Re: [Netconf] WG Last Call Comments ondraft-ietf-netconf-reverse-ssh-03.txt
Kent Watsen <kwatsen@juniper.net> Tue, 08 April 2014 16:24 UTC
Return-Path: <kwatsen@juniper.net>
X-Original-To: netconf@ietfa.amsl.com
Delivered-To: netconf@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 80C0E1A04AA for <netconf@ietfa.amsl.com>; Tue, 8 Apr 2014 09:24:14 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.349
X-Spam-Level:
X-Spam-Status: No, score=-1.349 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001, UNRESOLVED_TEMPLATE=1.252] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id IW7hI_a3RyGF for <netconf@ietfa.amsl.com>; Tue, 8 Apr 2014 09:24:09 -0700 (PDT)
Received: from ch1outboundpool.messaging.microsoft.com (ch1ehsobe005.messaging.microsoft.com [216.32.181.185]) by ietfa.amsl.com (Postfix) with ESMTP id 84F841A0484 for <netconf@ietf.org>; Tue, 8 Apr 2014 09:24:09 -0700 (PDT)
Received: from mail24-ch1-R.bigfish.com (10.43.68.239) by CH1EHSOBE010.bigfish.com (10.43.70.60) with Microsoft SMTP Server id 14.1.225.22; Tue, 8 Apr 2014 16:23:51 +0000
Received: from mail24-ch1 (localhost [127.0.0.1]) by mail24-ch1-R.bigfish.com (Postfix) with ESMTP id 5258E3E065B; Tue, 8 Apr 2014 16:23:51 +0000 (UTC)
X-Forefront-Antispam-Report: CIP:157.56.240.101; KIP:(null); UIP:(null); IPV:NLI; H:BL2PRD0510HT002.namprd05.prod.outlook.com; RD:none; EFVD:NLI
X-SpamScore: -38
X-BigFish: VPS-38(z579ehzbb2dI98dI9371I103dK542I1dbaI1432I1418I14e3M4015I111aIdf9Izz1f42h2148h1ee6h1de0h1fdah2073h2146h1202h1e76h2189h1d1ah1d2ah21bch1fc6h208chzz8275ch1de098h1033IL8275bh8275dh1de097h186068hz2fh109h2a8h839h944he5bhf0ah1220h1288h12a5h12a9h12bdh137ah13b6h1441h1504h1537h153bh162dh1631h1758h18e1h1946h19b5h19ceh1ad9h1b0ah224fh1d0ch1d2eh1d3fh1dfeh1dffh1e1dh1fe8h1ff5h209eh2216h22d0h2336h2438h2461h2487h24ach24d7h2516h2545h255eh25cch25f6h2605h262fh268bh26c8h26d3h1155h)
Received-SPF: pass (mail24-ch1: domain of juniper.net designates 157.56.240.101 as permitted sender) client-ip=157.56.240.101; envelope-from=kwatsen@juniper.net; helo=BL2PRD0510HT002.namprd05.prod.outlook.com ; .outlook.com ;
X-Forefront-Antispam-Report-Untrusted: SFV:NSPM; SFS:(10009001)(979002)(6009001)(428001)(199002)(35774003)(189002)(24454002)(479174003)(377454003)(51704005)(43784003)(51444003)(164054003)(41574002)(53474002)(13464003)(19580395003)(93136001)(56816005)(76482001)(81342001)(92726001)(74366001)(46102001)(81542001)(83322001)(93516002)(94316002)(66066001)(86362001)(63696002)(92566001)(77982001)(19580405001)(56776001)(99396002)(80976001)(53806002)(50986002)(51856002)(54316003)(74876001)(90146001)(65816001)(81686001)(80022001)(15975445006)(97186001)(59766001)(85852003)(31966008)(83506001)(76796001)(69226001)(76786001)(87266001)(4396001)(94946001)(49866001)(74706001)(81816001)(74502001)(97336001)(87936001)(36756003)(20776003)(2656002)(77096001)(98676001)(85306002)(74662001)(99286001)(95416001)(79102001)(95666003)(83072002)(54356002)(47736002)(47446003)(47976002)(969003)(989001)(999001)(1009001)(1019001); DIR:OUT; SFP:1101; SCL:1; SRVR:CO1PR05MB458; H:CO1PR05MB458.namprd05.prod.outlook.com; FPR:66CF155.A4DA5141.B2D1124B.52E4D3F1.206DE; MLV:ovrnspm; PTR:InfoNoRecords; A:1; MX:1; LANG:en;
Received: from mail24-ch1 (localhost.localdomain [127.0.0.1]) by mail24-ch1 (MessageSwitch) id 1396974229812499_29328; Tue, 8 Apr 2014 16:23:49 +0000 (UTC)
Received: from CH1EHSMHS007.bigfish.com (snatpool3.int.messaging.microsoft.com [10.43.68.226]) by mail24-ch1.bigfish.com (Postfix) with ESMTP id B76984400C2; Tue, 8 Apr 2014 16:23:49 +0000 (UTC)
Received: from BL2PRD0510HT002.namprd05.prod.outlook.com (157.56.240.101) by CH1EHSMHS007.bigfish.com (10.43.70.7) with Microsoft SMTP Server (TLS) id 14.16.227.3; Tue, 8 Apr 2014 16:23:48 +0000
