IETF Logo Mail Archive

Re: [Netconf] WG Last Call Comments ondraft-ietf-netconf-reverse-ssh-03.txt

Kent Watsen <kwatsen@juniper.net> Wed, 14 May 2014 21:30 UTC

Return-Path: <kwatsen@juniper.net>
X-Original-To: netconf@ietfa.amsl.com
Delivered-To: netconf@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B71BD1A0202 for <netconf@ietfa.amsl.com>; Wed, 14 May 2014 14:30:42 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.602
X-Spam-Level:
X-Spam-Status: No, score=-2.602 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_LOW=-0.7, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ys6kRH89jC14 for <netconf@ietfa.amsl.com>; Wed, 14 May 2014 14:30:40 -0700 (PDT)
Received: from na01-by2-obe.outbound.protection.outlook.com (mail-by2lp0242.outbound.protection.outlook.com [207.46.163.242]) by ietfa.amsl.com (Postfix) with ESMTP id 9E4A61A01F0 for <netconf@ietf.org>; Wed, 14 May 2014 14:30:40 -0700 (PDT)
Received: from CO1PR05MB458.namprd05.prod.outlook.com (10.141.72.140) by CO1PR05MB458.namprd05.prod.outlook.com (10.141.72.140) with Microsoft SMTP Server (TLS) id 15.0.944.11; Wed, 14 May 2014 21:30:32 +0000
Received: from CO1PR05MB458.namprd05.prod.outlook.com ([169.254.10.51]) by CO1PR05MB458.namprd05.prod.outlook.com ([169.254.10.51]) with mapi id 15.00.0944.000; Wed, 14 May 2014 21:30:32 +0000
From: Kent Watsen <kwatsen@juniper.net>
To: "t.petch" <ietfc@btconnect.com>, "Bert Wijnen (IETF)" <bertietf@bwijnen.net>
Thread-Topic: [Netconf] WG Last Call Comments ondraft-ietf-netconf-reverse-ssh-03.txt
Thread-Index: AQHPU0KVQTfYkuZcEUioVZNKor+uVZsro1aWgAfuBgCAAXRlEYAAS5QAgAFCeQGAAhhMgIAEWebjgAARYgCAAuzV2IAAia6A
Date: Wed, 14 May 2014 21:30:31 +0000
Message-ID: <CF99485B.7172F%kwatsen@juniper.net>
References: <201403251517.LAA15291@adminfs.snmp.com> <CF58ED17.65F0C%kwatsen@juniper.net> <533D47CF.30402@bwijnen.net> <01f401cf5342$4d48d740$4001a8c0@gateway.2wire.net> <032f01cf6524$71cb2340$4001a8c0@gateway.2wire.net> <5368C366.8070509@bwijnen.net> <023701cf69d5$abcfb320$4001a8c0@gateway.2wire.net> <CF8FD96F.6E752%kwatsen@juniper.net> <007201cf6a9c$aa76f980$4001a8c0@gateway.2wire.net> <CF929D94.6F4D4%kwatsen@juniper.net> <00da01cf6dd5$ce36e740$4001a8c0@gateway.2wire.net> <CF9664F8.6F7B6%kwatsen@juniper.net> <021c01cf6f54$e6ed96a0$4001a8c0@gateway.2wire.net>
In-Reply-To: <021c01cf6f54$e6ed96a0$4001a8c0@gateway.2wire.net>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
user-agent: Microsoft-MacOutlook/14.4.1.140326
x-originating-ip: [66.129.241.13]
x-forefront-prvs: 0211965D06
x-forefront-antispam-report: SFV:NSPM; SFS:(979002)(6009001)(428001)(164054003)(189002)(199002)(40224001)(21056001)(19300405004)(64706001)(99396002)(83506001)(54356999)(83322001)(19580395003)(99286001)(76482001)(46102001)(74502001)(36756003)(77982001)(76176999)(81342001)(83072002)(85852003)(2656002)(20776003)(79102001)(87936001)(66066001)(86362001)(80022001)(4396001)(92566001)(81542001)(74662001)(50986999)(31966008)(92726001)(101416001)(562404015)(969003)(989001)(999001)(1009001)(1019001); DIR:OUT; SFP:; SCL:1; SRVR:CO1PR05MB458; H:CO1PR05MB458.namprd05.prod.outlook.com; FPR:; MLV:ovrnspm; PTR:InfoNoRecords; MX:1; A:1; LANG:en;
received-spf: None (: juniper.net does not designate permitted sender hosts)
authentication-results: spf=none (sender IP is ) smtp.mailfrom=kwatsen@juniper.net;
Content-Type: text/plain; charset="us-ascii"
Content-ID: <3F6475BB3B7FD347AB756C937CE9B119@namprd05.prod.outlook.com>
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
X-OriginatorOrg: juniper.net
Archived-At: http://mailarchive.ietf.org/arch/msg/netconf/SLbgo6WcDKiO_B-C54GxPsWZRN4
Cc: "netconf@ietf.org" <netconf@ietf.org>
Subject: Re: [Netconf] WG Last Call Comments ondraft-ietf-netconf-reverse-ssh-03.txt
X-BeenThere: netconf@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Network Configuration WG mailing list <netconf.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/netconf>, <mailto:netconf-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/netconf/>
List-Post: <mailto:netconf@ietf.org>
List-Help: <mailto:netconf-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/netconf>, <mailto:netconf-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 14 May 2014 21:30:42 -0000

Hi Tom,


>No, we are still not meeting anywhere in the middle.

On this we can agree, but hopefully we'll get there soon  ;)



>It seems to me that you are proposing that all devices share the same
>private key and so the same public key (in which case the choice of CA
>seems irrelevant).

Of course not, each device must have unique private keys.  The zero-touch
draft goes into more specifics regarding certificate construction and use
of PKI.



>As
>http://www.rfc-editor.org/rfc/rfc5592.txt
>says "this requires the client
>   to know the host's public key a priori and to verify that the correct
>   key is being used."
>which is the sort of thing I would expect to see, in the absence of
>X.509 certificates.  With certificates, then you know the subjectAltName
>a priori.  Either way, you configure the NMS for every device.


The zero-touch draft touches on this as well:

Section 3.5:

   The NMS SHOULD also validate that the unique identifier (e.g., serial
   number), within the "Common Name" field of the device's X.509
   certificate, is an identity that the NMS is expecting, and not
   another device having the same device type.  In order for the NMS to
   know the unique identifiers for devices shipped directly to their
   destinations, it may be necessary for the device manufacturer to
   provide the unique identifiers along with other shipping or billing
   information.  This draft not specify a format for this information
   exchange.



Section 4.1:

   The unique identifier MUST be something that is both known to the
   device and easily tracked through labels affixed to the device as
   well as the box it is packaged in.  A device's serial number is
   commonly treated this way and would be suitable for this purpose.


I guess my point is that we agree on how the solution can scale.  The
reverse-ssh draft leaves it up to deployments to decide what to do, while
the zero-touch draft specifies a specific solution that satisfies all its
particular use-cases.


Thanks,
Kent

v2.23.0 | Report a Bug | By Email