Re: [Netconf] review of draft-ietf-netconf-ssh-client-server-03 and draft-ietf-netconf-tls-client-server-03
Juergen Schoenwaelder <j.schoenwaelder@jacobs-university.de> Tue, 22 August 2017 06:22 UTC
Return-Path: <j.schoenwaelder@jacobs-university.de>
X-Original-To: netconf@ietfa.amsl.com
Delivered-To: netconf@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id DE1EA132195 for <netconf@ietfa.amsl.com>; Mon, 21 Aug 2017 23:22:09 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.899
X-Spam-Level:
X-Spam-Status: No, score=-1.899 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id fgTcC_QR0k8j for <netconf@ietfa.amsl.com>; Mon, 21 Aug 2017 23:22:06 -0700 (PDT)
Received: from atlas5.jacobs-university.de (atlas5.jacobs-university.de [212.201.44.20]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 729341320B5 for <netconf@ietf.org>; Mon, 21 Aug 2017 23:22:06 -0700 (PDT)
Received: from localhost (demetrius5.irc-it.jacobs-university.de [10.70.0.222]) by atlas5.jacobs-university.de (Postfix) with ESMTP id 24E6C360; Tue, 22 Aug 2017 08:22:05 +0200 (CEST)
X-Virus-Scanned: amavisd-new at jacobs-university.de
Received: from atlas5.jacobs-university.de ([10.70.0.217]) by localhost (demetrius5.jacobs-university.de [10.70.0.222]) (amavisd-new, port 10032) with ESMTP id oDoBxOu9Rmkm; Tue, 22 Aug 2017 08:22:00 +0200 (CEST)
Received: from hermes.jacobs-university.de (hermes.jacobs-university.de [212.201.44.23]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client CN "hermes.jacobs-university.de", Issuer "Jacobs University CA - G01" (verified OK)) by atlas5.jacobs-university.de (Postfix) with ESMTPS; Tue, 22 Aug 2017 08:22:05 +0200 (CEST)
Received: from localhost (demetrius1.jacobs-university.de [212.201.44.46]) by hermes.jacobs-university.de (Postfix) with ESMTP id 004B7200E1; Tue, 22 Aug 2017 08:22:05 +0200 (CEST)
X-Virus-Scanned: amavisd-new at jacobs-university.de
Received: from hermes.jacobs-university.de ([212.201.44.23]) by localhost (demetrius1.jacobs-university.de [212.201.44.32]) (amavisd-new, port 10024) with ESMTP id h30OozsuLLUZ; Tue, 22 Aug 2017 08:22:03 +0200 (CEST)
Received: from elstar.local (elstar.jacobs.jacobs-university.de [10.50.231.133]) by hermes.jacobs-university.de (Postfix) with ESMTP id E1465200E0; Tue, 22 Aug 2017 08:22:03 +0200 (CEST)
Received: by elstar.local (Postfix, from userid 501) id 96DFA4046B11; Tue, 22 Aug 2017 08:22:03 +0200 (CEST)
Date: Tue, 22 Aug 2017 08:22:03 +0200
From: Juergen Schoenwaelder <j.schoenwaelder@jacobs-university.de>
To: Kent Watsen <kwatsen@juniper.net>
Cc: "netconf@ietf.org" <netconf@ietf.org>
Message-ID: <20170822062203.tpisslwgbstdout2@elstar.local>
Reply-To: Juergen Schoenwaelder <j.schoenwaelder@jacobs-university.de>
Mail-Followup-To: Kent Watsen <kwatsen@juniper.net>, "netconf@ietf.org" <netconf@ietf.org>
References: <20170803112619.GA35785@elstar.local> <2465A343-16D3-4DD1-9AF8-6007D108084A@juniper.net> <20170811142428.GD46402@elstar.local> <BDEA59B2-46EF-4A67-BA30-410A2B1D30AE@juniper.net> <20170821092717.menstdafm6dpw6at@elstar.local> <3676A0F4-4631-42C6-B1E6-259ADA247C37@juniper.net>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Disposition: inline
In-Reply-To: <3676A0F4-4631-42C6-B1E6-259ADA247C37@juniper.net>
User-Agent: NeoMutt/20170714 (1.8.3)
Archived-At: <https://mailarchive.ietf.org/arch/msg/netconf/NTaRinlGd7hDn768MCs79TId1g8>
Subject: Re: [Netconf] review of draft-ietf-netconf-ssh-client-server-03 and draft-ietf-netconf-tls-client-server-03
X-BeenThere: netconf@ietf.org
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: Network Configuration WG mailing list <netconf.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/netconf>, <mailto:netconf-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/netconf/>
List-Post: <mailto:netconf@ietf.org>
List-Help: <mailto:netconf-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/netconf>, <mailto:netconf-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 22 Aug 2017 06:22:10 -0000