Received: from CO1PR05MB458.namprd05.prod.outlook.com (10.141.72.140) by BL2PRD0510HT002.namprd05.prod.outlook.com (10.255.100.37) with Microsoft SMTP Server (TLS) id 14.16.435.0; Tue, 8 Apr 2014 16:24:05 +0000
Received: from CO1PR05MB458.namprd05.prod.outlook.com (10.141.72.140) by CO1PR05MB458.namprd05.prod.outlook.com (10.141.72.140) with Microsoft SMTP Server (TLS) id 15.0.913.9; Tue, 8 Apr 2014 16:24:02 +0000
Received: from CO1PR05MB458.namprd05.prod.outlook.com ([169.254.10.33]) by CO1PR05MB458.namprd05.prod.outlook.com ([169.254.10.33]) with mapi id 15.00.0913.002; Tue, 8 Apr 2014 16:24:02 +0000
From: Kent Watsen <kwatsen@juniper.net>
To: "t.petch" <ietfc@btconnect.com>, "Bert Wijnen (IETF)" <bertietf@bwijnen.net>
Thread-Topic: [Netconf] WG Last Call Comments ondraft-ietf-netconf-reverse-ssh-03.txt
Thread-Index: AQHPU0KVQTfYkuZcEUioVZNKor+uVZsHpGQA
Date: Tue, 08 Apr 2014 16:24:01 +0000
Message-ID: <CF69971C.685E2%kwatsen@juniper.net>
References: <201403251517.LAA15291@adminfs.snmp.com> <CF58ED17.65F0C%kwatsen@juniper.net> <533D47CF.30402@bwijnen.net> <01f401cf5342$4d48d740$4001a8c0@gateway.2wire.net>
In-Reply-To: <01f401cf5342$4d48d740$4001a8c0@gateway.2wire.net>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
user-agent: Microsoft-MacOutlook/14.3.9.131030
x-originating-ip: [66.129.241.13]
x-forefront-prvs: 017589626D
Content-Type: text/plain; charset="us-ascii"
Content-ID: <C878B60E13DDF8469E2B17DECEF83DB5@namprd05.prod.outlook.com>
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
X-FOPE-CRA-Verdict: 157.56.240.101$btconnect.com%0%1%DuplicateDomain-c684c95e-93ad-459f-9d80-96fa46cd75af.juniper.net%False%False%0$
X-OriginatorOrg: juniper.net
X-FOPE-CONNECTOR: Id%0$Dn%*$RO%0$TLS%0$FQDN%$TlsDn%
X-FOPE-CONNECTOR: Id%0$Dn%BTCONNECT.COM$RO%1$TLS%0$FQDN%$TlsDn%
Archived-At: http://mailarchive.ietf.org/arch/msg/netconf/L06pg4tJPswifiG9pCxTP6IIVQc
Cc: "netconf@ietf.org" <netconf@ietf.org>
Subject: Re: [Netconf] WG Last Call Comments ondraft-ietf-netconf-reverse-ssh-03.txt
X-BeenThere: netconf@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Network Configuration WG mailing list <netconf.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/netconf>, <mailto:netconf-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/netconf/>
List-Post: <mailto:netconf@ietf.org>
List-Help: <mailto:netconf-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/netconf>, <mailto:netconf-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 08 Apr 2014 16:24:15 -0000
Hi Tom, Thank you for voicing my own thoughts as well. I had previously raised the idea of merging the reverse-ssh draft into a 4742bis, but the WG agreed to keep it separate for simplicity sake. That said, I like symmetry, and it would be more consistent for 5539bis and a 4447bis, rather than what we have now. Just saying ;) Regarding Normative vs Informative, I recently asked about this and Bert said that it comes down to if said draft needs to be understood and/or implemented. If this is the condition, then I believe it swings to being Informative, as proprietary vendor-specific configuration could be used alternatively. As it is, the vendor can decide if they want to advertise urn:ietf:params:xml:ns:yang:ietf-netconf-server-model in their <hello> message. Are you suggesting that advertising this capability in the <hello> message should be required in order for an implementation to claim they implement Reverse SSH for NETCONF Call Home? Thanks, Kent On 4/8/14 9:44 AM, "t.petch" <ietfc@btconnect.com> wrote: >I do not think that this is ready to advance. I had not intended to >comment but having started on netconf-server, and found I had to read >5539bis to understand where it was going, I then found that reverse-ssh >was