Re: [Netconf] WG Last Call Comments ondraft-ietf-netconf-reverse-ssh-03.txt
t.petch <ietfc@btconnect.com> Thu, 08 May 2014 09:08 UTC
Return-Path: <ietfc@btconnect.com>
X-Original-To: netconf@ietfa.amsl.com
Delivered-To: netconf@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 4F4C91A026A for <netconf@ietfa.amsl.com>; Thu, 8 May 2014 02:08:04 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.601
X-Spam-Level:
X-Spam-Status: No, score=-2.601 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_LOW=-0.7, SPF_HELO_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 9ifgun98iZOh for <netconf@ietfa.amsl.com>; Thu, 8 May 2014 02:07:59 -0700 (PDT)
Received: from emea01-am1-obe.outbound.protection.outlook.com (mail-am1lp0013.outbound.protection.outlook.com [213.199.154.13]) by ietfa.amsl.com (Postfix) with ESMTP id AEBCE1A0239 for <netconf@ietf.org>; Thu, 8 May 2014 02:07:58 -0700 (PDT)
Received: from DBXPRD0210HT001.eurprd02.prod.outlook.com (157.56.253.181) by DB3PR07MB059.eurprd07.prod.outlook.com (10.242.137.149) with Microsoft SMTP Server (TLS) id 15.0.939.12; Thu, 8 May 2014 09:07:52 +0000
Message-ID: <007201cf6a9c$aa76f980$4001a8c0@gateway.2wire.net>
From: "t.petch" <ietfc@btconnect.com>
To: Kent Watsen <kwatsen@juniper.net>, "Bert Wijnen (IETF)" <bertietf@bwijnen.net>
References: <201403251517.LAA15291@adminfs.snmp.com> <CF58ED17.65F0C%kwatsen@juniper.net> <533D47CF.30402@bwijnen.net> <01f401cf5342$4d48d740$4001a8c0@gateway.2wire.net> <032f01cf6524$71cb2340$4001a8c0@gateway.2wire.net> <5368C366.8070509@bwijnen.net> <023701cf69d5$abcfb320$4001a8c0@gateway.2wire.net> <CF8FD96F.6E752%kwatsen@juniper.net>
Date: Thu, 08 May 2014 09:59:31 +0100
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: 8bit
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2800.1106
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1106
X-Originating-IP: [157.56.253.181]
X-ClientProxiedBy: AM3PR07CA0045.eurprd07.prod.outlook.com (10.141.45.173) To DB3PR07MB059.eurprd07.prod.outlook.com (10.242.137.149)
X-Forefront-PRVS: 0205EDCD76
X-Forefront-Antispam-Report: SFV:NSPM; SFS:(10009001)(979002)(6009001)(428001)(51444003)(51704005)(189002)(164054003)(199002)(377454003)(40224001)(13464003)(50226001)(76176999)(66066001)(81686999)(79102001)(62236002)(20776003)(50466002)(77982001)(88136002)(89996001)(50986999)(99396002)(44736004)(84392001)(19580395003)(93916002)(101416001)(46102001)(76482001)(74502001)(42186004)(87976001)(92726001)(19580405001)(86362001)(83322001)(4396001)(44716002)(33646001)(31966008)(81342001)(85852003)(61296002)(62966002)(81816999)(80022001)(83072002)(74662001)(87286001)(47776003)(1941001)(64706001)(92566001)(77156001)(21056001)(23756003)(14496001)(81542001)(74416001)(7726001)(969003)(989001)(999001)(1009001)(1019001); DIR:OUT; SFP:1101; SCL:1; SRVR:DB3PR07MB059; H:DBXPRD0210HT001.eurprd02.prod.outlook.com; FPR:; MLV:ovrnspm; PTR:InfoNoRecords; MX:1; A:0; LANG:en;
Received-SPF: None (: btconnect.com does not designate permitted sender hosts)
Authentication-Results: spf=none (sender IP is ) smtp.mailfrom=ietfc@btconnect.com;
X-OriginatorOrg: btconnect.com
Archived-At: http://mailarchive.ietf.org/arch/msg/netconf/SgNTg2jRFnjbEcO6IBkmXRg38hY
Cc: netconf@ietf.org
Subject: Re: [Netconf] WG Last Call Comments ondraft-ietf-netconf-reverse-ssh-03.txt
X-BeenThere: netconf@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Network Configuration WG mailing list <netconf.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/netconf>, <mailto:netconf-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/netconf/>
List-Post: <mailto:netconf@ietf.org>
List-Help: <mailto:netconf-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/netconf>, <mailto:netconf-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 08 May 2014 09:08:04 -0000
