Re: [Netconf] WG Last Call Comments ondraft-ietf-netconf-reverse-ssh-03.txt
Kent Watsen <kwatsen@juniper.net> Fri, 09 May 2014 21:08 UTC
Return-Path: <kwatsen@juniper.net>
X-Original-To: netconf@ietfa.amsl.com
Delivered-To: netconf@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 692C01A00D8 for <netconf@ietfa.amsl.com>; Fri, 9 May 2014 14:08:56 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.902
X-Spam-Level:
X-Spam-Status: No, score=-1.902 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id T6BJ9a1zsL_n for <netconf@ietfa.amsl.com>; Fri, 9 May 2014 14:08:46 -0700 (PDT)
Received: from na01-bn1-obe.outbound.protection.outlook.com (mail-bn1blp0185.outbound.protection.outlook.com [207.46.163.185]) by ietfa.amsl.com (Postfix) with ESMTP id AFC361A0127 for <netconf@ietf.org>; Fri, 9 May 2014 14:08:45 -0700 (PDT)
Received: from CO1PR05MB458.namprd05.prod.outlook.com (10.141.72.140) by CO1PR05MB457.namprd05.prod.outlook.com (10.141.72.141) with Microsoft SMTP Server (TLS) id 15.0.939.12; Fri, 9 May 2014 21:08:38 +0000
Received: from CO1PR05MB458.namprd05.prod.outlook.com ([169.254.10.115]) by CO1PR05MB458.namprd05.prod.outlook.com ([169.254.10.115]) with mapi id 15.00.0939.000; Fri, 9 May 2014 21:08:37 +0000
From: Kent Watsen <kwatsen@juniper.net>
To: "t.petch" <ietfc@btconnect.com>, "Bert Wijnen (IETF)" <bertietf@bwijnen.net>
Thread-Topic: [Netconf] WG Last Call Comments ondraft-ietf-netconf-reverse-ssh-03.txt
Thread-Index: AQHPU0KVQTfYkuZcEUioVZNKor+uVZsro1aWgAfuBgCAAXRlEYAAS5QAgAFCeQGAAhhMgA==
Date: Fri, 09 May 2014 21:08:36 +0000
Message-ID: <CF929D94.6F4D4%kwatsen@juniper.net>
References: <201403251517.LAA15291@adminfs.snmp.com> <CF58ED17.65F0C%kwatsen@juniper.net> <533D47CF.30402@bwijnen.net> <01f401cf5342$4d48d740$4001a8c0@gateway.2wire.net> <032f01cf6524$71cb2340$4001a8c0@gateway.2wire.net> <5368C366.8070509@bwijnen.net> <023701cf69d5$abcfb320$4001a8c0@gateway.2wire.net> <CF8FD96F.6E752%kwatsen@juniper.net> <007201cf6a9c$aa76f980$4001a8c0@gateway.2wire.net>
In-Reply-To: <007201cf6a9c$aa76f980$4001a8c0@gateway.2wire.net>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
user-agent: Microsoft-MacOutlook/14.4.1.140326
x-originating-ip: [66.129.241.14]
x-forefront-prvs: 02065A9E77
x-forefront-antispam-report: SFV:NSPM; SFS:(10009001)(6009001)(428001)(51704005)(164054003)(40224001)(199002)(189002)(92566001)(87936001)(83506001)(2656002)(86362001)(92726001)(83072002)(21056001)(76482001)(46102001)(99286001)(77982001)(101416001)(80022001)(76176999)(66066001)(54356999)(50986999)(79102001)(20776003)(81542001)(36756003)(64706001)(74662001)(74502001)(81342001)(83322001)(31966008)(4396001); DIR:OUT; SFP:1101; SCL:1; SRVR:CO1PR05MB457; H:CO1PR05MB458.namprd05.prod.outlook.com; FPR:; MLV:sfv; PTR:InfoNoRecords; A:1; MX:1; LANG:en;
received-spf: None (: juniper.net does not designate permitted sender hosts)
authentication-results: spf=none (sender IP is ) smtp.mailfrom=kwatsen@juniper.net;
Content-Type: text/plain; charset="us-ascii"
Content-ID: <5C8EC8E32693CB40B795BA79FFA4A8F6@namprd05.prod.outlook.com>
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
X-OriginatorOrg: juniper.net
Archived-At: http://mailarchive.ietf.org/arch/msg/netconf/Ja3_QdWyk-I0LybLboIul7op6pk
Cc: "netconf@ietf.org" <netconf@ietf.org>
Subject: Re: [Netconf] WG Last Call Comments ondraft-ietf-netconf-reverse-ssh-03.txt