another piece of the jigsaw. > >In particular, I think that this I-D is more or less updating RFC4742 in >its considerations of security. And I think it may be confused about >public keys and certificates and their role in authentication. > >Taken together, and I do not think they can be considered separately, I >do not think that the three I-Ds give a coherent view of how to secure a >NETCONF session. > >I would point to the queries raised by Tadek and Bajpai which, to me on >the one hand seem spot on and on the other, seem to regard the subject >material of these three I-Ds as of a one - which I obviously agree with. > >I think that netconf-server is the one in most need of progress and see >it as a Normative, not Informative, prerequisite. > >Tom Petch > > >----- Original Message ----- >From: "Bert Wijnen (IETF)" <bertietf@bwijnen.net> >To: "Kent Watsen" <kwatsen@juniper.net> >Cc: <netconf@ietf.org> >Sent: Thursday, April 03, 2014 12:36 PM > >> WGLC period ended last Tuesday (April 1st). >> >> Kent, where are we with this one? >> >> Do you expect to post a rev 04 that addresses all comments we have >received? >> Either WGLC comments or other comments? Once that is done, I would >like to ask: >> - Kent to post which comments have not been addressed and why (if any) >> - If possible, Kent to post a summary of changes (although that may >already be >> in the document, and that is fine too). >> - All those that made comments to check if they are OK with the way >that >> they have been addressed or responded to. >> >> Bert >> >> On 27/03/14 17:02, Kent Watsen wrote: >> > >> > Hi Alan, >> > >> > >> > Awesome comments - thanks! >> > >> > >> > I applied all fixes mentioned below to my working copy of what will >be >> > -04, so you'll have to wait until then to see the diff. The reason >I'm >> > not posting -04 now is because I'm still trying to work out an issue >with >> > Applicability Statement and with the port's name. >> > >> > Below are my detailed responses. >> > >> > Cheers, >> > Kent >> > >> > >> > >> > >> > >> > >> > >> >> Typos >> >> ----- >> >> >> > >> > I fixed all the issues you found. >> > >> > >> > >> > >> > >> > >> >> Section 2.1, Page 3, Second Paragraph: (wording) >> >> ------------------------------------------------- >> >> >> >> The second paragraph seems vague. Would something along the lines >of >> >> the following text be clearer and/or more specific? >> > >> > I forwarded this comment to Steve Hanna, who wrote the Applicability >> > Statement. At first I was just going to ask if he was OK with the >> > proposed text, but then I started thinking that I didn't agree with >it. >> > That is, I think that the SSH protocol does require mutual >authentication >> > and that NETCONF's requirement that it be possible to derive a >"username" >> > from the transport doesn't change that. I'm still OK limiting >Reverse SSH >> > to just NETCONF, but I want the reason to be accurate. I'm now >waiting >> > for a response from Steve on this. >> > >> > >> > >> > >> > >> > >> > >> >> Section 4, Page 4: (wording) >> >> ----------------------------- >> >> >> >> The current text reads: >> >> >> >> o The NETCONF server initiates a TCP connection to the NETCONF >> >> client on the IANA-assigned Reverse SSH port YYYY. >> >> >> >> o The TCP connection is accepted and a TCP session is >established. >> > >> > >> > I'm not sure about this change since these bullet-points are >preceded by >> > the line "From the NETCONF server's perspective:". The intent is to >only >> > explain the NETCONF-server's perspective, and to let the next >section >> > provide the client's perspective. Currently, neither section >references >> > the remote peer, so that its text remains squarely focused on its >side of >> > the connection. What do you think? >> > >> > >> > >> > >> > >> > >> > >> >> Section 5, Page 5, First Paragraph: (wording) >> >> ---------------------------------------------- >> >> >> >> The current text reads: >> >> >> >> "When the management system accepts a new incoming connection, >it >> >> needs to authenticate the remote peer. Ultimately, this >entails >> >> identifying the peer and verifying its SSH host key. >> >> >> >> Due to Reverse SSH having the network element initiate the TCP >> >> connection," >> > >> > >> > I changed the wording to be more clear, but did it another way, >please let >> > me know if you think it's OK! >> > >> > >> > >> > >> > >> > >> > >> > >> >> Section 5, Page 6, First Paragraph: (clarification) >> >> ---------------------------------------------------- >> >> >> >> The current text reads: >> >> >> >> "However, configuring distinct host keys on the management >system >> >> doesn't scale well, which is an important consideration to a >network >> >> management system. A more scalable strategy is to have the >network >> >> element's host key signed by a common trusted key, such as a >> >> certificate authority. Thus, the mangement system only needs to >> >> trust a single public key, which vouches for the authenticity of >the >> >> various network element public keys." >> >> >> >> Please help me understand this. The way this paragraph is written, >it >> >> is not clear to me why "signing each network element's host key >with a >> >> common trusted key" scales better than "configuring distinct host >keys >> >> on the management system". >> >> >> >> In either of these two situations, it seems like an administrator >must >> >> do work for each network element. In one case, it is configuring >host >> >> keys, in another, it is signing each network element's host key. >If >> >> anything, it seems like signing a host key for each network element >> >> requires _more_ work for each network element, so it seems like >this >> >> would scale less well. >> >> >> >> What am I missing here? >> > >> > >> > Very good question. Of course it comes down to how the device's >"entity >> > certificates", as they are called, is distributed. In the best >case, as >> > described in the zero-touch draft, the device would ship from >factory with >> > a built-in entity-certificate, signed by a trust-chain to its >vendor's >> > well-known trust anchor. In this case, there is no additional >effort >> > needed, the management system only needs to trust the vendor's >certificate >> > for its well-known trust anchor. For cases where the device doesn't >ship >> > from factory with an entity-certificate, introducing PKI is still >> > advantageous as it decouples the management-system from direct >> > involvement, such that it could be outsourced to some 3rd-party. >Makes >> > sense? What update would you like to see in the draft? >> > >> > >> > >> > >> > >> > >> > >> > >> >> Section 7, Page 7, Third Paragraph: (wording) >> >> ---------------------------------------------- >> >> >> >> In a few places in the third paragraph, and possibly in other >places >> >> in the document, would changing "needs to" to lowercase "must", or >> >> lowercase "should", make the document a little more concise? >Example: >> >> >> >> "Note that since the SSH server would have to be configured to >know >> >> which IP address it needs to connect to," >> >> ^^^^^^^^ >> > >> > >> > I changed "needs to" to "is to" for this cited location and another >I >> > found. >> > >> > >> > >> > >> > >> > Thanks again, >> > Kent >> > >> > >> > >> > >> > >> > >> > >> > >> > _______________________________________________ >> > Netconf mailing list >> > Netconf@ietf.org >> > https://www.ietf.org/mailman/listinfo/netconf >> > >> >> _______________________________________________ >> Netconf mailing list >> Netconf@ietf.org >> https://www.ietf.org/mailman/listinfo/netconf > > >