On Mon, Aug 21, 2017 at 11:09:27PM +0000, Kent Watsen wrote: > Hi Juergen, > > > >> >> For the ssh-client-server draft > >> >> =============================== > >> >> > >> >> > - The overall setup is somewhat complicated but I do understand why. > >> >> > Obviously, the attempts to make things generic come with a price > >> >> > since many YANG definitions interact with other definitions that > >> >> > need to be understood. And while the end result is that we can > >> >> > configure SSH clients and servers for NETCONF, we only have a > >> >> > collection of groupings to configure a regular SSH client or > >> >> > server. Should we have an instantiation of these groupings for > >> >> > regular SSH clients and servers as well? > >> >> > >> >> I'm hoping to not have to do this, but can see that there might be > >> >> value in doing so in order to further proof-out the model. To do > >> >> this right would entail something like what Clyde did for the syslog > >> >> model in evaluating many vendor's implementations to find a common > >> >> denominator. I can imagine the WG undertaking such an analysis for > >> >> an SSH-server container, but I fail to see how it could be done for > >> >> an SSH-client container. Also, when thinking about symmetry to the > >> >> tls-client-server draft, note that the idea of creating a container > >> >> for a TLS-server doesn't make sense (which one, right?) > >> > > >> > Yes, for TLS there is no a common standalone TLS service. For SSH, > >> > there is however since SSH was created for a specific service (while > >> > TLS was created as a plugin to secure another existing service). > >> > > >> > The client question we discussed before and I tend to agree that > >> > usually a client you configure is embedded into some other > >> > functionality that likely has its own configuration, so having a > >> > grouping is OK. > >> > > >> > But since there are SSH servers out there, do we expect this ID to > >> > just provide groupings and we hope that some other module later comes > >> > along and picks up the groupings and turns them into a more general > >> > SSH server configuration model? > >> > >> This is my hope, so as to limit the scope of this document. > >> > >> > >> > My understanding is that NC implementations actually come in different > >> > forms, some simply running behind a regular SSH server while others > >> > come with their own integrated SSH server. Does this affect the data > >> > model? > >> > >> I think JUNOS is an example where the NC server runs "behind an SSH > >> server", but it's not really "behind" so much as a fork/exec of an > >> sshd process running the "netconf" subsystem (i.e., the NC server). > >> Is this what you meant? > >> > >> Regardless, I don't see a need to change either the ietf-netconf-server > >> or ietf-ssh-server data models to support either the fork/exec or > >> link-to-library implementation strategies. Do you? > > > > Well, if your server is running as a subsystem of your regular SSH > > daemon, then I think your SSH daemon configuration and your NETCONF > > specific SSH configuration are essentially the same, no? Or more > > precisely, you have an SSH daemon configuration plus a statement that > > enables NETCONF as a subsystem, but you do not have a NETCONF specific > > SSH configuration. > > Not exactly. There's SSH listening on port 22 and then there is SSH > listening on port 830. When listening on 830, it can be a separate > instance of `sshd` and given unique startup parameters (e.g., the > sshd_config file). It is not expected that this configuration > (ietf-netconf-server) would ever influence the SSH listening on > port 22. So are you running a separate SSH server just for NETCONF or not? I am not asking about 'it _can_ be given unique parameters'. > Back to if the implementation strategy can affects the data model, my > assertion is that the startup parameters are equally applicable, whether > using the fork/exec (e.g., instances of `sshd`) or the link-to-library > (e.g., a python script), and therefore I don't think the implementation > strategy affects the data model. The question is whether there is a separate SSH daemon for NETCONF or NETCONF is just hooked up the SSH daemon also used for other services. I think this does make a difference, no? > > >> >> This sounds a lot like what was discussed before about configuring > >> >> NC/RC clients to authentication to call-home connections. We decided > >> >> to