X-BeenThere: netconf@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Network Configuration WG mailing list <netconf.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/netconf>, <mailto:netconf-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/netconf/>
List-Post: <mailto:netconf@ietf.org>
List-Help: <mailto:netconf-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/netconf>, <mailto:netconf-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 09 May 2014 21:08:57 -0000
Hi Tom, Regarding the paragraph you quoted below, note that it's about more than just X.509. Specifically, there are other SSH host-key formats that can encode a unique identifier and be signed by a common trust anchor (e.g., the PGP keys from RFC 4253). I admit the text could be made better - how about this? Examples of suitable public host keys are the X.509v3 keys defined in defined in [RFC6187] and the PGP keys defined in [RFC5253]. ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ If this doesn't resolve the issue, can you also provide the text you hope to now show up in 5539bis? I see below what text is proposed to be removed from draft-ietf-netconf-reverse-ssh, but it doesn't make sense to just put that into 5539bis, what more do you hope to see in 5539bis? Thanks, Kent ><tp> >Kent > >No, I think I am not making myself clear. > >I am not saying that we need a common call home section. > >I am saying that having obtained a public key somehow, then it needs >verifying, that it is tied to the party that we are trying to >communicate with, and that that process is largely the same whether this >is call home or not. > >One form of verification is using X.509 certs, and that is the usual way >for TLS. My logic then is put everything we have to say about the use >of X.509 certs for verification in the TLS I-D and reference it from the >(reverse-)ssh I-D. The approach is the same for SSH and TLS and call >home and not call home IMHO so put it in the one place. > >Currently, reverse-ssh lacks some of the points that 5539bis makes about >the use of certs, and the base ssh RFC says nothing, but reverse-ssh has >points that 5539bis does not such as the paragraph >" Since both the identification and verification issues are addressed > using certificates, this draft RECOMMENDS network elements use a host > key that can encode a unique identifier (e.g., its serial number) and > be signed by a common trust anchor (e.g., a certificate authority). > Examples of suitable public host keys are the X.509v3 keys defined in > defined in [RFC6187]." >5539bis would be better for having that information in it alongside what >it currently has so I would move that to 5539bis leaving behind >something like > >" Since both the identification and verification issues are addressed > using certificates, this draft RECOMMENDS network elements use them - > more details can be found in [5539bis]." > >By contrast, the use of raw public keys is rare in TLS and commonplace >in SSH, so I would keep everything about that that is currently there in >reverse-ssh - mostly it is nothing to do with call home but the base ssh >RFC does not cover it so we might as well do the job properly now. > >So between them, reverse-ssh and 5539bis currently have all we need, it >is just that you have to read both in tandem to learn what you should >know.