----- Original Message ----- From: "Kent Watsen" <kwatsen@juniper.net> To: "t.petch" <ietfc@btconnect.com>; "Bert Wijnen (IETF)" <bertietf@bwijnen.net> Cc: <netconf@ietf.org> Sent: Wednesday, May 07, 2014 6:54 PM Hi Tom, >So, my still outstanding points are > >- s.5, re-arrange to dovetail better with 5539bis My understanding is that you believe that both drafts share the issue of the northbound management application being able to identify and verify the [SSH/TLS] server that uses call-home to connect to it. I agree. And that the text in the reverse-ssh draft, while ostensibly about SSH host keys, could similarly apply to TLS and its use of X.509 certificates. I agree again, there is an overlap. Thus you think that much of the text should be moved to 5539bis and for the reverse-ssh draft to reference it there. I don¹t agree, for two reasons: 1) if there is a need to define common call-home behavior, we should have a ³call-home² draft that covers both TLS and SSH call-home together. I recall this being one of the options discussed before, but the WG decided to move ahead with this document structure. In lieu of that, I think that the reverse-ssh draft is closer to being a ³call-home² draft than 5539bis, and so suggest putting common call-home information into it, perhaps pulled out into a section called ³common call-home behavious² - what do you think? 2) The text in the reverse-ssh draft is also much about the use of legacy host-keys versus the new X.509 based keys with SSH. Saying that use of legacy keys is possible and allowed, but fraught with issues that are resolved when using X.509 keys. Maybe this needs to be may clearer, but I don¹t think the information should be lost. <tp> Kent No, I think I am not making myself clear. I am not saying that we need a common call home section. I am saying that having obtained a public key somehow, then it needs verifying, that it is tied to the party that we are trying to communicate with, and that that process is largely the same whether this is call home or not. One form of verification is using X.509 certs, and that is the usual way for TLS. My logic then is put everything we have to say about the use of X.509 certs for verification in the TLS I-D and reference it from the (reverse-)ssh I-D. The approach is the same for SSH and TLS and call home and not call home IMHO so put it in the one place. Currently, reverse-ssh lacks some of the points that 5539bis makes about the use of certs, and the base ssh RFC says nothing, but reverse-ssh has points that 5539bis does not such as the paragraph " Since both the identification and verification issues are addressed using certificates, this draft RECOMMENDS network elements use a host key that can encode a unique identifier (e.g., its serial number) and be signed by a common trust anchor (e.g., a certificate authority). Examples of suitable public host keys are the X.509v3 keys defined in defined in [RFC6187]." 5539bis would be better for having that information in it alongside what it currently has so I would move that to 5539bis leaving behind something like " Since both the identification and verification issues are addressed using certificates, this draft RECOMMENDS network elements use them - more details can be found in [5539bis]." By contrast, the use of raw public keys is rare in TLS and commonplace in SSH, so I would keep everything about that that is currently there in reverse-ssh - mostly it is nothing to do with call home but the base ssh RFC does not cover it so we might as well do the job properly now. So between them, reverse-ssh and 5539bis currently have all we need, it is just that you have to read both in tandem to learn what you should know. Tom Petch >- wordsmith the Abstract/Introduction (as first suggested last >November:-) where I think the first reference to 'SSH Connection' is >wrong, so make it something like > >"This memo presents a technique for a NETCONF server to request that a >NETCONF client initiates a SSH connection to the NETCONF server, >a technique referred to as 'call home'." I like this text, especially since we switched everything else to "call-home" in -05. I just updated my local copy this this change, but will wait for resolution of the above before putting out -06 Thanks, Kent
