IETF Logo Mail Archive

Re: [Netconf] WG Last Call Comments ondraft-ietf-netconf-reverse-ssh-03.txt

Kent Watsen <kwatsen@juniper.net> Tue, 08 April 2014 16:24 UTC

Return-Path: <kwatsen@juniper.net>
X-Original-To: netconf@ietfa.amsl.com
Delivered-To: netconf@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 80C0E1A04AA for <netconf@ietfa.amsl.com>; Tue, 8 Apr 2014 09:24:14 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.349
X-Spam-Level:
X-Spam-Status: No, score=-1.349 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001, UNRESOLVED_TEMPLATE=1.252] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id IW7hI_a3RyGF for <netconf@ietfa.amsl.com>; Tue, 8 Apr 2014 09:24:09 -0700 (PDT)
Received: from ch1outboundpool.messaging.microsoft.com (ch1ehsobe005.messaging.microsoft.com [216.32.181.185]) by ietfa.amsl.com (Postfix) with ESMTP id 84F841A0484 for <netconf@ietf.org>; Tue, 8 Apr 2014 09:24:09 -0700 (PDT)
Received: from mail24-ch1-R.bigfish.com (10.43.68.239) by CH1EHSOBE010.bigfish.com (10.43.70.60) with Microsoft SMTP Server id 14.1.225.22; Tue, 8 Apr 2014 16:23:51 +0000
Received: from mail24-ch1 (localhost [127.0.0.1]) by mail24-ch1-R.bigfish.com (Postfix) with ESMTP id 5258E3E065B; Tue, 8 Apr 2014 16:23:51 +0000 (UTC)
X-Forefront-Antispam-Report: CIP:157.56.240.101; KIP:(null); UIP:(null); IPV:NLI; H:BL2PRD0510HT002.namprd05.prod.outlook.com; RD:none; EFVD:NLI
X-SpamScore: -38
X-BigFish: VPS-38(z579ehzbb2dI98dI9371I103dK542I1dbaI1432I1418I14e3M4015I111aIdf9Izz1f42h2148h1ee6h1de0h1fdah2073h2146h1202h1e76h2189h1d1ah1d2ah21bch1fc6h208chzz8275ch1de098h1033IL8275bh8275dh1de097h186068hz2fh109h2a8h839h944he5bhf0ah1220h1288h12a5h12a9h12bdh137ah13b6h1441h1504h1537h153bh162dh1631h1758h18e1h1946h19b5h19ceh1ad9h1b0ah224fh1d0ch1d2eh1d3fh1dfeh1dffh1e1dh1fe8h1ff5h209eh2216h22d0h2336h2438h2461h2487h24ach24d7h2516h2545h255eh25cch25f6h2605h262fh268bh26c8h26d3h1155h)
Received-SPF: pass (mail24-ch1: domain of juniper.net designates 157.56.240.101 as permitted sender) client-ip=157.56.240.101; envelope-from=kwatsen@juniper.net; helo=BL2PRD0510HT002.namprd05.prod.outlook.com ; .outlook.com ;
X-Forefront-Antispam-Report-Untrusted: SFV:NSPM; SFS:(10009001)(979002)(6009001)(428001)(199002)(35774003)(189002)(24454002)(479174003)(377454003)(51704005)(43784003)(51444003)(164054003)(41574002)(53474002)(13464003)(19580395003)(93136001)(56816005)(76482001)(81342001)(92726001)(74366001)(46102001)(81542001)(83322001)(93516002)(94316002)(66066001)(86362001)(63696002)(92566001)(77982001)(19580405001)(56776001)(99396002)(80976001)(53806002)(50986002)(51856002)(54316003)(74876001)(90146001)(65816001)(81686001)(80022001)(15975445006)(97186001)(59766001)(85852003)(31966008)(83506001)(76796001)(69226001)(76786001)(87266001)(4396001)(94946001)(49866001)(74706001)(81816001)(74502001)(97336001)(87936001)(36756003)(20776003)(2656002)(77096001)(98676001)(85306002)(74662001)(99286001)(95416001)(79102001)(95666003)(83072002)(54356002)(47736002)(47446003)(47976002)(969003)(989001)(999001)(1009001)(1019001); DIR:OUT; SFP:1101; SCL:1; SRVR:CO1PR05MB458; H:CO1PR05MB458.namprd05.prod.outlook.com; FPR:66CF155.A4DA5141.B2D1124B.52E4D3F1.206DE; MLV:ovrnspm; PTR:InfoNoRecords; A:1; MX:1; LANG:en;
