Re: [Netconf] WG Last Call Comments on draft-ietf-netconf-reverse-ssh-03.txt

Kent Watsen <kwatsen@juniper.net> Fri, 09 May 2014 21:08 UTC

From: Kent Watsen <kwatsen@juniper.net>
To: "t.petch" <ietfc@btconnect.com>, "Bert Wijnen (IETF)" <bertietf@bwijnen.net>
Date: Fri, 09 May 2014 21:08:36 +0000
Message-ID: <CF929D94.6F4D4%kwatsen@juniper.net>
References: <201403251517.LAA15291@adminfs.snmp.com> <CF58ED17.65F0C%kwatsen@juniper.net> <533D47CF.30402@bwijnen.net> <01f401cf5342$4d48d740$4001a8c0@gateway.2wire.net> <032f01cf6524$71cb2340$4001a8c0@gateway.2wire.net> <5368C366.8070509@bwijnen.net> <023701cf69d5$abcfb320$4001a8c0@gateway.2wire.net> <CF8FD96F.6E752%kwatsen@juniper.net> <007201cf6a9c$aa76f980$4001a8c0@gateway.2wire.net>
In-Reply-To: <007201cf6a9c$aa76f980$4001a8c0@gateway.2wire.net>
Archived-At: http://mailarchive.ietf.org/arch/msg/netconf/Ja3_QdWyk-I0LybLboIul7op6pk
Cc: "netconf@ietf.org" <netconf@ietf.org>
Subject: Re: [Netconf] WG Last Call Comments on draft-ietf-netconf-reverse-ssh-03.txt
List-Id: Network Configuration WG mailing list <netconf.ietf.org>

Hi Tom,


Regarding the paragraph you quoted below, note that it's about more than
just X.509.  Specifically, there are other SSH host-key formats that can
encode a unique identifier and be signed by a common trust anchor (e.g.,
the PGP keys from RFC 4253).   I admit the text could be made better - how
about this?

   Examples of suitable public host keys are the X.509v3 keys defined in
   [RFC6187] and the PGP keys defined in [RFC5253].

             ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

If this doesn't resolve the issue, can you also provide the text you hope
to now show up in 5539bis?  I see below what text is proposed to be
removed from draft-ietf-netconf-reverse-ssh, but it doesn't make sense to
just put that into 5539bis; what more do you hope to see in 5539bis?

Thanks,
Kent

><tp>
>Kent
>
>No, I think I am not making myself clear.
>
>I am not saying that we need a common call home section.
>
>I am saying that, having obtained a public key somehow, it then needs
>verifying that it is tied to the party that we are trying to
>communicate with, and that that process is largely the same whether this
>is call home or not.
>
>One form of verification is using X.509 certs, and that is the usual way
>for TLS.  My logic then is put everything we have to say about the use
>of X.509 certs for verification in the TLS I-D and reference it from the
>(reverse-)ssh I-D.  The approach is the same for SSH and TLS and call
>home and not call home IMHO so put it in the one place.
>
>Currently, reverse-ssh lacks some of the points that 5539bis makes about
>the use of certs, and the base ssh RFC says nothing, but reverse-ssh has
>points that 5539bis does not such as the paragraph
>" Since both the identification and verification issues are addressed
>   using certificates, this draft RECOMMENDS network elements use a host
>   key that can encode a unique identifier (e.g., its serial number) and
>   be signed by a common trust anchor (e.g., a certificate authority).
>   Examples of suitable public host keys are the X.509v3 keys defined in
>   [RFC6187]."
>5539bis would be better for having that information in it alongside what
>it currently has so I would move that to 5539bis leaving behind
>something like
>
>" Since both the identification and verification issues are addressed
>   using certificates, this draft RECOMMENDS network elements use them -
>   more details can be found in [5539bis]."
>
>By contrast, the use of raw public keys is rare in TLS and commonplace
>in SSH, so I would keep everything about that that is currently there in
>reverse-ssh - mostly it is nothing to do with call home but the base ssh
>RFC does not cover it so we might as well do the job properly now.
>
>So between them, reverse-ssh and 5539bis currently have all we need, it
>is just that you have to read both in tandem to learn what you should
>know.
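
As an added example, not part of this thread or of either draft, the Go program below models the two steps the quoted paragraph bundles under "identification and verification": the host certificate must chain to a configured trust anchor (verification), and it must carry the unique identifier of the device the client intended to reach (identification). It also shows the raw-public-key alternative Tom contrasts with certificates, where the client has nothing but a pinned fingerprint. The CA name, the device identifier "SN-0001", the use of the CommonName to carry the identifier, and the use of plain X.509 (rather than the RFC 6187 SSH key-format encoding) are assumptions of this example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/hex"
	"fmt"
	"math/big"
	"time"
)

// Constructed PKI for this example (assumption): one CA acting as the common
// trust anchor, and device certificates whose CommonName holds the identifier.

func signCert(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, signer *ecdsa.PrivateKey) (*x509.Certificate, error) {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// buildPKI generates a fresh CA and a device certificate for deviceID signed by
// it; calling it twice yields two unrelated CAs, modelling an untrusted issuer.
func buildPKI(deviceID string) (ca, device *x509.Certificate, err error) {
	caKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	devKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	now := time.Now()
	caTmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "Example Device CA"}, // hypothetical name
		NotBefore:             now.Add(-time.Hour),
		NotAfter:              now.Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}
	if ca, err = signCert(caTmpl, caTmpl, &caKey.PublicKey, caKey); err != nil {
		return nil, nil, err
	}
	devTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      pkix.Name{CommonName: deviceID}, // the unique identifier lives here
		NotBefore:    now.Add(-time.Hour),
		NotAfter:     now.Add(24 * time.Hour),
	}
	if device, err = signCert(devTmpl, ca, &devKey.PublicKey, caKey); err != nil {
		return nil, nil, err
	}
	return ca, device, nil
}

// verifyHostCert does verification (chains to a trust anchor) and then
// identification (names the expected device); "signed by our CA" alone is not enough.
func verifyHostCert(hostCert *x509.Certificate, expectedID string, trustAnchors ...*x509.Certificate) error {
	roots := x509.NewCertPool()
	for _, anchor := range trustAnchors {
		roots.AddCert(anchor)
	}
	if _, err := hostCert.Verify(x509.VerifyOptions{Roots: roots}); err != nil {
		return fmt.Errorf("verification failed: %w", err)
	}
	if got := hostCert.Subject.CommonName; got != expectedID {
		return fmt.Errorf("identification failed: certificate is for %q, expected %q", got, expectedID)
	}
	return nil
}

// keyFingerprint is the raw-public-key path: no trust anchor, only a SHA-256
// over the key's DER encoding that the client must have pinned out of band.
func keyFingerprint(pub any) (string, error) {
	der, err := x509.MarshalPKIXPublicKey(pub)
	if err != nil {
		return "", err
	}
	sum := sha256.Sum256(der)
	return hex.EncodeToString(sum[:]), nil
}

func main() {
	ca, dev, err := buildPKI("SN-0001") // constructed device identifier
	if err != nil {
		panic(err)
	}
	_, rogue, _ := buildPKI("SN-0001") // same identifier, unrelated CA
	fmt.Println("expected device:", verifyHostCert(dev, "SN-0001", ca))
	fmt.Println("wrong device:   ", verifyHostCert(dev, "SN-9999", ca))
	fmt.Println("untrusted CA:   ", verifyHostCert(rogue, "SN-0001", ca))
}
```

The third case in main is the one the identifier-in-certificate approach exists to catch: a certificate that names the right device but was issued by a CA the client does not trust fails verification, while a certificate from the trusted CA for a different device passes verification and fails identification. With a pinned fingerprint there is no issuer to check at all, which is why that path needs the fingerprint to have been obtained securely out of band.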