- [Netconf] Comments on draft-ietf-netconf-reverse-… Alan Luchuk
- Re: [Netconf] Comments on draft-ietf-netconf-reve… Kent Watsen
- Re: [Netconf] Comments on draft-ietf-netconf-reve… Alan Luchuk
- Re: [Netconf] WG Last Call Comments on draft-ietf… Bert Wijnen (IETF)
- Re: [Netconf] WG Last Call Comments on draft-ietf… Kent Watsen
- Re: [Netconf] WG Last Call Comments ondraft-ietf-… t.petch
- Re: [Netconf] WG Last Call Comments ondraft-ietf-… Kent Watsen
- Re: [Netconf] WG Last Call Comments ondraft-ietf-… t.petch
- Re: [Netconf] WG Last Call Comments ondraft-ietf-… Kent Watsen
- Re: [Netconf] WG Last Call Comments ondraft-ietf-… Juergen Schoenwaelder
- Re: [Netconf] WG Last Call Comments ondraft-ietf-… Kent Watsen
- Re: [Netconf] WG Last Call Comments ondraft-ietf-… Martin Bjorklund
- [Netconf] periodic connections, heartbeats, recon… t.petch
- Re: [Netconf] WG Last Call Comments ondraft-ietf-… t.petch
- Re: [Netconf] WG Last Call Comments ondraft-ietf-… Kent Watsen
- Re: [Netconf] WG Last Call Comments ondraft-ietf-… t.petch
- Re: [Netconf] periodic connections, heartbeats, r… Kent Watsen
- Re: [Netconf] periodic connections, heartbeats, r… t.petch
- Re: [Netconf] WG Last Call Comments ondraft-ietf-… t.petch
- Re: [Netconf] WG Last Call Comments ondraft-ietf-… Bert Wijnen (IETF)
- Re: [Netconf] WG Last Call Comments ondraft-ietf-… t.petch
- Re: [Netconf] WG Last Call Comments ondraft-ietf-… Kent Watsen
- Re: [Netconf] WG Last Call Comments ondraft-ietf-… Kent Watsen
- Re: [Netconf] WG Last Call Comments ondraft-ietf-… t.petch
- Re: [Netconf] WG Last Call Comments ondraft-ietf-… t.petch
- [Netconf] Netconf keep-alive (was periodic connec… Liubing (Leo)
- Re: [Netconf] Netconf keep-alive (was periodic co… Andy Bierman
- Re: [Netconf] Netconf keep-alive (was periodic co… Liubing (Leo)
- Re: [Netconf] Netconf keep-alive (was periodic co… t.petch
- Re: [Netconf] Netconf keep-alive (was periodic co… Andy Bierman
- Re: [Netconf] Netconf keep-alive (was periodic co… Kent Watsen
- Re: [Netconf] Netconf keep-alive (was periodic co… Phil Shafer
- Re: [Netconf] Netconf keep-alive (was periodic co… Andy Bierman
- Re: [Netconf] Netconf keep-alive (was periodic co… Andy Bierman
- Re: [Netconf] WG Last Call Comments ondraft-ietf-… Kent Watsen
- Re: [Netconf] Netconf keep-alive (was periodic co… t.petch
- Re: [Netconf] Netconf keep-alive (was periodic co… t.petch
- Re: [Netconf] Netconf keep-alive (was periodic co… Andy Bierman
- Re: [Netconf] Netconf keep-alive (was periodic co… t.petch
- Re: [Netconf] WG Last Call Comments ondraft-ietf-… t.petch
- Re: [Netconf] WG Last Call Comments ondraft-ietf-… Kent Watsen
- Re: [Netconf] WG Last Call Comments ondraft-ietf-… Kent Watsen
- Re: [Netconf] WG Last Call Comments ondraft-ietf-… t.petch
- Re: [Netconf] WG Last Call Comments ondraft-ietf-… Kent Watsen
- Re: [Netconf] Netconf keep-alive (was periodic co… Kent Watsen
- Re: [Netconf] Netconf keep-alive Martin Bjorklund
- Re: [Netconf] Netconf keep-alive t.petch
- Re: [Netconf] Netconf keep-alive (was periodic co… t.petch
- Re: [Netconf] WG Last Call Comments ondraft-ietf-… t.petch
- [Netconf] Netconf running state indication-//RE: … Liubing (Leo)
- Re: [Netconf] Netconf running state indication-//… t.petch
- Re: [Netconf] Netconf running state indication-//… Liubing (Leo)
- Re: [Netconf] Netconf running state indication-//… t.petch
- Re: [Netconf] Netconf running state indication-//… Radek Krejčí
- Re: [Netconf] Netconf running state indication-//… Liubing (Leo)
- Re: [Netconf] Netconf running state indication-//… Liubing (Leo)