Received: from mail24-ch1 (localhost.localdomain [127.0.0.1]) by mail24-ch1 (MessageSwitch) id 1396974229812499_29328; Tue, 8 Apr 2014 16:23:49 +0000 (UTC)
Received: from CH1EHSMHS007.bigfish.com (snatpool3.int.messaging.microsoft.com [10.43.68.226]) by mail24-ch1.bigfish.com (Postfix) with ESMTP id B76984400C2; Tue, 8 Apr 2014 16:23:49 +0000 (UTC)
Received: from BL2PRD0510HT002.namprd05.prod.outlook.com (157.56.240.101) by CH1EHSMHS007.bigfish.com (10.43.70.7) with Microsoft SMTP Server (TLS) id 14.16.227.3; Tue, 8 Apr 2014 16:23:48 +0000
Received: from CO1PR05MB458.namprd05.prod.outlook.com (10.141.72.140) by BL2PRD0510HT002.namprd05.prod.outlook.com (10.255.100.37) with Microsoft SMTP Server (TLS) id 14.16.435.0; Tue, 8 Apr 2014 16:24:05 +0000
Received: from CO1PR05MB458.namprd05.prod.outlook.com (10.141.72.140) by CO1PR05MB458.namprd05.prod.outlook.com (10.141.72.140) with Microsoft SMTP Server (TLS) id 15.0.913.9; Tue, 8 Apr 2014 16:24:02 +0000
Received: from CO1PR05MB458.namprd05.prod.outlook.com ([169.254.10.33]) by CO1PR05MB458.namprd05.prod.outlook.com ([169.254.10.33]) with mapi id 15.00.0913.002; Tue, 8 Apr 2014 16:24:02 +0000
From: Kent Watsen <kwatsen@juniper.net>
To: "t.petch" <ietfc@btconnect.com>, "Bert Wijnen (IETF)" <bertietf@bwijnen.net>
Thread-Topic: [Netconf] WG Last Call Comments ondraft-ietf-netconf-reverse-ssh-03.txt
Thread-Index: AQHPU0KVQTfYkuZcEUioVZNKor+uVZsHpGQA
Date: Tue, 08 Apr 2014 16:24:01 +0000
Message-ID: <CF69971C.685E2%kwatsen@juniper.net>
References: <201403251517.LAA15291@adminfs.snmp.com> <CF58ED17.65F0C%kwatsen@juniper.net> <533D47CF.30402@bwijnen.net> <01f401cf5342$4d48d740$4001a8c0@gateway.2wire.net>
In-Reply-To: <01f401cf5342$4d48d740$4001a8c0@gateway.2wire.net>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
user-agent: Microsoft-MacOutlook/14.3.9.131030
x-originating-ip: [66.129.241.13]
x-forefront-prvs: 017589626D
Content-Type: text/plain; charset="us-ascii"
Content-ID: <C878B60E13DDF8469E2B17DECEF83DB5@namprd05.prod.outlook.com>
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
X-FOPE-CRA-Verdict: 157.56.240.101$btconnect.com%0%1%DuplicateDomain-c684c95e-93ad-459f-9d80-96fa46cd75af.juniper.net%False%False%0$
X-OriginatorOrg: juniper.net
X-FOPE-CONNECTOR: Id%0$Dn%*$RO%0$TLS%0$FQDN%$TlsDn%
X-FOPE-CONNECTOR: Id%0$Dn%BTCONNECT.COM$RO%1$TLS%0$FQDN%$TlsDn%
Archived-At: http://mailarchive.ietf.org/arch/msg/netconf/L06pg4tJPswifiG9pCxTP6IIVQc
Cc: "netconf@ietf.org" <netconf@ietf.org>
Subject: Re: [Netconf] WG Last Call Comments ondraft-ietf-netconf-reverse-ssh-03.txt
X-BeenThere: netconf@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Network Configuration WG mailing list <netconf.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/netconf>, <mailto:netconf-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/netconf/>
List-Post: <mailto:netconf@ietf.org>
List-Help: <mailto:netconf-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/netconf>, <mailto:netconf-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 08 Apr 2014 16:24:15 -0000

