >>>> >>>> >>>>> Typos >>>>> ----- >>>>> >>>> >>>> I fixed all the issues you found. >>>> >>>> >>>> >>>> >>>> >>>> >>>>> Section 2.1, Page 3, Second Paragraph: (wording) >>>>> ------------------------------------------------- >>>>> >>>>> The second paragraph seems vague. Would something along the > lines >> of >>>>> the following text be clearer and/or more specific? >>>> >>>> I forwarded this comment to Steve Hanna, who wrote the > Applicability >>>> Statement. At first I was just going to ask if he was OK with the >>>> proposed text, but then I started thinking that I didn't agree > with >> it. >>>> That is, I think that the SSH protocol does require mutual >> authentication >>>> and that NETCONF's requirement that it be possible to derive a >> "username" >>>> from the transport doesn't change that. I'm still OK limiting >> Reverse SSH >>>> to just NETCONF, but I want the reason to be accurate. I'm now >> waiting >>>> for a response from Steve on this. >>>> >>>> >>>> >>>> >>>> >>>> >>>> >>>>> Section 4, Page 4: (wording) >>>>> ----------------------------- >>>>> >>>>> The current text reads: >>>>> >>>>> o The NETCONF server initiates a TCP connection to the > NETCONF >>>>> client on the IANA-assigned Reverse SSH port YYYY. >>>>> >>>>> o The TCP connection is accepted and a TCP session is >> established. >>>> >>>> >>>> I'm not sure about this change since these bullet-points are >> preceded by >>>> the line "From the NETCONF server's perspective:". The intent is > to >> only >>>> explain the NETCONF-server's perspective, and to let the next >> section >>>> provide the client's perspective. Currently, neither section >> references >>>> the remote peer, so that its text remains squarely focused on its >> side of >>>> the connection. What do you think? >>>> >>>> >>>> >>>> >>>> >>>> >>>> >>>>> Section 5, Page 5, First Paragraph: (wording) >>>>> ---------------------------------------------- >>>>> >>>>> The current text reads: >>>>> >>>>> "When the management system accepts a new incoming connection, >> it >>>>> needs to authenticate the remote peer. Ultimately, this >> entails >>>>> identifying the peer and verifying its SSH host key. >>>>> >>>>> Due to Reverse SSH having the network element initiate the > TCP >>>>> connection," >>>> >>>> >>>> I changed the wording to be more clear, but did it another way, >> please let >>>> me know if you think it's OK! >>>> >>>> >>>> >>>> >>>> >>>> >>>> >>>> >>>>> Section 5, Page 6, First Paragraph: (clarification) >>>>> ---------------------------------------------------- >>>>> >>>>> The current text reads: >>>>> >>>>> "However, configuring distinct host keys on the management >> system >>>>> doesn't scale well, which is an important consideration to a >> network >>>>> management system. A more scalable strategy is to have the >> network >>>>> element's host key signed by a common trusted key, such as a >>>>> certificate authority. Thus, the mangement system only needs > to >>>>> trust a single public key, which vouches for the authenticity > of >> the >>>>> various network element public keys." >>>>> >>>>> Please help me understand this. The way this paragraph is > written, >> it >>>>> is not clear to me why "signing each network element's host key >> with a >>>>> common trusted key" scales better than "configuring distinct host >> keys >>>>> on the management system". >>>>> >>>>> In either of these two situations, it seems like an administrator >> must >>>>> do work for each network element. In one case, it is configuring >> host >>>>> keys, in another, it is signing each network element's host key. >> If >>>>> anything, it seems like signing a host key for each network > element >>>>> requires _more_ work for each network element, so it seems like >> this >>>>> would scale less well. >>>>> >>>>> What am I missing here? >>>> >>>> >>>> Very good question. Of course it comes down to how the device's >> "entity >>>> certificates", as they are called, is distributed. In the best >> case, as >>>> described in the zero-touch draft, the device would ship from >> factory with >>>> a built-in entity-certificate, signed by a trust-chain to its >> vendor's >>>> well-known trust anchor. In this case, there is no additional >> effort >>>> needed, the management system only needs to trust the vendor's >> certificate >>>> for its well-known trust anchor. For cases where the device > doesn't >> ship >>>> from factory with an entity-certificate, introducing PKI is still >>>> advantageous as it decouples the management-system from direct >>>> involvement, such that it could be outsourced to some 3rd-party. >> Makes >>>> sense? What update would you like to see in the draft? >>>> >>>> >>>> >>>> >>>> >>>> >>>> >>>> >>>>> Section 