- [Netconf] Comments on draft-ietf-netconf-reverse-… Alan Luchuk
- Re: [Netconf] Comments on draft-ietf-netconf-reve… Kent Watsen
- Re: [Netconf] Comments on draft-ietf-netconf-reve… Alan Luchuk
- Re: [Netconf] WG Last Call Comments on draft-ietf… Bert Wijnen (IETF)
- Re: [Netconf] WG Last Call Comments on draft-ietf… Kent Watsen
- Re: [Netconf] WG Last Call Comments ondraft-ietf-… t.petch
- Re: [Netconf] WG Last Call Comments ondraft-ietf-… Kent Watsen
- Re: [Netconf] WG Last Call Comments ondraft-ietf-… t.petch
- Re: [Netconf] WG Last Call Comments ondraft-ietf-… Kent Watsen
- Re: [Netconf] WG Last Call Comments ondraft-ietf-… Juergen Schoenwaelder
- Re: [Netconf] WG Last Call Comments ondraft-ietf-… Kent Watsen
- Re: [Netconf] WG Last Call Comments ondraft-ietf-… Martin Bjorklund
- [Netconf] periodic connections, heartbeats, recon… t.petch
- Re: [Netconf] WG Last Call Comments ondraft-ietf-… t.petch
- Re: [Netconf] WG Last Call Comments ondraft-ietf-… Kent Watsen
- Re: [Netconf] WG Last Call Comments ondraft-ietf-… t.petch
- Re: [Netconf] periodic connections, heartbeats, r… Kent Watsen
- Re: [Netconf] periodic connections, heartbeats, r… t.petch
- Re: [Netconf] WG Last Call Comments ondraft-ietf-… t.petch
- Re: [Netconf] WG Last Call Comments ondraft-ietf-… Bert Wijnen (IETF)
- Re: [Netconf] WG Last Call Comments ondraft-ietf-… t.petch
- Re: [Netconf] WG Last Call Comments ondraft-ietf-… Kent Watsen
- Re: [Netconf] WG Last Call Comments ondraft-ietf-… Kent Watsen
- Re: [Netconf] WG Last Call Comments ondraft-ietf-… t.petch
- Re: [Netconf] WG Last Call Comments ondraft-ietf-… t.petch
- [Netconf] Netconf keep-alive (was periodic connec… Liubing (Leo)
- Re: [Netconf] Netconf keep-alive (was periodic co… Andy Bierman
- Re: [Netconf] Netconf keep-alive (was periodic co… Liubing (Leo)
- Re: [Netconf] Netconf keep-alive (was periodic co… t.petch
- Re: [Netconf] Netconf keep-alive (was periodic co… Andy Bierman
- Re: [Netconf] Netconf keep-alive (was periodic co… Kent Watsen
- Re: [Netconf] Netconf keep-alive (was periodic co… Phil Shafer
- Re: [Netconf] Netconf keep-alive (was periodic co… Andy Bierman
- Re: [Netconf] Netconf keep-alive (was periodic co… Andy Bierman
- Re: [Netconf] WG Last Call Comments ondraft-ietf-… Kent Watsen
- Re: [Netconf] Netconf keep-alive (was periodic co… t.petch
- Re: [Netconf] Netconf keep-alive (was periodic co… t.petch
- Re: [Netconf] Netconf keep-alive (was periodic co… Andy Bierman
- Re: [Netconf] Netconf keep-alive (was periodic co… t.petch
- Re: [Netconf] WG Last Call Comments ondraft-ietf-… t.petch
- Re: [Netconf] WG Last Call Comments ondraft-ietf-… Kent Watsen
- Re: [Netconf] WG Last Call Comments ondraft-ietf-… Kent Watsen
- Re: [Netconf] WG Last Call Comments ondraft-ietf-… t.petch
- Re: [Netconf] WG Last Call Comments ondraft-ietf-… Kent Watsen
- Re: [Netconf] Netconf keep-alive (was periodic co… Kent Watsen
- Re: [Netconf] Netconf keep-alive Martin Bjorklund
- Re: [Netconf] Netconf keep-alive t.petch
- Re: [Netconf] Netconf keep-alive (was periodic co… t.petch
- Re: [Netconf] WG Last Call Comments ondraft-ietf-… t.petch
- [Netconf] Netconf running state indication-//RE: … Liubing (Leo)
- Re: [Netconf] Netconf running state indication-//… t.petch
- Re: [Netconf] Netconf running state indication-//… Liubing (Leo)
- Re: [Netconf] Netconf running state indication-//… t.petch
- Re: [Netconf] Netconf running state indication-//… Radek Krejčí
- Re: [Netconf] Netconf running state indication-//… Liubing (Leo)
- Re: [Netconf] Netconf running state indication-//… Liubing (Leo)