Hi Tom,

Thank you for voicing my own thoughts as well.  I had previously raised
the idea of merging the reverse-ssh draft into a 4742bis, but the WG
agreed to keep it separate for simplicity sake.  That said, I like
symmetry, and it would be more consistent for 5539bis and a 4447bis,
rather than what we have now.  Just saying  ;)

Regarding Normative vs Informative, I recently asked about this and Bert
said that it comes down to if said draft needs to be understood and/or
implemented.  If this is the condition, then I believe it swings to being
Informative, as proprietary vendor-specific configuration could be used
alternatively.  As it is, the vendor can decide if they want to advertise
urn:ietf:params:xml:ns:yang:ietf-netconf-server-model in their <hello>
message.  Are you suggesting that advertising this capability in the
<hello> message should be required in order for an implementation to claim
they implement Reverse SSH for NETCONF Call Home?

Thanks,
Kent


On 4/8/14 9:44 AM, "t.petch" <ietfc@btconnect.com> wrote:

>I do not think that this is ready to advance.  I had not intended to
>comment but having started on netconf-server, and found I had to read
>5539bis to understand where it was going, I then found that reverse-ssh
>was another piece of the jigsaw.
>
>In particular, I think that this I-D is more or less updating RFC4742 in
>its considerations of security.  And I think it may be confused about
>public keys and certificates and their role in authentication.
>
>Taken together, and I do not think they can be considered separately, I
>do not think that the three I-Ds give a coherent view of how to secure a
>NETCONF session.
>
>I would point to the queries raised by Tadek and Bajpai which, to me on
>the one hand seem spot on and on the other, seem to regard the subject
>material of these three I-Ds as of a one - which I obviously agree with.
>
>I think that netconf-server is the one in most need of progress and see
>it as a Normative, not Informative, prerequisite.
>
>Tom Petch
>
>
>----- Original Message -----
>From: "Bert Wijnen (IETF)" <bertietf@bwijnen.net>
>To: "Kent Watsen" <kwatsen@juniper.net>
>Cc: <netconf@ietf.org>
>Sent: Thursday, April 03, 2014 12:36 PM
>
>> WGLC period ended last Tuesday (April 1st).
>>
>> Kent, where are we with this one?
>>
>> Do you expect to post a rev 04 that addresses all comments we have
>received?
>> Either WGLC comments or other comments? Once that is done, I would
>like to ask:
>> - Kent to post which comments have not been addressed and why (if any)
>> - If possible, Kent to post a summary of changes (although that may
>already be
>>    in the document, and that is fine too).
>> - All those that made comments to check if they are OK with the way
>that
>>    they have been addressed or responded to.
>>
>> Bert
>>
>> On 27/03/14 17:02, Kent Watsen wrote:
>> >
>> > Hi Alan,
>> >
>> >
>> > Awesome comments - thanks!
>> >
>> >
>> > I applied all fixes mentioned below to my working copy of what will
>be
>> > -04, so you'll have to wait until then to see the diff.  The reason
>I'm
>> > not posting -04 now is because I'm still trying to work out an issue
>with
>> > Applicability Statement and with the port's name.
>> >
>> > Below are my detailed responses.
>> >
>> > Cheers,
>> > Kent
>> >
>> >
>> >
>> >
>> >
>> >
>> >
>> >> Typos
>> >> -----
>> >>
>> >
>> > I fixed all the issues you found.
>> >
>> >
>> >
>> >
>> >
>> >
>> >> Section 2.1, Page 3, Second Paragraph:  (wording)
>> >> -------------------------------------------------
>> >>
>> >> The second paragraph seems vague.  Would something along the lines
>of
>> >> the following text be clearer and/or more specific?
>> >
>> > I forwarded this comment to Steve Hanna, who wrote the Applicability
>> > Statement.  At first I was just going to ask if he was OK with the
>> > proposed text, but then I started thinking that I didn't agree with
>it.
>> > That is, I think that the SSH protocol does require mutual
>authentication
>> > and that NETCONF's requirement that it be possible to derive a
>"username"
>> > from the transport doesn't change that.  I'm still OK limiting
>Reverse SSH
>> > to just NETCONF, but I want the reason to be accurate.  I'm now
>waiting
>> > for a response from Steve on this.
>> >
>> >
>> >
>> >
>> >
>> >
>> >
>> >> Section 4, Page 4:  (wording)
>> >> -----------------------------
>> >>
>> >> The current text reads:
>> >>
>> >>    o  The NETCONF server initiates a TCP connection to the NETCONF
>> >>       client on the IANA-assigned Reverse SSH port YYYY.