7, Page 7, Third Paragraph: (wording) >>>>> ---------------------------------------------- >>>>> >>>>> In a few places in the third paragraph, and possibly in other >> places >>>>> in the document, would changing "needs to" to lowercase "must", > or >>>>> lowercase "should", make the document a little more concise? >> Example: >>>>> >>>>> "Note that since the SSH server would have to be configured to >> know >>>>> which IP address it needs to connect to," >>>>> ^^^^^^^^ >>>> >>>> >>>> I changed "needs to" to "is to" for this cited location and > another >> I >>>> found. >>>> >>>> >>>> >>>> >>>> >>>> Thanks again, >>>> Kent >>>> >>>> >>>> >>>> >>>> >>>> >>>> >>>> >>>> _______________________________________________ >>>> Netconf mailing list >>>> Netconf@ietf.org >>>> https://www.ietf.org/mailman/listinfo/netconf >>>> >>> >>> _______________________________________________ >>> Netconf mailing list >>> Netconf@ietf.org >>> https://www.ietf.org/mailman/listinfo/netconf >> >> _______________________________________________ >> Netconf mailing list >> Netconf@ietf.org >> https://www.ietf.org/mailman/listinfo/netconf > >
- [Netconf] Comments on draft-ietf-netconf-reverse-… Alan Luchuk
- Re: [Netconf] Comments on draft-ietf-netconf-reve… Kent Watsen
- Re: [Netconf] Comments on draft-ietf-netconf-reve… Alan Luchuk
- Re: [Netconf] WG Last Call Comments on draft-ietf… Bert Wijnen (IETF)
- Re: [Netconf] WG Last Call Comments on draft-ietf… Kent Watsen
- Re: [Netconf] WG Last Call Comments ondraft-ietf-… t.petch
- Re: [Netconf] WG Last Call Comments ondraft-ietf-… Kent Watsen
- Re: [Netconf] WG Last Call Comments ondraft-ietf-… t.petch
- Re: [Netconf] WG Last Call Comments ondraft-ietf-… Kent Watsen
- Re: [Netconf] WG Last Call Comments ondraft-ietf-… Juergen Schoenwaelder
- Re: [Netconf] WG Last Call Comments ondraft-ietf-… Kent Watsen
- Re: [Netconf] WG Last Call Comments ondraft-ietf-… Martin Bjorklund
- [Netconf] periodic connections, heartbeats, recon… t.petch
- Re: [Netconf] WG Last Call Comments ondraft-ietf-… t.petch
- Re: [Netconf] WG Last Call Comments ondraft-ietf-… Kent Watsen
- Re: [Netconf] WG Last Call Comments ondraft-ietf-… t.petch
- Re: [Netconf] periodic connections, heartbeats, r… Kent Watsen
- Re: [Netconf] periodic connections, heartbeats, r… t.petch
- Re: [Netconf] WG Last Call Comments ondraft-ietf-… t.petch
- Re: [Netconf] WG Last Call Comments ondraft-ietf-… Bert Wijnen (IETF)
- Re: [Netconf] WG Last Call Comments ondraft-ietf-… t.petch
- Re: [Netconf] WG Last Call Comments ondraft-ietf-… Kent Watsen
- Re: [Netconf] WG Last Call Comments ondraft-ietf-… Kent Watsen
- Re: [Netconf] WG Last Call Comments ondraft-ietf-… t.petch
- Re: [Netconf] WG Last Call Comments ondraft-ietf-… t.petch
- [Netconf] Netconf keep-alive (was periodic connec… Liubing (Leo)
- Re: [Netconf] Netconf keep-alive (was periodic co… Andy Bierman
- Re: [Netconf] Netconf keep-alive (was periodic co… Liubing (Leo)
- Re: [Netconf] Netconf keep-alive (was periodic co… t.petch
- Re: [Netconf] Netconf keep-alive (was periodic co… Andy Bierman
- Re: [Netconf] Netconf keep-alive (was periodic co… Kent Watsen
- Re: [Netconf] Netconf keep-alive (was periodic co… Phil Shafer
- Re: [Netconf] Netconf keep-alive (was periodic co… Andy Bierman
- Re: [Netconf] Netconf keep-alive (was periodic co… Andy Bierman
- Re: [Netconf] WG Last Call Comments ondraft-ietf-… Kent Watsen
- Re: [Netconf] Netconf keep-alive (was periodic co… t.petch
- Re: [Netconf] Netconf keep-alive (was periodic co… t.petch
- Re: [Netconf] Netconf keep-alive (was periodic co… Andy Bierman
- Re: [Netconf] Netconf keep-alive (was periodic co… t.petch
- Re: [Netconf] WG Last Call Comments ondraft-ietf-… t.petch
- Re: [Netconf] WG Last Call Comments ondraft-ietf-… Kent Watsen
- Re: [Netconf] WG Last Call Comments ondraft-ietf-… Kent Watsen
- Re: [Netconf] WG Last Call Comments ondraft-ietf-… t.petch
- Re: [Netconf] WG Last Call Comments ondraft-ietf-… Kent Watsen
- Re: [Netconf] Netconf keep-alive (was periodic co… Kent Watsen
- Re: [Netconf] Netconf keep-alive Martin Bjorklund
- Re: [Netconf] Netconf keep-alive t.petch
- Re: [Netconf] Netconf keep-alive (was periodic co… t.petch
- Re: [Netconf] WG Last Call Comments ondraft-ietf-… t.petch
- [Netconf] Netconf running state indication-//RE: … Liubing (Leo)
- Re: [Netconf] Netconf running state indication-//… t.petch
- Re: [Netconf] Netconf running state indication-//… Liubing (Leo)
- Re: [Netconf] Netconf running state indication-//… t.petch
- Re: [Netconf] Netconf running state indication-//… Radek Krejčí
- Re: [Netconf] Netconf running state indication-//… Liubing (Leo)
- Re: [Netconf] Netconf running state indication-//… Liubing (Leo)