- [Netconf] Comments on draft-ietf-netconf-reverse-… Alan Luchuk
- Re: [Netconf] Comments on draft-ietf-netconf-reve… Kent Watsen
- Re: [Netconf] Comments on draft-ietf-netconf-reve… Alan Luchuk
- Re: [Netconf] WG Last Call Comments on draft-ietf… Bert Wijnen (IETF)
- Re: [Netconf] WG Last Call Comments on draft-ietf… Kent Watsen
- Re: [Netconf] WG Last Call Comments ondraft-ietf-… t.petch
- Re: [Netconf] WG Last Call Comments ondraft-ietf-… Kent Watsen
- Re: [Netconf] WG Last Call Comments ondraft-ietf-… t.petch
- Re: [Netconf] WG Last Call Comments ondraft-ietf-… Kent Watsen
- Re: [Netconf] WG Last Call Comments ondraft-ietf-… Juergen Schoenwaelder
- Re: [Netconf] WG Last Call Comments ondraft-ietf-… Kent Watsen
- Re: [Netconf] WG Last Call Comments ondraft-ietf-… Martin Bjorklund
- [Netconf] periodic connections, heartbeats, recon… t.petch
- Re: [Netconf] WG Last Call Comments ondraft-ietf-… t.petch
- Re: [Netconf] WG Last Call Comments ondraft-ietf-… Kent Watsen
- Re: [Netconf] WG Last Call Comments ondraft-ietf-… t.petch
- Re: [Netconf] periodic connections, heartbeats, r… Kent Watsen
- Re: [Netconf] periodic connections, heartbeats, r… t.petch
- Re: [Netconf] WG Last Call Comments ondraft-ietf-… t.petch
- Re: [Netconf] WG Last Call Comments ondraft-ietf-… Bert Wijnen (IETF)
- Re: [Netconf] WG Last Call Comments ondraft-ietf-… t.petch
- Re: [Netconf] WG Last Call Comments ondraft-ietf-… Kent Watsen
- Re: [Netconf] WG Last Call Comments ondraft-ietf-… Kent Watsen
- Re: [Netconf] WG Last Call Comments ondraft-ietf-… t.petch
- Re: [Netconf] WG Last Call Comments ondraft-ietf-… t.petch
- [Netconf] Netconf keep-alive (was periodic connec… Liubing (Leo)
- Re: [Netconf] Netconf keep-alive (was periodic co… Andy Bierman
- Re: [Netconf] Netconf keep-alive (was periodic co… Liubing (Leo)
- Re: [Netconf] Netconf keep-alive (was periodic co… t.petch
- Re: [Netconf] Netconf keep-alive (was periodic co… Andy Bierman
- Re: [Netconf] Netconf keep-alive (was periodic co… Kent Watsen
- Re: [Netconf] Netconf keep-alive (was periodic co… Phil Shafer
- Re: [Netconf] Netconf keep-alive (was periodic co… Andy Bierman
- Re: [Netconf] Netconf keep-alive (was periodic co… Andy Bierman
- Re: [Netconf] WG Last Call Comments ondraft-ietf-… Kent Watsen
- Re: [Netconf] Netconf keep-alive (was periodic co… t.petch
- Re: [Netconf] Netconf keep-alive (was periodic co… t.petch
- Re: [Netconf] Netconf keep-alive (was periodic co… Andy Bierman
- Re: [Netconf] Netconf keep-alive (was periodic co… t.petch
- Re: [Netconf] WG Last Call Comments ondraft-ietf-… t.petch
- Re: [Netconf] WG Last Call Comments ondraft-ietf-… Kent Watsen
- Re: [Netconf] WG Last Call Comments ondraft-ietf-… Kent Watsen
- Re: [Netconf] WG Last Call Comments ondraft-ietf-… t.petch
- Re: [Netconf] WG Last Call Comments ondraft-ietf-… Kent Watsen
- Re: [Netconf] Netconf keep-alive (was periodic co… Kent Watsen
- Re: [Netconf] Netconf keep-alive Martin Bjorklund
- Re: [Netconf] Netconf keep-alive t.petch
- Re: [Netconf] Netconf keep-alive (was periodic co… t.petch
- Re: [Netconf] WG Last Call Comments ondraft-ietf-… t.petch
- [Netconf] Netconf running state indication-//RE: … Liubing (Leo)
- Re: [Netconf] Netconf running state indication-//… t.petch
- Re: [Netconf] Netconf running state indication-//… Liubing (Leo)
- Re: [Netconf] Netconf running state indication-//… t.petch
- Re: [Netconf] Netconf running state indication-//… Radek Krejčí
- Re: [Netconf] Netconf running state indication-//… Liubing (Leo)
- Re: [Netconf] Netconf running state indication-//… Liubing (Leo)