>> >>
>> >>    o  The TCP connection is accepted and a TCP session is
>established.
>> >
>> >
>> > I'm not sure about this change since these bullet-points are
>preceded by
>> > the line "From the NETCONF server's perspective:".  The intent is to
>only
>> > explain the NETCONF-server's perspective, and to let the next
>section
>> > provide the client's perspective.   Currently, neither section
>references
>> > the remote peer, so that its text remains squarely focused on its
>side of
>> > the connection.  What do you think?
>> >
>> >
>> >
>> >
>> >
>> >
>> >
>> >> Section 5, Page 5, First Paragraph:  (wording)
>> >> ----------------------------------------------
>> >>
>> >> The current text reads:
>> >>
>> >>    "When the management system accepts a new incoming connection,
>it
>> >>     needs to authenticate the remote peer.  Ultimately, this
>entails
>> >>     identifying the peer and verifying its SSH host key.
>> >>
>> >>     Due to Reverse SSH having the network element initiate the TCP
>> >>     connection,"
>> >
>> >
>> > I changed the wording to be more clear, but did it another way,
>please let
>> > me know if you think it's OK!
>> >
>> >
>> >
>> >
>> >
>> >
>> >
>> >
>> >> Section 5, Page 6, First Paragraph:  (clarification)
>> >> ----------------------------------------------------
>> >>
>> >> The current text reads:
>> >>
>> >>    "However, configuring distinct host keys on the management
>system
>> >>    doesn't scale well, which is an important consideration to a
>network
>> >>    management system.  A more scalable strategy is to have the
>network
>> >>    element's host key signed by a common trusted key, such as a
>> >>    certificate authority.  Thus, the mangement system only needs to
>> >>    trust a single public key, which vouches for the authenticity of
>the
>> >>    various network element public keys."
>> >>
>> >> Please help me understand this.  The way this paragraph is written,
>it
>> >> is not clear to me why "signing each network element's host key
>with a
>> >> common trusted key" scales better than "configuring distinct host
>keys
>> >> on the management system".
>> >>
>> >> In either of these two situations, it seems like an administrator
>must
>> >> do work for each network element.  In one case, it is configuring
>host
>> >> keys, in another, it is signing each network element's host key.
>If
>> >> anything, it seems like signing a host key for each network element
>> >> requires _more_ work for each network element, so it seems like
>this
>> >> would scale less well.
>> >>
>> >> What am I missing here?
>> >
>> >
>> > Very good question.  Of course it comes down to how the device's
>"entity
>> > certificates", as they are called, is distributed.  In the best
>case, as
>> > described in the zero-touch draft, the device would ship from
>factory with
>> > a built-in entity-certificate, signed by a trust-chain to its
>vendor's
>> > well-known trust anchor.  In this case, there is no additional
>effort
>> > needed, the management system only needs to trust the vendor's
>certificate
>> > for its well-known trust anchor.  For cases where the device doesn't
>ship
>> > from factory with an entity-certificate, introducing PKI is still
>> > advantageous as it decouples the management-system from direct
>> > involvement, such that it could be outsourced to some 3rd-party.
>Makes
>> > sense?  What update would you like to see in the draft?
>> >
>> >
>> >
>> >
>> >
>> >
>> >
>> >
>> >> Section 7, Page 7, Third Paragraph:  (wording)
>> >> ----------------------------------------------
>> >>
>> >> In a few places in the third paragraph, and possibly in other
>places
>> >> in the document, would changing "needs to" to lowercase "must", or
>> >> lowercase "should", make the document a little more concise?
>Example:
>> >>
>> >>    "Note that since the SSH server would have to be configured to
>know
>> >>     which IP address it needs to connect to,"
>> >>                         ^^^^^^^^
>> >
>> >
>> > I changed "needs to" to "is to" for this cited location and another
>I
>> > found.
>> >
>> >
>> >
>> >
>> >
>> > Thanks again,
>> > Kent
>> >
>> >
>> >
>> >
>> >
>> >
>> >
>> >
>> > _______________________________________________
>> > Netconf mailing list
>> > Netconf@ietf.org
>> > https://www.ietf.org/mailman/listinfo/netconf
>> >
>>
>> _______________________________________________
>> Netconf mailing list
>> Netconf@ietf.org
>> https://www.ietf.org/mailman/listinfo/netconf
>
>
>

v2.23.0 | Report a Bug | By Email