just support a single set of auth params that would be used for all > >> >> servers (and not define a server-id to client-auth mapping). So, this > >> >> grouping may not work well in some examples. Is it okay? > >> > > >> > Perhaps not supporting SNI is sufficient for network management > >> > purposes but then also pretty clearly the TLS groupings are not > >> > generally usable. > >> > >> Thinking about this some more, it seems my previous response > >> wasn't on target. This isn't about what auth-credentials the > >> client passes, so much as how the client indicates the server > >> it wants to connect to in its client hello message. It > >> seems like something to configure SNI should be added to > >> ietf-tls-client, how about this? > >> > >> +-- server-name-indication > >> +-- server-name* [name-type] > >> +-- name-type enumeration (e.g., 'hostname') > >> +-- name-value anydata (e.g., foobar.example.com) > >> > > Second guessing myself here, does this really need to be configuration > or is the client-side of SNI just a function of how the code works? It is the server side that matters I think. > > > > Well, the TLS spec text does not help me to configure this such that I > > get the right certificate selected for the SNI presented... > > Peaking at TLS 1.3, draft-ietf-tls-tls13-21#section-4.4.2.2 says: > > - The "server_name" and "certificate_authorities" extensions > [RFC6066] are used to *guide certificate selection*. > > and in S4.2.4 it says: > > The "trusted_ca_keys" extension, which serves a similar purpose > [RFC6066], but is more complicated, is not used in TLS 1.3 (although > it may appear in ClientHello messages from clients which are offering > prior versions of TLS). > > So, there's at least 3 different ways that the server can go about > selecting which certificates it sends. To me, this again seems like > something maybe the server's code does internally - e.g., it sifts > through all the certs it has (i.e. list certificate in the YANG model), > sending the subset matching protocol-level criteria. Do you know? > > Peaking at NGINX config, it seems to have a config like: > > +--- server* [ <not sure what the key might be> ] > +--- listen inet:port // 443 > +--- server_name string // example.com > +--- root string // /usr/share/nginx/www > +--- ssl Boolean // on > +--- ssl_certificate // /etc/nginx/ssl/example.org/server.crt; > +--- ssl_certificate_key // /etc/nginx/ssl/example.org/server.key; > > Note that the TLS-part of the config has been splayed across the > app-specific config. By contrast, the groupings we have now are more > for a single SSL host (not virtual hosting). We could add 'sni-to-name' > mapping structures, but we it be helpful to complex TLS apps like NGINX? > I think the key here is server_name as this allows nginx to multiplex incoming connections to the "right" list instance, i.e., I can have multiple server configured to listen on the same port and the TLS SNI indication provides a hint which list instance is used and this implies the correct security parameters. /js -- Juergen Schoenwaelder Jacobs University Bremen gGmbH Phone: +49 421 200 3587 Campus Ring 1 | 28759 Bremen | Germany Fax: +49 421 200 3103 <http://www.jacobs-university.de/>
- [Netconf] review of draft-ietf-netconf-ssh-client… Juergen Schoenwaelder
- Re: [Netconf] review of draft-ietf-netconf-ssh-cl… Juergen Schoenwaelder
- Re: [Netconf] review of draft-ietf-netconf-ssh-cl… Kent Watsen
- Re: [Netconf] review of draft-ietf-netconf-ssh-cl… Gary Wu (garywu)
- Re: [Netconf] review of draft-ietf-netconf-ssh-cl… Juergen Schoenwaelder
- Re: [Netconf] review of draft-ietf-netconf-ssh-cl… Juergen Schoenwaelder
- Re: [Netconf] review of draft-ietf-netconf-ssh-cl… Kent Watsen
- Re: [Netconf] review of draft-ietf-netconf-ssh-cl… Juergen Schoenwaelder
- Re: [Netconf] review of draft-ietf-netconf-ssh-cl… Kent Watsen
- Re: [Netconf] review of draft-ietf-netconf-ssh-cl… Juergen Schoenwaelder
- Re: [Netconf] review of draft-ietf-netconf-ssh-cl… Kent Watsen
- Re: [Netconf] review of draft-ietf-netconf-ssh-cl… Kent Watsen
- Re: [Netconf] review of draft-ietf-netconf-ssh-cl… Juergen Schoenwaelder
- Re: [Netconf] review of draft-ietf-netconf-ssh-cl… Kent Watsen